CN114780949B - Method and system for lightweight data security protection based on virtual container - Google Patents


Info

Publication number: CN114780949B
Application number: CN202210547194.1A
Authority: CN (China)
Prior art keywords: virtual container, data file, user, parent virtual, target data
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN114780949A (en)
Inventor: 王文宇
Current assignee: Beijing Shuanhang Technology Co ltd (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Beijing Shuanhang Technology Co ltd
Events: application filed by Beijing Shuanhang Technology Co ltd; priority to CN202210547194.1A; publication of CN114780949A; application granted; publication of CN114780949B; legal status active; anticipated expiration

Classifications

    • G PHYSICS; G06 COMPUTING, CALCULATING OR COUNTING; G06F ELECTRIC DIGITAL DATA PROCESSING
        • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
            • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
                • G06F21/52 ... during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
                    • G06F21/53 ... by executing in a restricted environment, e.g. sandbox or secure virtual machine
            • G06F21/60 Protecting data
                • G06F21/602 Providing cryptographic facilities or services
                • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
                    • G06F21/6209 ... to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
        • G06F9/00 Arrangements for program control, e.g. control units
            • G06F9/06 ... using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
                • G06F9/44 Arrangements for executing specific programs
                    • G06F9/455 Emulation; interpretation; software simulation, e.g. virtualisation or emulation of application or operating system execution engines
                        • G06F9/45533 Hypervisors; virtual machine monitors
                            • G06F9/45558 Hypervisor-specific management and integration aspects
                                • G06F2009/45587 Isolation or security of virtual machine instances


Abstract

The embodiment of the application provides a method and a system for lightweight data security protection based on a virtual container. The method comprises the following steps: creating a parent virtual container for storing a data file based on a security operation protection request of a provider for the data file; determining a target data file and a first use permission corresponding to the user identity of a user based on a received operation request of the user for the data file; and, if the user side meets the first access condition of the parent virtual container storing the target data file and the first use permission meets the use permission of the target data file, creating a corresponding child virtual container for each target data file in the parent virtual container. The application protects data with multiple layers of isolation through a two-layer nested virtual container, giving strong security, while the multilayer virtual container also reduces the resources occupied while the data is in use and reduces dependence on other components, achieving lightweight data security control.

Description

Method and system for lightweight data security protection based on virtual container
Technical Field
The application relates to the field of information security, in particular to a method and a system for lightweight data security protection based on a virtual container.
Background
In the context of digitization, data flow has become the norm. In a data flow scenario, a user may use data within the organization, in a remote office or on a business trip, or may hand data to a temporary project member for a specific project. For non-essential data, the flow of data in these scenarios may be of no concern. Once important data has to flow, however, that data carries valuable information, and once it has flowed its security can no longer be controlled. To protect data security, appropriate protection measures must be taken so that data can flow while its security remains guaranteed.
In the prior art, enterprises adopt different means to protect data security, and these means either hinder data flow, occupy a large amount of system resources to achieve security, require deploying several components and coordinating with them to complete the protection process, or cannot control and protect each piece of data individually at fine granularity. An enterprise manager who needs to meet the usage requirement of data flow, obtain lightweight data security protection and apply fine-grained independent access control and protection to data has no effective means of doing so. The above problems have therefore become technical problems to be solved in the art.
Disclosure of Invention
To address the problems in the prior art, the embodiment of the application provides a method and a system for lightweight data security protection based on a virtual container.
In a first aspect, an embodiment of the present application provides a method for lightweight data security protection based on a virtual container, including:
creating a parent virtual container for storing a data file based on a security operation protection request of a provider for the data file; the parent virtual container stores one or more data files and is configured with first access conditions of different user identities; the data file is provided with an authority identifier;
determining a target data file and a first use permission corresponding to the user identity of a user based on a received operation request of the user for the data file;
if the user meets the first access condition of the parent virtual container storing the target data file and the first use permission meets the use permission of the target data file, creating a corresponding child virtual container for each target data file in the parent virtual container, thereby providing security protection for the target data file;
wherein the target data file is any one or more of all the data files included in the security operation protection request.
Optionally, creating a parent virtual container for storing the data file based on a security operation protection request of a provider for the data file includes:
creating a parent virtual container for storing the data file with a fixed unit size, wherein the fixed unit size is dynamically expanded according to the size of the data file;
configuring, for the parent virtual container, first access conditions of different user identities and authority identifiers of all the data files included in the security operation protection request;
encrypting the first access condition and the authority identifier of each data file using the identifier of the parent virtual container as the key;
wherein the identifier of the parent virtual container is determined by a virtual container identifier determination rule, and that rule is stored in the parent virtual container; the virtual container identifier determination rule is: the provider that created the parent virtual container and the creation time, both carried by the parent virtual container, are combined and encrypted (hashed) with the Chinese national cryptographic algorithm SM3.
Optionally, configuring for the parent virtual container the first access conditions of different user identities and the authority identifiers of all the data files included in the security operation protection request includes:
configuring a user identity authentication condition in the first access condition of the parent virtual container based on a first user identifier or a second user identifier; the first user identifier is determined by the provider according to a short-message (SMS) authentication condition generation rule; the second user identifier is determined by the provider according to a password-plus-short-message authentication condition generation rule;
configuring the time allowed for use in the first access condition of the parent virtual container based on the provider's security operation protection request for the data file;
configuring the authority identifier of each data file stored in the parent virtual container based on the provider's security operation protection request for the data file;
the short-message authentication condition generation rule combines the identifier of the parent virtual container and the identifier of the user and encrypts the combination with the Chinese national cryptographic algorithm SM4; the password-plus-short-message authentication condition generation rule combines the identifier of the parent virtual container, the identifier of the user and the user's password and encrypts the combination with SM4; the authority identifier indicates the different use permissions corresponding to different data files.
Optionally, the use permissions corresponding to the authority identifier include read only, edit, positioning read only, and positioning edit; positioning read only means that the user's location is determined while the data file is operated read-only; positioning edit means that the user's location is determined while the data file is edited.
Optionally, the determining, based on the received operation request for the data file by the user, a target data file and a first usage right corresponding to a user identity of the user includes:
determining the parent virtual container storing the target data file;
acquiring the identifier of the parent virtual container generated by the user according to the virtual container identifier determination rule;
decrypting the first access condition of the parent virtual container and the authority identification of the data file stored therein based on the identification of the parent virtual container; and the authority identification corresponds to the user identity one to one.
Optionally, determining that the user satisfies the first access condition of the parent virtual container storing the target data file and that the first use permission satisfies the use permission of the target data file includes:
acquiring a third user identifier determined by the user based on the short message authentication condition generation rule and a fourth user identifier determined by the user based on the password and short message combined authentication condition generation rule;
if the third user identifier is consistent with the first user identifier stored in the parent virtual container, or the fourth user identifier is consistent with the second user identifier stored in the parent virtual container, determining that the user identity of the user meets the first access condition of the parent virtual container;
under the condition that a first access condition of the parent virtual container is met, determining whether the use permission corresponding to the user identity of the user is in a first permission set of the target data file, wherein the first permission set comprises the use permission corresponding to the permission identification of all different user identities on the target data file;
and if the use permission corresponding to the user identity of the user is in the first permission set, determining that the use permission corresponding to the permission identification of the target data file is satisfied.
Optionally, creating a corresponding child virtual container for each target data file in the parent virtual container so as to provide security protection for the target data file includes:
creating a corresponding child virtual container for each target data file in the parent virtual container in which it is stored;
acquiring the use permission corresponding to the authority identifier of the target data file and binding that use permission to the corresponding child virtual container;
and monitoring operation requests for the target data file according to the use permission bound to the child virtual container.
Optionally, the method further comprises:
when the use permission is positioning read only or positioning edit, determining whether the system on which the parent virtual container is located is normally connected to the network;
and if it is, acquiring the positioning information of the user, recording the positioning information through the parent virtual container, and recording the corresponding read-only or editing operation through the child virtual container corresponding to the target data file.
Optionally, the method further comprises:
if the provider stores the identifier of a second parent virtual container in a first parent virtual container, then the operation request for a first target data file is executed only when the first access conditions of both the first and the second parent virtual container are met, together with the use permission of the first target data file in the first parent virtual container and the use permission of a second target data file in the second parent virtual container, so that data circulates in one direction only, from the first target data file to the second target data file.
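The child-container binding, the positioning record and the one-way circulation described in the three optional paragraphs above, as an added example that is not part of the patent. The `ParentContainer` and `ChildContainer` classes, the operation names, the `access_ok` map standing in for the full SM3/SM4 access check, and the choice to refuse a positioning operation when the host is offline (the page does not state the offline case) are assumptions of this example. It also shows two files open at the same time under different rights, the per-file control the description later contrasts with prior approaches.

```python
from dataclasses import dataclass, field
from typing import Optional

RIGHTS = ("read only", "edit", "positioning read only", "positioning edit")

@dataclass
class ParentContainer:
    cid: str                            # identifier (SM3 rule on the page)
    network_ok: bool                    # host normally connected to the network
    linked_cid: Optional[str] = None    # identifier of a second parent, if stored
    location_log: list = field(default_factory=list)   # positioning records

@dataclass
class ChildContainer:
    """Child virtual container bound to one target file and one use permission."""
    file: str
    right: str
    op_log: list = field(default_factory=list)         # operations it recorded

def create_child(file: str, right: str) -> ChildContainer:
    # Created inside the parent once the access check has passed; the right
    # acquired from the file's authority identifier is bound to the child.
    if right not in RIGHTS:
        raise ValueError(f"unknown use permission: {right}")
    return ChildContainer(file, right)

def request_operation(parent, child, op, user, location=None) -> bool:
    """Monitor one operation request ('read' or 'edit') against the right bound
    to the child. Returns True when the operation is permitted and recorded."""
    if op not in ("read", "edit"):
        return False
    if op == "edit" and child.right in ("read only", "positioning read only"):
        return False                                   # right does not cover edit
    if child.right.startswith("positioning"):
        # Page: for a positioning right, check the network; when connected,
        # acquire the user's location and record it through the parent.
        # Refusing when offline or without a location is this example's
        # assumption; the page does not state the offline case.
        if not parent.network_ok or location is None:
            return False
        parent.location_log.append((user, child.file, op, location))
    child.op_log.append((user, op))                    # child records the operation
    return True

def flow_allowed(first, second, first_right, second_right, access_ok) -> bool:
    """One-way circulation from a file in `first` to a file in `second`: allowed
    only if `first` stores `second`'s identifier, both parents' first access
    conditions are met (access_ok maps cid -> bool, standing in for the SM3/SM4
    check), and the user holds a right on both the source and the target file."""
    return (first.linked_cid == second.cid
            and access_ok.get(first.cid, False) and access_ok.get(second.cid, False)
            and first_right in RIGHTS and second_right in RIGHTS)

def demo():
    # Constructed sample: two parents, the first storing the second's identifier,
    # and two files open at the same time under different rights.
    p1 = ParentContainer("cid-1", network_ok=True, linked_cid="cid-2")
    p2 = ParentContainer("cid-2", network_ok=False)
    ro = create_child("report.docx", "positioning read only")
    ed = create_child("report-copy.docx", "edit")
    ok = {"cid-1": True, "cid-2": True}
    results = [
        request_operation(p1, ro, "read", "bob", location=(39.9, 116.4)),
        request_operation(p1, ro, "edit", "bob", location=(39.9, 116.4)),
        request_operation(p2, ed, "edit", "bob"),
        flow_allowed(p1, p2, "positioning read only", "edit", ok),   # forward
        flow_allowed(p2, p1, "edit", "positioning read only", ok),   # reverse
    ]
    return results, len(p1.location_log), len(ro.op_log)
```

The reverse direction fails in `flow_allowed` solely because the second parent does not store the first parent's identifier; the stored identifier is what makes the circulation unidirectional, independently of which rights the user holds.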
In a second aspect, an embodiment of the present application further provides a system for lightweight data security protection based on a virtual container, including:
a creating unit, configured to create a parent virtual container for storing a data file based on a security operation protection request of a provider for the data file; the parent virtual container stores one or more data files and is configured with first access conditions of different user identities; the data file is provided with an authority identifier;
the determining unit is used for determining a target data file and a first use right corresponding to the user identity of a user based on a received operation request of the user on the data file;
an access unit, configured to create a corresponding child virtual container for each target data file in the parent virtual container if the user satisfies a first access condition of a parent virtual container storing the target data file and the first usage right satisfies the usage right of the target data file, so as to provide security protection for the target data file;
wherein the target data file is any one or more of the data files included in the security operation protection request.
Optionally, in the process of creating a parent virtual container for storing the data file based on a security operation protection request of a provider for the data file, the creating unit is specifically configured to:
create a parent virtual container for storing the data file with a fixed unit size, wherein the fixed unit size is dynamically expanded according to the size of the data file;
configure, for the parent virtual container, first access conditions of different user identities and authority identifiers of all the data files included in the security operation protection request;
encrypt the first access condition and the authority identifier of each data file using the identifier of the parent virtual container as the key;
wherein the identifier of the parent virtual container is determined by a virtual container identifier determination rule, and that rule is stored in the parent virtual container; the virtual container identifier determination rule is: the provider that created the parent virtual container and the creation time, both carried by the parent virtual container, are combined and encrypted (hashed) with the Chinese national cryptographic algorithm SM3.
Optionally, in configuring for the parent virtual container the first access conditions of different user identities and the authority identifiers of all the data files included in the security operation protection request, the creating unit is further configured to:
configure a user identity authentication condition in the first access condition of the parent virtual container based on a first user identifier or a second user identifier; the first user identifier is determined by the provider according to a short-message (SMS) authentication condition generation rule; the second user identifier is determined by the provider according to a password-plus-short-message authentication condition generation rule;
configure the time allowed for use in the first access condition of the parent virtual container based on the provider's security operation protection request for the data file;
configure the authority identifier of each data file stored in the parent virtual container based on the provider's security operation protection request for the data file;
the short-message authentication condition generation rule combines the identifier of the parent virtual container and the identifier of the user and encrypts the combination with the Chinese national cryptographic algorithm SM4; the password-plus-short-message authentication condition generation rule combines the identifier of the parent virtual container, the identifier of the user and the user's password and encrypts the combination with SM4; the authority identifier indicates the different use permissions corresponding to different data files.
Optionally, the use permissions corresponding to the authority identifier include read only, edit, positioning read only, and positioning edit; positioning read only means that the user's location is determined while the data file is operated read-only; positioning edit means that the user's location is determined while the data file is edited.
Optionally, the determining unit, after determining the target data file and the first usage right corresponding to the user identity of the user based on the received operation request for the data file by the user, is further configured to:
determining the parent virtual container storing the target data file;
acquiring the identifier of the parent virtual container generated by the user according to the virtual container identifier determination rule;
decrypting the first access condition of the parent virtual container and the authority identification of the data file stored therein based on the identification of the parent virtual container; and the authority identification corresponds to the user identity one to one.
Optionally, the accessing unit, in a process of determining that the user satisfies a first access condition of a parent virtual container storing the target data file and that the first usage right satisfies the usage right of the target data file, is specifically configured to:
acquiring a third user identifier determined by the user based on the short message authentication condition generation rule and a fourth user identifier determined by the user based on the password and short message combined authentication condition generation rule;
if the third user identifier is consistent with the first user identifier stored in the parent virtual container, or the fourth user identifier is consistent with the second user identifier stored in the parent virtual container, determining that the user identity of the user satisfies the first access condition of the parent virtual container;
under the condition that a first access condition of the parent virtual container is met, determining whether the use permission corresponding to the user identity of the user is in a first permission set of the target data file, wherein the first permission set comprises the use permission corresponding to the permission identification of all different user identities on the target data file;
and if the use permission corresponding to the user identity of the user is in the first permission set, determining that the use permission corresponding to the permission identification of the target data file is satisfied.
Optionally, in creating a corresponding child virtual container for each target data file in the parent virtual container, the access unit is specifically configured to:
create a corresponding child virtual container for each target data file in the parent virtual container in which it is stored;
acquire the use permission corresponding to the authority identifier of the target data file and bind that use permission to the corresponding child virtual container;
and monitor operation requests for the target data file according to the use permission bound to the child virtual container.
Optionally, the system further comprises a positioning module configured to:
when the use permission is positioning read only or positioning edit, determine whether the system on which the parent virtual container is located is normally connected to the network;
and if it is, acquire the positioning information of the user, record the positioning information through the parent virtual container, and record the corresponding read-only or editing operation through the child virtual container corresponding to the target data file.
Optionally, the access unit is further configured to:
if the provider stores the identifier of a second parent virtual container in a first parent virtual container, execute the operation request for a first target data file only when the first access conditions of both the first and the second parent virtual container are met, together with the use permission of the first target data file in the first parent virtual container and the use permission of a second target data file in the second parent virtual container, so that data circulates in one direction only, from the first target data file to the second target data file.
The method and system for lightweight data security protection based on a virtual container combine identity authentication with permission control through a two-layer nested virtual container, providing multilayer isolation protection for data with high security. At the same time, by dynamically adjusting the size of the multilayer virtual container, the storage space occupied by the data is controlled, the resources occupied during data use are reduced, dependence on other components is reduced, and lightweight data security control is achieved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly described below, and it is obvious that the drawings in the following description are some embodiments of the present application, and other drawings can be obtained by those skilled in the art without creative efforts.
Fig. 1 is a schematic flowchart of a method for lightweight data security protection based on a virtual container according to an embodiment of the present application;
fig. 2 is a schematic structural diagram of a system for lightweight data security protection based on a virtual container according to an embodiment of the present application;
fig. 3 is a schematic diagram of a parent virtual container creation flow provided by an embodiment of the present application;
FIG. 4 is a schematic diagram of a process for operating a child virtual container as provided by an embodiment of the present application;
FIG. 5 is a schematic flowchart of a user operating a data file according to an embodiment of the present application;
FIG. 6 is a flowchart illustrating an operation of a data file with location authority according to an embodiment of the present application;
fig. 7 is a second schematic structural diagram of a system for lightweight data security protection based on a virtual container according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present application clearer, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the drawings in the embodiments of the present application, and it is obvious that the described embodiments are some embodiments of the present application, but not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
With the advance of digital transformation, enterprises need to fully exploit the value of their data. Accordingly, the range over which data flows has expanded, and the use scenario has changed from use on a specific computer to many scenarios such as use within the organization, remote office work and third-party project cooperation. Protecting the security of data and controlling its use and flow are therefore particularly important and have become an urgent problem for enterprise managers. This is especially true for data containing the enterprise's core information: without a corresponding monitoring method, whether such data is used and flows safely is a great threat to the enterprise's development. For data use and flow, enterprises take different measures, which can mainly be divided into four types:
1) security measures characterized by boundary protection, which prevent data flow: the data is fixed to a specific computer, and data security is protected at the cost of data mobility;
2) security measures that require a large amount of resources and the support and cooperation of other large components to operate. To use data securely, the user must have sufficient system resources, which raises the user's resource cost and affects the efficiency with which the user can work with the data;
3) security protection that cannot be fine-grained: each piece of data cannot be protected individually, and in particular different files of the same file type cannot be controlled and protected separately. For example, when two Word files are opened or edited at the same time, the permission of each file cannot be controlled separately; only one and the same control can be applied to both. If one Word file is to be read-only while the second may be modified, and both are opened or edited at the same time, the two Word files can only be treated the same way to protect the security of the file.
4) adding permission control to data by changing the data format. After the format of some data is changed, the ability of application software to process the data is affected;
5) security measures that mix important and unimportant data together; limited by the technical level, data protection is sometimes insufficient, and sometimes unimportant data is also strictly protected.
Given the characteristics of data in the digital context, namely the diversity of data formats, strong data mobility and high data value, an enterprise faces particular difficulties in solving the data security problem. At present, data security protection has the following limitations:
1) by means of blocking, data is restricted to use on a particular computer. This method was suitable when the office environment was inside the organization, but today data is used not only within the organization but also by staff working remotely or on business trips, or by third-party staff participating in project cooperation, and blocking hinders the use of the data;
2) heavy software must be installed and third-party components must cooperate while data is protected, which implicitly places high demands on the user's resources and increases costs for the enterprise;
3) when several copies of data are opened and used at the same time, only one permission can be applied to control all of them, which affects the user's experience;
4) data formats are diverse; controlling usage permissions by changing the data format loses the attributes of the original data for a large proportion of files, and the original software functions available on the original data can no longer be used on the format-converted data;
5) data security protection technology also faces attacks from hackers and spyware, and its security is not strongly guaranteed.
Therefore, the method and system for lightweight data security protection based on a virtual container are provided to solve the problem in the prior art of guaranteeing data integrity while protecting different data at different granularities with lower resource consumption.
The method and system for lightweight data security protection based on virtual container provided by the embodiments of the present application are described below with reference to fig. 1 to 7.
Fig. 1 is a schematic flowchart of a method for lightweight data security protection based on a virtual container according to an embodiment of the present application; as shown in fig. 1, the method includes:
Step 101: based on a security operation protection request from a provider for a data file, create a parent virtual container for storing the data file; the parent virtual container stores one or more data files and is configured with first access conditions for different user identities; each data file carries a permission identifier.
Specifically, a data file provider shares data files with other users according to its own requirements and needs to monitor each user's operations on those files. By sending a security operation protection request for the data files, the provider creates corresponding parent virtual containers for storing them; each parent virtual container contains one or more data files and is provided with first access conditions for different user identities and with permission identifiers. The first access conditions for different user identities distinguish whether different users have an identity that may access one or more parent virtual containers. Each user may have its own user identity, or several users may share one user identity, which amounts to grouping users; the specific arrangement can be revised according to actual requirements. This controls which users may access which parent virtual containers, each of which may store one or more data files. The permission identifier is the finer-grained control over the data files: it is the usage permission for a single data file.
The parent virtual container is created by the provider according to the usage requirement and operates in a self-driven manner: it does not need to be registered with or managed by other components, and it completes its own management, scheduling and loading, which forms the first lightweight characteristic. At the same time, the parent virtual container is isolated from the operating system, which forms the first security protection layer. The first access condition of the parent virtual container is checked when the parent virtual container is scheduled and loaded. This check is also self-driven: the parent virtual container verifies its own access condition without additional interaction with other components, which forms the second lightweight characteristic. The verification of the first access condition of the parent virtual container forms the second security protection layer.
In general, different parent virtual containers are completely isolated from each other. If a shared parent virtual container is set for a parent virtual container, data can be circulated between the two parent virtual containers under conditions.
Several data files can be stored in the same parent virtual container, and each data file can be given a different permission identifier independently.
Step 102: based on a received operation request from a user for the data file, determine a target data file and a first usage permission corresponding to the user identity of the user; the target data file is any one or more of all the data files included in the security operation protection request.
After the parent virtual container has been created, when a user needs to operate on one or more data files, it is first determined which data file is to be operated on, which can be done by file identifier or file name; the parent virtual container storing that data file is then scheduled and loaded. While the parent virtual container is being scheduled and loaded, the first access condition is verified, and once verification passes the parent virtual container finishes scheduling and loading.
Further, before the user operates on a data file in the parent virtual container, the user identity corresponding to the user is obtained, and the usage permission corresponding to that user identity is determined as the first usage permission. The first usage permission may be a usage permission for one or more data files and is not specifically limited here.
Step 103: if the user satisfies the first access condition of the parent virtual container storing the target data file and the first usage permission satisfies the usage permission of the target data file, create a corresponding child virtual container for each target data file in the parent virtual container, so as to provide security protection for the target data file.
The created parent virtual container is configured with first access conditions for different user identities. Using the user identity determined in the previous step, it is determined whether that user identity satisfies the first access conditions, for example by comparing whether the user identity is consistent with one of the user identities in the first access conditions; if so, the first access condition of the parent virtual container is satisfied.
Further, the first usage permission corresponding to the user identity is compared with the usage permission corresponding to the permission identifier of the data file the user wants to operate on. If the first usage permission lies within, or is consistent with, the usage permission corresponding to the permission identifier, the first usage permission is determined to satisfy the usage permission of the data file's permission identifier, and a child virtual container is created for the data file. Child virtual containers are created per data file and are located inside the parent virtual container storing that data file. When a data file is used, an independent child virtual container is automatically established in the parent virtual container, and the data can only be used in the child virtual container started by the parent virtual container; it cannot be transferred elsewhere. The size of the child virtual container can also be expanded dynamically: it is initially created with a fixed space size and is expanded according to the size of the data file as the file is loaded. Different data is used in different child virtual containers, which forms the third security barrier. Each child virtual container runs with the resources that the parent virtual container dynamically allocates on demand according to the size of the data, which forms the third lightweight characteristic. In this way multi-layered protection is provided for the security of data files.
The method for lightweight data security protection based on virtual containers provided by the embodiment of the present application uses double-layer nested virtual containers combined with identity authentication and permission control to provide multi-layer isolated security protection for data, with strong security. At the same time, by initialising the virtual space of the multi-layer virtual containers, it reduces the resources occupied while the data is in use and the dependency on other components; it performs identity authentication and permission control on data use and obtains the detailed state of the data in real time. While the data is protected, free circulation and use of the data are achieved at minimal cost, reaching lightweight data management and control.
Optionally, creating a parent virtual container for storing the data file based on a security operation protection request from a provider for the data file includes:
creating a parent virtual container for storing the data file with a fixed unit space size, where the fixed unit space size is expanded dynamically according to the size of the data file;
configuring in the parent virtual container the first access conditions for different user identities and the permission identifiers of all the data files included in the security operation protection request;
encrypting the first access condition and the permission identifier of each data file using the identifier of the parent virtual container as the key;
where the identifier of the parent virtual container is determined according to a virtual container identifier determination rule stored in the parent virtual container, and the rule is: apply the national cryptographic algorithm SM3 to the provider that created the parent virtual container and the creation time, both of which the parent virtual container carries.
Specifically, the initial size of a parent virtual container is usually a fixed unit space size, such as 10K or 3K; it occupies little storage space and is expanded dynamically according to the usage needs of the provider or user, which forms the fourth lightweight characteristic. The basis for dynamic expansion is the total size of all the data files the user subsequently places in the parent virtual container.
When the parent virtual container is created, the national cryptographic algorithm SM3 is applied to the combination of the provider creating the parent virtual container and the creation time to compute the identifier of the parent virtual container; the provider and the user both compute the identifier with the same rule, and this rule is stored in the parent virtual container. The identifier of each parent virtual container is unique. The first access condition is encrypted with the unique identifier of the parent virtual container as the key, and the encrypted first access condition is stored in the parent virtual container.
In addition, the provider can set different usage permissions for different data files to form the permission identifiers of the data files, and the unique identifier of the parent virtual container is used as the key to encrypt the permission identifiers. Both the data file and its encrypted permission identifier are stored in the parent virtual container, and neither can be circulated out of the parent virtual container, which forms the fourth security protection layer. The data file and its encrypted permission identifier are bound together and cannot be separated.
The method for lightweight data security protection based on virtual containers provided by the embodiment of the present application combines identity authentication and permission control through double-layer nested virtual containers and provides multi-layer isolated security protection for data with high security; by dynamically adjusting the size of the multi-layer virtual containers it controls the occupation of data storage space, reduces the resources occupied while the data is in use, and achieves lightweight management and control of data.
Optionally, configuring in the parent virtual container the first access conditions for different user identities and the permission identifiers of all the data files included in the security operation protection request includes:
configuring a user identity authentication condition in the first access condition of the parent virtual container based on a first user identifier or a second user identifier; the first user identifier is determined by the provider based on an SMS authentication condition generation rule, and the second user identifier is determined by the provider based on a combined password and SMS authentication condition generation rule;
configuring a permitted use time in the first access condition of the parent virtual container based on the provider's security operation protection request for the data file;
configuring a permission identifier for each data file stored in the parent virtual container based on the provider's security operation protection request for the data file;
where the SMS authentication condition generation rule combines the identifier of the parent virtual container with the identifier of a user and encrypts them with the national cryptographic algorithm SM4; the combined password and SMS authentication condition generation rule combines the identifier of the parent virtual container, the identifier of the user and the user's password and encrypts them with the national cryptographic algorithm SM4; and the permission identifier indicates the different usage permissions corresponding to different data files.
Specifically, the first access condition configured for different user identities in the parent virtual container comprises a user identity authentication condition and a permitted use time; the user identity authentication condition is either passing SMS authentication or passing combined password and SMS authentication.
The provider of the data file encrypts the user's identifier with the national cryptographic algorithm SM4, using the identifier of the parent virtual container as the key, and takes the encrypted identifier as the first user identifier, which is also the condition for SMS authentication;
the user's identifier and password are concatenated into a single string, which is encrypted with the national cryptographic algorithm SM4 using the identifier of the parent virtual container as the key; the encrypted string is taken as the second user identifier, which is also the condition for combined password and SMS authentication.
The user identity authentication condition in the first access condition of the virtual container is configured to include the SMS authentication condition or the combined password and SMS authentication condition.
The data file provider can also set the permitted time of the data file as needed by configuring the permitted time of the parent virtual container storing it, specifically by configuring any one or a combination of a permitted use period, a permitted use duration, and permitted start and stop times.
According to the requirements of the data file provider, the usage permission of each data file is determined; that is, the data files are given permission identifiers, each data file being identified independently. The data in an identified data file keeps its original format and content; neither is changed.
The permission identifier applied to a data file identifies the usage permission of the data. The usage permissions corresponding to the permission identifier are: read-only, edit, locate read-only, and locate edit.
Read-only means the user is allowed to read the data file but cannot modify the data in it; if the user modifies the data, then after the data file is closed and reopened the original data is displayed and the modifications are not shown. When the user opens the data file, the open operation is automatically captured by the corresponding child virtual container, and the user's identifier or user name, the open time, and the identifier or name of the data file are recorded. The user's reading time is captured and recorded while the user reads the data. This information is automatically uploaded to the data centralized management center.
Edit means the user is allowed to read the data file and modify the data in it; if the user modifies the data, then after the data file is closed and reopened the modified data is displayed, and the last modifications are shown normally. When the user modifies the data, the modification operation in the data file is automatically captured by the corresponding child virtual container, and the user's identifier or user name, the open time, and the identifier or name of the data file are recorded. When the user modifies data in the data file, the length of the modified content, counted in bytes, is captured and recorded by the corresponding child virtual container. This information is automatically uploaded to the data centralized management center.
Locate read-only means the user is allowed to read the data file and the location of the read operation is determined at the same time: while the open operation is captured, the position information corresponding to it is obtained, and the user's identifier or user name, the open time, the identifier or name of the data file, the position from which the user performed the open operation, and the user's reading time are recorded. This information is automatically uploaded to the data centralized management center.
Locate edit means the user is allowed to read the data file and modify the data in it, and the location of the operation is determined at the same time: while the modification operation in the data file is captured, the position information corresponding to it is obtained, and the user's identifier or user name, the open time, the identifier or name of the data file, the position from which the user performed the edit operation, and the length of the user's modified content, counted in bytes, are recorded. This information is automatically uploaded to the data centralized management center.
Recording the process and location of data use, uploading the records to the data centralized management center, and tracking the state of the data in real time form the fifth security protection layer.
Optionally, after determining, based on the received operation request from the user for the data file, the target data file and the first usage permission corresponding to the user identity of the user, the method includes:
determining the parent virtual container storing the target data file;
obtaining the identifier of the parent virtual container generated by the user according to the virtual container identifier determination rule;
decrypting, based on the identifier of the parent virtual container, the first access condition of the parent virtual container and the permission identifiers of the data files stored in it; the permission identifiers correspond one to one with the user identities.
Specifically, when a user needs to operate on a data file, the corresponding target data file is determined, the parent virtual container storing the data file is obtained, and the provider that created the parent virtual container and the creation time are obtained; the identifier of the parent virtual container is then generated with the same virtual container identifier determination rule.
The first access condition of the parent virtual container and the permission identifiers of the data files in it are then decrypted using the identifier of the parent virtual container.
This makes it possible to verify whether the user satisfies the first access condition of the parent virtual container and the permission identifiers of the data files in it. Each permission identifier corresponds to a different usage permission of the data file, and each user identity likewise corresponds to a usage permission of the data file.
Optionally, determining whether the user satisfies the first access condition of the parent virtual container storing the target data file and the first usage permission satisfies the usage permission of the target data file includes:
obtaining a third user identifier determined by the user based on the SMS authentication condition generation rule, and a fourth user identifier determined by the user based on the combined password and SMS authentication condition generation rule;
if the third user identifier is consistent with the first user identifier stored in the parent virtual container, or the fourth user identifier is consistent with the second user identifier stored in the parent virtual container, determining that the user identity of the user satisfies the first access condition of the parent virtual container;
when the first access condition of the parent virtual container is satisfied, determining whether the usage permission corresponding to the user identity of the user is in a first permission set of the target data file, where the first permission set comprises the usage permissions corresponding to the permission identifiers of all the different user identities on the target data file;
and if the usage permission corresponding to the user identity of the user is in the first permission set, determining that the usage permission corresponding to the permission identifier of the target data file is satisfied.
Specifically, when a user needs to perform an operation on a target data file, the user's identifier is entered into the corresponding parent virtual container and encrypted with the national cryptographic algorithm SM4 using the identifier of the parent virtual container as the key, giving an encrypted user identifier. When the encrypted user identifier is consistent with the first user identifier stored in the parent virtual container, the parent virtual container sends verification information to the user's identifier; the user enters that verification information into the parent virtual container, and once it is verified the scheduling and loading of the parent virtual container can complete.
Alternatively, when the user needs to perform an operation on the target data file, the user's password and identifier are entered into the corresponding parent virtual container and encrypted with SM4 using the identifier of the parent virtual container as the key, giving an encrypted string. When the encrypted string is consistent with the second user identifier stored in the parent virtual container, the parent virtual container sends verification information to the user's identifier; the user enters that verification information into the parent virtual container, and once it is verified the scheduling and loading of the parent virtual container can complete.
The user's identifier may be a mobile phone number, and the corresponding verification information may be an SMS message containing a verification code.
When either of the above conditions is satisfied, the user is determined to satisfy the first access condition of the parent virtual container, and it remains to determine whether the usage permission corresponding to the user identity of the user satisfies the usage permission of the target data file.
The target data file may carry several permission identifiers, representing the usage permissions of different users; the usage permissions corresponding to all of these permission identifiers form the first permission set.
If the usage permission corresponding to the user identity of the user is not in the first permission set, the user does not satisfy the permission identifier of the target data file and cannot perform the corresponding operation on it.
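The creation of a parent virtual container (identifier rule, encrypted access condition and permission identifiers), the SMS and password-plus-SMS authentication conditions, and the first-permission-set check described above, as an added example that is not the patent's own code. SHA-256 stands in for SM3 and a SHA-256-derived XOR keystream stands in for SM4; the phone numbers, passwords, identities, file names and time window are constructed, and the SMS channel is simulated by an in-memory dictionary.

```python
"""Added example (not the patent's own code): creating a parent virtual
container and running the step 101-103 checks.  Labelled stand-ins: SHA-256
replaces SM3 for the container identifier, and an XOR keystream derived
from SHA-256 replaces SM4 for the encryption keyed with that identifier."""
import hashlib
import json
import secrets
from dataclasses import dataclass, field


def container_id(provider: str, created_at: str) -> str:
    """Identifier determination rule: SM3 over provider + creation time
    (SHA-256 stands in).  Provider and user both apply the same rule."""
    return hashlib.sha256(f"{provider}|{created_at}".encode()).hexdigest()


def sm4_stand_in(key: str, data: bytes) -> bytes:
    """XOR with a SHA-256 keystream derived from the key.  Symmetric, so a
    second application restores the plaintext.  This only models the data
    flow: the keystream repeats per key, so it is not a usable cipher."""
    out = bytearray()
    for i in range(0, len(data), 32):
        stream = hashlib.sha256(f"{key}|{i // 32}".encode()).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], stream))
    return bytes(out)


def enc(key: str, text: str) -> str:
    return sm4_stand_in(key, text.encode()).hex()


def dec(key: str, blob: str) -> str:
    return sm4_stand_in(key, bytes.fromhex(blob)).decode()


@dataclass
class ParentContainer:
    cid: str
    window: tuple                                      # permitted use (start, stop)
    first_ids: set = field(default_factory=set)        # SM4(cid, phone): SMS authentication
    second_ids: set = field(default_factory=set)       # SM4(cid, phone|password)
    enc_identity: dict = field(default_factory=dict)   # first id -> enc([identity, right])
    enc_rights: dict = field(default_factory=dict)     # file -> enc({identity: right})
    pending_codes: dict = field(default_factory=dict)  # constructed stand-in SMS channel


def create_parent(provider, created_at, window, users, rights):
    """users: [(phone, password or None, identity, first usage right)];
    rights: {file: {identity: usage right}}, the per-file permission identifiers."""
    cid = container_id(provider, created_at)
    pc = ParentContainer(cid, window)
    for phone, password, identity, right in users:
        first_id = enc(cid, phone)
        pc.first_ids.add(first_id)
        if password is not None:
            pc.second_ids.add(enc(cid, f"{phone}|{password}"))
        pc.enc_identity[first_id] = enc(cid, json.dumps([identity, right]))
    for name, per_identity in rights.items():
        pc.enc_rights[name] = enc(cid, json.dumps(per_identity))
    return pc


def request_code(pc, phone):
    """The container 'sends' verification information to the user identifier."""
    code = f"{secrets.randbelow(10 ** 6):06d}"
    pc.pending_codes[phone] = code
    return code


def open_files(pc, provider, created_at, phone, password, code, now, targets):
    """Return {target file: usage right bound to its child container} for the
    targets the user may open; an empty dict means the request is refused."""
    cid = container_id(provider, created_at)       # user recomputes the identifier
    if cid != pc.cid:
        return {}
    third_id = enc(cid, phone)                     # third user identifier
    by_sms = third_id in pc.first_ids
    by_pwd = password is not None and enc(cid, f"{phone}|{password}") in pc.second_ids
    if not (by_sms or by_pwd):
        return {}
    if pc.pending_codes.pop(phone, None) != code:  # one-shot SMS verification code
        return {}
    if not (pc.window[0] <= now <= pc.window[1]):  # permitted use time
        return {}
    identity, first_right = json.loads(dec(cid, pc.enc_identity[third_id]))
    granted = {}
    for name in targets:
        if name not in pc.enc_rights:
            continue
        per_identity = json.loads(dec(cid, pc.enc_rights[name]))
        first_set = set(per_identity.values())     # rights of all identities on the file
        if first_right in first_set:
            granted[name] = first_right            # bound to the file's child container
    return granted
```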
Optionally, creating, in the parent virtual container, a corresponding child virtual container for each target data file so as to provide security protection for the target data file includes:
creating a corresponding child virtual container for each target data file in the parent virtual container in which it is stored;
obtaining the usage permission corresponding to the permission identifier of the target data file and binding that usage permission to the corresponding child virtual container;
and monitoring operation requests for the target data file based on the usage permission bound to the child virtual container.
Specifically, when the user satisfies the first access condition of the parent virtual container and the permission identifier of the data file in it, a corresponding child virtual container is created for each target data file.
The child virtual container is created automatically by the parent virtual container once the parent virtual container has been scheduled and loaded and the user begins to use (operate on) the data file.
The child virtual container is a child virtual isolated secure space dynamically loaded in the parent virtual container. It is a virtual memory space that the parent virtual container automatically allocates dynamically from the operating system; its size is based on the size of the data file and is allocated dynamically as the data in the file needs to be displayed, so that the child virtual container occupies the minimum amount of memory.
The child virtual isolated secure space is isolated from the other memory spaces of the parent virtual isolated secure space. Different data files run in independent child virtual containers, which are isolated from each other and do not allow the data of the data files to circulate between them. Different data being used in different child virtual containers forms the sixth security barrier. Each child virtual container runs with the resources that the parent virtual container dynamically allocates on demand according to the size of the data, which forms the fifth lightweight characteristic.
Different data files have different usage permissions, each controlled independently by its child virtual container. The different data files may be different files of the same file type or files of different file types; in either case their usage permissions are isolated and controlled separately by the child virtual containers.
Through self-driven, dynamic creation, scheduling, loading, allocation and operation, the parent and child virtual containers ensure lightness in the following respects: first, lightness in physical storage; second, little interaction with other components; and third, resource use controlled to the minimum requirement, including memory allocated on demand according to the data size and a system CPU (central processing unit) occupancy kept within 1 percent.
Optionally, the method further comprises:
when the usage permission is locate read-only or locate edit, determining whether the system in which the parent virtual container is located is normally connected to the network;
and if the system in which the parent virtual container is located is normally connected to the network, obtaining the user's positioning information, recording it through the parent virtual container, and recording the corresponding read-only or edit operation through the child virtual container corresponding to the target data file.
Specifically, when the permission of the target data file is locate read-only or locate edit, it is necessary to determine whether the system in which the parent virtual container storing the target data file is located is normally connected to the network.
If the parent virtual container can connect to the network normally, the user can perform the corresponding operation on the target data file (the operation must of course satisfy the permission identifier of the target data file), and the positioning information at the time the user operates on the target data file is obtained and recorded through the parent virtual container. If the parent virtual container cannot connect to the network normally, the user cannot perform the operation on the target data file.
Optionally, the method further comprises:
if the provider stores the identifier of the second parent virtual container in the first parent virtual container, the provider executes the operation request of the first target data file when meeting the first access condition corresponding to the first parent virtual container and the second parent virtual container, and the usage right of the first target data file in the first parent virtual container and the usage right of the second target data file in the second parent virtual container, so as to realize unidirectional circulation of data from the first target data file to the second target data file.
In particular, the provider of the data file may specify a shared parent virtual container (i.e., a second parent virtual container) for the current parent virtual container (i.e., a first parent virtual container). I.e., the identity of the second parent virtual container is saved to the first parent virtual container. When the data file in the first father virtual container is operated by a user and circulated to the second father virtual container, the first father virtual container automatically checks whether the identification of the second father virtual container is consistent with the identification of the shared father virtual container stored by the first father virtual container. If so, the data of the first parent virtual container successfully enters the second parent virtual container. When the data stream of the first parent virtual container is transmitted to the second parent virtual container, the data stream comprises the data file and the encrypted authority identifier bound by the data file. The usage rights of the data in the second parent virtual container are controlled by the bound usage rights. Specifically, the data of the second parent virtual container may not be circulated to the first parent virtual container unless the user sets the first parent virtual container as the shared parent virtual container of the second parent virtual container. Through the mode, single-phase circulation of data in the data file can be realized, and meanwhile, the data file can be further expanded only by executing operation in the corresponding parent virtual container.
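The child virtual container that binds one usage permission and monitors operation requests (the read-only, edit, locate read-only and locate edit behaviours, including the network requirement for the locate permissions) and the one-way circulation check between a parent virtual container and its shared parent, as an added example that is not the patent's own code. The log record layout, the position string and the file contents are constructed; the encrypted permission identifier that travels with the file is represented by an opaque string.

```python
"""Added example (not the patent's own code): a child virtual container bound
to one usage right that monitors operation requests and builds the use log,
plus the one-way circulation check between a parent virtual container and its
shared parent.  Record fields and the position string are constructed."""
from dataclasses import dataclass, field

READ_ONLY, EDIT = "read-only", "edit"
LOCATE_READ_ONLY, LOCATE_EDIT = "locate-read-only", "locate-edit"


@dataclass
class ChildContainer:
    file_name: str
    user: str
    right: str                          # usage right bound at creation
    content: bytes                      # the data file, original format kept
    network_up: bool = True             # needed to obtain positioning information
    position: str = "unknown"           # constructed positioning information
    log: list = field(default_factory=list)   # records for the management center

    def _locating(self) -> bool:
        return self.right in (LOCATE_READ_ONLY, LOCATE_EDIT)

    def _record(self, op, now, **extra):
        rec = {"op": op, "user": self.user, "file": self.file_name, "time": now}
        if self._locating():
            rec["position"] = self.position
        rec.update(extra)
        self.log.append(rec)

    def open(self, now):
        """Every right allows reading; locate-* rights refuse without a network."""
        if self._locating() and not self.network_up:
            return None
        self._record("open", now)
        return self.content

    def modify(self, now, new_content: bytes) -> bool:
        """Under read-only rights the change is discarded and the original data
        is kept; under edit rights it is applied and its byte length logged."""
        if self.right not in (EDIT, LOCATE_EDIT):
            return False
        if self._locating() and not self.network_up:
            return False
        self._record("modify", now, length=len(new_content))
        self.content = new_content
        return True


@dataclass
class ParentContainer:
    cid: str
    shared_parent: str = ""             # identifier of the shared parent, if any
    files: dict = field(default_factory=dict)  # name -> (data, encrypted rights id)


def circulate(src: ParentContainer, dst: ParentContainer, name: str) -> bool:
    """Data may leave src only towards the shared parent recorded in src, and it
    travels together with its bound (encrypted) permission identifier."""
    if dst.cid != src.shared_parent or name not in src.files:
        return False
    dst.files[name] = src.files[name]
    return True
```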
The method for lightweight data security protection based on the virtual container provided by the embodiment of the application combines identity authentication and authority control through the double-layer nested virtual container, carries out six layers of isolation security protection on data, and has high security; meanwhile, through the dynamic size adjustment of the multilayer virtual container, the occupation of data storage space is controlled, the occupation of resources in the data use process is reduced, the dependence on other components is reduced, and five lightweight characteristics are formed. When the user uses the data, no excessive system resource support is needed, so the cost of using the data is reduced. Identity authentication and authority control are carried out on data use, the detailed state of the data is obtained in real time, the data is safely protected, free flow and use of the data are achieved at minimum cost, and lightweight control over data operation is achieved.
Fig. 2 is a schematic structural diagram of a system for lightweight data security protection based on a virtual container according to an embodiment of the present application, and as shown in fig. 2, the system includes:
the system comprises a data centralized management center, a virtual container management center and a data processing center;
wherein, the data centralized management center comprises: the data log collection unit, the data retrieval unit and the data visualization unit;
the data log collection unit is used for collecting a use log of data;
the data retrieval unit is used for retrieving the details of the usage process and the location of the data;
the data visualization unit is used for displaying the geographical distribution of each data file, using the file name of the data as its identifier;
the virtual container management center includes: a parent virtual container management unit and a child virtual container management unit;
the parent virtual container management unit is used for creating, scheduling, loading and identity authentication of a parent virtual container and for security isolation protection of the parent virtual container;
and the child virtual container management unit is used for creating and operating a child virtual container and performing security isolation protection on data.
The data processing center includes: a data file authority management unit, a data log recording unit and a data use positioning unit;
the data file authority management unit is used for recording the authority of the data file;
the data log recording unit is used for recording process logs of data file operations and uploading them to the data centralized management center;
and the data use positioning unit is used for locating the position where the data file is operated and uploading the position to the data centralized management center.
The data centralized management center is installed at a server side of an enterprise or deployed in a public cloud, and the virtual container management center and the data processing center are installed in a computer. The specific implementation method comprises the following steps:
first, a parent virtual container is constructed.
Fig. 3 is a schematic diagram of a parent virtual container creation process provided in an embodiment of the present application, and as shown in fig. 3, the process includes:
step 301, creating a parent virtual container through the virtual container system.
And step 302, generating a unique identifier of the parent virtual container. Based on the provider of the requirement for creating the parent virtual container and the creation time, the domestic cryptographic algorithm SM3 is used for encryption to determine the identifier of the parent virtual container, and the identifier of each parent virtual container is unique.
Step 303, setting a first access condition through the virtual container system. The first access condition includes a user authentication condition, a time allowed to use the parent virtual container. The first access condition is used for controlling scheduling and loading of the parent virtual container.
The user identity authentication condition comprises short message identity authentication or identity authentication combining a password and a short message.
According to specific requirements, a mobile phone number can be set, and the identity authentication can be realized through a short message, or the identity authentication can be realized by combining a password and a short message. And the condition of user identity authentication is bound with the parent virtual container and stored in the parent virtual container.
The time allowed to use the parent virtual container includes time control over use of the parent virtual container: restricting the parent virtual container to be used only on weekdays, or limiting the validity period of use to N days, or a recurring time period.
The first access condition is bound with the parent virtual container and cannot be separated, namely, one parent virtual container corresponds to one set of first access conditions.
And step 304, setting the authority identifier of the data file through the virtual container system, wherein the authority identifier comprises read-only, editing, positioning read-only and positioning editing. Read-only means that the user is allowed to read the data file but cannot modify the data therein; editing means that the user is allowed to read the data file and to modify the data therein; positioning read-only means that the user is allowed to read the data file while the position of the read operation is located; positioning editing means that the user is allowed to read the data file and modify the data therein while the position of the operation is located;
step 305, storing the data file and the authority identification of the data file into the corresponding parent virtual container.
Second, the child virtual container is run.
Fig. 4 is a schematic diagram of a flow for running a child virtual container according to an embodiment of the present application, and as shown in fig. 4, when a user operates a data file, the child virtual container is dynamically scheduled by a virtual container system. The method comprises the following steps:
step 401, the user requests to use the data in the data file.
Step 402, through the virtual container management center, the user submits a first access condition. And according to the determined first access condition in the construction process of the parent virtual container, the virtual container system executes the verification of the first access condition.
And step 403, after the first access condition is checked, scheduling and loading the parent virtual container.
And step 404, the virtual container system allocates a child virtual container as an isolated secure space according to the size of the data.
And step 405, the virtual container system schedules and runs the child virtual container.
Step 406, the virtual container system loads the data in the data file into the child virtual container.
Third, the user uses the data.
Fig. 5 is a schematic flowchart of a process of operating a data file by a user according to an embodiment of the present application, and as shown in fig. 5, a specific processing flow when the user starts to operate the data file is as follows:
step 501, a user initiates an operation request for a data file.
Step 502, the data processing center confirms the authority of the request: the user requests to open the data, and if the data file allows the user to open it, the confirmation succeeds and step 504 is executed; otherwise, step 503 is executed.
Step 503, the operation request for the data file initiated by the user is inconsistent with the authority identifier, so the data file is not allowed to be opened, and the operation log is uploaded.
And step 504, the operation request of the user for the data file is consistent with the authority identifier, and the data is displayed.
And step 505, the data processing center captures the operation of opening the data file to form a data use log.
Step 506, the user closes the data file.
Step 507, the data processing center captures closing operation to form a data use log;
and step 508, uploading the log to a data centralized management center.
Fourth, data is located.
Fig. 6 is a schematic flowchart of a process of operating a data file with a location permission according to an embodiment of the present application, and as shown in fig. 6, a data file operated by a user has a location permission identifier, and the process includes:
step 601, the user operates the data, the operation mode comprises operations such as opening and modification, and positioning is started in the authority identification of the data.
Step 602, the data processing center verifies whether the system hosting the current parent virtual container can connect to the network. If the connection succeeds, step 604 is executed; otherwise step 603 is executed.
Step 603, the network connection fails, and the process exits.
Step 604, the network connection succeeds, and an attempt is made to obtain positioning information.
Step 605, if the positioning information is obtained successfully, step 606 is executed; otherwise step 603 is executed.
And step 606, the data processing center uploads the acquired positioning information to the data centralized management center.
And step 607, the user operates the data file according to the condition of the authority identifier.
Step 608, the user completes the operation of the data file and closes the data file.
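The four procedures above (parent container construction, child container scheduling, user operation with logging, and positioning) as one Python model; this is an added example, not code from the patent or its applicant. Its assumptions: the function names are its own; SM3 is used for the container identifier only when the local OpenSSL exposes it to `hashlib`, with SHA-256 as the fallback; HMAC-SHA256 keyed by the container identifier stands in for the SM4 step that produces the user identifiers; each data file carries a single authority identifier (the claims additionally allow a per-identity permission set); timestamps are ISO-8601 strings; and a `locator` callback stands in for the network and positioning lookup of steps 602 to 605.

```python
import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Callable, Dict, List, Optional, Set

# The patent specifies SM3 (container identifier) and SM4 (user identifiers). hashlib
# exposes SM3 only when OpenSSL provides it, so this model falls back to SHA-256 and
# stands in for the SM4 step with HMAC-SHA256 keyed by the container identifier.
def _digest(data: bytes) -> str:
    try:
        return hashlib.new("sm3", data).hexdigest()
    except ValueError:
        return hashlib.sha256(data).hexdigest()

def _keyed(key: str, *parts: str) -> str:
    return hmac.new(key.encode(), "|".join(parts).encode(), hashlib.sha256).hexdigest()

class Permission(Enum):
    READ_ONLY = "read-only"
    EDIT = "edit"
    LOCATE_READ_ONLY = "positioning-read-only"
    LOCATE_EDIT = "positioning-edit"

    def allows_edit(self) -> bool:
        return self in (Permission.EDIT, Permission.LOCATE_EDIT)

    def requires_location(self) -> bool:
        return self in (Permission.LOCATE_READ_ONLY, Permission.LOCATE_EDIT)

def container_identifier(provider: str, created_at: str) -> str:
    """Step 302: identifier derived from the creating provider and the creation time."""
    return _digest(f"{provider}|{created_at}".encode())

def sms_identifier(container_id: str, phone: str) -> str:
    """Short-message condition: container identifier combined with the user identifier."""
    return _keyed(container_id, phone)

def password_sms_identifier(container_id: str, phone: str, password: str) -> str:
    """Password plus short-message condition: container identifier, user identifier, password."""
    return _keyed(container_id, phone, password)

@dataclass
class FirstAccessCondition:
    auth_identifiers: Set[str]              # identifiers accepted for this parent container
    weekdays_only: bool = False             # usable on working days only
    valid_until: Optional[datetime] = None  # end of an N-day validity period

@dataclass
class ParentContainer:
    ident: str
    condition: FirstAccessCondition         # bound to the container, one set per container
    files: Dict[str, Permission]            # file name -> authority identifier (steps 304-305)

@dataclass
class ChildContainer:
    parent_id: str
    filename: str
    permission: Permission                  # bound at creation, checked on every request
    log: List[dict] = field(default_factory=list)

def create_parent_container(provider, created_at, phone, password=None, *,
                            weekdays_only=False, valid_days=None, files=None):
    """Steps 301-305: parent container with its bound access condition and file permissions."""
    ident = container_identifier(provider, created_at)
    accepted = {sms_identifier(ident, phone)}
    if password is not None:
        accepted.add(password_sms_identifier(ident, phone, password))
    expiry = datetime.fromisoformat(created_at) + timedelta(days=valid_days) if valid_days else None
    return ParentContainer(ident, FirstAccessCondition(accepted, weekdays_only, expiry), dict(files or {}))

def check_first_access(container: ParentContainer, presented_id: str, now: str) -> bool:
    """Step 402: identity and time-window check before the parent container is loaded."""
    cond, moment = container.condition, datetime.fromisoformat(now)
    if presented_id not in cond.auth_identifiers:
        return False                                    # identity authentication condition
    if cond.weekdays_only and moment.weekday() >= 5:
        return False                                    # working days only
    return cond.valid_until is None or moment <= cond.valid_until   # validity period

def run_child_container(container: ParentContainer, filename: str,
                        presented_id: str, now: str) -> Optional[ChildContainer]:
    """Steps 403-406: load the parent, then isolate the file in a child bound to its permission."""
    if not check_first_access(container, presented_id, now) or filename not in container.files:
        return None
    return ChildContainer(container.ident, filename, container.files[filename])

def request_operation(child: ChildContainer, op: str,
                      locator: Optional[Callable[[], Optional[str]]] = None) -> bool:
    """Steps 502-505 and 601-606: permission check, positioning where required, use log entry."""
    allowed = op != "modify" or child.permission.allows_edit()
    location = None
    if allowed and child.permission.requires_location():
        location = locator() if locator else None   # stands in for the network/position lookup
        allowed = location is not None              # step 603: no connection or position, exit
    child.log.append({"file": child.filename, "op": op, "allowed": allowed, "location": location})
    return allowed
```

Each entry appended to `child.log` is what steps 505, 507 and 508 would upload to the data centralized management center.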
Fig. 7 is a second schematic structural diagram of a system for lightweight data security protection based on a virtual container according to an embodiment of the present application; as shown in fig. 7, the system includes:
a creating unit 701, configured to create a parent virtual container for storing a data file based on a security operation protection request for the data file from a provider; the parent virtual container stores one or more data files and is configured with first access conditions of different user identities; the data file is provided with an authority identifier;
a determining unit 702, configured to determine, based on a received operation request for the data file by a user, a target data file and a first usage right corresponding to a user identity of the user;
an accessing unit 703, configured to create, if the user satisfies a first access condition of a parent virtual container storing the target data file and the first usage right satisfies the usage right of the target data file, a corresponding child virtual container for each target data file in the parent virtual container, so as to provide security protection for the target data file;
wherein the target data file is any one or more of all the data files included in the security operation protection request.
Optionally, the creating unit 701, in a process of creating a parent virtual container for storing a data file based on a security operation protection request of a provider for the data file, is specifically configured to:
creating a parent virtual container for storing the data file according to the size of a fixed unit space, wherein the size of the fixed unit space is dynamically expanded according to the size of the data file;
configuring first access conditions of different user identities to the parent virtual container and authority identifications of all the data files included in the security operation protection request;
encrypting the first access condition and the authority identification of each data file by taking the identification of the parent virtual container as a key;
wherein the identity of the parent virtual container is determined based on a virtual container identity determination rule, and the virtual container identity determination rule is stored in the parent virtual container; the virtual container identification determination rule includes: encrypting the provider carried by the parent virtual container and required for creating the parent virtual container, together with the creation time, by adopting the domestic cryptographic algorithm SM3.
Optionally, the creating unit 701, in a process of configuring a first access condition of different user identities to the parent virtual container and authority identifiers of all the data files included in the security operation protection request, is specifically configured to:
configuring a user identity authentication condition in the first access condition of the parent virtual container based on the first user identifier or the second user identifier; the first user identification is determined by the provider based on a short message authentication condition generation rule; the second user identification is determined by the provider based on the authentication condition generation rule combining the password and the short message;
configuring a time allowed to be used in a first access condition of the parent virtual container based on a security operation protection request of a provider for a data file;
configuring an authority identifier of each data file stored in the parent virtual container based on a security operation protection request of a provider for the data file;
the short message authentication condition generation rule is that the identifier of the parent virtual container and the identifier of a user are combined and encrypted by adopting the domestic cryptographic algorithm SM4; the password and short message combined authentication condition generation rule is that the identifier of the parent virtual container, the identifier of the user and the password of the user are combined and encrypted by adopting the domestic cryptographic algorithm SM4; the authority identification is used for indicating the different use authorities corresponding to different data files.
Optionally, the usage right corresponding to the right identifier includes read only, edit, positioning read only, and positioning edit; the positioning read-only instruction performs read-only operation on the data file and simultaneously performs positioning; and the positioning editing instruction performs positioning simultaneously when the editing operation is performed on the data file.
Optionally, the determining unit 702, after determining the target data file and the first usage right corresponding to the user identity of the user based on the received operation request for the data file by the user, is further configured to:
determining the parent virtual container storing the target data file;
acquiring the identifier of the parent virtual container generated by the user according to the virtual container identifier determination rule;
decrypting the first access condition of the parent virtual container and the authority identification of the data file stored therein based on the identification of the parent virtual container; and the authority identification corresponds to the user identity one to one.
Optionally, the accessing unit 703 is specifically configured to, in the process of determining that the user satisfies the first access condition of the parent virtual container storing the target data file and that the first usage right satisfies the usage right of the target data file:
acquiring a third user identifier determined by the user based on the short message authentication condition generation rule and a fourth user identifier determined by the user based on the password and short message combined authentication condition generation rule;
if the third user identifier is consistent with the first user identifier stored in the parent virtual container, or the fourth user identifier is consistent with the second user identifier stored in the parent virtual container, determining that the user identity of the user meets the first access condition of the parent virtual container;
under the condition that a first access condition of the parent virtual container is met, determining whether the use permission corresponding to the user identity of the user is in a first permission set of the target data file, wherein the first permission set comprises the use permission corresponding to the permission identification of all different user identities on the target data file;
and if the use permission corresponding to the user identity of the user is in the first permission set, determining that the use permission corresponding to the permission identification of the target data file is satisfied.
Optionally, the accessing unit 703 creates a corresponding child virtual container for each target data file in the parent virtual container, and is specifically configured to:
creating a corresponding child virtual container for each of the target data files in the parent virtual container in which it is stored;
acquiring the use permission corresponding to the permission identifier of the target data file, and binding the use permission with the corresponding child virtual container;
and monitoring the operation request of the target data file based on the use permission bound by the child virtual container.
Optionally, the system further comprises a positioning module 704 for:
under the condition that the use authority is positioning read-only or positioning editing, determining whether the system where the parent virtual container is located is normally connected to a network;
and if the system where the parent virtual container is located is normally connected with the network, acquiring the positioning information of the user, recording the positioning information through the parent virtual container, and recording the corresponding read-only operation or editing operation through the child virtual container corresponding to the target data file.
Optionally, the accessing unit 703 is further configured to:
if the provider stores the identifier of the second parent virtual container in the first parent virtual container, the provider executes the operation request of the first target data file when meeting the first access condition corresponding to the first parent virtual container and the second parent virtual container, and the usage right of the first target data file in the first parent virtual container and the usage right of the second target data file in the second parent virtual container, so as to realize unidirectional circulation of data from the first target data file to the second target data file.
It should be noted that, in the system for lightweight data security protection based on a virtual container provided in the embodiment of the present application, all the method steps implemented by the method embodiment can be implemented, and the same technical effect can be achieved.
The above-described system embodiments are merely illustrative, and the units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Finally, it should be noted that: the above embodiments are only used to illustrate the technical solutions of the present application, and not to limit the same; although the present application has been described in detail with reference to the foregoing embodiments, it should be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions in the embodiments of the present application.

Claims (10)

1. A method for lightweight data security protection based on virtual containers, comprising:
creating a parent virtual container for storing a data file based on a security operation protection request of a provider for the data file; the parent virtual container stores one or more data files and is configured with first access conditions of different user identities; the data file is provided with an authority identifier;
determining a target data file and a first use permission corresponding to the user identity of a user based on a received operation request of the user for the data file;
if the user meets the first access condition of a parent virtual container for storing the target data file and the first usage right meets the usage right of the target data file, creating a corresponding child virtual container for each target data file in the parent virtual container, and providing security protection for the target data file;
wherein the target data file is any one or more of all the data files included in the security operation protection request.
2. The method for lightweight data security protection based on virtual containers as claimed in claim 1, wherein said creating a parent virtual container for storing a data file based on a security operation protection request of a provider for the data file comprises:
creating a parent virtual container for storing the data file according to the size of a fixed unit space, wherein the size of the fixed unit space is dynamically expanded according to the size of the data file;
configuring first access conditions of different user identities to the parent virtual container and authority identifications of all the data files included in the security operation protection request;
encrypting the first access condition and the authority identification of each data file by taking the identification of a parent virtual container as a key;
wherein the identity of the parent virtual container is determined based on a virtual container identity determination rule, and the virtual container identity determination rule is stored in the parent virtual container; the virtual container identification determination rule includes: encrypting the provider carried by the parent virtual container and required for creating the parent virtual container, together with the creation time, by adopting the domestic cryptographic algorithm SM3.
3. The method for lightweight data security protection based on virtual container as claimed in claim 2, wherein said configuring the first access condition of different user identities to the parent virtual container and the authority identification of all the data files included in the security operation protection request comprises:
configuring a user identity authentication condition in the first access condition of the parent virtual container based on the first user identifier or the second user identifier; the first user identification is determined by the provider based on a short message authentication condition generation rule; the second user identification is determined by the provider based on the authentication condition generation rule combining the password and the short message;
configuring a time allowed to be used in a first access condition of the parent virtual container based on a security operation protection request of a provider for a data file;
configuring an authority identifier of each data file stored in the parent virtual container based on a security operation protection request of a provider for the data file;
the short message authentication condition generation rule is that the identifier of the parent virtual container and the identifier of a user are combined and encrypted by adopting the domestic cryptographic algorithm SM4; the password and short message combined authentication condition generation rule is that the identifier of the parent virtual container, the identifier of the user and the password of the user are combined and encrypted by adopting the domestic cryptographic algorithm SM4; the authority identification is used for indicating the different use authorities corresponding to different data files.
4. The method for lightweight data security protection based on virtual containers as claimed in claim 3, wherein the rights identification corresponds to usage rights including read only, editing, positioning read only and positioning editing; the positioning read-only instruction performs read-only operation on the data file and simultaneously performs positioning; and the positioning editing instruction performs positioning simultaneously when the editing operation is performed on the data file.
5. The method for lightweight data security protection based on virtual container as claimed in claim 4, wherein said determining a target data file and a first usage right corresponding to a user identity of a user based on a received operation request of the user to the data file, thereafter comprises:
determining the parent virtual container storing the target data file;
acquiring the identifier of the parent virtual container generated by the user according to the virtual container identifier determining rule;
decrypting the first access condition of the parent virtual container and the authority identification of the data file stored therein based on the identification of the parent virtual container; and the authority identification corresponds to the user identity one to one.
6. The method for lightweight data security protection based on virtual containers according to claim 5, wherein if the user satisfies the first access condition of the parent virtual container storing the target data file and the first usage right satisfies the usage right of the target data file, the method comprises:
acquiring a third user identifier determined by the user based on the short message authentication condition generation rule and a fourth user identifier determined by the user based on the password and short message combined authentication condition generation rule;
if the third user identifier is consistent with the first user identifier stored in the parent virtual container, or the fourth user identifier is consistent with the second user identifier stored in the parent virtual container, determining that the user identity of the user meets the first access condition of the parent virtual container;
under the condition that a first access condition of the parent virtual container is met, determining whether the use permission corresponding to the user identity of the user is in a first permission set of the target data file, wherein the first permission set comprises the use permission corresponding to the permission identification of all different user identities on the target data file;
and if the use permission corresponding to the user identity of the user is in the first permission set, determining that the use permission corresponding to the permission identification of the target data file is satisfied.
7. The method of claim 6, wherein said creating a corresponding child virtual container for each said target data file within said parent virtual container for providing security protection for said target data file comprises:
creating a corresponding child virtual container for each of the target data files in the parent virtual container in which it is stored;
acquiring the use permission corresponding to the permission identifier of the target data file, and binding the use permission with the corresponding child virtual container;
and monitoring the operation request of the target data file based on the use permission bound by the child virtual container.
8. The method for lightweight data security protection based on virtual containers according to claim 7, further comprising:
determining whether the system where the parent virtual container is located is normally connected to the network under the condition that the use permission is positioning read-only or positioning editing;
and if the system where the parent virtual container is located is normally connected with the network, acquiring the positioning information of the user, recording the positioning information through the parent virtual container, and recording the corresponding read-only operation or editing operation through the child virtual container corresponding to the target data file.
9. The method for lightweight virtual container-based data security protection as claimed in claim 1, further comprising:
if the provider stores the identifier of the second parent virtual container in the first parent virtual container, the provider executes the operation request of the first target data file when meeting the first access condition corresponding to the first parent virtual container and the second parent virtual container, and the usage right of the first target data file in the first parent virtual container and the usage right of the second target data file in the second parent virtual container, so as to realize unidirectional circulation of data from the first target data file to the second target data file.
10. A system for lightweight data security protection based on virtual containers, the system comprising:
the device comprises a creating unit, a storage unit and a processing unit, wherein the creating unit is used for creating a father virtual container for storing a data file based on a security operation protection request of a provider for the data file; the parent virtual container stores one or more data files and is configured with first access conditions of different user identities; the data file is provided with an authority identifier;
the determining unit is used for determining a target data file and a first use right corresponding to the user identity of a user based on a received operation request of the user on the data file;
an access unit, configured to create a corresponding child virtual container for each target data file in the parent virtual container if the user satisfies a first access condition of a parent virtual container storing the target data file and the first usage right satisfies the usage right of the target data file, so as to provide security protection for the target data file;
wherein the target data file is any one or more of all the data files included in the security operation protection request.
CN202210547194.1A 2022-05-20 2022-05-20 Method and system for lightweight data security protection based on virtual container Active CN114780949B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210547194.1A CN114780949B (en) 2022-05-20 2022-05-20 Method and system for lightweight data security protection based on virtual container

Publications (2)

Publication Number Publication Date
CN114780949A CN114780949A (en) 2022-07-22
CN114780949B true CN114780949B (en) 2022-09-16

Family

ID=82409245

Country Status (1)

Country Link
CN (1) CN114780949B (en)

Also Published As

Publication number Publication date
CN114780949A (en) 2022-07-22

Similar Documents

Publication Publication Date Title
CN109190410B (en) Log behavior auditing method based on block chain in cloud storage environment
CN110414268B (en) Access control method, device, equipment and storage medium
CN110278462B (en) Block chain-based mobile showing authorization management method
US20120311575A1 (en) System and method for enforcing policies for virtual machines
CN110324358B (en) Video data management and control authentication method, module, equipment and platform
CN110661831B (en) Big data test field security initialization method based on trusted third party
KR20190077765A (en) Method of storing data using block-chain and Cloud System using thereof
CN102170440A (en) Method suitable for safely migrating data between storage clouds
CN105516110A (en) Mobile equipment secure data transmission method
CN105450750A (en) Secure interaction method for intelligent terminal
CN105528553A (en) A method and a device for secure sharing of data and a terminal
US8776057B2 (en) System and method for providing evidence of the physical presence of virtual machines
US20120233712A1 (en) Method and Device for Accessing Control Data According to Provided Permission Information
US9092612B2 (en) Method and system for secure access to data files copied onto a second storage device from a first storage device
CN101739361A (en) Access control method, access control device and terminal device
CN111651770A (en) Security simulation computing system and storage medium based on cloud computing
CN111738702A (en) Data stream transfer method and device, computer equipment and storage medium
CN110213290A (en) Data capture method, API gateway and storage medium
WO2020063002A1 (en) Data management method and apparatus, and server
CN114780949B (en) Method and system for lightweight data security protection based on virtual container
CN104023014A (en) Method and system of controlling data access permission
US8321915B1 (en) Control of access to mass storage system
CN113407626A (en) Planning control method based on block chain, storage medium and terminal equipment
US8296826B1 (en) Secure transfer of files
KR20140088962A (en) System and method for storing data in a cloud environment

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant