CN112434310A - Storage facility digital right protection method and device - Google Patents
Storage facility digital right protection method and device Download PDFInfo
- Publication number
- CN112434310A CN112434310A CN201910786160.6A CN201910786160A CN112434310A CN 112434310 A CN112434310 A CN 112434310A CN 201910786160 A CN201910786160 A CN 201910786160A CN 112434310 A CN112434310 A CN 112434310A
- Authority
- CN
- China
- Prior art keywords
- digital
- storage
- data
- digital right
- rights
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 title claims abstract description 33
- 238000011217 control strategy Methods 0.000 claims abstract description 55
- 238000007726 management method Methods 0.000 claims description 38
- 238000004422 calculation algorithm Methods 0.000 claims description 19
- 238000013500 data storage Methods 0.000 claims description 16
- 238000006243 chemical reaction Methods 0.000 claims description 4
- 238000000926 separation method Methods 0.000 abstract description 7
- 230000006870 function Effects 0.000 description 21
- 238000012423 maintenance Methods 0.000 description 16
- 230000007246 mechanism Effects 0.000 description 10
- 238000010586 diagram Methods 0.000 description 6
- 238000005516 engineering process Methods 0.000 description 6
- 230000008569 process Effects 0.000 description 5
- 230000011218 segmentation Effects 0.000 description 4
- 230000009286 beneficial effect Effects 0.000 description 3
- 230000005540 biological transmission Effects 0.000 description 3
- 238000013461 design Methods 0.000 description 3
- 238000012986 modification Methods 0.000 description 3
- 230000004048 modification Effects 0.000 description 3
- 238000000638 solvent extraction Methods 0.000 description 3
- 238000012550 audit Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000008520 organization Effects 0.000 description 2
- 241000282414 Homo sapiens Species 0.000 description 1
- 230000004075 alteration Effects 0.000 description 1
- 238000013459 approach Methods 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000004891 communication Methods 0.000 description 1
- 238000004590 computer program Methods 0.000 description 1
- 230000007547 defect Effects 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 230000002708 enhancing effect Effects 0.000 description 1
- 239000000835 fiber Substances 0.000 description 1
- 238000005192 partition Methods 0.000 description 1
- 238000011084 recovery Methods 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
- 238000012546 transfer Methods 0.000 description 1
- 238000011426 transformation method Methods 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
- G06F21/45—Structures or tools for the administration of authentication
- G06F21/46—Structures or tools for the administration of authentication by designing passwords or checking the strength of passwords
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- General Health & Medical Sciences (AREA)
- Bioethics (AREA)
- Health & Medical Sciences (AREA)
- Automation & Control Theory (AREA)
- Storage Device Security (AREA)
Abstract
The embodiment of the invention provides a storage facility digital right protection method and a device, wherein the method comprises the following steps: setting and controlling a digital right control strategy by a safety manager; the digital right controller provides digital right protection storage service according to digital right control strategy, and the digital right protection storage service provided by different digital right control strategies outputs different secret storage data codes; the secret storage data coding can be decoded out the customer data only by the digital right controller with the same digital right control strategy; the storage client uses the digital right protection storage service to store client data, and the client data is encrypted by the digital right controller according to the digital right control strategy to be encrypted to be stored in a ciphertext form after being encoded into the encrypted storage data. The apparatus includes a rights console for managing a rights control policy and a rights gateway for executing the policy. The invention is used for guaranteeing the use control right of the data ownership person to the data and solving the problem of data safety runaway caused by mutual separation of the data ownership and the use right.
Description
Technical Field
The invention relates to the field of information security, in particular to a storage facility digital right protection method and device.
Background
In the big data age, the digital rights become another basic right of human beings after the personal rights and the property rights, and the digital rights relate to personal data privacy, enterprise data property rights and even national data ownership. Data ownership and use right separation are the main contradictions of data security, and a series of security problems such as data leakage, stealing, tampering and the like are caused.
The digital rights refer to rights generated by data in the whole life cycle treatment process and relate to personal privacy, data property rights, national ownership and other rights and interests. The digital rights body refers to the owner of the data control rights, may be a natural person, a legal person, an illegal person organization, and the like, and is often a specific object to which the data is directed or a collector, storage, transmission, and processor of the data. The weight object is data, namely a coded set of information with certain rules or values related to the weight. The digital right protection is the complete control right which is shared by the digital right subject to the digital right object, so that the digital right object is under the legal control of the digital right subject, and the digital right subject has the right of the legal control data object which can be freely exercised and is not interfered by others. The essence of the digital rights protection is the control of a digital rights object by a digital rights subject, in order to guarantee the rights and interests of the digital rights subject, the digital rights subject is used as an administrator to influence and dominate controlled objects related to the whole life cycle of the digital rights object, and the controlled objects comprise software and hardware facilities in the aspects of calculation, storage and transmission, such as a signal source, a channel, a signal sink, an encoder, a decoder and the like.
Network Storage (Network Storage) is a way of storing data, and Network Storage structures are roughly divided into three types: direct Attached Storage (DAS), Network Attached Storage (NAS), and Storage Area Network (SAN). Cloud storage (Cloud storage) is a mode of online storage, i.e., data is stored on multiple virtual servers, usually hosted by third parties, rather than on dedicated storage devices. The cloud storage is a system which integrates and works together a large number of different types of storage devices in a network through application software through functions of cluster application, a grid technology or a distributed file system and the like, and provides data storage and service access functions to the outside.
The storage facilities such as network storage and cloud storage have the following security defects: the user of the storage facility deploys the service system program code and the service data on the storage facility, the ownership and the use right of the storage client data are separated from each other, and personnel (such as system administrators, operation and maintenance personnel, DB engineers, hackers, spyware and the like) with higher access rights of the storage facility can directly steal and reveal the storage client data from the storage facility, wherein the storage client data comprises sensitive authentication data, important service data, important audit data, important configuration data, important video data, important personal information and the like.
Disclosure of Invention
The embodiment of the invention provides a method and a device for protecting the data rights of storage facilities, which are used for guaranteeing the use control rights of data ownership persons to data, solving the problem of data security runaway caused by mutual separation of the data ownership rights and the use rights, and preventing the security risks of stealing, leaking and diffusing the data of storage customers from the storage facilities by personnel (such as system managers, operation and maintenance personnel, DB engineers, hackers, spyware and the like) with higher access rights of the storage facilities.
In one aspect, an embodiment of the present invention provides a method for protecting storage facility rights, where the method includes:
setting and controlling a digital right control strategy by a safety manager;
the digital right controller provides digital right protection storage service according to the digital right control strategy;
the storage client uses the digital right protection storage service to store client data, and the client data is encrypted by the digital right controller according to the digital right control strategy to be encrypted to be stored in a form of ciphertext.
Preferably, the number right control strategy is set by a security manager, and is encrypted and stored by using a number right protection password provided by the security manager, and the security manager has complete control right to the number right control strategy; the security manager manufactures a plurality of mutually-replaced digital right controllers by using the same digital right control strategy; and when the digital right controller starts the digital right control strategy, the digital right protection password of the security manager is input.
Preferably, the digital rights control strategy comprises an algorithm used for encoding the secret storage data, and the algorithm supports cryptographic algorithms SM1, SM2, SM3, SM4, SM9 and secret partitioning algorithm.
Preferably, the security manager controls the digital right protection storage service provided by the digital right controller through the digital right control strategy, and the confidential storage data codes output by the digital right protection storage service provided by different digital right control strategies are different; the secure storage data encoding is performed by the digital rights controller with the same digital rights control strategy to decode the client data.
Preferably, the number right controller can execute N different number right control strategies, wherein N is a natural number larger than 0.
Preferably, the digital rights protection storage service adopts standard storage protocols, including NAS protocol and SAN protocol.
Preferably, the digital right controller is a storage boundary security protection facility, takes over data storage space of the storage facility, and provides digital right protection storage service for users in a manner of a logical hard disk, and a storage client deploys client data on the logical hard disk, and the control right of the storage client belongs to security management personnel but not to the storage client; the digital right controller performs data coding conversion on the client data on the logic hard disk according to a digital right protection strategy to obtain ciphertext data, and stores the ciphertext data in the storage facility; data on the storage facility is ciphertext data which must pass through the digital rights controller to recover the client data by using the digital rights protection strategy.
On the other hand, the embodiment of the present invention provides a storage facility digital right protection device, where the device includes two component unit modules, namely a digital right console and a digital right gateway, where:
the digital right console is a unit module for setting and controlling a digital right control strategy by a security manager;
the digital right gateway is a unit module for executing the digital right control strategy, provides digital right protection storage service according to the digital right control strategy, stores client data by using the digital right protection storage service, and stores the client data in a form of a ciphertext after carrying out secret coding on the client data according to the digital right control strategy by the digital right gateway for providing the digital right protection storage service to obtain secret storage data code.
Preferably, the digital right console provides a digital right control policy setting function for security management personnel, and encrypts the digital right control policy by using a digital right protection password provided by the security management personnel; the security manager creates a plurality of mutually-replaced digital rights gateways at the digital rights console by using the same digital rights control strategy.
Preferably, when the digital right gateway executes different digital right control strategies, the secret storage data codes generated by the digital right protection storage service are different, and the secret storage data codes can be decoded by the digital right gateway with the same digital right control strategy; when the digital right control strategy is started, a digital right protection password of a security manager needs to be input.
The technical scheme has the following beneficial effects: 1. aiming at the data security risks such as data leakage, stealing and tampering caused by separation of data ownership and use right in the data storage process, a storage data security control technical mechanism is provided for storage customers, and a data security back door of a storage facility is prevented. The security protection function for preventing the high-authority personnel (such as system managers, operation and maintenance personnel, DB engineers, hackers and the like) of the storage facility from directly stealing the user data from the storage facility by taking the storage facility as a back door, thereby realizing the unusable security protection function of copying the data from the storage equipment of the storage facility. 2. The data owner guarantees the control right of the data through a management control digital right protection strategy and a digital right controller, the safety intensity that the data cannot be stolen even if the storage facility is taken away is achieved, and the user data safety bottom line is watched from the data storage protocol level. 3. The data security multi-person management technical mechanism is realized, and technical support is provided for establishing a network security level protection work responsibility system and implementing a responsibility pursuit system. The security technology guarantee system is characterized in that a secret segmentation technology is preferentially adopted on the general technical route, data are divided into a plurality of secret data packets, the secret data packets are respectively stored on a plurality of different storage devices and are respectively managed by a plurality of operation and maintenance personnel, a safety mechanism of multi-person management is technically realized, the risk of data leakage caused by over-centralized storage and management authority is prevented, and the security technology guarantee system with the functions of division of work and responsibility, division of operation and maintenance, division of security and treatment and incapability of disclosure of any single party is established.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flow chart of a method for protecting the digital rights of a storage facility according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a storage facility digital rights protection apparatus according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a storage facility digital rights protection system according to an embodiment of the present invention;
FIG. 4 is a flow chart of a method for protecting storage rights according to an embodiment of the present invention;
fig. 5 is a schematic structural diagram of a digital rights protection network storage system according to an application example of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in fig. 1, a flowchart of a method for protecting storage device rights according to an embodiment of the present invention is shown, where the method includes:
101. setting and controlling a digital right control strategy by a safety manager;
102. the digital right controller provides digital right protection storage service according to the digital right control strategy;
103. the storage client uses the digital right protection storage service to store client data, and the client data is encrypted by the digital right controller according to the digital right control strategy to be encrypted to be stored in a form of ciphertext.
Preferably, the number right control strategy is set by a security manager, and is encrypted and stored by using a number right protection password provided by the security manager, and the security manager has complete control right to the number right control strategy; the security manager manufactures a plurality of mutually-replaced digital right controllers by using the same digital right control strategy; and when the digital right controller starts the digital right control strategy, the digital right protection password of the security manager is input.
Preferably, the security manager controls the digital right protection storage service provided by the digital right controller through the digital right control strategy, and the confidential storage data codes output by the digital right protection storage service provided by different digital right control strategies are different; the secure storage data encoding is performed by the digital rights controller with the same digital rights control strategy to decode the client data.
Preferably, the number right controller can execute N different number right control strategies, wherein N is a natural number larger than 0.
Preferably, the digital rights protection storage service adopts standard storage protocols, including NAS protocol and SAN protocol.
Preferably, the digital right controller is a storage boundary security protection facility, takes over data storage space of the storage facility, and provides digital right protection storage service for users in a manner of a logical hard disk, and a storage client deploys client data on the logical hard disk, and the control right of the storage client belongs to security management personnel but not to the storage client; the digital right controller performs data coding conversion on the client data on the logic hard disk according to a digital right protection strategy to obtain ciphertext data, and stores the ciphertext data in the storage facility; data on the storage facility is ciphertext data which must pass through the digital rights controller to recover the client data by using the digital rights protection strategy.
Preferably, the digital rights control strategy comprises an algorithm used for encoding the secret storage data, and the algorithm supports cryptographic algorithms SM1, SM2, SM3, SM4, SM9 and secret partitioning algorithm.
Fig. 2 is a schematic structural diagram of a storage facility digital rights protection apparatus according to an embodiment of the present invention, where the apparatus includes: the digital right control platform 21 and the digital right gateway 22, wherein the digital right control platform 21 is a unit module for setting and controlling a digital right control strategy by a security manager; the digital right gateway 22 is a unit module for executing the digital right control strategy, provides digital right protection storage service according to the digital right control strategy, stores client data by using the digital right protection storage service, and stores the client data in the form of ciphertext after the client data is encrypted and encoded into the encrypted storage data by the digital right gateway 22 for providing the digital right protection storage service according to the digital right control strategy.
Preferably, the digital right console 21 provides a function of setting a digital right control policy for security management personnel, and encrypts the digital right control policy by using a digital right protection password provided by the security management personnel; the security manager creates a plurality of mutually-replaced digital rights gateways at the digital rights console by using the same digital rights control strategy.
Preferably, when the digital right gateway 22 executes different digital right control policies, the secret storage data codes generated by the digital right protection storage service provided by the digital right protection storage service are different, and the secret storage data codes can be decoded by the digital right gateways with the same digital right control policies; when the digital right control strategy is started, a digital right protection password of a security manager needs to be input.
The digital rights refer to rights generated by data in the whole life cycle treatment process, and relate to personal privacy, data property rights, national ownership and other rights and interests. The digital rights body refers to the owner of the data control rights, may be a natural person, a legal person, an illegal person organization, and the like, and is often a specific object to which the data is directed or a collector, storage, transmission, and processor of the data. The weight object is data, namely a coded set of information with certain rules or values related to the weight.
The digital rights protection is the complete control right which is shared by the digital rights subject to the digital rights object, so that the digital rights object is under the legal control of the digital rights subject, and the digital rights subject has the right of the legal control data object which can be freely exercised and is not interfered by others. The essence of the digital rights protection is the control of the digital rights object by the digital rights host, and in order to guarantee the rights of the digital rights host, the digital rights host is used as an administrator to influence and govern the information source, the channel, the information sink, the encoder and the decoder related to the full life cycle of the digital rights object.
The above-described embodiments of the invention are explained in detail below by way of application examples:
as shown in fig. 3, a schematic structural diagram of a storage facility digital rights protection system according to an application example of the present invention is shown, where the storage facility digital rights protection system includes: storage facilities, a digital right controller and a logic hard disk.
The logic hard disk is storage infrastructure service provided by the digital right controller to the outside, data storage space is provided for users, and users use the logic hard disk through computing facilities and deploy user data on the logic hard disk; the computing facility includes: computers, servers, mobile phones, cloud computing virtual machines; the user data includes: a user's service system program code and user service data; the user refers to a user of the logic hard disk, and the method comprises the following steps: individuals, enterprises, governments and military forces.
The digital right controller is a storage boundary safety protection facility, takes over the data storage space of the storage facility, provides a logic hard disk for users, the storage facility does not directly provide data storage service to the outside, users deploy user data on the logic hard disk for protecting digital rights, and the control right of the digital right controller belongs to a data ownership person but not to the users.
The storage facility is a storage resource pool formed by uniformly managing and scheduling a plurality of storage resources connected by a network, provides data storage service, and comprises: physical storage devices, network storage, cloud storage.
The storage facility digital rights protection system is characterized as follows:
the digital right controller is arranged in a storage security domain, is a boundary security protection facility of a storage facility, takes over a data storage space of the storage facility, and provides a logic hard disk service to the outside, and the storage facility does not directly provide a data storage service to the outside; and providing the logic hard disk for a user through the digital right controller, wherein the user deploys program codes and data on the logic hard disk, and the user data can be stored on the storage facility only through the digital right controller.
The digital right controller carries out data coding conversion on the user data on the logic hard disk according to a digital right protection strategy to obtain ciphertext data, and the ciphertext data is stored on the storage facility; data on the storage facility is ciphertext data which must pass through the digital right controller and the digital right protection strategy is used for recovering the user data.
The data owner manages and controls the digital right controller by managing the digital right protection strategy to realize absolute control on the user data on the logic hard disk; the data ownership person refers to an ownership person of the data storage space of the logical hard disk, and is an owner and a management controller of the logical hard disk; the digital right controller is only an execution unit of the digital right protection strategy, and the digital right controller cannot independently restore ciphertext data to the user data and must use the corresponding digital right protection strategy.
The data coding transformation method adopted by the digital right protection strategy can comprise data encryption cryptographic algorithms SM1, SM2, SM3, SM4, SM9 and secret partition algorithm.
Preferably, the data encryption method adopted by the digital rights protection policy adopts a cryptographic algorithm, specifically including algorithms of SM1, SM2, SM3, SM4 and the like.
Preferably, the digital rights protection strategy adopts a data partitioning technical route.
Preferably, the digital right controller provides a digital right protection management function for the user, and the data owner manages the mounting of the storage facility, the access security authentication of the storage space of the logic hard disk and the logic hard disk, and the management of the secret segmentation algorithm and the algorithm parameters thereof through the digital right protection management function.
Preferably, the data owner realizes the uniform security management control of the digital rights controller through the digital rights protection strategy, so that the security protection effect of the user data stored in the storage facility cannot be recovered under the condition that a matched digital rights protection strategy or a starting password of the matched digital rights protection strategy does not exist; in the case that the digital rights protection policy is changed, the digital rights controller cannot read the stored data stored in the storage facility; after the right controller fails, new equipment can be replaced, data storage access is recovered through the right protection strategy recovery function, and data loss and data damage cannot be caused.
As shown in fig. 4, a flowchart of a storage right protection method according to an application example of the present invention is shown, where the method includes:
401. the digital rights protection mechanism setting comprises the following steps: the digital right controller and the storage facility are deployed in a storage security domain, so that the digital right controller is ensured to play a role in security protection of a storage boundary; setting a multi-member management mechanism, and setting different management roles of data security management personnel, system operation and maintenance management personnel, logic hard disk users and the like; the data security manager sets a digital protection strategy on behalf of a data owner, the system operation and maintenance manager performs operation and maintenance management on system software and system hardware, and a logic hard disk user mounts and uses the logic hard disk on a computing facility.
402. The logical hard disk stores user data. And installing and deploying program codes and business data in the storage facility service unit by the system operation and maintenance manager.
403. And converting the user data into ciphertext data for storage. According to the setting of the digital right protection strategy, the digital right controller encodes and converts the user data into ciphertext data and writes the ciphertext data into the storage facility. Data on the storage facility are all ciphertext data, and user data can be reconstructed only by using a digital right protection strategy through a digital right controller.
The technical scheme has the following beneficial effects:
1. a data security back door of the storage facility is guarded against. The security protection function for preventing the high-authority personnel (such as system managers, operation and maintenance personnel, DB engineers, hackers and the like) of the storage facility from directly stealing the user data from the storage facility by taking the storage facility as a back door, thereby realizing the unusable security protection function of copying the data from the storage equipment of the storage facility.
2. The data owner guarantees the absolute control right of the data through a management control digital right protection strategy and a digital right controller, the safety intensity that the data cannot be stolen even if the storage facility is taken away is achieved, and the user data safety bottom line is watched from the data storage protocol level.
3. The technical mechanism of data safety multi-member management is realized, the risk of data leakage caused by too concentrated storage management authority is prevented, a secret segmentation technology is preferentially adopted on the overall technical route, data are divided into a plurality of confidential data packets which are respectively stored on a plurality of different storage devices and are respectively managed by a plurality of operation and maintenance personnel, the safety mechanism of multi-member management is technically realized, and a safety technical support system with the functions of division of labor, separation of duties, division of management of operation and maintenance and division of treatment of safety and incapability of secret leakage of any single party is established.
As shown in fig. 5, a schematic diagram of a structure of a digital rights protection network storage system according to an application example of the present invention includes: the system comprises a storage facility, a digital right controller, a logic hard disk and a terminal management and control platform.
The storage facility and the digital rights controller are deployed in the storage security domain, wherein the digital rights controller is a security boundary protection facility of the storage security domain and protects the data ownership and the management rights on the storage facility.
The logic hard disk and the terminal management and control platform are deployed in the computing security domain, wherein the terminal management and control platform is a security boundary protection facility of the computing security domain and protects the data access security of the logic hard disk.
The digital rights controller provides a secure boundary guard function for the storage facility. The digital rights controller takes over the storage space on the storage facility and protects against illegal theft and tampering of data from the storage device and storage media.
Preferably, the digital right controller adopts a secret division technical route to establish a safety technical mechanism of role division, role separation, data division, operation and maintenance management and safety division, wherein any one party cannot be divulged.
The digital right controller provides logic hard disks for the computing equipment for computing the security domain according to a standard storage protocol, the use mode of the logic hard disks is the same as that of the built-in hard disk of the computing equipment, and the logic hard disks are taken over by an operating system of the computing equipment for use.
The terminal management and control platform provides a computing facility security boundary protection function for the computing security domain, and on the computing equipment, the terminal security management and control platform is used for enhancing the security of the terminal equipment, including terminal audit, terminal management and control and the like, user authority division, user password setting meeting corresponding strength requirements, unnecessary service and port closing are well done, and the security protection strength and efficiency of the operating system are enhanced.
The technical scheme has the following beneficial effects:
1. the safety boundary protection of the computing facility is realized, the data is prevented from being illegally copied from the logic hard disk of the computing facility, and the safety risk of data leakage of the computing facility is prevented;
2. a data security back door of the storage facility is guarded against. The security protection function for preventing the high-authority personnel (such as system managers, operation and maintenance personnel, DB engineers, hackers and the like) of the storage facility from directly stealing the user data from the storage facility by taking the storage facility as a back door, thereby realizing the unusable security protection function of copying the data from the storage equipment of the storage facility.
3. The data owner guarantees the absolute control right of the data through a management control digital right protection strategy and a digital right controller, the safety intensity that the data cannot be stolen even if the storage facility is taken away is achieved, and the user data safety bottom line is watched from the data storage protocol level.
4. The technical mechanism of data safety multi-member management is realized, the risk of data leakage caused by too concentrated storage management authority is prevented, a secret segmentation technology is preferentially adopted on the overall technical route, data are divided into a plurality of confidential data packets which are respectively stored on a plurality of different storage devices and are respectively managed by a plurality of operation and maintenance personnel, the safety mechanism of multi-member management is technically realized, and a safety technical support system with the functions of division of labor, separation of duties, division of management of operation and maintenance and division of treatment of safety and incapability of secret leakage of any single party is established.
It should be understood that the specific order or hierarchy of steps in the processes disclosed is an example of exemplary approaches. Based upon design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged without departing from the scope of the present disclosure. The accompanying method claims present elements of the various steps in a sample order, and are not intended to be limited to the specific order or hierarchy presented.
In the foregoing detailed description, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments of the subject matter require more features than are expressly recited in each claim. Rather, as the following claims reflect, invention lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate preferred embodiment of the invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. To those skilled in the art; various modifications to these embodiments will be readily apparent, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
What has been described above includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the aforementioned embodiments, but one of ordinary skill in the art may recognize that many further combinations and permutations of various embodiments are possible. Accordingly, the embodiments described herein are intended to embrace all such alterations, modifications and variations that fall within the scope of the appended claims. Furthermore, to the extent that the term "includes" is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim. Furthermore, any use of the term "or" in the specification of the claims is intended to mean a "non-exclusive or".
Those of skill in the art will further appreciate that the various illustrative logical blocks, units, and steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate the interchangeability of hardware and software, various illustrative components, elements, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design requirements of the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present embodiments.
The various illustrative logical blocks, or elements, described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. For example, a storage medium may be coupled to the processor such the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC, which may be located in a user terminal. In the alternative, the processor and the storage medium may reside in different components in a user terminal.
In one or more exemplary designs, the functions described above in connection with the embodiments of the invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, the functions may be stored on or transmitted over as one or more instructions or code on a computer-readable medium. Computer-readable media includes both computer storage media and communication media that facilitate transfer of a computer program from one place to another. Storage media may be any available media that can be accessed by a general purpose or special purpose computer. For example, such computer-readable media can include, but is not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store program code in the form of instructions or data structures and which can be read by a general-purpose or special-purpose computer, or a general-purpose or special-purpose processor. Additionally, any connection is properly termed a computer-readable medium, and, thus, is included if the software is transmitted from a website, server, or other remote source via a coaxial cable, fiber optic cable, twisted pair, Digital Subscriber Line (DSL), or wirelessly, e.g., infrared, radio, and microwave. Such discs (disk) and disks (disc) include compact disks, laser disks, optical disks, DVDs, floppy disks and blu-ray disks where disks usually reproduce data magnetically, while disks usually reproduce data optically with lasers. Combinations of the above may also be included in the computer-readable medium.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.
Claims (10)
1. A storage facility rights protection method, the method comprising:
setting and controlling a digital right control strategy by a safety manager;
the digital right controller provides digital right protection storage service according to the digital right control strategy;
the storage client uses the digital right protection storage service to store client data, and the client data is encrypted by the digital right controller according to the digital right control strategy to be encrypted to be stored in a form of ciphertext.
2. The storage facility rights protection method of claim 1, wherein the rights control policy is set by a security manager and stored in an encrypted manner using a rights protection password provided by the security manager, and the security manager has complete control over the rights control policy; the security manager manufactures a plurality of mutually-replaced digital right controllers by using the same digital right control strategy; and when the digital right controller starts the digital right control strategy, the digital right protection password of the security manager is input.
3. The method for protecting the digital rights of the storage facility according to claim 1, wherein the security manager controls the digital rights protection storage service provided by the digital rights controller through digital rights control policies, and the secret storage data codes output by the digital rights protection storage service provided by different digital rights control policies are different; the secure storage data encoding is performed by the digital rights controller with the same digital rights control strategy to decode the client data.
4. The storage facility rights protection method of claim 1, wherein the rights controller is capable of executing N different rights control policies, N being a natural number greater than 0.
5. The storage facility digital rights protection method of claim 1, wherein the digital rights protection storage service employs standard storage protocols including NAS protocol, SAN protocol.
6. The storage facility digital rights protection method of claim 1, wherein the digital rights controller is a storage boundary security protection facility, takes over the data storage space of the storage facility, and provides digital rights protection storage service for users by a logical hard disk on which storage customers deploy customer data, the control right of which belongs to security management personnel and not to the storage customers; the digital right controller performs data coding conversion on the client data on the logic hard disk according to a digital right protection strategy to obtain ciphertext data, and stores the ciphertext data in the storage facility; data on the storage facility is ciphertext data which must pass through the digital rights controller to recover the client data by using the digital rights protection strategy.
7. The storage facility digital rights protection method of claim 2, wherein the digital rights control policy includes an algorithm used for secure storage data encoding, the algorithm supporting cryptographic algorithms SM1, SM2, SM3, SM4, SM9, secret split algorithm.
8. A storage facility rights protection apparatus, the apparatus comprising: a digital rights console, a digital rights gateway, wherein,
the digital right console is a unit module for setting and controlling a digital right control strategy by a security manager;
the digital right gateway is a unit module for executing the digital right control strategy, provides digital right protection storage service according to the digital right control strategy, stores client data by using the digital right protection storage service, and stores the client data in a form of a ciphertext after carrying out secret coding on the client data according to the digital right control strategy by the digital right gateway for providing the digital right protection storage service to obtain secret storage data code.
9. The storage facility digital rights protection device of claim 8, wherein the digital rights console provides a digital rights control policy setting function for security management personnel, and encrypts the digital rights control policy using a digital rights protection password provided by the security management personnel; the security manager creates a plurality of mutually-replaced digital rights gateways at the digital rights console by using the same digital rights control strategy.
10. The storage facility digital rights protection device of claim 8, wherein the digital rights gateway, when executing different digital rights control policies, provides digital rights protection storage services with different security storage data codes, and the security storage data codes are decoded by the digital rights gateway having the same digital rights control policy; when the digital right control strategy is started, a digital right protection password of a security manager needs to be input.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910786160.6A CN112434310A (en) | 2019-08-24 | 2019-08-24 | Storage facility digital right protection method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201910786160.6A CN112434310A (en) | 2019-08-24 | 2019-08-24 | Storage facility digital right protection method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN112434310A true CN112434310A (en) | 2021-03-02 |
Family
ID=74689922
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN201910786160.6A Pending CN112434310A (en) | 2019-08-24 | 2019-08-24 | Storage facility digital right protection method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN112434310A (en) |
Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104767745A (en) * | 2015-03-26 | 2015-07-08 | 浪潮集团有限公司 | Cloud data security protection method |
| US20170272472A1 (en) * | 2016-03-21 | 2017-09-21 | Vireshwar K. Adhar | Method and system for digital privacy management |
| CN107911393A (en) * | 2017-12-28 | 2018-04-13 | 北京明朝万达科技股份有限公司 | A kind of data safety management system and method |
| CN109862564A (en) * | 2019-01-24 | 2019-06-07 | 洋浦吉商生物科技有限公司 | The data-sharing systems of encryption |
-
2019
- 2019-08-24 CN CN201910786160.6A patent/CN112434310A/en active Pending
Patent Citations (4)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104767745A (en) * | 2015-03-26 | 2015-07-08 | 浪潮集团有限公司 | Cloud data security protection method |
| US20170272472A1 (en) * | 2016-03-21 | 2017-09-21 | Vireshwar K. Adhar | Method and system for digital privacy management |
| CN107911393A (en) * | 2017-12-28 | 2018-04-13 | 北京明朝万达科技股份有限公司 | A kind of data safety management system and method |
| CN109862564A (en) * | 2019-01-24 | 2019-06-07 | 洋浦吉商生物科技有限公司 | The data-sharing systems of encryption |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11036869B2 (en) | Data security with a security module | |
| JP7045837B2 (en) | Federated key management | |
| US9516016B2 (en) | Storage array password management | |
| US10211977B1 (en) | Secure management of information using a security module | |
| EP2957063B1 (en) | Policy enforcement with associated data | |
| CN202795383U (en) | Device and system for protecting data | |
| CN101594360B (en) | Local area network system and method for maintaining safety thereof | |
| CN108701094A (en) | The safely storage and distribution sensitive data in application based on cloud | |
| US10887088B2 (en) | Virtualizing a key hierarchy using a partially-oblivious pseudorandom function (P-OPRF) | |
| US10700859B2 (en) | Efficient computation of a threshold partially-oblivious pseudorandom function | |
| JP6669929B2 (en) | System and method for managing encryption keys for single sign-on applications | |
| CN110324358B (en) | Video data management and control authentication method, module, equipment and platform | |
| CN110061983A (en) | A kind of data processing method and system | |
| CN101043335A (en) | Information security control system | |
| CN101827101A (en) | Information asset protection method based on credible isolated operating environment | |
| CN104320389A (en) | Fusion identify protection system and fusion identify protection method based on cloud computing | |
| CN108306972A (en) | A kind of cloud cryptographic service method, platform, system and computer readable storage medium | |
| CN113039542A (en) | Secure counting in cloud computing networks | |
| CN103236930A (en) | Data encryption method and system | |
| US11469880B2 (en) | Data at rest encryption (DARE) using credential vault | |
| CN102333068B (en) | SSH and SFTP (Secure Shell and Ssh File Transfer Protocol)-based tunnel intelligent management and control system and method | |
| CN110543775B (en) | Data security protection method and system based on super-fusion concept | |
| Gupta et al. | A light weight centralized file monitoring approach for securing files in cloud environment | |
| CN112434310A (en) | Storage facility digital right protection method and device | |
| CN110457920A (en) | A kind of data ciphering method and encryption device |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |