Analysis: Baidu large data security practice

Data is an important asset of Baidu. Baidu company built a company-wide data platform, including the company's various business areas of data, building data closed-loop solutions to promote the company's data unified management, data sharing, data discovery and data use. These data assets come together from multiple departments and businesses, and the security requirements are different.

Baidu attaches great importance to the safety of large data applications in the process of security in the formation of a unified large data security framework, through the data throughout the life cycle of the implementation of security technology and management mechanisms for large data platform and user data security.

Baidu large data platform security architecture

Baidu large data platform with the basis of system security, security management, and data security classification mechanism as the core of the data security architecture, as shown in Figure B-3:

System security and security management is the most basic security mechanism in Baidu's large data platform. Data security architecture in the entire large data security architecture in a very important position. Data security architecture includes security audit, security control and security encryption in three parts, and the use of security classification mechanism, divided into basic and optional level.

The security infrastructure includes both security auditing and security control, which is the security foundation for all business data on large data platforms, providing auditable and granular integrity throughout the lifecycle of data on large data platforms control function. Optional levels include data encryption and decryption functions, support a variety of strength encryption and decryption algorithm.

Baidu large data platform to support the encrypted data storage, taking into account the platform every day the amount of data generated is extremely large, and the efficiency of data computing requirements, according to the data business characteristics and level requirements to choose different intensity encryption algorithm.

Baidu large data platform key security capabilities

Baidu proposed 4A security system to build a large data platform, the key security capabilities, including:

Account: Create a unique user account for each user and authenticate the user to ensure that data access control and security auditing can be traced back to individual accounts. At the same time, the use of role-based user group management, the system management role, the system data construction role and data viewing role to distinguish.

Authentication: Baidu large data platform on the data access must have a unified identity authentication mechanism. Baidu large data platform using a unified single sign-on identity authentication technology for users to identify the identity management.

Authorization (Authorization): Baidu large data platform needs to be based on data access to the identity of the main body, as well as access to data encryption level, to achieve access to various types of data authorization. For more than confidential data, you need to dock a specific electronic approval process. In addition, the data in the process of circulation, large data platform can automatically determine the corresponding next node of the security level and personnel authorization, the data flow to the safety of judgment and maintenance.

Audit: Baidu large data platform with audit log records, to achieve the system for user management, rights management, user login, data acquisition / access / modification and other acts of complete log records. Based on the system audit log, you can achieve the safety monitoring in the event, as well as the behavior of the tracing and evidence analysis. (Source: Bureau of data compiled: China Electronic Commerce Research Center)

Internet Research Papers