
CN-115309840-B - Classification hierarchical labeling method, equipment and data access control system


Abstract

The invention relates to a classification and grading labeling method, classification and grading labeling equipment and a data access control system in the technical field of data security. Attribute-level and/or data-level classification hierarchical labeling is carried out according to the data structure table and the data table contained in the target database scanning information sent by the zero-trust database gateway, and the classification hierarchical labeling result is sent back to the zero-trust database gateway so that the gateway can carry out data-level labeling. Automatic data-level labeling is thus realized through the classification and grading labeling equipment, which solves the technical problem of coarse data grading and missing fine granularity in the prior art.

Inventors

  • LI WEN

Assignees

  • 北京从云科技有限公司

Dates

Publication Date
20260508
Application Date
20220829

Claims (6)

  1. A classification hierarchical labeling method, characterized by comprising the steps of: receiving target database scanning information sent by a zero-trust database gateway, wherein the target database scanning information comprises a data structure table and a data table of a target database; carrying out attribute-level and/or data-level classification hierarchical labeling on the data structure table and the data table; sending the classification hierarchical labeling results to the zero-trust database gateway, enabling the zero-trust database gateway to add classification hierarchical attribute columns corresponding to the labeled data to the data structure table and/or the data table according to the classification hierarchical labeling results, and to fill the corresponding classification hierarchical attribute values into those columns to complete data-level labeling; and further comprising, by the zero-trust database gateway: receiving a query request carrying user identity information added to the query conditions; analyzing the query request and removing that query condition to obtain the real user identity information; supplementing, in the query request, screening conditions based on the classification hierarchical attribute columns according to the classification hierarchical rights corresponding to the real user identity information; completing the query request according to those classification hierarchical rights; and, when the classification hierarchical rights corresponding to the user identity information change, completing the query request according to the changed classification hierarchical rights.
  2. A data access control system, characterized by comprising a service server, a zero trust database gateway, a zero trust controller and classification and grading labeling equipment; the classification and grading labeling equipment is used for executing the classification and grading labeling method according to claim 1; the service server is used for accessing the target database through the zero trust database gateway; the zero trust controller is used for configuring the classification and grading rights of a user according to configuration operation, sending the classification and grading rights of a user who successfully logs in to the zero trust gateway and the zero trust database gateway after the login, so that the user accesses the service server with those classification and grading rights, reducing the classification and grading rights grade of the user when an abnormal condition occurs, recovering the classification and grading rights grade of the user when the abnormal condition is over, and sending the reduced or recovered classification and grading rights grade to the zero trust database gateway; the zero trust database gateway is used for receiving a query request sent by the service server, wherein the query request carries user identity information added to the query conditions, analyzing the query request, removing that query condition to obtain the real user identity information, supplementing rights screening conditions based on the classification attribute column in the query request according to the classification rights corresponding to the real user identity information, querying information in the target database according to the supplemented query request, and sending the query result to the service server.
  3. The system of claim 2, wherein the zero trust database gateway is further configured to convert the classification hierarchy attribute value to an integer based on a preset rule.
  4. The system of claim 2, wherein the zero trust database gateway is specifically configured to receive a query result, desensitize the query result according to the classification and grading rights corresponding to the user identity information, and send the desensitized result to the service server.
  5. The system of claim 2, wherein the abnormal condition comprises the service server being attacked, the user side being attacked, and the user's access behavior being abnormal.
  6. Classification and grading labeling equipment, characterized by comprising a processor and a memory, wherein the processor is connected with the memory and is used for calling and executing a program stored in the memory, and the memory is used for storing the program, the program being at least used for executing the classification and grading labeling method according to claim 1.
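As an added illustration that is not part of the patent, the following Python toy models the data-level labeling step of claim 1 together with the gateway behaviour of claims 2 and 3 (strip the identity condition from the query, look up the user's rights as an integer grade, append a screening condition on the classification column, and lower the grade when the controller reports an abnormal condition). The `__uid` marker, the `cls_level` column name, the `staff` table, the level mapping and the per-user rights are all constructed assumptions; the service server is assumed to append the marker at the end of the WHERE clause.

```python
import re
import sqlite3

LEVELS = {"public": 1, "internal": 2, "confidential": 3, "secret": 4}  # claim 3: labels as integers (constructed)
USER_RIGHTS = {"alice": 4, "bob": 2}  # per-user rights as pushed by the zero trust controller (constructed)
# Hypothetical marker the service server appends to the WHERE clause so the gateway learns the real user.
UID_RE = re.compile(r"\s+AND\s+__uid\s*=\s*'([^']*)'", re.IGNORECASE)

def label_table(conn, table, label_fn):
    """Data-level labeling: add a classification attribute column and fill it row by row."""
    conn.execute(f"ALTER TABLE {table} ADD COLUMN cls_level INTEGER")
    cur = conn.execute(f"SELECT rowid, * FROM {table}")
    cols = [d[0] for d in cur.description][1:]
    for row in cur.fetchall():
        level = LEVELS[label_fn(dict(zip(cols, row[1:])))]
        conn.execute(f"UPDATE {table} SET cls_level = ? WHERE rowid = ?", (level, row[0]))

def rewrite_query(sql, rights, degraded=frozenset()):
    """Gateway step: strip the identity condition, resolve rights, append a screening condition."""
    m = UID_RE.search(sql)
    if not m:
        raise ValueError("query carries no user identity marker")
    user = m.group(1)
    if user not in rights:
        raise PermissionError(f"no classification rights configured for {user!r}")
    level = rights[user] - 1 if user in degraded else rights[user]  # abnormal condition: one grade lower
    stripped = (sql[:m.start()] + sql[m.end():]).rstrip(" ;")
    joiner = " AND " if re.search(r"\bWHERE\b", stripped, re.IGNORECASE) else " WHERE "
    return user, stripped + joiner + "cls_level <= ?", (max(level, 0),)

def gateway_query(conn, sql, degraded=frozenset()):
    _, safe_sql, params = rewrite_query(sql, USER_RIGHTS, degraded)
    return sorted(r[0] for r in conn.execute(safe_sql, params))  # bound parameter, not string-built

def classify(record):  # constructed rule standing in for the labeling device's classifier
    if record["dept"] == "exec":
        return "secret"
    return "confidential" if record["salary"] > 51000 else "internal"

def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE staff (name TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO staff VALUES (?, ?, ?)",
                     [("ann", "sales", 50000), ("cto", "exec", 250000), ("dan", "sales", 52000)])
    label_table(conn, "staff", classify)
    q = "SELECT name FROM staff WHERE dept IN ('sales', 'exec') AND __uid='bob'"
    return {"bob": gateway_query(conn, q),
            "alice": gateway_query(conn, q.replace("'bob'", "'alice'")),
            "alice_degraded": gateway_query(conn, q.replace("'bob'", "'alice'"), {"alice"})}
```

The same table serves three callers: the low-grade user sees only internal rows, the high-grade user sees everything, and the same high-grade user under an abnormal condition loses the secret row without the query text changing.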

Description

Technical Field

The invention relates to the technical field of data security, and in particular to a classification and grading labeling method, classification and grading labeling equipment and a data access control system.

Background

Technological developments have driven the continual progress of network technology. Before accessing data, a user completes a knock through Single Packet Authorization (SPA) to acquire access rights to an application server. After authorization succeeds, while the user accesses the application server, the zero trust platform comprehensively evaluates the user's identity credibility and risk through terminal security perception, collection and analysis of access conditions, the security state of the target application server and the like, so that the user's rights are dynamically raised or degraded, giving application scenarios a finer-grained and faster automatic risk response. To improve information security, information service providers classify and grade information data according to national, industry and other data classification and grading standards, so that users with different rights are provided with a reasonable minimum set of data access services and events such as over-privileged access, disclosure and infringement of citizens' privacy are reduced. Among the relevant techniques, data desensitization is a data security technology commonly used in the related art.

However, in terms of identifying the database visitor, existing dynamic database desensitization products basically desensitize the query data of a connection according to the IP address of the application server, the database account used by the connection and the like; this achieves rights identification and control only at the application server level, not at the user level of the service layer. In terms of data annotation, existing data classification and grading products generally label the attributes of databases and tables, reaching only the column level and not the data level, which makes it hard to meet the requirements of some high-security application scenarios. The prior art therefore suffers from coarse data grading and missing fine granularity.

Disclosure of Invention

The invention therefore aims to provide a classification and grading labeling method, classification and grading labeling equipment and a data access control system that solve the problems of coarse classification and missing fine granularity in current data.

To this end, the invention adopts the following technical scheme. In one aspect, a classification hierarchical labeling method includes: receiving target database scanning information sent by a zero trust database gateway, wherein the target database scanning information comprises a data structure table and a data table of a target database; carrying out attribute-level and/or data-level classification and grading labeling on the data structure table and the data table; and sending the classification and grading labeling results to the zero trust database gateway, so that the zero trust database gateway adds classification and grading attribute columns corresponding to the labeled data to the data structure table and/or the data table according to the results, and fills the corresponding classification and grading attribute values into those columns to complete data-level labeling.
In still another aspect, a data access control system includes a service server, a zero trust database gateway, a zero trust controller and a classification hierarchical labeling device, where the classification hierarchical labeling device is configured to execute the classification hierarchical labeling method described above; the service server is used for accessing the target database through the zero trust database gateway; the zero trust controller is used for configuring the classification and grading rights of the user according to configuration operation, and for sending the classification and grading rights of a user who successfully logs in to the zero trust gateway and the zero trust database gateway after the login, so that the user accesses the service server with those classification and grading rights; the zero trust database gateway is used for receiving a query request sent by the service server, wherein the query request carries user identity information added to the query conditions, analyzing the query request, removing the query conditions to obtain real user identity inform