Disclosure of Invention
The invention provides a data access method, a data access device and electronic equipment based on a cloud control platform, which dynamically desensitize sensitive data according to access requests and preset strategies so as to meet data protection requirements in different scenes.
In a first aspect, the present invention provides a data access method based on a cloud control platform, including:
Acquiring a data access request, wherein the data access request is generated after a current user role is used for accessing a current data object type by using a current operation mode, the current user role comprises an administrator, a common staff, an external auditor or other personnel, the current operation mode comprises inquiring, updating, deleting or other operations, and the current data object type comprises personal identity information, financial data, a log file or other object types;
responding to the data access request, acquiring data to be accessed, inputting a current user role, a current operation mode and a current data object type into a preset rule function, obtaining a first desensitization algorithm output by the preset rule function, processing the data to be accessed by using the first desensitization algorithm, obtaining a first desensitization result, and sending the first desensitization result to the current user role;
Under the condition that a first desensitization algorithm cannot be output by utilizing the preset rule function, determining a target weight value according to the weight value and a first weight coefficient corresponding to the current user role, the weight value and a second weight coefficient corresponding to the current operation mode, the weight value and a third weight coefficient corresponding to the current data object type, determining a second desensitization algorithm according to a characteristic interval of the target weight value in a preset rule table, processing the data to be accessed by utilizing the second desensitization algorithm to obtain a second desensitization result, and sending the second desensitization result to the current user role;
The first desensitization algorithm and the second desensitization algorithm comprise fuzzy processing, pseudo data generation or encryption processing, and the preset rule table is constructed according to different characteristic intervals and the corresponding desensitization algorithm of each characteristic interval.
According to the cloud control platform-based data access method provided by the invention, the preset rule function is determined according to the mapping relation among different user roles, different operation modes, different data object types and different desensitization algorithms;
the step of inputting the current user role, the current operation mode and the current data object type into a preset rule function to obtain a first desensitization algorithm output by the preset rule function, which comprises the following steps:
Algorithm = f(User Role, Data Type, Operation Context)
wherein Algorithm is the first desensitization algorithm, User Role is the current user role, Data Type is the current data object type, and Operation Context is the current operation mode.
According to the cloud control platform-based data access method provided by the invention, the determining the target weight according to the weight corresponding to the current user role and the first weight coefficient, the weight corresponding to the current operation mode and the second weight coefficient, the weight corresponding to the current data object type and the third weight coefficient comprises the following steps:
Feature Value = w1 × URQ + w2 × OCQ + w3 × DTQ
Wherein Feature Value is a target weight, URQ is a weight corresponding to a current user role, w1 is a first weight coefficient, OCQ is a weight corresponding to a current operation mode, w2 is a second weight coefficient, DTQ is a weight corresponding to a current data object type, and w3 is a third weight coefficient.
According to the cloud control platform-based data access method provided by the invention, the preset rule table comprises a first characteristic interval corresponding to fuzzy processing, a second characteristic interval corresponding to pseudo data generation and a third characteristic interval corresponding to encryption processing, wherein the first characteristic interval is smaller than the second characteristic interval, and the second characteristic interval is smaller than the third characteristic interval:
determining the second desensitization algorithm as fuzzy processing under the condition that the target weight is positioned in the first characteristic interval;
Determining that the second desensitization algorithm is pseudo data generation under the condition that the target weight is located in the second characteristic interval;
and determining that the second desensitization algorithm is encryption processing under the condition that the target weight is located in the third characteristic interval.
According to the cloud control platform-based data access method provided by the invention, the user role and the desensitization algorithm corresponding to each packet are configured under the packet name corresponding to the packet identifier, and before the data access request is acquired, the method further comprises the following steps:
Acquiring a data writing request, wherein the data writing request is generated when a writing operation of data to be written is executed according to a current user role;
determining a target desensitization algorithm configured under a group name by using a group identifier corresponding to the current user role in response to the write operation;
and performing desensitization processing on the data to be written by using the target desensitization algorithm to obtain desensitized written data, and executing writing operation based on the desensitized written data.
According to the cloud control platform-based data access method provided by the invention, under the condition that the current user role is provided with the tenant identifier, performing writing operation after associating the tenant identifier corresponding to the current user role with the data to be written;
Generating a current tenant identifier with unique attribute based on each tenant identifier corresponding to all current user roles under the condition that the current user roles do not have tenant identifiers, and executing writing operation after associating the tenant identifier corresponding to the current user roles with the data to be written;
after performing a write operation based on the desensitized write data, the method further comprises:
Acquiring a data query request, wherein the data query request at least comprises a target tenant identifier corresponding to a user to be queried;
and responding to the data query request, acquiring all query data associated with the target tenant identifier, and returning the all query data to the user to be queried.
According to the cloud control platform-based data access method provided by the invention, before the data access request is acquired, the method further comprises the following steps:
The method comprises the steps of sending registration information to a third party application, wherein the registration information comprises an API interface provided by utilizing a Software Development Kit (SDK), and the API interface comprises an application ID, an application name, developer information, an application resource and an application model;
After obtaining the data access request, the method further comprises:
And verifying an access token or a key in the data access request, evaluating the data access request according to a policy engine after the permission verification is confirmed to pass, and responding to the data access request under the condition that the access control policy is confirmed to be met.
According to the cloud control platform-based data access method provided by the invention, the data access request is evaluated according to a policy engine, and the method comprises the following steps:
extracting context information according to the identity information in the data access request and the data resource to be accessed by a policy engine, wherein the context information comprises a user role, a data tag and a request time stamp;
and evaluating the data access request according to the tenant identifier, the user role, the data attribute and the view control corresponding to the context information.
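As an added example (not code from the patent), the following Python sketches the verification and policy-engine steps just described: the access token in the request is verified, the context analyser extracts the tenant, user role, data tag and request timestamp, and the request is evaluated against tenant isolation, the role's permitted data tags and a per-tag column list standing in for view control. The token format (HMAC-signed JSON claims), the `exp` claim, the policy table and every sample value are constructed for this example.

```python
# Added example, not the patent's own code. Token format, policy table and
# sample values are constructed; the "exp" expiry claim is an assumption.
import base64
import hashlib
import hmac
import json

PLATFORM_KEY = b"constructed-example-key"  # hypothetical platform signing key

# Policy: per user role, the data tags it may access and, per tag, the columns
# it may see (view control). An absent column list means "all columns".
POLICY = {
    "administrator": {"tags": {"personal identity information", "financial data", "log file"},
                      "view": {}},
    "common employee": {"tags": {"personal identity information"},
                        "view": {"personal identity information": ["name", "phone"]}},
    "external auditor": {"tags": {"financial data", "log file"},
                         "view": {"financial data": ["amount", "date"]}},
}


def issue_token(claims, key=PLATFORM_KEY):
    """Sign a claims dict; used here only to build the sample request."""
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"


def verify_token(token, key=PLATFORM_KEY):
    """Return the claims if the signature checks out, otherwise None."""
    body, sep, sig = token.partition(".")
    if not sep:
        return None
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    try:
        return json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, json.JSONDecodeError):
        return None


def extract_context(claims, resource, request_time):
    """Context analyser: identity from the token, tag and tenant from the resource."""
    return {
        "tenant": claims["tenant"],
        "role": claims["role"],
        "data_tag": resource["tag"],
        "resource_tenant": resource["tenant"],
        "timestamp": request_time,
        "expires": claims.get("exp", 0),
    }


def evaluate(token, resource, request_time):
    """Policy engine: deny on the first failed check, else return the visible columns."""
    claims = verify_token(token)
    if claims is None:
        return {"allow": False, "reason": "token verification failed"}
    ctx = extract_context(claims, resource, request_time)
    if ctx["timestamp"] >= ctx["expires"]:
        return {"allow": False, "reason": "token expired"}
    if ctx["tenant"] != ctx["resource_tenant"]:            # tenant isolation
        return {"allow": False, "reason": "tenant mismatch"}
    rule = POLICY.get(ctx["role"])
    if rule is None or ctx["data_tag"] not in rule["tags"]:  # role vs data attribute
        return {"allow": False, "reason": "role not permitted for this data tag"}
    allowed = rule["view"].get(ctx["data_tag"])              # view control
    visible = resource["columns"] if allowed is None else [c for c in resource["columns"] if c in allowed]
    return {"allow": True, "columns": visible}


# Constructed sample request: an external auditor of tenant t-001 reading financial data.
AUDITOR_TOKEN = issue_token({"tenant": "t-001", "role": "external auditor", "exp": 2_000_000_000})
FINANCE_ROWS = {"tenant": "t-001", "tag": "financial data", "columns": ["amount", "date", "account_no"]}
```

The engine is written to fail closed: an unknown role, a tag outside the role's list or any token defect produces a denial with a reason that can be logged, and the column filter is applied only after the tenant and role checks pass.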
In a second aspect, a data access device based on a cloud control platform is provided, including:
the device comprises an acquisition unit, a response unit and a determining unit, wherein the acquisition unit is used for acquiring a data access request, the data access request is generated after a current user role is used for executing access to a current data object type according to a current operation mode, the current user role comprises an administrator, a common staff, an external auditor or other personnel, the current operation mode comprises inquiry, update, deletion or other operations, and the current data object type comprises personal identity information, financial data, a log file or other object types;
The response unit is used for responding to the data access request, acquiring data to be accessed, inputting a current user role, a current operation mode and a current data object type into a preset rule function, obtaining a first desensitization algorithm output by the preset rule function, processing the data to be accessed by using the first desensitization algorithm, obtaining a first desensitization result, and sending the first desensitization result to the current user role;
The determining unit is used for determining a target weight value according to the weight value and the first weight coefficient corresponding to the current user role, the weight value and the second weight coefficient corresponding to the current operation mode, the weight value and the third weight coefficient corresponding to the current data object type and determining a second desensitization algorithm according to the characteristic interval of the target weight value in a preset rule table when the first desensitization algorithm cannot be output by utilizing the preset rule function, processing the data to be accessed by utilizing the second desensitization algorithm to obtain a second desensitization result, and sending the second desensitization result to the current user role;
The first desensitization algorithm and the second desensitization algorithm comprise fuzzy processing, pseudo data generation or encryption processing, and the preset rule table is constructed according to different characteristic intervals and the corresponding desensitization algorithm of each characteristic interval.
In a third aspect, an electronic device is provided, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor implements the cloud control platform-based data access method when executing the program.
Aiming at a third party micro-service application deployed in a cloud environment, the invention realizes fine granularity control of application data access by integrating an SDK, including but not limited to row and column level data authority management, tenant isolation, data grouping strategy and data desensitization treatment, ensures data security and compliance, maintains non-perception experience of an end user, and improves the integration and management capability of a cloud control platform on the third party application;
In a multi-tenant and multi-service cloud environment, row-level and column-level control of data access of third party micro-service applications is realized, effective isolation of data among different tenants is ensured, data leakage and improper access are prevented, the cloud control platform can efficiently and conveniently integrate and manage the third party micro-service applications, the operation experience of an end user is ensured not to be affected while data security measures are enhanced, extra operation burden caused by the security measures is avoided, the security integration and management process of the cloud platform on the third party micro-service applications is simplified, and complexity and maintenance difficulty increased by introducing the security measures are reduced.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the present invention more apparent, the technical solutions of the present invention will be clearly and completely described below with reference to the accompanying drawings, and it is apparent that the described embodiments are some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Fig. 1 is a flow chart of a data access method based on a cloud control platform, provided by the invention, which comprises the following steps:
Step 101, acquiring a data access request, wherein the data access request is generated after a current user role is used for accessing a current data object type by using a current operation mode, the current user role comprises an administrator, a common employee, an external auditor or other personnel, the current operation mode comprises inquiring, updating, deleting or other operations, and the current data object type comprises personal identity information, financial data, a log file or other object types;
Step 102, responding to the data access request, obtaining data to be accessed, inputting a current user role, a current operation mode and a current data object type into a preset rule function, obtaining a first desensitization algorithm output by the preset rule function, processing the data to be accessed by using the first desensitization algorithm, obtaining a first desensitization result, and sending the first desensitization result to the current user role;
Step 103, under the condition that the first desensitization algorithm cannot be output by utilizing the preset rule function, determining a target weight according to the weight value and the first weight coefficient corresponding to the current user role, the weight value and the second weight coefficient corresponding to the current operation mode, the weight value and the third weight coefficient corresponding to the current data object type, determining a second desensitization algorithm according to the characteristic interval of the target weight in the preset rule table, processing the data to be accessed by utilizing the second desensitization algorithm to obtain a second desensitization result, and sending the second desensitization result to the current user role;
The first desensitization algorithm and the second desensitization algorithm comprise fuzzy processing, pseudo data generation or encryption processing, and the preset rule table is constructed according to different characteristic intervals and the corresponding desensitization algorithm of each characteristic interval.
In step 101, the data access method of the present invention is mainly applied to a cloud control platform, and in particular to data access control for third party micro-service applications deployed in a cloud environment. The method implements fine-grained control of data access and dynamic data desensitization through an integrated SDK (software development kit) while keeping the user experience imperceptible. When a user, whether an administrator, a common employee, an external auditor or other personnel, attempts to access data (such as personal identity information, financial data, log files, etc.) through the cloud control platform, the system first obtains the data access request, which includes the current user role, the current operation mode (such as query, update, deletion, etc.), the current data object type, etc.
In step 102, in response to a data access request, the system acquires data to be accessed, takes a current user role, a current operation mode and a current data object type as input parameters, inputs the input parameters into a preset rule function, and the preset rule function outputs a first desensitization algorithm according to the input parameters through a preset algorithm and logic judgment, processes the data to be accessed by the first desensitization algorithm to obtain a first desensitization result, and sends the first desensitization result to the current user role, so that dynamic data desensitization processing is realized, namely, sensitive data is dynamically desensitized according to the access request and a preset strategy, so as to meet data protection requirements in different scenes.
Optionally, the preset rule function is determined according to mapping relations among different user roles, different operation modes, different data object types and different desensitization algorithms;
the step of inputting the current user role, the current operation mode and the current data object type into a preset rule function to obtain a first desensitization algorithm output by the preset rule function, which comprises the following steps:
Algorithm = f(User Role, Data Type, Operation Context)
wherein Algorithm is the first desensitization algorithm, User Role is the current user role, Data Type is the current data object type, and Operation Context is the current operation mode.
Optionally, in order to support multiple desensitization algorithms and dynamically select a proper desensitization mode according to the context of the access request, a desensitization algorithm engine is introduced to evaluate and select the optimal algorithm. Different roles have different access rights to sensitive data, so the priority of the role should be considered when selecting the desensitization algorithm; different types of data have different sensitivity requirements, for example personal identity information and financial information are generally more sensitive than log files; and query operations may require less desensitization, while other operations (such as updating or deleting) require stronger security measures. Specifically, the rule configuration table is shown in Table 1 below:
TABLE 1
The method comprises the steps of extracting the user role, data type and operation mode from the access request context, searching the rule configuration table for the most suitable rule according to the extracted information, and processing the sensitive data with the desensitization algorithm of the matched rule. In an alternative embodiment, assume an access request in which the user is a common employee querying personal identity information. The extracted context is: the user role is common employee, the data type is personal identity information, and the operation mode is query. Matching this against the rule for a common employee querying personal identity information in the rule configuration table yields the fuzzy processing desensitization algorithm, which is applied to each attribute marked as to-be-desensitized in the personal identity information data object; for example, the fuzzy processing algorithm converts the mobile phone number "139 1234 5678" into "139 5678".
In step 103, if the preset rule function cannot output the first desensitization algorithm according to the current user role, the current operation mode and the current data object type, the system enters an alternative processing flow, calculates and determines a target weight according to the weight value corresponding to the current user role, the first weight coefficient, the weight value corresponding to the current operation mode, the second weight coefficient, the weight value corresponding to the current data object type and the third weight coefficient, determines a second desensitization algorithm according to the characteristic interval of the target weight value in the preset rule table, processes the data to be accessed by using the second desensitization algorithm to obtain a second desensitization result, and sends the second desensitization result to the current user role, so that even if the preset rule function cannot output the first desensitization algorithm, the system can select an appropriate desensitization algorithm to process according to the weight value and the preset rule table, and the security of the data is ensured.
Optionally, the determining the target weight according to the weight value and the first weight coefficient corresponding to the current user role, the weight value and the second weight coefficient corresponding to the current operation mode, the weight value and the third weight coefficient corresponding to the current data object type includes:
Feature Value = w1 × URQ + w2 × OCQ + w3 × DTQ
Wherein Feature Value is a target weight, URQ is a weight corresponding to a current user role, w1 is a first weight coefficient, OCQ is a weight corresponding to a current operation mode, w2 is a second weight coefficient, DTQ is a weight corresponding to a current data object type, and w3 is a third weight coefficient.
Alternatively, the quantization value setting may be:
For the weight values corresponding to the current user roles (User Role Quantification, URQ): administrator is 3, common staff is 2, external auditor is 1, and the default is 0. For the weight values corresponding to the current data object types (Data Type Quantification, DTQ): personal identity information is 3, financial data is 2, log file is 1, and the default is 0. For the weight values corresponding to the current operation modes (Operation Context Quantification, OCQ): query is 1, update is 2, deletion is 3, and the default is 0. The weight coefficients are set as w1=0.4, w2=0.4 and w3=0.2, a configuration that reflects that the user role and the data type have a larger influence on desensitization strategy selection and the operation mode a relatively smaller one.
Optionally, with increasing importance of data security, a data desensitization technology becomes one of important means for protecting sensitive information, and the present invention determines when and how to desensitize sensitive data by analyzing a context of an access request, so as to provide a powerful data protection function for an SDK, and ensure that sensitive information is not revealed under an unauthorized condition.
The invention can dynamically decide to desensitize sensitive data according to the context of the access request, support a plurality of desensitization algorithms, so as to select proper desensitization modes according to different scenes, provide a desensitization strategy definition mechanism easy to configure, enable an administrator to flexibly adjust the desensitization rules according to actual needs, integrate a desensitization engine in the SDK, support a plurality of desensitization algorithms, and dynamically execute desensitization operation before data output according to a predefined strategy. The administrator may define and manage these policies through the cloud control platform or directly through the APIs provided by the SDK. The main components comprise a desensitization engine responsible for executing specific desensitization operation, a policy management module used for defining and managing the desensitization policy, a context analyzer used for analyzing the context information of the access request, and a policy executor used for selecting a proper desensitization policy according to the analyzed context information.
The policy management module allows an administrator to define when, where and how sensitive data is to be desensitized, stores defined policies in a configuration file or database, and provides an interface to allow an administrator to update existing desensitization policies. The context analyzer extracts relevant context information, such as member roles, data packets and the like, from the access request, analyzes the extracted information, and judges whether the requested data needs to be desensitized. And the policy executor matches corresponding desensitization policies according to the context information, executes corresponding desensitization operations according to the matched policies, and returns the desensitized data to the requester. Specifically, in the policy configuration flow, an administrator defines a desensitization policy through a cloud control platform or an SDK API, the policy is stored in a system to wait for subsequent use, the administrator can update the policy at any time to meet changing requirements, in the data desensitization flow, the SDK receives a data query request, a context analyzer extracts relevant context information from the request, a policy executor matches a proper desensitization policy according to the context information, and a desensitization engine executes desensitization operation according to the matched policy, and desensitized data is returned to a requester. The invention provides a flexible and efficient data desensitization processing method, which can meet various business requirements while protecting sensitive information by combining a dynamic data desensitization technology and context analysis. The administrator can adjust the desensitization strategy by a simple configuration, so that the whole system is safe and easy to maintain.
Optionally, the desensitization algorithms supported by the desensitization engine comprise fuzzy processing, false data generation, encryption processing, randomization and random substitution of the sensitive data, with a suitable dynamic desensitization algorithm selected according to the strategy configuration. In fuzzy processing, part of the characters of the sensitive field are replaced with asterisks or other symbols; false data generation produces data similar to the original but not traceable to it; encryption processing encrypts the sensitive data with an encryption algorithm; and randomization transforms the sensitive data so that it loses its original meaning.
Optionally, a recommendation rule function h is provided, wherein the dynamic desensitization rule recommendation based on the characteristic value is calculated as Recommendation = h(Feature Value);
wherein the input is the integrated feature value and the output is the Recommendation, i.e. the recommended desensitization strategy; the intermediate step is Feature Calculation, i.e. calculating the integrated feature value from User Role, Data Type and Operation Context. The parameters of that calculation are User Role, the user role (such as an administrator, a common employee, an external auditor, etc.), Data Type (such as personal identity information, financial data, log files, etc.) and Operation Context, the operation environment (such as query, update, deletion, etc.), and its output is the integrated characteristic value.
Optionally, the preset rule table includes a first feature interval corresponding to fuzzy processing, a second feature interval corresponding to pseudo data generation, and a third feature interval corresponding to encryption processing, where the first feature interval is smaller than the second feature interval, and the second feature interval is smaller than the third feature interval, and the determining a second desensitization algorithm according to the feature interval where the target weight is in the preset rule table includes:
determining the second desensitization algorithm as fuzzy processing under the condition that the target weight is positioned in the first characteristic interval;
Determining that the second desensitization algorithm is pseudo data generation under the condition that the target weight is located in the second characteristic interval;
and determining that the second desensitization algorithm is encryption processing under the condition that the target weight is located in the third characteristic interval.
Alternatively, the recommendation rules are shown in Table 2 below:
TABLE 2
| Feature Value Range | Recommendation |
|---|---|
| 0.0-1.5 | Default desensitization strategy (fuzzy processing) |
| 1.6-3.0 | Fuzzy processing |
| 3.1-4.5 | Pseudo data generation |
| 4.6-6.0 | Encryption processing |
Optionally, the predefined rule function f and the recommendation rule function h cooperate to realize the data desensitization process as follows. The SDK receives the data query request. The predefined rule function f looks up the most appropriate desensitization algorithm based on the user role, data type and operating environment. If a matching rule is found, that algorithm is applied directly to desensitize the data; if the predefined rule function f finds no matching rule, User Role, Data Type and Operation Context are quantized, the integrated characteristic value is calculated with the characteristic value formula, the corresponding desensitization strategy is looked up in the recommendation rule table according to the calculated characteristic value, and the recommended desensitization algorithm is applied to the sensitive data. By introducing the characteristic value calculation mechanism, the recommendation function h can provide a more flexible and intelligent desensitization strategy recommendation when the predefined rule function f cannot find a matching rule. The design not only improves the flexibility and response speed of the system, but also ensures the safety and compliance of data. The characteristic value calculation enables the system to automatically adjust the desensitization strategy according to different context conditions, remarkably improving the intelligence of the system.
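As an added example (not code from the patent), the following Python puts the predefined rule function f, the characteristic value calculation and the recommendation function h together, using the quantization values and weight coefficients stated above and the ranges of Table 2. Table 1 is not reproduced on the page, so the rule rows are constructed, the first one matching the worked case of a common employee querying personal identity information. The fuzzy step renders the masked middle digits as asterisks, which the description of fuzzy processing names but the rendered example drops; the false-data step derives same-shape digits from a salted hash; encryption is delegated to a caller-supplied cipher and the engine fails closed when none is configured. All sample values are constructed.

```python
# Added example, not the patent's own code. Rule rows, salt and sample values are
# constructed; quantization values, weights and Table 2 ranges follow the description.
import hashlib

# Quantization values for URQ, OCQ and DTQ; unknown entries default to 0.
URQ = {"administrator": 3, "common employee": 2, "external auditor": 1}
OCQ = {"query": 1, "update": 2, "delete": 3}
DTQ = {"personal identity information": 3, "financial data": 2, "log file": 1}
W1, W2, W3 = 0.4, 0.4, 0.2   # applied to URQ, OCQ and DTQ respectively, as in the formula

# Constructed stand-in for the rule configuration table (Table 1).
RULE_TABLE = {
    ("common employee", "personal identity information", "query"): "fuzzy",
    ("external auditor", "financial data", "query"): "pseudo",
    ("administrator", "log file", "query"): "plain",      # no desensitization needed
}

# Table 2 recommendation ranges; the 0.0-1.5 row is the default strategy (fuzzy).
RECOMMENDATION_TABLE = [
    (0.0, 1.5, "fuzzy"),
    (1.6, 3.0, "fuzzy"),
    (3.1, 4.5, "pseudo"),
    (4.6, 6.0, "encrypt"),
]


def rule_function_f(role, data_type, operation):
    """Predefined rule function f: exact match in the rule table, or None."""
    return RULE_TABLE.get((role, data_type, operation))


def feature_value(role, data_type, operation):
    """Feature Value = w1*URQ + w2*OCQ + w3*DTQ, rounded to remove float noise."""
    return round(W1 * URQ.get(role, 0) + W2 * OCQ.get(operation, 0) + W3 * DTQ.get(data_type, 0), 2)


def recommendation_h(value):
    """Recommendation = h(Feature Value); values outside the table fail closed to encryption."""
    for low, high, algorithm in RECOMMENDATION_TABLE:
        if low <= value <= high:
            return algorithm
    return "encrypt"


def fuzzy(value):
    """Keep the head and tail of the field and mask the middle with asterisks."""
    compact = value.replace(" ", "")
    if len(compact) <= 7:
        return "*" * len(compact)
    return compact[:3] + "*" * (len(compact) - 7) + compact[-4:]


def pseudo(value, salt=b"constructed-example-salt"):
    """Same shape as the original; digits replaced from a salted hash so they are not traceable."""
    digest = hashlib.sha256(salt + value.encode()).digest()
    return "".join(str(digest[i % len(digest)] % 10) if ch.isdigit() else ch
                   for i, ch in enumerate(value))


def desensitize(role, data_type, operation, value, encrypt_fn=None):
    """Try f first, fall back to h. Returns (result, algorithm, which function chose it)."""
    algorithm, chosen_by = rule_function_f(role, data_type, operation), "f"
    if algorithm is None:
        algorithm, chosen_by = recommendation_h(feature_value(role, data_type, operation)), "h"
    if algorithm == "plain":
        return value, algorithm, chosen_by
    if algorithm == "fuzzy":
        return fuzzy(value), algorithm, chosen_by
    if algorithm == "pseudo":
        return pseudo(value), algorithm, chosen_by
    if encrypt_fn is None:   # never return plaintext when the policy asked for encryption
        raise RuntimeError("encryption selected but no cipher configured")
    return encrypt_fn(value), algorithm, chosen_by
```

Running the fallback over all role, operation and data-type combinations makes two properties of the stated configuration visible: with w1=0.4, w2=0.4, w3=0.2 and quantization values capped at 3, the characteristic value never exceeds 3.0, so the pseudo-data and encryption rows of Table 2 are unreachable through h unless the weights or the quantization scale are changed; and the formula applies w2 to the operation mode although the description says the operation mode has the smaller influence, so an implementer should confirm which coefficient belongs to which input before deployment.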
Optionally, the user role and the desensitization algorithm corresponding to each packet are configured under the packet name corresponding to the packet identifier, and before the data access request is acquired, the method further includes:
Acquiring a data writing request, wherein the data writing request is generated when a writing operation of data to be written is executed according to a current user role;
determining a target desensitization algorithm configured under a group name by using a group identifier corresponding to the current user role in response to the write operation;
and performing desensitization processing on the data to be written by using the target desensitization algorithm to obtain desensitized written data, and executing writing operation based on the desensitized written data.
Optionally, the view data is managed in groups according to the sensitivity of the data and the service requirements of the application, and each view data set can be configured with different security policies, such as different encryption algorithms. The design of the invention is based on a zero trust architecture and applies the principle of least privilege, i.e. it ensures that the access authority of each data packet is limited to the necessary minimum range to reduce potential security threats, and it adopts continuous verification so that the validity of a request is still verified after access to the data has been authorized, thereby ensuring data security. The data grouping method is flexible: it groups along multiple dimensions such as data sensitivity, service requirement and application scene, makes data management finer, supports an administrator adjusting grouping strategies at any time according to service requirements, and keeps the data security strategy in step with service development. The invention can also customize the security policy: each group can select different encryption algorithms such as AES, RSA, etc. according to its needs to meet different levels of security demand, and specific desensitization rules such as blurring, replacement, etc. can be defined for sensitive data to ensure its security during transmission and storage. The invention can realize fine-grained access control: besides traditional role-based access control (RBAC), it also supports attribute-based access control (ABAC), dynamically adjusts access rights according to the attributes of the data, groups users or application programs, controls access rights through groups, and improves management efficiency.
The method can realize the label management of the data, label the data, control the access through the label, for example, only allow the access to the data with the specific label, define the access strategy according to the data label, ensure that only the authorized user can access the data of the corresponding label.
Specifically, the SDK first provides a data group configuration interface that allows an administrator to define different data groups and their security policies. The administrator may configure a security policy for each group including, but not limited to, the data encryption algorithm, the data desensitization rules, access rights, and so on. In group definition and management, a new data group is created through the management interface or API provided by the SDK and assigned a unique identifier (Group ID); attributes such as the sensitivity level and the service class are set for each group, and security policies such as the encryption algorithm and desensitization rules are defined for each group. Next, data writing is carried out: an application program prepares the data to be written and initiates a data writing request through the SDK, the SDK automatically matches the corresponding group according to the attributes of the data and applies the corresponding security policy according to the matched group, for example encrypting or desensitizing the data, and the processed data is written into the database and stored in the corresponding table or partition according to the group information. Finally, data querying is carried out: the application program sends a data query request to the cloud control platform through the SDK, the SDK captures the query request, extracts the corresponding group information according to the data attributes in the request, executes the corresponding security policy according to the extracted group information, for example decrypting the data or restoring desensitized content, and returns the processed data to the application program, ensuring that the data finally returned meets the security policy requirements of the group.
More specifically, the control steps and processes include the following. In initial configuration, the administrator defines data group information, including the group identifier (Group ID), group name, contact information and the like, through the management interface provided by the cloud control platform, and defines the corresponding security policies, such as the encryption algorithm, desensitization rules and access rights, for each group. In data writing, an application program prepares the data to be written and initiates a data writing request through the SDK; when the SDK receives the request, it automatically acquires the group identifier corresponding to the current request from the context and associates it with the data to be written, adds the group identifier into the data record as a data tag before the write so that each record can be accurately attributed to a specific group, applies the corresponding security policy, such as encryption or desensitization, to the data according to the group identifier, writes the processed data into the database, and stores it in the corresponding table or partition according to the group information. In data querying, the application program sends a data query request to the cloud control platform through the SDK, the SDK captures the query request and extracts the group identifier corresponding to the current request from it, executes the corresponding security policy, such as decrypting the data or restoring desensitized content, according to the extracted group identifier, and returns the processed data to the application program, ensuring that the data finally returned meets the security policy requirements of the group.
Through the detailed design and control steps above, the invention ensures that data can be reasonably grouped and managed according to its characteristics and service requirements when it is written and queried, and that the corresponding security policies are applied. The grouping strategy not only improves the flexibility and safety of data management but also provides the administrator with a finer means of control, ensuring the security and compliance of the data. Data security and compliance are further enhanced by combining cutting-edge technologies and ideas such as zero trust architecture, data encryption and desensitization, attribute-based access control and data tagging management.
Optionally, when the current user role has a tenant identifier, performing a write operation after associating the tenant identifier corresponding to the current user role with the data to be written;
Generating a current tenant identifier with unique attribute based on each tenant identifier corresponding to all current user roles under the condition that the current user roles do not have tenant identifiers, and executing writing operation after associating the tenant identifier corresponding to the current user roles with the data to be written;
after performing a write operation based on the desensitized write data, the method further comprises:
Acquiring a data query request, wherein the data query request at least comprises a target tenant identifier corresponding to a user to be queried;
and responding to the data query request, acquiring all query data associated with the target tenant identifier, and returning the all query data to the user to be queried.
Optionally, a multi-tenant architecture is applied at the data storage and processing level, ensuring that data of different tenants is isolated at the physical or logical level. The data is tagged at the database and application layer using a unique tenant identifier (Tenant ID). In the use of the tenant identifier, the SDK automatically adds a unique Tenant ID based on the member information when the data is written to the database. The identifier is embedded into the data records to ensure that each record has a definite tenant attribution, and the SDK enforces the tenant isolation policy at query time to ensure that the query result only contains the data of authorized tenants. This means that when a query request arrives, the SDK filters the data according to the tenant identifier in the request and returns only the data records belonging to that tenant.
In the application of the multi-tenant architecture, for scenarios with high safety requirements a physical isolation mode can be adopted, namely an independent database instance or table space is allocated to each tenant so that the data of different tenants is completely isolated; for scenarios that prioritize higher resource utilization a logical isolation mode can be adopted, namely different tables or partitions are allocated to different tenants within the same database instance and the data is distinguished by tenant identifier. In data tagging management, data is tagged at the database and application level, and the tag contains the tenant identifier, which facilitates subsequent data querying and filtering. At query time, the SDK checks the tenant identifier in the request and accordingly obtains the data of the corresponding tenant from the database. In automated tenant identifier addition, the SDK automatically inserts the tenant identifier as a field into the data record when writing data, ensuring that each data item can be accurately attributed to a particular tenant. When querying data, the SDK screens the data according to the tenant identifier in the request and only returns the data records matching that tenant. In the participation of the policy engine, an administrator defines tenant isolation policies, including usage rules for tenant identifiers, through interfaces or APIs provided by the cloud control platform. Upon receiving a data access request, the policy engine evaluates the defined policy based on the context information of the request (e.g., identity of the requester, tenant identifier, etc.). Based on the result of the policy evaluation, the policy engine decides whether to allow the access request to continue and screens the data according to the tenant identifier.
Optionally, the specific control steps and processes include the following. The administrator defines tenant information, including the tenant identifier (Tenant ID), tenant name, contact information and the like, through the management interface provided by the cloud control platform, defines a corresponding data access policy for each tenant, such as the data storage mode (physical isolation or logical isolation), data tag and access authority, and assigns each tenant a unique tenant identifier to be used as the data tag in subsequent data writing and querying. The application program prepares the data to be written and initiates a data writing request through the SDK; when the SDK receives the request, it automatically acquires the tenant identifier corresponding to the current request from the context and associates it with the data to be written, adds the tenant identifier into the data record as a data tag before the write so that each record can be accurately attributed to a specific tenant, and selects the physical or logical isolation storage mode according to the tenant policy configuration: if physical isolation is adopted, the data is written into the storage space exclusive to the tenant, and if logical isolation is adopted, the tenant identifier is stored as a condition when the data is written, for example by adding a tenant identifier field to the data table. In data querying, the application program sends a data query request to the cloud control platform through the SDK, the SDK captures the query request and extracts the tenant identifier corresponding to the current request from it, and the SDK executes the tenant isolation strategy according to the extracted tenant identifier.
The method comprises the steps that the SDK filters data according to tenant identifiers and only returns data records belonging to the tenant, constructs query conditions according to the extracted tenant identifiers, ensures that the query is only specific to the data of the specific tenant, applies the constructed query conditions to database queries, ensures that the returned data only contains the data of the specific tenant, and returns the data subjected to tenant isolation policy screening to an application program. Through the detailed steps and flow explanation, the method ensures that under the multi-tenant architecture, data of different tenants can be effectively isolated on a physical or logical level, thereby ensuring the safety and compliance of the data.
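An added example, not part of the patent and not the SDK's own code, sketching in Python the write and query paths described above for data grouping (Group ID tagging) and tenant isolation (Tenant ID tagging and filtering); the group names, the field-to-group mapping, the record layout and the use of uuid4 for a minted tenant identifier are assumptions made for this example.

```python
"""Added example (not the patent's code): in-memory sketch of the SDK write and
query paths with Group ID and Tenant ID tagging. All names are constructed."""
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed attribute-to-group mapping: a record joins the first group whose
# marker field it contains (stands in for the SDK's attribute matching).
GROUP_BY_FIELD = {
    "id_number": "grp-pii",      # personal identity information
    "card_no": "grp-finance",    # financial data
    "message": "grp-log",        # log files
}
DEFAULT_GROUP = "grp-default"


class TenantIsolationError(PermissionError):
    """A query that carries no tenant identifier cannot be scoped and is refused."""


@dataclass
class Table:
    rows: List[dict] = field(default_factory=list)


class Sdk:
    """physical=False: logical isolation, one table, rows distinguished by the
    tenant_id tag. physical=True: physical isolation, one Table per tenant."""

    def __init__(self, physical: bool = False) -> None:
        self.physical = physical
        self._shared = Table()
        self._per_tenant: Dict[str, Table] = {}

    def _table_for(self, tenant_id: str) -> Table:
        if not self.physical:
            return self._shared
        return self._per_tenant.setdefault(tenant_id, Table())

    @staticmethod
    def match_group(record: dict) -> str:
        for marker, group_id in GROUP_BY_FIELD.items():
            if marker in record:
                return group_id
        return DEFAULT_GROUP

    def write(self, context: dict, record: dict) -> dict:
        """Tag the record with tenant_id and group_id before it is stored."""
        tenant_id = context.get("tenant_id")
        if not tenant_id:
            # The role has no tenant yet: mint a unique identifier (constructed
            # choice of uuid4) and hand it back to the caller via the record.
            tenant_id = f"t-{uuid.uuid4().hex[:12]}"
        tagged = dict(record, tenant_id=tenant_id, group_id=self.match_group(record))
        self._table_for(tenant_id).rows.append(tagged)
        return dict(tagged)

    def query(self, context: dict, group_id: Optional[str] = None) -> List[dict]:
        """Build the filter from the tenant in the request context, never from a
        tenant value inside the query body, and return only that tenant's rows."""
        tenant_id = context.get("tenant_id")
        if not tenant_id:
            raise TenantIsolationError("query without tenant identifier refused")
        return [
            dict(row)
            for row in self._table_for(tenant_id).rows
            if row["tenant_id"] == tenant_id
            and (group_id is None or row["group_id"] == group_id)
        ]
```

With physical=True a tenant that has never written gets an empty Table of its own, so even a mistaken filter cannot reach other tenants' rows; with physical=False the tenant_id condition is the only barrier, which is why it is taken from the context rather than the request body.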
Optionally, before acquiring the data access request, the method further includes:
The method comprises the steps of sending registration information to a third party application, wherein the registration information comprises an API interface provided by utilizing a Software Development Kit (SDK), and the API interface comprises an application ID, an application name, developer information, an application resource and an application model;
After obtaining the data access request, the method further comprises:
And verifying an access token or a key in the data access request, evaluating the data access request according to a policy engine after the permission verification is confirmed to pass, and responding to the data access request under the condition that the access control policy is confirmed to be met.
Optionally, the evaluating the data access request according to a policy engine includes:
extracting context information according to the identity information in the data access request and the data resource to be accessed by a policy engine, wherein the context information comprises a user role, a data tag and a request time stamp;
and evaluating the data access request according to the tenant identifier, the user role, the data attribute and the view control corresponding to the context information.
Optionally, the present invention employs a mechanism of role-based access control (RBAC) in combination with attribute-based access control (ABAC) to implement row-level and column-level data access control. By defining the data access policy, access rights can be dynamically generated according to multidimensional information such as member tenant, member role, data attributes and view control. Specifically, the SDK provides a policy engine, and an administrator defines the access control logic through policy configuration. After the policy is defined, when a request arrives the policy engine evaluates the policy based on the context information of the request (member information, attributes of the data item, etc.) and grants or denies access. The third party application completes application registration and access to the cloud control platform by integrating the SDK and its application registration module, and completes the necessary identity verification and authority allocation. The registration needs to provide basic information, resource attributes, model attributes and the like of the application.
Optionally, the third party application completes registration through an API or interface provided by the cloud control platform SDK and submits its application information (such as application ID, application name, developer information, resources and models); the cloud control platform audits the submitted application information and issues an access token or key after confirming that it is correct; an administrator defines the initial access authority according to the nature and purpose of the application; and the third party application registers its resources, namely the data resources it needs to access, with the cloud control platform.
Optionally, the attributes, access control policy and the like of each resource need to be defined during registration. Specifically, the application defines the data resources it needs to access through the API provided by the SDK, including the resource type, resource identifier and resource description, defines for each resource a role- and attribute-based access control policy, such as which roles may access it and under which conditions, and then initiates access requests to the registered resources through the SDK data sharing module.
Optionally, the request needs to carry effective authentication information and request context, specifically, the application sends a data access request to the cloud control platform through the SDK, the request contains the authentication information (such as a token and a secret key) and the specific context of the request (such as the attribute of the data item of the request), the cloud control platform verifies the identity and the authority of the requester after receiving the request, and if the authority verification passes, the data access service is provided according to the request content.
Optionally, the SDK is used as a middleware and is responsible for executing an access control strategy to ensure that only legal requests can access data resources, and specifically, a strategy engine is integrated in the SDK and is responsible for evaluating the validity of the requests, and when the requests arrive, the strategy engine evaluates the strategy according to the context information (such as member information, the attribute of the data item and the like) of the requests and authorizes or refuses access according to the evaluation result.
Optionally, the policy engine is one of the core components of the SDK control system and is mainly used for managing and enforcing the data access policy to ensure that the security and privacy of the data are protected. In this control system constructed around data sharing, the working principle of the policy engine can be understood as follows:
First, a series of policy rules is defined for the policy engine. These rules are typically set by a system administrator or data owner based on business needs and security policy. Rules may include, but are not limited to, access control lists (ACLs), role-based access control (RBAC), attribute-based access control (ABAC), and other control approaches such as member grouping and data tagging. When a user attempts to access data in the system, the request is passed to the policy engine, which evaluates it according to the preset rules. For example, it may examine the identity of the requester, the content of the request and the time of the request to determine whether a predetermined access condition is met; if the evaluation indicates that the request complies with the policy rules, access may be allowed, otherwise access may be denied. In addition, the policy engine can dynamically adjust access rights as needed: for example, even if the identity of the requester is correct, the policy engine can refuse access if the accessed data has a higher sensitivity. The policy engine can also realize fine-grained rights control, i.e. it can set different access rights for different users or roles; for example, some users may only be able to view data while others may have editing rights. The policy engine may further desensitize or encrypt the data according to the defined security rules prior to transmission, which means that even users with access rights can only see or acquire the processed data, not the original data. The policy engine also monitors metadata changes in the system.
If any change is detected, the system can intelligently remind the service manager and possibly propose a change suggestion, keeping the data access strategy consistent with the latest business requirements and security policy. The policy engine thus plays a key role throughout the whole life cycle of a service, from the steps of issuing, approving, registering and synchronizing data to the steps of service application, auditing, use and the like.
In particular implementations, the policy engine is typically integrated into the service gateway and the data security module, which are responsible for the security of the request and the security of the data, respectively. The service gateway ensures that all requests are legitimate and the data security module ensures that data is not accessed or tampered with by unauthorized access during transmission. In this way, the policy engine helps achieve efficient data exchange and sharing while ensuring data security and compliance.
The working steps of the policy engine are as follows. The policy engine allows an administrator to define and configure access control policies through interfaces or APIs provided by the cloud control platform; the policies may be static (e.g., fixed access rights) or dynamic (e.g., rights generated at run time from attributes such as the requesting member's group). When a third party application initiates a data access request through the SDK, the policy engine captures the request and obtains its details, such as the identity of the requester and the target data resource. The policy engine extracts the context information of the request, including but not limited to the role of the requester, the tag of the data and the timestamp of the request, and based on that context evaluates whether the request meets the defined policy. The evaluation may involve multiple dimensions, such as member tenant, member role, data attributes and view control; the policy engine generates an access authorization if the request meets the policy and denies access if it does not. In addition, the policy engine can dynamically adjust the access authority according to the specific circumstances of the request, and it returns the authorization or refusal to the requester to control whether the requester can access the target data. If access is authorized, the data is further desensitized or encrypted. The policy engine continuously monitors the metadata changes of the system; if a metadata change is detected, it may intelligently alert the administrator and possibly propose a change suggestion.
In an alternative embodiment, the third party application hopes to access a certain data resource, firstly, the application sends an access request to the cloud control platform through the SDK, the request comprises identity information of a requester and data resource information required to be accessed, and after receiving the request, the policy engine extracts the context information of the request and evaluates whether the request accords with a preset access control policy. If the role of the requester allows access to the resource and the resource has no special tag limit, the policy engine generates access authorization, then the data is processed by the policy engine according to the defined desensitization policy before transmission to ensure that sensitive information is not revealed, and finally the data portal returns the processed data to the requester.
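An added example, not the patent's own code, of a policy engine in the RBAC-plus-ABAC style described above: it verifies the access token, evaluates the request context (tenant, role, data tags, timestamp) against a registered resource, and applies column-level control and PII masking before the data portal returns rows. The application registry, role table, rules, column names and sample data are assumptions constructed for this example.

```python
"""Added example (not the patent's code): RBAC + ABAC policy engine with
token verification and column-level control. All names are constructed."""
import hmac
from dataclasses import dataclass
from datetime import datetime
from typing import Callable, Dict, FrozenSet, List, Optional

# Constructed registry: application ID -> access token issued at registration.
APP_TOKENS: Dict[str, str] = {"app-orders": "tok-constructed-1"}
# RBAC: operations each role may perform (constructed).
ROLE_OPS: Dict[str, FrozenSet[str]] = {
    "administrator": frozenset({"query", "update", "delete"}),
    "staff": frozenset({"query", "update"}),
    "auditor": frozenset({"query"}),
}
# Column-level control: columns a role never receives (constructed).
COLUMN_DENY: Dict[str, FrozenSet[str]] = {"auditor": frozenset({"salary"})}


@dataclass(frozen=True)
class Request:
    app_id: str
    token: str
    tenant_id: str
    role: str
    operation: str
    timestamp: datetime


@dataclass(frozen=True)
class Resource:
    tenant_id: str
    tags: FrozenSet[str]   # data tags set at registration, e.g. "pii"
    sensitivity: int       # 1 (low) to 3 (high)
    rows: List[dict]


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    desensitize: bool = False


# ABAC rules: each returns a deny reason, or None when the rule is satisfied.
Rule = Callable[[Request, Resource], Optional[str]]


def same_tenant(req: Request, res: Resource) -> Optional[str]:
    return None if req.tenant_id == res.tenant_id else "cross-tenant access"


def restricted_tag(req: Request, res: Resource) -> Optional[str]:
    if "restricted" in res.tags and req.role != "administrator":
        return "resource carries the restricted tag"
    return None


def permitted_hours(req: Request, res: Resource) -> Optional[str]:
    return None if 8 <= req.timestamp.hour < 20 else "outside permitted hours"


def high_sensitivity(req: Request, res: Resource) -> Optional[str]:
    # The identity may be valid and access still refused for the most sensitive data.
    if res.sensitivity >= 3 and req.role != "administrator":
        return "sensitivity too high for role"
    return None


DEFAULT_RULES: List[Rule] = [same_tenant, restricted_tag, permitted_hours, high_sensitivity]


class PolicyEngine:
    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules

    def verify_token(self, req: Request) -> bool:
        # Constant-time comparison against the token issued to the application.
        return hmac.compare_digest(APP_TOKENS.get(req.app_id, ""), req.token)

    def evaluate(self, req: Request, res: Resource) -> Decision:
        if not self.verify_token(req):
            return Decision(False, "invalid access token")
        if req.operation not in ROLE_OPS.get(req.role, frozenset()):
            return Decision(False, f"role {req.role} may not {req.operation}")
        for rule in self.rules:
            reason = rule(req, res)
            if reason:
                return Decision(False, reason)
        # Non-administrators only ever receive processed PII, never the original.
        mask = "pii" in res.tags and req.role != "administrator"
        return Decision(True, "policy satisfied", desensitize=mask)


def data_portal(engine: PolicyEngine, req: Request, res: Resource) -> List[dict]:
    """Enforce the decision: drop denied columns, mask the id_number column of
    PII-tagged data (constructed column name), and return the rows."""
    decision = engine.evaluate(req, res)
    if not decision.allowed:
        raise PermissionError(decision.reason)
    hidden = COLUMN_DENY.get(req.role, frozenset())
    out = []
    for row in res.rows:
        kept = {k: v for k, v in row.items() if k not in hidden}
        if decision.desensitize and "id_number" in kept:
            s = str(kept["id_number"])
            kept["id_number"] = s[:3] + "*" * (len(s) - 3)
        out.append(kept)
    return out
```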
In order to more comprehensively analyze the technical effect of the SDK on data management and control, four dimensions of data authority control, tenant isolation, data grouping strategy and data desensitization processing are analyzed one by one:
Data rights control: through fine-grained access control, by defining detailed rights levels and access rules, the SDK can ensure that only authorized users can access a particular data set. This precise control not only improves security but also allows an administrator to customize rights according to different business requirements so as to better manage data access. In terms of enhanced security, fine-grained rights control reduces the security risks caused by granting excessive rights and effectively prevents unauthorized data access and potential data leakage events. In terms of auditability, each access attempt, whether successful or failed, is recorded, which provides the necessary basis for post-hoc audit and helps to discover and track any potential security threat.
Tenant isolation, namely data security in a multi-tenant environment: the tenant isolation technology ensures that the data of each tenant is completely isolated from the data of other tenants, so that data confusion or leakage across tenants is avoided, which is important for enterprises providing cloud services. In terms of resource independence, each tenant has independent configuration and management interfaces, which means that a tenant can configure its own security settings without affecting other tenants, improving the flexibility and manageability of the system. By physically or logically isolating tenant data, the risk that a problem with one tenant affects other tenants is reduced, and the stability and reliability of the whole system are ensured.
The data grouping strategy is used for organizing and managing data: by classifying data into groups, uniform security policies can be applied more easily and the management and retrieval of data are simplified. It is flexible and extensible, allowing the system to expand as the service grows and making it convenient to adjust the strategy to new service requirements or data protection requirements. It also improves efficiency: because users can only access the data groups related to their work, data grouping helps reduce unnecessary data access requests, thereby improving work efficiency and reducing resource waste.
The data desensitization processing comprises dynamic desensitization, i.e. a dynamic decision on when and how to desensitize data according to the context of an access request. In terms of compliance, flexible security policy configuration and data desensitization processing allow the system to adapt rapidly to changing data protection regulation requirements, so that an enterprise avoids the adverse consequences it might face from regulatory violations. In terms of user experience, the security control mechanism is transparent and unnoticed: the end user bears no burden from the security measures when using the cloud service, a good user experience is maintained, and data security is guaranteed.
The design of the SDK simplifies the implementation and management of the security policy, reduces the complexity and cost borne by a cloud platform operator when integrating third party applications, and makes the security measures easier to use. In terms of comprehensive security, the technical measures of the four aspects combine into a multi-layer, all-dimensional data security guarantee system that greatly enhances the security of the whole system and provides a reliable data processing environment for enterprises and users. The design is also highly adaptable and can accommodate business requirements of different scales and types through flexible configuration options.
Fig. 2 is a schematic structural diagram of a data access device based on a cloud control platform, where the data access device based on a cloud control platform includes an obtaining unit 1, where the obtaining unit is configured to obtain a data access request, where the data access request is generated after a current user role performs access to a current data object type by using a current operation mode, where the current user role includes an administrator, a common employee, an external auditor, or other personnel, and the current operation mode includes a query, an update, a deletion, or other operations, and the current data object type includes personal identity information, financial data, a log file, or other object types, and the working principle of the obtaining unit 1 may refer to the foregoing step 101 and is not described herein.
The data access device based on the cloud control platform further comprises a response unit 2, the response unit is configured to respond to the data access request, obtain data to be accessed, input a current user role, a current operation mode and a current data object type to a preset rule function, obtain a first desensitization algorithm output by the preset rule function, process the data to be accessed by using the first desensitization algorithm, obtain a first desensitization result, and send the first desensitization result to the current user role, and the working principle of the response unit 2 may refer to the foregoing step 102 and is not repeated herein.
The data access device based on the cloud control platform further includes a determining unit 3, where the determining unit is configured to determine, when the first desensitization algorithm cannot be output by using the preset rule function, a target weight according to a weight value and a first weight coefficient corresponding to the current user role, a weight value and a second weight coefficient corresponding to the current operation mode, a weight value and a third weight coefficient corresponding to the current data object type, determine, according to a feature interval where the target weight is located in the preset rule table, a second desensitization algorithm, process the data to be accessed by using the second desensitization algorithm, obtain a second desensitization result, and send the second desensitization result to the current user role, and the working principle of the determining unit 3 may refer to the foregoing step 103 and is not repeated herein.
The first desensitization algorithm and the second desensitization algorithm comprise fuzzy processing, pseudo data generation or encryption processing, and the preset rule table is constructed according to different characteristic intervals and the corresponding desensitization algorithm of each characteristic interval.
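An added example, not the patent's own code, of the determining unit's selection logic: the preset rule function is tried first and, when it yields no first algorithm, the target weight computed from the three weight values and coefficients is looked up in the characteristic intervals of a preset rule table, and the chosen algorithm (fuzzy processing, pseudo data generation or encryption processing) is applied. The rule entries, weights, coefficients, intervals, key and the HMAC-based stand-in for the encryption step are assumptions constructed for this example.

```python
"""Added example (not the patent's code): desensitization algorithm selection
via rule function, then weighted fallback over a rule table. All values are
constructed for illustration."""
import hashlib
import hmac
from typing import Tuple

# Preset rule function modelled as an explicit lookup (constructed entries);
# a miss means the rule function cannot output a first algorithm.
RULE_FUNCTION = {
    ("external_auditor", "query", "financial"): "fuzzy",
    ("staff", "query", "pii"): "pseudo",
}
# (weight value, weight coefficient) per dimension; the coefficients sum to 1
# so the target weight stays within [0, 1]. Unknown keys fall back to "other".
ROLE_WEIGHT = {"administrator": (0.1, 0.4), "staff": (0.5, 0.4),
               "external_auditor": (0.8, 0.4), "other": (1.0, 0.4)}
OP_WEIGHT = {"query": (0.2, 0.3), "update": (0.6, 0.3),
             "delete": (0.9, 0.3), "other": (1.0, 0.3)}
OBJ_WEIGHT = {"log": (0.2, 0.3), "financial": (0.7, 0.3),
              "pii": (1.0, 0.3), "other": (0.5, 0.3)}
# Preset rule table: characteristic interval [low, high) -> second algorithm.
RULE_TABLE = [(0.0, 0.35, "fuzzy"), (0.35, 0.7, "pseudo"), (0.7, 1.01, "encrypt")]
KEY = b"constructed-demo-key"  # a per-deployment secret in real use


def target_weight(role: str, op: str, obj: str) -> float:
    w1, c1 = ROLE_WEIGHT.get(role, ROLE_WEIGHT["other"])
    w2, c2 = OP_WEIGHT.get(op, OP_WEIGHT["other"])
    w3, c3 = OBJ_WEIGHT.get(obj, OBJ_WEIGHT["other"])
    return round(w1 * c1 + w2 * c2 + w3 * c3, 4)


def select_algorithm(role: str, op: str, obj: str) -> Tuple[str, str]:
    """Return (path, algorithm): 'first' from the rule function, otherwise
    'second' from the characteristic interval containing the target weight."""
    algo = RULE_FUNCTION.get((role, op, obj))
    if algo is not None:
        return "first", algo
    t = target_weight(role, op, obj)
    for low, high, algo in RULE_TABLE:
        if low <= t < high:
            return "second", algo
    raise ValueError(f"target weight {t} lies in no characteristic interval")


def fuzzy(value: str) -> str:
    """Fuzzy processing: keep two leading and two trailing characters."""
    if len(value) <= 4:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 4) + value[-2:]


def pseudo(value: str) -> str:
    """Pseudo data generation: a keyed, deterministic digit string of the same
    length, so equal inputs map to equal replacements and joins still work."""
    digest = hmac.new(KEY, value.encode(), hashlib.sha256).hexdigest()
    digits = "".join(str(int(ch, 16) % 10) for ch in digest)
    while len(digits) < len(value):
        digits += digits
    return digits[: len(value)]


def _keystream(nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(KEY, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(value: str, nonce: bytes) -> str:
    """Encryption processing, reversible with the key. An HMAC-SHA256 counter
    keystream XOR stands in for the AES the text mentions; the nonce must be
    unique per record (e.g. its primary key) so keystreams are never reused."""
    data = value.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data)))).hex()


def decrypt(ciphertext_hex: str, nonce: bytes) -> str:
    data = bytes.fromhex(ciphertext_hex)
    return bytes(a ^ b for a, b in zip(data, _keystream(nonce, len(data)))).decode()


def desensitize(role: str, op: str, obj: str, value: str, nonce: bytes = b"") -> Tuple[str, str, str]:
    """Choose the algorithm for the request and apply it: (path, algorithm, result)."""
    path, algo = select_algorithm(role, op, obj)
    if algo == "fuzzy":
        return path, algo, fuzzy(value)
    if algo == "pseudo":
        return path, algo, pseudo(value)
    return path, algo, encrypt(value, nonce)
```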
Aiming at a third party micro-service application deployed in a cloud environment, the invention realizes fine granularity control of application data access by integrating an SDK, including but not limited to row and column level data authority management, tenant isolation, data grouping strategy and data desensitization treatment, ensures data security and compliance, maintains non-perception experience of an end user, and improves the integration and management capability of a cloud control platform on the third party application;
In a multi-tenant and multi-service cloud environment, row-level and column-level control of data access of third party micro-service applications is realized, effective isolation of data among different tenants is ensured, data leakage and improper access are prevented, the cloud control platform can efficiently and conveniently integrate and manage the third party micro-service applications, the operation experience of an end user is ensured not to be affected while data security measures are enhanced, extra operation burden caused by the security measures is avoided, the security integration and management process of the cloud platform on the third party micro-service applications is simplified, and complexity and maintenance difficulty increased by introducing the security measures are reduced.
Fig. 3 is a schematic structural diagram of an electronic device according to the present invention. As shown in fig. 3, the electronic device may include a processor 310, a communication interface 320, a memory 330 and a communication bus 340, where the processor 310, the communication interface 320 and the memory 330 communicate with each other through the communication bus 340. The processor 310 may invoke logic instructions in the memory 330 to execute a cloud control platform-based data access method comprising: obtaining a data access request, the data access request being generated after a current user role accesses a current data object type by using a current operation mode, the current user role including an administrator, a general employee, an external auditor or other personnel, the current operation mode including querying, updating, deleting or other operations, and the current data object type including personal identity information, financial data, log files or other object types; in response to the data access request, obtaining data to be accessed, inputting the current user role, the current operation mode and the current data object type to a preset rule function, obtaining a first desensitization algorithm output by the preset rule function, processing the data to be accessed with the first desensitization algorithm to obtain a first desensitization result, and transmitting the first desensitization result to the current user role; and, when the first desensitization algorithm cannot be output by the preset rule function, determining a target weight according to a weight value and a first weight coefficient corresponding to the current user role, a weight value and a second weight coefficient corresponding to the current operation mode, and a weight value and a third weight coefficient corresponding to the current data object type, determining a second desensitization algorithm according to the characteristic interval in which the target weight lies in a preset rule table, processing the data to be accessed with the second desensitization algorithm to obtain a second desensitization result, and transmitting the second desensitization result to the current user role; wherein the first desensitization algorithm and the second desensitization algorithm comprise fuzzy processing, pseudo data generation or encryption processing, and the preset rule table is constructed according to different characteristic intervals and the desensitization algorithm corresponding to each characteristic interval.
Further, the logic instructions in the memory 330 described above may be implemented in the form of software functional units and may be stored in a computer-readable storage medium when sold or used as a stand-alone product. Based on this understanding, the technical solution of the present invention, in essence or in the part contributing to the prior art or in part, may be embodied in the form of a software product stored in a storage medium and comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present invention. The storage medium includes a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or other media capable of storing program code.
In another aspect, the present invention also provides a computer program product, the computer program product comprising a computer program, the computer program being storable on a non-transitory computer readable storage medium, the computer program when executed by a processor being capable of performing the cloud control platform-based data access method provided by the above methods, the method comprising: obtaining a data access request, the data access request being generated after a current user role accesses a current data object type using a current operation mode, the current user role comprising an administrator, a general employee, an external auditor or other personnel, the current operation mode comprising a query, an update, a delete or other operation, and the current data object type comprising personal identity information, financial data, a log file or other object type; in response to the data access request, obtaining the data to be accessed, inputting the current user role, the current operation mode and the current data object type into a preset rule function to obtain a first desensitization algorithm output by the preset rule function, processing the data to be accessed by utilizing the first desensitization algorithm to obtain a first desensitization result, and sending the first desensitization result to the current user role; under the condition that the first desensitization algorithm cannot be output by utilizing the preset rule function, determining a target weight value according to a weight value and a first weight coefficient corresponding to the current user role, a weight value and a second weight coefficient corresponding to the current operation mode, and a weight value and a third weight coefficient corresponding to the current data object type, determining a second desensitization algorithm according to the characteristic interval in which the target weight value falls in a preset rule table, processing the data to be accessed by utilizing the second desensitization algorithm to obtain a second desensitization result, and sending the second desensitization result to the current user role; wherein the first desensitization algorithm and the second desensitization algorithm comprise fuzzy processing, pseudo data generation or encryption processing, and the preset rule table is constructed according to different characteristic intervals and the desensitization algorithm corresponding to each characteristic interval.
In yet another aspect, the present invention further provides a non-transitory computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the cloud control platform-based data access method provided by the above methods, the method comprising: obtaining a data access request, the data access request being generated after a current user role accesses a current data object type using a current operation mode, the current user role comprising an administrator, a general employee, an external auditor or other personnel, the current operation mode comprising a query, an update, a delete or other operations, and the current data object type comprising personal identity information, financial data, a log file or other object types; in response to the data access request, obtaining the data to be accessed, inputting the current user role, the current operation mode and the current data object type into a preset rule function, obtaining a first desensitization algorithm output by the preset rule function, processing the data to be accessed using the first desensitization algorithm to obtain a first desensitization result, and sending the first desensitization result to the current user role; under the condition that the first desensitization algorithm cannot be output by the preset rule function, determining a target weight value according to a weight value and a first weight coefficient corresponding to the current user role, a weight value and a second weight coefficient corresponding to the current operation mode, and a weight value and a third weight coefficient corresponding to the current data object type, determining a second desensitization algorithm according to the characteristic interval in which the target weight value falls in a preset rule table, processing the data to be accessed using the second desensitization algorithm to obtain a second desensitization result, and sending the second desensitization result to the current user role; wherein the first desensitization algorithm and the second desensitization algorithm comprise fuzzy processing, pseudo data generation or encryption processing, and the preset rule table is constructed according to different characteristic intervals and the desensitization algorithm corresponding to each characteristic interval.
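The two-stage selection described in the method above, as an added example that is not part of the patent: an explicit rule function is consulted first, and only when it has no entry is the weighted target value computed and looked up in the interval table. All weight values, coefficients, intervals, rule entries, the demo key and the masking formats are constructed assumptions; the encryption handler is a fail-closed placeholder for a real cipher.

```python
import hashlib
import hmac

# Constructed weight values for each dimension (assumptions, not from the patent).
ROLE_WEIGHT = {"administrator": 1, "employee": 2, "external_auditor": 3, "other": 4}
OPERATION_WEIGHT = {"query": 1, "update": 2, "delete": 3, "other": 2}
OBJECT_WEIGHT = {"log_file": 1, "financial_data": 2, "personal_identity": 3, "other": 2}
# First, second and third weight coefficients (constructed).
COEFFICIENTS = (0.5, 0.2, 0.3)

# Preset rule function: explicit (role, operation, object type) -> algorithm.
PRESET_RULES = {
    ("administrator", "query", "log_file"): "none",
    ("employee", "query", "financial_data"): "fuzzy",
    ("external_auditor", "query", "personal_identity"): "pseudo",
}
# Preset rule table: characteristic interval [lo, hi) -> algorithm (constructed).
RULE_TABLE = [((0.0, 1.5), "none"), ((1.5, 2.5), "fuzzy"),
              ((2.5, 3.2), "pseudo"), ((3.2, 4.1), "encrypt")]

def target_weight(role, op, obj):
    """Target weight value: each dimension's weight value times its coefficient, summed."""
    w1, w2, w3 = COEFFICIENTS
    return w1 * ROLE_WEIGHT[role] + w2 * OPERATION_WEIGHT[op] + w3 * OBJECT_WEIGHT[obj]

def select_algorithm(role, op, obj):
    """Stage 1: preset rule function; stage 2: target weight looked up in the rule table."""
    algo = PRESET_RULES.get((role, op, obj))
    if algo is not None:
        return algo, "rule_function"
    score = target_weight(role, op, obj)
    for (lo, hi), algo in RULE_TABLE:
        if lo <= score < hi:
            return algo, "rule_table"
    return "encrypt", "default"  # fail closed: a score outside every interval gets the strongest treatment

def fuzzy(value):
    """Fuzzy processing: keep only the last four characters, mask the rest."""
    return "*" * max(len(value) - 4, 0) + value[-4:]

def pseudo(value, key=b"constructed-demo-key"):
    """Pseudo data generation: deterministic HMAC surrogate so records can still be joined."""
    return "PSEUDO-" + hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]

def encrypt(value):
    """Encryption processing placeholder: attach an AEAD (e.g. AES-GCM); never return plaintext."""
    raise NotImplementedError("attach a real cipher before enabling the 'encrypt' path")

HANDLERS = {"none": lambda v: v, "fuzzy": fuzzy, "pseudo": pseudo, "encrypt": encrypt}

def desensitize(role, op, obj, value):
    """Resolve the algorithm for this request and apply it; returns (result, algorithm, stage)."""
    algo, stage = select_algorithm(role, op, obj)
    return HANDLERS[algo](value), algo, stage
```

The `stage` value returned alongside the result is worth logging: it records whether an explicit rule or the weighted fallback decided the treatment, which is what an auditor needs when a masking decision is questioned.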
The apparatus embodiments described above are merely illustrative: the elements illustrated as separate components may or may not be physically separate, and the elements shown as units may or may not be physical units; they may be located in one place or distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. Those of ordinary skill in the art will understand and implement the present invention without undue burden.
From the above description of the embodiments, it will be apparent to those skilled in the art that the embodiments may be implemented by means of software plus necessary general hardware platforms, or of course may be implemented by means of hardware. Based on this understanding, the foregoing technical solution may be embodied essentially or in a part contributing to the prior art in the form of a software product, which may be stored in a computer readable storage medium, such as ROM/RAM, a magnetic disk, an optical disk, etc., including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the method described in the respective embodiments or some parts of the embodiments.
It should be noted that the above-mentioned embodiments are merely for illustrating the technical solution of the present invention, not for limiting it. Although the present invention has been described in detail with reference to the above-mentioned embodiments, those skilled in the art should understand that the technical solution described in those embodiments may be modified, or some of its technical features may be equivalently replaced, without making the essence of the corresponding technical solution deviate from the spirit and scope of the technical solution of the embodiments of the present invention.