CN115296883A - Method and device for data security access and electronic equipment - Google Patents


Publication number: CN115296883A
Authority: CN (China)
Prior art keywords: user; data; resource server; file data; storage space
Legal status: Pending
Application number: CN202210914426.2A
Other languages: Chinese (zh)
Inventors: 王伟, 王辉, 顾春辉, 侯汉书
Current assignee: Hangzhou Hufu Network Co ltd
Original assignee: Hangzhou Hufu Network Co ltd
Priority date: 2022-08-01
Filing date: 2022-08-01
Publication date: 2022-11-04
Application filed by Hangzhou Hufu Network Co ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/02: Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/06: Protocols specially adapted for file transfer, e.g. file transfer protocol [FTP]
    • H04L67/08: Protocols specially adapted for terminal emulation, e.g. Telnet

Abstract

An embodiment of the application discloses a method for secure access to data, comprising the following steps: acquiring an access request of a user to a first resource server, and establishing a connection between the user and the first resource server; creating a first data storage space for the user, wherein the first data storage space is configured to store first file data acquired by the user from the first resource server, and the first file data is file data acquired by the user from the first resource server through a download right among configured first rights; and creating a second data storage space for the user, wherein the second data storage space is configured to store second file data acquired by the user from the first resource server, and the second file data is file data acquired by the user from the first resource server after the user submits a request and it is approved.

Description

Method and device for data security access and electronic equipment
Technical Field
The present application relates to the field of data security, and in particular, to a method and an apparatus for data security access, and an electronic device.
Background
With the rapid development of digitization, data is becoming increasingly valuable, and data security has become a focus of attention. Current data security schemes concentrate on database auditing, data desensitization, data encryption, data leakage prevention and the like, and struggle to provide secure data access and resource control in scenarios such as data sharing and secure third-party data access. The schemes currently used for secure data access, such as cloud desktops and bastion hosts, also have significant limitations and cannot solve the problems of operational data leakage and source code leakage.
Existing secure data access usually takes the form of a cloud desktop: data resources are deployed inside the cloud desktop to control the spread of data. However, this control is limited to data inside the cloud desktop, and data access outside the cloud desktop cannot be controlled.
Operation and maintenance personnel usually access core servers through a bastion host. However, personnel who come in through the bastion host can connect directly to the server and can directly obtain and download server data, so data security control cannot be enforced. Although some bastion hosts can restrict file downloads, they cannot control leakage through copy and paste or through photographing the screen when access is via SSH, VNC and similar modes, and so cannot meet the requirements of secure data access.
Disclosure of Invention
An embodiment of the present application provides a method, an apparatus, and an electronic device for secure access to data, so as to solve at least one of the above technical problems.
In order to achieve the above purpose, the embodiments of the present application adopt the following technical solutions:
In a first aspect, an embodiment of the present application provides a method for secure access to data, where the method includes:
acquiring an access request of a user to a first resource server, and establishing a connection between the user and the first resource server;
creating a first data storage space for the user, wherein the first data storage space is configured to store first file data acquired by the user from the first resource server, and the first file data is file data acquired by the user from the first resource server through a download right among configured first rights;
and creating a second data storage space for the user, wherein the second data storage space is configured to store second file data acquired by the user from the first resource server, and the second file data is file data acquired by the user from the first resource server after the user submits a request and it is approved.
In a second aspect, an embodiment of the present application provides a data security access apparatus, where the apparatus includes:
a first acquisition unit, configured to acquire an access request of a user to a first resource server and establish a connection between the user and the first resource server;
a first creating unit, configured to create a first data storage space for the user, where the first data storage space is configured to store first file data acquired by the user from the first resource server, and the first file data is file data acquired by the user from the first resource server through a download right among the configured first rights;
a second creating unit, configured to create a second data storage space for the user, where the second data storage space is configured to store second file data acquired by the user from the first resource server, and the second file data is file data acquired by the user from the first resource server after the user submits a request and it is approved.
In a third aspect, an embodiment of the present application provides an electronic device, which includes a processor and a memory, where at least one instruction, at least one program, a set of codes, or a set of instructions is stored in the memory, and the at least one instruction, the at least one program, the set of codes, or the set of instructions is executed by the processor to implement the method for modeling a methanol synthesis reactor network for a digital twin system according to any one of the first aspect or the method for securely accessing data according to the second aspect.
In a fourth aspect, embodiments of the present application provide a computer-readable storage medium having at least one instruction, at least one program, a set of codes, or a set of instructions stored therein, which is executed by a processor to implement the method for modeling a methanol synthesis reactor network for a digital twin system according to the first aspect or the method for secure access to data according to the second aspect.
The beneficial effects of the embodiments of the application are as follows: the embodiments provide a method and an apparatus for secure access to data and an electronic device, and at least some embodiments are based on a brand-new mechanism for the secure access, use and sharing of data resources, which is suitable for controlling the data resource access rights of both internal and external users and has the following advantages:
1. the right to use data is effectively separated from ownership of the data, preventing events such as data leakage and data tampering;
2. data resources are published inside a security domain, and resources inside the security domain can freely use the unified secure data disk;
3. every file that is requested to leave the security domain can be controlled and approved, which avoids data leakage;
4. users and data resources are completely isolated, which gives immunity to various automated attacks and fundamentally solves the problem of data leakage.
Drawings
Fig. 1 is a schematic flowchart of a method for secure data access according to an embodiment of the present application;
Fig. 2 is a schematic structural diagram of an apparatus for securely accessing data according to an embodiment of the present application;
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The technical solutions of the present application are further described in detail with reference to the following specific embodiments, and it is obvious that the described embodiments are only a part of the embodiments of the present application, but not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present application.
Existing secure data access usually takes the form of a cloud desktop: data resources are deployed inside the cloud desktop to control the spread of data. However, this control is limited to data inside the cloud desktop, and data access outside the cloud desktop cannot be controlled.
Operation and maintenance personnel usually access core servers through a bastion host. However, personnel who come in through the bastion host can connect directly to the server and can directly obtain and download server data, so data security control cannot be enforced. Although some bastion hosts can restrict file downloads, they cannot control leakage through copy and paste or through photographing the screen when access is via SSH, VNC and similar modes, and so cannot meet the requirements of secure data access.
Based on at least the above part of contents, embodiments of the present application provide a method, an apparatus, and an electronic device for secure access to data, so as to implement user-oriented secure restricted access and download of data resources.
The technical solutions provided by the embodiments of the present application are described in detail below with reference to the accompanying drawings.
Referring to fig. 1, a schematic flow chart of a method for secure access to data according to an embodiment of the present application is shown, where the method includes:
S101, acquiring an access request of a user to a first resource server, and establishing a connection between the user and the first resource server;
S102, creating a first data storage space for the user, wherein the first data storage space is configured to store first file data acquired by the user from the first resource server, and the first file data is file data acquired by the user from the first resource server through a download right among configured first rights;
S103, creating a second data storage space for the user, wherein the second data storage space is configured to store second file data acquired by the user from the first resource server, and the second file data is file data acquired by the user from the first resource server after the user submits a request and it is approved.
In one embodiment, based on a redirection-based cross-platform secure data sharing technology, an independent secure data disk (i.e., the first data storage space) is allocated to each user. When the user connects to a first resource server (e.g., a data resource platform), a mapping relationship is established and the first data storage space is mounted on the data resource server by redirection. The data resource server can operate directly on the contents of the first data storage space, downloaded file data is stored uniformly in the first data storage space, and data can also be shared between different resource servers through the first data storage space.
In one embodiment, the establishing the connection of the user with the first resource server includes:
determining a first connection mode of the first resource server based on the first type of the first resource server;
and establishing the connection between the user and the first resource server based on the first connection mode.
It can be understood that, in the above embodiments, different types of data resource servers are managed, and the connection and authentication modes of each data resource server are configured and stored. For example, a connection may be established with a data resource server through the SSH, VNC, RDP or K8S protocol; HTTP Tunnel technology encapsulates the protocol or application, so that a user can access the various data server resources directly through a browser. The database layer can be connected through the integrated DBeaver, and the system layer through RDP and VNC. All resource access is dispatched uniformly by gateways: the state and resources of the gateways are monitored, and an idle gateway is automatically selected for the connection, which yields a distributed data resource access architecture.
In one embodiment, the first data storage spaces of each user are independent of each other, and the second data storage spaces of each user are independent of each other.
It can be understood that, to ensure secure access to data, a secure data disk (that is, the first data storage space) is created independently for each user as an independent secure space. In some embodiments, the secure data disk may also store data in encrypted form; for example, an encryption algorithm such as a hash algorithm may be used, which is not limited in this application.
In one embodiment, when a user needs to send a file from the secure data disk (i.e., the first data storage space) to at least one second user:
the user sends a first instruction for sending the first file data to at least one second user;
and after the first instruction is approved, sending the first file data from the first data storage space to the second user.
It can be understood that, to ensure secure access to data, a permission check is performed when data is forwarded: a user without the download right must submit an approval request and can send and download the data only after it is approved.
In one embodiment, the first right further includes an access right through which the user accesses the file data in the first resource server.
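The flow of S101 to S103 and the approval-gated forwarding can be modelled as a small policy broker. This is an added illustration, not code from the application; the class, method and server-type names, the approver set and the choice to deliver forwarded files into the recipient's second space are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass, field

# SSH/RDP/VNC/K8S are the modes named on the page; the type keys are assumed.
MODE_BY_TYPE = {"linux": "SSH", "windows": "RDP", "desktop": "VNC", "cluster": "K8S"}

@dataclass
class Spaces:
    first: dict = field(default_factory=dict)   # filled via the download right
    second: dict = field(default_factory=dict)  # filled only after approval

@dataclass
class Request:
    id: int
    kind: str            # "download" or "forward"
    requester: str
    filename: str
    server: str = ""
    recipient: str = ""
    status: str = "pending"

class Broker:
    def __init__(self, servers, grants, approvers):
        self.servers = servers      # name -> {"type": str, "files": {name: bytes}}
        self.grants = grants        # (user, server) -> set of "access"/"download"
        self.approvers = approvers  # assumed: a configured set of approver names
        self.spaces = {}            # user -> Spaces, one independent pair per user
        self.connected = set()
        self.requests = {}

    def connect(self, user, server):
        """S101 to S103: connect by server type, then create both spaces."""
        if "access" not in self.grants.get((user, server), set()):
            raise PermissionError(f"{user} has no access right on {server}")
        mode = MODE_BY_TYPE[self.servers[server]["type"]]
        self.spaces.setdefault(user, Spaces())
        self.connected.add((user, server))
        return mode

    def _read(self, user, server, filename):
        if (user, server) not in self.connected:
            raise PermissionError("no established connection")
        return self.servers[server]["files"][filename]

    def download(self, user, server, filename):
        """Direct path: the download right is required to reach the first space."""
        data = self._read(user, server, filename)
        if "download" not in self.grants[(user, server)]:
            raise PermissionError("no download right; submit for approval")
        self.spaces[user].first[filename] = data

    def submit(self, kind, requester, filename, server="", recipient=""):
        """Queue a download or forward request; nothing moves until decided."""
        if kind == "download":
            self._read(requester, server, filename)
        elif kind != "forward":
            raise ValueError(kind)
        elif filename not in self.spaces[requester].first:
            raise FileNotFoundError(filename)
        req = Request(len(self.requests) + 1, kind, requester, filename, server, recipient)
        self.requests[req.id] = req
        return req.id

    def decide(self, req_id, approver, approve):
        req = self.requests[req_id]
        if req.status != "pending":
            raise ValueError("request already decided")
        # Assumption: requesters cannot approve their own requests.
        if approver not in self.approvers or approver == req.requester:
            raise PermissionError("not an eligible approver")
        req.status = "approved" if approve else "rejected"
        if approve and req.kind == "download":
            data = self.servers[req.server]["files"][req.filename]
            self.spaces[req.requester].second[req.filename] = data
        elif approve:
            # Assumption: a forwarded file lands in the recipient's second space.
            data = self.spaces[req.requester].first[req.filename]
            self.spaces.setdefault(req.recipient, Spaces()).second[req.filename] = data
        return req.status

def demo():
    # Constructed sample data: one server, two users, one approver.
    servers = {"db01": {"type": "linux", "files": {"report.csv": b"q3", "schema.sql": b"ddl"}}}
    grants = {("alice", "db01"): {"access", "download"}, ("bob", "db01"): {"access"}}
    broker = Broker(servers, grants, approvers={"carol"})
    mode = broker.connect("alice", "db01")
    broker.connect("bob", "db01")
    broker.download("alice", "db01", "report.csv")
    try:
        broker.download("bob", "db01", "schema.sql")
        blocked = False
    except PermissionError:
        blocked = True
    rid = broker.submit("download", "bob", "schema.sql", server="db01")
    pending_view = dict(broker.spaces["bob"].second)  # still empty before approval
    broker.decide(rid, "carol", True)
    fid = broker.submit("forward", "alice", "report.csv", recipient="bob")
    broker.decide(fid, "carol", False)                # rejected forward moves nothing
    return mode, blocked, pending_view, broker
```

The property worth checking in any real implementation is the one `demo()` exercises: a pending or rejected request leaves every storage space unchanged.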
In some embodiments, a watermark is loaded and the user's behavior is audited while the user uses the data resource server, and the user is isolated from the data resource server, so that the data stays under security control without ever landing locally.
It can be understood that there may be one or multiple first resource servers as described in the above embodiments. The first resource server may be a cloud server. For example, an application-oriented cloud sandbox isolation control technology may be adopted: cloud resources are virtualized into multiple independent sandbox environments, and applications built into the system, such as a remote browser, a remote database and a remote development tool, are preset in the sandbox. A user may select different applications to access cloud data resources. The sandbox environments are completely isolated from one another, a sandbox is automatically reset after disconnection, and an independent security domain is isolated between the application and the server, which implements application-oriented isolation control of data resources. The first resource server may also be a physical server, and in some embodiments some of the first resource servers are configured as cloud servers and some as physical servers.
Referring to fig. 2, a data security access apparatus according to an embodiment of the present application is shown, where the apparatus includes:
a first obtaining unit 201, configured to obtain an access request of a user to a first resource server, and establish a connection between the user and the first resource server;
a first creating unit 202, configured to create a first data storage space for the user, where the first data storage space is configured to store first file data acquired by the user from the first resource server, where the first file data is file data acquired by the user from the first resource server through a download right in the configured first rights;
a second creating unit 203, configured to create a second data storage space for the user, where the second data storage space is configured to store second file data acquired by the user from the first resource server, and the second file data is file data acquired by the user from the first resource server after the user submits a request and it is approved.
Referring to fig. 3, a schematic structural diagram of an electronic device according to an embodiment of the present application is shown, where the electronic device may include: at least one network interface 302, memory 303, and at least one processor 301. The various components in the electronic device are coupled together by a bus system 304. It will be appreciated that the bus system 304 is used to enable communications among the components. The bus system 304 includes a power bus, a control bus, and a status signal bus in addition to a data bus, but for clarity of illustration, the various buses are labeled as bus system 304 in FIG. 3.
In some embodiments, memory 303 stores the following elements, executable modules or data structures, or a subset thereof, or an expanded set thereof: an operating system 3031 and application programs 3032.
The operating system 3031 includes various system programs, such as a framework layer, a core library layer, and a driver layer, and is configured to implement various basic services and process hardware-based tasks. The application programs 3032 include various applications, such as a development tool (IDEA) and a browser, and are used to implement various application services. The program implementing the method of the embodiments of the present application may be included in the application programs.
In the above embodiment, the electronic device further includes: at least one instruction, at least one program, set of codes, or set of instructions stored on the memory 303, which is executable by the processor 301 to perform the steps of the method for secure access to data as described in any of the embodiments of the present application.
In one embodiment, the present application further provides a computer-readable storage medium having at least one instruction, at least one program, a set of codes, or a set of instructions stored therein, which when executed by a processor, implement the steps of the method for secure access to data described in any of the embodiments of the present application.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above may be implemented by a computer program instructing the relevant hardware, and that the at least one instruction, the at least one program, the code set, or the instruction set may be stored in a non-volatile computer-readable storage medium, and when executed, the at least one instruction, the at least one program, the code set, or the instruction set may implement the steps of any of the mapping methods described in the embodiments of the present application. Any reference to memory, storage, database or other medium used in the embodiments provided herein can include non-volatile and/or volatile memory. Non-volatile memory can include read-only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable programmable ROM (EEPROM), or flash memory. Volatile memory can include random access memory (RAM) or external cache memory. By way of illustration and not limitation, RAM is available in a variety of forms such as static RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDRSDRAM), enhanced SDRAM (ESDRAM), synchronous link DRAM (SLDRAM), Rambus direct RAM (RDRAM), direct Rambus dynamic RAM (DRDRAM), and Rambus dynamic RAM (RDRAM).
The embodiments of the present application have been described above with reference to the accompanying drawings, but the present application is not limited to the above-described embodiments, which are only illustrative and not restrictive; meanwhile, for a person skilled in the art, according to the idea of the present application, there may be variations in the specific embodiments and the application scope, which are within the protection scope of the present application.

Claims (10)

1. A method for secure access to data, the method comprising:
acquiring an access request of a user to a first resource server, and establishing a connection between the user and the first resource server;
creating a first data storage space for the user, wherein the first data storage space is configured to store first file data acquired by the user from the first resource server, and the first file data is file data acquired by the user from the first resource server through a download right among configured first rights;
and creating a second data storage space for the user, wherein the second data storage space is configured to store second file data acquired by the user from the first resource server, and the second file data is file data acquired by the user from the first resource server after the user submits a request and it is approved.
2. The method for secure access to data as claimed in claim 1, wherein establishing the connection between the user and the first resource server comprises:
determining a first connection mode of the first resource server based on a first type of the first resource server;
and establishing the connection between the user and the first resource server based on the first connection mode.
3. The method for secure access to data as claimed in claim 1, wherein the first data storage spaces of the users are independent of each other.
4. The method for secure access to data as claimed in claim 1, wherein the second data storage spaces of the users are independent of each other.
5. The method for secure access to data as claimed in claim 1, wherein the method further comprises the following steps:
the user sends a first instruction for sending the first file data to at least one second user;
after the first instruction is approved, the first file data is sent from the first data storage space to the second user.
6. The method for secure access to data as claimed in claim 2, wherein the connection mode between the user and the first resource server comprises any one of the SSH, VNC, RDP or K8S protocols.
7. The method for secure access to data as claimed in claim 1, wherein the first rights further include an access right, through which the user accesses the file data in the first resource server.
8. A data security access device, the device comprising:
a first acquisition unit, configured to acquire an access request of a user to a first resource server and establish a connection between the user and the first resource server;
a first creating unit, configured to create a first data storage space for the user, where the first data storage space is configured to store first file data acquired by the user from the first resource server, and the first file data is file data acquired by the user from the first resource server through a download right among configured first rights;
a second creating unit, configured to create a second data storage space for the user, where the second data storage space is configured to store second file data acquired by the user from the first resource server, and the second file data is file data acquired by the user from the first resource server after the user submits a request and it is approved.
9. An electronic device, characterized in that the electronic device comprises a processor and a memory, the memory storing at least one instruction, at least one program, a set of codes or a set of instructions to be executed by the processor to implement the method for secure access to data according to any of claims 1-7.
10. A computer-readable storage medium having stored therein at least one instruction, at least one program, a set of codes or a set of instructions for execution by a processor to perform the method for secure access to data as claimed in any of claims 1 to 7.
Priority Applications (1)

Application number: CN202210914426.2A (published as CN115296883A)
Priority date: 2022-08-01
Filing date: 2022-08-01
Title: Method and device for data security access and electronic equipment
Status: Pending

Publications (1)

Publication number: CN115296883A
Publication date: 2022-11-04

Family ID: 83827035

Country Status (1)

CN (1): CN115296883A


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination