CN115309840A - Classification and grading labeling method and equipment and data access control system - Google Patents

Info

Publication number: CN115309840A
Authority: CN (China)
Prior art keywords: classification, data, database, gateway, zero trust
Legal status: Pending
Application number: CN202211038405.5A
Other languages: Chinese (zh)
Inventor: 李文
Current Assignee: Beijing Congyun Technology Co ltd
Original Assignee: Beijing Congyun Technology Co ltd
Application filed by Beijing Congyun Technology Co ltd

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 Information retrieval of structured data, e.g. relational data > G06F16/28 Databases characterised by their database models, e.g. relational or object models > G06F16/284 Relational databases > G06F16/285 Clustering or classification
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 Information retrieval of structured data, e.g. relational data > G06F16/24 Querying > G06F16/245 Query processing > G06F16/2455 Query execution > G06F16/24553 Query execution of query operations
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6218 Protecting access to a system of files or objects, e.g. local or distributed file system or database


Abstract

The invention relates to a classification and grading labeling method, labeling equipment and a data access control system in the technical field of data security. Automatic labeling at the data level is realized through the classification and grading labeling equipment, which solves the technical problems of coarse data classification and lack of fine granularity in the prior art.

Description

Classification and grading labeling method and equipment and data access control system
Technical Field
The invention relates to the technical field of data security, in particular to a classification and grading marking method, classification and grading marking equipment and a data access control system.
Background
The development of technology has driven continuous progress in network technology. Before data access is carried out, the user completes knocking through Single Packet Authorization (SPA) and obtains access authority for the application server. After authorization succeeds, while the user accesses the application server the zero trust platform comprehensively evaluates the user's identity credibility and risk through terminal security perception capability, access-condition acquisition and analysis capability, the security state of the target application server and the like, so that the user's authority is dynamically raised or lowered, providing a more precise and rapid automatic risk response capability for the application scenario.
In order to improve information security, information service providers generally classify and grade information data according to the data classification and grading standards of countries, industries and the like, so that a reasonable minimum set of data access services is provided to users with different authorities, and the occurrence of events such as unauthorized access, secret leakage and violation of citizen privacy is reduced. Among these measures, data desensitization is a data security technique commonly used in the related art. However, in terms of identifying database visitors, existing database dynamic desensitization products basically perform dynamic desensitization on the query data of a connection according to the IP address of the application server connected to the database and the database account, so they can only identify and control authority at the application server level and cannot reach the user level of the service layer. In terms of data labeling of a database, existing data classification and grading products generally label database, table and column attributes and only achieve column-level grading rather than data-level grading, which is difficult to meet the requirements of some high-security-level application scenarios.
Therefore, the technical problems of coarse data classification and lack of fine granularity exist in the prior art.
Disclosure of Invention
In view of the above, the present invention provides a classification and grading labeling method, device and data access control system, so as to overcome the problems of coarse data classification and lack of fine granularity.
In order to achieve this purpose, the invention adopts the following technical scheme:
In one aspect, a classification and grading labeling method includes:
receiving target database scanning information sent by a zero trust database gateway, wherein the target database scanning information comprises a data structure table and a data table of a target database;
and carrying out attribute-level and/or data-level classification and grading labeling on the data structure table and the data table, and sending a classification and grading labeling result to the zero trust database gateway, so that the zero trust database gateway adds a classification and grading attribute column corresponding to the labeled data to the data structure table and/or the data table according to the classification and grading labeling result, and fills a corresponding classification and grading attribute value in the classification and grading attribute column corresponding to the labeled data to finish data-level labeling.
In another aspect, a data access control system includes a service server, a zero trust database gateway, a zero trust controller and classification and grading labeling equipment; the classification and grading labeling equipment is used for executing the classification and grading labeling method;
the service server is used for accessing the target database through the zero trust database gateway;
the zero trust controller is used for configuring the classification and grading authority of the user according to the configuration operation; after the user successfully logs in, the classification and grading authority of that user is sent to the zero trust gateway and the zero trust database gateway, so that the user can access the service server under that classification and grading authority;
the zero trust database gateway is used for receiving a query request sent by the service server, wherein the query request carries user identity information added as a query condition; parsing the query request, removing the query condition and acquiring the real user identity information; and querying information in the target database according to the real user identity information so as to send the query result to the service server.
Optionally, the zero trust database gateway is further configured to convert the classification and grading attribute value into an integer based on a preset rule.
Optionally, the zero trust database gateway is specifically configured to receive a query result, desensitize the query result according to the classification and grading authority corresponding to the user identity information, and send the desensitized result to the service server.
Optionally, the zero trust database gateway is specifically configured to supplement the query request with an authority screening condition according to the classification and grading authority corresponding to the real user identity information, query information in the target database according to the supplemented query request, receive the query result and send it to the service server.
Optionally, the zero trust controller is further configured to lower the classification and grading authority level of the user when an abnormal condition occurs, and to send the lowered classification and grading authority level to the zero trust gateway and the zero trust database gateway.
Optionally, the abnormal condition includes: the service server being attacked, the user side being attacked, and the user's access behavior being abnormal.
Optionally, the zero trust controller is further configured to judge whether the abnormal condition is over, restore the user's classification and grading authority level when it is over, and send the restored classification and grading authority level to the zero trust gateway and the zero trust database gateway.
In yet another aspect, a classification and grading labeling apparatus includes a processor and a memory, the processor being coupled to the memory:
the processor is used for calling and executing the program stored in the memory;
the memory is used for storing the program, and the program is at least used for executing the classification and grading labeling method.
The technical scheme provided by the invention has at least the following beneficial effects:
With the technical scheme provided by the invention, the classification and grading labeling equipment performs attribute-level and/or data-level classification and grading labeling according to the data structure table and the data table in the target database scanning information sent by the zero trust database gateway, and sends the classification and grading labeling result to the zero trust database gateway so that the gateway can perform data-level labeling. Automatic labeling at the data level is thus realized through the classification and grading labeling equipment, and the technical problems of coarse data classification and lack of fine granularity in the prior art are solved.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art are briefly described below. It is obvious that the drawings in the following description are only some embodiments of the present invention, and those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic flowchart of a classification and grading labeling method according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a classification and classification labeling apparatus according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a data access control system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be described in detail below. It should be apparent that the described embodiments are only some embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the examples given herein without making any creative effort, shall fall within the protection scope of the present invention.
In terms of identifying database visitors, existing database dynamic desensitization products basically perform dynamic desensitization on the query data of a connection according to the IP address of the application server connected to the database, the database account and the like; they can therefore only identify and control authority at the application server level and cannot reach the user level of the service layer. In terms of data labeling of a database, existing data classification and grading products generally label database, table and column attributes and only achieve column-level grading rather than data-level grading, which is difficult to meet the requirements of some high-security-level application scenarios.
Therefore, the technical problems of coarse data classification and lack of fine granularity exist in the prior art.
The main current application scenarios of data desensitization are access between application servers and databases, development/operations personnel accessing databases, and the like. Data desensitization is divided into two major techniques, static desensitization and dynamic desensitization. Static desensitization is mainly applied to conversion scenarios such as database copying and transferring a production database to a development database. Dynamic desensitization is mainly applied to real-time access data protection scenarios, such as between an application server and a database.
In terms of data labeling of a database, existing data classification and grading products generally label database, table and column attributes. In certain high-security-level application scenarios, different data rows in the same table have different access permissions, so the traditional scheme's classification and grading labeling of database data only reaches the column level and cannot reach the data level.
Meanwhile, existing data security products generally implement static authorization of an accessor's data based on an authority policy mapping configuration, and cannot dynamically update the authorization policy based on dynamic factors such as the accessor's current security environment, whether the accessor is under attack, and whether the accessor is still trusted.
Based on the above, the embodiments of the invention provide a classification and grading labeling method, classification and grading labeling equipment and a data access control system.
First, the data classification and grading technology and the database data dynamic desensitization technology used in the embodiments of the present application are briefly introduced.
Existing database classification and grading products mainly obtain the attribute names of databases, tables and columns through database table scanning, structure scanning and the like, establish a database ledger, and complete classification and grading labeling of the data outside the business database.
Database data dynamic desensitization technology: architecturally, data access control is at present mainly completed by dynamic desensitization of data, and database dynamic desensitization technology mainly adopts a database proxy mode, that is, the desensitization component/service runs independently and the service server accesses the real database through the desensitization component acting as proxy. In the SQL (Structured Query Language) request phase, the database desensitization component initializes desensitization policy rules according to whether the SQL is a query and which database table it accesses, analyzes the data returned by the SQL according to the rules, and executes desensitization with the corresponding dynamic desensitization algorithm according to the attribute type of each column. The data desensitization policy rules are specified at the granularity of the application server IP (Internet Protocol) address and the account from which the SQL originates.
Therefore, in the prior art, implementation by a third-party component is the current mainstream scheme; it meets general data desensitization scenarios but cannot be used in specific high-security scenarios. The following drawbacks exist: the data labeling granularity can only be set at the column level, not the data level; and the access control granularity is only the IP level of the service server and the account level of the service server's database account, not the real user level of the service server.
Fig. 1 is a schematic flowchart of a classification and grading labeling method according to an embodiment of the present invention. Referring to fig. 1, the classification and grading labeling method may include the following steps:
S11, receiving target database scanning information sent by the zero trust database gateway, wherein the target database scanning information comprises a data structure table and a data table of a target database.
The execution subject of the application can be classification and grading labeling equipment, and the database that needs to be accessed can be defined as the target database.
Specifically, the zero trust database gateway may be deployed in bypass mode in the user's server area and establishes a connection with the specified target database by configuring database access information, where the target database may be one or more databases; establishing the connection requires administrator access rights to the database. After the connection is established, the zero trust database gateway scans and reads the table structure and data, and sends the scanned data structure table and data table of the target database to the classification and grading labeling equipment.
For example, the scanned data structure table is shown in table 1, and the data table in table 2:
Table 1 data structure table
Attribute name | Type        | Remarks
Name           | Varchar(32) | User name
Age            | int(2)      | Age
Phone          | Varchar(32) | Telephone number
Email          | Varchar(64) | Mail address
TABLE 2 data sheet
[Table 2 appears only as images (Figures BDA0003819641250000061 and BDA0003819641250000071) in the original and is not reproduced here.]
S12, carrying out attribute-level and/or data-level classification and grading labeling on the data structure table and the data table, and sending the classification and grading labeling result to the zero trust database gateway, so that the zero trust database gateway adds a classification and grading attribute column for the labeled data to the data structure table and/or the data table according to the result, and fills the corresponding classification and grading attribute value into that column to complete data-level labeling.
It should be noted that an administrator may manually perform classification and grading labeling on the classification and grading labeling equipment, or the equipment may be set to label data automatically. Attribute-level and/or data-level classification and grading labeling is performed on the data structure table and the data table; when labeling, the classification and the grade can be labeled separately.
For example, labeling can be divided into attribute-level labeling and data-level labeling. Attribute-level labeling marks an attribute of the data structure table and at the same time gives the labeled classification and grading value to all data of that attribute. If a specified attribute of a single data record in the data table is labeled, that data-level label value overrides the column-level label value.
For example, table 3 is a labeled data table provided in the embodiments of the present application.
TABLE 3 labeled data sheet
Name      | Age 【G1_5】 | Phone 【G2_10】      | Email
Zhang San | 20 [G1_6]   | 13888888888         | zhangsan@a.com
Li Si     | 25          | 18077776666 [G2_12] | lisi@a.com
Wangsan   | 30          | 13688885555         | wanger@a.com
See table 3, where 【】 denotes an attribute-level label and [] denotes a data-level label; if no data-level label is applied, the attribute-level value is used; data that does not need protection, such as the Email field, may be left unlabeled.
In the label content, G denotes the classification, and G1 and G2 denote different data classes. The number after the separator ("_" in the tables, also written "-" in this description) denotes the grade: G1-5 (G1_5) denotes class 1, level 5. Users can also set their own labeling standards as required.
After the classification and grading labeling equipment finishes labeling, it sends the classification and grading labeling result to the zero trust database gateway; on receiving the result, the gateway adds a classification and grading attribute column for the data to the corresponding table and fills the corresponding classification and grading attribute value into it, completing the data-level labeling. For example, table 4 is a data table labeled by the zero trust database gateway according to an embodiment of the present invention.
TABLE 4
Name      | Age | Phone       | Email          | Age_L     | Phone_L
Zhang San | 20  | 13888888888 | zhangsan@a.com | 16 (G1_6) | 110 (G2_10)
Li Si     | 25  | 18077776666 | lisi@a.com     | 15 (G1_5) | 112 (G2_12)
Wangsan   | 30  | 13688885555 | wanger@a.com   | 15 (G1_5) | 110 (G2_10)
The classification and grading attribute column corresponding to an attribute column is denoted by adding the suffix "_L" to the original attribute column name. In table 4, Age_L is the classification and grading label column added for the Age attribute column, and Phone_L is the one added for the Phone attribute column. Meanwhile, for convenience of grade calculation, the classification and grading values are uniformly converted to integer grades according to a certain rule.
In some embodiments, the zero trust database gateway is further configured to convert the classification and grading attribute value into an integer based on a preset rule.
For example, to avoid grade conflicts, relatively large gaps are left between different classes, so that the class a value belongs to can be told at a glance from its magnitude; for example G1=10, G2=100, G3=1000 and so on. G1-6 is then converted to 10+6=16, and G2-10 is converted to 1000+10=1010.
It can be understood that, with the technical scheme provided by the invention, the classification and grading labeling equipment performs attribute-level and/or data-level classification and grading labeling according to the data structure table and the data table in the target database scanning information sent by the zero trust database gateway, and sends the classification and grading labeling result to the zero trust database gateway so that the gateway can perform data-level labeling. Automatic labeling at the data level is thus realized through the classification and grading labeling equipment, and the technical problems of coarse data classification and lack of fine granularity in the prior art are solved.
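The labeling step (Table 3 to Table 4) and the integer conversion rule, as an added Python example; this is not code from the patent or its assignee. It assumes the class bases G1=10, G2=100, G3=1000 as given in the description, taking the Phone_L values of Table 4 (110, 112) as the reference for G2, and uses constructed sample rows copied from Table 3; data-level labels override the attribute-level label of their column, and an attribute with no label gets no _L column.

```python
import re

# Class base values following the preset rule in the description (G1 = 10,
# G2 = 100, G3 = 1000): classes differ by orders of magnitude, so the class of
# an integer grade is visible from its magnitude alone.
CLASS_BASE = {"G1": 10, "G2": 100, "G3": 1000}
LABEL_RE = re.compile(r"^(G\d+)_(\d+)$")   # label form used in Tables 3 and 4, e.g. G1_5


def label_to_int(label):
    """Convert a 'Gc_l' label to the integer grade base(Gc) + l, e.g. G1_6 -> 16."""
    m = LABEL_RE.match(label)
    if not m or m.group(1) not in CLASS_BASE:
        raise ValueError(f"unknown label {label!r}")
    return CLASS_BASE[m.group(1)] + int(m.group(2))


def int_to_label(grade):
    """Inverse: the largest base not exceeding the grade gives the class, the rest the level."""
    for cls, base in sorted(CLASS_BASE.items(), key=lambda kv: -kv[1]):
        if grade >= base:
            return f"{cls}_{grade - base}"
    raise ValueError(f"grade {grade} belongs to no class")


def apply_labels(rows, attribute_labels, data_labels):
    """Turn a labeled data table (Table 3) into the gateway form (Table 4).

    rows: the data table as a list of dicts.
    attribute_labels: attribute-level labels {attr: label}; apply to every value of the column.
    data_labels: data-level labels {(row_index, attr): label}; each overrides the
                 attribute-level label for that single value.
    Every labeled attribute gets an '<attr>_L' column holding the integer grade;
    an attribute with no label at all (Email) gets no _L column.
    """
    labeled_attrs = set(attribute_labels) | {attr for _, attr in data_labels}
    result = []
    for i, row in enumerate(rows):
        out = dict(row)
        for attr in labeled_attrs:
            label = data_labels.get((i, attr), attribute_labels.get(attr))
            if label is not None:
                out[attr + "_L"] = label_to_int(label)
        result.append(out)
    return result


# Constructed sample: the rows and labels of Table 3 in the description.
ROWS = [
    {"Name": "Zhang San", "Age": 20, "Phone": "13888888888", "Email": "zhangsan@a.com"},
    {"Name": "Li Si", "Age": 25, "Phone": "18077776666", "Email": "lisi@a.com"},
    {"Name": "Wangsan", "Age": 30, "Phone": "13688885555", "Email": "wanger@a.com"},
]
ATTR_LABELS = {"Age": "G1_5", "Phone": "G2_10"}            # 【G1_5】 and 【G2_10】 in Table 3
DATA_LABELS = {(0, "Age"): "G1_6", (1, "Phone"): "G2_12"}  # [G1_6] and [G2_12] in Table 3

if __name__ == "__main__":
    for r in apply_labels(ROWS, ATTR_LABELS, DATA_LABELS):
        print(r["Name"], r["Age_L"], int_to_label(r["Age_L"]),
              r["Phone_L"], int_to_label(r["Phone_L"]))
```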
Based on a general inventive concept, the embodiment of the present invention further provides a classification and grading marking device.
Fig. 2 is a schematic structural diagram of a classification and grading labeling apparatus according to an embodiment of the present invention, used to implement the foregoing method embodiment. As shown in fig. 2, the classification and grading labeling apparatus of this embodiment includes a processor 21 and a memory 22, the processor 21 being connected to the memory 22. The processor 21 is used for calling and executing the program stored in the memory 22; the memory 22 is used for storing a program which at least executes the classification and grading labeling method of the above embodiment.
The specific implementation of the classification and classification labeling apparatus provided in the embodiment of the present application may refer to the implementation of the classification and classification labeling method in any of the above embodiments, which is not described herein again.
Based on a general inventive concept, embodiments of the present invention also provide a data access control system.
Fig. 3 is a schematic structural diagram of a data access control system according to an embodiment of the present invention, and referring to fig. 3, the system according to the embodiment of the present application may include the following structures:
a service server 31, a zero trust database gateway 32, a zero trust controller 33 and classification and grading labeling equipment 34; the classification and grading labeling equipment is used for executing the classification and grading labeling method described in the above embodiment.
The service server is used for accessing the target database A through the zero trust database gateway;
the zero trust controller is used for configuring the classification and grading authority of the user according to the configuration operation; after the user successfully logs in, the classification and grading authority of that user is sent to the zero trust gateway and the zero trust database gateway, so that the user can access the service server under that classification and grading authority;
the zero trust database gateway is used for receiving a query request sent by the service server, wherein the query request carries user identity information added as a query condition; parsing the query request, removing the query condition and acquiring the real user identity information; and querying information in the target database according to the real user identity information so as to send the query result to the service server.
Here the service server's access configuration for the target database can be adjusted. For example, the original service address of the target database is 192.168.100.1:3306;
the service server account/password is a/123456;
the administrator account/password is admin/123456;
the zero trust database gateway service address is 192.168.100.2;
the service server account/password on the gateway is b/123456;
the database proxied by the zero trust database gateway is configured as 192.168.100.1.
The target database connection information of the service server is then modified:
192.168.100.1, a/123456 becomes 192.168.100.2, b/123456, after which the service server's subsequent database access goes through the zero trust database gateway proxy.
In this application, the classification and grading authority of authorized access users can be configured on the zero trust controller. For example, admin1 (G1-5) means that administrator admin1 may access data in class G1 at level 5 and below; admin2 (G1-10, G2_10) means that administrator admin2 may access data in class G1 at level 10 and below and in class G2 at level 10 and below.
After administrators admin1 and admin2 each log in through the zero trust controller, the zero trust controller issues the users' data authorization configuration to the zero trust gateway and the zero trust database gateway:
admin1 (G1_5, G2_0), where G2_0 is added automatically and denotes no authority for that class;
admin2 (G1_10, G2_10).
Administrators admin1 and admin2 then access the service server under the labeled classification and grading authority.
After receiving the query request sent by the service server, the zero trust database gateway removes the query condition, acquires the real user identity information, queries information in the target database according to the real user identity information, and sends the query result to the service server.
In some embodiments, the zero trust database gateway is specifically configured to receive the query result, desensitize the query result according to the classification and grading authority corresponding to the user identity information, and send the desensitized result to the service server.
Specifically, the service server sends the query request as SQL; based on session control and the like, the service server obtains the user name that triggered the current service SQL, adds a specified query condition, and carries the user information out through that SQL query condition.
For example, the original query request is:
query the USER list: SELECT * FROM USER
When administrator 1 issues it, the SQL statement formed is:
SELECT * FROM USER WHERE reqUserName='admin1'
When administrator 2 issues a conditional query, the SQL statement formed is:
SELECT * FROM USER WHERE age>=20 AND reqUserName='admin2'
Here reqUserName is the added specified query condition and identifies the user; the zero trust database gateway parses the SQL statement, extracts the current real application-server access user name from the specified condition, removes that condition from the SQL statement and forwards the statement to the database.
For example, after administrator 1's SQL statement reaches the zero trust database gateway, its real access user is resolved to admin1 from the reqUserName attribute, and after the redundant condition is removed the restored SQL statement is: SELECT * FROM USER.
In the same way, administrator 2's SQL statement is recognized and, after processing, the restored SQL statement is:
SELECT * FROM USER WHERE age>=20.
The zero trust database gateway intercepts the database's final query result, obtains the user's classification and grading authority from the identity of the current user, and, for values whose classification and grading attribute column does not meet the authority requirement, selects a dynamic desensitization algorithm according to the attribute type and business meaning, desensitizes those values in the query result, repacks the processed data and returns it to the service server.
For example, for administrator 1 with authority (G1_5), the data returned by the SQL request is checked against that authority, dynamic desensitization is performed on the fields that do not meet it, and the label columns are automatically removed; the result is shown in table 5:
TABLE 5
Name Age Phone Email
Zhang San 0 138****8888 zhangsan@a.com
Li Si 25 180****6666 lisi@a.com
Wangsan 30 136****5555 wanger@a.com
Referring to table 5, bold is the satisfied field and the tilt is the field that has undergone dynamic desensitization.
For Administrator 2, authorities (G1 _10, G2 _10), the results obtained after performing dynamic desensitization on data that does not meet the authority requirements are shown in Table 6:
TABLE 6
Name Age Phone Email
Zhang San 20 13888888888 zhangsan@a.com
Li Si 25 180****6666 lisi@a.com
Wangsan 30 13688885555 wanger@a.com
Referring to table 6, bold is the satisfied fields and the tilt is the fields that are dynamically desensitized.
In some embodiments, the zero trust database gateway is specifically configured to supplement the query request with an authority screening condition derived from the classification and grading authority of the real user identity, to query the target database with the supplemented request, and to receive the query result and send it to the service server.
When data of different sensitivity sit in the same table because they belong to the same business, or when different entity objects (rows) carry different security levels, it can be required for data security that an entity whose attributes are not all accessible is not accessible at all. Row-level access control is then applied: if any single attribute of a row does not meet the authority requirement, the whole row is not returned.
Specifically, the zero trust database gateway parses the SQL, reads the real application-side user name from the designated query condition, removes that condition from the statement and forwards the statement to the database. If the select list is a wildcard such as *, it is replaced by the real data column names of the table, so that the classification and grading attribute columns are never returned to the service server.
For example, when the SQL statement of administrator 1 reaches the zero trust database gateway, the real accessing user is resolved as admin1 from the reqUserName attribute. According to the authority G1_5 (corresponding calculated value 15), the redundant condition is removed, the wildcard is expanded and the authority screening conditions are appended, giving:
SELECT Name,Age,Phone,Email FROM USER WHERE Age_L<=15 AND Phone_L<=1000
In the same manner, the SQL statement of administrator 2 is recognized. According to the authorities G1_10 (corresponding calculated value 10+10=20) and G2_10 (corresponding calculated value 1020), the redundant condition is removed and the authority screening conditions are appended, giving:
SELECT Name,Age,Phone,Email FROM USER WHERE age>=20 AND Age_L<=20 AND Phone_L<=1020
The query mechanism of the target database itself then filters out the rows that do not satisfy these conditions; the data returned under these conditions are not analyzed or processed any further by the gateway and are passed straight to the service server.
For administrator 1 with authority G1_5, the data returned for the SQL request, after the label columns have been removed, are as follows:
TABLE 7
Name       Age  Phone        Email
Referring to Table 7, every row has at least one labelled column (here Phone, whose label exceeds the ceiling 1000 of G1_5 in all three rows, as the masked phones in Table 5 already show) that does not satisfy the authority, so the returned data are empty.
For administrator 2 with authorities (G1_10, G2_10), the rows returned under the supplemented conditions are shown in Table 8:
TABLE 8
Name       Age  Phone        Email
Zhang San  20   13888888888  zhangsan@a.com
Wangsan    30   13688885555  wanger@a.com
Referring to Table 8, Li Si has an attribute column (Phone) whose label does not satisfy the authority requirement, so that row is not returned at all.
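As an added illustration (not code from the patent or its applicant), the following Python simulates the zero trust database gateway described in the passages above. It extracts reqUserName and restores the statement the service server meant to run, then serves the query either in result-level mode (forward the restored SQL, desensitize every returned value whose label exceeds the user's ceiling, drop the label columns, as in Tables 5 and 6) or in row-level mode (expand * to the real data columns and append the authority screening conditions, as in Tables 7 and 8). The target database is an in-memory SQLite table. The sample rows, the Age_L/Phone_L label values, the desensitization functions, the ceilings 15/1000 and 20/1020 and the mapping of data columns to label columns are all constructed assumptions chosen so that the outputs reproduce the page's tables; the page does not specify how a grade such as G2_10 is turned into an integer, so the ceilings are stored directly. Two checks the page implies but does not spell out are added: a statement carrying zero or more than one reqUserName condition is refused rather than guessed at, and a user name for which the zero trust controller has issued no authority after login is rejected.

```python
import re
import sqlite3

# Constructed sample table (not the page's data). Age_L and Phone_L are the
# classification and grading attribute columns the gateway added; their values
# are chosen so that the four outputs match Tables 5-8 of the description.
USERS = [
    # Name,        Age, Phone,         Email,            Age_L, Phone_L
    ("Zhang San", 20, "13888888888", "zhangsan@a.com", 20,   1010),
    ("Li Si",     25, "18066666666", "lisi@a.com",     10,   1030),
    ("Wangsan",   30, "13688885555", "wanger@a.com",   10,   1010),
]
DATA_COLUMNS = ["Name", "Age", "Phone", "Email"]
LABEL_OF = {"Age": "Age_L", "Phone": "Phone_L"}   # data column -> label column (assumed)

# Per-user ceilings as pushed by the zero trust controller after login.
# admin1 = G1_5 -> 15 / 1000, admin2 = G1_10, G2_10 -> 20 / 1020 (page's worked values).
AUTHORITY = {
    "admin1": {"Age_L": 15, "Phone_L": 1000},
    "admin2": {"Age_L": 20, "Phone_L": 1020},
}

# Desensitization per attribute type (assumed): numeric -> 0, phone -> mask the middle.
DESENSITIZE = {
    "Age": lambda v: 0,
    "Phone": lambda v: v[:3] + "****" + v[-4:],
}

_REQ_USER = re.compile(r"reqUserName\s*=\s*'([^']*)'", re.IGNORECASE)


def strip_identity(sql):
    """Pull the real application user out of the reqUserName condition and
    restore the statement the service server originally meant to run."""
    matches = list(_REQ_USER.finditer(sql))
    if len(matches) != 1:
        # Zero or several identity conditions: never guess, never forward.
        raise ValueError("query must carry exactly one reqUserName condition")
    m = matches[0]
    user = m.group(1)
    if user not in AUTHORITY:
        # Only users whose authority the controller issued after login are known.
        raise PermissionError(f"no authority issued for user {user!r}")
    before, after = sql[:m.start()], sql[m.end():]
    if re.search(r"\s+AND\s*$", before, re.IGNORECASE):
        before = re.sub(r"\s+AND\s*$", "", before, flags=re.IGNORECASE)    # ... AND reqUserName=...
    elif re.match(r"\s*AND\s+", after, re.IGNORECASE):
        after = re.sub(r"^\s*AND\s+", " ", after, flags=re.IGNORECASE)     # reqUserName=... AND ...
    else:
        before = re.sub(r"\s+WHERE\s*$", "", before, flags=re.IGNORECASE)  # it was the only condition
    return " ".join((before + after).split()), user


def add_screening(sql, user):
    """Row-level mode: expand '*' to the real data columns (label columns stay
    hidden) and append the user's ceilings as extra WHERE conditions."""
    sql = re.sub(r"SELECT\s*\*\s*FROM", "SELECT " + ",".join(DATA_COLUMNS) + " FROM",
                 sql, flags=re.IGNORECASE)
    screen = " AND ".join(f"{col}<={val}" for col, val in AUTHORITY[user].items())
    joiner = " AND " if re.search(r"\bWHERE\b", sql, re.IGNORECASE) else " WHERE "
    return sql + joiner + screen   # assumes no ORDER BY / LIMIT after the WHERE clause


def desensitize(rows, user):
    """Result-level mode: every row comes back from the database; a value whose
    label exceeds the ceiling (or whose label is missing) is replaced, and the
    label columns are dropped from what the service server receives."""
    out = []
    for row in rows:
        rec = {}
        for col in DATA_COLUMNS:
            if col not in row:
                continue
            label = LABEL_OF.get(col)
            if label and (label not in row or row[label] > AUTHORITY[user][label]):
                rec[col] = DESENSITIZE[col](row[col])   # fail closed when no label came back
            else:
                rec[col] = row[col]
        out.append(rec)
    return out


def open_db():
    """In-memory stand-in for the target database, label columns already in place."""
    con = sqlite3.connect(":memory:")
    con.row_factory = sqlite3.Row
    con.execute("CREATE TABLE USER(Name TEXT, Age INTEGER, Phone TEXT, Email TEXT,"
                " Age_L INTEGER, Phone_L INTEGER)")
    con.executemany("INSERT INTO USER VALUES (?,?,?,?,?,?)", USERS)
    return con


def gateway(con, sql, row_level=False):
    """Handle one query from the service server and return the rows the user may see."""
    inner, user = strip_identity(sql)
    if row_level:
        return [dict(r) for r in con.execute(add_screening(inner, user))]
    return desensitize([dict(r) for r in con.execute(inner)], user)


if __name__ == "__main__":
    db = open_db()
    for sql in ("SELECT * FROM USER WHERE reqUserName='admin1'",
                "SELECT * FROM USER WHERE age>=20 AND reqUserName='admin2'"):
        print("result-level:", gateway(db, sql))
        print("row-level:   ", gateway(db, sql, row_level=True))
```

Running the script prints Tables 5 and 6 (result-level) and Tables 7 and 8 (row-level) for the two administrators. The regular-expression handling of reqUserName stands in for the SQL parser a real gateway would use; the point it preserves is that the identity literal is removed before anything reaches the database and is accepted only for a user the controller has authorized.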
In some embodiments, the zero trust controller is further configured to reduce the classification and grading authority level of a user when an abnormal condition occurs, and to send the reduced classification and grading authority level to the zero trust gateway and the zero trust database gateway.
In some embodiments, the abnormal condition includes: the service server is attacked, the user side is attacked, or the user's access behavior is abnormal.
For example, when the zero trust controller finds that the application server is under attack, that the user terminal is under attack, or that the user's access behavior is abnormal, it automatically reduces the user's access authorization, for instance lowering administrator 1 from G1_5 to G1_1, and issues the updated authorization rule to the zero trust database gateway. The rule takes effect there immediately, and subsequent requests are access-controlled with the reduced authority without any cooperating action by the administrator or the application server.
In some embodiments, the zero trust controller is further configured to judge whether the abnormal condition has ended, to restore the classification and grading authority level of the user when it has, and to send the restored classification and grading authority level to the zero trust gateway and the zero trust database gateway.
For example, when the zero trust controller finds that the risk has been relieved, it can automatically restore the authority of administrator 1 from G1_1 to G1_5. Once the updated authorization has been issued to the zero trust gateway and the zero trust database gateway, administrator 1 regains access to the related data, again without any coordinating action by the administrator or the application server.
It can be understood that, in the technical scheme provided by the application, the data stored in the target database are kept complete; what a user obtains differs according to the identity with which the target database is accessed, and when the user's identity or authority changes the obtained data change with it, which is what realizes dynamic desensitization.
According to the technical scheme, the classification and grading marking of data levels is completed by automatically adding marking columns, which addresses the problem that existing classification and grading systems mark data at too coarse a granularity. Adding a designated query condition lets the application server pass the real user through transparently, which addresses the problem that access control by previous database protection components could only be applied at the level of server IP addresses and database accounts, and meets the need for user-level fine-grained control in a zero trust environment. The row-level desensitization approach, which relies on the capabilities of the database itself, meets the performance and safety requirements of both high-security and high-performance scenarios, and differs from the usual approach of desensitizing after the database has returned the data. Through data-level desensitization and analysis of the classification and grading attribute columns in the database, the problems of storing and applying finer-grained, larger-scale data classification rules are solved, the requirement that a user obtain only least-privilege data is better guaranteed, and, in keeping with the zero trust concept, no component is trusted, including the application server, which further ensures the safety of the data.
It is understood that the same or similar parts in the above embodiments may be mutually referred to, and the same or similar parts in other embodiments may be referred to for the content which is not described in detail in some embodiments.
It should be noted that the terms "first," "second," and the like in the description of the present invention are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Further, in the description of the present invention, the meaning of "a plurality" means at least two unless otherwise specified.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.

Claims (9)

1. A classification and grading marking method is characterized by comprising the following steps:
receiving target database scanning information sent by a zero trust database gateway, wherein the target database scanning information comprises a data structure table and a data table of a target database;
and carrying out attribute-level and/or data-level classification and grading labeling on the data structure table and the data table, and sending a classification and grading labeling result to the zero trust database gateway, so that the zero trust database gateway adds a classification and grading attribute column corresponding to the labeled data to the data structure table and/or the data table according to the classification and grading labeling result, and fills a corresponding classification and grading attribute value in the classification and grading attribute column corresponding to the labeled data to finish data-level labeling.
2. A data access control system, comprising: a service server, a zero trust database gateway, a zero trust controller and a classification and grading labeling device, the classification and grading labeling device being used for executing the classification and grading labeling method of claim 1;
the service server is used for accessing the target database through the zero trust database gateway;
the zero trust controller is used for configuring the classification and grading authorities of users according to configuration operations, and, after a user logs in successfully, for sending the classification and grading authority of that user to a zero trust gateway and the zero trust database gateway, so that the user can access the service server under that classification and grading authority;
the zero trust database gateway is used for receiving a query request sent by the service server, the query request carrying user identity information added as a query condition; for parsing the query request, removing that query condition and obtaining the real user identity information; and for querying information in the target database according to the real user identity information so as to send a query result to the service server.
3. The system of claim 2, wherein the zero trust database gateway is further configured to convert the classification and grading attribute value into an integer based on a preset rule.
4. The system of claim 2, wherein the zero-trust database gateway is specifically configured to receive the query result, desensitize the query result according to the classification and classification authority corresponding to the user identity information, and send the desensitization result to the service server.
5. The system according to claim 2, wherein the zero-trust database gateway is specifically configured to supplement, according to the classification hierarchical rights corresponding to the real user identity information, a right screening condition in the query request, and query, according to the supplemented query request, information in the target database; and receiving a query result, and sending the query result to the service server.
6. The system of claim 2, wherein the zero trust controller is further configured to: when an abnormal condition occurs, reduce the classification and grading authority level of the user; and send the reduced classification and grading authority level to a zero trust gateway and the zero trust database gateway.
7. The system of claim 6, wherein the abnormal condition comprises: the service server is attacked, the user side is attacked, and the user access behavior is abnormal.
8. The system of claim 6, wherein the zero trust controller is further configured to: judge whether the abnormal condition has ended, restore the classification and grading authority level of the user when the abnormal condition has ended, and send the restored classification and grading authority level to a zero trust gateway and the zero trust database gateway.
9. A classification and grading labeling apparatus, comprising: a processor and a memory, the processor being coupled to the memory;
the processor is used for calling and executing a program stored in the memory;
the memory is used for storing the program, which performs at least the classification and grading labeling method of claim 1.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211038405.5A 2022-08-29 2022-08-29 Classification and grading labeling method and equipment and data access control system

Publications (1)

Publication Number Publication Date
CN115309840A 2022-11-08

Family

ID=83864867

Country Status (1)

Country Link
CN (1) CN115309840A (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117744129A (en) * 2023-09-18 2024-03-22 苏州天安慧网络运营有限公司 Intelligent operation and maintenance method and system based on CIM
CN117744129B (en) * 2023-09-18 2024-08-06 苏州天安慧网络运营有限公司 Intelligent operation and maintenance method and system based on CIM
CN117171800A (en) * 2023-10-23 2023-12-05 深圳竹云科技股份有限公司 Sensitive data identification method and device based on zero trust protection system
CN117171800B (en) * 2023-10-23 2024-02-06 深圳竹云科技股份有限公司 Sensitive data identification method and device based on zero trust protection system


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination