CN105915547A - Method for realizing control and leakage prevention of data out of service system - Google Patents
Method for realizing control and leakage prevention of data out of service system Download PDFInfo
- Publication number
- CN105915547A CN105915547A CN201610432031.3A CN201610432031A CN105915547A CN 105915547 A CN105915547 A CN 105915547A CN 201610432031 A CN201610432031 A CN 201610432031A CN 105915547 A CN105915547 A CN 105915547A
- Authority
- CN
- China
- Prior art keywords
- data
- cloud platform
- local
- management cloud
- safety management
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/06—Network architectures or network communication protocols for network security for supporting key management in a packet data network
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/60—Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Storage Device Security (AREA)
Abstract
The invention discloses a method for realizing control and leakage prevention of data out of service system. The method comprises following steps of sending data identifier of local data of a user to a data security management cloud platform for requesting for data security service; producing an encryption secret key and a decryption secret key according to the received data identifier; producing a control strategy according to the received data identifier; setting the effective period of the decryption secret key and inspection and modification of the control strategy; receiving the encryption secret key produced by the security management cloud platform; encrypting the local data; sending a data use request to the security management cloud platform; receiving the decryption secret key produced by the security management cloud platform; decrypting the local data; receiving the data use request of the local data; and sending the decryption secret key to the local data if the data use request is consistent with the control strategy and the time of the data use request is in the effective period of the decryption secret key. According to the method, the data of any type and any platform can be protected, monitored and controlled.
Description
Technical field
The invention belongs to data security arts, be specifically related to a kind of leakage-preventing method of data management and control realized outside operation system.
Background technology
The world today, the digitized of information resources height, exacerbate the generation of the perils such as leaking data.For enterprise,
In the face of continuous production power, cooperation between each company and service provider, in order to prevent the generation of this peril, need urgently
To be converted to coping style directly protect data itself to come up.
Information is preserved, shares different thesauruss by enterprise, and data can be distributed in different systems by routine work again, bag
Include CRM, ERP, HRM even financial sector etc..Even for having the company of clear and definite cloud and data control strategy, as
This data source at random and data sharing service also can greatly weaken the monitoring of company and control the ability of data flowing.Therefore with
Enterprise and independent worker becomes increasingly to handle official business ensured sustained development, IT and security department need security control to be expanded to these
Outside platform even these platforms, thus effectively prevent the leakage of data.Additionally, to solve these demands, in addition it is also necessary to pay close attention to
The design that user is mutual.If being provided that the protection of simple transparent and sharing mode, enterprise will be able to maintain that management policy, and pole
The earth promotes the ability of their management, data protection and control.
Solution now, including PKI specification, ECM, Box, Dropbox etc. synchronize and share instrument, all can only solve this
One part of a little safety problems, such as PKI specification carries out offer just with what public key cryptography was e-commerce field
A set of foundation for security platform technology and specification, its range is limited;User data then can be stored in cloud platform by Dropbox,
And data once depart from these platforms and will lose protection, it can be seen that, they can not fully protect the whole of business data
Individual life cycle.
Another reason that traditional data protection scheme is not accepted by the user is that they need user to change their working method.With
Family is it is desirable that on any equipment, put the access instant, seamless to data at any time, and this gives the routine work of user
Bring great inconvenience.
Summary of the invention
The present invention solves problem above present in prior art, it is provided that a kind of data management and control realized outside operation system is anti-lets out
Dew method, it is possible to protect, monitor and control any type, the data of any platform.
To achieve these goals, the technical solution used in the present invention is:
A kind of leakage-preventing method of data management and control realized outside operation system, the method includes that local data processes step and data safety
Management cloud platform processes step, and described local data processes step and includes:
" data identifier " of the local data that data send user is sent to data safety management cloud platform request data safety
Service;
Local data is encrypted by the encryption key receiving the generation of safety management cloud platform;
Send data to safety management cloud platform and use request, and receive the decruption key of safety management cloud platform generation to local number
According to being decrypted;
Safety management cloud platform processes step and comprises the following steps:
Step 1: generate encryption key and decruption key according to " data identifier " of the local data received;
Step 2: generate control strategy according to " data identifier " of the local data received;
Step 3: the expiry date of decruption key and the inspection of control strategy and change are configured;
Step 4: the data receiving local data use request, data use request to be consistent with control strategy, and data use
The time of request in decruption key expiry date, then sends decruption key to local data.
In such scheme, described data safety management cloud platform will not store data and send the local data of user.
In such scheme, data safety management cloud platform preserves safety management cloud platform and processes the operation note of step, and by described
Operation note is aggregating transmission local data and processes.
In such scheme, the corresponding unique encryption key of " data identifier " of every part of local data and decruption key.
In such scheme, the algorithm that local data is encrypted employing is AES256 algorithm.
In such scheme, data use request to include opening, edit, replicate, share and preserve data.
In such scheme, operation note includes time, identity, operation, place.
The leakage-preventing method of notebook data management and control is not for application-specific, it is possible to protect, monitor and control any type, any platform
Data.After needing data to be protected to be protected by this leakage-preventing method of data management and control, no matter data be in inside operation system or
Outside, data can be protected whenever and wherever possible, fully protects the whole life cycle of data.
1) the leakage-preventing method of notebook data management and control is on the premise of control strategy allows, and will not change the routine office work mode of user
And custom, no matter user selects to use what instrument, can handle official business easily.
2) the leakage-preventing method of notebook data management and control provides powerful management based on cloud platform and controls function, and it can monitor number
Position is there is according to flowing, location data.
3) in the leakage-preventing method of notebook data management and control, data management cloud platform will not store any data content of user, thus quilt
The data volume of protection is not limited by the memory data output of cloud platform, and only data management user and corresponding data connect
Receiving user and just have permission the protected data of access, third party cannot access protected data, considerably increase
The safety of data.
Accompanying drawing explanation
Fig. 1 is the general frame figure of the present invention;
Fig. 2 is user side and the transmitting procedure of the present invention;
Fig. 3 is the data protection process in the method for the present invention.
Detailed description of the invention
For making the object, technical solutions and advantages of the present invention clearer, below in conjunction with accompanying drawing, the present invention is made the most detailed
Thin description.
Seeing Fig. 1-3, a kind of leakage-preventing method of data management and control realized outside operation system, the method includes that local data processes step
Processing step with data safety management cloud platform, described local data processes step and includes:
" data identifier " of the local data that data send user is sent to data safety management cloud platform request data safety
Service;Described data safety management cloud platform will not store data and send the local data of user.
Local data is encrypted by the encryption key receiving the generation of safety management cloud platform;Local data is encrypted employing
Algorithm is AES256 algorithm.
Send data to safety management cloud platform and use request, and receive the decruption key of safety management cloud platform generation to local number
According to being decrypted;
Safety management cloud platform processes step and comprises the following steps:
Step 1: generate encryption key and decruption key according to " data identifier " of the local data received;Every part of local number
According to " data identifier " corresponding unique encryption key and decruption key.
Step 2: generate control strategy according to " data identifier " of the local data received;
Step 3: the expiry date of decruption key and the inspection of control strategy and change are configured;
Step 4: the data receiving local data use request, data use request to be consistent with control strategy, and data use
The time of request in decruption key expiry date, then sends decruption key to local data.Data use request to include opening,
Edit, replicate, share and preserve data.
Data safety management cloud platform preserves safety management cloud platform and processes the operation note of step, and described operation note is polymerized
Get up to send local data to process.Operation note includes time, identity, operation, place.
Embodiment 1
In work process, the same number of same user is according to may operate in different user sides, and different data also may be used
To operate in identical user side.Protection is needed when data management user sends portion by his user side to data receiver user
Data time, the user side of data management user first can to data safety management cloud platform send local data to be protected " number
According to identifier " and ask security service, including the encryption key of data to be protected and control strategy etc., described data safety management
Cloud platform will not store data and send the local data of user.Safety management cloud platform is according to " the data of the local data received
Identifier " generate encryption key and decruption key;" data identifier " of every part of local data corresponding unique encryption key and
Decruption key.Safety management cloud platform generates control strategy according to " data identifier " of the local data received;Control plan
Slightly include: open, edit, replicate, share and preserve data etc..Safety management cloud platform to the expiry date of decruption key and
Inspection and the change of control strategy are configured;Preferably, safety management cloud platform can preserve by " the data of protection local data
Identifier " respectively with control strategy and the incidence relation of key, the most both can be used to data are carried out policy control so that
Any restriction formulated by control strategy all can correspond to corresponding data, it is also possible to carries out the trajectory track of data.
The user side of data management user receives the encryption key of safety management cloud platform generation and is encrypted local data;To this
It is AES256 algorithm that ground data are encrypted the algorithm of employing.The user side of data receiver user sends number to safety management cloud platform
According to using request, data use request to include opening, edit, replicate, share and preserving data, and safety management cloud platform receives
The data of local data use request, and data are sent directly to data receiver use at the user side of data management user after encryption
The user side at family, the two user side can be the same or different, in order to ensure the safety of transmitting procedure, leading between them
Letter is through encryption.Data use request to be consistent with control strategy, and data use the time of request to have at decruption key
In the effect time limit, then send decruption key to local data.The user side of data receiver user receives what safety management cloud platform generated
Local data is decrypted by decruption key;After successful decryption, data receiver user can be efficiently used data.
Embodiment 2
The present embodiment on the basis of embodiment 1, all operations record of data safety management cloud platform, including the time, identity,
Operation, place etc., all can correspondingly be saved in data safety management cloud platform, and the monitoring being aggregating confession management-plane divides
Analysis.It addition, manager can revise control strategy by management-plane, determine the useful life of key.The most different users
Use same number according to time, can be different according to the operating right carried out to this number, can the most not to the useful life of data yet
With.Such as: same number evidence, manager can be authorized user A and opened by amendment control strategy, edits, replicates, shares
Authority, and be granted to only the authority that user B opens, edits, at this moment different user user side will to the operating right of these data
Different;It addition, when the user side of data receiver user to the useful life of data to after date, it is contemplated that data are inconvenient to receive
Returning, now manager can be by cancelling the key of respective file in data management cloud platform so that the user of data receiver user
End can not the most effectively use this data.
The foregoing is only presently preferred embodiments of the present invention, not in order to limit the present invention, all the spirit and principles in the present invention it
In, any modification, equivalent substitution and improvement etc. made, should be included within the scope of the present invention.
Claims (7)
1. the leakage-preventing method of data management and control that a kind realizes outside operation system, it is characterised in that the method includes that local data processes
Step and data safety management cloud platform process step,
Described local data processes step and includes:
" data identifier " of the local data that data send user is sent to data safety management cloud platform request data safety
Service;
Local data is encrypted by the encryption key receiving the generation of safety management cloud platform;
Send data to safety management cloud platform and use request, and receive the decruption key of safety management cloud platform generation to local number
According to being decrypted;
Safety management cloud platform processes step and comprises the following steps:
Step 1: generate encryption key and decruption key according to " data identifier " of the local data received;
Step 2: generate control strategy according to " data identifier " of the local data received;
Step 3: the expiry date of decruption key and the inspection of control strategy and change are configured;
Step 4: the data receiving local data use request, data use request to be consistent with control strategy, and data use
The time of request in decruption key expiry date, then sends decruption key to local data.
Realize the leakage-preventing method of data management and control outside operation system the most as claimed in claim 1, it is characterised in that described data
Safety management cloud platform will not store data and send the local data of user.
Realize the leakage-preventing method of data management and control outside operation system the most as claimed in claim 1, it is characterised in that data safety
Management cloud platform preserves safety management cloud platform and processes the operation note of step, and described operation note is aggregating transmission this locality
Data process.
Realize the leakage-preventing method of data management and control outside operation system the most as claimed in claim 1, it is characterised in that every part of this locality
The corresponding unique encryption key of " data identifier " of data and decruption key.
Realize the leakage-preventing method of data management and control outside operation system the most as claimed in claim 1, it is characterised in that to local number
It is AES256 algorithm according to the algorithm being encrypted employing.
Realize the leakage-preventing method of data management and control outside operation system the most as claimed in claim 1, it is characterised in that data use
Request includes opening, edits, replicates, shares and preserve data.
Realize the leakage-preventing method of data management and control outside operation system the most as claimed in claim 3, it is characterised in that operation note
Including time, identity, operation, place.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610432031.3A CN105915547A (en) | 2016-06-15 | 2016-06-15 | Method for realizing control and leakage prevention of data out of service system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610432031.3A CN105915547A (en) | 2016-06-15 | 2016-06-15 | Method for realizing control and leakage prevention of data out of service system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN105915547A true CN105915547A (en) | 2016-08-31 |
Family
ID=56751536
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610432031.3A Pending CN105915547A (en) | 2016-06-15 | 2016-06-15 | Method for realizing control and leakage prevention of data out of service system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105915547A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109800596A (en) * | 2018-12-27 | 2019-05-24 | 余炀 | A kind of personal data safety management system |
CN110691071A (en) * | 2019-09-11 | 2020-01-14 | 湖北工业大学 | Mass data processing system and method with privacy protection function |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030072454A1 (en) * | 2001-10-11 | 2003-04-17 | Krawetz Neal A. | System and method for secure data transmission |
CN101110097A (en) * | 2007-08-17 | 2008-01-23 | 南京新模式软件集成有限公司 | Method for safely dispensing electronic document |
EP2119091A2 (en) * | 2007-01-09 | 2009-11-18 | Microsoft Corp. | Content encryption schema for integrating digital rights management with encrypted multicast |
CN102098295A (en) * | 2010-12-28 | 2011-06-15 | 上海华御信息技术有限公司 | Method for improving data security under SaaS application |
CN102281261A (en) * | 2010-06-10 | 2011-12-14 | 杭州华三通信技术有限公司 | Data transmission method, system and apparatus |
CN102710633A (en) * | 2012-05-29 | 2012-10-03 | 大连佳姆信息安全软件技术有限公司 | Cloud security management system of security electronic documents and method |
US20160156602A1 (en) * | 2011-08-31 | 2016-06-02 | Sonic Ip, Inc. | Systems and Methods for Application Identification |
-
2016
- 2016-06-15 CN CN201610432031.3A patent/CN105915547A/en active Pending
Patent Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030072454A1 (en) * | 2001-10-11 | 2003-04-17 | Krawetz Neal A. | System and method for secure data transmission |
EP2119091A2 (en) * | 2007-01-09 | 2009-11-18 | Microsoft Corp. | Content encryption schema for integrating digital rights management with encrypted multicast |
CN101110097A (en) * | 2007-08-17 | 2008-01-23 | 南京新模式软件集成有限公司 | Method for safely dispensing electronic document |
CN102281261A (en) * | 2010-06-10 | 2011-12-14 | 杭州华三通信技术有限公司 | Data transmission method, system and apparatus |
CN102098295A (en) * | 2010-12-28 | 2011-06-15 | 上海华御信息技术有限公司 | Method for improving data security under SaaS application |
US20160156602A1 (en) * | 2011-08-31 | 2016-06-02 | Sonic Ip, Inc. | Systems and Methods for Application Identification |
CN102710633A (en) * | 2012-05-29 | 2012-10-03 | 大连佳姆信息安全软件技术有限公司 | Cloud security management system of security electronic documents and method |
Cited By (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109800596A (en) * | 2018-12-27 | 2019-05-24 | 余炀 | A kind of personal data safety management system |
CN109800596B (en) * | 2018-12-27 | 2023-01-31 | 余炀 | Personal data safety management system |
CN110691071A (en) * | 2019-09-11 | 2020-01-14 | 湖北工业大学 | Mass data processing system and method with privacy protection function |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN103179114B (en) | Data fine-grained access control method during a kind of cloud stores | |
CN103327002B (en) | Based on the cloud memory access control system of attribute | |
US8984611B2 (en) | System, apparatus and method for securing electronic data independent of their location | |
CN109525570B (en) | Group client-oriented data layered security access control method | |
CN115242555B (en) | Monitorable cross-chain private data sharing method and device | |
CN104780175A (en) | Hierarchical classification access authorization management method based on roles | |
CN111274599A (en) | Data sharing method based on block chain and related device | |
CN104063334A (en) | Encryption method and system based on data attributions | |
CN104392405A (en) | Electronic medical record safety system | |
CN107864157A (en) | Protecting data encryption and ownership mandate decryption application process and system based on ownership | |
WO2022206453A1 (en) | Method and apparatus for providing cross-chain private data | |
CN104219077A (en) | Information management system for middle and small-sized enterprises | |
CN103973698B (en) | User access right revoking method in cloud storage environment | |
CN103607273B (en) | A kind of data file encipher-decipher method controlled based on time limit | |
CN107426223A (en) | Cloud file encryption and decryption method, encryption and decryption device and processing system | |
CN108882030A (en) | A kind of monitor video classification encryption and decryption method and system based on time-domain information | |
CN102984125B (en) | A kind of system and method for Mobile data isolation | |
CN105915547A (en) | Method for realizing control and leakage prevention of data out of service system | |
Luo et al. | Accountable data sharing scheme based on blockchain and SGX | |
CN111343421B (en) | Video sharing method and system based on white-box encryption | |
CN113328860A (en) | Block chain-based user privacy data security providing method | |
CN105243330A (en) | Protection method and system facing internal data transfer process of Android system | |
CN110474873A (en) | It is a kind of based on know range encryption electronic document access control method and system | |
CN117294465B (en) | Attribute encryption system and method based on cross-domain communication | |
CN108667843A (en) | A kind of information safety protection System and method for for BYOD environment |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
RJ01 | Rejection of invention patent application after publication |
Application publication date: 20160831 |
|
RJ01 | Rejection of invention patent application after publication |