CN117195297B - ERP-based data security and privacy protection system and method - Google Patents
ERP-based data security and privacy protection system and method Download PDFInfo
- Publication number
- CN117195297B CN117195297B CN202311205963.0A CN202311205963A CN117195297B CN 117195297 B CN117195297 B CN 117195297B CN 202311205963 A CN202311205963 A CN 202311205963A CN 117195297 B CN117195297 B CN 117195297B
- Authority
- CN
- China
- Prior art keywords
- data
- information
- sensitive
- erp
- module
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active
Links
- 238000000034 method Methods 0.000 title claims abstract description 40
- 238000013507 mapping Methods 0.000 claims abstract description 26
- 238000007726 management method Methods 0.000 claims abstract description 25
- 238000011084 recovery Methods 0.000 claims abstract description 20
- 238000013474 audit trail Methods 0.000 claims abstract description 10
- 238000012502 risk assessment Methods 0.000 claims abstract description 10
- 238000013439 planning Methods 0.000 claims abstract description 5
- 230000035945 sensitivity Effects 0.000 claims description 38
- 230000004044 response Effects 0.000 claims description 12
- 238000011156 evaluation Methods 0.000 claims description 9
- 238000012217 deletion Methods 0.000 claims description 6
- 230000037430 deletion Effects 0.000 claims description 6
- 238000012986 modification Methods 0.000 claims description 6
- 230000004048 modification Effects 0.000 claims description 6
- 238000004364 calculation method Methods 0.000 claims description 3
- 230000006870 function Effects 0.000 description 8
- 238000010586 diagram Methods 0.000 description 6
- 230000005540 biological transmission Effects 0.000 description 5
- 230000008569 process Effects 0.000 description 5
- 230000009286 beneficial effect Effects 0.000 description 4
- 238000004891 communication Methods 0.000 description 4
- 238000012545 processing Methods 0.000 description 4
- 238000004590 computer program Methods 0.000 description 3
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000004422 calculation algorithm Methods 0.000 description 2
- 238000013523 data management Methods 0.000 description 2
- 238000001514 detection method Methods 0.000 description 2
- 238000005206 flow analysis Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 230000001133 acceleration Effects 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000007667 floating Methods 0.000 description 1
- 238000011835 investigation Methods 0.000 description 1
- 238000010801 machine learning Methods 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 230000006386 memory function Effects 0.000 description 1
- 230000009897 systematic effect Effects 0.000 description 1
- 238000012384 transportation and delivery Methods 0.000 description 1
Landscapes
- Storage Device Security (AREA)
Abstract
The embodiment of the application discloses a data security and privacy protection system and method based on ERP, wherein the system comprises the following steps: the system comprises a data encryption module, a permission management module, an audit trail module, a data backup and recovery module, a risk assessment module and a risk management policy information generation module, wherein the data encryption module is used for encrypting sensitive data in an Enterprise Resource Planning (ERP) system to generate encrypted data, the permission management module is used for determining multiple data access permission information corresponding to a plurality of user IDs one by one based on a preset permission mapping table, the audit trail module is used for recording sensitive operations in the ERP system, the data backup and recovery module is used for backing up the data in the ERP system in a set period and responding to a data recovery instruction input by a user to recover the data in the ERP system, and the risk assessment module is used for identifying safety risk information of the sensitive data in the ERP system and generating the risk management policy information of the ERP system based on the safety risk information. Thereby safely protecting the data assets in the ERP system and reducing the risks of data leakage and abuse.
Description
Technical Field
The application relates to the technical field of data protection, in particular to a data security and privacy protection system and method based on ERP.
Background
ERP (Enterprise resource planning ) systems are management platforms which are based on information technology and provide decision operation means for enterprise decision-making layers and staff by using systematic management ideas. With the present digital age, the data assets of enterprises play a vital role, and especially the data surfaces involved in ERP systems are wider, and the data resources are more. The continued development of ERP systems also presents a range of security and privacy risks.
In the related art, some existing solutions exist, but a complete set of data security and privacy protection mechanism does not exist yet, so that the data security and privacy protection requirements of the ERP system cannot be completely met, and therefore, a data protection scheme of the ERP system is needed to avoid the risks of data leakage and data abuse in the ERP system.
Accordingly, in order to effectively solve the above problems, it is desirable to provide an ERP-based data security and privacy protection system to solve the above problems.
Disclosure of Invention
The embodiment of the application provides a data security and privacy protection system and method based on ERP, which can improve the data security of sensitive data in an ERP system and avoid the risks of data leakage and data abuse.
A first aspect of an embodiment of the present application provides an ERP-based data security and privacy protection system, the system including: the system comprises a data encryption module, a right management module, an audit trail module, a data backup and recovery module and a risk assessment module;
the data encryption module is used for encrypting the sensitive data in the enterprise resource planning ERP system to generate encrypted data;
the right management module is used for determining various data access right information corresponding to the user IDs one by one based on a preset right mapping table;
The audit trail module is configured to record sensitive operations in the ERP system, where the sensitive operations at least include: at least one of a data access operation, a data modification operation, and a data deletion operation;
The data backup and recovery module is used for backing up the data in the ERP system in a set period and responding to a data recovery instruction input by a user to recover the data in the ERP system;
The risk assessment module is used for identifying security risk information of the sensitive data in the ERP system and generating risk management policy information of the ERP system based on the security risk information.
Optionally, the step of encrypting the sensitive data in the network public gateway ERP system and generating the encrypted data includes:
Identifying data parameter type information of the sensitive data;
Determining a data sensitivity score of the sensitive data according to the data parameter type information;
Dynamically encrypting the sensitive data based on the data sensitivity score to generate the encrypted data.
Optionally, the step of dynamically encrypting the sensitive data based on the data sensitivity score to generate the encrypted data includes:
Identifying the service type of the sensitive data;
Determining service class information of the service type corresponding to the sensitive data based on a preset service class mapping table, wherein the preset service class mapping table comprises mapping relations between a plurality of service types and a plurality of service class information;
determining an encryption intensity adjustment coefficient according to the service level information;
Multiplying the encryption strength adjustment coefficient with the data sensitivity score to generate a dynamic encryption strength;
And dynamically encrypting the sensitive data in an AES encryption mode according to the dynamic encryption intensity to generate the encrypted data.
Optionally, the step of determining the data sensitivity score of the sensitive data according to the data parameter type information includes:
Determining data weight, data leakage risk score, loss degree score, data type coefficient and data scoring coefficient of the sensitive data in the ERP system according to the data parameter type information;
The data sensitivity score is determined by calculation as follows:
The data sensitivity score is Q, the data weight is W, the data leakage risk score is S leak, the loss degree score is S loss, the data parameter type information is K type, and the data scoring coefficient is K.
Optionally, the step of determining the data sensitivity score of the sensitive data according to the data parameter type information further includes:
determining a data protection cost score, a data generation time coefficient, a data security coefficient, a data importance coefficient and a data access frequency coefficient of the sensitive data according to the data parameter type information;
The data scoring coefficients are determined by:
K=SprotectionKtimeKclassKimportanceKfrequency
The K is the data scoring coefficient, the S protection is the data protection cost, the K time is the data generation time coefficient, the K class is the data security coefficient, the K importance is the data importance coefficient, and the K frequency is the data access frequency coefficient.
Optionally, the step of recording sensitive operations in the ERP system includes:
In response to detecting the sensitive operation in the ERP system, determining user ID information, browse record information and timestamp information of the sensitive operation;
And establishing a mapping relation between the user ID information, the browsing record information and the timestamp information through a preset hash table to generate a target hash table, wherein the target hash table is used for recording the sensitive operation.
Optionally, the step of recording sensitive operations in the ERP system further includes:
Determining first timestamp information and first browsing record information of a first sensitive operation based on the user ID information in response to detecting the first sensitive operation again;
and updating the target hash table according to the first timestamp information and the first browsing record information.
Optionally, the step of identifying security risk information of the sensitive data in the ERP system includes:
Acquiring data type information of the sensitive data;
determining the importance degree of the sensitive data according to the data type information;
And carrying out rationality evaluation on encryption setting of the encrypted data according to the importance degree so as to generate the security risk information.
Optionally, the step of performing rationality evaluation on the encryption setting of the encrypted data according to the importance degree to generate the security risk information includes:
identifying encryption grade information of the encrypted data;
Determining a rationality score of the encrypted data according to the importance level and the encryption grade information;
And generating the safety risk information according to the rationality score.
According to a second aspect of embodiments of the present disclosure, there is provided an ERP-based data security and privacy protection method applied to the system of any one of the first aspects of the present disclosure, the method including:
In response to detecting a data access request in an ERP system, determining user ID information corresponding to the data access request;
Determining data access authority information corresponding to the user ID information based on the preset authority mapping table;
recording the data access operation corresponding to the user ID information under the condition that the data access request is matched with the data access authority information, and generating a data access record;
If the data access record is determined to be sensitive operation, recording the sensitive operation to generate sensitive data;
Encrypting the sensitive data to generate encrypted data.
According to a third aspect of embodiments of the present disclosure, there is provided an ERP-based data security and privacy protection apparatus, the apparatus comprising:
The first determining module is used for determining user ID information corresponding to the data access request in response to the detection of the data access request in the ERP system;
The second determining module is used for determining data access authority information corresponding to the user ID information based on the preset authority mapping table;
the first generation module is used for recording the data access operation corresponding to the user ID information and generating a data access record under the condition that the data access request is matched with the data access authority information;
The second generation module is used for recording the sensitive operation if the data access record is determined to be the sensitive operation so as to generate sensitive data;
And the third generation module is used for encrypting the sensitive data and generating encrypted data.
An apparatus provided in a fourth aspect of an embodiment of the present application includes: a processor, a storage medium, and a bus, the storage medium storing machine-readable instructions executable by the processor, the processor and the storage medium communicating over the bus when the device is operating, the processor executing the machine-readable instructions to perform the steps of the method as provided in the second aspect when executed.
A fifth aspect of the embodiments of the present application also provides a storage medium having stored thereon a computer program which, when executed by a processor, performs the steps of the method as provided in the second aspect.
Therefore, the method of the embodiment of the application can bring the following beneficial effects:
(1) According to the scheme, the sensitive data in the ERP system can be encrypted through the ERP-based data security and privacy protection system, so that the security of the data in the transmission and storage processes is determined, and the loss caused by data leakage is avoided.
(2) According to the scheme, the system and the method for managing the data access rights under different user IDs manage the data access rights under different user IDs, and different access rights are set for different users, so that only authorized users can access sensitive data, the security of data access is further improved, and the data is prevented from being leaked.
(3) According to the scheme, the sensitive operation of the user in the ERP system is recorded through the ERP system, so that the safety problem of the data can be investigated and traced later, and the risk of misuse of the data is further reduced.
(4) According to the scheme, the data backup and recovery function is provided in the ERP system, so that the data in the ERP system can be backed up regularly, the data loss is avoided, and the integrity and the availability of the data are ensured.
(5) And (3) evaluating the security and privacy risks in the ERP system at regular intervals, and providing corresponding risk management suggestions according to the evaluation result to help enterprises to formulate proper security protection strategies of the ERP system so as to further improve the security of data in the ERP system.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
Fig. 1 is an application scenario schematic diagram of an ERP system provided by an embodiment of the present application;
FIG. 2 is a schematic diagram of an ERP-based data security and privacy protection system provided by an embodiment of the present application;
FIG. 3 is a flowchart illustrating an ERP-based data security and privacy protection method, according to an example embodiment;
FIG. 4 is a block diagram illustrating an ERP-based data security and privacy protection apparatus, according to an example embodiment;
Fig. 5 is a schematic structural diagram of an apparatus according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to fall within the scope of the application.
The embodiment of the application provides a passenger flow analysis method, device, equipment and storage medium based on an ERP system, wherein the equipment can be Internet of things equipment, and the storage medium can be a computer storage medium. The passenger flow analysis device based on the ERP system can be integrated in equipment, and the equipment can be a server, a terminal and other equipment.
The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, network acceleration services (Content Delivery Network, CDN), basic cloud computing services such as big data and an artificial intelligent platform.
The terminal may be, but not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, and the like. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the present application is not limited herein.
For example, as shown in fig. 1, the data security and privacy protection system based on ERP may be installed in a server, a user may establish a connection with the server through a terminal, access data in the server through operating the terminal, the server may obtain data in the ERP system, and the user may access the server through the terminal to perform operations such as looking up, adding, modifying, deleting, etc. the data in the ERP system.
The term "plurality" in the embodiments of the present application means two or more. "first" and "second" and the like in the embodiments of the present application are used for distinguishing descriptions and are not to be construed as implying relative importance.
The following will describe in detail. The following description of the embodiments is not intended to limit the preferred embodiments.
Referring to fig. 2, in this embodiment, an ERP-based data security and privacy protection system is provided, the system includes: the system comprises a data encryption module, a right management module, an audit trail module, a data backup and recovery module and a risk assessment module;
the data encryption module is used for encrypting the sensitive data in the enterprise resource planning ERP system to generate encrypted data;
the right management module is used for determining various data access right information corresponding to the user IDs one by one based on a preset right mapping table;
The audit trail module is configured to record sensitive operations in the ERP system, where the sensitive operations at least include: at least one of a data access operation, a data modification operation, and a data deletion operation;
The data backup and recovery module is used for backing up the data in the ERP system in a set period and responding to a data recovery instruction input by a user to recover the data in the ERP system;
The risk assessment module is used for identifying security risk information of the sensitive data in the ERP system and generating risk management policy information of the ERP system based on the security risk information.
For example, the data encryption module in this embodiment: the method is used for encrypting the sensitive data in the ERP system and ensuring the security of the data in the transmission and storage processes, wherein the sensitive data can be access record data generated based on sensitive operation of a user, and can also be historical data with sensitive data tags stored in the ERP system in advance. And encrypting the sensitive data in the ERP system according to the data encryption module so as to generate encrypted data.
In some embodiments, the step of encrypting the sensitive data in the ERP system to generate encrypted data includes:
Identifying data parameter type information of the sensitive data;
Determining a data sensitivity score of the sensitive data according to the data parameter type information;
Dynamically encrypting the sensitive data based on the data sensitivity score to generate the encrypted data.
In an example, in this embodiment, the sensitive data is analyzed to determine data parameter type information of the sensitive data, where the example data parameter type information of the sensitive data may include: business data, customer information data, security detection data, etc. And determining the data sensitivity degree of the corresponding sensitive data according to the data parameter type information, and generating a data sensitivity score of the sensitive data after quantifying the data sensitivity degree.
It can be understood that, in order to improve the security of data, different encryption modes are adopted for data with different sensitivity degrees to dynamically encrypt the sensitive data, so as to generate encrypted data. For example, the data parameter type of the sensitive data is business data, a mapping table may be set in the server, where the mapping table includes a plurality of data parameter types and a plurality of data sensitivity scores corresponding to each other one by one, the data sensitivity scores of the business data are determined by referring to the table, the scores are brought into a data encryption formula, a dynamic encryption mode of the sensitive data is calculated, and the sensitive data is dynamically encrypted based on the dynamic encryption mode to generate encrypted data.
For example, in one embodiment, the step of dynamically encrypting the sensitive data based on the data sensitivity score to generate the encrypted data includes:
Identifying the service type of the sensitive data;
Determining service class information of the service type corresponding to the sensitive data based on a preset service class mapping table, wherein the preset service class mapping table comprises mapping relations between a plurality of service types and a plurality of service class information;
determining an encryption intensity adjustment coefficient according to the service level information;
Multiplying the encryption strength adjustment coefficient with the data sensitivity score to generate a dynamic encryption strength;
And dynamically encrypting the sensitive data in an AES encryption mode according to the dynamic encryption intensity to generate the encrypted data.
For example, in this embodiment, after determining the data sensitivity score of the sensitive data through the above steps, dynamically encrypting the data, setting a service level according to the service type of the data, and obtaining the encryption strength adjustment coefficient E according to the service level; dynamic encryption intensity=q×e, and then dynamically encrypts the sensitive data by AES encryption:
encrypted data=aes- (sensitive data, dynamic encryption strength)
It should be noted that, according to the information provided by you, it seems that the present embodiment involves associating the service type of the data with the service class, and determining the encryption intensity adjustment coefficient E according to the service level. In the field of data security, data is generally classified and classified according to the type of service and the degree of sensitivity. In this way, appropriate security measures, including encryption strength, can be determined based on the importance and sensitivity of the data. Specifically, you can set the traffic class and get the encryption intensity adjustment coefficient E following the steps of:
(1) Defining service types: according to business requirements and data characteristics, different business types are determined. For example, data may be classified into financial data, medical data, personal identification data, and the like.
(2) Dividing service grades: a respective service class is defined for each service type. The service level can be divided according to factors such as importance, sensitivity, regulation requirement and the like of the data. A number or letter symbol is typically used to indicate different grades, such as 1,2,3 or A, B, C.
(3) Associating encryption strength adjustment coefficients: each service class is assigned a corresponding encryption strength adjustment coefficient E. The adjustment factor may be a floating point number that is used to adjust the key length, algorithm parameters, or other encryption parameters to increase or decrease the strength of encryption when the encryption algorithm is applied.
It will be appreciated that ensuring that the traffic class and encryption strength adjustment coefficients are defined takes into account relevant security standards, industry specifications and applicable legal regulations. In addition, proper risk assessment is ensured on the data, and classification and grading processing are performed according to the assessment result so as to ensure the safety and confidentiality of the data.
For example, in some embodiments, the step of determining the data sensitivity score of the sensitive data according to the data parameter type information includes:
Determining data weight, data leakage risk score, loss degree score, data type coefficient and data scoring coefficient of the sensitive data in the ERP system according to the data parameter type information;
The data sensitivity score is determined by calculation as follows:
The data sensitivity score is Q, the data weight is W, the data leakage risk score is S leak, the loss degree score is S loss, the data parameter type information is K type, and the data scoring coefficient is K.
Optionally, in some embodiments, the step of determining the data sensitivity score of the sensitive data according to the data parameter type information includes:
determining a data protection cost score, a data generation time coefficient, a data security coefficient, a data importance coefficient and a data access frequency coefficient of the sensitive data according to the data parameter type information;
The data scoring coefficients are determined by:
K=SprotectionKtimeKclassKimportanceKfrequency
The K is the data scoring coefficient, the S protection is the data protection cost, the K time is the data generation time coefficient, the K class is the data security coefficient, the K importance is the data importance coefficient, and the K frequency is the data access frequency coefficient.
In this embodiment, the data parameters of the data to be encrypted are first identified, and the data sensitivity score of the data to be encrypted is determined, and in this embodiment, the data sensitivity score is determined based on the following formula
Wherein, Q is a data sensitivity score, W is a data weight, S leak is a data leakage risk score, S loss is a loss degree score caused by data leakage, K type is a data type coefficient, and data type coefficients of different types of data can be set according to different ERP systems, for example, the ERP system is a system biased toward image data management, the data type coefficient of the corresponding image data is larger, the ERP system is a system biased toward text data management, and the data type coefficient of the corresponding text data is larger; s protection, scoring the data protection cost, generating a time coefficient by the K time data, wherein the time coefficient is inversely related to the storage time, and determining a data sensitivity score of sensitive data based on the formula by the K class data security coefficient, wherein the data security coefficient can be selectively written by a user creating data when the data is stored, the K importance data importance coefficient can also be written by the user, the K frequency data access frequency coefficient is higher, and the data access frequency coefficient is higher.
The right management module is used for determining various data access right information corresponding to the user IDs one by one based on a preset right mapping table.
For example, in the ERP system of this embodiment, a rights management module is installed, and the rights management module is used to determine access rights of different users in the ERP system, so as to ensure that only authorized users can access sensitive data.
The audit trail module is configured to record sensitive operations in the ERP system, where the sensitive operations at least include: at least one of a data access operation, a data modification operation, and a data deletion operation;
For example, an audit trail module is installed in the ERP system in the embodiment, and is used for recording sensitive operations in the ERP system, including data access, modification, deletion and the like, so as to facilitate subsequent investigation and tracing.
In some embodiments, the step of recording sensitive operations in the ERP system includes:
In response to detecting the sensitive operation in the ERP system, determining user ID information, browse record information and timestamp information of the sensitive operation;
And establishing a mapping relation between the user ID information, the browsing record information and the timestamp information through a preset hash table to generate a target hash table, wherein the target hash table is used for recording the sensitive operation.
Optionally, in some embodiments, the step of recording sensitive operations in the ERP system further includes:
Determining first timestamp information and first browsing record information of a first sensitive operation based on the user ID information in response to detecting the first sensitive operation again;
and updating the target hash table according to the first timestamp information and the first browsing record information.
In this embodiment, the sensitive operation is recorded, the data access records of different users are recorded by adopting a hash table, the mapping relationship between the operation records corresponding to the user ID and the operation time is established, and the hash table is updated when the subsequent user generates a new operation record.
The data backup and recovery module is used for backing up the data in the ERP system in a set period and responding to a data recovery instruction input by a user to recover the data in the ERP system;
for example, in this embodiment, a data backup and recovery module is configured in the ERP system, and is configured to backup data in the ERP system regularly, and provide a data recovery function for the ERP system, so as to ensure the integrity and availability of the data.
The risk assessment module is used for identifying security risk information of the sensitive data in the ERP system and generating risk management policy information of the ERP system based on the security risk information.
For example, in some embodiments, the step of identifying security risk information of the sensitive data in the ERP system includes:
Acquiring data type information of the sensitive data;
determining the importance degree of the sensitive data according to the data type information;
And carrying out rationality evaluation on encryption setting of the encrypted data according to the importance degree so as to generate the security risk information.
For example, in some embodiments, the step of "performing a rationality evaluation on the encryption setting of the encrypted data according to the importance level" to generate the security risk information includes:
identifying encryption grade information of the encrypted data;
Determining a rationality score of the encrypted data according to the importance level and the encryption grade information;
And generating the safety risk information according to the rationality score.
In an example, the security degree of the private data in the ERP data is identified based on the importance degree of the data, and the security level of various data in the ERP system may be identified by a machine learning method, and based on the security level, whether the encryption setting of each data in the current ERP system is reasonable is determined, so as to generate a risk management suggestion for part of the data, where the risk management suggestion may be a suggestion for improving the encryption level of different data.
Therefore, the method of the embodiment of the application can bring the following beneficial effects:
(1) According to the scheme, the sensitive data in the ERP system can be encrypted through the ERP-based data security and privacy protection system, so that the security of the data in the transmission and storage processes is determined, and the loss caused by data leakage is avoided.
(2) According to the scheme, the system and the method for managing the data access rights under different user IDs manage the data access rights under different user IDs, and different access rights are set for different users, so that only authorized users can access sensitive data, the security of data access is further improved, and the data is prevented from being leaked.
(3) According to the scheme, the sensitive operation of the user in the ERP system is recorded through the ERP system, so that the safety problem of the data can be investigated and traced later, and the risk of misuse of the data is further reduced.
(4) According to the scheme, the data backup and recovery function is provided in the ERP system, so that the data in the ERP system can be backed up regularly, the data loss is avoided, and the integrity and the availability of the data are ensured.
(5) And (3) evaluating the security and privacy risks in the ERP system at regular intervals, and providing corresponding risk management suggestions according to the evaluation result to help enterprises to formulate proper security protection strategies of the ERP system so as to further improve the security of data in the ERP system.
FIG. 3 is a flowchart illustrating an ERP-based data security and privacy protection method applied to the above system, according to an exemplary embodiment, comprising the following steps.
In step S101, in response to detecting the data access request in the ERP system, user ID information corresponding to the data access request is determined.
For example, in the ERP system of this embodiment, data query and data access are all required to be established on the user ID information, and when a data access request sent by a user is received, it is required to verify a priori whether the user ID information of the user is within an accessible range of the ERP system.
Step S102, based on a preset authority mapping table, determining data access authority information corresponding to the user ID information.
For example, a data access authority table based on ID information stored in the ERP system is queried according to the user ID information, and data access authority information corresponding to the user ID information is determined according to the table, wherein the data access authority information comprises a data range which can be accessed by a user in the ERP system, and data operation authority for corresponding data, and the data operation authority comprises data query, data deletion, data modification, new data and the like.
Step S103, when the data access request is matched with the data access authority information, recording the data access operation corresponding to the user ID information, and generating a data access record.
For example, in this embodiment, when the data access request matches with the data access authority information, it indicates that the current data operation under the user ID information is within the authority range, and records the corresponding data access operation of the user ID information in the ERP system, so as to generate a data access record based on the user ID information.
In step S104, if the data access record is determined to be a sensitive operation, the sensitive operation is recorded to generate sensitive data.
Step S105, encrypting the sensitive data to generate encrypted data.
For example, in this embodiment, when it is determined that the data access record is a sensitive operation, the sensitive operation is recorded to generate sensitive data, and then the sensitive data is encrypted to generate encrypted data. It should be noted that, in this embodiment, the data stored in the ERP system may also be directly encrypted to generate encrypted data.
By the mode, the method provided by the embodiment of the application has the following beneficial effects:
(1) According to the scheme, the sensitive data in the ERP system can be encrypted through the ERP-based data security and privacy protection system, so that the security of the data in the transmission and storage processes is determined, and the loss caused by data leakage is avoided.
(2) According to the scheme, the system and the method for managing the data access rights under different user IDs manage the data access rights under different user IDs, and different access rights are set for different users, so that only authorized users can access sensitive data, the security of data access is further improved, and the data is prevented from being leaked.
(3) According to the scheme, the sensitive operation of the user in the ERP system is recorded through the ERP system, so that the safety problem of the data can be investigated and traced later, and the risk of misuse of the data is further reduced.
(4) According to the scheme, the data backup and recovery function is provided in the ERP system, so that the data in the ERP system can be backed up regularly, the data loss is avoided, and the integrity and the availability of the data are ensured.
(5) And (3) evaluating the security and privacy risks in the ERP system at regular intervals, and providing corresponding risk management suggestions according to the evaluation result to help enterprises to formulate proper security protection strategies of the ERP system so as to further improve the security of data in the ERP system.
FIG. 4 is a block diagram illustrating an ERP-based data security and privacy protection apparatus 100, according to an example embodiment, the apparatus 100 comprising: the first determination module 110, the second determination module 120, the first generation module 130, the second generation module 140, and the third generation module 150.
A first determining module 110, configured to determine, in response to detecting a data access request in an ERP system, user ID information corresponding to the data access request;
A second determining module 120, configured to determine data access right information corresponding to the user ID information based on the preset right mapping table;
A first generating module 130, configured to record a data access operation corresponding to the user ID information and generate a data access record when the data access request matches the data access permission information;
A second generating module 140, configured to record the sensitive operation if the data access record is determined to be the sensitive operation, so as to generate sensitive data;
And a third generating module 150, configured to encrypt the sensitive data and generate encrypted data.
Therefore, the method of the embodiment of the application can bring the following beneficial effects:
(1) According to the scheme, the sensitive data in the ERP system can be encrypted through the ERP-based data security and privacy protection system, so that the security of the data in the transmission and storage processes is determined, and the loss caused by data leakage is avoided.
(2) According to the scheme, the system and the method for managing the data access rights under different user IDs manage the data access rights under different user IDs, and different access rights are set for different users, so that only authorized users can access sensitive data, the security of data access is further improved, and the data is prevented from being leaked.
(3) According to the scheme, the sensitive operation of the user in the ERP system is recorded through the ERP system, so that the safety problem of the data can be investigated and traced later, and the risk of misuse of the data is further reduced.
(4) According to the scheme, the data backup and recovery function is provided in the ERP system, so that the data in the ERP system can be backed up regularly, the data loss is avoided, and the integrity and the availability of the data are ensured.
(5) And (3) evaluating the security and privacy risks in the ERP system at regular intervals, and providing corresponding risk management suggestions according to the evaluation result to help enterprises to formulate proper security protection strategies of the ERP system so as to further improve the security of data in the ERP system.
Corresponding to the above method embodiment, the embodiment of the present invention further provides a computer device, where a computer device described below and an ERP-based data security and privacy protection method described above may be referred to correspondingly.
The computer device includes:
A memory for storing a computer program;
The processor is used for realizing the steps of the ERP-based data security and privacy protection method in the method embodiment when executing the computer program:
In response to detecting a data access request in an ERP system, determining user ID information corresponding to the data access request;
Determining data access authority information corresponding to the user ID information based on the preset authority mapping table;
recording the data access operation corresponding to the user ID information under the condition that the data access request is matched with the data access authority information, and generating a data access record;
If the data access record is determined to be sensitive operation, recording the sensitive operation to generate sensitive data;
Encrypting the sensitive data to generate encrypted data.
Fig. 5 is a schematic structural diagram of an apparatus according to an embodiment of the present application, where the apparatus may be a computing apparatus with a data processing function.
The apparatus may include: a processor 301, and a memory 302.
The memory 302 is used for storing a program, and the processor 301 calls the program stored in the memory 302 to execute the above-described method embodiment. The specific implementation manner and the technical effect are similar, and are not repeated here.
Therein, the memory 302 stores program code that, when executed by the processor 301, causes the processor 301 to perform various steps in the methods according to various exemplary embodiments of the application described in the above section of the exemplary method of this specification.
The processor 301 may be a general purpose processor such as a Central Processing Unit (CPU), digital signal processor (DIGITALSIGNAL PROCESSOR, DSP), application SPECIFIC INTEGRATED Circuit (ASIC), field programmable gate array (Field Programmable GATE ARRAY, FPGA) or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or may implement or perform the methods, steps, and logic blocks disclosed in embodiments of the present application. The general purpose processor may be a microprocessor or any conventional processor or the like. The steps of a method disclosed in connection with the embodiments of the present application may be embodied directly in a hardware processor for execution, or in a combination of hardware and software modules in the processor for execution.
The memory 302 is used as a nonvolatile storage medium for storing nonvolatile software programs, nonvolatile computer-executable programs, and modules. The Memory may include at least one type of storage medium, and may include, for example, flash Memory, hard disk, multimedia card, card Memory, random access Memory (Random Access Memory, RAM), static random access Memory (Static Random Access Memory, SRAM), programmable Read-Only Memory (Programmable Read Only Memory, PROM), read-Only Memory (ROM), electrically erasable programmable Read-Only Memory (ELECT RICALLY Erasable Programmable Read-Only Memory, EERPOM), magnetic Memory, magnetic disk, optical disk, and the like. The memory is any other medium that can be used to carry or store desired program code in the form of instructions or data structures and that can be accessed by a computer, but is not limited to such. The memory 302 in embodiments of the present application may also be circuitry or any other device capable of performing memory functions for storing program instructions and/or data.
Optionally, the present application also provides a program product, such as a storage medium, comprising a program for performing the above-described method embodiments when being executed by a processor.
In the several embodiments provided by the present application, it should be understood that the disclosed apparatus and method may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, e.g., the division of the units is merely a logical function division, and there may be additional divisions when actually implemented, e.g., multiple units or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or units, which may be in electrical, mechanical or other form.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in the embodiments of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in hardware plus software functional units.
The integrated units implemented in the form of software functional units described above may be stored in a computer readable storage medium. The software functional unit is stored in a storage medium, and includes several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) or a processor (english: processor) to perform some of the steps of the methods according to the embodiments of the application. And the aforementioned storage medium includes: u disk, mobile hard disk, read-Only Memory (ROM), random access Memory (Random Access Memory, RA), magnetic disk or optical disk, etc.
Claims (7)
1. An ERP-based data security and privacy protection system, the system comprising: the system comprises a data encryption module, a right management module, an audit trail module, a data backup and recovery module and a risk assessment module;
the data encryption module is used for encrypting the sensitive data in the enterprise resource planning ERP system to generate encrypted data;
the right management module is used for determining various data access right information corresponding to the user IDs one by one based on a preset right mapping table;
The audit trail module is configured to record sensitive operations in the ERP system, where the sensitive operations at least include: at least one of a data access operation, a data modification operation, and a data deletion operation;
The data backup and recovery module is used for backing up the data in the ERP system in a set period and responding to a data recovery instruction input by a user to recover the data in the ERP system;
The risk assessment module is used for identifying security risk information of the sensitive data in the ERP system and generating risk management policy information of the ERP system based on the security risk information;
The step of encrypting the sensitive data in the ERP system and generating the encrypted data comprises the following steps:
Identifying data parameter type information of the sensitive data;
Determining a data sensitivity score of the sensitive data according to the data parameter type information;
Dynamically encrypting the sensitive data based on the data sensitivity score to generate the encrypted data;
the step of dynamically encrypting the sensitive data based on the data sensitivity score to generate the encrypted data comprises:
Identifying the service type of the sensitive data;
Determining service class information of the service type corresponding to the sensitive data based on a preset service class mapping table, wherein the preset service class mapping table comprises mapping relations between a plurality of service types and a plurality of service class information;
determining an encryption intensity adjustment coefficient according to the service level information;
Multiplying the encryption strength adjustment coefficient with the data sensitivity score to generate a dynamic encryption strength;
Dynamically encrypting the sensitive data in an AES encryption mode according to the dynamic encryption intensity to generate encrypted data;
The step of determining the data sensitivity score of the sensitive data according to the data parameter type information comprises the following steps:
Determining data weight, data leakage risk score, loss degree score, data type coefficient and data scoring coefficient of the sensitive data in the ERP system according to the data parameter type information;
The data sensitivity score is determined by calculation as follows:
The data sensitivity score is Q, the data weight is W, the data leakage risk score is S leak, the loss degree score is S loss, the data parameter type information is K type, and the data scoring coefficient is K.
2. The ERP-based data security and privacy protection system of claim 1, wherein the step of determining the data sensitivity score of the sensitive data from the data parameter type information further comprises:
determining a data protection cost score, a data generation time coefficient, a data security coefficient, a data importance coefficient and a data access frequency coefficient of the sensitive data according to the data parameter type information;
The data scoring coefficients are determined by:
K=SprotectionKtimeKclassKimportanceKfrequency
The K is the data scoring coefficient, the S protection is the data protection cost, the K time is the data generation time coefficient, the K class is the data security coefficient, the K importance is the data importance coefficient, and the K frequency is the data access frequency coefficient.
3. The ERP-based data security and privacy protection system of claim 1, wherein the step of recording sensitive operations in the ERP system comprises:
In response to detecting the sensitive operation in the ERP system, determining user ID information, browse record information and timestamp information of the sensitive operation;
And establishing a mapping relation between the user ID information, the browsing record information and the timestamp information through a preset hash table to generate a target hash table, wherein the target hash table is used for recording the sensitive operation.
4. The ERP-based data security and privacy protection system of claim 3, wherein the step of recording sensitive operations in the ERP system further comprises:
Determining first timestamp information and first browsing record information of a first sensitive operation based on the user ID information in response to detecting the first sensitive operation again;
and updating the target hash table according to the first timestamp information and the first browsing record information.
5. The ERP-based data security and privacy protection system of claim 1, wherein the step of identifying security risk information for the sensitive data in the ERP system comprises:
Acquiring data type information of the sensitive data;
determining the importance degree of the sensitive data according to the data type information;
And carrying out rationality evaluation on encryption setting of the encrypted data according to the importance degree so as to generate the security risk information.
6. The ERP-based data security and privacy protection system of claim 5, wherein the step of rationally evaluating the encryption settings of the encrypted data according to the level of importance to generate the security risk information comprises:
identifying encryption grade information of the encrypted data;
Determining a rationality score of the encrypted data according to the importance level and the encryption grade information;
And generating the safety risk information according to the rationality score.
7. An ERP-based data security and privacy protection method applied to the system of any one of claims 1-6, the method comprising:
In response to detecting a data access request in an ERP system, determining user ID information corresponding to the data access request;
Determining data access authority information corresponding to the user ID information based on the preset authority mapping table;
recording the data access operation corresponding to the user ID information under the condition that the data access request is matched with the data access authority information, and generating a data access record;
If the data access record is determined to be sensitive operation, recording the sensitive operation to generate sensitive data;
Encrypting the sensitive data to generate encrypted data.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311205963.0A CN117195297B (en) | 2023-09-18 | 2023-09-18 | ERP-based data security and privacy protection system and method |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311205963.0A CN117195297B (en) | 2023-09-18 | 2023-09-18 | ERP-based data security and privacy protection system and method |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN117195297A CN117195297A (en) | 2023-12-08 |
| CN117195297B true CN117195297B (en) | 2024-04-30 |
Family
ID=88984810
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311205963.0A Active CN117195297B (en) | 2023-09-18 | 2023-09-18 | ERP-based data security and privacy protection system and method |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN117195297B (en) |
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20060086619A (en) * | 2005-01-27 | 2006-08-01 | 주식회사 하이닉스반도체 | Audit information system based on erp, and method of management the same |
| CN104573547A (en) * | 2014-10-21 | 2015-04-29 | 江苏通付盾信息科技有限公司 | Information interaction safety protection system and operation realization method thereof |
| CN105553940A (en) * | 2015-12-09 | 2016-05-04 | 北京中科云集科技有限公司 | Safety protection method based on big data processing platform |
| CN107730128A (en) * | 2017-10-23 | 2018-02-23 | 上海携程商务有限公司 | Methods of risk assessment and system based on operation flow |
| CN109977690A (en) * | 2017-12-28 | 2019-07-05 | ***通信集团陕西有限公司 | A kind of data processing method, device and medium |
| CN110119629A (en) * | 2019-04-19 | 2019-08-13 | 国家电网有限公司 | Private data management and data safety unified platform |
| CN112287382A (en) * | 2020-09-10 | 2021-01-29 | 江上(上海)软件科技有限公司 | Safety compliance processing system and method for equipment data |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US7757278B2 (en) * | 2001-01-04 | 2010-07-13 | Safenet, Inc. | Method and apparatus for transparent encryption |
-
2023
- 2023-09-18 CN CN202311205963.0A patent/CN117195297B/en active Active
Patent Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| KR20060086619A (en) * | 2005-01-27 | 2006-08-01 | 주식회사 하이닉스반도체 | Audit information system based on erp, and method of management the same |
| CN104573547A (en) * | 2014-10-21 | 2015-04-29 | 江苏通付盾信息科技有限公司 | Information interaction safety protection system and operation realization method thereof |
| CN105553940A (en) * | 2015-12-09 | 2016-05-04 | 北京中科云集科技有限公司 | Safety protection method based on big data processing platform |
| CN107730128A (en) * | 2017-10-23 | 2018-02-23 | 上海携程商务有限公司 | Methods of risk assessment and system based on operation flow |
| CN109977690A (en) * | 2017-12-28 | 2019-07-05 | ***通信集团陕西有限公司 | A kind of data processing method, device and medium |
| CN110119629A (en) * | 2019-04-19 | 2019-08-13 | 国家电网有限公司 | Private data management and data safety unified platform |
| CN112287382A (en) * | 2020-09-10 | 2021-01-29 | 江上(上海)软件科技有限公司 | Safety compliance processing system and method for equipment data |
Also Published As
| Publication number | Publication date |
|---|---|
| CN117195297A (en) | 2023-12-08 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11468192B2 (en) | Runtime control of automation accuracy using adjustable thresholds | |
| US10416966B2 (en) | Data processing systems for identity validation of data subject access requests and related methods | |
| JP6680840B2 (en) | Automatic detection of fraudulent digital certificates | |
| US10614233B2 (en) | Managing access to documents with a file monitor | |
| US12021874B2 (en) | Dynamic management of consent and permissioning between executed applications and programmatic interfaces | |
| US10972475B1 (en) | Account access security using a distributed ledger and/or a distributed file system | |
| US11188667B2 (en) | Monitoring and preventing unauthorized data access | |
| US10432622B2 (en) | Securing biometric data through template distribution | |
| US11757850B2 (en) | Distributed logging for securing non-repudiable multi-party transactions | |
| US10958687B2 (en) | Generating false data for suspicious users | |
| US10282461B2 (en) | Structure-based entity analysis | |
| CN112150113A (en) | Method, device and system for borrowing file data and method for borrowing data | |
| US20220129586A1 (en) | Methods and systems for processing agency-initiated privacy requests | |
| US10181039B1 (en) | Systems and methods for providing computing security by classifying organizations | |
| CN117195297B (en) | ERP-based data security and privacy protection system and method | |
| CN113498592B (en) | Method and system for digital property authentication and management | |
| WO2020228564A1 (en) | Application service method and device | |
| US20240127332A1 (en) | Secure Decentralized System and Method | |
| AlSadoon | Comparisons and Appropriate Solutions to Prevent Data Threats of Cloud Computing, Applied in Green Environment | |
| Nhan et al. | A Study on Accounting Information System Security | |
| CN117527296A (en) | Block chain-based data trusted access control method, device and equipment | |
| CN118296622A (en) | Database account management method, equipment, medium and product | |
| Aissa | A BASIC SECURITY REQUIREMENTS TAXONOMY TO QUANTIFY SECURITY THREATS: AN E-LEARNING APPLICATION |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |