CN117951729A - Anti-leakage safety prevention and control system for data management - Google Patents


Info

Publication number: CN117951729A
Authority: CN (China)
Application number: CN202311717967.7A
Other languages: Chinese (zh)
Prior art keywords: module, data, client, security, risk
Legal status: Pending
Inventors: 陈超, 张福华, 胡才亮, 刘丽
Current Assignee: Anhui Mingsheng Hengzhuo Technology Co ltd
Original Assignee: Anhui Mingsheng Hengzhuo Technology Co ltd

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database where protection concerns the structure of data, e.g. records, types, queries
    • G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals
    • G06F21/31 User authentication
    • G06F21/602 Providing cryptographic facilities or services
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention relates to an anti-leakage safety prevention and control system for data management, belonging to the field of safety prevention and control systems. The system comprises a client, a data management terminal and a data storage server. The client contains an identity verification module, a data decryption module, an auxiliary detection module and a storage module. The data storage server contains a plurality of sub-databases, each with a security level. The data management terminal is connected to a data management module, a monitoring module, a key management module, an evaluation module, a rights management module, an access management module and an encryption module; the access management module is used for key allocation and authority authorization. The system isolates the visitor from any direct connection to the database, which strengthens the security of the database information. When data is transmitted, the encrypted data is sent first and the risk of the client is evaluated afterwards; whether the data is decrypted is decided from the security level of the data and the risk level, which effectively ensures the security of the data during database data interaction.

Description

Anti-leakage safety prevention and control system for data management
Technical Field
The invention relates to an anti-leakage safety prevention and control system for data management, applied in the field of safety prevention and control systems.
Background
A database is a large-scale store of records for users across industries, enterprises, groups and the like. Because it can hold important information of an enterprise or group and the records of many associated users, the security of the database is very important.
To address data security, some data security prevention and control systems on the market combine identity verification with a firewall, and these hold a certain market share.
Chinese patent CN114006760B discloses a database information security prevention and control system comprising a front-end user layer, a front-end protection layer, a middle-end application layer, a back-end protection layer, a back-end data layer and a system monitoring layer. The first five layers are all connected to the system monitoring layer. The front-end user layer contains a user login module and an administrator login module and is connected to the front-end protection layer; the front-end protection layer contains a first firewall and a verification module and is connected to the middle-end application layer; the middle-end application layer contains a data module and a data isolation box.
Traditional databases cannot fully meet security requirements because of their data model and predefined operation modes. Access to traditional database data mostly relies on account login verification, which lacks sufficient security, so database information is easily leaked or tampered with. Some systems adopt a more complex verification based on device hardware address identification, but database content can still leak when the device is hijacked and used to access the database.
Disclosure of Invention
In view of the prior art, the technical problem to be solved by the invention is that existing database data is mostly accessed through account verification, which lacks sufficient security and leaves the data easy to leak or tamper with.
To solve this problem, the invention provides an anti-leakage safety prevention and control system for data management, comprising a client, a data management terminal and a data storage server;
the client contains an identity verification module, a data decryption module, an auxiliary detection module and a storage module;
the data storage server contains a plurality of sub-databases, each with a security level;
the data management terminal is connected to a data management module, a monitoring module, a key management module, an evaluation module, a rights management module, an access management module and an encryption module;
the access management module is used for key allocation and authority authorization;
the rights management module is connected to a personnel database, which stores personnel information with different authority levels, and each authority level is associated with access rights to the sub-databases of a given security level;
the evaluation module evaluates the risk level of the client, calling the auxiliary detection module to check the security of the client during the evaluation; each risk level is associated with a corresponding authority level;
the encryption module encrypts the data packet output by a sub-database, then generates and stores the corresponding decryption key;
the monitoring module monitors access, data transmission and the network environment of the system.
As a further improvement of the application, a temporary storage unit is provided in the data storage server, and the data encrypted by the encryption module is stored in the temporary storage unit.
As a further improvement of the application, the encryption module supports full encryption of the whole data and partial data encryption; partial data encryption is used for multimedia files.
As a further improvement of the application, each time a visitor issues a data call request the key management module randomly generates and stores a pair of encryption and decryption keys bound to that visitor, and the encryption module uses the encryption key to encrypt the data the visitor calls.
As a further improvement of the application, a recording unit is provided in the data management module; it records the key used in each access together with access records, request records and risk assessment records.
As a further improvement of the application, when the evaluation module works, it assesses the risk of the visitor's usage environment through the auxiliary detection module in the client and the monitoring module. The assessment covers, by quantitative indicators, operating system security, application software security, device integrity, network environment security and the strength of encryption protection measures; each security level is associated with a risk level.
As a further improvement of the application, after the evaluation module performs the risk assessment, it judges whether the security level of the encrypted data packet meets the associated risk level requirement; if so, the encrypted data packet in the temporary storage unit is transmitted to the client, otherwise the encrypted data packet in the temporary storage unit is deleted.
As a further improvement of the application, the risk assessment compares the usage context at authentication with the usage context at risk assessment; if the difference between the two is larger than the set range, the client is judged to be at risk.
As a further improvement of the application, the authentication modes of the identity verification module include: user name and password, mobile phone verification code, digital certificate and token authentication.
As a further improvement of the application, for temporary access through the client, identity information is submitted through the identity verification module, the evaluation module performs a risk assessment of the client, the set authority level is authorized after analysis and assessment, and the identity information and address information of the accessing party are recorded in the personnel database.
In summary, the system isolates the visitor from any direct connection to the database, which strengthens the security of the database information. When data is transmitted, the encrypted data is sent first and the risk of the client is evaluated afterwards; whether the data is decrypted is decided from the security level of the data and the risk level, which effectively ensures the security of the data during database data interaction.
Drawings
FIG. 1 is a system block diagram of embodiments 1 and 2 of the present application;
FIG. 2 is a schematic diagram of the system operation of embodiments 1 and 2 of the present application;
FIG. 3 is a flowchart showing the operation of embodiment 1 of the present application;
FIG. 4 is a flowchart showing the operation of embodiment 2 of the present application;
FIG. 5 is a flowchart illustrating the key management module according to embodiment 2 of the present application.
Detailed Description
Two embodiments of the present application are described in detail below with reference to the accompanying drawings.
Embodiment 1:
FIGS. 1-3 illustrate an anti-leakage safety prevention and control system for data management, comprising a client, a data management terminal and a data storage server;
the client contains an identity verification module, a data decryption module, an auxiliary detection module and a storage module;
the data storage server contains a plurality of sub-databases, each with a security level, and a data packet output by a sub-database has the same security level as that sub-database;
the data management terminal is connected to a data management module, a monitoring module, a key management module, an evaluation module, a rights management module, an access management module and an encryption module;
the access management module is used for key allocation and authority authorization;
the rights management module is connected to a personnel database, which stores personnel information with different authority levels. Each authority level is associated with access rights to the sub-databases of the corresponding security level, and in this scheme each personnel authority level is associated with a security level and a risk level. The codes of the authority levels and the security levels are ordered from low to high: the larger the code, the higher the authority level and the security level of the sub-database;
the risk level codes are also ordered from low to high; a larger risk level code indicates a larger client environment risk.
For example: the first-level authority level corresponds to the first-level security level and the first-level risk level, meaning that the first-level authority has access to a sub-database with a higher security level and a higher client risk requirement;
the evaluation module evaluates the risk level of the client, calling the auxiliary detection module to check the security of the client during the evaluation; each risk level is associated with a corresponding authority level;
the encryption module encrypts the data packet output by a sub-database, then generates and stores the corresponding decryption key;
the monitoring module monitors access, data transmission and the network environment of the system.
The encryption module supports full encryption of the whole data and partial data encryption; partial data encryption is used for multimedia files.
A recording unit is provided in the data management module; it records the key used in each access together with access records, request records and risk assessment records.
When the evaluation module works, it assesses the risk of the visitor's usage environment through the auxiliary detection module in the client and the monitoring module. The assessment covers, by quantitative indicators, operating system security, application software security, device integrity, network environment security and the strength of encryption protection measures; each security level is associated with a risk level, and the fewer indicators the client meets, the higher the risk level.
The risk assessment also compares the usage context at authentication with the usage context at risk assessment, where the usage context includes the network environment and the software and hardware state; if the difference between the two is larger than the set range, the risk is assessed as high.
The authentication modes of the identity verification module include: user name and password, mobile phone verification code, digital certificate and token authentication.
For temporary access through the client, identity information is submitted through the identity verification module, the evaluation module performs a risk assessment of the client, the set authority level is authorized after analysis and assessment, and the identity information and address information of the accessing party are recorded in the personnel database.
In operation, a visitor uses the identity verification module of the client to prove their identity to the data management terminal. After the data management terminal recognizes the visitor's identity, it detects and records the usage context of the client and then authorizes the visitor;
data access to the sub-databases of the corresponding authority is opened, and after the visitor sends a data access request, the encryption module encrypts the requested data packet and transmits it to the client;
later, when the client needs to decrypt the data packet, the evaluation module performs a risk assessment of the client based on operating system security, application software security, device integrity, network environment security and the strength of encryption protection measures, where the strength of encryption protection measures covers the security of the encrypted data storage module and the reliability of the decryption module;
the indicators of operating system security, application software security, device integrity, network environment security and strength of encryption protection measures carry the same weight. In the risk assessment, each risk level corresponds to a set number and set kinds of indicators that must be met, and the risk level is assessed from the degree to which the client meets each indicator;
after the evaluation, the risk level of the client is obtained; if the risk level is lower than or equal to the security level corresponding to the data packet, the key management module transmits the decryption key to the decryption module of the client, and the decryption module decrypts the data packet.
The risk assessment also compares the usage context at authentication with the usage context at risk assessment, where the usage context includes the network environment and the software and hardware state; if the difference between the two is larger than the set range, the risk is assessed as high, and only data with the lowest security level or no security level can be decrypted.
In this embodiment, when the accessing party calls data, encrypted data of the corresponding security level is output based on authority alone, and the decryption key is transmitted only after the usage context of the access terminal has been verified a second time. This ensures that the client views and calls the data in a secure usage context and can decrypt the data only in a risk environment that matches the security level of the data, which effectively ensures the security of the data and avoids leakage caused by an insecure access terminal environment.
Embodiment 2:
Parts that are the same as or correspond to those in Embodiment 1 carry the same reference numerals as in Embodiment 1; for brevity, only the differences from Embodiment 1 are described below. Embodiment 2 differs from Embodiment 1 in the following:
FIGS. 2-4 show that a temporary storage unit is provided in the data storage server, and the encryption module stores the encrypted data in the temporary storage unit.
After the evaluation module performs the risk assessment, it judges whether the security level of the encrypted data packet meets the associated risk level requirement; if so, the encrypted data packet in the temporary storage unit is transmitted to the client, otherwise the encrypted data packet in the temporary storage unit is deleted.
Each time a visitor issues a data call request, the key management module randomly generates and stores a pair of encryption and decryption keys bound to that visitor, and the encryption module uses the encryption key to encrypt the data the visitor calls.
This embodiment lets the visitor connect to the data storage end only indirectly, through the temporary storage unit. When the visitor makes a data call request and the data is called from the data storage server through the data management terminal, the called data packet is processed by the encryption module and then transmitted to the temporary storage unit;
then the evaluation module performs a risk assessment of the access terminal, and when the assessed risk level is higher than the data security level, the connection is dropped and the data processing end deletes the decryption key, which ensures data security. The data is stored in the data management terminal, which further ensures data security, but compared with Embodiment 1 the server load of the data management terminal is larger.
The present application is not limited to the above embodiments; the embodiments are adopted according to actual needs, and changes made by a person skilled in the art without departing from the spirit of the present application remain within its scope.
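The key-release decision described in Embodiments 1 and 2, as an added Python example that is not the patent's own code: it scores the client on the five equally weighted indicators, treats usage-context drift beyond a set range as high risk, and hands over the staged ciphertext and the per-request key only when the risk fits the data's security level. The level numbering, the `MAX_RISK_FOR_SECURITY` table, `DRIFT_LIMIT` and all class and function names are assumptions of this example; the cipher is out of scope and the packet is treated as an opaque blob.

```python
"""Added example: risk-gated key release (Embodiments 1 and 2). Not the patent's code."""
import secrets
from dataclasses import dataclass, field

# The five equally weighted indicators named in the description.
INDICATORS = ("os_security", "app_security", "device_integrity",
              "network_security", "crypto_protection")

# ASSUMPTION: risk level = number of unmet indicators (0 = best, 5 = worst).
MAX_RISK = len(INDICATORS)

# ASSUMPTION: the "associated risk level" of each security level, read as the
# highest client risk level that may still decrypt data of that level.
MAX_RISK_FOR_SECURITY = {0: 5, 1: 3, 2: 1, 3: 0}

# ASSUMPTION: the "set range" is a count of context attributes allowed to differ.
DRIFT_LIMIT = 1


def context_drift(at_auth: dict, at_eval: dict) -> int:
    """Number of usage-context attributes that changed since authentication."""
    keys = set(at_auth) | set(at_eval)
    return sum(1 for k in keys if at_auth.get(k) != at_eval.get(k))


def risk_level(indicators: dict, at_auth: dict, at_eval: dict) -> int:
    """Score the client; a missing indicator counts as unmet (fail closed)."""
    if context_drift(at_auth, at_eval) > DRIFT_LIMIT:
        return MAX_RISK  # drift beyond the set range is assessed as high risk
    return sum(1 for name in INDICATORS if not indicators.get(name, False))


@dataclass
class DataManagementTerminal:
    keys: dict = field(default_factory=dict)    # request id -> (visitor, key)
    staged: dict = field(default_factory=dict)  # temporary storage unit
    audit: list = field(default_factory=list)   # recording unit

    def request(self, visitor: str, security_level: int, ciphertext: bytes) -> str:
        """Stage an encrypted packet and bind a fresh random key to the visitor.

        The cipher itself is out of scope here: `ciphertext` is an opaque blob.
        """
        request_id = secrets.token_hex(8)
        self.keys[request_id] = (visitor, secrets.token_bytes(32))
        self.staged[request_id] = (security_level, ciphertext)
        self.audit.append(("request", visitor, request_id, security_level))
        return request_id

    def release(self, visitor, request_id, indicators, at_auth, at_eval):
        """Return (ciphertext, key) if the client's risk fits the data, else None."""
        owner, key = self.keys.get(request_id, (None, None))
        if owner is None or owner != visitor:
            self.audit.append(("deny", visitor, request_id, "not bound to visitor"))
            return None
        level, blob = self.staged.pop(request_id)
        del self.keys[request_id]  # single use: gone whether or not it is released
        risk = risk_level(indicators, at_auth, at_eval)
        allowed = risk <= MAX_RISK_FOR_SECURITY.get(level, -1)
        self.audit.append(("release" if allowed else "deny", visitor, request_id, risk))
        return (blob, key) if allowed else None


if __name__ == "__main__":
    # Constructed sample data, not taken from the patent.
    terminal = DataManagementTerminal()
    office = {"network": "corp-lan", "os_build": "10.0.1", "device_id": "A1"}
    cafe = {"network": "cafe-wifi", "os_build": "10.0.2", "device_id": "A1"}
    healthy = {name: True for name in INDICATORS}
    for level, ctx_now in ((3, office), (3, cafe), (0, cafe)):
        rid = terminal.request("alice", level, b"<encrypted packet>")
        result = terminal.release("alice", rid, healthy, office, ctx_now)
        print(f"security level {level}, drift {context_drift(office, ctx_now)}:",
              "key released" if result else "packet and key deleted")
```

The audit list here stores the request id and the decision rather than the key material, which is a choice of this example.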

Claims (10)

1. An anti-leakage security prevention and control system for data management, characterized in that: the system comprises a client, a data management terminal and a data storage server;
the client contains an identity verification module, a data decryption module, an auxiliary detection module and a storage module;
the data storage server contains a plurality of sub-databases, each with a security level;
the data management terminal is connected to a data management module, a monitoring module, a key management module, an evaluation module, a rights management module, an access management module and an encryption module;
the access management module is used for key distribution and authority authorization;
the rights management module is connected to a personnel database, which stores personnel information with different authority levels, and each authority level is associated with access rights to the sub-databases of a given security level;
the evaluation module evaluates the risk level of the client, calling the auxiliary detection module to check the security of the client during the evaluation; each risk level is associated with a corresponding authority level;
the encryption module encrypts the data packet output by a sub-database, then generates and stores the corresponding decryption key;
the monitoring module monitors access, data transmission and the network environment of the system.
2. The anti-leakage security prevention and control system for data management according to claim 1, wherein: a temporary storage unit is provided in the data storage server, and the data encrypted by the encryption module is stored in the temporary storage unit.
3. The anti-leakage security prevention and control system for data management according to claim 2, wherein: the encryption module supports full encryption of the whole data and partial data encryption, and partial data encryption is used for multimedia files.
4. The anti-leakage security prevention and control system for data management according to claim 3, wherein: each time a visitor issues a data call request, the key management module randomly generates and stores a pair of encryption and decryption keys bound to that visitor, and the encryption module uses the encryption key to encrypt the data the visitor calls.
5. The anti-leakage security prevention and control system for data management according to claim 4, wherein: a recording unit is provided in the data management module, and the recording unit records the key used in each access together with access records, request records and risk assessment records.
6. The anti-leakage security prevention and control system for data management according to claim 5, wherein: when the evaluation module works, it assesses the risk of the visitor's usage environment through the auxiliary detection module in the client and the monitoring module; the assessment covers, by quantitative indicators, operating system security, application software security, device integrity, network environment security and the strength of encryption protection measures; each security level is associated with a risk level.
7. The anti-leakage security prevention and control system for data management according to claim 6, wherein: after the evaluation module performs the risk assessment, it judges whether the security level of the encrypted data packet meets the associated risk level requirement; if so, the encrypted data packet in the temporary storage unit is transmitted to the client, otherwise the encrypted data packet in the temporary storage unit is deleted.
8. The anti-leakage security prevention and control system for data management according to claim 6, wherein: the risk assessment compares the usage context at authentication with the usage context at risk assessment, and if the difference between the two is larger than the set range, the risk is assessed as high.
9. The anti-leakage security prevention and control system for data management according to claim 1, wherein: the authentication modes of the identity verification module include: user name and password, mobile phone verification code, digital certificate and token authentication.
10. The anti-leakage security prevention and control system for data management according to claim 1, wherein: for temporary access through the client, identity information is submitted through the identity verification module, the evaluation module performs a risk assessment of the client, the set authority level is authorized after analysis and assessment, and the identity information and address information of the accessing party are recorded in the personnel database.

Priority Applications (1)

Application number: CN202311717967.7A
Priority date: 2023-12-14
Filing date: 2023-12-14
Title: Anti-leakage safety prevention and control system for data management
Status: Pending

Publications (1)

Publication number: CN117951729A (en)
Publication date: 2024-04-30

Family

ID: 90793581
Country: CN

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination