CN101098254A - Data security control method and apparatus for information system - Google Patents

Info

Publication number
CN101098254A
Authority
CN
China
Prior art keywords
data
information system
data processing
application server
user
Prior art date
Legal status
Pending
Application number
CNA2007100412779A
Other languages
Chinese (zh)
Inventor
沈伟栋
高志刚
赵戈
Current Assignee
SHANGHAI ZHONGHENG INFORMATION TECHNOLOGY Co Ltd
Original Assignee
SHANGHAI ZHONGHENG INFORMATION TECHNOLOGY Co Ltd
Priority date
Filing date
Publication date
Application filed by SHANGHAI ZHONGHENG INFORMATION TECHNOLOGY Co Ltd
Priority to CNA2007100412779A
Publication of CN101098254A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a data security control method for an information system, comprising: establishing an application server that calls the data of the information system's database for use by users; establishing a data processing control unit that grants users data processing permissions and controls the users' data processing on the application server; establishing a backup unit that backs up the data of the database; and establishing an audit unit that records the operations related to data security that users perform on the application server. The application server prevents users from accessing the database of the information system directly, and the data processing control unit uses a permission-based access control model to control data processing, which simplifies user authorization management. The backup unit can back up and recover data, and the audit unit can record and monitor data processing, which improves security control over the data.

Description

A data security control method and apparatus for an information system
Technical field
The present invention relates to the security design of data information systems, and more particularly to a data security control method and apparatus for an information system.
Background
More and more work now depends on information systems of various kinds, and the security of information systems is receiving increasing attention; the secure and reliable operation of an information system is the basis of overall information system security. Most of the security incidents that have occurred so far were caused by security vulnerabilities in computer systems, so the security of information systems in a network environment must be given sufficient attention.
Information system security is a systems engineering problem: different security policies have to be implemented in every area, including data processing control and data backup. Take data processing control. Data processing comprises entering, accessing and modifying data. An information system has users of various levels, and a given user may only process specific data. If the security measures are inadequate, a user may be able to process data that the user should not handle, which leads to incidents such as leaks and may cause losses to the state and to enterprises that are hard to recover. Take the public security field as an example: a public security system holds a large amount of information, and the information of different police branches (such as public security, traffic control, criminal investigation) and different levels (ministry, province, city) has different confidentiality requirements (unclassified, secret, confidential, top secret) for different users. Different data processing permissions therefore have to be created for users of different levels, so that each user's data processing needs are met while confidential data is not leaked, and the data processing of each user is controlled accordingly. In addition, because an information system such as a public security information system contains a huge database whose data is extremely important, the data needs to be backed up so that important data can be recovered when a data security incident occurs.
Summary of the invention
The object of the present invention is to provide a data security control method and apparatus for an information system that apply security control to the data processing and to the database data of the information system.
According to a first aspect of the invention, a security control method for an information system is provided, comprising the following steps:
a. establishing an application server, the application server calling the data of the database of the information system for use by users of the information system;
b. establishing a data processing control unit, the data processing control unit granting data processing permissions to the users of step a and controlling the users' data processing on the application server;
c. establishing a backup unit, the backup unit backing up the data of the database of the information system of step a;
d. establishing an audit unit, the audit unit recording the operations and activities related to data security that the users perform on the application server.
The data processing control unit of step b comprises a definition module, a registration module and a control module. The definition module defines data processing permissions, the registration module provides registration for the user and creates an identity identifier for the user, and the control module grants the data processing permissions to the user holding the identity identifier.
The application server of step a controls the number of users concurrently accessing the information system and controls the backup unit of step c to perform backups. The backup unit comprises a backup database, which stores the backed-up data. The backup unit has a data recovery function, which comprises full recovery, individual file recovery and redirected recovery.
The audit unit of step d records the operations and activities related to data security and forms an encrypted audit log; the audit log is in read-only form and only administrators of the information system are allowed to access it.
The identity identifier is unique, each identity identifier is matched with one password, and the registration module verifies the validity of the user's identity identifier and password.
According to a second aspect of the invention, a security control apparatus for an information system is provided, comprising:
An application server, connected with the database of the information system, the application server calling the data of the database for use by users of the information system;
A data processing control unit, connected with the application server, the data processing control unit granting data processing permissions to the users and controlling the users' data processing on the application server;
A backup unit, connected with the application server and with the database of the information system respectively, the backup unit backing up the data of the database of the information system;
An audit unit, connected with the application server, the audit unit recording the operations and activities related to data security of the data processing control unit and the information system.
The data processing control unit comprises a definition module, a registration module and a control module. The definition module defines data processing permissions, the registration module provides registration for the user and creates an identity identifier for the user, and the control module grants the data processing permissions to the user holding the identity identifier.
The application server controls the number of users concurrently accessing the information system and controls the backup unit of step c to perform backups. The backup unit comprises a backup database, which stores the backed-up data. The backup unit has a data recovery function, which comprises full recovery, individual file recovery and redirected recovery.
The audit unit records the operations and activities related to data security and forms an encrypted audit log; the audit log is in read-only form and only administrators of the information system are allowed to access it.
The identity identifier is unique, each identity identifier is matched with one password, and the registration module verifies the validity of the user's identity identifier and password.
The security control method and apparatus of the invention include an application server, which acts as a buffer between the users and the database of the information system and prevents users from accessing that database directly. The data processing control unit of the invention uses a permission-based access control model to control data processing, which reduces data security management work: it is only necessary to grant the already defined data processing permissions to a newly registered user, without reassigning resources and operations to the user, so authorization management is simplified. In addition, the backup unit of the invention has data backup and recovery functions, so the important data of the system can be backed up and lost important data can be recovered. The audit unit of the invention records and monitors security events; the administrators of the system can check the security events recorded by the audit unit at any time and can therefore adjust the data security policy at any time.
Description of drawings
Fig. 1 is a schematic diagram of the principle of the security control apparatus of the invention;
Fig. 2 is a flow diagram of the security control method of the invention;
Fig. 3 is a workflow diagram of the data processing control unit of the invention.
Embodiments
The technical solution of the invention is further described below with reference to the drawings and embodiments.
With reference to Fig. 1, the invention provides data security protection for information system 50. The data security control apparatus 100 of the invention comprises the following units:
Application server 10. Application server 10 is connected with database 51 of information system 50 and calls the data of database 51 for use by the users of information system 50 (user 1 to user N). Application server 10 is also a control unit: it controls security control apparatus 100 in providing data security protection for information system 50.
Data processing control unit 20. Data processing control unit 20 is connected with application server 10; it grants data processing permissions to the users and controls the users' data processing on application server 10.
Backup unit 30. Backup unit 30 is connected with application server 10 and with database 51 of information system 50 respectively, and comprises backup database 31. Backup unit 30 backs up the data of database 51 of information system 50 and stores it in backup database 31; application server 10 controls backup unit 30 to perform the data backup.
Audit unit 40. Audit unit 40 is connected with application server 10 and records the operations and activities related to data security of data processing control unit 20 and information system 50.
According to an embodiment, data processing control unit 20 comprises definition module 21, registration module 23 and control module 22. Definition module 21 defines data processing permissions, registration module 23 provides registration for the user and creates an identity identifier for the user, and control module 22 grants the data processing permissions to the user holding the identity identifier. The identity identifier is unique, each identity identifier is matched with one password, and registration module 23 verifies the validity of the identity identifier and password when the user logs in.
According to an embodiment, backup unit 30 also has a data recovery function. Under the control of application server 10, the recovery function of backup unit 30 comprises full recovery, individual file recovery and redirected recovery. Full recovery, also called system recovery, is generally enabled when an unexpected disaster causes all data of database 51 to be lost, when the system crashes, or during a planned system upgrade or system reorganization; it restores all of the original data. Individual file recovery means recovering a small number of individual files; in practice it is only necessary to browse backup database 31, find the lost file and trigger the recovery function, and the specified file is automatically restored into database 51 of information system 50. Redirected recovery restores the backed-up data to a different location or system rather than to the original location or system.
According to an embodiment, application server 10 can also control the number of users concurrently accessing information system 50. Application server 10 can set in advance, according to predetermined requirements, a range for the number of users accessing the system at the same time; when the number of simultaneous users exceeds this range, application server 10 issues an early warning and limits or refuses access by further users.
According to an embodiment, audit unit 40 records the operations and activities related to data security and forms an encrypted audit log. The audit log is in read-only form and only administrators of the information system are allowed to access it; that is, the audit log can only be read and cannot be modified by an administrator, but an administrator can delete it.
With reference to Fig. 2, the corresponding data security control method of the invention is described as follows:
101. Establish application server 10. Application server 10 acts as a platform whose purpose is to prevent users from accessing database 51 of information system 50 directly, so it serves as a buffer platform. Application server 10 is also a control unit: it controls the data security protection provided for information system 50. According to an embodiment, application server 10 can also control the number of users concurrently accessing information system 50. Application server 10 can set in advance, according to predetermined requirements, a range for the number of users accessing the system at the same time; when the number of simultaneous users exceeds this range, application server 10 issues an early warning and limits or refuses access by further users.
102. Call the data of database 51 for use by the users. This step is performed by application server 10, which thereby fulfils its buffering and intermediary role.
103. Establish data processing control unit 20. Data processing control unit 20 comprises definition module 21, registration module 23 and control module 22.
104. Grant data processing permissions to the users and control the users' data processing behaviour. This step is performed by data processing control unit 20. Definition module 21 defines data processing permissions, registration module 23 provides registration for the user and creates an identity identifier for the user, and control module 22 grants the data processing permissions to the user holding the identity identifier. The identity identifier is unique, and each identity identifier is matched with one password. Registration module 23 verifies the validity of the identity identifier and password when the user logs in: if they are valid the login succeeds, and if they are not valid the login fails.
105. Establish backup unit 30. Backup unit 30 comprises backup database 31; backup unit 30 backs up the data of database 51 of information system 50 and stores it in backup database 31.
106. Back up all data of database 51. This step is performed by backup unit 30 under the control of application server 10. According to an embodiment, backup unit 30 also has a data recovery function. Under the control of application server 10, the recovery function of backup unit 30 comprises full recovery, individual file recovery and redirected recovery. Full recovery, also called system recovery, is generally enabled when an unexpected disaster causes all data of database 51 to be lost, when the system crashes, or during a planned system upgrade or system reorganization; it restores all of the original data. Individual file recovery means recovering a small number of individual files; in practice it is only necessary to browse backup database 31, find the lost file and trigger the recovery function, and the specified file is automatically restored into database 51 of information system 50. Redirected recovery restores the backed-up data to a different location or system rather than to the original location or system.
107. Establish audit unit 40. Audit unit 40 is in essence the recording and monitoring device of the information system; the administrators of the information system can check the security events recorded by the audit unit at any time and can therefore adjust the data security policy at any time.
108. Record the operations and activities related to data security. This step is performed by audit unit 40. According to an embodiment, audit unit 40 records the operations and activities related to data security and forms an encrypted audit log. The audit log is in read-only form and only administrators of the information system are allowed to access it; that is, the audit log can only be read and cannot be modified by an administrator, but an administrator can delete it.
In the data security control method and apparatus above, the working process of data processing control unit 20 is comparatively complex, and it is further described below with a specific embodiment:
The security control method and apparatus of the invention can be applied to an information system in the public security field. With reference to Fig. 1 and Fig. 2, application server 10 is established first, and all of the users' data access and processing for this information system takes place on application server 10. Definition module 1 of data processing control unit 20 defines different data processing permissions; for example, one of the defined data processing permissions carries the right to access and process key-population data. When police officer Xu registers with the information system, registration module 2 creates a unique identity identifier for him and sets a password. When the administrator decides that Officer Xu may have the right to access key-population data, registration module 2 grants the data processing permission defined for key-population data to Officer Xu, who holds the unique identity identifier.
With reference to Fig. 3, when Officer Xu logs in to the information system, registration module 2 is called to verify the validity of the identity identifier and password that he enters at login. If the identity identifier and its specific password are consistent, he can enter the system; if they are not consistent, the system returns to the login interface. After entering the system, Officer Xu uses his identity identifier to send a data processing request. Control module 3 then analyzes the data processing permission of the identity identifier and its data processing target. If the identity identifier and its data processing permission correspond to the target data that the identity identifier wants to process, the user is permitted to process the data; if they do not correspond, a "no permission" prompt is returned.
To make the security control method and apparatus more flexible, when Officer Xu, a user with low data processing permissions, needs higher data permissions, a user with high data processing permissions (such as the police team leader) can, under the control of control module 3, grant his own data processing permission to Officer Xu. Officer Xu then has the higher data processing permission and can process highly confidential data.
In addition, as required, after data processing has been performed on certain data (such as highly confidential data), control module 3 passes the data processing result to a user with high data processing permissions (such as the police commissioner). Only after the high-permission user has reviewed and approved it does the data processing result take effect and get stored in database 51 of information system 50.
In summary, by defining and establishing multiple data processing permissions and identity identifiers, the data processing of multiple users can be controlled.
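The login check, permission check, delegation and review steps of the data processing control unit described above, as an added Python example that is not code from the patent. The class and method names, the permission names, the separate "review" permission, the string identifiers and the salted PBKDF2 password storage are assumptions made for illustration.

```python
import hashlib
import hmac
import os
import uuid
from dataclasses import dataclass, field

@dataclass
class Permission:                 # created by the definition module
    categories: frozenset         # data categories the permission covers
    review_permission: str = ""   # if set, results need sign-off by a holder of it

@dataclass
class Identity:                   # created by the registration module
    salt: bytes
    pw_hash: bytes
    granted: set = field(default_factory=set)

def _hash(password, salt):
    # Assumption: salted PBKDF2; the patent does not say how passwords are stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class DataProcessingControlUnit:
    def __init__(self):
        self.permissions = {}     # permission name -> Permission
        self.identities = {}      # identity identifier -> Identity
        self.logged_in = set()
        self.pending = {}         # result id -> (submitter, Permission, category, payload)
        self.database = {}        # stand-in for database 51: category -> [payload]

    def define_permission(self, name, categories, review_permission=""):  # definition module
        self.permissions[name] = Permission(frozenset(categories), review_permission)

    def register(self, password):                    # registration module
        ident, salt = uuid.uuid4().hex, os.urandom(16)   # unique identity identifier
        self.identities[ident] = Identity(salt, _hash(password, salt))
        return ident

    def login(self, ident, password):                # registration module
        user = self.identities.get(ident)
        ok = user is not None and hmac.compare_digest(_hash(password, user.salt), user.pw_hash)
        if ok:
            self.logged_in.add(ident)
        return ok

    def grant(self, ident, name):                    # control module
        if name not in self.permissions:
            raise KeyError(name)
        self.identities[ident].granted.add(name)

    def delegate(self, grantor, grantee, name):      # control module
        ok = (grantor in self.logged_in and grantee in self.identities
              and name in self.identities[grantor].granted)   # can only pass on what is held
        if ok:
            self.identities[grantee].granted.add(name)
        return ok

    def process(self, ident, category, payload):     # control module
        if ident not in self.logged_in:
            return "not logged in", None
        for name in sorted(self.identities[ident].granted):
            perm = self.permissions[name]
            if category not in perm.categories:
                continue
            if perm.review_permission:               # result waits for review
                rid = uuid.uuid4().hex
                self.pending[rid] = (ident, perm, category, payload)
                return "pending review", rid
            self.database.setdefault(category, []).append(payload)
            return "stored", None
        return "no permission", None

    def approve(self, reviewer, rid):                # control module
        submitter, perm, category, payload = self.pending.get(rid, (None,) * 4)
        ok = (submitter is not None and reviewer in self.logged_in
              and perm.review_permission in self.identities[reviewer].granted)
        if ok:
            del self.pending[rid]
            self.database.setdefault(category, []).append(payload)
        return ok

def demo():  # constructed scenario following the Officer Xu embodiment
    cu = DataProcessingControlUnit()
    cu.define_permission("key_population", {"key_population"})
    cu.define_permission("high_confidential", {"high_confidential"}, review_permission="review")
    cu.define_permission("review", set())
    ids = {n: cu.register(n + "-pw") for n in ("xu", "leader", "chief")}
    for who, perm in (("xu", "key_population"), ("leader", "high_confidential"), ("chief", "review")):
        cu.grant(ids[who], perm)
    out = {"bad_login": cu.login(ids["xu"], "wrong")}
    out["logins_ok"] = all(cu.login(ids[n], n + "-pw") for n in ids)
    out["own_data"] = cu.process(ids["xu"], "key_population", "record-1")[0]
    out["denied"] = cu.process(ids["xu"], "high_confidential", "record-2")[0]
    out["delegated"] = cu.delegate(ids["leader"], ids["xu"], "high_confidential")
    out["after_delegation"], rid = cu.process(ids["xu"], "high_confidential", "record-2")
    out["self_approve"] = cu.approve(ids["xu"], rid)
    return {**out, "approved": cu.approve(ids["chief"], rid), "database": cu.database}

if __name__ == "__main__":
    print(demo())
```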
Those of ordinary skill in the art will appreciate that the above embodiments are intended to illustrate the invention and not to limit it; variations and modifications of the above embodiments that stay within the spirit of the invention all fall within the scope of the claims of the invention.

Claims (10)

1. A data security control method for an information system, characterized in that it comprises the following steps:
a. establishing an application server, and having the application server call the data of the database of the information system for use by users of the information system;
b. establishing a data processing control unit, and having the data processing control unit grant data processing permissions to the users of step a and control the users' data processing on the application server;
c. establishing a backup unit, and having the backup unit back up the data of the database of the information system of step a;
d. establishing an audit unit, and having the audit unit record the operations and activities related to data security that the users perform on the application server.
2. The security control method as claimed in claim 1, characterized in that the data processing control unit of step b comprises a definition module, a registration module and a control module; the definition module defines data processing permissions, the registration module provides registration for the user and creates an identity identifier for the user, and the control module grants the data processing permissions to the user holding the identity identifier.
3. The security control method as claimed in claim 1, characterized in that the application server of step a controls the number of users concurrently accessing the information system and controls the backup unit of step c to perform backups; the backup unit comprises a backup database, which stores the backed-up data; the backup unit has a data recovery function, which comprises full recovery, individual file recovery and redirected recovery.
4. The security control method as claimed in claim 1, characterized in that the audit unit of step d records the operations and activities related to data security and forms an encrypted audit log; the audit log is in read-only form and only administrators of the information system are allowed to access it.
5. The security control method as claimed in claim 2, characterized in that the identity identifier is unique, each identity identifier is matched with one password, and the registration module verifies the validity of the user's identity identifier and password.
6. A data security control apparatus for an information system, characterized in that it comprises:
An application server, connected with the database of the information system, the application server calling the data of the database for use by users of the information system;
A data processing control unit, connected with the application server, the data processing control unit granting data processing permissions to the users and controlling the users' data processing on the application server;
A backup unit, connected with the application server and with the database of the information system respectively, the backup unit backing up the data of the database of the information system;
An audit unit, connected with the application server, the audit unit recording the operations and activities related to data security of the data processing control unit and the information system.
7. The security control apparatus as claimed in claim 6, characterized in that the data processing control unit comprises a definition module, a registration module and a control module; the definition module defines data processing permissions, the registration module provides registration for the user and creates an identity identifier for the user, and the control module grants the data processing permissions to the user holding the identity identifier.
8. The security control apparatus as claimed in claim 6, characterized in that the application server controls the number of users concurrently accessing the information system and controls the backup unit of step c to perform backups; the backup unit comprises a backup database, which stores the backed-up data; the backup unit has a data recovery function, which comprises full recovery, individual file recovery and redirected recovery.
9. The security control apparatus as claimed in claim 6, characterized in that the audit unit records the operations and activities related to data security and forms an encrypted audit log; the audit log is in read-only form and only administrators of the information system are allowed to access it.
10. The access control apparatus as claimed in claim 7, characterized in that the identity identifier is unique, each identity identifier is matched with one password, and the registration module verifies the validity of the user's identity identifier and password.
CNA2007100412779A 2007-05-25 2007-05-25 Data security control method and apparatus for information system Pending CN101098254A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2007100412779A CN101098254A (en) 2007-05-25 2007-05-25 Data security control method and apparatus for information system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2007100412779A CN101098254A (en) 2007-05-25 2007-05-25 Data security control method and apparatus for information system

Publications (1)

Publication Number Publication Date
CN101098254A true CN101098254A (en) 2008-01-02

Family

ID=39011792

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2007100412779A Pending CN101098254A (en) 2007-05-25 2007-05-25 Data security control method and apparatus for information system

Country Status (1)

Country Link
CN (1) CN101098254A (en)

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Open date: 20080102