CN115967564A - Data content protection method and storage medium - Google Patents
- Publication number: CN115967564A (application CN202211664369.3A)
- Authority: CN (China)
- Prior art keywords: security policy, data, policy, security, information
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
- Classification (landscape): Storage Device Security
Abstract
The invention discloses a data content protection method and a storage medium. The method comprises the following steps: acquiring, at the master node of a security policy cluster, security policy information configured by a data providing source; transmitting the security policy information to a first data processing system connected to the master node and to the slave nodes of the security policy cluster; and, according to a commit request from the master node, controlling the first data processing system and the slave nodes to add a security policy entry corresponding to the security policy information. The embodiment solves the problem that security policies are not updated in a timely manner during existing data access: by synchronizing security policy information through the security policy cluster it configures the security policy of every node in the system, reduces the difficulty of data access configuration, and keeps the security policy content extensible.
Description
Technical Field
The invention relates to the technical field of data security, in particular to a data content protection method and a storage medium.
Background
The big data all-in-one machine is an integrated hardware-and-software product covering the whole chain of big data storage, processing and presentation; it addresses the continuous expansion of infrastructure in the big data era and can reduce the storage cost of mass data. At present, in a data circulation all-in-one machine built from multiple data components, each data component needs its own security policy, and the definition and usage of that policy have to be agreed between components. The common data protection approaches are a distributed security policy scheme and a scheme based on a static security plug-in. In the distributed scheme, a user-defined security policy is configured for each component of the all-in-one system, so a separate policy file must be maintained for every product on the data link, and complex security configurations can only be built by hand. In the static plug-in scheme, a complex security policy has to be hard-coded and integrated into the data component through the plug-in, so the implementation logic must be updated continually as the security scenario changes and rules are extended, and the security policy cannot be adjusted to the security scenario in time.
Disclosure of Invention
Embodiments of the present invention provide a data content protection method and a storage medium that adjust the security policy entries of a data processing system in real time through a security policy cluster, reducing the difficulty of implementing security policies and improving the security of data protection.
According to one aspect of the present invention, a data content protection method applied to a security policy cluster is provided; the method includes:
acquiring, at the master node of the security policy cluster, security policy information configured by a data providing source;
transmitting the security policy information to a first data processing system of the master node and to the slave nodes of the security policy cluster;
and, according to a commit request from the master node, controlling the first data processing system and the slave nodes to add a security policy entry corresponding to the security policy information.
According to another aspect of the present invention, another data content protection method applied to a data processing system is provided; the method includes:
generating a security policy object in response to a data call request and obtaining a security policy entry;
generating a security operation tree for the security policy entry according to the security policy object;
and determining a request processing result for the data call request according to the security operation tree.
According to another aspect of the present invention, there is provided a computer-readable storage medium storing computer instructions for causing a processor to implement the data content protection method according to any one of the embodiments of the present invention when the computer instructions are executed.
According to the technical solution of the embodiments, the security policy information configured by the data providing source is obtained at the master node of the security policy cluster, transmitted to the first data processing system connected to the master node and to the slave nodes of the cluster, and, on the master node's commit request, security policy entries corresponding to that information are added at the first data processing system and the slave nodes. This addresses the problem that security policies are not updated in time during existing data access: the security policy of every node in the system is configured by synchronizing the security policy information through the security policy cluster, the difficulty of data access configuration is reduced, and the security policy content remains extensible.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flow chart of a method for protecting data content according to an embodiment of the present invention;
fig. 2 is a schematic structural diagram of a security policy cluster provided according to an embodiment of the present invention;
FIG. 3 is a flow chart of a method for protecting data content according to an embodiment of the present invention;
FIG. 4 is a flow chart of another method for protecting data content according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating an example of data content protection provided in accordance with an embodiment of the present invention;
FIG. 6 is an exemplary diagram of another data content protection example provided in accordance with an embodiment of the present invention;
FIG. 7 is a schematic structural diagram of a data content protection device according to an embodiment of the present invention;
FIG. 8 is a schematic structural diagram of another data content protection device provided in accordance with an embodiment of the present invention;
fig. 9 is a schematic structural diagram of an electronic device implementing the data content protection method according to the embodiment of the present invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Moreover, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Fig. 1 is a flowchart of a data content protection method according to an embodiment of the present invention. This embodiment applies to data security protection in an all-in-one machine system, and the method may be executed by a data content protection device implemented in hardware and/or software and deployed in a security policy cluster. Referring to fig. 2, the security policy cluster may use a master-slave architecture in which a master node is connected to multiple slave nodes and manages their security policy information. As shown in fig. 1, the method includes:
Step 110: acquire, at the master node of the security policy cluster, the security policy information configured by a data providing source.
The data providing source may be a local data source or a third-party data source. The security policy information is policy information that protects the security of data content during a data transaction; it may include policy requirements for checking that the data delivered to a data consumer meets the policy, and policy requirements for checking that a received data access request may be released (allowed to proceed), and it is configured by the data providing source according to its own needs.
In this embodiment, the master node of the security policy cluster may monitor the data providing source; when the data providing source dynamically configures security policy information, the master node obtains it. There may be one or more pieces of security policy information, and each may include a policy name, policy type, policy service, policy content specification, policy alarm level, policy description and similar fields.
Step 120: transmit the security policy information to the first data processing system of the master node and to the slave nodes of the security policy cluster.
The first data processing system is a data processing system connected to the master node and may include a data security gateway application, a database management system, a database access application and the like. A slave node is a node of the security policy cluster to which the master node belongs; it receives the security policy information transmitted by the master node and applies it to the data processing system connected to the slave node.
In this embodiment, the master node transmits the received security policy information to the first data processing system and to the slave nodes of the cluster. Before sending to a slave node, the master node may also monitor that node's operating state and send the security policy information only to slave nodes that are operating normally.
In some embodiments, the master node and each slave node sense the overall online state of the cluster through a heartbeat mechanism; after receiving the security policy information, the master node transmits it only to slave nodes whose heartbeat is observed to be normal.
Step 130: according to a commit request from the master node, control the first data processing system and the slave nodes to add a security policy entry corresponding to the security policy information.
A security policy entry is the portion of the security policy information that states how the data content is protected; it may be an identifier or name of the policy content, and different security policy entries represent different security policy contents.
In this embodiment, the master node transmits a commit request to the first data processing system and the slave nodes. The commit request instructs them to perform data protection according to the previously transmitted security policy information, and may be sent over a preset transmission protocol. On receiving the commit request, the first data processing system and the slave nodes extract one or more security policy entries from the previously received security policy information, and the extracted entries are added as the security policy entries used to protect data content. A commit therefore has to be matched to the security policy information it refers to; a node that receives a commit for information it never received has nothing to extract, which is why the policy sequence number carried in the security policy information is used for consistency checks between the master node and the slave nodes.
In this embodiment, the master node of the security policy cluster obtains the security policy information configured by the data providing source, transmits it to the first data processing system connected to the master node and to the slave nodes of the cluster, and, on the master node's commit request, the security policy entries corresponding to that information are added at the first data processing system and the slave nodes, which solves the problem that security policies are not updated in time during existing data access.
Fig. 3 is a flowchart of a data content protection method according to an embodiment of the present invention, which refines the embodiment above. Referring to fig. 3, the method specifically includes the following steps:
Step 210: acquire, at the master node of the security policy cluster, the security policy information configured by the data providing source.
Step 220: transmit the security policy information to the first data processing system of the master node and to the slave nodes of the security policy cluster.
Step 230: determine, from the allowable threshold and the number of acknowledgements the master node receives from the slave nodes for the security policy information, that the security policy information has been issued successfully.
The allowable threshold is the critical value used to decide that the security policy information was issued successfully; it may be the minimum number of slave nodes that must acknowledge receipt of the security policy information.
In this embodiment, after the master node transmits the security policy information it receives the acknowledgements fed back by the slave nodes, counts the slave nodes that acknowledged, compares that count with the allowable threshold, and determines that the security policy information was issued successfully when the count exceeds the allowable threshold. A practical caveat: slave nodes that did not acknowledge still hold the old policy after the commit, so the threshold should be set with the number of live slave nodes in mind, and nodes that fell behind need to catch up before they are trusted to enforce the current policy.
Step 240: according to the commit request from the master node, control the first data processing system and the slave nodes to add the security policy entry corresponding to the security policy information.
Step 250: transmit, from the slave node, the security policy information to the second data processing system of the slave node.
The second data processing system is a data processing system connected to the slave node and may include one or more of a data security gateway application, a database management system and a database access application.
In this embodiment, after receiving the security policy information from the master node, the slave node transmits it to the second data processing system connected to it; the security policy information may be pushed to the second data processing system by the slave node or pulled from the slave node by the second data processing system.
Step 260: in response to the commit request from the master node, control the second data processing system, via the slave node, to add the new security policy entry.
In this embodiment, the slave node receives the commit request from the master node, extracts the security policy entry from the security policy information it transmitted to the second data processing system, and adds that entry to the security policy the second data processing system uses for data content protection.
Step 270: acquire, through the security policy cluster, the topology information of the security gateways, and construct a data flow path.
A security gateway is a device that performs data content access control, access auditing, dynamic desensitization and the like among the devices protected by the security policy cluster. The topology information is the network connectivity of the security gateways among those protected devices and represents the paths along which data flows in the network.
In this embodiment, the security policy cluster is controlled to obtain the topology information of the security gateways in the network; one or more topology paths are selected from it along the data flow direction as data flow paths. A data flow path is a part of the topology information and reflects the order in which data passes through the different security gateways.
Step 280: display how the security policy entries are applied along the data flow path.
In this embodiment, the application of security policy entries may be visualized on the determined data flow path, for example by marking the security policy entries used by different nodes on the path, or by marking the nodes that use a given security policy entry with a distinct color or pattern.
This embodiment solves the problem that security policies are not updated in time during existing data access; the security policy of every node in the system is configured by synchronizing security policy information through the security policy cluster, the difficulty of data access configuration is reduced, and the security policy content remains extensible.
Further, on the basis of the above embodiment, the security policy information consists of at least one of: a policy sequence number, a policy name, a policy type, a policy service, a policy content specification, a policy alarm level, and a policy description.
In this embodiment, the security policy information is a transmission message built in a specified format and may consist of a policy sequence number, policy name, policy type, policy service, policy content specification, policy alarm level, policy description and the like, transmitted as such. The policy sequence number is a unique identifier of the policy entity and is used for consistency checks during transmission between the master node and the slave nodes. The policy name is the name of the security policy entry. The policy type identifies the category the policy belongs to and may be an application type or an inspection type: an application-type entry checks whether output data meets requirements, such as privacy query and dynamic desensitization requirements, while an inspection-type entry checks whether access requests meet requirements, such as SQL protection, user permission control, metadata access control, and network address blacklists and whitelists. The policy service is the type of service within the all-in-one machine system that applies the policy. The policy content specification is the usage specification of the Domain Specific Language (DSL) in which the policy is described. The policy alarm level is the security level assigned to each security policy entry, preset by the data providing side according to the impact and scope of an abnormal operation. The policy description specifies the content of the security policy entry.
Further, on the basis of the above embodiment, the security policy information is transmitted between the master node and the slave nodes in heartbeat packets.
In this embodiment, heartbeat monitoring may be performed between the master node and the slave nodes of the security policy cluster, and the security policy information may be carried in the heartbeat packets used by that monitoring.
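The following is an added example (not code from the patent or from any product it describes) that models steps 110-130 and 210-260 above in plain Python: a master node sends security policy information to the slave nodes whose heartbeat is alive, counts acknowledgements against the allowable threshold, and only then sends the commit that turns the information into a security policy entry. The node names, the `PolicyInfo` field set, the prepare/commit method names and the strictly increasing use of the policy sequence number are assumptions made for illustration; the patent does not specify a wire format.

```python
"""Two-phase (send, acknowledge, commit) policy sync between a master and slave nodes."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class PolicyInfo:
    """Security policy information with the fields the page lists (assumed types)."""
    seq: int              # policy sequence number: unique id used for consistency checks
    name: str
    ptype: str            # "application" (checks output data) or "inspection" (checks requests)
    service: str          # service inside the all-in-one system that applies the policy
    content: str          # DSL text describing the policy
    alarm_level: int
    description: str = ""


class SlaveNode:
    """A slave node (or a data processing system attached to one)."""

    def __init__(self, name: str, alive: bool = True) -> None:
        self.name = name
        self.alive = alive
        self.pending: Dict[int, PolicyInfo] = {}   # received, acknowledged, not yet committed
        self.entries: Dict[int, PolicyInfo] = {}   # committed security policy entries
        self.last_seq = 0                          # highest committed sequence number

    def heartbeat(self) -> bool:
        return self.alive

    def receive(self, info: PolicyInfo) -> bool:
        """Phase 1: store the policy information and acknowledge it."""
        if not self.alive:
            return False
        if info.seq <= self.last_seq:              # stale or replayed: refuse to ack
            return False
        self.pending[info.seq] = info
        return True

    def commit(self, seq: int) -> bool:
        """Phase 2: promote pending information to a security policy entry.

        A commit for a seq this node never received is refused rather than applied
        blindly; that is the consistency check the sequence number enables.
        """
        if not self.alive or seq not in self.pending:
            return False
        self.entries[seq] = self.pending.pop(seq)
        self.last_seq = max(self.last_seq, seq)
        return True


class MasterNode:
    def __init__(self, slaves: List[SlaveNode], allow_threshold: int) -> None:
        self.slaves = slaves
        self.allow_threshold = allow_threshold     # assumed: minimum number of acking slaves
        self.local_dps = SlaveNode("first-data-processing-system")
        self.log: List[str] = []

    def publish(self, info: PolicyInfo) -> Optional[dict]:
        """Steps 120/230/240: send to live slaves, count acks, commit only on success."""
        live = [s for s in self.slaves if s.heartbeat()]
        acked = [s for s in live if s.receive(info)]
        self.local_dps.receive(info)
        self.log.append(f"seq={info.seq}: sent to {len(live)} live slaves, {len(acked)} acked")
        if len(acked) < self.allow_threshold:
            self.log.append(f"seq={info.seq}: issuance failed, commit withheld")
            return None
        committed = [s.name for s in acked if s.commit(info.seq)]
        self.local_dps.commit(info.seq)
        # Slaves that did not ack get no commit and keep enforcing the previous policy;
        # an operator needs that list to bring them up to date.
        return {"seq": info.seq, "committed": committed,
                "behind": [s.name for s in self.slaves if s not in acked]}


def demo() -> dict:
    """Constructed scenario: two live slaves, one dead slave, threshold of two acks."""
    slaves = [SlaveNode("slave-1"), SlaveNode("slave-2"), SlaveNode("slave-3", alive=False)]
    master = MasterNode(slaves, allow_threshold=2)
    policy = PolicyInfo(seq=1, name="sql-protect", ptype="inspection", service="security-gateway",
                        content="deny_sql DROP,TRUNCATE,ALTER", alarm_level=3,
                        description="constructed sample policy")
    first = master.publish(policy)
    replay = master.publish(policy)   # same seq again: every slave refuses to ack, no commit
    return {"first": first, "replay": replay,
            "slave1_entries": sorted(slaves[0].entries), "log": master.log}


if __name__ == "__main__":
    for line in demo()["log"]:
        print(line)
```

The point of keeping `pending` and `entries` separate is that a slave enforces a new entry only after the master's commit, so a cluster never runs a half-distributed policy, and the replayed publish shows why the sequence number must be checked on the receiving side rather than trusted from the sender.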
Fig. 4 is a flowchart of another data content protection method according to an embodiment of the present invention. This embodiment applies to data security protection in a database all-in-one machine; the method may be executed by a data content protection device implemented in hardware and/or software and deployed in a data processing system. Referring to fig. 4, the method specifically includes the following steps:
Step 310: generate a security policy object in response to a data call request and obtain a security policy entry.
The security policy object is an operation object executed by the data processing system; it may be implemented in a development language and, in some embodiments, in a DSL. The data call request is a request to invoke the data processing system and may contain information about the service or data of the data processing system being called.
In this embodiment, the data processing system pre-configures a runtime environment (software and hardware) for the security policy object. On receiving a data call request it generates the security policy object in the development language and also looks up locally the security policy entry to be executed; that entry may have been pushed by the security policy cluster or pulled from the cluster by the data processing system, and is stored locally in the data processing system.
Step 320: generate a security operation tree for the security policy entry according to the security policy object.
The security operation tree is an atomic command tree composed of the security operations corresponding to one or more security policy entries, and it may also encode the execution order of those operations.
In some embodiments, the security policy object may be built on a DSL compiler for the DSL in which the policies are written, and the DSL compiler turns the atomic command operations of the security policy entry into the security operation tree.
Step 330: determine the request processing result of the data call request according to the security operation tree.
In this embodiment, the data call request is processed in turn by each atomic command operation in the security operation tree; the result of each atomic operation is collected, the results are aggregated into the request processing result, and that result decides whether the data call request is answered or prohibited.
In this embodiment, a security policy object is generated for the received data call request, the security policy entry in use is obtained, the entry is compiled into a security operation tree by the security policy object, and the request processing result of the data call request is determined by the security operation tree; this processes the data call request and improves the efficiency of data content protection.
In some embodiments, generating the security policy object and obtaining the security policy entry in response to the data call request comprises:
receiving the data call request; initializing the security policy object, which comprises at least one of a session information object, a call request information object and a structured query statement object; and looking up the security policy entry to be executed locally in a preset local policy entry store.
In this embodiment, when the data processing system receives a data call request it initializes the security policy object, which may include a session information object, a call request information object, a structured query statement object and so on; different types of security policy objects protect different types of data call requests. The data processing system looks up the security policy entries it uses in the local policy entry store, a storage area within the data processing system that holds the security policy entries currently in force.
In other embodiments, determining the request processing result of the data call request according to the security operation tree includes:
aggregating the execution results of the atomic operations in the security operation tree; and executing or discarding the data call request according to the aggregated result.
In this embodiment, the security operation tree contains one or more atomic operations that protect the data call request. The request is processed by the atomic operations in tree order, the execution result of each is extracted and aggregated, and the request is then discarded or allowed to continue according to the aggregated result. For example, an atomic operation may check the data access permission for the data call request, and if its result is that no permission exists, the request is discarded.
In an exemplary implementation manner, fig. 5 is an exemplary diagram of data content protection according to an embodiment of the present invention, and referring to fig. 5, a method provided in an embodiment of the present invention is specifically executed by a security policy center cluster, where the security policy center cluster includes a security policy center serving as a Master and a security policy center serving as a Slave, a data provider provides a dynamic security policy, the security policy may be applied inside a modem system, and the security policy is divided into two types:
1. a data consumption security policy, which is a policy used to detect whether data output to a consumer meets security requirements, such as a privacy query policy, a dynamic desensitization policy, and the like;
2. the access control security policy is a policy used for checking whether the received access request meets security requirements, for example, an SQL protection policy, a user right control policy, a metadata access control policy, a black and white list of network addresses, and the like.
In an embodiment of the present invention, the security policy may be specified according to a security policy declaration specification standard, which may be used to define a standard for implementing a security policy using DSL in a data product for data transaction, and the security policy may include the following fields according to the security policy declaration specification: the policy sequence number may be a unique identifier for identifying the policy entity, and may be used for consistency check during transmission between the master node and the slave node; the policy name may be a name of a security policy entry, the policy type may be information identifying a type to which the policy belongs, the policy type may include an application type and an inspection type, the application type may be an application type and an inspection type, the application type may represent that the policy entry is used to inspect whether output data meets requirements, such as privacy query and dynamic desensitization requirements, and the inspection type may represent that the policy entry is used to inspect whether access requests meet requirements, such as SQL protection requirements, user right control, metadata access control, black and white lists of network addresses, and the like; the policy service may represent the type of service within the modem system that applies the policy, and the policy content specification may be a specification for use of DSL that describes the policy; the policy alarm level can be different security levels corresponding to different security policy items, and can be preset by the data providing end according to the influence degree and range of abnormal operation; the policy description may be content that specifies the content of the security policy entry.
In the embodiment of the present invention, the execution process of the security policy may include the following steps:
1. Issuing a security policy:
After deployment of the data all-in-one machine system is started, the data provider dynamically configures the security policy entries. The data provider declares a number of security policy entries using the security policy standard and sends them to the Master node of the security policy center in the cross-domain all-in-one machine; the Master node of the security policy center is responsible for cross-domain distribution to the other security policy center nodes.
The security policy centers in the cross-domain all-in-one machines form a security policy center cluster, and the nodes in the cluster sense the online state of the cluster as a whole through a heartbeat mechanism. After receiving newly added security policy entries, the Master node issues them to the other Slave nodes using 2PC (two-phase commit):
An issuing stage: the Master node sends issuing requests to all Slave nodes, issuing the newly added security policy entries to them. If the number of Slave nodes that confirm the request reaches the allowable threshold configured by the data provider, the Master node regards the issuing of the security policy entries as successful.
A submission stage: the Master node applies the newly added security policy entries to the local data all-in-one machine system and sends submission requests to the other Slave nodes in the cluster. A node that receives the submission request also applies the newly added security policy entries locally. The Master node embeds the latest local security policy sequence number in the heartbeat packet; after receiving the heartbeat packet, a Slave node checks whether its local security policy entries are in sync and, if not, promptly applies to the Master node for an update.
2. Subscription and push of security policies:
Inside the data all-in-one machine, the different types of data services each subscribe to policy information from the security policy center. When a newly added security policy entry is applied at the security policy center, the policy entry is pushed to the corresponding data services according to the service type in the policy entry.
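The two-stage issuing, the heartbeat sequence-number check and the subscription/push step above, simulated in process as an added example (not code from the patent); the node classes, the abort message sent when the confirmation threshold is not reached, and the sample entries are assumptions:

```python
# Added example (not the patent's own code): an in-process simulation of the two-stage
# issuing of security policy entries, the heartbeat sequence-number check and the
# subscription/push step described above.  Class and field names are assumptions.
from collections import namedtuple

# Fields follow the security policy declaration specification listed earlier.
PolicyEntry = namedtuple("PolicyEntry", "seq name ptype service content alarm_level description")

class SlaveNode:
    def __init__(self, name: str, online: bool = True):
        self.name, self.online = name, online
        self.pending = {}  # seq -> entry received in the issuing stage, not yet applied
        self.applied = {}  # seq -> entry applied to this node's own data processing system

    def latest_seq(self) -> int:
        return max(self.applied, default=0)

    def receive_issue(self, entries) -> bool:
        """Issuing stage: store the entries and confirm; an offline node cannot confirm."""
        if not self.online:
            return False
        self.pending.update({e.seq: e for e in entries})
        return True

    def receive_submit(self, seqs) -> None:
        """Submission stage: apply every pending entry named in the submission request."""
        for seq in seqs:
            if self.online and seq in self.pending:
                self.applied[seq] = self.pending.pop(seq)

    def receive_abort(self, seqs) -> None:
        """Drop pending entries of a failed issue (an abort message is assumed here)."""
        for seq in seqs:
            self.pending.pop(seq, None)

    def on_heartbeat(self, master_latest_seq: int) -> bool:
        """True when the local entries lag the Master's, i.e. an update must be requested."""
        return self.online and self.latest_seq() < master_latest_seq

class MasterNode:
    def __init__(self, slaves, confirm_threshold: int):
        self.slaves, self.threshold = slaves, confirm_threshold  # threshold set by the data provider
        self.applied = {}      # seq -> entry applied to the Master's own data processing system
        self.subscribers = {}  # service type -> subscribed data services
        self.pushed = {}       # data service -> sequence numbers pushed to it

    def subscribe(self, data_service: str, service_type: str) -> None:
        self.subscribers.setdefault(service_type, []).append(data_service)
        self.pushed.setdefault(data_service, [])

    def latest_seq(self) -> int:
        return max(self.applied, default=0)

    def issue(self, entries) -> bool:
        """Two-stage issue; returns False, with nothing applied anywhere, if too few Slaves confirm."""
        if any(e.seq in self.applied for e in entries):
            raise ValueError("policy sequence numbers must be unique")
        seqs = [e.seq for e in entries]
        confirmations = sum(1 for s in self.slaves if s.receive_issue(entries))
        if confirmations < self.threshold:
            for s in self.slaves:
                s.receive_abort(seqs)
            return False
        self._apply(entries)                 # apply locally, then send the submission request
        for s in self.slaves:
            s.receive_submit(seqs)
        return True

    def _apply(self, entries) -> None:
        for e in entries:
            self.applied[e.seq] = e
            for svc in self.subscribers.get(e.service, []):  # push by the entry's service type
                self.pushed[svc].append(e.seq)

    def heartbeat(self) -> list:
        """Carry the latest sequence number in the heartbeat and bring lagging Slaves up to date."""
        lagging = []
        for s in self.slaves:
            if s.on_heartbeat(self.latest_seq()):
                lagging.append(s.name)
                missing = [e for q, e in sorted(self.applied.items()) if q > s.latest_seq()]
                s.receive_issue(missing)
                s.receive_submit([e.seq for e in missing])
        return lagging

def demo(threshold: int = 2) -> dict:
    """Constructed scenario: three Slaves, one offline while the entries are issued."""
    slaves = [SlaveNode("slave-a"), SlaveNode("slave-b"), SlaveNode("slave-c", online=False)]
    master = MasterNode(slaves, confirm_threshold=threshold)
    master.subscribe("data-api", "api")
    master.subscribe("sql-proxy", "sql")
    entries = [PolicyEntry(1, "api-daily-quota", "inspection", "api", "<DSL>", 2, "per-IP daily limit"),
               PolicyEntry(2, "sql-protection", "inspection", "sql", "<DSL>", 3, "block DDL statements")]
    issued = master.issue(entries)
    slaves[2].online = True                  # slave-c comes back; the next heartbeat catches it up
    lagging = master.heartbeat()
    return {"issued": issued, "lagging": lagging, "master_seq": master.latest_seq(),
            "slave_seqs": {s.name: s.latest_seq() for s in slaves}, "pushed": master.pushed}
```

With the default threshold of 2 the issue succeeds on two confirmations and the offline Slave is caught up by the heartbeat; with a threshold of 3 the issue is abandoned and no node applies anything.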
Further, on the basis of the above embodiment, an embodiment of the present invention further provides security policy management based on data flow, which specifically includes: the data provider defines in advance the topological architecture of the data security gateway on the cross-domain all-in-one machine. The security policy center collects the topology information of the data security gateway, marks the routing direction of each data flow in the topology graph and, combined with the application status of the security policy entries in the data flow, presents it to the data provider's operation and maintenance staff. The data provider adds the required security policy entries on the topological structure of the all-in-one machine system and monitors and manages the issuing and pushing processes of the security policy entries.
In the embodiment of the present invention, a server may process a security request according to the configured security policy entries. Referring to fig. 6, a conventional data security access policy is limited to a single table or a single user and cannot achieve some global security controls, for example limiting the number of data records that a certain IP queries through a data API every day to no more than 1000, or limiting the G3-level data queried by a certain user/application to no more than 1MB. The invention uses security policies described according to the DSL specification to associate information from various components, which serves global security management and control scenarios. For example, the DSL declaration of the security policy "limit the number of data records queried through the data API every day" is "session.ip = '172.16.xxx.xxx' and session.getip context.get("172.16.xxx.xxx").LastDayQueryCount <= 1000".
Each data service has a built-in DSL execution engine for parsing and executing the entire DSL process. Based on its own characteristics, a data service can extend in advance the implementation of commands serving specific scenarios and embed them into the DSL execution engine.
After receiving a call request from a data caller, the data service initializes the current security policy object, such as a session information object, a call request information object, an SQL object, and the like, for the subsequent security policy command execution phase. The data service then retrieves all policy entries available for the security check and, after processing by the DSL compiler, generates an execution tree of commands, where each node of the execution tree is an atomic command operation that produces a specific result. Finally, the data service collects and evaluates the processing results of all atomic commands to decide whether to continue or reject the data caller's request.
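An added example (not the patent's own code) of the DSL compiler and execution tree described in the preceding paragraphs, covering the global controls of fig. 6 (per-IP daily query quota, G3 data cap) and SQL protection; the grammar, the field paths such as session.ip and context.last_day_query_count, and the sample policies are assumptions:

```python
# Added example (not the patent's own code): a toy DSL compiler that turns each security policy
# entry into an execution tree of atomic operations and summarizes their results. All assumed.
import operator
import re
from collections import namedtuple
from dataclasses import dataclass

# Tokens: integer, single-quoted string, dotted field path or keyword, comparison operator.
TOKEN_RE = re.compile(r"\s*(?:(\d+)|'([^']*)'|([A-Za-z_][\w.]*)|(<=|>=|!=|=|<|>))")
CMP = {"=": operator.eq, "!=": operator.ne, "<": operator.lt, "<=": operator.le, ">": operator.gt, ">=": operator.ge}
PolicyEntry = namedtuple("PolicyEntry", "name content alarm_level")  # content: DSL that must hold
def tokenize(text: str) -> list:
    tokens, pos, text = [], 0, text.strip()
    while pos < len(text):
        m = TOKEN_RE.match(text, pos)
        if not m:
            raise SyntaxError(f"bad DSL token at {pos}: {text[pos:pos + 10]!r}")
        pos = m.end()
        num, string, ident, sym = m.groups()
        if num is not None:
            tokens.append(("num", int(num)))
        elif string is not None:
            tokens.append(("str", string))
        elif ident is not None:
            tokens.append(("kw" if ident in ("and", "or") else "path", ident))
        else:
            tokens.append(("sym", sym))
    return tokens

@dataclass
class Atom:  # leaf of the execution tree: one atomic comparison that yields a concrete result
    path: str
    op: str
    value: object
    def run(self, ctx: dict, trace: list) -> bool:
        cur = ctx
        try:
            for part in self.path.split("."):
                cur = cur[part]
            result = bool(CMP[self.op](cur, self.value))
        except (KeyError, TypeError):
            result = False  # fail closed: a missing or mistyped field never satisfies a check
        trace.append((f"{self.path} {self.op} {self.value!r}", result))
        return result

@dataclass
class Logical:  # inner node; both children run (no short-circuit) so every atomic result is recorded
    kind: str    # "and" or "or"
    left: object
    right: object
    def run(self, ctx: dict, trace: list) -> bool:
        l, r = self.left.run(ctx, trace), self.right.run(ctx, trace)
        return (l and r) if self.kind == "and" else (l or r)

class Parser:  # expr := term ('or' term)* ; term := atom ('and' atom)* ; atom := path cmp literal
    def __init__(self, tokens: list):
        self.toks, self.i = tokens, 0
    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else (None, None)
    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok
    def expr(self):
        node = self.term()
        while self.peek() == ("kw", "or"):
            self.take()
            node = Logical("or", node, self.term())
        return node
    def term(self):
        node = self.atom()
        while self.peek() == ("kw", "and"):
            self.take()
            node = Logical("and", node, self.atom())
        return node
    def atom(self):
        (kind, path), (okind, op), (vkind, value) = self.take(), self.take(), self.take()
        if kind != "path" or okind != "sym" or vkind not in ("num", "str"):
            raise SyntaxError(f"expected 'field cmp literal' near {path!r}")
        return Atom(path, op, value)

def compile_policy(content: str):
    parser = Parser(tokenize(content))
    tree = parser.expr()
    if parser.i != len(parser.toks):
        raise SyntaxError("trailing tokens in policy content")
    return tree

def enforce(policies: list, ctx: dict) -> dict:
    # Run every policy's execution tree, collect the atomic results and summarize them.
    trace = []
    violated = [p for p in policies if not compile_policy(p.content).run(ctx, trace)]
    return {"decision": "reject" if violated else "continue",
            "alarm_level": max((p.alarm_level for p in violated), default=0),
            "violated": [p.name for p in violated], "atomic_results": trace}
POLICIES = [  # constructed sample policies modelled on the global controls described above
    PolicyEntry("api-daily-quota", "session.ip != '10.0.0.5' or context.last_day_query_count < 1000", 2),
    PolicyEntry("sql-protection", "sql.statement_type != 'DROP' and sql.statement_type != 'DELETE'", 3),
    PolicyEntry("g3-volume-cap", "session.user != 'alice' or request.g3_bytes <= 1048576", 1)]
SAMPLE_CTX = {"session": {"ip": "10.0.0.5", "user": "alice"}, "request": {"g3_bytes": 4096},  # constructed
              "sql": {"statement_type": "SELECT"}, "context": {"last_day_query_count": 990}}
```

A field that the security policy object does not carry counts as a failed atomic operation, so an incomplete context rejects the request rather than silently passing it.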
Fig. 7 is a schematic structural diagram of a data content protection device according to an embodiment of the present invention, as shown in fig. 7, the device includes:
a policy obtaining module 401, configured to obtain, according to the master node of the security policy cluster, security policy information configured by a data providing source.
A policy transmission module 402 configured to transmit the security policy information to the first data processing system of the master node and to the slave nodes of the security policy cluster.
A policy submission module 403, configured to control the first data processing system and the slave node to add a security policy entry corresponding to the security policy information according to the submission request of the master node.
According to the embodiment of the invention, the policy obtaining module obtains, at the master node of the security policy cluster, the security policy information configured by a data providing source; the policy transmission module transmits the security policy information to the first data processing system connected to the master node and to the slave nodes of the security policy cluster; and the policy submission module adds the security policy entries corresponding to the security policy information at the first data processing system and the slave nodes according to the submission request of the master node.
In some embodiments of the present invention, the security policy information is composed of at least one of a policy sequence number, a policy name, a policy type, a policy service, a policy content specification, a policy alarm level, and a policy description.
In some embodiments of the present invention, the apparatus further comprises:
a second transmission module for transmitting the security policy information to a second data processing system of the slave node in accordance with the slave node;
a second submission module for controlling, in response to the submission request of the master node, the second data processing system to add the security policy entry according to the slave node.
In some embodiments of the present invention, the apparatus further comprises an issuing judgment module for determining that the security policy information has been issued successfully according to an allowable threshold and the number of confirmations the master node receives from the slave nodes for the security policy information.
In some embodiments of the present invention, the security policy information is transmitted in heartbeat packets between the master node and the slave nodes.
In some embodiments of the present invention, the apparatus further comprises an application status module for acquiring topology information of the security gateway according to the security policy cluster to construct a data flow path, and for displaying the application status of the security policy entries according to the data flow path.
Fig. 8 is a schematic structural diagram of another data content protection apparatus provided in accordance with an embodiment of the present invention, as shown in fig. 8, the apparatus includes:
a request response module 501, configured to generate a security policy object and obtain a security policy entry in response to the data call request.
An operation tree module 502, configured to generate a security operation tree of the security policy entry according to the security policy object.
A processing result module 503, configured to determine a request processing result of the data call request according to the secure operation tree.
According to the embodiment of the invention, the request response module generates the security policy object according to the received data call request and obtains the security policy entries in use; the operation tree module processes the security policy entries into the security operation tree according to the security policy object; and the processing result module determines, through the security operation tree, the request processing result corresponding to the data call request. Processing of the data call request is thus realized, and the efficiency of data content protection is improved.
In some embodiments of the present invention, the request response module 501 is specifically configured to: receive the data call request; initialize the security policy object, wherein the security policy object comprises at least one of a session information object, a call request information object, and a structured query statement object; and search a preset local policy entry store for the locally executed security policy entries.
In some embodiments of the present invention, the processing result module 503 is specifically configured to summarize the execution results of the atomic operations in the security operation tree, and to execute or delete the data call request according to the execution results.
The data content protection device provided by the embodiment of the invention can execute the data content protection method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of that method.
Fig. 9 is a schematic structural diagram of an electronic device implementing the data content protection method according to the embodiment of the present invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 9, the electronic device 10 includes at least one processor 11, and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 11 can perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from a storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data necessary for the operation of the electronic apparatus 10 can also be stored. The processor 11, the ROM 12, and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
A number of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, or the like; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network such as the internet and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various dedicated Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, and so forth. The processor 11 performs the various methods and processes described above, such as a data content protection method.
In some embodiments, the data content protection method may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the data content protection method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the data content protection method by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include being implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, that receives data and instructions from, and transmits data and instructions to, a storage system, at least one input device, and at least one output device.
Computer programs for implementing the methods of the present invention can be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on a machine, as a stand-alone software package, partly on a machine and partly on a remote machine, or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user may provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or cloud host, which is a host product in a cloud computing service system and overcomes the drawbacks of difficult management and weak service scalability of traditional physical hosts and VPS services.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A data content protection method applied to a security policy cluster, the method comprising:
acquiring security policy information configured by a data providing source according to a master node of the security policy cluster;
transmitting the security policy information to a first data processing system of the master node and to slave nodes of the security policy cluster;
and controlling the first data processing system and the slave node to add a security policy entry corresponding to the security policy information according to the submission request of the master node.
2. The method of claim 1, wherein the security policy information comprises at least one of a policy sequence number, a policy name, a policy type, a policy service, a policy content specification, a policy alarm level, and a policy description.
3. The method of claim 1, further comprising:
transmitting the security policy information to a second data processing system of the slave node in accordance with the slave node;
and in response to the submission request of the master node, controlling the second data processing system to add the security policy entry according to the slave node.
4. The method of claim 1, wherein transmitting the security policy information to the first data processing system of the master node and the slave nodes of the security policy cluster further comprises:
and determining that the security policy information has been issued successfully according to an allowable threshold and the number of confirmations the master node receives from the slave node for the security policy information.
5. The method of claim 1, wherein the security policy information is transmitted in heartbeat packets between the master node and the slave node.
6. The method of claim 1, further comprising:
acquiring topological information of a security gateway according to the security policy cluster to construct a data flow path;
and displaying the application status of the security policy entry according to the data flow path.
7. A method for protecting data content, applied to a data processing system, the method comprising:
generating a security policy object and obtaining a security policy entry in response to a data call request;
generating a security operation tree of the security policy entry according to the security policy object;
and determining a request processing result of the data call request according to the security operation tree.
8. The method of claim 7, wherein generating a security policy object and obtaining a security policy entry in response to the data call request comprises:
receiving the data call request;
initializing the security policy object, wherein the security policy object comprises at least one of a session information object, a call request information object, and a structured query statement object;
and searching a preset local policy entry store for the locally executed security policy entry.
9. The method of claim 7, wherein determining a request processing result of the data call request according to the security operation tree comprises:
summarizing the execution results of the atomic operations in the security operation tree;
and executing or deleting the data call request according to the execution results.
10. A computer-readable storage medium storing computer instructions for causing a processor to implement the data content protection method of any one of claims 1-6 or 7-9 when executed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211664369.3A CN115967564B (en) | 2022-12-23 | 2022-12-23 | Data content protection method and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN115967564A true CN115967564A (en) | 2023-04-14 |
CN115967564B CN115967564B (en) | 2024-02-02 |
Family
ID=87354547
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211664369.3A Active CN115967564B (en) | 2022-12-23 | 2022-12-23 | Data content protection method and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115967564B (en) |
Citations (11)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20050289150A1 (en) * | 2004-06-29 | 2005-12-29 | International Business Machines Corporation | Access controller using tree-structured data |
CN102215212A (en) * | 2010-04-02 | 2011-10-12 | 中兴通讯股份有限公司 | Method and architecture for handling conflict of security policies and unified converter |
CN102833251A (en) * | 2012-08-28 | 2012-12-19 | 瑞达信息安全产业股份有限公司 | Intra-class interconnection security policy management method oriented to classified protection system |
EP2741465A1 (en) * | 2012-12-04 | 2014-06-11 | Orange | Method and device for managing secure communications in dynamic network environments |
CN108667857A (en) * | 2018-08-28 | 2018-10-16 | 深信服科技股份有限公司 | A kind of security strategy maintaining method and system, server-side, client |
US20190124198A1 (en) * | 2017-10-24 | 2019-04-25 | Comptel Oy | Method and arrangement for policy regulation of electronic communication devices |
CN109858286A (en) * | 2018-12-07 | 2019-06-07 | 赵耘田 | For the security policy manager system of credible calculating platform |
CN111314312A (en) * | 2020-01-19 | 2020-06-19 | 苏州浪潮智能科技有限公司 | Policy management method, system, device and medium |
CN112437059A (en) * | 2020-11-11 | 2021-03-02 | 中国电子科技集团公司第二十九研究所 | Collaborative defense strategy transceiving method for networking group intelligent system |
CN113922988A (en) * | 2021-09-16 | 2022-01-11 | 苏州浪潮智能科技有限公司 | Host security policy detection method and system based on network |
US20220247786A1 (en) * | 2021-02-01 | 2022-08-04 | Ordr Inc. | Security policy generation and enforcement for device clusters |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||