CN105512569A - Database security reinforcing method and device - Google Patents

Database security reinforcing method and device

Info

Publication number: CN105512569A
Authority: CN (China)
Prior art keywords: data, database, database user, described current, current
Legal status: Pending
Application number: CN201510956006.0A
Other languages: Chinese (zh)
Inventor: 邓光超
Current Assignee: Inspur Electronic Information Industry Co Ltd
Original Assignee: Inspur Electronic Information Industry Co Ltd
Application filed by Inspur Electronic Information Industry Co Ltd
Priority to CN201510956006.0A
Publication of CN105512569A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/60 Protecting data
    • G06F 21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F 21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database

Abstract

The invention provides a database security reinforcing method and device. The method and device are applied to a database for which a database administrator and a security administrator have been designated in advance. The method comprises the steps of receiving an access request from a current database user for current data in the database, and judging, according to a mandatory access control strategy pre-established by the security administrator, whether the current data may be accessed by the current database user; if not, the current database user is prevented from accessing the current data, and if so, it is further judged according to a discretionary access control strategy pre-established by the database administrator whether the current database user has the right to access the current data; according to the result of this further judgement, if so, the current database user is allowed to access the current data, and if not, the current database user is prevented from accessing it. With this scheme, database security can be improved.

Description

Database security reinforcing method and device
Technical field
The present invention relates to the field of computer security, and in particular to a database security reinforcing method and device.
Background technology
With the development of computer technology the amount of computer data keeps growing. To manage and use the various kinds of data better, databases came into being: a mass storage device stores computer data in classified form, and the data in the database is shared among multiple users. This greatly improves how well computer data can be managed and is very convenient for users. At the same time, a database, as a high-capacity storage device, holds a large amount of data, and malicious access by one user may leak important data belonging to other users and cause them great losses.
At present, to restrict the access behaviour of database users, prevent important data in the database from leaking and improve database security, the access rights of database users are generally set by the database administrator. A user can access specific data only after being authorized by the database administrator; otherwise the user has no access rights.
In this prior-art approach of improving database security by managing database access rights, the database administrator has superuser authority and can set any right for any user. Once the database administrator's account and password are stolen, an attacker can log in with the administrator account, set the access rights of any user or create new users, and steal the data stored in the database. Because the prior art relies on the database administrator alone to protect the database, database security is low.
Summary of the invention
The invention provides a database security reinforcing method and device that can improve the security of a database.
An embodiment of the invention provides a database security reinforcing method, applied to a database for which a database administrator and a security administrator have been designated in advance, comprising:
receiving an access request from a current database user for current data in the database;
judging, according to a mandatory access control strategy pre-created by the security administrator, whether the current data may be accessed by the current database user;
if not, preventing the current database user from accessing the current data; if so, further judging, according to a discretionary access control strategy pre-created by the database administrator, whether the current database user has the right to access the current data;
according to the result of the further judgement, if so, allowing the current database user to access the current data, and otherwise preventing the current database user from accessing the current data.
Preferably, the method further comprises: designating an audit administrator for the database in advance;
monitoring the operation behaviour of the database administrator and the security administrator in real time, judging according to an audit control strategy pre-created by the audit administrator whether the database administrator or the security administrator performs an operation that does not conform to the audit control strategy, and if so, sending an alert.
Preferably, the mandatory access control strategy comprises: for each item of data in the database, specifying the database users that may access the data; only a database user within the specified range may access that data.
Preferably, the mandatory access control strategy comprises: for each item of data in the database, specifying the time period during which the data may be accessed; the data may be accessed only within the permitted time period.
Preferably, the mandatory access control strategy comprises: for each item of data in the database, specifying the IP addresses from which the data may be accessed; the data may be accessed only from an IP address within the permitted IP address range.
Preferably, the discretionary access control strategy comprises: specifying the access rights of each database user; each database user may access specific data in the database only within the range of its own access rights.
An embodiment of the invention further provides a database security reinforcing device, applied to a database for which a database administrator and a security administrator have been designated in advance, comprising a receiving unit, a first judging unit, a second judging unit and an execution unit;
the receiving unit is configured to receive an access request from a current database user for current data in the database;
the first judging unit is configured to judge, according to the mandatory access control strategy pre-created by the security administrator, whether the current data may be accessed by the current database user;
the second judging unit is configured, when the result of the first judging unit is yes, to further judge, according to the discretionary access control strategy pre-created by the database administrator, whether the current database user has the right to access the current data;
the execution unit is configured, when the result of the second judging unit is yes, to allow the current database user to access the current data and otherwise to prevent it, and, when the result of the first judging unit is no, to prevent the current database user from accessing the current data.
Preferably, the device further comprises an audit unit;
the database comprises a pre-designated audit administrator, who pre-creates an audit control strategy;
the audit unit is configured to monitor the operation behaviour of the database administrator and the security administrator in real time, judge according to the audit control strategy whether either of them performs an operation that does not conform to the audit control strategy, and if so, send an alert.
Preferably, the first judging unit is configured to obtain, according to the mandatory access control strategy, the database users that may access the current data and judge whether the current database user is within that range; if so, the second judging unit further judges the access request, and if not, the execution unit prevents the current database user from accessing the current data.
Preferably, the first judging unit is configured to obtain, according to the mandatory access control strategy, the time period during which the current data may be accessed and judge whether the time at which the current database user accesses the current data falls within that period; if so, the second judging unit further judges the access request, and if not, the execution unit prevents the current database user from accessing the current data.
Preferably, the first judging unit is configured to obtain the IP address of the current database user according to the mandatory access control strategy and judge whether it lies within the IP address range from which the current data may be accessed; if so, the second judging unit further judges the access request, and if not, the execution unit prevents the current database user from accessing the current data.
Preferably, the second judging unit is configured to obtain the access rights of the current database user according to the discretionary access control strategy and judge whether they include the right to access the current data; if so, the execution unit allows the current database user to access the current data, and if not, the execution unit prevents it.
The embodiments provide a database security reinforcing method and device. A database administrator and a security administrator are designated for the database in advance; the database administrator pre-creates a discretionary access control strategy and the security administrator pre-creates a mandatory access control strategy. When a database user accesses data in the database, it is first judged according to the mandatory access control strategy whether the accessed data may be accessed by this database user; if so, it is further judged according to the discretionary access control strategy whether this database user has access rights to the accessed data. The database user is allowed to access the data only when both judgements are yes, and is otherwise prevented. In this way the authority that the database administrator holds in the prior art is weakened: access to data requires the authorization of both the database administrator and the security administrator, so even if the account of one administrator is stolen, the data in the database cannot be accessed at will, and database security is improved.
Brief description of the drawings
Fig. 1 is a flowchart of a database security reinforcing method provided by one embodiment of the invention;
Fig. 2 is a flowchart of a database security reinforcing method provided by another embodiment of the invention;
Fig. 3 is a schematic diagram of a database security reinforcing device provided by one embodiment of the invention.
Embodiments
The technical solutions in the embodiments of the invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments obtained by a person of ordinary skill in the art on the basis of these embodiments without creative work fall within the scope of protection of the invention.
As shown in Fig. 1, one embodiment of the invention provides a database security reinforcing method, applied to a database for which a database administrator and a security administrator have been designated in advance, comprising:
Step 101: receive an access request from a current database user for current data in the database;
Step 102: judge, according to the mandatory access control strategy pre-created by the security administrator, whether the current data may be accessed by the current database user; if so, perform step 103, otherwise perform step 104;
Step 103: judge, according to the discretionary access control strategy pre-created by the database administrator, whether the current database user has the right to access the current data; if so, perform step 105, otherwise perform step 104;
Step 104: prevent the current database user from accessing the current data, and end the current process;
Step 105: allow the current database user to access the current data.
In this embodiment a database administrator and a security administrator are designated for the database in advance, the database administrator pre-creates the discretionary access control strategy and the security administrator pre-creates the mandatory access control strategy. When a database user accesses data, the mandatory access control strategy is consulted first to judge whether the accessed data may be accessed by this database user, and only if so is the discretionary access control strategy consulted to judge whether this database user has access rights to the data; access is allowed only when both judgements are yes, and is otherwise prevented. The authority of the database administrator in the prior art is thereby weakened: accessing data requires the authorization of both the database administrator and the security administrator, so even if one administrator's account is stolen the data in the database cannot be accessed at will, which improves database security.
In one embodiment of the invention, the database also has a pre-designated audit administrator, who pre-creates an audit control strategy. While the database is running, the operation behaviour of the database administrator and the security administrator is monitored in real time, and the monitored data is compared with the audit control strategy created by the audit administrator to judge whether either administrator performs an abnormal operation that does not conform to the audit control strategy; if so, an alert is sent. The audit administrator can thus discover abnormal operations of the database administrator and the security administrator in time and take remedial measures, avoiding greater losses and further improving database security.
In one embodiment of the invention, the mandatory access control strategy can specify, for each item of data in the database, the database users that may access it. After an access request for an item of data is received, the range of database users that the mandatory access control strategy permits to access that data is obtained first, and it is judged whether the database user that initiated the request is within that range; if so, the next judgement step is performed for the request, and if not, the access is blocked directly. Because the mandatory access control strategy designates the permitted database users per item of data, access rights are distributed at the level of the data (file) rather than being configured for every database user individually, which improves the efficiency of database rights management.
In one embodiment of the invention, the mandatory access control strategy can specify, for each item of data in the database, the time period during which access is permitted. After an access request for an item of data is received, it is judged according to the system time of the database whether the time at which the request is initiated falls within the permitted time period specified by the mandatory access control strategy; if so, the next judgement step is performed for the request, and if not, the access is blocked directly. In this way the permitted access period can be specified flexibly for special data, achieving control and protection of that data and improving the flexibility of access-right configuration.
In one embodiment of the invention, the mandatory access control strategy can specify, for each item of data in the database, the IP addresses from which access is permitted. After an access request for an item of data is received, the IP address of the database user that initiated the request is obtained, and it is judged whether it lies within the IP address range from which the mandatory access control strategy permits the accessed data to be accessed; if so, the next judgement step is performed for the request, and if not, the access is blocked directly. In this way the login client of a database user accessing data can be restricted, and access rights can be granted to database users within a particular IP address range or region, achieving flexible configuration of database access rights.
In one embodiment of the invention, the discretionary access control strategy can limit the access rights of each database user: the database administrator sets the access rights of each database user individually through the discretionary access control strategy. When an access request has passed the judgement of the mandatory access control strategy, that is, the current data may be accessed by the current database user, it is judged according to the access rights configured for the current database user in the discretionary access control strategy whether the current database user has the right to access the current data; if so, the current database user can access the current data, and otherwise the access request is blocked. In this way the access rights of each database user can be set separately through the discretionary access control strategy, so that database access rights can be configured flexibly.
To make the objectives, technical solutions and advantages of the invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
As shown in Fig. 2, one embodiment of the invention provides a database security reinforcing method comprising:
Step 201: designate a database administrator, a security administrator and an audit administrator for the database.
In one embodiment of the invention, a database administrator account, a security administrator account and an audit administrator account are created and assigned to the corresponding management personnel, thereby designating a database administrator, a security administrator and an audit administrator for the database. The database administrator manages the rights of database users and maintains, updates and backs up the data in the database; the security administrator configures access rights for the data in the database and is responsible for creating new database users; the audit administrator monitors the operations of the database administrator and the security administrator and judges whether any operation fails to meet regulations or internal control requirements.
Step 202: the database administrator creates the discretionary access control strategy, the security administrator creates the mandatory access control strategy, and the audit administrator creates the audit control strategy.
In one embodiment of the invention, the database administrator logs in to the database with the assigned database administrator account and configures the discretionary access control strategy, which defines the access rights of each database user; the access rights comprise the data that may be accessed and the mode of access to that data. For example, database 1 has three database users, database user 1, database user 2 and database user 3. The discretionary access control strategy specifies that database user 1 and database user 3 have the right to access financial statement 1 in database 1, and that database user 2 does not.
The security administrator logs in to the database with the assigned security administrator account and configures the mandatory access control strategy, which restricts the access rights to each item of data in the database: any one or more of the database users that may access the data, the time period during which the data may be accessed, and the IP addresses from which the data may be accessed. For example, for financial statement 1 in database 1, the mandatory access control strategy specifies that financial statement 1 may be accessed by database user 2 and database user 3 but not by database user 1, that financial statement 1 may be accessed only between 8:00 and 17:00 each day, and that the IP address of the database user sending the access request must be an intra-company IP address.
The audit administrator logs in to the database with the assigned audit administrator account and configures the audit control strategy, which defines the standards that the database administrator and the security administrator must follow when operating on the database. For example, the audit control strategy defines the standard the database administrator must follow when modifying the discretionary access control strategy and the standard the security administrator must follow when modifying the mandatory access control strategy.
Step 203: receive an access request from the current database user for the current data.
In one embodiment of the invention, when the current database user accesses the current data in the database, the access request information sent by the current database user is received, and the current data the user wants to access, the IP address of the current database user and the access time are obtained from it.
Step 204: judge, according to the mandatory access control strategy, whether the current data may be accessed by the current database user; if so, perform step 205, otherwise perform step 209.
In one embodiment of the invention, after the access request of the current database user for the current data is received, the list of database users that may access the current data is obtained according to the mandatory access control strategy, and it is judged whether the current database user is in that list. If so, the current data may be accessed by the current database user and step 205 is performed; otherwise the current data may not be accessed by the current database user and step 209 is performed. For example, after an access request for financial statement 1 in database 1 is received, if the current database user is database user 2 or database user 3, then, since the mandatory access control strategy specifies that financial statement 1 may be accessed by database user 2 or database user 3, step 205 is performed for the request; if the current database user is database user 1, then, since the mandatory access control strategy specifies that financial statement 1 may not be accessed by database user 1, step 209 is performed for the request.
Step 205: judge, according to the mandatory access control strategy, whether the current data may be accessed at the current time; if so, perform step 206, otherwise perform step 209.
In one embodiment of the invention, the time period during which the mandatory access control strategy permits the current data to be accessed is compared with the current system time of the database, to judge whether the time at which the current database user initiates the access falls within the permitted time period of the current data; if so, step 206 is performed, otherwise step 209. For example, if the current database user accesses financial statement 1 at 12:00, which falls within the permitted time period 8:00-17:00 of financial statement 1, step 206 is performed; if the access time is 20:00, which falls outside the permitted time period 8:00-17:00, step 209 is performed.
Step 206: judge, according to the mandatory access control strategy, whether the IP address of the current database user lies within the IP address range from which the current data may be accessed; if so, perform step 207, otherwise perform step 209.
In one embodiment of the invention, the IP address range from which the current data may be accessed is obtained according to the mandatory access control strategy, and it is judged whether the login IP of the current database user is within that range. If so, the login IP of the current database user meets the requirement and step 207 is performed; otherwise the login IP does not meet the requirement and step 209 is performed. For example, the IP address of the client logged in to the current database user's account is obtained, and it is judged whether this IP address is an internal IP address of the company to which database 1 belongs. If so, the current database user meets the login IP address requirement for accessing financial statement 1 and step 207 is performed; otherwise the login IP address of the current database user does not meet the login IP address requirement of financial statement 1 and step 209 is performed.
Step 207: judge, according to the discretionary access control strategy, whether the current database user has the right to access the current data; if so, perform step 208, otherwise perform step 209.
In one embodiment of the invention, after the access request of the current database user has been judged to conform to the mandatory access control strategy, all the data to which the current database user has access rights is obtained according to the discretionary access control strategy, and it is judged whether the current data is among it. If so, the current database user has the right to access the current data and step 208 is performed; otherwise the current database user does not have that right and step 209 is performed. For example, if the current database user is database user 2, then, since the discretionary access control strategy specifies that database user 2 has no right to access financial statement 1, step 209 is performed; if the current database user is database user 3, then, since the discretionary access control strategy specifies that database user 3 has the right to access financial statement 1, step 208 is performed.
Step 208: allow the current database user to access the current data, and end the current process.
In one embodiment of the invention, once the access request of the current database user for the current data has passed the judgements of steps 204 to 207 and conforms to both the mandatory access control strategy and the discretionary access control strategy, the current database user is allowed to access the current data. For example, database user 3 is allowed to access financial statement 1 in database 1.
Step 209: prevent the current database user from accessing the current data.
In one embodiment of the invention, when the current database user accesses the current data, if any one of the judgement steps 204 to 207 finds that the access of the current database user to the current data does not conform to the mandatory access control strategy or the discretionary access control strategy, the current database user is prevented from accessing the current data. For example, database user 1 and database user 2 are prevented from accessing financial statement 1 in database 1.
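The layered decision of steps 201 to 209 (and, equivalently, the MAC-then-DAC judgement of the summary and of Fig. 1) can be written out as a small policy engine. The following is an added example, not code from the patent: the rule and request data structures, the function names and the company address range 10.0.0.0/8 are assumptions, while the policy contents (database users 1 to 3, financial statement 1, the 8:00-17:00 window, a company-internal IP requirement) mirror the patent's worked example.

```python
# Added example (not the patent's own code): the layered decision of steps
# 201-209 applied to the patent's worked example. The data structures, the
# function names and the company IP range 10.0.0.0/8 are assumptions.
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class MacRule:
    """Mandatory access control rule for one item of data (security administrator)."""
    allowed_users: frozenset   # database users that may access the data (step 204)
    start: time                # start of the permitted time period (step 205)
    end: time                  # end of the permitted time period
    allowed_networks: tuple    # IP ranges from which access is permitted (step 206)


@dataclass(frozen=True)
class AccessRequest:
    """What step 203 extracts from a request: user, data, client IP, access time."""
    user: str
    data: str
    client_ip: str
    at: datetime


def mac_check(rule, req):
    """Steps 204-206 in order; returns (True, None) or (False, reason)."""
    if req.user not in rule.allowed_users:
        return False, "user not in MAC user list"
    if not (rule.start <= req.at.time() <= rule.end):
        return False, "outside permitted time period"
    ip = ip_address(req.client_ip)
    if not any(ip in net for net in rule.allowed_networks):
        return False, "client IP outside permitted range"
    return True, None


def dac_check(dac, req):
    """Step 207: the DAC strategy as a mapping user -> set of data the user may access."""
    if req.data in dac.get(req.user, set()):
        return True, None
    return False, "no DAC right for this data"


def decide(mac, dac, req):
    """Full decision: the MAC strategy is consulted first, then the DAC strategy;
    access is allowed only when both say yes (steps 208/209)."""
    rule = mac.get(req.data)
    if rule is None:            # assumption: data without a MAC rule is denied
        return False, "no MAC rule for this data"
    ok, reason = mac_check(rule, req)
    if not ok:
        return False, reason
    return dac_check(dac, req)


# Constructed policies mirroring the patent's example: MAC admits users 2 and 3,
# 08:00-17:00, from the company network; DAC grants users 1 and 3 the statement.
MAC = {
    "financial statement 1": MacRule(
        allowed_users=frozenset({"database user 2", "database user 3"}),
        start=time(8, 0),
        end=time(17, 0),
        allowed_networks=(ip_network("10.0.0.0/8"),),   # assumed company range
    ),
}
DAC = {
    "database user 1": {"financial statement 1"},
    "database user 2": set(),
    "database user 3": {"financial statement 1"},
}


def make_request(user, client_ip="10.1.2.3", hour=12, data="financial statement 1"):
    """Constructed request; the date is arbitrary, only the hour matters here."""
    return AccessRequest(user, data, client_ip, datetime(2020, 1, 1, hour, 0))


if __name__ == "__main__":
    for user in ("database user 1", "database user 2", "database user 3"):
        print(user, decide(MAC, DAC, make_request(user)))
    print("user 3 at 20:00", decide(MAC, DAC, make_request("database user 3", hour=20)))
    print("user 3 from outside", decide(MAC, DAC, make_request("database user 3", "203.0.113.5")))
```

Run stand-alone, the script reproduces the patent's outcome: only database user 3 is admitted, database user 1 fails the MAC user list, and database user 2 passes every MAC check but fails the DAC check, so a stolen database administrator account (which can only edit DAC) or a stolen security administrator account (which can only edit MAC) is not on its own enough to open financial statement 1 to a user that the other strategy excludes. The explicit denial reasons are there for the audit trail, not for the requesting user.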
It should be noted that while the database runs, the operation behaviour of the database administrator and the security administrator is monitored in real time and compared with the behaviour specified in the audit control strategy created by the audit administrator; if an operation of the database administrator or the security administrator does not conform to the audit control strategy, an alert message is sent so that the audit administrator can handle it in time. For example, an alert is raised to the audit administrator when the database administrator grants rights to an inappropriate database user, or when the security administrator temporarily cancels a security rule so as to make an illegal operation convenient for some database user.
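The audit control strategy of step 202 and the monitoring described above amount to a rule set evaluated over a stream of administrator operations. The following is an added example, not code from the patent: the event format, the two rule types (approved grantees per data item, MAC rules that must not be disabled), the role-separation checks and the sample event stream are all constructed for this illustration; the division of duties they encode (the database administrator edits the DAC strategy, the security administrator edits the MAC strategy) follows step 201.

```python
# Added example (not the patent's own code): real-time comparison of
# administrator operations with the audit control strategy, producing alerts
# for the audit administrator. Event format, rule contents and the sample
# event stream are constructed for this illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class AdminEvent:
    """One monitored administrator operation."""
    actor: str          # "dba" or "security_admin"
    action: str         # "grant", "revoke", "disable_mac_rule", "modify_mac_rule"
    target: str         # database user or MAC rule affected
    data: str = ""      # data item concerned, if any


class AuditPolicy:
    """Audit control strategy created by the audit administrator."""

    def __init__(self, approved_grantees, protected_mac_rules):
        # data item -> database users who may legitimately be granted it
        self.approved_grantees = approved_grantees
        # MAC rules that must never be disabled, even temporarily
        self.protected_mac_rules = protected_mac_rules

    def violations(self, ev):
        """Return the audit violations (if any) raised by one operation."""
        alerts = []
        if ev.actor == "dba" and ev.action == "grant":
            if ev.target not in self.approved_grantees.get(ev.data, set()):
                alerts.append(f"DBA granted {ev.data!r} to unapproved user {ev.target!r}")
        if ev.actor == "dba" and ev.action in ("disable_mac_rule", "modify_mac_rule"):
            alerts.append("DBA changed the MAC strategy (security administrator's duty)")
        if ev.actor == "security_admin" and ev.action == "disable_mac_rule":
            if ev.target in self.protected_mac_rules:
                alerts.append(f"security administrator disabled protected MAC rule {ev.target!r}")
        if ev.actor == "security_admin" and ev.action in ("grant", "revoke"):
            alerts.append("security administrator changed the DAC strategy (DBA's duty)")
        return alerts


def monitor(policy, events):
    """Compare each operation with the audit policy; return (event, message) alerts."""
    return [(ev, msg) for ev in events for msg in policy.violations(ev)]


# Constructed audit policy and event stream for financial statement 1.
POLICY = AuditPolicy(
    approved_grantees={"financial statement 1": {"database user 1", "database user 3"}},
    protected_mac_rules={"financial statement 1/time-period", "financial statement 1/ip-range"},
)
SAMPLE_EVENTS = [
    AdminEvent("dba", "grant", "database user 3", "financial statement 1"),                 # approved
    AdminEvent("dba", "grant", "database user 2", "financial statement 1"),                 # inappropriate grant
    AdminEvent("security_admin", "disable_mac_rule", "financial statement 1/time-period"), # rule cancelled
    AdminEvent("security_admin", "modify_mac_rule", "financial statement 1/user-list"),    # within its duty
]

if __name__ == "__main__":
    for ev, msg in monitor(POLICY, SAMPLE_EVENTS):
        print(f"ALERT: {msg}  <- {ev}")
```

On the sample stream the monitor raises exactly the two alerts the patent describes: the grant to database user 2, who is not an approved grantee of financial statement 1, and the security administrator switching off the time-period rule. The fourth event is a legitimate MAC edit and produces nothing, which is the property to preserve when tuning such rules: the audit administrator should see the exceptional operations, not every routine one.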
As shown in Figure 3, an embodiment of the invention provides a database security reinforcing device, applied to a database for which a database administrator and a security administrator have been specified in advance, comprising: a receiving unit 301, a first judging unit 302, a second judging unit 303 and an execution unit 304;
The receiving unit 301 is configured to receive an access request from a current database user to access current data in the database;
The first judging unit 302 is configured to judge, according to the mandatory access control policy pre-created by the security administrator, whether the current data is allowed to be accessed by the current database user;
The second judging unit 303 is configured to, if the judgement result of the first judging unit 302 is yes, further judge, according to the discretionary access control policy pre-created by the database administrator, whether the current database user has the right to access the current data;
The execution unit 304 is configured to allow the current database user to access the current data if the judgement result of the second judging unit 303 is yes, and otherwise to prevent the current database user from accessing the current data; and, if the judgement result of the first judging unit 302 is no, to prevent the current database user from accessing the current data.
In an embodiment of the invention, the device further comprises an audit unit;
The database comprises a pre-specified audit administrator, and an audit control policy is pre-created by the audit administrator;
The audit unit is configured to monitor the operation behaviour of the database administrator and the security administrator in real time and to judge, according to the audit control policy, whether the database administrator or the security administrator exhibits operation behaviour that does not comply with the audit control policy; if so, an alarm is sent.
In an embodiment of the invention, the first judging unit is configured to obtain, according to the mandatory access control policy, the database users that may access the current data, and to judge whether the current database user is within the range of those database users; if so, the access request is further judged by the second judging unit; if not, the execution unit prevents the current database user from accessing the current data.
In an embodiment of the invention, the first judging unit is configured to obtain, according to the mandatory access control policy, the time period during which the current data may be accessed, and to judge whether the time at which the current database user accesses the current data falls within that permitted time period; if so, the access request is further judged by the second judging unit; if not, the execution unit prevents the current database user from accessing the current data.
In an embodiment of the invention, the first judging unit is configured to obtain, according to the mandatory access control policy, the IP address of the current database user, and to judge whether that IP address falls within the IP address range from which the current data may be accessed; if so, the access request is further judged by the second judging unit; if not, the execution unit prevents the current database user from accessing the current data.
In an embodiment of the invention, the second judging unit is configured to obtain, according to the discretionary access control policy, the access rights of the current database user, and to judge whether the range of those access rights includes the right to access the current data; if so, the execution unit allows the current database user to access the current data; if not, the execution unit prevents the current database user from accessing the current data.
It should be noted that the information interaction between the units of the above device, their implementation process and similar details are based on the same concept as the method embodiment of the invention; for the specifics, reference may be made to the description of the method embodiment, which is not repeated here.
According to the above scheme, the database security reinforcing method and device provided by the embodiments of the invention have at least the following beneficial effects:
1. In the embodiment of the invention, a database administrator and a security administrator are specified in advance for the database; the discretionary access control policy is pre-created by the database administrator and the mandatory access control policy by the security administrator. When a database user accesses data in the database, it is first judged according to the mandatory access control policy whether the accessed data is allowed to be accessed by this database user; if so, it is further judged according to the discretionary access control policy whether this database user has access rights to the accessed data. The database user is allowed to access the data only when both judgement results are yes; otherwise the database user is prevented from accessing the data. In this way the authority held by the database administrator in the prior art is weakened: access to data requires the authorisation of both the database administrator and the security administrator, so even if the account of one of these administrators is stolen, the data in the database cannot be accessed at will, which improves the security of the database.
2. In the embodiment of the invention, an audit administrator is specified in advance for the database, and the audit administrator creates an audit control policy that defines the expected operation behaviour of the database administrator and the security administrator. If the operation behaviour of the database administrator or the security administrator does not meet the requirements of the audit control policy, an alarm is raised to the audit administrator, who can handle the non-compliant behaviour in time. This avoids the threat to the database posed by a stolen database administrator or security administrator account and further improves the security of the database.
3. In the embodiment of the invention, besides specifying the database users permitted to access data in the database, the mandatory access control policy can also specify the time period and the IP addresses from which data in the database may be accessed. Specifying the permitted time period and the permitted IP addresses configures the access rights to data in the database flexibly, protects the security of the data in the database, and improves the flexibility of database authority configuration.
4. In the embodiment of the invention, the access rights of database users are configured by the discretionary access control policy and the access rights to data in the database by the mandatory access control policy; an access request must satisfy both the discretionary and the mandatory access control policy before the data in the database can be accessed. This avoids restricting access to data in the database by user rights alone and improves the security of the database.
It should be noted that, in this document, relational terms such as first and second are used only to distinguish one entity or operation from another, and do not necessarily require or imply any such actual relationship or order between these entities or operations. Moreover, the terms "comprises", "comprising" or any other variant thereof are intended to cover a non-exclusive inclusion, so that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such process, method, article or device. Without further limitation, an element defined by the statement "comprising a ..." does not exclude the presence of other identical elements in the process, method, article or device that comprises the element.
Those of ordinary skill in the art will appreciate that all or part of the steps of the above method embodiments may be implemented by hardware under the control of program instructions; the program may be stored in a computer-readable storage medium and, when executed, performs the steps of the above method embodiments. The storage medium includes ROM, RAM, magnetic disks, optical discs and other media capable of storing program code.
Finally, it should be noted that the foregoing describes only preferred embodiments of the invention, which serve solely to illustrate the technical solution of the invention and are not intended to limit its scope of protection. Any modification, equivalent replacement or improvement made within the spirit and principles of the invention is included in the scope of protection of the invention.

Claims (10)

1. A database security reinforcing method, characterized in that it is applied to a database for which a database administrator and a security administrator have been specified in advance, and comprises:
receiving an access request from a current database user to access current data in said database;
judging, according to a mandatory access control policy pre-created by said security administrator, whether said current data is allowed to be accessed by said current database user;
if not, preventing said current database user from accessing said current data; if so, further judging, according to a discretionary access control policy pre-created by said database administrator, whether said current database user has the right to access said current data;
according to the result of said further judgement, if so, allowing said current database user to access said current data, otherwise preventing said current database user from accessing said current data.
2. The method according to claim 1, characterized in that it further comprises: specifying an audit administrator for said database in advance;
monitoring the operation behaviour of said database administrator and said security administrator in real time, and judging, according to an audit control policy pre-created by said audit administrator, whether said database administrator or said security administrator exhibits operation behaviour that does not comply with said audit control policy; if so, sending an alarm.
3. The method according to claim 1, characterized in that
said mandatory access control policy comprises: for each item of data in said database, specifying the database users that may access that data, such that only database users within the specified range may access that data.
4. The method according to claim 3, characterized in that
said mandatory access control policy comprises: for each item of data in said database, specifying the time period during which that data may be accessed, such that that data may be accessed only within said permitted time period;
and/or,
said mandatory access control policy comprises: for each item of data in said database, specifying the IP addresses from which that data may be accessed, such that only IP addresses within said permitted IP address range may access that data.
5. The method according to any one of claims 1 to 5, characterized in that
said discretionary access control policy comprises: specifying the access rights of each said database user, such that each said database user may access specific data in said database only within the range of its access rights.
6. A database security reinforcing device, characterized in that it is applied to a database for which a database administrator and a security administrator have been specified in advance, and comprises: a receiving unit, a first judging unit, a second judging unit and an execution unit;
said receiving unit is configured to receive an access request from a current database user to access current data in said database;
said first judging unit is configured to judge, according to a mandatory access control policy pre-created by said security administrator, whether said current data is allowed to be accessed by said current database user;
said second judging unit is configured to, if the judgement result of said first judging unit is yes, further judge, according to a discretionary access control policy pre-created by said database administrator, whether said current database user has the right to access said current data;
said execution unit is configured to allow said current database user to access said current data if the judgement result of said second judging unit is yes, and otherwise to prevent said current database user from accessing said current data; and, if the judgement result of said first judging unit is no, to prevent said current database user from accessing said current data.
7. The device according to claim 6, characterized in that it further comprises: an audit unit;
said database comprises a pre-specified audit administrator, and an audit control policy is pre-created by said audit administrator;
said audit unit is configured to monitor the operation behaviour of said database administrator and said security administrator in real time and to judge, according to said audit control policy, whether said database administrator or said security administrator exhibits operation behaviour that does not comply with said audit control policy; if so, an alarm is sent.
8. The device according to claim 6, characterized in that
said first judging unit is configured to obtain, according to said mandatory access control policy, the database users that may access said current data, and to judge whether said current database user is within the range of those database users; if so, said access request is further judged by said second judging unit; if not, said execution unit prevents said current database user from accessing said current data.
9. The device according to claim 8, characterized in that
said first judging unit is configured to obtain, according to said mandatory access control policy, the time period during which said current data may be accessed, and to judge whether the time at which said current database user accesses said current data falls within that permitted time period; if so, said access request is further judged by said second judging unit; if not, said execution unit prevents said current database user from accessing said current data;
and/or,
said first judging unit is configured to obtain, according to said mandatory access control policy, the IP address of said current database user, and to judge whether that IP address falls within the IP address range from which said current data may be accessed; if so, said access request is further judged by said second judging unit; if not, said execution unit prevents said current database user from accessing said current data.
10. The device according to any one of claims 6 to 9, characterized in that
said second judging unit is configured to obtain, according to said discretionary access control policy, the access rights of said current database user, and to judge whether the range of those access rights includes the right to access said current data; if so, said execution unit allows said current database user to access said current data; if not, said execution unit prevents said current database user from accessing said current data.
CN201510956006.0A 2015-12-17 2015-12-17 Database security reinforcing method and device Pending CN105512569A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510956006.0A CN105512569A (en) 2015-12-17 2015-12-17 Database security reinforcing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510956006.0A CN105512569A (en) 2015-12-17 2015-12-17 Database security reinforcing method and device

Publications (1)

Publication Number Publication Date
CN105512569A true CN105512569A (en) 2016-04-20

Family

ID=55720542

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510956006.0A Pending CN105512569A (en) 2015-12-17 2015-12-17 Database security reinforcing method and device

Country Status (1)

Country Link
CN (1) CN105512569A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106096448A (en) * 2016-06-20 2016-11-09 浪潮电子信息产业股份有限公司 SSR encryption technology-based database security reinforcement method and system
CN106649856A (en) * 2016-12-30 2017-05-10 金蝶软件(中国)有限公司 Database access device, system and method
CN106649772A (en) * 2016-12-27 2017-05-10 上海上讯信息技术股份有限公司 Method and equipment for accessing data
CN108696540A (en) * 2018-07-18 2018-10-23 安徽云图信息技术有限公司 A kind of authorizing secure system and its authorization method
CN109005161A (en) * 2018-07-18 2018-12-14 安徽云图信息技术有限公司 A kind of data safety monitoring system and its access monitoring method
CN109104414A (en) * 2018-07-18 2018-12-28 安徽云图信息技术有限公司 A kind of data safety monitoring system
CN109492376A (en) * 2018-11-07 2019-03-19 浙江齐治科技股份有限公司 Control method, device and the fort machine of equipment access authority
CN109885554A (en) * 2018-12-20 2019-06-14 顺丰科技有限公司 Method of Database Secure Audit method, system and computer readable storage medium
CN111191254A (en) * 2019-08-01 2020-05-22 腾讯科技(深圳)有限公司 Access verification method and device, computer equipment and storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1858738A (en) * 2006-02-15 2006-11-08 华为技术有限公司 Method and device for access data bank
CN1858740A (en) * 2006-05-31 2006-11-08 武汉华工达梦数据库有限公司 'Three powers separation' safety method for data bank safety management
CN101630351A (en) * 2009-06-04 2010-01-20 中国人民解放军理工大学指挥自动化学院 Method for enhancing safety of Oracle database server by utilizing progress infusion and TNS protocol analysis
EP2357585A2 (en) * 2010-02-12 2011-08-17 Samsung Electronics Co., Ltd. User terminal, server and controlling method thereof
CN102521385A (en) * 2011-12-21 2012-06-27 北京人大金仓信息技术股份有限公司 Method for setting forced access control on database system graph
CN104484617A (en) * 2014-12-05 2015-04-01 中国航空工业集团公司第六三一研究所 Database access control method on basis of multi-strategy integration
CN105046146A (en) * 2015-06-30 2015-11-11 中标软件有限公司 Resource access method of Android system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20160420