CN111209575A - Data protection method, generation method, transmission method, device and storage medium - Google Patents


Info

Publication number
CN111209575A
Authority
CN
China
Prior art keywords
additional information
data
access
target data
security
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201811401407.XA
Other languages
Chinese (zh)
Other versions
CN111209575B (en)
Inventor
吴晓昕
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Group Holding Ltd
Original Assignee
Alibaba Group Holding Ltd
Application filed by Alibaba Group Holding Ltd
Priority to CN201811401407.XA
Publication of CN111209575A
Application granted
Publication of CN111209575B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/604 Tools and structures for managing or administering access control systems
    • G06F21/602 Providing cryptographic facilities or services

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Storage Device Security (AREA)

Abstract

The embodiments of the application provide a data protection method, a generation method, a transmission method, a device and a storage medium. The data protection method comprises the following steps: acquiring security additional information corresponding to target data according to an access request of a current application program for the target data; determining the access authority of the current application program for the target data according to the security additional information corresponding to the target data; and rejecting the access request if the access request of the current application program for the target data does not conform to the access authority. In the embodiments of the application, active protection of the data can be realized based on the security additional information corresponding to the data, and abnormal access behaviors aimed at the data are blocked at the source, so that data security can be effectively improved.

Description

Data protection method, generation method, transmission method, device and storage medium
Technical Field
The present application relates to the field of data security technologies, and in particular, to a data protection method, a generation method, a transmission method, a device, and a storage medium.
Background
With the popularization of computers and networks, digital technology is changing the social environment in which people live, and the way people live and work is changing greatly. Digital technology gives people's living and working environments more digital features, and a great deal of information exists in computers and networks in the form of data.
At present, data protection mainly adopts a passive protection mode. For example, traffic monitoring can be performed while the data is in use, and whether the data is abnormally accessed is judged according to information such as the flow direction of the traffic. However, the passive protection method can only respond after the data has already been accessed abnormally, so part of the data is still lost and the data protection effect is poor.
Disclosure of Invention
Aspects of the present application provide a data protection method, a generation method, a transmission method, a device, and a storage medium to improve data security.
An embodiment of the present application provides a data protection method, including:
according to an access request of a current application program to target data, acquiring security additional information corresponding to the target data;
determining the access authority of the current application program to the target data according to the security additional information corresponding to the target data;
and if the access request of the current application program to the target data does not conform to the access authority, rejecting the access request.
The embodiment of the application also provides data protection equipment, which comprises a memory and a processor;
the memory to store one or more computer instructions;
the processor, coupled with the memory, to execute the one or more computer instructions to:
according to an access request of a current application program to target data, acquiring security additional information corresponding to the target data;
determining the access authority of the current application program to the target data according to the security additional information corresponding to the target data;
and if the access request of the current application program to the target data does not conform to the access authority, rejecting the access request.
An embodiment of the present application further provides a data generation method, including:
acquiring original data and a unique identifier corresponding to the original data;
generating first security additional information according to the security level of the original data;
generating second security additional information according to an access object corresponding to the original data, wherein the second security additional information comprises an access object blacklist or whitelist;
generating third security additional information according to an access protocol corresponding to the original data, wherein the third security additional information comprises an access object communication protocol type;
combining and encrypting the first, second and third security additional information to obtain encrypted security additional information;
associating the unique identifier with the encrypted security additional information;
storing the associated encrypted security additional information.
An embodiment of the present application further provides a data generation method, including:
acquiring original data and a unique identifier corresponding to the original data;
generating first security additional information according to the security level of the original data;
generating third security additional information according to an access protocol corresponding to the original data, wherein the third security additional information comprises an access object communication protocol type;
combining and encrypting the first and third security additional information to obtain encrypted security additional information;
associating the unique identifier with the encrypted security additional information;
storing the associated encrypted security additional information.
An embodiment of the present application further provides a data transmission method, including:
acquiring a unique identifier corresponding to data to be transmitted;
acquiring security additional information associated with the unique identifier according to the unique identifier;
decrypting the security additional information to obtain a security level and a communication protocol type;
determining that the transmission target address of the data to be transmitted meets a preset condition based on the security level;
and sending the data to be transmitted to the transmission target address based on the communication protocol type.
The embodiment of the application also provides a computing device, which comprises a memory and a processor;
the memory to store one or more computer instructions;
the processor, coupled with the memory, to execute the one or more computer instructions to:
acquiring original data and a unique identifier corresponding to the original data;
generating first security additional information according to the security level of the original data;
generating second security additional information according to an access object corresponding to the original data, wherein the second security additional information comprises an access object blacklist or whitelist;
generating third security additional information according to an access protocol corresponding to the original data, wherein the third security additional information comprises an access object communication protocol type;
combining and encrypting the first, second and third security additional information to obtain encrypted security additional information;
associating the unique identifier with the encrypted security additional information;
storing the associated encrypted security additional information.
The embodiment of the application also provides a computing device, which comprises a memory and a processor;
the memory to store one or more computer instructions;
the processor, coupled with the memory, to execute the one or more computer instructions to:
acquiring original data and a unique identifier corresponding to the original data;
generating first security additional information according to the security level of the original data;
generating third security additional information according to an access protocol corresponding to the original data, wherein the third security additional information comprises an access object communication protocol type;
combining and encrypting the first and third security additional information to obtain encrypted security additional information;
associating the unique identifier with the encrypted security additional information;
storing the associated encrypted security additional information.
The embodiment of the application also provides a computing device, which comprises a memory and a processor;
the memory to store one or more computer instructions;
the processor, coupled with the memory, to execute the one or more computer instructions to:
acquiring a unique identifier corresponding to data to be transmitted;
acquiring security additional information associated with the unique identifier according to the unique identifier;
decrypting the security additional information to obtain a security level and a communication protocol type;
determining that the transmission target address of the data to be transmitted meets a preset condition based on the security level;
and sending the data to be transmitted to the transmission target address based on the communication protocol type.
Embodiments of the present application also provide a computer-readable storage medium storing computer instructions that, when executed by one or more processors, cause the one or more processors to perform the aforementioned data protection method.
Embodiments of the present application also provide a computer-readable storage medium storing computer instructions, which when executed by one or more processors, cause the one or more processors to execute the aforementioned data generation method.
Embodiments of the present application also provide a computer-readable storage medium storing computer instructions, which when executed by one or more processors, cause the one or more processors to execute the aforementioned data transmission method.
In the embodiments of the application, the access authority of each application program to the target data can be determined based on the security additional information corresponding to the target data. When the current application program requests access to the target data, it can therefore be judged whether the access request is within the access authority range of the current application program for the target data, and when the access request exceeds that range, the access request can be rejected. Active protection of the data can thus be realized based on the security additional information corresponding to the data, and abnormal access behaviors aimed at the data are blocked at the source, so that data security can be effectively improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the application and together with the description serve to explain the application and not to limit the application. In the drawings:
Fig. 1 is a schematic flowchart of a data protection method according to an embodiment of the present application;
Fig. 2 is a schematic flowchart of another data protection method according to an embodiment of the present application;
Fig. 3 is a schematic flowchart of a data generation method according to another embodiment of the present application;
Fig. 4 is a schematic flowchart of a data generation method according to another embodiment of the present application;
Fig. 5 is a schematic flowchart of a data transmission method according to another embodiment of the present application;
Fig. 6 is a schematic structural diagram of a data protection device according to another embodiment of the present application;
Fig. 7 is a schematic block diagram of a computing device according to yet another embodiment of the present application;
Fig. 8 is a schematic block diagram of a computing device according to yet another embodiment of the present application;
Fig. 9 is a schematic structural diagram of a computing device according to another embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the technical solutions of the present application will be described in detail and completely with reference to the following specific embodiments of the present application and the accompanying drawings. It should be apparent that the described embodiments are only some of the embodiments of the present application, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Currently, in the field of data security, a passive protection method is usually adopted for data protection, but this method still causes partial data loss, and the data protection effect is poor. In some embodiments of the present application, the access authority of each application program to the target data can be determined based on the security additional information corresponding to the target data. Accordingly, when the current application program requests access to the target data, it can be judged whether the access request is within the access authority range of the current application program for the target data, and when the access request exceeds that range, the access request can be rejected. Active protection of the data can thus be realized based on the security additional information corresponding to the data, and abnormal access behaviors aimed at the data are blocked at the source, so that data security can be effectively improved.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Fig. 1 is a schematic flow chart of a data protection method according to an embodiment of the present application. As shown in fig. 1, the method includes:
100. acquiring security additional information corresponding to target data according to an access request of a current application program to the target data;
101. determining the access authority of the current application program to the target data according to the security additional information corresponding to the target data;
102. and if the access request of the current application program to the target data does not conform to the access authority, rejecting the access request.
The data protection method provided by the embodiment may be applicable to various scenarios requiring data protection, for example, data protection in a cloud storage scenario, data protection in an enterprise internal storage scenario, and the like, which is only exemplary, and the data protection method provided by the embodiment may also be applied to other scenarios.
The target data in the present embodiment may be stored in different storage devices according to different application scenarios, for example, in the above-described cloud storage scenario, the target data may be stored in a storage device in a cloud architecture, in the above-described enterprise internal storage scenario, the target data may be stored in a storage device inside an enterprise, and so on.
In this embodiment, the target data and the corresponding security additional information are stored in association with each other. In some practical applications, the security additional information corresponding to the target data may be carried in a header of the target data. In other practical applications, the target data and the corresponding security additional information may be stored separately after the association relationship between the target data and the corresponding security additional information is established.
In order to authenticate the access request for the target data more fully, in some practical applications an authentication mechanism may be set in the storage device where the target data is located, so that the storage device initiates an authentication request when it receives an access request for the target data. In step 100, the security additional information corresponding to the target data may be obtained upon receiving the authentication request. In other practical applications, the access requests received by the storage device where the target data is located may be monitored, and when an access request for the target data is detected, the security additional information corresponding to the target data may be obtained. Of course, in this embodiment, the operation of acquiring the security additional information corresponding to the target data may also be triggered by other conditions, which is not limited in this embodiment.
In this embodiment, information such as the relevant attributes of the application program, of the target data, and of the access request may also be obtained according to the access request of the application program to the target data. Examples are the identity, type and security level of the application program; the identity of the target data and the storage location of its corresponding security additional information; and the access type of the access request. Other information is also possible and is not listed exhaustively here.
Based on the difference of the storage form of the security additional information corresponding to the target data, in this embodiment, the way of obtaining the security additional information corresponding to the target data may also be adaptively adjusted. For example, when the security additional information corresponding to the target data is carried in the header of the target data, the security additional information corresponding to the target data can be read from the header of the target data. For another example, when the target data and the corresponding security additional information are separately stored, after the security additional information corresponding to the target data is determined according to the association relationship between the target data and the security additional information, the corresponding security additional information may be read from the storage location of the security additional information.
In this embodiment, the security additional information may be used to reflect the data's own attributes and the details of data changes that occur during its life cycle. It may carry information related to the data, such as the data type, security level, basic access right configuration rule, and access behavior information. The access behavior information can record data related to one or more access behaviors occurring in the data life cycle.
In order to enhance the effect of data protection, the content carried in the security additional information can be enriched at a plurality of content levels. The generation process of the security additional information is explained below for several exemplary content levels.
First, the content of the security additional information can be enriched at the level of the data itself. In some practical applications, data can be scanned, data types can be determined through means such as clustering based on data content, and the security level of the data can be determined according to the data types and the industry fields to which the data belong. The data is thereby classified and graded, and information such as the data classification and security level can be carried in the security additional information. On this basis, the correspondence between authority influence parameters such as data type and security level and the basic access authority can be set in the basic access right configuration rule.
Second, the content of the security additional information can be enriched at the application level. In some practical applications, the correspondence between authority influence parameters such as the identity, type, and security level of the application program and the basic access authority can be set in the basic access right configuration rule. In other practical applications, contents of the security additional information that may be affected by the access behavior of the application program, such as the data type and security level, may be updated based on the access behavior of the application program on the target data, so that the contents stay current.
Third, the content of the security additional information can also be enriched at the access role level. In some practical applications, the correspondence between access authority influence parameters such as the identity and security level of the access role and the basic access authority can be set in the basic access right configuration rule. An access request is usually generated when an access role calls an application program to initiate access to the data, so the comprehensiveness of the security additional information can be improved at the access role level.
It should be noted that the above content levels are only exemplary and should not be construed as limiting the scope of protection of the present application. In this embodiment, the content of the security additional information may be enriched at other content levels, and more detail may be added to the content levels above, which is not exhaustive here.
Based on the security additional information of the target data, the contents of all levels contained in it can be considered together, so that the access right of the current application program to the target data can be determined more accurately. In this embodiment, based on the basic access right configuration rule of the target data, the access right of the current application program to the target data may be determined according to authority influence parameters such as the data type and security level of the target data, the type and security level of the current application program, the access role corresponding to the caller of the current application program, and the influence of the access behavior of previous application programs on the data type and security level of the target data.
According to the determined access authority of the current application program to the target data, it can be judged whether the access request of the current application program to the target data is within the range of that authority. When the access request exceeds the range of the corresponding access right, the access request can be refused. When the access request does not exceed the range of the corresponding access authority, the current application program can be allowed to access the target data according to the access request it initiated. To improve processing efficiency, the current application program can also be allowed to initiate other access behaviors on the target data, provided those access behaviors do not go beyond the range of its access authority to the target data.
In this embodiment, the access authority of each application program to the target data may be determined based on the security additional information corresponding to the target data, and accordingly, when the current application program requests to access the target data, it may be determined whether the access request of the current application program is within the access authority range of the current application program to the target data, and when the access request exceeds the corresponding access authority range, the access request may be denied. Therefore, the data protection method provided by the embodiment can authenticate the access request of the current application program to the target data, so as to realize active protection of the data, block abnormal access behavior aiming at the data from the source, and effectively improve the data security.
In the above or below embodiments, the security additional information corresponding to the target data may be encrypted.
To prevent an abnormal application program from gaining abnormal access to the target data by tampering with the security additional information of the target data, the security additional information corresponding to the target data can be encrypted and stored. In addition, the target data itself can be stored in encrypted form, which further improves the security of the target data.
Accordingly, in this embodiment, when the security additional information corresponding to the target data is obtained, it may be decrypted according to a preset encryption and decryption rule. Moreover, when the above-mentioned updating operation of the security additional information needs to be performed, the content of the security additional information may also be updated based on the preset encryption and decryption rule, thereby ensuring the security of the security additional information corresponding to the target data. The preset encryption and decryption rule may be a public key and private key rule, or another encryption and decryption rule may be adopted, which is not limited in this embodiment.
In the above or below embodiments, if the access request of the current application program to the target data conforms to the corresponding access right, it can be determined whether the security additional information corresponding to the target data carries a sensitive data tag. If it does, the sensitivity level of the target data and the security level of the current application program can be obtained; the security level requirement for an application program corresponding to that sensitivity level is determined according to the sensitivity level of the target data; and if the security level of the current application program does not meet the security level requirement, desensitization processing is performed on the target data and the access request of the current application program is answered with the desensitized target data.
In this embodiment, in the above-mentioned data scanning process, it may be determined whether the target data includes sensitive information, and if the target data includes the sensitive information, the sensitive data tag may be carried in the security additional information of the target data, where the sensitive information may be an identity card, a mobile phone number, a bank card number, or the like. Meanwhile, a desensitization rule can be carried in the security additional information of the target data, and a corresponding relation between a sensitive level and a security level of the application program is preconfigured in the desensitization rule, wherein the security level of the application program can be determined comprehensively based on the security level of the application program and the security level of an access role of a caller thereof, and the security level of the application program and the security level of the access role of the caller thereof can be determined based on attribute information such as the type of the application program and the type of the access role.
If the security additional information of the target data carries the sensitive data tag, the sensitivity level of the target data can be determined based on the preset correspondence between sensitive data tags and sensitivity levels. This correspondence can be carried in the security additional information, or it can be stored elsewhere for lookup.
According to the sensitivity level of the target data, the security level requirement of the application program corresponding to the target data can be determined, before the access request of the current application program is responded, whether the security level of the current application program meets the security level requirement can be judged, if not, desensitization processing can be executed on the target data before the access request of the current application program is responded, and the access request of the current application program is responded based on the desensitized target data. Thus, data security can be further improved.
In the above or the following embodiments, if the access request of the current application program to the target data is an external transmission request, the external transmission permission corresponding to the target data may also be obtained from the security additional information corresponding to the target data; if the external transmission permission is that external transmission is not allowed, the external transmission request is rejected.
In this embodiment, the external transmission permission may be pre-configured in the security additional information corresponding to the target data, the external transmission permission corresponding to the target data may also be determined according to the data type, the security level, the access behavior information, the anti-leakage rule, and other contents included in the security additional information corresponding to the target data, and of course, the external transmission permission of the target data may also be determined according to the security additional information corresponding to the target data based on other policies.
In this embodiment, the anti-leakage protection for the target data may be performed by using a lightweight data anti-leakage method. Of course, other anti-leakage methods may also be used, which is not limited in this embodiment.
In this embodiment, anti-leakage protection for the target data can be achieved based on the security additional information of the target data. During anti-leakage protection, whether anti-leakage processing needs to be executed can be judged by consulting the security additional information, without processing such as scanning the data, which reduces the complexity of anti-leakage protection.
In the above or following embodiments, the access behavior information may also be obtained from the security additional information corresponding to the target data, where the access behavior information includes actual access behavior data of at least one application program on the target data. The actual access behavior of the at least one application program on the target data is determined from this data, and an application program whose actual access behavior is not consistent with its access right to the target data is determined to be an abnormal application program. The access right of the abnormal application program to the target data is then adjusted according to the actual access behavior of the abnormal application program and a preset risk response policy.
In some application scenarios, when the amount of user data is small or the requirement for data protection is not high, a lower data protection policy may be adopted. For example, only the security additional information corresponding to the data may be maintained, without authenticating access requests. In this case, the access behavior of an application program may exceed its corresponding access right. Of course, the same situation may arise for other reasons, which are not listed exhaustively here.
For this situation, in this embodiment, the access behavior information may be obtained from the security additional information corresponding to the target data. The actual access behavior of the at least one application program on the target data is determined from its actual access behavior data, which can contain information such as the access behavior type. For example, when the actual access behavior type of one of the application programs is a write data class, the actual access behavior of that application program may be determined to be a write operation.
If the actual access behavior of an application program exceeds its access right to the target data, the application program can be determined to be an abnormal application program. The access right of the abnormal application program to the target data can then be adjusted according to its access behavior on the target data, based on the preset risk response policy. The access right adjustment modes and other rules corresponding to various abnormal access behaviors can be configured in the preset risk response policy, and the risk response policy can be set flexibly according to actual needs.
In addition, in this embodiment, various implementation manners may be adopted to adjust the access right of the abnormal application program to the target data.
In some implementations, the access right adjustment for the abnormal application program can be implemented by adjusting a basic access right configuration rule in the security additional information corresponding to the target data. For example, the access right corresponding to information such as the type of the abnormal application in the basic right configuration rule may be lowered.
In other implementation manners, the access authority adjustment of the abnormal application program can be realized by adjusting the attribute information of the target data in the security additional information corresponding to the target data. For example, the security level in the security additional information corresponding to the target data may be increased or the data type in the security additional information corresponding to the target data may be changed, etc.
It should be noted that other implementations may also be adopted in this embodiment to adjust the access right of the abnormal application program to the target data.
In this embodiment, abnormal access behavior can be found by analyzing the access behavior occurring in the life cycle of the target data, and the security additional information corresponding to the target data can be optimized based on the abnormal access behavior. This ensures the rationality and accuracy of the access rights determined according to the security additional information corresponding to the target data, and effectively improves the security of the data.
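The following added example (not part of the patent text) sketches the abnormal-application check and both adjustment manners described above: lowering the access right for the application type in the basic access right configuration rule, and raising the security level of the target data. The behavior type names, the policy format, and the sample records are assumptions.

```python
from dataclasses import dataclass, field

# Assumed mapping from recorded access behavior type to the operation it implies.
BEHAVIOR_TO_OPERATION = {
    "read_data": "read",
    "write_data": "write",
    "outbound_transfer": "export",
}


@dataclass
class SecurityAdditionalInfo:
    security_level: int
    # Basic access right configuration rule: application type -> permitted operations.
    basic_rule: dict
    # Access behavior information: (application, application type, behavior type).
    access_behavior: list = field(default_factory=list)


def find_abnormal_applications(info):
    """Map each application to the operations it performed beyond its access rights."""
    abnormal = {}
    for app, app_type, behavior_type in info.access_behavior:
        # Unrecognized behavior types become "unknown", which no rule permits.
        operation = BEHAVIOR_TO_OPERATION.get(behavior_type, "unknown")
        permitted = info.basic_rule.get(app_type, set())
        if operation not in permitted:
            entry = abnormal.setdefault(app, {"type": app_type, "excess": set()})
            entry["excess"].add(operation)
    return abnormal


def apply_risk_response(info, abnormal, policy):
    """Adjust the security additional information according to the risk response policy."""
    adjustments = []
    for app in sorted(abnormal):
        app_type = abnormal[app]["type"]
        for operation in sorted(abnormal[app]["excess"]):
            # Operations without a policy entry fall back to the strictest response.
            for action, argument in policy.get(operation, [("revoke_type", None)]):
                if action == "restrict_type":
                    current = info.basic_rule.get(app_type, set())
                    info.basic_rule[app_type] = current & set(argument)
                elif action == "revoke_type":
                    info.basic_rule[app_type] = set()
                elif action == "raise_level":
                    info.security_level += argument
                else:
                    raise ValueError(f"unknown risk response action: {action}")
                adjustments.append((app, operation, action))
    return adjustments


# Assumed risk response policy: exceeded operation -> list of (action, argument).
RISK_RESPONSE_POLICY = {
    "write": [("restrict_type", {"read"})],
    "export": [("revoke_type", None), ("raise_level", 1)],
}


def build_sample():
    """Constructed sample: two applications exceed their rights, one does not."""
    return SecurityAdditionalInfo(
        security_level=2,
        basic_rule={
            "reporting": {"read", "export"},
            "analytics": {"read"},
            "editor": {"read", "write"},
        },
        access_behavior=[
            ("report-svc", "reporting", "read_data"),
            ("report-svc", "reporting", "write_data"),
            ("stats-job", "analytics", "outbound_transfer"),
            ("doc-editor", "editor", "write_data"),
        ],
    )


if __name__ == "__main__":
    sample = build_sample()
    found = find_abnormal_applications(sample)
    print(found)
    print(apply_risk_response(sample, found, RISK_RESPONSE_POLICY))
    print(sample.basic_rule, sample.security_level)
```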
Fig. 2 is a schematic flow chart of another data protection method according to an embodiment of the present application. Fig. 2 shows a plurality of protection angles in the data protection process of the target data. First, data scanning is performed on the target data, the target data is classified and graded according to its content, and the classification and grading result, the basic access right configuration rule and other contents are carried in the security additional information corresponding to the target data. Although fig. 2 only shows the process of adding content to the corresponding security additional information when the target data is generated, it should be understood that, in the life cycle of the target data, various data change details can be updated to the security additional information at any time, and the security additional information can be circulated with the target data. Then, the target data and the corresponding security additional information are encrypted and stored. When an access request of an application program to the target data is received, a decryption operation can be performed to obtain the security additional information corresponding to the target data. Desensitization processing may also be performed on the target data according to desensitization requirements. Subsequently, whether the access request of the application program exceeds the corresponding access right can be determined according to the security additional information corresponding to the target data, so as to authenticate the access request of the application program. Anti-leakage protection is performed on the target data according to the security additional information corresponding to the target data.
In addition, whether abnormal access behaviors occur in the life cycle of the target data can be monitored based on the security additional information corresponding to the target data, and the security additional information of the target data can be adjusted accordingly, so that the data protection effect on the target data is improved.
In addition, for convenience of composition, fig. 2 shows an execution sequence among the protection angles, but this should not be construed as limiting the scope of the present application, and it should be understood that other execution sequences among the protection angles involved in the data protection method provided by the present application may also be adopted.
Fig. 3 is a schematic flow chart of a data generation method according to another embodiment of the present application. As shown in fig. 3, the method includes:
300. acquiring original data and a unique identifier corresponding to the original data;
301. generating first security additional information according to the security level of the original data;
302. generating third security additional information according to an access protocol corresponding to the original data, wherein the third security additional information comprises an access object communication protocol type;
303. combining and encrypting the first and third security additional information to obtain encrypted security additional information;
304. associating the unique identifier with the encrypted security additional information;
305. storing the associated encrypted security additional information.
In this embodiment, the method and the device can be applied to various data security management scenarios, for example, data security management in a public cloud or a private cloud, or data security management in an enterprise internal server. For different application scenarios, the format, content, industry field, and the like of the original data may be different, and this embodiment does not limit this.
On the basis of the original data, in this embodiment, the first security additional information may be generated according to the security level of the original data. The security level of the original data may be determined based on the data classification and grading manner in the foregoing embodiments, and of course, may also be determined in other manners, which is not limited in this embodiment. The security level of the original data represents the degree of protection required by the original data: the higher the security level of the original data, the higher the corresponding degree of protection.
On the basis of the original data, in this embodiment, the third secure additional information may also be generated according to the access protocol corresponding to the original data. The third security additional information may set respective communication protocol types corresponding to different access objects, and when the original data is transmitted, the communication protocol types corresponding to the access objects need to be followed, so as to ensure the security of the original data. One access object in the third security additional information may correspond to one or more communication protocol types, and the communication protocol type corresponding to the access object may be determined according to the security level of the original data, the type of the access object, the security level, and other information. For example, when the security level of the original data is high, all types of access objects may be restricted to HTTP.
In this embodiment, the first and third security additional information described above may be combined to generate the security additional information of the original data. The security additional information is stored in association with the original data, wherein the form of the associated storage may refer to the storage manner provided in the foregoing embodiments, and is not described herein again.
Further, in order to ensure the security of the security additional information, the security additional information may be encrypted, and the encrypted security additional information may be stored in association with the original data. Therefore, unsafe behaviors such as tampering with or malicious access to the security additional information can be avoided.
In this embodiment, both the security level in the security additional information and the access object communication protocol type can be dynamically adjusted according to the data change of the original data in the lifecycle.
In this embodiment, the security additional information may circulate together with the original data. Because information such as the security level of the original data and the access object communication protocol type is carried in the security additional information, this information can be obtained directly from the associated security additional information while the original data circulates. The range of the access rights corresponding to the original data can therefore be determined conveniently and access control on the original data realized, without complex processing such as scanning and analyzing the original data, which improves the efficiency of the access control and ensures its accuracy.
Fig. 4 is a schematic flowchart of a data generation method according to another embodiment of the present application. As shown in fig. 4, the method includes:
400. acquiring original data and a unique identifier corresponding to the original data;
401. generating first security additional information according to the security level of the original data;
402. generating second security additional information according to the access object corresponding to the original data, wherein the second security additional information comprises a blacklist or a white list of the access object;
403. generating third security additional information according to an access protocol corresponding to the original data, wherein the third security additional information comprises an access object communication protocol type;
404. combining and encrypting the first, second and third security additional information to obtain encrypted security additional information;
405. associating the unique identifier with the encrypted security additional information;
406. storing the associated encrypted security additional information.
For steps 400, 401, and 403 to 406, refer to the description in the foregoing embodiments; they are not repeated herein.
On the basis of the foregoing embodiment, the present embodiment may further generate second security additional information according to an access object corresponding to the original data. The access object corresponding to the original data may be an access object obtained from a historical access record of the original data, or an access object that is predicted to possibly access the original data according to related information such as the industry field of the original data, or of course, an access object determined according to other parameters, which is not limited in this embodiment. The second security additional information may define, in a blacklist or whitelist manner, whether the access object can access the original data. If the access object belongs to the access object blacklist in the second security additional information, or the access object does not belong to the access object whitelist in the second security additional information, the access object will not have access to the original data.
In addition, the access object blacklist or whitelist may be determined based on the historical access behavior of the access object corresponding to the original data. For example, an access object that has exhibited abnormal access behaviors such as unauthorized operation or large-volume download may be added to the access object blacklist. The determination may also be based on the security level of the original data. For example, when the original data is contract-like data and the security level is the highest level, an access object that is allowed to access the original data, such as an administrator account, may be added to the access object whitelist. Of course, other policies may also be used to determine the access object blacklist or whitelist, which is not limited in this embodiment. In addition, the access object may be defined from different dimensions, for example, the access role that initiates a data transfer request, the application program, or the transmission target address of the original data. Accordingly, the access object blacklist or whitelist in the security additional information can be determined for each of these dimensions by using the above-mentioned manner of determining the access object blacklist or whitelist.
In this embodiment, the access object blacklist or whitelist may be carried in the security additional information, so that the reasonability and accuracy of the range of the access right of the original data determined based on the security additional information may be further improved, and the security of the original data may be better guaranteed.
Fig. 5 is a schematic flowchart of a data transmission method according to another embodiment of the present application, and as shown in fig. 5, the method includes:
500. acquiring a unique identifier corresponding to data to be transmitted;
501. according to the unique identifier, acquiring security additional information associated with the unique identifier;
502. decrypting the security additional information to obtain a security level and a communication protocol type;
503. determining that a transmission target address of the data to be transmitted meets a preset condition based on the security level;
504. and sending the data to be transmitted to the transmission target address based on the communication protocol type.
In this embodiment, the data to be transmitted is associated with security additional information. When the security additional information is encrypted, the security additional information may be decrypted to obtain the security level and the communication protocol type in the security additional information.
The security level represents the degree of protection required by the data to be transmitted. In this embodiment, whether the transmission target address of the data to be transmitted meets the preset condition may be determined based on the security level of the data to be transmitted. For example, when the security level of the data to be transmitted is level three, if the security level of the transmission target address is lower than level three, the transmission target address may be considered not to meet the preset condition. The security level of the transmission target address can be determined according to information such as the access record and the address type of the transmission target address. The correspondence between the security level of the data to be transmitted and the security level of the transmission target address can also be adjusted according to different application scenarios, which is not limited in this embodiment.
The security additional information includes a communication protocol type supported by the data to be transmitted. In some practical applications, the security additional information may include respective communication protocol types corresponding to different transmission destination addresses, and accordingly, in this embodiment, for different transmission destination addresses, the data to be transmitted may be transmitted based on the corresponding communication protocol types, so as to ensure the security of the data to be transmitted.
In this embodiment, by reading the information such as the security level and the communication protocol type in the security additional information of the data to be transmitted, it can be determined whether the transmission destination address of the data to be transmitted meets the transmission condition, and on the basis that the transmission destination address meets the transmission condition, the data to be transmitted can be further transmitted by adopting the communication protocol type individually matched with the transmission destination address, so that the security of data transmission can be ensured.
Further, in this embodiment, the security additional information may further include an access object blacklist or a white list. The security additional information defines whether the access object can access the original data in the form of a blacklist or a whitelist of the access object. The access object blacklist or the access object whitelist in the security additional information corresponding to the data to be transmitted may be configured according to the method for determining the access object blacklist or the access object whitelist described in the foregoing embodiment, and of course, may also be configured in other manners, which is not limited in this embodiment. In addition, the access object may be defined from different dimensions, for example, the access object may be defined from dimensions such as an access role of initiating a data transfer request, an application program, or a transfer target address mentioned in the present embodiment. Accordingly, the access object blacklist or whitelist in the security additional information can be determined based on various dimensions by using the above-mentioned manner of determining the access object blacklist or whitelist.
When the security additional information includes the access object blacklist, in this embodiment, it may be determined that the access object of the data to be transmitted does not belong to the access object blacklist based on the access object blacklist.
When the security additional information includes the access object white list, in this embodiment, it may be determined that the access object of the data to be transmitted belongs to the access object white list based on the access object white list.
In this embodiment, on the basis of determining that the transmission target address of the data to be transmitted meets the preset condition, when it is determined that the access object of the data to be transmitted belongs to the white list or does not belong to the black list, it is allowed to send the data to be transmitted to the transmission target address based on the communication protocol type determined according to the security additional information. Thus, the security of the data transmission process can be further improved.
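The following added example (not part of the patent text) covers both the generation method of fig. 4 and the transmission method of fig. 5: it combines the first, second and third security additional information under a unique identifier and then makes the transmission decision of steps 503 and 504. Encryption and decryption of the stored record (steps 404 and 502) are assumed to be handled by the storage layer and are not shown; the identifiers, host names, protocol names, and the per-dimension whitelist rule are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class SecurityAdditionalInfo:
    security_level: int                           # first security additional information
    blacklist: set = field(default_factory=set)   # second: {(dimension, value)}
    whitelist: Optional[set] = None               # second: None means no whitelist
    protocols: dict = field(default_factory=dict)  # third: target address -> protocol types


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    protocol: Optional[str] = None


def generate(store, unique_id, security_level, blacklist, whitelist, protocols):
    """Combine the three parts and associate them with the unique identifier."""
    store[unique_id] = SecurityAdditionalInfo(
        security_level,
        set(blacklist),
        None if whitelist is None else set(whitelist),
        dict(protocols),
    )
    return store[unique_id]


def access_object_permitted(info, access_object):
    """Check every dimension of the access object against blacklist and whitelist."""
    if set(access_object.items()) & info.blacklist:
        return False
    if info.whitelist is None:
        return True
    # Assumption: a dimension is constrained only if the whitelist has entries for it;
    # a request that omits a constrained dimension is rejected.
    constrained = {dimension for dimension, _ in info.whitelist}
    return all((d, access_object.get(d)) in info.whitelist for d in constrained)


def decide_transmission(store, unique_id, access_object, target_level, offered_protocols):
    """Steps 500 to 504 on an already decrypted record."""
    info = store.get(unique_id)
    if info is None:
        return Decision(False, "no security additional information for identifier")
    if target_level < info.security_level:
        return Decision(False, "target address security level too low")
    if not access_object_permitted(info, access_object):
        return Decision(False, "access object rejected by blacklist or whitelist")
    target = access_object.get("target_address")
    permitted = info.protocols.get(target, info.protocols.get("*", []))
    for protocol in permitted:  # record order expresses preference
        if protocol in offered_protocols:
            return Decision(True, "ok", protocol)
    return Decision(False, "no permitted communication protocol available")


# Constructed sample store with one record.
STORE = {}
generate(
    STORE,
    "doc-0001",
    security_level=3,
    blacklist={("application", "bulk-downloader")},
    whitelist={("role", "administrator"), ("role", "auditor")},
    protocols={"archive.internal.example": ["SFTP", "HTTPS"], "*": ["HTTPS"]},
)


def request(role, application, target_address):
    return {"role": role, "application": application, "target_address": target_address}


if __name__ == "__main__":
    admin = request("administrator", "backup-agent", "archive.internal.example")
    print(decide_transmission(STORE, "doc-0001", admin, 3, {"HTTPS", "SFTP"}))
    print(decide_transmission(STORE, "doc-0001", admin, 2, {"HTTPS", "SFTP"}))
```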
Fig. 6 is a schematic structural diagram of a data protection device according to another embodiment of the present application. As shown in fig. 6, the data protection apparatus includes: a memory 60 and a processor 61.
The memory 60 is used to store computer programs and may be configured to store other various data to support operations on the bluetooth device. Examples of such data include instructions for any application or method operating on a bluetooth device, contact data, phonebook data, information, pictures, videos, and the like.
The memory 60 may be implemented by any type or combination of volatile or non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
A processor 61, coupled to the memory 60, for executing computer programs in the memory 60 for:
acquiring security additional information corresponding to target data according to an access request of a current application program to the target data;
determining the access authority of the current application program to the target data according to the security additional information corresponding to the target data;
and if the access request of the current application program to the target data does not accord with the access authority, rejecting the access request.
In an alternative embodiment, the processor 61 is further configured to:
encrypting the security additional information corresponding to the target data;
when the processor acquires the security additional information corresponding to the target data, the processor is used for:
and decrypting the security additional information corresponding to the target data to acquire the security additional information corresponding to the target data.
In an alternative embodiment, the processor 61 is further configured to:
and if the access request of the current application program to the target data accords with the access authority, allowing the current application program to access the target data according to the access request.
In an alternative embodiment, the processor 61 is further configured to:
if the security additional information corresponding to the target data carries the sensitive data label, acquiring the sensitive level of the target data and the security level of the current application program;
determining the security level requirement of an application program corresponding to the sensitivity level according to the sensitivity level of the target data;
and if the security level of the current application program does not meet the security level requirement, performing desensitization processing on the target data, and responding to the access request of the current application program based on the desensitized target data.
In an alternative embodiment, when the access request is an external transmission request, the processor 61 is further configured to:
determining an external transmission permission corresponding to the target data according to the security additional information corresponding to the target data;
and if the external transmission permission is that external transmission is not allowed, rejecting the external transmission request.
In an alternative embodiment, the security additional information includes one or more of a data type, a security level, a base access rights configuration rule, access behavior information, a desensitization rule, or a leakage prevention rule.
In an alternative embodiment, when the access behavior information is included in the security additional information, the processor 61 is configured to:
acquiring access behavior information from the security additional information corresponding to the target data, wherein the access behavior information comprises actual access behavior data of at least one application program to the target data;
determining the actual access behavior of at least one application program to the target data according to the actual access behavior data of the at least one application program to the target data, and determining the application program of which the actual access behavior is not consistent with the access authority to the target data as an abnormal application program;
and adjusting the access authority of the abnormal application program to the target data according to the actual access behavior of the abnormal application program and a preset risk response strategy.
Further, as shown in fig. 6, the data protection apparatus further includes: communication components 62, power components 63, and the like. Only some of the components are schematically shown in fig. 6, and it is not meant that the data protection apparatus includes only the components shown in fig. 6.
Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program can implement the steps that can be performed by the data protection device in the foregoing method embodiments when executed.
Fig. 7 is a schematic structural diagram of a computing device according to another embodiment of the present application. As shown in fig. 7, the computing device includes: a memory 70 and a processor 71.
The memory 70 is used to store computer programs and may be configured to store other various data to support operations on the bluetooth device. Examples of such data include instructions for any application or method operating on a bluetooth device, contact data, phonebook data, information, pictures, videos, and the like.
The memory 70 may be implemented by any type or combination of volatile or non-volatile memory devices such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
A processor 71, coupled to the memory 70, for executing computer programs in the memory 70 for:
acquiring original data and a unique identifier corresponding to the original data;
generating first security additional information according to the security level of the original data;
generating second security additional information according to the access object corresponding to the original data, wherein the second security additional information comprises a blacklist or a white list of the access object;
generating third security additional information according to an access protocol corresponding to the original data, wherein the third security additional information comprises an access object communication protocol type;
combining and encrypting the first, second and third security additional information to obtain encrypted security additional information;
associating the unique identifier with the encrypted security additional information;
storing the associated encrypted security additional information.
Further, as shown in fig. 7, the computing device further includes: communication components 72, power components 73, and the like. Only some of the components are schematically shown in fig. 7, and the computing device is not meant to include only the components shown in fig. 7.
Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program can implement the steps that can be executed by a computing device in the foregoing method embodiments when executed.
Fig. 8 is a schematic structural diagram of a computing device according to another embodiment of the present application. As shown in fig. 8, the computing device includes: a memory 80 and a processor 81.
The memory 80 is used to store computer programs and may be configured to store other various data to support operations on the bluetooth device. Examples of such data include instructions for any application or method operating on a bluetooth device, contact data, phonebook data, information, pictures, videos, and the like.
The memory 80 may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
A processor 81, coupled to the memory 80, for executing the computer program in the memory 80 for:
acquiring original data and a unique identifier corresponding to the original data;
generating first security additional information according to the security level of the original data;
generating third security additional information according to an access protocol corresponding to the original data, wherein the third security additional information comprises an access object communication protocol type;
combining and encrypting the first and third security additional information to obtain encrypted security additional information;
associating the unique identifier with the encrypted security additional information;
storing the associated encrypted security additional information.
As shown in fig. 8, the computing device further includes communication components 82, power components 83, and the like. Fig. 8 shows only some of the components schematically; this does not mean that the computing device includes only the components shown in fig. 8.
Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program, when executed, implements the steps executable by a computing device in the foregoing method embodiments.
Fig. 9 is a schematic structural diagram of a computing device according to another embodiment of the present application. As shown in fig. 9, the computing device includes: a memory 90 and a processor 91.
The memory 90 is used to store computer programs and may be configured to store other various data to support operations on the bluetooth device. Examples of such data include instructions for any application or method operating on a bluetooth device, contact data, phonebook data, information, pictures, videos, and the like.
The memory 90 may be implemented by any type or combination of volatile or non-volatile memory devices, such as Static Random Access Memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, magnetic or optical disks.
A processor 91, coupled to the memory 90, for executing the computer program in the memory 90 for:
acquiring a unique identifier corresponding to data to be transmitted;
according to the unique identifier, acquiring security additional information associated with the unique identifier;
decrypting the security additional information to obtain a security level and a communication protocol type;
determining that a transmission target address of the data to be transmitted meets a preset condition based on the security level;
and sending the data to be transmitted to the transmission target address based on the communication protocol type.
In an optional embodiment, the security additional information further includes an access object blacklist, and the processor 91, before sending the data to be transmitted to the transmission target address based on the communication protocol type, is further configured to: determine, based on the access object blacklist, that the access object of the data to be transmitted does not belong to the access object blacklist; or
the security additional information further includes an access object white list, and the processor 91, before sending the data to be transmitted to the transmission target address based on the communication protocol type, is further configured to: determine, based on the access object white list, that the access object of the data to be transmitted belongs to the access object white list.
As shown in fig. 9, the computing device further includes communication components 92, power components 93, and the like. Fig. 9 shows only some of the components schematically; this does not mean that the computing device includes only the components shown in fig. 9.
Accordingly, the present application further provides a computer-readable storage medium storing a computer program, where the computer program, when executed, implements the steps executable by a computing device in the foregoing method embodiments.
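The generation steps (security level, access object blacklist or white list, and communication protocol type, combined, encrypted and associated with the unique identifier) and the transmission checks performed by the processor 91 can be exercised end to end as follows. This is an added Python example, not code from the patent: the JSON layout, the level-to-network table, the in-memory store and the HMAC-SHA256 encrypt-then-MAC construction (a standard-library stand-in, since the patent names no cipher) are assumptions. The unique identifier is covered by the authentication tag, so an encrypted record moved under a different identifier is rejected.

```python
import hashlib
import hmac
import ipaddress
import json
import secrets

# Constructed "preset condition": networks each security level may be sent to.
LEVEL_ALLOWED_NETS = {
    1: ["0.0.0.0/0"],                     # public: any IPv4 destination
    2: ["10.0.0.0/8", "192.168.0.0/16"],  # internal: private ranges only
    3: ["10.20.0.0/16"],                  # restricted: one constructed subnet
}
STORE = {}  # unique identifier -> encrypted security additional information


def _subkeys(key):
    """Derive separate encryption and MAC keys from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def _xor_keystream(enc_key, nonce, data):
    """HMAC-SHA256 in counter mode as a keystream (stand-in cipher, assumption)."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"),
                           hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def _tag(mac_key, uid, nonce, ciphertext):
    """Authenticate the ciphertext together with the unique identifier."""
    uid_bytes = uid.encode()
    msg = len(uid_bytes).to_bytes(4, "big") + uid_bytes + nonce + ciphertext
    return hmac.new(mac_key, msg, hashlib.sha256).digest()


def generate(key, uid, security_level, protocol, whitelist=None, blacklist=None):
    """Combine, encrypt and store the security additional information for uid."""
    info = {"security_level": security_level, "protocol": protocol}
    if whitelist is not None:
        info["whitelist"] = sorted(whitelist)
    if blacklist is not None:
        info["blacklist"] = sorted(blacklist)
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ciphertext = _xor_keystream(enc_key, nonce, json.dumps(info).encode())
    STORE[uid] = nonce + ciphertext + _tag(mac_key, uid, nonce, ciphertext)


def load_info(key, uid):
    """Fetch and decrypt the information for uid; raise ValueError if invalid."""
    blob = STORE.get(uid)
    if blob is None or len(blob) < 48:
        raise ValueError("missing security additional information")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    # Verify before decrypting; a record stored under another identifier fails here.
    if not hmac.compare_digest(tag, _tag(mac_key, uid, nonce, ciphertext)):
        raise ValueError("authentication failed")
    return json.loads(_xor_keystream(enc_key, nonce, ciphertext))


def authorize_transmission(key, uid, target_ip, access_object):
    """Return (True, protocol) if sending is allowed, else (False, reason)."""
    try:
        info = load_info(key, uid)
        addr = ipaddress.ip_address(target_ip)
    except ValueError as exc:
        return False, str(exc)  # fail closed on missing, tampered or malformed input
    nets = LEVEL_ALLOWED_NETS.get(info["security_level"], [])
    if not any(addr in ipaddress.ip_network(n) for n in nets):
        return False, "target address not permitted for security level"
    if access_object in info.get("blacklist", []):
        return False, "access object is blacklisted"
    if "whitelist" in info and access_object not in info["whitelist"]:
        return False, "access object not in white list"
    return True, info["protocol"]


if __name__ == "__main__":
    # Constructed sample identifiers, addresses and access objects.
    demo_key = secrets.token_bytes(32)
    generate(demo_key, "doc-001", 2, "https", whitelist={"backup-service"})
    print(authorize_transmission(demo_key, "doc-001", "10.1.2.3", "backup-service"))
    print(authorize_transmission(demo_key, "doc-001", "203.0.113.7", "backup-service"))
```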
The communication components of fig. 6, 7, 8 and 9 are configured to facilitate wired or wireless communication between the device in which the communication component is located and other devices. The device in which the communication component is located may access a wireless network based on a communication standard, such as WiFi, 2G or 3G, or a combination thereof. In an exemplary embodiment, the communication component receives a broadcast signal or broadcast related information from an external broadcast management system via a broadcast channel. In an exemplary embodiment, the communication component further includes a Near Field Communication (NFC) module that may be implemented based on Radio Frequency Identification (RFID) technology, infrared data association (IrDA) technology, Ultra Wideband (UWB) technology, Bluetooth (BT) technology, and other technologies to facilitate short-range communications.
The power supply components of figures 6, 7, 8 and 9, among others, provide power to the various components of the device in which the power supply components are located. The power components may include a power management system, one or more power supplies, and other components associated with generating, managing, and distributing power for the device in which the power component is located.
As will be appreciated by one skilled in the art, embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowcharts and/or block diagrams, and combinations of flows and/or blocks in the flowcharts and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a general purpose computer, special purpose computer, embedded processor, or other programmable data processing device to produce a machine, such that the instructions, which execute via the computer or other programmable data processing device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing device to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing device to cause a series of operational steps to be performed on the computer or other programmable device to produce a computer-implemented process, such that the instructions which execute on the computer or other programmable device provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape or magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal and a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (25)

1. A method for protecting data, comprising:
according to an access request of a current application program to target data, acquiring security additional information corresponding to the target data;
determining the access authority of the current application program to the target data according to the security additional information corresponding to the target data;
and if the access request of the current application program to the target data does not conform to the access authority, rejecting the access request.
2. The method of claim 1, further comprising:
encrypting the security additional information corresponding to the target data;
the acquiring of the security additional information corresponding to the target data includes:
and decrypting the security additional information corresponding to the target data to obtain the security additional information corresponding to the target data.
3. The method of claim 1, further comprising:
and if the access request of the current application program to the target data conforms to the access authority, allowing the current application program to access the target data according to the access request.
4. The method of claim 3, further comprising:
if the security additional information corresponding to the target data carries a sensitive data label, acquiring the sensitivity level of the target data and the security level of the current application program;
determining the security level requirement of an application program corresponding to the sensitivity level according to the sensitivity level of the target data;
and if the security level of the current application program does not meet the security level requirement, performing desensitization processing on the target data, and responding to the access request of the current application program based on the desensitized target data.
5. The method of claim 1, wherein when the access request is an external transmission request, the method further comprises:
determining the external transmission permission corresponding to the target data according to the security additional information corresponding to the target data;
and if the external transmission permission is that external transmission is not allowed, rejecting the external transmission request.
6. The method of claim 1, wherein the security additional information comprises one or more of a data type, a security level, a base access rights configuration rule, access behavior information, a desensitization rule, or a leakage prevention rule.
7. The method according to claim 6, wherein when the security additional information includes access behavior information, the method further comprises:
acquiring the access behavior information from the security additional information corresponding to the target data, wherein the access behavior information comprises actual access behavior data of at least one application program to the target data;
determining the actual access behavior of the at least one application program to the target data according to the actual access behavior data of the at least one application program to the target data, and determining the application program of which the actual access behavior is not consistent with the access authority to the target data as an abnormal application program;
and adjusting the access authority of the abnormal application program to the target data according to the actual access behavior of the abnormal application program and a preset risk response strategy.
8. A data protection device comprising a memory and a processor;
the memory to store one or more computer instructions;
the processor, coupled with the memory, to execute the one or more computer instructions to:
according to an access request of a current application program to target data, acquiring security additional information corresponding to the target data;
determining the access authority of the current application program to the target data according to the security additional information corresponding to the target data;
and if the access request of the current application program to the target data does not conform to the access authority, rejecting the access request.
9. The device of claim 8, wherein the processor is further configured to:
encrypting the security additional information corresponding to the target data;
when the processor acquires the security additional information corresponding to the target data, the processor is configured to:
and decrypting the security additional information corresponding to the target data to obtain the security additional information corresponding to the target data.
10. The device of claim 8, wherein the processor is further configured to:
and if the access request of the current application program to the target data conforms to the access authority, allowing the current application program to access the target data according to the access request.
11. The device of claim 10, wherein the processor is further configured to:
if the security additional information corresponding to the target data carries a sensitive data label, acquiring the sensitivity level of the target data and the security level of the current application program;
determining the security level requirement of an application program corresponding to the sensitivity level according to the sensitivity level of the target data;
and if the security level of the current application program does not meet the security level requirement, performing desensitization processing on the target data, and responding to the access request of the current application program based on the desensitized target data.
12. The device of claim 8, wherein when the access request is an external transmission request, the processor is further configured to:
determining the external transmission permission corresponding to the target data according to the security additional information corresponding to the target data;
and if the external transmission permission is that external transmission is not allowed, rejecting the external transmission request.
13. The device of claim 8, wherein the security additional information comprises one or more of a data type, a security level, a base access rights configuration rule, access behavior information, a desensitization rule, or a leakage prevention rule.
14. The device of claim 13, wherein when the security additional information comprises access behavior information, the processor is configured to:
acquiring the access behavior information from the security additional information corresponding to the target data, wherein the access behavior information comprises actual access behavior data of at least one application program to the target data;
determining the actual access behavior of the at least one application program to the target data according to the actual access behavior data of the at least one application program to the target data, and determining the application program of which the actual access behavior is not consistent with the access authority to the target data as an abnormal application program;
and adjusting the access authority of the abnormal application program to the target data according to the actual access behavior of the abnormal application program and a preset risk response strategy.
15. A computer-readable storage medium storing computer instructions, which when executed by one or more processors, cause the one or more processors to perform the data protection method of any one of claims 1 to 7.
16. A method of generating data, comprising:
acquiring original data and a unique identifier corresponding to the original data;
generating first security additional information according to the security level of the original data;
generating second security additional information according to an access object corresponding to the original data, wherein the second security additional information comprises an access object blacklist or a white list;
generating third security additional information according to an access protocol corresponding to the original data, wherein the third security additional information comprises an access object communication protocol type;
combining and encrypting the first, second and third security additional information to obtain encrypted security additional information;
associating the unique identifier with the encrypted security additional information;
storing the associated encrypted security additional information.
17. A method of generating data, comprising:
acquiring original data and a unique identifier corresponding to the original data;
generating first security additional information according to the security level of the original data;
generating third security additional information according to an access protocol corresponding to the original data, wherein the third security additional information comprises an access object communication protocol type;
combining and encrypting the first and third security additional information to obtain encrypted security additional information;
associating the unique identifier with the encrypted security additional information;
storing the associated encrypted security additional information.
18. A method of data transmission, comprising:
acquiring a unique identifier corresponding to data to be transmitted;
acquiring security additional information associated with the unique identifier according to the unique identifier;
decrypting the security additional information to obtain a security level and a communication protocol type;
determining that the transmission target address of the data to be transmitted meets a preset condition based on the security level;
and sending the data to be transmitted to the transmission target address based on the communication protocol type.
19. The method of claim 18, wherein the security additional information further comprises an access object blacklist, and wherein before sending the data to be transmitted to the transmission target address based on the communication protocol type, the method further comprises: determining, based on the access object blacklist, that the access object of the data to be transmitted does not belong to the access object blacklist; or
the security additional information further comprises an access object white list, and before sending the data to be transmitted to the transmission target address based on the communication protocol type, the method further comprises: determining, based on the access object white list, that the access object of the data to be transmitted belongs to the access object white list.
20. A computing device comprising a memory and a processor;
the memory to store one or more computer instructions;
the processor, coupled with the memory, to execute the one or more computer instructions to:
acquiring original data and a unique identifier corresponding to the original data;
generating first security additional information according to the security level of the original data;
generating second security additional information according to an access object corresponding to the original data, wherein the second security additional information comprises an access object blacklist or a white list;
generating third security additional information according to an access protocol corresponding to the original data, wherein the third security additional information comprises an access object communication protocol type;
combining and encrypting the first, second and third security additional information to obtain encrypted security additional information;
associating the unique identifier with the encrypted security additional information;
storing the associated encrypted security additional information.
21. A computing device comprising a memory and a processor;
the memory to store one or more computer instructions;
the processor, coupled with the memory, to execute the one or more computer instructions to:
acquiring original data and a unique identifier corresponding to the original data;
generating first security additional information according to the security level of the original data;
generating third security additional information according to an access protocol corresponding to the original data, wherein the third security additional information comprises an access object communication protocol type;
combining and encrypting the first and third security additional information to obtain encrypted security additional information;
associating the unique identifier with the encrypted security additional information;
storing the associated encrypted security additional information.
22. A computing device comprising a memory and a processor;
the memory to store one or more computer instructions;
the processor, coupled with the memory, to execute the one or more computer instructions to:
acquiring a unique identifier corresponding to data to be transmitted;
acquiring security additional information associated with the unique identifier according to the unique identifier;
decrypting the security additional information to obtain a security level and a communication protocol type;
determining that the transmission target address of the data to be transmitted meets a preset condition based on the security level;
and sending the data to be transmitted to the transmission target address based on the communication protocol type.
23. A computer-readable storage medium storing computer instructions, which when executed by one or more processors, cause the one or more processors to perform the data generation method of claim 16.
24. A computer-readable storage medium storing computer instructions, which when executed by one or more processors, cause the one or more processors to perform the data generation method of claim 17.
25. A computer-readable storage medium storing computer instructions, which when executed by one or more processors, cause the one or more processors to perform the data transmission method of claim 18.
CN201811401407.XA 2018-11-22 2018-11-22 Data protection method, generation method, transmission method, device and storage medium Active CN111209575B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201811401407.XA CN111209575B (en) 2018-11-22 2018-11-22 Data protection method, generation method, transmission method, device and storage medium

Publications (2)

Publication Number Publication Date
CN111209575A true CN111209575A (en) 2020-05-29
CN111209575B CN111209575B (en) 2023-05-26

Family

ID=70789406

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201811401407.XA Active CN111209575B (en) 2018-11-22 2018-11-22 Data protection method, generation method, transmission method, device and storage medium

Country Status (1)

Country Link
CN (1) CN111209575B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20130111220A1 (en) * 2011-10-31 2013-05-02 International Business Machines Corporation Protecting sensitive data in a transmission
US20140380484A1 (en) * 2013-06-19 2014-12-25 International Business Machines Corporation Intelligent Risk Level Grouping for Resource Access Recertification
CN107292183A (en) * 2017-06-29 2017-10-24 国信优易数据有限公司 A kind of data processing method and equipment
CN107679372A (en) * 2017-09-26 2018-02-09 努比亚技术有限公司 Access control method, terminal and the storage medium of application program
CN107729764A (en) * 2017-09-30 2018-02-23 广东欧珀移动通信有限公司 Guard method, device, storage medium and the electronic equipment of sensitive information

Cited By (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114025358A (en) * 2020-07-15 2022-02-08 成都鼎桥通信技术有限公司 Data desensitization method, device, equipment and storage medium
CN114025358B (en) * 2020-07-15 2024-02-13 成都鼎桥通信技术有限公司 Data desensitization method, device, equipment and storage medium
CN112187794A (en) * 2020-09-28 2021-01-05 深圳市雁云信息技术有限公司 Data transmission method and system for ensuring data security
CN114499901A (en) * 2020-10-26 2022-05-13 中国移动通信有限公司研究院 Information processing method and device, server, terminal and data platform
CN112651039A (en) * 2020-11-18 2021-04-13 国网江苏省电力有限公司营销服务中心 Electric power data differentiation desensitization method and device fusing service scenes
CN113221099A (en) * 2021-05-06 2021-08-06 支付宝(杭州)信息技术有限公司 Processing method and device for interface call request
CN113221098A (en) * 2021-05-06 2021-08-06 支付宝(杭州)信息技术有限公司 Processing method and device for interface call request
WO2022233269A1 (en) * 2021-05-06 2022-11-10 支付宝(杭州)信息技术有限公司 Method and device for processing interface call request
CN113254932A (en) * 2021-06-16 2021-08-13 百度在线网络技术(北京)有限公司 Application program risk detection method and device, electronic equipment and medium
CN113254932B (en) * 2021-06-16 2024-02-27 百度在线网络技术(北京)有限公司 Application risk detection method and device, electronic equipment and medium
CN114244583A (en) * 2021-11-30 2022-03-25 珠海大横琴科技发展有限公司 Data processing method and device based on mobile client

Also Published As

Publication number Publication date
CN111209575B (en) 2023-05-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant