CN104796290A - Data security control method and data security control platform - Google Patents

Abstract

The invention discloses a data security control method and a data security control platform. The method includes S1, partitioning data according to type and security classification; S2, performing encryption, identity authentication, access control, security audit, tracking and forensics on the data according to a data partitioning result, and distributing corresponding security protection tools for security protection; S3, collecting and normalizing log information generated by the security protection tools, and creating a full-life-cycle security view of the data. The data security control method and the data security control platform have the advantages that fine-grained differential full-life-cycle protection of big data can be achieved, utilization rate of the security protection tools can be increased, and the big data can be subjected to tracking and forensics.

Description

A kind of data security control method and platform

Technical field

The present invention relates to a kind of data security control method and platform, belong to technical field of data security.

Background technology

Along with business event and informationalized development, business datum presents as a kind of enterprise assets (data assets) that output is large, the characteristic of diversity, high value, and data assets has entered large data age.The meaning of data security has been not limited only to data itself, also directly has influence on and whether data can be promoted to data assets to the lifting of the business development and core competitiveness of serving enterprise; Within 2014, country proposes " information security concerns national security ", also illustrate that the data security of enterprise concerns enterprise security and national security.

But, the data security requirement of shelter of various under current security protection means and technology cannot meet large data environment, magnanimity, it is in particular in the following aspects:

(1) for magnanimity, the isomeric data assets of enterprise, differentiation protection is lacked.The data assets object origin variation of enterprise, the platform mainly comprising traditional operation system (goods and materials, capital construction, marketing, people's money, office, finance), data resource management platform and build based on large data, also has the terminating machine etc. that routine office work uses.For different structure, different types of data, the value of its data itself is also different.Comparatively thick to the prevention policies granularity of data assets at present, there is partial data protection shortcoming, partial data protection is too harsh, affect the unreasonable situation that business uses.

(2) the security protection product of enterprise only pays close attention to the equipment of its protection itself, lacks unified secured views.Network layer protection only paid close attention to by such as fire compartment wall, terminal table pipe fail-safe software only pays close attention to the protection of terminating machine, security protection product lacks interlock, secured views dispersion is isolated, lack the unified safety management view of the whole network all devices one, one of all devices overall fail-safe condition cannot be known.

(3) under large data scene, data are all faced with different security risks in each stage of life cycle, there is different security protection demands, but the security protection lacked at present the whole life cycle of data, the unified security cannot accomplishing to produce data, access, transmit, recover and destroy complete life cycle protects and manages, and can not ensure the safety of data at links such as storage, transmission, use, destructions.

(4), after there is security violation event, be difficult to navigate to person liable rapidly and accurately.

Summary of the invention

The object of the invention is to, a kind of data security control method and platform are provided, can to large data carry out fine granularity, differentiation, the security management and control of Life cycle, be convenient to carry out following the tracks of to large data and collect evidence.

For solving the problems of the technologies described above, the present invention adopts following technical scheme: a kind of data security control method, comprises the following steps:

S1, divides data according to data category and level of confidentiality;

S2, according to Data Placement result to the encryption of data, authentication, access control, security audit and follow the tracks of and distribute corresponding safety protective tool and carry out security protection with collecting evidence;

S3, collects the log information that safety protective tool produces, and is normalized, set up the secured views of the Life cycle of data.

In aforesaid data security control method, the data category of described step S1 divides by the following method: according to the relation of the content of data itself, type, affiliated function, business activity or operation system, data are divided into the large class of data, data subclass, data group and data, the large class of data, data subclass, data group and data are corresponding data territory, operation function territory, business procedure territory and business activity respectively.

In aforesaid data security control method, in described step S1, data category belonging to data, the assets value of carrying out data according to CIA assignment and CIA weight calculates, again in conjunction with the concerning security matters of data to Data Placement level of confidentiality, be high sensitive data, sensitive data, internal data and common data according to level of confidentiality by Data Placement.

In aforesaid data security control method, the assets value V of described data is according to V=Round1{Log2 [(A × 2 ^conf+ B × 2 ^int+ C × 2 ^ava)/3] } calculate, wherein, A represents the weights of confidentiality, and B represents the weights of integrality, and C represents the weights of availability; Round function is that logarithm value rounds up, and Round1 represents reservation 1 decimal by formulation figure place.

In aforesaid data security control method, according to Data Placement result, the authentication of data, access control are distributed to corresponding safety protective tool and carry out security protection and specifically comprise in described step S2:

(1) initialization: suppose total n+1 data class in information system, m user, sets up encryption key hierarchical tree, and calculates rope master key K _jwith class key K _x, wherein, 1≤j≤t, t+1≤x≤n, t, j are master index node, and t+1, x, n are the leaf node under master index node;

(2) data encryption: encryption equipment generates data class C according to the level of confidentiality of data _xencryption key K _x,s, utilize this encryption key K _x,sto data class C _xbe encrypted, wherein C _xrepresent the data class being positioned at leaf node under master index node j;

(3) user's registration: the user D of trusted party authentication-access data _iwhether meet the condition of Accreditation System, if meet, then encryption equipment calculates user's master key trusted party is issued and is comprised this user's master key and information system identity certificate to user D _ias the identity documents of access system, wherein, for user D _ipKI;

(4) access request: trusted party authentication of users D _isystem identity certificate, if by checking, be then user D _iissue the access certificate of data class identification information comprising user's level of confidentiality, the role authorized and authorize;

(5) decipher: the access certificate described in trusted party checking, if there is partial ordering relation namely user D is realized _ivisit data class C in level of confidentiality authority _kin data.

