CN114531267A - Data asset management method and system - Google Patents

Publication number
CN114531267A
Authority
CN
China
Prior art keywords
data
information
security
identification
domain
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202111662653.2A
Other languages
Chinese (zh)
Other versions
CN114531267B (en)
Inventor
黄涛
申大伟
谢云明
王晓磊
范伟宁
郭壮
支琛
刘森
郭晓超
管清鑫
史知贺
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huaneng Information Technology Co Ltd
Original Assignee
Huaneng Information Technology Co Ltd
Application filed by Huaneng Information Technology Co Ltd
Priority to CN202111662653.2A
Publication of CN114531267A
Application granted
Publication of CN114531267B
Legal status: Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205 Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Bioethics (AREA)
  • Health & Medical Sciences (AREA)
  • General Physics & Mathematics (AREA)
  • Databases & Information Systems (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiment of the invention relates to the field of data assets, and particularly discloses a data asset management method and a data asset management system. The embodiment of the invention manages the data registration of the data assets, generates data directory information in a data center station, and uploads and stores the data assets; exchanges the data directory information to a security middle station; in the security middle station, performs security identification of three dimensions, namely a secret domain, an application domain and an environment domain, on the data directory information to generate security identification data information; and performs security policy calculation according to the security identification data information to generate a policy decision, and securely releases the data assets according to the policy decision. The data assets can thus be registered and managed, the data directory information is security-identified in the three dimensions of secret domain, application domain and environment domain, security policy calculation is performed using the security identification, and secure release is carried out according to the policy decision, thereby effectively improving the security protection of the data assets.

Description

Data asset management method and system
Technical Field
The invention belongs to the field of data assets, and particularly relates to a data asset management method and system.
Background
The security protection of data assets mainly schedules security capabilities through the execution of security policies and provides a secure environment for the data assets. To set a security policy for a data asset, it is necessary to have sufficient knowledge of the detailed information of the data asset. Existing data asset management methods and systems cannot analyze data assets accurately and sufficiently, cannot provide comprehensive security identification for the data assets, and cannot mobilize the orchestration, scheduling and execution of data asset security policies, so the level of security protection of the data assets is low.
Disclosure of Invention
Embodiments of the present invention provide a method and a system for managing data assets, which aim to solve the problems in the background art.
In order to achieve the above purpose, the embodiments of the present invention provide the following technical solutions:
a data asset management method, the method comprising the steps of:
managing data registration of data assets, generating data directory information in a data center station, and uploading and storing the data assets;
exchanging the data directory information to a security middle station in a data interface mode;
in the security middle station, security identification of three dimensions of a secret domain, an application domain and an environment domain is carried out on the data directory information to generate security identification data information;
and performing security policy calculation according to the security identification data information to generate a policy decision, and securely releasing the data assets according to the policy decision.
As a further limitation of the technical solution of the embodiment of the present invention, the managing data registration of the data assets, generating data directory information in the data center station, and uploading and storing the data assets specifically includes the following steps:
acquiring data registration information of the data assets;
calling an interface of a data center station, and synchronizing the data registration information to the data center station;
processing the data registration information in the data center station to generate data directory information;
and uploading and storing the data assets, generating a storage address, and hooking the storage address with the data directory information.
As a further limitation of the technical solution of the embodiment of the present invention, the processing the data registration information in the data center station to generate the data directory information specifically includes the following steps:
editing the data registration information to generate data editing information;
judging whether the data assets are registered or not according to the data editing information;
if the data assets are registered, canceling the data editing information;
and if the data assets are not registered, cataloging the data editing information to generate data directory information.
As a further limitation of the technical solution of the embodiment of the present invention, the exchanging the data directory information to the security middle station through the data interface specifically includes the following steps:
publishing an interface according to the storage address to generate a data interface;
and exchanging the data directory information to the security middle station through the data interface.
As a further limitation of the technical solution of the embodiment of the present invention, in the security middle station, performing security identification of three dimensions, namely a secret domain, an application domain and an environment domain, on the data directory information to generate security identification data information specifically includes the following steps:
carrying out security identification of the secret domain on the data directory information to generate first security identification information;
performing security identification of an application domain on the first security identification information to generate second security identification information;
and carrying out the security identification of the environment domain on the second security identification information to generate security identification data information.
As a further limitation of the technical solution of the embodiment of the present invention, the performing security policy calculation according to the security identification data information to generate a policy decision, and securely releasing the data assets according to the policy decision specifically includes the following steps:
performing security policy calculation on the data assets through the security identification data information to generate a policy decision;
acquiring security environment information;
generating a policy execution engine according to the security environment information and the policy decision;
driving the secure release of the data assets according to the policy execution engine.
A data asset management system, the system comprising a registration management storage unit, an interface information exchange unit, an information security identification unit, and a security policy issuing unit, wherein:
the registration management storage unit is used for managing data registration of the data assets, generating data directory information in a data center station and uploading and storing the data assets;
the interface information exchange unit is used for exchanging the data directory information to a security middle station in a data interface mode;
the information security identification unit is used for carrying out security identification of three dimensions, namely a secret domain, an application domain and an environment domain, on the data directory information in the security middle station to generate security identification data information;
and the security policy issuing unit is used for performing security policy calculation according to the security identification data information, generating a policy decision, and securely releasing the data assets according to the policy decision.
As a further limitation of the technical solution of the embodiment of the present invention, the registration management storage unit specifically includes:
the registration information acquisition module is used for acquiring data registration information of the data assets;
the registration information synchronization module is used for calling an interface of a data center station and synchronizing the data registration information to the data center station;
the registration information processing module is used for processing the data registration information in the data center station to generate data directory information;
and the uploading storage hooking module is used for uploading and storing the data assets, generating a storage address and hooking the storage address with the data directory information.
As a further limitation of the technical solution of the embodiment of the present invention, the information security identification unit specifically includes:
the secret domain identification module is used for carrying out security identification of the secret domain on the data directory information to generate first security identification information;
the application domain identification module is used for carrying out security identification of the application domain on the first security identification information to generate second security identification information;
and the environment domain identification module is used for carrying out the security identification of the environment domain on the second security identification information to generate security identification data information.
As a further limitation of the technical solution of the embodiment of the present invention, the security policy issuing unit specifically includes:
the security policy calculation module is used for performing security policy calculation on the data assets through the security identification data information to generate a policy decision;
the environment information acquisition module is used for acquiring the security environment information;
the execution engine generation module is used for generating a policy execution engine according to the security environment information and the policy decision;
and the data security issuing module is used for driving the secure release of the data assets according to the policy execution engine.
Compared with the prior art, the invention has the beneficial effects that:
The embodiment of the invention manages the data registration of the data assets, generates data directory information in a data center station, and uploads and stores the data assets; exchanges the data directory information to a security middle station; in the security middle station, performs security identification of three dimensions, namely a secret domain, an application domain and an environment domain, on the data directory information to generate security identification data information; and performs security policy calculation according to the security identification data information to generate a policy decision, and securely releases the data assets according to the policy decision. The data assets can thus be registered and managed, the data directory information is security-identified in the three dimensions of secret domain, application domain and environment domain, security policy calculation is performed using the security identification, and secure release is carried out according to the policy decision, thereby effectively improving the security protection of the data assets.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present invention.
Fig. 1 shows a flow chart of a method provided by an embodiment of the invention.
Fig. 2 shows a flow chart of data asset registration management and storage in a method provided by an embodiment of the invention.
Fig. 3 shows a flowchart of data registration information processing in the method provided by the embodiment of the invention.
Fig. 4 shows a flowchart of data directory information exchange in the method provided by the embodiment of the present invention.
Fig. 5 shows a flowchart of security identification of the data directory information in the method provided by the embodiment of the present invention.
Fig. 6 shows a flow chart of secure publishing of data assets in a method provided by an embodiment of the invention.
Fig. 7 shows an application architecture diagram of a system provided by an embodiment of the invention.
Fig. 8 is a block diagram illustrating a structure of a registration management storage unit in the system according to the embodiment of the present invention.
Fig. 9 shows a block diagram of an information security identification unit in the system according to the embodiment of the present invention.
Fig. 10 shows a block diagram of a security policy issuing unit in the system according to the embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
It can be understood that, in the prior art, data asset management methods and systems generally cannot analyze the data assets accurately and sufficiently, cannot provide comprehensive security identification for the data assets, cannot invoke the orchestration, scheduling and execution of the data asset security policies, and thus cannot protect the data assets securely.
In order to solve the above problems, the embodiment of the present invention manages data registration of data assets, generates data directory information in a data center station, and uploads and stores the data assets; exchanges the data directory information to a security middle station; in the security middle station, performs security identification of three dimensions, namely a secret domain, an application domain and an environment domain, on the data directory information to generate security identification data information; and performs security policy calculation according to the security identification data information to generate a policy decision, and securely releases the data assets according to the policy decision. The data assets can thus be registered and managed, the data directory information is security-identified in the three dimensions of secret domain, application domain and environment domain, security policy calculation is performed using the security identification, and secure release is carried out according to the policy decision, so that the security protection of the data assets is improved.
Fig. 1 shows a flow chart of a method provided by an embodiment of the invention.
Specifically, the data asset management method comprises the following steps:
Step S101, managing data registration of data assets, generating data directory information in a data center station, and uploading and storing the data assets.
In the embodiment of the invention, the data registration information produced when a user registers data according to the registration data resource directory is obtained and managed, the data directory information is generated in the data center station, the data assets are uploaded to the designated storage location, and the storage location of the data assets is hooked with the data directory information, so that the data asset files can be conveniently downloaded by accessing the data directory information.
Specifically, Fig. 2 shows a flow chart of data asset registration management and storage in the method provided by the embodiment of the invention.
In a preferred embodiment of the present invention, the managing data registration of data assets, generating data directory information in a data center station, and uploading and storing the data assets specifically includes the following steps:
Step S1011, acquiring data registration information of the data asset.
In the embodiment of the invention, the data registration information produced when the user registers the data assets according to the registration data resource directory is obtained.
It is understood that the registration data resource directory includes: directory classification, data resource name, data resource number, data resource storage format, data resource abstract, data type, storage capacity, record number, data consumption mode, data item name, data item type, data item length, update cycle, storage physical location, storage network location, data resource directory consumption mode introduction, consumption mode example information, data materialization information and the like.
Step S1012, calling an interface of the data center station, and synchronizing the data registration information to the data center station.
In the embodiment of the invention, after the acquisition of the data registration information is completed, the data center station synchronously acquires the data registration information through an interface.
Step S1013, processing the data registration information in the data center station to generate data directory information.
In the embodiment of the present invention, the data directory information is generated by performing editing, materialization and similar processing on the data registration information in the data center station.
Specifically, Fig. 3 shows a flowchart of data registration information processing in the method provided by the embodiment of the present invention.
In a preferred embodiment of the present invention, the processing the data registration information in the data center station to generate the data directory information specifically includes:
Step S10131, editing the data registration information to generate data editing information.
In the embodiment of the present invention, the data registration information is edited and corrected to generate the data editing information.
Step S10132, determining whether the data asset is registered according to the data editing information.
In an embodiment of the present invention, whether the data asset is registered is determined by polling the data editing information in the data center station.
Step S10133, if the data asset is registered, canceling the data editing information.
In the embodiment of the invention, when the data assets are registered, the data editing information is canceled, and the corresponding data assets are canceled.
Step S10134, if the data asset is not registered, cataloging the data editing information to generate data directory information.
In the embodiment of the invention, when the data assets are not registered, the data editing information is cataloged, and the various items of directory information in the data editing information are sorted to generate the data directory information.
Further, the managing the data registration of the data assets, generating data directory information in the data center station, and uploading and storing the data assets further comprises the following steps:
Step S1014, uploading and storing the data assets, generating a storage address, and hooking the storage address with the data directory information.
In the embodiment of the invention, the data asset file is uploaded to the designated storage location, the storage address is generated and hooked with the data directory information, and the data asset file can be downloaded through the data directory information when the data directory information is accessed.
Further, the data asset management method further comprises the following steps:
Step S102, exchanging the data directory information to a security middle station by means of a data interface.
In the embodiment of the invention, the data interface is provided by the security middle station; the data center station calls the interface and exchanges the data directory information required by the security middle station to the security middle station, and the exchange result is fed back after the exchange of the data directory information is completed.
Specifically, Fig. 4 shows a flowchart of data directory information exchange in the method provided by the embodiment of the present invention.
In a preferred embodiment of the present invention, the exchanging the data directory information to the security middle station through the data interface specifically includes the following steps:
Step S1021, publishing an interface according to the storage address to generate a data interface.
In an embodiment of the invention, the security middle station provides a data interface according to the storage address of the data asset file.
Step S1022, exchanging the data directory information to the security middle station through the data interface.
In the embodiment of the invention, the data center station calls the interface and exchanges the data directory information required by the security middle station to the security middle station; after the exchange of the data directory information is completed, the security middle station calls back the interface of the data center station to report the exchange result of the data directory information.
Further, the data asset management method further comprises the following steps:
Step S103, in the security middle station, performing security identification of three dimensions, namely a secret domain, an application domain and an environment domain, on the data directory information to generate security identification data information.
In the embodiment of the invention, a profiling ("portrait") operation is executed on the data directory information, and security identification of three dimensions, namely a secret domain, an application domain and an environment domain, is carried out. The secret domain dimension adds a secret-domain security identifier to the data directory information, and comprises: secure registration, secure manner, etc.; the application domain dimension adds an application-domain security identifier to the data directory information, and comprises: data display, data analysis, production decision and the like; the environment domain dimension adds an environment-domain security identifier to the data directory information, and comprises: encrypted transmissions, authorized access, non-downloadable, and the like.
Specifically, Fig. 5 shows a flowchart of security identification of the data directory information in the method provided by the embodiment of the present invention.
In a preferred embodiment provided by the present invention, in the security middle station, the performing security identification of three dimensions, namely a secret domain, an application domain and an environment domain, on the data directory information by using a data interface to generate the security identification data information specifically includes the following steps:
Step S1031, performing security identification of the secret domain on the data directory information to generate first security identification information.
In the embodiment of the invention, a security identifier is added to the data directory information through a security secret domain tag component to generate the first security identification information, and the security identifier of the secret domain comprises: secure registration, secure manner, etc.
Step S1032, performing security identification of the application domain on the first security identification information to generate second security identification information.
In the embodiment of the invention, a security identifier is added to the data directory information through a security application domain tag component to generate the second security identification information, and the application domain security identifier comprises: data presentation, data analysis, production decision, and the like.
Step S1033, performing security identification of the environment domain on the second security identification information to generate security identification data information.
In the embodiment of the present invention, a security identifier is added to the data directory information by a security environment domain tag component to generate the security identification data information, where the environment domain security identifier includes: encrypted transmissions, authorized access, non-downloadable, and the like.
Further, the data asset management method further comprises the following steps:
Step S104, performing security policy calculation according to the security identification data information, generating a policy decision, and securely releasing the data assets according to the policy decision.
In the embodiment of the invention, the security middle station performs security policy calculation on the data assets across four dimensions, namely the security identification data information, the user security identification, the endpoint security identification and the security device security identification, generates a policy decision by combining information such as security event analysis, security information and security situational awareness, and securely releases the data assets according to the policy decision.
Specifically, Fig. 6 shows a flow chart of secure publishing of data assets in the method provided by the embodiment of the invention.
In a preferred embodiment provided by the present invention, the performing security policy calculation according to the security identification data information to generate a policy decision, and performing security release on the data asset according to the policy decision specifically includes the following steps:
Step S1041, performing security policy calculation on the data assets through the security identification data information to generate a policy decision.
In the embodiment of the invention, the security middle station performs security policy calculation using the security identification data information in combination with the user security identification, the endpoint security identification and the security device security identification to generate a policy decision.
Step S1042, acquiring the security environment information.
In the embodiment of the invention, security environment information such as security event analysis, security information and security situational awareness is obtained.
Step S1043, generating a policy execution engine according to the security environment information and the policy decision.
In the embodiment of the invention, a policy execution engine for orchestrating the policy decision is generated according to the security environment information and the policy decision.
Step S1044, driving the secure release of the data assets according to the policy execution engine.
In the embodiment of the invention, the release of the data assets is driven by the policy execution engine, so that security protection is applied during the release process and the security protection capability of the data assets is improved.
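The following sketch of steps S103 and S104 is an added illustration and is not code from the patent. It chains the three domain labels in the order S1031 to S1033 and then computes a policy decision from the data labels together with user, endpoint and security-device attributes. The level names, the `Request` fields, the sample entry and every rule in `decide` are assumptions, since the description names the dimensions but does not define the calculation.

```python
from dataclasses import dataclass, field

# Assumed vocabulary: the description names the three domains and a few
# example labels, but defines no levels or rules. All of it is illustrative.
LEVELS = {"public": 0, "internal": 1, "confidential": 2}
DOMAIN_ORDER = ("secret", "application", "environment")  # S1031 -> S1032 -> S1033


@dataclass(frozen=True)
class CatalogEntry:
    """Data directory information plus the security identifiers added to it."""
    name: str
    storage_address: str
    labels: dict = field(default_factory=dict)


def add_label(entry, domain, value):
    """Return a new entry with one more domain labelled, enforcing the order."""
    done = len(entry.labels)
    expected = DOMAIN_ORDER[done] if done < len(DOMAIN_ORDER) else None
    if domain != expected:
        raise ValueError(f"expected {expected!r} label next, got {domain!r}")
    if domain == "secret" and value not in LEVELS:
        raise ValueError(f"unknown secret-domain level {value!r}")
    return CatalogEntry(entry.name, entry.storage_address,
                        {**entry.labels, domain: value})


@dataclass(frozen=True)
class Request:
    """The other three dimensions of the calculation, plus environment info."""
    user_clearance: str          # user security identification (assumed form)
    purpose: str                 # what the user wants the data for
    endpoint_managed: bool       # endpoint security identification
    channel_encrypted: bool      # reported by the security device on the path
    alert_active: bool = False   # security environment information


@dataclass(frozen=True)
class Decision:
    effect: str                  # "permit" or "deny"
    obligations: tuple = ()
    reason: str = ""


def decide(entry, req):
    """Compute a policy decision; a missing label or unmet rule denies."""
    missing = [d for d in DOMAIN_ORDER if d not in entry.labels]
    if missing:
        return Decision("deny", reason=f"unlabelled domains: {missing}")
    level = entry.labels["secret"]
    controls = entry.labels["environment"]
    if LEVELS.get(req.user_clearance, -1) < LEVELS[level]:
        return Decision("deny", reason="user clearance below data level")
    if req.purpose not in entry.labels["application"]:
        return Decision("deny", reason="purpose not in application domain")
    if "encrypted transmission" in controls and not req.channel_encrypted:
        return Decision("deny", reason="channel not encrypted")
    if "authorized access" in controls and not req.endpoint_managed:
        return Decision("deny", reason="unmanaged endpoint")
    if req.alert_active and level == "confidential":
        return Decision("deny", reason="active security alert")
    obligations = ("view-only",) if "non-downloadable" in controls else ()
    return Decision("permit", obligations, "all four dimensions satisfied")


def label_sample():
    """Constructed sample entry, labelled in the order of steps S1031-S1033."""
    e = CatalogEntry("turbine-telemetry", "store://assets/0001")  # constructed
    e = add_label(e, "secret", "confidential")
    e = add_label(e, "application", frozenset({"data analysis", "data display"}))
    return add_label(e, "environment",
                     frozenset({"encrypted transmission", "non-downloadable"}))


if __name__ == "__main__":
    entry = label_sample()
    print(decide(entry, Request("confidential", "data analysis", True, True)))
    print(decide(entry, Request("internal", "data analysis", True, True)))
```

An entry that has not passed through all three labelling steps is denied rather than released, so a failure in the labelling stage cannot silently widen access.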
Further, Fig. 7 is a diagram illustrating an application architecture of the system according to the embodiment of the present invention.
In another preferred embodiment, a data asset management system includes:
a registration management storage unit 101, configured to manage data registration of data assets, generate data directory information in a data center station, and upload and store the data assets.
In the embodiment of the present invention, the registration management storage unit 101 acquires the data registration information produced when a user registers data according to a registration data resource directory, manages the data registration information, generates data directory information in the data center station, uploads the data assets to a specified storage location, and hooks the storage location of the data assets with the data directory information, so that the data asset files can be downloaded by accessing the data directory information.
Specifically, fig. 8 shows a block diagram of the structure of the registration management storage unit 101 in the system according to the embodiment of the present invention.
In a preferred embodiment of the present invention, the registration management storage unit 101 specifically includes:
A registration information obtaining module 1011, configured to obtain data registration information of the data asset.
In the embodiment of the present invention, the registration information obtaining module 1011 obtains the data registration information produced when a user registers the data assets according to a registration data resource directory.
A registration information synchronization module 1012, configured to invoke an interface of the data center station and synchronize the data registration information to the data center station.
In this embodiment of the present invention, the registration information synchronization module 1012 causes the data center station to acquire the data registration information synchronously through an interface.
A registration information processing module 1013, configured to process the data registration information in the data center station to generate data directory information.
In the embodiment of the present invention, the registration information processing module 1013 performs processing such as editing and cataloguing on the data registration information to generate data directory information.
An upload storage hooking module 1014, configured to upload and store the data assets, generate a storage address, and hook the storage address to the data directory information.
In the embodiment of the present invention, the upload storage hooking module 1014 uploads the data asset file to a designated storage location, generates a storage address, and hooks the storage address to the data directory information, so that the data asset file can be downloaded when the data directory information is accessed.
Further, the data asset management system further includes:
an interface information exchange unit 102, configured to exchange the data directory information to a security middlebox by way of a data interface.
In the embodiment of the present invention, the interface information exchange unit 102 has the security middlebox provide a data interface; the data center station calls the interface, exchanges the data directory information required by the security middlebox to the security middlebox, and feeds back an exchange result once the exchange of the data directory information is complete.
An information security identification unit 103, configured to perform security identification in three dimensions, namely a secret domain, an application domain and an environment domain, on the data directory information in the security middlebox to generate security identification data information.
In the embodiment of the present invention, the information security identification unit 103 performs a profiling (portrait) operation on the data directory information in order to apply security identification in three dimensions, namely the secret domain, the application domain and the environment domain.
Specifically, fig. 9 shows a block diagram of a structure of the information security identification unit 103 in the system according to the embodiment of the present invention.
In a preferred embodiment provided by the present invention, the information security identification unit 103 specifically includes:
a secret domain identification module 1031, configured to perform a security identification of the secret domain on the data directory information, and generate first security identification information.
In this embodiment of the present invention, the secret domain identification module 1031 adds a security identification to the data directory information through a security secret domain tag component to generate first security identification information, where the secret domain security identification includes: secure registration, secure manner, etc.
An application domain identification module 1032, configured to perform security identification of the application domain on the first security identification information, and generate second security identification information.
In this embodiment of the present invention, the application domain identification module 1032 adds a security identification to the data directory information through a security application domain tag component, and generates second security identification information, where the application domain security identification includes: data presentation, data analysis, production decision, and the like.
An environment domain identification module 1033, configured to perform security identification of an environment domain on the second security identification information, and generate security identification data information.
In this embodiment of the present invention, the environment domain identification module 1033 adds a security identification to the data directory information through a security environment domain tag component, and generates security identification data information, where the environment domain security identification includes: encrypted transmission, authorized access, non-downloadable, and the like.
Further, the data asset management system further includes:
a security policy issuing unit 104, configured to perform security policy calculation according to the security identification data information, generate a policy decision, and securely publish the data asset according to the policy decision.
In the embodiment of the present invention, the security policy issuing unit 104 controls the security middlebox to perform security policy calculation on the data asset across four dimensions, namely the security identification data information, the user security identification, the endpoint security identification and the security device security identification, generates a policy decision in combination with information such as security event analysis, security information and security situation awareness, and securely publishes the data asset according to the policy decision.
Specifically, fig. 10 shows a block diagram of a security policy issuing unit 104 in the system according to the embodiment of the present invention.
In an embodiment of the present invention, the security policy issuing unit 104 specifically includes:
A security policy calculation module 1041, configured to perform security policy calculation on the data asset through the security identification data information, and generate a policy decision.
In this embodiment of the present invention, the security policy calculation module 1041 controls the security middlebox to perform security policy calculation using the security identification data information, combined with the user security identification, the endpoint security identification and the security device security identification, so as to generate a policy decision.
An environment information obtaining module 1042, configured to obtain the security environment information.
In the embodiment of the present invention, the environment information obtaining module 1042 obtains security environment information such as security event analysis, security information and security situation awareness.
An execution engine generating module 1043, configured to generate a policy execution engine according to the security environment information and the policy decision.
In this embodiment of the present invention, the execution engine generating module 1043 generates a policy execution engine for orchestrating the policy decision according to the security environment information and the policy decision.
A data security publishing module 1044, configured to drive the secure publication of the data asset according to the policy execution engine.
In the embodiment of the present invention, the data security publishing module 1044 drives the publication of the data asset according to the policy execution engine, so that security protection is applied during the publication process, thereby improving the security protection capability for the data asset.
In summary, the embodiment of the present invention can perform registration management on data assets, perform security identification in three dimensions, namely a secret domain, an application domain and an environment domain, on the data directory information, then perform security policy calculation through the security identification, and securely publish the data assets according to the policy decision, thereby effectively improving the security protection of the data assets.
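The flow summarized above (three-domain identification in a fixed order, a policy calculation over the data, user, endpoint and security device identifications, then an execution plan built from the decision and the security environment information) is shown here as an added Python example, not code from the patent. The clearance scale, the rule set, the `threat_level` input and every name in the code are assumptions, since the description does not specify how the calculation is performed; only the application-domain and environment-domain value names are taken from the description.

```python
from dataclasses import dataclass, field, replace

DOMAIN_ORDER = ("secret", "application", "environment")  # order used in the description
SECRET_LEVELS = {"public": 0, "internal": 1, "confidential": 2}  # assumed scale

@dataclass
class CatalogEntry:
    name: str
    storage_address: str                      # hooked to the directory entry
    labels: dict = field(default_factory=dict)

def identify(entry, domain, value):
    """Add one domain's security identification; domains must follow DOMAIN_ORDER."""
    done = len(entry.labels)
    if done >= len(DOMAIN_ORDER) or DOMAIN_ORDER[done] != domain:
        raise ValueError(f"unexpected domain {domain!r} at stage {done}")
    return replace(entry, labels={**entry.labels, domain: value})

@dataclass
class Request:
    user_clearance: str     # user security identification (assumed form)
    purpose: str            # intended use, matched against the application domain
    endpoint_managed: bool  # endpoint security identification (assumed form)
    gateway_encrypts: bool  # security device security identification (assumed form)

def compute_decision(entry, req):
    """Security policy calculation: returns (allow, reason, obligations)."""
    if set(entry.labels) != set(DOMAIN_ORDER):
        return False, "entry not fully identified", []
    if SECRET_LEVELS[req.user_clearance] < SECRET_LEVELS[entry.labels["secret"]]:
        return False, "clearance below secret-domain level", []
    if req.purpose not in entry.labels["application"]:
        return False, "purpose outside application domain", []
    env, obligations = entry.labels["environment"], []
    if "encrypted_transmission" in env:
        if not req.gateway_encrypts:
            return False, "no encrypting security device on path", []
        obligations.append("encrypt_channel")
    if "authorized_access" in env:
        # Assumption: authorized access is tied to a managed endpoint.
        if not req.endpoint_managed:
            return False, "endpoint not authorized", []
        obligations.append("check_authorization")
    if "non_downloadable" in env:
        obligations.append("block_download")
    return True, "permitted", obligations

def build_execution_plan(decision, entry, threat_level):
    """Policy execution engine: orchestrate the decision into ordered steps.

    threat_level stands in for the security environment information; an
    elevated level tightens the plan without changing the decision itself.
    """
    allow, reason, obligations = decision
    if not allow:
        return [f"refuse:{reason}"]
    steps = list(obligations)
    if threat_level == "elevated" and "block_download" not in steps:
        steps.append("block_download")
    return steps + [f"publish:{entry.storage_address}"]

def demo_entry():
    """Constructed catalog entry, labelled domain by domain."""
    e = CatalogEntry("turbine-telemetry", "store://constructed/turbine-telemetry")
    e = identify(e, "secret", "internal")
    e = identify(e, "application", {"data_presentation", "data_analysis"})
    return identify(e, "environment", {"encrypted_transmission", "authorized_access"})

if __name__ == "__main__":
    entry = demo_entry()
    analyst = Request("internal", "data_analysis", True, True)
    for level in ("normal", "elevated"):
        print(level, build_execution_plan(compute_decision(entry, analyst), entry, level))
```

An entry that has not received all three identifications is refused by default, which keeps an unlabelled asset from being published by omission.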
It should be understood that, although the steps in the flowcharts of the embodiments of the present invention are shown in sequence as indicated by the arrows, the steps are not necessarily performed in that sequence. Unless explicitly stated otherwise, the steps are not strictly limited to the order shown and described, and may be performed in other orders. Moreover, at least a portion of the steps in various embodiments may include multiple sub-steps or multiple stages that are not necessarily performed at the same time, but may be performed at different times, and the order of performance of the sub-steps or stages is not necessarily sequential, but may be performed in turn or alternately with other steps or at least a portion of the sub-steps or stages of other steps.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by a computer program, which can be stored in a non-volatile computer-readable storage medium and which, when executed, can carry out the processes of the method embodiments described above. Any reference to memory, storage, database, or other medium used in the embodiments provided herein may include non-volatile and/or volatile memory, among others. Non-volatile memory can include read-only memory (ROM), Programmable ROM (PROM), Electrically Programmable ROM (EPROM), Electrically Erasable Programmable ROM (EEPROM), or flash memory. Volatile memory can include Random Access Memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), Rambus Direct RAM (RDRAM), Direct Rambus Dynamic RAM (DRDRAM), and Rambus Dynamic RAM (RDRAM).
The technical features of the embodiments described above may be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the embodiments described above are not described, but should be considered as being within the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present invention, and their description is relatively specific and detailed, but this should not be construed as limiting the scope of the present invention. It should be noted that various changes and modifications can be made by those skilled in the art without departing from the spirit of the invention, and these changes and modifications are all within the scope of the invention. Therefore, the protection scope of the present patent shall be subject to the appended claims.
The above description is intended to be illustrative of the preferred embodiment of the present invention and should not be taken as limiting the invention, but rather, the intention is to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

Claims (10)

1. A data asset management method is characterized by specifically comprising the following steps:
managing data registration of data assets, generating data directory information in a data center station, and uploading and storing the data assets;
exchanging the data directory information to a security middlebox in a data interface mode;
in the security middlebox, security identification of three dimensions of a secret domain, an application domain and an environment domain is carried out on the data directory information to generate security identification data information;
and performing security policy calculation according to the security identification data information to generate a policy decision, and performing security release on the data assets according to the policy decision.
2. The data asset management method according to claim 1, wherein the managing of data registration of data assets, generating data directory information in a data center station, and uploading and storing the data assets specifically comprises the steps of:
acquiring data registration information of the data assets;
calling an interface of a data center station, and synchronizing the data registration information to the data center station;
processing the data registration information in the data center station to generate data directory information;
and uploading and storing the data assets, generating a storage address, and hooking the storage address with the data directory information.
3. The data asset management method according to claim 2, wherein said processing said data registration information in said data center station to generate data directory information specifically comprises the steps of:
editing the data registration information to generate data editing information;
judging whether the data assets are registered or not according to the data editing information;
if the data assets are registered, logging off the data editing information;
and if the data assets are not registered, performing catalogue processing on the data editing information to generate data catalogue information.
4. The method according to claim 2, wherein said exchanging said data directory information to a security middlebox via a data interface comprises the steps of:
interface issuing is carried out according to the storage address, and a data interface is generated;
and exchanging the data directory information to a security middlebox through the data interface.
5. The data asset management method according to claim 1, wherein in the security middlebox, security identification of three dimensions of a secret domain, an application domain and an environment domain is performed on the data directory information, and generating the security identification data information specifically includes the following steps:
carrying out security identification of a secret domain on the data directory information to generate first security identification information;
performing security identification of an application domain on the first security identification information to generate second security identification information;
and carrying out the security identification of the environment domain on the second security identification information to generate security identification data information.
6. The data asset management method according to claim 1, wherein said performing security policy calculation based on said security identification data information to generate a policy decision, and said securely publishing said data asset based on said policy decision specifically comprises the steps of:
performing security policy calculation on the data assets through the security identification data information to generate a policy decision;
acquiring security environment information;
generating a policy execution engine according to the security environment information and the policy decision;
driving secure publication of the data asset according to the policy execution engine.
7. A data asset management system is characterized in that the system comprises a registration management storage unit, an interface information exchange unit, an information security identification unit and a security policy issuing unit, wherein:
the registration management storage unit is used for managing data registration of the data assets, generating data directory information in a data center station and uploading and storing the data assets;
the interface information exchange unit is used for exchanging the data directory information to a security middlebox in a data interface mode;
the information security identification unit is used for carrying out security identification of three dimensions, namely a secret domain, an application domain and an environment domain, on the data directory information in the security middlebox to generate security identification data information;
and the security policy issuing unit is used for performing security policy calculation according to the security identification data information, generating a policy decision and issuing the data assets in a security manner according to the policy decision.
8. The data asset management system according to claim 7, wherein said registration management storage unit specifically comprises:
the registration information acquisition module is used for acquiring data registration information of the data assets;
the registration information synchronization module is used for calling an interface of a data center station and synchronizing the data registration information to the data center station;
the registration information processing module is used for processing the data registration information in the data center station to generate data directory information;
and the uploading storage hooking module is used for uploading and storing the data assets, generating a storage address and hooking the storage address with the data directory information.
9. The data asset management system according to claim 7, wherein the information security identification unit specifically comprises:
the secret domain identification module is used for carrying out the security identification of the secret domain on the data directory information to generate first security identification information;
the application domain identification module is used for carrying out security identification of an application domain on the first security identification information to generate second security identification information;
and the environment domain identification module is used for carrying out the security identification of the environment domain on the second security identification information to generate security identification data information.
10. The data asset management system according to claim 7, wherein the security policy issuing unit specifically includes:
the security policy calculation module is used for performing security policy calculation on the data assets through the security identification data information to generate a policy decision;
the environment information acquisition module is used for acquiring the security environment information;
the execution engine generation module is used for generating a policy execution engine according to the security environment information and the policy decision;
and the data security issuing module is used for driving the security issuing of the data assets according to the policy execution engine.
CN202111662653.2A 2021-12-31 2021-12-31 Data asset management method and system Active CN114531267B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111662653.2A CN114531267B (en) 2021-12-31 2021-12-31 Data asset management method and system


Publications (2)

Publication Number Publication Date
CN114531267A true CN114531267A (en) 2022-05-24
CN114531267B CN114531267B (en) 2024-01-23

Family

ID=81621352

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111662653.2A Active CN114531267B (en) 2021-12-31 2021-12-31 Data asset management method and system

Country Status (1)

Country Link
CN (1) CN114531267B (en)

Also Published As

Publication number Publication date
CN114531267B (en) 2024-01-23

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant