As the carrier of data, storage plays an increasingly prominent basic role in the national information technology and high-tech fields. Data storage is related not only to the safe storage of enterprise data but also to the security of the digital economy, * * * *. Data storage is the last line of defense for data security. Under the demand of building a strong digital economy, it is urgent to accelerate independent innovation around the storage industry and build a safe and reliable data infrastructure.
Data grows exponentially and security risks become prominent
With the deepening of industry digitization, new applications and new scenarios are emerging in quick succession. Massive volumes of data put pressure on the secure storage, management and use of data, and enterprises demand ever higher data reliability. At present, China's data storage security still faces many challenges.
First, data disaster recovery is weak and data risks are increasing day by day. China's data protection regulations and standards system is relatively complete, but it lacks implementation practice and guidance, and in key sectors such as banking, education, healthcare and manufacturing, problems such as “backup without disaster recovery” and “no remote disaster recovery” are still widespread. China's investment in data security disaster recovery is currently low; among large and medium-sized enterprises, disaster recovery coverage is low and the losses from business downtime are high. According to professional estimates, disaster recovery construction accounts for 32% of investment in data storage capacity construction in the United States, but only 8% in China, less than half the share in Turkey. At the same time, the disaster recovery coverage of China's financial data and government data is only 15% and 9% respectively. In extreme cases, natural disasters and virus attacks will cause serious economic losses, so it is time to improve the level of data disaster recovery.
Second, the security risks of the open-source software supply chain are increasing. Open-source software brings commercial convenience, but it also brings uncertainty and risk. At this stage, many domestic storage products use open-source software that mainly comes from abroad, and the disclosure of open-source software vulnerabilities is controlled by overseas governments. Meanwhile, the number of open-source software vulnerabilities has increased by 88% in the past two years. In such a security situation, limited disclosure of open-source vulnerabilities makes it very hard to repair affected products in time. At present, half of the storage software described as “domestic” is based on foreign open-source technologies such as Ceph and Lustre, and 80% of the downstream open-source ecosystem software, such as widely used databases and operating systems, is controlled by the United States. Joint effort at the national, enterprise and user levels is urgently needed to solve this “stuck neck” (chokepoint) problem.
Third, after more than ten years of development, China has initially formed an independent and controllable national commercial cryptographic algorithm system, but there is still a big gap compared with the world's advanced level. China's commercial cryptography technology started late and has had a short development time. Existing commercial cryptographic products are still dominated by hardware, in contrast to foreign products, which balance software and hardware and have strong universality, and it is difficult for them to meet the performance requirements of new technologies and new applications. In addition, the research and application of commercial cryptography in key national infrastructure fields still need to be strengthened. In key national industries, encryption of data in transit and at rest still uses US-led cryptographic algorithms and protocols. The CIF algorithm is not widely used, the CIF product catalog is incomplete, and the industry guidance policy is incomplete. It is imperative to continuously transform and optimize commercial cryptographic products and vigorously promote the application of domestic commercial cryptography.
Data security
With the increase of internal and external risks, attacks increasingly take data itself as their target. Data storage, as the “home” of data, provides the basic guarantee for high security, high availability and high reliability through complete data encryption, disaster recovery backup and anti-ransomware capabilities, and has become an essential component of the data defense system: data storage is the last line of defense for data security.
Storage disaster recovery and backup technology is the foundation of security protection for key information infrastructure. Enterprises should comprehensively build a basic pattern of full disaster recovery and full data backup for key businesses to improve business continuity and data reliability. For existing disaster recovery systems, the local active/standby disaster recovery mode should be upgraded to active-active mode to ensure zero loss of important data, and the area-wide active-active disaster recovery architecture can be upgraded to a multi-center protection architecture that provides multiple data replicas and cross-region business recovery. Data can be backed up in tiers: for key data, local single-point backup should be upgraded to combined local and remote backup. At the same time, it is suggested that data classification and grading management in each industry must define clear defense and recovery levels, carry out network attack-and-defense and disaster recovery drills and reviews one to four times a year, and effectively ensure data security.
As key basic software, storage system software guarantees the security of national key information infrastructure. In the face of the increasingly serious risk of open-source software, if insecure open-source software continues to be used to build the storage systems of key domestic infrastructure, the “city wall” will have a gap that malicious organizations may exploit, posing fatal risks to core data assets. China should strengthen investment in data storage software development, ensure the security and trustworthiness of storage devices, manage the security of the open-source software supply chain well, and achieve an independent, sustainable and secure supply of storage software. Only by vigorously developing the whole storage industry chain, from devices and equipment to systems, and consolidating the security foundation of key information infrastructure can the safe and stable operation of national key information infrastructure be ensured and the information and data security of the national economy and people's livelihood truly be guaranteed.
Domestic commercial cryptography is an important foundation for ensuring ***. Carrying out the commercial cryptography transformation with storage encryption first is the best way to build an end-to-end encryption system. Data encryption and storage can be completed by application software, databases or external encryption appliances, or fully integrated into the devices or applications themselves. At present, many domestic products adopt the “external” scheme, which amounts to bolting a “lock” onto the system and results in low system performance; in-storage encryption is the option with the strongest scalability and minimal performance loss. Storage encryption technology is mature, easy to adopt and quick to deploy, so it is recommended to promote storage-based encryption first and continuously develop application innovation of domestic commercial cryptography in the data storage field. In addition, China's supervision and standard-setting mechanism for the use of domestic commercial cryptography is not mature, there are inaccurate judgments about its real usage, and many key infrastructures are not included in the scope of usage assessment. We recommend adding encrypted storage products to the commercial cryptography product certification catalog, with corresponding technical requirements and testing specifications.
In response to ransomware attacks, data storage is the last line of defense for data security. Traditional security defense generally focuses on the network side, with technologies such as firewalls and security gateways. For ransomware, however, the network side alone cannot recognize the attack; it also needs storage-side ransomware detection, secure snapshots, data isolation, data recovery and other capabilities to protect data both logically and physically. In Northrop Grumman's defense-in-depth model, the network/host layer prevents ransomware from intruding and blocks its spread. Once ransomware has intruded, the network/host layer can no longer prevent it from damaging data, and data storage is required. Data storage can detect the abnormal IO of a ransomware attack as soon as it occurs and actively protect data through tamper-proof technology. The storage layer and the network layer can use linkage technology to notify security devices such as firewalls to isolate the source of the attack and prevent ransomware from spreading laterally through the network. After data has been encrypted by ransomware, recovery relies on the physically isolated area of the data storage, where a last copy of “clean” data is retained.
Creating secure and reliable data storage
Huawei has made innovative explorations in data storage security. Through ransomware prevention, data leakage prevention, data loss prevention, open-source management of storage software, storage software security and underlying system security capabilities, it delivers for customers the trusted targets of “data is not leaked, data is not tampered with, data is not lost, business is always online, access is always compliant”, the “three no's and two always's”.
First, to cope with natural disasters such as fires and earthquakes, Huawei storage's disaster recovery construction goes a step beyond the industry's traditional active-active solution. Building on active-active disaster recovery over IP/FC networks, it cooperates with Huawei's optical product line to develop the Huawei SOCC (Storage-Optical Connection Coordination) solution. Through an optical linkage sensor and a millisecond-level sensing algorithm, the switching time of a traditional storage active-active link is reduced from 2 minutes to 2 seconds. Network jitter is completely invisible to the service system, ensuring smooth operation of the service. Huawei's disaster recovery solution already supports smooth online upgrade among three solutions: same-city active-active → two-city three-center → two-city four-center. In the two-city four-center plan, the disaster recovery center of the original two-city three-center deployment is upgraded to a production center, and the two sites stand by for each other, protecting customers' existing investment.
To prevent data loss caused by operational errors or system failures, it is very important to establish an efficient and reliable backup system. If backup performance is too low, only a small amount of data can be backed up each day within the limited backup window, leaving data copies old and incomplete. Recovery performance determines the time needed for data recovery and business resumption, which determines the loss caused by business downtime. Huawei OceanProtect dedicated backup storage provides high-speed recovery performance of up to 172 TB/hour, five times the industry level, minimizing the business impact of data recovery on production systems. At the same time, relying on self-developed efficient deduplication and compression algorithms, it provides a data reduction rate of up to 72:1, 20% ahead of the industry, so more data can be backed up in the same space, greatly reducing system investment.
Second, in response to the risk of open-source storage software, enterprises must on the one hand accelerate the construction of independent innovation capability and on the other hand improve their open-source software risk management capability. From its establishment, Huawei's data storage business defined a path of independent design and research for basic storage software and hardware, and adopted a three-tier storage security framework of “device security, data security and security management” to ensure effective data protection and lawful access. At the source of the framework, “device security”, the co-design of fully self-developed hardware and software makes the system trusted from its source through mechanisms such as trusted boot. The integrated product development (IPD) process standardizes lifecycle security, covering product security requirement analysis, security design, security development and testing, security release and security O&M, and ensures that users are provided with a secure and trusted storage infrastructure. In terms of open-source risk management, Huawei has established a complete lifecycle management framework for open-source software, building an open-source software management system across the whole “supply, selection, use, maintenance and feedback” chain so that open-source risks are controllable and manageable.
Third, in response to the commercial cryptography transformation, Huawei has pushed data encryption down into storage products to create a complete storage encryption solution based on technologies such as full-disk encryption and array encryption. Storage encryption consolidates the underlying software and hardware capabilities to enhance data resilience, requires no application modification and is transparent to the upper layers. Huawei has developed SED disks (self-encrypting drives) with mature technology and built-in encryption engines to implement full-disk encryption without consuming computing resources; encryption at the storage controller array is completed by an independent commercial encryption engine that does not occupy the CPU instruction processing time window, so application performance is unaffected.
Finally, Huawei all-flash storage and distributed storage provide the industry's most complete anti-ransomware solution, targeting the characteristics that ransomware is difficult to identify and lurks for a long time. Huawei's storage anti-ransomware solution provides dual protection of primary storage and backup, with defenses set up layer by layer across every stage of a ransomware attack: ransomware attacks are detected and intercepted based on machine learning, with recognition accuracy as high as 99.9%; the WORM file system and secure snapshot technology protect data replicas from tampering, and after an attack, secure replicas can be used to recover data; Air Gap technology establishes a separate physically isolated area into which data from production and backup storage is copied, protecting the data offline from being damaged by hackers.
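The storage-side protections described in the ransomware paragraphs above (detecting the abnormal IO of an encryption run, and secure snapshots or WORM replicas that cannot be deleted during their retention period) can be sketched as a small model. This is an added example written for this page, not Huawei's code: the WriteOp record, the entropy and rename thresholds, the retention-lock semantics and the sample IO are all constructed assumptions.

```python
import math
from collections import Counter
from dataclasses import dataclass

@dataclass
class WriteOp:
    path: str             # file as seen by the storage layer
    data: bytes           # payload written
    renamed_to: str = ""  # new name when the write ends in a rename, else empty

def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ciphertext approaches 8.0, documents stay well below (empty -> 0)."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def io_indicators(ops: list) -> tuple:
    """(share of high-entropy writes, share of writes that change the extension);
    ransomware drives both up at once, ordinary editing does not."""
    if not ops:
        return 0.0, 0.0
    ext = lambda p: p.rsplit(".", 1)[-1].lower()
    enc = sum(shannon_entropy(op.data) >= 7.0 for op in ops)
    ren = sum(bool(op.renamed_to) and ext(op.renamed_to) != ext(op.path) for op in ops)
    return enc / len(ops), ren / len(ops)

def looks_like_ransomware(ops: list, enc_min: float = 0.6, ren_min: float = 0.5) -> bool:
    """Storage-side alert when both indicators exceed their thresholds (assumed values)."""
    enc, ren = io_indicators(ops)
    return enc >= enc_min and ren >= ren_min

class SecureSnapshot:
    """Point-in-time copy with a retention lock (the WORM / secure-snapshot idea):
    restorable at any time, but not deletable before retain_until."""
    def __init__(self, name: str, files: dict, retain_until: int):
        self.name, self.retain_until = name, retain_until
        self._files = dict(files)  # frozen copy of path -> bytes
    def is_locked(self, now: int) -> bool:
        return now < self.retain_until
    def restore(self) -> dict:
        return dict(self._files)
    def delete(self, now: int) -> bool:
        if self.is_locked(now):
            raise PermissionError(f"{self.name} is retention-locked until t={self.retain_until}")
        return True

# Constructed sample IO (not real traffic): a normal editing session and an encryption run.
BENIGN = [WriteOp("q1/report.docx", b"Quarterly revenue grew modestly in Q1."),
          WriteOp("q1/notes.txt", b"todo: review the figures with finance")]
ATTACK = [WriteOp(f"q1/file{i}.docx", bytes(range(256)), renamed_to=f"q1/file{i}.locked")
          for i in range(5)] + [WriteOp("q1/README.txt", b"your files are encrypted")]
```

On the constructed samples, `looks_like_ransomware(ATTACK)` is true and `looks_like_ransomware(BENIGN)` is false, and a snapshot's `delete()` raises until its retention time has passed while `restore()` always works.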
The continuous innovation and development of ICT will bring an ever larger data scale. The collection, storage, transmission, exchange and processing of digital information depend on a highly reliable and stable digital infrastructure. China's storage industry is in a new stage of healthy and rapid development. Data security is the first priority in the field of information storage and the foundation for product application. We should speed up building a reliable storage base to ensure data security in an all-round way and build the last line of defense for data security.