Enterprise Data Security Risks, Encryption Techniques, and Tencent Cloud Data Security Solutions
The article outlines enterprise data‑security risks and regulatory demands, reviews symmetric, asymmetric and hash techniques, highlights cloud‑encryption and key‑management challenges, and presents Tencent Cloud’s comprehensive solutions—including KMS, BYOK, white‑box keys, virtual HSMs, and integrated database encryption—to protect data throughout its lifecycle.
Data security is both a technical and a management issue. This article summarizes the online sharing by Tencent Security Cloud Lab expert Ji Shengli at the Cloud+ Community Salon, analyzing current domestic data security challenges and the status of cryptographic applications, and presents Tencent's data security solutions and best practices for cloud encryption.
1. Enterprise Data Security Risks and Domestic Cryptography Status
With deepening cloud adoption and digital transformation, data has become a core asset for enterprises. Large‑scale data breaches have become frequent, caused by external attacks and internal threats such as insecure configurations, source‑code leaks, and hard‑coded credentials.
Business Security Challenges
Protect confidentiality and integrity during data transmission and storage.
Implement comprehensive key‑lifecycle management.
Secure financial payment, e‑government, and identity authentication processes.
Regulations such as the Cryptography Law, Cybersecurity Law, and the Level‑2 Protection standard impose clear requirements for data protection and encryption.
2. Common Cryptographic Techniques
Symmetric encryption (AES, DES, 3DES, SM4) uses the same key for encryption and decryption.
Asymmetric encryption (RSA, ECC, SM2) uses a public key for encryption and a private key for decryption.
Hash functions (SHA, MD5, SM3) are one‑way and irreversible.
Digital signatures reverse the asymmetric key usage: the private key signs, the public key verifies.
3. Difficulties in Enterprise Data Security
Key challenges include classification, governance, and policy; advanced encryption techniques for data at rest, in transit, and in use (DaR/DiT/DiU); key management; and incident monitoring and analysis.
From a development‑operation perspective, data leakage risks arise in development (hard‑coded secrets), testing (exposed test databases), deployment (weak configurations), and production (password leaks, weak passwords, unprotected sensitive data).
From an application‑service perspective, every stage—generation, transmission, storage, processing, and sharing—poses leakage risks, covering local sensitive data storage, network channels, configuration files, key management, cloud storage, financial payment, data sharing, and display sanitization.
4. Challenges of Cloud‑Based Encryption and Key Management
Cloud data lifecycle protection requires data classification and governance to enforce encryption throughout production, storage, movement, use, and destruction.
Cloud products (cloud disks, storage, databases) need fine‑grained encryption and centralized key policy control, multi‑tenant isolation, and secure key distribution.
Traditional on‑premise key management systems struggle to integrate with cloud architectures, making hardware security module deployment, multi‑tenant management, and API compatibility difficult.
Tenant self-control of keys separates encryption from key management, allowing tenants to manage key access policies, key material, and algorithms throughout the key lifecycle.
5. Tencent Cloud Data Security Platform
The platform offers three major features: full data‑lifecycle support, complete integration with the cloud product ecosystem, and support for national cryptographic (GuoMi) and FIPS standards. It provides simple encryption APIs and SDKs for minimal‑effort data protection.
6. Best Practices for Cloud Data Security
6.1 Key Management Service (KMS)
KMS centralizes key storage, generation, rotation, and lifecycle management, and supports hardware‑based true random numbers, fine‑grained permission control, automatic rotation, import of customer‑owned keys, and multi‑level key management. Keys are stored in HSMs, so no party, including the service operator, can access plaintext master keys.
KMS integrates with Tencent Cloud Access Management (CAM) for resource‑level authorization, enabling role‑based access to sensitive keys.
6.2 Sensitive Data Encryption
KMS supports both symmetric and asymmetric encryption for data under 4 KB, such as keys, certificates, and configuration files. The default algorithm is AES overseas and a national algorithm domestically.
Envelope encryption (a customer master key, CMK, wrapping a data encryption key, DEK) is recommended for large files or performance‑sensitive scenarios: the bulk data is encrypted locally with the DEK at full speed, while the master key that protects the DEK never leaves KMS.
6.3 BYOK (Bring Your Own Key)
Customers can import their own key material into KMS, creating external keys that are managed and distributed by the service.
6.4 Seamless Cloud Product Integration
KMS integrates with cloud products such as Cloud Block Storage (CBS). When CBS encryption is enabled, KMS automatically generates a CMK and encrypts data transparently for the user.
6.5 White‑Box Key Management
White‑box encryption mixes algorithm and key, eliminating plaintext keys in memory. Administrators create white‑box keys to protect API credentials, with optional device‑binding for additional security.
6.6 Credential Management System
SecretsManager (SSM) centralizes management of credentials (account passwords, IPs, DB connection strings), providing encrypted storage, versioning, automatic rotation, and lifecycle management.
6.7 Cloud HSM (Virtual Encryption Machines)
Virtual HSMs (VSM) offer scalable, high‑availability hardware‑level encryption for financial, payment, and government workloads, supporting both international and national algorithms.
6.8 Database Encryption
Options include plugin‑based encryption, database encryption gateways, TDE (tablespace‑level encryption), and Cloud Access Security Broker (CASB) for field‑level encryption without application changes.
Q&A Highlights
Typical encryption/decryption latency via KMS is under 10 ms; overall latency is 30‑50 ms depending on the network.
Cross‑provider data transfer uses envelope encryption with role‑based cross‑account authorization.
Hardware encryption provides true random numbers and secure key storage, whereas software can only generate pseudo‑random numbers.
Internal analysts should decrypt data only during analysis, keeping plaintext off‑disk.
AES‑256 impacts performance more than AES‑128; choice depends on security requirements and hardware acceleration.
White‑box encryption mixes key and algorithm, protecting API keys from exposure.
National cryptographic algorithms (GuoMi) follow the same principles as international algorithms but are mandated by Chinese standards.
Tencent Cloud Developer