CN108133143A - A kind of data leakage prevention method and system of facing cloud desktop application environment - Google Patents
- Publication number: CN108133143A (application CN201711321695.3A)
- Authority: CN (China)
- Prior art keywords
- file
- data
- outgoing
- data object
- platform side
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
- G—PHYSICS
  - G06—COMPUTING; CALCULATING OR COUNTING
    - G06F—ELECTRIC DIGITAL DATA PROCESSING
      - G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
        - G06F21/60—Protecting data
          - G06F21/602—Providing cryptographic facilities or services
          - G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
            - G06F21/6209—Protecting access to data via a platform, to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Software Systems (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Health & Medical Sciences (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Bioethics (AREA)
- Storage Device Security (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a data leakage prevention method and system for a cloud desktop application environment. The method comprises the following steps: a data leakage prevention (DLP) endpoint intercepts and takes over the file operations of a cloud desktop user, collects the file operation information generated while the user operates the host, and pushes it to the platform side; the platform side creates a corresponding data object in a data pool according to the file operation information; the platform side maps the data object to the host file and saves the file mapping information; the cloud desktop user selects a host file to send out and a target user; the platform side sends the host file according to the outbound information and the applicable control policy. Through a differentiated access mechanism, the technical solution loads the corresponding outbound data control policy according to the user's login scenario, which reduces the impact on the user's normal data operations and improves the working efficiency of cloud desktop users.
Description
Technical field
The present invention relates to the field of data security, and in particular to a data leakage prevention method and system for a cloud desktop application environment.
Background technology
In recent years, with the rapid growth of computer hardware and software capability, cloud computing and big data technology have been applied very widely and have greatly changed daily life. The cloud desktop, an important component of cloud computing, has found practical use in many industries: its low deployment cost and ease of use greatly reduce an enterprise's operating cost for computer infrastructure, while also providing great convenience to employees and thereby indirectly raising work efficiency. Data leakage prevention (DLP) software can effectively reduce the probability of data leakage, and its effective application in the cloud desktop environment is one of the major challenges currently facing the DLP field. Within it, effective control of outbound file operations (files sent out of the environment) is the core objective of a DLP system. To that end, Beijing Mingchao Wanda Technology Co., Ltd. proposes an optimized operating mode for the traditional DLP system that adapts it to the cloud desktop environment and achieves outbound file control that is transparent to the user.
At present, DLP systems generally use a client/server deployment in which the endpoint agent (terminal) plays the primary role and the server a supporting one. The server only offers common management functions such as endpoint management, user management, policy management and system administration. The DLP endpoint deployed on the host is the core of the system and carries the numerous control measures: peripheral device control, outbound file control, network traffic control, data operation control, process control and so on. The operating mode of existing DLP systems is shown in Fig. 1.
Analysing the traditional DLP system, one finds the following. The host-based DLP endpoint technology is mature; owing to its deployment position (the host) it can obtain a large amount of operation information and data, which provides an important foundation for effective data leakage prevention. However, limited by the single-host operating model, the stored data are highly duplicated and occupy a large amount of storage, and the same data are repeatedly scanned, analysed and inspected. This causes serious waste of operating resources (storage and compute) and has some impact on the operating efficiency of the DLP system and even of the computer infrastructure.
In addition, when the traditional DLP endpoint is deployed in a cloud desktop environment, the main problem at present is that cloud computing resources are not effectively utilized: the endpoint is not optimized for the characteristics of the cloud computing model, so the weaknesses of the traditional DLP system are significantly amplified. The result is that the weaknesses of the DLP endpoint are magnified while the strengths of the cloud desktop are forgone, which reduces the advantages of adopting a cloud desktop and hinders the adoption of DLP functions in the cloud desktop environment.
Finally, consider a major advantage of the cloud desktop application: portability (the login scenario is unrestricted). A user may log in from inside the enterprise, or from a remote location while travelling. The control requirements for outbound files differ between these scenarios, but the traditional DLP system cannot effectively distinguish the user's scenario and load different control policies accordingly, so as to reduce interference with the user while still controlling outbound files effectively.
In summary, because of its original design intent and target (control on a single host plus networked management), the existing DLP system has strong application-scenario limitations, and its outbound control function has shortcomings in the cloud desktop environment: compute redundancy (repeated scanning, analysis and inspection), storage redundancy (large numbers of duplicate files) and fixed policy (no differentiated control by usage scenario). These problems would have no impact if the cloud desktop were used with unlimited resources, but considering the cost-control requirements of most organizations deploying DLP, the DLP objective must be achieved with relatively low resource occupancy, the interference of DLP operations with normal users must be reduced as far as possible, and the productivity of the cloud desktop application, and thereby staff efficiency, must be improved.
Therefore, there is an urgent need for a DLP system optimized for the cloud desktop environment and a corresponding outbound file control method, which uses the advantages of the cloud for the computation, storage, modification and access operations related to leakage prevention, combining what is individual (a user's use of a cloud desktop) with what is common (control of outbound files), so as to reduce the compute and storage resources occupied by outbound file control. At the same time, the user's usage scenario is distinguished so that outbound file control policies and measures of different grades can be loaded and applied.
Building on the endpoint functions of existing DLP systems, the present invention makes improvements for the cloud desktop application environment: outbound file control measures adapted to the cloud environment in three respects (computation, storage and access), comprehensive supervision of the files and network traffic involved in a user's outbound operations, and effective control of data storage and transmission in the cloud desktop environment without the user being aware of it. Sensitive user operations are identified and responded to promptly, the occurrence of data leakage events is reduced, the effectiveness of the DLP system is improved, and the data security of the cloud desktop is ensured.
Invention content
In order to solve the above technical problems, the present invention provides a data leakage prevention method for a cloud desktop application environment, characterized in that the method comprises the following steps:
1) the DLP endpoint intercepts and takes over the file operations of the cloud desktop user, obtains the file operation information generated while the user operates the host, and pushes it to the platform side;
2) the platform side creates a corresponding data object in the data pool according to the file operation information;
3) the platform side maps the data object to the host file and saves the file mapping information;
4) the cloud desktop user selects a host file to send out and a target user; the DLP endpoint captures the outbound information for that host file and notifies the platform side;
5) the platform side queries the file mapping information according to the outbound information, determines the control policy for the outbound host file, and sends the host file according to that control policy.
Preferably, in step 2) the platform side maps the data object to the host file; the file content is stored in the data object in the data pool, and no file content is stored on the host.
Preferably, after the platform side has created the corresponding data object in the data pool according to the file operation information in step 2), the platform side further performs the following operations:
creating a data object reference record and storing the read and write file operation records;
creating the data object's similarity feature information and calculating the file's sensitivity;
feeding the data object information and the data object reference record back to the DLP endpoint.
Preferably, step 5), in which the platform side queries the file mapping information according to the outbound information, determines the control policy for the outbound host file and sends the host file according to that policy, comprises:
locating the data object to which the outbound host file is mapped, and determining the type and permissions of the target user;
sending the data object corresponding to the outbound host file according to the target user's type and permissions.
Preferably, sending the data object corresponding to the outbound host file according to the target user's type and operating permissions comprises, if the cloud desktop user and the target user are both internal users with identical operating permissions:
the platform side retrieves from the data pool, according to the outbound host file information, the data object to which the outbound host file is mapped, updates the data object record, adds an outbound record, and feeds the result of the data object access back to the source user's DLP endpoint;
the target user's DLP endpoint captures the target user's receive operation on the host file and notifies the platform side;
the platform side updates the data object record and adds a receive record.
Preferably, sending the data object corresponding to the outbound host file according to the target user's type and operating permissions comprises, if the cloud desktop user and the target user are both internal users but their operating permissions differ:
the platform side retrieves from the data pool, according to the outbound file information, the data object to which the outbound host file is mapped, determines from the outbound information which data object operations need to be performed, and adds them to the outbound record;
the platform side updates the data object record, adds the outbound record, and feeds the result of the data object access back to the source user's DLP endpoint;
the target user's DLP endpoint captures the target user's receive operation on the host file and notifies the platform side;
the platform side obtains and evaluates the outbound record and searches the data pool for an identical data object; if one exists it is reused, otherwise a new data object is created according to the requirements of the outbound record;
the platform side updates the data object record and adds a receive record;
the platform side, together with the target user's DLP endpoint, completes the mapping between the received data object and the target user's host file.
Preferably, sending the data object corresponding to the outbound host file according to the target user's type and operating permissions comprises, if the internal cloud desktop user sends the outbound host file to an external user:
the platform side retrieves from the data pool, according to the outbound host file information, the data object to which the outbound host file is mapped, determines from the outbound information which data object operations need to be performed, and adds them to the outbound record;
the platform side updates the data object record and adds the outbound record;
the platform side obtains and evaluates the outbound record and searches the data pool for an identical data object; if one exists it is reused, otherwise a new data object is created according to the requirements of the outbound record.
Preferably, the cloud desktop user sends the host file by at least one of the following means: e-mail, web page, application program, or file sharing.
Preferably, in step 3), in which the platform side maps the data object to the host file and saves the file mapping information, the host file information that needs to be mapped to the data object includes: file name, file size, owning user, user permissions, file hash, creation time, modification time, last access time, and the file's read records, write records, copy records and delete records.
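The following is an added example, not code from the patent or its applicant, modelling steps 1) to 3) and the mapping claim above: a content-addressed data pool on the platform side that stores each distinct file content once, and a per-host mapping record carrying the fields the claim lists (file name, size, owning user, permissions, hash, creation/modification/last-access times, read/write/copy/delete records). The class names, the use of SHA-256 as the file hash and the sample file contents are assumptions of this example.

```python
"""Added example (not from the patent): a minimal platform-side data pool and
the host-file -> data-object mapping of steps 1-3. Names such as DataPool and
FileMapping, SHA-256 as the file hash, and the sample contents are assumed."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field


@dataclass
class DataObject:
    """Holds a file's content exactly once; many host files may map to it."""
    digest: str
    content: bytes
    refs: list[str] = field(default_factory=list)   # data object reference records


@dataclass
class FileMapping:
    """Index kept for one host file; the content itself lives only in the pool."""
    name: str
    size: int
    owner: str
    permission: str
    digest: str               # file hash, doubles as the data object key
    created: float
    modified: float
    last_read: float
    reads: list[float] = field(default_factory=list)
    writes: list[float] = field(default_factory=list)
    copies: list[float] = field(default_factory=list)
    deletes: list[float] = field(default_factory=list)


class DataPool:
    def __init__(self) -> None:
        self.objects: dict[str, DataObject] = {}
        self.mappings: dict[tuple[str, str], FileMapping] = {}  # (host, path) -> mapping

    def create_or_reuse(self, content: bytes, ref: str) -> tuple[DataObject, bool]:
        """Content-addressed insert: identical content from different hosts is
        stored once; the second host only adds a reference record."""
        digest = hashlib.sha256(content).hexdigest()
        obj = self.objects.get(digest)
        created = obj is None
        if created:
            obj = self.objects[digest] = DataObject(digest, content)
        obj.refs.append(ref)
        return obj, created

    def map_file(self, host: str, path: str, owner: str, permission: str,
                 content: bytes, ts: float) -> FileMapping:
        """Steps 2 and 3: the endpoint pushes an intercepted write; the platform
        creates (or reuses) the object and hands the mapping back to the host."""
        obj, _ = self.create_or_reuse(content, f"{host}:{path}")
        m = FileMapping(path, len(content), owner, permission, obj.digest, ts, ts, ts)
        m.writes.append(ts)
        self.mappings[(host, path)] = m
        return m

    def record_read(self, host: str, path: str, ts: float) -> None:
        """A read on the host is appended to the mapping and to the object's refs."""
        m = self.mappings[(host, path)]
        m.reads.append(ts)
        m.last_read = ts
        self.objects[m.digest].refs.append(f"read {host}:{path}")

    def pool_bytes(self) -> int:
        """Storage actually consumed on the platform."""
        return sum(len(o.content) for o in self.objects.values())

    def host_bytes(self) -> int:
        """Storage the same files would consume if every host kept its own copy."""
        return sum(m.size for m in self.mappings.values())


def demo() -> DataPool:
    """Constructed sample: two cloud desktops save the same report, a third saves
    an unrelated file, then one desktop reads its copy."""
    pool = DataPool()
    report = b"Q3 revenue report (constructed sample content)" * 50
    pool.map_file("desk-01", "C:/Users/alice/q3.docx", "alice", "finance", report, 1.0)
    pool.map_file("desk-02", "C:/Users/bob/q3 copy.docx", "bob", "finance", report, 2.0)
    pool.map_file("desk-03", "C:/Users/carol/notes.txt", "carol", "hr", b"unrelated", 3.0)
    pool.record_read("desk-02", "C:/Users/bob/q3 copy.docx", 4.0)
    return pool
```

After `demo()` the pool holds two objects for three host files, and `host_bytes()` exceeds `pool_bytes()` by one copy of the report; that difference is the storage redundancy the background section complains about. The hash is over content only, so renaming or copying a file on a host never creates a second object.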
In order to solve the above technical problems, the present invention also provides a data leakage prevention system for a cloud desktop application environment, characterized in that the system comprises at least two DLP endpoints and one platform side, wherein:
the DLP endpoint intercepts and takes over the file operations of the cloud desktop user, obtains the file operation information generated while the user operates the host, and pushes it to the platform side;
the DLP endpoint captures the outbound information for the host file when the cloud desktop user selects a host file to send out and a target user, and notifies the platform side;
the platform side creates a corresponding data object in the data pool according to the file operation information;
the platform side maps the data object to the host file and saves the file mapping information;
the platform side queries the file mapping information according to the outbound information from the DLP endpoint, determines the control policy for the outbound host file, and sends the host file to the target user's DLP endpoint according to that control policy.
Preferably, in the system according to the present invention, the platform side maps the data object to the host file, the file content is stored in the data object in the data pool, and no file content is stored on the host.
Preferably, in the system according to the present invention, after the platform side has created the corresponding data object in the data pool according to the file operation information, the platform side performs the following operations:
creating a data object reference record and storing the read and write file operation records;
creating the data object's similarity feature information and calculating the file's sensitivity;
feeding the data object information and the data object reference record back to the DLP endpoint.
Preferably, in the system according to the present invention, the platform side's querying of the file mapping information according to the outbound information, determination of the control policy for the outbound host file and sending of the host file according to that policy comprise:
locating the data object to which the outbound host file is mapped, and determining the type and permissions of the target user;
sending the data object corresponding to the outbound host file according to the target user's type and permissions.
Preferably, in the system according to the present invention, the platform side maps the data object to the host file and saves the file mapping information, wherein the host file information that needs to be mapped to the data object includes: file name, file size, owning user, user permissions, file hash, creation time, modification time, last access time, and the file's read records, write records, copy records and delete records.
Preferably, in the system according to the present invention, the platform side comprises a cloud data object storage server for establishing the data pool and the data objects, and a DLP system management server for issuing control policies.
In order to solve the above technical problems, the present invention further provides a data leakage prevention system for a cloud desktop application environment, characterized in that the system comprises at least two DLP endpoints and one platform side;
each of the at least two DLP endpoints and the platform side has a computer-readable storage medium and a computer processing unit;
the computer-readable storage media of the at least two DLP endpoints and of the platform side each store computer program instructions;
and when the computer processing units of the at least two DLP endpoints and of the platform side execute their respective computer program instructions, one of the methods described above is carried out.
Preferably, in the system according to the present invention, the platform side comprises a cloud data object storage server for establishing the data pool and the data objects, and a DLP system management server for issuing control policies.
The technical solution of the present invention uses the advantages of the cloud to enhance the outbound file control function of the DLP system in a targeted way: the files on the user's host and the network traffic are treated as objects and stored and managed uniformly on the platform. For the different combinations of users involved in outbound data transfer (internal to internal with identical permissions, internal to internal with different permissions, and internal to external), operations on the outbound file are mapped to operations on the platform-side data object, and computations such as data similarity, sensitivity and encryption/decryption are unified. Through this data mapping and computation caching, the DLP system's consumption of compute and storage resources is reduced. At the same time, through the differentiated access mechanism, the corresponding outbound data control policy is loaded according to the user's login scenario, which reduces the impact on the user's normal data operations and improves the working efficiency of cloud desktop users.
Description of the drawings
Fig. 1 is a composition diagram of an existing DLP system.
Fig. 2 is a structural diagram of the host-side endpoint of the present invention.
Fig. 3 is a structural diagram of the platform side of the present invention.
Fig. 4 is a flow chart of the file-to-data-object mapping of the present invention.
Fig. 5 is a flow chart of outbound file control from an internal user to an internal user with identical permissions according to the present invention.
Fig. 6 is a flow chart of outbound file control from an internal user to an internal user with different permissions according to the present invention.
Fig. 7 is a flow chart of outbound file control from an internal user to an external user according to the present invention.
Fig. 8 is a flow chart of differentiated control by access scenario according to the present invention.
Fig. 9 is a schematic diagram of the structure of an embodiment of the present invention.
Specific embodiment
The present invention is further illustrated below with reference to the accompanying drawings and specific embodiments, but the scope of protection of the present invention is not limited thereto.
The present invention provides a design for the cloud desktop application environment which combines the advantageous functions of the traditional DLP system and realizes an outbound file control method with low compute redundancy, low storage redundancy and differentiated access control, characterized in that the method comprises the following steps:
the DLP endpoint obtains the cloud desktop user's login information, distinguishes the login scenario (determining whether the user is logging in from the internal environment or from an external environment), and loads and executes policies of different protection levels;
the cloud desktop user creates or modifies a file while operating the host;
the DLP endpoint intercepts and takes over the file creation or modification, obtains the necessary file information and pushes it to the platform side;
after verifying the user information, host information and file information, the platform side creates a data object in the data pool;
the platform side maps the data object to the host file (the file content is stored in the data pool; no file content is stored on the host, which stores only the index information of the file's data object in the data pool);
the platform side creates a data object reference record and stores the file operation records such as reads and writes;
the platform side creates the data object's similarity feature information and calculates the file's sensitivity; the similarity feature information may be, for example, the similarity of content such as words or pictures for readable documents (Office files, PDF documents, etc.), or binary similarity for binary files;
the platform side feeds the data object information and the reference record back to the endpoint, and the file creation operation is complete;
the user selects the outbound file and the outbound target user; the endpoint captures the operation and notifies the platform side;
the platform side locates the data object to which the outbound file is mapped and parses the outbound parameter combination, as follows:
internal to internal with identical permissions: no operation is performed on the outbound file (data object); the file received by the target user is mapped directly to the original data object, i.e. the target user uses the same copy as the sending user, and the transfer is identified only by adding an outbound record;
internal to internal with different permissions: no operation is performed on the outbound file (data object) at the time of sending; when the target user operates on the file, the data object is regenerated according to the specific policy and the file mapping is performed, following the same flow as file generation on the user's host, so that what the target user opens is a new data object;
internal to external: the outbound file (data object) is processed according to the specific policy, including encryption and sensitivity scanning (performed in advance), and a real file is regenerated and sent outside the perimeter.
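The following is an added example, not code from the patent or its applicant, covering the three outbound cases as stated in the claims and restated in the embodiment above: identical permissions share the existing object and only log the transfer; different permissions regenerate a per-permission copy that is reused on later sends; external recipients get a sensitivity scan and an encrypted, materialised file. The `User` model, the keyed XOR stream standing in for the platform's encryption step, the regular expression standing in for sensitivity scanning and the sample data are all assumptions of this example; a deployment would use an authenticated cipher such as AES-GCM and a real classifier.

```python
"""Added example (not from the patent): one dispatcher for the three outbound
cases over a content-addressed pool. toy_transform is NOT a cipher, only a
deterministic stand-in so the example runs offline; SENSITIVE is a stand-in
for the sensitivity scanner; all sample users and content are constructed."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    internal: bool
    permission: str   # permission group, e.g. a department


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def toy_transform(data: bytes, key: str) -> bytes:
    """Deterministic keyed XOR stream standing in for encryption. NOT secure."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream.extend(hashlib.sha256(f"{key}:{counter}".encode()).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


SENSITIVE = re.compile(rb"\b(?:CONFIDENTIAL|salary|passport)\b", re.I)


def sensitivity(data: bytes) -> int:
    """Assumed scoring rule: number of sensitive-pattern hits."""
    return len(SENSITIVE.findall(data))


class OutboundControl:
    def __init__(self) -> None:
        self.pool: dict[str, bytes] = {}    # data object pool, keyed by digest
        self.log: list[dict] = []           # outbound control records

    def add_object(self, content: bytes) -> str:
        d = digest(content)
        self.pool.setdefault(d, content)
        return d

    def _derive(self, src: bytes, key: str) -> tuple[str, bool]:
        """Regenerate a copy for a policy key; reuse it if an earlier send made it."""
        derived = toy_transform(src, key)
        d = digest(derived)
        reused = d in self.pool
        self.pool.setdefault(d, derived)
        return d, reused

    def send(self, obj: str, sender: User, target: User) -> dict:
        """Return the outbound record; 'object' is the data object the target opens."""
        if not sender.internal:
            raise PermissionError("only internal senders are described")
        src = self.pool[obj]
        rec = {"from": sender.name, "to": target.name, "source": obj}
        if target.internal and sender.permission == target.permission:
            # Case 1: same copy for both users, identified only by the record.
            rec.update(case="internal-same", object=obj, reused=True)
        elif target.internal:
            # Case 2: a copy bound to the target's permission group.
            d, reused = self._derive(src, f"perm:{target.permission}")
            rec.update(case="internal-diff", object=d, reused=reused)
        else:
            # Case 3: scan in advance, then encrypt and materialise a real file.
            rec["sensitivity"] = sensitivity(src)
            d, reused = self._derive(src, f"ext:{target.name}")
            rec.update(case="internal-external", object=d, reused=reused,
                       payload=self.pool[d])
        self.log.append(rec)
        return rec


def demo() -> list[dict]:
    """Constructed sample: finance -> finance, finance -> hr (twice), finance -> external."""
    ctl = OutboundControl()
    alice = User("alice", True, "finance")
    bob = User("bob", True, "finance")
    carol = User("carol", True, "hr")
    dan = User("dan", False, "none")
    obj = ctl.add_object(b"CONFIDENTIAL: Q3 salary review (constructed sample)")
    return [ctl.send(obj, alice, bob), ctl.send(obj, alice, carol),
            ctl.send(obj, bob, carol), ctl.send(obj, alice, dan)]
```

The second send to the `hr` group (from a different sender) finds the derived object already in the pool and sets `reused` to true, which is exactly the "modified copy already exists, no need to regenerate" behaviour the Fig. 6 description relies on. Note that the patent specifies a scan before external delivery but not what to do with the result; the record simply carries the score so a policy layer can decide.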
Preferably, the method requires two classes of components: the host-side endpoint and the platform side.
Preferably, the outbound data operations include e-mail, web page, application program and file sharing.
Preferably, the outbound flows controlled by the method include internal to internal with identical permissions, internal to internal with different permissions, and internal to external.
Preferably, the host-side file mapping needs to store the file's basic information (file name, file size, owning user, user permissions, file hash, creation time, modification time, last access time) and additional reference information (read records, write records, copy records, delete records).
Preferably, the data object computation operations include similarity calculation, sensitivity calculation and encryption/decryption calculation.
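The following is an added example, not code from the patent or its applicant, of the similarity feature the embodiment describes: word-content similarity for readable documents and byte-level similarity for binaries, both as Jaccard similarity over shingles, plus a retrieval function that finds near-duplicate objects in the pool. The text/binary heuristic, the shingle sizes and the sample documents are assumptions of this example.

```python
"""Added example (not from the patent): similarity features for data objects.
Readable documents are compared on word 3-shingles, binaries on byte
4-grams; the heuristic, the shingle sizes and all sample data are assumed."""
from __future__ import annotations

import re


def is_text(data: bytes) -> bool:
    """Heuristic: no NUL bytes and at least 90% printable -> readable document."""
    if b"\x00" in data:
        return False
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in data)
    return printable >= 0.9 * len(data)


def word_shingles(data: bytes, k: int = 3) -> set[tuple[str, ...]]:
    """Word-content feature for Office/PDF-style text (after text extraction)."""
    words = re.findall(r"\w+", data.decode("utf-8", "ignore").lower())
    return {tuple(words[i:i + k]) for i in range(max(len(words) - k + 1, 1))}


def byte_shingles(data: bytes, k: int = 4) -> set[bytes]:
    """Binary feature: the set of k-byte windows."""
    return {data[i:i + k] for i in range(max(len(data) - k + 1, 1))}


def features(data: bytes) -> tuple[str, set]:
    """Similarity feature stored alongside the data object."""
    if is_text(data):
        return "text", word_shingles(data)
    return "binary", byte_shingles(data)


def jaccard(a: set, b: set) -> float:
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)


def similar_objects(pool: dict[str, tuple[str, set]], probe: bytes,
                    threshold: float) -> list[tuple[str, float]]:
    """Return (digest, score) for pool objects of the same kind above threshold,
    best match first. Used to decide whether a new object is a near-duplicate."""
    kind, feat = features(probe)
    hits = [(d, jaccard(feat, f)) for d, (k, f) in pool.items() if k == kind]
    return sorted((h for h in hits if h[1] >= threshold), key=lambda h: -h[1])


def demo() -> dict:
    """Constructed sample: an edited report, an unrelated memo, a patched binary."""
    base = (b"Quarterly financial summary. Revenue grew eight percent year over year "
            b"while operating costs remained flat across all regions.")
    edited = base.replace(b"eight", b"nine")
    other = b"Minutes of the facilities meeting: parking, lighting, and the broken lift."
    firmware = bytes(range(256)) * 4
    patched = bytearray(firmware)
    patched[100:104] = b"\xff\xff\xff\xff"
    pool = {"base": features(base), "fw": features(firmware)}
    return {
        "text_near_dup": jaccard(word_shingles(base), word_shingles(edited)),
        "text_unrelated": jaccard(word_shingles(base), word_shingles(other)),
        "bin_near_dup": jaccard(byte_shingles(firmware), byte_shingles(bytes(patched))),
        "kind_text": features(base)[0],
        "kind_bin": features(firmware)[0],
        "retrieved": similar_objects(pool, edited, 0.5),
    }
```

Changing one word of an eighteen-word document invalidates three of its sixteen 3-shingles, so the score drops to roughly 0.68 rather than to zero; a four-byte patch in a 1 KiB binary scores above 0.97. Exact Jaccard over full shingle sets is fine for a demonstration; a pool of real size would store MinHash sketches of these sets instead.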
Preferably, the reference information used by the platform side for differentiated access includes the login user, login location, login IP address and login host.
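The following is an added example, not code from the patent or its applicant, of classifying the login scenario from the four reference items just listed (login user, location, IP address, host) and loading a protection level from it. The internal address ranges, the managed-host inventory, the contents of the two policy levels and the sample logins are assumptions of this example; the one design decision worth copying is that the classifier fails closed, treating a login as external unless every signal agrees it is internal.

```python
"""Added example (not from the patent): login-scenario classification and
policy selection for differentiated access. Networks, host inventory, policy
contents and sample logins are constructed assumptions."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]
MANAGED_HOSTS = {"desk-01": "hq", "desk-02": "hq", "desk-07": "branch-sh"}  # host -> site
KNOWN_USERS = {"alice", "bob"}

# Protection levels; a higher level is stricter (assumed policy contents).
POLICIES = {
    "internal": {"level": 1, "encrypt_outbound": False, "external_recipients": "scan"},
    "external": {"level": 2, "encrypt_outbound": True, "external_recipients": "deny"},
}


@dataclass(frozen=True)
class Login:
    user: str
    location: str
    ip: str
    host: str


def classify(login: Login) -> str:
    """Fail closed: 'internal' only when user, IP, host and location all agree."""
    try:
        addr = ipaddress.ip_address(login.ip)
    except ValueError:
        return "external"
    ip_internal = any(addr in net for net in INTERNAL_NETS)
    host_site = MANAGED_HOSTS.get(login.host)
    if (login.user in KNOWN_USERS and ip_internal
            and host_site is not None and login.location == host_site):
        return "internal"
    return "external"


def load_policy(login: Login) -> dict:
    """The policy set the endpoint loads and enforces for this session."""
    scene = classify(login)
    return {"scene": scene, **POLICIES[scene]}


def demo() -> dict[str, dict]:
    """Constructed logins: at the office, on a trip, an internal IP from an
    unmanaged host, and a malformed address."""
    return {
        "office": load_policy(Login("alice", "hq", "10.20.1.15", "desk-01")),
        "trip": load_policy(Login("alice", "hotel-wifi", "203.0.113.7", "desk-01")),
        "spoofed_ip": load_policy(Login("bob", "hq", "10.20.1.99", "laptop-unknown")),
        "bad_ip": load_policy(Login("bob", "hq", "not-an-ip", "desk-02")),
    }
```

The "spoofed_ip" case is the reason for requiring agreement between signals: an internal source address alone is easy to obtain (VPN, a guest segment, a forged header) and must not unlock the lighter policy on its own.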
The present invention provides an outbound data control subsystem of a DLP system suitable for a cloud desktop environment, characterized in that the subsystem comprises:
an outbound control agent, a host-side endpoint component, which manages and schedules the corresponding cloud file outbound control operations and reports the control result;
a file information module, a host-side endpoint component, which supplies the file and traffic information needed for the various kinds of outbound file control;
a file mapping module, a host-side endpoint component, which manages the host user's data files and maps them to platform-side data objects;
a data object management module, a platform-side component, which manages all data objects on the platform;
a data object access module, a platform-side component, which provides access operations on data objects;
a data object pool module, a platform-side component, which stores the file content data mapped from user hosts;
a data similarity calculation module, a platform-side component, which calculates data object similarity and retrieves similar data;
a data encryption/decryption calculation module, a platform-side component, which performs encryption and decryption of data objects for specified permissions;
a data sensitivity calculation module, a platform-side component, which scans data objects and calculates their sensitivity;
a differentiated access management module, a platform-side component, which evaluates the login information of the logging-in user and loads the outbound data control policy differently for different access scenarios;
an outbound control log module, a platform-side component, which records all outbound data control operations.
Fig. 2 shows the structure of the host-side endpoint of the present invention. On the software side, components such as peripheral device control are removed, and the outbound control agent, the file information module (providing reference file information) and the file mapping module (transmitting file operation logic and data to the platform side to accomplish the file mapping) required by the present invention are added.
Fig. 3 shows the structure of the platform side of the present invention. In addition to the components of the traditional DLP server, it includes the data object management module, data object access module, data object pool module, data similarity calculation module, data encryption/decryption calculation module, data sensitivity calculation module, differentiated access management module and outbound control log module added by the present invention.
Fig. 4 shows the file-to-data-object mapping flow of the present invention, in which the endpoint and the platform cooperate to complete the capture, forwarding, mapping, access and response of file operations.
Fig. 5 is the flow of outbound file control from an internal user to an internal user with identical permissions according to the present invention, comprising the following method steps:
outbound operation capture: the user selects the outbound file and the target user; the endpoint captures the operation and notifies the platform side;
outbound information analysis: the platform side parses the outbound parameter combination and determines the validity of the operation and the outbound information;
data object location: the platform side retrieves from the data pool, according to the file information, the data object to which the outbound file is mapped;
data record update: the platform side updates the data object record and adds an outbound record;
outbound result feedback: according to whether the data object was correctly located in the data object pool, the platform side determines the data object access result and feeds it back to the source data endpoint, which completes the outbound file operation on the corresponding data object; the information fed back is the mapping between the file and the data object, i.e. the mapping established when the file was created;
receive operation capture: the target data endpoint captures the target user's receive operation on the outbound file and notifies the platform side;
data record update: the platform side updates the data object record and adds a receive record.
Fig. 6 shows the outgoing management and control flow for internal files sent between internal users with different permissions, which includes the following method steps:
Outgoing operation capture: the user selects the outgoing file and the outgoing target user; the terminal captures the operation and notifies the platform side;
Outgoing message analysis: the platform side parses the combination of outgoing parameters and determines the validity of the operation and the outgoing message;
Data object positioning: the platform side retrieves the data pool according to the file information and determines the data object to which the outgoing file is mapped;
Data policy loading: according to the outgoing message, the platform side determines the data object operations that need to be performed (encryption/decryption, sensitivity scanning, etc.) and adds them to the outgoing record;
Data record update: the platform side updates the data object record information and adds an outgoing record;
The data object record information includes the outgoing record information;
Outgoing result feedback: based on the retrieval result for the data object in the data object pool, i.e. whether it was correctly located, the platform side determines the data object access result and feeds it back to the source data terminal, which completes the outgoing file operation against the corresponding data object;
Receive operation capture: the target data terminal captures the target user's receipt of the outgoing file and notifies the platform side;
Data object retrieval: the platform side obtains and evaluates the outgoing record and retrieves the data pool for an identical data object (i.e. one produced by a file that went through the same flow before); if it exists, the same object is reused, otherwise a new data object is created according to the requirements in the outgoing record;
That is, when a file is sent from one department to another department for the first time, the source file (data object) must be processed (for example encrypted) according to information such as permissions, producing a modified copy (i.e. a new data object); when the same file is sent a second or subsequent time, the modified copy of the source file already exists and need not be generated again, so the previous copy is used directly; otherwise a new data object (the processed copy) is created.
Data record update: the platform side updates the data object record information and adds a receive record;
Data object mapping: the platform side cooperates with the target data terminal to complete the mapping between the new data object and the target user's host file;
Receive operation feedback: the platform side notifies the target user's terminal that the mapping between the file and the data object is complete.
Fig. 7 shows the outgoing management and control flow of the present invention for internal files sent to external users, which includes the following method steps:
Outgoing operation capture: the user selects the outgoing file and the outgoing target user; the terminal captures the operation and notifies the platform side;
Outgoing message analysis: the platform side parses the combination of outgoing parameters and determines the validity of the operation and the outgoing message;
Data object positioning: the platform side retrieves the data pool according to the file information and determines the data object to which the outgoing file is mapped;
Data policy loading: according to the outgoing message, the platform side determines the data object operations that need to be performed (encryption/decryption, sensitivity scanning, etc.) and adds them to the outgoing record;
Data record update: the platform side updates the data object record information and adds an outgoing record;
Data object retrieval: the platform side obtains and evaluates the outgoing record and retrieves the data pool for an identical data object (i.e. one produced by a file that went through the same flow before); if it exists, the same object is reused, otherwise a new data object is created according to the requirements in the outgoing record;
That is, when a file is sent from one department to another department for the first time, the source file (data object) must be processed (for example encrypted) according to information such as permissions, producing a modified copy (i.e. a new data object); when the same file is sent a second or subsequent time, the modified copy of the source file already exists and need not be generated again, so the previous copy is used directly; otherwise a new data object (the processed copy) is created.
Because the outside of the perimeter can neither map nor store data objects, the data object itself cannot be sent outside; this step therefore only preserves the file that is to be sent externally, so that subsequent sending of the same file is fast.
Outgoing result feedback: based on the retrieval result for the data object in the data object pool, i.e. whether it was correctly located, the platform side determines the data object access result and feeds it back to the source data terminal, which completes the outgoing file operation against the corresponding data object.
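To make the three outgoing flows above concrete, the following is a constructed Python model added here; it is not the patent's code. It assumes the names Platform, User, DataObject and send_file, and replaces the real encryption and sensitivity modules with a fixed XOR mask; it covers the same-permission case (Fig. 5), the different-permission case with reuse of an earlier processed copy (Fig. 6) and the external case where nothing is mapped at the target (Fig. 7).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
import hashlib


@dataclass
class User:
    name: str
    internal: bool        # inside the enterprise perimeter?
    permission: str       # constructed permission label, e.g. "L2"


@dataclass
class DataObject:
    object_id: str
    content: bytes
    owner: str
    derived_from: Optional[str] = None        # source object of a processed copy
    processing: Tuple[str, ...] = ()          # operations applied, e.g. ("encrypt",)
    records: List[dict] = field(default_factory=list)   # outgoing / receive records


def _process(content: bytes, ops: Tuple[str, ...]) -> bytes:
    # Stand-in for the encryption and sensitivity modules (assumed): a fixed
    # XOR mask so that an "encrypt" step visibly changes the stored bytes.
    return bytes(b ^ 0x5A for b in content) if "encrypt" in ops else content


class Platform:
    """Platform side: data object pool, file map and management/control log."""

    def __init__(self) -> None:
        self.pool: Dict[str, DataObject] = {}                # data object pool
        self.file_map: Dict[Tuple[str, str], str] = {}       # (host, path) -> object id
        self.log: List[str] = []

    def capture_file(self, host: str, path: str, content: bytes, owner: str) -> str:
        """Fig. 4: a captured file operation becomes a data object in the pool;
        the host file is mapped to it and the content lives only in the pool."""
        oid = hashlib.sha256(content).hexdigest()[:16]
        if oid not in self.pool:                          # identical content: reuse
            self.pool[oid] = DataObject(oid, content, owner)
        self.file_map[(host, path)] = oid
        return oid

    def load_policy(self, sender: User, target: User) -> Tuple[str, ...]:
        """Data policy loading: which operations the outgoing copy needs."""
        if sender.internal and target.internal and sender.permission == target.permission:
            return ()                                     # Fig. 5: share the object as-is
        return ("encrypt", "sensitivity_scan")            # Figs. 6/7: processed copy

    def _locate_or_create(self, src: DataObject, ops: Tuple[str, ...]) -> DataObject:
        """Data object retrieval: reuse the copy produced by an earlier identical flow."""
        for obj in self.pool.values():
            if obj.derived_from == src.object_id and obj.processing == ops:
                self.log.append(f"reuse {obj.object_id}")
                return obj
        oid = hashlib.sha256(f"{src.object_id}:{ops}".encode()).hexdigest()[:16]
        obj = DataObject(oid, _process(src.content, ops), src.owner, src.object_id, ops)
        self.pool[oid] = obj
        self.log.append(f"create {oid}")
        return obj

    def send_file(self, sender: User, host: str, path: str,
                  target: User, target_host: str) -> Optional[str]:
        """Outgoing control. Returns the object id mapped at the target host, or
        None when the operation is invalid or the target is outside the perimeter."""
        oid = self.file_map.get((host, path))
        if oid is None:                                   # outgoing message analysis
            self.log.append(f"reject {path}: no mapped data object")
            return None
        src = self.pool[oid]
        ops = self.load_policy(sender, target)
        src.records.append({"event": "outgoing", "to": target.name, "ops": ops})
        obj = src if not ops else self._locate_or_create(src, ops)
        if not target.internal:
            # Fig. 7: the outside cannot map or store objects; keep the processed
            # copy only so that a later send of the same file is fast.
            self.log.append(f"external {target.name}: {obj.object_id} preserved")
            return None
        obj.records.append({"event": "receive", "by": target.name})
        self.file_map[(target_host, path)] = obj.object_id   # Figs. 5/6: target mapping
        return obj.object_id
```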
Fig. 8 shows the access scene differentiation management and control flow of the present invention, which includes the following method steps:
User access: the user logs in to the cloud desktop and the anti-data-leakage terminal using a remote desktop tool;
Information parsing: the login user information, login IP, login means and other information are obtained, and login information such as the IP is parsed to obtain the geographical location;
Scene positioning: the various judgement information is aggregated with preset parameters to compute the scene from which the user logs in to the cloud desktop (own department, other department, outside the enterprise, etc.);
Load and execute: the management and control strategy to load is dynamically selected according to the positioned scene and executed;
Access monitoring: the user's access information is monitored dynamically and without interruption, user behaviour is analyzed and located, and false access or access deception is averted in time.
<Specific embodiment>
As shown in Fig. 9, a small enterprise customer that had built a private cloud desktop environment deployed an anti-data-leakage system implemented according to the method of the present invention, building an anti-data-leakage mechanism based on cloud data management and control measures. The mechanism handles the cloud desktop storage of all users uniformly: the common storage anti-leakage component completes the storage of data files, and duplicate file verification together with file similarity calculation avoids redundant files; a file sensitivity calculation function is introduced at the platform side to calculate file sensitivity in advance. In addition, by introducing access-scene-differentiated strategy measures, different management and control strategies are applied to users logging in from inside the enterprise and from outside. The server side comprises the following servers:
2 anti-data-leakage system management servers (1 core, 1 load), implementing the functions of a traditional DLP server;
2 cloud data object storage servers, storing the cloud desktop data files of all users;
1 cloud data object computing server, performing encryption/decryption, similarity calculation and sensitivity calculation on files (data objects).
The anti-data-leakage system is deployed in the cloud desktop environment and its overall operation is normal. By measurement, in a scenario with 300 cloud desktops (terminals), host file operations incur an additional delay of 5 ms and file management and control adds a further 5 ms, which has no significant effect on the user's normal operation. Meanwhile, a higher data management and control level is applied to users logging in to the cloud desktop from outside the enterprise, while data management and control inside the enterprise is relatively relaxed, so that the user's normal use is not disturbed.
With the technical solution of the present invention, the anti-data-leakage system only needs to migrate components such as storage driving and management and network driving and management into the cloud. Taking advantage of the cloud, it reduces computing redundancy and storage redundancy; without the user noticing, it applies data management and control operations to files using highly scalable storage and computing components, responds in time to the transmission of sensitive data, effectively controls the data leakage that might otherwise occur, and ensures the data security of users in the deployed cloud desktop environment. In addition, by distinguishing the access position from which the user logs in to the cloud desktop, strict or relaxed data management and control is applied according to the predetermined policy level; in a relatively safe environment the level of some management and control measures is lowered, which reduces the operational interference to the user and improves the friendliness of the anti-data-leakage system.
The above example serves only as an example of the protection scheme of the present invention and does not limit the specific embodiments of the present invention.
Claims (17)
1. A data leakage prevention method for a cloud desktop application environment, characterized in that the method comprises the following steps:
1) an anti-data-leakage terminal intercepts and takes over the file operation process of a cloud desktop user, obtains the file operation information generated while the cloud desktop user operates on the host, and pushes it to the platform side;
2) the platform side establishes a corresponding data object in the data pool according to the file operation information;
3) the platform side maps the data object to the host file and saves the file mapping information;
4) the cloud desktop user selects an outgoing host file and a target user; the anti-data-leakage terminal captures the cloud desktop user's outgoing host file sending information and notifies the platform side;
5) the platform side queries the file mapping information according to the outgoing host file sending information, determines the management and control strategy for the outgoing host file, and sends the outgoing host file according to that management and control strategy.
2. The method according to claim 1, wherein in step 2) the platform side maps the data object to the host file, the file content being stored in the data object in the data pool and not on the host.
3. The method according to claim 1, wherein in step 2), after the platform side has established the corresponding data object in the data pool according to the file operation information, the platform side also performs the following operations:
establishing a data object reference record and storing read and write file operation records;
establishing data object similarity characteristic information and calculating the file sensitivity;
feeding the data object information and the data object reference record back to the anti-data-leakage terminal.
4. The method according to claim 1, wherein in step 5) the platform side querying the file mapping information according to the outgoing host file sending information, determining the management and control strategy for the outgoing host file, and sending the outgoing host file according to that management and control strategy comprises: positioning the data object to which the outgoing host file is mapped, and determining the type and user permission of the target user;
and sending the data object corresponding to the outgoing host file according to the target user type and user permission.
5. The method according to claim 4, wherein sending the data object corresponding to the outgoing host file according to the target user type and user operation permission comprises:
if the cloud desktop user and the target user are both internal users with identical operation permissions, then:
the platform side retrieves the data pool according to the outgoing host file information and determines the data object to which the outgoing host file is mapped, updates the data object record information, adds an outgoing record, and, according to the data object access result, feeds the result back to the source user's anti-data-leakage terminal;
the target user's anti-data-leakage terminal captures the target user's host file receive operation and notifies the platform side;
the platform side updates the data object record information and adds a receive record.
6. The method according to claim 4, wherein sending the data object corresponding to the outgoing host file according to the target user type and user operation permission comprises:
if the cloud desktop user and the target user are both internal users with different operation permissions, then:
the platform side retrieves the data pool according to the outgoing file information and determines the data object to which the outgoing host file is mapped, and, according to the outgoing host file sending information, determines the data object operations that need to be performed and adds them to the outgoing record;
the platform side updates the data object record information, adds an outgoing record, and, according to the data object access result, feeds the result back to the source user's anti-data-leakage terminal;
the target user's anti-data-leakage terminal captures the target user's host file receive operation and notifies the platform side;
the platform side obtains and evaluates the outgoing record and retrieves the data pool for the same data object; if it exists, the same object is reused, otherwise a new data object is created according to the requirements in the outgoing record;
the platform side updates the data object record information and adds a receive record;
the platform side cooperates with the target user's anti-data-leakage terminal to complete the mapping between the received data object and the target user's host file.
7. The method according to claim 4, wherein sending the data object corresponding to the outgoing host file according to the target user type and user operation permission comprises:
if the outgoing host file is sent by an internal cloud desktop user to an external user, then:
the platform side retrieves the data pool according to the outgoing host file information and determines the data object to which the outgoing host file is mapped, and, according to the outgoing host file sending information, determines the data object operations that need to be performed and adds them to the outgoing record;
the platform side updates the data object record information and adds an outgoing record;
the platform side obtains and evaluates the outgoing record and retrieves the data pool for the same data object; if it exists, the same data object is reused, otherwise a new data object is created according to the requirements in the outgoing record.
8. The method according to claim 1, wherein the cloud desktop user sends the host file by at least one of the following means: mail sending, web page sending, application program sending, or file sharing.
9. The method according to claim 1, wherein in step 3) the platform side maps the data object to the host file and saves the file mapping information, and the information of the host file that needs to be mapped to the data object includes: file name, file size, file owner, user permission, file hash value, creation time, modification time, last read time, and the file's read record, write record, copy record and delete record.
10. A data leakage prevention system for a cloud desktop application environment, characterized in that the system comprises: at least two anti-data-leakage terminals and one platform side;
the anti-data-leakage terminal intercepts and takes over the file operation process of a cloud desktop user, obtains the file operation information generated while the cloud desktop user operates on the host, and pushes it to the platform side;
when the cloud desktop user selects an outgoing host file and a target user, the anti-data-leakage terminal captures the cloud desktop user's outgoing host file sending information and notifies the platform side;
the platform side establishes a corresponding data object in the data pool according to the file operation information;
the platform side maps the data object to the host file and saves the file mapping information;
the platform side queries the file mapping information according to the outgoing host file sending information from the anti-data-leakage terminal, determines the management and control strategy for the outgoing host file, and sends the outgoing host file to the target anti-data-leakage terminal according to that management and control strategy.
11. The system according to claim 10, wherein the platform side maps the data object to the host file, the file content being stored in the data object in the data pool and not on the host.
12. The system according to claim 10, wherein after the platform side has established the corresponding data object in the data pool according to the file operation information, the platform side performs the following operations:
establishing a data object reference record and storing read and write file operation records;
establishing data object similarity characteristic information and calculating the file sensitivity;
feeding the data object information and the data object reference record back to the anti-data-leakage terminal.
13. The system according to claim 10, wherein the platform side querying the file mapping information according to the outgoing host file sending information, determining the management and control strategy for the outgoing host file, and sending the outgoing host file according to that management and control strategy comprises:
positioning the data object to which the outgoing host file is mapped, and determining the type and user permission of the target user;
and sending the data object corresponding to the outgoing host file according to the target user type and user permission.
14. The system according to claim 10, wherein the platform side maps the data object to the host file and saves the file mapping information, and the information of the host file that needs to be mapped to the data object includes: file name, file size, file owner, user permission, file hash value, creation time, modification time, last read time, and the file's read record, write record, copy record and delete record.
15. The system according to claim 10, wherein the platform side comprises a cloud data object storage server for establishing the data pool and data objects and an anti-data-leakage system management server for issuing management and control strategies.
16. A data leakage prevention system for a cloud desktop application environment, characterized in that the system comprises: at least two anti-data-leakage terminals and one platform side;
each of the at least two anti-data-leakage terminals and the platform side is provided with a computer-readable storage medium and a computer processor; the computer-readable storage media of the at least two anti-data-leakage terminals and of the platform side each store computer program instructions;
the computer processors of the at least two anti-data-leakage terminals and of the platform side respectively execute the corresponding computer program instructions to implement the method according to any one of claims 1-9.
17. The system according to claim 16, wherein the platform side comprises a cloud data object storage server for establishing the data pool and data objects and an anti-data-leakage system management server for issuing management and control strategies.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711321695.3A CN108133143B (en) | 2017-12-12 | 2017-12-12 | Data leakage prevention method and system for cloud desktop application environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108133143A true CN108133143A (en) | 2018-06-08 |
CN108133143B CN108133143B (en) | 2020-02-28 |