In aforesaid data security control method, described safety protective tool comprises anti-data-leakage instrument, data encrypting and deciphering instrument and Data Audit instrument; Wherein, the leakage prevention method of described structural data comprises:

A1, the encryption key of database protection server generation system root key, row key, level of confidentiality value and the high sensitive data of each row, sensitive data, internal data, and the encryption key described in utilizing is encrypted the high sensitive data of each row in database, sensitive data, internal data;

B1, subscription client sends the request of certain data rows in access structure data to database server by application server, database protection server is according to the level of confidentiality of user, the median being used for calculating user's level of confidentiality value is distributed to user with the form of access certificate, and subscription client calculates each level of confidentiality value allowing its access according to the access certificate of this median;

C1, whether database protection server, by the flow analysis SQL statement of mirror image, judges in this access request containing access in violation of rules and regulations;

D1, accesses in violation of rules and regulations if do not contain and accessed data rows is public data, then backward reference request msg; If containing in violation of rules and regulations access and accessed data rows is high sensitive data, sensitive data or internal data, then subscription client sends the level of confidentiality value corresponding to high sensitive data, sensitive data or internal data, database protection server is according to this level of confidentiality value and corresponding row key, generate the decruption key of this data rows, the corresponding data in decryption key decryption database server is utilized to arrange, and backward reference request msg.

In aforesaid data security control method, described safety protective tool comprises anti-data-leakage instrument, data encrypting and deciphering instrument and Data Audit instrument; Wherein, the leakage prevention method of described unstructured data comprises:

A2, controlled terminal carries out classify and grading to non-structured data assets, and carries out digital signature according to responsive grade to the unstructured data of corresponding kind;

B2, when controlled terminal request sends unstructured data to Internet or Extranet, network protection server carries out filtration treatment by the flow of mirror image and sensitive keys word to these data;

C2, if comprise sensitive keys word in described unstructured data, then adopts the signature of the PKI of corresponding sensitivity level to this unstructured data to verify;

D2, if by checking, then blocks this controlled terminal sends request from data to Internet or Extranet.

In aforesaid data security control method, for unstructured data, described step S3 comprises:

S31, record unstructured data file is creating, is storing, uses, transmits, destroys and recover the data manipulation behavior in each stage, and is stored as log audit record;

S32, reads unstructured data file at the log audit record creating, store, use, transmit, destroy and recover each stage, analyzes, generate analysis report to the data manipulation behavior of violating security strategy;

S33, sets up the safety management view of the Life cycle of unstructured data.

In the described step S3 of aforesaid data security control method, described log information comprises warning information, when event or system resource surplus are lower than the critical value set in violation of rules and regulations in safety protective tool generation, will produce warning information; The normalized of described warning information comprises alarm event classification, alarm event classification, alarm event merging and alarm event standardization.

Realize a data security control platform for preceding method, comprising:

Data classification diversity module, for dividing data according to data category and level of confidentiality;

Safety protective tool distribution module, for according to Data Placement result to the encryption of data, authentication, access control, security audit and follow the tracks of and distribute corresponding safety protective tool and carry out security protection with collecting evidence;

Log collection processing module, for collecting the log information that safety protective tool produces, and being normalized, setting up the secured views of the Life cycle of data.

In aforesaid data security control platform, described Data classification diversity module comprises data categorization module, for the relation of the content according to data itself, type, affiliated function, business activity or operation system, data are divided into the large class of data, data subclass, data group and data, the large class of data, data subclass, data group and data are corresponding data territory, operation function territory, business procedure territory and business activity respectively.

In aforesaid data security control platform, described Data classification diversity module comprises data staging module, for classifying according to data, carries out the calculating of the assets value of data according to CIA assignment and CIA weight; Again in conjunction with the concerning security matters of data to Data Placement level of confidentiality; Be high sensitive data, sensitive data, internal data and common data according to level of confidentiality by Data Placement.

In aforesaid data security control platform, described data staging module is according to V=Round1{Log2 [(A × 2 ^conf+ B × 2 ^int+ C × 2 ^ava)/3] } the assets value V of calculated data, wherein, A represents the weights of confidentiality, and B represents the weights of integrality, and C represents the weights of availability; Round function is that logarithm value rounds up, and Round1 represents reservation 1 decimal by formulation figure place.

In aforesaid data security control platform, described safety protective tool distribution module comprises:

Anti-data-leakage instrument distribution module, for distributing corresponding anti-data-leakage instrument according to the level of confidentiality of data, carries out anti-data-leakage protection to data;

Data encrypting and deciphering instrument distribution module, for distributing corresponding data encrypting and deciphering instrument according to the level of confidentiality of data, carries out data encrypting and deciphering protection to data;

Data Audit instrument distribution module, for distributing corresponding Data Audit instrument according to the level of confidentiality of data, carries out Data Audit protection to data.

In aforesaid data security control platform, described log collection processing module comprises:

Audit log logging modle, for recording unstructured data file in the data manipulation behavior creating, store, use, transmit, destroy and recover each stage, and is stored as log audit record;

Audit log analysis module, for reading unstructured data file at the log audit record creating, store, use, transmit, destroy and recover each stage, analyzing the data manipulation behavior of violating security strategy, generating analysis report;

Secured views sets up module, for setting up the safety management view of the Life cycle of unstructured data.

In aforesaid data security control platform, described audit log analysis module comprises warning information and collects processing module, for collecting when safety protective tool generation violation event or system resource surplus are lower than the warning information produced during the critical value set, and alarm event classification, alarm event classification, alarm event merging and alarm event standardization are normalized.

Compared with prior art, the present invention adopts natural language processing and Algorithm of documents categorization, utilize artificial intelligence theory and machine learning techniques, realization can according to the semantic feature of data content and form, data are associated with one or more predefine classification, and automatically distribute specific data rank according to Data classification, make fine granularity control of authority become possibility; And according to three characteristics (confidentiality C, integrality I, availability A) of the data security of ISO27001 system, to the assignment of data assets confidentiality, integrity, and availability, reflect that the business of data assets is worth better, and distinguish the value grade of each data assets, the utilance of safety protective tool can be improved; Can to large data carry out fine granularity, differentiation, the security management and control of Life cycle, realize protecting and managing the unified security of the complete life cycles such as data generation, access, transmission, recovery and destruction, for manager provides the secured views that all supervision datas are unified; Increase is carried out following the tracks of to large data and is collected evidence, and after generation security violation event, can navigate to person liable rapidly and accurately; Destroy from terminal security protection, security transfer model to anti-data-leakage mechanism, data security and recover, realizing general safety protection management that is multi-level, three-dimensional.

Accompanying drawing explanation

Fig. 1 is method flow schematic diagram of the present invention;

Fig. 2 is data classification method schematic flow sheet of the present invention;

Fig. 3 is the authorization management method schematic diagram of user accesses data of the present invention;

Fig. 4 is safety management view generation schematic flow sheet of the present invention;

Fig. 5 is platform structure schematic diagram of the present invention;

Fig. 6 is paralell composition of the present invention;

Fig. 7 is plateform system application module schematic diagram of the present invention;

Fig. 8 is the integrated schematic diagram of platform interior of the present invention.

Reference numeral is: 1-Data classification diversity module, 11-data categorization module, 12-data staging module, 2-safety protective tool distribution module, 21-anti-data-leakage instrument distribution module, 22-data encrypting and deciphering instrument distribution module, 23-Data Audit instrument distribution module, 3-log collection processing module, 31-audit log logging modle, 32-audit log analysis module, 33-secured views sets up module, and 321-warning information collects processing module.

Below in conjunction with the drawings and specific embodiments, the present invention is further illustrated.

Embodiment

The embodiment of the present invention 1: a kind of data security control method, as shown in Figure 1, comprises the following steps:

One, according to data category and level of confidentiality, data are divided

Described data category divides by the following method: according to the relation of the content of data itself, type, affiliated function, business activity or operation system, data are divided into the large class of data, data subclass, data group and data, the large class of data, data subclass, data group and data are corresponding data territory, operation function territory, business procedure territory and business activity respectively.

Automatic classification classification technique can be adopted, namely natural language processing and Algorithm of documents categorization is adopted, data according to the semantic feature of data content and form, can be associated with one or more predefine classification, and automatically distribute specific data classification according to Data classification by realization.

As shown in Figure 2, data classification method flow process is as follows:

1, based on data category, data are identified, determine the concrete business procedure corresponding to business activity data or operation function territory or even data field;

2, after identifying, according to affiliated classification, according to the reference proposition of CIA assignment and CIA weight, carry out assets value calculating, suitably can revise CIA when there being abundant reason and advise assignment and weight, guarantee that data assets is worth and obtain reasonable estimation;

3, according to the reasonable value of data assets, the concerning security matters of reference data assets, finally define the level to data assets, once determine rank, namely protect according to code requirement.

Data category belonging to data, the assets value of carrying out data according to CIA assignment and CIA weight calculates, then in conjunction with the concerning security matters of data to Data Placement level of confidentiality, is high sensitive data, sensitive data, internal data and common data according to level of confidentiality by Data Placement.The assets value V of described data is according to V=Round1{Log2 [(A × 2 ^conf+ B × 2 ^int+ C × 2 ^ava)/3] } calculate, wherein, A represents the weights of confidentiality, and B represents the weights of integrality, and C represents the weights of availability; Round function is that logarithm value rounds up, and Round1 represents reservation 1 decimal by formulation figure place.

Two, according to Data Placement result to the encryption of data, authentication, access control, security audit and follow the tracks of and distribute corresponding safety protective tool and carry out security protection with collecting evidence

Described safety protective tool comprises anti-data-leakage instrument, data encrypting and deciphering instrument and Data Audit instrument; Wherein:

1, the leakage prevention method of described structural data

(1) encryption key of database protection server generation system root key, row key, level of confidentiality value and the high sensitive data of each row, sensitive data, internal data, and the encryption key described in utilizing is encrypted the high sensitive data of each row in database, sensitive data, internal data.

(2) subscription client sends the request of certain data rows in access structure data to database server by application server, database protection server is according to the level of confidentiality of user, the median being used for calculating user's level of confidentiality value is distributed to user with the form of access certificate, and subscription client calculates by level of confidentiality tree each level of confidentiality value allowing its access according to the access certificate of this median.

(3) whether database protection server is by the flow analysis SQL statement of mirror image, judge in this access request containing access in violation of rules and regulations;

Described judges whether specifically comprise containing accessing in violation of rules and regulations in this access request: judge whether user's level of confidentiality matches with the responsive grade of its visit data, judge the identity of this user and whether legal to the operation of visit data simultaneously, if not, then containing access in violation of rules and regulations;

Described judge that whether user's level of confidentiality matches with the responsive grade of its visit data and comprise the following steps:

A, database protection server by utilizing the identity information filter user-level of confidentiality table of user, or by utilizing the electronic security level certificate of user, obtains the security information of user;

B, database protection server, according to the data rows of user's request access, obtains the responsive class information of this data rows; And the responsive grade that the level of confidentiality of user and its visit data arrange is mated.

The described identity judging this user and specifically comprising whether the operation of visit data is legal: judge that whether user is the founder of data, judge whether comprise amendment in the access of user simultaneously, increase or deletion action; If this user is not the founder of data, and it comprises amendment to the operation of visit data, increases or delete, then this access is illegal operation.

(4) if containing in violation of rules and regulations access and accessed data rows is public data, then backward reference request msg; If containing in violation of rules and regulations access and accessed data rows is high sensitive data, sensitive data or internal data, then subscription client sends the level of confidentiality value corresponding to high sensitive data, sensitive data or internal data, database protection server is according to this level of confidentiality value and corresponding row key, generate the decruption key of this data rows, the corresponding data in decryption key decryption database server is utilized to arrange, and backward reference request msg.

Wherein, the decruption key of described data rows is pressed following formula and is generated: K _{x, s}=H _k(K _x‖ V _{b (s)}); Wherein, K _{x, s}the decruption key of data rows, H _k() is the HMAC of a band key, and K is system access root key, K _xrow keys, V _{b (s)}it is level of confidentiality value.

Utilize based on structural data leakage prevention method expressly, namely formulate corresponding fine-grained anti-leak strategy according to the classify and grading of data and carry out implementing structured anti-data-leakage, thus can effectively prevent the sensitive structure data in enterprise information assets from leaking; In addition; the present invention additionally uses the structural data leakage prevention method based on ciphertext; namely high sensitive data, sensitive data and internal data are encrypted in advance; only have the level of confidentiality of user during access and allow level of confidentiality value of its access all to meet the requirements and could decipher, access corresponding data rows, thus the further available protecting fail safe of high sensitive data, sensitive data and internal data.In addition, inventor finds through a large amount of experimental studies: adopt the structural data leakage prevention method based on ciphertext in the present invention, if directly the encryption key of each data rows is distributed to all personnel that can access it, so senior concerning security matters personnel need the data of preserving all data rows, and the data of a data rows will be distributed to multiple personnel, be easy to like this cause Key Exposure; Therefore the present invention proposes a kind of new key management method, namely make the encryption key K of a data rows _{x, s}by row key K _xwith level of confidentiality value V _{b (s)}form, the encryption key of described data rows is generated by following formula: K _{x, s}=H _k(K _x‖ V _{b (s)}), and level of confidentiality value V wherein _{b (s)}by the median that database protection server issues according to the level of confidentiality of user, utilize level of confidentiality to set and calculate, thus effectively can ensure the fail safe of key and the fail safe of structural data.In addition, in 2 kinds of leakage-preventing methods in the present invention, all users can only access equal with oneself level of confidentiality or lower than the structural data of oneself level of confidentiality, and can not access the structural data higher than oneself level of confidentiality, thus effectively ensure that the fail safe of sensitive data.

2, the leakage prevention method of described unstructured data

(1) controlled terminal carries out classify and grading to non-structured data assets, data is divided into high sensitivity level data, sensitivity level data, internal data and public data; To high sensitivity level data, sensitivity level data and internal data preassignment public and private key pair respectively, and each private key is utilized to carry out ElGamal or DSA signature to corresponding data.

Wherein, ElGamal signature algorithm is adopted to carry out digital signature to unstructured data and verify this signature specifically comprising the following steps:

A, initialization

Controlled terminal selects Big prime p and Z _pin a generator g, and announce p and g; Select a random number sk ∈ Z again _p-1, and calculate pk=g ^sk(mod p), pk is open as PKI, and sk is as key;

B, signs to document m

Select a random number calculate r=g ^k(mod p);

Solving equation: m ≡ skr+ks (mod p-1), obtains s, wherein, namely m needs the document encrypted; (r, s) the i.e. signature of document m produced after encryption, is attached to after document m;

C, checking:

Detect equation: g ^m≡ pk ^rr ^swhether (mod p) sets up, if set up, by checking.

(2) when controlled terminal sends HTTP, HTTPS, FTP or SMTP request to Internet or Extranet transmission unstructured data, if network protection server judges---source IP is corporate intranet IP, object IP is enterprise outer net IP, then by the flow of mirror image and sensitive keys word, filtration treatment is carried out to the front cover of this unstructured data, theme, text and annex, judge whether it comprises sensitive keys word.

(3) if comprise sensitive keys word in described unstructured data, then the signature of the PKI of corresponding sensitivity level to this unstructured data is adopted to verify.

(4) if by checking, then this controlled terminal sends request from data to Internet or Extranet is blocked.

By adopting the method that keyword filters and data label combines, the unstructured data in enterprise's classification data assets is protected, thus not only effectively can prevent leaking data, but also the wrong report phenomenon (as non-sensitive information is identified as sensitive information) that can greatly reduce in message protection process, improve the accuracy rate of unstructured data protection.In addition, the present inventor finds through lot of experiments research: produce digital label according to hash algorithm of the prior art, as long as so know the hash algorithm of use, anyone can produce and verify hash value, and for an identical document, the hash value of generation is identical, so just can not ensure that the document with sensitivity level can only be produced by the personnel that level of confidentiality adapts with it, and anyone can revise document and regenerates hash value, be unfavorable for the fail safe of guarantee system.And if ElGamal or the DSA signature algorithm in employing the present invention produces digital label, so just can ensure that the personnel (i.e. concerning security matters personnel) only having sensitivity level key could produce the label with sensitivity level document, and other people can not replace digital label, network protection server only needs to use corresponding public key verifications to sign simultaneously, and do not need to know private key, thus effectively ensure that the fail safe of system.

3, according to Data Placement result, the authentication of data, access control are distributed to corresponding safety protective tool and carry out security protection, as shown in Figure 3:

(1) initialization

Suppose total n+1 data class in information system, m user, sets up encryption key hierarchical tree, and calculates rope master key K _jwith class key K _x, wherein, 1≤j≤t, t+1≤x≤n, t, j are master index node, and t+1, x, n are the leaf node under master index node;

The HMAC H of encryption equipment Stochastic choice integer IV, two band keys _k() and run polynomial time group generating algorithm produce group G, and select an impact resistant hash function H ': { 0,1}* → G, wherein, K is system access master key, K _xfor security classes C _xclass key;

Wherein, CID _jfor the class of master index node identifies; CID _xfor the class of leaf node under master index node j identifies.

(2) data encryption

Encryption equipment generates data class C according to the level of confidentiality of data _xencryption key K _x,s, K _x,s=H _k(K _x|| V _{b (s)}), wherein, K _xfor class key, V _{b (s)}for the value (set by level of confidentiality and obtain) of level of confidentiality s; Utilize this encryption key K _x,sto data class C _xbe encrypted, wherein C _xrepresent the data class being positioned at leaf node under master index node j.

(3) user's registration

The user D of trusted party authentication-access data _iwhether meet the condition of Accreditation System, if meet, then encryption equipment calculates user's master key trusted party is issued and is comprised this user's master key and information system identity certificate to user D _ias the identity documents of access system, wherein, for user D _ipKI;

Wherein, described calculating user master key comprise the following steps:

A, sets up decruption key hierarchical tree: the root node dynamically in encryption key hierarchical tree and adding users node, the key be associated with user node and user's master key between second layer master index node

B, calculates user's master key

(4) access request

A, trusted party authentication of users D _isystem identity certificate, search for access control policy, if user D simultaneously _iaccess request meet any one access control policy, then trusted party extracts the mark set of respective leaves child node wherein be r the index node about keyword I be extracted;

B, encryption equipment finds intermediate node in level of confidentiality tree, and calculates the level of confidentiality value V of these intermediate nodes ^u;

C, trusted party is user D _iissue access certificate, in described access certificate, comprise the information with trusted party signature with wherein s is the level of confidentiality of data or the level of confidentiality of user, { V ^ufor expiring the level of confidentiality value set of y-bend subtree root node, for authorizing user D according to access control policy _ithe set of the mark of the leaf node data class of access, for user D _ipKI.

(5) decipher

A, user D _iutilize the private key of oneself decimation value from access certificate

B, user D _iaccording to the level of confidentiality of oneself, from access certificate decimation value V ⁰..., V ^uwith

C, calculates level of confidentiality value V _{b (s)}with decruption key K _k,s, K _k,s=H _k(K _k|| V _{b (s)}), wherein, described for user's master key;

D, user D _iaccording to the level of confidentiality s of oneself, utilize decruption key K _k,sdeciphering belongs to data class C _kin data.

represent the level of confidentiality of data class, wherein s0, s1, s2, s3 are respectively common data, internal data, sensitive data, high sensitive data.Adopt state close SM1 algorithm to be encrypted high sensitive data, adopt AES-128 cryptographic algorithm or the close SM4 algorithm of state to be encrypted sensitive data, adopt lightweight PRESENT-80 algorithm to be encrypted internal data.

Effectively can solve problems of the prior art, especially the stored in clear of database data and terminal document causes sensitive information leakage, the plaintext transmission of data is easy to when causing data to be transmitted in a network to be revealed and weak authentication easily causes the problem of unauthorized access.

Three, collect the log information that safety protective tool produces, and be normalized, set up the secured views of the Life cycle of data.

Due to structural data generation, use etc. all in a database, therefore the management of structural data is comparatively concentrated, and general direct Query Database just can obtain all information of structural data.

And different from structural data, the wide and difficult to govern control (circulating between each terminal and server) of unstructured data distribution, its log information produced by safety protective tool is collected by the following method, as shown in Figure 4:

1, record unstructured data file in the data manipulation behavior creating, store, use, transmit, destroy and recover each stage, and be stored as log audit record;

2, read unstructured data file at the log audit record creating, store, use, transmit, destroy and recover each stage, the data manipulation behavior of violating security strategy is analyzed, generates analysis report;

3, the safety management view of the Life cycle of unstructured data is set up.

Described log information comprises warning information, when event or system resource surplus are lower than the critical value set in violation of rules and regulations in safety protective tool generation, will produce warning information; The normalized of described warning information comprises alarm event classification, alarm event classification, alarm event merging and alarm event standardization.

Security audit refers in the running of information system, the security control means recording and supervise are carried out in normal stream journey, abnormality and security incident etc., prevent the situation violating information security policy from occurring, also can be used for the objects such as confirmation of responsibility, Performance tuning and security evaluation.The carrier of security audit and object are generally the daily records that in system, various components produces, and the diversified daily record data of form is through standardization, cleaning and form significant audit information after analyzing, and Added Management person forms the effective cognition to running situation.

The embodiment of the present invention 2: a kind of data security control platform realizing preceding method, as shown in Figure 5, comprising:

Data classification diversity module 1, for dividing data according to data category and level of confidentiality;

Safety protective tool distribution module 2, for according to Data Placement result to the encryption of data, authentication, access control, security audit and follow the tracks of and distribute corresponding safety protective tool and carry out security protection with collecting evidence;

Log collection processing module 3, for collecting the log information that safety protective tool produces, and being normalized, setting up the secured views of the Life cycle of data.

Described Data classification diversity module 1 comprises data categorization module 11, for the relation of the content according to data itself, type, affiliated function, business activity or operation system, data are divided into the large class of data, data subclass, data group and data, the large class of data, data subclass, data group and data are corresponding data territory, operation function territory, business procedure territory and business activity respectively.

Described Data classification diversity module 1 comprises data staging module 12, for classifying according to data, carries out the calculating of the assets value of data according to CIA assignment and CIA weight; Again in conjunction with the concerning security matters of data to Data Placement level of confidentiality; Be high sensitive data, sensitive data, internal data and common data according to level of confidentiality by Data Placement.

Described data staging module 12 is according to V=Round1{Log2 [(A × 2 ^conf+ B × 2 ^int+ C × 2 ^ava)/3] } the assets value V of calculated data, wherein, A represents the weights of confidentiality, and B represents the weights of integrality, and C represents the weights of availability; Round function is that logarithm value rounds up, and Round1 represents reservation 1 decimal by formulation figure place.

Described safety protective tool distribution module 2 comprises:

Anti-data-leakage instrument distribution module 21, for distributing corresponding anti-data-leakage instrument according to the level of confidentiality of data, carries out anti-data-leakage protection to data;

Data encrypting and deciphering instrument distribution module 22, for distributing corresponding data encrypting and deciphering instrument according to the level of confidentiality of data, carries out data encrypting and deciphering protection to data;

Data Audit instrument distribution module 23, for distributing corresponding Data Audit instrument according to the level of confidentiality of data, carries out Data Audit protection to data.

Described log collection processing module 3 comprises:

Audit log logging modle 31, for recording unstructured data file in the data manipulation behavior creating, store, use, transmit, destroy and recover each stage, and is stored as log audit record;

Audit log analysis module 32, for reading unstructured data file at the log audit record creating, store, use, transmit, destroy and recover each stage, analyzing the data manipulation behavior of violating security strategy, generating analysis report;

Secured views sets up module 33, for setting up the safety management view of the Life cycle of unstructured data.

Described audit log analysis module 32 comprises warning information and collects processing module 321, for collecting when safety protective tool generation violation event or system resource surplus are lower than the warning information produced during the critical value set, and alarm event classification, alarm event classification, alarm event merging and alarm event standardization are normalized.

Data security control platform is divided into four levels, from bottom to top respectively by management and control object layer, tool layer, functional module layer and user interface layer.Data security control platform Organization Chart is as shown in Figure 6:

Referred to that data security control platform needs structuring and the unstructured data of supervision by management and control object layer.Wherein structural data includes but not limited to the important business data information that operation system produces, but not structured data comprises the data such as file, image, phonotape and videotape, image that routine office work system produces.These source data objects are in the file server of client, traditional mode and database server, the large data platform of main flow, and the key node of transfer of data.

Tool layer refers to that control platform intends integrated data security management and control instrument.Specifically comprise data tracking and evidence obtaining software, data encrypting and deciphering software and anti-data-leakage software.The integrated existing mature equipment of tool layer or software.

Functional layer is the core layer of this platform, is the secondary development carried out on tool layer.Be responsible for realizing the function of the function of safety protection of this data security control platform, statistical analysis, platform management.The function of functional layer specific implementation has data assets classified and graded management, tactical management, log management, alarm management etc.

The superiors' boundary layer is the service window of the friendly interface that control platform provides for user, comprise abundant report query interface, interface and Data classification differentiated control operation reminded in alarm, platform management operation, strategy configuration entrance.Wherein report query comprises data assets Regional Distribution that overview display module provides, data assets Tissue distribution, data assets alarm distribution and data assets hotspot's distribution situation.Platform management operation interface comprises the User Interfaces such as organization management, Role Management, user management and platform log management.Strategy configuration interface comprises and configures the strategy of encryption and decryption instrument, anti-leak instrument, tracking and forensic tools and carry out parameter configuration to the key of encryption and decryption instrument.

As shown in Figure 7, mainly four module is divided into, platform management, data assets classified and graded management, log management and tactical management from application function division.Platform management mainly provides for the behavior of platform user and Role Management etc., ensures to only have to authorize and validated user ability access system, and carries out legal operation.The data assets classify and grading result of off-line is mainly mapped in the metamessage of the data assets of system by data assets classified and graded management, thus provides the Back ground Information identifying different stage assets for follow-up prevention policies.Log management is divided into the process such as log collection and Web log mining analysis, and its basic goal carries out statistical analysis and the tracking afterwards to alarm event for the protection situation of data assets, and excavates and analyze potential harm and risk.And tactical management primary responsibility is different protection tool distributing policy, so that the assets of different protection tool identification appropriate levels, and protects accordingly and analyze.

Consider from deployment angle, protection tool major deployments in the exit, border of each large data assets, and in main frame running environment.And log collection instrument is responsible for by the log collection of each protection tool log server to unified HDFS file system, carry out storing and analyzing.Platform management is then disposed and is supplied to user access on the application server.

In the specific implementation of data security control platform, based on the multi-layer framework of SOA, adopt Spring framework, the displaying interface of front end adopts the thin-client of B/S pattern, RIA (Rich InternetApplications, enriches internet program) is realized by JSP+AJAX technology; WEB layer responds the HTTP request of front end by SERVLET, calls the logical operation of background service finishing service; Application service component layer adopts mixed mode, does not limit development language, adopts C or JAVA to develop, to make full use of the advantage of C language and JAVA language for different services; Data storage layer uses MySQL database and distributed platform HDFS, improves systematic function; Service interface layer, based on uniform service framework, obtains service support by agreements such as WebService, JMS, HTTP from 4A platform and data resource management platform.

(1) front end

Front end adopts JSP technology to represent in a browser, coordinates AJAX assembly to realize RIA; WEB layer adopts SERVLET technology response front end request, SERVLET realizes to the conversion of JAVA class, then calling background service to HTTP (S) data, returns to front end, front end and Background communication adopt http protocol, adopt FLEX technology for figure, representing of chart.Front end mainly achieves the boundary layer of upper figure.

(2) backstage

Backstage adopts middleware to build business module, realizes in the highly reliable service of needs and high-performance calculation etc. by C language; The aspect JAVA language such as the process of needs elastic traffic and personal needs are realized.Backstage achieves Access Layer, service components layer and data storage layer.

Access Layer, in large-scale application, especially large-scale real-time service system, ensure that the process service request of entire system stability and high efficiency is most important, Access Layer realizes carrying out integrated management, the functions such as the service request protocol conversion initiated terminal by Access Layer, service routing, traffic management and control, safety management and on-line monitoring to terminal access.According to different deployment requirements, Access Layer can be nested, realizes multistage access to adapt to complicated access demand.

Service components layer, core business and data processing are packaged into the serviced component possessing standalone transaction, are deployed to JAVA component server or transaction middleware respectively, externally provide unified calling interface, the call request of response Access Layer.Component layer is disposed all kinds of serviced component and is managed, for adapting to various complicated applications and real time service request concurrent greatly, service components layer can realize carrying out dynamic reorganization in the restructuring of server rank or server by business categorizing, concurrency or response speed according to practical operation situation, for the highly reliable characteristic of real-time service system, service components layer support dynamically increases server online, or the serviced component of the dynamically interior operation of online increase and decrease server, really realize the persistent service of 24*7.

Data storage layer, the full-service data that data storage layer is responsible for whole system store, and are that in system, maximum, the IO of data volume is the most frequent, and one deck of most influential system performance, can realize service components layer without tables of data level association by good Service Design.Adopt MySQL database to store data assets classify and grading information, policy data, user data etc., good structural data operating characteristics can be provided; The a large amount of daily record datas adopting Hadoop distributed file system HDFS to store data security control platform to collect, can provide the memory space of magnanimity and the concurrent handling property of height, can greatly promote the efficiency that daily record stores and analyzes.

According to needing integrated system and device type, the system integration can be divided into that built-in system is integrated, external system is integrated and equipment class integrating three kinds.The Integrated Strategy of system has following three types:

Built-in system integrated (as shown in Figure 8), come integrated to 6+1 scope internal applications system by integration platform for heterogeneous information sources, extraneously pay the utmost attention to unified integrated interface, special applications adopts personalized integration mode.

External system is integrated, and part system adopts exploitation standard interface and external system integrated, and also some external portion application system employing front end processor mode is integrated, according to the deployed position of working range determination front end processor.

External equipment is integrated, pays the utmost attention to uniform protocol, interface to hardware device, considers personalize development to special installation.

Data security control platform needs to obtain user and agency information from data resource management platform, needs and 4A platform intergration, obtains the services such as user authentication, account management, mandate, audit.

Data security control platform collects the daily record data of magnanimity from lower tool, and is normalized these log informations, and then the tracking forensic information of therefrom mining analysis alarm event.If the log processing of these magnanimity can not get effective Storage and Processing, will greatly affect the performance of whole control platform.In order to make control platform access more fast and efficiently and process daily record data, we adopt Hadoop distributed file system HDFS to carry out storing daily record data in rear end.Hadoop has the feature of high fault tolerance, can be deployed on cheap hardware; It provides high-throughput to visit the data of application program, is applicable to the application program that those have super large data set; It relaxes the requirement of POSIX, can data in the form of streaming in access file system; It works in a parallel fashion, is accelerated the processing speed of data by parallel processing.Further, Hadoop supposes to calculate element and storage meeting failure in design, and therefore it safeguards multiple operational data copy, guarantees, for the node redistribution process of failure, to have high reliability.It can thus be appreciated that these advantages of Hadoop can make data security control platform possess high-performance and high reliability just.

Data security control platform possesses high security, on the one hand, according to the overall planning of Guangdong Power Grid Corporation to Information Security Construction, data security control platform, by accessing the service such as user management, certification, mandate of 4A platform in the mode of Services Integration, realizes the unified management to control platform user, authentication and authorization; On the other hand, control platform self also realizes the functions such as user identity discriminating, access control, log audit.In user's discriminating, special login control module is provided to carry out identify label and discriminating to login user; There is provided User Identity unique and authentication information complexity audit function, there is not duplicate customer identify label in guarantee platform, identification information is not easily falsely used.In access control, Partition of role will follow the principle of "separation of the three powers", makes the mutual containing of the authority of different keeper, avoids the situation causing privilege abuse because personal authority is excessive to occur.On log audit, can all operations of recording user, can inquire about daily record, real name audit is carried out to platform safety significant incident, can record of the audit be protected, avoid being subject to unexpected deletion, amendment and covering.

Data security control platform adopts standard interface design, Southern Power Grid Company ECIM standard followed by service data model, the requirement that Interface realization meets " SOA application technology specification the 3rd part: SOA Technique of Information Integration specification ", the basis that service realizes is carried out encapsulation and the definition of serviceization, there is provided service call with the interface technology protocols Web Service of standard or obtain external service, the pragmatic existing ins and outs of external screening clothing, realize the loose coupling between Service realization layer and business function layer, possess expansibility.

Claims (10)

1. a data security control method, is characterized in that, comprises the following steps:

S1, divides data according to data category and level of confidentiality;

S2, according to Data Placement result to the encryption of data, authentication, access control, security audit and follow the tracks of and distribute corresponding safety protective tool and carry out security protection with collecting evidence;

S3, collects the log information that safety protective tool produces, and is normalized, set up the secured views of the Life cycle of data.

2. data security control method according to claim 1, it is characterized in that: in described step S1, data category belonging to data, the assets value of carrying out data according to CIA assignment and CIA weight calculates, again in conjunction with the concerning security matters of data to Data Placement level of confidentiality, be high sensitive data, sensitive data, internal data and common data according to level of confidentiality by Data Placement.

3. data security control method according to claim 2, is characterized in that: the assets value V of described data is according to V=Round1{Log2 [(A × 2 ^conf+ B × 2 ^int+ C × 2 ^ava)/3] } calculate, wherein, A represents the weights of confidentiality, and B represents the weights of integrality, and C represents the weights of availability; Round function is that logarithm value rounds up, and Round1 represents reservation 1 decimal by formulation figure place.

4. data security control method according to claim 1 and 2, is characterized in that, according to Data Placement result, the authentication of data, access control is distributed to corresponding safety protective tool and carries out security protection and specifically comprise in described step S2:

(1) initialization: suppose total n+1 data class in information system, m user, sets up encryption key hierarchical tree, and calculates rope master key K _jwith class key K _x, wherein, 1≤j≤t, t+1≤x≤n, t, j are master index node, and t+1, x, n are the leaf node under master index node;

(2) data encryption: encryption equipment generates data class C according to the level of confidentiality of data _xencryption key K _x,s, utilize this encryption key K _x,sto data class C _xbe encrypted, wherein C _xrepresent the data class being positioned at leaf node under master index node j;

(3) user's registration: the user D of trusted party authentication-access data _iwhether meet the condition of Accreditation System, if meet, then encryption equipment calculates user's master key trusted party is issued and is comprised this user's master key and information system identity certificate to user D _ias the identity documents of access system, wherein, for user D _ipKI;

(4) access request: trusted party authentication of users D _isystem identity certificate, if by checking, be then user D _iissue the access certificate of data class identification information comprising user's level of confidentiality, the role authorized and authorize;

(5) decipher: the access certificate described in trusted party checking, if there is partial ordering relation namely user D is realized _ivisit data class C in level of confidentiality authority _kin data.

5. data security control method according to claim 2, is characterized in that: described safety protective tool comprises anti-data-leakage instrument, data encrypting and deciphering instrument and Data Audit instrument; Wherein, the leakage prevention method of described structural data comprises:

A1, the encryption key of database protection server generation system root key, row key, level of confidentiality value and the high sensitive data of each row, sensitive data, internal data, and the encryption key described in utilizing is encrypted the high sensitive data of each row in database, sensitive data, internal data;

B1, subscription client sends the request of certain data rows in access structure data to database server by application server, database protection server is according to the level of confidentiality of user, the median being used for calculating user's level of confidentiality value is distributed to user with the form of access certificate, and subscription client calculates each level of confidentiality value allowing its access according to the access certificate of this median;

C1, whether database protection server, by the flow analysis SQL statement of mirror image, judges in this access request containing access in violation of rules and regulations;

D1, accesses in violation of rules and regulations if do not contain and accessed data rows is public data, then backward reference request msg; If containing in violation of rules and regulations access and accessed data rows is high sensitive data, sensitive data or internal data, then subscription client sends the level of confidentiality value corresponding to high sensitive data, sensitive data or internal data, database protection server is according to this level of confidentiality value and corresponding row key, generate the decruption key of this data rows, the corresponding data in decryption key decryption database server is utilized to arrange, and backward reference request msg.

6. data security control method according to claim 2, is characterized in that: described safety protective tool comprises anti-data-leakage instrument, data encrypting and deciphering instrument and Data Audit instrument; Wherein, the leakage prevention method of described unstructured data comprises:

A2, controlled terminal carries out classify and grading to non-structured data assets, and carries out digital signature according to responsive grade to the unstructured data of corresponding kind;

B2, when controlled terminal request sends unstructured data to Internet or Extranet, network protection server carries out filtration treatment by the flow of mirror image and sensitive keys word to these data;

C2, if comprise sensitive keys word in described unstructured data, then adopts the signature of the PKI of corresponding sensitivity level to this unstructured data to verify;

D2, if by checking, then blocks this controlled terminal sends request from data to Internet or Extranet.

7. the data security control method according to claim 1 or 6, is characterized in that, for unstructured data, described step S3 comprises:

S31, record unstructured data file is creating, is storing, uses, transmits, destroys and recover the data manipulation behavior in each stage, and is stored as log audit record;

S32, reads unstructured data file at the log audit record creating, store, use, transmit, destroy and recover each stage, analyzes, generate analysis report to the data manipulation behavior of violating security strategy;

S33, sets up the safety management view of the Life cycle of unstructured data.

8. realize a data security control platform for method described in claim 1 ~ 7 any one, it is characterized in that, comprising:

Data classification diversity module, for dividing data according to data category and level of confidentiality;

Safety protective tool distribution module, for according to Data Placement result to the encryption of data, authentication, access control, security audit and follow the tracks of and distribute corresponding safety protective tool and carry out security protection with collecting evidence;

Log collection processing module, for collecting the log information that safety protective tool produces, and being normalized, setting up the secured views of the Life cycle of data.

9. data security control platform according to claim 8, is characterized in that: described safety protective tool distribution module comprises:

Anti-data-leakage instrument distribution module, for distributing corresponding anti-data-leakage instrument according to the level of confidentiality of data, carries out anti-data-leakage protection to data;

Data encrypting and deciphering instrument distribution module, for distributing corresponding data encrypting and deciphering instrument according to the level of confidentiality of data, carries out data encrypting and deciphering protection to data;

Data Audit instrument distribution module, for distributing corresponding Data Audit instrument according to the level of confidentiality of data, carries out Data Audit protection to data.

10. data security control platform according to claim 8 or claim 9, is characterized in that: described log collection processing module comprises:

Audit log logging modle, for recording unstructured data file in the data manipulation behavior creating, store, use, transmit, destroy and recover each stage, and is stored as log audit record;

Audit log analysis module, for reading unstructured data file at the log audit record creating, store, use, transmit, destroy and recover each stage, analyzing the data manipulation behavior of violating security strategy, generating analysis report;

Secured views sets up module, for setting up the safety management view of the Life cycle of unstructured data.