CN105915547A - Method for realizing control and leakage prevention of data out of service system - Google Patents

Method for realizing control and leakage prevention of data out of service system Download PDF

Info

Publication number
CN105915547A
CN105915547A CN201610432031.3A CN201610432031A CN105915547A CN 105915547 A CN105915547 A CN 105915547A CN 201610432031 A CN201610432031 A CN 201610432031A CN 105915547 A CN105915547 A CN 105915547A
Authority
CN
China
Prior art keywords
data
cloud platform
local
management cloud
safety management
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201610432031.3A
Other languages
Chinese (zh)
Inventor
陈瑞霞
王贝贝
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
MrRay Chengdu Technology Co Ltd
Original Assignee
MrRay Chengdu Technology Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by MrRay Chengdu Technology Co Ltd filed Critical MrRay Chengdu Technology Co Ltd
Priority to CN201610432031.3A priority Critical patent/CN105915547A/en
Publication of CN105915547A publication Critical patent/CN105915547A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/04Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/50Network services
    • H04L67/60Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a method for realizing control and leakage prevention of data out of service system. The method comprises following steps of sending data identifier of local data of a user to a data security management cloud platform for requesting for data security service; producing an encryption secret key and a decryption secret key according to the received data identifier; producing a control strategy according to the received data identifier; setting the effective period of the decryption secret key and inspection and modification of the control strategy; receiving the encryption secret key produced by the security management cloud platform; encrypting the local data; sending a data use request to the security management cloud platform; receiving the decryption secret key produced by the security management cloud platform; decrypting the local data; receiving the data use request of the local data; and sending the decryption secret key to the local data if the data use request is consistent with the control strategy and the time of the data use request is in the effective period of the decryption secret key. According to the method, the data of any type and any platform can be protected, monitored and controlled.

Description

A kind of leakage-preventing method of data management and control realized outside operation system
Technical field
The invention belongs to data security arts, be specifically related to a kind of leakage-preventing method of data management and control realized outside operation system.
Background technology
The world today, the digitized of information resources height, exacerbate the generation of the perils such as leaking data.For enterprise, In the face of continuous production power, cooperation between each company and service provider, in order to prevent the generation of this peril, need urgently To be converted to coping style directly protect data itself to come up.
Information is preserved, shares different thesauruss by enterprise, and data can be distributed in different systems by routine work again, bag Include CRM, ERP, HRM even financial sector etc..Even for having the company of clear and definite cloud and data control strategy, as This data source at random and data sharing service also can greatly weaken the monitoring of company and control the ability of data flowing.Therefore with Enterprise and independent worker becomes increasingly to handle official business ensured sustained development, IT and security department need security control to be expanded to these Outside platform even these platforms, thus effectively prevent the leakage of data.Additionally, to solve these demands, in addition it is also necessary to pay close attention to The design that user is mutual.If being provided that the protection of simple transparent and sharing mode, enterprise will be able to maintain that management policy, and pole The earth promotes the ability of their management, data protection and control.
Solution now, including PKI specification, ECM, Box, Dropbox etc. synchronize and share instrument, all can only solve this One part of a little safety problems, such as PKI specification carries out offer just with what public key cryptography was e-commerce field A set of foundation for security platform technology and specification, its range is limited;User data then can be stored in cloud platform by Dropbox, And data once depart from these platforms and will lose protection, it can be seen that, they can not fully protect the whole of business data Individual life cycle.
Another reason that traditional data protection scheme is not accepted by the user is that they need user to change their working method.With Family is it is desirable that on any equipment, put the access instant, seamless to data at any time, and this gives the routine work of user Bring great inconvenience.
Summary of the invention
The present invention solves problem above present in prior art, it is provided that a kind of data management and control realized outside operation system is anti-lets out Dew method, it is possible to protect, monitor and control any type, the data of any platform.
To achieve these goals, the technical solution used in the present invention is:
A kind of leakage-preventing method of data management and control realized outside operation system, the method includes that local data processes step and data safety Management cloud platform processes step, and described local data processes step and includes:
" data identifier " of the local data that data send user is sent to data safety management cloud platform request data safety Service;
Local data is encrypted by the encryption key receiving the generation of safety management cloud platform;
Send data to safety management cloud platform and use request, and receive the decruption key of safety management cloud platform generation to local number According to being decrypted;
Safety management cloud platform processes step and comprises the following steps:
Step 1: generate encryption key and decruption key according to " data identifier " of the local data received;
Step 2: generate control strategy according to " data identifier " of the local data received;
Step 3: the expiry date of decruption key and the inspection of control strategy and change are configured;
Step 4: the data receiving local data use request, data use request to be consistent with control strategy, and data use The time of request in decruption key expiry date, then sends decruption key to local data.
In such scheme, described data safety management cloud platform will not store data and send the local data of user.
In such scheme, data safety management cloud platform preserves safety management cloud platform and processes the operation note of step, and by described Operation note is aggregating transmission local data and processes.
In such scheme, the corresponding unique encryption key of " data identifier " of every part of local data and decruption key.
In such scheme, the algorithm that local data is encrypted employing is AES256 algorithm.
In such scheme, data use request to include opening, edit, replicate, share and preserve data.
In such scheme, operation note includes time, identity, operation, place.
The leakage-preventing method of notebook data management and control is not for application-specific, it is possible to protect, monitor and control any type, any platform Data.After needing data to be protected to be protected by this leakage-preventing method of data management and control, no matter data be in inside operation system or Outside, data can be protected whenever and wherever possible, fully protects the whole life cycle of data.
1) the leakage-preventing method of notebook data management and control is on the premise of control strategy allows, and will not change the routine office work mode of user And custom, no matter user selects to use what instrument, can handle official business easily.
2) the leakage-preventing method of notebook data management and control provides powerful management based on cloud platform and controls function, and it can monitor number Position is there is according to flowing, location data.
3) in the leakage-preventing method of notebook data management and control, data management cloud platform will not store any data content of user, thus quilt The data volume of protection is not limited by the memory data output of cloud platform, and only data management user and corresponding data connect Receiving user and just have permission the protected data of access, third party cannot access protected data, considerably increase The safety of data.
Accompanying drawing explanation
Fig. 1 is the general frame figure of the present invention;
Fig. 2 is user side and the transmitting procedure of the present invention;
Fig. 3 is the data protection process in the method for the present invention.
Detailed description of the invention
For making the object, technical solutions and advantages of the present invention clearer, below in conjunction with accompanying drawing, the present invention is made the most detailed Thin description.
Seeing Fig. 1-3, a kind of leakage-preventing method of data management and control realized outside operation system, the method includes that local data processes step Processing step with data safety management cloud platform, described local data processes step and includes:
" data identifier " of the local data that data send user is sent to data safety management cloud platform request data safety Service;Described data safety management cloud platform will not store data and send the local data of user.
Local data is encrypted by the encryption key receiving the generation of safety management cloud platform;Local data is encrypted employing Algorithm is AES256 algorithm.
Send data to safety management cloud platform and use request, and receive the decruption key of safety management cloud platform generation to local number According to being decrypted;
Safety management cloud platform processes step and comprises the following steps:
Step 1: generate encryption key and decruption key according to " data identifier " of the local data received;Every part of local number According to " data identifier " corresponding unique encryption key and decruption key.
Step 2: generate control strategy according to " data identifier " of the local data received;
Step 3: the expiry date of decruption key and the inspection of control strategy and change are configured;
Step 4: the data receiving local data use request, data use request to be consistent with control strategy, and data use The time of request in decruption key expiry date, then sends decruption key to local data.Data use request to include opening, Edit, replicate, share and preserve data.
Data safety management cloud platform preserves safety management cloud platform and processes the operation note of step, and described operation note is polymerized Get up to send local data to process.Operation note includes time, identity, operation, place.
Embodiment 1
In work process, the same number of same user is according to may operate in different user sides, and different data also may be used To operate in identical user side.Protection is needed when data management user sends portion by his user side to data receiver user Data time, the user side of data management user first can to data safety management cloud platform send local data to be protected " number According to identifier " and ask security service, including the encryption key of data to be protected and control strategy etc., described data safety management Cloud platform will not store data and send the local data of user.Safety management cloud platform is according to " the data of the local data received Identifier " generate encryption key and decruption key;" data identifier " of every part of local data corresponding unique encryption key and Decruption key.Safety management cloud platform generates control strategy according to " data identifier " of the local data received;Control plan Slightly include: open, edit, replicate, share and preserve data etc..Safety management cloud platform to the expiry date of decruption key and Inspection and the change of control strategy are configured;Preferably, safety management cloud platform can preserve by " the data of protection local data Identifier " respectively with control strategy and the incidence relation of key, the most both can be used to data are carried out policy control so that Any restriction formulated by control strategy all can correspond to corresponding data, it is also possible to carries out the trajectory track of data.
The user side of data management user receives the encryption key of safety management cloud platform generation and is encrypted local data;To this It is AES256 algorithm that ground data are encrypted the algorithm of employing.The user side of data receiver user sends number to safety management cloud platform According to using request, data use request to include opening, edit, replicate, share and preserving data, and safety management cloud platform receives The data of local data use request, and data are sent directly to data receiver use at the user side of data management user after encryption The user side at family, the two user side can be the same or different, in order to ensure the safety of transmitting procedure, leading between them Letter is through encryption.Data use request to be consistent with control strategy, and data use the time of request to have at decruption key In the effect time limit, then send decruption key to local data.The user side of data receiver user receives what safety management cloud platform generated Local data is decrypted by decruption key;After successful decryption, data receiver user can be efficiently used data.
Embodiment 2
The present embodiment on the basis of embodiment 1, all operations record of data safety management cloud platform, including the time, identity, Operation, place etc., all can correspondingly be saved in data safety management cloud platform, and the monitoring being aggregating confession management-plane divides Analysis.It addition, manager can revise control strategy by management-plane, determine the useful life of key.The most different users Use same number according to time, can be different according to the operating right carried out to this number, can the most not to the useful life of data yet With.Such as: same number evidence, manager can be authorized user A and opened by amendment control strategy, edits, replicates, shares Authority, and be granted to only the authority that user B opens, edits, at this moment different user user side will to the operating right of these data Different;It addition, when the user side of data receiver user to the useful life of data to after date, it is contemplated that data are inconvenient to receive Returning, now manager can be by cancelling the key of respective file in data management cloud platform so that the user of data receiver user End can not the most effectively use this data.
The foregoing is only presently preferred embodiments of the present invention, not in order to limit the present invention, all the spirit and principles in the present invention it In, any modification, equivalent substitution and improvement etc. made, should be included within the scope of the present invention.

Claims (7)

1. the leakage-preventing method of data management and control that a kind realizes outside operation system, it is characterised in that the method includes that local data processes Step and data safety management cloud platform process step,
Described local data processes step and includes:
" data identifier " of the local data that data send user is sent to data safety management cloud platform request data safety Service;
Local data is encrypted by the encryption key receiving the generation of safety management cloud platform;
Send data to safety management cloud platform and use request, and receive the decruption key of safety management cloud platform generation to local number According to being decrypted;
Safety management cloud platform processes step and comprises the following steps:
Step 1: generate encryption key and decruption key according to " data identifier " of the local data received;
Step 2: generate control strategy according to " data identifier " of the local data received;
Step 3: the expiry date of decruption key and the inspection of control strategy and change are configured;
Step 4: the data receiving local data use request, data use request to be consistent with control strategy, and data use The time of request in decruption key expiry date, then sends decruption key to local data.
Realize the leakage-preventing method of data management and control outside operation system the most as claimed in claim 1, it is characterised in that described data Safety management cloud platform will not store data and send the local data of user.
Realize the leakage-preventing method of data management and control outside operation system the most as claimed in claim 1, it is characterised in that data safety Management cloud platform preserves safety management cloud platform and processes the operation note of step, and described operation note is aggregating transmission this locality Data process.
Realize the leakage-preventing method of data management and control outside operation system the most as claimed in claim 1, it is characterised in that every part of this locality The corresponding unique encryption key of " data identifier " of data and decruption key.
Realize the leakage-preventing method of data management and control outside operation system the most as claimed in claim 1, it is characterised in that to local number It is AES256 algorithm according to the algorithm being encrypted employing.
Realize the leakage-preventing method of data management and control outside operation system the most as claimed in claim 1, it is characterised in that data use Request includes opening, edits, replicates, shares and preserve data.
Realize the leakage-preventing method of data management and control outside operation system the most as claimed in claim 3, it is characterised in that operation note Including time, identity, operation, place.
CN201610432031.3A 2016-06-15 2016-06-15 Method for realizing control and leakage prevention of data out of service system Pending CN105915547A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610432031.3A CN105915547A (en) 2016-06-15 2016-06-15 Method for realizing control and leakage prevention of data out of service system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610432031.3A CN105915547A (en) 2016-06-15 2016-06-15 Method for realizing control and leakage prevention of data out of service system

Publications (1)

Publication Number Publication Date
CN105915547A true CN105915547A (en) 2016-08-31

Family

ID=56751536

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610432031.3A Pending CN105915547A (en) 2016-06-15 2016-06-15 Method for realizing control and leakage prevention of data out of service system

Country Status (1)

Country Link
CN (1) CN105915547A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109800596A (en) * 2018-12-27 2019-05-24 余炀 A kind of personal data safety management system
CN110691071A (en) * 2019-09-11 2020-01-14 湖北工业大学 Mass data processing system and method with privacy protection function

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030072454A1 (en) * 2001-10-11 2003-04-17 Krawetz Neal A. System and method for secure data transmission
CN101110097A (en) * 2007-08-17 2008-01-23 南京新模式软件集成有限公司 Method for safely dispensing electronic document
EP2119091A2 (en) * 2007-01-09 2009-11-18 Microsoft Corp. Content encryption schema for integrating digital rights management with encrypted multicast
CN102098295A (en) * 2010-12-28 2011-06-15 上海华御信息技术有限公司 Method for improving data security under SaaS application
CN102281261A (en) * 2010-06-10 2011-12-14 杭州华三通信技术有限公司 Data transmission method, system and apparatus
CN102710633A (en) * 2012-05-29 2012-10-03 大连佳姆信息安全软件技术有限公司 Cloud security management system of security electronic documents and method
US20160156602A1 (en) * 2011-08-31 2016-06-02 Sonic Ip, Inc. Systems and Methods for Application Identification

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030072454A1 (en) * 2001-10-11 2003-04-17 Krawetz Neal A. System and method for secure data transmission
EP2119091A2 (en) * 2007-01-09 2009-11-18 Microsoft Corp. Content encryption schema for integrating digital rights management with encrypted multicast
CN101110097A (en) * 2007-08-17 2008-01-23 南京新模式软件集成有限公司 Method for safely dispensing electronic document
CN102281261A (en) * 2010-06-10 2011-12-14 杭州华三通信技术有限公司 Data transmission method, system and apparatus
CN102098295A (en) * 2010-12-28 2011-06-15 上海华御信息技术有限公司 Method for improving data security under SaaS application
US20160156602A1 (en) * 2011-08-31 2016-06-02 Sonic Ip, Inc. Systems and Methods for Application Identification
CN102710633A (en) * 2012-05-29 2012-10-03 大连佳姆信息安全软件技术有限公司 Cloud security management system of security electronic documents and method

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN109800596A (en) * 2018-12-27 2019-05-24 余炀 A kind of personal data safety management system
CN109800596B (en) * 2018-12-27 2023-01-31 余炀 Personal data safety management system
CN110691071A (en) * 2019-09-11 2020-01-14 湖北工业大学 Mass data processing system and method with privacy protection function

Similar Documents

Publication Publication Date Title
CN103179114B (en) Data fine-grained access control method during a kind of cloud stores
CN103327002B (en) Based on the cloud memory access control system of attribute
US8984611B2 (en) System, apparatus and method for securing electronic data independent of their location
CN109525570B (en) Group client-oriented data layered security access control method
CN115242555B (en) Monitorable cross-chain private data sharing method and device
CN104780175A (en) Hierarchical classification access authorization management method based on roles
CN111274599A (en) Data sharing method based on block chain and related device
CN104063334A (en) Encryption method and system based on data attributions
CN104392405A (en) Electronic medical record safety system
CN107864157A (en) Protecting data encryption and ownership mandate decryption application process and system based on ownership
WO2022206453A1 (en) Method and apparatus for providing cross-chain private data
CN104219077A (en) Information management system for middle and small-sized enterprises
CN103973698B (en) User access right revoking method in cloud storage environment
CN103607273B (en) A kind of data file encipher-decipher method controlled based on time limit
CN107426223A (en) Cloud file encryption and decryption method, encryption and decryption device and processing system
CN108882030A (en) A kind of monitor video classification encryption and decryption method and system based on time-domain information
CN102984125B (en) A kind of system and method for Mobile data isolation
CN105915547A (en) Method for realizing control and leakage prevention of data out of service system
Luo et al. Accountable data sharing scheme based on blockchain and SGX
CN111343421B (en) Video sharing method and system based on white-box encryption
CN113328860A (en) Block chain-based user privacy data security providing method
CN105243330A (en) Protection method and system facing internal data transfer process of Android system
CN110474873A (en) It is a kind of based on know range encryption electronic document access control method and system
CN117294465B (en) Attribute encryption system and method based on cross-domain communication
CN108667843A (en) A kind of information safety protection System and method for for BYOD environment

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20160831

RJ01 Rejection of invention patent application after publication