CN117640152A - Dynamic desensitization method and device based on API gateway - Google Patents

Publication number: CN117640152A
Authority: CN (China)
Prior art keywords: api, user, data, desensitization, gateway
Legal status: Pending
Application number: CN202311454150.5A
Other languages: Chinese (zh)
Inventor: 何文娟
Current Assignee: Unihub China Information Technology Co Ltd
Original Assignee: Unihub China Information Technology Co Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a dynamic desensitization method and device based on an API gateway. The method comprises the following steps: setting data identification rules and desensitization rules for sensitive data in an API gateway; the API gateway marks each API interface with a data tag according to the data identification rules; a user subscribes to an API interface in the API gateway, and an administrator assigns desensitization rules to the user according to user information; the API gateway performs API interface matching on the user's API request, and if the API interface has authorized access, the user identity is checked; after user authentication and authorization are completed, the API gateway performs data identification on the user's API request and response according to the data identification rules associated with the data tag of the API interface, and desensitizes the sensitive data using the desensitization rules associated with the user. The method and device improve the data security of the API interface and increase the flexibility of desensitization.

Description

Dynamic desensitization method and device based on API gateway
Technical Field
The invention relates to the technical field of data desensitization, in particular to a dynamic desensitization method and device based on an API gateway.
Background
Data security protection systems, obligations and legal responsibilities have been clarified in laws and regulations such as the Data Security Law and the Cybersecurity Law. With the development of the API ecosystem, the API gateway has become indispensable as an important channel for data transmission. As a bridge for data transmission, ensuring the security of outgoing data is an essential feature of an API gateway.
Data desensitization is a technical measure that processes sensitive fields in the original data without affecting the accuracy of data analysis results, thereby reducing data sensitivity and personal privacy risk. Existing data desensitization is mainly implemented at the database, in one of two ways: either the data stored in the database is desensitized and must be recovered when it is used, or the database is connected to a desensitization system that desensitizes the data. In both cases, however, the interface presented to business systems is generally uniform: user roles cannot be distinguished, and different desensitization cannot be applied to different user roles. Different users have different rights. For example, in development and testing the business system is often simulated using original data, and developers or testers need the original data to judge its correctness, whereas operations and maintenance personnel or customers need desensitized data; the rights for data entering and leaving the environment also differ. Desensitizing at the database layer lacks this flexibility.
Disclosure of Invention
In order to solve the problems in the prior art, the invention provides a dynamic desensitization method and a device based on an API gateway, which improve the data security of an API interface and increase the flexibility of desensitization treatment.
In order to achieve the above purpose, the present invention adopts the following technical scheme:
in an embodiment of the present invention, a dynamic desensitization method based on an API gateway is provided, the method includes:
setting data identification rules and desensitization rules of sensitive data in an API gateway;
the API gateway marks the API interface with a data label according to the data identification rule;
a user subscribes an API interface in an API gateway, and an administrator distributes desensitization rules for the user according to user information;
the API gateway performs API interface matching on the API request of the user, and if the API interface has authorized access, the user identity is checked;
after the user authentication authorization is completed, the API gateway performs data identification on the API request and response of the user according to the data identification rule associated with the data tag of the API interface, and performs desensitization treatment on the sensitive data through the desensitization rule associated with the user.
Further, a plurality of data identification rules and data tags are allowed for the same data type, each identifying the data in a different manner; multiple desensitization rules are allowed for the same data type, each with a unique desensitization rule identifier.
Further, the user subscribes to the API interface at the API gateway, and the administrator distributes desensitization rules for the user according to the user information, including:
a user subscribes an API interface on an API gateway, and an administrator creates account information for the user and allocates rights;
the administrator completes the authorization of the API interface according to the user information;
and in the process of authorizing the API interface, an administrator distributes corresponding desensitization rules for the user according to the user information and the data type of the API interface subscribed by the user.
Further, the API gateway performs API interface matching on the API request of the user, and if the API interface has authorized access, the step of verifying the identity of the user includes:
when the API request of the user reaches the API gateway, the API gateway firstly carries out API interface matching, if the API interface can hit, the authorization condition of the API interface is checked, authentication is carried out with the account information in the API request according to the account information associated with the API interface, and if the authentication is passed, the user is authorized to access the API interface.
Further, after the user authentication authorization is completed, the API gateway performs data identification on the API request and response of the user according to the data identification rule associated with the data tag of the API interface, and performs desensitization treatment on the sensitive data through the desensitization rule associated with the user, including:
when the user authentication authorization verification passes, the API gateway identifies the content in the API request and the response of the user according to the data identification rule associated with the data tag of the API interface, and if the content in the API request and the response accords with the data identification rule, the API gateway indicates that the API request and the response carry corresponding sensitive data;
the API gateway matches a desensitization rule associated with an API interface authorized user according to the data type in the data identification rule, and desensitizes the data according to the desensitization rule;
and the API gateway respectively processes the API request and the response according to the matching stage of the data identification rule, and performs corresponding forwarding processing after the desensitization is completed.
In an embodiment of the present invention, there is further provided an API gateway-based dynamic desensitizing apparatus, including:
the API gateway is used for setting data identification rules and desensitization rules of the sensitive data; marking a data tag for the API interface according to the data identification rule; performing API interface matching on the API request of the user, and checking the identity of the user if the API interface has authorized access; after user authentication authorization is completed, carrying out data identification on the API request and response of the user according to the data identification rule associated with the data tag of the API interface, and carrying out desensitization treatment on sensitive data through the desensitization rule associated with the user;
a user, for subscribing to an API interface at the API gateway, and for the initiation of and response to API requests;
an administrator for creating account information for the user and assigning rights; according to the user information, completing the authorization of the API interface; in the process of authorizing the API interface, corresponding desensitization rules are distributed to the user according to the user information and the data type of the API interface subscribed by the user.
Further, a plurality of data identification rules and data tags are allowed for the same data type, each identifying the data in a different manner; multiple desensitization rules are allowed for the same data type, each with a unique desensitization rule identifier.
Further, performing API interface matching on the API request of the user, and if the API interface has authorized access, verifying the identity of the user, including:
when the API request of the user reaches the API gateway, the API gateway firstly carries out API interface matching, if the API interface can hit, the authorization condition of the API interface is checked, authentication is carried out with the account information in the API request according to the account information associated with the API interface, and if the authentication is passed, the user is authorized to access the API interface.
Further, after the user authentication authorization is completed, according to the data identification rule associated with the data tag of the API interface, performing data identification on the API request and response of the user, and performing desensitization treatment on the sensitive data through the desensitization rule associated with the user, including:
when the user authentication authorization verification passes, the API gateway identifies the content in the API request and the response of the user according to the data identification rule associated with the data tag of the API interface, and if the content in the API request and the response accords with the data identification rule, the API gateway indicates that the API request and the response carry corresponding sensitive data;
the API gateway matches a desensitization rule associated with an API interface authorized user according to the data type in the data identification rule, and desensitizes the data according to the desensitization rule;
and the API gateway respectively processes the API request and the response according to the matching stage of the data identification rule, and performs corresponding forwarding processing after the desensitization is completed.
In an embodiment of the present invention, a computer device is further provided, including a memory, a processor, and a computer program stored in the memory and capable of running on the processor, where the processor implements the aforementioned API gateway-based dynamic desensitization method when executing the computer program.
In an embodiment of the invention, a computer readable storage medium is also presented, the computer readable storage medium storing a computer program for executing the API gateway based dynamic desensitization method.
The beneficial effects are that:
1. the invention realizes dynamic desensitization of data based on users and meets the data requirements of different users.
2. The invention improves the data security of the API interface.
Drawings
FIG. 1 is a flow chart of a dynamic desensitization method based on an API gateway of the present invention;
FIG. 2 is a schematic diagram of the dynamic desensitizing device based on the API gateway according to the present invention;
FIG. 3 is a schematic diagram of a computer device of the present invention.
Detailed Description
The principles and spirit of the present invention will be described below with reference to several exemplary embodiments, with the understanding that these embodiments are merely provided to enable those skilled in the art to better understand and practice the invention and are not intended to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Those skilled in the art will appreciate that embodiments of the invention may be implemented as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the following forms, namely: complete hardware, complete software (including firmware, resident software, micro-code, etc.), or a combination of hardware and software.
According to the embodiment of the invention, a dynamic desensitization method and a device based on an API gateway are provided, wherein a data identification rule and a desensitization rule of sensitive data are set in the API gateway; the API gateway marks the API interface with a data label according to the data identification rule; a user subscribes an API interface in an API gateway, and an administrator distributes desensitization rules for the user according to user information; the API gateway performs API interface matching on the API request of the user, and if the API interface has authorized access, the user identity is checked; after the user authentication authorization is completed, the API gateway performs data identification on the API request and response of the user according to the data identification rule associated with the data tag of the API interface, and performs desensitization treatment on the sensitive data through the desensitization rule associated with the user. The method and the device improve the data security of the API interface and increase the flexibility of desensitization treatment.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments thereof.
FIG. 1 is a flow chart of a dynamic desensitization method based on an API gateway of the present invention. As shown in fig. 1, the method includes:
S1, setting a data identification rule and a desensitization rule of sensitive data in an API gateway;
the administrator creates data identification rules and desensitization rules for sensitive data at the API gateway.
The data identification rules include data rule names, data rule codes, data grades, data types, data categories, matching stages, identification rules, identification content, and the like.
Specifically, the matching phase includes a request phase and a response phase.
Specifically, the identification rules include regular expressions and dictionaries.
Specifically, the identification content includes field identification and content identification.
Data categories are major classes such as personal information, network information and enterprise information; a data type is a subclass of a data category. For example, personal information is subdivided into identity card number, mobile phone number, mailbox and the like.
The desensitization rule comprises a desensitization rule name, a desensitization rule identification, a desensitization mode, a desensitization algorithm and the like.
The data tag includes tag values, data types, data rule encodings, identifying content, and hit fields.
There may be multiple data identification rules and data tags of the same data type that are identified in different ways.
Likewise, there may be multiple desensitization rules for the same data type, each with a unique desensitization rule identifier.
S2, the API gateway marks a data tag on the API interface according to the data identification rule;
specifically, the API gateway marks the API interface with a data tag according to the definition of the API interface and the data identification rule.
Specifically, the API gateway automatically recognizes the data of the API interface through the data recognition rule according to the API flow, and marks the data.
S3, subscribing the API interface in the API gateway by the user, and distributing desensitization rules for the user by an administrator according to the user information;
a user subscribes an API interface on an API gateway, and an administrator creates account information for the user and allocates rights; and the administrator completes the authorization of the API interface according to the user information.
And in the process of authorizing the API interface, an administrator distributes corresponding desensitization rules for the user according to the user information and the data type of the API interface subscribed by the user.
Specifically, the desensitization mode is either desensitization or encryption. Desensitization is divided into masking, placeholder substitution, hashing and the like; encryption is divided by algorithm, such as DES, AES and RSA. For an asymmetric algorithm, the gateway distributes a key to the user, and the user decrypts the encrypted data it receives with that key.
Specifically, the user information includes a user role, an account name, an affiliated institution, and the like.
S4, the API gateway performs API interface matching on the API request of the user, and if the API interface has authorized access, the user identity is checked;
when the API request of the user reaches the API gateway, the API gateway firstly carries out API interface matching, if the API interface can hit, the authorization condition of the API interface is checked, authentication is carried out with the account information in the API request according to the account information associated with the API interface, and if the authentication is passed, the user is authorized to access the API interface.
S5, after user authentication authorization is completed, the API gateway performs data identification on the API request and response of the user according to the data identification rule associated with the data tag of the API interface, and performs desensitization treatment on sensitive data through the desensitization rule associated with the user;
when the user authentication authorization verification passes, the API gateway identifies the content in the API request and the response of the user according to the data identification rule associated with the data tag of the API interface, and if the content in the API request and the response accords with the data identification rule, the API gateway indicates that the API request and the response carry corresponding sensitive data;
the API gateway matches a desensitization rule associated with an API interface authorized user according to the data type in the data identification rule, and desensitizes the data according to the desensitization rule;
and the API gateway respectively processes the API request and the response according to the matching stage of the data identification rule, and performs corresponding forwarding processing after the desensitization is completed.
It should be noted that although the operations of the method of the present invention are described in a particular order in the above embodiments and the accompanying drawings, this does not require or imply that the operations must be performed in the particular order or that all of the illustrated operations be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
For a clearer explanation of the above-described dynamic desensitization method based on an API gateway, a specific embodiment will be described below, however, it should be noted that this embodiment is only for better explaining the present invention and is not meant to limit the present invention unduly.
Examples:
In this embodiment, system A publishes an external API through the API gateway. An administrator needs to manage and configure the accounts of system A through the API gateway, and a developer needs to test and verify the mailbox function, so both the administrator and the developer need authorized access to the account interface.
S1, setting a data identification rule and a desensitization rule of sensitive data in an API gateway;
the administrator creates data identification rules and desensitization rules for sensitive data at the API gateway.
The data identification rules include data rule names, data rule codes, data grades, data types, data categories, matching stages, identification rules, identification content, and the like.
Specifically, the matching phase includes a request phase and a response phase.
Specifically, the identification rules include regular expressions and dictionaries.
Specifically, the identification content includes field identification and content identification.
Data categories are major classes such as personal information, network information and enterprise information; a data type is a subclass of a data category. For example, personal information is subdivided into identity card number, mobile phone number, mailbox and the like.
The desensitization rule comprises a desensitization rule name, a desensitization rule identification, a desensitization mode, a desensitization algorithm and the like.
The API gateway is internally provided with data identification rules and desensitization rules, and an administrator can customize the data identification rules and the desensitization rules according to the data type of the API interface.
There may be multiple data identification rules and data tags of the same data type that are identified in different ways. For example, there may be multiple identification rules for a personal account.
Likewise, there may be multiple desensitization rules for the same data type, each with a unique desensitization rule identifier.
In this embodiment, the account interface includes a mailbox, an account name, an account password, a user mobile phone, an organization, an account type, a role, and the like.
In specific implementation, the data identification rule can be renamed, and the data rule code uniquely identifies one data identification rule, that is, the same type of data can have different data identification rules.
In this embodiment, the account interface associates 4 data identification rules;
For example, for the account name, the data identification rule is:
data rule name: account number; data rule code: personal_account; data grade: high; data type: account number; data category: personal information; matching stage: response phase; identification rule: dictionary; identification type: field; identification content: user_name.
The identification type indicates whether the field name or the field value is matched.
For example, for the mailbox name, the data identification rule is:
data rule name: personal mailbox; data rule code: personal_email; data grade: high; data type: personal mailbox; data category: personal information; matching stage: response phase; identification rule: regular expression; identification type: field content; regular expression: "+\\\ s \ w+ (? {0,1} [ \\w- ] +) @ [ a-zA-Z0-9] + (.
S2, the API gateway marks a data tag on the API interface according to the data identification rule;
specifically, the API gateway marks the API interface with a data tag according to the definition of the API interface and the data identification rule.
Specifically, the API gateway automatically recognizes the data of the API interface through the data recognition rule according to the API flow, and marks the data.
In this embodiment, the API gateway marks the API interface with data tags according to the definition of the API interface; the tags are account name, account password, mailbox and mobile phone number.
S3, subscribing the API interface in the API gateway by the user, and distributing desensitization rules for the user by an administrator according to the user information;
A user subscribes to an API interface on the API gateway, and an administrator creates account information for the user and allocates rights; the administrator completes the authorization of the API interface according to the user information. Specifically, an administrator creates an administrator account and a developer account for system A, and registers both accounts on the API gateway.
And in the process of authorizing the API interface, an administrator distributes corresponding desensitization rules for the user according to the user information and the data type of the API interface subscribed by the user.
In a specific implementation, authorization can be performed in different modes, such as by account name, account role or organization, and the desensitization rule is then associated according to the authorization mode. For example, a certain account may be authorized to access certain interfaces, or accounts with a certain role may need to be authorized to access certain interfaces; if such an account or such a role requires desensitization, the account is associated with the desensitization rule, or the role is associated with the desensitization rule.
After the user is successfully authorized, the API interface is associated with the user identifier; starting from the API interface, the user information can be found by the user identifier, and the desensitization rule is associated within the user information.
In this embodiment, the administrator assigns different desensitization rules according to the two users' access rights to the account interface of system A. The administrator of system A needs to see the account information; the password must be masked, and the mobile phone number and mailbox desensitized. The developer needs to see the account information and the mailbox information; other data must be desensitized.
Specifically, the desensitization mode is either desensitization or encryption. Desensitization is divided into masking, placeholder substitution, hashing and the like; encryption is divided by algorithm, such as DES, AES and RSA. For an asymmetric algorithm, the gateway distributes a key to the user, and the user decrypts the encrypted data it receives with that key.
Specifically, the user information includes a user role, an account name, an affiliated institution, and the like. An administrator can assign different desensitization rules to an account according to its account name, its role and the institution to which it belongs.
In a specific implementation, each desensitization rule exists only once; the account is associated with the identifier of the desensitization rule, or the desensitization rule is associated with the data tag.
In particular, if the user needs the original data, no associated desensitization rule is needed.
In the implementation, if the API interface has no sensitive data, desensitization treatment is not needed.
In this embodiment, the mobile phone number is desensitized by masking the middle 6 digits, and the password is replaced entirely with placeholders. For the administrator of system A, the middle part of the mailbox is masked.
S4, the API gateway performs API interface matching on the API request of the user, and if the API interface has authorized access, the user identity is checked;
The API interface is a static definition, while the API request is dynamic: it is the user's actual request, with the same parameters as the definition but different parameter values.
When the API request of the user reaches the API gateway, the API gateway firstly carries out API interface matching, if the API interface can hit, the authorization condition of the API interface is checked, authentication is carried out with the account information in the API request according to the account information associated with the API interface, and if the authentication is passed, the user is authorized to access the API interface.
In this embodiment, API interface matching may be performed by the URL of the interface.
S5, after user authentication authorization is completed, the API gateway performs data identification on the API request and response of the user according to the data identification rule associated with the data tag of the API interface, and performs desensitization treatment on sensitive data through the desensitization rule associated with the user;
when the user authentication authorization check passes, the API gateway identifies the content in the API request and the response of the user according to the data identification rule associated with the data tag of the API interface, and if the content in the API request and the response accords with the data identification rule, the API gateway indicates that the API request and the response carry corresponding sensitive data.
The API gateway matches the desensitization rule associated with the API interface authorized user according to the data type in the data identification rule, and carries out desensitization treatment on the data according to the desensitization rule.
In a specific implementation, a user may be authorized for multiple API interfaces. When the number of desensitization rules is large, the desensitization rules are matched against the data tags of the authorized API interface, so that the rules whose data tags are consistent are found and used to desensitize that API interface.
In a specific implementation, if the user subscribes to a relatively large number of API interfaces and the same data has different desensitization rules, the API interface, the user and the desensitization rules are bound together; that is, the API interface is taken as the unique identifier, and the users and their desensitization rules are arranged under each interface. In particular, a user may refer not only to a user name but also to a class of users, such as a role or an organization.
And the API gateway respectively processes the API request and the response according to the matching stage of the data identification rule, and performs corresponding forwarding processing after the desensitization is completed.
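The S5 flow above, sketched as an added example that is not code from the patent: identification rules are keyed by data tag and carry a matching stage, and desensitization rules are bound per API interface and subject. All rule names, patterns, the URL and the sample body are constructed, and the full-mask fallback for a data type with no assigned rule is an assumption the patent does not specify.

```python
import re

# Data identification rules, keyed by data tag (all values constructed for illustration).
# "stage" is the matching stage the rule applies to: "request" or "response".
IDENT_RULES = {
    "tag-phone-resp": {"type": "phone", "stage": "response",
                       "pattern": re.compile(r"\b1[3-9]\d{9}\b")},
    "tag-phone-req": {"type": "phone", "stage": "request",
                      "pattern": re.compile(r"\b1[3-9]\d{9}\b")},
    "tag-idcard-resp": {"type": "id_card", "stage": "response",
                        "pattern": re.compile(r"\b\d{17}[\dXx]\b")},
}

# Desensitization rules: unique rule identifier -> (data type, masking function).
DESENS_RULES = {
    "phone-mid4": ("phone", lambda s: s[:3] + "****" + s[-4:]),
    "phone-full": ("phone", lambda s: "*" * len(s)),
    "id-keep4": ("id_card", lambda s: "*" * (len(s) - 4) + s[-4:]),
}

# Data tags the gateway has marked on each API interface (matched by URL).
API_TAGS = {"/v1/customers": ["tag-phone-resp", "tag-phone-req", "tag-idcard-resp"]}

# Binding keyed by API interface; each subject (user name, role or organization)
# under it carries the rule identifiers the administrator assigned.
BINDINGS = {
    "/v1/customers": {
        "alice": ["phone-mid4", "id-keep4"],
        "role:auditor": ["phone-full", "id-keep4"],
        "org:partner": ["phone-mid4"],  # no id_card rule assigned
    }
}


def full_mask(value):
    """Assumed fallback: hide the whole value when no rule covers its data type."""
    return "*" * len(value)


def desensitize(api_url, subject, stage, body):
    """Mask sensitive data in one stage of a call that has already been
    matched to an API interface and authenticated."""
    assigned = BINDINGS.get(api_url, {}).get(subject)
    if assigned is None:
        raise PermissionError(f"{subject} is not authorized for {api_url}")
    mask_by_type = {DESENS_RULES[r][0]: DESENS_RULES[r][1] for r in assigned}
    for tag in API_TAGS.get(api_url, []):
        rule = IDENT_RULES[tag]
        if rule["stage"] != stage:
            continue  # rule belongs to the other matching stage
        mask = mask_by_type.get(rule["type"], full_mask)
        body = rule["pattern"].sub(lambda m, f=mask: f(m.group(0)), body)
    return body


# Constructed sample response body.
SAMPLE = '{"name": "Li", "phone": "13812345678", "id": "11010119900307123X"}'

if __name__ == "__main__":
    for who in ("alice", "role:auditor", "org:partner"):
        print(who, desensitize("/v1/customers", who, "response", SAMPLE))
```

The same response body yields a different view per subject, and a subject with no binding under the interface is rejected before any content is returned.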
Based on the same inventive concept, the invention also provides a dynamic desensitizing device based on the API gateway. For the implementation of the device, refer to the implementation of the above method; repeated details are omitted. The term "module" as used below may be a combination of software and/or hardware that implements the intended function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
Fig. 2 is a schematic structural diagram of an API gateway-based dynamic desensitizing device according to an embodiment of the present invention. As shown in fig. 2, the apparatus includes:
an API gateway 101 for setting data identification rules and desensitization rules of sensitive data; marking a data tag for the API interface according to the data identification rule; performing API interface matching on the API request of the user, and checking the identity of the user if the API interface has authorized access; after the user authentication authorization is completed, carrying out data identification on the API request and response of the user according to the data identification rule associated with the data tag of the API interface, and carrying out desensitization treatment on sensitive data through the desensitization rule associated with the user.
Multiple data identification rules and data tags are allowed for the same data type, each with a different identification mode; multiple desensitization rules are allowed for the same data type, each with a unique desensitization rule identifier.
When the user's API request reaches the API gateway 101, the API gateway 101 first performs API interface matching; if an API interface is hit, the authorization status of the API interface is checked and the account information in the API request is authenticated against the account information associated with the API interface; if the authentication passes, the user is authorized to access the API interface.
When the authentication and authorization verification of the user passes, the API gateway 101 identifies the content in the API request and response of the user according to the data identification rule associated with the data tag of the API interface, and if the content in the API request and response accords with the data identification rule, the API request and response carry corresponding sensitive data;
the API gateway 101 matches the desensitization rule associated with the authorized user of the API interface according to the data type in the data identification rule, and carries out desensitization treatment on the data according to the desensitization rule;
the API gateway 101 processes the API request and response respectively according to the matching stage where the data identification rule is located, and after the desensitization is completed, performs corresponding forwarding processing.
A user 102 for subscribing to an API interface at the API gateway 101, and for the initiation of and response to API requests;
an administrator 103, configured to create account information for a user and assign rights; according to the user information, completing the authorization of the API interface; in the process of authorizing the API interface, corresponding desensitization rules are distributed to the user according to the user information and the data type of the API interface subscribed by the user.
It should be noted that while several modules of an API gateway-based dynamic desensitization apparatus are mentioned in the above detailed description, this partitioning is merely exemplary and not mandatory. Indeed, the features and functions of two or more modules described above may be embodied in one module in accordance with embodiments of the present invention. Conversely, the features and functions of one module described above may be further divided into a plurality of modules to be embodied.
Based on the foregoing inventive concept, as shown in fig. 3, the present invention further proposes a computer device 200, including a memory 210, a processor 220, and a computer program 230 stored in the memory 210 and executable on the processor 220, where the processor 220 implements the foregoing API gateway-based dynamic desensitization method when executing the computer program 230.
Based on the foregoing inventive concept, the present invention also proposes a computer-readable storage medium storing a computer program for executing the foregoing dynamic desensitization method based on an API gateway.
According to the dynamic desensitization method and device based on the API gateway, dynamic desensitization of data is realized based on users, and the data requirements of different users are met; the data security of the API interface is improved.
While the spirit and principles of the present invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments, nor does the division into aspects, which is made only for convenience of description, imply that features of those aspects cannot be combined to advantage. The invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
It should be apparent to those skilled in the art that, based on the technical solutions of the present invention, various modifications or variations can be made without requiring any inventive effort.

Claims (11)

1. A method for dynamic desensitization based on an API gateway, the method comprising:
setting data identification rules and desensitization rules of sensitive data in an API gateway;
the API gateway marks the API interface with a data label according to the data identification rule;
a user subscribes an API interface in an API gateway, and an administrator distributes desensitization rules for the user according to user information;
the API gateway performs API interface matching on the API request of the user, and if the API interface has authorized access, the user identity is checked;
after the user authentication authorization is completed, the API gateway performs data identification on the API request and response of the user according to the data identification rule associated with the data tag of the API interface, and performs desensitization treatment on the sensitive data through the desensitization rule associated with the user.
2. The API gateway-based dynamic desensitization method according to claim 1, wherein multiple data identification rules and data tags are allowed for the same data type, each with a different identification mode; multiple desensitization rules of the same data type are allowed, the desensitization rule identification being unique.
3. The API gateway-based dynamic desensitization method as recited in claim 1, wherein the user subscribes to the API interface at the API gateway, and the administrator assigns the user with the desensitization rule according to the user information, comprising:
a user subscribes an API interface on an API gateway, and an administrator creates account information for the user and allocates rights;
the administrator completes the authorization of the API interface according to the user information;
and in the process of authorizing the API interface, an administrator distributes corresponding desensitization rules for the user according to the user information and the data type of the API interface subscribed by the user.
4. The API gateway-based dynamic desensitization method according to claim 1, wherein the API gateway performs API interface matching on the user's API request, and if the API interface has authorized access, verifying the user identity comprises:
when the API request of the user reaches the API gateway, the API gateway first performs API interface matching; if an API interface is hit, the authorization status of the API interface is checked and the account information in the API request is authenticated against the account information associated with the API interface; if the authentication passes, the user is authorized to access the API interface.
5. The API gateway-based dynamic desensitization method as recited in claim 1, wherein after user authentication authorization is completed, the API gateway performs data identification on the API request and response of the user according to the data identification rule associated with the data tag of the API interface, and performs desensitization treatment on the sensitive data by the desensitization rule associated with the user, comprising:
when the user authentication and authorization verification passes, the API gateway identifies the content in the API request and the response of the user according to the data identification rule associated with the data tag of the API interface; if the content in the API request and the response conforms to the data identification rule, this indicates that the API request and the response carry corresponding sensitive data;
the API gateway matches a desensitization rule associated with the authorized user of the API interface according to the data type in the data identification rule, and desensitizes the data according to the desensitization rule;
and the API gateway processes the API request and the response separately, according to the matching stage in which the data identification rule is located, and performs corresponding forwarding processing after the desensitization is completed.
6. An API gateway-based dynamic desensitizing apparatus, comprising:
the API gateway is used for setting data identification rules and desensitization rules of the sensitive data; marking a data tag for the API interface according to the data identification rule; performing API interface matching on the API request of the user, and checking the identity of the user if the API interface has authorized access; after user authentication authorization is completed, carrying out data identification on the API request and response of the user according to the data identification rule associated with the data tag of the API interface, and carrying out desensitization treatment on sensitive data through the desensitization rule associated with the user;
a user for subscribing to an API interface at an API gateway; initiation and response of API requests;
an administrator for creating account information for the user and assigning rights; according to the user information, completing the authorization of the API interface; in the process of authorizing the API interface, corresponding desensitization rules are distributed to the user according to the user information and the data type of the API interface subscribed by the user.
7. The API gateway-based dynamic desensitizing apparatus according to claim 6, wherein the same data type allows multiple data identification rules and data tags, which are identified in different ways; multiple desensitization rules of the same data type are allowed, the desensitization rule identification being unique.
8. The API gateway-based dynamic desensitizing apparatus according to claim 6, wherein API interface matching is performed on a user's API request, and if the API interface has authorized access, verifying the user's identity comprises:
when the API request of the user reaches the API gateway, the API gateway first performs API interface matching; if an API interface is hit, the authorization status of the API interface is checked and the account information in the API request is authenticated against the account information associated with the API interface; if the authentication passes, the user is authorized to access the API interface.
9. The API gateway-based dynamic desensitizing apparatus according to claim 6, wherein after user authentication authorization is completed, data identification is performed on the API request and response of the user according to the data identification rule associated with the data tag of the API interface, and the sensitive data is desensitized by the desensitizing rule associated with the user, comprising:
when the user authentication and authorization verification passes, the API gateway identifies the content in the API request and the response of the user according to the data identification rule associated with the data tag of the API interface; if the content in the API request and the response conforms to the data identification rule, this indicates that the API request and the response carry corresponding sensitive data;
the API gateway matches a desensitization rule associated with the authorized user of the API interface according to the data type in the data identification rule, and desensitizes the data according to the desensitization rule;
and the API gateway processes the API request and the response separately, according to the matching stage in which the data identification rule is located, and performs corresponding forwarding processing after the desensitization is completed.
10. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1-5 when executing the computer program.
11. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program for performing the method of any one of claims 1-5.
CN202311454150.5A 2023-11-03 2023-11-03 Dynamic desensitization method and device based on API gateway Pending CN117640152A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311454150.5A CN117640152A (en) 2023-11-03 2023-11-03 Dynamic desensitization method and device based on API gateway

Publications (1)

Publication Number Publication Date
CN117640152A true CN117640152A (en) 2024-03-01

Family

ID=90024340

Country Status (1)

Country Link
CN (1) CN117640152A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination