CN116341029A - Security protection method, system, device and medium for service resources of storage system - Google Patents
- Publication number: CN116341029A (application CN202310341142.3A)
- Authority: CN (China)
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G06F21/78 (G—PHYSICS; G06F—ELECTRIC DIGITAL DATA PROCESSING; G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/70—Protecting specific internal or peripheral components): Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure storage of data
- G06F21/60 (G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity): Protecting data
- Y02D10/00 (Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT]): Energy efficient computing, e.g. low power processors, power management or thermal management
Abstract
The invention provides a security protection method, a system, a device and a medium for service resources of a storage system, wherein the method comprises the following steps: setting the security protection attribute of the service resource when the service resource of the storage system is created; acquiring a service data processing request of a service resource; determining the set safety protection attribute according to the service data processing request; and carrying out safety protection on the service data according to the determined safety protection attribute and executing the processing operation of the service data. The invention solves the limitation of security protection of the host, greatly improves the security of service data storage, and simplifies the complexity of security processing of service software on a host system.
Description
Technical Field
The present invention relates to the field of computer technologies, and in particular, to a method, a system, an apparatus, and a medium for protecting security of service resources of a storage system.
Background
As the leading role of modern information technology in social production and daily life becomes more and more prominent, the supporting function of information technology in all fields of society becomes more and more important. At the same time, for information providers and information consumers alike, information security requirements and the importance attached to them keep rising.
The data of the business system is the core asset of the data center. As shown in fig. 1, business data is mainly stored on a storage system, and the storage system has become the core infrastructure of the modern data center. Business data contains a great deal of sensitive information, from which an attacker who obtains it can easily profit. Service data is therefore a focus of external attackers, and preventing sensitive information in service data from being disclosed is correspondingly important. In recent years, as illegal acquisition of service data has increased year by year, protection of service data has become more and more important.
Currently, protection of service data is generally implemented in the host system: service software on the host applies encryption, desensitization and similar measures to ensure the security of the data. This has three drawbacks. First, because the business data is ultimately stored on the storage system, even if the host takes security measures, the data is exposed if the storage system lacks corresponding protection. For example, although a file has been deleted on the file system, the file's data still exists on the storage medium in practice, and if an attacker can access the medium space that held the file, the service data can still be obtained illegally. Second, the various software on the host system changes and is updated relatively quickly; if some service data is secured (e.g., encrypted) by a particular piece of software on the host and that software is later replaced, the secured data is likely to become unusable. Third, business software on the host must complete both business logic and security operations, which increases the complexity of the business software and lowers its performance.
Disclosure of Invention
Aiming at the problems, the invention aims to provide a security protection method, a security protection system, a security protection device and a security protection medium for service resources of a storage system, which solve the limitation of security protection of a host, greatly improve the security of service data storage and simplify the complexity of security processing of service software on the host system.
The above object is achieved by the following technical solution:
in a first aspect, the present invention discloses a method for protecting security of service resources of a storage system, including: setting the security protection attribute of the service resource when the service resource of the storage system is created;
acquiring a service data processing request of a service resource;
determining the set safety protection attribute according to the service data processing request;
and carrying out safety protection on the service data according to the determined safety protection attribute and executing the processing operation of the service data.
Further, the security protection attribute of the service resource includes:
any one or any combination of a data encryption attribute, a data desensitization attribute, a digital signature attribute, a digital watermark attribute, an integrity patrol attribute, a media cleanup attribute, and an automatic time aging attribute.
Further, the performing the security protection on the service data and performing the processing operation of the service data according to the determined security protection attribute includes:
If the determined security protection attribute is a data encryption attribute, performing the following security protection operation when performing the read-write operation of the service data:
when the writing operation of the service data is carried out, an encryption algorithm and an encryption key stored in a storage system are obtained, the service data is automatically encrypted, and the encrypted service data is written into a storage medium;
when the reading operation of the service data is carried out, the corresponding service data is read from the storage medium, and whether the read service data is plaintext or ciphertext is judged; if the service data is the ciphertext, acquiring an encryption algorithm and a decryption key which are stored in a storage system, automatically decrypting the service data, and transmitting the plaintext of the service data to service software.
Further, the performing the security protection on the service data and performing the processing operation of the service data according to the determined security protection attribute includes:
if the determined security protection attribute is a data desensitization attribute, performing the following security protection operation when performing the read-write operation of the service data:
when writing operation of service data is carried out, the regular expression stored in the storage system is used for automatically carrying out desensitization processing on the service data, the changed data in the desensitization process is automatically recorded, and the desensitized service data is written into the storage medium;
When the reading operation of the service data is carried out, the corresponding service data is read from the storage medium, the data changed in the desensitization process is read, the desensitization inverse operation is carried out, the original data of the service data is restored, and the original data is sent to the service software.
Further, the performing the security protection on the service data and performing the processing operation of the service data according to the determined security protection attribute includes:
if the determined security protection attribute is a digital signature attribute, performing the following security protection operation when performing the read-write operation of the service data:
when the writing operation of service data is carried out, a hash algorithm, an encryption algorithm and a public and private key which are stored in a storage system are obtained; automatically digitally signing the service data to generate a digitally signed message of the service data; writing the digital signature message of the service data into a storage medium;
when the reading operation of the service data is carried out, the corresponding service data is read from the storage medium, and whether the read service data is plaintext or a digital signature message of the service data is judged; if it is a digital signature message, the hash algorithm, encryption algorithm and public and private key stored in the storage system are obtained, the signature of the service data is automatically verified and decoded, and the plaintext of the service data is sent to the service software;
If the determined security protection attribute is a digital watermark attribute, performing the following security protection operation when performing the read-write operation of the service data:
when the writing operation of service data is carried out, the identification information stored in the storage system is obtained; automatically adding a digital watermark containing identification information on service data, and recording the position of the digital watermark in the service data; writing the service data into a storage medium;
when the reading operation of the service data is carried out, the corresponding service data is read from the storage medium, and whether the read service data is added with the digital watermark is judged; if yes, removing the digital watermark in the service data according to the identification information stored in the storage system, and sending the service data to the service software.
Further, the performing the security protection on the service data and performing the processing operation of the service data according to the determined security protection attribute includes:
if the determined security protection attribute is an integrity inspection attribute, performing the following security protection operation when executing the processing operation of the service data:
when the writing operation of the service data is carried out, automatically calculating a hash value for the service data, and recording the hash value at a designated position of a storage system;
when the inspection operation of the service data is carried out, calculating the hash value of the service data on the storage medium, and comparing it with the recorded hash value; if the two are inconsistent, triggering an alarm instruction;
reading the service data from the storage medium when the service data reading operation is performed; calculating a hash value of the read service data, and comparing the hash value with the recorded hash value; if not, returning data error, otherwise, returning read service data.
Further, the performing the security protection on the service data and performing the processing operation of the service data according to the determined security protection attribute includes:
if the determined security protection attribute is a medium cleaning attribute, overwriting random data in a storage medium space of the service data when the deletion operation of the service data is executed;
if the determined safety protection attribute is an automatic time aging attribute, reading the current time when the processing operation of the service data is executed, and judging whether an alarm time point and an aging time point are reached or not: when the alarm time point is reached, sending a pre-clearing alarm according to preset alarm parameters; and when the aging time point is reached, deleting the service data and cleaning the corresponding storage medium.
In a second aspect, the present invention also discloses a security protection system for service resources of a storage system, including: the setting unit is used for setting the security protection attribute of the service resource when the service resource of the storage system is created; a request acquisition unit, configured to acquire a service data processing request of a service resource;
the protection identification unit is used for determining the set safety protection attribute according to the service data processing request;
and the execution unit is used for carrying out safety protection on the service data according to the determined safety protection attribute and executing the processing operation of the service data.
In a third aspect, the present invention discloses a security protection device for service resources of a storage system, including:
the memory is used for storing a security protection program for storing system service resources;
and the processor is used for realizing the steps of the security protection method of the storage system business resources when executing the security protection program of the storage system business resources.
In a fourth aspect, the present invention discloses a readable storage medium, on which a security protection program for a storage system service resource is stored, where the security protection program for the storage system service resource, when executed by a processor, implements the steps of the security protection method for the storage system service resource according to any one of the preceding claims.
Compared with the prior art, the invention has the beneficial effects that:
1. the invention realizes that the service resource with the security attribute capable of being set is externally provided through the storage system, and the security operation is automatically carried out on the data stored on the service resource by the storage system. When the service resource of the storage system is created, the corresponding security attribute is simply set, and the service software on the host system can use the secure storage service resource like the common storage service resource, so that the purpose of secure downward movement is achieved.
2. The storage system adopts the security protection means of encryption, desensitization, digital signature, digital watermark, integrity inspection, medium cleaning, time aging and the like, and effectively improves the security of service resources. All security protection operations are completed by the storage system, so that the limitation of security protection of a host computer end is solved, the security of service data storage is greatly improved, meanwhile, the complexity of security processing of service software on the host computer system is simplified, the processing performance of the service software is improved, and the whole operation and maintenance of an information system are facilitated.
It can be seen that the present invention has outstanding substantial features and significant advances over the prior art, as well as the benefits of its implementation.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are required to be used in the embodiments or the description of the prior art will be briefly described below, and it is obvious that the drawings in the following description are only embodiments of the present invention, and that other drawings can be obtained according to the provided drawings without inventive effort for a person skilled in the art.
Fig. 1 is a schematic diagram of a current business data storage environment.
Fig. 2 is a flow chart of a method of an embodiment of the present invention.
Fig. 3 is a system configuration diagram of an embodiment of the present invention.
Fig. 4 is a schematic structural view of a setting unit according to an embodiment of the present invention.
In the figures: 1, setting unit; 2, request acquisition unit; 3, protection identification unit; 4, execution unit; 11, data encryption module; 12, data desensitization module; 13, digital signature module; 14, digital watermarking module; 15, integrity inspection module; 16, medium cleaning module; 17, time aging module.
Detailed Description
The core of the invention is to provide a security protection method for service resources of a storage system, in the related technology, the protection of service data is usually realized by a host system, and the security of the data is ensured by adopting encryption, desensitization and other modes by service software on the host. However, the security protection mode has the problems of incomplete security protection of the host, service data unavailability caused by software change of the host system, complex logic of the host service software, performance degradation and the like.
The security protection method for the service resources of the storage system firstly sets the security protection attribute of the service resources when the service resources of the storage system are created. And then, acquiring a service data processing request of the service resource. At this time, the set security protection attribute is determined according to the service data processing request. And finally, carrying out safety protection on the service data according to the determined safety protection attribute and executing the processing operation of the service data. Therefore, the invention solves the limitation of security protection of the host, greatly improves the security of service data storage, and simplifies the complexity of security processing of service software on a host system.
In order to better understand the aspects of the present invention, the present invention will be described in further detail with reference to the accompanying drawings and detailed description. It will be apparent that the described embodiments are only some, but not all, embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Referring to fig. 2, the invention discloses a security protection method for service resources of a storage system, which comprises the following steps:
S1: and setting the security protection attribute of the service resource when the service resource of the storage system is created.
In a specific embodiment, any one or any combination of a data encryption attribute, a data desensitization attribute, a digital signature attribute, a digital watermark attribute, an integrity patrol attribute, a media cleaning attribute and an automatic time aging attribute of a service resource of the storage system are set when the service resource is created. The object is to make the data stored in a storage medium be data after security processing.
The safety protection attributes can be set simultaneously and the sequence is designated, so that the effect of enhancing safety is achieved.
As an example, a data desensitization attribute, a data encryption attribute, an integrity inspection attribute and an automatic time aging attribute are sequentially set for service resources, confidentiality during storage is guaranteed through the desensitization mode and the encryption mode, integrity during storage is guaranteed through the integrity inspection, and after a specified aging time point is reached, data can be automatically and safely deleted and cannot be recovered.
The setting process of the safety protection attribute is specifically as follows:
1. setting the data encryption attribute: acquiring encryption parameters, including encryption type (symmetric encryption or asymmetric encryption), encryption algorithm and encryption key (symmetric encryption shared key or asymmetric encryption public and private key), and storing the encryption parameters in a designated position of a storage system; if the storage system is required to create the key, the storage system automatically generates the key and stores the key in a designated position of the storage system.
2. Setting the data desensitization attribute: and generating a data processing regular expression according to the desensitization rule. And saving the regular expression to a designated location of the storage system.
3. When the digital signature attribute is set: the signature parameters including encryption algorithm, public and private keys and hash algorithm are obtained and stored in the appointed position of the storage system; if the public and private keys are required to be created by the storage system, the storage system automatically generates the keys and stores the keys in the designated positions of the storage system.
4. When the digital watermark attribute is set: and acquiring the identification information and storing the identification information in a designated position of a storage system.
5. When the integrity inspection attribute is set: and designating the integrity inspection identifier and storing the integrity inspection identifier in a designated position of a storage system. Meanwhile, a patrol period and an alarm mode are set. The alarm mode can adopt modes such as mail or short message.
6. When the medium cleaning attribute is set: and designating a medium cleaning identifier and storing the medium cleaning identifier in a designated position of a storage system.
7. Setting the automatic time aging attribute: and designating the time aging identifier, acquiring time aging parameters, acquiring alarm setting parameters and storing the alarm setting parameters in designated positions of a storage system.
S2: and acquiring a service data processing request of the service resource.
In a specific embodiment, the storage system receives a data processing request sent by service software at a host end in real time. The data processing request comprises, but is not limited to, a writing request of service data, a reading request of service data, a deleting request of service data and a patrol request of service data.
S3: and determining the set safety protection attribute according to the service data processing request.
In a specific embodiment, the corresponding service resource is determined according to the service data processing request, and the corresponding security protection attribute may be determined from the setting list according to the service resource.
S4: and carrying out safety protection on the service data according to the determined safety protection attribute and executing the processing operation of the service data.
In a specific embodiment, when a writing request, a reading request, a deleting request or a patrol request of service data is executed, the corresponding data security protection operation is executed according to the determined security protection attribute.
The safety protection operation process of each safety protection attribute is specifically as follows:
1. the security protection operation process of the data encryption attribute comprises the following steps: when the writing operation of the service data is carried out, an encryption algorithm and an encryption key stored in a storage system are obtained, the service data is automatically encrypted, and the encrypted service data is written into a storage medium; when the reading operation of the service data is carried out, the corresponding service data is read from the storage medium, and whether the read service data is plaintext or ciphertext is judged; if the service data is the ciphertext, acquiring an encryption algorithm and a decryption key which are stored in a storage system, automatically decrypting the service data, and transmitting the plaintext of the service data to service software.
2. The security protection operation process of the data desensitization attribute comprises the following steps: when writing operation of service data is carried out, the regular expression stored in the storage system is used for automatically carrying out desensitization processing on the service data, the changed data in the desensitization process is automatically recorded, and the desensitized service data is written into the storage medium; when the reading operation of the service data is carried out, the corresponding service data is read from the storage medium, the data changed in the desensitization process is read, the desensitization inverse operation is carried out, the original data of the service data is restored, and the original data is sent to the service software.
3. The security protection operation process of the digital signature attribute comprises the following steps: when the writing operation of service data is carried out, a hash algorithm, an encryption algorithm and a public and private key which are stored in a storage system are obtained; automatically digitally signing the service data to generate a digitally signed message of the service data; writing the digital signature message of the service data into a storage medium; when the reading operation of the service data is carried out, the corresponding service data is read from the storage medium, and whether the read service data is plaintext or a digital signature message of the service data is judged; if it is a digital signature message, the hash algorithm, encryption algorithm and public and private key stored in the storage system are obtained, the signature of the service data is automatically verified and decoded, and the plaintext of the service data is sent to the service software.
4. The security protection operation process of the digital watermark attribute comprises the following steps: when the writing operation of service data is carried out, the identification information stored in the storage system is obtained; automatically adding a digital watermark containing identification information on service data, and recording the position of the digital watermark in the service data; writing the service data into a storage medium; when the reading operation of the service data is carried out, the corresponding service data is read from the storage medium, and whether the read service data is added with the digital watermark is judged; if yes, removing the digital watermark in the service data according to the identification information stored in the storage system, and sending the service data to the service software.
5. The safety protection operation process of the integrity inspection attribute comprises the following steps: when the writing operation of the service data is carried out, automatically calculating a hash value for the service data, and recording the hash value at a designated position of the storage system; when the inspection operation of the service data is carried out, calculating the hash value of the service data on the storage medium, and comparing it with the recorded hash value; if the two are inconsistent, triggering an alarm instruction; when the reading operation of the service data is performed, reading the service data from the storage medium, calculating the hash value of the read service data, and comparing it with the recorded hash value; if they do not match, returning a data error, otherwise returning the read service data.
6. The safety protection operation process of the medium cleaning attribute comprises the following steps: when the deleting operation of the service data is executed, the random data is overwritten in the storage medium space of the service data, or the safe erasing command of the bottom firmware is directly called to carry out the data deleting operation, so that the data is ensured to be unrecoverable.
7. The safety protection operation process of the automatic time aging attribute comprises the following steps: reading the current time, and judging whether an alarm time point and an aging time point are reached: when the alarm time point is reached, sending a pre-clearing alarm according to preset alarm parameters; and when the aging time point is reached, deleting the service data and cleaning the corresponding storage medium.
The invention provides a security protection method for service resources of a storage system, which adopts security protection means such as encryption, desensitization, digital signature, digital watermark, integrity inspection, medium cleaning, time aging and the like in the storage system, thereby effectively improving the security of the service resources. All security protection operations are completed by the storage system, so that the limitation of security protection of a host computer end is solved, the security of service data storage is greatly improved, meanwhile, the complexity of security processing of service software on the host computer system is simplified, the processing performance of the service software is improved, and the whole operation and maintenance of an information system are facilitated.
Referring to fig. 3, the invention also discloses a security protection system for service resources of a storage system, which comprises: a setting unit 1, a request acquisition unit 2, a guard identification unit 3, and an execution unit 4.
The setting unit 1 is used for setting the security protection attribute of the service resource when the service resource of the storage system is created.
Specifically, the setting unit 1 is configured to set any one or any combination of a data encryption attribute, a data desensitization attribute, a digital signature attribute, a digital watermark attribute, an integrity patrol attribute, a medium cleaning attribute and an automatic time aging attribute for a service resource of the storage system when the service resource is created. When a processing operation on the service data is executed, the corresponding security protection operation is executed according to the security protection attribute set on the service resource, so that the data stored on the storage medium is always data that has undergone security processing.
The request acquisition unit 2 is configured to acquire a service data processing request for a service resource.
Specifically, the request acquisition unit 2 is configured to control the storage system to receive, in real time, the data processing requests sent by the service software of the host computer. The data processing requests include, but are not limited to, a write request, a read request, a delete request and a patrol request for service data.
The protection identification unit 3 is used for determining the set security protection attribute according to the service data processing request.
Specifically, the protection identification unit 3 is configured to determine the corresponding service resource from the service data processing request, and then determine the corresponding security protection attribute from the setting list according to that service resource.
The execution unit 4 is used for applying security protection to the service data according to the determined security protection attribute and executing the processing operation on the service data.
Specifically, the execution unit 4 is configured to: when executing a write request, a read request, a delete request or a patrol request for service data, execute the corresponding data security protection operation through the setting unit 1 according to the determined security protection attribute.
In a specific embodiment, as shown in fig. 4, the setting unit 1 includes a data encryption module 11, a data desensitization module 12, a digital signature module 13, a digital watermark module 14, an integrity inspection module 15, a media cleaning module 16, and a time aging module 17.
The data encryption module 11 is configured to set a data encryption attribute of the service resource, and encrypt and decrypt corresponding service data when performing service data operation.
As an example, the data encryption module 11 is specifically configured to: acquire the encryption parameters, including the encryption type (symmetric or asymmetric), the encryption algorithm and the encryption key (a shared key for symmetric encryption, or a public/private key pair for asymmetric encryption), and store them at a designated position of the storage system; if the storage system is required to create the key, it generates the key automatically and saves it to the designated position. When the writing operation of the service data is carried out, the encryption algorithm and encryption key stored in the storage system are obtained; the data is encrypted automatically (symmetric encryption uses the shared key, asymmetric encryption uses the private key); and the encrypted data is written to the storage medium. When the reading operation of the service data is carried out, the data is read from the storage medium and it is judged whether the data read is plaintext or ciphertext; if ciphertext, the encryption algorithm and decryption key are obtained and the data is decrypted automatically (symmetric encryption uses the shared key, asymmetric encryption uses the public key); if decryption fails, a data error is returned; if decryption succeeds, the plaintext data is returned to the service software.
The data desensitizing module 12 is configured to set a data desensitizing attribute of the service resource, and desensitize and restore corresponding service data when performing service data operation.
As an example, the data desensitization module 12 is specifically configured to: generate a data processing regular expression from the desensitization rule. When the writing operation of the service data is carried out, the regular expression is used to desensitize the original data, the data changed during desensitization is recorded automatically, and the desensitized data is written to the storage medium. When the reading operation of the service data is carried out, the data is read from the storage medium, the record of the changes made during desensitization is read, the inverse desensitization operation is performed to restore the original data, and the original data is returned to the service software.
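The write/read path of the desensitization module above, as an added example that is not the patent's code: the regular-expression rules, the mask character and the sample record are constructed, and each rule masks one group with same-length characters so that the recorded offsets remain valid for the inverse operation.

```python
"""Reversible desensitization: mask at write, record the changes, restore at read."""
import re
from dataclasses import dataclass, field

# Constructed desensitization rules (assumptions for this example). Each
# pattern has exactly one group; that group is replaced by '*' characters of
# the same length, so the masked text keeps its length and the recorded
# offsets stay valid when the inverse operation runs.
RULES = [
    ("phone", re.compile(r"(?<!\d)\d{3}(\d{4})\d{4}(?!\d)")),
    ("email", re.compile(r"\b([A-Za-z0-9._%+-]+)@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")),
]
MASK_CHAR = "*"


@dataclass
class Change:
    """One substitution made during desensitization."""
    rule: str
    offset: int
    original: str


@dataclass
class StoredRecord:
    """Masked payload plus the change record needed for the inverse operation.

    In the patent the change record lives at a designated position of the
    storage system; keeping it apart from the payload on the medium is what
    makes the masked copy worth having.
    """
    masked: str
    changes: list[Change] = field(default_factory=list)


def desensitize(plain: str) -> StoredRecord:
    """Write path: apply each rule and record every change it makes."""
    masked = plain
    changes: list[Change] = []
    for name, pattern in RULES:
        # Collect matches before editing so all spans refer to one fixed string.
        for m in list(pattern.finditer(masked)):
            start, end = m.span(1)
            changes.append(Change(name, start, masked[start:end]))
            masked = masked[:start] + MASK_CHAR * (end - start) + masked[end:]
    return StoredRecord(masked, changes)


def restore(record: StoredRecord) -> str:
    """Read path: undo the recorded changes, newest first, to get the original.

    If a masked region no longer holds the mask characters, the data on the
    medium was altered after desensitization and the inverse operation cannot
    be trusted, so a data error is raised instead of silently patching it.
    """
    data = record.masked
    for ch in reversed(record.changes):
        end = ch.offset + len(ch.original)
        if data[ch.offset:end] != MASK_CHAR * len(ch.original):
            raise ValueError(f"data error: masked region at offset {ch.offset} was altered")
        data = data[:ch.offset] + ch.original + data[end:]
    return data
```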
The digital signature module 13 is configured to set a digital signature attribute of the service resource, and digitally sign corresponding service data when performing service data operation, so as to ensure the integrity and source legitimacy of the data.
As an example, the digital signature module 13 is specifically configured to: acquire the signature parameters, including the encryption algorithm, the public key, the private key and the hash algorithm, and store them at a designated position of the storage system; if the public and private keys are required to be created by the storage system, it generates them automatically and stores them at the designated position. When the writing operation of the service data is carried out, the hash algorithm, encryption algorithm and public/private key stored in the storage system are obtained; the data is digitally signed automatically (the hash algorithm is invoked to take a digest, and the digest is encrypted with the private key to form the digitally signed message); and the digitally signed data is written to the storage medium. When the reading operation of the service data is carried out, the data is read from the storage medium and it is judged whether the data read is a plaintext message or a digitally signed message; if a digitally signed message, the encryption algorithm, hash algorithm and public/private key are obtained, the signature is removed automatically (the original message and the decrypted digest value are obtained), the signature is verified, and the data plaintext is produced; it is judged whether the data is damaged, and if so a data error is returned; if the data is not damaged, the plaintext data is returned to the service software.
The digital watermark module 14 is configured to set a digital watermark attribute of a service resource, and perform operations of adding and removing a digital watermark to corresponding service data when performing service data operation, so as to ensure anti-counterfeiting tracing of the data.
As an example, the digital watermarking module 14 is specifically configured to: acquire the identification information and store it at a designated position of the storage system. When the writing operation of the service data is carried out, the identification information stored in the storage system is obtained; the data is marked automatically with a digital watermark containing the identification information, and the position of the watermark in the data is recorded; and the watermarked data is written to the storage medium. When the reading operation of the service data is carried out, the data is read from the storage medium and it is judged whether the data read is the original data or data containing the digital watermark; if it contains the digital watermark, the watermark is removed; and the original data is returned to the service software.
The integrity inspection module 15 is configured to set an integrity inspection attribute of a service resource, record an integrity fingerprint for corresponding service data when performing service data operation, periodically check whether the service data is modified, and automatically alarm after detecting the modification.
As an example, the integrity inspection module 15 is specifically configured to: designate the integrity inspection identifier and store it at a designated position of the storage system. When the writing operation of the service data is carried out, a hash value is calculated automatically over the complete data contained in the service resource and recorded at the designated position of the storage system. When the inspection operation starts, the hash value is calculated automatically over the complete data of the service resource stored on the storage medium and compared with the recorded hash value, and an alarm is triggered if the comparison is inconsistent. When the reading operation of the service data is performed, the data is read from the storage medium; the hash value of the complete data read for the service resource is calculated automatically and compared with the recorded hash value; if the comparison is inconsistent a data error is returned, otherwise the read data is returned.
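The three paths of the integrity inspection attribute (fingerprint at write, compare on patrol, verify on read), as an added example that is not the patent's code: SHA-256 stands in for the unspecified hash algorithm, in-memory dictionaries stand in for the storage medium and the storage system's designated position, and the service data and the simulated corruption are constructed.

```python
"""Integrity inspection attribute: record a hash at write, check it on patrol and on read."""
import hashlib


class IntegrityError(Exception):
    """Raised on read when the data on the medium no longer matches its record."""


class IntegrityStore:
    def __init__(self) -> None:
        # Blocks on the storage medium (constructed stand-in for the real medium).
        self.medium: dict[str, bytearray] = {}
        # The designated position of the storage system: recorded fingerprints,
        # kept apart from the data so a change to the medium cannot also fix them.
        self.fingerprints: dict[str, str] = {}
        self.alarms: list[str] = []

    @staticmethod
    def fingerprint(data: bytes) -> str:
        # SHA-256 is an assumption; the patent leaves the hash algorithm open.
        return hashlib.sha256(data).hexdigest()

    def write(self, name: str, data: bytes) -> str:
        """Write path: store the data and record its hash at the designated position."""
        self.medium[name] = bytearray(data)
        digest = self.fingerprint(data)
        self.fingerprints[name] = digest
        return digest

    def patrol(self, name: str) -> bool:
        """Inspection path: recompute over the medium and alarm on mismatch."""
        current = self.fingerprint(bytes(self.medium[name]))
        recorded = self.fingerprints[name]
        if current != recorded:
            self.alarms.append(f"{name}: recorded {recorded[:12]} != current {current[:12]}")
            return False
        return True

    def patrol_all(self) -> list[str]:
        """Periodic inspection of every resource; returns the names that failed."""
        return [name for name in self.medium if not self.patrol(name)]

    def read(self, name: str) -> bytes:
        """Read path: return the data only if it still matches the record."""
        data = bytes(self.medium[name])
        if self.fingerprint(data) != self.fingerprints[name]:
            raise IntegrityError(f"data error: {name} failed integrity check")
        return data

    def corrupt_medium(self, name: str, offset: int, value: int) -> None:
        """Simulate a change that bypasses the write path (a bit flip or a direct
        edit of the medium). Present only to exercise detection in this example."""
        self.medium[name][offset] = value


def demo() -> dict:
    """Constructed walk-through: clean patrol, corruption, failed patrol, read error."""
    store = IntegrityStore()
    store.write("orders", b"order=1001;amount=250.00")   # constructed service data
    store.write("ledger", b"balance=10000")
    clean = store.patrol_all()
    store.corrupt_medium("orders", offset=23, value=ord("9"))  # 250.00 -> 250.09
    failed = store.patrol_all()
    try:
        store.read("orders")
        read_result = "returned"
    except IntegrityError:
        read_result = "data error"
    return {
        "clean": clean,
        "failed": failed,
        "read": read_result,
        "ledger": store.read("ledger"),
        "alarms": len(store.alarms),
    }
```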
The medium cleaning module 16 is configured to set a medium cleaning attribute of the service resource, and thoroughly clean the service data from the storage medium when performing the service data deletion operation.
By way of example, the medium cleaning module 16 is specifically configured to: designate the medium cleaning identifier and store it at a designated position of the storage system. When the deleting operation of the service data is carried out, the medium space holding the data of the service resource is securely cleared automatically according to the medium cleaning identifier; overwriting with random data or calling the secure erase command of the underlying firmware ensures that the data is unrecoverable.
And the time aging module 17 is used for setting the automatic time aging attribute of the service resource, automatically judging whether the alarm time point and the aging time point are reached, and performing alarm operation and data aging operation.
As an example, the time aging module 17 is specifically configured to: designate the time aging identifier, acquire the time aging parameters and the alarm setting parameters, and store them at designated positions of the storage system. When the alarm time point arrives, a pre-clearing alarm is sent according to the alarm parameters configured by the administrator. When the aging time point arrives, the complete data contained in the service resource of the storage system is deleted and the medium is cleaned, so that the data is guaranteed to be unrecoverable.
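The time aging module above together with the medium cleaning module 16 it relies on, as an added example that is not the patent's code: the service resource is a plain file, the random-overwrite option is implemented (the firmware secure-erase option is not), and the timestamps and alarm/aging points are constructed.

```python
"""Automatic time aging: pre-clearing alarm, then deletion with medium cleaning."""
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class AgingPolicy:
    """Time aging parameters; all values are absolute times in seconds."""
    created_at: float
    alarm_at: float   # when the pre-clearing alarm is sent
    age_at: float     # when the data is deleted and the medium cleaned


def secure_wipe(path: str, passes: int = 1, chunk: int = 1 << 16) -> int:
    """Overwrite the file's medium space with random data, then unlink it.

    Returns the number of bytes written. This is the patent's random-overwrite
    option; on SSDs and on copy-on-write or journaling filesystems the old
    blocks may survive remapping, which is the case for the patent's other
    option, the secure-erase command of the underlying firmware.
    """
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(os.urandom(n))
                remaining -= n
            f.flush()
            os.fsync(f.fileno())   # push the overwrite to the medium, not just the cache
    os.remove(path)
    return size * passes


@dataclass
class AgedResource:
    path: str
    policy: AgingPolicy
    alarmed: bool = False
    aged: bool = False
    log: list[str] = field(default_factory=list)

    def tick(self, now: float) -> str:
        """Evaluate the policy at time `now`; returns the action taken."""
        if self.aged:
            return "aged"
        if now >= self.policy.age_at:
            wiped = secure_wipe(self.path)
            self.aged = True
            self.log.append(f"aged: wiped {wiped} bytes and removed {self.path}")
            return "aged"
        if now >= self.policy.alarm_at and not self.alarmed:
            self.alarmed = True           # the pre-clearing alarm is sent once
            remaining = self.policy.age_at - now
            self.log.append(f"alarm: data will be cleared in {remaining:.0f}s")
            return "alarm"
        return "none"


def run_demo() -> dict:
    """Walk one resource through its lifecycle with constructed timestamps."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "wb") as f:
        f.write(b"service data " * 1000)   # constructed payload, 13000 bytes
    created = 1_000_000.0
    policy = AgingPolicy(created, alarm_at=created + 3600, age_at=created + 7200)
    res = AgedResource(path, policy)
    actions = [res.tick(created + t) for t in (10, 3600, 4000, 7200, 9000)]
    return {"actions": actions, "exists": os.path.exists(path), "log": res.log}
```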
The invention discloses a security protection system for service resources of a storage system, by which the storage system provides externally service resources whose security attributes can be set, and the data stored on those service resources is operated on securely by the storage system itself. When a service resource of the storage system is created, the corresponding security attribute is simply set, and the service software on the host system can then use the secure storage service resource like an ordinary storage service resource, so that security is moved down into the storage layer.
The invention also discloses a safety protection device for the service resources of the storage system, which comprises a processor and a memory; the processor executes the security protection program of the service resource of the storage system stored in the memory to realize the following steps:
1. Setting the security protection attribute of the service resource when the service resource of the storage system is created.
2. Acquiring a service data processing request of the service resource.
3. Determining the security protection attribute set on the service resource according to the service data processing request.
4. Applying security protection to the service data according to the determined security protection attribute and executing the processing operation on the service data.
Further, the security protection apparatus for a service resource of a storage system in this embodiment may further include:
The input interface is used to acquire the security protection program for the storage system service resources imported from outside and store it in the memory, and may also be used to acquire instructions and parameters transmitted by external terminal equipment and pass them to the processor, so that the processor can carry out the corresponding processing using them. In this embodiment, the input interface may specifically include, but is not limited to, a USB interface, a serial interface, a voice input interface, a fingerprint input interface, a hard disk reading interface, and the like.
The output interface is used to output the data generated by the processor to the terminal equipment connected to it, so that other terminal equipment connected to the output interface can obtain the data generated by the processor. In this embodiment, the output interface may specifically include, but is not limited to, a USB interface, a serial interface, and the like.
The communication unit is used to establish a remote communication connection between the security protection device for the storage system service resources and an external server, so that the device can mount the image file to the external server. In this embodiment, the communication unit may specifically include, but is not limited to, a remote communication unit based on wireless or wired communication technology.
The keyboard is used to acquire, in real time, the parameter data or instructions entered by a user pressing its keys.
The display is used to show, in real time, information related to the short-circuit positioning process of the server power supply line.
A mouse may be used to assist a user in inputting data and to simplify user operations.
The invention also discloses a readable storage medium, which includes Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, removable disk, CD-ROM, or any other form of storage medium known in the art. The readable storage medium stores a security protection program for storing system service resources, and when the security protection program for storing the system service resources is executed by the processor, the following steps are implemented:
1. Setting the security protection attribute of the service resource when the service resource of the storage system is created.
2. Acquiring a service data processing request of the service resource.
3. Determining the security protection attribute set on the service resource according to the service data processing request.
4. Applying security protection to the service data according to the determined security protection attribute and executing the processing operation on the service data.
In summary, the invention solves the limitation of security protection of the host, greatly improves the security of service data storage, and simplifies the complexity of security processing of service software on a host system.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described in a different point from other embodiments, so that the same or similar parts between the embodiments are referred to each other. For the method disclosed in the embodiment, since it corresponds to the system disclosed in the embodiment, the description is relatively simple, and the relevant points refer to the description of the method section.
Those of skill would further appreciate that the various illustrative elements and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both, and that the various illustrative elements and steps are described above generally in terms of functionality in order to clearly illustrate the interchangeability of hardware and software. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present invention.
In the several embodiments provided by the present invention, it should be understood that the disclosed systems, and methods may be implemented in other ways. For example, the system embodiments described above are merely illustrative, e.g., the division of the elements is merely a logical functional division, and there may be additional divisions when actually implemented, e.g., multiple elements or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interface, system or unit indirect coupling or communication connection, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in the embodiments of the present invention may be integrated in one processing unit, or each module may exist alone physically, or two or more modules may be integrated in one unit.
Similarly, each processing unit in the embodiments of the present invention may be integrated in one functional module, or each processing unit may exist physically, or two or more processing units may be integrated in one functional module.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. The software modules may be disposed in Random Access Memory (RAM), memory, read Only Memory (ROM), electrically programmable ROM, electrically erasable programmable ROM, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
The method, the system, the device and the readable storage medium for protecting the service resources of the storage system provided by the invention are described in detail. The principles and embodiments of the present invention have been described herein with reference to specific examples, the description of which is intended only to facilitate an understanding of the method of the present invention and its core ideas. It should be noted that it will be apparent to those skilled in the art that various modifications and adaptations of the invention can be made without departing from the principles of the invention and these modifications and adaptations are intended to be within the scope of the invention as defined in the following claims.
Claims (10)
1. A method for protecting the security of service resources of a storage system, characterized by comprising the following steps:
setting the security protection attribute of the service resource when the service resource of the storage system is created;
acquiring a service data processing request of a service resource;
determining the set safety protection attribute according to the service data processing request;
and carrying out safety protection on the service data according to the determined safety protection attribute and executing the processing operation of the service data.
2. The method for protecting security of a service resource of a storage system according to claim 1, wherein the security protection attribute of the service resource comprises:
any one or any combination of a data encryption attribute, a data desensitization attribute, a digital signature attribute, a digital watermark attribute, an integrity patrol attribute, a medium cleaning attribute, and an automatic time aging attribute.
3. The method for protecting the security of service resources of a storage system according to claim 2, wherein the performing the security protection on the service data and the processing operation of the service data according to the determined security protection attribute comprises:
if the determined security protection attribute is a data encryption attribute, performing the following security protection operation when performing the read-write operation of the service data:
when the writing operation of the service data is carried out, an encryption algorithm and an encryption key stored in a storage system are obtained, the service data is automatically encrypted, and the encrypted service data is written into a storage medium;
when the reading operation of the service data is carried out, the corresponding service data is read from the storage medium, and whether the read service data is plaintext or ciphertext is judged; if the service data is the ciphertext, acquiring an encryption algorithm and a decryption key which are stored in a storage system, automatically decrypting the service data, and transmitting the plaintext of the service data to service software.
4. The method for protecting the security of service resources of a storage system according to claim 2, wherein the performing the security protection on the service data and the processing operation of the service data according to the determined security protection attribute comprises:
if the determined security protection attribute is a data desensitization attribute, performing the following security protection operation when performing the read-write operation of the service data:
when writing operation of service data is carried out, the regular expression stored in the storage system is used for automatically carrying out desensitization processing on the service data, the changed data in the desensitization process is automatically recorded, and the desensitized service data is written into the storage medium;
when the reading operation of the service data is carried out, the corresponding service data is read from the storage medium, the data changed in the desensitization process is read, the desensitization inverse operation is carried out, the original data of the service data is restored, and the original data is sent to the service software.
5. The method for protecting the security of service resources of a storage system according to claim 2, wherein the performing the security protection on the service data and the processing operation of the service data according to the determined security protection attribute comprises:
if the determined security protection attribute is a digital signature attribute, performing the following security protection operation when performing the read-write operation of the service data:
when the writing operation of service data is carried out, a hash algorithm, an encryption algorithm and a public and private key which are stored in a storage system are obtained; automatically digitally signing the service data to generate a digitally signed message of the service data; writing the digital signature message of the service data into a storage medium;
when the reading operation of the service data is carried out, the corresponding service data is read from the storage medium, and whether the read service data is plaintext or a digital signature message of the service data is judged; if it is the digital signature message of the service data, a hash algorithm, an encryption algorithm and a public and private key which are stored in a storage system are obtained, the signature of the service data is automatically removed, and the plaintext of the service data is sent to the service software;
if the determined security protection attribute is a digital watermark attribute, performing the following security protection operation when performing the read-write operation of the service data:
when the writing operation of service data is carried out, the identification information stored in the storage system is obtained; automatically adding a digital watermark containing identification information on service data, and recording the position of the digital watermark in the service data; writing the service data into a storage medium;
when the reading operation of the service data is carried out, the corresponding service data is read from the storage medium, and whether the read service data is added with the digital watermark is judged; if yes, removing the digital watermark in the service data according to the identification information stored in the storage system, and sending the service data to the service software.
6. The method for protecting the security of service resources of a storage system according to claim 2, wherein the performing the security protection on the service data and the processing operation of the service data according to the determined security protection attribute comprises:
if the determined security protection attribute is an integrity inspection attribute, performing the following security protection operation when executing the processing operation of the service data:
when the writing operation of the service data is carried out, automatically calculating a hash value for the service data, and recording the hash value at a designated position of a storage system;
when the inspection operation of the service data is carried out, calculating the hash value of the service data on the storage medium and comparing it with the recorded hash value; if the two are inconsistent, triggering an alarm instruction;
reading the service data from the storage medium when the service data reading operation is performed; calculating a hash value of the read service data, and comparing the hash value with the recorded hash value; if not, returning data error, otherwise, returning read service data.
7. The method for protecting the security of service resources of a storage system according to claim 2, wherein the performing the security protection on the service data and the processing operation of the service data according to the determined security protection attribute comprises:
if the determined security protection attribute is a medium cleaning attribute, overwriting random data in a storage medium space of the service data when the deletion operation of the service data is executed;
if the determined security protection attribute is an automatic time aging attribute, reading the current time when the processing operation of the service data is executed, and judging whether the alarm time point and the aging time point have been reached: when the alarm time point is reached, sending a pre-clearing alarm according to preset alarm parameters; and when the aging time point is reached, deleting the service data and cleaning the corresponding storage medium.
8. A security protection system for a storage system service resource, comprising:
the setting unit is used for setting the security protection attribute of the service resource when the service resource of the storage system is created; a request acquisition unit, configured to acquire a service data processing request of a service resource;
the protection identification unit is used for determining the set safety protection attribute according to the service data processing request;
and the execution unit is used for carrying out safety protection on the service data according to the determined safety protection attribute and executing the processing operation of the service data.
9. A security protection apparatus for a service resource of a storage system, comprising:
the memory is used for storing a security protection program for storing system service resources;
a processor for implementing the steps of the method for protecting the security of the storage system service resource according to any one of claims 1 to 7 when executing the security protection program of the storage system service resource.
10. A readable storage medium, characterized by: the readable storage medium stores a security protection program for a storage system service resource, the security protection program for a storage system service resource implementing the steps of the security protection method for a storage system service resource according to any one of claims 1 to 7 when executed by a processor.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310341142.3A CN116341029A (en) | 2023-03-31 | 2023-03-31 | Security protection method, system, device and medium for service resources of storage system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310341142.3A CN116341029A (en) | 2023-03-31 | 2023-03-31 | Security protection method, system, device and medium for service resources of storage system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN116341029A true CN116341029A (en) | 2023-06-27 |
Family ID=86887661
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310341142.3A Pending CN116341029A (en) | 2023-03-31 | 2023-03-31 | Security protection method, system, device and medium for service resources of storage system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116341029A (en) |
- 2023-03-31 CN CN202310341142.3A patent/CN116341029A/en active Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |