CN112231654B - Operation and maintenance data isolation method and device, electronic device and storage medium - Google Patents

Operation and maintenance data isolation method and device, electronic device and storage medium

Info

Publication number: CN112231654B
Authority: CN (China)
Prior art keywords: account, maintenance, shadow, application server, shadow account
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN202011114807.XA
Other languages: Chinese (zh)
Other versions: CN112231654A (en)
Inventor: 刘振超
Current assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Topsec Technology Co Ltd; Beijing Topsec Network Security Technology Co Ltd; Beijing Topsec Software Co Ltd

Events:
Application filed by Beijing Topsec Technology Co Ltd, Beijing Topsec Network Security Technology Co Ltd and Beijing Topsec Software Co Ltd
Priority to CN202011114807.XA
Publication of CN112231654A
Application granted
Publication of CN112231654B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F 21/31 User authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Stored Programmes (AREA)

Abstract

This application provides a method and a device for isolating operation and maintenance (O&M) data, an electronic device and a storage medium, in the technical field of computer and network security auditing. The method comprises the following steps: acquiring the login information of an O&M user, the login information including an O&M account; and invoking the shadow account bound to that O&M account to log in to an application server, so that the O&M user performs operation and maintenance on the application server through the shadow account. By creating a separate shadow account of the same account for each user, data is isolated between different users and the data pollution caused by several users operating the same account is avoided; at the same time no additional accounts need to be created, which simplifies the procedure.

Description

Operation and maintenance data isolation method and device, electronic device and storage medium
Technical Field
This application relates to the technical field of computer and network security auditing, and in particular to a method, a device, an electronic device and a storage medium for isolating operation and maintenance (O&M) data.
Background
In most cases an application server is deployed so that the business logic of certain services can be exposed to clients more directly, and a graphical client of the service is typically installed on it for users. The application server also handles server security, load balancing and similar concerns, so the security of the application server is particularly important.
Application servers typically run a desktop operating system, and most application servers today are Windows-based. With the growth of informatisation, many enterprises have introduced O&M security audit systems, after which creating services and application servers has become very convenient.
However, the security problem of several users sharing the same application server is often overlooked. When several users log in to the application server with the same account to connect to services, all the data they generate is visible to all of them, which often causes data pollution, and the permissions of different users cannot be genuinely controlled. Alternatively, an account has to be created for each user when the application server is set up, which is cumbersome.
Disclosure of Invention
In view of this, an object of the embodiments of this application is to provide a method, a device, an electronic device and a storage medium for data isolation, so as to solve the problems of the prior art that isolating the data of several users requires creating several accounts, that the isolation achieved is poor, and that the procedure is cumbersome.
An embodiment of this application provides an operation and maintenance (O&M) data isolation method comprising the following steps: acquiring the login information of an O&M user, the login information including an O&M account; and invoking the shadow account bound to the O&M account to log in to an application server, so that the O&M user performs operation and maintenance on the application server through the shadow account.
In this implementation a separate shadow account of the same account is created for each O&M user, so that data is isolated between different users and the data pollution caused by several users operating the same account is avoided. At the same time the configuration is simple: only one administrator account needs to be configured, which simplifies the steps needed for data isolation.
Optionally, acquiring the login information of the O&M user comprises: receiving the login information sent by the O&M user through a remote terminal protocol program; and, after the login information passes verification, connecting to the O&M user's device using the remote terminal protocol.
In this implementation login verification is completed with the O&M user over a remote terminal protocol, so that the user can perform O&M remotely while O&M security is maintained.
Optionally, before invoking the shadow account bound to the O&M account to log in to the application server, the method further comprises: determining whether a shadow account bound to the O&M account exists on the application server; and, when it does, acquiring that shadow account.
In this implementation the binding to the O&M account is checked before the shadow account login, so that the subsequent steps can proceed quickly whether or not a shadow account already corresponds to the O&M account, which improves O&M efficiency.
Optionally, determining whether a shadow account bound to the O&M account exists on the application server comprises: querying a database, using the O&M account and the application server model, for whether a shadow account bound to the O&M account exists.
In this implementation the shadow accounts and their bindings to O&M accounts are stored in a database, so that a shadow account can be looked up quickly and accurately from the O&M account, the application server model and similar fields, which improves the efficiency of the query and of the decision.
Optionally, after determining whether a shadow account bound to the O&M account exists on the application server, the method further comprises: creating a shadow account on the application server when no shadow account bound to the O&M account exists there; and binding the shadow account to the O&M account.
In this implementation binding the shadow account to the O&M account isolates the data of different O&M users on the same application server and reduces the steps needed for data isolation.
Optionally, creating the shadow account on the application server when none bound to the O&M account exists there comprises: invoking a shadow account creation script to create the shadow account on the application server.
In this implementation the shadow account is created by invoking a creation script, which improves the efficiency of shadow account creation.
Optionally, binding the shadow account to the O&M account comprises: determining a unique credential of the O&M account; and associating the shadow account with the O&M account on the basis of that unique credential to complete the binding.
In this implementation the unique credential of the O&M account is used as the identifier for associating the shadow account with the O&M account, which improves the accuracy of the binding and lets the shadow account be looked up directly in the database from the O&M account information, improving query efficiency.
An embodiment of this application also provides an operation and maintenance (O&M) data isolation device comprising: a login information acquisition module for acquiring the login information of an O&M user, the login information including an O&M account; and a shadow account login module for invoking the shadow account bound to the O&M account to log in to the application server, so that the O&M user performs operation and maintenance on the application server through the shadow account.
In this implementation a separate shadow account of the same account is created for each O&M user, so that data is isolated between different users and the data pollution caused by several users operating the same account is avoided. At the same time the configuration is simple: only one administrator account needs to be configured, which simplifies the steps needed for data isolation.
Optionally, the login information acquisition module is configured to: receive the login information sent by the O&M user through a remote terminal protocol program; and, after the login information passes verification, connect to the O&M user's device using the remote terminal protocol.
In this implementation login verification is completed with the O&M user over a remote terminal protocol, so that the user can perform O&M remotely while O&M security is maintained.
Optionally, the O&M data isolation device further comprises a shadow account acquisition module for determining whether a shadow account bound to the O&M account exists on the application server and, when it does, acquiring that shadow account.
In this implementation the binding to the O&M account is checked before the shadow account login, so that the subsequent steps can proceed quickly whether or not a shadow account already corresponds to the O&M account, which improves O&M efficiency.
Optionally, the shadow account acquisition module is configured to query a database, using the O&M account and the application server model, for whether a shadow account bound to the O&M account exists.
In this implementation the shadow accounts and their bindings to O&M accounts are stored in a database, so that a shadow account can be looked up quickly and accurately from the O&M account, the application server model and similar fields, which improves the efficiency of the query and of the decision.
Optionally, the O&M data isolation device further comprises a shadow account creation module for creating a shadow account on the application server when no shadow account bound to the O&M account exists there, and binding the shadow account to the O&M account.
In this implementation binding the shadow account to the O&M account isolates the data of different O&M users on the same application server and reduces the steps needed for data isolation.
Optionally, the shadow account creation module is configured to invoke a shadow account creation script to create the shadow account on the application server when no shadow account bound to the O&M account exists there.
In this implementation the shadow account is created by invoking a creation script, which improves the efficiency of shadow account creation.
Optionally, the shadow account creation module is configured to: determine a unique credential of the O&M account; and associate the shadow account with the O&M account on the basis of that unique credential to complete the binding.
In this implementation the unique credential of the O&M account is used as the identifier for associating the shadow account with the O&M account, which improves the accuracy of the binding and lets the shadow account be looked up directly in the database from the O&M account information, improving query efficiency.
An embodiment of this application also provides an electronic device comprising a memory and a processor, the memory storing program instructions which, when read and run by the processor, perform the steps of any of the above implementations.
An embodiment of this application also provides a readable storage medium storing computer program instructions which, when read and executed by a processor, perform the steps of any of the above implementations.
Drawings
To illustrate the technical solutions of the embodiments more clearly, the drawings needed for the embodiments are briefly described below. It should be understood that the following drawings illustrate only some embodiments of this application and should not be regarded as limiting its scope; a person skilled in the art may obtain other related drawings from them without inventive effort.
Fig. 1 is a flow chart of an operation and maintenance data isolation method according to an embodiment of this application.
Fig. 2 is a flow chart of the shadow account determination step according to an embodiment of this application.
Fig. 3 is a schematic block diagram of an operation and maintenance data isolation device according to an embodiment of this application.
Reference numerals: 20, operation and maintenance data isolation device; 21, login information acquisition module; 22, shadow account login module.
Detailed Description
The technical solutions in the embodiments of this application are described below with reference to the drawings of the embodiments.
The applicant's research found that the security problem of several users sharing one application server is often overlooked: when several users log in to the application server with the same account to connect to services, all the data they generate is visible to all of them, which often causes data pollution, and permissions cannot be genuinely controlled per user.
For example, operation and maintenance (O&M) users A and B log in to the bastion host and then each log in to the application server with the same account. User A has operation rights to the enterprise's MySQL and Oracle database services, while user B may only operate the MySQL database. Because A and B are logged in with the same account, the records each of them generates on the application server are visible to the other, so B can operate the Oracle database on the basis of data generated by A's operations. More effective data isolation is therefore needed: when several users must perform O&M through the same application server account, the data they generate should be isolated from each other, and each user should only be able to see the data produced by their own operations.
At present, the technique for isolating the data generated by several users who log in to an application server with the same account is mainly to create a separate account for each user when the application server is set up. With such per-user real accounts, another user who knows an account's password can still log in with it, so data isolation is not achieved; and because the number of system accounts grows, each account that is attacked by malware affects the system, which increases the system's risk and lowers its security.
To solve the above problems, an embodiment of this application provides an operation and maintenance (O&M) data isolation method. Referring to Fig. 1, which is a flow chart of the O&M data isolation method of this embodiment, the method comprises the following steps:
Step S12: acquire the login information of the O&M user.
It should be understood that the O&M user typically logs in to the bastion host first and then, via the login information, logs in to the application server and performs O&M there; the steps of the O&M data isolation method of this embodiment may be executed by the bastion host.
The application server is the server to be maintained, also called an application program server: it provides business logic to applications. It is component-based middleware in a server-centric, typically three-tier architecture: the first tier is the user interface, usually Web-based; the middle tier is the application server, where the business logic resides; and the third tier, the back end, is the server responsible for the database. The application server mediates between the user and the database, exposing business logic to client applications through various protocols. It may also include a graphical user interface on a computer, a Web server or another application server, with the business logic implemented through component APIs, and it may manage its own resources, execution security, transactions, resource and connection pools, and messaging.
Further, the application server may be connected to a database.
To ensure that the network and its data are not intruded upon or damaged by external or internal users in a given network environment, the bastion host uses various technical means to monitor and record the operations that O&M personnel perform on servers, network devices, security devices, databases and other equipment in the network, so that alarms are centralised, incidents are handled promptly and responsibility can be audited. Functionally it combines the two core functions of operations management and security audit management; technically it cuts off direct access from terminal computers to the network and server resources and takes over that access in a protocol-proxy mode.
Specifically, the key idea of the bastion host is to logically separate the person from the target device, establishing the model "person -> primary account (bastion host user account) -> authorisation -> secondary account (O&M account)". Under this model, account management, authorisation management and the auditing of security policies are managed and controlled centrally on the basis of identity. In this logic several O&M accounts may be logged in on one bastion host, so the data of different O&M accounts will inevitably pollute each other, and isolating data only through different real O&M accounts leads to poor isolation, cumbersome operation and high system risk.
The bastion host in this embodiment may be a commercial or an open-source bastion host, and a hardware or a software bastion host, according to the specific O&M requirements.
Optionally, besides the O&M account, the login information may include other information such as the login time, an O&M account type identifier and the O&M account's security level.
The O&M account may be an account allocated to each user who accesses the application server, so that each user can store their own private files, each person can only view their own files unless authorised, and an administrator can conveniently verify each user's operations in the system in real time or afterwards.
Alternatively, O&M accounts may be classed as administrator accounts, ordinary accounts and system accounts. An administrator account is an account with root privileges, a system account is used to run certain system service programs, and an ordinary account is any account other than those two.
Specifically, step S12 may comprise the following sub-steps:
Step S122: receive the login information sent by the O&M user through a remote terminal protocol program.
Step S124: after the login information passes verification, connect to the O&M user's device using the remote terminal protocol.
The remote terminal protocol (Telnet) is a member of the TCP/IP protocol family and is the standard protocol and main means of Internet remote login services. It lets a user carry out work on a remote host from a local computer: the Telnet program on the O&M user's device connects to the bastion host, which in turn connects to the application server. Commands the user enters in the Telnet program run on the server as if they had been typed at the server's console, so the server can be controlled from the local machine. To start a Telnet session the user must enter a user name and password to log in to the server, which in this embodiment is the O&M account. A practical caveat: Telnet carries that user name and password in cleartext, and the same proxied login step is normally performed over an encrypted protocol such as SSH or RDP, which a bastion host handles in the same protocol-proxy manner.
Step S14: invoke the shadow account bound to the O&M account to log in to the application server, so that the O&M user performs operation and maintenance on the application server through the shadow account.
The term "shadow account" comes from bookkeeping, where an internal set of books is kept alongside the external one to record and process data that it is inconvenient to put in the external account. In the system sense it is a hidden account: it cannot be seen with the tools and methods the system provides and cannot be deleted through User Accounts, Computer Management or the command line, which gives it very high stability and authority. At the same time, the data and operations of different shadow accounts on the same device (such as an application server) do not interfere with each other and are isolated from each other. A caveat for anyone deploying this: a Windows account hidden in this way is created by editing the SAM registry hive, which is the same hidden-account technique that is documented as an attacker persistence method; the account remains in the SAM and is visible to tooling that reads the hive, so provisioning by the bastion host should be agreed with whoever monitors the application servers, or it will be indistinguishable from a compromise.
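The check a practitioner would want next to the description above, as an added example that is not code from the patent or from Topsec: it compares the account names present in the SAM registry hive with the names "net user" lists and reports the ones that only the hive knows about. The host name, the account names and both captured outputs are constructed; the registry path and the "net user" output layout are the real ones, and reading that registry path needs SYSTEM rights on a real host.

```python
r"""Hidden account check for a Windows application server.

Added example, not part of the patent. The shadow account technique leaves an
account in the SAM registry hive that the usual listings do not show. This
check compares the subkeys under HKLM\SAM\SAM\Domains\Account\Users\Names
with the names 'net user' prints. Both captures below are constructed; on a
real host they come from
    reg query HKLM\SAM\SAM\Domains\Account\Users\Names   (run as SYSTEM)
    net user
"""
from __future__ import annotations

import re

# Constructed capture of: reg query HKLM\SAM\SAM\Domains\Account\Users\Names
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Administrator
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\Guest
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\ops_a$
HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\Users\Names\svc_backup
"""

# Constructed capture of: net user
NET_USER_OUTPUT = r"""
User accounts for \\APPSRV01

-------------------------------------------------------------------------------
Administrator            Guest                    svc_backup
The command completed successfully.
"""


def parse_sam_names(reg_output: str) -> set[str]:
    """Account names are the last path component of each subkey line."""
    names = set()
    for line in reg_output.splitlines():
        line = line.strip()
        if "\\Users\\Names\\" in line:
            names.add(line.rsplit("\\", 1)[1])
    return names


def parse_net_user(net_output: str) -> set[str]:
    """'net user' prints names in columns between a dashed rule and the
    'The command completed' trailer; columns are separated by runs of spaces.
    Assumption: no account name on the host contains two consecutive spaces."""
    names = set()
    in_table = False
    for line in net_output.splitlines():
        if line.startswith("----"):
            in_table = True
            continue
        if line.startswith("The command completed"):
            break
        if in_table and line.strip():
            names.update(re.split(r"\s{2,}", line.strip()))
    return names


def hidden_accounts(reg_output: str, net_output: str) -> dict[str, list[str]]:
    """Names in the SAM that 'net user' does not list, plus names ending in
    '$', which 'net user' omits by convention even when nothing else hides
    them. Comparison is case-insensitive, as Windows account names are."""
    sam = parse_sam_names(reg_output)
    visible = {n.lower() for n in parse_net_user(net_output)}
    return {
        "not_listed": sorted(n for n in sam if n.lower() not in visible),
        "dollar_suffixed": sorted(n for n in sam if n.endswith("$")),
    }


if __name__ == "__main__":
    report = hidden_accounts(REG_QUERY_OUTPUT, NET_USER_OUTPUT)
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Run on the constructed captures, the report names ops_a$ under both headings; an account hidden by deeper SAM edits would still appear under "not_listed" even without the "$" suffix, which is why the hive listing rather than "net user" is the source of truth.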
It should be understood that before logging in through the shadow account it must also be determined whether a shadow account for the O&M account exists on the application server. Referring to Fig. 2, a flow chart of the shadow account determination step, step S14 may comprise the following steps:
Step S142: determine whether a shadow account bound to the O&M account exists on the application server.
Specifically, step S142 may query the database, using the O&M account and the application server model, for whether a shadow account bound to the O&M account exists.
The O&M account may be a string composed of letters, digits, Chinese characters or any other characters; each O&M account's string is unique so that it identifies the O&M account.
The application server model may be a string representing the type or specific identity of the application server, likewise composed of letters, digits, Chinese characters or any other characters.
When the O&M account and the application server model are both used as search fields in the database query, adding the application server model as a search field matches the corresponding shadow account more effectively. Beyond the application server model, information such as the O&M account's login region may also be added to the query to further improve the accuracy and efficiency of matching shadow accounts to O&M accounts.
The database may be of any type, for example MySQL or Oracle. Specifically, it may store the O&M account, the application server model and similar fields as the key and the shadow account as the value.
Step S144: when a shadow account bound to the O&M account exists on the application server, acquire that shadow account.
Step S146: when no shadow account bound to the O&M account exists on the application server, create one on the application server.
Specifically, in this embodiment a shadow account creation script may be invoked to create the shadow account on the application server; the script may create the shadow account by operating on the application server's registry.
Optionally, the shadow account bound to the O&M account has the same user name, which represents the binding relationship.
Step S148: bind the shadow account to the O&M account.
In this embodiment the user name of the O&M account may be used as the unique credential, and the shadow account is associated with the O&M account on the basis of that credential to complete the binding.
Where the binding between shadow account and O&M user is determined through the database, the association may be stored with the O&M account's unique credential (the user name) as the key and the corresponding shadow account as the value.
Alternatively, instead of the O&M account user name alone, the binding may use several credentials at once, for example with the application server model as an additional credential.
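Steps S142 to S148, as one added example that is not the patent's or Topsec's code: a bastion-side broker that looks up the shadow account bound to an O&M account on a given application server model, creates and binds one on first use, and stores the binding keyed by the O&M user name together with the server model, as the database scheme and the multi-credential alternative above describe. The table layout, the "$" naming rule for the shadow account, the in-memory provisioning hook that stands in for the creation script, and the sample user and server names are all assumptions.

```python
"""Bastion-side shadow account lookup, creation and binding.

Added example; this is not the patent's or Topsec's code. It models steps
S142 to S148 as a bastion host might run them: look up the shadow account
bound to an operation and maintenance (O&M) account on a given application
server model, create and bind one if none exists, and keep the binding in a
database keyed by the O&M account's unique credential (its user name) plus
the application server model. The table layout, the '$' naming rule, the
provisioning hook that stands in for the creation script and the sample
names are assumptions.
"""
from __future__ import annotations

import re
import sqlite3
from typing import Callable, Optional

SCHEMA = """
CREATE TABLE IF NOT EXISTS shadow_binding (
    om_account   TEXT NOT NULL,  -- unique credential of the O&M account (user name)
    server_model TEXT NOT NULL,  -- application server model / identity string
    shadow_name  TEXT NOT NULL,  -- shadow account created on that server
    PRIMARY KEY (om_account, server_model),
    UNIQUE (server_model, shadow_name)  -- one shadow account serves exactly one O&M user
);
"""

# Both strings end up as arguments to a creation script, so they are
# restricted before anything is built from them.
_SAFE = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


def shadow_name_for(om_account: str) -> str:
    """Derive the shadow account name from the O&M user name.

    The patent allows the shadow account to reuse the O&M user name; here a
    '$' suffix is appended (assumption) so that bastion-created accounts are
    easy to tell apart on the server."""
    if not _SAFE.match(om_account):
        raise ValueError(f"unsafe O&M account string: {om_account!r}")
    return om_account + "$"


def failing_script(server_model: str, shadow_name: str) -> None:
    """Constructed stand-in for a creation script that fails on the server."""
    raise RuntimeError(f"creation of {shadow_name} on {server_model} failed")


class ShadowAccountBroker:
    """Owns the binding table and the provisioning hook."""

    def __init__(self, provision: Callable[[str, str], None],
                 conn: Optional[sqlite3.Connection] = None) -> None:
        # Hypothetical hook: in a real deployment this runs the shadow account
        # creation script on the application server identified by the model.
        self.provision = provision
        self.conn = conn if conn is not None else sqlite3.connect(":memory:")
        self.conn.executescript(SCHEMA)

    def lookup(self, om_account: str, server_model: str) -> Optional[str]:
        """Steps S142 / S144: return the bound shadow account, or None."""
        row = self.conn.execute(
            "SELECT shadow_name FROM shadow_binding "
            "WHERE om_account = ? AND server_model = ?",
            (om_account, server_model),
        ).fetchone()
        return row[0] if row else None

    def get_or_create(self, om_account: str, server_model: str) -> str:
        """Steps S142 to S148: look up, else create on the server and bind.

        The binding row is inserted and the creation script run inside one
        transaction, so a failed script leaves no dangling binding, and the
        primary key stops a second login from provisioning a duplicate."""
        if not _SAFE.match(server_model):
            raise ValueError(f"unsafe server model string: {server_model!r}")
        existing = self.lookup(om_account, server_model)
        if existing is not None:
            return existing
        name = shadow_name_for(om_account)
        with self.conn:  # commits on success, rolls back on exception
            self.conn.execute(
                "INSERT INTO shadow_binding (om_account, server_model, shadow_name) "
                "VALUES (?, ?, ?)",
                (om_account, server_model, name),
            )
            self.provision(server_model, name)
        return name


if __name__ == "__main__":
    # Constructed demo: two O&M users share one application server model and
    # each receives its own shadow account; a repeat login reuses it.
    created = []
    broker = ShadowAccountBroker(lambda model, name: created.append((model, name)))
    for user in ("ops_a", "ops_b", "ops_a"):
        print(user, "->", broker.get_or_create(user, "win-app-01"))
    print("provisioned:", created)
```

The composite primary key is what turns the patent's "one shadow account per O&M user per server" into something the database enforces rather than something the script is trusted to get right; the UNIQUE constraint on (server_model, shadow_name) additionally refuses to bind one shadow account to two O&M users, which is the data-isolation invariant the whole scheme rests on.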
In addition, the operation and maintenance are essentially acceptable states in terms of cost, stability and efficiency for operation and maintenance of the network, server and service at each stage of the life cycle. The operation and maintenance operations implemented in the application server in this embodiment may be service monitoring, service fault management, service capacity management, service performance optimization, service global traffic scheduling, service task scheduling, service security assurance, service cluster management, service automatic release deployment, database management, data transmission management, and the like.
To work together with the operation and data isolation method described above, this embodiment of the application further provides an operation and data isolation device 20.
Referring to fig. 3, fig. 3 is a schematic block diagram of an operation and data isolation device according to an embodiment of the present application.
The operation and data isolation device 20 includes:
a login information obtaining module 21, configured to obtain login information of an operation and maintenance user, where the login information includes an operation and maintenance account; and
a shadow account login module 22, configured to invoke the shadow account bound to the operation and maintenance account to log in to the application server, so that the operation and maintenance user performs operation and maintenance in the application server through the shadow account.
Optionally, the login information obtaining module 21 is configured to: receive login information sent by the operation and maintenance user through a remote terminal protocol program; and, after the login information passes verification, connect the operation and maintenance user's device on the basis of the remote terminal protocol.
Optionally, the operation and data isolation device 20 further includes a shadow account obtaining module, configured to determine whether a shadow account bound to the operation and maintenance account exists on the application server, and to obtain that shadow account when it exists.
Optionally, the shadow account obtaining module is configured to query the database, on the basis of the operation and maintenance account and the application server model, for whether a shadow account bound to the operation and maintenance account exists.
Optionally, the operation and data isolation device 20 further includes a shadow account creation module, configured to create a shadow account on the application server when no shadow account bound to the operation and maintenance account exists there, and to bind the shadow account to the operation and maintenance account.
Optionally, the shadow account creation module is configured to call a shadow account creation script to create the shadow account on the application server when no shadow account bound to the operation and maintenance account exists there.
Optionally, the shadow account creation module is configured to determine a unique credential of the operation and maintenance account, and to associate the shadow account with the operation and maintenance account on the basis of that unique credential to complete the binding.
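The binding scheme described above (unique credential as key, shadow account as value, optionally combined with the application server model) and the module sequence just listed (verify the login information, look up the bound shadow account, create one through a script if none exists, record the binding, then log in) can be modelled end to end. The following Python is an added example written for this page; it is not code from the patent or its assignee. It assumes an in-memory sqlite table as the binding database, a dictionary standing in for the application server's account list, a hash-derived account name in place of the real creation script, and, because the claims require different operators who share one operation and maintenance account to receive different shadow accounts, it includes the operator identity in the key next to the account user name and server model. All names (LoginInfo, ShadowAccountBroker, demo, the field names) and the sample operators and passwords are constructed for the example.

```python
import hashlib
import hmac
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class LoginInfo:
    """Login information as the description defines it (field names assumed)."""
    oam_user: str       # human operator, e.g. "alice"
    password: str       # operator's own password, verified before any connection
    oam_account: str    # shared O&M account on the server, e.g. "admin"
    server_model: str   # application server model used as an extra credential


class ShadowAccountBroker:
    """Stand-in for the isolation device: a sqlite binding table plus a dict that
    plays the role of the application server's account list (both assumptions)."""

    def __init__(self, operator_passwords):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE shadow_binding ("
            " oam_user TEXT NOT NULL, oam_account TEXT NOT NULL,"
            " server_model TEXT NOT NULL, shadow_account TEXT NOT NULL UNIQUE,"
            " PRIMARY KEY (oam_user, oam_account, server_model))")
        # Constructed credential store: operator -> (salt, PBKDF2-SHA256 hash).
        self._creds = {}
        for user, pw in operator_passwords.items():
            salt = hashlib.sha256(b"demo-salt:" + user.encode()).digest()[:16]
            self._creds[user] = (salt, self._kdf(pw, salt))
        self.server_accounts = {}  # server_model -> set of account names present

    @staticmethod
    def _kdf(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def verify_login(self, info):
        """Step 1: verify the login information before connecting the operator."""
        rec = self._creds.get(info.oam_user)
        if rec is None:
            return False
        salt, digest = rec
        return hmac.compare_digest(digest, self._kdf(info.password, salt))

    def find_shadow_account(self, info):
        """Step 2: query the binding database by (operator, O&M account user name,
        server model); None means no shadow account exists yet."""
        row = self.conn.execute(
            "SELECT shadow_account FROM shadow_binding"
            " WHERE oam_user=? AND oam_account=? AND server_model=?",
            (info.oam_user, info.oam_account, info.server_model)).fetchone()
        return row[0] if row else None

    def _run_creation_script(self, info):
        """Step 3 (stand-in for the creation script): create the shadow account on
        the application server. The name embeds the operator so the server's own
        logs stay attributable; the hash suffix keeps names unique per key."""
        key = f"{info.oam_user}|{info.oam_account}|{info.server_model}".encode()
        name = f"{info.oam_account}_{info.oam_user}_{hashlib.sha256(key).hexdigest()[:8]}"
        self.server_accounts.setdefault(info.server_model, set()).add(name)
        return name

    def bind(self, info, shadow_account):
        """Step 4: persist the binding under the unique credential(s)."""
        self.conn.execute(
            "INSERT INTO shadow_binding VALUES (?, ?, ?, ?)",
            (info.oam_user, info.oam_account, info.server_model, shadow_account))
        self.conn.commit()

    def login(self, info):
        """Whole flow: verify, look up or create the shadow account, and return the
        account under which the session on the application server is opened."""
        if not self.verify_login(info):
            raise PermissionError("login information failed verification")
        shadow = self.find_shadow_account(info)
        if shadow is None:
            shadow = self._run_creation_script(info)
            self.bind(info, shadow)
        return shadow

    def resolve_operator(self, shadow_account):
        """Audit helper: map a shadow account seen in server logs back to the human
        operator, which a directly shared O&M account cannot do."""
        row = self.conn.execute(
            "SELECT oam_user FROM shadow_binding WHERE shadow_account=?",
            (shadow_account,)).fetchone()
        return row[0] if row else None


def demo():
    """Two constructed operators share the 'admin' O&M account on one server model."""
    broker = ShadowAccountBroker({"alice": "alice-pw", "bob": "bob-pw"})
    a1 = broker.login(LoginInfo("alice", "alice-pw", "admin", "app-srv-v2"))
    b1 = broker.login(LoginInfo("bob", "bob-pw", "admin", "app-srv-v2"))
    a2 = broker.login(LoginInfo("alice", "alice-pw", "admin", "app-srv-v2"))
    a3 = broker.login(LoginInfo("alice", "alice-pw", "admin", "app-srv-v3"))
    return broker, a1, b1, a2, a3


if __name__ == "__main__":
    broker, a1, b1, a2, a3 = demo()
    print("alice:", a1, "| bob:", b1, "| alice again:", a2, "| alice on v3:", a3)
    print("audit:", b1, "-> operator", broker.resolve_operator(b1))
```

Running `demo()` shows alice and bob, who both log in to the shared `admin` account on the same server model, landing on different shadow accounts; alice gets the same shadow account on her second login and a different one on a different server model, which is the effect of using the server model as a second credential. The `resolve_operator` helper is the audit-side benefit of the scheme: a shadow account that appears in the application server's logs maps back to one human operator, which a shared account logged in directly cannot provide.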
The embodiment of the application also provides electronic equipment, which comprises a memory and a processor, wherein the memory stores program instructions, and when the processor reads and runs the program instructions, the processor executes the steps in any one of the operation and data isolation methods provided by the embodiment.
It should be understood that the electronic device may be a personal computer (Personal Computer, PC), tablet computer, smart phone, personal digital assistant (Personal Digital Assistant, PDA), or the like, having a logic computing function.
Embodiments of the present application also provide a readable storage medium having stored therein computer program instructions which, when read and executed by a processor, perform steps in a method of operation and data isolation.
In summary, the embodiments of the present application provide a method, an apparatus, an electronic device, and a storage medium for operation and data isolation, where the method includes: obtaining login information of an operation and maintenance user, the login information including an operation and maintenance account; and invoking the shadow account bound to the operation and maintenance account to log in to an application server, so that the operation and maintenance user performs operation and maintenance in the application server through the shadow account.
In the implementation, separate shadow accounts of the same operation and maintenance account are created for different operation and maintenance users, which isolates the data of different users from one another and avoids the data pollution that arises when several users operate the same account. At the same time the configuration is simple: only one administrator account needs to be configured, which simplifies the steps required for data isolation.
In the several embodiments provided in this application, it should be understood that the disclosed apparatus may be implemented in other ways. The apparatus embodiments described above are merely illustrative, for example, block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of devices according to various embodiments of the present application. In this regard, each block in the block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams, and combinations of blocks in the block diagrams, can be implemented by special purpose hardware-based systems that perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. The present embodiment therefore also provides a readable storage medium having stored therein computer program instructions which, when read and executed by a processor, perform the steps of any one of the methods of block data storage. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk or an optical disk, or other various media capable of storing program codes.
The foregoing is merely exemplary embodiments of the present application and is not intended to limit the scope of the present application, and various modifications and variations may be suggested to one skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the present application should be included in the protection scope of the present application. It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application.
It is noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising ..." does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.

Claims (10)

1. A method of operation and data isolation, the method comprising:
acquiring login information of an operation and maintenance user, wherein the login information comprises an operation and maintenance account, and the operation and maintenance account represents a user account accessing a server;
and calling the shadow account bound with the operation and maintenance account to log in an application server so that the operation and maintenance user logs in the operation and maintenance in the application server through the shadow account, wherein the shadow account bound by different operation and maintenance users is different under the condition that different operation and maintenance users log in the same operation and maintenance account, and the shadow account represents a hidden account and is used for searching and processing data which are not put in an external account.
2. The method of claim 1, wherein the obtaining login information of the operation and maintenance user comprises:
receiving the login information sent by the operation and maintenance user through a remote terminal protocol program;
and after the login information passes the verification, connecting the equipment of the operation and maintenance user based on a remote terminal protocol.
3. The method of claim 1, wherein prior to the invoking the shadow account bound to the operation and maintenance account logging on to the application server, the method further comprises:
judging whether a shadow account number bound with the operation and maintenance account exists on the application server;
and when the shadow account number bound with the operation and maintenance account exists on the application server, acquiring the shadow account number.
4. The method of claim 3, wherein the determining whether the shadow account number bound to the operation and maintenance account exists on the application server comprises:
and inquiring whether the shadow account number bound with the operation and maintenance account exists in a database based on the operation and maintenance account and the model of the application server.
5. The method of claim 3, wherein after the determining whether the shadow account number bound to the operation and maintenance account exists on the application server, the method further comprises:
creating a shadow account on the application server when the shadow account bound with the operation and maintenance account does not exist on the application server;
and binding the shadow account with the operation and maintenance account.
6. The method of claim 3, wherein creating a shadow account on the application server when there is no shadow account bound to the operation and maintenance account on the application server comprises:
and when the shadow account number bound with the operation and maintenance account number does not exist on the application server, calling a shadow account number creation script to create the shadow account number on the application server.
7. The method of claim 5, wherein binding the shadow account number with the operation and maintenance account comprises:
determining a unique credential for the operation and maintenance account;
and associating the shadow account with the operation and maintenance account based on the unique credential to finish binding.
8. An operation and data isolation device, the device comprising:
the login information acquisition module is used for acquiring login information of an operation and maintenance user, wherein the login information comprises an operation and maintenance account, and the operation and maintenance account represents a user account accessing a server;
and the shadow account login module is used for calling the shadow account bound with the operation and maintenance account to log in an application server so that the operation and maintenance user logs in the operation and maintenance in the application server through the shadow account, wherein the shadow account bound by different operation and maintenance users is different under the condition that different operation and maintenance users log in the same operation and maintenance account, and the shadow account represents a hidden account and is used for checking and processing data which are not put in an external account.
9. An electronic device comprising a memory and a processor, the memory having stored therein program instructions which, when executed by the processor, perform the steps of the method of any of claims 1-7.
10. A readable storage medium, characterized in that the readable storage medium has stored therein computer program instructions which, when executed by a processor, perform the steps of the method of any of claims 1-7.
Application CN202011114807.XA, priority date 2020-10-16, filing date 2020-10-16: Operation and data isolation method and device, electronic equipment and storage medium (Active, CN112231654B, en)

Publications (2)

Publication Number Publication Date
CN112231654A (en) 2021-01-15
CN112231654B (en, granted) 2024-02-06

Family ID=74118864

Country Status (1)

Country Link
CN (1) CN112231654B (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant