CN104732160A - Control method for preventing database information from being leaked internally - Google Patents
Control method for preventing database information from being leaked internally Download PDFInfo
- Publication number
- CN104732160A CN104732160A CN201510055828.1A CN201510055828A CN104732160A CN 104732160 A CN104732160 A CN 104732160A CN 201510055828 A CN201510055828 A CN 201510055828A CN 104732160 A CN104732160 A CN 104732160A
- Authority
- CN
- China
- Prior art keywords
- database
- module
- file
- access
- control
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Landscapes
- Storage Device Security (AREA)
Abstract
The invention provides a control method for preventing database information from being leaked internally. In the method, a control service, a filter driver, a remote console and a WAN console are adopted. Database files are encrypted automatically in a remote control mode by means of the filter driver, thereby being prevented from being copied and leaked by operation and maintenance staff; illegal export of database information is controlled through the filter driver, so the content of a database is prevented from being embezzled illegally by the operation staff; the WAN console is used for remote control, so the risk that database hardware is stolen is further reduced, and the security of the database information is improved.
Description
Technical field
The invention belongs to field of computer information security, particularly database information access control field.
Background technology
In recent years, database has been widely used in the every field of Computer Storage as the important means of storage organization data, and database Safety also becomes increasingly conspicuous.Database security comprises security of operation and information security two parts, and information security issue is more outstanding comparatively speaking.Database information is revealed becomes focal issue day by day, not only brings serious direct economic loss to enterprise, and causes damage in brand value, investor's relation, public's image etc.Strengthen database information safety management extremely urgent.
Usually, the situation producing database information leakage is diversified, abroad, the situation by mistake making secret reveal due to carelessness is often many, in China, first want it is considered that from the problem of internal staff, it not is a question of morality that internal staff divulges a secret, but out and out benefits program, because Legal Regulation effect is not enough, the disappearance of social credit system, inner blabber is made to be easy to escape the sanction of law, so a lot of internal staff is for the motivation of making profit, privately steal enterprise key secret to peddle and other enterprises, or even rival, when leaving office, the vital strategic secrets of enterprise copy is also often taken away by employee, using the important foundation as further work, therefore the emphasis that domestic enterprise will take precautions against is divulged a secret in inside.
Divulged a secret the information security issue caused in inside at present, also there is no effective control method.Three aspect problems below main existence:
1. effectively cannot take precautions against the stolen risk of DATABASE HARDWARE.No matter be the systems such as fire wall, antivirus software, this " old three samples " information safety system of intrusion detection, or emerging network log-in management, water [proof, all prove in practice and cannot prevent inside from divulging a secret.Although the various port controlling management of enterprise network are very tight, because data itself do not do safe handling, still have and divulge a secret greatly because suffering from.Internal staff directly can unload hard disk down and be suspended to other computer and to get on copies data.
2. internal document authority is out of control gives away secrets.The delineation of power of the classified information of Most current section is quite extensive, and the personnel's (as operation maintenance personnel) not possessing corresponding level of confidentiality have known senior secret, easily cause data divulged a secret by copy.
3. when database facility meets accident, there is the risk of leakage of information.Suffer wooden horse when internal staff surfs the Net or virus causes the capsule information in computer to be run off, movable storage device has been lost, keeped in repair or scrap and often cause divulging a secret.
Summary of the invention
The technical matters that the present invention solves is: 1. prevent database file from being divulged a secret by operation maintenance personnel copy; 2. prevent database information from illegally deriving, and data-base content is illegally usurped by operating personnel; 3. take precautions against the risk that DATABASE HARDWARE is stolen, strengthen the security of database information.
Technical scheme of the present invention is: provide a kind of and prevent the database information inside control method of divulging a secret, described method by controlling service, filtration drive, remote console, outer net control desk four modules complete, comprise the following steps:
Step 1: strategy is issued control service module by remote console module;
Step 2: control service module according to strategy access outer net control desk module, and arrange strategy for improvement according to outer net control desk module;
Step 3: control service module by improve after policy distribution to filter driver module;
Step 4: filtration drive module controls database file access.
Further, step 4 also comprises and forbids being specially the step that conducts interviews to database according to strategy:
After control service module stops, all programs of filtration drive module disables are to the access of database, and database is in complete guard mode;
After control service module normally starts, filtration drive modular filtration is to the access of database file, comprise following two aspects: for the access of database program, filtration drive module deciphers the data-base content encrypted automatically, database program can normal accessing database fileinfo; When copying database file, the non-decrypting database file encrypted of filtration drive module, the database file copy of copy leaves environment for use and cannot normally use, and filtration drive module disables copies unencrypted database file.
Further, step 4 also can comprise the step of forbidding the derivation to database according to strategy, is specially:
When control strategy forbidden data storehouse is derived, user is derived by SQL statement or guide will failure.
Further, step 4 can also comprise the step of automatic encrypting database and backup thereof, is specially:
Filtration drive module is when filter operates database file, whether automatic decision database file is encrypted, when unencrypted, automatically it is encrypted, copy to prevent database file and divulge a secret, upper procedure is when carrying out backup operation to database, and filtration drive module also can be encrypted automatically.
Further, remote console module work, in Intranet, comprises the following steps:
Control startup and the stopping of service module, when controlling service module and stopping, all programs of filtration drive module disables conduct interviews to database;
The derivation of controlling database, defaults to and forbids deriving, and when allowing to derive, data-base content could be exported to other form by user;
Arrange control program just to start the need of after the checking of outer net control desk.
Further, outer net control desk module work is in outer net, and carry out supplementary and perfect to the function of remote console module, for when remote control module normally cannot work in Intranet, control database, concrete steps are as follows:
When remote console module installation needs outer net control desk to verify, control to need and outer net control desk module communication before service module starts, do not start service when communication is not smooth.
When outer net control desk module installation software failure, control service module and automatically can delete software, database was thoroughly lost efficacy.
Further, remote console module is connected by Intranet or internet with control service module, described outer net control desk module is connected by internet with control service module, and described filtration drive module is directly connected by special purpose interface device with control service module.
Beneficial effect of the present invention is as follows:
1, the automatic encrypting database of filtration drive and backup, database file copy is invalid.
2, filtration drive controls illegal derivation, prevents content from being divulged a secret by alternate manner.
3, remote console and the service that controls are separated, and prevent operation maintenance personnel from stealing.
4, outer net control desk remote control program lost efficacy, and when database facility occurs unexpected, database information also can not be divulged a secret.
Therefore, the present invention passes through remote controlled manner, rely on filtration drive automatically to encrypt database file, can effectively prevent database file from being divulged a secret by operation maintenance personnel copy, simultaneously by the derivation of forbidden data library information, can prevent data-base content from illegally being usurped by operating personnel, and the use of outer net control desk, the risk that DATABASE HARDWARE is stolen can be taken precautions against further.
Accompanying drawing illustrates:
Fig. 1 is that the present invention prevents the inner control method process flow diagram of divulging a secret of database information;
Fig. 2 is that a kind of control flow of filtration drive module to database file implements illustration.
Embodiment
Be described below in detail embodiments of the invention, the example of described embodiment is shown in the drawings, and wherein same or similar label represents same or similar element or has element that is identical or similar functions from start to finish.Being exemplary below by the embodiment be described with reference to the drawings, only for explaining the present invention, and can not limitation of the present invention being interpreted as.
Below in conjunction with the drawings and specific embodiments, the present invention is described in further detail:
For the file system filter driver parts that accessing data base controls, work in operating system nucleus, employing Windows drives the file system layer filtration drive technology in hierarchical structure to conduct interviews control to database file, because it is in filter Driver on FSD layer, this logical organization can shield the complicacy of underlying device type, file system filter driver parts conduct interviews the principle of control work, and it comprises following basic step:
Step 1: the accessing operation of upper procedure to file converts operating system file access interface to and call;
Step 2: operating system is called and is delivered to I/O manager, converts the I/O request bag of filtration drive resume module to;
Step 3:I/O manager first gives filtration drive module before file access request bag is passed to file system driver;
Step 4: filtration drive module asks bag to process according to control strategy to I/O.
Particularly, as namely IRP in Fig. 2, figure represents I/O request bag, the input output request that filtration drive module is controlled database by following steps:
After receiving the I/O request bag of file access, judging whether to conduct interviews to database file by obtaining filename, then directly letting slip if not, if then judge whether to allow access;
When disable access, direct refusal process is accessed further and is returned I/O request bag;
When allowing access, then judging that whether access process is legal, accessing for illegal process, denied access also returns I/O request bag;
To legitimate processes access, then judge whether access file is ciphertext, if then deciphering is read and returns, then file is encrypted if not, ensures that database file is in encrypted state.
By this control strategy, the automatic encrypting database of filtration drive and backup, database file copy is invalid, and filtration drive controls illegal derivation, prevent content from being divulged a secret by alternate manner, therefore rely on this filtration drive automatically to encrypt database file, can effectively prevent database file from being divulged a secret by operation maintenance personnel copy.
The present invention divulges a secret mainly for the inside of database information, according to the setting of control desk, drive the reading of filter Driver on FSD to database of layer to conduct interviews control by windows, database file stores in an encrypted form, condition adjudgement is carried out during database access, when for plaintext, be automatically encrypted file, Lawful access is decrypted ciphertext, do not affect the normal access to database, unauthorized access is non-decrypting, even if database is illegally duplicated, leaves environment and also cannot use.
Claims (10)
1. prevent a database information inside control method of divulging a secret, described method by controlling service, filtration drive, remote console, outer net control desk four modules complete, it is characterized in that, comprise the following steps:
Step 1: strategy is issued control service module by remote console module;
Step 2: control service module according to strategy access outer net control desk module, and arrange strategy for improvement according to outer net control desk module;
Step 3: control service module by improve after policy distribution to filter driver module;
Step 4: filtration drive module controls database file access.
2. the method for claim 1, is characterized in that, described step 4 also comprises forbids being specially the step that conducts interviews to database according to strategy:
After control service module stops, all programs of filtration drive module disables are to the access of database, and database is in complete guard mode;
After control service module normally starts, filtration drive modular filtration, to the access of database file, comprises following two aspects:
For the access of database program, filtration drive module deciphers the database file encrypted automatically, and database program can normal accessing database fileinfo;
When copying database file, the non-decrypting database file encrypted of filtration drive module, the database file copy of copy leaves environment for use and cannot normally use, and filtration drive module disables copies unencrypted database file.
3. the method for claim 1, is characterized in that, described step 4 also comprises the step of forbidding the derivation to database according to strategy, is specially:
When control strategy forbidden data storehouse is derived, user is derived by SQL statement or guide will failure.
4. the method for claim 1, is characterized in that, described step 4 also comprises the step of automatic enciphered data library file and backup thereof, is specially:
Filtration drive module is when filter operates database file, whether automatic decision database file is encrypted, when unencrypted, automatically it is encrypted, copy to prevent database file and divulge a secret, upper procedure is when carrying out backup operation to database, and filtration drive module also can be encrypted automatically.
5. the method for claim 1, is characterized in that, described remote console module work is in Intranet, further comprising the steps of:
Control startup and the stopping of service module, when controlling service module and stopping, all programs of filtration drive module disables conduct interviews to database;
The derivation of controlling database, defaults to and forbids deriving, and when allowing to derive, data-base content could be exported to other form by user;
Arrange control program just to start the need of after outer net control desk module verification.
6. the method for claim 1, is characterized in that, described outer net control desk module work is in outer net, the function of remote console module is carried out supplementary and perfect, for when remote control module normally cannot work in Intranet, control database, concrete steps are as follows:
When remote console module installation needs outer net control desk to verify, control to need and outer net control desk module communication before service module starts, do not start service when communication is not smooth.
When outer net control desk module installation software failure, control service module and automatically can delete software, database was thoroughly lost efficacy.
7. the method for claim 1, it is characterized in that, described filtration drive module work, in operating system nucleus, employs WINDOWS and drives the file system layer filtering technique in hierarchical structure to carry out access control to database file, comprise following basic step:
The accessing operation of upper procedure to file converts operating system file access interface to and calls;
Operating system is called and is delivered to I/O manager, converts the I/O request bag of filtration drive resume module to;
I/O manager first gives filtration drive module before file access request bag is delivered to file system driver;
Filtration drive module asks bag to process according to control strategy to I/O.
8. the method for claim 1, is characterized in that, the input output request that described filtration drive module is controlled database by following steps:
After receiving the I/O request bag of file access, judging whether to conduct interviews to database file by obtaining filename, then directly letting slip if not, if then judge whether to allow access;
When disable access, direct refusal process is accessed further and is returned I/O request bag;
When allowing access, then judging that whether access process is legal, accessing for illegal process, denied access also returns I/O request bag;
To legitimate processes access, then judge whether access file is ciphertext, if then deciphering is read and returns, then file is encrypted if not, ensures that database file is in encrypted state.
9. the method for claim 1, is characterized in that, described filtration drive module is in filter Driver on FSD layer, for shielding the complicacy of underlying device type.
10. the method for claim 1, it is characterized in that, described remote console module is connected by Intranet or internet with control service module, described outer net control desk module is connected by internet with control service module, and described filtration drive module is directly connected by special purpose interface device with control service module.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510055828.1A CN104732160B (en) | 2015-02-03 | 2015-02-03 | A kind of control method for preventing from divulging a secret inside database information |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201510055828.1A CN104732160B (en) | 2015-02-03 | 2015-02-03 | A kind of control method for preventing from divulging a secret inside database information |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN104732160A true CN104732160A (en) | 2015-06-24 |
| CN104732160B CN104732160B (en) | 2018-04-13 |
Family
ID=53456040
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201510055828.1A Active CN104732160B (en) | 2015-02-03 | 2015-02-03 | A kind of control method for preventing from divulging a secret inside database information |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN104732160B (en) |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105187216A (en) * | 2015-08-28 | 2015-12-23 | 宇龙计算机通信科技(深圳)有限公司 | Data safety processing method, device and system |
| CN109934011A (en) * | 2019-03-18 | 2019-06-25 | 国网安徽省电力有限公司黄山供电公司 | A kind of data safety partition method applied to O&M auditing system |
| CN111984998A (en) * | 2020-08-20 | 2020-11-24 | 北京人大金仓信息技术股份有限公司 | Mandatory access control method and device for database |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060129527A1 (en) * | 2003-01-10 | 2006-06-15 | Hui Li | Method and device for accessing a database |
| CN101030242A (en) * | 2007-02-12 | 2007-09-05 | 深圳市迈科龙电子有限公司 | Method for controlling database safety access |
| US20080235771A1 (en) * | 2005-10-20 | 2008-09-25 | International Business Machines Corporation | Method and System For Dynamic Adjustment of Computer Security Based on Network Activity of Users |
| CN101923678A (en) * | 2010-07-30 | 2010-12-22 | 武汉天喻信息产业股份有限公司 | Data security protection method of enterprise management software |
| CN102394894A (en) * | 2011-11-28 | 2012-03-28 | 武汉大学 | Network virtual disk file safety management method based on cloud computing |
| CN103412801A (en) * | 2013-08-09 | 2013-11-27 | 厦门天锐科技有限公司 | Method for file backup based on process identification file |
-
2015
- 2015-02-03 CN CN201510055828.1A patent/CN104732160B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US20060129527A1 (en) * | 2003-01-10 | 2006-06-15 | Hui Li | Method and device for accessing a database |
| US20080235771A1 (en) * | 2005-10-20 | 2008-09-25 | International Business Machines Corporation | Method and System For Dynamic Adjustment of Computer Security Based on Network Activity of Users |
| CN101030242A (en) * | 2007-02-12 | 2007-09-05 | 深圳市迈科龙电子有限公司 | Method for controlling database safety access |
| CN101923678A (en) * | 2010-07-30 | 2010-12-22 | 武汉天喻信息产业股份有限公司 | Data security protection method of enterprise management software |
| CN102394894A (en) * | 2011-11-28 | 2012-03-28 | 武汉大学 | Network virtual disk file safety management method based on cloud computing |
| CN103412801A (en) * | 2013-08-09 | 2013-11-27 | 厦门天锐科技有限公司 | Method for file backup based on process identification file |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105187216A (en) * | 2015-08-28 | 2015-12-23 | 宇龙计算机通信科技(深圳)有限公司 | Data safety processing method, device and system |
| CN109934011A (en) * | 2019-03-18 | 2019-06-25 | 国网安徽省电力有限公司黄山供电公司 | A kind of data safety partition method applied to O&M auditing system |
| CN111984998A (en) * | 2020-08-20 | 2020-11-24 | 北京人大金仓信息技术股份有限公司 | Mandatory access control method and device for database |
Also Published As
| Publication number | Publication date |
|---|---|
| CN104732160B (en) | 2018-04-13 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| CN100568251C (en) | The guard method of security files under cooperative working environment | |
| CN102034052B (en) | Operation system architecture based on separation of permissions and implementation method thereof | |
| CN101572660B (en) | Comprehensive control method for preventing leakage of data | |
| CN101923678A (en) | Data security protection method of enterprise management software | |
| CN103530570A (en) | Electronic document safety management system and method | |
| CN104680079A (en) | Electronic document security management system and electronic document security management method | |
| CN101098224B (en) | Method for encrypting/deciphering dynamically data file | |
| CN104077244A (en) | Process isolation and encryption mechanism based security disc model and generation method thereof | |
| CN100535876C (en) | Smart card and USB combined equipment and method of self-destroy forillegal access and try to pass valve value | |
| CN105740725A (en) | File protection method and system | |
| CN102799831B (en) | Information safety protection system of application system based on database and information safety protection method | |
| CN104318176A (en) | Terminal and data management method and device thereof | |
| CN107358097A (en) | A kind of method and system in open environment Computer protecting information safety | |
| WO2007001046A1 (en) | Method for protecting confidential file of security countermeasure application and confidential file protection device | |
| CN103268435A (en) | Intranet license generation method and system, and intranet license protection method and system | |
| CN103970540B (en) | Key Functions secure calling method and device | |
| CN107563221A (en) | A kind of certification decoding security management system for encrypting database | |
| CN109918934A (en) | Research and development data safety and secrecy system based on tri- layers of dynamic encryption technology of AES | |
| CN104732160A (en) | Control method for preventing database information from being leaked internally | |
| CN104376270A (en) | File protection method and system | |
| CN111236105B (en) | Parking space lock management method, device and system and parking space lock | |
| CN107273725B (en) | Data backup method and system for confidential information | |
| CN104182667B (en) | Data guard method and device based on screen locking | |
| US20050162992A1 (en) | Information access control method, access control program, and external recording medium | |
| CN113407984A (en) | System and method for providing security protection for database |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| C06 | Publication | ||
| PB01 | Publication | ||
| C10 | Entry into substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |