CN101923678A - Data security protection method of enterprise management software - Google Patents

Data security protection method of enterprise management software

Info

Publication number
CN101923678A
Authority
CN
Grant status
Application
Patent type
Prior art keywords
enterprise
software
management
method
security
Prior art date
Application number
CN 201010241026
Other languages
Chinese (zh)
Inventor
熊彩辉
Original Assignee
武汉天喻信息产业股份有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Abstract

The invention discloses an enterprise management software security protection method and belongs to the field of information security. The method provided by the invention can protect the data security of enterprise confidential information without any influences on the application flow of enterprise management software. In the method, a database file which stores enterprise core confidential data is subjected to storage encryption to prevent secret leakage caused by copying the database file; for preventing password secret leakage from leading to network attack, the access to a database server is controlled, so that only specific terminals are allowed to access the database server after verification; and an enterprise management software system client is protected completely and intelligently, the output files are encrypted, and content copying, printing, screen capturing and any other operation which may lead to secret leakage are strictly controlled in a management software application process.

Description

Data security protection method for enterprise management software

Technical field

[0001] The invention belongs to the field of information security and specifically relates to a method for ensuring the data security and confidentiality of enterprise management software.

Technical background

[0002] At present, the vast majority of enterprises and institutions use domestic management software of relatively low security and confidentiality to handle business processes such as finance, purchase/sales/inventory, personnel and payroll, all of which involve the enterprise's core confidential data. The mainstream products among these management software packages use a C/S (Client/Server) architecture in which the database server is a general-purpose DBMS (Database Management System, a relational database such as SQL Server, MySQL or Oracle) that provides service through the database's communication service port (port 1433 for SQL Server); the client connects to that database server through the standard ODBC (Open Database Connectivity) engine.

[0003] The enterprise management software described above carries serious security risks in use; the main ones are listed below:

[0004] I: Leakage risk caused by plaintext storage on the database server

[0005] In the DBMS database server used by the enterprise management software above, all data files and log files are stored in plaintext, including basic data, personnel information, financial information, customer information and so on. Once these plaintext data files and log files are stolen, they can easily be imported on any other machine with the same type of DBMS installed, directly leaking the enterprise's core confidential information.

[0006] II: Leakage risk caused by the client software

[0007] While the enterprise management software client is in use, practically every screen and every report offers a data export function that can export the current report into custom report formats, Excel and other formats, causing leaks; practically every report can be printed directly, causing leaks; and the current screen can even be captured with a screenshot tool, saved and sent out, leaking the enterprise's core confidential information.

[0008] III: Network attacks caused by lost passwords

[0009] One aspect is theft of enterprise management software user accounts. The management software client authenticates with a simple username and password check; once an ordinary employee steals a department head's login password, they can log in to the enterprise management software on any computer that has the client software installed, view classified information beyond their authority, and thereby leak confidential enterprise information.

[0010] The other aspect is illegal remote intrusion into the DBMS database. The DBMS database server used by the enterprise management software provides service to every host on the network through its default communication service port, and the DBMS super administrator account does not even have a password set. Any computer on the same LAN need only install a DBMS client tool of the same type to connect directly to the remote database server and back up the plaintext database, leaking confidential enterprise information.

[0011] In summary, to strengthen the data security of enterprise and institutional management software and eliminate leakage of end users' confidential enterprise information, providing a secure and broadly applicable data security protection method for enterprise management software is of major and urgent practical significance.

Summary of the invention

[0012] In view of the security risks mentioned above, the purpose of the present invention is to provide a professional data security protection method for enterprise management software, with the following main objectives:

[0013] 1. Apply storage encryption to the data files and log files of a specified instance on the database server, preventing leaks caused by copying plaintext database files without affecting the database's normal functions.

[0014] 2. Implement admission control for the database. Only computers with the protection terminal installed and authorized are allowed to access the back-end database server; all others are refused service, preventing network attacks caused by password leakage.

[0015] 3. Apply encryption protection to computers on which the enterprise management software client is installed: all target files exported through the client software are encrypted, and while the client software is in use, all operations that could leak data, such as printing, screen capture and content copying, are strictly restricted.

[0016] The technical solution adopted by the invention is described in detail below.

[0017] I: Storage encryption of database files

[0018] The invention mainly uses a virtual disk driver, a file filter driver and file redirection to implement storage encryption of the database files; the specific steps are as follows:

[0019] Step 1: Use the virtual disk driver to create a virtual disk file large enough to hold the data files and log files of the specified database instance, and keep it hidden on any disk partition.

[0020] Step 2: Use the virtual disk driver to mount the disk file created in step 1 as a hidden virtual disk partition (drive letter #: in this invention), and at the same time use process protection to prevent unauthorized processes from accessing that partition (drive letter #:).

[0021] Step 3: Stop the database service process, copy the data files and log files of the specified database instance to the virtual disk partition (drive letter #:), then encrypt or simply delete the original data files and log files;

[0022] Step 4: Load the file filter driver, which can intercept the start-up of every process in the operating system;

[0023] Step 5: Start the database service process; the file filter driver intercepts its start-up and injects the file redirection code into the database service process;

[0024] Step 6: The file redirection code intercepts the database service process's read and write operations on the data files and log files and redirects all of them to the corresponding files on the virtual disk partition (drive letter #:), without affecting the use of the database service at all;

[0025] Step 7: The virtual disk driver intercepts the database service process's read and write operations on the virtual disk partition (drive letter #:), encrypting automatically on save and decrypting automatically on read.

[0026] The above process stores the data files and log files in encrypted form in the virtual disk file without affecting the normal operation of the database server.

[0027] II: Implementing admission control for the database

[0028] Starting from both the database server side and the enterprise management software client side, the invention combines network application-layer filtering with an LSP (Layered Service Provider, which can monitor the system's network communications) and network driver-layer filtering with TDI (Transport Driver Interface) to implement admission control for the database; the specific steps are as follows:

[0029] Server-side admission control:

[0030] Main function: listen on the database server's communication service port and allow connections only from specified IP addresses.

[0031] Step 1: Install the LSP network application filter on the computer hosting the database server, monitoring and intercepting all network communications of the current system;

[0032] Step 2: Use the LSP network application filter to listen on the communication service port of the database server process; as soon as a remote client connects to that port, extract the client's IP address and port from the connection and go to step 3;

[0033] Step 3: The LSP network application filter looks up the permissions of the currently connecting client in the permission allocation table (a table maintained by the method of this invention that records which client IP addresses may access the database). If the connection is permitted, it is released and the client connects to the database server normally; if there is no such permission, the connection is dropped immediately and the client cannot connect to the database server.

[0034] Client-side admission control:

[0035] Main function: TDI-based network driver-layer filtering that allows only designated processes on authorized clients to connect to the database server within a prescribed time period.

[0036] Step 1: Install the TDI network driver on the computer hosting the enterprise management software client, monitoring and intercepting all of the current system's network communications to the specified database server's communication service port;

[0037] Step 2: As soon as the TDI network driver observes communication attempting to connect to the database server's communication service port, it determines from that connection which process is establishing it and goes to step 3;

[0038] Step 3: The TDI network driver consults the predefined permission allocation table (a table maintained by the method of this invention that records which client processes may access the database) to check whether the current process has permission to connect to the database server. If the connection is permitted, it is released and the process connects to the database server normally; if there is no such permission, the driver returns directly and the process reports that the connection to the database server failed.

[0039] The above process implements admission control for the database server through LSP network application-layer filtering on the server side and TDI network driver filtering on the client side.

[0040] III: Implementing encryption protection for the enterprise management software client

[0041] The invention mainly uses a file filter driver and API hooking (a technique for changing the result of an API call; Microsoft itself uses this technique inside the Windows operating system, for example in Windows compatibility mode) to implement output file encryption and application security protection for the enterprise management software client; the specific steps are as follows:

[0042] Step 1: Install the file filter driver and the API hook on the computer hosting the enterprise management software client. The file filter driver is responsible for automatically encrypting the client's output files; the API hook is responsible for filtering and blocking leak-prone actions the client might perform.

[0043] Step 2: Once loaded, the file filter driver can intercept the start-up of every process on the current system. When it intercepts the start-up of the enterprise management software client, it enters the transparent encryption/decryption flow, forcibly encrypting every file the client exports and automatically decrypting encrypted files when the client reads them.

[0044] Step 3: Load the API hook to implement application protection for the client: it filters the kernel APIs for operating-system-initiated content copying, printing, screen capture and so on, then decides according to the authorization policy (the client protection permissions maintained in the system of this invention) whether to let the call through. If the call is not allowed, the hook returns directly, so these leak-prone kernel APIs do not execute correctly, thereby preventing printing, screen capture, content copying and the like.

[0045] Preferably, the enterprise management software is enterprise management software using a C/S architecture.

[0046] Preferably, the database is a DBMS database.

[0047] The above process ensures that every file output by the enterprise management software client is forcibly encrypted, and that all content copying, report printing and screen capture operations while the client is in use are strictly restricted, preventing leaks.

Brief description of the drawings

[0048] Figure 1 is a schematic of the storage encryption technique for the SQL Server database server.

[0049] Figure 2 is a flowchart of SQL Server database server storage encryption.

[0050] Figure 3 is a flowchart of LSP admission control on the SQL Server database side.

[0051] Figure 4 is a flowchart of TDI admission control on the enterprise management software client.

[0052] Figure 5 is a flowchart of forced encryption of enterprise management software client file output.

[0053] Figure 6 is a flowchart of leak protection for the enterprise management software client.

Detailed description

[0054] The technical solution of the invention is described clearly and completely below, taking a SQL Server database server as the example and referring to the drawings. The invention also applies to protecting other DBMS databases such as MySQL and Oracle. Based on the embodiments of the invention, all other embodiments obtained by a person of ordinary skill in the art without creative effort fall within the scope of protection of the invention.

[0055] I: SQL Server database server storage encryption

[0056] Figure 1 shows the principle of the storage encryption technique for the SQL Server database server. The invention creates a large virtual disk file on the SQL Server side and uses the virtual disk driver to mount it as a hidden virtual disk partition (drive letter #: in this invention); all data written to the hidden partition is automatically encrypted and stored in the virtual disk file. A file filter driver intercepts the SQL Server process's reads and writes of its data files and redirects them to the virtual disk partition (drive letter #:), so that every data file and log file SQL Server creates and saves is stored encrypted in the virtual disk file while the normal functions of the SQL Server database are unaffected.

[0057] Figure 2 describes the technical flow of the invention in detail:

[0058] a) During initial installation, create a large virtual disk file and use the virtual disk driver to mount it as a hidden virtual disk partition (drive letter #: in this invention); then stop the SQL Server service process, copy the data files and log files to be protected to the virtual disk partition (drive letter #:), and encrypt or delete the original data files and log files.

[0059] b) During normal use, the loaded file filter driver intercepts the start-up of every process in the operating system; when it determines that the SQL Server service process has started, it injects the file redirection code to intercept the SQL Server service process's file read and write operations.

[0060] c) When the file redirection code intercepts the SQL Server service process's file read and write operations, it redirects all of them to the corresponding files on the virtual disk partition (drive letter #:).

[0061] d) As shown in the figure, the virtual disk driver intercepts the SQL Server service process's read and write operations on the virtual disk partition (drive letter #:), encrypting automatically on save and decrypting automatically on read.

[0062] In this flow the invention also provides a process protection driver that filters and blocks which processes may access the virtual disk partition (drive letter #:), preventing an attacker from accessing the partition directly through CMD (the Windows Command Prompt, Microsoft Windows' command interpreter based on command.com) or a dedicated tool.
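The storage encryption flow of paragraphs [0018] to [0026] and [0056] to [0062] can be followed end to end in a small user-space simulation. The following Python block is an added illustration, not the patent's driver code: the "virtual disk file" is a byte buffer, the redirection layer is a path map, process protection is an allowlist, and the disk cipher is a stand-in keystream derived with HMAC-SHA256 in counter mode (a real driver would use a proper disk cipher). The process name `sqlservr.exe`, the file paths and the sample data page are constructed.

```python
"""Simulation of the patent's storage-encryption flow: a hidden, encrypted
virtual partition plus a per-process redirection layer.  Added illustration,
not the patent's driver code; names and the keystream construction are assumed."""
import hashlib
import hmac
import os

DB_PROCESS = "sqlservr.exe"   # assumed name of the database service process
HIDDEN_DRIVE = "#:"           # hidden partition's drive letter, as in the patent text


def keystream(key: bytes, offset: int, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (32-byte blocks).
    Stand-in for the disk cipher a real virtual disk driver would use; its
    only job here is to show that the backing file never holds plaintext."""
    out = bytearray()
    block = offset // 32
    while len(out) < (offset % 32) + length:
        out += hmac.new(key, block.to_bytes(8, "big"), hashlib.sha256).digest()
        block += 1
    start = offset % 32
    return bytes(out[start:start + length])


def xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


class VirtualDisk:
    """The hidden partition (#:).  Writes are encrypted into the backing file and
    reads are decrypted, so the file itself only ever contains ciphertext.  The
    process-protection allowlist refuses every other process outright."""

    def __init__(self, key: bytes, size: int):
        self.key = key
        self.backing = bytearray(size)        # stands in for the virtual disk file
        self.allowed_processes = {DB_PROCESS}
        self.files = {}                       # name on #: -> (offset, length)
        self._next = 0                        # simple bump allocator, no reuse

    def _check(self, process: str) -> None:
        if process not in self.allowed_processes:
            raise PermissionError(f"{process} is not allowed to access {HIDDEN_DRIVE}")

    def write(self, process: str, name: str, data: bytes) -> None:
        self._check(process)
        off = self._next
        if off + len(data) > len(self.backing):
            raise OSError("virtual disk full")
        self.backing[off:off + len(data)] = xor(data, keystream(self.key, off, len(data)))
        self.files[name] = (off, len(data))
        self._next = off + len(data)

    def read(self, process: str, name: str) -> bytes:
        self._check(process)
        off, length = self.files[name]
        return xor(bytes(self.backing[off:off + length]), keystream(self.key, off, length))


class Redirector:
    """File-redirection layer injected into the database process: accesses to the
    instance's data/log files are mapped onto #:, everything else is left alone."""

    def __init__(self, disk: VirtualDisk, mapping: dict):
        self.disk = disk
        self.mapping = {k.lower(): v for k, v in mapping.items()}   # original path -> path on #:
        self.unprotected = {}                                        # stand-in for the normal filesystem

    def write(self, process: str, path: str, data: bytes) -> None:
        target = self.mapping.get(path.lower())
        if target is None:
            self.unprotected[path] = data
        else:
            self.disk.write(process, target, data)

    def read(self, process: str, path: str) -> bytes:
        target = self.mapping.get(path.lower())
        if target is None:
            return self.unprotected[path]
        return self.disk.read(process, target)


# Constructed sample mapping for one database instance.
MAPPING = {
    r"C:\sqldata\finance.mdf": HIDDEN_DRIVE + r"\finance.mdf",
    r"C:\sqldata\finance.ldf": HIDDEN_DRIVE + r"\finance.ldf",
}


def demo() -> dict:
    """Write a constructed data page as the database process, then check what the
    backing file holds and what a process outside the allowlist gets."""
    disk = VirtualDisk(os.urandom(32), size=4096)
    rd = Redirector(disk, MAPPING)
    page = b"SALARY,ALICE,9000\nSALARY,BOB,8500\n"      # constructed plaintext page
    rd.write(DB_PROCESS, r"C:\sqldata\finance.mdf", page)
    results = {
        "roundtrip": rd.read(DB_PROCESS, r"c:\SQLDATA\finance.mdf") == page,
        "plaintext_on_disk": b"SALARY" in bytes(disk.backing),
    }
    try:
        rd.read("cmd.exe", r"C:\sqldata\finance.mdf")
        results["cmd_blocked"] = False
    except PermissionError:
        results["cmd_blocked"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The database process keeps using its original path and sees plaintext, the backing buffer never contains the page, and a process outside the allowlist is refused before any read reaches the partition. Note that, as in the patent, the key and the allowlist live on the same host as the virtual disk file, so the scheme protects against copying the database files, not against an attacker who already controls the database server.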

[0063] II: Admission control for the SQL Server database

[0064] 1. Server-side admission control

[0065] Figure 3 describes the use of the LSP network application-layer filter on the SQL Server side to implement authorized access for specified IP addresses. The basic flow is:

[0066] a) Install the LSP network application-layer filter on the computer hosting the SQL Server, listening for all communications in which a remote client attempts to connect to port 1433 of the local SQL Server;

[0067] b) When the LSP network application-layer filter observes a remote client attempting to connect to port 1433 of the local SQL Server, it extracts the connection's IP address and port, then decides according to the predefined permission allocation table (the table maintained in the system of this invention of which client IP addresses may access the database) whether the connection is allowed; if so, the connection is released, otherwise creation of the connection is refused.

[0068] In this flow the invention achieves admission control on the SQL Server side based on IP rules, but it cannot tell whether the process connecting from the remote client is an authorized one, so a client could still connect to the SQL Server through other hacker tools and leak confidential enterprise information.

[0069] 2. Client-side admission control

[0070] As shown in Figure 4, the validity of the connecting client process is judged by the TDI driver installed on the computer hosting the enterprise management software client, which closes the gap left by Figure 3. The basic flow is:

[0071] a) Install the TDI network filter driver on the enterprise management software client computer, listening for all local communications attempting to connect to port 1433 of the SQL Server;

[0072] b) When the TDI network filter driver intercepts an attempt to connect to port 1433 of the SQL Server, it identifies the process initiating the connection, obtains the process fingerprint and checks it against the predefined permission allocation table (the table maintained in the system of this invention of which client processes may access the database). If the check succeeds the connection is released and the process connects to the SQL Server normally; if it fails the connection is dropped and the process's connection fails.

[0073] In this flow the invention achieves application-based admission control on the enterprise management software client, effectively making up for the shortcoming of the LSP network application filter.
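The two checkpoints of paragraphs [0031] to [0038] and [0065] to [0073] reduce to two decision functions over a permission allocation table: an IP rule on the server side and a process-fingerprint-plus-time-window rule on the client side. The Python block below is an added example, not the patent's LSP/TDI code; it keeps the decision logic only and leaves out the network interception. The table layout, the subnets, the executable image bytes and the connection attempts are all constructed; port 1433 is the SQL Server port named in the patent.

```python
"""Admission-control decisions for the patent's two checkpoints: server-side IP
rule (LSP) and client-side process rule (TDI).  Added example, not the patent's
code; the table layout and every sample value are constructed."""
import hashlib
import ipaddress
from datetime import datetime, time

DB_PORT = 1433   # SQL Server's default port, as in the patent


def fingerprint(image: bytes) -> str:
    """Process fingerprint = SHA-256 of the executable image.  Matching on the
    image hash rather than the file name is what stops a renamed tool from
    borrowing the client's permission."""
    return hashlib.sha256(image).hexdigest()


# Constructed stand-ins for executable images.
FINANCE_CLIENT_IMAGE = b"constructed-bytes-of-finance-client.exe"
OTHER_TOOL_IMAGE = b"constructed-bytes-of-some-other-sql-client.exe"

# Server-side permission table: client networks allowed to reach port 1433 (constructed).
SERVER_ALLOW = [ipaddress.ip_network(n) for n in ("10.10.5.0/24", "10.10.9.17/32")]

# Client-side permission table: fingerprint -> window in which it may connect (constructed).
CLIENT_ALLOW = {fingerprint(FINANCE_CLIENT_IMAGE): (time(8, 0), time(18, 0))}


def server_admit(client_ip: str, dst_port: int, table=SERVER_ALLOW) -> bool:
    """LSP checkpoint: guard only the database port; drop anything not in the table."""
    if dst_port != DB_PORT:
        return True                      # not the guarded service, nothing to decide
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in table)


def client_admit(image: bytes, dst_port: int, now: datetime, table=CLIENT_ALLOW) -> bool:
    """TDI checkpoint: the connecting *process* must match a listed fingerprint and
    the attempt must fall inside that process's time window."""
    if dst_port != DB_PORT:
        return True
    window = table.get(fingerprint(image))
    if window is None:
        return False                     # unknown process: default deny
    start, end = window
    return start <= now.time() <= end


def evaluate(attempts):
    """Run connection attempts through both checkpoints; a connection is admitted
    only when the server-side and client-side decisions both allow it."""
    return [(a["label"],
             server_admit(a["ip"], a["port"]) and client_admit(a["image"], a["port"], a["when"]))
            for a in attempts]


OFFICE = datetime(2010, 7, 30, 10, 15)   # constructed timestamps
NIGHT = datetime(2010, 7, 30, 2, 0)

ATTEMPTS = [   # constructed connection attempts
    {"label": "finance client, allowed host, office hours", "ip": "10.10.5.23",
     "port": DB_PORT, "image": FINANCE_CLIENT_IMAGE, "when": OFFICE},
    {"label": "finance client, allowed host, 02:00", "ip": "10.10.5.23",
     "port": DB_PORT, "image": FINANCE_CLIENT_IMAGE, "when": NIGHT},
    {"label": "other SQL client, allowed host, office hours", "ip": "10.10.5.23",
     "port": DB_PORT, "image": OTHER_TOOL_IMAGE, "when": OFFICE},
    {"label": "finance client, unlisted subnet, office hours", "ip": "10.10.7.4",
     "port": DB_PORT, "image": FINANCE_CLIENT_IMAGE, "when": OFFICE},
    {"label": "browser to port 443, not a guarded service", "ip": "10.10.7.4",
     "port": 443, "image": b"constructed-bytes-of-browser.exe", "when": OFFICE},
]

if __name__ == "__main__":
    for label, admitted in evaluate(ATTEMPTS):
        print(f"{'ALLOW' if admitted else 'DENY ':5} {label}")
```

The third attempt is the case paragraph [0068] calls out: the IP rule alone would pass it, and only the client-side fingerprint check refuses it. The fourth attempt shows the converse, an authorized process on a host the server does not list.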

[0074] III: Encryption protection for the enterprise management software client

[0075] Figures 5 and 6 describe the processes of output encryption and application protection for the enterprise management software client.

[0076] As shown in Figure 5, output encryption for the enterprise management software client mainly uses the file filter driver to intercept process start-up, encrypting output files and decrypting them on read; the specific flow is:

[0077] a) The file filter driver installed on the enterprise management software client intercepts the start-up of every process; if it judges the process to be a legitimate client process, it starts the transparent encryption/decryption flow;

[0078] b) The transparent encryption/decryption flow forcibly encrypts every file exported by the enterprise management software client and automatically decrypts encrypted files when the client reads them.

[0079] Figure 6 describes the application protection process for the enterprise management software client. The file filter driver intercepts the client's start-up and injects the API hook to provide application security protection for the client: the hook filters the kernel APIs for system-initiated content copying, printing, screen capture and so on, then decides according to the authorization policy (the client protection permissions maintained in the system of this invention) whether to let the call through. If the call is not allowed the hook returns directly, so these leak-prone kernel APIs do not execute correctly, thereby preventing printing, screen capture, content copying and similar functions.

[0080] By combining output encryption and application protection, the invention ensures that every file output by the enterprise management software client is automatically and forcibly encrypted, so that even if it is circulated outside it causes no leak, while the client can still use the encrypted files normally; application protection in turn ensures that, while the client is in use, content copying, report printing, screen capture or screen recording cannot be used to leak confidential enterprise information.
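The application protection of paragraphs [0041] to [0044] and [0079] to [0080] hinges on one mechanism: a hook sits in front of a leak-prone API, consults the authorization policy, and on denial returns a failure result instead of running the real call. The Python block below is an added, user-space analogue of that mechanism, not the patent's kernel-level API hook; it wraps stand-in functions rather than Windows APIs. The process name `finance_client.exe`, the policy table and the sample session are constructed.

```python
"""User-space analogue of the patent's client application protection: leak-prone
operations are wrapped so a policy decides whether the real call runs, and each
blocked attempt is recorded.  Added illustration; the hooked 'APIs' are stand-ins."""
import functools
from dataclasses import dataclass, field

PROTECTED_CLIENT = "finance_client.exe"   # assumed name of the management software client

# Authorization policy (constructed): per protected process, which operations stay usable.
# File export stays allowed because the filter driver encrypts whatever is exported.
POLICY = {
    PROTECTED_CLIENT: {"clipboard_copy": False, "print": False,
                       "screenshot": False, "file_export": True},
}


@dataclass
class Guard:
    current_process: str
    audit: list = field(default_factory=list)   # blocked attempts, for the operator

    def decide(self, op: str) -> bool:
        rules = POLICY.get(self.current_process)
        if rules is None:
            return True                          # not a protected process: hook is inert
        allowed = rules.get(op, False)           # default deny inside a protected process
        if not allowed:
            self.audit.append({"process": self.current_process, "operation": op})
        return allowed

    def hook(self, op: str, failure):
        """Wrap a callable so that, on denial, `failure` is returned and the wrapped
        function never executes, mirroring the patent's 'return directly'."""
        def deco(fn):
            @functools.wraps(fn)
            def wrapper(*args, **kwargs):
                if not self.decide(op):
                    return failure
                return fn(*args, **kwargs)
            return wrapper
        return deco


class FakeSystemApi:
    """Stand-in for the platform's clipboard, printing, capture and file APIs."""

    def __init__(self):
        self.clipboard = None
        self.print_jobs = []
        self.captures = []

    def set_clipboard(self, text):
        self.clipboard = text
        return True

    def print_document(self, doc):
        self.print_jobs.append(doc)
        return True

    def capture_screen(self):
        self.captures.append("frame")
        return b"frame"

    def export_file(self, name, data):
        return ("written", name, len(data))


def install_hooks(api: FakeSystemApi, guard: Guard) -> FakeSystemApi:
    """Replace each API entry point with its guarded wrapper (the user-space
    equivalent of patching the call in the client process)."""
    api.set_clipboard = guard.hook("clipboard_copy", False)(api.set_clipboard)
    api.print_document = guard.hook("print", False)(api.print_document)
    api.capture_screen = guard.hook("screenshot", None)(api.capture_screen)
    api.export_file = guard.hook("file_export", None)(api.export_file)
    return api


def run_session(process_name: str) -> dict:
    """Drive one constructed client session through the hooked API surface."""
    guard = Guard(process_name)
    api = install_hooks(FakeSystemApi(), guard)
    return {
        "copy": api.set_clipboard("Q3 revenue 12.4M"),        # constructed values
        "print": api.print_document("balance_sheet.pdf"),
        "screenshot": api.capture_screen(),
        "export": api.export_file("report.xls", b"..."),
        "blocked_events": len(guard.audit),
        "clipboard_after": api.clipboard,
    }


if __name__ == "__main__":
    print(run_session(PROTECTED_CLIENT))
    print(run_session("notepad.exe"))
```

Inside the protected client the three leak-prone calls return their failure values without ever touching the clipboard, the print queue or the capture list, while export still works; an unlisted process is untouched. Recording each denial is the one addition a defender would want over the patent's description, since blocked attempts are the signal that someone is probing the controls.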

[0081] Finally, a specific embodiment illustrates the feasibility of the invention.

[0082] A financial software system installed and used by an organization consists of a SQL Server database server and a financial client, and suffers from a series of security risks that urgently need to be resolved:

[0083] 1. Taking the SQL Server database as an example, because it is stored in plaintext, a leak occurs directly as soon as an intruder, or colluding insiders and outsiders, take away the data files and log files.

[0084] After applying the SQL Server database server storage encryption method described in this invention, all data files and log files of the SQL Server database are stored encrypted in the virtual disk file on the server side, and the original files are encrypted and deleted, so no usable data files or log files can be obtained.

[0085] 2. In terms of admission control for the SQL Server database, once the financial client system password is stolen or the SA account password of the SQL Server database is lost, a person with ulterior motives can log in to the financial client directly within the LAN, or simply install a SQL Server client and log in to the SQL Server database, leaking financial information.

[0086] After applying the LSP network application-layer filtering and TDI network filter driver described in this invention, admission control is performed by IP on the SQL Server database server side and by process on the financial software client side; the effective combination of the two builds complete admission control protection for the SQL Server database server.

[0087] 3. In terms of leak paths on the financial client, once logged in to the financial client a user can export financial information in many report formats, and can also leak the current financial information through content copying, printing, screen capture or screen recording.

[0088] After applying the financial client output encryption and application protection flow described in this invention, every file output by the financial client is automatically encrypted; while the financial client is in use, content copying, printing, screen capture, screen recording and similar means are strictly controlled to prevent leaks.

[0089] The SQL Server database file storage encryption and admission control functions of this invention also apply to other DBMS data management systems, such as the commonly used Access, MySQL, FoxPro, Sybase and Oracle database platforms.

Claims (6)

  1. A data security protection method for enterprise management software, which protects the data of the enterprise management software by processing its database and its client, specifically: (1) storage encryption of the database files, to prevent leaks from the database server; (2) admission control of the database server, so that only computers on which the protection terminal is installed are allowed, after authorization, to access the back-end database server, preventing intrusion by unauthorized terminals; (3) output encryption and application protection for the enterprise management software client, that is, encrypting all target files exported through the client software, preventing leaks through the client software.
  2. The data security protection method for enterprise management software of claim 1, wherein the storage encryption of the database files comprises the steps of: (2.1) creating a virtual disk file, mounting it with a virtual disk driver as a hidden virtual disk partition, then stopping the database service process, copying the data files and log files to be protected into the virtual disk partition, and encrypting or deleting the original data files and log files; (2.2) using a file filter driver to intercept the start of every process in the operating system and, once the database service process is detected to have started, injecting file redirection code to intercept the file read and write operations of the database service process; (2.3) using file redirection to redirect all data read and write operations of the database service process into the virtual disk partition, where the virtual disk driver intercepts the reads and writes of the database service process to that partition, so that data is automatically encrypted when saved and automatically decrypted when read.
  3. The data security protection method for enterprise management software of claim 1 or 2, wherein the admission control of the database server is implemented from both the database server side and the enterprise management software client side, combining LSP network application-layer filtering with TDI network driver-layer filtering, the specific process being: (3.1) on the computer hosting the database server, monitoring and intercepting all network communication in the operating system through LSP application-layer filtering; when a remote client is intercepted attempting to connect to the communication service port of the database server, extracting the IP address and port of the connection and deciding, according to a predefined permission table, whether the connection is allowed, releasing it if allowed and otherwise refusing to create the connection; (3.2) on the enterprise management software client, monitoring and intercepting, through a TDI network driver-layer filter driver, all network communication of the current system to the communication service port of the specified database server, analysing the process that initiates the connection, obtaining the fingerprint information of that process and checking it against the predefined permission table, releasing the connection if allowed and disconnecting it immediately if not.
  4. The data security protection method for enterprise management software of any one of claims 1-3, wherein the output encryption and application protection of the enterprise management software client specifically comprises installing, on the computer hosting the client, a file filter driver and an API hook, the file filter driver automatically encrypting the output files of the client, and the API hook filtering and intercepting execution of the kernel APIs through which the client could leak information.
  5. The data security protection method for enterprise management software of any one of claims 1-4, wherein the enterprise management software is enterprise management software using a C/S (client/server) architecture.
  6. The data security protection method for enterprise management software of any one of claims 1-5, wherein the database is a DBMS database.
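As an added illustration of the two admission decisions in claim 3 (this is not the patent's code; the LSP/TDI interception layers are left out and only the decision logic is modelled), with a constructed permission table and the assumption that the "process fingerprint" is a SHA-256 digest of the client executable image:

```python
import hashlib
import ipaddress

# Constructed values for this illustration (not taken from the patent).
DB_PORT = 1433          # usual SQL Server service port; the patent names SQL-Server
DB_SERVER_IP = "10.0.0.5"

# Predefined permission table (claim 3): client subnets allowed to reach the
# DB port, and fingerprints of client executables allowed to open it.
# The fingerprint is assumed to be SHA-256 of the executable image.
GENUINE_CLIENT_IMAGE = b"MZ...constructed finance client image..."
ALLOWED_CLIENT_NETS = [ipaddress.ip_network("10.0.1.0/24")]
ALLOWED_FINGERPRINTS = {hashlib.sha256(GENUINE_CLIENT_IMAGE).hexdigest()}


def process_fingerprint(image: bytes) -> str:
    """Fingerprint of the process that initiated the connection (assumed SHA-256)."""
    return hashlib.sha256(image).hexdigest()


def server_admission(src_ip: str, dst_port: int) -> bool:
    """Step (3.1): decision on the DB server for an intercepted inbound connection.
    True releases the connection; False refuses to create it."""
    if dst_port != DB_PORT:
        return True  # not the DB service port, so outside the admission policy
    src = ipaddress.ip_address(src_ip)
    return any(src in net for net in ALLOWED_CLIENT_NETS)


def client_admission(dst_ip: str, dst_port: int, image: bytes) -> bool:
    """Step (3.2): decision on the client for an intercepted outbound connection.
    True releases it; False disconnects it immediately."""
    if dst_port != DB_PORT or ipaddress.ip_address(dst_ip) != ipaddress.ip_address(DB_SERVER_IP):
        return True
    return process_fingerprint(image) in ALLOWED_FINGERPRINTS


def admit(src_ip: str, dst_ip: str, dst_port: int, image: bytes) -> bool:
    """Both sides must agree: the client filter cuts off unknown processes,
    the server filter refuses unregistered hosts even with a valid password."""
    return client_admission(dst_ip, dst_port, image) and server_admission(src_ip, dst_port)


if __name__ == "__main__":
    # registered workstation, genuine client: admitted
    print(admit("10.0.1.20", DB_SERVER_IP, DB_PORT, GENUINE_CLIENT_IMAGE))    # True
    # unregistered host, even with the genuine client: refused by the server
    print(admit("192.168.9.9", DB_SERVER_IP, DB_PORT, GENUINE_CLIENT_IMAGE))  # False
    # registered host, but some other program: cut off by the client filter
    print(admit("10.0.1.20", DB_SERVER_IP, DB_PORT, b"some other program"))   # False
```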

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN 201010241026 CN101923678A (en) 2010-07-30 2010-07-30 Data security protection method of enterprise management software

Publications (1)

Publication Number Publication Date
CN101923678A (en) 2010-12-22

Family

ID=43338595

Country Status (1)

Country Link
CN (1) CN101923678A (en)

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1299103A (en) * 1999-12-03 2001-06-13 朴宰佑 User certification system and method performed by bio-information in network
CN1373424A (en) * 2001-11-29 2002-10-09 上海格尔软件股份有限公司 Virtual magnetic disk method under windows
US20040049677A1 (en) * 2002-09-11 2004-03-11 Chung-I Lee Authorization and security management system and method
CN1540547A (en) * 2003-10-27 2004-10-27 上海金诺网络安全技术发展股份有限公 Controlling method for accessing networked games and method of charging
US7050589B2 (en) * 2001-08-17 2006-05-23 Sun Microsystems, Inc. Client controlled data recovery management
CN1937495A (en) * 2006-09-29 2007-03-28 清华大学深圳研究生院 Digital copyright protection method and system for media network application
US20080066184A1 (en) * 2006-09-13 2008-03-13 Nice Systems Ltd. Method and system for secure data collection and distribution
CN101266609A (en) * 2008-04-30 2008-09-17 中山爱科数字科技有限公司;广东爱科数字科技有限公司 Method for accomplishing medical data external inquiry for digital remote medical treatment

Cited By (22)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102591802A (en) * 2011-01-05 2012-07-18 广州市国迈科技有限公司 USB flash disk with stored files openable while irreproducible
CN103150270A (en) * 2012-02-15 2013-06-12 林善红 Security method for distributing data
CN102708335A (en) * 2012-05-05 2012-10-03 南京赛孚科技有限公司 Confidential file protection method
CN102750483A (en) * 2012-06-21 2012-10-24 无锡华御信息技术有限公司 SQL (structured query language) injection attack protection method based on database
CN102710452A (en) * 2012-06-26 2012-10-03 深圳市华力特电气股份有限公司 Method and device for managing visit of multiple clients
CN102761559A (en) * 2012-08-02 2012-10-31 上海上讯信息技术有限公司 Private data-based network security sharing method and communication terminal
CN102761559B (en) * 2012-08-02 2016-02-17 上海上讯信息技术股份有限公司 Network-based method and a secure shared private data communication terminal
CN102880539A (en) * 2012-08-23 2013-01-16 福建升腾资讯有限公司 Log redirecting method based on windows embedded standard (WES) system
CN103166977A (en) * 2013-04-16 2013-06-19 福建伊时代信息科技股份有限公司 Method, terminal, server and system for accessing website
CN103279717A (en) * 2013-06-19 2013-09-04 福建伊时代信息科技股份有限公司 Operation method and device for documents
CN104580083A (en) * 2013-10-17 2015-04-29 苏州慧盾信息安全科技有限公司 System and method for providing safety protection for financial system
CN103544286B (en) * 2013-10-28 2017-04-12 中国软件与技术服务股份有限公司 One kind of database protection method
CN103544286A (en) * 2013-10-28 2014-01-29 中国软件与技术服务股份有限公司 Database protection method
CN104636675A (en) * 2013-11-08 2015-05-20 苏州慧盾信息安全科技有限公司 System and method for providing safety protection for database
CN103679368A (en) * 2013-12-13 2014-03-26 清华大学 Wafer CMP processing information management system
CN104750428A (en) * 2013-12-27 2015-07-01 纬创资通股份有限公司 Block Storage Gateway Module, Storage System And Method, And Content Delivery Apparatus
CN104750428B (en) * 2013-12-27 2018-03-02 纬创资通股份有限公司 Block storage access and gateway module, and the storage system and a method for content delivery device
CN105488420A (en) * 2014-10-10 2016-04-13 广州联奕信息科技有限公司 Drive layer kernel-level code-based file encrypting method and device
CN105592027A (en) * 2014-11-18 2016-05-18 苏州慧盾信息安全科技有限公司 Security protection system and method for preventing drag of DNS
CN104732160B (en) * 2015-02-03 2018-04-13 武汉风奥软件技术有限公司 A control method for an internal database information preventing leaks
CN104732160A (en) * 2015-02-03 2015-06-24 武汉风奥软件技术有限公司 Control method for preventing database information from being leaked internally
CN104992123A (en) * 2015-04-16 2015-10-21 中安比特(江苏)软件技术有限公司 Database transparency encryption method

Similar Documents

Publication Publication Date Title
Chen et al. Data security and privacy protection issues in cloud computing
US7844829B2 (en) Secured database system with built-in antivirus protection
US8261320B1 (en) Systems and methods for securely managing access to data
US20050060579A1 (en) Secure network system and associated method of use
US7100047B2 (en) Adaptive transparent encryption
CN102394894A (en) Network virtual disk file safety management method based on cloud computing
CN101895578A (en) Document monitor and management system based on comprehensive safety audit
CN101017525A (en) Divulging secrets prevention system of USB storage device date based on certificate and transparent encryption technology
Hasan et al. Toward a threat model for storage systems
Tan et al. The issues of cloud computing security in high-speed railway
CN102254117A (en) Virtualized technology-based data anti-disclosure system
CN1822014A (en) Protecting method for security files under cooperative working environment
CN101588360A (en) Associated equipment and method for internal network security management
US20130086685A1 (en) Secure integrated cyberspace security and situational awareness system
CN101520831A (en) Safe terminal system and terminal safety method
CN102034052A (en) Operation system architecture based on separation of permissions and implementation method thereof
CN101710380A (en) Electronic document safety protection method
CN101271497A (en) Electric document anti-disclosure system and its implementing method
CN101827101A (en) Information asset protection method based on credible isolated operating environment
CN102333090A (en) Internal control bastion host and security access method of internal network resources
CN101547199A (en) Electronic document security ensuring system and electronic document security ensuring method
CN103530570A (en) Electronic document safety management system and method
CN101504706A (en) Database information encryption method and system
US8321915B1 (en) Control of access to mass storage system
CN101751712A (en) Centralized invoice authentification system and authentification method

Legal Events

Date Code Title Description
C06 Publication
C10 Request of examination as to substance
C02 Deemed withdrawal of patent application after publication (patent law 2001)