
CN-114091051-B - Data compliance management and control method and system based on security capability scene arrangement


Abstract

The invention provides a data compliance management and control method and system based on security capability scene arrangement. The method comprises the steps of determining the data security software and hardware tools to be called from a preset workflow engine based on the data security protection flow to be executed, acquiring state information of those tools, and generating a call instruction for calling them based on the workflow engine, the state information of the tools and a preset call mode. The workflow engine uses a computer language to describe the security policies related to the data security protection flow, the data security software and hardware tools required by those policies, and the cooperation relations among the tools. The invention keeps the security policies consistent and allows the protection policy to take full effect.

Inventors

  • YU PENGFEI
  • SHI CONGCONG
  • ZHOU XIAOMING
  • WANG LEI
  • HUANG XIULI

Assignees

  • 全球能源互联网研究院有限公司
  • 国家电网有限公司
  • 国网辽宁省电力有限公司
  • 国网辽宁省电力有限公司信息通信分公司

Dates

Publication Date
20260512
Application Date
20211028

Claims (14)

  1. A data compliance management and control method based on security capability scene orchestration, comprising: determining a data security software and hardware tool to be called from a preset workflow engine based on a data security protection flow to be executed, and acquiring state information of the data security software and hardware tool; determining a cooperative relationship between the data security software and hardware tools to be used based on the workflow engine; setting the measurement result of data security software and hardware tools whose execution mode is serial, or whose execution results mutually influence each other, to strong consistency; setting the measurement result of data security software and hardware tools whose execution mode is parallel, or whose execution results do not affect each other, to weak consistency; judging whether the state information of the data security software and hardware tool exceeds the upper limit of the capacity of the data security software and hardware tool; when the capacity upper limit of the load of the data security software and hardware tools is exceeded and the measurement result among the data security software and hardware tools is strong consistency, controlling the rate of service requests entering the system by adopting a leaky bucket algorithm or a token bucket algorithm, and generating function start and function end instructions; when the capacity upper limit of the load of the data security software and hardware tools is exceeded and the measurement result among the data security software and hardware tools is weak consistency, generating a function suspension instruction according to the workflow engine; when the capacity upper limit of the load of the data security software and hardware tools is not exceeded and the measurement result among the data security software and hardware tools is strong consistency, generating function start and function end instructions according to the workflow engine; when the capacity upper limit of the load of the data security software and hardware tools is not exceeded and the measurement result among the data security software and hardware tools is weak consistency, generating a function suspension instruction according to the workflow engine; wherein the workflow engine is obtained by describing, in a computer language, the security policies related to the data security protection flow, the data security software and hardware tools required by the security policies, and the cooperation relations among the data security software and hardware tools.
  2. The method of claim 1, wherein the workflow engine is formulated by: determining the related security policies based on the data security protection flow; determining the data security software and hardware tool to be adopted for each security policy; generating an execution sequence of the data security software and hardware tools based on the cooperation relations among them; and describing the data security software and hardware tools according to the execution sequence in a computer language to obtain the workflow engine.
  3. The method of claim 2, wherein the cooperation relationship includes a chain mode, a parallel aggregation mode, and a branch mode.
  4. The method of claim 1, wherein the calling mode comprises sequential automatic calling or scene-triggered calling.
  5. A system for implementing the data compliance management and control method based on security capability scene orchestration according to any one of claims 1-4, comprising a data security software and hardware tool and a data security capability scheduling module; the data security software and hardware tool is used for executing tasks based on the calling instruction and feeding back state information to the data security capability scheduling module; the data security capability scheduling module is used for determining a data security software and hardware tool from a preset workflow engine according to the data security protection flow to be executed, acquiring the state information fed back by the data security software and hardware tool, and generating a calling instruction according to the preset workflow engine and the state information fed back by the data security software and hardware tool; the workflow engine is obtained by describing, in a computer language, the security policies related to the data security protection flow, the data security software and hardware tools required by the security policies, and the cooperation relations among the data security software and hardware tools.
  6. The system of claim 5, further comprising a scene scenario description module; the scene scenario description module is used for determining the related security policies based on the data security protection flow, determining the data security software and hardware tools to be adopted for each security policy, generating execution sequences of the data security software and hardware tools based on the cooperation relations among them, and describing the data security software and hardware tools according to the execution sequences in a computer language to obtain the workflow engine.
  7. The system of claim 6, wherein the scenario description module comprises a scenario editing sub-module and a workflow engine conversion module; the scenario editing sub-module is used for describing, in a computer language, the security policy corresponding to each scene, the data security software and hardware tools required by that security policy, the mutual cooperation relationship among the data security software and hardware tools and the calling mode, to obtain a scenario corresponding to each scene; the workflow engine conversion module is used for generating an execution sequence of each data security software and hardware tool according to the calling mode of each scenario combined with the cooperation relationship among the data security software and hardware tools, constructing the workflow engine from the data security software and hardware tools and the execution sequence, and sending the workflow engine to the data security capability scheduling module.
  8. The system of claim 7, wherein the data security capability scheduling module comprises a resource on-demand scheduling sub-module, a policy consistency determination sub-module, and a capability standardization interface sub-module; the policy consistency determination sub-module is used for receiving the state information fed back by the data security software and hardware tools, measuring the consistency among the data security software and hardware tools and sending the measurement result to the resource on-demand scheduling sub-module; the resource on-demand scheduling sub-module is used for generating a calling instruction according to the workflow engine sent by the workflow engine conversion module, the received state information fed back by the data security software and hardware tools and the measurement result among the data security software and hardware tools, and sending the calling instruction to the capability standardization interface sub-module; the capability standardization interface sub-module is used for controlling the security software and hardware tool according to the calling instruction.
  9. The system of claim 8, wherein the policy consistency determination sub-module comprises a strong consistency unit, a weak consistency unit and a forwarding unit; the strong consistency unit is used for setting the measurement result of data security software and hardware tools whose execution mode is serial, or whose execution results mutually influence each other, to strong consistency; the weak consistency unit is used for setting the measurement result of data security software and hardware tools whose execution mode is parallel, or whose execution results do not affect each other, to weak consistency; and the forwarding unit is used for sending the strong and weak consistency measurement results determined by the strong consistency unit and the weak consistency unit to the resource on-demand scheduling sub-module.
  10. The system of claim 9, wherein the resource on-demand scheduling sub-module comprises a judging unit and an instruction generating unit; the judging unit is used for judging, according to the received state information fed back by the data security software and hardware tool, whether the load of the data security software and hardware tool exceeds its capacity upper limit, and sending the judging result to the instruction generating unit; the instruction generating unit is used for controlling the rate of service requests entering the system by adopting a leaky bucket algorithm or a token bucket algorithm when the judging result is that the capacity upper limit is exceeded and the measurement result among the data security software and hardware tools is strong consistency, and generating function start and function end instructions; when the judging result is that the capacity upper limit is exceeded and the measurement result among the data security software and hardware tools is weak consistency, generating a function suspension instruction according to the workflow engine; when the judging result is that the capacity upper limit is not exceeded and the measurement result among the data security software and hardware tools is strong consistency, generating function start and function end instructions according to the workflow engine; and when the judging result is that the capacity upper limit is not exceeded and the measurement result among the data security software and hardware tools is weak consistency, generating a function suspension instruction according to the workflow engine.
  11. The system of claim 7, wherein each scene comprises at least one of a sensitive data identification scene, a data classification and grading scene, a data desensitization scene, and a data watermark scene.
  12. The system of claim 7, wherein the mutual cooperation relationship includes a chain mode, a parallel aggregation mode, and a branch mode; the calling mode comprises automatic calling and scene-triggered calling.
  13. A computer device, comprising one or more processors; the processor is used for generating a calling instruction for calling the data security software and hardware tool according to the state information of the data security software and hardware tool, generated by the pre-constructed workflow engine and the scene script description module; and the processor executes the call instruction to implement the data compliance management method of any one of claims 1-4.
  14. A computer readable storage medium having stored thereon a computer program which, when executed, implements the data compliance management method of any one of claims 1 to 4; the workflow engine is obtained by describing, in a computer language, the security policies related to the data security protection flow, the data security software and hardware tools required by the security policies, and the cooperation relations among the data security software and hardware tools.
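The decision table in claims 1, 9 and 10 (consistency measurement, capacity check, token-bucket throttling, start/end versus suspension instructions) can be written out as a small scheduler. The block below is an added example, not code from the patent or its assignees; the `ToolState`, `Cooperation`, `TokenBucket` and `generate_instructions` names, the sample workflow and the load figures are constructed for illustration. It generalizes the claim slightly by walking a whole workflow execution sequence (chain steps followed by a parallel pair) rather than a single tool.

```python
"""Scheduling decision logic modelled on claims 1, 9 and 10 (added example)."""
from dataclasses import dataclass
from enum import Enum
import time


class Mode(Enum):
    SERIAL = "serial"        # chain mode in the workflow engine
    PARALLEL = "parallel"    # parallel aggregation mode


class Consistency(Enum):
    STRONG = "strong"
    WEAK = "weak"


@dataclass
class ToolState:
    """State information fed back by a data security tool (constructed sample)."""
    name: str
    load: int        # current load reported by the tool
    capacity: int    # upper limit of the tool's load capacity


@dataclass
class Cooperation:
    """Cooperation relation between a tool and its neighbours in the workflow."""
    mode: Mode
    results_interact: bool   # True when the tools' execution results affect each other


class TokenBucket:
    """Token bucket rate limiter; the clock is injectable so runs are deterministic."""

    def __init__(self, rate: float, burst: int, clock=time.monotonic):
        self.rate = rate          # tokens added per second
        self.burst = burst        # maximum stored tokens
        self.clock = clock
        self.tokens = float(burst)
        self.last = clock()

    def try_consume(self) -> bool:
        """Refill according to elapsed time, then admit one request if a token is free."""
        now = self.clock()
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def measure_consistency(coop: Cooperation) -> Consistency:
    """Policy consistency determination (claim 9): serial execution or mutually
    influencing results give strong consistency; parallel and independent give weak."""
    if coop.mode is Mode.SERIAL or coop.results_interact:
        return Consistency.STRONG
    return Consistency.WEAK


def generate_instructions(state: ToolState, coop: Cooperation,
                          bucket: TokenBucket, requests: int) -> dict:
    """Resource on-demand scheduling (claim 10): combine the capacity check with
    the consistency measurement to produce the call instructions for one tool."""
    consistency = measure_consistency(coop)
    overloaded = state.load > state.capacity
    result = {"tool": state.name, "consistency": consistency.value,
              "overloaded": overloaded, "rate_limited": False}
    if consistency is Consistency.WEAK:
        # Both weak-consistency branches of the claim yield a suspension instruction.
        result.update(instructions=["function_suspend"], admitted=0)
        return result
    if overloaded:
        # Strong consistency under overload: throttle admission with the token bucket.
        admitted = sum(1 for _ in range(requests) if bucket.try_consume())
        result["rate_limited"] = True
    else:
        admitted = requests
    result.update(instructions=["function_start", "function_end"], admitted=admitted)
    return result


def run_workflow(workflow, states, bucket, requests):
    """Walk the workflow engine's execution sequence and emit one decision per tool."""
    return [generate_instructions(states[name], coop, bucket, requests)
            for name, coop in workflow]


# Constructed workflow: sensitive-data identification feeds classification (chain mode);
# desensitization and watermarking run in parallel on independent results.
WORKFLOW = [
    ("sensitive_data_identification", Cooperation(Mode.SERIAL, True)),
    ("data_classification", Cooperation(Mode.SERIAL, True)),
    ("data_desensitization", Cooperation(Mode.PARALLEL, False)),
    ("data_watermark", Cooperation(Mode.PARALLEL, False)),
]

if __name__ == "__main__":
    states = {
        "sensitive_data_identification": ToolState("sensitive_data_identification", 120, 100),
        "data_classification": ToolState("data_classification", 40, 100),
        "data_desensitization": ToolState("data_desensitization", 10, 100),
        "data_watermark": ToolState("data_watermark", 150, 100),
    }
    bucket = TokenBucket(rate=5.0, burst=20)
    for decision in run_workflow(WORKFLOW, states, bucket, requests=50):
        print(decision)
```

The injectable clock matters for testing: with a frozen clock the bucket never refills, so an overloaded strong-consistency tool admits exactly `burst` of the incoming requests, which makes the throttling branch checkable without sleeping. Note that the claim's two weak-consistency branches both produce a suspension instruction regardless of load, and the scheduler reproduces that exactly rather than second-guessing it.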

Description

Data compliance management and control method and system based on security capability scene arrangement

Technical Field

The invention relates to the field of scene editing, in particular to a data compliance management and control method and system based on security capability scene editing.

Background

In the data security protection process, different data security protection measures can be used simultaneously; the intended protection effect is achieved only if the security policies are consistent, otherwise the protection policies are likely to fail and the data may even become unusable. Most current data security tools are provided independently by manufacturers, the data security measures are deployed in a fragmented way, it is difficult to ensure that the data security policies are consistent, and the intended efficacy of the data security tools is limited. The application scenes of power grid data are complex and the data security risks they face differ, so the various data security capabilities must be called flexibly according to the scene, on the premise that the various data security tools are brought under unified management, in order to realize collaborative protection.

Disclosure of Invention

In order to solve the problem in the prior art that inconsistent security policies cause the protection policy to fail and even make data unusable, the invention provides a data compliance management and control method based on security capability scene arrangement, which comprises the following steps: determining a data security software and hardware tool to be called from a preset workflow engine based on a data security protection flow to be executed, and acquiring state information of the data security software and hardware tool; generating a calling instruction for calling the data security software and hardware tool based on the workflow engine, the state information of the data security software and hardware tool and a preset calling mode; the workflow engine is obtained by describing, in a computer language, the security policies related to the data security protection flow, the data security software and hardware tools required by the security policies, and the cooperation relations among the data security software and hardware tools.

Preferably, the workflow engine is formulated by: determining the related security policies based on the data security protection flow; determining the data security software and hardware tool to be adopted for each security policy; generating an execution sequence of the data security software and hardware tools based on the cooperation relations among them; and describing the data security software and hardware tools according to the execution sequence in a computer language to obtain the workflow engine.

Preferably, the collaboration relationship includes a chain mode, a parallel aggregation mode and a branch mode.

Preferably, generating the call instruction for calling the data security software and hardware tool based on the workflow engine, the state information of the data security software and hardware tool and the preset call mode includes: determining the cooperative relationship between the data security software and hardware tools to be used based on the workflow engine; measuring the consistency of the data security software and hardware tools based on the cooperation relation among them and their state information to obtain a measurement result; generating a calling instruction for calling the data security software and hardware tool based on the state information of the data security software and hardware tool, the measurement result and the calling mode; the calling mode comprises sequential automatic calling or scene-triggered calling.

Preferably, measuring the consistency between the data security software and hardware tools based on the collaboration relationship between them and their state information to obtain a measurement result includes: setting the measurement result of data security software and hardware tools whose execution mode is serial, or whose execution results mutually influence each other, to strong consistency; and setting the measurement result of data security software and hardware tools whose execution mode is parallel, or whose execution results do not affect each other, to weak consistency.

Preferably, generating the call instruction of the data security software and hardware tool based on the state information of the data security software and hardware tool and the measurement result includes: judging whether the state information of the data security software and hardware tool exceeds the upper limit of the capacity of the data security software and hardware tool; when the capacity upper limit of the load of the data security software and hardware tools