BigQuery AEAD功能的键集管理的最佳做法 [英] Best practices for keyset management for BigQuery AEAD function
问题描述
我的目标是建立一个基于BigQuery的安全解决方案.我使用受CMEK保护的BigQuery表.另外,我有一个数据流作业,将数据写入表中.它使用AEAD函数加密某些值. https://cloud.google.com/bigquery/docs/reference/standard-sql/aead_encryption_functions 我使用Tableau从BigQuery读取数据.并使用AEAD函数解密一些值.
My goal is to build a secure solution based on BigQuery. I use BigQuery tables protected with CMEK. Also, I have a dataflow job that writes data in the table. It encrypts some values with an AEAD function. https://cloud.google.com/bigquery/docs/reference/standard-sql/aead_encryption_functions I read data from BigQuery with Tableau. And decrypt some values with an AEAD function.
我需要一种与AEAD一起使用的安全可靠的密钥集管理方法.加密期间,密钥集应可用于数据流.另外,密钥集应该在Tableau中可用以进行解密.
I need a secure and reliable approach for keyset management that used with AEAD. Keyset should be available for Dataflow during encryption. Also, the keyset should be available in Tableau for decryption.
推荐答案
作为我的简要说明,您的用例包括使用CMEK和AEAD对静态数据进行加密,以供Cloud Dataflow和Tableau等外部工具访问数据.
As a brief statement of my understanding, your use case consists of keeping data encrypted at rest with CMEKs and AEAD in where Cloud Dataflow and external tools like Tableau can access the data.
我认为市长的问题是AEAD无法解决密钥管理问题,如标准文档:
I think the mayor problem is that key management is not addressed by AEAD as stated in the Standard documentation:
"虽然AEAD算法非常有用,但它们无济于事密钥生成和密钥管理问题".
"While AEAD algorithms are quite useful, they do nothing to address the issues of key generation and key management".
尽管如此,我可以想到以下方法:
Nevertheless, I can think of the following approaches:
- 要管理CMEK,可能要使用 Cloud KMS . >
Cloud Dataflow可以通过代码Java或Python访问CMEK.但是,您将需要查看Tableau文档以了解如何在KMS中配置/连接到CMEK.
Cloud Dataflow can access CMEKs by code Java or Python. But, you will need to check the Tableau documentation to know how to configure/connect to CMEKs in KMS.
-
从您共享的链接中,我可以读取以字节表示形式或纯文本格式的json文件形式的AEAD密钥集;因此,我可以可视化管理密钥集的两条路径:
From the link you shared, I can read a AEAD keyset is either in byte representation or a json file in plain text; so, I can visualize two paths to manage keysets:
-
如果要将它们带到BigQuery(jsons)之外,可以将它们作为秘密进行管理,并使用秘密管理器,允许您使用Java或Python来管理机密,您可以使用这些语言与Cloud Dataflow集成.我不清楚Tableau如何使用这种方法.
If you want to take them outside of BigQuery (jsons), you can manage them as secrets and use tools like Secret Manager that allow you use Java or Python to manage the secrets, you can use those languages to integrate with Cloud Dataflow. It's not clear to me how Tableau can use this approach though.
您可以将BigQuery中的键集保持在其数据附近,并执行配置,使您的应用仅访问其有权查看的数据.在这种情况下,BiQuery中的授权视图会为您提供帮助.您将需要在BA中执行其他配置并构建sql查询以创建视图.然后,Dataflow和Tableau可以透明地连接并从授权视图读取.
You can keep the keysets in BigQuery close to their data and perform configurations let your apps access only the data they are authorized to see. In this scenario, Authorized Views in BiQuery would help you. You will need to perform additional configuration in BA and build sql queries to create the Views. Then, Dataflow and Tableau can connect and read from the Authorized View transparently.
作为第二点的示例,您可以使用此访问键集的查询创建一个授权视图 customers_pii :
As an example of the second point, you can create an Authorized View customers_pii with this query that accesses keysets:
SELECT
ecd.customer_id as customer_id,
AEAD.DECRYPT_BYTES(
(SELECT ck.keyset
FROM aead.CustomerKeysets AS ck
WHERE ecd.customer_id = ck.customer_id),
ecd.encrypted_animal,
CAST(ecd.customer_id AS STRING)
) AS favorite_animal
FROM aead.EncryptedCustomerData AS ecd;
然后,用户/应用程序无法访问键集,他们应该以这种方式查询以在视图中检索数据:
then, users/apps cannot access keysets, they should query this way to retrieve the data in the View:
SELECT customer_id from customers_pii;
这篇关于BigQuery AEAD功能的键集管理的最佳做法的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
