CN115879143A - Data security policy configuration method, device and system - Google Patents
- Publication number
- CN115879143A (application CN202111152460.2A)
- Authority
- CN
- China
- Prior art keywords
- data
- data security
- client
- security policy
- service device
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/46—Multiprogramming arrangements
- G06F9/54—Interprogram communication
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/02—Standardisation; Integration
Abstract
The application provides a data security policy configuration method, device and system. The method is applied to a service device and comprises: receiving a data security policy and indication information of client data, wherein the data security policy is formed by selecting one or more data security capabilities from a data security capability set provided by the service device according to an attribute of the client data, the client data is data that is stored on the service device side and is related to the client device, and each data security capability in the data security capability set is a capability of the service device to process data based on data security; and applying the data security policy to the client data based on the indication information. The scheme allows the data security policy of specified data to be configured flexibly as required.
Description
Technical Field
The present application relates to the field of data communications, and in particular, to a method, a device, and a system for configuring a data security policy.
Background
Data is an important asset and is of great value in today's society. With the rapid development of technologies such as the mobile internet, cloud computing and big data, data is continuously and deeply mined and applied, and various new business models have emerged, such as location-based services (ride hailing, food delivery and the like) and credit-based services (bicycle sharing, internet finance and the like). These services provide customized and personalized services by collecting information about their users, which brings great convenience to people's lives. However, user information often includes sensitive information such as income, assets and identity, and direct or indirect operations on it may disclose the user's privacy, which creates a serious security risk. To solve this problem, stored data needs security protection. Under existing technical conditions, vendors store data mechanically, classify it into simple grades, and apply different degrees of security protection according to that grading. However, different users may require different levels of protection for data of the same grade.
Disclosure of Invention
The application provides a data security policy configuration method, device and system, which can flexibly configure the data security policy of specified data as required.
In a first aspect, a data security policy configuration method is provided, which is applied to a service device, and includes:
receiving a data security policy and indication information of client data, wherein the data security policy is composed of one or more data security capabilities selected by a client device from a data security capability set provided by a service device according to an attribute of the client data, the client data is data stored on the service device side and related to the client device, and the data security capability in the data security capability set is a capability of the service device to process data based on data security;
applying the data security policy to the client data based on the indication information.
In the above-described scheme, one or more data security capabilities can be selected from the set of data security capabilities provided by the service device according to the attributes of the client data to form a data security policy, and the data security policy is applied to the client data indicated by the indication information of the client data, so that the data security policy of the specified client data can be flexibly configured as needed.
In some possible designs, the receiving the data security policy sent by the client device and the indication information of the client data includes:
and receiving a data security policy and indication information of client data sent by a client device through a network transmission mode corresponding to a data model, wherein the data security policy is carried in the data model.
In the above scheme, the data security policy is carried through the data model and transmitted through a network transmission mode corresponding to the data model, so that the flexibly configured data security policy can be transmitted between the client device and the service device.
In some possible designs, the data model is a YANG model, and the network transmission mode is a network configuration protocol NETCONF.
In the above scheme, the data model is a YANG model and the network transmission mode is the network configuration protocol NETCONF, which has the advantages of a high degree of standardization, strong consistency, strong flexibility and low adaptation cost.
In some possible designs, the data model is a structured data serialization file, and the network transmission mode is a Remote Procedure Call (RPC) interface.
In the above scheme, the data model is a structured data serialization file and the network transmission mode is a Remote Procedure Call (RPC) interface, which has the advantages of strong consistency, strong flexibility, strong usability and a wide application range: it is suitable for the software field and other application fields in addition to the digital communication field.
In some possible designs, the method further comprises:
receiving operation indication information sent by a client device;
and performing maintenance operation on the data security policy based on the operation indication information, wherein the maintenance operation comprises one or more of querying the data security policy, deleting the data security policy and modifying the data security policy.
In the above scheme, the client device can query, delete and modify the data security capabilities in the data security capability set through the operation indication information, so that the data security capability set can better match the needs of the user.
In some possible designs, the set of data security capabilities includes one or more of a sensitive information security capability, a data encryption security capability, a storage mode security capability, and a data release security capability.
In the above scheme, the security capabilities in the data security capability set cover sensitive information, data encryption, storage modes and data release, and the security of the client data can be ensured from multiple dimensions.
In a second aspect, a data security policy configuration method is provided, which is applied to a client device, and includes:
selecting one or more data security capabilities from a data security capability set provided by a service device according to the attributes of client data to form a data security policy, wherein the client data is data which is stored on the service device side and is related to the client device, and the data security capabilities in the data security capability set are capabilities of the service device for data processing based on data security;
sending the data security policy to the service device.
In some possible designs, the data security policy is sent to the service device through a network transmission mode corresponding to a data model, wherein the data security policy is carried in the data model.
In some possible designs, the data model is a YANG model, and the network transmission mode is a network configuration protocol NETCONF.
In some possible designs, the data model is a structured data serialization file, and the network transmission mode is a Remote Procedure Call (RPC) interface.
In some possible designs, the method further comprises:
and sending operation indication information to the service device, wherein the operation indication information is used for indicating maintenance operation on the data security policy, and the maintenance operation comprises one or more of querying the data security policy, deleting the data security policy and modifying the data security policy.
In some possible designs, the set of data security capabilities includes one or more of a sensitive information security capability, a data encryption security capability, a storage mode security capability, and a data release security capability.
In some possible designs, before selecting one or more data security capabilities from a set of data security capabilities provided by a service device to constitute a data security policy according to an attribute of the client data, the method further comprises:
and receiving the data security capability set sent by the service device.
In a third aspect, a data security policy configuration system is provided, which comprises a client device and a service device,
the client device is used for selecting one or more data security capabilities from a data security capability set provided by a service device according to the attribute of client data to form a data security policy, the client data is data which is stored at the service device side and is related to the client device, and the data security capabilities in the data security capability set are capabilities of the service device for data processing based on data security;
the service device is used for receiving the data security policy sent by the client device and indication information of client data,
the service device is further configured to apply the data security policy to the client data based on the indication information.
In some possible designs, the client device is configured to send the data security policy to the service device through a network transmission manner corresponding to a data model, where the data security policy is carried in the data model.
In some possible designs, the data model is a YANG model, and the network transmission mode is a network configuration protocol NETCONF.
In some possible designs, the data model is a structured data serialized file, and the network transport is a Remote Procedure Call (RPC) interface.
In some possible designs, the client device is configured to send operation indication information to the service device, where the operation indication information is used to indicate that a maintenance operation is performed on the data security policy, and the maintenance operation includes one or more of querying the data security policy, deleting the data security policy, and modifying the data security policy.
In some possible designs, the set of data security capabilities includes one or more of a sensitive information security capability, a data encryption security capability, a storage mode security capability, and a data release security capability.
In some possible designs, the client device is further configured to receive a set of data security capabilities sent by the service device.
In a fourth aspect, a service device is provided, which includes: a processor and a memory, wherein the processor executes a program in the memory to run a computing service and a storage service to perform the method of any of the first aspects.
In a fifth aspect, a terminal device is provided, which includes: a processor and a memory, wherein the processor executes a program in the memory to perform the method of any of the second aspects.
In a sixth aspect, a computer-readable storage medium is provided, which includes instructions that, when executed on a computing node, cause the computing node to perform the method of any of the first and second aspects.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments or the background art of the present application, the drawings required to be used in the embodiments or the background art of the present application will be described below.
FIG. 1 is a schematic structural diagram of a data security policy configuration system provided in the present application;
FIG. 2 is a more detailed structural schematic diagram of the data security policy configuration system shown in FIG. 1;
FIG. 3 is a schematic structural diagram of a data security policy configuration method provided in the present application;
FIG. 4 is a schematic structural diagram of a data security policy configuration method provided in the present application;
FIG. 5 is a schematic structural diagram of a data security policy configuration system provided in the present application;
FIG. 6 is a schematic structural diagram of a service device provided in the present application;
FIG. 7 is a schematic structural diagram of a terminal device provided in the present application.
Detailed Description
Referring to fig. 1, fig. 1 is a schematic structural diagram of a data security policy configuration system provided in the present application. As shown in fig. 1, the data security policy configuration system provided in the present application includes: a client device side 110 and a service device side 120.
The client device side 110 is a terminal device capable of sending and receiving data. For example, the client device side 110 may be any type of User Equipment (UE), such as a mobile phone, a tablet, a desktop computer, a headset or a speaker. The client device side 110 may also be a machine intelligence device such as a self-driving device, a transportation safety device, a Virtual Reality (VR) terminal device, an Augmented Reality (AR) terminal device, a Machine Type Communication (MTC) device, an industrial control device, a remote medical device, a smart grid device, a smart city device, a wearable device (such as a smart watch, a smart bracelet or a pedometer), and the like. Furthermore, the client device side 110 may be a vehicle cockpit domain device, or a module in such a device, such as one or more of a cockpit domain controller (CDC), a camera, a screen, a microphone, a speaker, an electronic key, a keyless entry or start system controller, and so on. In some scenarios, a terminal device with similar data transceiving capability may go by a name other than client device side 110, but for convenience of description, a terminal with data transceiving capability is referred to as the client device side 110 in the present embodiment.
The service device side 120 is an electronic device with data storage capability. For example, the service device side 120 may be any type of server, a local area network system composed of a plurality of servers, or a small or large system composed of servers, network devices and storage devices, such as a data center, a cloud system (including public, private and hybrid clouds), an edge computing system, and so on.
The client device is deployed on the client device side 110 and the service device is deployed on the service device side 120; working together, they provide storage and related security services for data. Both the service device and the client device may be provided by the manufacturer or operator of the service device side. A client device provided by a manufacturer or operator may be published online and downloaded by a customer to the client device side 110.
It is understood that the single-layer network structure and the number of terminal devices of the data security policy configuration system shown in fig. 1 are only a specific example. In other embodiments, the network structure may have two layers, three layers, and so on, and the number of terminals may be smaller or larger, which is not limited herein.
Referring to fig. 2, fig. 2 is a more detailed structural schematic diagram of the data security policy configuration system shown in fig. 1. In fig. 2, the service device side 120 may be a distributed storage system or a centralized storage system. The following description takes a centralized storage system as an example. The centralized storage system includes an application server 121, a fabric switch 122, and a storage system 123. The user accesses data through applications, and the computer running these applications is called an "application server". The application server 121 may be a physical machine or a virtual machine. Physical application servers include, but are not limited to, desktop computers, servers, laptops, and mobile devices. The application server 121 accesses the storage system 123 through the fabric switch 122 to access data. However, the fabric switch 122 is only an optional device, and the application server 121 may also communicate with the storage system 123 directly through a network. The centralized storage system is characterized by a unified entry through which all data from external devices passes; this entry is the engine 124 of the centralized storage system. The engine 124 is the most central component of a centralized storage system, and many of the storage system's high-level functions are implemented in it.
There are one or more controllers in the engine 124, and fig. 2 illustrates an example where the engine 124 includes two controllers. If there is a mirror channel between controller 0 and controller 1, then after controller 0 writes a copy of data into its memory 126, controller 0 may send a copy of the data to controller 1 via the mirror channel, and controller 1 stores the copy in its local memory 134. Controller 0 and controller 1 therefore back each other up: when controller 0 fails, controller 1 can take over the services of controller 0, and when controller 1 fails, controller 0 can take over the services of controller 1, so that a hardware failure does not make the whole storage system unavailable. When 4 controllers are deployed in the engine 124, any two controllers have a mirror channel between them, so that any two controllers back each other up.
The engine 124 further comprises a front-end interface 127 and a back-end interface 128. The front-end interface 127 is used for communicating with the application server 121, thereby providing a storage service for the application server 121. The back-end interface 128 is used for communicating with a hard disk 129 to expand the capacity of the storage system. The engine 124 may be connected to more hard disks 129 through the back-end interface 128, thereby forming a very large pool of storage resources.
In hardware, the controller 0 includes at least a processor 125 and a memory 126. Processor 125 is a Central Processing Unit (CPU) that processes data access requests from outside the storage system (server or other storage system) as well as requests generated internally within the storage system. For example, when the processor 125 receives the write data requests sent by the application server 121 through the front-end interface 127, the data in the write data requests is temporarily stored in the memory 126. When the total amount of data in the memory 126 reaches a certain threshold, the processor 125 sends the data stored in the memory 126 to the hard disk 129 through the backend interface 128 for persistent storage.
The memory 126 is an internal memory that exchanges data directly with the processor; it can read and write data at any time and is fast enough to serve as temporary data storage for an operating system or other running programs. The memory includes at least two types of memory, for example, the memory may be a random access memory (RAM) or a read-only memory (ROM). For example, the random access memory is a Dynamic Random Access Memory (DRAM) or a Storage Class Memory (SCM). DRAM is a semiconductor memory and, like most RAM, is a volatile memory device. SCM is a hybrid storage technology that combines the features of traditional storage devices and memory: storage class memory provides faster read and write speeds than hard disks, but slower access speeds and lower cost than DRAM. However, DRAM and SCM are only examples in this embodiment, and the memory may also include other random access memories, such as Static Random Access Memory (SRAM). The read-only memory may be, for example, a Programmable Read Only Memory (PROM), an Erasable Programmable Read Only Memory (EPROM), and the like. In addition, the memory 126 may also be a dual in-line memory module (DIMM), that is, a module composed of DRAM, or a Solid State Disk (SSD). In practical applications, the controller 0 may be configured with a plurality of memories 126 and with different types of memories 126. The number and type of the memories 126 are not limited in this embodiment. In addition, the memory 126 may be configured with a power retention function, which means that the data stored in the memory 126 is not lost when the system is powered down and powered up again. A memory having a power retention function is called a nonvolatile memory.
The memory 126 stores software programs, and the processor 125 runs the software programs in the memory 126 to manage the hard disk. For example, the hard disk is abstracted into a storage resource pool, and then divided into LUNs for use by the server. The LUN here is in fact the hard disk seen on the server. Of course, some centralized storage systems are themselves file servers, and may provide shared file services for the servers.
The hardware components and software structure of the controller 1, and other controllers not shown in the figure, are similar to those of the controller 0, and are not described herein again.
It should be noted that only one engine 124 is shown in fig. 2, however, in practical applications, two or more engines 124 may be included in the storage system, and redundancy or load balancing is performed among the engines 124.
FIG. 2 illustrates a centralized storage system with integrated disk control. In the system, the engine 124 has a hard disk slot, the hard disk 129 can be directly disposed in the engine 124, the backend interface 128 is an optional configuration, and when the storage space of the system is insufficient, more hard disks or hard disk frames can be connected through the backend interface 128.
It is understood that the data security policy configuration system shown in fig. 2 is merely a specific example, and in other embodiments, the data security policy configuration system may include more or fewer components, which are not specifically limited herein.
Referring to fig. 3, fig. 3 is a schematic structural diagram of a data security policy configuration method provided in the present application. As shown in fig. 3, the data security policy configuration method provided in this embodiment includes the following steps:
S101: the service device sends the set of data security capabilities to the client device. Accordingly, the client device receives the set of data security capabilities sent by the service device.
In a particular embodiment, the set of data security capabilities may include one or more data security capabilities. A data security capability is a capability of the service device to process data based on data security. The set of data security capabilities may include data security capabilities of multiple dimensions, and each dimension may include one or more data security capabilities. The more dimensions of data security capability the set includes, the more comprehensive the protection, but the more storage and transmission resources it occupies; conversely, the fewer dimensions it includes, the narrower the protection, but the fewer storage and transmission resources it occupies. It will be appreciated that different service devices may provide different sets of data security capabilities, for example, a first service device may provide 3 dimensions of data security capabilities, each dimension comprising 3 data security capabilities, a second service device may provide 10 dimensions of data security capabilities, each dimension comprising 12 data security capabilities, and so on. The dimensions in the set of data security capabilities provided by the service device to the client device, and the data security capabilities in each dimension, may be fixed or may vary. For example, the service device may provide the client device with a fixed set of data security capabilities that includes 3 dimensions of data security capabilities, each dimension including 3 data security capabilities.
Alternatively, the set of data security capabilities that the service device provides to the client device may at first include 3 dimensions of data security capabilities, each dimension including 3 data security capabilities, followed by the addition of 10 dimensions of data security capabilities to the set, each dimension including 12 data security capabilities. For simplicity, the above examples all assume that every dimension has the same number of data security capabilities; in practical applications, the number of data security capabilities may differ between dimensions, which is not specifically limited herein.
In a more specific embodiment, the set of data security capabilities may include one or more of the following dimensions of data security capabilities: sensitive information security capability, data encryption security capability, storage mode security capability, and data release security capability. The sensitive information security capability can provide different protection capabilities for different data categories, such as asset information, identity information, biometric information, consumption habit information, travel information, and the like. The data encryption security capability can use different encryption algorithms, for example, no encryption, the Data Encryption Algorithm (DEA), or the Rivest-Shamir-Adleman algorithm (RSA algorithm for short, named after Ron Rivest, Adi Shamir and Leonard Adleman), thereby providing different protection strengths. The storage mode security capability may provide different protection capabilities by employing different storage isolation approaches, e.g., physical isolation or logical isolation. The data release security capability may provide different protection strengths by providing different data release manners, such as direct release (direct), recycle (recycle), duplicate address (reset) and the like.
In a specific embodiment, the client device may obtain the set of data security capabilities from the service device by consulting a manual, through protocol negotiation, and the like.
S102: the client device selects one or more data security capabilities from a set of data security capabilities provided by the service device to constitute a data security policy according to the attributes of the client data.
In a specific embodiment, the client data is data stored on the service device side and associated with the client device. The client data may be stored in the service device or in a memory connected to the service device, etc. The client data may be any data related to the client device, such as asset data, shopping data, travel data, identity data, address data, work data, biometric data, and the like uploaded by the client device.
In a particular embodiment, the attributes of the client data may include data confidentiality, data volume, data structure, data length, data storage manner, data repeatability, data collection manner, data credibility, data commonality, data directionality, and the like. Furthermore, the attribute of the client data may be other self-defined attributes, and is not limited in detail herein.
In a particular embodiment, the data security policy may be comprised of one or more data security capabilities selected from a set of data security capabilities. The data security policy may be formed by selecting multiple data security capabilities from the same dimension in the data security capability set, or may be formed by selecting multiple data security capabilities from multiple dimensions in the data security capability set, which is not specifically limited herein. For example, the data security policy may consist of biometric information selected from sensitive information security capabilities, an RSA algorithm selected from data encryption security capabilities, physical isolation selected from storage mode security capabilities, and direct release selected from data release security capabilities. It is understood that the above examples are merely specific examples, and in other embodiments, the data security policy may include more or less data security capabilities, or the data security capabilities may be selected from other dimensions, and are not limited thereto.
In a specific embodiment, the data security policy may be carried in a data model. The data model may be a YANG model, a structured data serialization (proto) file, JSON, extensible markup language (XML), Thrift, or the like.
In a particular embodiment, the data security policy may be edited by the client device. Specifically, the client device transmits operation indication information to the service device. Accordingly, the service device receives the operation indication information transmitted by the client device. The service device then performs a maintenance operation on the data security policy based on the operation indication information, where the maintenance operation comprises one or more of querying the data security policy, deleting the data security policy, and modifying the data security policy. In a more specific embodiment, the client device may learn the data security capability set of the service device through Hello message negotiation, may modify a data security policy through the edit-config instruction of the network configuration protocol (NETCONF), may query and modify a data security policy through the NETCONF get-config instruction, may delete a data security policy through the NETCONF delete-config instruction, and the like.
S103: the client device transmits the data security policy and the indication information of the client data to the service device. Accordingly, the service device receives the data security policy sent by the client device and the indication information of the client data.
In a specific embodiment, the data security policy and the indication information of the client data that the client device sends to the service device may be carried in the same instruction, or may be carried in two consecutive instructions, respectively.
In a specific embodiment, the client device sends the data security policy to the service device through a network transmission mode corresponding to the data model. For example, when the data model is a YANG model, the client device may send the data security policy to the service device through the NETCONF corresponding to the YANG model. When the data model is a proto file, the client device may send the data security policy to the service device through a Remote Procedure Call (RPC) interface corresponding to the proto file.
In a specific embodiment, the indication information of the client data may be a unique identifier of the client data, for example, path information of the client data, tag information of the client data, and the like, which are not limited in this respect. The indication information may be carried in a data model or may be independent of any data model. When the indication information is carried in a data model, the data security policy and the indication information can be carried in data models of different types, for example, the data security policy can be carried in a YANG model and the indication information in a proto file; alternatively, the data security policy and the indication information may be carried in two different data models of the same type, for example, the data security policy is carried in a first YANG model and the indication information is carried in a second YANG model; alternatively, the data security policy and the indication information can be carried in the same data model, for example, the data security policy and the indication information are carried in the same YANG model.
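The following added example (not part of the patent text) shows the last case above, in which the data security policy and the indication information travel in the same data model inside one NETCONF `<edit-config>`, and how the receiving side can parse it strictly. The module namespace `urn:example:data-security-policy` and all element names under it are assumptions, since the description does not define a YANG module; the data path is a constructed sample.

```python
import xml.etree.ElementTree as ET

NETCONF_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"  # NETCONF base namespace (RFC 6241)
POLICY_NS = "urn:example:data-security-policy"          # hypothetical YANG module namespace

# Constructed sample: the four capabilities named in the description's own example.
SAMPLE_POLICY = [
    ("sensitive-information", "biometric information"),
    ("data-encryption", "RSA"),
    ("storage-mode", "physical isolation"),
    ("data-release", "direct release"),
]


def _q(ns, tag):
    """Build an ElementTree qualified name."""
    return "{%s}%s" % (ns, tag)


def build_edit_config(message_id, capabilities, data_path):
    """Client side: one <edit-config> carrying the policy and the indication information."""
    rpc = ET.Element(_q(NETCONF_NS, "rpc"), {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, _q(NETCONF_NS, "edit-config"))
    target = ET.SubElement(edit, _q(NETCONF_NS, "target"))
    ET.SubElement(target, _q(NETCONF_NS, "running"))
    config = ET.SubElement(edit, _q(NETCONF_NS, "config"))
    policy = ET.SubElement(config, _q(POLICY_NS, "data-security-policy"))
    for dimension, value in capabilities:
        cap = ET.SubElement(policy, _q(POLICY_NS, "capability"))
        ET.SubElement(cap, _q(POLICY_NS, "dimension")).text = dimension
        ET.SubElement(cap, _q(POLICY_NS, "value")).text = value
    # Indication information: here, the path of the client data.
    ET.SubElement(policy, _q(POLICY_NS, "client-data-path")).text = data_path
    return ET.tostring(rpc, encoding="unicode")


def parse_edit_config(xml_text):
    """Service side: return (capabilities, data_path) or raise ValueError."""
    # NETCONF content must not contain a document type declaration (RFC 6241),
    # so a DOCTYPE is refused before the text reaches the XML parser.
    if "<!DOCTYPE" in xml_text:
        raise ValueError("document type declaration not allowed")
    try:
        rpc = ET.fromstring(xml_text)
    except ET.ParseError as exc:
        raise ValueError("malformed XML") from exc
    if rpc.tag != _q(NETCONF_NS, "rpc"):
        raise ValueError("not a NETCONF <rpc>")
    path = "/".join([
        _q(NETCONF_NS, "edit-config"),
        _q(NETCONF_NS, "config"),
        _q(POLICY_NS, "data-security-policy"),
    ])
    found = rpc.findall(path)
    if len(found) != 1:
        raise ValueError("expected exactly one data-security-policy")
    capabilities = []
    for cap in found[0].findall(_q(POLICY_NS, "capability")):
        dimension = cap.findtext(_q(POLICY_NS, "dimension"))
        value = cap.findtext(_q(POLICY_NS, "value"))
        if not dimension or not value:
            raise ValueError("capability needs a dimension and a value")
        capabilities.append((dimension.strip(), value.strip()))
    data_path = found[0].findtext(_q(POLICY_NS, "client-data-path"))
    # Both halves are mandatory: a policy without indication information
    # cannot be bound to any client data.
    if not capabilities or not data_path:
        raise ValueError("policy and indication information are both required")
    return capabilities, data_path.strip()


if __name__ == "__main__":
    message = build_edit_config(101, SAMPLE_POLICY, "/clients/client-a/biometric")
    print(message)
    print(parse_edit_config(message))
```

Parsing only extracts the two parts; whether each selected capability is actually offered by the service device is a separate check on the service side.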
S104: the service device applies the data security policy to the client data based on the indication information.
In a specific embodiment, the service device may apply the data security policy to the client data based on the indication information in at least two ways: (1) The service device automatically applies the data security policy to the client data according to the indication information. (2) The client device instructs the service device, through the NETCONF edit-config instruction, to apply the data security policy to the client data according to the indication information.
In the above-described scheme, one or more data security capabilities can be selected from the set of data security capabilities provided by the service device according to the attributes of the client data to form a data security policy, and the data security policy is applied to the client data indicated by the indication information of the client data, so that the data security policy of the specified client data can be flexibly configured as needed.
When the client data includes a plurality of data, different data security policies may be specified for the plurality of data by the data security policy configuration method shown in fig. 3. For example, when the client data includes data 1, data 2, and data 3, data security policy 1 may be specified for data 1, data security policy 2 may be specified for data 2, and data security policy 3 may be specified for data 3. For another example, when the client data includes data 1, data 2, and data 3, data security policy 1 may be specified for data 1, data security policy 1 may be specified for data 2, and data security policy 2 may be specified for data 3. It is understood that the above examples are only specific examples, and in practical applications, the number of client data, the number of data security policies, and the corresponding relationship between the client data and the data security policies may be different, and are not limited in detail herein.
Referring to fig. 4, fig. 4 is a schematic structural diagram of a data security policy configuration method provided in the present application. As shown in fig. 4, the data security policy configuration method provided in this embodiment includes the following steps:
S201: the service device sends the set of data security capabilities to the client device. Accordingly, the client device receives the set of data security capabilities sent by the service device.
S202: the client device selects one or more data security capabilities from a set of data security capabilities provided by the service device to constitute a data security policy according to the attributes of the client data.
S203: the client device sends the data security policy and an identification of the data security policy to the service device. Accordingly, the service device receives the data security policy sent by the client device and an identification of the data security policy.
In a specific embodiment, the client device may repeatedly perform steps S202 to S203, thereby configuring a plurality of data security policies. For example, the client device may repeatedly perform steps S202 to S203 5 times, thereby configuring the data security policies 1 to 5, then establish respective unique identifiers for the data security policies 1 to 5, and transmit the data security policies 1 to 5 and the respective unique identifiers to the service device.
S204: the service device stores the data security policy.
In a specific embodiment, continuing the example of step S203, the service device may store the data security policies 1 to 5 together with their unique identifiers. In a more specific embodiment, the service device may store therein a data security policy table as shown in table 1:
Table 1: Data security policy table
It is understood that the above table 1 is only used as a specific example, and in other embodiments, the identification of the data security policy and the storage manner of the data security policy may also be in other forms, which are not limited herein.
S205: the client device sends an identification of the data security policy and an indication of the client data to the service device. Accordingly, the service device receives the identification of the data security policy sent by the client device and the indication information of the client data.
S206: the service device applies the data security policy found according to the identification to the client data based on the indication information.
In a specific embodiment, continuing the example of step S203, the service device may apply the data security policies to the client data as follows: the service device applies data security policy 1 to client data 1-1000, data security policy 2 to client data 1001-10000, data security policy 3 to client data 10001-20000, and so on.
For simplicity, the data security capability set, the data security capability, the editing manner of the data security capability set, the client data, the attribute of the client data, the data security policy, and the indication information of the client data are not described again in this embodiment; refer to fig. 3 and the related description.
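The flow of fig. 4 (S201 to S206) can be sketched as follows; this is an added example, not code from the patent. The four capability dimensions and the values "biometric information", "RSA", "physical isolation" and "direct release" come from the description, while the other capability values, the attribute-to-capability rules, the per-client scoping of policy identifiers and the refusal conditions are assumptions made for the example.

```python
class PolicyError(ValueError):
    """Raised when the service device must refuse a request."""


# S201: capability set advertised by the service device. Values other than
# the four named in the description are constructed placeholders.
CAPABILITY_SET = {
    "sensitive-information": {"biometric information", "identity information"},
    "data-encryption": {"RSA", "AES"},
    "storage-mode": {"physical isolation", "logical isolation"},
    "data-release": {"direct release", "release after approval"},
}


def select_policy(attributes, capability_set):
    """S202 (client): choose capabilities from the data's attributes.

    The rules below are constructed; the description leaves the mapping open.
    """
    wanted = {"data-release": "direct release"}
    if attributes.get("confidentiality") == "high":
        wanted["data-encryption"] = "RSA"
        wanted["storage-mode"] = "physical isolation"
    if attributes.get("biometric"):
        wanted["sensitive-information"] = "biometric information"
    missing = {d: v for d, v in wanted.items() if v not in capability_set.get(d, ())}
    if missing:
        raise PolicyError("service does not offer: %r" % missing)
    return wanted


class ServiceDevice:
    def __init__(self, capability_set):
        self.capability_set = capability_set
        self.policies = {}   # (client, policy_id) -> policy, the role of table 1
        self.bindings = []   # (client, first, last, policy_id)

    def store_policy(self, client, policy_id, policy):
        """S203/S204: accept a policy only if every capability was advertised."""
        if not policy:
            raise PolicyError("empty policy")
        for dimension, value in policy.items():
            if value not in self.capability_set.get(dimension, ()):
                raise PolicyError("unsupported capability %s=%s" % (dimension, value))
        self.policies[(client, policy_id)] = dict(policy)

    def apply_policy(self, client, policy_id, first, last):
        """S205/S206: bind a stored policy to client data first..last (inclusive)."""
        # Identifiers are resolved per client, so one client cannot reference
        # a policy that another client configured (assumption of this example).
        if (client, policy_id) not in self.policies:
            raise PolicyError("unknown policy identifier")
        if first > last:
            raise PolicyError("empty range")
        for owner, lo, hi, _ in self.bindings:
            if owner == client and first <= hi and lo <= last:
                raise PolicyError("range overlaps an existing binding")
        self.bindings.append((client, first, last, policy_id))

    def policy_for(self, client, record):
        """Return the policy protecting one record, or None if it is unbound."""
        for owner, lo, hi, policy_id in self.bindings:
            if owner == client and lo <= record <= hi:
                return self.policies[(owner, policy_id)]
        return None

    def delete_policy(self, client, policy_id):
        """Maintenance operation: refuse to delete a policy that is still bound."""
        if (client, policy_id) not in self.policies:
            raise PolicyError("unknown policy identifier")
        if any(o == client and p == policy_id for o, _, _, p in self.bindings):
            raise PolicyError("policy is still applied to client data")
        del self.policies[(client, policy_id)]


if __name__ == "__main__":
    service = ServiceDevice(CAPABILITY_SET)
    strict = select_policy({"confidentiality": "high", "biometric": True}, CAPABILITY_SET)
    service.store_policy("client-a", "policy-1", strict)
    service.apply_policy("client-a", "policy-1", 1, 1000)
    print(service.policy_for("client-a", 1000))
    print(service.policy_for("client-a", 1001))  # None: no policy bound yet
```

Records outside every bound range come back as `None`, which makes unprotected client data visible instead of silently falling under some default.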
Referring to fig. 5, fig. 5 is a schematic structural diagram of a data security policy configuration system provided in the present application. As shown in fig. 5, the data security policy configuration system according to this embodiment includes: client device 210 and service device 220.
The client device 210 may include a composition module 211 and a transmission module 212.
The composition module 211 is configured to select one or more data security capabilities from a set of data security capabilities provided by a service device according to an attribute of client data to constitute a data security policy, the client data being data stored on the service device side and related to the client device, and the data security capabilities in the set of data security capabilities being capabilities of the service device for data processing based on data security.
The transmission module 212 is configured to send the data security policy to the service device.
The service device 220 may include a receiving module 221 and an application module 222.
The receiving module 221 is configured to receive a data security policy and indication information of client data, where the data security policy is formed by selecting, by the client device, one or more data security capabilities from a set of data security capabilities provided by the service device according to an attribute of the client data, the client data is data that is stored on the service device side and is related to the client device, and the data security capabilities in the set of data security capabilities are capabilities of the service device for performing data processing based on data security.
The application module 222 is configured to apply the data security policy to the client data based on the indication information.
In the above-mentioned solution, the client device 210 and the service device 220 are only illustrated by the division of the above-mentioned function modules, and in practical applications, the above-mentioned function allocation may be completed by different function modules according to needs, that is, the internal structures of the client device 210 and the service device 220 are divided into different function modules to complete all or part of the above-mentioned functions.
For simplicity, the data security capability set, the data security capability, the editing manner of the data security capability set, the client data, the attribute of the client data, the data security policy, and the indication information of the client data are not described again in this embodiment; refer to fig. 3 and the related description. The client device 210 in the data security policy configuration system in fig. 5 may perform the steps performed by the client device in the data security policy configuration method shown in fig. 3 and 4, and the service device 220 in the data security policy configuration system in fig. 5 may perform the steps performed by the service device in the data security policy configuration method shown in fig. 3 and 4.
Referring to fig. 6, fig. 6 shows a schematic structural diagram of a service device 300 provided in an exemplary embodiment of the present application, where the service device 300 may be implemented by a general bus architecture.
The service device 300 comprises at least one processor 301, a communication bus 302, a memory 303 and at least one communication interface 304.
The processor 301 may be a general purpose CPU, NP, microprocessor, or may be one or more integrated circuits such as an application-specific integrated circuit (ASIC), a Programmable Logic Device (PLD), or a combination thereof for implementing aspects of the present disclosure. The PLD may be a Complex Programmable Logic Device (CPLD), a field-programmable gate array (FPGA), a General Array Logic (GAL), or any combination thereof.
A communication bus 302 is used to transfer information between the above components. The communication bus 302 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown, but this does not mean that there is only one bus or one type of bus.
The communication interface 304 uses any transceiver or the like for communicating with other devices or communication networks. The communication interface 304 includes a wired communication interface and may also include a wireless communication interface. The wired communication interface may be an ethernet interface, for example. The ethernet interface may be an optical interface, an electrical interface, or a combination thereof. The wireless communication interface may be a Wireless Local Area Network (WLAN) interface, a cellular network communication interface, or a combination thereof.
In particular implementations, processor 301 may include one or more CPUs, such as CPU0 and CPU1 shown in fig. 6, as one embodiment.
In particular implementations, service device 300 may include a plurality of processors, such as processor 301 and processor 305 shown in FIG. 6, as an example. Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor herein may refer to one or more devices, circuits, and/or processing cores for processing data (e.g., computer program instructions).
In a specific implementation, the service device 300 may further include an output device and an input device, as an embodiment. An output device, which is in communication with the processor 301, may display information in a variety of ways. For example, the output device may be a Liquid Crystal Display (LCD), a Light Emitting Diode (LED) display device, a Cathode Ray Tube (CRT) display device, a projector (projector), or the like. The input device is in communication with the processor 301 and may receive user input in a variety of ways. For example, the input device may be a mouse, a keyboard, a touch screen device, a sensing device, or the like.
In some embodiments, the memory 303 is used to store program code 310 for performing aspects of the present application, and the processor 301 may execute the program code 310 stored in the memory 303. That is, the service device 300 may implement the steps performed by the service apparatus in the method embodiments shown in fig. 3 and fig. 4 through the processor 301 and the program code 310 in the memory 303. Alternatively, the service apparatus in fig. 3 and 4 may be disposed on the service device shown in fig. 6.
The service device 300 of the embodiment of the present application may correspond to the service apparatus in the foregoing method embodiment, and the processor 301, the communication interface 304, and the like in the service device 300 may implement the functions of the device in the foregoing method embodiments and/or various steps and methods implemented. For brevity, further description is omitted herein.
The receiving module 221 in the service apparatus 220 in fig. 5 may correspond to the communication interface 304 in the service device 300; the application module 222 of the service apparatus 220 may correspond to the processor 301 in the service device 300.
Referring to fig. 7, fig. 7 is a structural block diagram of an intelligent terminal in an implementation manner, taking a terminal device as an example. As shown in fig. 7, the smart terminal may include: a baseband chip 410, a memory 415 including one or more computer-readable storage media, a radio frequency (RF) module 416, and a peripheral system 417. These components may communicate over one or more communication buses 414.
The peripheral system 417 is mainly used to implement an interactive function between the intelligent terminal and a user/external environment, and mainly includes an input/output device of the intelligent terminal. In a specific implementation, the peripheral system 417 may include: a touch screen controller 418, a key controller 419, an audio controller 420, and a sensor management module 421. Wherein each controller may be coupled to a respective peripheral device such as touch screen 423, buttons 424, audio circuitry 425, and sensors 426. In some embodiments, a gesture sensor of sensors 426 may be used to receive gesture control operations of user input. The pressure sensor of the sensors 426 may be disposed below the touch screen 423 and may be configured to collect a touch pressure applied to the touch screen 423 when a user inputs a touch operation through the touch screen 423. It should be noted that the peripheral system 417 may also include other I/O peripherals.
The baseband chip 410 may integrally include: one or more processors 411, a clock module 412, and a power management module 413. The clock module 412 integrated in the baseband chip 410 is mainly used for generating clocks required for data transmission and timing control for the processor 411. The power management module 413 integrated in the baseband chip 410 is mainly used to provide stable and high-precision voltages for the processor 411, the rf module 416, and peripheral systems.
A Radio Frequency (RF) module 416 is used to receive and transmit RF signals, and mainly integrates a receiver and a transmitter of the smart terminal. Radio Frequency (RF) module 416 communicates with communication networks and other communication devices via radio frequency signals. In particular implementations, the Radio Frequency (RF) module 416 may include, but is not limited to: an antenna system, an RF transceiver, one or more amplifiers, a tuner, one or more oscillators, a digital signal processor, a CODEC chip, a SIM card, a storage medium, and the like. In addition, the rf module 416 may further include a short-range wireless communication module such as WIFI, bluetooth, etc. In some embodiments, the Radio Frequency (RF) module 416 may be implemented on a separate chip.
The Memory 415 may include a Random Access Memory (RAM), a Flash Memory (Flash Memory), and the like, and may also be a RAM, a Read-Only Memory (ROM), a Hard Disk Drive (HDD), or a Solid-State Drive (SSD). The memory 415 may store an operating system, communication programs, user interface programs, browsers, data security applications, other data security applications, and the like.
In some embodiments, the memory 415 is used to store program code for performing aspects of the present application, and the baseband chip 410 may execute the program code stored in the memory 415. That is, the terminal device may implement the steps performed by the client apparatus in the method embodiments shown in fig. 3 and fig. 4 through the baseband chip 410 and the program code in the memory 415. Alternatively, the client apparatus shown in fig. 3 and 4 may be provided on the terminal device shown in fig. 7.
The terminal device of the embodiment of the present application may correspond to the client apparatus in the foregoing method embodiments, and the baseband chip 410, the Radio Frequency (RF) module 416, and the like in the terminal device may implement the functions of the device in the foregoing method embodiments and/or various steps and methods implemented by the device. For brevity, no further description is provided herein.
The transmission module 212 in the client device 210 in fig. 5 may correspond to the radio frequency (RF) module 416 in the terminal device; the composition module 211 of the client device 210 may correspond to the baseband chip 410 in the terminal device.
In the above embodiments, the implementation may be realized in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, the embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the processes or functions described in accordance with the embodiments of the application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a network of computers, or other programmable device. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wire (e.g., coaxial cable, optical fiber, digital subscriber line) or wirelessly (e.g., infrared, wireless, microwave, etc.). The computer-readable storage medium can be any available medium that can be accessed by a computer, or a data storage device, such as a server or a data center, that integrates one or more available media. The available medium may be a magnetic medium (e.g., floppy disk, memory disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium (e.g., solid state disk (SSD)), among others.
Claims (18)
1. A data security policy configuration method is applied to a service device, and comprises the following steps:
receiving a data security policy and indication information of client data, wherein the data security policy is formed by selecting one or more data security capabilities from a data security capability set provided by the service device according to the attribute of the client data, the client data is data which is stored at the service device side and is related to the client device, and the data security capability in the data security capability set is the capability of the service device to process data based on data security;
applying the data security policy to the client data based on the indication information.
2. The method of claim 1, wherein receiving the indication of the client data and the data security policy sent by the client device comprises:
receiving a data security policy and indication information of client data sent by a client device through a network transmission mode corresponding to a data model, wherein the data security policy is carried in the data model.
3. The method of claim 2, wherein the data model is a YANG model, and the network transport is a network configuration protocol NETCONF.
4. The method of claim 2, wherein the data model is a structured data serialized file and the network transport is a Remote Procedure Call (RPC) interface.
5. The method according to any one of claims 1 to 4, further comprising:
receiving operation indication information sent by a client device;
performing a maintenance operation on the data security policy based on the operation indication information, wherein the maintenance operation comprises one or more of querying the data security policy, deleting the data security policy and modifying the data security policy.
6. The method of any one of claims 1 to 5, wherein the set of data security capabilities includes one or more of sensitive information security capabilities, data encryption security capabilities, storage mode security capabilities, and data release security capabilities.
7. A data security policy configuration method, applied to a client device, includes:
selecting one or more data security capabilities from a data security capability set provided by a service device according to the attributes of client data to form a data security policy, wherein the client data is data which is stored on the service device side and is related to the client device, and the data security capabilities in the data security capability set are capabilities of the service device for data processing based on data security;
sending the data security policy to the service device.
8. The method of claim 7,
sending the data security policy to the service device through a network transmission mode corresponding to the data model, wherein the data security policy is carried in the data model.
9. The method of claim 8, wherein the data model is a YANG model and the network transport is a network configuration protocol NETCONF.
10. The method of claim 8, wherein the data model is a structured data serialization file and the network transport is a Remote Procedure Call (RPC) interface.
11. The method according to any of claims 7-10, further comprising:
sending operation indication information to the service device, wherein the operation indication information is used for indicating a maintenance operation on the data security policy, and the maintenance operation comprises one or more of querying the data security policy, deleting the data security policy and modifying the data security policy.
12. The method of any one of claims 7 to 11, wherein the set of data security capabilities includes one or more of sensitive information security capabilities, data encryption security capabilities, storage mode security capabilities, and data release security capabilities.
13. The method of any of claims 7 to 12, wherein before selecting one or more data security capabilities from a set of data security capabilities provided by a service device to constitute a data security policy according to attributes of client data, the method further comprises:
receiving the data security capability set sent by the service device.
14. A data security policy configuration system is characterized by comprising a client device and a service device,
the client device is used for selecting one or more data security capabilities from a data security capability set provided by a service device according to the attribute of client data to form a data security policy, the client data is data which is stored at the service device side and is related to the client device, and the data security capabilities in the data security capability set are capabilities of the service device for data processing based on data security;
the service device is used for receiving the data security policy sent by the client device and indication information of client data,
the service device is further configured to apply the data security policy to the client data based on the indication information.
15. The system of claim 14,
the client device is also used for receiving the data security capability set sent by the service device.
16. A service device, comprising: a processor and a memory, wherein the processor executes a program in the memory to run a computing service and a storage service to perform the method of any of claims 1 to 6.
17. A terminal device, comprising: a processor and a memory, wherein the processor executes a program in the memory to perform the method of any of claims 7 to 13.
18. A computer-readable storage medium comprising instructions that, when executed on a computing node, cause the computing node to perform the method of any of claims 1 to 13.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111152460.2A CN115879143A (en) | 2021-09-29 | 2021-09-29 | Data security policy configuration method, device and system |
PCT/CN2022/122075 WO2023051595A1 (en) | 2021-09-29 | 2022-09-28 | Data security policy configuration method, device and system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111152460.2A CN115879143A (en) | 2021-09-29 | 2021-09-29 | Data security policy configuration method, device and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115879143A true CN115879143A (en) | 2023-03-31 |
Family
ID=85756170
Family Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202111152460.2A Pending CN115879143A (en) | 2021-09-29 | 2021-09-29 | Data security policy configuration method, device and system |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN115879143A (en) |
WO (1) | WO2023051595A1 (en) |
Family Cites Families (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101854625B (en) * | 2009-04-03 | 2014-12-03 | 华为技术有限公司 | Selective processing method and device of security algorithm, network entity and communication system |
CN103023682A (en) * | 2011-09-26 | 2013-04-03 | 腾讯科技(深圳)有限公司 | Security policy management method and device |
CN105069362B (en) * | 2015-06-30 | 2018-04-20 | 广东轩辕网络科技股份有限公司 | A kind of storage method and device |
US10182055B2 (en) * | 2016-06-06 | 2019-01-15 | Cisco Technology, Inc. | Security policy efficacy visualization |
US10412113B2 (en) * | 2017-12-08 | 2019-09-10 | Duo Security, Inc. | Systems and methods for intelligently configuring computer security |
- 2021-09-29: CN application CN202111152460.2A, publication CN115879143A (en), status: active, Pending
- 2022-09-28: WO application PCT/CN2022/122075, publication WO2023051595A1 (en), status: active, Application Filing
Also Published As
Publication number | Publication date |
---|---|
WO2023051595A1 (en) | 2023-04-06 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication |