ApsaraDB RDS:Overview

Feature description

The always-confidential database feature uses confidential computing to support all database operations, such as transactions, queries, and analysis, and encrypts the query results before they are returned. The always-confidential database feature ensures that data is processed inside a secure enclave such as an application and a database but remains in ciphertext outside the enclave. This prevents cloud platform providers, unauthorized users, and management personnel such as database administrators (DBAs) from accessing your plaintext data. This also prevents developers and O&M personnel from stealing your data. The always-confidential database feature defends against external and internal threats in an efficient manner, protects your data throughout the lifecycle, and helps you privatize your cloud data.

• How does the always-confidential database feature ensure that my data is not leaked on the cloud?

  The always-confidential database feature encrypts the data that needs to be protected in query results. This way, the data keeps confidential even if relevant account credentials are leaked. The feature delivers robust defenses against data breaches. You can use the always-confidential database feature together with the cloud disk encryption feature or the transparent data encryption (TDE) feature to implement multi-layer encryption. Both the cloud disk encryption feature and the TDE feature deliver disk encryption capabilities. We recommend that you use the always-confidential database feature together with the cloud disk encryption feature. For more information, see Use the cloud disk encryption feature and Configure TDE.

  Note

  You can use the always-confidential database feature together with the disk encryption capabilities based on your business requirements.

Scenarios

The goal of the always-confidential database feature is design for a system or database architecture that features native security capabilities to protect the confidentiality of data. The always-confidential database feature optimizes the design and adjusts architectures to introduce security capabilities and ensure the high stability, high performance, and cost-effectiveness of your database system.

The following list describes several scenarios in which you can use the always-confidential database feature to address data security issues.

• Platform O&M: This scenario mainly involves database service protection in TEEs, such as third-party platforms, to ensure data security during O&M. In most cases, data owners are application service providers. They want to prevent their application data from being accessed by unauthorized database service providers and O&M personnel and ensure that their databases are running as expected.

  Examples:

  • If a database is migrated to the cloud, the always-confidential database feature prevents unauthorized cloud platform providers and O&M personnel from accessing the database data.

  • If a database system is deployed on a server in a data center for application connection, the always-confidential database feature prevents unauthorized O&M personnel from accessing the database data.  

• Protected data compliance: This scenario mainly involves application service protection in TEEs, such as third-party platforms, to ensure the security of protected user data. In user-oriented scenarios, specific data, such as health data and financial data, is owned by users. They want application services to provide data management and analysis capabilities without accessing plaintext private data.

  Examples:

  • If enterprises use third-party services to manage commercial data, the always-confidential database feature prevents the trade secrets of the enterprises from being obtained by the third-party service providers.

  • If third-party service providers manage confidential data, such as personally identifiable information (PII) and gene information, the always-confidential database feature helps meet compliance requirements on end-to-end encryption.  

Security levels provided by the always-confidential database feature

From a security perspective, ApsaraDB RDS can prevent security threats at the following levels in ascending order:

• Regular database on the cloud: This feature is used together with Alibaba Cloud security services to block most external attacks. However, a trust relationship must be built among the operating system, database software, Infrastructure as a service (IaaS) O&M personnel, and database users on an RDS instance.

• Always-confidential database (basic edition): This feature is recommended. This feature is used together with the always-confidential access control module to limit the ability of database users to manipulate data within a database. This prevents unauthorized access and ensures that your data is available but invisible to all database users, including DBAs. You need to trust only the operating system, database software, and IaaS O&M personnel in your RDS instance.

• Always-confidential database (hardware-enhanced edition): Compared with the always-confidential database (basic edition) feature, this feature uses TEE technologies to allow the RDS instances that use the always-confidential database (basic edition) feature to run in TEE environments with all external security threats isolated. TEE technologies include Intel Software Guard Extensions (SGX), Intel Trust Domain Extensions (TDX), ARM TrustZone, AMD Secure Encrypted Virtualization (SEV), Hygon Commercial Security Version (CSV), and confidential containers. You need to trust only the operating system and database software in your RDS instance.