CN113010904A - Data processing method and device and electronic equipment - Google Patents
Data processing method and device and electronic equipment Download PDFInfo
- Publication number
- CN113010904A CN113010904A CN202110287826.0A CN202110287826A CN113010904A CN 113010904 A CN113010904 A CN 113010904A CN 202110287826 A CN202110287826 A CN 202110287826A CN 113010904 A CN113010904 A CN 113010904A
- Authority
- CN
- China
- Prior art keywords
- data
- application
- sensitive data
- sensitive
- desensitization
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000003672 processing method Methods 0.000 title claims abstract description 22
- 238000000586 desensitisation Methods 0.000 claims abstract description 291
- 238000012545 processing Methods 0.000 claims abstract description 184
- 238000000034 method Methods 0.000 claims abstract description 52
- 238000004458 analytical method Methods 0.000 claims abstract description 16
- 230000006870 function Effects 0.000 claims description 53
- 230000014509 gene expression Effects 0.000 claims description 30
- 230000035945 sensitivity Effects 0.000 claims description 30
- 230000015654 memory Effects 0.000 claims description 21
- 238000011084 recovery Methods 0.000 claims description 19
- 238000004590 computer program Methods 0.000 claims description 13
- 230000008569 process Effects 0.000 claims description 9
- 230000004044 response Effects 0.000 claims description 5
- 239000003550 marker Substances 0.000 claims 2
- 238000011022 operating instruction Methods 0.000 claims 2
- 239000003795 chemical substances by application Substances 0.000 description 44
- 238000007726 management method Methods 0.000 description 21
- 238000010586 diagram Methods 0.000 description 11
- 238000004891 communication Methods 0.000 description 9
- 238000013500 data storage Methods 0.000 description 5
- 238000013475 authorization Methods 0.000 description 4
- 230000005540 biological transmission Effects 0.000 description 4
- 238000001514 detection method Methods 0.000 description 4
- 230000000694 effects Effects 0.000 description 4
- 208000001613 Gambling Diseases 0.000 description 3
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 230000006399 behavior Effects 0.000 description 2
- 238000005034 decoration Methods 0.000 description 2
- 238000005516 engineering process Methods 0.000 description 2
- 238000012986 modification Methods 0.000 description 2
- 230000004048 modification Effects 0.000 description 2
- 238000012795 verification Methods 0.000 description 2
- 229910000906 Bronze Inorganic materials 0.000 description 1
- BQCADISMDOOEFD-UHFFFAOYSA-N Silver Chemical group [Ag] BQCADISMDOOEFD-UHFFFAOYSA-N 0.000 description 1
- 239000010974 bronze Substances 0.000 description 1
- KUNSUQLRTQLHQQ-UHFFFAOYSA-N copper tin Chemical compound [Cu].[Sn] KUNSUQLRTQLHQQ-UHFFFAOYSA-N 0.000 description 1
- 238000013524 data verification Methods 0.000 description 1
- 230000007423 decrease Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 239000000203 mixture Substances 0.000 description 1
- 238000010295 mobile communication Methods 0.000 description 1
- 230000003287 optical effect Effects 0.000 description 1
- 229910052709 silver Inorganic materials 0.000 description 1
- 239000004332 silver Substances 0.000 description 1
- 230000009466 transformation Effects 0.000 description 1
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/602—Providing cryptographic facilities or services
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/24—Querying
- G06F16/245—Query processing
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F16/00—Information retrieval; Database structures therefor; File system structures therefor
- G06F16/20—Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
- G06F16/27—Replication, distribution or synchronisation of data between databases or within a distributed database system; Distributed database system architectures therefor
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- Databases & Information Systems (AREA)
- Health & Medical Sciences (AREA)
- Bioethics (AREA)
- General Health & Medical Sciences (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Data Mining & Analysis (AREA)
- Computational Linguistics (AREA)
- Computing Systems (AREA)
- Automation & Control Theory (AREA)
- Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
Abstract
The invention discloses a data processing method and device and electronic equipment. Wherein, the method comprises the following steps: acquiring first application data sent by a target application; sensitive data query and identification analysis processing is carried out on the first application data so as to query and identify sensitive data meeting sensitive data discovery conditions, wherein the sensitive data discovery conditions are pre-configured conditions; performing data desensitization on sensitive data in the first application data to obtain second application data subjected to data desensitization; the second application data after the data desensitization processing is written into the target database, so that the purpose that the application data of the target application can be desensitized before the application data of the target application is written into the target database is achieved, and the technical problem that in the prior art, the application data of the target application is read from the target database for desensitization processing, and the instantaneity is poor is solved.
Description
Technical Field
The invention relates to the technical field of data processing, in particular to a data processing method and device and electronic equipment.
Background
With the development of technology, in order to facilitate the life of people, various types of application clients appear in a mobile terminal, when people use various types of applications, a lot of application data will be generated, for example, when WeChat applications are used, application data (such as chat data) of many users will be stored in a client or a WeChat server, under the condition that chat contents are more and more, the occupied memory will be more, in order to store more application data, data in the terminal or the WeChat server needs to be written into a database, the chat data generally includes sensitive data (privacy data) of the users, and therefore desensitization processing needs to be performed on the application data. For example, when a game application is used, by inputting account information at the time of login and retaining a game record after the game, there may be user identity information or user habit information in the account information or the game record, and therefore, desensitization processing of application data is required.
In the prior art, a desensitization processing method for application data is that a target application directly writes application data into a database, obtains data application data of the target application from the database, and desensitizes sensitive data in the application data, that is, stock data is read from the database at regular time, so that the real-time performance is poor.
In view of the above problems, no effective solution has been proposed.
Disclosure of Invention
The embodiment of the invention provides a data processing method and device and electronic equipment, and aims to at least solve the technical problem that in the prior art, the real-time performance is poor when application data of a target application is read from a target database for desensitization processing.
According to an aspect of an embodiment of the present invention, there is provided a data processing method including: acquiring first application data sent by a target application, wherein the first application data is application data requested to be written into a target database by the target application; sensitive data query and identification analysis processing is carried out on the first application data so as to query and identify sensitive data meeting sensitive data discovery conditions, wherein the sensitive data discovery conditions are preconfigured conditions; performing data desensitization processing on the sensitive data in the first application data to obtain second application data subjected to data desensitization processing; and writing the second application data subjected to the data desensitization processing into the target database.
According to another aspect of the embodiments of the present invention, there is also provided a data processing apparatus, including: the system comprises a first acquisition unit, a second acquisition unit and a third acquisition unit, wherein the first acquisition unit is used for acquiring first application data sent by a target application, and the first application data is application data which is requested to be written into a target database by the target application; the query and identification unit is used for performing sensitive data query and identification analysis processing on the first application data so as to query and identify sensitive data meeting sensitive data discovery conditions, wherein the sensitive data discovery conditions are preconfigured conditions; the desensitization processing unit is used for performing data desensitization processing on the sensitive data in the first application data to obtain second application data subjected to data desensitization processing; and the first writing unit is used for writing the second application data subjected to the data desensitization processing into the target database.
According to still another aspect of the embodiments of the present invention, there is also provided a computer-readable storage medium in which a computer program is stored, wherein the computer program is configured to execute the above data processing method when running.
According to still another aspect of the embodiments of the present invention, there is also provided an electronic device, including a memory and a processor, where the memory stores therein a computer program, and the processor is configured to execute the data processing method described above through the computer program.
In the embodiment of the invention, first application data sent by a target application is obtained, wherein the first application data is application data requested to be written into a target database by the target application; sensitive data query and identification analysis processing is carried out on the first application data so as to query and identify sensitive data meeting sensitive data discovery conditions, wherein the sensitive data discovery conditions are pre-configured conditions; performing data desensitization on sensitive data in the first application data to obtain second application data subjected to data desensitization; the second application data after the data desensitization processing is written into the target database, so that the purpose that the application data of the target application can be desensitized before the application data of the target application is written into the target database is achieved, the technical effect that the data written into the target database by the application data of the target application is non-sensitive data is achieved, and the technical problem that in the prior art, the application data of the target application is read from the target database for desensitization processing, and the instantaneity is poor is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this application, illustrate embodiment(s) of the invention and together with the description serve to explain the invention without limiting the invention. In the drawings:
FIG. 1 is a schematic diagram of an application environment of an alternative data processing method according to an embodiment of the invention;
FIG. 2 is a flow diagram of an alternative data processing method according to an embodiment of the invention;
FIG. 3 is an application data flow diagram of an alternative target application according to an embodiment of the present invention;
FIG. 4 is a target configuration interface of an alternative data processing application according to embodiments of the present invention;
FIG. 5 is a block diagram of an alternative cloud access security agent based database sensitive data discovery and desensitization system according to embodiments of the present invention;
FIG. 6 is an alternative sensitive data discovery and desensitization system data write flow diagram according to embodiments of the present invention;
FIG. 7 is a flow diagram of an alternative sensitive data desensitized read according to embodiments of the present invention;
FIG. 8 is a block diagram of an alternative data processing apparatus according to an embodiment of the present invention;
fig. 9 is a schematic structural diagram of an alternative electronic device according to an embodiment of the invention.
Detailed Description
In order to make the technical solutions of the present invention better understood, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
For a better understanding of the present solution, a partial noun description is explained as follows.
Sensitive data: namely, the private data, which is commonly referred to as a name, an identification number, and the like.
Data desensitization: sensitive data are subjected to data deformation through a desensitization rule, effective sensitive data cannot be identified through the deformed data, and the reliable protection of private data is achieved.
The Cloud Access Security Broker (CASB), the Cloud service and data Security Access center, and a software platform configured with data and Security policy. The cloud access security agent provides a universal access control point service for data protection and data governance of cloud applications. The CASB provides a consistent strategy for a user to safely access different cloud applications, can perform the capabilities of authentication, authorization, data encryption, sensitive data discovery, malicious behavior detection and protection and the like, and effectively protects the data in the cloud. The user can realize comprehensive data security services such as application discovery, data protection, threat detection, compliance and the like through the CASB.
CAM: and the Cloud Access Management is used for accessing Management services and realizing Access authority control and resource authority control of the Cloud account through identity Management and policy Management.
According to an aspect of the embodiments of the present invention, a data processing method is provided, and optionally, as an optional implementation manner, the data processing method may be applied, but not limited, to the environment shown in fig. 1. Terminal device 102, network 104, cloud access security agent 106, and database 108, wherein target application 102-1 is installed in terminal device 102.
The cloud access security agent 106 acquires first application data of a target application 102-1 sent by the terminal device 102 through the network 104, wherein the first application data is application data requested by the target application to be written into a target database; under the condition that the sensitive data discovery function is enabled, the cloud access security agent 106 searches for sensitive data meeting sensitive data discovery conditions in the first application data, wherein the sensitive data discovery conditions are pre-configured conditions; the cloud access security agent 106 finds the sensitive data meeting the sensitive data finding condition in the first application data and carries out desensitization processing on the sensitive data in the first application data under the condition that the sensitive data desensitization function is enabled, so that second application data are obtained; the cloud access security agent 106 writes the second application data into the target database, so that the purpose that desensitization can be performed on the application data of the target application before the application data of the target application is written into the target database is achieved, the technical effect that the data written into the target database by the application data of the target application is non-sensitive data is achieved, and the technical problem that in the prior art, desensitization processing is performed by reading the application data of the target application from the target database, and the real-time performance is poor is solved.
Optionally, in this embodiment, the terminal device may be a terminal device configured with a target application, and may include but is not limited to at least one of the following: mobile phones (such as Android phones, iOS phones, etc.), notebook computers, tablet computers, palm computers, MID (Mobile Internet Devices), PAD, desktop computers, smart televisions, etc. The target application may be a video application, an instant messaging application, a browser application, an educational application, and the like. Such networks may include, but are not limited to: a wired network, a wireless network, wherein the wired network comprises: a local area network, a metropolitan area network, and a wide area network, the wireless network comprising: bluetooth, WIFI, and other networks that enable wireless communication. The server may be a single server, a server cluster composed of a plurality of servers, or a cloud server. The above is merely an example, and this is not limited in this embodiment.
Optionally, as an optional implementation manner, as shown in fig. 2, the data processing method includes:
step S202, acquiring first application data sent by the target application, where the first application data is application data requested by the target application to be written into the target database.
Step S204, sensitive data query and identification analysis processing is carried out on the first application data so as to query and identify sensitive data meeting sensitive data discovery conditions, wherein the sensitive data discovery conditions are pre-configured conditions.
And S206, performing data desensitization treatment on the sensitive data in the first application data to obtain second application data subjected to data desensitization treatment.
And step S208, writing the second application data subjected to the data desensitization processing into the target database.
Optionally, in this embodiment, the above-mentioned data processing method may include, but is not limited to, applying to a relational database (e.g., mysql), a non-relational database (e.g., mongodb), and the like. That is, the application data of the target application may be written to the relational database and may also be written to the non-relational database.
In this embodiment, before writing the application data of the target application into the target database, the sensitive data of the application data of the target application needs to be discovered and desensitized through a sensitive data discovery function and a sensitive data desensitization function in the cloud access security agent. Further, the cloud access security agent writes the data desensitized by the sensitive desensitization data and the non-sensitive data in the application data into the target database.
The sensitive data is understood as private data, and names, identification numbers, user mailboxes and the like are common. The first application data of the target application is data generated by a user using the target application, and the second application data is data desensitized to sensitive data in the first application data. If the first application data comprises 10 pieces of data, wherein 3 conditions exist and are identification card data, the first application data comprises 3 pieces of sensitive data and 7 pieces of non-sensitive data, desensitization processing is carried out on the 3 pieces of sensitive data through the cloud access security agent to obtain second application data comprising 10 pieces of non-sensitive data, and the cloud access security agent writes the second application data into the target database.
In this embodiment, sensitive data meeting a sensitive data discovery condition is searched for in first application data according to a preconfigured sensitive data discovery condition, and when the sensitive data exists in the first application data, the sensitive data in the first application data is desensitized by a sensitive data desensitization function, and then desensitization processing on the sensitive data in the target application is completed before the application data of the target application is written into the target database, so that it is ensured that data of the target application stored in the target database are all non-sensitive data. In this embodiment, because the application data of the target application is not directly written into the target database, the stock data is read from the target database at regular time, and the desensitization processing is performed on the sensitive data in the read data, but the desensitization processing is performed on the sensitive data in the application data before the application data is written into the target database, the real-time performance of the desensitization processing on the application data is better.
Furthermore, the sensitive data discovery service does not need to read out the application data of the target application from the target database, desensitizes the sensitive data after finding the sensitive data, and rewrites the sensitive data into the target database, so that extra read-write pressure on the target database can be avoided.
Optionally, in this embodiment, the target application may include, but is not limited to, an instant messaging application (e.g., WeChat), a game application (e.g., shooting game), a shopping application, an education application, and the like.
The data processing process in this embodiment is described by taking an example of writing application data of WeChat into a target database, specifically:
the user A uses the WeChat through the account a, the account a can communicate with a plurality of other accounts, the communication data of the account a and other accounts can be reserved in the terminal or WeChat server where the WeChat is located, such as chat data, picture data, etc., the memory in the terminal or the WeChat server where the WeChat is located decreases with the increase of communication contents, communication data needs to be written into the database, since the communication data stored in the terminal or the WeChat Server where the WeChat is located is generally private to the user, it is necessary to perform desensitization processing on the communication data, in the embodiment, the cloud access security agent establishes a protocol with a terminal or a wechat server where the wechat is located in advance, before writing the application data in the terminal or the application data in the WeChat server into the target database, desensitization processing of sensitive data in the application needs to be performed through a cloud access security agent. It should be noted that the wechat server may store application data generated by using the wechat application in the account a, and may further include data generated by using the wechat application on different terminal devices by using other multiple accounts.
It should be further noted that, in this embodiment, the data processing method may also be used in cloud storage of data, that is, writing application data of a target application into a distributed cloud storage system.
The distributed cloud storage system is a storage system which integrates a large number of storage devices (storage devices are also called storage nodes) of different types in a network through application software or application interfaces to cooperatively work through functions of cluster application, grid technology, distributed storage file system and the like, and provides data storage and service access functions to the outside.
At present, a storage method of a storage system is as follows: logical volumes are created, and when created, each logical volume is allocated physical storage space, which may be the disk composition of a certain storage device or of several storage devices. The client stores data on a certain logical volume, that is, the data is stored on a file system, the file system divides the data into a plurality of parts, each part is an object, the object not only contains the data but also contains additional information such as data identification (ID, ID entry), the file system writes each object into a physical storage space of the logical volume, and the file system records storage location information of each object, so that when the client requests to access the data, the file system can allow the client to access the data according to the storage location information of each object.
The process of allocating physical storage space for the logical volume by the storage system specifically includes: physical storage space is divided in advance into stripes according to a group of capacity measures of objects stored in a logical volume (the measures often have a large margin with respect to the capacity of the actual objects to be stored) and Redundant Array of Independent Disks (RAID), and one logical volume can be understood as one stripe, thereby allocating physical storage space to the logical volume.
It should be further noted that, in this embodiment, the target database, which may be regarded as an electronic file cabinet, that is, a place for storing electronic files, may be configured to enable a user to perform operations such as adding, querying, updating, and deleting on data in the files. A "database" is a collection of data that is stored together in a manner that can be shared by multiple users, has as little redundancy as possible, and is independent of the application.
In this embodiment, acquiring the first application data sent by the target application may include acquiring a plurality of first application data sent by a plurality of target applications correspondingly, that is, desensitizing sensitive data in the plurality of target applications, and then writing the desensitized data into the target database. The target database may include a plurality of sub-databases, and one sub-database is used for storing application data of one target application. Such as the application data storage sub-database 1 of the WeChat application and the application data storage sub-database 2 of the shooting game application.
According to the embodiment provided by the application, first application data sent by a target application is obtained, wherein the first application data is application data requested to be written into a target database by the target application; sensitive data query and identification analysis processing is carried out on the first application data so as to query and identify sensitive data meeting sensitive data discovery conditions, wherein the sensitive data discovery conditions are pre-configured conditions; performing data desensitization on sensitive data in the first application data to obtain second application data subjected to data desensitization; the second application data after the data desensitization processing is written into the target database, so that the purpose that the application data of the target application can be desensitized before the application data of the target application is written into the target database is achieved, the technical effect that the data written into the target database by the application data of the target application is non-sensitive data is achieved, and the technical problem that in the prior art, the application data of the target application is read from the target database for desensitization processing, and the instantaneity is poor is solved.
In the embodiment, the application data of the target application written in the target database does not need to be additionally authorized and configured to read and write the target database by sensitive data discovery and desensitization services, so that the security risk of the application data is reduced.
Optionally, the performing, by performing sensitive data query and identification analysis processing on the first application data to query and identify sensitive data meeting the sensitive data discovery condition may include: loading a sensitive data discovery module and loading a sensitive data discovery condition; and searching the sensitive data meeting the sensitive data discovery condition in the first application data through a sensitive data discovery module.
In this embodiment, the sensitive data discovery module and the sensitive data discovery condition may be loaded only when the sensitive data is searched for the application data of the target application, so that the situation that the sensitive data discovery module is in a loading state when the sensitive data discovery is not needed is avoided, that is, the sensitive data discovery module and the sensitive data discovery condition are recorded only when the sensitive data in the application data needs to be discovered, the operation memory of the data processing system is reduced, and the operation speed of the data processing system is increased.
Optionally, the sensitive data meeting the sensitive data discovery condition may be searched for in the first application data by:
the first method is as follows: under the condition that the sensitive data discovery condition comprises a text matching condition and the text matching condition comprises a target text, inquiring and identifying the target text in the first application data; and under the condition that the target text is inquired and identified in the first application data, determining that the sensitive data meeting the sensitive data discovery condition is inquired and identified in the first application data, wherein the sensitive data can comprise the target text.
The second method comprises the following steps: in the case that the sensitive data discovery condition includes a binary matching condition and the binary matching condition includes a target binary string, querying and identifying the target binary string in the binary string into which the first application data is converted; in the case that the query and the identification of the target binary string are performed in the binary string into which the first application data is converted, the query and the identification of the sensitive data satisfying the sensitive data discovery condition in the first application data are determined, wherein the sensitive data may include data represented by the target binary string in the first application data.
The third method comprises the following steps: under the condition that the sensitive data discovery condition comprises a regular expression matching condition and the text matching condition comprises a target regular expression, querying and identifying data meeting the target regular expression in the first application data; under the condition that data meeting the target regular expression is queried and identified in the first application data, determining sensitive data which is queried and identified in the first application data and meets a sensitive data discovery condition, wherein the sensitive data can comprise data which meets the target regular expression in the first application data.
In this embodiment, the application data sent by the target application may be identified and matched according to the sensitive data discovery condition.
Wherein, the text matching condition is as follows: and matching character strings of the application data through the target text to obtain completely consistent character strings, namely, the hit rules. If the target text is a "gambling" character string, the presence of sensitive data "gambling" in the application data is determined when the "gambling" word is present in the application data.
Binary matching conditions: and converting the application data of the target application into a binary character string, and matching the target binary character string and the application data converted into the binary character string to obtain a completely consistent byte stream, namely a hit rule. If the identity card number of a certain user of sensitive data is found in the application data: 123499999934556790, the ID card number is identified by a binary string as 010101010100101010, and in the case that the 010101010100101010 string is consistent with the target binary string, it is determined that sensitive data of the ID card exists in the application data.
The regular expression matching condition is as follows: and performing regular matching on the application data of the target application according to the regular expression, and judging whether the data hit the regular rule. When the application data of the target application includes application data conforming to the regular expression, determining that sensitive data exists in the application data, if the regular expression is: mail box: @163, when there is application data satisfying the regular expression in the application data, it is determined that there is sensitive data in the application data.
In addition, when sensitive data in application data is found, the first, second, and third modes may be used in any combination. The method is used in combination with the method one and the method two for discovering sensitive data in application data.
It should be further noted that the sensitive data discovery condition may be configured according to the user's needs.
Optionally, desensitization processing may be performed on sensitive data in the first application data in the following manner, so as to obtain second application data after data desensitization processing:
the first method is as follows: and performing encryption desensitization processing on the sensitive data in the first application data to obtain second application data, wherein the data desensitization processing may include encryption desensitization processing.
The second method comprises the following steps: and performing deformation processing on the sensitive data in the first application data to obtain second application data subjected to data desensitization processing, wherein the data desensitization processing may include deformation desensitization processing.
The third method comprises the following steps: and performing replacement desensitization processing on the sensitive data in the first application data to obtain second application data subjected to data desensitization processing, wherein the data desensitization processing comprises replacement desensitization processing.
In this embodiment, the sensitive data may be desensitized by way of encryption, for example, the sensitive data is the id data 123499999934556790, and the id information may be encrypted by the target encryption key.
In this embodiment, desensitization to sensitive data may also be achieved by performing deformation desensitization processing on the sensitive data, for example, the sensitive data is the id data 123499999934556790, and the id data 123499999934556790 may be added with 1 by the deformation processing, that is, the desensitized id data may include 123499999934556790+ 1. It should be noted that the deformation processing on the sensitive data may include, but is not limited to, dividing/multiplying the sensitive data by a multiple, adding/subtracting a number, and the like.
In this embodiment, desensitization to sensitive data may also be implemented by performing replacement desensitization processing on the sensitive data, for example, the sensitive data is id card data 1234999934556790, 18-bit data, and any number of bits in the 18 bits may be replaced by |)! @ # -%, e.g., the data after desensitization is 12349999993455! @ #, it should be noted that, in order to recover the identity card data after desensitization, replacement of the sensitive data may be performed according to a predetermined replacement relationship, and the original data of the sensitive data before desensitization may be known according to the replacement relationship.
Optionally, in this embodiment, in the case that sensitive data meeting the sensitive data discovery condition is queried and identified in the first application data and the sensitive data desensitization function is not enabled, the first application data is written into the target database.
In this embodiment, the sensitive data desensitization function can be selected to be turned on or not according to needs, that is, the overall processing efficiency and flexibility of data are improved by using a pluggable and dynamically configured mode for loading the sensitive data desensitization function, and the read-write efficiency of the original database is not affected.
As an alternative embodiment, the method may further include: and under the condition that the sensitive data meeting the sensitive data discovery condition is inquired and identified in the first application data, generating a sensitive data mark, wherein the sensitive data mark is used for marking the inquiry and identification of the sensitive data in the first application data.
In this embodiment, only the sensitive data discovery function may be turned on to find whether the application data has sensitive data, and the sensitive data may be marked in the case that the sensitive data exists. And then knowing whether the application data has sensitive data or not and knowing which data is sensitive data according to the sensitive data mark.
After the sensitive data mark is generated, the sensitive data mark is transmitted to a first account using a cloud access security proxy, wherein the first account is used for indicating that application data sent by a target application is written into a target database after being processed by the cloud access security proxy, and the cloud access security proxy is used for enabling or disabling a sensitive data discovery function and enabling or disabling a sensitive data desensitization function.
Optionally, generating the sensitive data flag may include: acquiring attribute information of sensitive data; and determining a target sensitivity level of the sensitive data corresponding to the attribute information, wherein the sensitive data mark comprises the target sensitivity level of the sensitive data, an account with an access right matched with the target sensitivity level is set to allow the sensitive data to be acquired, and an account with an access right not matched with the target sensitivity level is set to allow part of data in the sensitive data to be acquired or is set not to allow the sensitive data to be acquired.
In this embodiment, the sensitivity level of the sensitive data may be determined according to the attribute information of the sensitive data, where the sensitivity level includes 1-5 levels from low to high, and the level 1: very low sensitivity, grade 2: low sensitivity, grade 3: moderate sensitivity, grade 4: highly sensitive, grade 5: is extremely sensitive. If the sensitive data is classified into 1 grade for the data of the name, the sensitive data is classified into 4 grades for the data of the mailbox, and the sensitive data is classified into 5 grades for the data of the identity card. The division can be based on the importance of the data application.
Wherein, the sensitive data mark may include a target sensitivity level of the sensitive data, such as the sensitive data mark is used for m indication, and in case that the sensitive data c is 2 level, the sensitive data of the sensitive data c may be marked as c-2.
It should be noted that, in this embodiment, the accounts that can read the target database may be divided into different access permissions in advance, for example, there are 3 accounts that can access the data in the target database, account 1, account 2, and account 3, account 1 may be configured to access the sensitive data with the sensitive level of 1-3, account 2 may be configured to access the sensitive data with the sensitive level of 1-4, and account 3 may be configured to access the sensitive data with the sensitive level of 1-5, that is, the accounts configured with different access permissions may only access the sensitive data with the corresponding level.
As an alternative embodiment, the method may further include: reading second application data from the target database, wherein the second application data comprises first desensitization data, and the first desensitization data is data obtained by performing data desensitization processing on sensitive data in the first application data; and under the condition that the sensitive data recovery function is started, recovering the first desensitized data in the second application data to obtain the first application data.
And after carrying out data desensitization on sensitive data in the application data of the target application, obtaining second application data subjected to data desensitization, and writing the second application data into a target database. Different accounts can access the target database, read the data written in the target database, further analyze and process the data to obtain useful information, because desensitized sensitive data, namely desensitized data, exists in the target database, the application data of the target application is reused, the second application read from the target database is required to be recovered, and the original first application data is obtained.
As shown in fig. 3, an application data flow diagram of a target application is shown in fig. 3, where original application data (first application data) of the target application is subjected to desensitization processing to obtain second application data, the second application data is written into a target database, the second application data of the target application is read from the target database, and the original data of the target application is obtained through sensitive data recovery.
Optionally, the first desensitization data in the second application data may be recovered to obtain the first application data by:
the first method is as follows: and under the condition that sensitive data in the first application data are subjected to encryption desensitization processing through the target encryption key to obtain second application data, decrypting the first desensitization data in the second application data through the target decryption key to obtain the first application data, wherein the target encryption key and the target decryption key are matched keys.
The second method comprises the following steps: and under the condition that the second application data is obtained by carrying out deformation desensitization treatment on the sensitive data in the first application data through the preset deformation rule, carrying out reverse deformation treatment on the first desensitization data in the second application data through the preset deformation rule to obtain the first application data.
The third method comprises the following steps: and under the condition that the second application data is obtained by carrying out replacement desensitization treatment on the sensitive data in the first application data through a preset replacement rule, carrying out reverse replacement treatment on the first desensitization data in the second application data through the preset replacement rule to obtain the first application data.
Optionally, in this embodiment, the desensitized original data is restored to obtain the original data.
As an alternative embodiment, the method may further include: reading the second application data from the target database may include: and reading the second application data from the target database in response to the access request of the second account.
After the recovering processing is performed on the first desensitization data in the second application data to obtain the first application data, the method may further include: under the condition that the access authority of the second account is matched with the target sensitivity level of the sensitive data, sending the first application data or the sensitive data in the first application data to the second account; and under the condition that the access authority of the second account is not matched with the target sensitivity level of the sensitive data, sending part of data in the sensitive data in the first application data to the second account, or sending target prompt information to the second account, wherein the target prompt information is used for prompting that the second account cannot acquire the sensitive data.
In this embodiment, a data range that an account can access may be determined according to an access permission of the account, that is, an account with permission of type 1 may access type 1 sensitive data, and an account with permission of type 2 may access type 2 sensitive data, where an account with permission of type 1 may access type 2 sensitive data, where the access permission of the account may be set in advance according to a type of the account, for example, the account a is a bronze account, the account a may access type 2 sensitive data, the account B is a silver account, the account B may access type 1 sensitive data and type 2 sensitive data, but the account a may not access type 1 sensitive data.
As an alternative embodiment, the method may further include at least one of:
acquiring a first operation instruction in a target configuration interface, wherein the first operation instruction is used for enabling or disabling a sensitive data discovery function; and enabling or disabling the sensitive data discovery function in response to the first operation instruction.
Acquiring a second operation instruction in the target configuration interface, wherein the second operation instruction is used for configuring a sensitive data discovery condition in a sensitive data discovery function, and the sensitive data discovery condition comprises at least one of the following conditions: text matching conditions, binary matching conditions and regular expression matching conditions; and responding to the second operation instruction, and configuring a sensitive data discovery condition in the sensitive data discovery function.
Acquiring a third operation instruction in the target configuration interface, wherein the third operation instruction is used for configuring a sensitive data desensitization mode in a sensitive data desensitization function, and the sensitive data desensitization mode comprises one of the following modes: carrying out encryption processing, deformation processing and replacement processing on part or all of the sensitive data; and responding to the third operation instruction, and configuring a sensitive data desensitization mode in the sensitive data desensitization function.
As shown in fig. 4, a target configuration interface of the data processing application, that is, an operation interface of the cloud access security agent, in which the sensitive data discovery function may be activated/deactivated and the sensitive data desensitization function may be activated/deactivated. And the operation interface can also be configured with a sensitive data discovery condition in a sensitive data discovery function and a sensitive data desensitization mode in a sensitive data desensitization function.
As an alternative embodiment, desensitizing the sensitive data in the first application data to obtain the second application data may include: loading a sensitive data desensitization module and loading a sensitive data desensitization mode; and desensitizing the sensitive data in the first application data by adopting a sensitive data desensitization mode through a sensitive data desensitization module to obtain second application data.
In this embodiment, the sensitive data desensitization module and the sensitive data desensitization condition may be loaded only when performing sensitive data desensitization on application data of a target application, so as to avoid that the sensitive data desensitization module is in a loaded state when the sensitive data desensitization is not required, that is, the sensitive data desensitization module and the sensitive data desensitization condition are recorded only when performing desensitization on sensitive data in the application data, so as to reduce an operating memory of the data processing system, thereby increasing an operation speed of the data processing system.
As an alternative embodiment, the present application further provides a database sensitive data discovery and desensitization system based on a cloud access security agent.
In this embodiment, the cloud access security agent based database sensitive data discovery and desensitization system may be applied to relational databases (e.g., mysql), non-relational databases (e.g., mongodb), and the like. The sensitive data discovery rule and the desensitization rule are configured at the management end, the system automatically loads the corresponding rule, before the data are written into the database, all sensitive data operations are discovered according to the rule, desensitization can be performed on the sensitive data according to the desensitization rule configuration of a user, and the processed data are written into the database, so that real-time sensitive data discovery and desensitization are realized.
As shown in fig. 5, a framework diagram of a database sensitive data discovery and desensitization system based on cloud access security agents. A database sensitive data discovery and desensitization system based on cloud access security agents is described in detail below.
The application program comprises the following steps: the user needs to read and write the service program of the database.
CAM: and the cloud access management service, the user and the application authority management module.
Cloud access security proxy: the unified access module of the application service provides the access and proxy functions of the application, and is an operation platform of a sensitive data discovery and desensitization system.
Sensitive data discovery and desensitization system: the data processing system running on the cloud access security agent provides real-time functions of sensitive data discovery and desensitization, rule management, information notification and the like.
A sensitive data discovery module: and the execution module is used for identifying and classifying the sensitive data of the contents of all the database operations according to the configured sensitive data rule.
A data desensitization module: and the execution module is used for desensitizing the sensitive data identified in the database reading and writing process according to the configured sensitive data desensitization rule and generating deformed data.
And (3) identification rule management: and the rule management module is used for judging whether the data is sensitive data or not.
Data desensitization rules: a rule management module for how to deform the identified sensitive data.
A resource management module: and managing all accessed user application and database resources such as application programs and databases.
The authority control module: and the management application service finds and desensitizes the sensitive data, and the access authority and the operation authority of the system and the database.
The information pushing module: and pushing the sensitive information discovered in real time to the user according to the rule configuration.
A data statistics module: and the comprehensive statistical management module is used for classifying, summarizing and analyzing all sensitive data.
A management console: the user applies and changes the sensitive data discovery rule, the sensitive data desensitization rule, the application and data warehouse authority management, the checking data statistics and other operations.
A data warehouse: the actual database that needs to be read and written is applied.
In this embodiment, the data writing of the sensitive data discovery and desensitization system is performed based on the database sensitive data discovery and desensitization system of the cloud access security agent, as shown in fig. 6, and a flow chart of data writing of the sensitive data discovery and desensitization system is shown. The concrete description is as follows.
Step S601, start;
in step S601, the application program is started, and the application data of the target account in the application program is stored in the server corresponding to the target account.
Step S602, an application program requests to connect a cloud access security proxy;
in step S602, the application program connects the request to the cloud access security agent between the first application data storage databases, after the cloud access security agent is successfully accessed and before the first application data storage database, the sensitive data can be queried and identified through the sensitive data discovery module in the cloud access security agent, or desensitization data can be performed on the sensitive data in the first application data through the sensitive data desensitization module in the cloud access security agent, so as to obtain desensitized second application data, and store the second application data in the database.
It should be noted that, in step S602, the application transmits data to the cloud access security agent through HTTPS encryption. The transmitted data comprises authentication information of the application, database data operation and the like. The cloud access security agent authenticates the application program according to the authentication information in the transmission data, the application program can be connected with the cloud access security agent only when the authentication is passed, and after the connection is established, the cloud access security agent can inquire and identify the sensitive data of the first application data of the application program and desensitize the sensitive data.
Step S603, the cloud access security agent analyzes authentication information in the application program request;
in this embodiment, the authentication information includes authentication of identity information and/or authentication of authority of the application program, and management of access authority is performed through the access management service, that is, different access authorities can access sensitive data with different sensitivity degrees. The sensitive data can be divided into 5 sensitive levels according to a preset rule, and the sensitive levels can be 5 levels, 4 levels, 3 levels, 2 levels and 1 levels from large to small.
Step S604, determining whether the authentication information passes, if yes, executing step S605, and if no, executing step S609;
in step S604, after receiving the application request data, the cloud access security agent first parses the authentication information of the request data, accesses the CAM system to perform application identity authentication, and checks and authenticates the authority of the application to access the cloud access security agent and the authorization information of accessing the data repository.
Step S605, judging whether the sensitive data discovery function is started, if so, executing step S606, and if not, executing step S609;
step S606, the sensitive data is inquired, identified and analyzed corresponding to the application data in the application program through the sensitive data discovery rule;
in step S606, the cloud access security agent includes a sensitive data discovery module, loads a sensitive data discovery condition through the sensitive data discovery module, and queries and identifies the sensitive data in the first application according to the sensitive data discovery condition.
Step S607, judging whether sensitive data exists, if yes, executing step S608, and if no, executing step S609;
in step S607, the sensitive discovery module is started, and the sensitive discovery module queries and identifies sensitive data in the first application data generated by the target application, where the sensitive data may be understood as private data of the user account, such as mailbox information, id card information, and a mobile phone number of the user account.
It should be noted that, after a user logs in a target application through an account and uses the target application, first application data is generated, for example, a wechat application is logged in through an account (a mobile phone number), text chat or video chat is performed with other wechat users through the wechat application, corresponding chat content is stored, the chat content may relate to sensitive data, and the first application data may be understood as the stored chat content.
Step S608, carrying out data desensitization processing on the sensitive data;
in step S608, performing data desensitization on the sensitive data may include, but is not limited to, performing encryption on the sensitive data to generate a ciphertext, so as to obtain application data after the desensitization. And performing replacement desensitization treatment on the sensitive data to obtain desensitized application data, and performing deformation desensitization treatment on the sensitive data to obtain desensitized application data.
Step S609, writing the application data subjected to desensitization processing into a database;
in this embodiment, the second application data subjected to desensitization processing may be obtained by performing encryption desensitization processing on the sensitive data in the first application, and the second application data may be written into the data warehouse.
And step S610, ending.
In this embodiment, when the sensitive data discovery module queries and identifies that the first application data contains sensitive data, the sensitive data in the first application data may be marked, the first application data with the sensitive mark is stored in the database, the sensitive data with the sensitive mark is counted, the sensitive mark may carry the sensitivity level of the sensitive data, and the counted sensitive data is pushed to the target account in the form of short message, mail, or the like.
It should be noted that, in this embodiment, the sensitive flag in the first application may be sent to the target account in a notification manner, so that the target account determines the accessible sensitive data according to the sensitive flag.
In this embodiment, the application transmits data to the cloud access security agent via HTTPS encryption. The transmitted data comprises authentication information of the application, database data operation and the like.
After receiving the request data, the cloud access security agent firstly analyzes authentication information of the request data, accesses the CAM system to perform application identity authentication, and checks and authenticates the authority of the application to access the cloud access security agent and the authorization information of accessing the data warehouse.
After the identity authentication and authorization are passed, the cloud access security agent can select whether to load the sensitive data discovery and desensitization module according to the user configuration.
The system loads an application and database authority authentication module, an application program and an operation data source carry out authority and identity verification, and database authority of the application, sensitive data discovery and desensitization authority of the application and the like are checked.
If the user does not enable the sensitive data discovery and desensitization functions, the data is written directly to the data warehouse at this time.
If the user enables the sensitive data discovery and desensitization function, at this time, the cloud access security system first loads the sensitive data discovery and desensitization system for performing sensitive data search and encryption processing on data. Through a pluggable and dynamic configuration loading mode, the overall processing efficiency and flexibility of data are improved, and the read-write efficiency of the original database is not influenced.
And if the sensitive data do not exist, directly writing the application data into the data warehouse.
And if the sensitive data exist, encrypting the sensitive information, and writing the encrypted ciphertext into a data warehouse. And meanwhile, updating the summary statistical information and sending a notice to the user.
The summary statistical information is used for carrying out multi-dimensional classification summary and data statistics on all the discovered sensitive data and behaviors. The method can comprise the following steps: the source of the sensitive data source (ip, database, table and column to which the sensitive data belongs, etc.), the number of times of sensitive data discovery, the number of times of sensitive rule hit, etc. The system can remind the user according to a notification mode configured by the user, wherein the notification mode comprises in-station mail, mails, short messages, telephones and the like.
It should be noted that, in this embodiment, if the user enables the sensitive data discovery and desensitization functions, the system first loads the sensitive data discovery module to detect whether the data contains sensitive data. Sensitive data may include various personal related private information such as name, identification number, address, telephone, bank account, mailbox, password, medical information, educational information, and the like.
And the sensitive data discovery module loads a sensitive data detection rule and identifies and matches the data sent by the application according to the rule.
Wherein, a complete sensitive data detection rule may include: data checking rules (sensitive data discovery conditions) and data classification results.
The data verification rule may include text matching (text matching condition), binary matching (binary matching condition), regular expression matching (regular expression matching condition), user-defined content matching manner, and the like.
Text matching: and performing character string matching of the application data, and matching to completely consistent character strings, namely, the hit rules.
Binary matching: and (3) performing matching operation on the binary byte stream (binary character string) of the application data, and matching to a completely consistent byte stream, namely a hit rule.
Matching the regular expressions: and performing regular expression matching on the application data, and judging whether the data hits a regular rule.
User-defined matching: and the user defines the matching rule of the data content.
It should be noted that the data classification result may include a sensitivity level of the data, a category to which the data asset belongs, and the like. Wherein, the sensitivity grade can be 1 ~ 5 grades from low to high, 1 grade: very low sensitivity, grade 2: low sensitivity, grade 3: moderate sensitivity, grade 4: highly sensitive, grade 5: is extremely sensitive. Such as: and the check rule is regular expression matching, and the data is matched to a rule ^ ([ a-zA-Z ] | [0-9]) (\\ w | \ -) + @ [ a-zA-Z0-9] + \. ([ a-zA-Z ] + $), and the data is judged to be of a mailbox type and belongs to highly sensitive information.
It should be noted that, in this embodiment, if the user starts the sensitive data desensitization module, the sensitive data desensitization module pulls the latest data desensitization rule, and performs desensitization processing on the sensitive data read from the application data. The desensitization treatment may include one of: encryption desensitization processing, text desensitization processing, byte desensitization processing, regular expression desensitization processing and custom desensitization rule processing.
Text desensitization: and deforming and replacing part or all of text content in the data.
Byte desensitization: some or all of the bytes in the data are morphed and replaced.
Regular desensitization: and deforming and replacing the data meeting the regular rule part in the data.
Self-defined desensitization: the user defines how to deform and replace the data content.
And writing the processed and deformed data into a data warehouse.
It should be further noted that the sensitive data read from the application data may be subjected to multi-order desensitization, the first-order desensitization may be performed by text desensitization, the second-order desensitization may be performed by regular expression desensitization, and the third-order desensitization may be performed by byte desensitization, so that the sensitive data can be protected from being stolen.
It should be further noted that, the first application data subjected to desensitization processing in the access account access database can be accessed according to the access authority of the access account, and the corresponding sensitive data subjected to multistage desensitization processing can be accessed, for example, the account of the a-type access authority can be accessed to the sensitive data subjected to first-order desensitization processing, the account of the b-type access authority can be accessed to the sensitive data subjected to second-order desensitization processing, and the sensitive data subjected to first-order desensitization processing can also be accessed, but the account of the a-type access authority cannot be accessed to the sensitive data subjected to second-order desensitization processing, the account of the c-type access authority can be accessed to the sensitive data subjected to third-order desensitization processing, and the account of the a-type access authority cannot be accessed to the sensitive data subjected to third-order desensitization processing and the sensitive data subjected to second-order desensitization processing, that is, an account with a high access right can access sensitive data accessed by an account with a low access right, and an account with a low access right cannot access sensitive data accessed by an account with a high access right.
In this embodiment, desensitization reading of sensitive data is performed based on a database sensitive data discovery and desensitization system of a cloud access security agent, as shown in fig. 7, a flowchart of desensitization reading of sensitive data is shown. The concrete description is as follows.
Step S701, start;
in step S701, the application program is started, and the application program will read application data from the data warehouse, where the application data may be data stored in the data warehouse by the application program, or data stored in the data warehouse by other application programs, and the data warehouse is application data subjected to desensitization processing.
Step S702, an application program requests to connect a cloud access security proxy;
in step S702, the application program wants to acquire desensitized application data from the data repository, and needs to establish a connection with the cloud access security agent first, and the cloud access security agent needs to configure a corresponding access right for the account type according to the application program account type.
In step S702, the application transmits data to the cloud access security agent through HTTPS encryption. The transmitted data comprises authentication information of the application, database data operation and the like.
Step S703, the cloud access security agent analyzes the authentication information in the application program request;
step S704, determining whether the authentication information passes the verification, if yes, executing step S705, and if no, executing step S708;
step S705, reading a data warehouse;
in step S705, in the case that the cloud access security agent verifies that the account of the application is legitimate, the application will be allowed to acquire the application of the corresponding account authority from the data repository.
Step S706, judging whether to start a sensitive data desensitization recovery function, if so, executing step S707, and if not, executing step S708;
step S707, desensitizing and recovering the sensitive data in the data warehouse according to the desensitizing and recovering rule of the sensitive data;
in step S707, because the acquired application data includes desensitized application data, and effective information cannot be acquired from the desensitized application data, desensitized recovery needs to be performed on the desensitized application data, that is, the encrypted desensitized data is decrypted, the deformed desensitized data is inversely deformed to obtain original information of the application data, and the replaced desensitized data is inversely replaced to obtain original information of the application data.
The sensitive data desensitization recovery module loads a corresponding desensitization recovery rule, can decrypt encrypted desensitized data according to the desensitization recovery rule, can perform inverse deformation on deformed desensitized data to obtain original information of application data, and can perform inverse replacement on replaced desensitized data to obtain the original information of the application data.
It should be noted that, the application data is decrypted, and desensitization recovery is performed on the sensitive data, so as to obtain original information of the desensitization data, for example, desensitization recovery is performed on the desensitized identity card information to obtain an 18-bit identity card.
Step S708 ends.
In this embodiment, since the data in the target database may include desensitized data, when the data in the target database is read, a desensitization rule for desensitizing the data may be loaded, and the application data is restored to the original data of the target application according to the desensitization rule.
By the embodiment provided by the application, the sensitive data discovery and desensitization system based on the cloud access security agent realizes a database sensitive data discovery and desensitization platform with complete functions of database operation, such as real-time sensitive data desensitization, sensitive data judgment rule management, data desensitization rule management, data and operation statistics, sensitive data notification and the like. The method provides high-efficiency and real-time sensitive data discovery and desensitization capability, all database operations are processed in real time in the database operation process, and extra reading and writing databases are not needed, so that extra burden on the databases is avoided.
The user can realize the discovery and the user reading and writing all data of the database and perform data desensitization through the cloud access security agent only after the corresponding sensitive data discovery and desensitization strategy rules are configured on the sensitive data discovery and desensitization strategy console at the cloud, service transformation is not needed for service, and an additional sensitive data discovery and desensitization system is not needed to be deployed.
And the CAM system is used for realizing the management and control of the identity and the access authority of the user and the application.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present invention is not limited by the order of acts, as some steps may occur in other orders or concurrently in accordance with the invention. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required by the invention.
According to another aspect of the embodiments of the present invention, there is also provided a data processing apparatus for implementing the above data processing method. As shown in fig. 8, the data processing apparatus includes: a first acquisition unit 81, an inquiry and identification unit 83, a desensitization processing unit 85, and a first writing unit 87.
The first obtaining unit 81 is configured to obtain first application data sent by a target application, where the first application data is application data requested by the target application to be written into a target database.
The query and identification unit 83 is configured to perform sensitive data query and identification analysis processing on the first application data to query and identify sensitive data that meets a sensitive data discovery condition, where the sensitive data discovery condition is a preconfigured condition.
And the desensitization processing unit 85 is configured to perform data desensitization processing on the sensitive data in the first application data to obtain second application data subjected to data desensitization processing.
The first writing unit 87 is used for writing the second application data subjected to the data desensitization processing into the target database.
By the embodiment provided by the application, the first obtaining unit 81 obtains first application data sent by a target application, where the first application data is application data requested by the target application to be written into a target database; the query and identification unit 83 performs sensitive data query and identification analysis processing on the first application data to query and identify sensitive data meeting a sensitive data discovery condition, wherein the sensitive data discovery condition is a preconfigured condition; the desensitization processing unit 85 performs data desensitization processing on sensitive data in the first application data to obtain second application data subjected to data desensitization processing; the first writing unit 87 writes the second application data subjected to the data desensitization processing into the target database, so that the purpose of desensitizing the application data of the target application before writing the application data of the target application into the target database is achieved, the technical effect that the data written into the target database by the application data of the target application is non-sensitive data is achieved, and the technical problem that in the prior art, the application data of the target application is read from the target database for desensitization processing, and the real-time performance is poor is solved.
Optionally, the querying and identifying unit 83 may include: the first loading module is used for loading the sensitive data discovery module and loading the sensitive data discovery conditions; and the query module is used for searching the sensitive data meeting the sensitive data discovery condition in the first application data through the sensitive data discovery module.
Optionally, the querying and identifying unit 83 may further include:
1) the first determining module is used for inquiring and identifying a target text in the first application data under the condition that the sensitive data discovery condition comprises a text matching condition and the text matching condition comprises the target text; and under the condition that the target text is inquired and identified in the first application data, determining that the sensitive data meeting the sensitive data discovery condition is inquired and identified in the first application data, wherein the sensitive data comprises the target text.
2) The second determining module is used for inquiring and identifying the target binary character string in the binary character string converted from the first application data under the condition that the sensitive data discovery condition comprises a binary matching condition and the binary matching condition comprises the target binary character string; in the case that the target binary string is queried and identified in the binary string converted from the first application data, determining that the query and the identification of the sensitive data in the first application data meet the sensitive data discovery condition, wherein the sensitive data comprises data represented by the target binary string in the first application data.
3) The third determining module is used for inquiring and identifying data meeting the target regular expression in the first application data under the condition that the sensitive data discovery condition comprises a regular expression matching condition and the text matching condition comprises the target regular expression; under the condition that data meeting a target regular expression is inquired and identified in the first application data, sensitive data meeting a sensitive data discovery condition is inquired and identified in the first application data, wherein the sensitive data comprises the data meeting the target regular expression in the first application data.
Optionally, the desensitization processing unit 85 may include:
1) the first desensitization processing module is used for carrying out encryption desensitization processing on sensitive data in the first application data to obtain second application data, wherein the data desensitization processing comprises encryption desensitization processing.
2) And the second desensitization processing module is used for performing deformation desensitization processing on the sensitive data in the first application data to obtain second application data, wherein the data desensitization processing comprises deformation desensitization processing.
3) And the third desensitization processing module is used for carrying out replacement desensitization processing on the sensitive data in the first application data to obtain second application data, wherein the data desensitization processing comprises replacement desensitization processing.
Optionally, the data processing apparatus may further include: and the second writing unit is used for writing the first application data into the target database under the condition that the sensitive data meeting the sensitive data discovery condition is found in the first application data and the sensitive data desensitization function is not started.
Optionally, the data processing apparatus may further include: the generating unit is used for generating a sensitive data mark under the condition that the sensitive data meeting the sensitive data finding condition is inquired and identified in the first application data, wherein the sensitive data mark is used for marking that the sensitive data is found in the first application data.
Optionally, the data processing apparatus may further include: the transmission unit is used for transmitting the sensitive data mark to a first account using a cloud access security proxy after generating the sensitive data mark, wherein the first account is used for indicating that application data sent by a target application is written into a target database after being processed by the cloud access security proxy, and the cloud access security proxy is used for enabling or disabling a sensitive data discovery function and enabling or disabling a sensitive data desensitization function.
Wherein, the generating unit may include: the acquisition module is used for acquiring attribute information of the sensitive data; and the fourth determining module is used for determining a target sensitivity level of the sensitive data corresponding to the attribute information, wherein the sensitive data mark comprises the target sensitivity level of the sensitive data, an account with the access right matched with the target sensitivity level is set to allow the sensitive data to be acquired, and an account with the access right not matched with the target sensitivity level is set to allow part of data in the sensitive data to be acquired or is set not to allow the sensitive data to be acquired.
Optionally, the data processing apparatus may further include: the reading unit is used for reading second application data from the target database, wherein the second application data comprises first desensitization data, and the first desensitization data is data obtained by performing data desensitization processing on sensitive data in the first application data; and the desensitization recovery unit is used for recovering the first desensitization data in the second application data under the condition that the sensitive data recovery function is started to obtain the first application data.
Wherein, the desensitization recovery unit may include:
the first desensitization recovery module is used for decrypting the first desensitization data in the second application data through a target decryption key to obtain first application data under the condition that the sensitive data in the first application data are encrypted and desensitized through the target encryption key to obtain second application data, wherein the target encryption key and the target decryption key are matched keys; or
The second desensitization recovery module is used for performing deformation desensitization processing on the sensitive data in the first application data through a preset deformation rule to obtain second application data, and performing reverse deformation processing on the first desensitization data in the second application data through the preset deformation rule to obtain first application data; or
And the third desensitization recovery module is used for carrying out reverse replacement processing on the first desensitization data in the second application data through a preset replacement rule under the condition that the second application data is obtained by carrying out replacement desensitization processing on the sensitive data in the first application data through the preset replacement rule, so as to obtain the first application data.
Optionally, the reading unit may include: the reading module is used for responding to the access request of the second account and reading the second application data from the target database;
the data processing apparatus may further include: the first sending module is used for sending the first application data or the sensitive data in the first application data to the second account under the condition that the access authority of the second account is matched with the target sensitivity level of the sensitive data after the first desensitization data in the second application data is recovered to obtain the first application data; the second sending module is used for sending part of the sensitive data in the first application data to the second account under the condition that the access authority of the second account is not matched with the target sensitive level of the sensitive data, or the third sending module is used for sending target prompt information to the second account, wherein the target prompt information is used for prompting that the second account cannot acquire the sensitive data.
Optionally, the data processing apparatus may further include:
1) the second acquisition unit is used for acquiring a first operation instruction in the target configuration interface, wherein the first operation instruction is used for enabling or disabling the sensitive data discovery function; and the control unit is used for enabling or disabling the sensitive data discovery function in response to the first operation instruction.
2) A third obtaining unit, configured to obtain a second operation instruction in the target configuration interface, where the second operation instruction is used to configure a sensitive data discovery condition in the sensitive data discovery function, and the sensitive data discovery condition includes at least one of: text matching conditions, binary matching conditions and regular expression matching conditions; and the first configuration unit is used for responding to the second operation instruction and configuring the sensitive data discovery condition in the sensitive data discovery function.
3) A fourth obtaining unit, configured to obtain a third operation instruction in the target configuration interface, where the third operation instruction is used to configure a sensitive data desensitization mode in the sensitive data desensitization function, and the sensitive data desensitization mode includes one of: carrying out encryption processing, deformation processing and replacement processing on part or all of the sensitive data; and the second configuration unit is used for responding to the third operation instruction and configuring a sensitive data desensitization mode in the sensitive data desensitization function.
Optionally, the desensitization processing unit 85 may include: the second loading module is used for loading the sensitive data desensitization module and loading a sensitive data desensitization mode; and the fourth desensitization processing module is used for performing desensitization processing on the sensitive data in the first application data by adopting a sensitive data desensitization mode through the sensitive data desensitization module to obtain second application data.
According to another aspect of the embodiment of the present invention, there is also provided an electronic device for implementing the data processing method, where the electronic device may be the terminal device or the server shown in fig. 1. The present embodiment takes the electronic device as a server as an example for explanation. As shown in fig. 9, the electronic device comprises a memory 902 and a processor 904, the memory 902 having stored therein a computer program, the processor 904 being arranged to perform the steps of any of the above-described method embodiments by means of the computer program.
Optionally, in this embodiment, the electronic device may be located in at least one network device of a plurality of network devices of a computer network.
Optionally, in this embodiment, the processor may be configured to execute the following steps by a computer program:
s1, acquiring first application data sent by a target application, wherein the first application data is application data requested to be written into a target database by the target application;
s2, performing sensitive data query and identification analysis processing on the first application data to query and identify sensitive data meeting sensitive data discovery conditions, wherein the sensitive data discovery conditions are preconfigured conditions;
s3, performing data desensitization processing on sensitive data in the first application data to obtain second application data subjected to data desensitization processing;
and S4, writing the second application data subjected to the data desensitization processing into the target database.
Alternatively, it can be understood by those skilled in the art that the structure shown in fig. 9 is only an illustration, and the electronic device may also be a terminal device such as a smart phone (e.g., an Android phone, an iOS phone, etc.), a tablet computer, a palmtop computer, a Mobile Internet Device (MID), a PAD, and the like. Fig. 9 is a diagram illustrating a structure of the electronic device. For example, the electronics may also include more or fewer components (e.g., network interfaces, etc.) than shown in FIG. 9, or have a different configuration than shown in FIG. 9.
The memory 902 may be used to store software programs and modules, such as program instructions/modules corresponding to the data processing method and apparatus in the embodiments of the present invention, and the processor 904 executes the software programs and modules stored in the memory 902 to execute various functional applications and data processing, that is, to implement the data processing method. The memory 902 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 902 may further include memory located remotely from the processor 904, which may be connected to the terminal over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof. The storage 902 may be specifically, but not limited to, used for storing information such as sample characteristics of the item and the target virtual resource account number. As an example, as shown in fig. 9, the memory 902 may include, but is not limited to, the data processing apparatus: a first acquisition unit 81, an inquiry and identification unit 83, a desensitization processing unit 85, and a first writing unit 87. In addition, the data processing apparatus may further include, but is not limited to, other module units in the data processing apparatus, which are not described in detail in this example.
Optionally, the transmitting device 906 is used for receiving or sending data via a network. Examples of the network may include a wired network and a wireless network. In one example, the transmission device 906 includes a Network adapter (NIC) that can be connected to a router via a Network cable and other Network devices to communicate with the internet or a local area Network. In one example, the transmission device 906 is a Radio Frequency (RF) module, which is used for communicating with the internet in a wireless manner.
In addition, the electronic device further includes: a display 908 for displaying the target configuration interface; and a connection bus 910 for connecting the respective module components in the above-described electronic apparatus.
In other embodiments, the terminal device or the server may be a node in a distributed system, where the distributed system may be a blockchain system, and the blockchain system may be a distributed system formed by connecting a plurality of nodes through a network communication. Nodes can form a Peer-To-Peer (P2P, Peer To Peer) network, and any type of computing device, such as a server, a terminal, and other electronic devices, can become a node in the blockchain system by joining the Peer-To-Peer network.
According to an aspect of the application, a computer program product or computer program is provided, comprising computer instructions, the computer instructions being stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform the data processing method provided in the data processing aspect or the various alternative implementations of the data processing aspect. Wherein the computer program is arranged to perform the steps of any of the above method embodiments when executed.
Alternatively, in the present embodiment, the above-mentioned computer-readable storage medium may be configured to store a computer program for executing the steps of:
s1, acquiring first application data sent by a target application, wherein the first application data is application data requested to be written into a target database by the target application;
s2, performing sensitive data query and identification analysis processing on the first application data to query and identify sensitive data meeting sensitive data discovery conditions, wherein the sensitive data discovery conditions are preconfigured conditions;
s3, performing data desensitization processing on sensitive data in the first application data to obtain second application data subjected to data desensitization processing;
and S4, writing the second application data subjected to the data desensitization processing into the target database.
Alternatively, in this embodiment, a person skilled in the art may understand that all or part of the steps in the methods of the foregoing embodiments may be implemented by a program instructing hardware associated with the terminal device, where the program may be stored in a computer-readable storage medium, and the storage medium may include: flash disks, Read-Only memories (ROMs), Random Access Memories (RAMs), magnetic or optical disks, and the like.
The above-mentioned serial numbers of the embodiments of the present invention are merely for description and do not represent the merits of the embodiments.
The integrated unit in the above embodiments, if implemented in the form of a software functional unit and sold or used as a separate product, may be stored in the above computer-readable storage medium. Based on such understanding, the technical solution of the present invention may be embodied in the form of a software product, which is stored in a storage medium and includes several instructions for causing one or more computer devices (which may be personal computers, servers, network devices, etc.) to execute all or part of the steps of the method according to the embodiments of the present invention.
In the above embodiments of the present invention, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed client may be implemented in other manners. The above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implemented, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not executed. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection through some interfaces, units or modules, and may be in an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The foregoing is only a preferred embodiment of the present invention, and it should be noted that, for those skilled in the art, various modifications and decorations can be made without departing from the principle of the present invention, and these modifications and decorations should also be regarded as the protection scope of the present invention.
Claims (15)
1. A data processing method, comprising:
acquiring first application data sent by a target application, wherein the first application data is application data requested to be written into a target database by the target application;
sensitive data query and identification analysis processing is carried out on the first application data so as to query and identify sensitive data meeting sensitive data discovery conditions, wherein the sensitive data discovery conditions are preconfigured conditions;
performing data desensitization processing on the sensitive data in the first application data to obtain second application data subjected to data desensitization processing;
and writing the second application data subjected to the data desensitization processing into the target database.
2. The method of claim 1, wherein the performing a sensitive data query and identification analysis process on the first application data to query and identify sensitive data satisfying the sensitive data discovery condition comprises:
loading a sensitive data discovery module and loading the sensitive data discovery conditions;
and performing sensitive data query and identification analysis processing on the first application data through the sensitive data discovery module so as to query and identify sensitive data meeting sensitive data discovery conditions.
3. The method of claim 1, wherein the performing a sensitive data query and identification analysis process on the first application data to query and identify sensitive data satisfying the sensitive data discovery condition comprises:
in the case that the sensitive data discovery condition comprises a text matching condition and the text matching condition comprises a target text, querying and identifying the target text in the first application data; under the condition that the target text is inquired and identified in the first application data, determining that the sensitive data meeting the sensitive data discovery condition is inquired and identified in the first application data, wherein the sensitive data comprises the target text; and/or
Querying and identifying a target binary string into which the first application data is converted if the sensitive data discovery condition comprises a binary match condition and the binary match condition comprises the target binary string; in the case that the target binary string is queried and identified in the binary string into which the first application data is converted, determining that the sensitive data meeting the sensitive data discovery condition is queried and identified in the first application data, wherein the sensitive data comprises data represented by the target binary string in the first application data; and/or
Under the condition that the sensitive data discovery condition comprises a regular expression matching condition and the text matching condition comprises a target regular expression, querying and identifying data meeting the target regular expression in the first application data; and under the condition that data meeting the target regular expression is inquired and identified in the first application data, determining the sensitive data meeting the sensitive data discovery condition, which is inquired and identified in the first application data, wherein the sensitive data comprises the data meeting the target regular expression in the first application data.
4. The method according to claim 1, wherein the performing data desensitization processing on the sensitive data in the first application data to obtain the second application data after the data desensitization processing comprises:
carrying out encryption desensitization processing on the sensitive data in the first application data to obtain second application data, wherein the data desensitization processing comprises the encryption desensitization processing; and/or
Performing deformation desensitization processing on the sensitive data in the first application data to obtain second application data, wherein the data desensitization processing comprises the deformation desensitization processing; and/or
And carrying out replacement desensitization treatment on the sensitive data in the first application data to obtain the second application data, wherein the data desensitization treatment comprises the replacement desensitization treatment.
5. The method of claim 1, further comprising:
and under the condition that the sensitive data meeting the sensitive data discovery condition is inquired and identified in the first application data and a sensitive data desensitization function is not enabled, writing the first application data into the target database.
6. The method of claim 1, further comprising:
and under the condition that the sensitive data meeting the sensitive data discovery condition is inquired and identified in the first application data, generating a sensitive data mark, wherein the sensitive data mark is used for marking the inquiry and identification of the sensitive data in the first application data.
7. The method of claim 6, wherein after the generating the sensitive data marker, the method further comprises:
and transmitting the sensitive data mark to a first account using a cloud access security proxy, wherein the first account is used for indicating that application data sent by the target application is written into the target database after being processed by the cloud access security proxy, and the cloud access security proxy is used for enabling or disabling the sensitive data discovery function and enabling or disabling the sensitive data desensitization function.
8. The method of claim 7, wherein generating the sensitive data marker comprises:
acquiring attribute information of the sensitive data;
and determining a target sensitivity level of the sensitive data corresponding to the attribute information, wherein the sensitive data mark comprises the target sensitivity level of the sensitive data, an account with an access right matched with the target sensitivity level is set to allow the sensitive data to be acquired, and an account with an access right not matched with the target sensitivity level is set to allow a part of data in the sensitive data to be acquired or is set not to allow the sensitive data to be acquired.
9. The method of claim 1, further comprising:
reading the second application data from the target database, wherein the second application data comprises first desensitization data, and the first desensitization data is data obtained by performing data desensitization processing on the sensitive data in the first application data;
and under the condition that a sensitive data recovery function is started, performing recovery processing on the first desensitized data in the second application data to obtain the first application data.
10. The method according to claim 9, wherein the performing the recovery processing on the first desensitization data in the second application data to obtain the first application data comprises:
under the condition that the sensitive data in the first application data are subjected to encryption desensitization processing through a target encryption key to obtain second application data, decrypting the first desensitization data in the second application data through a target decryption key to obtain the first application data, wherein the target encryption key and the target decryption key are matched keys; or
Under the condition that deformation desensitization processing is carried out on the sensitive data in the first application data through a preset deformation rule to obtain second application data, reverse deformation processing is carried out on the first desensitization data in the second application data through the preset deformation rule to obtain the first application data; or
And under the condition that the second application data is obtained by carrying out replacement desensitization treatment on the sensitive data in the first application data through a preset replacement rule, carrying out reverse replacement treatment on the first desensitization data in the second application data through the preset replacement rule to obtain the first application data.
11. The method of claim 9, further comprising:
the reading the second application data from the target database includes: reading the second application data from the target database in response to an access request of a second account;
after performing recovery processing on the first desensitization data in the second application data to obtain the first application data, the method further includes: under the condition that the access authority of the second account is matched with the target sensitivity level of the sensitive data, the first application data or the sensitive data in the first application data is sent to the second account; and under the condition that the access authority of the second account is not matched with the target sensitivity level of the sensitive data, sending part of the sensitive data in the first application data to the second account, or sending target prompt information to the second account, wherein the target prompt information is used for prompting that the second account cannot acquire the sensitive data.
12. The method according to any one of claims 1 to 11, further comprising at least one of:
acquiring a first operation instruction in a target configuration interface, wherein the first operation instruction is used for enabling or disabling a sensitive data discovery function; enabling or disabling the sensitive data discovery function in response to the first operating instruction;
acquiring a second operation instruction in the target configuration interface, wherein the second operation instruction is used for configuring the sensitive data discovery condition in a sensitive data discovery function, and the sensitive data discovery condition includes at least one of the following conditions: text matching conditions, binary matching conditions and regular expression matching conditions; responding to the second operation instruction, configuring the sensitive data discovery condition in the sensitive data discovery function;
acquiring a third operation instruction in the target configuration interface, wherein the third operation instruction is used for configuring a sensitive data desensitization mode in a sensitive data desensitization function, and the sensitive data desensitization mode comprises one of the following modes: performing encryption processing, deformation processing and replacement processing on part or all of the sensitive data; and responding to the third operating instruction, and configuring a sensitive data desensitization mode in the sensitive data desensitization function.
13. The method according to any one of claims 1 to 11, wherein performing data desensitization processing on the sensitive data in the first application data to obtain second application data after performing data desensitization processing comprises:
loading a sensitive data desensitization module and loading a sensitive data desensitization mode;
and performing data desensitization processing on the sensitive data in the first application data by adopting the sensitive data desensitization mode through the sensitive data desensitization module to obtain the second application data subjected to data desensitization processing.
14. A data processing apparatus, comprising:
the system comprises a first acquisition unit, a second acquisition unit and a third acquisition unit, wherein the first acquisition unit is used for acquiring first application data sent by a target application, and the first application data is application data which is requested to be written into a target database by the target application;
the query and identification unit is used for performing sensitive data query and identification analysis processing on the first application data so as to query and identify sensitive data meeting sensitive data discovery conditions, wherein the sensitive data discovery conditions are preconfigured conditions;
the desensitization processing unit is used for performing data desensitization processing on the sensitive data in the first application data to obtain second application data subjected to data desensitization processing;
and the first writing unit is used for writing the second application data subjected to the data desensitization processing into the target database.
15. An electronic device comprising a memory and a processor, characterized in that the memory has stored therein a computer program, the processor being arranged to execute the method of any of claims 1 to 13 by means of the computer program.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110287826.0A CN113010904A (en) | 2021-03-17 | 2021-03-17 | Data processing method and device and electronic equipment |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202110287826.0A CN113010904A (en) | 2021-03-17 | 2021-03-17 | Data processing method and device and electronic equipment |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN113010904A true CN113010904A (en) | 2021-06-22 |
Family
ID=76409396
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202110287826.0A Pending CN113010904A (en) | 2021-03-17 | 2021-03-17 | Data processing method and device and electronic equipment |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN113010904A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113705410A (en) * | 2021-08-20 | 2021-11-26 | 陈成 | Face image desensitization processing and verifying method and system |
| CN113992345A (en) * | 2021-09-13 | 2022-01-28 | 百度在线网络技术(北京)有限公司 | Method and device for encrypting and decrypting webpage sensitive data, electronic equipment and storage medium |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107704770A (en) * | 2017-09-28 | 2018-02-16 | 平安普惠企业管理有限公司 | Sensitive information desensitization method, system, equipment and readable storage medium storing program for executing |
| CN109271807A (en) * | 2018-08-20 | 2019-01-25 | 深圳萨摩耶互联网金融服务有限公司 | The data safety processing method and system of database |
| CN109960944A (en) * | 2017-12-14 | 2019-07-02 | 中兴通讯股份有限公司 | A kind of data desensitization method, server, terminal and computer readable storage medium |
| CN109977690A (en) * | 2017-12-28 | 2019-07-05 | 中国移动通信集团陕西有限公司 | A kind of data processing method, device and medium |
| CN110210241A (en) * | 2018-02-28 | 2019-09-06 | 中兴通讯股份有限公司 | A kind of data desensitization method and device |
| CN112417476A (en) * | 2020-11-24 | 2021-02-26 | 广州华熙汇控小额贷款有限公司 | Desensitization method and data desensitization system for sensitive data |
| CN112417443A (en) * | 2020-11-20 | 2021-02-26 | 平安普惠企业管理有限公司 | Database protection method and device, firewall and computer readable storage medium |
-
2021
- 2021-03-17 CN CN202110287826.0A patent/CN113010904A/en active Pending
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107704770A (en) * | 2017-09-28 | 2018-02-16 | 平安普惠企业管理有限公司 | Sensitive information desensitization method, system, equipment and readable storage medium storing program for executing |
| CN109960944A (en) * | 2017-12-14 | 2019-07-02 | 中兴通讯股份有限公司 | A kind of data desensitization method, server, terminal and computer readable storage medium |
| CN109977690A (en) * | 2017-12-28 | 2019-07-05 | 中国移动通信集团陕西有限公司 | A kind of data processing method, device and medium |
| CN110210241A (en) * | 2018-02-28 | 2019-09-06 | 中兴通讯股份有限公司 | A kind of data desensitization method and device |
| CN109271807A (en) * | 2018-08-20 | 2019-01-25 | 深圳萨摩耶互联网金融服务有限公司 | The data safety processing method and system of database |
| CN112417443A (en) * | 2020-11-20 | 2021-02-26 | 平安普惠企业管理有限公司 | Database protection method and device, firewall and computer readable storage medium |
| CN112417476A (en) * | 2020-11-24 | 2021-02-26 | 广州华熙汇控小额贷款有限公司 | Desensitization method and data desensitization system for sensitive data |
Non-Patent Citations (1)
| Title |
|---|
| 卢昱: "《网络安全技术》", 28 February 2001, 中国物资出版社, pages: 276 * |
Cited By (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN113705410A (en) * | 2021-08-20 | 2021-11-26 | 陈成 | Face image desensitization processing and verifying method and system |
| CN113992345A (en) * | 2021-09-13 | 2022-01-28 | 百度在线网络技术(北京)有限公司 | Method and device for encrypting and decrypting webpage sensitive data, electronic equipment and storage medium |
| CN113992345B (en) * | 2021-09-13 | 2024-05-28 | 百度在线网络技术(北京)有限公司 | Webpage sensitive data encryption and decryption method and device, electronic equipment and storage medium |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US20230010452A1 (en) | Zero-Knowledge Environment Based Networking Engine | |
| CN111475841B (en) | Access control method, related device, equipment, system and storage medium | |
| EP2731044B1 (en) | Client computer for querying a database stored on a server via a network | |
| JP4870160B2 (en) | Method for encapsulating information in a database, encapsulated database for use in a communication system, and method for mediating instant messages in a system | |
| US20180285596A1 (en) | System and method for managing sensitive data | |
| US20130054611A1 (en) | Apparatus and method for processing partitioned data for securing content | |
| CN108769024B (en) | Data acquisition method and multi-data operator negotiation service system | |
| US20160117521A1 (en) | Computer system for storing and retrieval of encrypted data items, client computer, computer program product and computer-implemented method | |
| CN110268406B (en) | Password security | |
| US10783277B2 (en) | Blockchain-type data storage | |
| CN113010904A (en) | Data processing method and device and electronic equipment | |
| CN110363017A (en) | Mix the data safety sharing method and system based on client encryption under cloud environment | |
| CN111756684A (en) | System and method for transmitting confidential data | |
| CN113486060A (en) | Data access processing method and device, storage medium and electronic equipment | |
| CN106295366B (en) | Sensitive data identification method and device | |
| US9973339B1 (en) | Anonymous cloud data storage and anonymizing non-anonymous storage | |
| CN113658709B (en) | Method, device, computer equipment and storage medium for medical data information query | |
| CN113890753B (en) | Digital identity management method, device, system, computer equipment and storage medium | |
| CN115250467A (en) | Data processing method and device, electronic equipment and computer readable storage medium | |
| US11621944B2 (en) | Systems and methods for anonymous and consistent data routing in a client-server architecture | |
| CN113037743A (en) | Encryption method and system for cloud server file | |
| CN112464255A (en) | Data processing method and device, storage medium and electronic equipment | |
| CN114793156B (en) | Data processing method, device, equipment and storage medium | |
| CN111355710B (en) | Data request method and device of network service | |
| EP3757845A1 (en) | Systems and methods for anonymous and consistent data routing in a client-server architecture |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| REG | Reference to a national code |
Ref country code: HK Ref legal event code: DE Ref document number: 40048273 Country of ref document: HK |