CN114817990A - Sensitive data management method and device, electronic equipment and storage medium - Google Patents


Info

Publication number
CN114817990A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210482152.4A
Other languages
Chinese (zh)
Inventor
钟丹东
刘怡彤
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Jiangsu Baowangda Software Technology Co ltd
Original Assignee
Jiangsu Baowangda Software Technology Co ltd
Events
Application filed by Jiangsu Baowangda Software Technology Co ltd
Priority to CN202210482152.4A
Publication of CN114817990A
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database, where protection concerns the structure of data, e.g. records, types, queries
    • G06F18/00 Pattern recognition
    • G06F18/20 Analysing
    • G06F18/24 Classification techniques
    • G06F18/241 Classification techniques relating to the classification model, e.g. parametric or non-parametric approaches
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The embodiment of the disclosure discloses a method and a device for managing sensitive data, electronic equipment and a storage medium. The method comprises the following steps: when a data access instruction is received, analyzing the data access instruction, and determining a target analysis statement; determining a target access database corresponding to the data access instruction, and calling configured sensitive data corresponding to the target access database; and when the target analysis statement passes verification based on the configured sensitive data, calling target access data corresponding to the data access instruction and feeding back. Based on the technical scheme, accurate identification of the sensitive data is achieved, the sensitive data is controlled based on the identification result, information safety is guaranteed, and the effect of improving operation experience of a user is achieved.

Description

Sensitive data management method and device, electronic equipment and storage medium
Technical Field
The present disclosure relates to network security technologies, and in particular, to a method and an apparatus for managing sensitive data, an electronic device, and a storage medium.
Background
With the rapid development of internet technology and mobile communication technology, users can access relevant information stored in a database through a computer device. However, since the access behavior of the user is often accompanied by the sending of information, it is easy to cause the relevant sensitive data to be leaked, and therefore, the sensitive data needs to be managed and controlled.
However, the existing methods for managing and controlling sensitive data are too coarse: they do not classify sensitive data in detail, so the identification of sensitive data is not accurate enough, the normal operations of users are affected, and the user's operation experience is reduced.
Brief Summary of the Present Disclosure
The embodiment of the disclosure provides a management method and device for sensitive data, an electronic device and a storage medium, so as to realize accurate identification of the sensitive data, further manage and control the sensitive data, ensure the information safety and improve the operation experience of a user.
In a first aspect, an embodiment of the present disclosure provides a method for managing sensitive data, where the method includes:
when a data access instruction is received, analyzing the data access instruction, and determining a target analysis statement;
determining a target access database corresponding to the data access instruction, and calling configured sensitive data corresponding to the target access database;
and when the target analysis statement passes verification based on the configured sensitive data, calling target access data corresponding to the data access instruction and feeding back.
In a second aspect, an embodiment of the present disclosure further provides an apparatus for managing sensitive data, where the apparatus includes:
the analysis module is used for analyzing and processing the data access instruction when the data access instruction is received, and determining a target analysis statement;
the data calling module is used for determining a target access database corresponding to the data access instruction and calling configured sensitive data corresponding to the target access database;
and the verification module is used for calling target access data corresponding to the data access instruction and feeding back the target access data when the target analysis statement passes verification based on the configured sensitive data.
In a third aspect, an embodiment of the present disclosure further provides an electronic device, where the electronic device includes:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement the method for managing sensitive data according to any embodiment of the present disclosure.
In a fourth aspect, the disclosed embodiments also provide a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the management method for sensitive data according to any one of the disclosed embodiments.
According to the technical scheme, when a data access instruction is received, it is analyzed and a corresponding target analysis statement is determined; the target access database corresponding to the data access instruction is determined and the configured sensitive data corresponding to that database is retrieved; the target analysis statement is then verified against the configured sensitive data, and when it passes verification the target access data corresponding to the data access instruction is retrieved and fed back. This achieves accurate identification of sensitive data, allows sensitive data to be managed and controlled based on the identification result, ensures information security, and improves the user's operation experience.
Drawings
In order to more clearly illustrate the technical solutions of the exemplary embodiments of the present disclosure, a brief description is given below of the drawings used in describing the embodiments. It should be understood that the drawings described are only for a portion of the embodiments described in this disclosure and not all of them, and that those skilled in the art will be able to derive other drawings from them without any inventive effort.
Fig. 1 is a flowchart of a method for managing sensitive data according to an embodiment of the present disclosure;
FIG. 2 is a flowchart of a method for managing sensitive data according to an embodiment of the disclosure;
fig. 3 is a block diagram illustrating a structure of a device for managing sensitive data according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure.
Detailed Description
The present disclosure is described in further detail below with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the disclosure and are not limiting of the disclosure. It should be further noted that, for the convenience of description, only some of the structures relevant to the present disclosure are shown in the drawings, not all of them.
Example one
Fig. 1 is a flowchart of a method for managing sensitive data according to an embodiment of the present disclosure. The present embodiment is applicable to the case of managing sensitive data, and the method may be executed by the device for managing sensitive data according to an embodiment of the present disclosure. The device may be implemented in software and/or hardware, optionally by an electronic device, which may be a mobile terminal, a PC, a server or the like. The apparatus may be configured in a computing device, and the method for managing sensitive data provided in this embodiment specifically includes the following steps:
and S110, when a data access instruction is received, analyzing the data access instruction, and determining a target analysis statement.
The data access instruction can be a data access instruction sent by a user based on the terminal device. The target parsing statement may be understood as a parsing statement determined after the data access instruction is parsed.
Specifically, a user may send a corresponding data access instruction through the terminal device, and after receiving the data access instruction, analyze the data access instruction to obtain a corresponding target analysis statement. It should be noted that the data access instruction issued by the user may be a structured query language issued by the user when operating the database, and further, the data may be accessed and queried based on the structured query language issued by the user, and the relational database system may be updated and managed.
On the basis of the above technical solution, when a data access instruction is received, parsing the data access instruction to determine a target parsing statement includes: acquiring an SQL statement edited in a data calling control, and taking the SQL statement as the data access instruction; and determining a database protocol corresponding to the data access instruction according to the user identification of the target user, analyzing the data access instruction based on the database protocol, and determining the target analysis statement.
The data calling control may be a control for inputting a data access instruction: for example, when a user needs to retrieve data from a database, the user enters the corresponding data access instruction in the data calling control, and the control accesses and queries the data based on that instruction. The SQL statement is a Structured Query Language (SQL) statement through which a user may add, delete, modify and query data stored in the database. The target user is the user currently logged into the database system. The user identifier may be the user ID of the user logged into the database system; it should be noted that different users have different user identifiers, and the authority and the permitted operations of the current user may be determined from the user identifier. The database protocol may be the data model supported by a database; since different databases store data in different forms, their database protocols also differ.
Specifically, the SQL sentences input by the user in the data calling control are obtained, the obtained SQL sentences are used as data access instructions, a database protocol corresponding to the data access instructions is determined according to the user identification of the current user, and the data access instructions are analyzed based on the database protocol to obtain corresponding target analysis sentences. For example, after the user inputs the SQL statement, the user identifier of the current user is acquired, and the database logged by the current user is determined to be the MySQL database according to the user identifier, and then the SQL statement input by the user is analyzed based on the database protocol of the MySQL database, so as to obtain a target analysis statement corresponding to the SQL statement input by the user.
According to the technical scheme provided by the embodiment, the SQL sentences input by the user based on the data calling control are used as the data access instructions, the corresponding database protocol is determined based on the user identification, and the data access instructions are analyzed based on the database protocol to obtain the corresponding target analysis sentences, so that the flexibility and the convenience of user operation data are improved, and the data access efficiency is improved.
And S120, determining a target access database corresponding to the data access instruction, and calling configured sensitive data corresponding to the target access database.
Wherein the target access database may be the database to which the data access instruction points. The configured sensitive data may be understood as a sensitive data set configured for different types of databases, and it may be understood that the configured sensitive data corresponding to different databases are different because different databases have different structures and different ways of storing data.
Specifically, a target access database which needs to be accessed by a user is determined according to the data access instruction, and then configured sensitive data corresponding to the target access database is called, for example, when the user inputs an SQL statement in the data calling control, the database which needs to be accessed is explicitly pointed out in the input SQL statement, and then the corresponding target access database can be determined based on the database pointed in the SQL statement, and data in the target access database is accessed.
On the basis of the above technical solution, the determining a target access database corresponding to the data access instruction, and retrieving configured sensitive data corresponding to the target access database includes: determining a target access database according to the user identification of the target user; and searching configured sensitive data corresponding to the target access database from a pre-stored sensitive data table.
The sensitive data table stores the pre-configured sensitive data corresponding to each database.
Specifically, the target user must log in to an operation account before accessing the database; the target access database is determined from the user identifier entered by the target user, and once the target access database is determined, the configured sensitive data corresponding to it is looked up in the pre-stored sensitive data table according to the database type. For example, based on the identification information of the user, the database accessed by the current user is determined to be an Oracle database; the sensitive data information corresponding to Oracle databases is looked up in the preset sensitive data table according to the database type, giving the configured sensitive data corresponding to the Oracle database.
And S130, when the target analysis statement passes the verification based on the configured sensitive data, calling the target access data corresponding to the data access instruction, and feeding back.
The target access data can be data which the user needs to access through the data access instruction.
Specifically, the target analysis statement is verified based on the acquired configured sensitive data, and if the current verification is passed, it is proved that the data access instruction does not point to the content of the sensitive data, so that the corresponding target access data can be called based on the data access instruction and fed back to the user.
On the basis of the above technical solution, when the target parsing statement passes verification based on configured sensitive data, invoking target access data corresponding to the data access instruction includes: comparing each field in the target analysis statement based on the configured sensitive data, and determining whether a superposed sensitive field exists; and if not, determining target access data based on the target analysis statement.
A field is a data item describing a feature; each field carries a unique field identifier by which the computer recognizes it. A sensitive field is a preset field containing sensitive data. It should be noted that the configured sensitive data includes at least one sensitive field, and each sensitive field may be a row data field and/or a column data field in the table.
Specifically, each field in the target parsing statement is compared according to configured sensitive data, because the field has a unique field identifier, the corresponding characteristics of different fields are different, and a user can set the corresponding sensitive field in advance, and then after the target parsing statement is obtained, the target parsing statement can be matched based on the preset sensitive field information, and if the matching is not successful, it is proved that the target parsing statement does not include the sensitive field, that is, the data access instruction does not access the sensitive data.
On the basis of the technical scheme, the method further comprises the following steps: if so, reporting the target analysis statement to check the target analysis statement; and when the feedback passing the audit is received, feeding back the target access data corresponding to the data access instruction.
Auditing means that after the target analysis statement is reported, a superior performs a manual review of it.
Specifically, when field matching of the target analysis statement against the configured sensitive data determines that the statement includes a sensitive field, the statement is intercepted and reported to the superior department, which performs collaborative approval of it. Once the approval result is obtained and the approval is passed, the target access data corresponding to the data access instruction is fed back to the user.
On the basis of the technical scheme, the method further comprises the following steps: and when feedback that the audit is not passed is received, hiding the data corresponding to the sensitive field, and feeding back target access data which are inconsistent with the sensitive field in the target analysis statement.
Specifically, if the superior's audit of the target analysis statement is not passed, the data corresponding to the sensitive field referenced in the statement is hidden, and the target access data fed back to the user excludes that data. For example, if the target analysis statement includes four fields A, B, C and D, and field matching against the configured sensitive data determines that field A is a sensitive field, the statement is reported to the superior department for approval; if the approval is not passed, the target access data for field A is not fed back to the user, and only the data for fields B, C and D is.
Example two
Fig. 2 is a flowchart of a management method for sensitive data according to an embodiment of the present disclosure, which is further optimized based on the foregoing embodiment. The specific implementation manner can be referred to the technical scheme of the embodiment. The technical terms that are the same as or corresponding to the above embodiments are not repeated herein.
As shown in fig. 2, the method specifically includes the following steps:
Setting sensitive tables, fields and resources: bringing the sensitive table or sensitive field under management and control. Specifically, the information that needs to be managed and controlled, such as the table or table field, the database resource and the subordinate account information, is entered into the database for control, so that the resources and tables requiring control can be determined conveniently.
Acquiring and parsing SQL: determining the corresponding database protocol based on the SQL entered by the user, and parsing the SQL according to that protocol. Specifically, the SQL entered by the user is acquired, the database type (such as Oracle or MySQL) is determined from the resource the user has logged into, and the table, fields and table operation of the SQL statement are parsed by an SQL analysis package according to the database protocol.
Comparing the parsed data with the configured sensitive data: determining the operation requested by the user from the entered SQL, matching the table, fields, table operation and other information obtained by parsing against the configured sensitive data, and determining the corresponding action from the matching result.
Specifically, once the resource is determined to contain a high-risk sensitive table, the parsed SQL entered by the user is matched against the configured sensitive data item by item. If the match succeeds, the statement is intercepted and a process application is triggered: the user selects a superior for collaborative approval; if the approval is passed, the statement is released and its query result is returned, and if the approval is not passed, the statement is simply intercepted.
It should be noted that conventional methods for managing and controlling sensitive data typically apply control whenever a sensitive table is accessed or the table appears in the SQL. Such methods cannot match precisely, so control is applied even when the sensitive data in the table is not used; the control range is too wide, data that should not be controlled is controlled as well, and normal user access to data is affected. In the present application, sensitive fields are set at the field level, and the corresponding control mechanism is triggered only when a sensitive field is present, which prevents over-control while still controlling sensitive data accurately. For example, a conventional method configures a single table and applies control to operations such as create, select, insert, update and delete on that table, so every field of the table and every select on it is affected, which disrupts the user's normal operation. In the present application only a single field is configured. For example, with the table name "sm_user" and the field "user_name", only "select * from sm_user" or "select user_name from sm_user" triggers control, so over-control of the data is avoided.
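The field-level check of step S130 and the "sm_user" case above, as an added example that is not code from the patent or the assignee. A minimal single-table SELECT parser stands in for the SQL analysis package; the sensitive data table, the user-to-database mapping and the sample rows are constructed here, and the table-level rule is included only to show the over-control the application argues against.

```python
import re
from dataclasses import dataclass

# Constructed "pre-stored sensitive data table" (step S120): database type ->
# table name -> sensitive fields. Illustrative values, not from the patent.
SENSITIVE_TABLE = {
    "mysql": {"sm_user": {"user_name"}},
    "oracle": {"employees": {"salary", "id_number"}},
}

# Constructed user identifier -> database type; the identifier selects the
# database protocol used for parsing (step S110). Illustrative values.
USER_DB = {"u1001": "mysql", "u2002": "oracle"}

# Constructed rows the database would return for the sm_user example.
SAMPLE_ROWS = {
    "sm_user": [
        {"id": 1, "user_name": "alice", "dept": "ops"},
        {"id": 2, "user_name": "bob", "dept": "dev"},
    ],
}

@dataclass
class ParsedStatement:
    operation: str
    table: str
    fields: list  # ["*"] means every column of the table

SELECT_RE = re.compile(
    r"^\s*(select)\s+(.+?)\s+from\s+([A-Za-z_][\w.]*)", re.IGNORECASE | re.DOTALL
)

def parse_sql(sql: str) -> ParsedStatement:
    """Minimal stand-in for the patent's SQL analysis package: extracts the
    operation, table and field list of a single-table SELECT statement."""
    m = SELECT_RE.match(sql)
    if not m:
        raise ValueError("unsupported statement: %r" % sql)
    fields = [f.strip().lower() for f in m.group(2).split(",")]
    return ParsedStatement(m.group(1).lower(), m.group(3).lower(), fields)

def sensitive_fields_hit(stmt: ParsedStatement, sensitive: dict) -> set:
    """Field-level comparison of step S130: the configured sensitive fields
    that the statement overlaps. '*' overlaps every sensitive field."""
    configured = sensitive.get(stmt.table, set())
    if "*" in stmt.fields:
        return set(configured)
    return {f for f in stmt.fields if f in configured}

def table_level_hit(stmt: ParsedStatement, sensitive: dict) -> bool:
    """The conventional table-level rule the patent contrasts against: any
    statement touching a table that holds a sensitive field is controlled."""
    return stmt.table in sensitive

def handle_access(user_id: str, sql: str, approval=None):
    """Run the flow of Fig. 1 / Fig. 2 and return (decision, rows).
    approval models the superior's audit result: None = not yet audited,
    True = passed (release), False = not passed (hide sensitive columns)."""
    sensitive = SENSITIVE_TABLE.get(USER_DB[user_id], {})
    stmt = parse_sql(sql)
    hits = sensitive_fields_hit(stmt, sensitive)
    rows = SAMPLE_ROWS.get(stmt.table, [])
    if stmt.fields == ["*"]:
        wanted = list(rows[0].keys()) if rows else []
    else:
        wanted = stmt.fields
    if not hits:
        # No overlapping sensitive field: the instruction does not touch
        # sensitive data, so the target access data is returned directly.
        return "released", [{k: r[k] for k in wanted if k in r} for r in rows]
    if approval is None:
        # Sensitive field present: intercept and report the statement.
        return "intercepted", []
    if approval:
        return "approved", [{k: r[k] for k in wanted if k in r} for r in rows]
    # Audit not passed: hide the sensitive columns and return the others.
    kept = [k for k in wanted if k not in hits]
    return "masked", [{k: r[k] for k in kept if k in r} for r in rows]
```

Under the table-level rule "select id from sm_user" is controlled although it never reads user_name; under the field-level rule it is released untouched.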
Example three
Fig. 3 is a block diagram illustrating a structure of a device for managing sensitive data according to an embodiment of the present disclosure. The device includes: a parsing module 310, a data retrieval module 320, and a verification module 330.
The analysis module 310 is configured to, when a data access instruction is received, analyze the data access instruction, and determine a target analysis statement;
the data calling module 320 is configured to determine a target access database corresponding to the data access instruction, and call configured sensitive data corresponding to the target access database;
and the verification module 330 is configured to, when the target parsing statement passes verification based on the configured sensitive data, invoke target access data corresponding to the data access instruction and feed back the target access data.
On the basis of the above technical solution, the parsing module further includes:
a data access instruction determination unit, configured to acquire an SQL statement edited in the data calling control and use the SQL statement as the data access instruction;
a target analysis statement determination unit, configured to determine the database protocol corresponding to the data access instruction according to the user identifier of the target user, parse the data access instruction based on the database protocol, and determine the target analysis statement.
On the basis of the above technical solution, the data retrieving module further includes:
the target access database determining unit is used for determining a target access database according to the user identification of the target user;
the configured sensitive data acquisition unit is used for searching configured sensitive data corresponding to the target access database from a pre-stored sensitive data table;
and the sensitive data table stores the pre-configured sensitive data corresponding to each database.
On the basis of the above technical solution, the verification module is specifically configured to:
comparing each field in the target analysis statement based on the configured sensitive data, and determining whether a superposed sensitive field exists;
and if not, determining target access data based on the target analysis statement.
On the basis of the above technical solution, the verification module further includes:
a target analysis data reporting unit, configured to, if yes, report the target analysis statement to audit the target analysis statement;
and when the feedback passing the audit is received, feeding back the target access data corresponding to the data access instruction.
On the basis of the above technical solution, the target analysis data reporting unit is further configured to:
and when feedback that the audit is not passed is received, hiding the data corresponding to the sensitive field, and feeding back target access data which are inconsistent with the sensitive field in the target analysis statement.
On the basis of the technical scheme, the configured sensitive data includes at least one sensitive field, and each sensitive field may be a row data field and/or a column data field in a table.
The management device for sensitive data provided by the embodiment of the disclosure can execute the management method for sensitive data provided by any embodiment of the disclosure, and has corresponding functional modules and beneficial effects of the execution method.
It should be noted that, the units and modules included in the apparatus are merely divided according to functional logic, but are not limited to the above division as long as the corresponding functions can be implemented; in addition, specific names of the functional units are only used for distinguishing one functional unit from another, and are not used for limiting the protection scope of the embodiments of the present disclosure.
Example four
Fig. 4 is a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. FIG. 4 illustrates a block diagram of an exemplary electronic device 40 suitable for use in implementing embodiments of the present disclosure. The electronic device 40 shown in fig. 4 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 4, electronic device 40 is embodied in the form of a general purpose computing device. The components of electronic device 40 may include, but are not limited to: one or more processors or processing units 401, a system memory 402, and a bus 403 that couples the various system components (including the system memory 402 and the processing unit 401).
Bus 403 represents one or more of any of several types of bus structures, including a memory bus or memory controller, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures include, but are not limited to, Industry Standard Architecture (ISA) bus, Micro Channel Architecture (MCA) bus, enhanced ISA bus, Video Electronics Standards Association (VESA) local bus, and Peripheral Component Interconnect (PCI) bus.
Electronic device 40 typically includes a variety of computer system readable media. Such media may be any available media that is accessible by electronic device 40 and includes both volatile and nonvolatile media, removable and non-removable media.
The system memory 402 may include computer system readable media in the form of volatile memory, such as Random Access Memory (RAM) 404 and/or cache memory 405. The electronic device 40 may further include other removable/non-removable, volatile/nonvolatile computer system storage media. By way of example only, storage system 406 may be used to read from and write to non-removable, nonvolatile magnetic media (not shown in Fig. 4, and commonly referred to as a "hard drive"). Although not shown in Fig. 4, a magnetic disk drive for reading from and writing to a removable, nonvolatile magnetic disk (e.g., a "floppy disk") and an optical disk drive for reading from or writing to a removable, nonvolatile optical disk (e.g., a CD-ROM, DVD-ROM, or other optical media) may be provided. In these cases, each drive may be connected to the bus 403 by one or more data media interfaces. Memory 402 may include at least one program product having a set (e.g., at least one) of program modules that are configured to carry out the functions of embodiments of the disclosure.
A program/utility 408 having a set (at least one) of program modules 407 may be stored, for example, in memory 402, such program modules 407 including, but not limited to, an operating system, one or more application programs, other program modules, and program data, each of which examples or some combination thereof may comprise an implementation of a network environment. Program modules 407 generally perform the functions and/or methods of the embodiments described in this disclosure.
The electronic device 40 may also communicate with one or more external devices 409 (e.g., keyboard, pointing device, display 410, etc.), with one or more devices that enable a user to interact with the electronic device 40, and/or with any devices (e.g., network card, modem, etc.) that enable the electronic device 40 to communicate with one or more other computing devices. Such communication may be through input/output (I/O) interface 411. Also, the electronic device 40 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network, such as the internet) via the network adapter 412. As shown, the network adapter 412 communicates with the other modules of the electronic device 40 over the bus 403. It should be appreciated that although not shown in FIG. 4, other hardware and/or software modules may be used in conjunction with electronic device 40, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
The processing unit 401 executes various functional applications and data processing by executing programs stored in the system memory 402, for example, implementing the sensitive data management method provided by the embodiments of the present disclosure.
Example five
Embodiments of the present disclosure also provide a storage medium containing computer-executable instructions for performing a method of managing sensitive data when executed by a computer processor. The method comprises the following steps:
when a data access instruction is received, analyzing the data access instruction, and determining a target analysis statement;
determining a target access database corresponding to the data access instruction, and calling configured sensitive data corresponding to the target access database;
and when the target analysis statement passes verification based on the configured sensitive data, calling target access data corresponding to the data access instruction and feeding back.
The computer storage media of the disclosed embodiments may take any combination of one or more computer-readable media. The computer readable medium may be a computer readable signal medium or a computer readable storage medium. A computer readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the computer readable storage medium would include the following: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this document, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
A computer readable signal medium may include a propagated data signal with computer readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Computer program code for carrying out operations for embodiments of the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, Smalltalk, C++, and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computer, partly on the user's computer, as a stand-alone software package, partly on the user's computer and partly on a remote computer or entirely on the remote computer or server. In the case of a remote computer, the remote computer may be connected to the user's computer through any type of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or the connection may be made to an external computer (for example, through the Internet using an Internet service provider).
It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present disclosure and the technical principles employed. Those skilled in the art will appreciate that the present disclosure is not limited to the particular embodiments described herein, and that various obvious changes, adaptations, and substitutions are possible, without departing from the scope of the present disclosure. Therefore, although the present disclosure has been described in greater detail with reference to the above embodiments, the present disclosure is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present disclosure, the scope of which is determined by the scope of the appended claims.

Claims (10)

1. A method for managing sensitive data, comprising:
when a data access instruction is received, analyzing the data access instruction, and determining a target analysis statement;
determining a target access database corresponding to the data access instruction, and calling configured sensitive data corresponding to the target access database;
and when the target analysis statement passes verification based on the configured sensitive data, calling target access data corresponding to the data access instruction and feeding back.
2. The method according to claim 1, wherein analyzing the data access instruction and determining the target analysis statement when the data access instruction is received comprises:
acquiring an SQL statement edited in a data calling control, and taking the SQL statement as the data access instruction;
and determining a database protocol corresponding to the data access instruction according to the user identification of the target user, analyzing the data access instruction based on the database protocol, and determining the target analysis statement.
3. The method of claim 1, wherein determining a target access database corresponding to the data access instruction and retrieving configured sensitive data corresponding to the target access database comprises:
determining a target access database according to the user identification of the target user;
searching configured sensitive data corresponding to the target access database from a pre-stored sensitive data table;
and the sensitive data table stores the pre-configured sensitive data corresponding to each database.
4. The method of claim 1, wherein, when the target analysis statement passes verification based on the configured sensitive data, calling target access data corresponding to the data access instruction comprises:
comparing each field in the target analysis statement based on the configured sensitive data, and determining whether a superposed sensitive field exists;
and if not, determining target access data based on the target analysis statement.
5. The method of claim 4, further comprising:
if so, reporting the target analysis statement for audit of the target analysis statement;
and when the feedback passing the audit is received, feeding back the target access data corresponding to the data access instruction.
6. The method of claim 5, further comprising:
and when feedback that the audit is not passed is received, hiding the data corresponding to the sensitive field, and feeding back only the target access data that does not belong to the sensitive field in the target analysis statement.
7. The method of claim 1, wherein the configured sensitive data comprises at least one sensitive field, and each sensitive field can be a row data field and/or a column data field in a table.
8. An apparatus for managing sensitive data, comprising:
the analysis module is used for analyzing and processing the data access instruction when the data access instruction is received, and determining a target analysis statement;
the data calling module is used for determining a target access database corresponding to the data access instruction and calling configured sensitive data corresponding to the target access database;
and the verification module is used for calling target access data corresponding to the data access instruction and feeding back the target access data when the target analysis statement passes verification based on the configured sensitive data.
9. An electronic device, characterized in that the device comprises:
one or more processors;
a storage device for storing one or more programs which, when executed by the one or more processors, cause the one or more processors to implement a method of managing sensitive data as recited in any of claims 1-7.
10. A computer-readable storage medium, on which a computer program is stored which, when being executed by a processor, carries out a method of managing sensitive data according to any one of claims 1 to 7.
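The method of claims 1 to 7 (and the summary in the description above) is a small pipeline: take a SQL statement as the access instruction, parse it, resolve the target database from the user identity, fetch that database's configured sensitive fields, check whether any field referenced by the statement overlaps them, and then either return the data, hold it for audit, or return it with the sensitive fields hidden. The following is an added example that is not part of the patent or the applicant's code; the sensitive data table, user-to-database mapping, schema, rows and the simple `SELECT ... FROM ... [WHERE ...]` parser are all constructed here for illustration. It expands `SELECT *` from the schema so that a wildcard cannot slip past the field comparison, and it treats a column used only in a `WHERE` predicate as referenced, since filtering on a sensitive column reveals information about it even when the column is not in the output.

```python
import re
from dataclasses import dataclass

# Constructed sensitive data table: database -> table -> set of sensitive column fields
# (row-level sensitive fields from claim 7 are out of scope for this example).
SENSITIVE_DATA_TABLE = {
    "hr_db": {"employees": {"id_number", "salary"}},
    "sales_db": {"customers": {"phone"}},
}

# Constructed mapping from user identification to target access database.
USER_DATABASE = {"alice": "hr_db", "bob": "sales_db"}

# Constructed schema, used to expand SELECT * and to reject unknown columns.
SCHEMA = {
    "hr_db": {"employees": ["name", "dept", "id_number", "salary"]},
    "sales_db": {"customers": ["name", "phone", "city"]},
}

# Constructed sample rows standing in for the target access database.
ROWS = {
    ("hr_db", "employees"): [
        {"name": "Li", "dept": "R&D", "id_number": "110101199001011234", "salary": 12000},
        {"name": "Wang", "dept": "Sales", "id_number": "310101198505054321", "salary": 9000},
    ],
    ("sales_db", "customers"): [
        {"name": "Zhao", "phone": "13800000000", "city": "Nanjing"},
    ],
}

# Only the simplest statement shape is accepted; anything else is refused rather than guessed at.
SELECT_RE = re.compile(
    r"^\s*SELECT\s+(?P<cols>.+?)\s+FROM\s+(?P<table>[A-Za-z_]\w*)"
    r"\s*(?:WHERE\s+(?P<where>.+?))?\s*;?\s*$",
    re.IGNORECASE | re.DOTALL,
)
# Identifiers that sit directly in front of a comparison operator in the WHERE clause.
WHERE_COL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*(?:=|<>|<=|>=|<|>|LIKE\b)", re.IGNORECASE)


@dataclass
class ParsedStatement:
    table: str
    columns: list        # output columns, with * already expanded
    where_columns: set   # columns referenced only by the filter predicate


def parse_statement(sql, schema):
    """Turn the SQL access instruction into the target analysis statement."""
    m = SELECT_RE.match(sql)
    if not m:
        raise ValueError("unsupported statement shape")
    table = m.group("table")
    if table not in schema:
        raise ValueError(f"unknown table {table!r}")
    cols_raw = m.group("cols").strip()
    columns = list(schema[table]) if cols_raw == "*" else [c.strip() for c in cols_raw.split(",")]
    unknown = [c for c in columns if c not in schema[table]]
    if unknown:
        raise ValueError(f"unknown columns {unknown}")
    where_columns = set(WHERE_COL_RE.findall(m.group("where") or ""))
    return ParsedStatement(table, columns, where_columns)


def find_sensitive_fields(parsed, sensitive_columns):
    """Compare every referenced field with the configured sensitive fields; sorted for stable output."""
    referenced = set(parsed.columns) | parsed.where_columns
    return sorted(referenced & sensitive_columns)


def project(rows, columns):
    return [{c: r[c] for c in columns} for r in rows]


def handle_access_instruction(user, sql, audit_decision=None):
    """Run the full check. audit_decision is None before an auditor has answered,
    True when the audit passed and False when it was rejected."""
    db = USER_DATABASE[user]
    parsed = parse_statement(sql, SCHEMA[db])
    sensitive = SENSITIVE_DATA_TABLE.get(db, {}).get(parsed.table, set())
    hits = find_sensitive_fields(parsed, sensitive)
    rows = ROWS[(db, parsed.table)]  # the sample filter is not evaluated; projection is what matters here
    if not hits:
        return {"status": "passed", "hits": [], "data": project(rows, parsed.columns)}
    if audit_decision is None:
        return {"status": "pending_audit", "hits": hits, "data": None}
    if audit_decision:
        return {"status": "audit_passed", "hits": hits, "data": project(rows, parsed.columns)}
    visible = [c for c in parsed.columns if c not in sensitive]
    return {"status": "audit_rejected", "hits": hits, "data": project(rows, visible)}


if __name__ == "__main__":
    print(handle_access_instruction("alice", "SELECT name, dept FROM employees"))
    print(handle_access_instruction("alice", "SELECT * FROM employees"))
    print(handle_access_instruction("alice", "SELECT * FROM employees", audit_decision=False))
```

The rejected-audit branch returns the same rows with the sensitive columns removed, which is the "hide the data corresponding to the sensitive field" behaviour of claim 6; a deployment would normally also log the statement, the user and the audit outcome so that repeated attempts to read the same sensitive field are visible to whoever reviews access.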
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210482152.4A CN114817990A (en) 2022-05-05 2022-05-05 Sensitive data management method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114817990A true CN114817990A (en) 2022-07-29

Family

ID=82512145

Country Status (1)

Country Link
CN (1) CN114817990A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117235406A (en) * 2023-11-14 2023-12-15 广东省电信规划设计院有限公司 Information content security management and control method and device based on block chain
CN117235406B (en) * 2023-11-14 2024-03-19 广东省电信规划设计院有限公司 Information content security management and control method and device based on block chain

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination