CN115238292A - Data security management and control method and device, electronic equipment and storage medium - Google Patents
- Publication number: CN115238292A
- Application number: CN202210921916.5A
- Authority: CN (China)
- Prior art keywords: data, migration, controlled, service, information
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.): Pending
Classifications
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
Abstract
The invention discloses a data security management and control method, a device, electronic equipment and a storage medium. The method comprises the following steps: determining to-be-controlled service data corresponding to at least one service system; when detecting that the data migration attribute of the service data to be controlled is greater than a preset migration threshold value, determining a data migration path of the service data to be controlled and corresponding data migration information, where the data migration information comprises at least one of a migration node, a data type of the service data to be controlled and a data source of the service data to be controlled; and generating and displaying a data migration analysis graph based on the data migration path and the data migration information. According to the technical scheme of the embodiment of the invention, data nodes at which data leakage has occurred can be quickly located, so that the efficiency and accuracy of data tracing are effectively improved.
Description
Technical Field
The invention relates to the technical field of big data processing, in particular to a data security management and control method, a data security management and control device, electronic equipment and a storage medium.
Background
With the development of network scale and the deep application of a big data analysis method, the operation data has higher and higher social value and commercial value. The development of related fields such as big data and cloud computing brings new opportunities to the communication industry and potential data safety hazards, and network data risk management and control under new circumstances face many new challenges such as new fields, new means, new modes, new objects and the like.
At present, the existing data security management and control method is generally based on a large data platform of a distributed system to manage network data. Because the existing big data platform only focuses on developing data processing capacity when being initially built and neglects the importance of data security, the risk of data leakage caused by improper use or management of the data storage device may exist, or it is difficult to determine a corresponding coping strategy when an information security problem occurs.
Disclosure of Invention
The invention provides a data security management and control method, a data security management and control device, electronic equipment and a storage medium, so that data nodes at which data leakage has occurred can be quickly located, and the efficiency and accuracy of data tracing are effectively improved.
According to an aspect of the present invention, there is provided a data security management method, the method including:
determining to-be-controlled service data corresponding to at least one service system;
when detecting that the data migration attribute of the service data to be controlled is greater than a preset migration threshold value, determining a data migration path of the service data to be controlled and corresponding data migration information; the data migration information comprises at least one of a migration node, a data type of the service data to be controlled and a data source of the service data to be controlled;
and generating and displaying a data migration analysis graph based on the data migration path and the data migration information.
According to another aspect of the present invention, there is provided a data security management apparatus, including:
the service data determining module is used for determining service data to be controlled corresponding to at least one service system;
the data migration information determining module is used for determining a data migration path of the service data to be controlled and corresponding data migration information when detecting that the data migration attribute of the service data to be controlled is greater than a preset migration threshold; the data migration information comprises at least one of a migration node, a data type of the service data to be controlled and a data source of the service data to be controlled;
and the data migration analysis graph generation module is used for generating and displaying a data migration analysis graph based on the data migration path and the data migration information.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor, the computer program being executable by the at least one processor to enable the at least one processor to perform a method of data security management according to any of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer-readable storage medium storing computer instructions for causing a processor to implement the data security management method according to any one of the embodiments of the present invention when the computer instructions are executed.
According to the technical scheme of the embodiment of the invention, the business data to be managed and controlled corresponding to at least one business system is determined. When the data migration attribute of that business data is detected to be larger than the preset migration threshold value, the data migration path and the corresponding data migration information of the business data are determined. Finally, a data migration analysis graph is generated and displayed based on the data migration path and the data migration information. This addresses the problems in the prior art that improper use or management of data storage equipment may create data leakage risks, and that a coping strategy is difficult to determine when an information security problem occurs. The data security of the business data during storage and processing is improved, and when a data security problem occurs, the data nodes at which leakage happened can be quickly located, so that the efficiency and accuracy of data tracing are effectively improved.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
Fig. 1 is a flowchart of a data security management method according to an embodiment of the present invention;
Fig. 2 is a flowchart of a data tracking method according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of a data security management and control system according to an embodiment of the present invention;
Fig. 4 is a schematic structural diagram of a data security management and control apparatus according to a second embodiment of the present invention;
Fig. 5 is a schematic structural diagram of an electronic device implementing the data security control method according to an embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
Fig. 1 is a flowchart of a data security management and control method according to an embodiment of the present invention, which is applicable to a situation where data tracing is performed when data migration occurs to service data to be managed, and the method may be executed by a data security management and control device, which may be implemented in a form of hardware and/or software, and the data security management and control device may be configured in a terminal and/or a server. As shown in fig. 1, the method includes:
s110, determining to-be-controlled service data corresponding to at least one service system.
In this embodiment, the business system may be a basic platform for the informatized management of business processing at a communication enterprise, and may be used to support the full process of foreground sales, customer service and internal support, together with analysis and management. Alternatively, the business system may include, but is not limited to, a billing and settlement system, an accounting system, a customer service system, a decision support system, and the like. The service data to be managed and controlled may be data that needs to be managed and controlled in each service system. It may include all fields characterizing the identity of the user, fields characterizing all services associated with the user, fields characterizing the system login behaviour of the user, and the like. For example, the service data to be managed and controlled may be the service data in each service system that contains a sensitive data field.
In practical application, each business system collects tens of thousands of pieces of data in one day, some of the data are only common business data containing non-sensitive fields, however, some data are business data to be managed and controlled, which need to be focused on and need to be managed and controlled, so that all the business data of each business system can be screened before the business data to be managed and controlled are obtained, so as to obtain the business data to be managed and controlled.
Optionally, determining to-be-managed service data corresponding to at least one service system includes: acquiring service data corresponding to at least one service system; and processing the service data based on a preset data identification method to obtain the service data to be controlled.
The initial service data may be raw log data that has not undergone data processing. Optionally, the initial service data may include, but is not limited to, operation data and audit data for system sensitive information, audit data generated by network devices and hosts, site page network traffic data, fine-grained database audit data, login record data of a virtual private network, and the like. The preset data identification method may be a method that is set in advance and is used for identifying whether the data contains a key field. Optionally, the preset data identification method may be a keyword identification method or a regular expression. A regular expression (also called a regex) is a text pattern composed of ordinary characters and special characters, and is commonly used to retrieve or replace text that conforms to a certain rule. Illustratively, when the preset data identification method is a keyword identification method, a plurality of keyword fields may be preset, and when a preset keyword field is detected in the service data, the service data may be determined to be service data to be controlled; when the preset data identification method is a regular expression, different rule strings can be set according to the data type of the service data to be controlled that is ultimately wanted, and the rule strings are applied in turn to filter the service data, so that the service data to be controlled is finally obtained.
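The screening step described above (keyword identification by field name, regular-expression identification by field value) together with the control-grade assignment described later in this embodiment, written out as an added Python example. This is not code from the patent; the sample records, the keyword list, the regex patterns and the grade numbers are all constructed assumptions for illustration.

```python
import re

# Constructed sample records (not from the patent): raw log rows from four
# hypothetical service systems. System and field names are assumptions.
SAMPLE_RECORDS = [
    {"system": "billing", "user_id": "U1001", "phone": "13800138000", "amount": "42.50"},
    {"system": "customer_service", "ticket": "T77", "status": "open"},
    {"system": "accounting", "cert_no": "110101199001011234", "ledger": "L9"},
    {"system": "crm", "login_ip": "10.0.0.8", "login_time": "2019-12-24T14:14:32"},
]

# Keyword identification: field names known to carry sensitive content, with the
# category they characterise (user identity, user service, or system login).
SENSITIVE_KEYWORDS = {
    "user_id": "identity", "phone": "identity", "id_card": "identity",
    "amount": "service", "ledger": "service",
    "login_ip": "login", "login_time": "login",
}

# Regular-expression identification: value patterns that catch sensitive content
# under an unknown field name (patterns and categories are assumptions).
SENSITIVE_PATTERNS = [
    ("identity", re.compile(r"^1[3-9]\d{9}$")),            # mobile number
    ("identity", re.compile(r"^\d{17}[\dX]$")),            # 18-character ID number
    ("login", re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")),   # IPv4 address
]

# Assumed control grades (1 = highest of the nine levels the description mentions):
# identity fields rank highest, login fields next, service fields lower.
CONTROL_GRADE = {"identity": 1, "login": 3, "service": 5}


def identify(record):
    """Return (is_controlled, control_grade, matched_fields) for one record.

    A field is matched by name first (keyword method) and by value second
    (regular-expression method); the record's grade is the highest grade
    (smallest number) among its matched fields.
    """
    matched = {}
    for name, value in record.items():
        if name in SENSITIVE_KEYWORDS:
            matched[name] = SENSITIVE_KEYWORDS[name]
            continue
        for category, pattern in SENSITIVE_PATTERNS:
            if pattern.match(str(value)):
                matched[name] = category
                break
    if not matched:
        return False, None, matched
    grade = min(CONTROL_GRADE[c] for c in matched.values())
    return True, grade, matched


def screen(records):
    """Filter raw service data down to the records that must be controlled."""
    controlled = []
    for record in records:
        is_controlled, grade, matched = identify(record)
        if is_controlled:
            controlled.append(dict(record, control_grade=grade, matched_fields=matched))
    return controlled


if __name__ == "__main__":
    for row in screen(SAMPLE_RECORDS):
        print(row["system"], "grade", row["control_grade"], sorted(row["matched_fields"]))
```

The accounting record is caught only by the regular-expression method (its field name `cert_no` is not in the keyword list), which is the reason the description keeps both identification methods: keyword matching is cheap but blind to renamed fields, while value patterns cost more and need tuning against false positives.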
It should be noted that, after the service data is acquired, in order to manage the distribution and circulation of the service data, and meanwhile, in order to construct a full life cycle management and guarantee system for data security, each stage of the service data may be recorded, so that relevant personnel may clearly know the source path of the data and the change of each data node, thereby ensuring the reliability of the data source.
Based on this, on the basis of above-mentioned technical scheme, still include: determining at least one data processing phase associated with a data lifecycle of the traffic data; and determining data processing information corresponding to each data processing stage, and generating a data processing label based on the data processing information so as to label corresponding business data.
The data life cycle is the whole process from data acquisition to data destruction of the service data. Correspondingly, the data processing stage may include a data acquisition stage, a data transmission stage, a data storage stage, a data exchange stage, and a data destruction stage. The data processing information may be detail information generated during processing of the service data in each data processing stage. For example, the data processing information in the data acquisition stage may include, but is not limited to, a data source of the business data, an account number for acquiring the business data, a data type of the business data, and the like; the data processing information in the data transmission stage may include a transmission account corresponding to the service data at each transmission node, a data class of the service data, a data type of the service data, and the like. The data processing label can be a key field which is automatically generated by the system and has strong correlation with the business data in each data processing stage. The data processing tag can help users to easily describe and classify the business data so as to facilitate retrieval and sharing. The data processing tags are matched with the data processing stages, namely, each data processing stage corresponds to one data processing tag.
In practical application, after the service data is obtained, each data processing stage of the service data in the data life cycle can be determined, the data processing information generated in the processing process of each data processing stage is recorded, the system can automatically generate a corresponding data processing label when detecting the corresponding data processing information, and then the service data can be standardized based on the data processing label, so that the data processing information generated by the service data in each data processing stage can be stored in the form of the label for subsequent query.
It should be noted that the data processing information may be allowed to change later, but a version number and a signature may be set for the data processing information stored after each change, the reason for the change may be recorded at the time of the change, and a change log may be recorded after each change. Illustratively, the version number may be a timestamp saved after each change, consisting of a 4-digit year, 2-digit month, 2-digit day, 2-digit hour, 2-digit minute and 2-digit second with no delimiter in between; for example, when the timestamp saved after a change is 2019-12-24 14:14:32, the corresponding version number is 20191224141432.
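The data processing label with its version number, signature and change log, as an added Python example rather than code from the patent. The version-number format follows the description (YYYYMMDDhhmmss, no delimiter); the HMAC-SHA256 signature scheme, the signing key and the sample processing information are assumptions.

```python
import hashlib
import hmac
import json
from datetime import datetime

# The five lifecycle stages named in the description.
STAGES = ("acquisition", "transmission", "storage", "exchange", "destruction")

# Assumed signing key for the demonstration; a deployment would hold this in a
# key store rather than in source.
SIGNING_KEY = b"demo-signing-key-not-for-production"


def version_number(ts):
    """Version number as the description gives it: YYYYMMDDhhmmss with no delimiter."""
    return ts.strftime("%Y%m%d%H%M%S")


def sign(stage, version, info):
    """HMAC-SHA256 over the canonical JSON of the tag contents (assumed scheme)."""
    payload = json.dumps({"stage": stage, "version": version, "info": info},
                         sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(SIGNING_KEY, payload, hashlib.sha256).hexdigest()


class ProcessingTag:
    """Data processing label for one lifecycle stage of one piece of service data."""

    def __init__(self, stage, info, ts):
        if stage not in STAGES:
            raise ValueError(f"unknown stage: {stage}")
        self.stage = stage
        self.info = dict(info)
        self.version = version_number(ts)
        self.signature = sign(self.stage, self.version, self.info)
        self.change_log = []

    def change(self, new_info, reason, ts):
        """Replace the processing information, bump the version, re-sign, and log why."""
        entry = {"from_version": self.version, "reason": reason,
                 "before": self.info, "after": dict(new_info)}
        self.info = dict(new_info)
        self.version = version_number(ts)
        self.signature = sign(self.stage, self.version, self.info)
        entry["to_version"] = self.version
        self.change_log.append(entry)

    def verify(self):
        """True when the stored signature still matches the stored contents."""
        expected = sign(self.stage, self.version, self.info)
        return hmac.compare_digest(self.signature, expected)


def demo():
    """Build a tag for the acquisition stage and apply one logged change."""
    tag = ProcessingTag("acquisition",
                        {"source": "billing", "account": "etl_user", "data_type": "customer"},
                        datetime(2019, 12, 24, 14, 14, 32))
    tag.change({"source": "billing", "account": "etl_user2", "data_type": "customer"},
               "collection account rotated", datetime(2019, 12, 25, 8, 0, 0))
    return tag


if __name__ == "__main__":
    t = demo()
    print(t.version, t.verify(), json.dumps(t.change_log, indent=1))
```

Because the signature covers the stage, the version and the information together, an edit that bypasses `change()` (for instance a direct write to the stored record) is detected by `verify()`, and the change log keeps the before and after values so the lineage of the label itself can be audited.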
Specifically, after the service data corresponding to each service system is obtained, the service data can be processed according to a preset data identification method, so that the service data meeting the conditions are screened and filtered out, the service data to be controlled is obtained, the system can achieve targeted management on the service data to be controlled, and the safety control capability of the system on the data is improved.
And S120, when the data migration attribute of the service data to be controlled is detected to be larger than a preset migration threshold value, determining a data migration path of the service data to be controlled and corresponding data migration information.
In this embodiment, the data migration attribute may be the number of times the service data to be controlled has been migrated, or it may be the migration area range of the service data to be controlled; that is, when the service data to be controlled is migrated from area A to area B, the data migration attribute may be the distance from area A to area B. The preset migration threshold may be set in advance and is the detection standard for deciding whether data migration has occurred to the service data to be managed and controlled. For example, when the data migration attribute is the migration count, the preset migration threshold may be 0; when the data migration attribute is the migration area range, the preset migration threshold may be 0 metres. The data migration path may be the association relationship formed between data during generation, processing and circulation through to destruction, that is, the chain of data generation, which characterizes the data source and the processes and stages the data has passed through. The data migration path may be used to find associations between related data during data tracing. The data migration information includes at least one of a migration node, a data type of the service data to be managed and controlled, and a data source of the service data to be managed and controlled. The migration nodes may include a primary node, data egress nodes and data ingress nodes. For example, the number of data egress nodes may be 1 or more, and the number of data ingress nodes may be 1 or more. The data migration path converges from the data ingress nodes to the primary node, and spreads from the primary node to the data egress nodes.
In practical application, when it is detected that a data migration attribute of service data to be controlled exceeds a preset migration threshold, it may be determined that data migration has occurred to the service data to be controlled, and in order to perform data tracking on the service data having data migration to determine a data leakage source, a data migration path and corresponding data migration information of the service data to be controlled may be determined by analyzing migration records of the service data to be controlled in a corresponding system.
Optionally, determining a data migration path of the service data to be managed and controlled and corresponding data migration information includes: acquiring a data operation log corresponding to service data to be controlled; and traversing the data operation log based on a preset data tracking method to obtain a data migration path and data migration information.
The data operation log may be all operation records associated with the service data to be managed and controlled. The data operation logs can be used to locate and analyze the various problems that arise during data processing. The preset data tracking method may be a preset method for tracing the source of the service data to be controlled. Optionally, the preset data tracking method may include, but is not limited to, data tracking based on the Hadoop Distributed File System (HDFS), data tracking based on Hive, and the like.
For example, as shown in fig. 2, when the preset data tracking method is HDFS-based data tracking, the tracking process may be as follows: acquire the data operation log corresponding to the service data to be controlled and normalize it into standardized data suitable for unified analysis; perform data origin analysis on the service data to be controlled and take the result as the data source of the service data to be controlled; input the normalized data operation log and the data source into a data migration relationship analysis program, which repeatedly traverses the data operation log starting from the data source and the corresponding operation account until the service data to be controlled stops circulating, thereby obtaining the detailed information of the service data to be controlled during copying, transfer and transformation together with the corresponding data migration path; and store the detailed information and the data migration path in a distributed search and analysis engine (Elasticsearch).
It should be understood by those skilled in the art that data tracing based on Hive is a common technical means for data tracing, and the embodiments of the present invention are not described in detail herein.
Specifically, when the data migration attribute of the service data to be controlled is detected to be greater than the preset migration threshold, it may be determined that data leakage has occurred in the service data to be controlled. To trace the data and determine the source of the leakage, the data operation log of the service data to be controlled may be obtained and traversed by the preset data tracking method, so that the data migration path and the corresponding data migration information of the service data to be controlled are finally obtained.
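The traversal of the operation log from the data source, the migration-threshold check and the early-warning level assignment described later in this embodiment, as one added Python example; it also renders the resulting path as Graphviz DOT text in place of the analysis graph the description draws from a graph database. This is not the patent's code: the HDFS-style operation log, the paths, accounts and timestamps, and the mapping from migration count to warning level are all constructed assumptions.

```python
from collections import defaultdict

# Constructed operation log for one piece of controlled service data plus one
# unrelated entry (not the patent's data; every value here is an assumption).
OPERATION_LOG = [
    {"time": "20220101090000", "account": "etl_user", "op": "load",
     "src": "sftp://partner/cust.csv", "dst": "hdfs:/warehouse/cust/day1", "data_type": "customer"},
    {"time": "20220101093000", "account": "etl_user", "op": "copy",
     "src": "hdfs:/warehouse/cust/day1", "dst": "hdfs:/tmp/export/cust.csv", "data_type": "customer"},
    {"time": "20220101100000", "account": "analyst01", "op": "transform",
     "src": "hdfs:/tmp/export/cust.csv", "dst": "hdfs:/user/analyst01/cust_clean.parquet", "data_type": "customer"},
    {"time": "20220101113000", "account": "analyst01", "op": "copy",
     "src": "hdfs:/user/analyst01/cust_clean.parquet", "dst": "s3://external-bucket/cust.parquet", "data_type": "customer"},
    {"time": "20220101120000", "account": "ops", "op": "copy",
     "src": "hdfs:/warehouse/other/day1", "dst": "hdfs:/tmp/other.csv", "data_type": "other"},
]

MIGRATION_THRESHOLD = 0  # the description's example threshold for a migration count

# Assumed mapping from migration count to early-warning level and display colour
# (the description names the levels and colours; the count boundaries are ours).
ALERT_LEVELS = [(8, "I", "red"), (5, "II", "orange"), (3, "III", "yellow"), (1, "IV", "blue")]


def trace_migration(log, primary):
    """Follow the log outward from the primary node: every record whose source is a
    node already reached adds an edge, until no new node appears. Returns the path
    (one edge per copy/transfer/transform) and the migration information."""
    by_src = defaultdict(list)
    for rec in sorted(log, key=lambda r: r["time"]):
        by_src[rec["src"]].append(rec)
    path, reached, frontier = [], {primary}, [primary]
    while frontier:
        node = frontier.pop(0)
        for rec in by_src[node]:
            path.append({k: rec[k] for k in ("src", "dst", "op", "account", "time")})
            if rec["dst"] not in reached:
                reached.add(rec["dst"])
                frontier.append(rec["dst"])
    ingress = sorted({r["src"] for r in log if r["dst"] == primary})
    has_outgoing = {e["src"] for e in path}
    egress = sorted(n for n in reached if n != primary and n not in has_outgoing)
    data_types = sorted({r["data_type"] for r in log
                         if r["dst"] in reached or r["src"] in reached})
    info = {"primary_node": primary, "ingress_nodes": ingress, "egress_nodes": egress,
            "data_types": data_types, "migration_count": len(path)}
    return path, info


def alert_level(migration_count):
    """Map a migration count to (level, colour); None when nothing has migrated."""
    for minimum, level, colour in ALERT_LEVELS:
        if migration_count >= minimum:
            return level, colour
    return None, None


def to_dot(path):
    """Render the migration path as Graphviz DOT, one labelled edge per operation."""
    lines = ["digraph migration {"]
    for e in path:
        lines.append(f'  "{e["src"]}" -> "{e["dst"]}" '
                     f'[label="{e["op"]} by {e["account"]} @ {e["time"]}"];')
    lines.append("}")
    return "\n".join(lines)


def analyse(log, primary):
    """Trace the path, apply the migration threshold, and attach the warning level."""
    path, info = trace_migration(log, primary)
    if info["migration_count"] > MIGRATION_THRESHOLD:
        info["alert_level"], info["alert_colour"] = alert_level(info["migration_count"])
    else:
        info["alert_level"], info["alert_colour"] = None, None
    return path, info


if __name__ == "__main__":
    path, info = analyse(OPERATION_LOG, "hdfs:/warehouse/cust/day1")
    print(info)
    print(to_dot(path))
```

The ingress node is the record that feeds the primary node, the egress node is the reached node with no outgoing operation (here the copy to an external bucket), and the unrelated `other` record never enters the path because its source is never reached; that exclusion is what lets the analysis narrow from tens of thousands of log rows per day to the chain that matters for one leak.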
And S130, generating and displaying a data migration analysis chart based on the data migration path and the data migration information.
In this embodiment, the data migration analysis graph may be a data chain graph representing an association relationship between data in the data migration process. The data migration analysis graph may include an operation account, operation time, operation content, and the like corresponding to each migration node.
In practical application, after the data migration path and the data migration information are obtained, the data migration path and the data migration information can be converted into an image so that the data migration result is displayed in a form that is easy to understand, and relevant personnel can clearly see the source path of the service data to be managed and the change at each migration node.
Optionally, generating a data migration analysis graph based on the data migration path and the data migration information includes: storing the data migration path and the data migration information to a target database; and generating a data migration analysis chart based on a data migration analysis framework preset in the target database.
In this embodiment, the target database may be a graph database. The data migration analysis framework may be a preset data migration analysis model.
Specifically, after the data migration path and the data migration information are obtained, the data migration path and the data migration information may be stored in a target database, so that the data migration path and the data migration information may be input into a data migration analysis frame preset in the target database, and a data migration analysis chart is finally generated and displayed on a display interface.
It should be noted that, since the to-be-controlled service data is sensitive data composed of sensitive data fields, when data leakage of the to-be-controlled service data is detected, if an alarm is not given in time, there is a high possibility that a certain data security risk exists.
Based on this, on the basis of each technical scheme, the method further comprises the following steps: when detecting that the data migration attribute of the service data to be controlled is greater than a preset migration threshold value, determining an early warning level based on the data migration attribute; and carrying out early warning according to the early warning grade and issuing early warning information.
The early warning level may be a level set according to a degree of harm, an emergency degree and a development situation possibly caused by a service data leakage condition to be managed. Illustratively, the alarm levels may be classified into IV (general), III (heavy), II (severe), I (particularly severe), etc., and different levels of the alarm may be indicated by colors, such as blue for general, yellow for heavy, orange for severe, and red for particularly severe, etc. In practical application, the corresponding relationship between the data migration attribute and the early warning level can be established in advance, so that after the data migration attribute of the service data to be controlled is determined, the current early warning level can be confirmed in time, and an alarm can be sent according to early warning information corresponding to the early warning level. The warning information may be information for informing a user of a current emergency. For example, the warning information may be a warning sound emitted through a buzzer or a speaker, or a warning notification emitted through a display screen, or the like.
Specifically, when it is determined that the data migration attribute of the service data to be controlled is greater than a preset migration threshold, the data migration attribute of the service data to be controlled at the current moment is determined, then, the current early warning level is determined according to the pre-established corresponding relationship between the data migration attribute and the early warning level, and early warning is performed, further, early warning information including the data migration condition of the service data to be controlled is issued, so that a user is reminded based on the early warning information, and therefore the user can take appropriate measures for the service data to be controlled according to the acquired early warning information.
It should be noted that different service data to be controlled may be classified according to the different key fields they contain, so that each class of service data to be controlled can be managed in a targeted manner.
On the basis of the above technical solutions, the method further comprises: determining a control level corresponding to the service data to be controlled based on a predetermined control level determination standard, so as to process the service data to be controlled according to that control level.
The control level determination standard is a preset standard for classifying the service data to be controlled into a hierarchy. For example, the standard may be based on the key fields contained in the service data to be controlled. In this embodiment the control level may comprise 9 levels, where a smaller number denotes a higher level. For example, when the service data to be controlled contains a field associated with user information, it may be assigned the highest control level; when it contains a field associated with user service information, it may be assigned a lower control level.
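As an added example (not code from the patent), the following Python sketches the two mappings described above: classification of service data to be controlled into a control level by the key fields it contains, and the pre-established correspondence from data migration attribute to early warning level using the IV to I scale and colours named in the text. The field names, the nine-level scale, the band boundaries and the migration threshold are assumptions made for illustration.

```python
"""Control-level classification and early-warning mapping for service data
to be controlled.  Added example, not the patent's own code.  The field
names, the nine-level scale, the warning bands and the migration threshold
are assumptions chosen to illustrate the text.
"""
from typing import Any, Dict, Mapping, NamedTuple, Optional, Set, Tuple

# Hypothetical key-field rules.  A smaller number is a higher control level;
# level 1 covers direct personal identifiers, level 3 user service/account
# fields, and a record without any listed key field falls to level 9.
KEY_FIELD_LEVELS: Dict[int, Set[str]] = {
    1: {"id_number", "phone", "bank_card", "real_name"},
    3: {"order_id", "balance", "service_plan"},
}
LOWEST_LEVEL = 9


def control_level(record: Mapping[str, Any]) -> int:
    """Return the control level of a record: the most sensitive key field present wins."""
    present = set(record)
    for level in sorted(KEY_FIELD_LEVELS):
        if present & KEY_FIELD_LEVELS[level]:
            return level
    return LOWEST_LEVEL


# Early-warning scale from the text: IV general (blue) up to I particularly
# severe (red).  The migration-attribute floor of each band is an assumption.
WARNING_BANDS = [  # (minimum migration attribute, level, colour)
    (20, "I", "red"),
    (10, "II", "orange"),
    (5, "III", "yellow"),
    (0, "IV", "blue"),
]


class EarlyWarning(NamedTuple):
    level: str
    colour: str
    migration_attribute: int
    control_level: int
    message: str


def warning_level(migration_attribute: int) -> Tuple[str, str]:
    """Map a migration attribute onto the pre-established (attribute -> level) correspondence."""
    for floor, level, colour in WARNING_BANDS:
        if migration_attribute >= floor:
            return level, colour
    raise ValueError("migration attribute must be non-negative")


def evaluate(record: Mapping[str, Any], migration_attribute: int,
             migration_threshold: int = 3) -> Optional[EarlyWarning]:
    """Issue an early warning only when the migration attribute exceeds the preset threshold.

    At or below the threshold nothing is raised, so data that is merely read in
    place does not page anyone.  Above it, the warning carries both the early
    warning level (from the migration attribute) and the control level (from the
    key fields) so the recipient can prioritise the response.
    """
    if migration_attribute <= migration_threshold:
        return None
    level, colour = warning_level(migration_attribute)
    lvl = control_level(record)
    msg = (f"early warning {level} ({colour}): control level {lvl} data migrated "
           f"{migration_attribute} times (threshold {migration_threshold})")
    return EarlyWarning(level, colour, migration_attribute, lvl, msg)


if __name__ == "__main__":
    sample = {"real_name": "constructed", "phone": "000", "order_id": 42}  # constructed record
    print(evaluate(sample, migration_attribute=7))
```

The two lookups are kept separate on purpose: the text derives the early warning level from the migration attribute alone, and the control level from the key fields; combining them into a single score would be a design decision the text does not make.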
It should be noted that the technical solution of this embodiment may be implemented on a data security management and control system which, as shown in Fig. 3, may include a display module, a security operation module, a to-be-controlled service data processing module, an early warning module and a system management module. The display module displays the content required by the currently logged-in user through an intelligent dashboard and presents the various data results, i.e. the data analysis view. The security operation module classifies and grades the service data and manages its life cycle. The to-be-controlled service data processing module screens the service data to be controlled out of the service data, stores it in a to-be-controlled service database, and determines the data migration path and data migration information when data migration of the service data to be controlled is detected. The early warning module performs risk early warning according to the data migration attribute when data migration of the service data to be controlled is detected. The system management module performs organization management, user information management, post and role management, external interface management and permission management.
According to the technical solution of this embodiment, the service data to be controlled corresponding to at least one service system is determined; when the data migration attribute of the service data to be controlled is detected to be greater than the preset migration threshold, the data migration path of the service data to be controlled and the corresponding data migration information are determined; and finally a data migration analysis graph is generated and displayed based on the data migration path and the data migration information. This addresses the problems in the prior art that improper use or management of data storage devices may create a data leakage risk, and that a corresponding coping strategy is hard to determine when an information security problem occurs. It improves the security of service data during storage and processing, and when a data security problem occurs the data node at which the leakage happened can be located quickly, which effectively improves the efficiency and accuracy of data tracing.
Example two
Fig. 4 is a schematic structural diagram of a data security management and control apparatus according to a second embodiment of the present invention. As shown in Fig. 4, the apparatus includes a service data determining module 210, a data migration information determining module 220 and a data migration analysis graph generating module 230.
A service data determining module 210, configured to determine to-be-managed service data corresponding to at least one service system;
a data migration information determining module 220, configured to determine a data migration path of the service data to be managed and controlled and corresponding data migration information when it is detected that the data migration attribute of the service data to be managed and controlled is greater than a preset migration threshold; the data migration information comprises at least one of a migration node, a data type of the service data to be controlled and a data source of the service data to be controlled;
the data migration analysis graph generating module 230 is configured to generate and display a data migration analysis graph based on the data migration path and the data migration information.
According to the technical solution of this embodiment, the service data to be controlled corresponding to at least one service system is determined; when the data migration attribute of the service data to be controlled is detected to be greater than the preset migration threshold, the data migration path of the service data to be controlled and the corresponding data migration information are determined; and finally a data migration analysis graph is generated and displayed based on the data migration path and the data migration information. This addresses the problems in the prior art that improper use or management of data storage devices may create a data leakage risk, and that a corresponding coping strategy is hard to determine when an information security problem occurs. It improves the security of service data during storage and processing, and when a data security problem occurs the data node at which the leakage happened can be located quickly, which effectively improves the efficiency and accuracy of data tracing.
Optionally, the service data determining module 210 includes a service data acquiring unit and a service data processing unit.
A service data acquiring unit, configured to acquire service data corresponding to at least one service system;
and the service data processing unit is used for processing the service data based on a preset data identification method so as to obtain the service data to be controlled.
Optionally, the apparatus further comprises: the device comprises a data processing stage determining module and a data processing label generating module.
A data processing phase determination module for determining at least one data processing phase associated with a data lifecycle of the business data; the data life cycle is the whole process from data acquisition to data destruction of the service data;
and the data processing label generating module is used for determining data processing information corresponding to each data phase and generating a data processing label based on the data processing information so as to label corresponding business data.
Optionally, the data migration information determining module 220 includes a data operation log obtaining unit and a data operation log processing unit.
The data operation log acquiring unit is used for acquiring a data operation log corresponding to the service data to be controlled;
and the data operation log processing unit is used for performing traversal processing on the data operation log based on a preset data tracking method to obtain the data migration path and the data migration information.
Optionally, the data migration analysis graph generation module 230 includes a data migration information storage unit and a data migration analysis graph generation unit.
The data migration information storage unit is used for storing the data migration path and the data migration information to a target database;
and the data migration analysis chart generating unit is used for generating the data migration analysis chart based on a data migration analysis frame preset in the target database.
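As an added example (not the patent's own code) of the log traversal performed by the data operation log processing unit and of the input consumed by the data migration analysis graph generating unit, the following Python walks a constructed operation log for one data item in time order, reconstructs the migration path and migration information (migration nodes, data type, data source), counts the logged migration operations as the migration attribute, and renders the result as a Graphviz DOT graph. The log format, the node names, the set of operations treated as migrations, and the choice of "number of logged migration operations" as the migration attribute are assumptions; the sample log is constructed. It also flags a hop the log does not explain (a source node the data was never logged arriving at), which a tracing tool should surface rather than silently bridge.

```python
"""Traversal of a data operation log to recover a migration path and the
edges of a migration analysis graph.  Added example, not the patent's own
code.  The log format, node names, the set of migration operations and the
definition "migration attribute = number of logged migration operations"
are all assumptions made for illustration.
"""
from typing import List, NamedTuple, Optional

# Constructed sample log (assumed format: ts|data_id|op|src_node|dst_node|data_type).
# The last line shows cust-001 leaving a node it was never logged arriving at.
SAMPLE_LOG = """\
2022-08-02T09:00:00|cust-001|read|crm-db|crm-db|customer
2022-08-02T09:05:00|cust-001|export|crm-db|analytics-etl|customer
2022-08-02T09:20:00|cust-001|copy|analytics-etl|report-share|customer
2022-08-02T10:00:00|order-77|export|order-db|bi-warehouse|order
2022-08-02T11:30:00|cust-001|copy|laptop-17|usb-drive|customer
"""

MIGRATION_OPS = {"export", "copy", "move"}  # ops that move data between nodes (assumption)


class LogEntry(NamedTuple):
    ts: str
    data_id: str
    op: str
    src: str
    dst: str
    data_type: str


class Edge(NamedTuple):
    src: str
    dst: str
    op: str      # "unlogged" marks a hop inferred from a gap in the log
    ts: str


class MigrationInfo(NamedTuple):
    data_id: str
    data_type: str
    source: str               # data source: first node the data was seen at
    path: List[str]           # migration nodes in order of first appearance
    edges: List[Edge]         # edges for the migration analysis graph
    migration_attribute: int  # number of logged migration operations


def parse_log(text: str) -> List[LogEntry]:
    """Parse pipe-separated lines; malformed lines are skipped rather than trusted."""
    entries = []
    for line in text.splitlines():
        parts = line.strip().split("|")
        if len(parts) == 6:
            entries.append(LogEntry(*parts))
    return entries


def trace(entries: List[LogEntry], data_id: str) -> Optional[MigrationInfo]:
    """Walk the migration operations for one data id in time order.

    Each operation's source should already be a node on the path.  If it is
    not, the log has a gap (an unlogged hop) between the last known node and
    that source; it is recorded as an "unlogged" edge so the graph shows where
    visibility was lost instead of hiding it.
    """
    ops = sorted((e for e in entries if e.data_id == data_id and e.op in MIGRATION_OPS),
                 key=lambda e: e.ts)
    if not ops:
        return None
    path = [ops[0].src]
    edges: List[Edge] = []
    for e in ops:
        if e.src not in path:
            edges.append(Edge(path[-1], e.src, "unlogged", e.ts))
            path.append(e.src)
        if e.dst not in path:
            path.append(e.dst)
        edges.append(Edge(e.src, e.dst, e.op, e.ts))
    return MigrationInfo(data_id, ops[0].data_type, ops[0].src, path, edges, len(ops))


def to_dot(info: MigrationInfo) -> str:
    """Render the migration graph as Graphviz DOT; unlogged hops are drawn dashed."""
    lines = [f'digraph "{info.data_id}" {{']
    for e in info.edges:
        attrs = ' [style=dashed, label="unlogged"]' if e.op == "unlogged" else f' [label="{e.op}"]'
        lines.append(f'  "{e.src}" -> "{e.dst}"{attrs};')
    lines.append("}")
    return "\n".join(lines)


if __name__ == "__main__":
    info = trace(parse_log(SAMPLE_LOG), "cust-001")
    print(info.path, "migration attribute =", info.migration_attribute)
    print(to_dot(info))
```

The "unlogged" edge is attached to the last node on the path as a best guess of where the data left the monitored nodes; in a real deployment the gap itself is the finding, since it means a copy happened on a node that did not emit an operation log.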
Optionally, the apparatus further comprises: the early warning device comprises an early warning grade determining module and an early warning information issuing module.
The early warning grade determining module is used for determining an early warning grade based on the data migration attribute when the data migration attribute of the service data to be controlled is detected to be larger than a preset migration threshold;
and the early warning information issuing module is used for carrying out early warning according to the early warning grade and issuing early warning information.
Optionally, the apparatus further comprises a control level determining module.
The control level determining module is configured to determine, based on a predetermined control level determination rule, the control level corresponding to the service data to be controlled, so that the service data to be controlled is processed according to that control level.
The data security management and control device provided by the embodiment of the invention can execute the data security management and control method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
Example three
FIG. 5 illustrates a schematic diagram of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital assistants, cellular phones, smart phones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 5, the electronic device 10 includes at least one processor 11, and a memory communicatively connected to the at least one processor 11, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, and the like, wherein the memory stores a computer program executable by the at least one processor, and the processor 11 can perform various suitable actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from a storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data necessary for the operation of the electronic apparatus 10 can also be stored. The processor 11, the ROM 12, and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
A number of components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, or the like; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, or the like. The processor 11 performs the various methods and processes described above, such as the data security management method.
In some embodiments, the data security management method may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the data security management method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the data security management method by any other suitable means (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be implemented in digital electronic circuitry, integrated circuitry, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems on a Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include implementation in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for implementing the methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on a machine, as a stand-alone software package partly on a machine and partly on a remote machine or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user can be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the Internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
It should be understood that various forms of the flows shown above may be used, with steps reordered, added, or deleted. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (10)
1. A data security management and control method is characterized by comprising the following steps:
determining to-be-controlled service data corresponding to at least one service system;
when detecting that the data migration attribute of the service data to be controlled is greater than a preset migration threshold value, determining a data migration path of the service data to be controlled and corresponding data migration information; the data migration information comprises at least one of a migration node, a data type of the service data to be controlled and a data source of the service data to be controlled;
and generating and displaying a data migration analysis graph based on the data migration path and the data migration information.
2. The method according to claim 1, wherein the determining the service data to be controlled corresponding to at least one service system comprises:
acquiring service data corresponding to at least one service system;
and processing the service data based on a preset data identification method to obtain the service data to be controlled.
3. The method of claim 2, further comprising:
determining at least one data processing phase associated with a data life cycle of the service data; the data life cycle is the whole process from data acquisition to data destruction of the service data;
and determining data processing information corresponding to each data phase, and generating a data processing label based on the data processing information so as to label corresponding business data.
4. The method according to claim 1, wherein the determining the data lineage (data migration path) of the service data to be controlled and the corresponding data migration information comprises:
acquiring a data operation log corresponding to the service data to be controlled;
and traversing the data operation log based on a preset data tracking method to obtain the data migration path and the data migration information.
5. The method of claim 1, wherein generating a data migration analysis graph based on the data migration path and the data migration information comprises:
storing the data migration path and the data migration information to a target database;
and generating the data migration analysis diagram based on a data migration analysis framework preset in the target database.
6. The method of claim 1, further comprising:
when detecting that the data migration attribute of the service data to be controlled is greater than a preset migration threshold value, determining an early warning level based on the data migration attribute;
and carrying out early warning according to the early warning grade and issuing early warning information.
7. The method of claim 1, further comprising:
determining, based on a predetermined control level determination rule, the control level corresponding to the service data to be controlled, so as to process the service data to be controlled based on the control level.
8. A data security management and control device is characterized by comprising:
the service data determining module is used for determining service data to be controlled corresponding to at least one service system;
the data migration information determining module is used for determining a data migration path of the service data to be controlled and corresponding data migration information when detecting that the data migration attribute of the service data to be controlled is greater than a preset migration threshold; the data migration information includes at least one of a migration node, a data type of the service data to be controlled, and a data source of the service data to be controlled;
and the data migration analysis graph generation module is used for generating and displaying a data migration analysis graph based on the data migration path and the data migration information.
9. An electronic device, characterized in that the electronic device comprises:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the data security management method of any one of claims 1-7.
10. A computer-readable storage medium storing computer instructions for causing a processor to perform the data security management method of any one of claims 1-7 when executed.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210921916.5A CN115238292A (en) | 2022-08-02 | 2022-08-02 | Data security management and control method and device, electronic equipment and storage medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210921916.5A CN115238292A (en) | 2022-08-02 | 2022-08-02 | Data security management and control method and device, electronic equipment and storage medium |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115238292A true CN115238292A (en) | 2022-10-25 |
Family
ID=83676752
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210921916.5A Pending CN115238292A (en) | 2022-08-02 | 2022-08-02 | Data security management and control method and device, electronic equipment and storage medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115238292A (en) |
Events: 2022-08-02 CN CN202210921916.5A patent/CN115238292A/en active Pending
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117709517A (en) * | 2023-11-24 | 2024-03-15 | 武汉索元数据信息有限公司 | Optimization information determining method and device |
CN117709517B (en) * | 2023-11-24 | 2024-05-10 | 武汉索元数据信息有限公司 | Optimization information determining method and device |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11295034B2 (en) | System and methods for privacy management | |
US20200160230A1 (en) | Tool-specific alerting rules based on abnormal and normal patterns obtained from history logs | |
US20170109657A1 (en) | Machine Learning-Based Model for Identifying Executions of a Business Process | |
CN112639845A (en) | Machine learning system and method for determining personal information search result credibility | |
US20170109676A1 (en) | Generation of Candidate Sequences Using Links Between Nonconsecutively Performed Steps of a Business Process | |
US8856144B2 (en) | Typed relevance scores in an identity resolution system | |
US20200327470A1 (en) | Cognitively-Derived Knowledge Base of Supply Chain Risk Management | |
CN104956376A (en) | Method and technique for application and device control in a virtualized environment | |
US20170109636A1 (en) | Crowd-Based Model for Identifying Executions of a Business Process | |
US11373101B2 (en) | Document analyzer | |
US20180089304A1 (en) | Generating parsing rules for log messages | |
US20170109639A1 (en) | General Model for Linking Between Nonconsecutively Performed Steps in Business Processes | |
US11171835B2 (en) | Automated generation of an information technology asset ontology | |
CN110955801B (en) | Knowledge graph analysis method and system for cognos report indexes | |
US20230281249A1 (en) | Computer-implemented methods, systems comprising computer-readable media, and electronic devices for enabled intervention into a network computing environment | |
US20170109638A1 (en) | Ensemble-Based Identification of Executions of a Business Process | |
US20170109640A1 (en) | Generation of Candidate Sequences Using Crowd-Based Seeds of Commonly-Performed Steps of a Business Process | |
US11687598B2 (en) | Determining associations between services and computing assets based on alias term identification | |
CN115204733A (en) | Data auditing method and device, electronic equipment and storage medium | |
CN117609994B (en) | Non-invasive data monitoring method and system based on data security | |
CN115238292A (en) | Data security management and control method and device, electronic equipment and storage medium | |
US20170109670A1 (en) | Crowd-Based Patterns for Identifying Executions of Business Processes | |
US20170109637A1 (en) | Crowd-Based Model for Identifying Nonconsecutive Executions of a Business Process | |
CN116149824A (en) | Task re-running processing method, device, equipment and storage medium | |
CN115906135A (en) | Tracing method and device for target data leakage path, electronic equipment and storage medium |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||