CN115879143A - Data security policy configuration method, device and system - Google Patents


Publication number
CN115879143A
CN115879143A CN202111152460.2A CN202111152460A CN115879143A CN 115879143 A CN115879143 A CN 115879143A CN 202111152460 A CN202111152460 A CN 202111152460A CN 115879143 A CN115879143 A CN 115879143A
Authority
CN
China
Prior art keywords
data
data security
security policy
client
service device
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202111152460.2A
Other languages
Chinese (zh)
Inventor
董文帅
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd
Priority to CN202111152460.2A (patent CN115879143A)
Priority to PCT/CN2022/122075 (patent WO2023051595A1)
Publication of CN115879143A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/54 Interprogram communication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/02 Standardisation; Integration

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Bioethics (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Storage Device Security (AREA)

Abstract

The application provides a data security policy configuration method, device and system. The method is applied to a service device and comprises: receiving a data security policy and indication information of client data, wherein the data security policy is formed by selecting, according to attributes of the client data, one or more data security capabilities from a data security capability set provided by the service device, the client data is data that is stored on the service device side and is related to the client device, and a data security capability in the data security capability set is a capability of the service device to process data based on data security; and applying the data security policy to the client data based on the indication information. The scheme allows the data security policy of specified data to be configured flexibly as required.

Description

Data security policy configuration method, device and system

Technical Field

The present application relates to the field of data communication, and in particular to a data security policy configuration method, device and system.

Background

Data, as an important asset, is of great value in today's society. With the rapid development of technologies such as the mobile Internet, cloud computing and big data in the data age, data is mined and applied ever more deeply, and various new business models have been incubated, for example location-based services such as ride hailing and food delivery, and credit-based services such as bicycle sharing and Internet finance. These services collect users' relevant information in order to provide customized and personalized services, which brings great convenience to people's lives. However, this user information often contains sensitive information such as income, assets and identity, and direct or indirect operations on it may leak user privacy and bring great security risks. To solve this problem, the stored data needs to be protected. Under existing technical conditions, each vendor stores data mechanically, simply grades and classifies the data, and applies different degrees of security protection to the data according to its grade and class. However, different users may require different levels of protection for data of the same grade and class.

Summary

The present application provides a data security policy configuration method, device and system, which can flexibly configure a data security policy for specified data as required.

In a first aspect, a data security policy configuration method is provided, which is applied to a service device and includes:

receiving a data security policy and indication information of client data sent by a client device, wherein the data security policy is formed by the client device selecting, according to attributes of the client data, one or more data security capabilities from a data security capability set provided by the service device; the client data is data that is stored on the service device side and is related to the client device; and a data security capability in the data security capability set is a capability of the service device to process data based on data security;

applying the data security policy to the client data based on the indication information.

In the above solution, one or more data security capabilities can be selected, according to the attributes of the client data, from the data security capability set provided by the service device to form a data security policy, and the data security policy is applied to the client data indicated by the indication information of the client data, so that the data security policy of specified client data can be flexibly configured as required.

In some possible designs, receiving the data security policy and the indication information of the client data sent by the client device includes:

receiving, through a network transmission mode corresponding to a data model, the data security policy and the indication information of the client data sent by the client device, wherein the data security policy is carried in the data model.

In the above solution, the data security policy is carried by the data model and transmitted through the network transmission mode corresponding to the data model, so that a flexibly configured data security policy can be transmitted between the client device and the service device.

In some possible designs, the data model is a YANG model, and the network transmission mode is the Network Configuration Protocol (NETCONF).

In the above solution, the data model is a YANG model and the network transmission mode is NETCONF, which offers a high degree of standardization, strong consistency, strong flexibility and low adaptation cost.

In some possible designs, the data model is a structured data serialization file, and the network transmission mode is a remote procedure call (RPC) interface.

In the above solution, the data model is a structured data serialization file and the network transmission mode is a remote procedure call (RPC) interface, which offers strong consistency, strong flexibility, good ease of use and a wide range of application; besides the data communication field, it can also be applied in the software field, so its field of application is broader.

In some possible designs, the method further includes:

receiving operation indication information sent by the client device;

performing a maintenance operation on the data security policy based on the operation indication information, wherein the maintenance operation includes one or more of querying the data security policy, deleting the data security policy and modifying the data security policy.

In the above solution, the client device can query, delete and modify the data security capabilities in the data security capability set by means of the operation indication information, so that the data security capability set better matches the user's needs.

In some possible designs, the data security capability set includes one or more of a sensitive information security capability, a data encryption security capability, a storage mode security capability and a data release security capability.

In the above solution, the security capabilities in the data security capability set cover sensitive information, data encryption, storage mode and data release, so the security of the client data can be ensured in multiple dimensions.
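The first-aspect flow above, sketched in Python as an added example that is not part of the application: the service device advertises its capability set, rejects any policy that selects a capability it did not offer or whose indication information names data not related to the sending client, and then serves query, modify and delete requests. The class and function names, the capability names inside each dimension and the data-to-client table are assumptions made for illustration.

```python
# Constructed capability set. The four dimensions are the ones the text names;
# the capability names inside each dimension are invented for this example.
CAPABILITY_SET = {
    "sensitive-information": {"mask", "anonymize"},
    "data-encryption": {"encrypt-at-rest", "encrypt-per-record"},
    "storage-mode": {"single-copy", "multi-copy"},
    "data-release": {"overwrite-on-release"},
}


class PolicyError(ValueError):
    """Raised when a policy or its indication information is rejected."""


def select_policy(attributes, advertised):
    """Client device: choose capabilities from the advertised set by data attributes."""
    wanted = {}
    if attributes.get("sensitive"):
        wanted["sensitive-information"] = ["mask"]
        wanted["data-encryption"] = ["encrypt-per-record"]
    if attributes.get("erase_on_release"):
        wanted["data-release"] = ["overwrite-on-release"]
    for dim, caps in wanted.items():
        missing = [c for c in caps if c not in advertised.get(dim, [])]
        if missing:
            # Fail closed: do not silently send a weaker policy than intended.
            raise PolicyError(f"service device does not offer {dim}: {missing}")
    return wanted


class ServiceDevice:
    """Service device side: advertise, validate, apply and maintain policies."""

    def __init__(self, capability_set, owners):
        self.capability_set = capability_set
        self.owners = owners      # data id -> client device the data relates to
        self.policies = {}        # data id -> policy currently applied

    def advertise(self):
        """Step S101: the capability set sent to the client device."""
        return {dim: sorted(caps) for dim, caps in self.capability_set.items()}

    def _check_policy(self, policy):
        if not isinstance(policy, dict) or not policy:
            raise PolicyError("policy selects no capability")
        for dim, caps in policy.items():
            if dim not in self.capability_set:
                raise PolicyError(f"dimension not offered: {dim}")
            extra = set(caps) - self.capability_set[dim]
            if not caps or extra:
                raise PolicyError(f"capability not offered in {dim}: {sorted(extra)}")

    def _check_scope(self, client_id, data_ids):
        if not data_ids:
            raise PolicyError("indication information names no data")
        for data_id in data_ids:
            if self.owners.get(data_id) != client_id:
                raise PolicyError(f"{data_id} is not data of {client_id}")

    def apply(self, client_id, policy, data_ids):
        """Apply the policy to the indicated data; validate everything first."""
        self._check_policy(policy)
        self._check_scope(client_id, data_ids)
        for data_id in data_ids:
            self.policies[data_id] = {d: sorted(c) for d, c in policy.items()}
        return sorted(data_ids)

    def maintain(self, client_id, operation, data_id, policy=None):
        """Maintenance operations: query, delete or modify a stored policy."""
        self._check_scope(client_id, [data_id])
        if operation == "query":
            return self.policies.get(data_id)
        if operation == "delete":
            return self.policies.pop(data_id, None)
        if operation == "modify":
            self._check_policy(policy)
            self.policies[data_id] = {d: sorted(c) for d, c in policy.items()}
            return self.policies[data_id]
        raise PolicyError(f"unsupported maintenance operation: {operation}")


if __name__ == "__main__":
    device = ServiceDevice(CAPABILITY_SET, {"rec-1": "client-A", "rec-2": "client-B"})
    chosen = select_policy({"sensitive": True}, device.advertise())
    print(device.apply("client-A", chosen, ["rec-1"]))
    print(device.maintain("client-A", "query", "rec-1"))
```

Both checks run before any policy is stored, so a request that mixes the client's own data with another client's data changes nothing.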

In a second aspect, a data security policy configuration method is provided, which is applied to a client device and includes:

selecting, according to attributes of client data, one or more data security capabilities from a data security capability set provided by a service device to form a data security policy, wherein the client data is data that is stored on the service device side and is related to the client device, and a data security capability in the data security capability set is a capability of the service device to process data based on data security;

sending the data security policy to the service device.

In some possible designs, the data security policy is sent to the service device through a network transmission mode corresponding to a data model, wherein the data security policy is carried in the data model.

In some possible designs, the data model is a YANG model, and the network transmission mode is the Network Configuration Protocol (NETCONF).

In some possible designs, the data model is a structured data serialization file, and the network transmission mode is a remote procedure call (RPC) interface.

In some possible designs, the method further includes:

sending operation indication information to the service device, wherein the operation indication information is used to indicate that a maintenance operation is to be performed on the data security policy, and the maintenance operation includes one or more of querying the data security policy, deleting the data security policy and modifying the data security policy.

In some possible designs, the data security capability set includes one or more of a sensitive information security capability, a data encryption security capability, a storage mode security capability and a data release security capability.

In some possible designs, before selecting, according to the attributes of the client data, one or more data security capabilities from the data security capability set provided by the service device to form the data security policy, the method further includes:

receiving the data security capability set sent by the service device.

In a third aspect, a data security policy configuration system is provided, including a client device and a service device.

The client device is configured to select, according to attributes of client data, one or more data security capabilities from a data security capability set provided by the service device to form a data security policy, wherein the client data is data that is stored on the service device side and is related to the client device, and a data security capability in the data security capability set is a capability of the service device to process data based on data security.

The service device is configured to receive the data security policy and the indication information of the client data sent by the client device.

The service device is further configured to apply the data security policy to the client data based on the indication information.

In some possible designs, the client device is configured to send the data security policy to the service device through a network transmission mode corresponding to a data model, wherein the data security policy is carried in the data model.

In some possible designs, the data model is a YANG model, and the network transmission mode is the Network Configuration Protocol (NETCONF).

In some possible designs, the data model is a structured data serialization file, and the network transmission mode is a remote procedure call (RPC) interface.

In some possible designs, the client device is configured to send operation indication information to the service device, wherein the operation indication information is used to indicate that a maintenance operation is to be performed on the data security policy, and the maintenance operation includes one or more of querying the data security policy, deleting the data security policy and modifying the data security policy.

In some possible designs, the data security capability set includes one or more of a sensitive information security capability, a data encryption security capability, a storage mode security capability and a data release security capability.

In some possible designs, the client device is further configured to receive the data security capability set sent by the service device.

In a fourth aspect, a service device is provided, including a processor and a memory, wherein the processor executes a program in the memory to run computing services and storage services, so as to perform the method according to any one of the first aspect.

In a fifth aspect, a terminal device is provided, including a processor and a memory, wherein the processor executes a program in the memory, so as to perform the method according to any one of the second aspect.

In a sixth aspect, a computer-readable storage medium is provided, which includes instructions that, when run on a computing node, cause the computing node to perform the method according to any one of the first aspect and any one of the second aspect.

Brief Description of the Drawings

In order to describe the technical solutions in the embodiments of the present application or in the background more clearly, the drawings used in the embodiments of the present application or in the background are described below.

FIG. 1 is a schematic structural diagram of a data security policy configuration system provided by the present application;

FIG. 2 is a more detailed schematic structural diagram of the data security policy configuration system shown in FIG. 1;

FIG. 3 is a schematic structural diagram of a data security policy configuration method provided by the present application;

FIG. 4 is a schematic structural diagram of a data security policy configuration method provided by the present application;

FIG. 5 is a schematic structural diagram of a data security policy configuration system provided by the present application;

FIG. 6 is a schematic structural diagram of a service device provided by the present application;

FIG. 7 is a schematic structural diagram of a terminal device provided by the present application.

Detailed Description

Referring to FIG. 1, FIG. 1 is a schematic structural diagram of the data security policy configuration system provided by the present application. As shown in FIG. 1, the data security policy configuration system provided by this application includes a client device side 110 and a service device side 120.

The client device side 110 is a terminal device capable of sending and receiving data. For example, the client device side 110 may be any of various types of user equipment (UE), a mobile phone, a tablet computer (pad), a desktop computer, an earphone, a speaker and so on. The client device side 110 may also be a machine intelligence device such as a self-driving device, a transportation safety device, a virtual reality (VR) terminal device, an augmented reality (AR) terminal device, a machine type communication (MTC) device, an industrial control device, a remote medical device, a smart grid device or a smart city device, or a wearable device (such as a smart watch, a smart bracelet or a pedometer). In addition, the client device side 110 may be a vehicle cockpit domain device, or a module in a vehicle cockpit device, for example one or more of a cockpit domain controller (CDC), a camera, a screen, a microphone, a speaker, an electronic key, and a keyless entry or start system controller. In some scenarios, a terminal device with similar data sending and receiving capabilities may go by a name other than client device side 110, but for convenience of description, terminals with data sending and receiving capabilities are collectively referred to as the client device side 110 in the embodiments of this application.

The service device side 120 is an electronic device with data storage capability. For example, the service device side 120 may be any of various types of servers, a local area network system composed of multiple servers, or a small or large system composed of servers, network devices and storage devices, such as a data center, a cloud system (including public cloud, private cloud and hybrid cloud), an edge computing system and so on.

The client device is deployed on the client device side 110, and the service device is deployed on the service device side 120. Acting together, the service device and the client device provide storage and related security services for data. Both the service device and the client device may be provided by the manufacturer or operator of the service device side. The client device provided by the manufacturer or operator can be uploaded online and downloaded by the customer to the client device side 110.

It can be understood that the one-layer network structure of the data security policy configuration system shown in FIG. 1 and the number of terminal devices in the system are only a specific example. In other embodiments, the network structure may also be a two-layer network structure, a three-layer network structure and so on, and the number of terminals may be smaller or larger, which is not specifically limited here.

参见图2,图2是图1所示的数据安全策略配置系统的更详细的结构示意图。在图2中,服务装置侧120可以是分布式存储系统,也可以是集中式存储系统。下面将以集中式存储系统为例进行说明。集中式存储系统包括应用服务器121、光纤交换机122、存储系统123。用户通过应用程序来存取数据。运行这些应用程序的计算机被称为“应用服务器”。应用服务器121可以是物理机,也可以是虚拟机。物理应用服务器包括但不限于桌面电脑、服务器、笔记本电脑以及移动设备。应用服务器121通过光纤交换机122访问存储系统123以存取数据。然而,光纤交换机122只是一个可选设备,应用服务器121也可以直接通过网络与存储系统123通信。集中式存储系统的特点是有一个统一的入口,所有从外部设备来的数据都要经过这个入口,这个入口就是集中式存储系统的引擎124。引擎124是集中式存储系统中最为核心的部件,许多存储系统的高级功能都在其中实现。Referring to FIG. 2 , FIG. 2 is a more detailed structural diagram of the data security policy configuration system shown in FIG. 1 . In FIG. 2, the server side 120 may be a distributed storage system or a centralized storage system. The centralized storage system will be described below as an example. The centralized storage system includes an application server 121 , a fiber switch 122 , and a storage system 123 . Users access data through applications. The computers running these applications are called "application servers". The application server 121 may be a physical machine or a virtual machine. Physical application servers include, but are not limited to, desktops, servers, laptops, and mobile devices. The application server 121 accesses the storage system 123 through the optical fiber switch 122 to access data. However, the optical fiber switch 122 is only an optional device, and the application server 121 can also directly communicate with the storage system 123 through the network. The characteristic of the centralized storage system is that there is a unified entrance, and all data from external devices must pass through this entrance, and this entrance is the engine 124 of the centralized storage system. The engine 124 is the most core component in the centralized storage system, where many advanced functions of the storage system are implemented.

引擎124中有一个或多个控制器,图2以引擎124包含两个控制器为例予以说明。控制器0与控制器1之间具有镜像通道,那么当控制器0将一份数据写入其内存126后,可以通过所述镜像通道将所述数据的副本发送给控制器1,控制器1将所述副本存储在自己本地的内存134中。由此,控制器0和控制器1互为备份,当控制器0发生故障时,控制器1可以接管控制器0的业务,当控制器1发生故障时,控制器0可以接管控制器1的业务,从而避免硬件故障导致整个存储系统的不可用。当引擎124中部署有4个控制器时,任意两个控制器之间都具有镜像通道,因此任意两个控制器互为备份。There are one or more controllers in the engine 124 , and FIG. 2 illustrates that the engine 124 includes two controllers as an example. There is a mirror channel between controller 0 and controller 1, so when controller 0 writes a piece of data into its memory 126, it can send a copy of the data to controller 1 through the mirror channel, and controller 1 Store the copy in its own local memory 134 . Therefore, controller 0 and controller 1 are mutual backups. When controller 0 fails, controller 1 can take over the business of controller 0. When controller 1 fails, controller 0 can take over the business of controller 1. business, thereby avoiding the unavailability of the entire storage system caused by hardware failure. When four controllers are deployed in the engine 124, there is a mirror channel between any two controllers, so any two controllers are mutual backups.

引擎124还包含前端接口127和后端接口128,其中前端接口127用于与应用服务器121通信,从而为应用服务器120提供存储服务。而后端接口128用于与硬盘129通信,以扩充存储系统的容量。通过后端接口128,引擎124可以连接更多的硬盘129,从而形成一个非常大的存储资源池。The engine 124 also includes a front-end interface 127 and a back-end interface 128 , wherein the front-end interface 127 is used to communicate with the application server 121 to provide storage services for the application server 120 . The back-end interface 128 is used to communicate with the hard disk 129 to expand the capacity of the storage system. Through the back-end interface 128, the engine 124 can be connected with more hard disks 129, thereby forming a very large storage resource pool.

在硬件上,控制器0至少包括处理器125、内存126。处理器125是一个中央处理器(central processing unit,CPU),用于处理来自存储系统外部(服务器或者其他存储系统)的数据访问请求,也用于处理存储系统内部生成的请求。示例性的,处理器125通过前端接口127接收应用服务器121发送的写数据请求时,会将这些写数据请求中的数据暂时保存在内存126中。当内存126中的数据总量达到一定阈值时,处理器125通过后端接口128将内存126中存储的数据发送给硬盘129进行持久化存储。In terms of hardware, the controller 0 includes at least a processor 125 and a memory 126 . The processor 125 is a central processing unit (central processing unit, CPU), used for processing data access requests from outside the storage system (server or other storage systems), and also used for processing requests generated inside the storage system. Exemplarily, when the processor 125 receives the write data request sent by the application server 121 through the front-end interface 127 , it will temporarily save the data in the write data request in the memory 126 . When the total amount of data in the memory 126 reaches a certain threshold, the processor 125 sends the data stored in the memory 126 to the hard disk 129 through the backend interface 128 for persistent storage.

内存126是指与处理器直接交换数据的内部存储器,它可以随时读写数据,而且速度很快,作为操作系统或其他正在运行中的程序的临时数据存储器。内存包括至少两种存储器,例如内存既可以是随机存取存储器,也可以是只读存储器(read only memory,ROM)。举例来说,随机存取存储器是动态随机存取存储器(dynamic random access memory,DRAM),或者存储级存储器(storage class memory,SCM)。DRAM是一种半导体存储器,与大部分随机存取存储器(random access memory,RAM)一样,属于一种易失性存储器(volatile memory)设备。SCM是一种同时结合传统储存装置与存储器特性的复合型储存技术,存储级存储器能够提供比硬盘更快速的读写速度,但存取速度上比DRAM慢,在成本上也比DRAM更为便宜。然而,DRAM和SCM在本实施例中只是示例性的说明,内存还可以包括其他随机存取存储器,例如静态随机存取存储器(static random access memory,SRAM)等。而对于只读存储器,举例来说,可以是可编程只读存储器(programmable read only memory,PROM)、可抹除可编程只读存储器(erasable programmable read only memory,EPROM)等。另外,内存126还可以是双列直插式存储器模块或双线存储器模块(dual in-line memorymodule,DIMM),即由动态随机存取存储器(DRAM)组成的模块,还可以是固态硬盘(solidstate disk,SSD)。实际应用中,控制器0中可配置多个内存126,以及不同类型的内存126。本实施例不对内存126的数量和类型进行限定。此外,可对内存126进行配置使其具有保电功能。保电功能是指系统发生掉电又重新上电时,内存126中存储的数据也不会丢失。具有保电功能的内存被称为非易失性存储器。The memory 126 refers to an internal memory directly exchanging data with the processor. It can read and write data at any time, and the speed is very fast. It is used as a temporary data storage for the operating system or other running programs. The memory includes at least two types of memory, for example, the memory can be either a random access memory or a read only memory (ROM). For example, the random access memory is dynamic random access memory (DRAM), or storage class memory (storage class memory, SCM). DRAM is a semiconductor memory, and like most random access memories (random access memory, RAM), it is a volatile memory (volatile memory) device. SCM is a composite storage technology that combines the characteristics of traditional storage devices and memory. Storage-class memory can provide faster read and write speeds than hard disks, but the access speed is slower than DRAM, and the cost is also cheaper than DRAM. . However, the DRAM and the SCM are only illustrative in this embodiment, and the memory may also include other random access memories, such as static random access memory (static random access memory, SRAM). 
As for the read only memory, for example, it may be programmable read only memory (programmable read only memory, PROM), erasable programmable read only memory (erasable programmable read only memory, EPROM) and so on. In addition, the memory 126 can also be a dual in-line memory module or a dual in-line memory module (DIMM), that is, a module composed of dynamic random access memory (DRAM), or a solid state hard disk (solid state). disk, SSD). In practical applications, multiple memories 126 and different types of memories 126 may be configured in the controller 0 . This embodiment does not limit the quantity and type of the memory 126 . In addition, the memory 126 can be configured to have a power saving function. The power saving function means that the data stored in the internal memory 126 will not be lost when the system is powered off and then powered on again. Memory with a power saving function is called non-volatile memory.

内存126中存储有软件程序,处理器125运行内存126中的软件程序可实现对硬盘的管理。例如将硬盘抽象化为存储资源池,然后划分为LUN提供给服务器使用等。这里的LUN其实就是在服务器上看到的硬盘。当然,一些集中式存储系统本身也是文件服务器,可以为服务器提供共享文件服务。The memory 126 stores software programs, and the processor 125 runs the software programs in the memory 126 to manage the hard disk. For example, hard disks are abstracted into storage resource pools, and then divided into LUNs for use by servers. The LUN here is actually the hard disk seen on the server. Of course, some centralized storage systems are also file servers themselves, which can provide shared file services for servers.

The hardware components and software structure of the controller 1, and of other controllers not shown in the figure, are similar to those of the controller 0 and are not described again here.

It should be noted that only one engine 124 is shown in FIG. 2; in practical applications, however, the storage system may include two or more engines 124, with redundancy or load balancing among the multiple engines 124.

FIG. 2 shows a centralized storage system with integrated disks and controllers. In this system, the engine 124 has hard disk slots, and the hard disks 129 can be deployed directly in the engine 124. The back-end interface 128 is an optional configuration: when the storage space of the system is insufficient, more hard disks or disk enclosures can be connected through the back-end interface 128.

It can be understood that the data security policy configuration system shown in FIG. 2 is only a specific example. In other embodiments, the data security policy configuration system may include more or fewer components, which is not specifically limited here.

Referring to FIG. 3, FIG. 3 is a schematic structural diagram of a data security policy configuration method provided by this application. As shown in FIG. 3, the data security policy configuration method provided in this embodiment includes the following steps:

S101: The service device sends a data security capability set to the client device. Correspondingly, the client device receives the data security capability set sent by the service device.

In a specific embodiment, the data security capability set may include one or more data security capabilities. A data security capability is a capability of the service device to process data on the basis of data security. The data security capability set may include data security capabilities of multiple dimensions, and each dimension may include one or more data security capabilities. The more dimensions the data security capability set contains, the more comprehensive the data security capabilities are, but the more storage and transmission resources are occupied; conversely, the fewer dimensions the set contains, the more one-sided the data security capabilities are, but the fewer storage and transmission resources are occupied. It can be understood that different service devices may provide different data security capability sets. For example, a first service device may provide data security capabilities in 3 dimensions, each dimension including 3 data security capabilities, and a second service device may provide data security capabilities in 10 dimensions, each dimension including 12 data security capabilities, and so on. The dimensions of the data security capability set that the service device provides to the client device, and the data security capabilities in each dimension, may be fixed or may change. For example, the data security capability set that the service device provides to the client device may fixedly include data security capabilities in 3 dimensions, each dimension including 3 data security capabilities. Alternatively, the set may at first include data security capabilities in 3 dimensions, each dimension including 3 data security capabilities, and later be expanded to include data security capabilities in 10 dimensions, each dimension including 12 data security capabilities. For simplicity, the above examples all assume that every dimension has the same number of data security capabilities; in practical applications, the number of data security capabilities in each dimension may differ, which is not specifically limited here.

In a more specific embodiment, the data security capability set may include one or more of the following dimensions of data security capability: sensitive information security capability, data encryption security capability, storage mode security capability, and data release security capability. The sensitive information security capability can provide different strengths of protection for different data categories, for example asset information, identity information, biometric information, consumption habit information, travel information, and so on. The data encryption security capability can provide different strengths of protection by encrypting with different encryption algorithms, for example no encryption algorithm, the data encryption algorithm (DEA), or the Ron Rivest-Adi Shamir-Leonard Adleman algorithm (RSA algorithm for short). The storage mode security capability can provide different strengths of protection by using different storage isolation methods, for example physical isolation (physical_isolation) and logical isolation (logic_isolation). The data release security capability can provide different strengths of protection by offering different data release methods, for example direct release (direct), recyclable (recycle), address overwrite required (reset), and so on.

In a specific embodiment, the client device may obtain the data security capability set from the service device by consulting a manual, through protocol negotiation, or by other means.

S102: The client device selects, according to the attributes of the client data, one or more data security capabilities from the data security capability set provided by the service device to form a data security policy.

In a specific embodiment, the client data is data that is stored on the service device side and is related to the client device. The client data may be stored in the service device, or in a memory connected to the service device, and so on. The client data may be any data related to the client device, for example asset data, shopping data, travel data, identity data, address data, work data, biometric data, and so on uploaded by the client device.

In a specific embodiment, the attributes of the client data may include data confidentiality, data volume, data structure, data length, data storage method, data repetitiveness, data collection method, data credibility, data commonality, data directivity, and so on. In addition, the attributes of the client data may be other self-defined attributes, which are not specifically limited here.

In a specific embodiment, the data security policy may be composed of one or more data security capabilities selected from the data security capability set. The data security policy may be composed of multiple data security capabilities selected from the same dimension of the data security capability set, or of multiple data security capabilities selected from several dimensions of the set, which is not specifically limited here. As an example, a data security policy may be composed of biometric information selected from the sensitive information security capability, the RSA algorithm selected from the data encryption security capability, physical isolation selected from the storage mode security capability, and direct release selected from the data release security capability. It can be understood that this is only a specific example. In other embodiments, the data security policy may include more or fewer data security capabilities, or the data security capabilities may be selected from other dimensions, which is not specifically limited here.

In a specific embodiment, the data security policy may be carried in a data model. The data model may be a YANG model, a structured data serialization (proto) file, JSON, extensible markup language (XML), Thrift, and so on.

In a specific embodiment, the data security policy can be edited by the client device. Specifically, the client device sends operation indication information to the service device. Correspondingly, the service device receives the operation indication information sent by the client device. The service device performs a maintenance operation on the data security policy based on the operation indication information. The maintenance operation includes one or more of querying the data security policy, deleting the data security policy, and modifying the data security policy. In a more specific embodiment, the client device may learn the data security capability set of the service device through Hello message negotiation, may modify the data security policy through the NETCONF edit-config instruction of the network configuration protocol (NETCONF), may query and modify the data security policy through the NETCONF get-config instruction, may delete the data security policy through the NETCONF delete-config instruction, and so on.

S103: The client device sends the data security policy and indication information of the client data to the service device. Correspondingly, the service device receives the data security policy and the indication information of the client data sent by the client device.

In a specific embodiment, when the client device sends the data security policy and the indication information of the client data to the service device, the data security policy and the indication information of the client data may be carried in the same instruction, or may be carried separately in two successive instructions.

In a specific embodiment, the client device sends the data security policy to the service device through the network transmission method that corresponds to the data model. For example, when the data model is a YANG model, the client device may send the data security policy to the service device through the NETCONF corresponding to the YANG model. When the data model is a YANG model, the client device may send the data security policy to the service device through the remote procedure call (RPC) interface corresponding to the proto file.

In a specific embodiment, the indication information of the client data may be a unique identifier of the client data, for example path information of the client data, tag information of the client data, and so on, which is not specifically limited here. The indication information may be carried in a data model or may be independent of any data model. When the indication information is carried in a data model, the data security policy and the indication information may be carried in different kinds of data model, for example the data security policy in a YANG model and the indication information in a proto file; or the data security policy and the indication information may be carried in two different data models of the same kind, for example the data security policy in a first YANG model and the indication information in a second YANG model; or the data security policy and the indication information may be carried in the same data model, for example in the same YANG model.

S104: The service device applies the data security policy to the client data based on the indication information.

In a specific embodiment, the service device applies the data security policy to the client data based on the indication information in at least the following two ways: (1) the service device automatically applies the data security policy to the client data according to the indication information; (2) the client device instructs the service device, through the NETCONF edit-config instruction, to apply the data security policy to the client data according to the indication information.

In the above solution, one or more data security capabilities can be selected from the data security capability set provided by the service device according to the attributes of the client data to form a data security policy, and the data security policy is applied to the client data indicated by the indication information of the client data, so that the data security policy of specified client data can be configured flexibly as needed.

When the client data includes multiple pieces of data, different data security policies may be specified for them through the data security policy configuration method shown in FIG. 3. For example, when the client data includes data 1, data 2, and data 3, data security policy 1 may be specified for data 1, data security policy 2 for data 2, and data security policy 3 for data 3. As another example, when the client data includes data 1, data 2, and data 3, data security policy 1 may be specified for data 1, data security policy 1 for data 2, and data security policy 2 for data 3. It can be understood that these are only specific examples. In practical applications, the number of pieces of client data, the number of data security policies, and the correspondence between client data and data security policies may all differ, which is not specifically limited here.

Referring to FIG. 4, FIG. 4 is a schematic structural diagram of a data security policy configuration method provided by this application. As shown in FIG. 4, the data security policy configuration method provided in this embodiment includes the following steps:

S201: The service device sends a data security capability set to the client device. Correspondingly, the client device receives the data security capability set sent by the service device.

S202: The client device selects, according to the attributes of the client data, one or more data security capabilities from the data security capability set provided by the service device to form a data security policy.

S203: The client device sends the data security policy and the identifier of the data security policy to the service device. Correspondingly, the service device receives the data security policy and the identifier of the data security policy sent by the client device.

In a specific embodiment, the client device may repeat steps S202 to S203 to configure multiple data security policies. For example, the client device may repeat steps S202 to S203 five times to configure data security policy 1 to data security policy 5, then establish a unique identifier for each of data security policy 1 to data security policy 5, and send data security policy 1 to data security policy 5 together with their unique identifiers to the service device.

S204: The service device stores the data security policy.

In a specific embodiment, continuing the example in step S203, the service device may store data security policy 1 to data security policy 5 in correspondence with their unique identifiers. In a more specific embodiment, the service device may store a data security policy table as shown in Table 1:

Table 1 Data security policy table

[Table 1 appears as images in the original publication: Figure BDA0003287571980000081, Figure BDA0003287571980000091]

It can be understood that Table 1 is only a specific example. In other embodiments, the identifiers of the data security policies and the data security policies may be stored in other forms, which is not specifically limited here.

S205: The client device sends the identifier of the data security policy and the indication information of the client data to the service device. Correspondingly, the service device receives the identifier of the data security policy and the indication information of the client data sent by the client device.

S206: The service device applies, based on the indication information, the data security policy found according to the identifier to the client data.

In a specific embodiment, continuing the example in step S203, the service device may apply the data security policies to the client data as follows: the service device applies data security policy 1 to client data 1-1000, data security policy 2 to client data 1001-10000, data security policy 3 to client data 10001-20000, and so on.

For brevity, this embodiment does not describe in detail the data security capability set, the data security capabilities, the way the data security capability set is edited, the client data, the attributes of the client data, the data security policy, or the indication information of the client data; for details, see FIG. 3 and the related description.
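The S201 to S206 exchange described above, as an added Python example that is not part of the application text; the FIG. 3 flow (S101 to S104) is the same without the identifier lookup. The class and function names, the dictionary layout of the capability set, the attribute-to-capability rules, and the rejection of duplicate identifiers and overlapping ranges are assumptions made for this illustration.

```python
"""Added illustration of steps S201-S206; every name below is hypothetical."""
from dataclasses import dataclass, field

# Capability set advertised by the service device (S101/S201). The dimension
# and capability names come from the description; the dict layout is assumed.
CAPABILITY_SET = {
    "sensitive_info": {"asset", "identity", "biometric", "consumption", "travel"},
    "encryption": {"none", "DEA", "RSA"},
    "storage_mode": {"physical_isolation", "logic_isolation"},
    "release": {"direct", "recycle", "reset"},
}


class PolicyError(ValueError):
    """A policy or binding that the receiving side refuses."""


def build_policy(attributes, capability_set):
    """Client device, S102/S202: choose capabilities from the advertised set
    based on attributes of the client data. The mapping rules are constructed
    for this example; the description leaves them to the client."""
    confidential = attributes.get("confidential", False)
    wanted = {
        "sensitive_info": attributes.get("category"),
        "encryption": "RSA" if confidential else "none",
        "storage_mode": "physical_isolation" if confidential else "logic_isolation",
        "release": "reset" if confidential else "direct",
    }
    policy = {}
    for dimension, capability in wanted.items():
        if capability in capability_set.get(dimension, ()):
            policy[dimension] = {capability}
        elif confidential:
            # Fail closed: never silently weaken protection of confidential data.
            raise PolicyError(f"{dimension}={capability} is not offered")
    return policy


@dataclass
class ServiceDevice:
    capability_set: dict
    policies: dict = field(default_factory=dict)  # identifier -> policy (Table 1)
    bindings: list = field(default_factory=list)  # (first, last, identifier)

    def validate(self, policy):
        """Re-check the client's policy against what was actually advertised."""
        if not policy:
            raise PolicyError("empty policy")
        for dimension, capabilities in policy.items():
            offered = self.capability_set.get(dimension)
            if offered is None:
                raise PolicyError(f"unknown dimension {dimension!r}")
            if not capabilities or not set(capabilities) <= offered:
                raise PolicyError(f"unsupported capability in {dimension!r}")

    def store_policy(self, identifier, policy):
        """S203/S204: store a validated policy under its unique identifier."""
        self.validate(policy)
        if identifier in self.policies:  # assumption: identifiers are not reused
            raise PolicyError(f"identifier {identifier!r} already in use")
        self.policies[identifier] = {d: frozenset(c) for d, c in policy.items()}

    def bind(self, identifier, first, last):
        """S205/S206: apply a stored policy to client data first..last."""
        if identifier not in self.policies:
            raise PolicyError(f"no policy with identifier {identifier!r}")
        if first > last:
            raise PolicyError("empty data range")
        for lo, hi, other in self.bindings:  # assumption: one policy per item
            if first <= hi and lo <= last:
                raise PolicyError(f"range overlaps data bound to policy {other!r}")
        self.bindings.append((first, last, identifier))

    def policy_for(self, data_id):
        """Return (identifier, policy) governing one data item, or None."""
        for lo, hi, identifier in self.bindings:
            if lo <= data_id <= hi:
                return identifier, self.policies[identifier]
        return None


def rejected(call, *args):
    """True if the request is refused with PolicyError."""
    try:
        call(*args)
    except PolicyError:
        return True
    return False


if __name__ == "__main__":
    service = ServiceDevice(CAPABILITY_SET)
    service.store_policy(1, build_policy(
        {"category": "biometric", "confidential": True}, CAPABILITY_SET))
    service.store_policy(2, build_policy({"category": "travel"}, CAPABILITY_SET))
    service.bind(1, 1, 1000)       # ranges follow the S206 example
    service.bind(2, 1001, 10000)
    print(service.policy_for(1000))
    print(rejected(service.store_policy, 3, {"encryption": {"AES"}}))
    print(rejected(service.bind, 9, 10001, 20000))
```

The service device re-validates every submitted policy against its own capability set, so a client cannot install a capability that was never advertised, and a binding that names an unknown identifier is refused rather than leaving data without a policy.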

Referring to FIG. 5, FIG. 5 is a schematic structural diagram of a data security policy configuration system provided by this application. As shown in FIG. 5, the data security policy configuration system of this embodiment includes a client device 210 and a service device 220.

The client device 210 may include a composition module 211 and a sending module 212.

The composition module 211 is configured to select, according to the attributes of the client data, one or more data security capabilities from the data security capability set provided by the service device to form a data security policy, where the client data is data that is stored on the service device side and is related to the client device, and a data security capability in the data security capability set is a capability of the service device to process data on the basis of data security.

The sending module 212 is configured to send the data security policy to the service device.

The service device 220 may include a receiving module 221 and an application module 222.

The receiving module 221 is configured to receive the data security policy and the indication information of the client data sent by the client device, where the data security policy is formed by the client device by selecting, according to the attributes of the client data, one or more data security capabilities from the data security capability set provided by the service device, the client data is data that is stored on the service device side and is related to the client device, and a data security capability in the data security capability set is a capability of the service device to process data on the basis of data security;

The application module 222 is configured to apply the data security policy to the client data based on the indication information.

In the above solution, the client device 210 and the service device 220 are described only by way of the above division into functional modules. In practical applications, the above functions may be assigned to different functional modules as needed; that is, the internal structure of the client device 210 and the service device 220 may be divided into different functional modules to perform all or part of the functions described above.

For brevity, this embodiment does not describe in detail the data security capability set, the data security capabilities, the way the data security capability set is edited, the client data, the attributes of the client data, the data security policy, or the indication information of the client data; for details, see FIG. 3 and the related description. The client device 210 in the data security policy configuration system of FIG. 5 can perform the steps performed by the client device in the data security policy configuration methods shown in FIG. 3 and FIG. 4, and the service device 220 in the data security policy configuration system of FIG. 5 can perform the steps performed by the service device in the data security policy configuration methods shown in FIG. 3 and FIG. 4.

Referring to FIG. 6, FIG. 6 shows a schematic structural diagram of a service device 300 provided by an exemplary embodiment of this application. The service device 300 may be implemented with a general bus architecture.

The service device 300 includes at least one processor 301, a communication bus 302, a memory 303, and at least one communication interface 304.

The processor 301 may be a general-purpose CPU, an NP, a microprocessor, or one or more integrated circuits for implementing the solution of this application, for example an application-specific integrated circuit (ASIC), a programmable logic device (PLD), or a combination thereof. The PLD may be a complex programmable logic device (CPLD), a field-programmable gate array (FPGA), generic array logic (GAL), or any combination thereof.

The communication bus 302 is used to transfer information between the above components. The communication bus 302 may be divided into an address bus, a data bus, a control bus, and so on. For ease of representation, only one thick line is used in the figure, but this does not mean that there is only one bus or one type of bus.

The memory 303 may be a read-only memory (ROM) or another type of static storage device capable of storing static information and instructions, a random access memory (RAM) or another type of dynamic storage device capable of storing information and instructions, an electrically erasable programmable read-only memory (EEPROM), a compact disc read-only memory (CD-ROM) or other optical disc storage (including compact discs, laser discs, optical discs, digital versatile discs, Blu-ray discs, and so on), a magnetic disk storage medium or other magnetic storage device, or any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to these. The memory 303 may exist independently and be connected to the processor 301 through the communication bus 302. The memory 303 may also be integrated with the processor 301.

The communication interface 304 uses any transceiver-like apparatus to communicate with other devices or a communication network. The communication interface 304 includes a wired communication interface and may also include a wireless communication interface. The wired communication interface may be, for example, an Ethernet interface. The Ethernet interface may be an optical interface, an electrical interface, or a combination thereof. The wireless communication interface may be a wireless local area network (WLAN) interface, a cellular network communication interface, or a combination thereof.

In a specific implementation, as an embodiment, the processor 301 may include one or more CPUs, such as CPU0 and CPU1 shown in FIG. 6.

In a specific implementation, as an embodiment, the service device 300 may include multiple processors, such as the processor 301 and the processor 305 shown in FIG. 6. Each of these processors may be a single-core processor (single-CPU) or a multi-core processor (multi-CPU). A processor here may refer to one or more devices, circuits, and/or processing cores for processing data (such as computer program instructions).

In a specific implementation, as an embodiment, the service device 300 may further include an output device and an input device. The output device communicates with the processor 301 and can display information in a variety of ways. For example, the output device may be a liquid crystal display (LCD), a light emitting diode (LED) display device, a cathode ray tube (CRT) display device, a projector, or the like. The input device communicates with the processor 301 and can receive user input in a variety of ways. For example, the input device may be a mouse, a keyboard, a touch screen device, a sensing device, or the like.

In some embodiments, the memory 303 is used to store program code 310 for executing the solution of this application, and the processor 301 can execute the program code 310 stored in the memory 303. That is, the service device 300 can implement, through the processor 301 and the program code 310 in the memory 303, the steps performed by the service device in the method embodiments shown in FIG. 3 and FIG. 4. In other words, the service device of FIG. 3 and FIG. 4 may be deployed on the service device 300 shown in FIG. 6.

The service device 300 in the embodiments of the present application may correspond to the service device in the method embodiments above, and the processor 301, the communication interface 304, and so on in the service device 300 can implement the functions of, and/or the various steps and methods performed by, the devices in the method embodiments above. For the sake of brevity, details are not repeated here.

The receiving module 221 in the service device 220 in FIG. 5 may correspond to the communication interface 304 in the service device 300; the application module 222 of the service device 300 may correspond to the processor 301 in the service device 300.

Referring to FIG. 7, which takes a smart terminal as an example of the terminal device, FIG. 7 is a structural block diagram of a smart terminal in one implementation. As shown in FIG. 7, the smart terminal may include: a baseband chip 410, a memory 415 (including one or more computer-readable storage media), a radio frequency (RF) module 416, and a peripheral system 417. These components may communicate over one or more communication buses 414.

The peripheral system 417 is mainly used to implement interaction between the smart terminal and the user or external environment, and mainly includes the input and output devices of the smart terminal. In a specific implementation, the peripheral system 417 may include: a touch screen controller 418, a key controller 419, an audio controller 420, and a sensor management module 421. Each controller may be coupled to its corresponding peripheral device, such as the touch screen 423, the keys 424, the audio circuit 425, and the sensors 426. In some embodiments, a gesture sensor among the sensors 426 may be used to receive gesture control operations input by the user. A pressure sensor among the sensors 426 may be disposed under the touch screen 423 and used to collect the touch pressure applied to the touch screen 423 when the user inputs a touch operation through it. It should be noted that the peripheral system 417 may also include other I/O peripherals.

The baseband chip 410 may integrate: one or more processors 411, a clock module 412, and a power management module 413. The clock module 412 integrated in the baseband chip 410 is mainly used to generate, for the processor 411, the clocks required for data transmission and timing control. The power management module 413 integrated in the baseband chip 410 is mainly used to provide a stable, high-precision voltage for the processor 411, the radio frequency module 416, and the peripheral system.

The radio frequency (RF) module 416 is used to receive and send radio frequency signals, and mainly integrates the receiver and transmitter of the smart terminal. The RF module 416 communicates with communication networks and other communication devices through radio frequency signals. In a specific implementation, the RF module 416 may include, but is not limited to: an antenna system, an RF transceiver, one or more amplifiers, a tuner, one or more oscillators, a digital signal processor, a CODEC chip, a SIM card, a storage medium, and the like. In addition, the RF module 416 may also include short-range wireless communication modules such as Wi-Fi and Bluetooth. In some embodiments, the RF module 416 may be implemented on a separate chip.

The memory 415 may include random access memory (RAM), flash memory, and the like, and may also be RAM, read-only memory (ROM), a hard disk drive (HDD), or a solid-state drive (SSD). The memory 415 may store an operating system, communication programs, user interface programs, a browser, a data security application, other data security applications, and so on.

In some embodiments, the memory 415 is used to store the program code that implements the solution of the present application, and the baseband chip 410 can execute the program code stored in the memory 415. That is, the terminal device can implement, through the baseband chip 410 and the program code in the memory 415, the steps performed by the client device in the method embodiments shown in FIG. 3 and FIG. 4. In other words, the client device shown in FIG. 3 and FIG. 4 may be deployed on the terminal device shown in FIG. 7.

The terminal device in the embodiments of the present application may correspond to the client device in the method embodiments above, and the baseband chip 410, the radio frequency (RF) module 416, and so on in the terminal device can implement the functions of, and/or the various steps and methods performed by, the devices in the method embodiments above. For the sake of brevity, details are not repeated here.

The sending module 212 in the client device 210 in FIG. 5 may correspond to the radio frequency (RF) module 416 in the terminal device; the composing module 211 of the client device 210 may correspond to the baseband chip 410 in the terminal device.

The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any combination thereof. When implemented in software, they may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, the processes or functions described in the embodiments of the present application are produced in whole or in part. The computer may be a general-purpose computer, a special-purpose computer, a computer network, or another programmable apparatus. The computer instructions may be stored in a computer-readable storage medium, or transmitted from one computer-readable storage medium to another; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired means (for example, coaxial cable, optical fiber, or digital subscriber line) or wireless means (for example, infrared, radio, or microwave). The computer-readable storage medium may be any available medium that a computer can access, or a data storage device, such as a server or data center, that integrates one or more available media. The available medium may be a magnetic medium (for example, a floppy disk, a storage disk, or a magnetic tape), an optical medium (for example, a DVD), or a semiconductor medium (for example, a solid state disk (SSD)).

Claims (18)

1. A data security policy configuration method, characterized in that it is applied to a service device and comprises: receiving a data security policy and indication information of client data sent by a client device, wherein the data security policy is composed of one or more data security capabilities selected by the client device, according to attributes of the client data, from a data security capability set provided by the service device, the client data is data that is stored on the service device side and is related to the client device, and a data security capability in the data security capability set is a capability of the service device to process data on the basis of data security; and applying the data security policy to the client data based on the indication information.

2. The method according to claim 1, characterized in that receiving the data security policy and the indication information of the client data sent by the client device comprises: receiving, through a network transmission mode corresponding to a data model, the data security policy and the indication information of the client data sent by the client device, wherein the data security policy is carried in the data model.

3. The method according to claim 2, characterized in that the data model is a YANG model and the network transmission mode is the Network Configuration Protocol (NETCONF).

4. The method according to claim 2, characterized in that the data model is a structured data serialization file and the network transmission mode is a remote procedure call (RPC) interface.

5. The method according to any one of claims 1 to 4, characterized in that the method further comprises: receiving operation indication information sent by the client device; and performing a maintenance operation on the data security policy based on the operation indication information, wherein the maintenance operation includes one or more of querying the data security policy, deleting the data security policy, and modifying the data security policy.

6. The method according to any one of claims 1 to 5, characterized in that the data security capability set includes one or more of a sensitive information security capability, a data encryption security capability, a storage mode security capability, and a data release security capability.

7. A data security policy configuration method, characterized in that it is applied to a client device and comprises: selecting, according to attributes of client data, one or more data security capabilities from a data security capability set provided by a service device to compose a data security policy, wherein the client data is data that is stored on the service device side and is related to the client device, and a data security capability in the data security capability set is a capability of the service device to process data on the basis of data security; and sending the data security policy to the service device.

8. The method according to claim 7, characterized in that the data security policy is sent to the service device through a network transmission mode corresponding to a data model, wherein the data security policy is carried in the data model.

9. The method according to claim 8, characterized in that the data model is a YANG model and the network transmission mode is the Network Configuration Protocol (NETCONF).

10. The method according to claim 8, characterized in that the data model is a structured data serialization file and the network transmission mode is a remote procedure call (RPC) interface.

11. The method according to any one of claims 7 to 10, characterized in that the method further comprises: sending operation indication information to the service device, wherein the operation indication information is used to instruct that a maintenance operation be performed on the data security policy, and the maintenance operation includes one or more of querying the data security policy, deleting the data security policy, and modifying the data security policy.

12. The method according to any one of claims 7 to 11, characterized in that the data security capability set includes one or more of a sensitive information security capability, a data encryption security capability, a storage mode security capability, and a data release security capability.

13. The method according to any one of claims 7 to 12, characterized in that, before selecting, according to the attributes of the client data, one or more data security capabilities from the data security capability set provided by the service device to compose the data security policy, the method further comprises: receiving the data security capability set sent by the service device.

14. A data security policy configuration system, characterized in that it comprises a client device and a service device, wherein the client device is configured to select, according to attributes of client data, one or more data security capabilities from a data security capability set provided by the service device to compose a data security policy, the client data is data that is stored on the service device side and is related to the client device, and a data security capability in the data security capability set is a capability of the service device to process data on the basis of data security; the service device is configured to receive the data security policy and indication information of the client data sent by the client device; and the service device is further configured to apply the data security policy to the client data based on the indication information.

15. The system according to claim 14, characterized in that the client device is further configured to receive the data security capability set sent by the service device.

16. A service device, characterized in that it comprises a processor and a memory, wherein the processor executes a program in the memory to run a computing service and a storage service, thereby performing the method according to any one of claims 1 to 6.

17. A terminal device, characterized in that it comprises a processor and a memory, wherein the processor executes a program in the memory, thereby performing the method according to any one of claims 7 to 13.

18. A computer-readable storage medium, characterized in that it comprises instructions which, when run on a computing node, cause the computing node to perform the method according to any one of claims 1 to 13.
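The exchange in claims 1, 5, 7 and 13, as an added Python example that is not code from the patent: the service device advertises its capability set, the client device composes a policy from the attributes of its data, and the service device applies it to the indicated data and handles query, delete and modify requests. The capability identifiers, the attribute-to-capability mapping, the `data_owner` table and the two rejection checks are assumptions made for illustration; the YANG/NETCONF or serialized-file/RPC transport of claims 3 and 4 is replaced here by direct method calls.

```python
from dataclasses import dataclass, field

# Capability kinds named in claims 6 and 12; the string identifiers are assumptions.
CAPABILITY_SET = frozenset({"sensitive-info", "encryption", "storage-mode", "data-release"})


class PolicyError(Exception):
    """Raised when a policy or maintenance request must be refused."""


def select_policy(attributes, offered):
    """Client device: build a policy from data attributes (hypothetical mapping)."""
    wanted = set()
    if attributes.get("contains_pii"):
        wanted |= {"sensitive-info", "encryption"}
    if attributes.get("replicated"):
        wanted.add("storage-mode")
    if attributes.get("erase_on_release"):
        wanted.add("data-release")
    missing = wanted - set(offered)
    if missing:
        raise PolicyError(f"service device does not offer: {sorted(missing)}")
    return sorted(wanted)


@dataclass
class ServiceDevice:
    capabilities: frozenset = CAPABILITY_SET
    data_owner: dict = field(default_factory=dict)   # data id -> client id
    policies: dict = field(default_factory=dict)     # data id -> frozenset of capabilities

    def advertise(self):
        """Capability set sent to the client device (claims 13 and 15)."""
        return sorted(self.capabilities)

    def _authorize(self, client_id, data_id):
        # The indication information must point at data related to this client.
        if self.data_owner.get(data_id) != client_id:
            raise PolicyError(f"{data_id!r} is not data of client {client_id!r}")

    def configure(self, client_id, data_id, policy):
        """Apply a received policy to the indicated client data (claim 1)."""
        self._authorize(client_id, data_id)
        requested = frozenset(policy)
        unknown = requested - self.capabilities
        if not requested or unknown:
            raise PolicyError(f"rejected policy, unsupported: {sorted(unknown)}")
        self.policies[data_id] = requested
        return requested

    def maintain(self, client_id, data_id, op, policy=None):
        """Query, delete or modify a stored policy (claims 5 and 11)."""
        self._authorize(client_id, data_id)
        if op == "query":
            return self.policies.get(data_id)
        if op == "delete":
            return self.policies.pop(data_id, None)
        if op == "modify" and data_id in self.policies:
            return self.configure(client_id, data_id, policy or ())
        raise PolicyError(f"cannot {op!r} policy for {data_id!r}")


if __name__ == "__main__":
    # Constructed sample: two clients, one data object each.
    svc = ServiceDevice(data_owner={"vol-1": "client-a", "vol-2": "client-b"})
    policy = select_policy({"contains_pii": True}, svc.advertise())
    print(svc.configure("client-a", "vol-1", policy))
    try:
        svc.configure("client-a", "vol-2", policy)   # another client's data
    except PolicyError as err:
        print("refused:", err)
```

The two refusals are the points a reviewer of such a system would check first: a policy naming a capability outside the advertised set, and indication information that references data not related to the requesting client.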
CN202111152460.2A 2021-09-29 2021-09-29 Data security policy configuration method, device and system Pending CN115879143A (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202111152460.2A CN115879143A (en) 2021-09-29 2021-09-29 Data security policy configuration method, device and system
PCT/CN2022/122075 WO2023051595A1 (en) 2021-09-29 2022-09-28 Data security policy configuration method, device and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202111152460.2A CN115879143A (en) 2021-09-29 2021-09-29 Data security policy configuration method, device and system

Publications (1)

Publication Number Publication Date
CN115879143A true CN115879143A (en) 2023-03-31

Family

ID=85756170

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202111152460.2A Pending CN115879143A (en) 2021-09-29 2021-09-29 Data security policy configuration method, device and system

Country Status (2)

Country Link
CN (1) CN115879143A (en)
WO (1) WO2023051595A1 (en)

Also Published As

Publication number Publication date
WO2023051595A1 (en) 2023-04-06

Legal Events

Date Code Title Description
PB01 Publication
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20230331

WD01 Invention patent application deemed withdrawn after publication