CN115238247A - Data processing method based on zero trust data access control system - Google Patents


Publication number
CN115238247A
Authority
CN
China
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210936733.0A
Other languages
Chinese (zh)
Inventor
白日
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Yingshi Huizhong Shanghai Information Consulting Partnership LP
Original Assignee
Yingshi Huizhong Shanghai Information Consulting Partnership LP
Application filed by Yingshi Huizhong Shanghai Information Consulting Partnership LP
Priority to CN202210936733.0A
Publication of CN115238247A
Priority to PCT/CN2023/098357 (WO2024027328A1)
Legal status: Pending

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/105 Arrangements for software license management or administration, e.g. for managing licenses at corporate level
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures

Abstract

The application discloses a data processing method based on a zero-trust data access control system, in which context information related to access control is acquired at the application end, data access policies based on business logic are flexibly configured, and the constructed data access policy is then executed to achieve dynamic, fine-grained access control over data. The method extends the reach of zero trust access control from the application end to the control end of data access, refines the granularity of zero trust access control from the application level to the business-logic level, and puts this into practice by constructing and executing data access policies based on business logic.

Description

Data processing method based on zero trust data access control system
Technical Field
The application belongs to the field of data processing research, and particularly relates to a data processing method based on a zero-trust data access control system.
Background
An enterprise's data assets and its business are connected in countless ways. In enterprise data security management, service availability has to be weighed against the lawful and compliant use of data. This tension is especially pronounced in data access control, and above all when protecting private data. It comes down to how different access subjects (people, systems, applications and the like), with different roles and permissions, using various resources (PCs, servers, mobile terminals, IoT devices and the like), can access various data (access objects) lawfully, compliantly and with minimum privilege in different business scenarios, so as to meet the requirements of the applicable laws, regulations and industry constraints.
How to improve the security of the data management process while still meeting the data requirements of enterprises is therefore a problem that urgently needs solving.
Disclosure of Invention
To overcome the shortcomings of the prior art, the application provides a data processing method based on a zero trust data access control system: context information related to access control is acquired at the application end, data access policies based on business logic are flexibly configured, and the constructed data access policy is then executed to achieve dynamic, fine-grained access control over data. The method extends the reach of zero trust access control from the application end to the control end of data access (namely, the zero trust data access control system in this specification), refines the granularity of zero trust access control from the application level to the business-logic level, and puts this into practice by constructing and executing data access policies based on business logic. It thereby addresses the problems that data access control cannot be extended under current zero trust systems, that the access control granularity of traditional products is too coarse, and that access control hard-coded in software cannot be configured dynamically and flexibly.
The technical effect of this application is achieved through the following scheme:
In a first aspect, the present specification provides a data processing method based on a zero trust data access control system, the method comprising:
determining each service unit contained in the target application;
for each service unit, generating from policy elements, according to business logic and the service requirements of the service unit, the alternative policy corresponding to the service unit; wherein the alternative policy is a policy that can be executed when processing the corresponding service unit;
sending the alternative policies corresponding to the service units to the zero trust data access control system;
in response to a data access request, determining the service unit at which the data access request is directed as the target service unit;
acquiring the specified information corresponding to the target service unit from the context information of the target service unit; wherein the context information includes at least one of subject information of the access subject that triggers the data access request, and object information of the access object at which the data access request is directed;
taking, as the data access policy, the alternative policy that matches the specified information among the alternative policies configured in the zero trust data access control system;
and executing the data access policy.
In an alternative embodiment of the present specification, the specified information further includes environment information of the access environment.
In an optional embodiment of this specification, determining the service unit at which the data access request is directed as the target service unit includes:
invoking the business logic for the target service unit;
invoking data access based on the business logic;
and, when the data call interface invoked for that data access returns the original data, determining the service unit at which the data access request is directed as the target service unit.
In an alternative embodiment of the present description, executing the data access policy includes:
determining the execution target at which the data access policy is directed; wherein the execution target comprises at least one of: the data row of the original data corresponding to the access object, the data column of the original data corresponding to the access object, and the data unit of the original data corresponding to the access object;
and executing the data access policy against the execution target.
In an optional embodiment of the present specification, a policy element indicates a field used when determining a data access policy, and the specified information is composed of target fields; wherein taking the alternative policy that matches the specified information among the alternative policies configured in the zero trust data access control system as the data access policy includes:
taking, as the data access policy, the alternative policy whose policy elements match the target fields in the specified information.
In an optional embodiment of the present specification, the alternative policies are arranged in order of priority from high to low; wherein taking the alternative policy that matches the specified information among the alternative policies configured in the zero trust data access control system as the data access policy includes:
comparing the alternative policies with the specified information one by one, in order from high to low priority;
and taking the first alternative policy found to match as the data access policy.
In an alternative embodiment of the present description, executing the data access policy includes any one of:
desensitizing the original data corresponding to the access object;
replacing the original data corresponding to the access object;
retaining the original data corresponding to the access object;
and removing the original data corresponding to the access object.
In a second aspect, the present specification provides a data processing apparatus based on a zero trust data access control system for implementing the method of the first aspect.
In a third aspect, the present specification provides an electronic device comprising:
a processor; and
a memory arranged to store computer executable instructions that, when executed, cause the processor to perform the method of the first aspect.
In a fourth aspect, the present specification provides a computer readable storage medium storing one or more programs which, when executed by an electronic device comprising a plurality of application programs, cause the electronic device to perform the method of the first aspect.
Drawings
To illustrate the embodiments of the present application or the prior art solutions more clearly, the drawings needed for describing them are briefly introduced below. The drawings in the following description are only some embodiments of the present application, and those skilled in the art can obtain other drawings from them without inventive effort.
FIG. 1 is a flowchart of a data processing method based on a zero trust data access control system according to an embodiment of the present application;
FIG. 2 is a schematic view of an implementation scenario of a data processing method based on a zero trust data access control system in an embodiment of the present application;
FIG. 3 is a schematic diagram of the architecture of a zero trust data access control system in an embodiment of the present application;
FIG. 4 is a schematic diagram of the interface hierarchy of a zero trust data access control system in an embodiment of the present application;
FIG. 5 is a schematic diagram of the interaction between at least some of the terminals included in the zero trust data access control system according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a data processing method based on a zero trust data access control system according to an embodiment of the present application performing data processing for different execution targets;
FIG. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, the technical solutions of the present application are described clearly and completely below with reference to specific embodiments and the corresponding drawings. The described embodiments are only some of the embodiments of the present application, not all of them. All other embodiments that a person skilled in the art can derive from the embodiments given herein without creative effort fall within the protection scope of the present application.
The present invention is described in further detail below with reference to the detailed description and the accompanying drawings. Like elements in different embodiments carry like reference numbers. In the following description, numerous specific details are set forth to give a better understanding of the present application. However, those skilled in the art will readily recognize that some of the features may be omitted, or replaced with other elements, materials or methods, in different instances. In some instances, certain operations related to the present application are not shown or described in detail, to avoid obscuring the core of the present application with excessive description; a detailed description of these operations is not necessary, since those skilled in the art can fully understand them from the description in the specification and the general knowledge in the art.
Furthermore, the features, operations, or characteristics described in the specification may be combined in any suitable manner to form various embodiments. The steps or actions in the method descriptions may also be reordered, as will be apparent to one of ordinary skill in the art. Thus, the various sequences in the specification and drawings serve only to describe certain embodiments and do not imply a required sequence, unless it is otherwise indicated that such a sequence must be followed.
The numbering of components, e.g., "first", "second", etc., is used herein only to distinguish the objects described and does not have any sequential or technical meaning. The terms "connected" and "coupled" as used in this application include both direct and indirect connections (couplings) unless otherwise indicated.
The present specification provides a data processing method based on a zero trust data access control system to solve the problems existing in the related art. Various non-limiting embodiments of the present application are described in detail below with reference to the accompanying drawings. In this specification, a data processing method based on a zero trust data access control system includes the following steps:
S100: Determine each service unit contained in the target application.
The zero trust data access control system in this specification may interface with several (one or more) applications. The method in this specification is described by taking as an example the interfacing of one of those applications (the target application herein) with the zero trust data access control system.
An application in this specification includes several service units, and the business logic of different service units may differ. Illustratively, in the field of financial services, the application may be an app through which Bank A provides services to customers, and the service units included in the application may be: deposit transaction, transfer transaction, inquiry transaction, etc.
The target service unit referred to below is one of the several service units. The method in this specification is described by taking as an example the process of processing data for a target service unit based on the zero trust data access control system.
S102: For each service unit, generate from the policy elements, according to business logic and the service requirements of the service unit, a policy comprising a plurality of policy rules, and take that policy as the alternative policy corresponding to the service unit. The alternative policy is a policy that can be executed when processing the corresponding service unit.
In an alternative embodiment of the present specification, the editing operation performed to obtain the alternative policy is condition editing. The condition editing may use a regular expression.
Optionally, a policy element indicates a field used when determining the data access policy, and optionally the policy elements correspond one to one to the fields used when determining the data access policy. The alternative policy is obtained by performing condition editing (Condition) on the policy elements through regular expressions. Condition editing defines a rule condition through a regular expression of the form variable + relational operator + variable (or threshold), where a variable can be configured as the attribute of the policy element corresponding to the specified information. The relational operator evaluates the logical relationship between variables (or between a variable and a threshold) in the policy condition; common operators are greater than, equal to, less than, not equal to, and the like.
S104: Issue the alternative policies corresponding to the service units to the zero trust data access control system.
The alternative policies in this specification are made up of policy elements. Alternative policies are the policies available for adoption when processing the target service unit. They are sent to the zero trust data access control system in advance so that one can be selected in the subsequent steps. Optionally, the alternative policies correspond to the service units one to one. An alternative policy is a set of instructions that need to be executed when processing its corresponding service unit.
S106: In response to a data access request, determine the service unit at which the data access request is directed as the target service unit.
In an alternative embodiment of the present description, as shown in FIG. 3, the business logic for the target service unit is invoked first; data access is then invoked based on the business logic; and when the data call interface invoked for that data access returns the original data, the service unit at which the data access request is directed is determined as the target service unit.
S108: Acquire the specified information corresponding to the target service unit from the context information of the target service unit.
The context information includes at least one of subject information of the access subject that triggers the data access request, and object information of the access object at which the data access request is directed.
FIG. 2 shows an example application scenario of the data processing method based on the zero trust data access control system in this specification. FIG. 3 schematically shows the interaction between the zero trust data access control system and the other terminals. The target application processes the data managed by the data source through the zero trust data access control system. The terms "left side" and "right side" used below refer, by way of example, to the orientation shown in FIG. 2.
The access subject is the entity that actively initiates access; a subject can access an object. The access subject in this specification is illustratively a person, a system, an application, or the like. For a person, the subject is for example a user subject (the user identity (User ID) entity of the access control policy); for a system, an account subject (the application account entity of the access control policy); for an application, an application subject (the application entity of the access control policy, including attributes such as the application and the application category).
Different target applications play different roles in data processing. In some optional scenarios, therefore, different data processing environments (e.g., local/remote/cloud, headquarters/branch/partner, time, connection mode, terminal environment, and other factors) impose different requirements on the access rights of a target application, depending on the resources (e.g., a PC, a mobile terminal, an IoT device, a server, and the like) that the target application can use during data processing.
The subject information of the access subject in this specification can indicate attributes such as the identity and permissions of the access subject; that is, the method in this specification processes data according to the permissions of the target service unit, on the basis of zero trust on the left side.
An access object in this specification is a passively accessed entity (i.e., the accessed data), and access to an object is subject to policy control. The object information characterizes certain data of the access object. Illustratively, the access object in this specification may be any of: an API object (the API interface entity called by the target application, with attributes such as the associated data interface, interface code, data type, and whether access control is enabled); an application object (the accessed application entity, with attributes such as the application it belongs to, the application category, and whether access control is enabled); a column data object (the accessed column data entity, applicable only in a column policy, with attributes such as attribute code, attribute code path, data classification, and value); or a row data object (the accessed row data entity, applicable in a row policy and a column policy; the value of a row data object may refer to the actual value of an attribute of the accessed data). This is shown by way of example in FIG. 6.
The specified information in this specification includes at least one of the subject information and the object information. Alternatively, the access object may be a row of data maintained by the data source, a column of data, or the raw data in a data unit.
In an alternative embodiment of the present specification, the specified information is made up of the target fields. Generating the alternative policy is the process of compiling policy elements into a set of policy rules (Policy Rule) according to the business logic (execution conditions, execution operations, execution flows, etc.). In an alternative embodiment of the present disclosure, a policy rule includes at least a condition (Rule Condition), an operation (Rule Action), and a priority (Rule Priority).
In an optional embodiment of the present description, the process of generating an alternative policy may comprise at least one of the following three aspects: condition editing (Condition), action editing (Action), and priority editing.
In an optional embodiment of this specification, determining the specified information may be a process of extracting fields from the information carried in the data access request according to an alternative policy, where each extracted field is a target field. For example, alternative policy 1 includes field A, field B, and field C, and the information carried in data access request 1 includes field a, field b, and field d, where field a matches field A and field b matches field B. Fields a and b are then fields contained in the specified information. Field d is not a field included in the specified information.
S110: Take, as the data access policy, the alternative policy that matches the specified information among all the alternative policies configured in the zero trust data access control system.
The method in this specification thus achieves dynamic, fine-grained data access control based on different business logic, with continuous verification, so as to meet the requirements of the applicable laws, regulations and industry constraints. This is the last kilometer of zero trust: zero trust on the right side.
The target fields in the specified information obtained through the foregoing steps correspond to the policy elements (Policy Element) contained in the alternative policies set in advance in the zero trust data access control system. The policy elements are the context (Context) that makes up the policy; that is, a policy element may correspond to a target field in the subject information, a target field in the object information, or a target field in the environment information mentioned in the subsequent steps.
In an optional embodiment of the present specification, it may be determined, for each target field in the specified information, whether an alternative policy contains a policy element matching the target field; if so, the alternative policy is the data access policy. Continuing the earlier example of alternative policy 1 and data access request 1: since no field matching field C is extracted from data access request 1, data access request 1 does not hit alternative policy 1.
S112: Execute the data access policy.
In an optional embodiment of the present specification, the zero trust data access control system determines the execution target at which the data access policy is directed, wherein the execution target comprises at least one of: the data row to which the access object belongs, the data column to which the access object belongs, and the data unit to which the access object belongs. The data access policy is then executed against the execution target.
Alternatively, executing the data access policy may consist of performing, on the execution target, the operation indicated by the data access policy.
The operation (Rule Action) is the action performed once the rule condition (Rule Condition) is satisfied, that is, the manner in which the data is output (the data output rule). In an alternative embodiment of the present specification, the operation represented by the data access policy includes any one of: desensitizing the original data corresponding to the access object; replacing the original data corresponding to the access object; retaining the original data corresponding to the access object; and removing the original data corresponding to the access object.
The method in this specification acquires context information related to access control at the target application end, flexibly configures data access policies based on business logic, and then executes the constructed data access policy to achieve dynamic, fine-grained access control over data. The method extends the reach of zero trust access control from the target application end to the control end of data access (i.e., the "zero trust data access control system" in this specification), refines the granularity of zero trust access control from the target application level to the business-logic level, and puts this into practice by constructing and executing data access policies based on business logic. It thereby addresses the problems that data access control cannot be extended under current zero trust systems, that the access control granularity of traditional products (illustratively, database firewalls, data desensitization, etc.) is too coarse, and that access control hard-coded in software cannot be configured dynamically and flexibly.
The technical problems that the method in this specification can solve include, but are not limited to, the following. Identity access control technology in the related art is limited to access control at the application level and cannot extend access control from the application level to the data level. Data access control technologies from the traditional IT perspective, such as database firewalls and data desensitization, cannot meet the need for dynamic, fine-grained data access control in complex business scenarios. The related art writes such complex data access control logic into the application program as code, which causes a great deal of coupling with the business and many problems in application development, update, maintenance, and the like. The related art cannot adequately meet the need for dynamic, fine-grained data access control.
To make the data access policy more comprehensive, the specified information in this specification may further include access environment information of the access environment. An access environment is the environment involved in accessing data. The access environment may include at least one of: the request environment (environment attributes of the request that initiates access to the API, including access time and attributes such as http uri, http copy, http commands, http servers, http databases, and http keys); the client environment (environment attributes of the client that initiates access, including attributes such as client device type, client operating system, client browser, client IP, and device code); the server environment (environment attributes of the server being accessed, including attributes such as server host and service port); and other environment parameters.
In an alternative embodiment of the present description, the context of the policy rules is illustrated in table 1 below:
TABLE 1 (an image in the original publication; its contents are not reproduced in this text)
The method in this specification can start from the aspect of aiming at the target business unit and realize the management of the data processing process, and in addition, the method in this specification can start from the aspect of aiming at the access object and realize the management of the data processing process. The foregoing two aspects will now be described separately.
(1) Access control for the target business unit.
In an alternative embodiment, the subject information of the target application and the object information of the access object may be compared, and a data output rule (Action) may be executed according to the comparison result.
Optionally, the main information is compared with information of each data managed by the data source, and an obtained comparison result indicates data which the target service unit has authority to access in each data managed by the data source; and taking an alternative strategy matched with the comparison result in the preset access alternative strategies in the zero-trust data access control system as a data access strategy.
In another alternative embodiment, the subject information may also be compared with a set threshold (e.g., a policy element of an alternative policy preset in the trust data access control system), and the data output rule is executed according to the comparison result.
(2) Access control for access objects.
In an optional embodiment, the attributes of the access object are compared with the attributes of the target application, and the data output rule is executed according to the comparison result.
Optionally, the subject information is compared with the object information, and the comparison result indicates the access permission of the target service unit to the access object; the alternative policy that matches the comparison result, among the alternative access policies preset in the zero-trust data access control system, is taken as the data access policy.
In another alternative embodiment, the attribute of the access object may be compared with a set threshold, and the data output rule may be executed according to the comparison result.
As can be seen from the foregoing, in alternative embodiments, the process of determining a data access policy in this specification may further include priority editing. The description will now be made with respect to priority editing.
In an alternative embodiment of the present disclosure, different alternative policies have different priorities, and the alternative policies are arranged in order of priority from high to low. When determining the data access policy from the alternative policies, the alternative policies are compared against the specified information one by one, from high priority to low; the first alternative policy found to match is taken as the data access policy, and the other alternative policies are not executed in subsequent steps.
The priority in this specification may be inversely related to the amount of resources consumed by this data access process. The more resources consumed, the lower the priority. The consumed resources can be time resources, interface resources, predicted calculation power provided by the zero trust data access control system in the data processing process, and the like.
In fact, different data access policies are generally required to be formulated for different applications, different interfaces, and different interface branches, and therefore, the policies need to be restricted to different use ranges (scopes) for management.
In an optional embodiment of this specification, based on the zero-trust data access control system, a global policy that matches the specified information may be determined, from the global policies preset in the zero-trust data access control system (the global policy scope can control all policies), as the global target policy; an application policy that matches the specified information is determined, from the application policies contained in the global target policy (an application policy scope can control all policies of one application), as the application target policy; an interface group policy that matches the specified information is determined, from the interface group policies contained in the application target policy (the interfaces in an application can be divided into different interface groups, each interface group consists of a plurality of interfaces, and an interface group policy scope can control all interface policies under the interface group), as the interface group target policy; an interface policy that matches the specified information is determined, from the interface policies contained in the interface group target policy (each interface policy is composed of a plurality of interface branch policies, and an interface policy scope can control all interface branch policies under the interface), as the interface target policy; and an interface branch policy that matches the specified information is determined, from the interface branch policies contained in the interface target policy (the scope of an interface branch policy is limited to controlling that interface branch; the interface branch policy performs access control on branch data, and branch data is the minimum unit of data on which access control can be executed), as the target policy.
Then in the foregoing step S102, an inverted index may be established for each candidate policy according to the hierarchy attribute of each candidate policy, and then the process of matching the policy may be a search process performed based on the inverted index.
Hereinafter, the aforementioned policy levels ranging from coarse to fine (global policy, application policy, …) are referred to as grouping policies. A grouping policy takes effect on the interfaces, under the group it belongs to, for which access control is enabled. A group policy can be a row policy or a column policy: a row policy is suitable for access control of row data on the group's interfaces, and a column policy is suitable for access control of column data on the group's interfaces. For example, if data is displayed per branch company of an enterprise, this is control of row data, and the group policy established has the row policy attribute. The grouping policy acts on the data branches of the interfaces for which access control is enabled. There can be a plurality of group policies: a group policy with the row attribute executes access control on the rows of the data returned by all interfaces of the group, and a group policy with the column attribute executes access control on the columns of the data returned by all interfaces of the group. An interface policy executes access control on the data returned under the interface and can be a row policy or a column policy; under an interface with access control enabled, it takes effect on all branches that have no policy or have all of their policies disabled.
The method in the present specification makes different data access policies for different applications, different interfaces, and different interface branches, and limits the policies to different ranges of use (scopes) for management. The method makes a branch policy for branch data, so accurate data access control can be achieved: the branch policy does not affect other branches, it only takes effect on the branch for which access control is enabled, and its range of influence is the smallest. Different policy management ranges can be set through hierarchical management with a global policy scope, an application policy scope, an interface group policy scope, an interface policy scope, and an interface branch policy scope, so as to realize flexible and accurate data access control. Fig. 4 shows the scope of a grouping policy.
The switch configuration that controls when each type of policy takes effect, based on the conditions under which access control takes effect, is shown in Table 2 below.
TABLE 2
Access control of the disabled branch/interface/application is shown in table 3 below.
TABLE 3
In an alternative embodiment of the present description, the architecture of a zero trust data based access control system is shown in FIG. 5. In the system architecture shown in fig. 5, the zero trust Data-based Access Control system includes a DAC (Data Access Control) management console, a DAC server, and a DAC controller.
(1) DAC management console
The DAC management console is an operation control assembly used for editing, managing and issuing data access control strategies based on instructions of an administrator, and checking and analyzing various logs.
Specifically, when performing policy configuration and issuing in step S100, an administrator completes the data access control policy editing (generating an alternative policy) and the policy management (for example, adding, deleting, modifying, etc. the alternative policy) through the policy configuration management function according to the respective service logic of each service unit included in different applications by using the DAC management console, in combination with the corresponding data access control requirement, and stores the alternative policy configuration to the DAC server, and at the same time, synchronizes the alternative policy to the plurality of DAC controllers through the DAC server, thereby completing policy issuing.
During log viewing and analysis, the DAC server and the DAC controller may generate various logs, such as a system log, an operation log, a data access log, a policy flow log, and the like, during operation. These logs may be stored in the DAC server or in a separate storage device. An operation administrator can check various logs through the DAC management console, and meanwhile various abnormal conditions such as system abnormality, operation abnormality, data access abnormality, strategy flow abnormality and the like are discovered through log analysis, so that the administrator is helped to discover and solve problems.
(2) DAC server
The DAC server (DAC Server) is a component that stores data access control policies and various log information; it is also used for synchronizing policies to a DAC console, collecting DAC controller logs, synchronizing data with third-party systems, and the like.
When policy storage and log storage are executed, the alternative policies configured by the administrator need to be stored in the DAC server or a separate storage device through the DAC server, so as to facilitate further operations such as policy management or policy synchronization; meanwhile, various logs generated by various parts of the DAC system also need to be stored in the DAC server or a separate storage device by the DAC server so as to be further viewed or analyzed.
Policy synchronization means that the alternative policies configured by the administrator are synchronized from the DAC server to the specified DAC controller, so that the DAC controller executes data access control according to the data access policy. When policy synchronization is executed, the policy can be pushed to the DAC controller by the DAC server, or pulled from the DAC server by the DAC controller.
Log synchronization means that the various logs generated by the DAC controller are synchronized to the DAC server and stored in the DAC server or a separate storage device, so that an administrator can conveniently view and analyze them. When log synchronization is executed, the logs can be pulled from the DAC controller by the DAC server, or uploaded or pushed by the DAC controller to the DAC server or a separate storage device.
In addition, in the process of policy editing, to construct policy elements (policy context), it is usually necessary to obtain related data from a third party in advance, for example, to obtain information such as user identity and authority from an AD (domain management system) and an IAM (identity access management system), obtain information such as data attributes from a database and a big data platform, and obtain information such as terminal and server environment from terminal access software and a zero-trust SDP system, and therefore, it is necessary to obtain related data from the third party. Generally, the third party data synchronization can be acquired from the third party in real time during use, or can be acquired from the third party periodically in advance in a non-real time manner, stored in a local DAC server or a separate storage device, and acquired from the local during use.
(3) DAC controller
A DAC Controller (DAC Controller) is a component that specifically executes a data access control policy, is deployed in an SDK manner and runs in an Application (Application), and can execute policy and log synchronization by cooperating with a DAC server.
In addition, the DAC controller may be further configured to execute the data processing method based on the zero trust data access control system in this specification.
Engine invocation: because the DAC controller is deployed as an SDK and runs inside the application program (Application), after the application obtains the original service data it can call the relevant interface of the DAC policy execution engine in the DAC controller, passing in the original service data and the relevant context information. The DAC policy execution engine first constructs policy elements from the context information, then performs policy matching using the policy elements, and finally executes the corresponding rule operation on the original service data according to the matched policy rules, completing access control on the original service data and returning the processed service data to the application. Once a policy synchronized to the DAC controller changes, the DAC policy execution engine executes access control according to the latest policy, so an administrator can adjust policies dynamically according to service requirements and have them take effect immediately.
Input: when the application calls the interface of the DAC policy execution engine, it mainly passes in two parts of data: 1. the original service data, namely the data object on which the data access control operation is to be performed; 2. context information such as user information, environment information and service operation information, used to construct the policy elements and execute policy matching.
After the DAC policy execution engine is called by the target application, the execution process is as follows: 1. constructing data access control policy elements from the input user information, environment information, service operation information and other context information; 2. matching a data access control policy according to the policy elements; 3. if a row policy is matched, executing the row-level data access control policy; 4. if a column policy is matched, executing the column-level data access control policy; 5. if a unit policy is matched, executing the unit-level data access control policy. After policy execution is finished, the processed service data is returned to the target application.
The method in this specification inherits zero-trust concepts such as untrusted, minimum authority and continuous verification, extends the access control capability of zero trust to the data side, and refines the granularity of zero-trust data access control. It realizes dynamic, fine-grained data access control through policy editing and policy management based on business logic, which solves the key problem of putting the technology into practice. Through a complete zero-trust data access control system architecture, it forms a complete system from policy editing and policy issuing to policy execution, so that a user can complete policy adjustments in time, by policy editing, as the business logic changes, and issue them for execution with immediate effect. This avoids the problem that products such as traditional database firewalls and database desensitization cannot provide fine-grained access control according to business logic, solves the flexibility problems of difficult development, update and maintenance of application programs caused by traditional hard coding, and truly realizes dynamic, fine-grained data access control based on zero trust.
"generating an alternative policy" in this specification includes a process of creating an alternative policy and/or modifying an alternative policy.
How to generate the alternative policies is now explained. In an alternative embodiment of this specification, the function is located at: data access control platform -> application management -> operation column of the application, API access control -> application interface policy configuration -> interface management -> operation column of the interface under the interface grouping -> interface management -> policy management. Then, adding a new interface policy is triggered, and the alternative policy name is entered in the policy attribute editing window. Then, the alternative policy type is selected; the options are column policy and row policy, with column policy used in most cases. The column policy is used to control desensitization or removal of sensitive fields in the returned data, and the row policy is used to control filtering of the data set results in the returned data so that only part of the data is returned. Then, whether the policy is related to the value is selected, most cases. If yes is selected, the policy is executed on each piece of data and the execution result is returned; if no is selected, the policy is independent of the value: after the policy is executed on the first piece of data, the execution result is cached, and subsequent data does not execute the policy but uses the cached result directly. If the policy is independent of the data value, performance is greatly improved. In response to the operation completing the policy configuration, a column policy with no policy flow configured is successfully created.
When editing policies, first, in response to the triggering operation of editing the policy in the operation column of the newly created column policy, the editing data of the process content collection required for editing the editing process page is acquired. Then, a policy condition is configured: specifically, a condition edge is selected and the execution priority of the condition is acquired. A rule with a higher priority is executed first; when the accessed data does not satisfy the condition of the higher-priority rule, the rule with the next priority is executed. Once a policy with a higher priority is matched, no policy with a lower priority is executed. In response to a trigger for editing the ABAC condition, the policy condition data configured in the ABAC rule editing window is acquired (the ABAC rule edge is the carrier of the ABAC rule; the ABAC condition is configured, and an execution priority is set for the policy, through the rule edge). Format of policy conditions: variable, operator, variable (or constant), wherein the variables can be configured as access subject, object, and environment information; if the policy condition compares an attribute with a threshold, access control is performed on the subject whose attribute is the designated value. In response to the save operation for the edited result, the condition setting is judged successful.
Taking desensitization to the raw data as an example:
1) When dynamic desensitization is performed according to the data hierarchy.
First, the filtering requirements are determined. For example, the filtration requirements are: all data ranked >2 levels need to be desensitized, and the results phone, idNumber, debo cardnumber, password, debo cardbase are expected to be desensitized, with other data retained.
Then, policy configuration is performed. For example, a first policy condition is configured, after which a first data desensitization end node is configured. Then, a second policy condition is configured, after which a second data desensitization end node is configured.
Illustratively, when configuring the first policy condition, if the data rating of the current column is >2, the specific operation is as follows: the first policy condition is selected, the execution priority of the condition is configured, editing of the ABAC condition is triggered, and in the ABAC rule editing window the data classification of the column data object in the access object is set to be greater than the constant 2, which sets data processing for the specified data classification. When the first data desensitization end node is configured, the node is set to data desensitization; the specific operation is as follows: the second data desensitization end node is determined, editing of the output configuration is triggered, and data desensitization is selected as the execution result code.
When the second policy condition is configured, it is the negation of the first policy condition, so no policy rule needs to be configured for this condition. When the second data desensitization end node is configured, the node is set to retain the original data.
The desensitizing effect is as follows: data with the data grading larger than 2 are desensitized and displayed, and data with the data grading smaller than or equal to 2 are output.
2) Upon dynamic desensitization according to the role of the current visitor:
Illustratively, the filtering requirements are: when the post role is master manager, the original data is output on access; when other employees access the data, the bank card number (debo card number) is desensitized. Note: the visitor's application account is passed into the setCtxAppcount () object, and the system judges the visitor's identity from the value passed in.
When generating the alternative policy, the policy condition is configured first: if the role accessing the data is the master manager, the ABAC rule sets the userPosition of the account subject in the access subject equal to master manager, so that this role is identified. Then, the data desensitization end node is configured: the original data is retained for the master manager role. Then, a policy condition is configured: all roles other than master manager are employee roles, so no ABAC judgment rule is set to identify the employee role; when other employees access the data, the bank card number is desensitized: the ABAC rule is set on the data object in the access object, and the data with the bank card number attribute is identified when the attribute code of the data object equals the constant debo card number. Then, the data desensitization end node is configured: the data is desensitized for the employee role. The desensitizing effect obtained is: when Manager Wang, the master manager, accesses the employee information, the original data is returned; when the employee Zhang Xun accesses the information, the bank card number in it is desensitized.
3) In dynamic desensitization of data according to its value:
Illustratively, the filtering requirements are: when data whose bank card balance is greater than 1000 is accessed, the telephone number is dynamically desensitized; when the bank card balance is not greater than 1000, the original data is retained for output.
The policy configuration process is as follows. Policy conditions are first configured. Illustratively, for a bank card balance greater than 1000, the debitCardBalance of the row data object in the access object is set to be greater than 1000 in the ABAC policy editor; a further condition is added with AND, configured as the attribute code being equal to the telephone number phone. Then the data desensitization end node is configured. For example, for the telephone number corresponding to a bank card balance greater than 1000, the output of the node is set to data desensitization. Thereafter, policy conditions are configured. For example, apart from the data whose bank card balance is greater than 1000, all other data has a balance less than or equal to 1000, so no ABAC judgment rule is set for the other amounts. Thereafter, the data desensitization end node is configured. For example, for telephone numbers corresponding to values of 1000 or less, the output of the node is set to retain the original data. The desensitizing effect obtained is: the phone number corresponding to a debit card balance greater than 1000 is desensitized.
4) When fields are desensitised.
Illustratively, the filtering requirements are: the account number and the password in the data are dynamically desensitized; the expected execution result is that the password field is desensitized and the other information retains the original data.
The policy configuration process is as follows. Policy conditions are first configured. For example, for the bank card password (password) field, the attribute code of the data object in the access object is set equal to password in the ABAC policy editor, which sets data processing for the specified field. Then the data desensitization end node is configured. For example, data in the bank card password (password) field is desensitized. Thereafter, policy conditions are configured. For example, apart from the bank card password field, all other data is not a bank card password, so no ABAC judgment rule is set for it. Then, the data desensitization end node is configured. For example, for data not in the bank card password field, the original data is retained. The desensitizing effect obtained is: the field whose attribute code is password is dynamically desensitized.
5) Data filtering is performed according to the access IP.
Illustratively, the filtering requirements are: the system identifies the access request initiated by the client with the IP of 192.168.53.2, and directly filters the data without returning the data.
The policy configuration process is as follows. Policy conditions are first configured. For example, if the client IP of the client environment initiating the data access request is 192.168.53.2, the client IP of the client environment in the access environment is set equal to 192.168.53.2 in the ABAC editor, so that the access client IP can be determined to be 192.168.53.2. After that, the data desensitization end node is configured. For example, when the client IP that initiated the data access request is 192.168.53.2, the data is removed. Then, policy conditions are configured. For example, apart from the client whose IP is 192.168.53.2, all other requests are not from that client, so no ABAC judgment rule is set for them. Thereafter, the data desensitization end node is configured. For example, for other client IPs, the original data is retained.
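The policy-editing rules above (conditions in the form variable, operator, variable-or-constant; evaluation from high priority to low; first match wins) and desensitization cases 1), 2), 3) and 5) can be sketched as follows. This is an added example, not code from the patent or its SDK: the names Var, Condition, Rule, decide, mask and apply_column_policy, the field name debitCardNumber, the key clientIp, the masking format, the sample rows and the deny-by-default fallback are all assumptions.

```python
import operator
from dataclasses import dataclass

OPS = {"==": operator.eq, "!=": operator.ne, ">": operator.gt,
       ">=": operator.ge, "<": operator.lt, "<=": operator.le}

@dataclass(frozen=True)
class Var:
    """Variable naming a subject, object or environment attribute."""
    path: str

def resolve(term, ctx):
    """Return a constant unchanged, or look a Var up in the context."""
    if not isinstance(term, Var):
        return term
    node = ctx
    for part in term.path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

@dataclass(frozen=True)
class Condition:
    """Page's condition format: variable, operator, variable (or constant)."""
    left: Var
    op: str
    right: object

    def holds(self, ctx):
        lhs, rhs = resolve(self.left, ctx), resolve(self.right, ctx)
        if lhs is None or rhs is None:
            return False  # a missing attribute never satisfies a condition
        try:
            return bool(OPS[self.op](lhs, rhs))
        except TypeError:
            return False  # e.g. ordering a string against a number

@dataclass(frozen=True)
class Rule:
    priority: int      # higher value is evaluated first
    conditions: tuple  # AND-ed; an empty tuple is the "everything else" branch
    action: str        # "desensitize", "retain" or "remove"

def decide(rules, ctx):
    """First match wins; lower-priority rules are not evaluated after a hit."""
    for rule in sorted(rules, key=lambda r: r.priority, reverse=True):
        if all(c.holds(ctx) for c in rule.conditions):
            return rule.action
    return "remove"  # assumption: deny by default when nothing matches

def mask(value):
    text = str(value)  # constructed masking format: keep the last two characters
    return "*" * max(len(text) - 2, 0) + text[-2:]

def apply_column_policy(rules, rows, subject, environment, levels=None):
    """Evaluate the policy once per cell and apply the chosen action."""
    levels = levels or {}
    result = []
    for row in rows:
        out = {}
        for code, value in row.items():
            obj = {"attributeCode": code, "row": row, "dataLevel": levels.get(code)}
            ctx = {"subject": subject, "environment": environment, "object": obj}
            action = decide(rules, ctx)
            if action == "retain":
                out[code] = value
            elif action == "desensitize":
                out[code] = mask(value)
            # "remove" or an unknown action drops the field (fail closed)
        result.append(out)
    return result

# Case 1) data grading above 2 is desensitized, the rest retained.
BY_LEVEL = [
    Rule(20, (Condition(Var("object.dataLevel"), ">", 2),), "desensitize"),
    Rule(10, (), "retain"),
]
# Case 2) master manager: original data; others: card number masked.
BY_ROLE = [
    Rule(30, (Condition(Var("subject.userPosition"), "==", "master manager"),), "retain"),
    Rule(20, (Condition(Var("object.attributeCode"), "==", "debitCardNumber"),), "desensitize"),
    Rule(10, (), "retain"),
]
# Case 3) phone is masked only in rows whose balance exceeds 1000.
BY_VALUE = [
    Rule(20, (Condition(Var("object.row.debitCardBalance"), ">", 1000),
              Condition(Var("object.attributeCode"), "==", "phone")), "desensitize"),
    Rule(10, (), "retain"),
]
# Case 5) requests from client IP 192.168.53.2 get no data back.
BY_IP = [
    Rule(20, (Condition(Var("environment.clientIp"), "==", "192.168.53.2"),), "remove"),
    Rule(10, (), "retain"),
]
# Constructed sample data; debitCardNumber and clientIp are assumed names.
ROWS = [{"phone": "13800001234", "debitCardNumber": "6222020000001234", "debitCardBalance": 5000},
        {"phone": "13900005678", "debitCardNumber": "6222020000005678", "debitCardBalance": 800}]
LEVELS = {"phone": 3, "debitCardNumber": 4, "debitCardBalance": 2}
```

In this sketch a column with no grading does not satisfy the `>` condition in BY_LEVEL and falls through to the catch-all retain rule, so it is returned unmasked; a catch-all that retains data is only safe when every column has a grading.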
Based on the same idea, the embodiment of the present specification further provides a data processing apparatus based on a zero-trust data access control system, which corresponds to the partial process shown in fig. 1.
A data processing apparatus based on a zero trust data access control system in this specification may include one or more of the following modules:
A service unit determining module, configured to: determine each service unit contained in the target application.
An alternative policy generation module, configured to: for each service unit, generate from policy elements, according to business logic and the service requirements of the service unit, the alternative policies corresponding to the service unit; wherein an alternative policy is a policy that can be executed when processing the corresponding service unit.
An alternative policy issuing module, configured to: issue the alternative policies corresponding to the service units to the zero-trust data access control system.
A target service unit determining module, configured to: in response to a data access request, determine the service unit to which the data access request is directed as the target service unit.
A specified information determining module, configured to: acquire the specified information corresponding to the target service unit from the context information of the target service unit; wherein the context information includes at least one of subject information of the access subject that triggers the data access request, and object information of the access object to which the data access request is directed.
A data access policy determining module, configured to: take the alternative policy that matches the specified information, among the alternative policies configured in the zero-trust data access control system, as the data access policy.
An execution module, configured to: execute the data access policy.
In an alternative embodiment of the present specification, the designation information further includes environment information of the access environment.
In an optional embodiment of this specification, the target service unit determining module is specifically configured to: call the business logic for the target business unit; based on the business logic, call data access; and when the data calling interface on which the data access call is based returns the original data, determine the service unit to which the data access request is directed as the target service unit.
In an optional embodiment of this specification, the execution module is specifically configured to: determine the execution target to which the data access policy is directed, wherein the execution target comprises at least one of: the data row of the original data corresponding to the access object, the data column of the original data corresponding to the access object, and the data unit of the original data corresponding to the access object; and execute the data access policy on the execution target.
In an alternative embodiment of the present specification, the policy element indicates a field used when determining the data access policy, and the specifying information is composed of a target field.
In an optional embodiment of this specification, the data access policy determining module is specifically configured to: take, among the alternative policies, the alternative policy whose policy elements match the target fields in the specified information as the data access policy.
In an optional embodiment of this specification, the data access policy determining module is specifically configured to: compare the alternative policies with the specified information one by one, from high priority to low; and take the first alternative policy found to match as the data access policy.
In an optional embodiment of this specification, the data access policy determining module is specifically configured to: desensitize the original data corresponding to the access object.
In an optional embodiment of the present specification, the original data corresponding to the access object is replaced.
In an optional embodiment of the present specification, original data corresponding to the access object is retained.
In an optional embodiment of the present description, the original data corresponding to the access object is removed.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. Referring to fig. 5, at a hardware level, the electronic device includes a processor, and optionally further includes an internal bus, a network interface, and a memory. The memory may include an internal memory, such as a Random-Access Memory (RAM), and may further include a non-volatile memory, such as at least one disk memory. Of course, the electronic device may also include hardware required for other services.
The processor, the network interface, and the memory may be connected to each other by an internal bus, which may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus, an EISA (Extended Industry Standard Architecture) bus, or the like. The bus may be divided into an address bus, a data bus, a control bus, etc. For ease of illustration, only one double-headed arrow is shown in FIG. 5, but this does not indicate only one bus or one type of bus.
The memory is used for storing programs. In particular, a program may include program code comprising computer operating instructions. The memory may include both internal memory and non-volatile storage, and provides instructions and data to the processor.
The processor reads the corresponding computer program from the non-volatile memory into the internal memory and then runs it, forming, at a logical level, the data processing method based on the zero-trust data access control system. The processor executes the program stored in the memory and is specifically used for executing any one of the data processing methods based on the zero-trust data access control system.
The data processing method based on the zero-trust data access control system disclosed in the embodiment of fig. 2 of the present application can be applied to or implemented by a processor (i.e., a deletion control module in this specification). The processor may be an integrated circuit chip having signal processing capabilities. In implementation, the steps of the above method may be performed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like; it may also be a Digital Signal Processor (DSP), an Application-Specific Integrated Circuit (ASIC), a Field-Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The processor may implement or perform the various methods, steps, and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor or the like. The steps of the method disclosed in connection with the embodiments of the present application may be directly implemented by a hardware decoding processor, or implemented by a combination of hardware and software modules in the decoding processor. The software module may be located in a storage medium well known in the art, such as RAM, flash memory, ROM, PROM, EPROM, or registers. The storage medium is located in the memory, and the processor reads information in the memory and completes the steps of the method in combination with its hardware.
The electronic device may further execute a data processing method based on the zero trust data access control system in fig. 2, and implement the functions of the embodiment shown in fig. 2, which are not described herein again.
The present application further provides a computer-readable storage medium storing one or more programs, where the one or more programs include instructions which, when executed by an electronic device including a plurality of application programs, enable the electronic device to perform the data processing method based on the zero-trust data access control system in the embodiment shown in fig. 2, and specifically to perform any one of the foregoing data processing methods based on the zero-trust data access control system.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In a typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include forms of volatile memory in a computer-readable medium, such as Random Access Memory (RAM), and/or non-volatile memory, such as Read-Only Memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, Phase-change Random Access Memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read-Only Memory (ROM), Electrically Erasable Programmable Read-Only Memory (EEPROM), flash memory or other memory technology, Compact Disc Read-Only Memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic tape cassettes, magnetic tape or magnetic disk storage, or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer-readable medium does not include a transitory computer-readable medium such as a modulated data signal or a carrier wave.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising a …" does not exclude the presence of other like elements in a process, method, article, or apparatus comprising the element.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art to which the present application pertains. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (10)

1. A data processing method based on a zero trust data access control system, the method comprising:
determining each service unit contained in the target application;
for each service unit, generating, from policy elements and in accordance with service logic, alternative policies corresponding to the service unit according to the service requirements of the service unit; wherein an alternative policy is a policy that can be executed when processing the corresponding service unit;
issuing the alternative policies corresponding to the service units to the zero trust data access control system;
in response to a data access request, determining the service unit at which the data access request is directed as a target service unit;
acquiring the specified information corresponding to the target service unit from the context information of the target service unit; wherein the context information includes at least one of subject information of an access subject that triggers the data access request, and object information of an access object for which the data access request is directed;
taking, as a data access policy, the alternative policy that matches the specified information among the alternative policies configured in the zero trust data access control system;
and executing the data access policy.
2. The method of claim 1, wherein the specified information further includes environment information of an access environment.
3. The method of claim 1, wherein determining the service unit for which the data access request is directed as a target service unit comprises:
invoking business logic for the target service unit;
based on the business logic, invoking data access;
and when the data call interface on which the invoked data access is based returns the original data, determining the service unit at which the data access request is directed as the target service unit.
4. The method of claim 2, wherein enforcing the data access policy comprises:
determining an execution target for which the data access policy is directed; wherein the execution target comprises at least one of: the data row of the original data corresponding to the access object, the data column of the original data corresponding to the access object and the data unit of the original data corresponding to the access object;
and executing the data access policy aiming at the execution target.
5. The method of claim 1, wherein the policy element represents a field employed in determining a data access policy, the specified information being made up of target fields; wherein taking, as the data access policy, the alternative policy that matches the specified information among the alternative policies configured in the zero trust data access control system includes:
taking, as the data access policy, the alternative policy whose policy elements match the target fields in the specified information.
6. The method of claim 1, wherein the alternative policies are ranked in order of priority from high to low; wherein taking, as the data access policy, the alternative policy that matches the specified information among the alternative policies configured in the zero trust data access control system includes:
comparing the alternative policies with the specified information in sequence, from high to low according to the ranking;
and taking the first matching alternative policy as the data access policy.
7. The method of claim 1, wherein enforcing the data access policy comprises any one of:
desensitizing the original data corresponding to the access object;
replacing original data corresponding to the access object;
retaining the original data corresponding to the access object;
and removing the original data corresponding to the access object.
8. A data processing apparatus based on a zero trust data access control system, the apparatus being arranged to implement the method of any one of claims 1 to 7.
9. An electronic device, comprising:
a processor; and
a memory arranged to store computer executable instructions which, when executed, cause the processor to perform the method of any one of claims 1 to 7.
10. A computer readable storage medium storing one or more programs which, when executed by an electronic device comprising a plurality of application programs, cause the electronic device to perform the method of any of claims 1-7.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202210936733.0A CN115238247A (en) 2022-08-05 2022-08-05 Data processing method based on zero trust data access control system
PCT/CN2023/098357 WO2024027328A1 (en) 2022-08-05 2023-06-05 Data processing method based on zero-trust data access control system

Publications (1)

Publication Number Publication Date
CN115238247A true CN115238247A (en) 2022-10-25

Family

ID=83679814

Country Status (2)

Country Link
CN (1) CN115238247A (en)
WO (1) WO2024027328A1 (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116974708A (en) * 2023-09-25 2023-10-31 北京众图识人科技有限公司 Service data processing system
WO2024027328A1 (en) * 2022-08-05 2024-02-08 盈适慧众(上海)信息咨询合伙企业(有限合伙) Data processing method based on zero-trust data access control system

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220210173A1 (en) * 2020-12-31 2022-06-30 Fortinet, Inc. Contextual zero trust network access (ztna) based on dynamic security posture insights
CN113051602B (en) * 2021-01-22 2022-11-22 东南大学 Database fine-grained access control method based on zero trust architecture
CN113783844A (en) * 2021-08-13 2021-12-10 中国光大银行股份有限公司 Zero-trust access control method and device and electronic equipment
CN114499922A (en) * 2021-11-30 2022-05-13 中国大唐集团科学技术研究总院有限公司 Intelligent zero-trust dynamic authorization method
CN114218605A (en) * 2021-12-14 2022-03-22 中国建设银行股份有限公司 Data access control method, device, equipment and storage medium
CN115238247A (en) * 2022-08-05 2022-10-25 盈适慧众(上海)信息咨询合伙企业(有限合伙) Data processing method based on zero trust data access control system

Also Published As

Publication number Publication date
WO2024027328A1 (en) 2024-02-08

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination