CN106790284A - A kind of method and system of the data isolation based on security domain - Google Patents

A kind of method and system of the data isolation based on security domain Download PDF

Info

Publication number
CN106790284A
CN106790284A CN201710108859.8A CN201710108859A CN106790284A CN 106790284 A CN106790284 A CN 106790284A CN 201710108859 A CN201710108859 A CN 201710108859A CN 106790284 A CN106790284 A CN 106790284A
Authority
CN
China
Prior art keywords
security domain
data
security
isolation
domain
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201710108859.8A
Other languages
Chinese (zh)
Inventor
覃璐
黄三伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Hunan Ant Software Ltd By Share Ltd
Original Assignee
Hunan Ant Software Ltd By Share Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Hunan Ant Software Ltd By Share Ltd filed Critical Hunan Ant Software Ltd By Share Ltd
Priority to CN201710108859.8A priority Critical patent/CN106790284A/en
Publication of CN106790284A publication Critical patent/CN106790284A/en
Pending legal-status Critical Current

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0227Filtering policies

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a kind of method and system of the data isolation based on security domain, the method is comprised the following steps:S1, after login system, the security domain where obtaining the system receives the query statement of database in the security domain;If S2, receiving the query statement, the database into the security domain carries out data query.Present system is corresponding with the above method.The present invention is not in the case where system business is influenceed, it is only necessary to carry out appropriate reconstruction to DAO layers, you can realize;In addition, the present invention is isolated the user data of different system according to security domain, it is ensured that the user of same system is only capable of accessing the related data under the security domain, according to demand for security, physical isolation and logic isolation are supported simultaneously, solve the co-related risks of inter-system data leakage.

Description

A kind of method and system of the data isolation based on security domain
Technical field
The invention belongs to information security technology utilize, more particularly to a kind of data isolation based on security domain method and be System.
Background technology
With going from strength to strength for interconnectivity, information security accident emerges in an endless stream, and constantly exposes big and small company and goes out The news of existing database leakage, this is all a kind of greatly injury to user, to company.
With the interconnection of each system in company, single-sign-on and unified authorization become a kind of prevalence, and this The risk of correlation of leakage is brought, data are put together, when security risk occurs in a certain system, other systems may be caused And then there is security risk.
The content of the invention
It is an object of the invention to provide a kind of method and system of the data isolation based on security domain, it is intended to solve company Different system user data, when being stored in database, do not carry out necessary isolation, when causing to occur security risk, The problem for interacting, meanwhile, also solve different system when user oriented is opened because user name repeatedly caused by The disagreeableness problem in family.
The present invention is achieved in that a kind of method of the data isolation based on security domain, and the method is comprised the following steps:
S1, after login system, the security domain where obtaining the system, the inquiry for receiving database in the security domain refers to Order;
If S2, receiving the query statement, the database into the security domain carries out data query.
Preferably, step was also included before step S1:
S10, different system is divided into different security domains.
Preferably, step was also included before step S10:
S01, when newly-increased security domain, while the data table related needed for dynamically increasing the security domain newly.
Preferably, step was also included before step S01:
S00, when disabling or deleting security domain, while disabling or deleting data table related under the security domain.
The present invention further discloses a kind of system of the data isolation based on security domain, the system includes:
Isolation module, the security domain where for after login system, obtaining the system receives data in the security domain The query statement in storehouse;
Enquiry module, if for receiving the query statement, the database into the security domain carries out data query.
Preferably, the system also includes:Divide domain module, for different system to be divided into different security domains.
Preferably, the system also includes:Additions and deletions module, for when security domain is increased newly, while dynamically increasing the safety newly Data table related needed for domain.
Preferably, the additions and deletions module, is additionally operable to when disabling or deleting security domain, while disabling or deleting the security domain Under data table related.
Compared to the shortcoming and defect of prior art, the invention has the advantages that:The present invention is not influenceing system In the case of business, it is only necessary to carry out appropriate reconstruction to DAO layers, you can realize;Additionally, the present invention is by the user data of different system Isolated according to security domain, it is ensured that the user of same system is only capable of accessing the related data under the security domain, according to safety Demand, while supporting physical isolation and logic isolation, solves the co-related risks of inter-system data leakage.
Brief description of the drawings
The step of Fig. 1 is one embodiment of method of data isolation of the present invention based on security domain flow chart;
The step of Fig. 2 is the another embodiment of method of data isolation of the present invention based on security domain flow chart;
The step of Fig. 3 is the method another embodiment of data isolation of the present invention based on security domain flow chart;
Fig. 4 is the structural representation of the embodiment of system one of data isolation of the present invention based on security domain;
Fig. 5 is the structural representation of the another embodiment of system of data isolation of the present invention based on security domain;
Fig. 6 is the structural representation of the system another embodiment of data isolation of the present invention based on security domain.
Specific embodiment
In order to make the purpose , technical scheme and advantage of the present invention be clearer, it is right below in conjunction with drawings and Examples The present invention is further elaborated.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, and It is not used in the restriction present invention.
Shown in reference picture 1, the invention discloses a kind of method of the data isolation based on security domain, the method includes following Step:
S1, after login system, the security domain where obtaining the system, the inquiry for receiving database in the security domain refers to Order;
If S2, receiving the query statement, the database into the security domain carries out data query.
As described in step S1, when logging in system by user, first according to the system for logging in, the safety where obtaining the system Domain;If there is no the security domain, then direct ending request;If there is the security domain, then judge whether to receive the safety The query statement of database in domain.
As described in step S2, if after receiving query statement, entering the database of correspondence security domain, dependency number is inquired about According to;If inquiring corresponding data, returned data, otherwise ending request.
The present invention is not in the case where system business is influenceed, it is only necessary to carry out appropriate reconstruction to DAO layers, you can realize;Additionally, The present invention is isolated the user data of different system according to security domain, it is ensured that the user of same system is only capable of accessing the peace Related data under universe, according to demand for security, while supporting physical isolation and logic isolation, solves inter-system data leakage Co-related risks.
More specifically, shown in reference picture 2, the invention discloses a kind of method of the data isolation based on security domain, the party Method is comprised the following steps:
S10, different system is divided into different security domains;
S1, after login system, the security domain where obtaining the system, the inquiry for receiving database in the security domain refers to Order;
If S2, receiving the query statement, the database into the security domain carries out data query.
As described in step S10, by different company or the different system of same company, different security domains are divided into.
As described in step S1, when logging in system by user, first according to the system for logging in, the safety where obtaining the system Domain;If there is no the security domain, then direct ending request;If there is the security domain, then judge whether to receive the safety The query statement of database in domain.
As described in step S2, if after receiving query statement, entering the database of correspondence security domain, dependency number is inquired about According to;If inquiring corresponding data, returned data, otherwise ending request.
The present invention is not in the case where system business is influenceed, it is only necessary to carry out appropriate reconstruction to DAO layers, you can realize;Additionally, The present invention is isolated the user data of different system according to security domain, it is ensured that the user of same system is only capable of accessing the peace Related data under universe, according to demand for security, while supporting physical isolation and logic isolation, solves inter-system data leakage Co-related risks.
More specifically, shown in reference picture 3, the invention discloses a kind of method of the data isolation based on security domain, the party Method is comprised the following steps:
S01, when newly-increased security domain, while the data table related needed for dynamically increasing the security domain newly;
S10, different system is divided into different security domains;
S1, after login system, the security domain where obtaining the system, the inquiry for receiving database in the security domain refers to Order;
If S2, receiving the query statement, the database into the security domain carries out data query.
As in step s 01, when newly-increased security domain is needed, while the related data needed for dynamically increasing the security domain newly Table.More specifically, in step S01, also including step:When disabling or deleting security domain, while disabling or deleting the safety Data table related under domain.
As described in step S10, by different company or the different system of same company, different security domains are divided into.
As described in step S1, when logging in system by user, first according to the system for logging in, the safety where obtaining the system Domain;If there is no the security domain, then direct ending request;If there is the security domain, then judge whether to receive the safety The query statement of database in domain.
As described in step S2, if after receiving query statement, entering the database of correspondence security domain, dependency number is inquired about According to;If inquiring corresponding data, returned data, otherwise ending request.
The present invention is not in the case where system business is influenceed, it is only necessary to carry out appropriate reconstruction to DAO layers, you can realize;Additionally, The present invention is isolated the user data of different system according to security domain, it is ensured that the user of same system is only capable of accessing the peace Related data under universe, according to demand for security, while supporting physical isolation and logic isolation, solves inter-system data leakage Co-related risks.
Additionally, key to the invention is that dynamic increases, deletes security domain, and reach the isolation of security domain is accessed.
Shown in reference picture 4, the present invention further discloses a kind of system of the data isolation based on security domain, the system bag Include:
Isolation module 1, the security domain where for after login system, obtaining the system receives number in the security domain According to the query statement in storehouse;
Enquiry module 2, if for receiving the query statement, the database into the security domain carries out data and looks into Ask.
In isolation module 1, when logging in system by user, first according to the system for logging in, the peace where obtaining the system Universe;If there is no the security domain, then direct ending request;If there is the security domain, then judge whether to receive the peace The query statement of database in universe.
In enquiry module 2, if after receiving query statement, entering the database of correspondence security domain, dependency number is inquired about According to;If inquiring corresponding data, returned data, otherwise ending request.
The present invention is not in the case where system business is influenceed, it is only necessary to carry out appropriate reconstruction to DAO layers, you can realize;Additionally, The present invention is isolated the user data of different system according to security domain, it is ensured that the user of same system is only capable of accessing the peace Related data under universe, according to demand for security, while supporting physical isolation and logic isolation, solves inter-system data leakage Co-related risks.
Shown in reference picture 5, the present invention further discloses a kind of system of the data isolation based on security domain, the system bag Include:
Divide domain module 3, for different system to be divided into different security domains;
In isolation module 1, when logging in system by user, first according to the system for logging in, the safety where obtaining the system Domain;If there is no the security domain, then direct ending request;If there is the security domain, then judge whether to receive the safety The query statement of database in domain;
In enquiry module 2, if after receiving query statement, entering the database of correspondence security domain, query-relevant data; If inquiring corresponding data, returned data, otherwise ending request.
In point domain module 3, by different company or the different system of same company, different security domains are divided into.
In isolation module 1, when logging in system by user, first according to the system for logging in, the peace where obtaining the system Universe;If there is no the security domain, then direct ending request;If there is the security domain, then judge whether to receive the peace The query statement of database in universe.
In enquiry module 2, if after receiving query statement, entering the database of correspondence security domain, dependency number is inquired about According to;If inquiring corresponding data, returned data, otherwise ending request.
The present invention is not in the case where system business is influenceed, it is only necessary to carry out appropriate reconstruction to DAO layers, you can realize;Additionally, The present invention is isolated the user data of different system according to security domain, it is ensured that the user of same system is only capable of accessing the peace Related data under universe, according to demand for security, while supporting physical isolation and logic isolation, solves inter-system data leakage Co-related risks.
Shown in reference picture 6, the present invention further discloses a kind of system of the data isolation based on security domain, the system bag Include:
Additions and deletions module 4, for when security domain is increased newly, while the data table related needed for dynamically increasing the security domain newly;
Divide domain module 3, for different system to be divided into different security domains;
Isolation module 1, the security domain where for after login system, obtaining the system receives number in the security domain According to the query statement in storehouse;
Enquiry module 2, if for receiving the query statement, the database into the security domain carries out data and looks into Ask.
In additions and deletions module 4, when newly-increased security domain is needed, while the related data needed for dynamically increasing the security domain newly Table.More specifically, when needing to disable or delete security domain, while disabling or deleting the data table related under the security domain.
In point domain module 3, by different company or the different system of same company, different security domains are divided into.
In isolation module 1, when logging in system by user, first according to the system for logging in, the safety where obtaining the system Domain;If there is no the security domain, then direct ending request;If there is the security domain, then judge whether to receive the safety The query statement of database in domain.
In enquiry module 2, if after receiving query statement, entering the database of correspondence security domain, query-relevant data; If inquiring corresponding data, returned data, otherwise ending request.
The present invention is not in the case where system business is influenceed, it is only necessary to carry out appropriate reconstruction to DAO layers, you can realize;Additionally, The present invention is isolated the user data of different system according to security domain, it is ensured that the user of same system is only capable of accessing the peace Related data under universe, according to demand for security, while supporting physical isolation and logic isolation, solves inter-system data leakage Co-related risks.
Additionally, key to the invention is that dynamic increases or delete security domain, and reach the isolation of security domain is accessed.
Presently preferred embodiments of the present invention is the foregoing is only, is not intended to limit the invention, it is all in essence of the invention Any modification, equivalent and improvement made within god and principle etc., should be included within the scope of the present invention.

Claims (8)

1. a kind of method of the data isolation based on security domain, it is characterised in that the method is comprised the following steps:
S1, after login system, the security domain where obtaining the system receives the query statement of database in the security domain;
If S2, receiving the query statement, the database into the security domain carries out data query.
2. the method for the data isolation of security domain is based on as claimed in claim 1, it is characterised in that also wrapped before step S1 Include step:
S10, different system is divided into different security domains.
3. the method for the data isolation of security domain is based on as claimed in claim 2, it is characterised in that before step S10 also Including step:
S01, when newly-increased security domain, while the data table related needed for dynamically increasing the security domain newly.
4. the method for the data isolation of security domain is based on as claimed in claim 3, it is characterised in that also wrapped in step S01 Include step:When disabling or deleting security domain, while disabling or deleting the data table related under the security domain.
5. a kind of system of the data isolation based on security domain, it is characterised in that the system includes:
Isolation module, the security domain where for after login system, obtaining the system receives database in the security domain Query statement;
Enquiry module, if for receiving the query statement, the database into the security domain carries out data query.
6. the system of the data isolation of security domain is based on as claimed in claim 5, it is characterised in that the system also includes:
Divide domain module, for different system to be divided into different security domains.
7. the system of the data isolation of security domain is based on as claimed in claim 6, it is characterised in that the system also includes:
Additions and deletions module, for when security domain is increased newly, while the data table related needed for dynamically increasing the security domain newly.
8. the system of the data isolation of security domain is based on as claimed in claim 7, it is characterised in that the additions and deletions module, also For when disabling or deleting security domain, while disabling or deleting the data table related under the security domain.
CN201710108859.8A 2017-02-27 2017-02-27 A kind of method and system of the data isolation based on security domain Pending CN106790284A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201710108859.8A CN106790284A (en) 2017-02-27 2017-02-27 A kind of method and system of the data isolation based on security domain

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201710108859.8A CN106790284A (en) 2017-02-27 2017-02-27 A kind of method and system of the data isolation based on security domain

Publications (1)

Publication Number Publication Date
CN106790284A true CN106790284A (en) 2017-05-31

Family

ID=58959246

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201710108859.8A Pending CN106790284A (en) 2017-02-27 2017-02-27 A kind of method and system of the data isolation based on security domain

Country Status (1)

Country Link
CN (1) CN106790284A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7149858B1 (en) * 2003-10-31 2006-12-12 Veritas Operating Corporation Synchronous replication for system and data security
CN101562609A (en) * 2009-05-27 2009-10-21 西北大学 VPN network security loophole detection and global admittance controlling system
CN103902917A (en) * 2012-12-27 2014-07-02 北京中船信息科技有限公司 Full-view monitoring method for access range and motion trails of cross-domain files
CN105743899A (en) * 2016-02-29 2016-07-06 湖南蚁坊软件有限公司 User authentication method based on security domain

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7149858B1 (en) * 2003-10-31 2006-12-12 Veritas Operating Corporation Synchronous replication for system and data security
CN101562609A (en) * 2009-05-27 2009-10-21 西北大学 VPN network security loophole detection and global admittance controlling system
CN103902917A (en) * 2012-12-27 2014-07-02 北京中船信息科技有限公司 Full-view monitoring method for access range and motion trails of cross-domain files
CN105743899A (en) * 2016-02-29 2016-07-06 湖南蚁坊软件有限公司 User authentication method based on security domain

Similar Documents

Publication Publication Date Title
CN104270386B (en) Across application system user (asu) information integrating method and identity information management server
US9258288B2 (en) Method and apparatus for providing enhanced service authorization
CN102823218B (en) Method and apparatus for identity federation gateway
CN107426169A (en) A kind of method for processing business and device based on authority
CN108777699B (en) Application cross-domain access method based on Internet of things multi-domain collaborative architecture
WO2019129582A4 (en) A method for managing a verified digital identity
US9934394B1 (en) Non-resharable resource links
CN103078859A (en) Service system authority management method, equipment and system
CN107113613B (en) Server, mobile terminal, network real-name authentication system and method
CN106557269A (en) The method and apparatus of storage cloud disk resource
CN107370604A (en) A kind of more granularity access control methods under big data environment
CN103220151A (en) User correlation method based on voice recognition
CN106656958A (en) Mobile-terminal-based account login method, login apparatus and login system
DE102014204659A1 (en) Contact information recognition system for external text data displayed by an infotainment system in a vehicle
CN106055988B (en) For the authority control method and device of control
CN106131029B (en) A kind of efficient cipher text searching method for resisting attribute key abuse
CN110661798A (en) Authentication method based on authentication platform
CN104580210A (en) Hotlinking prevention method, hotlinking prevention assembly and cloud platform under cloud platform environment
CN107846676A (en) Safety communicating method and system based on network section security architecture
CN103198066A (en) Word list based information search method and search system
CN115396180A (en) Micro service gateway unified authentication method, device, micro service gateway and storage medium
CN103401703B (en) Method, relevant equipment and system for realizing privilege separation
CN103607508B (en) The management method of a kind of authority, device and mobile phone terminal
CN105893511A (en) Method for data copy trace retention through agent cloud
CN106790284A (en) A kind of method and system of the data isolation based on security domain

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20170531