CN115952538A - Data product management method, system and storage medium - Google Patents
Data product management method, system and storage medium Download PDFInfo
- Publication number
- CN115952538A CN115952538A CN202211667820.7A CN202211667820A CN115952538A CN 115952538 A CN115952538 A CN 115952538A CN 202211667820 A CN202211667820 A CN 202211667820A CN 115952538 A CN115952538 A CN 115952538A
- Authority
- CN
- China
- Prior art keywords
- data
- product
- information
- target data
- target
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
Images
Classifications
-
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02P—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN THE PRODUCTION OR PROCESSING OF GOODS
- Y02P90/00—Enabling technologies with a potential contribution to greenhouse gas [GHG] emissions mitigation
- Y02P90/30—Computing systems specially adapted for manufacturing
Landscapes
- Storage Device Security (AREA)
Abstract
The invention discloses a data product management method, a system and a storage medium. The method comprises the following steps: by publishing the defined at least one data product into a data marketplace; the data product at least comprises security policy information, and the data product does not comprise actual data; and determining a target data product according to the received data element certificate application information, and configuring the security policy information of the target data product at a target data demand end corresponding to the data element certificate application information, so that the target data demand end uses the actual data according to the security policy information after acquiring the actual data corresponding to the target data product. According to the technical scheme provided by the embodiment of the invention, when the subsequent data demand end develops by using the corresponding data of the target data product, the data safety can still be ensured according to the safety strategy information, the accuracy and the safety of data transmission are ensured, and the risk of data circulation is reduced.
Description
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method, a system, and a storage medium for managing data products.
Background
Under the legal and legal requirements of information and data security protection, how to safely and openly share data between different data providing and demand bodies gradually becomes a problem which needs to be solved by exerting the value of each industry data element.
In a conventional data circulation scheme, each data provider sends original data to a data transaction portal of a third party, and the original data is directly stored in a database of the data transaction portal. And the data request party provides a data application, and the data can directly access the data transaction portal database to obtain data after being permitted by the data provider, and any development operation is performed on the obtained data.
However, as the original data is stored in the non-private domain in the data circulation process, real data exchange is involved, data leakage can be caused once a data transaction portal or a data interaction link between a data demand party and the data transaction portal is broken, data security risks are large, the security management modes of a data provider and the data demand party are incomplete, data can be acquired after the data demand party performs verification once, and the data provider loses the control capability on the data once the data is opened, so that the data demand party can break through the data compliance requirement to use the data, and the data provision risk is increased.
Disclosure of Invention
The invention provides a data product management method, a data product management system and a storage medium, which ensure the confidentiality of data transmission in the data circulation process, perfect the safety management mode provided for data and reduce the risk of data circulation.
In a first aspect, an embodiment of the present invention provides a data product management method, which is applied to a data provider of a data product management system, and includes:
publishing the defined at least one data product into a data marketplace; the data product at least comprises security policy information, and the data product does not comprise actual data;
and determining a target data product according to the received data element certificate application information, and configuring the security policy information of the target data product at a target data demand side corresponding to the data element certificate application information, so that the target data demand side uses actual data according to the security policy information after acquiring the actual data corresponding to the target data product.
In a second aspect, an embodiment of the present invention further provides a data product management method, which is applied to a data demand side of a data product management system, and the method includes:
accessing the data market according to the obtained specific encryption certificate so as to read at least one data product issued in the data market; the data product at least comprises security policy information, and the data product does not comprise actual data;
determining a target data product from the data products, and generating data element voucher application information according to the target data product;
and sending data element certificate application information to a target data providing end corresponding to the target data product, and configuring security policy information corresponding to the target data product after receiving the data element certificate.
In a third aspect, an embodiment of the present invention further provides a data product management system, including at least one data providing end and at least one data requiring end, where each data providing end and each data requiring end are located in domains isolated from each other;
the data providing end is used for releasing the defined at least one data product into the data market; the data product at least comprises security policy information, and the data product does not comprise actual data;
the data demand end is used for accessing a data market after obtaining the specific encryption certificate, determining a target data product from each data product, and sending data element certificate application information generated according to the target data product to the corresponding data demand end;
the data demand end is used for determining a target data product according to the received data element certificate application information and configuring the security policy information of the target data product to the target data demand end corresponding to the data element certificate application information;
and the data demand end is used for using the actual data according to the configured security policy information after acquiring the actual data corresponding to the target data product.
In a fourth aspect, an embodiment of the present invention further provides a computer-readable storage medium, where computer instructions are stored, and the computer instructions are configured to, when executed by a processor, implement the data product management method according to any embodiment of the present invention.
According to the data product management method, the data product management system and the storage medium, at least one defined data product is issued to a data market; the data product at least comprises security policy information, and the data product does not comprise actual data; and determining a target data product according to the received data element certificate application information, and configuring the security policy information of the target data product at a target data demand end corresponding to the data element certificate application information, so that the target data demand end uses the actual data according to the security policy information after acquiring the actual data corresponding to the target data product. By adopting the technical scheme, the data providing terminal defines the data product which contains the security policy information but does not contain the actual data information, and issues the data product to the data market for the data demand terminal to access, when the data demand terminal accesses the target data product of the data providing terminal through the data element certificate, the data demand terminal is configured with the security policy information corresponding to the target data product, so that when the data demand terminal uses the data corresponding to the target data product, the data demand terminal uses the security policy information formulated by the data providing terminal, and the data compliance requirement given by the data providing terminal can not be broken through. The original data with higher importance can not be stored in the public network area, and the definite security policy information can be issued when the data product delivery is executed, so that the subsequent data demand side can still guarantee the data security according to the security policy information when developing by using the data corresponding to the target data product, the accuracy and the security of data transmission are guaranteed, and the risk of data circulation is reduced.
It should be understood that the statements in this section do not necessarily identify key or critical features of the embodiments of the present invention, nor do they necessarily limit the scope of the invention. Other features of the present invention will become apparent from the following description.
Drawings
In order to more clearly illustrate the technical solutions in the embodiments of the present invention, the drawings needed to be used in the description of the embodiments will be briefly introduced below, and it is obvious that the drawings in the following description are only some embodiments of the present invention, and it is obvious for those skilled in the art to obtain other drawings based on these drawings without creative efforts.
FIG. 1 is a flowchart illustrating a data product management method according to a first embodiment of the present invention;
FIG. 2 is a flowchart of a data product management method according to a second embodiment of the present invention;
FIG. 3 is a flowchart of a data product management method according to a third embodiment of the present invention;
FIG. 4 is a flowchart of a data product management method according to a fourth embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a data product management system according to a fifth embodiment of the present invention;
fig. 6 is an exemplary diagram of control and data flow in a cross-domain data product management system according to a fifth embodiment of the present invention.
Detailed Description
In order to make those skilled in the art better understand the technical solutions of the present invention, the technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and claims of the present invention and in the drawings described above are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the invention described herein are capable of operation in sequences other than those illustrated or described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example one
Fig. 1 is a flowchart of a data product management method according to an embodiment of the present invention, where the embodiment of the present invention is applicable to a situation where a data product is issued and managed in a data circulation process, and the method may be applied to a data providing end of a data product management system, where the data providing end may be implemented by software and/or hardware, and the data providing end may be configured in a private domain logically isolated from a public network, or in an environment where internal data privacy of the data providing end may be guaranteed, which is not limited in this respect.
As shown in fig. 1, a data product management method provided in an embodiment of the present invention specifically includes the following steps:
and S101, releasing the defined at least one data product to a data market.
Wherein the data product comprises at least the security policy information and the data product does not comprise the actual data.
In this embodiment, the data providing end may be specifically understood as a main body in the data product management system, which is used for publishing the data product and providing the actual data corresponding to the data product to the outside. The data demand side can be specifically understood as a main body in the data product management system, which needs to acquire actual data corresponding to the data product and develop the acquired actual data. A data product is to be understood as a product defined by a data provider, which contains basic data information and necessary configuration information for satisfying data distribution security requirements. The data market may be a body deployed in a public network and used to carry a plurality of data products for a data requesting end accessing the data market, and optionally, the data market may be an entity platform deployed in the public network, and may also be a link with a communication function, which is established in advance between a data providing end and a data requesting end having a specific encryption certificate, which is not limited in the embodiment of the present invention. The security policy information may be specifically understood as a set of policies defined by a data providing end to a data entity pointed by a data product, so as to ensure access security and use compliance of the data entity, may also be understood as a protection policy formulated according to national laws and regulations or industry guidelines when accessing data corresponding to the data product, and may be a policy for denying access or desensitizing access to a field of a certain security level or a field of a certain field type, or may be another access policy formulated according to sensitivity of data corresponding to the data product, which is not limited in this embodiment of the present invention.
Specifically, after the data providing end completes the development of the data in the acquired data source, a data product which does not contain actual data information and at least contains security policy information of the data which can be provided externally is defined for the externally provided data after the development is completed, and the defined data product is issued to a data market positioned in a public network so as to be viewed and accessed by a data demand end which can be accessed to the data market.
In the embodiment of the invention, the data product which is released by the data providing terminal to the data market in the public network does not contain actual data information, so that the safety of actual data storage is improved, and the condition that the actual data is leaked due to the fact that the data market in the public network is broken is avoided.
S102, determining a target data product according to the received data element voucher application information, and configuring the security policy information of the target data product at a target data demand end corresponding to the data element voucher application information, so that the target data demand end uses actual data according to the security policy information after acquiring the actual data corresponding to the target data product.
In this embodiment, the data element credential application information may be specifically understood as information that is sent by the data request end to the data providing end after determining the data product that the data request end wishes to apply for, and is used for applying for the corresponding data product. The target data product can be specifically understood as a data product which is determined by the data providing end according to the data element voucher application information and is expected to be acquired by the data demand end issued by the data providing end. The target data demand end can be specifically understood as a data demand end which sends data element certificate application information to the data providing end in the data product management system.
Specifically, when receiving data element credential application information sent by a data demand side, a data providing side determines a data product that needs to be provided to a target data demand side corresponding to the data element credential application information, and determines the data product as a target data product. Because each data product comprises corresponding security policy information for ensuring the access security and the use compliance of the data entity, in order to ensure the security and the compliance in the subsequent use process, the data providing end needs to issue the security policy information corresponding to the target data product to the target data requiring end, so that the target data requiring end completes the configuration of the security policy information. And the delivery of the actual data corresponding to the target data product can be completed to the target data demand end, and the target data demand end can correctly access and use the actual data corresponding to the target data product due to the fact that the target data demand end is configured with the security policy information in advance, so that the security of data content is guaranteed.
According to the technical scheme of the embodiment, at least one defined data product is released to a data market; the data product at least comprises security policy information, and the data product does not comprise actual data; and determining a target data product according to the received data element certificate application information, and configuring the security policy information of the target data product at a target data demand side corresponding to the data element certificate application information, so that the target data demand side uses actual data according to the security policy information after acquiring the actual data corresponding to the target data product. By adopting the technical scheme, the data providing end defines the data product which contains the security policy information but does not contain the actual data information, and issues the data product to the data market for the data requiring end to access, when the data requiring end accesses the target data product in the data providing short term through the data element certificate of the data requiring end, the data requiring end is configured with the security policy information corresponding to the target data product, so that when the data requiring end uses the data corresponding to the target data product, the data requiring end uses the security policy information formulated by the data providing end, and the data compliance requirement given by the data providing end cannot be broken through. The original data with higher importance can not be stored in the public network area, and the definite security policy information can be issued when the data product delivery is executed, so that the subsequent data demand side can still guarantee the data security according to the security policy information when developing by using the data corresponding to the target data product, the accuracy and the security of data transmission are guaranteed, and the risk of data circulation is reduced.
Example two
Fig. 2 is a flowchart of a data product management method provided by the second embodiment of the present invention, and the technical solution of the second embodiment of the present invention is further optimized based on the above optional technical solutions, so as to clarify a method in which a data providing end needs to check the identity and the data product application capability of a data requiring end first before receiving data element credential application information, and further clarify different information defined in a data product, influence on actual data delivery of the data product, and the data product needs to include version information corresponding to the data product when being defined, and the version information is updated along with the change of the data product, so that the data providing end can manage content update of the data product, and at the same time, the data content applied by the data requiring end can be traced back, so that the data requiring end can only obtain the version information corresponding to the data element credential, and develop the data product corresponding to the data element credential, thereby ensuring privacy of data update, and when the data requiring end needs to use a new version of data product, the product upgrade service can be executed for the data requiring end according to the version information, so that the management of the data product is more complete.
As shown in fig. 2, a data product management method provided in the second embodiment of the present invention specifically includes the following steps:
s201, releasing the defined at least one data product to a data market.
Wherein the data product comprises at least the security policy information and the data product does not comprise the actual data.
Further, the security policy information includes: accessing a security policy and a data security policy;
the access security policy at least comprises an application program interface access policy; the data security policy comprises at least one of a database authentication policy, a database authorization policy, a field access control policy, a security level access control policy, a data dynamic desensitization policy and a structured query statement auditing policy.
In this embodiment, the access security policy may be specifically understood as a policy for determining whether an access request such as data query meets a security requirement, and the policy may check information such as an internet protocol address, a user identity, and parameter validity of a data requester, and may intercept access or desensitize data according to a dynamic desensitization algorithm according to a rule in the access security policy, so as to ensure security of a sensitive data field.
In this embodiment, the data security policy may be specifically understood as a policy for performing security processing on actual data corresponding to a data product to ensure data security, and the policy may include a sensitive identification rule, a desensitization rule, and the like, which is not limited in this embodiment of the present invention.
In this embodiment, the database authentication policy may be specifically understood as a policy that, when a user passes through the user authentication information and connects to the database, the user needs to pass through the authentication before the user can successfully connect to the database. The database authorization policy may be specifically understood as a policy that, through policy definition, a user can use a database through an authority given by the user, and can operate the database according to the authority that the user has after authentication. The field access control policy can be specifically understood as a policy for realizing the judgment of the user on the accessibility of the access field, defining the fields accessible by the user and the fields inaccessible by the user and guaranteeing the security of the sensitive data fields through policy definition. The security level access control policy can be specifically understood as a policy that determines access accuracy of a data field according to a security level preset by the data field through policy definition, defines a security level of a user accessible field, and guarantees security of a sensitive data field. The dynamic data desensitization strategy can be specifically understood as a strategy for desensitizing data according to a desensitization algorithm in fields with certain security levels or certain preset sensitive fields when a user accesses the fields or the preset sensitive fields through strategy definition to ensure the security of the sensitive data fields. The structured query statement auditing policy can be specifically understood as a policy that when a user performs a structured query statement development operation on data, the policy disposes a structured query statement execution command of the user according to rules in the policy by policy definition. For example, the structural query statement auditing policy may be to prohibit execution when the number of UNION ALLs in the structural query statement is too many, or may be a policy set for other adaptations, which is not limited in this embodiment of the present invention.
S202, enterprise transaction voucher application information of the data demand side with the specific encryption voucher is received, and the enterprise transaction voucher application information is checked.
In this embodiment, the specific encryption certificate may be specifically understood as a Token issued by the data providing end to the trusted data demand end before the data product is issued, so that the corresponding data demand end can access the data product in the data market, optionally, the specific encryption certificate may be issued to one or more data demand ends in a preset white list of the data market, and a Token (Token) in the computer identity authentication may be used as the issued specific encryption certificate, which is not limited in the embodiment of the present invention. The enterprise transaction voucher application information can be specifically understood as an agreement signing request which is sent to a corresponding data providing terminal by a data product expected to be applied after a data demand terminal browses the data product in a data market.
Specifically, when enterprise transaction certificate application information sent by a data demand side with a specific encryption certificate is received, a data product which the data demand side wants to apply is determined, and then the data demand side is audited according to information such as security level, industry, labels, applicable scenes and delivery forms contained in the data product, so as to determine whether the data demand side can apply for each data product.
In the embodiment of the invention, for the data demand side which limits the access to the data market direction, a white list can be constructed in the data market in advance, when the data demand side needs to access the data market, the data demand side is preferentially qualified and checked, the data demand side is added into the white list after the checking is successful, and meanwhile, the data providing side issues the specific encryption certificate for the data demand side in the white list, so that the data demand side can carry the specific encryption certificate to access the data market and access each data product issued in the data market. Furthermore, the data demand end accessing the data market to access the data product needs to carry a specific encryption certificate, namely, compared with the data product disclosed aiming at all the data demand ends, the embodiment of the invention firstly carries out certain screening limitation aiming at the data demand end, thereby further improving the safety of the data circulation process.
And S203, if the verification is passed, respectively storing the generated enterprise transaction certificates in the data providing end and the corresponding data demand end with the specific encryption certificate, and determining the data demand end as a target data demand end.
In the embodiment, the enterprise transaction voucher is specifically understood to mean that the data providing end and the data requiring end sign up, and the data requiring end is specified to perform an agreement for applying for the data product.
Specifically, if the audit is passed, the data demand end sending the enterprise transaction voucher application information is considered to have the capability of applying for the corresponding data product, at this time, an enterprise transaction voucher containing the data product applicable by the data demand end is generated, and while the enterprise transaction voucher is stored, the enterprise transaction voucher is issued to the data demand end sending the enterprise transaction voucher application information to be stored, and the data demand end with the enterprise transaction voucher is determined as the target data demand end.
In the embodiment of the invention, after the application of the enterprise transaction voucher is completed, the enterprise transaction voucher is respectively stored in the data providing terminal and the target data demand terminal, and the trace of the data product circulation process is completed, so that when risks such as data leakage occur, abnormal data can be frozen and the like according to the trace of the data, and the safety of data circulation is improved.
And S204, receiving data element certificate application information of a target data demand side with the enterprise transaction certificate, and auditing the data element certificate application information.
Specifically, since the data providing end can provide data to a plurality of data requiring ends in the data product management system at the same time, when the data element certificate application information sent by the target data requiring end carrying the enterprise transaction certificate is received, the data requiring end needs to be checked in a targeted manner, and whether the target data requiring end can apply for the data product corresponding to the data element certificate application information is determined.
Further, the application information of the data element certificate is audited, which can be specifically realized by the following method:
determining an applicable data product of a target data demand end according to the enterprise transaction certificate; and if the data product corresponding to the data element certificate application information belongs to the data product which can be applied, receiving an auditing result corresponding to the data element certificate application information.
Specifically, since the enterprise transaction voucher defines the data product that the data demand side can apply to the data providing side when issued, the data product that the target data demand side can apply to and is provided by the data providing side can be determined as the applicable data product according to the enterprise transaction voucher of the target data demand side. And then because there is a one-to-one correspondence between data element voucher application information and data products, so can confirm the data product that the target data demand end needs to apply for to this data provider according to data element voucher application information, judge whether the data product that applies for belongs to and can apply for the data product at this moment. If not, the data providing end can be considered to fail to verify the data element voucher application information of the target data requiring end, and the step of receiving the data element voucher application information of the target data requiring end with the enterprise transaction voucher is executed again at the moment, and the next data element voucher application information is verified; if so, the data product applied by the target data demand end can be considered as the data product provided by the data providing end, and at this time, a negotiation result about whether the data product can be provided to the target data demand end can be received externally, and the negotiation result is determined as an auditing result corresponding to the data element certificate application information.
And S205, generating a data element certificate corresponding to the data element certificate application information when the audit is passed, and issuing the data element certificate to the target data demand side.
Specifically, when the verification result is determined to be that the verification is passed, the data providing end generates a data element certificate, stores the data element certificate in the data providing end, and simultaneously issues the data element certificate to the corresponding target data requiring end, so that the target data requiring end stores the data element certificate.
In the embodiment of the invention, after the application of the data element voucher is completed, the data element voucher is respectively stored in the data providing end and the target data demand end, the trace of the data product circulation process is completed, and meanwhile, the target data demand end can complete the data acquisition of the corresponding version data product in the data demand end according to the data element voucher, so that the version error of the acquired data is avoided, meanwhile, when risks such as data leakage occur, abnormal data can be frozen according to the data trace, and the like, and the safety of data circulation is improved.
And S206, determining a target data product according to the received data element certificate application information.
Further, the data product also comprises data communication information, product delivery information, product basic information and version information.
Wherein, determining the target data product according to the received data element voucher application information comprises:
and determining the data product corresponding to the product basic information and the version information in the data element certificate application information as the target data product.
In the present embodiment, the data communication information may be specifically understood as actual data used for describing the data product direction, and the connection information of the position in the data providing end may be represented in different forms according to different delivery forms. It should be clear that the data communication information is not open to the data demand side, and is called only after the delivery form is determined, and belongs to the default encrypted information, so as to avoid data leakage. The product delivery information may be specifically understood as information describing how the data product is delivered to the data requirement end, where the information may include information such as delivery form, for example, the delivery form may include API call, federal study, and the like, and the embodiment of the present invention is not limited thereto. The basic product information can be specifically understood as a set of information introducing data products in the aspects of names, industries, labels and the like, and can be used for helping a data demand end to quickly retrieve the corresponding data products and defining the applicable scenes of the products. The version information can be specifically understood as information used for recording the version condition of the data product and the actual content corresponding to each version, and the basic information of the product can be marked through the version information, so that the corresponding version of the data product can be determined when the data demand end searches and reads the basic information of the product of the data product.
The data providing end can modify different parameters in the data product and generate data products with different version information aiming at each modification, namely the data products with the same product basic information can be still distinguished into different data products according to different version information, and after receiving the data element voucher, the data providing end can uniquely determine the data product with the corresponding version which needs to be provided for the carrying data element voucher according to the product basic information and the version information in the data element voucher and determine the data product as the target data product.
In the embodiment of the invention, the target data product required to be provided is determined based on the product basic information and the version information, so that the data product provided for the target data demand side with the data element certificate is more accurate, only the data corresponding to the data product which passes the security examination is provided for the target data providing side, the security of the data circulation process is ensured, and the leakage of the data which cannot be provided for the data providing side is avoided.
And S207, according to the data communication information of the target data product, a secure data link is constructed between the data providing end and the target data requiring end.
In the present embodiment, the secure data link is specifically understood to be a data link using a specific link protocol to associate a target data demand side with a target data product storage location in a data providing side.
Specifically, the data providing end receives information of a data element certificate carried by the target data requiring end, and after the data element certificate is successfully compared with the data element certificate stored in the data providing end, the data providing end can be considered that the target data requiring end needs to apply for a target data product, and at the moment, the data providing end constructs a secure data link of the target data requiring end and a storage position of the target data product according to data communication information of the target data product and connection information of the target data requiring end determined in the data element certificate.
And S208, configuring the security policy information of the target data product to the target data demand end through the secure data link.
Specifically, the data providing end issues the security policy information corresponding to the target data product to the encryption database in the target data requiring end through the secure data link for storage, so that the target data requiring end completes configuration of the security policy information, and further the target data requiring end can use the data corresponding to the target data product, delivered by the subsequent data providing end, according to the configured security policy information.
S209, actual data corresponding to the target data product is delivered on the secure data link according to the product delivery information of the target data product.
Specifically, according to the product delivery information of the target data product, a delivery form in which the data providing end needs to deliver the data to the target data requiring end is determined, and the actual data corresponding to the target data product stored in the data providing end is sent to the target data requiring end in a corresponding delivery form through the secure data link, so that the delivery of the data corresponding to the target data product is completed.
And S210, disconnecting the secure data link.
Specifically, after the data providing end completes data delivery to the target data requiring end through the safety data link, the safety data link can be disconnected directly or after a preset time, disconnection of the safety data link can be performed automatically or manually, the sealing performance of the target data requiring end is guaranteed, and risks in data circulation and transmission processes are reduced.
Further, the data product further includes field description information, and the data product management method further includes:
updating the version information of the data product if the delivery information, the data communication information, the security policy information or the field description information in the data product is changed; and releasing the updated data product to the data market.
In this embodiment, the field description information may be specifically understood as information used for describing a field structure in actual data pointed by a data product, and for example, the field description information may include information such as a field name, a Chinese name, a field type, whether the actual data corresponds to the data product, and an enumerated value and specific content of the enumerated value, which is not limited in this embodiment of the present invention.
Specifically, in the actual data product circulation process, the data providing end updates and corrects the data product and the corresponding actual data contained in the data product according to the actual situation, and after any one of the delivery information, the data communication information, the security policy information and the field description information in the data product is corrected each time, the version of the data product can be considered to be updated, at this time, a new data product containing the updated content version information is generated, and the updated data product is released again in the data market by the data providing end.
Optionally, after the version information of the data product is updated, the data product of the previous version in the data market may be withdrawn, only the data product of the latest version is reserved in the data market for the same product basic information, or the data product of the historical version already released in the data market may not be withdrawn, and multiple versions of data products may be queried in the data market for the same product basic information.
Further, after the security policy information of the target data product is configured at the target data request end corresponding to the data element certificate application information, the method further includes:
and auditing the process of using the actual data corresponding to the target data product by the target data demand end according to the safety strategy information.
Specifically, the security policy information is configured for the target data demand side in advance before the data providing side provides the data product, and includes the provided data use specification, so that the provided data does not break through the policy required by the data compliance when used, and therefore, according to the security policy information, when the target data demand side uses the actual data corresponding to the target data product subsequently, the use process can be audited according to the security policy information, and the control capability of the data providing side for providing the data is ensured.
According to the technical scheme, before actual data corresponding to a data product are provided, a specific encryption certificate, an enterprise transaction certificate and a data element certificate of a data demand end are checked in sequence, a corresponding target data product is provided to the corresponding target data demand end under the condition that all the certificates are passed, the data providing end determines version information corresponding to the data product while defining the data product, the version information is updated along with the change of the data product, the data providing side can manage the content updating of the data product, meanwhile, the data content applied and used by the data demand end can be traced, the data demand end can only acquire the data product corresponding to the data element certificate, the data product with the version corresponding to the data element certificate is developed, the data updating privacy is guaranteed, the safety management for the data product is more complete, a safe data link connected after the delivery of the actual data corresponding to the target data product is completed, the closure of the data providing end and the data demand end is guaranteed, the data leakage risk is reduced, and the data circulation safety is improved. Meanwhile, after the data corresponding to the data product is provided, the follow-up use of the target data demand side is audited based on the pre-configured safety strategy information, and the control capability of the data providing side on providing the data is ensured.
EXAMPLE III
Fig. 3 is a flowchart of a data product management method provided in a third embodiment of the present invention, where the third embodiment of the present invention is applicable to a situation where a data product is applied for and managed in a data circulation process, and the method may be applied to a data demand side of a data product management system, where the data demand side may be implemented by software and/or hardware, and the data demand side may be configured in a private domain logically isolated from a public network, or in another environment capable of ensuring data privacy inside the data demand side, and the third embodiment of the present invention is not limited in this respect.
As shown in fig. 3, a data product management method provided by the third embodiment of the present invention specifically includes the following steps:
s301, accessing the data market according to the obtained specific encryption certificate so as to read at least one data product issued in the data market.
Wherein the data product comprises at least the security policy information and the data product does not comprise the actual data.
Before determining the required data, the data demand side needs to browse the data products which can be provided in the data market to determine whether the required data products exist in the data market, and in order to guarantee the safety of data circulation, the data market can also audit the main body accessed to the data market even if the data market is arranged in a public network, and the data demand side can be limited by setting a white list in the data market. When the data demand end determines that the data market needs to be accessed, the data market can be added into the white list through the data market, and the specific encryption certificate corresponding to the data market which is expected to be accessed is received, so that the data demand end can verify that the data market is accessed through the specific encryption certificate carried by the data demand end, and browse data products issued by different data providing ends in the data market.
S302, determining target data products from the data products, and generating data element voucher application information according to the target data products.
Specifically, after browsing each data product in the data market, a plurality of data products which can be applied for use can be determined according to the actual data processing capacity of the data demand side, and then the data product which needs to be applied for use is determined in the plurality of data products according to the data processing demand of the data demand side, and the data product is determined as a target data product, and then data element certificate application information used for applying for the data product is generated according to the specific information of the target data product read from the data market.
S303, sending data element certificate application information to a target data providing end corresponding to the target data product, and configuring security policy information corresponding to the target data product after receiving the data element certificate.
In this embodiment, the target data provider may be specifically understood as a data provider that provides a target data product in the data product management system.
Specifically, after the data demand end determines the target data product, the data providing end corresponding to the target data product can be determined as the target data providing end, and the determined data element voucher application information is sent to the target data providing end, so that the target data providing end audits the data demand end, and receives the data element voucher corresponding to the target data product after the audit is passed. Meanwhile, the data demand end sends the data element certificate application information to the target data providing end, namely the data demand end can be considered to have the requirement for applying the corresponding data product, so that the data demand end can complete the configuration of the security policy information corresponding to the target data product after the target data providing end completes the audit on the data element certificate application information.
According to the technical scheme of the embodiment, the data product application is performed on the data demand side in multiple levels through the specific encryption certificate and the data element certificate, the data product of the target data demand side can be obtained only when the data product is checked and approved, and the data product does not include actual data, so that the original data with higher importance cannot be stored in a public network area. And when the data element certificate is issued, the configuration of the security policy information can be synchronously completed for the data demand end, so that the subsequent data demand end can still guarantee the data security according to the security policy information when developing by using the data corresponding to the target data product, and further, the data demand end can use the security policy information formulated according to the data supply end when using the data corresponding to the target data product, the data compliance requirement given by the data supply end can not be broken through, the accuracy and the security of data transmission are guaranteed, and the risk of data circulation is reduced.
Example four
Fig. 4 is a flowchart of a data product management method according to a fourth embodiment of the present invention, where the technical solution of the fourth embodiment of the present invention is further optimized on the basis of the above optional technical solutions, so as to clarify a method for determining a target data product, and simultaneously, a method for providing enterprise transaction credential application information for verifying identity and data product application capability to a data providing end before sending data element credential application information is proposed, so as to further clarify a delivery method of a data product, thereby ensuring accuracy and security of data product application.
As shown in fig. 4, a data product management method provided by the fourth embodiment of the present invention specifically includes the following steps:
s401, accessing the data market according to the obtained specific encryption certificate so as to read at least one data product issued in the data market.
Wherein the data product comprises at least the security policy information and the data product does not comprise the actual data.
Further, the data product also comprises basic product information, version information, data communication information and product delivery information.
Further, the security policy information includes: accessing a security policy and a data security policy;
the access security policy at least comprises an application program interface access policy; the data security policy comprises at least one of a database authentication policy, a database authorization policy, a field access control policy, a security level access control policy, a data dynamic desensitization policy and a structured query statement auditing policy.
S402, determining the target data products according to the product basic information of each data product.
Specifically, product basic information of each data product in the data products is screened in the forms of browsing, retrieving and the like, so that the data product which needs to be applied by the data demand side can be determined, and the data product is determined as the target data product.
And S403, sending enterprise transaction certificate application information to a target data providing end corresponding to the target data product, and receiving an enterprise transaction certificate fed back by the data providing end.
Specifically, the data demand side may desire to request a plurality of data providers of the data product, and if the data demand side wants to obtain actual data corresponding to different data products, the data demand side needs to sign an agreement with the data providers corresponding to the data products, respectively, so as to ensure security. At this time, the target data products provided by the same data providing end can send enterprise transaction voucher application information to the expected corresponding data providing end, so that the corresponding data providing end can check whether the data requiring end has the capability of applying for the target data products, and the enterprise transaction voucher is fed back to the data requiring end when the checking is passed.
S404, generating data element voucher application information according to the product basic information and the version information of the target data product.
Specifically, the data demand side can apply for the data products allowed by the enterprise transaction voucher to the corresponding data providing side after receiving the fed back enterprise transaction voucher, and since the data demand side may not apply for all the data products at the same time, the data demand side can generate data element voucher application information including product basic information and version information according to product basic information and version information corresponding to the target data product acquired in the data market for the target data product to be applied.
S405, sending data element certificate application information to a target data providing end corresponding to the target data product, and after receiving the data element certificate, establishing a secure data link according to data communication information of the target data product.
Specifically, after the data demand end determines the target data product, the data providing end corresponding to the target data product can be determined as the target data providing end, and the determined data element voucher application information is sent to the target data providing end, so that the target data providing end audits the data demand end, and receives the data element voucher corresponding to the target data product after the audit is passed. The data demand end carries the data element certificate to apply for a target data product to a target data providing end, the storage position of actual data of the target data product is determined by the target data providing end based on the data communication information according to data communication information in the target data product and connection information of a data receiving position of the data demand end, and a safety data link for data transmission is constructed between the storage position and the corresponding position of the connection information, so that the data can be transmitted in the constructed safety data link, and potential safety hazards brought by direct public network transmission are reduced.
S406, receiving the security policy information of the target data product through the security data link, and configuring the security policy information in a database of the data demand side.
And S407, receiving delivery of actual data corresponding to the target data product on the secure data link according to the product delivery information of the target data product.
Specifically, the data requiring end receives the security policy information of the target data product issued by the target data providing end through the secure data link, stores the security policy information in the encrypted database, determines the delivery form of the actual data corresponding to the target data product according to the product delivery information of the target data product, and then completes the delivery of the actual data corresponding to the target data product through the secure data link according to the corresponding delivery form. Illustratively, the delivery of the actual data can be completed in an API form, and the delivered actual data is stored in an encrypted database of the data demand side, which is configured with the corresponding security policy information, so that the data demand side can obtain the applicable data according to the security policy information when developing according to the obtained data, thereby ensuring the compliance of data use.
Further, after accepting the delivery of the actual data corresponding to the target data product on the secure data link, the method further includes:
the secure data link is broken.
Specifically, in order to ensure the self-sealing performance of the data providing end and the data requiring end, after the data requiring end completes the delivery of the actual data corresponding to the target data product through the secure data link, the data providing end may be directly disconnected, or the secure data link may be disconnected after a preset time, and the secure data link may be disconnected in an automatic disconnection manner or a manual disconnection manner, which is not limited in the embodiment of the present invention.
According to the technical scheme of the embodiment, a data demand end is applied through three levels of the specific encryption certificate, the enterprise transaction certificate and the data element certificate, corresponding safety data connection is established with a target data providing end only when the data demand end passes the verification, safety strategy information of a target data product is issued through a safety data link, and data delivery is completed according to corresponding product delivery information, so that original data with higher importance cannot be stored in a public network area, and due to the fact that the definite safety strategy information is issued when the data product delivery is executed, when a subsequent data demand end develops by using the data corresponding to the target data product, data safety can still be guaranteed according to the safety strategy information, accuracy and safety of data transmission are guaranteed, and risk of data circulation is reduced.
EXAMPLE five
Fig. 5 is a schematic structural diagram of a data product management system for use in a quintuple of the embodiment of the present invention, and as shown in fig. 5, the data product management system includes: at least one data provider 51 and at least one data consumer 52, wherein each data provider 51 and each data consumer 52 are located in separate domains, and fig. 5 exemplifies one data provider 51 and one data consumer 52.
A data provider 51 for publishing the defined at least one data product into a data market; the data product at least comprises security policy information and the data product does not comprise actual data;
the data demand end 52 is used for accessing the data market after obtaining a specific encryption certificate, determining a target data product from each data product, and sending data element certificate application information generated according to the target data product to the corresponding data providing end 51;
a data providing end 51, configured to determine a target data product according to the received data element credential application information, and configure security policy information of the target data product at a target data requiring end 52 corresponding to the data element credential application information;
and a data requiring end 52, configured to use the actual data according to the configured security policy information after acquiring the actual data corresponding to the target data product.
Further, the data product also comprises basic product information, version information, data communication information and product delivery information.
Further, the security policy information includes: accessing a security policy and a data security policy;
the access security policy at least comprises an application program interface access policy; the data security policy comprises at least one of a database authentication policy, a database authorization policy, a field access control policy, a security level access control policy, a data dynamic desensitization policy and a structured query statement auditing policy.
Further, the data requiring terminal 52 is further configured to send enterprise transaction credential application information to the target data providing terminal 51 corresponding to the target data product before sending the data element credential application information generated according to the target data product to the corresponding data providing terminal 51, and receive an enterprise transaction credential fed back by the data providing terminal 51.
Further, the data providing end 51 is further configured to receive the enterprise transaction credential application information, audit the enterprise transaction credential information, if the audit is passed, respectively store the generated enterprise transaction credentials in the data providing end 51 and the corresponding data requiring end 52 with the specific encryption credential, and determine the data requiring end as the target data requiring end 52.
Further, the data providing terminal 51 is specifically configured to: according to the data communication information of the target data product, a secure data link is constructed between the data providing end 51 and the target data requiring end 52; and configuring the security policy information of the target data product to the target data consumer 52 through the secure data link.
Further, the data providing end 51 is further configured to deliver the actual data corresponding to the target data product on the secure data link according to the product delivery information of the target data product.
Further, the data providing end 51 is further configured to update version information of the data product if the delivery information, the data connectivity information, the security policy information, or the field description information in the data product is changed; and releasing the updated data product to the data market.
Further, after the actual data corresponding to the target data product is delivered over the secure data link, the method further includes: disconnecting the secure data link.
According to the technical scheme of the embodiment of the invention, a data product which does not contain actual data information is constructed through a data providing end, the data product is released to a data market for a data demand end to access, the data demand end can obtain and access the data corresponding to a target data product in the data providing end under the condition that a specific encryption certificate, an enterprise transaction certificate and a data element certificate are simultaneously arranged, the security verification of the data demand end before the data product is obtained is complete, a secure data link is separately constructed when the data in the target data product is obtained, the security policy information of the target data product is issued through the secure data link, and the data delivery is completed according to the corresponding product delivery information, so that the original data with higher importance cannot be stored in a public network area, and the clear security policy information is issued when the data product is delivered, so that the data security of a subsequent data demand end can still be ensured according to the security policy information when the data corresponding to the target data product is developed by using the data of the target data demand end, the accuracy and the security of data transmission are ensured, and the risk of data circulation is reduced.
Exemplarily, fig. 6 is an exemplary diagram of control and data flow in a cross-domain data product management system according to a fifth embodiment of the present invention, as shown in fig. 6, the cross-domain data product management system includes a data providing end 61 and a data demanding end 62, a first data market 63 corresponding to the data providing end 61 exists in a public network, and a second data market 64 corresponding to the data demanding end 62 exists in the public network at the same time, where the first data market 63 and the second data market 64 may be the same data market or may exist independently, and fig. 6 illustrates that the two markets exist independently.
The data providing terminal 61 at least comprises a data lake 611, after the data providing terminal 61 classifies and grades data which is expected to be provided externally, determines security policy information, extracts basic information of data products, extracts data field information and the like, the actual data to be provided is stored in the data lake 611, the storage condition of the actual data in the data lake 611 is obtained to determine data communication information, meanwhile, the data products corresponding to the actual data are defined according to determined product delivery information, data communication information, security policy information, field description information and version information in an encapsulation mode, and the data products are distributed in the first data market 63.
The data demand side 62 at least comprises an encryption database 621 and a development tool 622, the data demand side 62 is accessed to the second data market 64 through the obtained specific encryption certificate, the data product synchronized in the first data market 63 in the second data market 64 is read, after the data product to be requested is browsed and determined to be requested and expected to be applied, actual data corresponding to the data product is applied to the corresponding data providing side 61 sequentially through enterprise transaction certificate application information and data element certificate application information, after the applications are all passed, the data providing side 61 applies connection information of the data product according to data communication information in the data product and connection information of the encryption database 621 in the data demand side 62 carried in the data element certificate, a secure data link is constructed between the data lake 611 and the encryption database 621, security policy information is issued to the encryption database 621 through the secure data link, delivery of the data is completed according to product delivery information on the secure data link, the development tool in the data demand side 62 can extract the actual data from the encryption database 621 according to the secure policy information, data development work is completed, and data guarantee compliance in the data development process is ensured.
The data product management system provided by the embodiment of the invention can execute the data product management method provided by any embodiment of the invention, and has corresponding functional modules and beneficial effects of the execution method.
In some embodiments, the data product management method may be implemented as a computer program tangibly embodied in a computer-readable storage medium, such as a memory unit. In some embodiments, part or all of the computer program may be loaded and/or installed on the data product management device via ROM and/or the communication unit. When the computer program is loaded into RAM and executed by a processor, one or more steps of the data product management method described above may be performed. Alternatively, in other embodiments, the processor may be configured to perform the data product management method by any other suitable means (e.g., by way of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuitry, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), system on a chip (SOCs), load programmable logic devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be special or general purpose, receiving data and instructions from, and transmitting data and instructions to, a storage system, at least one input device, and at least one output device.
Computer programs for implementing the methods of the present invention can be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be performed. A computer program can execute entirely on a machine, partly on a machine, as a stand-alone software package partly on a machine and partly on a remote machine or entirely on a remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. A computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) by which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user can be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic, speech, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. A client and server are generally remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical host and VPS service are overcome.
It should be understood that various forms of the flows shown above, reordering, adding or deleting steps, may be used. For example, the steps described in the present invention may be executed in parallel, sequentially, or in different orders, and are not limited herein as long as the desired results of the technical solution of the present invention can be achieved.
The above-described embodiments should not be construed as limiting the scope of the invention. It should be understood by those skilled in the art that various modifications, combinations, sub-combinations and substitutions may be made in accordance with design requirements and other factors. Any modification, equivalent replacement, and improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.
Claims (20)
1. A data product management method is applied to a data providing end of a data product management system, and comprises the following steps:
publishing the defined at least one data product into a data marketplace; the data product at least comprises security policy information and the data product does not comprise actual data;
determining a target data product according to the received data element certificate application information, and configuring the security policy information of the target data product at a target data demand side corresponding to the data element certificate application information, so that the target data demand side uses the actual data according to the security policy information after acquiring the actual data corresponding to the target data product.
2. The method of claim 1, wherein upon said determining a target data product from the received data element credential application information, further comprising:
receiving data element voucher application information of a target data demand end with an enterprise transaction voucher, and auditing the data element voucher application information;
and generating a data element certificate corresponding to the data element certificate application information when the audit is passed, and issuing the data element certificate to the target data demand side.
3. The method of claim 2, prior to said receiving data element voucher application information for the target data consumer with enterprise transaction voucher, further comprising:
receiving enterprise transaction voucher application information of a data demand side with a specific encryption voucher, and auditing the enterprise transaction voucher application information;
if the verification is passed, the generated enterprise transaction certificates are respectively stored in the data providing end and the corresponding data demand end with the specific encryption certificate, and the data demand end is determined as a target data demand end.
4. The method of claim 2, wherein the reviewing the data element credential application information comprises:
determining an applicable data product of the target data demand side according to the enterprise transaction certificate;
and if the data product corresponding to the data element certificate application information belongs to the applicable data product, receiving an audit result corresponding to the data element certificate application information.
5. The method according to claim 1, wherein the data product further includes data connectivity information, and the configuring the security policy information of the target data product to the target data demand side corresponding to the data element credential application information includes:
according to the data communication information of the target data product, a secure data link is constructed between the data providing end and the target data demand end;
and configuring the security policy information of the target data product to the target data demand side through the security data link.
6. The method of claim 5, wherein the data product further comprises product delivery information, and further comprising, after said configuring security policy information of the target data product over the secure data link to the target data consumer:
and delivering actual data corresponding to the target data product on the secure data link according to the product delivery information of the target data product.
7. The method of claim 6, wherein the data product further comprises product base information and version information, and wherein determining the target data product based on the received data element voucher application information comprises:
and determining the data product corresponding to the product basic information and the version information in the data element certificate application information as a target data product.
8. The method of claim 7, wherein the data product further comprises field description information, the method further comprising:
updating version information of the data product if the product delivery information, the data communication information, the security policy information or the field description information in the data product is changed;
and releasing the updated data product to the data market.
9. The method of claim 5, further comprising, after the delivering actual data corresponding to the target data product over the secure data link according to the product delivery information of the target data product, the step of:
disconnecting the secure data link.
10. The method according to claim 1, wherein after the configuring the security policy information of the target data product to the target data requirement side corresponding to the data element credential application information, further comprising:
and auditing the process of using the actual data corresponding to the target data product by the target data demand side according to the safety strategy information.
11. The method according to any of claims 1-10, wherein the security policy information comprises: accessing a security policy and a data security policy;
wherein the access security policy comprises at least an application program interface access policy;
the data security policy comprises at least one of a database authentication policy, a database authorization policy, a field access control policy, a security level access control policy, a data dynamic desensitization policy and a structured query statement auditing policy.
12. A data product management method is applied to a data demand side of a data product management system, and comprises the following steps:
accessing a data market according to the obtained specific encryption certificate so as to read at least one data product issued in the data market; the data product at least comprises security policy information and the data product does not comprise actual data;
determining a target data product from each data product, and generating data element voucher application information according to the target data product;
and sending the data element certificate application information to a target data providing end corresponding to the target data product, and configuring security policy information corresponding to the target data product after receiving the data element certificate.
13. The method of claim 12, wherein the data products further include product basis information, and wherein determining a target data product from each of the data products comprises:
and determining a target data product according to the product basic information of each data product.
14. The method of claim 13, wherein the data product further comprises version information, and wherein generating data element credential application information from the target data product comprises:
and generating data element certificate application information according to the product basic information and the version information of the target data product.
15. The method of claim 12, further comprising, prior to said generating data element credential application information from said target data product:
and sending enterprise transaction certificate application information to a target data provider corresponding to the target data product, and receiving an enterprise transaction certificate fed back by the data provider.
16. The method of claim 12, wherein the data product further comprises data connectivity information, and wherein configuring security policy information corresponding to the target data product comprises:
constructing a secure data link according to the data communication information of the target data product;
and receiving the security policy information of the target data product through the security data link, and configuring the security policy information in a database of the data demand side.
17. The method of claim 16, wherein the data product further comprises product delivery information, and further comprising, after said configuring the security policy information in the database of the data consumer:
and receiving delivery of actual data corresponding to the target data product on the secure data link according to the product delivery information of the target data product.
18. The method according to any of claims 12-17, wherein the security policy information comprises: accessing a security policy and a data security policy;
wherein the access security policy comprises at least an application program interface access policy;
the data security policy comprises at least one of a database authentication policy, a database authorization policy, a field access control policy, a security level access control policy, a data dynamic desensitization policy and a structured query statement auditing policy.
19. A data product management system is characterized by comprising at least one data providing end and at least one data requiring end, wherein each data providing end and each data requiring end are positioned in mutually isolated domains;
the data providing end is used for releasing at least one defined data product to a data market; the data product at least comprises security policy information and the data product does not comprise actual data;
the data demand end is used for accessing the data market after obtaining a specific encryption certificate, determining a target data product from each data product, and sending data element certificate application information generated according to the target data product to a corresponding data providing end;
the data providing end is used for determining a target data product according to the received data element voucher application information and configuring the security policy information of the target data product to a target data demand end corresponding to the data element voucher application information;
and the data demand end is used for using the actual data according to the configured safety strategy information after acquiring the actual data corresponding to the target data product.
20. A computer-readable storage medium, having stored thereon computer instructions for causing a processor, when executed, to implement the data product management method of any one of claims 1-18.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211667820.7A CN115952538A (en) | 2022-12-23 | 2022-12-23 | Data product management method, system and storage medium |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211667820.7A CN115952538A (en) | 2022-12-23 | 2022-12-23 | Data product management method, system and storage medium |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN115952538A true CN115952538A (en) | 2023-04-11 |
Family
ID=87296286
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211667820.7A Pending CN115952538A (en) | 2022-12-23 | 2022-12-23 | Data product management method, system and storage medium |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN115952538A (en) |
-
2022
- 2022-12-23 CN CN202211667820.7A patent/CN115952538A/en active Pending
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11475137B2 (en) | Distributed data storage by means of authorisation token | |
| CN110266764B (en) | Gateway-based internal service calling method and device and terminal equipment | |
| US10484385B2 (en) | Accessing an application through application clients and web browsers | |
| US9641529B2 (en) | Methods, systems and computer program products for an application execution container for managing secondary application protocols | |
| US8250361B2 (en) | Server certificate issuing system and person authentication method | |
| US7320141B2 (en) | Method and system for server support for pluggable authorization systems | |
| CN111666578B (en) | Data management method, device, electronic equipment and computer readable storage medium | |
| US11481838B1 (en) | Secure data exchange | |
| US20200244464A1 (en) | Blockchain based authentication | |
| CN108289098B (en) | Authority management method and device of distributed file system, server and medium | |
| CN109831435B (en) | Database operation method, system, proxy server and storage medium | |
| CN103098068A (en) | Method and apparatus for an ephemeral trusted device | |
| WO2019210579A1 (en) | Verification method and apparatus for invoking api interface, computer device and storage medium | |
| CN107819743B (en) | Resource access control method and terminal equipment | |
| US20200159887A1 (en) | Managing the display of hidden proprietary software code to authorized licensed users | |
| CN111970254B (en) | Access control and configuration method, device, electronic equipment and storage medium | |
| CN112035861A (en) | Online document processing method and device and electronic equipment | |
| CN109286620A (en) | Method for managing user right, system, equipment and computer readable storage medium | |
| US20130318353A1 (en) | Method for Creating and Installing a Digital Certificate | |
| US10033535B2 (en) | Multifaceted assertion directory system | |
| CN109858235B (en) | Portable equipment and password obtaining method and device thereof | |
| CN111355583B (en) | Service providing system, method, device, electronic equipment and storage medium | |
| CN115952538A (en) | Data product management method, system and storage medium | |
| CN116244682A (en) | Database access method, device, equipment and storage medium | |
| CN110401674B (en) | Data access method, device, system, electronic equipment and computer readable medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination |