CN109145630A - Sensitive data erasing method, apparatus, device and computer-readable storage medium - Google Patents

Publication number
CN109145630A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710463588.8A
Other languages
Chinese (zh)
Inventor
李林
雷中杰
胡莉
樊炼
许佳
薛超
徐庆
张欣
黄璐
王卉
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
China Mobile Communications Group Co Ltd
China Mobile Group Hubei Co Ltd
Original Assignee
China Mobile Communications Group Co Ltd
China Mobile Group Hubei Co Ltd
Application filed by China Mobile Communications Group Co Ltd and China Mobile Group Hubei Co Ltd
Priority to CN201710463588.8A
Publication of CN109145630A
Legal status: Pending

Classifications

    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60: Protecting data
    • G06F21/62: Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245: Protecting personal data, e.g. for financial or medical purposes


Abstract

The embodiments of the invention disclose a sensitive data erasing method, apparatus, device and computer-readable storage medium. The method comprises: scanning the data in a cloud resource pool based on a preset sensitive data feature library; and, when sensitive data is found by the scan and the sensitive data meets an erasure condition, calling a pre-installed sensitive data erasing program to erase the sensitive data. The sensitive data erasing method, apparatus, device and computer-readable storage medium of the embodiments of the invention can improve the security of data.

Description

Sensitive data erasing method, apparatus, device and computer-readable storage medium
Technical field
The present invention relates to the technical field of data protection, and in particular to a sensitive data erasing method, apparatus, device and computer-readable storage medium.
Background
Sensitive data refers to data that includes customers' personal privacy information or information of business value to an enterprise.
Data in a cloud resource pool is shared using storage area network (Storage Area Network, SAN) virtual storage technology. At present, data in a cloud resource pool is protected mainly by means such as physical firewall devices, software firewalls and anti-virus software.
However, virtual hosts are generated dynamically from the shared resources in the cloud resource pool. Before a resource is shared, the sensitive data on that shared resource may not have been erased. As a result, the sensitive data in the cloud resource pool is at risk of leaking, and data security is poor.
Summary of the invention
The embodiments of the present invention provide a sensitive data erasing method, apparatus, device and computer-readable storage medium that can improve the security of data.
In one aspect, an embodiment of the invention provides a sensitive data erasing method, the method including:
scanning the data in a cloud resource pool based on a preset sensitive data feature library;
when sensitive data is found by the scan and the sensitive data meets an erasure condition, calling a pre-installed sensitive data erasing program to erase the sensitive data.
In another aspect, an embodiment of the invention provides a sensitive data erasing apparatus, the apparatus including a scan module and an erasing module, wherein
the scan module is configured to scan the data in the cloud resource pool based on the preset sensitive data feature library;
the erasing module is configured to call the pre-installed sensitive data erasing program to erase the sensitive data when sensitive data is found by the scan and the sensitive data meets the erasure condition.
In yet another aspect, an embodiment of the invention provides a sensitive data erasing device, the device including a processor and a memory storing computer program instructions; the processor executes the computer program instructions stored in the memory to implement any one of the sensitive data erasing methods.
In yet another aspect, an embodiment of the invention provides a computer-readable storage medium on which computer program instructions are stored; when executed by a processor, the computer program instructions implement any one of the sensitive data erasing methods.
The sensitive data erasing method, apparatus, device and computer-readable storage medium of the embodiments of the invention can improve the security of data.
Brief description of the drawings
In order to explain the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the embodiments are briefly described below. A person of ordinary skill in the art can obtain other drawings from these drawings without creative effort.
Fig. 1 shows a first flow diagram of the sensitive data erasing method provided by an embodiment of the present invention;
Fig. 2 shows a second flow diagram of the sensitive data erasing method provided by an embodiment of the present invention;
Fig. 3 shows a third flow diagram of the sensitive data erasing method provided by an embodiment of the present invention;
Fig. 4 shows a first structural schematic diagram of the sensitive data erasing apparatus provided by an embodiment of the present invention;
Fig. 5 shows a second structural schematic diagram of the sensitive data erasing apparatus provided by an embodiment of the present invention;
Fig. 6 shows a third structural schematic diagram of the sensitive data erasing apparatus provided by an embodiment of the present invention;
Fig. 7 shows a hardware structural diagram of the sensitive data erasing device provided by an embodiment of the present invention.
Detailed description of the embodiments
The features and exemplary embodiments of various aspects of the invention are described in detail below. To make the purpose, technical solutions and advantages of the invention clearer, the invention is described in further detail with reference to the drawings and embodiments. It should be understood that the specific embodiments described here are only intended to explain the invention, not to limit it. To those skilled in the art, the invention can be practiced without some of these specific details. The following description of the embodiments is given only to provide a better understanding of the invention by showing examples of it.
It should be noted that, in this document, relational terms such as "first" and "second" are used only to distinguish one entity or operation from another, and do not necessarily require or imply any actual relationship or order between these entities or operations. Moreover, the terms "include", "comprise" and any other variants are intended to cover non-exclusive inclusion, so that a process, method, article or device that includes a series of elements includes not only those elements but also other elements not explicitly listed, or elements inherent to that process, method, article or device. Without further restriction, an element introduced by the phrase "including ..." does not exclude the presence of other identical elements in the process, method, article or device that includes the element.
To solve the problems of the prior art, the embodiments of the invention provide a sensitive data erasing method, apparatus, device and computer-readable storage medium.
It should be noted that the sensitive data erasing method and apparatus provided by the embodiments of the invention are preferably applied to a hypervisor. A hypervisor is an intermediate software layer that runs between the physical server and the operating systems (that is, a middle layer between the physical machine and the virtual machines) and allows multiple operating systems and applications to share one set of underlying physical hardware. A hypervisor may also be called a virtual machine monitor (VMM). The hypervisor is a kind of "meta" operating system in a virtualized environment: it can access all physical devices on the server, including disks and memory. The hypervisor not only coordinates access to these hardware resources but also enforces protection between the virtual machines. When the server starts and runs the hypervisor, it loads the operating systems of all virtual machine clients and allocates an appropriate amount of memory, CPU, network and disk to each virtual machine. The hypervisor is the core of all virtualization technology. The ability to migrate multiple workloads without interruption is a basic function of a hypervisor.
The sensitive data erasing method provided by the embodiments of the invention is introduced first.
Fig. 1 shows a first flow diagram of the sensitive data erasing method provided by an embodiment of the present invention. The method may include:
S101: scan the data in the cloud resource pool based on the preset sensitive data feature library. When sensitive data is found by the scan and the sensitive data meets the erasure condition, execute S102.
S102: call the pre-installed sensitive data erasing program to erase the sensitive data.
The preset sensitive data feature library stores the features that indicate that data is sensitive data.
Taking file data as an example, assume that a file whose format is a picture format and whose file name contains the keyword "ID card" is sensitive data. Then, for file data, the feature indicating that the data is sensitive is: the file format is a picture format and the file name contains the characters "ID card". Picture formats include, but are not limited to, the following common formats: bitmap (BitMaP, BMP) format, Graphics Interchange Format (GIF), Joint Photographic Experts Group (JPEG) format and Portable Network Graphics (PNG) format.
Taking data in a database as an example, assume that data whose length is 18 and whose format matches the regular expression "^[1-9]\d{5}(18|19|([23]\d))\d{2}((0[1-9])|(10|11|12))(([0-2][1-9])|10|20|30|31)\d{3}[0-9Xx]$" is sensitive data. Data whose length is 18 and whose format matches this regular expression is data in ID card number format. For data in ID card number format, the feature indicating that the data is sensitive is: the data length is 18 and the data format matches the above regular expression.
Of course, a sensitive data feature may also be that the data is located in a particular directory, that the data belongs to a particular owner, and so on.
It should be noted that the embodiments of the invention are described using the following sensitive data features as examples: the file format is a picture format and the file name contains the characters "ID card"; and the data length is 18 and the data format matches the above regular expression. These are only specific examples of the invention and do not limit it.
In one embodiment of the invention, scanning the data in the cloud resource pool based on the preset sensitive data feature library may include: scanning the data in the cloud resource pool based on the preset sensitive data feature library according to a preset scan plan, where the scan plan includes a scan start time and a scan position.
Specifically, when the scan position is the whole cloud resource pool, the data in the cloud resource pool is scanned with a full scan based on the preset sensitive data feature library. When the scan position is a specified location in the cloud resource pool (for example a certain disk, a certain partition, a certain database, or key directories in a system), the data in the cloud resource pool is scanned with a sampling scan based on the preset sensitive data feature library.
For both the full scan and the sampling scan: if the scan plan contains only a scan start time and no scan end time, scanning starts when the scan start time is reached and stops once the specified position has been completely scanned. If the scan plan contains both a scan start time and a scan end time, scanning starts when the scan start time is reached and stops when the scan end time is reached.
When the data in the cloud resource pool is scanned based on the preset sensitive data feature library, and sensitive data is found and meets the erasure condition, the pre-installed sensitive data erasing program is called to erase the sensitive data.
Specifically, in the embodiments of the invention, sensitive data meets the erasure condition when an erase instruction for the sensitive data is received, when the virtual machine that generated the sensitive data is detected to have been destroyed, or when the user to whom the sensitive data belongs is detected to have been deleted, and so on.
The case where the user to whom the sensitive data belongs is detected to have been deleted is described in detail below.
For example, assume that a user submitted the sensitive data "ID card scan" while applying for a bank card at a bank, but that the bank card the user holds at that bank and the bank cards the user holds at other banks have had no income records (deposits, online banking receipts, etc.) and no expenditure records (withdrawals, online banking transfers) for a long period of time. The bank can then delete the user and, at the same time, delete the user's ID card scan.
Assume that a user obtained a phone card from a telecom operator and submitted the sensitive data "ID card number", and that the ID card number was bound to the telephone number of the phone card. When the operator detects that the telephone number has been in arrears for a long period of time, it can reclaim the telephone number, delete the ID card number bound to it, and unbind the ID card number from the telephone number.
Specifically, sensitive data may first be backed up before it is deleted, to prevent losses caused by the deletion.
In one embodiment of the invention, calling the pre-installed sensitive data erasing program to erase the sensitive data may include: calling the pre-installed sensitive data erasing program to shred the sensitive data.
Shredding sensitive data means overwriting the region where the sensitive data is stored with other data, so that the sensitive data is thoroughly deleted and cannot be recovered.
In one embodiment of the invention, users' access to sensitive data can also be controlled. Specifically, various permissions can be set on sensitive data, such as read permission, write permission, execute permission, call permission, copy permission and delete permission. Setting these permissions protects sensitive data throughout its life cycle. Users' access to sensitive data can also be monitored based on access log records.
In one embodiment of the invention, the sensitive data found by the scan may also be marked before the pre-installed sensitive data erasing program is called to erase it. The marks are then used when protecting, erasing or otherwise processing the sensitive data.
Fig. 2 shows a second flow diagram of the sensitive data erasing method provided by an embodiment of the present invention. On the basis of the embodiment shown in Fig. 1, the embodiment shown in Fig. 2 adds S103 before S102: classify the sensitive data found by the scan according to a preset classification rule.
For example, the preset classification rule is as follows:
First class: user identity and authentication information (hereinafter class A).
Class A includes two subclasses: user identity and identification information (hereinafter class A1) and user network identity authentication information (hereinafter class A2).
Class A1 in turn includes five subclasses: natural person identity (hereinafter class A1-1), network identity identification (hereinafter class A1-2), user basic information (hereinafter class A1-3), entity identity proof (hereinafter class A1-4) and user private data (hereinafter class A1-5). Class A2 in turn includes one subclass: user passwords and associated information (hereinafter class A2-1).
Second class: user data and service content information (hereinafter class B).
Class B includes one subclass: service content and data (hereinafter class B1).
Class B1 in turn includes two subclasses: service content data (hereinafter class B1-1) and contact information (hereinafter class B1-2).
Third class: user service related information (hereinafter class C).
Class C includes two subclasses: user service usage data (hereinafter class C1) and device information (hereinafter class C2).
Class C1 in turn includes five subclasses: service subscription relationships (hereinafter class C1-1), service records and logs (hereinafter class C1-2), consumption information and bills (hereinafter class C1-3), location data (hereinafter class C1-4) and violation record data (hereinafter class C1-5). Class C2 in turn includes two subclasses: terminal device identifiers (hereinafter class C2-1) and terminal device data (hereinafter class C2-2).
Data in class A1-1: customer name, credential type and number, driving license number, bank account, individual customer number, group customer number, group customer name, contact information of the person responsible for a group customer, and other information that can accurately identify and locate a specific individual or entity customer.
Data in class A1-2: telephone number, e-mail address, network customer number, instant messaging account, social network user account, and other information that can accurately identify a network user or communication user.
Data in class A1-3: a customer's occupation, employer, age, gender, native place, hobbies, etc.; a group customer's province and city, industry, group contract signing time and agreement expiry time, personal basic information of the members of the organization, etc.
Data in class A1-4: copies of credentials such as ID cards, passports, driving licenses and business licenses; fingerprints, voiceprints, irises, etc.
Data in class A1-5: information revealing an individual's race, family members, home address, religious belief, genes, personal health, private life and other user private information that must not be disclosed (other user information whose disclosure is prohibited by laws and administrative regulations such as the "Regulations on the Administration of the Credit Reporting Industry").
Data in class A2-1: user network identity passwords and associated information, such as mobile phone customer service passwords, mailbox passwords, mobile wireless local area network (Wireless Local Area Network, WLAN) passwords and various transaction passwords, together with the password protection answers associated with these passwords.
Data in class B1-1: telecom network service content data, that is, communication content such as short messages, multimedia messages and voice; mobile Internet service content information, including conversation content, instant communication content, content posted in groups, data files, mail content and content accessed by users online for mobile Internet services such as Fetion, converged communication and the 139 mailbox; and private text, multimedia and other data stored or cached in user cloud storage, software defined networks (Software Defined Network, SDN), Internet data centers (Internet Data Center, IDC), etc.
Data in class B1-2: user data such as the user's address book, friend list and group list.
Data in class C1-1: basic service subscription relationships, such as brand and package subscriptions; value-added service subscription relationships, that is, registration, modification and cancellation of value-added services and packages such as the 139 mailbox, Fetion and address book, caller ID display and CRBT (color ring back tone).
Data in class C1-2: service detail records and signaling, including detail records for voice, short messages, multimedia messages and Internet access logs, and 2G/3G/Long Term Evolution (LTE) user plane external data representation (External Data Representation, XDR) and signaling plane XDR, containing information such as calling number, calling party home location, called number, communication start time, duration and traffic volume; mobile Internet service records, including cookie content, Internet access logs and connected applications (Application, APP), containing calling number, network address, online shopping records, etc.
Data in class C1-3: consumption information, that is, service suspension and reactivation, network entry time, time on the network, points, prepaid deposits, credit rating, credit limit, payment status, payment method, package balance and transaction history; bills, that is, fixed charges billed monthly, communication charges, arrears information, data charges and fees.
Data in class C1-4: precise location information (such as cell code, base station number, base station latitude and longitude coordinates) and approximate location information (such as area code).
Data in class C1-5: user violation records, including records of spam short messages and harassing calls, blacklists, greylists, etc.; service violation records, including records of port abuse, non-compliant channels, objectionable website domain names, etc., blacklists and greylists.
Data in class C2-1: International Mobile Equipment Identity (IMEI), device media access control (Media Access Control, MAC) address, subscriber identification module (Subscriber Identification Module, SIM) card International Mobile Subscriber Identification Number (IMSI) information, and other information that can accurately identify and locate a specific device.
Data in class C2-2: terminal model, brand, manufacturer, operating system type, pre-installed software applications, duration of use, etc.
For example, take sensitive data that is a file whose format is a picture format and whose file name contains "ID card". The sensitive data is identified as a copy of an ID card. According to the above classification rule, the sensitive data can be assigned to class A1-4.
Classifying sensitive data according to the classification rule makes the sensitive data easier to manage.
Fig. 3 shows a third flow diagram of the sensitive data erasing method provided by an embodiment of the present invention. On the basis of the embodiment shown in Fig. 1, the embodiment shown in Fig. 3 adds S104 before S102: grade the sensitive data found by the scan according to a preset grading rule.
It should be noted that S104 may also be added on the basis of the embodiment shown in Fig. 2.
For example, the preset grading rule includes four levels: extremely sensitive, sensitive, relatively sensitive and low sensitivity.
Extremely sensitive data may include: the above class A1-4, class A1-5 and class A2-1 data.
Sensitive data may include: the above class A1-1, class A1-2, class A1-3, class B1-1, class B1-2, class C1-2 and class C1-4 data.
Relatively sensitive data may include: the above class C1-3, class C2-1 and class C2-2 data.
Low sensitivity data may include: the above class C1-1 and class C1-5 data.
Grading sensitive data according to the grading rule makes the sensitive data easier to manage.
The sensitive data erasing method of the embodiments of the invention erases sensitive data. This avoids leakage of the sensitive data in the cloud resource pool and can improve data security.
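The steps described above (S101 scan against the feature library, S103 classification, S104 grading, the erasure condition and S102 shredding by overwriting) can be put together as follows. This is an added example, not code from the patent. Its assumptions: directories stand in for the storage of virtual machines in the resource pool, the ASCII keyword spellings, the VM and owner names and the sample values are constructed, and placing an ID card number in class A1-1 is an interpretation of the classification rule.

```python
import os
import re
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Feature library. The ID-number pattern is the one given in the description.
ID_NUMBER_RE = re.compile(
    r"^[1-9]\d{5}(18|19|([23]\d))\d{2}((0[1-9])|(10|11|12))"
    r"(([0-2][1-9])|10|20|30|31)\d{3}[0-9Xx]$"
)
IMAGE_SUFFIXES = {".bmp", ".gif", ".jpg", ".jpeg", ".png"}
ID_CARD_KEYWORDS = ("id_card", "idcard")  # assumed spellings of the "ID card" keyword

# Grading rule from the description: sensitivity level -> classes.
LEVELS = {
    "extremely sensitive": ("A1-4", "A1-5", "A2-1"),
    "sensitive": ("A1-1", "A1-2", "A1-3", "B1-1", "B1-2", "C1-2", "C1-4"),
    "relatively sensitive": ("C1-3", "C2-1", "C2-2"),
    "low sensitivity": ("C1-1", "C1-5"),
}
LEVEL_BY_CLASS = {c: level for level, classes in LEVELS.items() for c in classes}


@dataclass(frozen=True)
class Finding:
    path: Path
    data_class: str
    level: str
    vm_id: str
    owner: str


def classify_file(path):
    """Return the class of a file that matches the file feature, else None."""
    name = path.name.lower()
    if path.suffix.lower() in IMAGE_SUFFIXES and any(k in name for k in ID_CARD_KEYWORDS):
        return "A1-4"  # the description files ID card copies under A1-4
    return None


def classify_value(value):
    """Return (class, level) for a database value matching the ID-number feature."""
    if len(value) == 18 and ID_NUMBER_RE.fullmatch(value):
        # Assumption: an ID number is a "credential type and number" item (A1-1).
        return "A1-1", LEVEL_BY_CLASS["A1-1"]
    return None


def scan_files(root, vm_id, owner):
    """Scan one scan position (a directory standing in for a VM's storage)."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        data_class = classify_file(path) if path.is_file() else None
        if data_class:
            findings.append(Finding(path, data_class, LEVEL_BY_CLASS[data_class], vm_id, owner))
    return findings


def meets_erase_condition(finding, erase_requests, destroyed_vms, deleted_users):
    """Erase instruction received, originating VM destroyed, or owning user deleted."""
    return (finding.path in erase_requests
            or finding.vm_id in destroyed_vms
            or finding.owner in deleted_users)


def shred(path, passes=1):
    """Overwrite the file's bytes in place with random data, sync, then unlink it."""
    size = path.stat().st_size
    with open(path, "r+b") as fh:
        for _ in range(passes):
            fh.seek(0)
            remaining = size
            while remaining > 0:
                chunk = os.urandom(min(remaining, 1 << 20))
                fh.write(chunk)
                remaining -= len(chunk)
            fh.flush()
            os.fsync(fh.fileno())
    path.unlink()


def run_demo():
    """Build a constructed two-VM pool, scan it, and erase what qualifies."""
    with tempfile.TemporaryDirectory() as tmp:
        pool = Path(tmp)
        layout = {"vm-01": ("zhang", ["zhang_id_card_front.jpg", "notes.txt"]),
                  "vm-02": ("li", ["li_id_card_back.png"])}
        findings = []
        for vm_id, (owner, names) in layout.items():
            (pool / vm_id).mkdir()
            for name in names:
                (pool / vm_id / name).write_bytes(b"constructed sample bytes")
            findings += scan_files(pool / vm_id, vm_id, owner)
        erased = []
        for f in findings:
            if meets_erase_condition(f, set(), destroyed_vms={"vm-01"}, deleted_users=set()):
                shred(f.path)
                erased.append(f.path.name)
        remaining = sorted(p.name for p in pool.rglob("*") if p.is_file())
        return {"found": [(f.path.name, f.data_class, f.level) for f in findings],
                "erased": erased, "remaining": remaining}


if __name__ == "__main__":
    print(run_demo())
    print(classify_value("110101200001010010"))  # constructed value, format only
```

Overwriting in place only reaches the original blocks on storage that writes in place. Snapshots, copy-on-write file systems and SSD wear leveling can keep earlier copies, so in a SAN-backed pool the overwrite has to be applied at the layer that owns the physical blocks.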
Corresponding to the above method embodiments, the embodiments of the invention also provide a sensitive data erasing apparatus.
Fig. 4 shows a first structural schematic diagram of the sensitive data erasing apparatus provided by an embodiment of the present invention. The apparatus may include a scan module 401 and an erasing module 402, wherein
the scan module 401 is configured to scan the data in the cloud resource pool based on the preset sensitive data feature library;
the erasing module 402 is configured to call the pre-installed sensitive data erasing program to erase the sensitive data when sensitive data is found by the scan and the sensitive data meets the erasure condition.
The preset sensitive data feature library stores the features that indicate that data is sensitive data.
Taking file data as an example, assume that a file whose format is a picture format and whose file name contains the keyword "ID card" is sensitive data. Then, for file data, the feature indicating that the data is sensitive is: the file format is a picture format and the file name contains the characters "ID card". Picture formats include, but are not limited to, the following common formats: BMP format, GIF format, JPEG format and PNG format.
Taking data in a database as an example, assume that data whose length is 18 and whose format matches the regular expression "^[1-9]\d{5}(18|19|([23]\d))\d{2}((0[1-9])|(10|11|12))(([0-2][1-9])|10|20|30|31)\d{3}[0-9Xx]$" is sensitive data. Data whose length is 18 and whose format matches this regular expression is data in ID card number format. For data in ID card number format, the feature indicating that the data is sensitive is: the data length is 18 and the data format matches the above regular expression.
Of course, a sensitive data feature may also be that the data is located in a particular directory, that the data belongs to a particular owner, and so on.
It should be noted that the embodiments of the invention are described using the following sensitive data features as examples: the file format is a picture format and the file name contains the characters "ID card"; and the data length is 18 and the data format matches the above regular expression. These are only specific examples of the invention and do not limit it.
The scan module 401 of the embodiments of the invention may specifically be configured to: scan the data in the cloud resource pool based on the preset sensitive data feature library according to a preset scan plan, where the scan plan includes a scan start time and a scan position.
Specifically, when the scan position is the whole cloud resource pool, the data in the cloud resource pool is scanned with a full scan based on the preset sensitive data feature library. When the scan position is a specified location in the cloud resource pool (for example a certain disk, a certain partition, a certain database, or key directories in a system), the data in the cloud resource pool is scanned with a sampling scan based on the preset sensitive data feature library.
For both the full scan and the sampling scan: if the scan plan contains only a scan start time and no scan end time, scanning starts when the scan start time is reached and stops once the specified position has been completely scanned. If the scan plan contains both a scan start time and a scan end time, scanning starts when the scan start time is reached and stops when the scan end time is reached.
When the data in the cloud resource pool is scanned based on the preset sensitive data feature library, and sensitive data is found and meets the erasure condition, the pre-installed sensitive data erasing program is called to erase the sensitive data.
Specifically, in the embodiments of the invention, sensitive data meets the erasure condition when an erase instruction for the sensitive data is received, when the virtual machine that generated the sensitive data is detected to have been destroyed, or when the user to whom the sensitive data belongs is detected to have been deleted, and so on.
The case where the user to whom the sensitive data belongs is detected to have been deleted is described in detail below.
For example, assume that a user submitted the sensitive data "ID card scan" while applying for a bank card at a bank, but that the bank card the user holds at that bank and the bank cards the user holds at other banks have had no income records (deposits, online banking receipts, etc.) and no expenditure records (withdrawals, online banking transfers) for a long period of time. The bank can then delete the user and, at the same time, delete the user's ID card scan.
Assume that a user obtained a phone card from a telecom operator and submitted the sensitive data "ID card number", and that the ID card number was bound to the telephone number of the phone card. When the operator detects that the telephone number has been in arrears for a long period of time, it can reclaim the telephone number, delete the ID card number bound to it, and unbind the ID card number from the telephone number.
Specifically, sensitive data may first be backed up before it is deleted, to prevent losses caused by the deletion.
The erasing module 402 of the embodiment of the present invention, specifically can be used for: call preassembled sensitive data erasing journey Sequence crushes sensitive data.Wherein, crushing sensitive data is by sensitive data region using other rewriting datas, so that quick Sense data are thoroughly deleted, and can not be resumed.
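The scan plan (start time, optional end time, scan position), the erase condition and the overwrite-based shredding described above, sketched as an added Python example; it is not code from the patent. The picture extensions, the per-user directory layout, the `erase_ok` callback and all function names are assumptions made for illustration.

```python
import os
import tempfile
from datetime import datetime, timedelta

IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".bmp"}  # assumed picture formats
NAME_MARK = "identity card"                      # file-name feature from the text

def is_sensitive(path):
    """Feature match: picture format and the marker string in the file name."""
    name = os.path.basename(path).lower()
    return os.path.splitext(name)[1] in IMAGE_EXTS and NAME_MARK in name

def shred(path):
    """Overwrite the file's bytes in place, force them to disk, then unlink."""
    # Only reaches the original blocks where storage rewrites in place;
    # snapshots, copy-on-write volumes and SSD wear levelling can keep copies.
    remaining = os.path.getsize(path)
    with open(path, "r+b") as fh:
        while remaining:
            chunk = os.urandom(min(remaining, 1 << 16))
            fh.write(chunk)
            remaining -= len(chunk)
        fh.flush()
        os.fsync(fh.fileno())
    os.remove(path)

def run_scan(position, erase_ok, start, end=None, now=datetime.now):
    """Scan `position` once `start` is reached; stop at `end` if one is set.
    erase_ok(path) stands in for the erase condition (erase instruction,
    VM destroyed, user deleted). Returns (found, erased, completed)."""
    found, erased = [], []
    if now() < start:
        return found, erased, False          # start time not reached yet
    for root, _dirs, files in os.walk(position):
        for fname in sorted(files):
            if end is not None and now() >= end:
                return found, erased, False  # end time reached mid-scan
            path = os.path.join(root, fname)
            if is_sensitive(path):
                found.append(path)
                if erase_ok(path):
                    shred(path)
                    erased.append(path)
    return found, erased, True

def demo():
    """Constructed sample tree: two matches, one owned by a deleted user."""
    with tempfile.TemporaryDirectory() as pool:
        for rel in ("u1/identity card scan.jpg", "u2/identity card.png", "u2/notes.txt"):
            full = os.path.join(pool, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as fh:
                fh.write(b"constructed sample bytes")
        deleted_users = {"u1"}
        erase_ok = lambda p: os.path.basename(os.path.dirname(p)) in deleted_users
        found, erased, done = run_scan(pool, erase_ok, datetime.now() - timedelta(seconds=1))
        left = sorted(f for _r, _d, fs in os.walk(pool) for f in fs)
        return len(found), [os.path.basename(p) for p in erased], done, left
```

The matched file that does not meet the erase condition is reported in `found` but left on disk, which is the behaviour the text describes: detection alone does not trigger erasure.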
In one embodiment of the invention, users' access to sensitive data can also be controlled. Specifically, various permissions can be set for the sensitive data, such as read permission, write permission, execute permission, call permission, copy permission, delete permission, etc. Setting these permissions protects the sensitive data over its full life cycle. Users' access to sensitive data can also be monitored based on access log records.
Fig. 5 shows a second structural schematic diagram of the sensitive data erasing apparatus provided by an embodiment of the present invention. The embodiment shown in Fig. 5 adds, on the basis of the embodiment shown in Fig. 4, a classification module 403 for classifying the scanned sensitive data according to pre-set classification rules.
For the pre-set classification rules, refer to the classification rules in the embodiment shown in Fig. 2.
Classifying the sensitive data based on the classification rules facilitates management of the sensitive data.
Fig. 6 shows a third structural schematic diagram of the sensitive data erasing apparatus provided by an embodiment of the present invention. The embodiment shown in Fig. 6 adds, on the basis of the embodiment shown in Fig. 4, a grading module 404 for grading the scanned sensitive data according to pre-set grading rules.
It should be noted that the grading module 404 of the embodiment of the present invention can also be added on the basis of the embodiment shown in Fig. 5.
For the pre-set grading rules, refer to the grading rules in the embodiment shown in Fig. 3.
Grading the sensitive data based on the grading rules facilitates management of the sensitive data.
The sensitive data erasing apparatus of the embodiment of the present invention erases sensitive data. This avoids leakage of the sensitive data in the cloud resource pool and improves information security.
In addition, the sensitive data erasing method and apparatus of the embodiment of the present invention described in connection with Figs. 1 to 6 can be implemented by sensitive data erasing equipment. Fig. 7 shows a schematic diagram of the hardware structure of the sensitive data erasing equipment provided by an embodiment of the present invention.
The sensitive data erasing equipment may include a processor 701 and a memory 702 storing computer program instructions.
Specifically, the processor 701 may include a central processing unit (CPU) or an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), or may be configured as one or more integrated circuits that implement the embodiments of the present invention.
The memory 702 may include mass storage for data or instructions. By way of example and not limitation, the memory 702 may include a hard disk drive (Hard Disk Drive, HDD), a floppy disk drive, flash memory, an optical disc, a magneto-optical disk, magnetic tape, a Universal Serial Bus (USB) drive, or a combination of two or more of these. Where appropriate, the memory 702 may include removable or non-removable (or fixed) media. Where appropriate, the memory 702 may be internal or external to the synthesized gateway disaster tolerance equipment. In a particular embodiment, the memory 702 is non-volatile solid-state memory. In a particular embodiment, the memory 702 includes read-only memory (ROM). Where appropriate, the ROM may be mask-programmed ROM, programmable ROM (PROM), erasable PROM (EPROM), electrically erasable PROM (EEPROM), electrically alterable ROM (EAROM) or flash memory, or a combination of two or more of these.
The processor 701 reads and executes the computer program instructions stored in the memory 702 to implement any one of the sensitive data erasing methods in the above embodiments.
In one example, the sensitive data erasing equipment may also include a communication interface 703 and a bus 710. As shown in Fig. 7, the processor 701, the memory 702 and the communication interface 703 are connected by the bus 710 and communicate with one another over it.
The communication interface 703 is mainly used to implement communication between the modules, apparatuses, units and/or equipment in the embodiments of the present invention.
The bus 710 includes hardware, software or both, and couples the components of the sensitive data erasing equipment to one another. By way of example and not limitation, the bus may include an Accelerated Graphics Port (AGP) or other graphics bus, an Enhanced Industry Standard Architecture (EISA) bus, a front side bus (FSB), a HyperTransport (HT) interconnect, an Industry Standard Architecture (ISA) bus, an InfiniBand interconnect, a low pin count (LPC) bus, a memory bus, a Micro Channel Architecture (MCA) bus, a Peripheral Component Interconnect (PCI) bus, a PCI-Express (PCI-X) bus, a Serial Advanced Technology Attachment (SATA) bus, a Video Electronics Standards Association local (VLB) bus, or another suitable bus, or a combination of two or more of these. Where appropriate, the bus 710 may include one or more buses. Although the embodiments of the present invention describe and illustrate a specific bus, the present invention contemplates any suitable bus or interconnect.
The sensitive data erasing equipment can execute the sensitive data erasing method of the embodiment of the present invention based on the relevant information of the cloud resource pool, thereby implementing the sensitive data erasing method and apparatus described in connection with Figs. 1 to 6.
In addition, in combination with the sensitive data erasing method in the above embodiments, an embodiment of the present invention may provide a computer-readable storage medium for its implementation. Computer program instructions are stored on the computer-readable storage medium; when executed by a processor, the computer program instructions implement any one of the sensitive data erasing methods in the above embodiments.
It should be clear that the invention is not limited to the specific configurations and processing described above and shown in the figures. For brevity, detailed descriptions of known methods are omitted here. In the above embodiments, several specific steps have been described and shown as examples. However, the method flow of the invention is not limited to the specific steps described and shown; those skilled in the art, after understanding the spirit of the invention, can make various changes, modifications and additions, or change the order of the steps.
The functional blocks shown in the structural block diagrams described above can be implemented as hardware, software, firmware or a combination of these. When implemented in hardware, they may be, for example, electronic circuits, application-specific integrated circuits (ASICs), appropriate firmware, plug-ins, function cards, etc. When implemented in software, the elements of the invention are programs or code segments used to perform the required tasks. The programs or code segments can be stored in a machine-readable medium, or transmitted over a transmission medium or communication link by a data signal carried in a carrier wave. A "machine-readable medium" may include any medium capable of storing or transmitting information. Examples of machine-readable media include electronic circuits, semiconductor memory devices, ROM, flash memory, erasable ROM (EROM), floppy disks, CD-ROMs, optical discs, hard disks, fiber-optic media, radio frequency (RF) links, etc. Code segments can be downloaded via a computer network such as the Internet or an intranet.
It should also be noted that the exemplary embodiments mentioned in the present invention describe certain methods or systems based on a series of steps or apparatuses. However, the present invention is not limited to the order of the above steps; that is, the steps can be performed in the order mentioned in the embodiments, in an order different from that in the embodiments, or several steps can be performed simultaneously.
The above is only a specific embodiment of the invention. It will be apparent to those skilled in the art that, for convenience and brevity of description, the specific working processes of the systems, modules and units described above can refer to the corresponding processes in the foregoing method embodiments, and are not repeated here. It should be understood that the scope of protection of the present invention is not limited thereto; any person skilled in the art can readily conceive of various equivalent modifications or substitutions within the technical scope disclosed by the present invention, and these modifications or substitutions shall be covered by the scope of protection of the present invention.

Claims (10)

1. A sensitive data erasing method, characterized in that the method comprises:
scanning the data in a cloud resource pool based on a preset sensitive data feature library;
when sensitive data is found by the scan and the sensitive data meets an erase condition, calling a pre-installed sensitive data erasing program to erase the sensitive data.
2. The method according to claim 1, characterized in that scanning the data in the cloud resource pool based on the preset sensitive data feature library comprises:
scanning the data in the cloud resource pool in full-disk scan mode based on the preset sensitive data feature library.
3. The method according to claim 1, characterized in that scanning the data in the cloud resource pool based on the preset sensitive data feature library comprises:
scanning the data in the cloud resource pool, based on the preset sensitive data feature library, according to a pre-set scan plan, wherein the scan plan includes a scan start time and a scan position.
4. The method according to claim 1, characterized in that, before calling the pre-installed sensitive data erasing program to erase the sensitive data, the method further comprises:
classifying the scanned sensitive data according to pre-set classification rules.
5. The method according to claim 1, characterized in that, before calling the pre-installed sensitive data erasing program to erase the sensitive data, the method further comprises:
grading the scanned sensitive data according to pre-set grading rules.
6. The method according to claim 1, characterized in that, before calling the pre-installed sensitive data erasing program to erase the sensitive data, the method further comprises:
marking the scanned sensitive data.
7. The method according to claim 1, characterized in that calling the pre-installed sensitive data erasing program to erase the sensitive data comprises:
calling the pre-installed sensitive data erasing program to shred the sensitive data.
8. A sensitive data erasing apparatus, characterized in that the apparatus comprises a scan module and an erasing module, wherein
the scan module is configured to scan the data in a cloud resource pool based on a preset sensitive data feature library;
the erasing module is configured to, when sensitive data is found by the scan and the sensitive data meets an erase condition, call a pre-installed sensitive data erasing program to erase the sensitive data.
9. Sensitive data erasing equipment, characterized in that the equipment comprises a processor and a memory storing computer program instructions;
the processor, when executing the computer program instructions, implements the sensitive data erasing method according to any one of claims 1-7.
10. A computer-readable storage medium, characterized in that computer program instructions are stored on the computer-readable storage medium;
the computer program instructions, when executed by a processor, implement the sensitive data erasing method according to any one of claims 1-7.
CN201710463588.8A 2017-06-19 2017-06-19 Sensitive data method for deleting, device, equipment and computer readable storage medium Pending CN109145630A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710463588.8A CN109145630A (en) 2017-06-19 2017-06-19 Sensitive data method for deleting, device, equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710463588.8A CN109145630A (en) 2017-06-19 2017-06-19 Sensitive data method for deleting, device, equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN109145630A true CN109145630A (en) 2019-01-04

Family

ID=64804297

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710463588.8A Pending CN109145630A (en) 2017-06-19 2017-06-19 Sensitive data method for deleting, device, equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN109145630A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102763098A (en) * 2009-12-14 2012-10-31 思杰系统有限公司 Methods and systems for communicating between trusted and non-trusted virtual machines
CN104205115A (en) * 2012-03-26 2014-12-10 国际商业机器公司 Using different secure erase algorithms to erase chunks from file associated with different security levels
US20150033221A1 (en) * 2013-07-24 2015-01-29 International Business Machines Corporation Sanitization of virtual machine images
CN106789964A (en) * 2016-12-02 2017-05-31 中国移动通信集团新疆有限公司 Cloud resource pool data safety detection method and system

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
刘明辉 等: ""云环境下的敏感数据保护技术研究"", 《电信科学》 *

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20190104