CN117034306A - Data streaming method, device, computer equipment and computer readable storage medium - Google Patents

Publication number: CN117034306A
Authority: CN (China)
Legal status: Pending (as listed by Google Patents; an assumption, not a legal conclusion)
Application number: CN202310787121.4A
Other languages: Chinese (zh)
Inventors: 丁帅, 沈炜, 严骞
Current assignee: Information and Data Security Solutions Co Ltd (as listed by Google Patents; may be inaccurate)
Original assignee: Information and Data Security Solutions Co Ltd
Application filed by: Information and Data Security Solutions Co Ltd
Priority: CN202310787121.4A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/10 Protecting distributed programs or content, e.g. vending or licensing of copyrighted material; Digital rights management [DRM]
    • G06F21/16 Program or content traceability, e.g. by watermarking
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements

Abstract

The application discloses a data transfer method, a data transfer device, computer equipment and a computer readable storage medium, and relates to the field of secure circulation control of power marketing data. It can improve the security of data during transmission and storage and avoid the risk of the data being hacked or leaked by internal personnel. The method comprises the following steps: in response to a target data request initiated by a target demander, extracting data to be displayed from the target data source indicated by the target data request and encrypting it to obtain encrypted data, wherein a pre-constructed special network exists between a data security cabin and the target data source; verifying the target user authority of the target demander; when the verification result indicates that the verification is passed, carrying out security processing on the encrypted data to obtain target data, wherein the security processing comprises watermark adding processing and rechecking processing; and sending the target data to the target demander so that the target demander calls the encryption interface to decrypt the target data and obtain the security-processed data to be displayed.

Description

Data streaming method, device, computer equipment and computer readable storage medium
Technical Field
The present application relates to the field of secure circulation control of power marketing data, and in particular, to a data circulation method, apparatus, computer device, and computer readable storage medium.
Background
Marketing, as the company's core user-facing business line, involves a large number of information-based business systems. Using and operating these systems involves a large amount of data, including sensitive information about the company's trade secrets and about electricity users.
In the related art, a data demander and a data source generally agree on a key. One party encrypts the data with the key and transfers the encrypted data to the other party, which decrypts the received data with the same key, so that the sensitive information can be transmitted safely over a communication network.
In carrying out the present application, the applicant has found that the related art has at least the following problems:
The data demander and the data source carry out point-to-point encrypted data transmission using the key, so one data source is connected to a plurality of data demanders and the same data demander also needs to be connected to a plurality of data sources. As a result, the data transmission network has a complex structure and high cost, and the data transfer process is difficult to manage centrally.
Disclosure of Invention
In view of this, the present application provides a data transfer method, apparatus, computer device and computer readable storage medium. It aims to solve the problems of the prior art, in which point-to-point encrypted data transmission using a key means that one data source is connected to a plurality of data demanders and one data demander needs to be connected to a plurality of data sources, so that the data transmission network is complex in structure and high in cost and the data transfer process is difficult to manage centrally.
According to a first aspect of the present application, there is provided a data transfer method, the method comprising:
responding to a target data request initiated by a target demand party, extracting data to be displayed from a target data source indicated by the target data request, and encrypting the data to obtain encrypted data, wherein a pre-constructed special network exists between the data security cabin and the target data source;
verifying the target user authority of the target demand party;
when the verification result indicates that the verification is passed, carrying out security processing on the encrypted data to obtain target data, wherein the security processing comprises watermark adding processing and rechecking processing;
and sending the target data to the target demand party so that the target demand party calls an encryption interface to decrypt the target data to obtain the data to be displayed after the safe processing.
According to a second aspect of the present application, there is provided a data circulation apparatus, the apparatus comprising:
the encryption module is used for responding to a target data request initiated by a target demand side, extracting data to be displayed from a target data source indicated by the target data request and encrypting the data to obtain encrypted data, wherein a pre-constructed special network exists between the data security cabin and the target data source;
the verification module is used for verifying the target user permission of the target demand party;
the security processing module is used for performing security processing on the encrypted data to obtain target data when the verification result indicates that the verification result passes, wherein the security processing comprises watermark adding processing and rechecking processing;
and the sending module is used for sending the target data to the target demand party so that the target demand party calls an encryption interface to decrypt the target data to obtain the data to be displayed after the safety processing.
According to a third aspect of the present application there is provided a computer device comprising a memory storing a computer program and a processor implementing the steps of the method of any of the first aspects described above when the computer program is executed by the processor.
According to a fourth aspect of the present application there is provided a computer readable storage medium having stored thereon a computer program which when executed by a processor performs the steps of the method of any of the first aspects described above.
By means of the technical scheme, the data streaming method, the data streaming device, the computer equipment and the computer readable storage medium provided by the application are characterized in that firstly, the data security cabin responds to a target data request initiated by a target demand party, data to be displayed is extracted from a target data source indicated by the target data request and encrypted to obtain encrypted data, and a pre-built special network exists between the data security cabin and the target data source. And then the data security cabin verifies the target user permission of the target demander. And when the verification result indicates that the verification is passed, carrying out security processing on the encrypted data to obtain target data. The security processing includes watermark adding processing and rechecking processing. And finally, the data security cabin sends the target data to the target demand party so that the target demand party calls the encryption interface to decrypt the target data to obtain the data to be displayed after security processing. The embodiment of the application helps enterprises to protect sensitive data from illegal access, theft and leakage through the data security cabin, and can also ensure the security of the data in the transmission and storage processes, avoid the risk of hacking or leakage of internal personnel, and help the data assets of the enterprises to be better protected.
The foregoing description is only an overview of the technical scheme of the present application. It is given so that the technical means of the application can be understood more clearly and implemented in accordance with the specification, and so that the above and other objects, features and advantages of the application are more readily apparent.
Drawings
Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiments. The drawings are only for purposes of illustrating the preferred embodiments and are not to be construed as limiting the application. Also, like reference numerals are used to designate like parts throughout the figures. In the drawings:
fig. 1 shows a flow chart of a data circulation method according to an embodiment of the present application;
fig. 2A is a schematic flow chart of a data circulation method according to an embodiment of the present application;
fig. 2B is a schematic flow chart of a data circulation method according to an embodiment of the present application;
fig. 2C is a schematic structural diagram of a data circulation system according to an embodiment of the present application;
fig. 3 is a schematic structural diagram of a data circulation device according to an embodiment of the present application;
Fig. 4 shows a schematic device structure of a computer device according to an embodiment of the present application.
Detailed Description
Exemplary embodiments of the present application will be described in more detail below with reference to the accompanying drawings. While exemplary embodiments of the present application are shown in the drawings, it should be understood that the present application may be embodied in various forms and should not be limited to the embodiments set forth herein. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the application to those skilled in the art.
The embodiment of the application provides a data circulation method, as shown in fig. 1, which comprises the following steps:
101. In response to a target data request initiated by a target demander, extract data to be displayed from the target data source indicated by the target data request and encrypt it to obtain encrypted data, wherein a pre-constructed special network exists between the data security cabin and the target data source.
Marketing professions, which are the core profession of a company towards users, involve a large number of informationized business systems, the use and operation of which involve a large amount of data information, among which there are sensitive information concerning the company's trade secrets and the users of electricity. At present, a data demand party and a data source usually confirm a secret key, the two parties encrypt data through the secret key, the encrypted data flow is transferred to the other party, and the other party decrypts the received encrypted data through the secret key so as to ensure that the sensitive information can be safely transmitted through a communication network. However, the applicant realizes that the point-to-point encrypted data transmission of the data demand party and the data source through the secret key can enable one data source to be connected with a plurality of data demand parties, and one data demand party also needs to be connected with a plurality of data sources, so that the data transmission network has a complex structure, high cost and difficulty in centralized management of the data circulation process. Therefore, the application provides a data circulation method, firstly, a data security cabin responds to a target data request initiated by a target demand party, data to be displayed is extracted from a target data source indicated by the target data request and is encrypted, so as to obtain encrypted data, wherein a pre-built special network exists between the data security cabin and the target data source. And then the data security cabin verifies the target user permission of the target demander. And when the verification result indicates that the verification is passed, carrying out security processing on the encrypted data to obtain target data. The security processing includes watermark adding processing and rechecking processing. 
And finally, the data security cabin sends the target data to the target demand party so that the target demand party calls the encryption interface to decrypt the target data to obtain the data to be displayed after security processing. The embodiment of the application helps enterprises to protect sensitive data from illegal access, theft and leakage through the data security cabin, and can also ensure the security of the data in the transmission and storage processes, avoid the risk of hacking or leakage of internal personnel, and help the data assets of the enterprises to be better protected.
In the embodiment of the application, a user initiates a target data request on the web application interface of the data security cabin. The data processing front-end service of the data security cabin responds to the target data request initiated by the target demander, extracts the data to be displayed from the target data source indicated by the request into the security cabin through an isolating device, and completes data encryption, so that the data cannot be illegally accessed, stolen or leaked during transmission and storage. Even if the encrypted data is hacked or stolen in transit, it cannot be decrypted to obtain useful information. Only a person holding the decryption key can decrypt it and recover the original data, which protects the privacy of the sensitive data. It should be noted that the target data source is the marketing business data production library indicated by the target data request, and the data security cabin establishes a data channel with the marketing business production library through components such as Kafka, ES and Oracle. The data security cabin is built with technical measures such as security gatekeepers and network domain division, is physically isolated from the marketing business data production library, and has built-in security capabilities such as data encryption, sensitive data discovery, watermarking and authority management. The target demander is an operator or an operation and maintenance person who uses the data asset information.
102. And verifying the target user permission of the target demander.
It is contemplated that within an enterprise, different users may have different rights, e.g., certain sensitive data may only be available to a particular user or department. Therefore, in order to protect the security and confidentiality of sensitive data, the data security cabin needs to verify the user credentials provided by the target demander first to ensure that the user has access to the requested data. If the user does not have sufficient rights, the data cannot be accessed, thereby protecting the security and confidentiality of the sensitive data. In addition, after the special network is established between the data security cabin and the target data source, the target data source only opens a corresponding interface for the data security cabin, so that the data security and privacy protection are improved. The data security cabin becomes an independent data processing unit in the special network, and the target data source cannot directly communicate with the target demander, so that the risk of data attack or theft is further reduced. Therefore, verifying the target user authority is one of important measures for ensuring data security of the data security cabin.
103. And when the verification result indicates that the verification is passed, carrying out security processing on the encrypted data to obtain target data, wherein the security processing comprises watermark adding processing and rechecking processing.
Wherein the watermarking process may provide traceable and non-tamperable evidence for the data. By watermarking the encrypted data, the data can be associated with a particular user, time and place, ensuring the legitimacy of the use of the data, and preventing unauthorized use of the data. The watermark can be detected at any time in the data transmission and storage processes, and the time, place and responsible person of the occurrence of the problem can be traced and positioned through the watermark under the condition of illegal use or data tampering, so that the data security and management efficiency are improved. The review process may help the enterprise ensure the integrity and security of the data. By monitoring and detecting the data in real time, abnormal behaviors and illegal access behaviors can be found, and the data protection effect is further improved. The rechecking process can analyze and trace the data afterwards to determine the cause and responsible person of data leakage or tampering and take corresponding countermeasures.
104. And sending the target data to the target demand party so that the target demand party calls the encryption interface to decrypt the target data to obtain the data to be displayed after the safe processing.
After the data is encrypted, only the user with the key can decrypt and obtain the useful information. In general, the target demand side needs to display, analyze and utilize the data, so that the target data needs to be sent to the target demand side, and the data is decrypted by calling a corresponding decryption interface, so as to obtain the data to be displayed after the security processing.
According to the method provided by the embodiment of the application, firstly, the data security cabin responds to the target data request initiated by the target demand side, the data to be displayed is extracted from the target data source indicated by the target data request and is encrypted, and the encrypted data is obtained, wherein a pre-built special network exists between the data security cabin and the target data source. And then the data security cabin verifies the target user permission of the target demander. And when the verification result indicates that the verification is passed, carrying out security processing on the encrypted data to obtain target data. The security processing includes watermark adding processing and rechecking processing. And finally, the data security cabin sends the target data to the target demand party so that the target demand party calls the encryption interface to decrypt the target data to obtain the data to be displayed after security processing. The embodiment of the application helps enterprises to protect sensitive data from illegal access, theft and leakage through the data security cabin, and can also ensure the security of the data in the transmission and storage processes, avoid the risk of hacking or leakage of internal personnel, and help the data assets of the enterprises to be better protected.
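The watermark adding and rechecking of step 103 can be sketched as follows. This is an added example, not code from the patent: it models the watermark as a keyed trailer that binds user, time and place to the encrypted payload, and the key, the marker and all sample values are constructed assumptions, since the page does not specify the watermark scheme.

```python
import hashlib
import hmac
import json
from typing import Optional

# Assumption: a watermark key held only inside the data security cabin.
# Constructed demo value, not a real secret.
WATERMARK_KEY = b"constructed-demo-watermark-key"
# Hypothetical marker separating the encrypted payload from the watermark.
MARKER = b"\nWMK1:"


def add_watermark(encrypted: bytes, user: str, issued_at: str, place: str,
                  key: bytes = WATERMARK_KEY) -> bytes:
    """Append a keyed watermark binding user, time and place to this payload."""
    record = {
        "user": user,
        "time": issued_at,
        "place": place,
        # Digest of the payload, so the watermark cannot be moved to other data.
        "sha256": hashlib.sha256(encrypted).hexdigest(),
    }
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode("ascii")
    tag = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    return encrypted + MARKER + body + b"." + tag


def recheck(target: bytes, key: bytes = WATERMARK_KEY) -> Optional[dict]:
    """Return the watermark record if it is authentic and matches the payload.

    Returns None when the watermark is missing, forged, or attached to a
    payload other than the one it was issued for.
    """
    # The JSON body escapes control characters and the tag is hex, so the
    # last marker in the blob is always the real one.
    payload, sep, trailer = target.rpartition(MARKER)
    if not sep:
        return None
    body, dot, tag = trailer.rpartition(b".")
    if not dot:
        return None
    expected = hmac.new(key, body, hashlib.sha256).hexdigest().encode("ascii")
    if not hmac.compare_digest(tag, expected):
        return None
    record = json.loads(body)
    if record.get("sha256") != hashlib.sha256(payload).hexdigest():
        return None
    return record


if __name__ == "__main__":
    # Constructed stand-in for encrypted data; the cipher itself is out of scope.
    ciphertext = bytes(range(256)) * 4
    target = add_watermark(ciphertext, "op-1001", "2023-06-30T08:00:00Z", "10.0.0.5")
    print("intact:", recheck(target))
    tampered = bytes([target[0] ^ 1]) + target[1:]
    print("tampered payload:", recheck(tampered))
    transplanted = b"other data" + target[len(ciphertext):]
    print("watermark moved to other data:", recheck(transplanted))
```

A trailer like this can be stripped by whoever holds the file, so the example illustrates the binding and the recheck, not a removal-resistant embedding.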
The embodiment of the application provides a data circulation method, as shown in fig. 2A, which comprises the following steps:
201. And constructing a data security cabin.
In the embodiment of the application, the data security cabin establishes an access control strategy through security gatekeeper technology, and uses that strategy to verify the target user authority of the target demander. It establishes a special network through network domain division technology, and the special network is isolated from the target data source in a preset isolation mode. As shown in fig. 2B, a user may initiate data download, share, copy, review, upload and edit requests, and screen capture watermark tracing, based on a web application interface provided by the data security cabin. For uploading, sharing, copying and consulting requests, the data security cabin carries out user authority verification on the user initiating the request. Only a user who passes the authority verification can view, acquire or upload the related data; otherwise the request is blocked by the data security cabin.
The data security cabin supports the functions of data collection security, compliance circulation use, data asset management, authorization configuration management, data security capability, data use abnormality monitoring and the like, and handles security management and risks in the business data interactive circulation process.
1. Data asset management
And automatically identifying and combing the dynamic assets of the business database through a special network between the business database and the business database of the production system, finishing the inventory checking of the total amount of assets, making data classification and classification standards, making data protection strategies, counting the number of the business classification tables, and deeply analyzing the safety protection condition of the business classification. The data asset management comprises four modules, namely database record, data classification and classification, data directory inquiry and data table configuration management. The database record module is used for newly adding and finding a database for the data security cabin and providing functions of inquiring, listing, details, newly adding and the like. In the actual operation process, the data source attribute of the data source to be newly added can be obtained, the data source attribute is adopted to record the data source to be newly added, and a scanning strategy is created for the data source to be newly added. Specifically, different types of databases need to be filled with different attribute information, and the corresponding relation of Chinese and English names is expressed in the synchronous library. The background asynchronously scans the tables in the database, providing more comprehensive data security control. Such as MySQL (port number, data source name, database name, IP, user name password, URL), es (data source name, cluster address), etc. The data classification and grading module provides data classification and grading functions for the data security cabin, supports the introduction of data classification and grading templates, automatically scans and classifies and grades newly-added and found data tables through a custom or default classification and grading strategy, and can generate classification and grading reports. 
In the actual operation process, responding to the asset management instruction, adopting a scanning strategy to asynchronously scan the data table in the newly added data source, classifying and grading the asset data in the data table according to a default classifying and grading strategy, and generating a classifying and grading report. Specifically, the data assets are classified and classified through the task form, a user-defined strategy can be selected, a system default classification and classification strategy can be selected, and a classification and classification report is output in the task form by referring to the related industry standard specification. The data catalog inquiry module is used for providing a data catalog function for the data security cabin and displaying the relevant attribute of the table in the database discovered by the record and the result of data classification and grading. For example, basic information of the data table is displayed, including attribute information such as the name of the data table, the english name of the data table, the data classification, the data hierarchy, the name of the database, the type of the data table (shared library, business library), the user name, and the update time. The data table configuration management is used for facilitating subsequent statistical analysis, establishing corresponding relation among network elements, service capacity and service classification, and providing functions of inquiring, editing, importing and exporting data table configuration information.
2. Authorization configuration management
Authorization configuration management comprises three modules: a service data application module, an authorized security configuration audit module and an authorized security configuration query module. These modules provide the function entry through which internal and external personnel apply to use service data. The applicant can select the required data according to the data catalog and the service capability list, and at the same time submits an initial strategy covering the scope, authority and security measures of the data use, which is used for user authority verification in the following steps.
3. Data security capability
Security application orchestration is realized through security equipment interfacing and security interface applications. It comprises an encryption and decryption service module and a data watermark tracing service module. It carries out the security operation process for interactively shared data according to the security examination requirement and the security configuration strategy, and implements the encryption and decryption process and the data watermark adding process in the following steps.
4. Data usage anomaly monitoring
This module displays the list of abnormal uses of service data. It supports time-division queries by service scene, field name, field notes, database name, database server address, database table name, operation IP, database user, operation time and the like, and provides a list of abnormal uses of important data.
202. And the data security cabin responds to a target data request initiated by a target demand party, extracts data to be displayed from a target data source indicated by the target data request, encrypts the data to be displayed, and obtains encrypted data.
In the embodiment of the application, in order to ensure that the data cannot be illegally accessed, stolen and leaked in the transmission and storage processes, the acquired data to be displayed needs to be encrypted. In the transmission process of the encrypted data after encryption, even if the encrypted data is hacked or stolen, the encrypted data cannot be decrypted to obtain useful information, and only people with decryption keys can decrypt and obtain the original useful data, so that the privacy of sensitive data is protected. The specific process of obtaining the encrypted data is as follows:
First, as shown in fig. 2B, the target demander initiates a target data request based on the web application interface of the data security cabin. The data security cabin provides a function entry through which internal and external personnel apply to use service data. The applicant can select the required data according to the data catalog and the service capability list, and at the same time submits an initial strategy covering the scope, authority and security measures of the data use. To avoid concurrent, repeated operations by authorized personnel on the same authorization application, a locking/unlocking function is introduced: an authorization application that has not yet been submitted for verification can be locked or unlocked by authorized personnel, and in actual operation the application needs to be locked before security configuration is added.
Next, as shown in fig. 2B, the data security cabin performs data preparation in response to a target data request initiated by the target demander. Specifically, the data security cabin receives the target data request, and identifies request information carried by the target data request to obtain a target data source and a data identifier. The data security cabin sends a data acquisition request carrying a data identifier to the target data source based on a private network between the data security cabin and the target data source, so that the target data source sends data to be displayed, which is associated with the data identifier, to the data security cabin through the private network according to the data acquisition request. And encrypting the data to be displayed to obtain encrypted data. Specifically, an encryption interface is called to inquire an encryption key preset by a target demand side and a classification and grading result of data to be displayed, and the data to be displayed is encrypted according to the encryption key and the classification and grading result to obtain encrypted data. It should be noted that, the encryption interface provided by the embodiment of the application supports national commercial cryptographic algorithms such as SM1, SM2, SM3, SM4, and the like, and specifically includes SM1/SM4 data encryption and decryption, SM2 digital envelope encapsulation and decapsulation, SM3 hash operation, SM2 message signature and verification, and the like.
The data to be displayed is extracted and encrypted through the response of the data security cabin to the target data request, so that the data can be protected, shared and controlled, the user experience and the user satisfaction are improved, and the data security and the data use efficiency are improved.
203. The security policy engine of the data security cabin verifies the target user permission of the target demander.
In the embodiment of the application, it is considered that different users may have different rights inside an enterprise, for example, certain sensitive data can only be used by a specific user or department. Therefore, in order to protect the security and confidentiality of sensitive data, the data security cabin needs to verify the user credentials provided by the target demander first to ensure that the user has access to the requested data. If the user does not have sufficient rights, the data cannot be accessed, thereby protecting the security and confidentiality of the sensitive data.
As shown in fig. 2B, after the data preparation is completed, the security policy engine of the data security cabin receives the target data request over the communication connection with the target demander and identifies the request information carried by the target data request to obtain the target user permission. It then detects whether the data to be displayed matches the target user permission. Specifically, according to results such as data classification and grading, the security policy engine applies a series of default security capabilities, such as encryption and signature, to the data and the business capabilities in the application, and automatically verifies information submitted by the applicant such as the scope of use of the data and the personnel involved. When the detection result indicates that the data to be displayed matches the target user permission, a verification result indicating that the verification is passed is generated. When the detection result indicates that the data to be displayed does not match the target user permission, a verification result indicating that the verification is not passed is generated.
204. When the verification result indicates that the verification is passed, security processing is performed on the encrypted data to obtain target data.
In the embodiment of the application, when the verification result indicates that the verification is passed, the data security cabin performs security processing on the encrypted data to obtain target data. The security processing includes watermark adding processing and rechecking processing. The watermark adding processing can provide traceable and non-tamperable evidence for the data. By watermarking the encrypted data, the data can be associated with a particular user, time and place, which ensures the legitimacy of the use of the data and prevents unauthorized use of the data. The watermark can be detected at any time during data transmission and storage, and in the event of illegal use or data tampering, the time, place and responsible person of the problem can be traced and located through the watermark, which improves data security and management efficiency. The rechecking processing can help the enterprise ensure the integrity and security of the data. By monitoring and detecting the data in real time, abnormal behaviors and illegal access behaviors can be found, which further improves the data protection effect. The rechecking processing can also analyze and trace the data afterwards to determine the cause of and the person responsible for data leakage or tampering, so that corresponding countermeasures can be taken. The specific process of performing security processing on the encrypted data to obtain the target data is as follows:
Firstly, when the verification result indicates that verification is passed, the data security cabin acquires a watermark adding strategy, and watermark information is added to the encrypted data according to the watermark adding strategy to obtain data to be rechecked. Specifically, after the verification result indicates that the verification is passed, the data security cabin can acquire a preconfigured watermark adding strategy, including information such as watermark type, watermark density, watermark position and the like. And then adding the watermark to the encrypted data according to the watermark adding strategy, and embedding watermark information into the encrypted data. The watermark information and the encrypted data can be mixed by an encryption algorithm, or the watermark information is embedded by changing certain bits of the encrypted data, so that the encrypted data added with the watermark, namely the data to be rechecked, is obtained.
Next, as shown in fig. 2B, the data to be rechecked and the target user permission carried by the target data request are sent to the rechecking terminal for permission rechecking, and a rechecking result is received. Here an administrator manually reviews the data application flow that was automatically reviewed by the security policy management and control engine; this is the final review step for data use permission. If the data application is approved, the user may use the relevant data. If the data application does not pass the review, it is returned to the applicant so that the applicant can adjust or refine the data requirements. Through the manual review step, an administrator can further examine the security measures adopted by the automatic review flow, thereby reducing the misjudgment rate and the vulnerability rate and improving the quality and accuracy of data use applications.
Whatever the result of the review, the flow continues: if the review is passed, the flow state information is returned to the authorization applicant; if the review is not passed, the application is returned to the authorization configurator for modification until the review is passed, thereby forming a closed loop of the authorized business capability security configuration flow. That is, when a rechecking result indicating a pass is received, the data to be rechecked is set as the target data. When a rechecking result indicating a failure is received, the target data request is returned to the target demander for modification.
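The watermark-then-recheck step described above, as an added example that is not code from the application. It assumes one possible realization of "mixing" the watermark with the encrypted data: a watermark record (user, time, place) is placed in front of the ciphertext and both are bound together with an HMAC, so the ciphertext stays decryptable and any change to either part is detected. SHA-256 stands in for SM3, and the envelope layout, field names and function names are hypothetical.

```python
import hashlib
import hmac
import json
import struct

MAGIC = b"WMK1"   # constructed format marker (assumption, not from the application)
TAG_LEN = 32      # HMAC-SHA-256 output size; SHA-256 stands in for SM3 here


def add_watermark(ciphertext: bytes, policy: dict, context: dict, wm_key: bytes) -> bytes:
    """Build the 'data to be rechecked': watermark record + ciphertext + HMAC tag."""
    record = {
        "type": policy["type"],      # watermark type taken from the adding policy
        "user": context["user"],     # who requested the data
        "time": context["time"],     # when the request was approved
        "place": context["place"],   # where the request came from
    }
    header = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    body = MAGIC + struct.pack(">I", len(header)) + header + ciphertext
    tag = hmac.new(wm_key, body, hashlib.sha256).digest()
    return body + tag


def read_watermark(envelope: bytes, wm_key: bytes):
    """Return (record, ciphertext); raise ValueError if anything was modified."""
    if len(envelope) < len(MAGIC) + 4 + TAG_LEN or not envelope.startswith(MAGIC):
        raise ValueError("not a watermarked envelope")
    body, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
    expected = hmac.new(wm_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("watermark or ciphertext was modified")
    (header_len,) = struct.unpack(">I", body[4:8])
    if 8 + header_len > len(body):
        raise ValueError("corrupt header length")
    record = json.loads(body[8:8 + header_len])
    return record, body[8 + header_len:]


def apply_review(envelope: bytes, review_passed: bool):
    """Pass: the data to be rechecked becomes the target data.
    Fail: nothing is released and the request goes back to the demander."""
    if review_passed:
        return ("target_data", envelope)
    return ("returned_to_demander", None)


if __name__ == "__main__":
    key = b"\x01" * 32                 # constructed watermark key
    ciphertext = bytes(range(48))      # constructed stand-in for SM4 output
    env = add_watermark(
        ciphertext,
        {"type": "envelope"},
        {"user": "alice", "time": "2023-06-29T10:00:00Z", "place": "office-lan"},
        key,
    )
    print(read_watermark(env, key)[0])
    print(apply_review(env, review_passed=True)[0])
```

Because the tag covers both the record and the ciphertext, the tracing information cannot be swapped onto different data, and the recipient recovers the exact ciphertext for decryption.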
205. The target data is sent to the target demander, so that the target demander calls the encryption interface to decrypt the target data and obtain the data to be displayed after the security processing.
After the data is encrypted, only a user who holds the key can decrypt it and obtain the useful information. In general, the target demander needs to display, analyze and use the data, so the target data is sent to the target demander, who decrypts it by calling the corresponding decryption interface to obtain the data to be displayed after the security processing. In addition, the data security cabin provides a secure data sharing function. Taking the sharing of the data to be displayed as an example, as shown in fig. 2C, the data security cabin generates an access connection for the target data and sends the access connection to the target demander, so that the target demander can share the access connection with other demanders by e-mail. The other demander sends a specified data request to the data security cabin through the access connection. In response to the specified data request, the data security cabin verifies the specified user permission of the other demander. When the verification result indicates that the verification is passed, the target data associated with the access connection is sent to the other demander for data display or data storage. It should be noted that, to ensure data security, the web interface provided by the data security cabin can restrict the viewing personnel, the number of views and the viewing duration, and can apply password protection.
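The restrictions on a shared access connection described above (viewing personnel, number of views, viewing duration, password protection), as an added example that is not code from the application. The class, method names and token format are hypothetical; the viewing duration is modelled as a validity window on the link, and the link token is signed with HMAC-SHA-256 so that a modified token is rejected before any state is consulted.

```python
import hashlib
import hmac
import secrets
import time


class ShareLinks:
    """Server-side state for shared access connections (hypothetical design)."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._links = {}  # link_id -> restrictions kept on the server

    def _sign(self, link_id: str) -> str:
        return hmac.new(self._key, link_id.encode(), hashlib.sha256).hexdigest()

    @staticmethod
    def _pw_hash(password: str, salt: bytes) -> bytes:
        # Store only a salted, slow hash of the link password.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def create(self, data_id, viewers, max_views, ttl_seconds, password, now=None):
        """Create an access connection for data_id and return its token."""
        now = time.time() if now is None else now
        link_id = secrets.token_urlsafe(16)
        salt = secrets.token_bytes(16)
        self._links[link_id] = {
            "data_id": data_id,
            "viewers": set(viewers),
            "views_left": max_views,
            "expires": now + ttl_seconds,
            "salt": salt,
            "pw_hash": self._pw_hash(password, salt),
        }
        return f"{link_id}.{self._sign(link_id)}"

    def redeem(self, token, viewer, password, now=None):
        """Check every restriction; return (True, data_id) or (False, reason)."""
        now = time.time() if now is None else now
        link_id, _, sig = token.partition(".")
        if not hmac.compare_digest(sig.encode(), self._sign(link_id).encode()):
            return (False, "bad signature")
        link = self._links.get(link_id)
        if link is None:
            return (False, "unknown link")
        if now >= link["expires"]:
            return (False, "expired")
        if viewer not in link["viewers"]:
            return (False, "viewer not allowed")
        supplied = self._pw_hash(password, link["salt"])
        if not hmac.compare_digest(supplied, link["pw_hash"]):
            return (False, "wrong password")
        if link["views_left"] <= 0:
            return (False, "view limit reached")
        link["views_left"] -= 1  # a view is consumed only after all checks pass
        return (True, link["data_id"])


if __name__ == "__main__":
    svc = ShareLinks(secrets.token_bytes(32))
    # Constructed sample values.
    tok = svc.create("report-42", {"bob@example.com"}, 2, 3600, "s3cret")
    print(svc.redeem(tok, "bob@example.com", "s3cret"))
    print(svc.redeem(tok, "eve@example.com", "s3cret"))
```

Failed attempts do not consume a view, so a wrong password or an unlisted viewer cannot exhaust the link for the intended recipient.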
When the target demander needs to transfer a file, the data security cabin receives a transfer request initiated by the target demander, obtains the transfer file carried by the transfer request, and encrypts the transfer file with the encryption key corresponding to the target demander. When the target demander has the file uploading permission, the encrypted transfer file is stored.
According to the method provided by the embodiment of the application, the data security cabin first responds to the target data request initiated by the target demander, extracts the data to be displayed from the target data source indicated by the target data request and encrypts it to obtain encrypted data, where a pre-built private network exists between the data security cabin and the target data source. The data security cabin then verifies the target user permission of the target demander. When the verification result indicates that the verification is passed, security processing, which includes watermark adding processing and rechecking processing, is performed on the encrypted data to obtain target data. Finally, the data security cabin sends the target data to the target demander, so that the target demander calls the encryption interface to decrypt the target data and obtain the data to be displayed after the security processing. Through the data security cabin, the embodiment of the application helps enterprises protect sensitive data from illegal access, theft and leakage, ensures the security of the data during transmission and storage, avoids the risk of hacker attacks or leakage by internal personnel, and helps the data assets of enterprises to be better protected.
Further, as a specific implementation of the method shown in fig. 1, an embodiment of the present application provides a data circulation device, as shown in fig. 3, where the device includes: an encryption module 301, a verification module 302, a security processing module 303, and a transmission module 304.
The encryption module 301 is configured to respond to a target data request initiated by a target demander, extract data to be displayed from a target data source indicated by the target data request, and encrypt the data to obtain encrypted data, where a pre-built private network exists between the data security cabin and the target data source;
the verification module 302 is configured to verify the target user permission of the target demander;
the security processing module 303 is configured to perform security processing on the encrypted data to obtain target data when the verification result indicates that the verification is passed, where the security processing includes watermark adding processing and rechecking processing;
the sending module 304 is configured to send the target data to the target demander, so that the target demander invokes an encryption interface to decrypt the target data, and obtain the data to be displayed after the security processing.
In a specific application scene, the data security cabin establishes an access control strategy through the security gatekeeper technology, and the access control strategy is adopted to verify the target user authority of the target demander; the data security cabin establishes the private network through the network domain technology and is isolated from the target data source by adopting a preset isolation mode.
In a specific application scenario, the encryption module 301 is configured to receive the target data request and identify the request information carried by the target data request to obtain the target data source and the data identifier; send, over the private network between the data security cabin and the target data source, a data acquisition request carrying the data identifier to the target data source, so that the target data source, according to the data acquisition request, sends the data to be displayed that is associated with the data identifier to the data security cabin through the private network; and query the encryption key preset by the target demander and the classification and grading result of the data to be displayed, call the encryption interface, and encrypt the data to be displayed according to the encryption key and the classification and grading result to obtain the encrypted data.
In a specific application scenario, the verification module 302 is configured to receive the target data request based on a communication connection with the target demander, and identify request information carried by the target data request, so as to obtain the target user right; detecting whether the data to be displayed is matched with the target user permission; generating a verification result for indicating passing verification when the detection result indicates that the data to be displayed is matched with the target user authority; and when the detection result indicates that the data to be displayed is not matched with the target user authority, generating a verification result for indicating that verification is not passed.
In a specific application scenario, the security processing module 303 is configured to obtain a watermark adding policy when the verification result indicates that the verification is passed, and add watermark information to the encrypted data according to the watermark adding policy to obtain data to be rechecked; transmitting the data to be rechecked and the target user permission carried by the target data request to a rechecking terminal for permission rechecking, and receiving a rechecking result; and when receiving a checking result indicating passing, setting the data to be checked as the target data.
In a specific application scenario, the apparatus further includes: a sharing module 305 and a display module 306.
The sharing module 305 is configured to generate an access connection for the target data, send the access connection to the target demander, so that the target demander shares the access connection to other demander, and the other demander sends a specified data request to the data security cabin through the access connection;
the verification module 302 is further configured to verify the specified user rights of the other requesters in response to the specified data request;
and the display module 306 is configured to send the target data associated with the access connection to the other requiring party for data display or data storage when the verification result indicates that the verification is passed.
In a specific application scenario, the apparatus further includes: an acquisition module 307, an asset management module 308.
The obtaining module 307 is configured to receive a transfer request initiated by a target demander, obtain the transfer file carried by the transfer request, encrypt the transfer file with the encryption key corresponding to the target demander, and store the encrypted transfer file when the target demander has the file uploading permission; and/or,
the asset management module 308 is configured to obtain the data source attributes of a data source to be newly added, record the data source to be newly added using the data source attributes, create a scanning policy for the data source to be newly added, asynchronously scan the data tables in the data source to be newly added using the scanning policy in response to an asset management instruction, classify and grade the asset data in the data tables according to a default classification and grading policy, and generate a classification and grading report.
According to the device provided by the embodiment of the application, the data security cabin first responds to the target data request initiated by the target demander, extracts the data to be displayed from the target data source indicated by the target data request and encrypts it to obtain encrypted data, where a pre-built private network exists between the data security cabin and the target data source. The data security cabin then verifies the target user permission of the target demander. When the verification result indicates that the verification is passed, security processing, which includes watermark adding processing and rechecking processing, is performed on the encrypted data to obtain target data. Finally, the data security cabin sends the target data to the target demander, so that the target demander calls the encryption interface to decrypt the target data and obtain the data to be displayed after the security processing. Through the data security cabin, the embodiment of the application helps enterprises protect sensitive data from illegal access, theft and leakage, ensures the security of the data during transmission and storage, avoids the risk of hacker attacks or leakage by internal personnel, and helps the data assets of enterprises to be better protected.
Based on the above-mentioned methods shown in fig. 1 and fig. 2A to fig. 2C, correspondingly, the present embodiment further provides a storage medium, on which a computer program is stored, where the computer program implements the steps of the data circulation method when executed by a processor.
Based on such understanding, the technical solution of the present application may be embodied in the form of a software product. The software product may be stored in a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) and includes several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the method described in the various implementation scenarios of the present application.
Based on the methods shown in fig. 1 and fig. 2A to fig. 2C, and in order to achieve the above object, in an exemplary embodiment, referring to fig. 4, a device is further provided. The device includes a communication bus, a processor, a memory and a communication interface, and may further include an input-output interface and a display device, where the functional units communicate with each other through the bus. The memory stores a computer program, and the processor executes the program stored in the memory to perform the data transfer method in the above embodiment.
Optionally, the physical device may further include a user interface, a network interface, a camera, Radio Frequency (RF) circuitry, sensors, audio circuitry, WI-FI modules, and the like. The user interface may include a display screen (Display) and an input unit such as a keyboard (Keyboard); optionally, the user interface may also include a USB interface, a card reader interface, etc. The network interface may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface), etc.
It will be appreciated by those skilled in the art that the structure of the physical device for data transfer provided in this embodiment does not constitute a limitation on the physical device, which may include more or fewer components, combine some components, or use a different arrangement of components.
The storage medium may also include an operating system and a network communication module. The operating system is a program that manages the hardware and software resources of the physical device and supports the running of the information processing program and other software and/or programs. The network communication module is used to implement communication among the components in the storage medium, as well as communication with other hardware and software in the information processing physical device.
From the above description of the embodiments, it will be apparent to those skilled in the art that the present application may be implemented by means of software plus a necessary general hardware platform, or may be implemented by hardware. By applying the technical scheme of the application, the data security cabin first responds to a target data request initiated by a target demander, extracts the data to be displayed from the target data source indicated by the target data request and encrypts it to obtain encrypted data, where a pre-built private network exists between the data security cabin and the target data source. The data security cabin then verifies the target user permission of the target demander. When the verification result indicates that the verification is passed, security processing, which includes watermark adding processing and rechecking processing, is performed on the encrypted data to obtain target data. Finally, the data security cabin sends the target data to the target demander, so that the target demander calls the encryption interface to decrypt the target data and obtain the data to be displayed after the security processing. Compared with the prior art, the embodiment of the application, through the data security cabin, helps enterprises protect sensitive data from illegal access, theft and leakage, ensures the security of the data during transmission and storage, avoids the risk of hacker attacks or leakage by internal personnel, and helps the data assets of enterprises to be better protected.
Those skilled in the art will appreciate that the drawing is merely a schematic illustration of a preferred implementation scenario and that the modules or flows in the drawing are not necessarily required to practice the application.
Those skilled in the art will appreciate that the modules of an apparatus in an implementation scenario may be distributed in the apparatus as described for that implementation scenario, or may, with corresponding changes, be located in one or more apparatuses different from that of the implementation scenario. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.

Claims (10)

1. A data streaming method, the method being applicable to a data security cabin, comprising:
responding to a target data request initiated by a target demand party, extracting data to be displayed from a target data source indicated by the target data request, and encrypting the data to obtain encrypted data, wherein a pre-constructed special network exists between the data security cabin and the target data source;
verifying the target user authority of the target demand party;
when the verification result indicates that the verification is passed, carrying out security processing on the encrypted data to obtain target data, wherein the security processing comprises watermark adding processing and rechecking processing;
and sending the target data to the target demand party so that the target demand party calls an encryption interface to decrypt the target data to obtain the data to be displayed after the safe processing.
2. The method of claim 1, wherein the data security cabin is constructed based on a security gatekeeper and network split domain technique, comprising:
the data security cabin establishes an access control strategy through the security gatekeeper technology, and the access control strategy is adopted to verify the target user authority of the target requiring party;
the data security cabin establishes the private network through the network domain technology and is isolated from the target data source by adopting a preset isolation mode.
3. The method according to claim 1, wherein the extracting the data to be displayed from the target data source indicated by the target data request and encrypting the data to obtain the encrypted data in response to the target data request initiated by the target demander includes:
receiving the target data request, and identifying request information carried by the target data request to obtain the target data source and the data identifier;
based on a special network between the data security cabin and the target data source, sending a data acquisition request carrying the data identifier to the target data source, so that the target data source sends the data to be displayed, which is associated with the data identifier, to the data security cabin through the special network according to the data acquisition request;
inquiring an encryption key preset by the target demand side and a classification and grading result of the data to be displayed, calling an encryption interface, and encrypting the data to be displayed according to the encryption key and the classification and grading result to obtain the encrypted data.
4. The method of claim 1, wherein verifying the target user rights of the target demander comprises:
receiving the target data request based on communication connection with the target demand party, and identifying request information carried by the target data request to obtain the target user permission;
detecting whether the data to be displayed is matched with the target user permission;
generating a verification result for indicating passing verification when the detection result indicates that the data to be displayed is matched with the target user authority;
and when the detection result indicates that the data to be displayed is not matched with the target user authority, generating a verification result for indicating that verification is not passed.
5. The method according to claim 1, wherein the security processing the encrypted data to obtain target data when the verification result indicates that the verification is passed, includes:
when the verification result indicates that verification is passed, a watermark adding strategy is obtained, watermark information is added to the encrypted data according to the watermark adding strategy, and data to be rechecked is obtained;
transmitting the data to be rechecked and the target user permission carried by the target data request to a rechecking terminal for permission rechecking, and receiving a rechecking result;
and when receiving a checking result indicating passing, setting the data to be checked as the target data.
6. The method according to claim 1, wherein the method further comprises:
generating access connection for the target data, and sending the access connection to the target demand side so that the target demand side shares the access connection to other demand sides, and the other demand sides send specified data requests to the data security cabin through the access connection;
responding to the specified data request, and verifying the specified user rights of the other demanding parties;
and when the verification result indicates that the verification is passed, sending the target data associated with the access connection to the other requiring party for data display or data storage.
7. The method according to claim 1, wherein the method further comprises:
receiving a transfer request initiated by a target demand side, acquiring a transfer file carried by the transfer request, encrypting the transfer file by adopting an encryption key corresponding to the target demand side, and storing the encrypted transfer file when the file uploading right exists in the target demand side; and/or,
acquiring data source attributes of a data source to be newly added, recording the data source to be newly added by adopting the data source attributes, creating a scanning strategy for the data source to be newly added, asynchronously scanning a data table in the data source to be newly added by adopting the scanning strategy in response to an asset management instruction, classifying and grading asset data in the data table according to a default classification and grading strategy, and generating a classification and grading report.
8. A data streaming apparatus, comprising:
the encryption module is used for responding to a target data request initiated by a target demand side, extracting data to be displayed from a target data source indicated by the target data request and encrypting the data to obtain encrypted data, wherein a pre-constructed special network exists between the data security cabin and the target data source;
the verification module is used for verifying the target user permission of the target demand party;
the security processing module is used for performing security processing on the encrypted data to obtain target data when the verification result indicates that the verification is passed, wherein the security processing comprises watermark adding processing and rechecking processing;
and the sending module is used for sending the target data to the target demand party so that the target demand party calls an encryption interface to decrypt the target data to obtain the data to be displayed after the safety processing.
9. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor implements the steps of the method of any of claims 1 to 7 when the computer program is executed.
10. A computer readable storage medium, on which a computer program is stored, characterized in that the computer program, when being executed by a processor, implements the steps of the method of any of claims 1 to 7.
CN202310787121.4A 2023-06-29 2023-06-29 Data streaming method, device, computer equipment and computer readable storage medium Pending CN117034306A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310787121.4A CN117034306A (en) 2023-06-29 2023-06-29 Data streaming method, device, computer equipment and computer readable storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310787121.4A CN117034306A (en) 2023-06-29 2023-06-29 Data streaming method, device, computer equipment and computer readable storage medium

Publications (1)

Publication Number Publication Date
CN117034306A true CN117034306A (en) 2023-11-10

Family

ID=88632504

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310787121.4A Pending CN117034306A (en) 2023-06-29 2023-06-29 Data streaming method, device, computer equipment and computer readable storage medium

Country Status (1)

Country Link
CN (1) CN117034306A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination