CN115309840A - Classification and grading labeling method and equipment and data access control system - Google Patents
- Publication number: CN115309840A (application CN202211038405.5A)
- Authority: CN (China)
- Prior art keywords: classification, data, database, gateway, zero trust
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications (CPC)
- G06F16/285—Clustering or classification (under G06F16/00 Information retrieval; database structures; file system structures; G06F16/20 structured data, e.g. relational data; G06F16/28 database models, e.g. relational or object models; G06F16/284 Relational databases)
- G06F16/24553—Query execution of query operations (under G06F16/24 Querying; G06F16/245 Query processing; G06F16/2455 Query execution)
- G06F21/6218—Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/60 Protecting data; G06F21/62 Protecting access to data via a platform)
Abstract
The invention relates to a classification and grading labeling method, classification and grading labeling equipment and a data access control system in the technical field of data security. The classification and grading labeling equipment labels the data structure table and data table of a target database at attribute level and/or data level and sends the result to a zero trust database gateway, which completes the data-level labeling. Automatic labeling at the data level is thereby achieved through the classification and grading labeling equipment, solving the prior-art problems of coarse data classification and missing fine granularity.
Description
Technical Field
The invention relates to the technical field of data security, in particular to a classification and grading marking method, classification and grading marking equipment and a data access control system.
Background
Advances in technology have driven the continuous progress of network technology. Before data access takes place, a user completes a knock through Single Packet Authorization (SPA) and obtains access authority to the application server. After authorization succeeds, while the user accesses the application server, the zero trust platform continuously evaluates the user's identity credibility and risk using terminal security perception, collection and analysis of access conditions, the security state of the target application server and the like, and dynamically elevates or degrades the user's authority accordingly, giving the application scenario a more precise and rapid automatic risk response capability.
To improve information security, information service providers generally classify and grade information data according to national, industry and other data classification and grading standards, so that users with different authorities receive a reasonable minimum set of data access services and events such as unauthorized access, leakage of secrets and violation of citizens' privacy are reduced. Data desensitization is a data security technique commonly used in the related art. However, in terms of identifying database visitors, existing database dynamic desensitization products basically apply dynamic desensitization to the query data of a connection according to the IP address of the application server and the database account used to connect to the database; they can only identify and control authority at the application server level, not at the user level of the service layer. In terms of labeling database data, existing data classification and grading products generally label the database, its tables and the attributes of those tables, i.e. they classify only at column level and cannot classify individual data, which makes it difficult to meet the requirements of some high-security-level application scenarios.
The prior art therefore suffers from coarse data classification and missing fine granularity.
Disclosure of Invention
In view of the above, the present invention provides a classification and grading labeling method, device and data access control system to overcome the problems of coarse data classification and missing fine granularity.
In order to realize the purpose, the invention adopts the following technical scheme:
in one aspect, a classification and grading labeling method includes:
receiving target database scanning information sent by a zero trust database gateway, wherein the target database scanning information comprises a data structure table and a data table of a target database;
and carrying out attribute-level and/or data-level classification and grading labeling on the data structure table and the data table, and sending a classification and grading labeling result to the zero trust database gateway, so that the zero trust database gateway adds a classification and grading attribute column corresponding to the labeled data to the data structure table and/or the data table according to the classification and grading labeling result, and fills a corresponding classification and grading attribute value in the classification and grading attribute column corresponding to the labeled data to finish data-level labeling.
In another aspect, a data access control system includes a service server, a zero trust database gateway, a zero trust controller and classification and grading labeling equipment, where the classification and grading labeling equipment executes the classification and grading labeling method;
the service server accesses the target database through the zero trust database gateway;
the zero trust controller configures the classification and grading authority of a user according to a configuration operation and, after the user logs in successfully, sends that user's classification and grading authority to a zero trust gateway and the zero trust database gateway, so that the logged-in user accesses the service server under that classification and grading authority;
the zero trust database gateway receives a query request sent by the service server, the query request carrying user identity information added as a query condition; parses the query request, removes that query condition and obtains the real user identity information; and queries information in the target database according to the real user identity information, so as to send the query result to the service server.
Optionally, the zero trust database gateway is further configured to convert the classification and grading attribute value into an integer based on a preset rule.
Optionally, the zero trust database gateway is specifically configured to receive the query result, desensitize it according to the classification and grading authority corresponding to the user identity information, and send the desensitized result to the service server.
Optionally, the zero trust database gateway is specifically configured to add an authority screening condition to the query request according to the classification and grading authority corresponding to the real user identity information, query information in the target database according to the supplemented query request, and receive the query result and send it to the service server.
Optionally, the zero trust controller is further configured to lower the classification and grading authority level of the user when an abnormal condition occurs, and to send the lowered classification and grading authority level to the zero trust gateway and the zero trust database gateway.
Optionally, the abnormal condition includes: the service server being attacked, the user side being attacked, and the user's access behaviour being abnormal.
Optionally, the zero trust controller is further configured to judge whether the abnormal condition has ended, restore the classification and grading authority level of the user when it has ended, and send the restored classification and grading authority level to the zero trust gateway and the zero trust database gateway.
In yet another aspect, a classification and grading labeling apparatus includes a processor and a memory, the processor being coupled to the memory:
the processor is used for calling and executing the program stored in the memory;
the memory is used for storing the program, and the program is at least used for executing the classification and grading marking method.
The technical scheme provided by the invention at least comprises the following beneficial effects:
With the technical scheme provided by the invention, the classification and grading labeling equipment performs attribute-level and/or data-level classification and grading labeling according to the data structure table and the data table in the target database scanning information sent by the zero trust database gateway, and sends the classification and grading labeling result to the zero trust database gateway so that the gateway performs data-level labeling. Automatic labeling at the data level is thus achieved through the classification and grading labeling equipment, solving the prior-art problems of coarse data classification and missing fine granularity.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of a classification and grading labeling method according to an embodiment of the present invention;
Fig. 2 is a schematic structural diagram of a classification and grading labeling apparatus according to an embodiment of the present invention;
fig. 3 is a schematic structural diagram of a data access control system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be described in detail below. It should be apparent that the described embodiments are only some embodiments of the present invention, and not all embodiments. All other embodiments, which can be derived by a person skilled in the art from the examples given herein without making any creative effort, shall fall within the protection scope of the present invention.
In terms of identifying database visitors, existing database dynamic desensitization products basically apply dynamic desensitization to the query data of a connection according to the IP address of the application server connected to the database, the database account and the like; they can only identify and control authority at the application server level, not at the user level of the service layer. In terms of labeling database data, existing data classification and grading products generally label the database, its tables and the attributes of those tables, i.e. they classify only at column level and cannot classify individual data, which makes it difficult to meet the requirements of some high-security-level application scenarios.
The prior art therefore suffers from coarse data classification and missing fine granularity.
The main current application scenarios of data desensitization are application servers accessing databases, development/operation and maintenance personnel accessing databases, and the like. Data desensitization divides into two major techniques, static desensitization and dynamic desensitization. Static desensitization mainly applies to conversion scenarios such as copying a database or transferring a production database to a development database. Dynamic desensitization mainly applies to real-time access scenarios, such as data protection between an application server and a database.
In terms of labeling database data, existing data classification and grading products generally label the database, its tables and the attributes of those tables. In certain high-security-level application scenarios, different data rows in the same table carry different access permissions, so the traditional scheme's classification and grading labeling of database data reaches only column level and cannot reach data level.
Meanwhile, the existing data security products generally implement static authorization of data of an accessor based on an authority policy mapping configuration mode, but cannot dynamically update an authorization policy based on dynamic factors such as the current security environment of the accessor, whether the accessor is attacked or not, whether the accessor is still trusted or not and the like.
Based on the above, the embodiment of the invention provides a classification and grading marking method, a classification and grading marking system and a data access control system.
First, the data classification and grading technology and the database data dynamic desensitization technology used in the embodiments of the present application are briefly introduced.
The existing database classification and grading products mainly acquire the attribute names of a database, a table and a column through database table scanning, structure scanning and the like, establish a database ledger and finish classification and grading marking of data outside a business database.
Dynamic desensitization technology of database data: architecturally, data access control is at present mainly accomplished by dynamic desensitization of data. Database dynamic desensitization technology mainly adopts a database proxy mode, i.e. the desensitization component/service runs independently and the service server accesses the real database through the desensitization component acting as proxy. In the SQL (Structured Query Language) request phase, the database desensitization component initializes desensitization policy rules according to whether the SQL is a query and which database table it accesses, analyzes the data returned by the SQL according to those rules, and executes desensitization with the dynamic desensitization algorithm corresponding to each column's attribute type. The data desensitization policy rules are specified at the granularity of the application server IP (Internet Protocol) address and account from which the SQL originates.
Therefore, in the prior art, implementation by a third-party component is the current mainstream scheme; it meets general data desensitization scenarios but cannot be used in specific high-security scenarios, and has the following drawbacks: the data labeling granularity can only be set at column level and does not reach data level; the access control granularity is only the IP level of the service server and the database account level of the service server, not the real user level of the service server.
Fig. 1 is a schematic flow chart of a classification and grading labeling method according to an embodiment of the present invention. Referring to fig. 1, the classification and grading labeling method according to an embodiment of the present invention may include the following steps:
S11, receiving target database scanning information sent by the zero trust database gateway, wherein the target database scanning information comprises a data structure table and a data table of a target database.
The executing subject of the application may be the classification and grading labeling device, and the database that needs to be accessed is defined as the target database.
Specifically, the zero trust database gateway may be deployed in the user's server area in bypass mode and establishes a connection with the specified target database by configuring database access information; the target database may be one or more databases, and administrator access rights to the database are required when the connection is established. After the connection is established, the zero trust database gateway performs table structure and data scanning and reading, and sends the scanned data structure table and data table of the target database to the classification and grading labeling equipment.
For example, the scanned data structure table is shown in Table 1 and the data table in Table 2:
Table 1 Data structure table
Attribute name | Type | Remarks
Name | Varchar(32) | User name
Age | int(2) | Age
Phone | Varchar(32) | Telephone number
Email | Varchar(64) | Mail address
Table 2 Data table
Name | Age | Phone | Email
Zhang San | 20 | 13888888888 | zhangsan@a.com
Li Si | 25 | 18077776666 | lisi@a.com
Wangsan | 30 | 13688885555 | wanger@a.com
S12, carrying out attribute-level and/or data-level classification and grading labeling on the data structure table and the data table, and sending a classification and grading labeling result to the zero trust database gateway, so that the zero trust database gateway adds a classification and grading attribute column corresponding to the labeled data to the data structure table and/or the data table according to the classification and grading labeling result, and fills a corresponding classification and grading attribute value in the classification and grading attribute column corresponding to the labeled data to finish data-level labeling.
It should be noted that an administrator may perform manual classification and grading labeling on the classification and grading labeling device, or the device may be set to label data automatically. Classification and grading labeling is applied to the data structure table and the data table at attribute level and/or data level, and the classification and the grade may be labeled separately.
For example, labeling methods can be divided into attribute-level labeling and data-level labeling. Attribute-level labeling labels an attribute of the data structure table and at the same time assigns the labeled classification and grading value to all data of that attribute. If a specified attribute of a single record in the data table is labeled, the data-level label of that attribute overrides the column-level value for that record.
For example, table 3 is a labeled data table provided in the embodiments of the present application.
Table 3 Labeled data table
Name | Age【G1_5】 | Phone【G2_10】 | Email
Zhang San | 20[G1_6] | 13888888888 | zhangsan@a.com
Li Si | 25 | 18077776666[G2_12] | lisi@a.com
Wangsan | 30 | 13688885555 | wanger@a.com
See Table 3, where 【 】 denotes an attribute-level label and [ ] a data-level label; where no data-level label is given, the attribute-level value applies; data that does not need protecting, such as the Email field, may also be left unlabeled.
In the label, G denotes a classification, with G1 and G2 being different data classifications. The number after "_" denotes the grade: G1_5 denotes classification 1, grade 5. Users may also set their own labeling standards as required.
After the classification and grading labeling equipment finishes labeling, it sends the classification and grading labeling result to the zero trust database gateway. On receiving the result, the zero trust database gateway adds a classification and grading attribute column for the data to the corresponding table and fills the corresponding classification and grading attribute value into that column, completing data-level labeling. For example, Table 4 is a data table labeled by the zero trust database gateway according to an embodiment of the present invention.
Table 4 Data table labeled by the zero trust database gateway
Name | Age | Phone | Email | Age_L | Phone_L
Zhang San | 20 | 13888888888 | zhangsan@a.com | 16 (G1_6) | 110 (G2_10)
Li Si | 25 | 18077776666 | lisi@a.com | 15 (G1_5) | 112 (G2_12)
Wangsan | 30 | 13688885555 | wanger@a.com | 15 (G1_5) | 110 (G2_10)
The classification and grading attribute column corresponding to an attribute column is named by appending the suffix "_L" to the original attribute column name. See Table 4, where Age_L is the classification and grading label column added for the Age attribute column and Phone_L is the one added for the Phone attribute column. For convenience of grade calculation, classification and grading values are converted uniformly into integer grades according to certain rules.
In some embodiments, the zero trust database gateway is further configured to convert the classification and grading attribute value into an integer based on a preset rule.
For example, to avoid grade conflicts, the base values of different classifications differ widely, so that the classification a value belongs to can be read directly from its magnitude: for example G1=10, G2=100, G3=1000 and so on. G1_6 is then converted to 10+6=16 and G2_10 to 100+10=110.
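As an added example that is not part of the patent, the following Python implements the labeling rules above: the attribute-level label with data-level override from Table 3, and the integer conversion with bases G1=10, G2=100, G3=1000, plus a check that a grade cannot spill into the next classification's range (the conflict the widely spaced bases are meant to avoid). The row data is a constructed copy of Table 2, and the collision check is an assumption added here.

```python
import re
from typing import Dict, List, Tuple

# Classification bases from the description: G1=10, G2=100, G3=1000.
CATEGORY_BASE = {"G1": 10, "G2": 100, "G3": 1000}

# A label is "<classification>_<grade>", e.g. G1_6 or G2_12 (the form used in Tables 3 and 4).
LABEL_RE = re.compile(r"^(G\d+)_(\d+)$")

# Constructed copy of Table 2 (the unlabeled data table).
ROWS = [
    {"Name": "Zhang San", "Age": 20, "Phone": "13888888888", "Email": "zhangsan@a.com"},
    {"Name": "Li Si", "Age": 25, "Phone": "18077776666", "Email": "lisi@a.com"},
    {"Name": "Wangsan", "Age": 30, "Phone": "13688885555", "Email": "wanger@a.com"},
]

# Attribute-level labels from the Table 3 header: Age【G1_5】, Phone【G2_10】; Email unlabeled.
ATTRIBUTE_LABELS = {"Age": "G1_5", "Phone": "G2_10"}

# Data-level labels keyed by (row index, attribute): Table 3 marks Zhang San's age [G1_6]
# and Li Si's phone [G2_12].
DATA_LABELS = {(0, "Age"): "G1_6", (1, "Phone"): "G2_12"}


def encode_label(label: str) -> int:
    """'G1_6' -> 16, 'G2_10' -> 110, 'G2_0' -> 100.

    Rejects a grade large enough to land in the next classification's range
    (G1_90 would equal 100 == G2_0): that is the conflict the widely spaced bases
    are meant to avoid, so it is treated as a labeling error (added check).
    """
    m = LABEL_RE.match(label)
    if m is None:
        raise ValueError(f"malformed label: {label!r}")
    classification, grade = m.group(1), int(m.group(2))
    base = CATEGORY_BASE[classification]  # KeyError for an unknown classification
    higher = [b for b in CATEGORY_BASE.values() if b > base]
    if higher and base + grade >= min(higher):
        raise ValueError(f"{label} collides with a higher classification")
    return base + grade


def is_valid_label(label: str) -> bool:
    """True only for labels that encode_label accepts."""
    try:
        encode_label(label)
    except (ValueError, KeyError):
        return False
    return True


def label_rows(rows: List[Dict], attribute_labels: Dict[str, str],
               data_labels: Dict[Tuple[int, str], str]) -> List[Dict]:
    """Produce Table 4: one integer "<attribute>_L" column per labeled attribute.

    Every value inherits the attribute-level label; a data-level label for that
    single (row, attribute) overrides it. Unlabeled attributes such as Email get
    no "_L" column at all.
    """
    labeled = []
    for index, row in enumerate(rows):
        out = dict(row)
        for attribute, default in attribute_labels.items():
            label = data_labels.get((index, attribute), default)
            out[f"{attribute}_L"] = encode_label(label)
        labeled.append(out)
    return labeled
```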
It can be understood that, with the technical scheme provided by the invention, the classification and grading labeling equipment performs attribute-level and/or data-level classification and grading labeling according to the data structure table and data table in the target database scanning information sent by the zero trust database gateway, and sends the labeling result to the zero trust database gateway so that the gateway performs data-level labeling. Automatic labeling at the data level is thus achieved through the classification and grading labeling equipment, solving the prior-art problems of coarse data classification and missing fine granularity.
Based on a general inventive concept, the embodiment of the present invention further provides a classification and grading marking device.
Fig. 2 is a schematic structural diagram of a classification and grading labeling apparatus according to an embodiment of the present invention, used to implement the foregoing method embodiment. As shown in fig. 2, the classification and grading labeling apparatus of this embodiment includes a processor 21 and a memory 22, the processor 21 being connected to the memory 22. The processor 21 is used to call and execute the program stored in the memory 22; the memory 22 is used to store the program, which at least executes the classification and grading labeling method of the above embodiment.
The specific implementation of the classification and grading labeling apparatus provided in the embodiment of the present application may refer to the implementation of the classification and grading labeling method in any of the above embodiments, which is not repeated here.
Based on a general inventive concept, embodiments of the present invention also provide a data access control system.
Fig. 3 is a schematic structural diagram of a data access control system according to an embodiment of the present invention, and referring to fig. 3, the system according to the embodiment of the present application may include the following structures:
a service server 31, a zero trust database gateway 32, a zero trust controller 33 and classification and grading labeling equipment 34; the classification and grading labeling equipment executes the classification and grading labeling method described in the above embodiment.
The service server is used for accessing the target database A through the zero trust database gateway;
the zero trust controller configures the classification and grading authority of a user according to a configuration operation; after the user logs in successfully, it sends that user's classification and grading authority to the zero trust gateway and the zero trust database gateway, so that the logged-in user accesses the service server with that classification and grading authority;
the zero trust database gateway is used for receiving a query request sent by the service server, wherein the query request carries user identity information added with query conditions; analyzing the query request, removing the query condition, and acquiring real user identity information; and inquiring information in the target database according to the real user identity information so as to send an inquiry result to the service server.
The access configuration of the service server can be adjusted so that it reaches the target database through the gateway. For example:
- original service address of the target database: 192.168.100.1:3306
- service server account/password: a/123456
- administrator account/password: admin/123456
- zero trust database gateway service address: 192.168.100.2
- service server account/password on the gateway: b/123456
- database proxied by the zero trust database gateway: 192.168.100.1
The target database connection information of the service server is then changed from 192.168.100.1, a/123456 to 192.168.100.2, b/123456, after which all subsequent database access by the service server goes through the zero trust database gateway proxy.
In the application, the classification and grading authority of authorized access users can be configured on the zero trust controller. For example, admin1 (G1_5) means that administrator admin1 may access data of classification G1 at grade 5 and below; admin2 (G1_10, G2_10) means that administrator admin2 may access data of classification G1 at grade 10 and below and of classification G2 at grade 10 and below.
After administrators admin1 and admin2 log in through the zero trust controller respectively, the zero trust controller issues data authorization configuration of users to the zero trust gateway and the zero trust database gateway:
admin1 (G1_5, G2_0), where G2_0 is added automatically and denotes no authority over that classification;
admin2 (G1_10, G2_10).
Administrators admin1 and admin2 then access the service server under the configured classification and grading authority.
After receiving the query request sent by the service server, the zero trust database gateway removes the query condition, obtains the real user identity information, queries information in the target database according to it, and sends the query result to the service server.
In some embodiments, the zero trust database gateway is specifically configured to receive the query result, desensitize the query result according to the classification and classification authority corresponding to the user identity information, and send the desensitization result to the service server.
Specifically, the service server sends a query request as SQL. Through session control and the like, the service server obtains the user name that triggered the current service SQL, adds it as a specified query condition, and thereby carries the user information within the SQL query condition.
For example, the original query request is to query the USER list:
SELECT * FROM USER
When administrator 1 uses it, the SQL statement becomes:
SELECT * FROM USER WHERE reqUserName='admin1'
When administrator 2 uses it with a conditional query, the SQL statement becomes:
SELECT * FROM USER WHERE age>=20 AND reqUserName='admin2'
Here reqUserName is the added specified query condition and identifies the user. The zero trust database gateway parses the SQL statement, determines the real application server access user name from the specified query condition, removes that condition from the SQL statement and forwards the statement to the database.
For example, after the SQL statement of administrator 1 reaches the zero trust database gateway, its real access user is determined to be admin1 from the reqUserName attribute, and after the redundant condition is removed the restored SQL statement is:
SELECT * FROM USER
In the same way, the SQL statement of administrator 2 is recognized and, after processing, the restored SQL statement is:
SELECT * FROM USER WHERE age>=20
The zero trust database gateway intercepts the final query result from the database, obtains the user's classification and grading authority from the current user's identity, selects different dynamic desensitization algorithms according to the values of the classification and grading attribute columns, the data values that do not meet the authority requirement, and the attribute types and service meanings, dynamically desensitizes the query result, repackages the processed data and returns it to the service server.
For example, for administrator 1 with authority (G1_5), the data returned by the SQL request is processed according to that authority: the specified fields are dynamically desensitized and the label columns are removed automatically, giving the result in Table 5:
Table 5
Name | Age | Phone | Email
Zhang San | 0 | 138****8888 | zhangsan@a.com
Li Si | 25 | 180****6666 | lisi@a.com
Wangsan | 30 | 136****5555 | wanger@a.com
Referring to Table 5, fields shown in bold in the original satisfy the authority and fields shown in italics have undergone dynamic desensitization (here, Zhang San's age and all phone numbers).
For Administrator 2, authorities (G1 _10, G2 _10), the results obtained after performing dynamic desensitization on data that does not meet the authority requirements are shown in Table 6:
TABLE 6
Name | Age | Phone | Email |
---|---|---|---|
Zhang San | 20 | 13888888888 | zhangsan@a.com |
Li Si | 25 | 180****6666 | lisi@a.com |
Wangsan | 30 | 13688885555 | wanger@a.com |
Referring to Table 6, bold marks the fields that satisfy the authority and italics mark the fields that have been dynamically desensitized.
In some embodiments, the zero trust database gateway is specifically configured to supplement the query request with an authority screening condition according to the classification and grading authority corresponding to the real user identity information, to query the target database with the supplemented request, and to receive the query result and send it to the service server.
When high-sensitivity data shares a table with other data because of a common business purpose, or when different entity objects carry different security levels so that an entity's data must not be accessible unless all of its attributes are, row-level access control can be performed to ensure data security: if any single attribute does not meet the authority requirement, the whole row of data is not returned.
Specifically, the zero trust database gateway parses the SQL, extracts the current real application server access user name from the specified query condition, removes the condition from the SQL statement, and forwards the statement to the database. If the query's column list is unspecified, such as "*", it is automatically replaced with all real data column names of the table.
For example, when the SQL statement of administrator 1 reaches the zero trust database gateway, it is parsed; the real access user of the statement is identified as admin1 from the reqUserName attribute, and according to authority G1_5 (corresponding calculated value 15) the redundant condition is removed and the authority screening conditions are appended, giving the SQL statement:
SELECT Name,Age,Phone,Email FROM USER WHERE Age_L<=15 AND Phone_L<=1000
In the same manner, the SQL statement of administrator 2 is recognized; according to authorities G1_10 (corresponding calculated value 10+10=20) and G2_12 (1012), the redundant condition is removed and the authority screening conditions are appended, giving the SQL statement:
SELECT Name,Age,Phone,Email FROM USER WHERE age>=20 AND Age_L<=20 AND Phone_L<=1020
The target database's own query mechanism then screens out the rows that do not meet the query conditions; the data returned under these conditions is not analysed or processed further and is returned directly to the service server.
For administrator 1 with authority G1_5, the data returned by the SQL request is processed according to that authority: dynamic desensitization is performed on the specified fields and the label columns are automatically removed, giving the following results:
TABLE 7
Name | Age | Phone | Email |
---|---|---|---|
Referring to Table 7, since none of the designated columns satisfies the authority, the returned data is empty.
For administrator 2 with authorities (G1_10, G2_10), the results obtained after performing dynamic desensitization on data that does not meet the authority requirements are shown in Table 8:
TABLE 8
Name | Age | Phone | Email |
---|---|---|---|
Zhang San | 20 | 13888888888 | zhangsan@a.com |
Wangsan | 30 | 13688885555 | wanger@a.com |
Referring to Table 8, since Li Si has an attribute column that does not satisfy the authority requirement, that row is not returned.
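The two gateway behaviours above, column-level dynamic desensitization of returned rows (Tables 5 and 6) and row-level screening by appended authority conditions (Tables 7 and 8), as an added Python example that is not part of the patent. It assumes the added condition has the form reqUserName='admin1', assumes an integer encoding of G<category>_<level> that reproduces the page's values 15, 20, 1020 and 1000, assigns Age to category 1 and Phone to category 2, and uses constructed label values and phone digits for the three sample rows.

```python
import re

# Constructed sample of the USER table after the gateway has added the
# classification attribute columns Age_L and Phone_L; label values and the
# hidden phone digits are made up so that the page's Tables 5-8 come out.
USER_ROWS = [
    {"Name": "Zhang San", "Age": 20, "Phone": "13888888888",
     "Email": "zhangsan@a.com", "Age_L": 20, "Phone_L": 1015},
    {"Name": "Li Si", "Age": 25, "Phone": "18011116666",
     "Email": "lisi@a.com", "Age_L": 12, "Phone_L": 1025},
    {"Name": "Wangsan", "Age": 30, "Phone": "13688885555",
     "Email": "wanger@a.com", "Age_L": 10, "Phone_L": 1010},
]
REAL_COLUMNS = ["Name", "Age", "Phone", "Email"]
# labelled column -> (its label column, its category); the category choice is assumed
LABELED = {"Age": ("Age_L", 1), "Phone": ("Phone_L", 2)}


def limits(authorities):
    """Per category, the highest label value the user may read. Assumed encoding of
    G<cat>_<level> is (cat-1)*1000 + 10 + level, which gives the page's G1_5 -> 15,
    G1_10 -> 20, G2_10 -> 1020; a category with no authority keeps its base (1000)."""
    out = {cat: (cat - 1) * 1000 for _, cat in LABELED.values()}
    for auth in authorities:  # e.g. "G1_5"
        cat, level = (int(x) for x in auth[1:].split("_"))
        out[cat] = max(out[cat], (cat - 1) * 1000 + 10 + level)
    return out


# The added condition may sit alone, after other conditions, or before them.
REQ_USER = re.compile(
    r"\s+AND\s+reqUserName\s*=\s*'([^']*)'"
    r"|reqUserName\s*=\s*'([^']*)'\s+AND\s+"
    r"|\s*reqUserName\s*=\s*'([^']*)'", re.I)


def strip_real_user(sql):
    """Recover the transparently forwarded user and restore the original statement."""
    m = REQ_USER.search(sql)
    if not m:
        raise ValueError("request carries no reqUserName condition")
    user = next(g for g in m.groups() if g is not None)
    sql = sql[:m.start()] + sql[m.end():]
    sql = re.sub(r"\s+WHERE\s*$", "", sql, flags=re.I)  # WHERE left with no condition
    return user, sql.strip()


def row_level_sql(sql, lim):
    """Expand '*' to the real column names and append the authority screening
    conditions so the database itself drops rows the user may not see."""
    sql = re.sub(r"SELECT\s+\*", "SELECT " + ",".join(REAL_COLUMNS), sql, flags=re.I)
    conds = " AND ".join(f"{lab}<={lim[cat]}" for lab, cat in LABELED.values())
    return sql + (" AND " if re.search(r"\bWHERE\b", sql, re.I) else " WHERE ") + conds


def mask(col, value):
    """Desensitization chosen by attribute type: age -> 0, phone -> 138****8888."""
    return 0 if col == "Age" else value[:3] + "****" + value[-4:]


def desensitize(rows, lim):
    """Column-level mode: every row comes back, fields whose label exceeds the
    authority are masked and the label columns are dropped (Tables 5 and 6)."""
    out = []
    for r in rows:
        o = {c: r[c] for c in REAL_COLUMNS}
        for col, (lab, cat) in LABELED.items():
            if r[lab] > lim[cat]:
                o[col] = mask(col, r[col])
        out.append(o)
    return out


def row_filter(rows, lim):
    """Row-level mode: what the appended WHERE does inside the database (Tables 7, 8)."""
    return [{c: r[c] for c in REAL_COLUMNS} for r in rows
            if all(r[lab] <= lim[cat] for lab, cat in LABELED.values())]
```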
In some embodiments, the zero trust controller is further configured to: reduce the user's classification and grading authority level when an abnormal condition occurs; and send the reduced classification and grading authority level to the zero trust gateway and the zero trust database gateway.
In some embodiments, the abnormal condition includes: the service server being attacked, the user side being attacked, and the user's access behaviour being abnormal.
For example, when the zero trust controller finds that the application server or the user terminal is under attack, or that the user's access behaviour is abnormal, the user's access authorization is automatically reduced, for instance administrator 1's authorization is lowered from G1_5 to G1_1. The updated authorization rule is issued to the zero trust database gateway, where it takes effect immediately, so subsequent requests are access-controlled with the updated authority without any cooperating action by the administrator or the application server.
In some embodiments, the zero trust controller is further configured to: judge whether the abnormal condition is over, restore the user's classification and grading authority level when it is over, and send the restored classification and grading authority level to the zero trust gateway and the zero trust database gateway.
For example, when the zero trust controller finds that the risk has been relieved, the authority of administrator 1 may be automatically restored from G1_1 to G1_5. Once the authorization has been updated at the zero trust gateway, the administrator regains access to the related data without any coordinating action by the administrator or the application server.
It can be understood that, in the technical scheme provided by this application, the data stored in the target database is kept complete, while the data a user obtains differs according to the identity of the user accessing the target database; when the user identity or the user authority changes, the data obtained changes with it, which realizes dynamic desensitization.
According to the technical scheme, classification and grading marking at the data level is completed by automatically adding marking columns, which solves the problem that the marking granularity in existing classification and grading systems is not fine enough. By adding a specific query condition, the application server transparently forwards the real user, which solves the problem that past access control in database protection components could only be achieved at the server IP level and the database account level, and meets the demand for user-level fine-grained control in the current zero trust environment. By the row-level data desensitization approach, which combines the capabilities of the database, both performance and security requirements can be met in high-security and high-performance scenarios; this differs from the usual approach of dynamically desensitizing data only after the database has returned it. Through data-level desensitization and analysis of the classification attribute columns in the database, the difficulties of storing finer-grained and larger-scale data classification rules are solved, the requirement that a user obtains only minimum-authority data is better guaranteed, and no component, including the application server, is trusted, in keeping with the zero trust concept, so the security of the data is further ensured.
It is understood that the same or similar parts in the above embodiments may be mutually referred to, and the same or similar parts in other embodiments may be referred to for the content which is not described in detail in some embodiments.
It should be noted that the terms "first," "second," and the like in the description of the present invention are used for descriptive purposes only and are not to be construed as indicating or implying relative importance. Further, in the description of the present invention, the meaning of "a plurality" means at least two unless otherwise specified.
Any process or method descriptions in flow charts or otherwise described herein may be understood as representing modules, segments, or portions of code which include one or more executable instructions for implementing specific logical functions or steps of the process, and alternate implementations are included within the scope of the preferred embodiment of the present invention in which functions may be executed out of order from that shown or discussed, including substantially concurrently or in reverse order, depending on the functionality involved, as would be understood by those reasonably skilled in the art of the present invention.
It should be understood that portions of the present invention may be implemented in hardware, software, firmware, or a combination thereof. In the above embodiments, various steps or methods may be implemented in software or firmware stored in a memory and executed by a suitable instruction execution system. For example, if implemented in hardware, as in another embodiment, any one or combination of the following techniques, which are known in the art, may be used: a discrete logic circuit having a logic gate circuit for implementing a logic function on a data signal, an application specific integrated circuit having an appropriate combinational logic gate circuit, a Programmable Gate Array (PGA), a Field Programmable Gate Array (FPGA), or the like.
It will be understood by those skilled in the art that all or part of the steps carried by the method for implementing the above embodiments may be implemented by hardware related to instructions of a program, which may be stored in a computer readable storage medium, and when the program is executed, the program includes one or a combination of the steps of the method embodiments.
In addition, functional units in the embodiments of the present invention may be integrated into one processing module, or each unit may exist alone physically, or two or more units are integrated into one module. The integrated module can be realized in a hardware mode, and can also be realized in a software functional module mode. The integrated module, if implemented in the form of a software functional module and sold or used as a stand-alone product, may also be stored in a computer readable storage medium.
The storage medium mentioned above may be a read-only memory, a magnetic or optical disk, etc.
In the description herein, references to the description of the term "one embodiment," "some embodiments," "an example," "a specific example," or "some examples," etc., mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples.
Although embodiments of the present invention have been shown and described above, it is understood that the above embodiments are exemplary and should not be construed as limiting the present invention, and that variations, modifications, substitutions and alterations can be made to the above embodiments by those of ordinary skill in the art within the scope of the present invention.
Claims (9)
1. A classification and grading marking method is characterized by comprising the following steps:
receiving target database scanning information sent by a zero trust database gateway, wherein the target database scanning information comprises a data structure table and a data table of a target database;
and carrying out attribute-level and/or data-level classification and grading labeling on the data structure table and the data table, and sending a classification and grading labeling result to the zero trust database gateway, so that the zero trust database gateway adds a classification and grading attribute column corresponding to the labeled data to the data structure table and/or the data table according to the classification and grading labeling result, and fills a corresponding classification and grading attribute value in the classification and grading attribute column corresponding to the labeled data to finish data-level labeling.
2. A data access control system, comprising: a service server, a zero trust database gateway, a zero trust controller and classification and grading labeling equipment; the classification and grading labeling device is used for executing the classification and grading labeling method of claim 1;
the service server is used for accessing the target database through the zero trust database gateway;
the zero trust controller is used for configuring classification and grading authorities of users according to configuration operation; after the user successfully logs in, the classification and classification authority of the user successfully logging in is sent to a zero trust gateway and a zero trust database gateway, so that the user successfully logging in can access the service server under the classification and classification authority;
the zero trust database gateway is used for receiving a query request sent by the service server, wherein the query request carries user identity information added with query conditions; analyzing the query request, removing the query condition and acquiring real user identity information; and inquiring information in the target database according to the real user identity information so as to send an inquiry result to the service server.
3. The system of claim 2, wherein the zero trust database gateway is further configured to: convert the classification and grading attribute value into an integer based on a preset rule.
4. The system of claim 2, wherein the zero-trust database gateway is specifically configured to receive the query result, desensitize the query result according to the classification and classification authority corresponding to the user identity information, and send the desensitization result to the service server.
5. The system according to claim 2, wherein the zero-trust database gateway is specifically configured to supplement, according to the classification hierarchical rights corresponding to the real user identity information, a right screening condition in the query request, and query, according to the supplemented query request, information in the target database; and receiving a query result, and sending the query result to the service server.
6. The system of claim 2, wherein the zero trust controller is further configured to: when an abnormal condition occurs, the classification and classification permission level of the user is reduced; and sending the reduced classification authority level to a zero trust gateway and a zero trust database gateway.
7. The system of claim 6, wherein the abnormal condition comprises: the service server is attacked, the user side is attacked, and the user access behavior is abnormal.
8. The system of claim 6, wherein the zero trust controller is further configured to: and judging whether the abnormal condition is over, recovering the classification and classification authority level of the user when the abnormal condition is over, and sending the recovered classification and classification authority level to a zero trust gateway and a zero trust database gateway.
9. A classification and grading labeling apparatus, comprising: a processor and a memory, the processor coupled to the memory:
the processor is used for calling and executing the program stored in the memory;
the memory for storing the program for performing at least the classification hierarchical annotation method of claim 1.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211038405.5A CN115309840A (en) | 2022-08-29 | 2022-08-29 | Classification and grading labeling method and equipment and data access control system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211038405.5A CN115309840A (en) | 2022-08-29 | 2022-08-29 | Classification and grading labeling method and equipment and data access control system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115309840A true CN115309840A (en) | 2022-11-08 |
Family
ID=83864867
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211038405.5A Pending CN115309840A (en) | 2022-08-29 | 2022-08-29 | Classification and grading labeling method and equipment and data access control system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115309840A (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN117171800A (en) * | 2023-10-23 | 2023-12-05 | 深圳竹云科技股份有限公司 | Sensitive data identification method and device based on zero trust protection system |
CN117744129A (en) * | 2023-09-18 | 2024-03-22 | 苏州天安慧网络运营有限公司 | Intelligent operation and maintenance method and system based on CIM |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||