CN107770160B - Data security protection method, device and computer readable storage medium - Google Patents
Abstract
The invention discloses a data security protection method comprising the following steps: detecting a data transmission request triggered from a preset intranet secure virtual desktop; determining the data transmission mode corresponding to the data transmission request; and loading a preset data transmission control policy corresponding to that data transmission mode, and performing policy control on the data transmission request according to the data transmission control policy. The invention also discloses a data security protection device and a computer-readable storage medium. The method and device can reduce the risk of leakage of confidential intranet data.
Description
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a data security protection method, device, and computer-readable storage medium.
Background
An enterprise's data on production, technology, customers, cost and strategic planning is the core confidential data on which the enterprise depends, and its loss or leakage often causes huge losses, so effectively protecting such data is a major concern of most enterprises.
At present, with the emergence of VDI (Virtual Desktop Infrastructure) products, the problem of data persisting on terminals (data "landing" on the endpoint) has been thoroughly solved: in a VDI system all terminal data is stored centrally on a cloud server, and a virtual desktop in the enterprise intranet needs a certain permission to obtain data from the cloud server, so leakage of confidential enterprise data can be prevented to a certain extent. However, the following defects remain: the permission of different virtual desktops in the intranet to send data out (that is, to transmit data from the intranet to the external internet) is not clearly divided, and the flow of data between different virtual desktops in the intranet is not restricted, so if confidential data flows to a virtual desktop that has outbound permission, the confidential data is likely to be leaked.
Disclosure of Invention
The main aim of the present invention is to provide a data security protection method, a data security protection device and a computer-readable storage medium that reduce the risk of leakage of confidential data in an intranet.
To achieve the above object, the present invention provides a data security protection method comprising the following steps:
detecting a data transmission request triggered from a preset intranet secure virtual desktop;
determining the data transmission mode corresponding to the data transmission request;
and loading a preset data transmission control policy corresponding to the data transmission mode, and performing policy control on the data transmission request according to the data transmission control policy.
Optionally, before the step of detecting a data transmission request triggered from a preset intranet secure virtual desktop, the method may further include:
dividing the intranet virtual desktops into intranet secure virtual desktops and intranet non-secure virtual desktops that are isolated from each other at the network level, setting the intranet secure virtual desktop to have local area network access permission but no external internet access permission, and setting the intranet non-secure virtual desktop to have external internet access permission but no local area network access permission.
Optionally, the step of performing policy control on the data transmission request according to the data transmission control policy includes:
acquiring the data to be transmitted corresponding to the data transmission request;
auditing or approving the acquired data to be transmitted according to a preset rule;
and, when the audit or approval passes, controlling the transmission of the data according to the data transmission mode.
Optionally, the data transmission mode includes transmission through a USB interface, and the step of controlling the data to be transmitted according to the data transmission mode includes:
when the data transmission mode is transmission through a USB interface, calling the USB interface of the intranet secure virtual desktop to transmit the data to be transmitted.
Optionally, the data transmission mode further includes transmission through a preset virtualized application, and the step of controlling the data to be transmitted according to the data transmission mode further includes:
when the data transmission mode is transmission through a preset virtualized application, sending the data to be transmitted to the corresponding application virtualization server so that the application virtualization server transmits it.
In addition, to achieve the above object, the present invention further provides a data security protection device comprising a memory, a processor, and a data security protection program stored in the memory and executable on the processor, the program implementing the following steps when executed by the processor:
detecting a data transmission request triggered from a preset intranet secure virtual desktop;
determining the data transmission mode corresponding to the data transmission request;
and loading a preset data transmission control policy corresponding to the data transmission mode, and performing policy control on the data transmission request according to the data transmission control policy.
Optionally, the data security protection program further implements the following step when executed by the processor:
dividing the intranet virtual desktops into intranet secure virtual desktops and intranet non-secure virtual desktops that are isolated from each other at the network level, setting the intranet secure virtual desktop to have local area network access permission but no external internet access permission, and setting the intranet non-secure virtual desktop to have external internet access permission but no local area network access permission.
Optionally, the data security protection program further implements the following steps when executed by the processor:
acquiring the data to be transmitted corresponding to the data transmission request;
auditing or approving the acquired data to be transmitted according to a preset rule;
and, when the audit or approval passes, controlling the transmission of the data according to the data transmission mode.
Optionally, the data transmission mode includes transmission through a USB interface and transmission through a preset virtualized application, and the data security protection program further implements the following steps when executed by the processor:
when the data transmission mode is transmission through a USB interface, calling the USB interface of the intranet secure virtual desktop to transmit the data to be transmitted;
and when the data transmission mode is transmission through a preset virtualized application, sending the data to be transmitted to the corresponding application virtualization server so that the application virtualization server transmits it.
In addition, to achieve the above object, the present invention further provides a computer-readable storage medium storing a data security protection program which, when executed by a processor, implements the steps of the data security protection method described above.
The method comprises detecting a data transmission request triggered from a preset intranet secure virtual desktop; determining the data transmission mode corresponding to the data transmission request; and loading a preset data transmission control policy corresponding to the data transmission mode, and performing policy control on the data transmission request according to that policy. In this way, the virtual desktops in the intranet are set up to include an intranet secure virtual desktop, and outbound-permission control and intranet data-transmission policy control are applied to the data transmission requests triggered from that desktop, so that the risk of leakage of confidential intranet data is reduced.
Drawings
FIG. 1 is a schematic diagram of an apparatus architecture of a hardware operating environment according to an embodiment of the present invention;
FIG. 2 is a flowchart illustrating a first embodiment of a data security protection method according to the present invention;
FIG. 3 is a schematic diagram of a scenario for dividing an intranet virtual desktop in an implementation of the present invention;
FIG. 4 is a schematic diagram illustrating the detailed steps of performing policy control on the data transmission request according to the data transmission control policy in FIG. 2.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
The main solution of the embodiment of the invention is as follows: detecting a data transmission request triggered from a preset intranet secure virtual desktop; determining the data transmission mode corresponding to the data transmission request; and loading a preset data transmission control policy corresponding to the data transmission mode, and performing policy control on the data transmission request according to that policy.
In the prior art, a virtual desktop infrastructure based on VDI products can prevent leakage of confidential enterprise data to a certain extent, but has the following defects: the outbound permission of different virtual desktops in the intranet (that is, permission to transmit data from the intranet to the external internet) is not clearly divided, and the flow of data between different virtual desktops in the intranet is not restricted, so if confidential data flows to a virtual desktop that has outbound permission, the confidential data is likely to be leaked.
In the method of the invention, the virtual desktops in the intranet are set up to include an intranet secure virtual desktop, and outbound-permission control and intranet data-transmission policy control are applied to the data transmission requests triggered from that desktop, so that the risk of leakage of confidential intranet data is reduced.
The invention provides a data security protection method.
FIG. 1 is a schematic diagram of the device structure of a hardware operating environment according to an embodiment of the present invention.
The data security protection device in the embodiment of the present invention may be a terminal device such as a PC, or a server (e.g., an x86 server) equipped with a virtualization platform.
As shown in FIG. 1, the device may include a processor 1001 such as a CPU, a network interface 1004, a user interface 1003, a memory 1005 and a communication bus 1002. The communication bus 1002 connects these components and carries the communication between them. The user interface 1003 may include a display screen (Display) and an input unit such as a keyboard (Keyboard), and optionally a standard wired interface and a wireless interface. The network interface 1004 may optionally include a standard wired interface and a wireless interface (e.g., a Wi-Fi interface). The memory 1005 may be high-speed RAM or non-volatile memory (e.g., magnetic disk storage); it may alternatively be a storage device separate from the processor 1001.
Those skilled in the art will appreciate that the device architecture shown in fig. 1 is not intended to be limiting and may include more or fewer components than those shown, or some components may be combined, or a different arrangement of components.
As shown in fig. 1, a memory 1005, which is a kind of computer storage medium, may include therein an operating system, a network communication module, a user interface module, and a data security program.
In the terminal shown in FIG. 1, the network interface 1004 is mainly used to connect to, and exchange data with, a backend server; the user interface 1003 is mainly used to connect to, and exchange data with, a client (user side); and the processor 1001 may be configured to invoke the data security protection program stored in the memory 1005 and perform the following operations:
detecting a data transmission request triggered from a preset intranet secure virtual desktop;
determining the data transmission mode corresponding to the data transmission request;
and loading a preset data transmission control policy corresponding to the data transmission mode, and performing policy control on the data transmission request according to the data transmission control policy.
Further, the processor 1001 may call the data security protection program stored in the memory 1005 and also perform the following operation:
dividing the intranet virtual desktops into intranet secure virtual desktops and intranet non-secure virtual desktops that are isolated from each other at the network level, setting the intranet secure virtual desktop to have local area network access permission but no external internet access permission, and setting the intranet non-secure virtual desktop to have external internet access permission but no local area network access permission.
Further, the processor 1001 may call the data security protection program stored in the memory 1005 and also perform the following operations:
acquiring the data to be transmitted corresponding to the data transmission request;
auditing or approving the acquired data to be transmitted according to a preset rule;
and, when the audit or approval passes, controlling the transmission of the data according to the data transmission mode.
Further, the data transmission mode includes transmission through a USB interface, and the processor 1001 may call the data security protection program stored in the memory 1005 and further perform the following operation:
when the data transmission mode is transmission through a USB interface, calling the USB interface of the intranet secure virtual desktop to transmit the data to be transmitted.
Further, the data transmission mode further includes transmission through a preset virtualized application, and the processor 1001 may call the data security protection program stored in the memory 1005 and further perform the following operation:
when the data transmission mode is transmission through a preset virtualized application, sending the data to be transmitted to the corresponding application virtualization server so that the application virtualization server transmits it.
Based on the hardware structure, the embodiment of the data security protection method is provided.
Referring to FIG. 2, which is a schematic flow chart of a first embodiment of the data security protection method of the present invention, the method includes:
Step S10, detecting a data transmission request triggered from a preset intranet secure virtual desktop;
This embodiment may be implemented by a desktop virtualization server in a virtual desktop infrastructure. In such an infrastructure, the desktop operating system runs, and the enterprise applications are published, on a desktop virtualization server in the data center; a user only needs to log in remotely to a dedicated virtual desktop to use the enterprise applications anytime and anywhere, with the same experience as using a physical desktop computer in the enterprise.
In the existing virtual desktop infrastructure, the outbound permission of different virtual desktops in the intranet (that is, permission to transmit data from the intranet to the external internet) is not explicitly divided, and the flow of data between different virtual desktops in the intranet is not restricted, so if confidential data flows to a virtual desktop that has outbound permission, the confidential data is likely to be leaked. Therefore, the invention provides a data security protection method based on the virtual desktop infrastructure.
First, the virtual desktops of the enterprise intranet need to be divided in advance into intranet secure virtual desktops and intranet non-secure virtual desktops; that is, before step S10 the method may further include: dividing the intranet virtual desktops into intranet secure virtual desktops and intranet non-secure virtual desktops that are isolated from each other at the network level, setting the intranet secure virtual desktop to have local area network access permission but no external internet access permission, and setting the intranet non-secure virtual desktop to have external internet access permission but no local area network access permission. Referring to FIG. 3, which is a schematic view of the scenario for dividing the intranet virtual desktops in the implementation of the present invention: the intranet secure virtual desktop is only allowed to access the local area network and has no outbound permission; the intranet non-secure virtual desktop is only allowed to access the internet, i.e. the external internet, and has outbound permission, so that network isolation between the intranet secure virtual desktop and the intranet non-secure virtual desktop is achieved. When at some moment a user wants to transmit data from the intranet secure virtual desktop outward (including to an intranet non-secure virtual desktop and to the external internet), a corresponding data transmission request is triggered from the intranet secure virtual desktop, and the desktop virtualization server detects the data transmission request triggered from the preset intranet secure virtual desktop.
Step S20, determining the data transmission mode corresponding to the data transmission request;
Because the intranet secure virtual desktop has no access right to the external internet, the data transmission request falls into one of two cases: the requested data is circulated within the intranet, or it is transferred to an external storage device. The desktop virtualization server therefore determines the data transmission mode corresponding to the request. When data is transferred to an external storage device, the mode may be transmission through a USB interface, a printer or a recorder; when data is circulated within the intranet, the mode may be transmission through a preset virtualized application (e.g., a mail application or a chat application). Specifically, the desktop virtualization server may parse the detected data transmission request to determine the corresponding mode; for example, if the request is to send data to an external storage device connected to the client, the mode is determined to be transmission through the USB interface.
Step S30, loading a preset data transmission control policy corresponding to the data transmission mode, and performing policy control on the data transmission request according to the data transmission control policy.
After determining the mode of the detected data transmission request, the desktop virtualization server loads the preset data transmission control policy corresponding to that mode and performs policy control on the request according to it. The policy corresponding to a data transmission request may be set flexibly according to actual needs; transmission through a preset virtualized application is described below as an example.
A virtualized application relies on application virtualization technology. In application virtualization, the human-computer interaction logic of an application (its program interface, keyboard and mouse operations, audio input and output, card reader, printed output, etc.) is separated from its computing logic. When a user accesses an application virtualized by a server, the user's client sends the interaction logic to the server, the server establishes an independent session space for that user in which the application's computing logic runs, and the updated interaction logic is returned to the client and displayed on the corresponding client device, so that the user experiences the application exactly as if it were local.
In this embodiment, application virtualization technology is adopted in the virtual desktop infrastructure, and when the data transmission mode is transmission through a preset virtualized application the application scenario may be as follows. For business reasons, the research and development team of an enterprise needs to send mail to the technical support team; the R&D team uses an intranet secure virtual desktop and the technical support team uses an intranet non-secure virtual desktop, so if confidential enterprise data is sent in the mail there is a risk of it being sent out through the intranet non-secure virtual desktop. The corresponding data transmission control policy may therefore be set as follows: when the R&D team sends mail to the technical support team, the system starts an audit or approval procedure, the relevant personnel audit or approve the mail content, the mail is allowed to be sent only when the audit or approval passes, and the audit or approval result may be stored for subsequent tracing. Thus, when the desktop virtualization server detects a data transmission request from the preset mail application, it audits or approves the mail content according to the policy and allows the mail to be sent only when the audit or approval passes, reducing the risk of confidential data being sent out.
It should be noted that, in addition to the auditing or approval described above, the data to be transmitted may be encrypted by encryption software before transmission; this may be set flexibly in a specific implementation.
In this embodiment, the desktop virtualization server detects a data transmission request triggered from a preset intranet secure virtual desktop; determines the data transmission mode corresponding to the data transmission request; and loads a preset data transmission control policy corresponding to the data transmission mode, and performs policy control on the data transmission request according to that policy. In this way, the virtual desktops in the intranet are set up to include an intranet secure virtual desktop, and outbound-permission control and intranet data-transmission policy control are applied to the data transmission requests triggered from it, so that the risk of leakage of confidential enterprise intranet data is reduced.
Further, based on the first embodiment of the data security protection method of the present invention, a second embodiment of the data security protection method of the present invention is provided. Referring to FIG. 4, which is a schematic diagram illustrating the detailed steps of performing policy control on the data transmission request according to the data transmission control policy in FIG. 2. Based on the embodiment shown in FIG. 2, the step of performing policy control on the data transmission request according to the data transmission control policy may include:
Step S31, acquiring the data to be transmitted corresponding to the data transmission request;
Step S32, auditing or approving the acquired data to be transmitted according to a preset rule;
Step S33, when the audit or approval passes, controlling the transmission of the data according to the data transmission mode.
In this embodiment, when the desktop virtualization server performs policy control on the data transmission request, it first obtains the data to be transmitted corresponding to the request and then audits or approves that data according to a preset rule. Auditing may include judging the confidentiality level of the data to be transmitted: if it is preset data of a higher confidentiality level without transmission permission, the audit fails. Approval means sending the data to be transmitted to the corresponding approver (such as a manager) to decide whether it has transmission permission. In a specific implementation the audit or approval rules can be set flexibly: for example, whether a mail may be sent can be judged only from its sender and receiver, or by judging the confidentiality level of the data to be sent, and so on. If the audit or approval fails, transmission of the data is forbidden; if it passes, the data is transmitted under the corresponding data transmission mode.
Further, the data transmission mode may include transmission through a USB interface and transmission through a preset virtualized application.
When the data transmission mode is transmission through a USB interface, the desktop virtualization server calls the USB interface of the intranet secure virtual desktop to transmit the data to the external storage device; when the data transmission mode is transmission through a preset virtualized application, the desktop virtualization server sends the data to the corresponding application virtualization server so that the application virtualization server transmits it, where the network on which the application virtualization server is located communicates with both the network of the intranet secure virtual desktop and the network of the intranet non-secure virtual desktop, so the data sent by the intranet secure virtual desktop can be forwarded to the intranet non-secure virtual desktop.
In this embodiment, the data to be transmitted is audited or approved and is allowed to be transmitted only when the audit or approval passes, which greatly reduces the risk of leakage of confidential intranet data.
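As an added illustration (not code from the patent or any product it describes), the following Python models the scheme of both embodiments: the division of intranet desktops with their network permissions, mode determination (step S20), loading a per-mode preset policy (S30), the audit or approval step (S31 to S33), and the two transmission paths (USB interface, application virtualization server). The class names, the confidentiality markers used by the audit rule, and the policy table are assumptions, since the text leaves the concrete policies to actual needs.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Optional


class Desktop(Enum):
    """The two classes into which the intranet virtual desktops are divided."""
    SECURE = "intranet-secure"          # LAN access only; no external internet, no outbound right
    NON_SECURE = "intranet-non-secure"  # external internet only; no LAN access; has outbound right


# Network isolation between the two classes: each may reach exactly one network.
NETWORK_ACCESS = {Desktop.SECURE: {"lan"}, Desktop.NON_SECURE: {"internet"}}


def may_reach(desktop: Desktop, network: str) -> bool:
    return network in NETWORK_ACCESS[desktop]


class Mode(Enum):
    USB = "usb"                  # to an external storage device attached to the client
    PRINTER = "printer"
    VIRTUAL_APP = "virtual-app"  # e.g. a mail or chat application published by the app server


@dataclass
class Request:
    source: Desktop
    target: str                          # "external-storage", "printer", or an app name such as "mail"
    payload: bytes
    recipient: Optional[Desktop] = None  # receiving desktop for VIRTUAL_APP transfers


def determine_mode(req: Request) -> Mode:
    """Step S20: parse the request to find its transmission mode."""
    if req.target == "external-storage":
        return Mode.USB
    if req.target == "printer":
        return Mode.PRINTER
    return Mode.VIRTUAL_APP


# Constructed classification markers for the automated audit rule (an assumption).
CONFIDENTIAL_MARKERS = (b"[CONFIDENTIAL]", b"[SECRET]")


def audit(req: Request) -> bool:
    """Audit rule: data judged to be highly confidential has no transmission permission."""
    return not any(marker in req.payload for marker in CONFIDENTIAL_MARKERS)


@dataclass(frozen=True)
class Policy:
    """Preset control policy for one transmission mode, loaded in step S30."""
    require_audit: bool
    require_approval: bool  # route to an approving person such as a manager


# The per-mode table is an assumption; the text leaves policies to actual needs.
POLICIES = {
    Mode.USB: Policy(require_audit=True, require_approval=True),
    Mode.PRINTER: Policy(require_audit=True, require_approval=False),
    Mode.VIRTUAL_APP: Policy(require_audit=True, require_approval=True),  # R&D mail to support
}


def via_usb(req: Request) -> str:
    """Call the secure desktop's USB interface to write to the client's external storage."""
    return f"usb:{len(req.payload)}B"


def via_app_server(req: Request) -> str:
    """Hand the data to the application virtualization server, whose network is reachable
    from both desktop classes; it forwards the data to the recipient desktop."""
    return f"appserver:{req.target}->{req.recipient.value}"


DISPATCH = {Mode.USB: via_usb, Mode.PRINTER: lambda r: "printer", Mode.VIRTUAL_APP: via_app_server}


@dataclass
class DesktopVirtualizationServer:
    approver: Callable[[Request], bool]       # manual approval decision supplied by the caller
    trace: list = field(default_factory=list)  # stored results so transfers can be traced later

    def handle(self, req: Request) -> str:
        # Step S10: policy control applies to requests triggered from the secure desktop.
        if req.source is not Desktop.SECURE:
            raise ValueError("only intranet secure virtual desktop requests are controlled")
        mode = determine_mode(req)                                   # S20
        policy = POLICIES[mode]                                      # S30: load preset policy
        passed = (not policy.require_audit or audit(req)) and (      # S31/S32: audit, then
            not policy.require_approval or self.approver(req))       # approval if required
        outcome = DISPATCH[mode](req) if passed else "denied"        # S33, or forbid transfer
        self.trace.append({"mode": mode.value, "passed": passed, "outcome": outcome})
        return outcome
```

A failed audit short-circuits before the approver is consulted, and every decision is appended to `trace` so that a later investigation can see which requests were refused and why.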
The invention also provides data safety protection equipment.
The data security protection device of the invention comprises: a memory, a processor, and a data security program stored on the memory and executable on the processor, the data security program when executed by the processor implementing the steps of:
detecting a data transmission request triggered based on a preset intranet safety virtual desktop;
determining a data transmission mode corresponding to the data transmission request;
and loading a preset data transmission control strategy corresponding to the data transmission mode, and carrying out strategy control on the data transmission request according to the data transmission control strategy.
Further, when executed by the processor, the data security protection program further implements the steps of:
the method comprises the steps of dividing an intranet virtual desktop into an intranet safe virtual desktop and an intranet non-safe virtual desktop, wherein the intranet safe virtual desktop and the intranet non-safe virtual desktop are mutually isolated in network, setting the intranet safe virtual desktop to have local area network access permission but not external internet access permission, and setting the intranet non-safe virtual desktop to have external internet access permission but not local area network access permission.
Further, when executed by the processor, the data security protection program further implements the steps of:
acquiring data to be transmitted corresponding to the data transmission request;
auditing or approving the acquired data to be transmitted according to a preset rule;
and when the audit or the approval is passed, controlling the data to be transmitted according to the data transmission mode.
Further, the data transmission mode includes transmission through a USB interface and transmission through a preset virtualized application, and the data security protection program further implements the following steps when executed by the processor:
when the data transmission mode is transmission through a USB interface, calling the USB interface of the intranet safety virtual desktop to transmit the data to be transmitted;
and when the data transmission mode is transmission through a preset virtualization application, sending the data to be transmitted to a corresponding application virtualization server so that the application virtualization server transmits the data to be transmitted.
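The device steps above (detect the request from the isolated secure desktop, pick the control strategy for the transmission mode, audit or approve the data, then hand it to the USB interface or to an application virtualization server) can be sketched as a small policy controller. The following is an added illustration written for this page; it is not code from the patent or from any product it describes. The desktop classes, the per-mode policies, the audit markers, the server name and the sample requests are all constructed assumptions.

```python
"""Policy control of an outbound transfer from an isolated secure desktop.
Added illustration, not the patent's code. Every class, policy value, audit
marker and sample request is a constructed assumption; the step order follows
the description in the text.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Desktop(Enum):
    SECURE = "intranet-secure"         # LAN access, no Internet access
    NON_SECURE = "intranet-nonsecure"  # Internet access, no LAN access


class Mode(Enum):
    USB = "usb"
    VIRT_APP = "virtualized-app"


# Network reachability per desktop class: the mutual-isolation rule.
REACHABILITY: Dict[Desktop, Dict[str, bool]] = {
    Desktop.SECURE: {"lan": True, "internet": False},
    Desktop.NON_SECURE: {"lan": False, "internet": True},
}


def direct_access_allowed(desktop: Desktop, network: str) -> bool:
    """True if the desktop may reach the network directly, bypassing control."""
    return REACHABILITY[desktop][network]


@dataclass
class TransferRequest:
    desktop: Desktop
    mode: Mode
    filename: str
    payload: bytes
    target: str = ""  # application virtualization server, VIRT_APP mode only


@dataclass
class Policy:
    """Per-mode data transmission control strategy (constructed values)."""
    max_bytes: int
    allowed_suffixes: Tuple[str, ...]
    approval_above_bytes: int  # larger payloads need explicit approval
    allowed_targets: Tuple[str, ...] = ()


POLICIES: Dict[Mode, Policy] = {
    Mode.USB: Policy(10_000_000, (".pdf", ".txt"), 1_000_000),
    Mode.VIRT_APP: Policy(50_000_000, (".pdf", ".txt", ".csv"), 5_000_000,
                          ("appvirt-01.corp.example",)),
}
SENSITIVE_MARKERS = (b"CONFIDENTIAL", b"TOP SECRET")  # constructed audit rule


def audit(req: TransferRequest, policy: Policy) -> List[str]:
    """Rule-based audit of the data to be transmitted; empty list means pass."""
    problems: List[str] = []
    if not req.filename.lower().endswith(policy.allowed_suffixes):
        problems.append("file type not allowed")
    if len(req.payload) > policy.max_bytes:
        problems.append("payload exceeds size limit")
    if any(marker in req.payload for marker in SENSITIVE_MARKERS):
        problems.append("sensitive marker found")
    if req.mode is Mode.VIRT_APP and req.target not in policy.allowed_targets:
        problems.append("unknown application virtualization server")
    return problems


def send_via_usb(req: TransferRequest) -> str:
    # Stand-in for handing the data to the secure desktop's USB interface.
    return f"usb:{req.filename}:{len(req.payload)}"


def send_via_app(req: TransferRequest) -> str:
    # Stand-in for forwarding the data to the application virtualization server.
    return f"{req.target}:{req.filename}:{len(req.payload)}"


HANDLERS: Dict[Mode, Callable[[TransferRequest], str]] = {
    Mode.USB: send_via_usb, Mode.VIRT_APP: send_via_app}


def control_transfer(req: TransferRequest,
                     approve: Callable[[TransferRequest], bool] = lambda r: False,
                     log: Optional[List[str]] = None) -> Tuple[str, str]:
    """Returns (decision, detail); decision is allowed, pending or denied."""
    log = log if log is not None else []
    # Step 1: only requests triggered from the secure desktop use this channel,
    # and that desktop must have no direct Internet path that bypasses it.
    if req.desktop is not Desktop.SECURE or direct_access_allowed(req.desktop, "internet"):
        log.append(f"DENY origin={req.desktop.value}")
        return "denied", "request not from the isolated secure desktop"
    # Step 2: load the control strategy that matches the transmission mode.
    policy = POLICIES[req.mode]
    # Step 3: audit against the preset rules; large payloads also need approval.
    problems = audit(req, policy)
    if problems:
        log.append(f"DENY file={req.filename} reasons={problems}")
        return "denied", "; ".join(problems)
    if len(req.payload) > policy.approval_above_bytes and not approve(req):
        log.append(f"PENDING file={req.filename} bytes={len(req.payload)}")
        return "pending", "awaiting approval"
    # Step 4: control the transfer through the mode-specific channel.
    receipt = HANDLERS[req.mode](req)
    log.append(f"ALLOW mode={req.mode.value} receipt={receipt}")
    return "allowed", receipt
```

The audit log passed to `control_transfer` is what an operator would review afterwards: every request leaves an ALLOW, PENDING or DENY record, so a transfer that never reached a handler is still visible. The approval callback stands in for the human approval step the text mentions; in a deployment it would block on a ticket rather than return immediately.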
For the method implemented when the data security protection program is executed on the processor, reference may be made to the embodiment of the data security protection method of the present invention; details are not repeated here.
The invention also provides a computer readable storage medium.
The computer readable storage medium of the present invention stores a data security program, and the data security program implements the steps of the data security method as described above when executed by a processor.
For the method implemented when the data security protection program is executed on the processor, reference may be made to the embodiment of the data security protection method of the present invention; details are not repeated here.
It should be noted that, in this document, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or system that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or system. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or system that comprises the element.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
Through the above description of the embodiments, those skilled in the art will clearly understand that the method of the above embodiments can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware, but in many cases, the former is a better implementation manner. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium (e.g., ROM/RAM, magnetic disk, optical disk) as described above and includes instructions for enabling a terminal device (e.g., a mobile phone, a computer, a server, or a network device) to execute the method according to the embodiments of the present invention.
The above description is only a preferred embodiment of the present invention, and not intended to limit the scope of the present invention, and all modifications of equivalent structures and equivalent processes, which are made by using the contents of the present specification and the accompanying drawings, or directly or indirectly applied to other related technical fields, are included in the scope of the present invention.
Claims (6)
1. A data security protection method is characterized by comprising the following steps:
dividing an intranet virtual desktop into an intranet safe virtual desktop and an intranet non-safe virtual desktop which are mutually isolated from each other in a network, and setting the intranet safe virtual desktop to have local area network access authority but not external internet access authority, wherein the intranet non-safe virtual desktop has external internet access authority but not local area network access authority;
detecting a data transmission request which is triggered based on the intranet safety virtual desktop and is transmitted to an external network;
determining a data transmission mode corresponding to the data transmission request;
loading a preset data transmission control strategy corresponding to the data transmission mode, and acquiring data to be transmitted corresponding to the data transmission request;
auditing or approving the acquired data to be transmitted according to a preset rule;
and when the audit or the approval is passed, controlling the data to be transmitted according to the data transmission mode.
2. The data security protection method according to claim 1, wherein the data transmission mode includes transmission through a USB interface, and the step of controlling the data to be transmitted according to the data transmission mode includes:
and when the data transmission mode is transmission through a USB interface, calling the USB interface of the intranet safety virtual desktop to transmit the data to be transmitted.
3. The data security protection method according to claim 1, wherein the data transmission mode includes transmission by a preset virtualized application, and the step of controlling the data to be transmitted according to the data transmission mode includes:
and when the data transmission mode is transmission through a preset virtualization application, sending the data to be transmitted to a corresponding application virtualization server so that the application virtualization server transmits the data to be transmitted.
4. A data security apparatus, the data security apparatus comprising: a memory, a processor, and a data security program stored on the memory and executable on the processor, the data security program when executed by the processor implementing the steps of:
dividing an intranet virtual desktop into an intranet safe virtual desktop and an intranet non-safe virtual desktop which are mutually isolated from each other in a network, and setting the intranet safe virtual desktop to have local area network access authority but not external internet access authority, wherein the intranet non-safe virtual desktop has external internet access authority but not local area network access authority;
detecting a data transmission request which is triggered based on the intranet safety virtual desktop and is transmitted to an external network;
determining a data transmission mode corresponding to the data transmission request;
loading a preset data transmission control strategy corresponding to the data transmission mode, and acquiring data to be transmitted corresponding to the data transmission request;
auditing or approving the acquired data to be transmitted according to a preset rule;
and when the audit or the approval is passed, controlling the data to be transmitted according to the data transmission mode.
5. The data security device of claim 4, wherein the data transmission modes include transmission through a USB interface and transmission through a preset virtualized application, and the data security program when executed by the processor further implements the steps of:
when the data transmission mode is transmission through a USB interface, calling the USB interface of the intranet safety virtual desktop to transmit the data to be transmitted;
and when the data transmission mode is transmission through a preset virtualization application, sending the data to be transmitted to a corresponding application virtualization server so that the application virtualization server transmits the data to be transmitted.
6. A computer-readable storage medium, having stored thereon a data security program which, when executed by a processor, implements the steps of the data security method according to any one of claims 1-3.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710928259.6A CN107770160B (en) | 2017-09-30 | 2017-09-30 | Data security protection method, device and computer readable storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201710928259.6A CN107770160B (en) | 2017-09-30 | 2017-09-30 | Data security protection method, device and computer readable storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN107770160A CN107770160A (en) | 2018-03-06 |
CN107770160B true CN107770160B (en) | 2021-03-09 |
Family
ID=61267166
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201710928259.6A Active CN107770160B (en) | 2017-09-30 | 2017-09-30 | Data security protection method, device and computer readable storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN107770160B (en) |
Families Citing this family (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109934011A (en) * | 2019-03-18 | 2019-06-25 | 国网安徽省电力有限公司黄山供电公司 | A kind of data safety partition method applied to O&M auditing system |
CN110543775B (en) * | 2019-08-30 | 2022-07-29 | 湖南麒麟信安科技股份有限公司 | Data security protection method and system based on super-fusion concept |
CN110545324B (en) * | 2019-09-04 | 2022-06-14 | 北京百度网讯科技有限公司 | Data processing method, device, system, network equipment and storage medium |
CN112448957B (en) * | 2020-11-27 | 2023-04-25 | 成都新希望金融信息有限公司 | Network isolation method, device, system, server side and readable storage medium |
CN114512151B (en) * | 2021-12-28 | 2024-03-22 | 奇安信科技集团股份有限公司 | Method and system for auditing, managing and controlling optical disk writing |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102333072A (en) * | 2011-06-09 | 2012-01-25 | 张欢 | Network banking trusted transaction system and method based on intelligent terminal |
CN102346818A (en) * | 2010-08-02 | 2012-02-08 | 南京壹进制信息技术有限公司 | Computer network environment isolation system implemented by using software |
CN102843352A (en) * | 2012-05-15 | 2012-12-26 | 广东电网公司茂名供电局 | Cross-physical isolation data transparent transmission system and method between intranet and extranet |
CN104753887A (en) * | 2013-12-31 | 2015-07-01 | 中国移动通信集团黑龙江有限公司 | Safety control implementation method and system and cloud desktop system |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20140188977A1 (en) * | 2012-12-28 | 2014-07-03 | Futurewei Technologies, Inc. | Appratus, method for deploying applications in a virtual desktop interface system |
- 2017-09-30 CN CN201710928259.6A patent/CN107770160B/en, status: Active
Also Published As
Publication number | Publication date |
---|---|
CN107770160A (en) | 2018-03-06 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN107770160B (en) | Data security protection method, device and computer readable storage medium | |
US9923902B2 (en) | Remote processing of mobile applications | |
US11741222B2 (en) | Sandbox environment for document preview and analysis | |
EP3788760B1 (en) | Systems and methods for adding watermarks using an embedded browser | |
US9402184B2 (en) | Associating services to perimeters | |
CN109639652B (en) | Method and system for accessing internetwork data based on security isolation | |
US9223970B2 (en) | Evaluating application integrity | |
US20140283071A1 (en) | Application malware isolation via hardware separation | |
US11893123B2 (en) | Systems and methods for screenshot mediation based on policy | |
CN109873803A (en) | The authority control method and device of application program, storage medium, computer equipment | |
CN107566400A (en) | Application with multiple operator schemes | |
US11841931B2 (en) | Systems and methods for dynamically enforcing digital rights management via embedded browser | |
KR20110074484A (en) | Collaborative malware detection and prevention on mobile devices | |
CN102291387A (en) | Encrypted network traffic interception and inspection | |
US20190019154A1 (en) | Intelligent, context-based delivery of sensitive email content to mobile devices | |
US11023606B2 (en) | Systems and methods for dynamically applying information rights management policies to documents | |
US9137333B1 (en) | Method and system for adding plug-in functionality to virtualized applications | |
US11822643B2 (en) | Method and system for creating quarantined workspaces through controlled interaction between a host and virtual guests | |
EP2570960A2 (en) | Method of controlling information processing system, program for controlling apparatus | |
CN112711770A (en) | Sensitive behavior blocking method, device, terminal and storage medium | |
CN105554005A (en) | Enterprise network security management method, device and system and security gateway | |
EP3308319B1 (en) | Method and system for anonymizing a user identity and/or user data of a subscriber of a data protection service, program and computer program product | |
CN113761515A (en) | Cloud desktop security detection method and system, computing device and storage medium | |
US9871873B2 (en) | Adapter for communication between web applications within a browser | |
Ben Rebah et al. | Cloud Computing: Potential Risks and Security Approaches |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| GR01 | Patent grant | |
| PE01 | Entry into force of the registration of the contract for pledge of patent right | Denomination of invention: Data security protection methods, equipment, and computer-readable storage media. Effective date of registration: 20231212. Granted publication date: 20210309. Pledgee: Shenzhen Branch of China Merchants Bank Co.,Ltd. Pledgor: SANGFOR TECHNOLOGIES Inc. Registration number: Y2023980070863 |