CN108133143B - Data leakage prevention method and system for cloud desktop application environment - Google Patents
- Publication number: CN108133143B (application CN201711321695.3A)
- Authority: CN (China)
- Prior art keywords: file, data, data object, outgoing, platform side
- Legal status: Active
Classifications
- G—PHYSICS > G06—COMPUTING OR CALCULATING; COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60—Protecting data > G06F21/602—Providing cryptographic facilities or services
- G—PHYSICS > G06—COMPUTING OR CALCULATING; COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60—Protecting data > G06F21/62—Protecting access to data via a platform, e.g. using keys or access control rules > G06F21/6209—Protecting access to data via a platform, e.g. using keys or access control rules to a single file or object, e.g. in a secure envelope, encrypted and accessed using a key, or with access control rules appended to the object itself
Abstract
The invention discloses a data leakage prevention method and system for a cloud desktop application environment. The method comprises the following steps: the data leakage prevention terminal intercepts and takes over the file operation process of the cloud desktop user, obtains the file operation information generated during the user's host operation and pushes it to the platform side; the platform side establishes a corresponding data object in the data pool according to the file operation information; the platform side maps the data object to the host file and stores the file mapping information; the cloud desktop user selects an outgoing host file and a target user; and the platform side queries the file mapping information according to the outgoing host file sending information and sends the outgoing host file according to the resulting control strategy. With this technical scheme, a differential access mechanism loads the corresponding data outgoing control strategy according to the user's login scene, so that the impact on the user's normal data operations is reduced and the working efficiency of the cloud desktop user is improved.
Description
Technical Field
The invention relates to the field of data security, in particular to a data leakage prevention method and system for a cloud desktop application environment.
Background
In recent years, with the rapid development of computer software and hardware capabilities, cloud computing and big data technology have been widely applied and have greatly changed daily life. The cloud desktop, an important component of cloud computing, is in practical use across many industries; its low cost and ease of use greatly reduce an enterprise's spending on computer infrastructure, provide great convenience for employees, and indirectly improve working efficiency. As a software system that can effectively reduce the probability of data leakage, a data leakage prevention system that works effectively in a cloud desktop environment is one of the important challenges currently facing the DLP field, and effective management and control of file outgoing operations is the core target of such a system. To address this, Beijing Mingda technologies GmbH proposes a method for optimizing the working mode of a traditional data leakage prevention system so that it adapts effectively to a cloud desktop environment and controls file outgoing without the user perceiving it.
At present, a data leakage prevention system generally adopts a C/S deployment mode and manages and controls data in the deployment environment with the terminal as the main component and the server side as an auxiliary component. The server only provides common management functions such as terminal management, user management, policy management and system management. The data leakage prevention terminal deployed on the host is the core of the system and comprises a number of data control measures such as peripheral control, file outgoing control, network flow control, data operation control and process control. The mode of operation of a prior art data leakage prevention system is shown in fig. 1.
Analyzing the conventional data leakage prevention system shows the following:
The host-based data leakage prevention terminal is technologically mature and, thanks to its deployment position (the host), can obtain a large amount of operation information and data, which provides an important basis for effectively preventing data leakage. However, limited by its single-host operation mode, it stores highly repetitive data, occupies a large amount of storage space and causes a large amount of identical data scanning, analysis and detection work, which seriously wastes operation resources (storage and computation) and affects the operating efficiency of the data leakage prevention system and even of the computer infrastructure.
In addition, when the conventional data leakage prevention terminal is deployed in a cloud desktop environment, the main problems at present are that cloud computing resources cannot be used effectively and the characteristics of the cloud computing mode are not exploited; as a result the weaknesses of the conventional data leakage prevention system are obviously amplified while the strengths (of the cloud desktop) are suppressed, the advantages brought by the cloud desktop are reduced, and the popularization and application of data leakage prevention functions in the cloud desktop environment are hindered.
Finally, consider a major advantage of cloud desktop applications: portability (unlimited login scenarios). The user may log in from an internal location of the enterprise, or from an external location while on business travel. The control requirements for file outgoing differ between these scenes, but the traditional data leakage prevention system does not effectively distinguish user scenes, and therefore cannot load different control strategies so as to reduce interference with users while still controlling file outgoing effectively.
In summary, the conventional data leakage prevention system, because of its original design target (single-host operation management and control plus networked management), is strongly limited in its application scenarios and has disadvantages when the outgoing management and control function is applied in a cloud desktop environment, including redundant calculation (repeated scanning, analysis and detection), redundant storage (a large number of repeated files) and fixed policy (management and control cannot be differentiated according to the usage scene). These phenomena and problems would not matter if cloud desktop resources were unlimited, but given the cost control requirements of most units deploying data leakage prevention systems, the data leakage prevention target needs to be achieved with low resource occupation, the interference of data leakage prevention operations with normal users must be reduced as far as possible, and the productivity of cloud desktop applications must be improved so as to improve the working efficiency of staff.
Therefore, a data leakage prevention system optimized for the cloud desktop environment, together with a corresponding file outgoing control method, is urgently needed: the calculation, storage and access operations related to leakage prevention should be reworked using the advantages of the cloud, and the individual (each user's cloud desktop use) should be effectively combined with the common (file outgoing control), so as to reduce the computing and storage resources occupied by file outgoing control. At the same time, the users' usage scenes should be distinguished so that file outgoing control strategies and measures of different levels can be loaded and applied.
For the cloud desktop application environment, the invention improves the terminal-based functions of the existing data leakage prevention system, adapts the file outgoing control measures to the cloud environment in three aspects (calculation, storage and access), comprehensively supervises the files, network flow and so on involved in user outgoing operations, effectively controls data storage and transmission in the cloud desktop environment without the user perceiving it, identifies and responds in time to sensitive user operations, reduces the occurrence of data leakage events, improves the effectiveness of the data leakage prevention system, and ensures the data security of the cloud desktop.
Disclosure of Invention
In order to solve the technical problem, the invention provides a data leakage prevention method for a cloud desktop application environment, which is characterized by comprising the following steps of:
1) the data leakage prevention terminal intercepts and takes over the file operation process of the cloud desktop user, obtains the file operation information generated during the user's host operation, and pushes it to the platform side;
2) the platform side establishes a corresponding data object in the data pool according to the file operation information;
3) the platform side maps the data object to the host file and stores the file mapping information;
4) the cloud desktop user selects an outgoing host file and a target user, and the data leakage prevention terminal captures the outgoing host file sending information of the cloud desktop user and informs the platform side;
5) the platform side queries the file mapping information according to the outgoing host file sending information, determines the control strategy for the outgoing host file, and sends the outgoing host file according to the control strategy.
According to the method of the present invention, preferably, in step 2), the platform side maps the data object to the host file and stores the file content in the data object of the data pool, and the host does not store the file content.
According to the method of the present invention, preferably, after the platform side establishes the corresponding data object in the data pool according to the file operation information in step 2), the platform side further performs the following operations:
establishing a data object reference record and storing the read and write file operation records;
establishing data object similarity characteristic information and calculating the file sensitivity;
and feeding back the data object information and the data object reference record to the data leakage prevention terminal.
According to the method of the present invention, preferably, step 5), in which the platform side queries the file mapping information according to the outgoing host file sending information, determines the management and control policy of the outgoing host file, and sends the outgoing host file according to that policy, includes:
locating the data object mapped by the outgoing host file, and determining the type and user authority of the target user;
and sending the data object corresponding to the outgoing host file according to the type and user authority of the target user.
According to the method of the present invention, preferably, sending the data object corresponding to the outgoing host file according to the type and operation authority of the target user includes:
if the cloud desktop user and the target user are both internal users with the same operation authority, then:
the platform side retrieves and determines, in the data pool, the data object mapped by the outgoing host file according to the outgoing host file information, updates the data object record information by adding an outgoing record, and feeds the result back to the source user's data leakage prevention terminal according to the data object access result;
the target user's data leakage prevention terminal captures the target user's operation of receiving the host file and informs the platform side;
and the platform side updates the data object record information by adding a receiving record.
According to the method of the present invention, preferably, sending the data object corresponding to the outgoing host file according to the type and operation authority of the target user includes:
if the cloud desktop user and the target user are both internal users with different operation authority, then:
the platform side retrieves and determines, in the data pool, the data object mapped by the outgoing host file according to the outgoing file information, determines the data object operation to be executed according to the outgoing host file sending information, and adds an outgoing record;
the platform side updates the data object record information, adds an outgoing record, and feeds the result back to the source user's data leakage prevention terminal according to the data object access result;
the target user's data leakage prevention terminal captures the target user's operation of receiving the host file and informs the platform side;
the platform side obtains and calculates the outgoing record, searches whether the same data object already exists in the data pool, reuses it if so, and otherwise creates a new data object according to the requirement of the outgoing record;
the platform side updates the data object record information and adds a receiving record;
and the platform side and the target user's data leakage prevention terminal cooperate to complete the mapping between the received data object and the target user's host file.
According to the method of the present invention, preferably, sending the data object corresponding to the outgoing host file according to the type and operation authority of the target user includes:
if the outgoing host file is sent by an internal cloud desktop user to an external user, then:
the platform side retrieves and determines, in the data pool, the data object mapped by the outgoing host file according to the outgoing host file information, determines the data object operation to be executed according to the outgoing host file sending information, and adds an outgoing record;
the platform side updates the data object record information and adds an outgoing record;
and the platform side obtains and calculates the outgoing record, searches whether the same data object already exists in the data pool, reuses it if so, and otherwise creates a new data object according to the requirement of the outgoing record.
According to the method of the present invention, preferably, the cloud desktop user sends the host file by at least one of the following methods: mail sending, web page sending, application sending or file sharing.
According to the method of the present invention, preferably, in step 3) the platform side maps the data object to the host file and stores the file mapping information, where the information of the host file that needs to be mapped to the data object includes: file name, file size, user to which the file belongs, user authority, file hash value, creation time, modification time, last read time, and the file read record, write record, copy record and delete record.
In order to solve the technical problem, the invention provides a data leakage prevention system for a cloud desktop application environment, which is characterized by comprising: at least two data leakage prevention terminals and a platform side;
the data leakage prevention terminal intercepts and takes over the file operation process of the cloud desktop user, obtains the file operation information generated during the user's host operation, and pushes it to the platform side;
the data leakage prevention terminal captures the outgoing host file sending information of the cloud desktop user when the user selects the outgoing host file and the target user, and informs the platform side;
the platform side establishes a corresponding data object in the data pool according to the file operation information;
the platform side maps the data object to the host file and stores the file mapping information;
the platform side queries the file mapping information according to the outgoing host file sending information from the data leakage prevention terminal, determines the control strategy for the outgoing host file, and sends the outgoing host file to the target data leakage prevention terminal according to the control strategy.
According to the system of the present invention, preferably, the platform side maps the data object to the host file and stores the file content in the data object of the data pool, and the host does not store the file content.
According to the system of the present invention, preferably, after the platform side establishes the corresponding data object in the data pool according to the file operation information, the platform side executes the following operations:
establishing a data object reference record and storing read and write file operation records;
establishing data object similarity characteristic information and calculating file sensitivity;
and feeding back the data object information and the data object reference record to the data leakage-preventing terminal.
According to the system of the present invention, preferably, the platform side queries the file mapping information according to the outgoing host file sending information, determines the management and control policy of the outgoing host file, and sends the outgoing host file according to the management and control policy, including:
positioning a data object mapped by an outgoing host file, and determining the type and user authority of a target user;
and sending the data object corresponding to the file of the outgoing host according to the type of the target user and the user authority.
According to the system of the present invention, preferably, the platform side maps the data object to the host file and stores the file mapping information, where the information of the host file that needs to be mapped to the data object includes: file name, file size, user to which the file belongs, user authority, file hash value, creation time, modification time, last read time, and the file read record, write record, copy record and delete record.
According to the system of the present invention, preferably, the platform side includes a cloud data object storage server for establishing a data pool and a data object, and a data leakage prevention system management server for issuing a management and control policy.
In order to solve the technical problem, the invention provides a data leakage prevention system for a cloud desktop application environment, which is characterized by comprising: at least two data leakage prevention terminals and a platform side;
the at least two data leakage prevention terminals and the platform side each have a computer readable storage medium and a computer processing device;
the computer readable storage media of the at least two data leakage prevention terminals and of the platform side each store computer program instructions;
and the method of one of the above is realized when the computer processing devices of the at least two data leakage prevention terminals and of the platform side each execute the corresponding computer program instructions.
According to the system of the present invention, preferably, the platform side includes a cloud data object storage server for establishing a data pool and a data object, and a data leakage prevention system management server for issuing a management and control policy.
By adopting the technical scheme of the invention, the advantages of the cloud are used to specifically strengthen the file outgoing control function of the data leakage prevention system: the files and network flow on the user host are turned into data objects that are stored and managed uniformly on the platform. For the different combinations of user objects in data outgoing (inside to inside with the same authority, inside to inside with different authorities, and inside to outside), outgoing files are mapped to platform-side data object operations, and the calculation operations such as data similarity, sensitivity, and encryption and decryption are unified. Through this data mapping and calculation caching, the consumption of computing and storage resources by the data leakage prevention system is reduced. At the same time, through the differential access mechanism, the corresponding data outgoing control strategy is loaded according to the user's login scene, the impact on the user's normal data operations is reduced, and the working efficiency of the cloud desktop user is improved.
Drawings
Fig. 1 is a schematic diagram of a conventional data leakage prevention system.
Fig. 2 is a composition structure diagram of a host side terminal according to the present invention.
Fig. 3 is a structural view of the platform side composition of the present invention.
FIG. 4 is a flowchart of the file and data object mapping process of the present invention.
Fig. 5 is a flowchart illustrating the same-authority internal-to-internal file outgoing control according to the present invention.
Fig. 6 is a flowchart illustrating the control of the file outgoing from the internal to the internal with different permissions according to the present invention.
Fig. 7 is a flowchart illustrating an internal-to-external file outgoing control process according to the present invention.
Fig. 8 is a flow chart of access scenario differentiation management and control according to the present invention.
Fig. 9 is a schematic structural composition diagram of an embodiment to which the present invention is applied.
Detailed Description
The invention will be further described with reference to the following figures and specific examples, but the scope of the invention is not limited thereto.
The invention provides a file outgoing control method designed for the characteristics of the cloud desktop application environment, which combines the advantages of a traditional data leakage prevention system and achieves low computing redundancy, low storage redundancy and differential access control, and which is characterized by comprising the following steps:
the data leakage prevention terminal acquires the login information of the cloud desktop user, distinguishes the login scene (judges whether the user logs in from an internal or an external environment), and loads and executes a strategy with the corresponding protection level;
the cloud desktop user creates or modifies a file during host operation;
the data leakage prevention terminal intercepts and takes over the file creation or modification process, acquires the necessary file information and pushes it to the platform side;
after verifying the user information, host information and file information, the platform side establishes a data object in the data pool;
the platform side maps the data object to the host file (the file content is stored in the data pool; the host stores no file content, only the index information of the file, i.e. of the data object, in the data pool);
the platform side establishes a data object reference record and stores file operation records such as reads and writes;
the platform side establishes data object similarity characteristic information and calculates the file sensitivity;
the data object similarity characteristic information may be, for example, the similarity of text or picture content in a readable document (Office file, PDF file or the like), or the binary similarity of a binary file.
the platform side feeds back the data object information and the reference record to the terminal, completing the file generation operation;
the user selects an outgoing file and an outgoing target user, and the terminal captures the operation and informs the platform side;
the platform side locates the data object mapped by the outgoing file and analyzes the combination of outgoing parameters, as follows:
same authority, inside to inside: no operation is performed on the outgoing file (data object); the file received by the outgoing target user is mapped directly to the original data object, i.e. the target user uses the same data object as the sending user, and only a file outgoing record is added to identify the data object;
different authorities, inside to inside: no operation is performed on the outgoing file (data object) at sending time; when the outgoing target user operates on the file, the data object is regenerated according to the specific strategy and mapped to the file, in the same way as for a file generated on a user host, so that the target user opens a new data object;
inside to outside: the outgoing file (data object) is processed according to the specific policies, including encryption, sensitivity scanning (performed in advance) and so on, and a real file is regenerated and sent out to the external area.
According to the method of the present invention, preferably, the method needs to include both host-side terminal and platform-side components.
According to the method of the present invention, preferably, the data outgoing operation includes mail, web page, application program, and file sharing.
According to the method of the present invention, preferably, the method manages the outgoing flows including same-authority inside to inside, different-authority inside to inside, and inside to outside.
According to the method of the present invention, the host-side file map preferably stores file basic information (file name, file size, owning user, user authority, file hash value, creation time, modification time, last read time) and additional reference information (read record, write record, copy record, delete record).
According to the method of the present invention, preferably, the data object calculation operation includes a similarity calculation, a sensitivity calculation, and an encryption/decryption calculation.
According to the method of the present invention, preferably, the reference information of the platform side differential access includes a login user, a login location, a login IP, and a login host.
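As an added illustration (not code from the patent or from Beijing Mingda), the following Python model covers the platform-side data pool, the host-file-to-data-object mapping, and the three outgoing parameter combinations described in the disclosure and in the steps above, together with the login-scene distinction that the differential access mechanism relies on. The internal address ranges, the keyword-based sensitivity score, the authority labels, the authority tag used to regenerate the object for a different-authority recipient, and the rule that sensitive content is not released externally are all constructed assumptions.

```python
import hashlib
import ipaddress
from dataclasses import dataclass, field

# Constructed internal address ranges used to distinguish login scenes (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Constructed keyword list standing in for the platform's sensitivity scan (assumption).
SENSITIVE_TERMS = (b"confidential", b"salary", b"password")


def login_scene(login_ip: str) -> str:
    """Classify a login as 'internal' or 'external' from its source IP (one of the
    reference items the page lists; location and host checks would be added likewise)."""
    addr = ipaddress.ip_address(login_ip)
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "external"


def sensitivity(content: bytes) -> int:
    """Sensitivity score: number of constructed sensitive terms found (assumption)."""
    lowered = content.lower()
    return sum(lowered.count(term) for term in SENSITIVE_TERMS)


@dataclass
class User:
    name: str
    kind: str       # 'internal' or 'external'
    authority: str  # constructed permission label, e.g. 'RW' or 'R'


@dataclass
class DataObject:
    digest: str
    content: bytes
    sensitivity: int
    records: list = field(default_factory=list)  # create / outgoing / receive records


class DataPool:
    """Platform side: one data object per distinct content, addressed by hash, plus the
    host-file-to-data-object mapping information the page enumerates."""

    def __init__(self):
        self.objects = {}  # digest -> DataObject
        self.mapping = {}  # (host, path) -> mapping information

    def _object_for(self, content: bytes) -> DataObject:
        # Search the pool for an identical object and reuse it; otherwise create one.
        digest = hashlib.sha256(content).hexdigest()
        obj = self.objects.get(digest)
        if obj is None:
            obj = DataObject(digest, content, sensitivity(content))
            self.objects[digest] = obj
        return obj

    def create_file(self, host: str, path: str, owner: User, content: bytes, ts: int) -> str:
        """Terminal captured a file creation: map it to a data object. The host keeps
        only this mapping record, never the content."""
        obj = self._object_for(content)
        self.mapping[(host, path)] = {
            "file_name": path, "file_size": len(content), "owner": owner.name,
            "authority": owner.authority, "hash": obj.digest,
            "created": ts, "modified": ts, "last_read": ts,
            "read": [], "write": [], "copy": [], "delete": [],
        }
        obj.records.append(("create", owner.name, host))
        return obj.digest

    def send(self, host: str, path: str, source: User, target: User, target_host: str):
        """Decide and apply the outgoing control for one source/target combination."""
        info = self.mapping.get((host, path))
        if info is None:
            raise LookupError("outgoing file is not mapped to any data object")
        obj = self.objects[info["hash"]]
        obj.records.append(("outgoing", source.name, target.name))
        if target.kind == "internal" and target.authority == source.authority:
            # Same authority, inside to inside: the received file maps to the same object.
            self.mapping[(target_host, path)] = dict(info, owner=target.name)
            obj.records.append(("receive", target.name))
            return ("same-object", obj.digest)
        if target.kind == "internal":
            # Different authority, inside to inside: regenerate the object under the
            # target's policy (a constructed authority tag here) and map the new object,
            # reusing an identical object if the pool already holds one.
            regenerated = obj.content + b"\n[authority:" + target.authority.encode() + b"]"
            new_obj = self._object_for(regenerated)
            self.mapping[(target_host, path)] = dict(
                info, owner=target.name, authority=target.authority,
                hash=new_obj.digest, file_size=len(regenerated))
            new_obj.records.append(("receive", target.name))
            return ("new-object", new_obj.digest)
        # Inside to outside: the sensitivity computed in advance decides; a real file is
        # regenerated (encrypted) and released only when nothing sensitive was found
        # (constructed policy threshold).
        if obj.sensitivity > 0:
            return ("blocked", obj.digest)
        return ("encrypt-and-send", obj.digest)
```

Because objects are addressed by content hash, two hosts that create identical files share one data object, which is the storage and calculation de-duplication the page describes.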
The invention provides a data outgoing control subsystem of a data leakage prevention system suitable for a cloud desktop environment, which is characterized by comprising the following components:
an outgoing control agent, a host-side terminal component, which manages and schedules the outgoing control operations of the corresponding cloud files and reports the control result;
a file information module, a host-side terminal component, which assists by providing the file and flow information required by the various file outgoing controls;
a file mapping module, a host-side terminal component, which manages the host user's data files and maps them to platform-side data objects;
a data object management module, a platform-side component, which manages all data objects on the platform;
a data object access module, a platform-side component, which provides access operations on data objects;
a data object pool module, a platform-side component, which stores the file content data mapped from user hosts;
a data similarity calculation module, a platform-side component, which performs similarity calculation and similar-data retrieval on data objects;
a data encryption and decryption calculation module, a platform-side component, which encrypts and decrypts data objects with the specified authority;
a data sensitivity calculation module, a platform-side component, which scans data objects and calculates their sensitivity;
a differential access management module, a platform-side component, which identifies the login information of the logged-in user and loads different data outgoing control strategies for different access scenes;
and an outgoing control log module, a platform-side component, which records all data outgoing control operations.
Fig. 2 shows the composition of the host-side terminal of the present invention: in software, components such as peripheral management and control are removed, and the outgoing management and control agent, the file information module (providing reference file information) and the file mapping module (forwarding file operation logic and data to the platform side to complete the file mapping) required by the present invention are added.
Fig. 3 shows the composition of the platform side of the present invention, which, in addition to the original data leakage prevention server components, adds the data object management module, data object access module, data object pool module, data similarity calculation module, data encryption/decryption calculation module, data sensitivity calculation module, differential access management module and outgoing control log module.
Fig. 4 shows the process of mapping a file to a data object according to the present invention, in which the terminal and the platform cooperate to complete the capture, forwarding, mapping, access and response of file operations.
Fig. 5 is the flow of controlling the outgoing of internal-to-internal files with the same authority according to the present invention, which includes the following steps:
(1) outgoing operation capture: the user selects an outgoing file and an outgoing target user, and the terminal captures the operation and informs the platform side;
(2) outgoing information analysis: the platform side analyzes the combination of outgoing parameters and determines the validity of the operation and the outgoing information;
(3) data object location: the platform side searches the data pool and determines the data object mapped by the outgoing file according to the file information;
(4) data record update: the platform side updates the data object record information and adds an outgoing record;
(5) the platform side determines the data object access result according to the retrieval result in the data object pool, i.e. whether the corresponding data object was correctly located, and feeds the result back to the source data terminal to complete the outgoing file operation;
the feedback information is the mapping information between the file and the data object, which was established when the file was created;
(6) receiving operation capture: the target data terminal captures the operation of the target user receiving the outgoing file and informs the platform side;
(7) data record update: the platform side updates the data object record information and adds a receiving record.
Fig. 6 shows the flow for controlling the outgoing of a file from an internal user to another internal user with different authority according to the present invention, which includes the following steps:
outgoing operation capture: the user selects the outgoing file and the outgoing target user, and the terminal captures the operation and informs the platform side;
outgoing information analysis: the platform side analyzes the combination of outgoing parameters and determines whether the operation is valid and what the outgoing information is;
data object positioning: the platform side searches the data pool according to the file information and determines the data object mapped by the outgoing file;
data strategy loading: the platform side determines, according to the outgoing information, the data object operations to be executed (encryption and decryption, sensitivity scanning, and so on) and adds them to the outgoing record;
data record update: the platform side updates the data object record information and adds an outgoing record;
the data object record information includes the outgoing record information;
the platform side determines the access result of the data object according to the retrieval result in the data object pool, i.e., whether the corresponding data object was correctly located, and feeds the result back to the source data terminal to complete the outgoing file operation;
receiving operation capture: the target data terminal captures the operation of the target user receiving the outgoing file and informs the platform side;
data object retrieval: the platform side obtains and evaluates the outgoing record and searches the data pool for an identical data object (i.e., a file that has already gone through the same flow); if one exists it is reused, otherwise a new data object is created according to the requirements of the outgoing record;
that is, when a file is sent from one department to another for the first time, the source file (data object) must be processed (for example, encrypted) according to information such as the authority, producing a modified copy (i.e., a new data object); on the second and subsequent sends the modified copy of the source file already exists, so it does not need to be generated again and the previous copy is used directly; in any other case a new data object (processed copy) is created.
data record update: the platform side updates the data object record information and adds a receiving record;
data object mapping: the platform side and the target data terminal cooperate to complete the mapping between the new data object and the target user's host file;
and receiving operation feedback: the platform side informs the target user terminal that the mapping between the file and the data object is complete.
Fig. 7 shows the flow for controlling the outgoing of a file from an internal user to an external user according to the present invention, which includes the following steps:
outgoing operation capture: the user selects the outgoing file and the outgoing target user, and the terminal captures the operation and informs the platform side;
outgoing information analysis: the platform side analyzes the combination of outgoing parameters and determines whether the operation is valid and what the outgoing information is;
data object positioning: the platform side searches the data pool according to the file information and determines the data object mapped by the outgoing file;
data strategy loading: the platform side determines, according to the outgoing information, the data object operations to be executed (encryption and decryption, sensitivity scanning, and so on) and adds them to the outgoing record;
data record update: the platform side updates the data object record information and adds an outgoing record;
data object retrieval: the platform side obtains and evaluates the outgoing record and searches the data pool for an identical data object (i.e., a file that has already gone through the same flow); if one exists it is reused, otherwise a new data object is created according to the requirements of the outgoing record;
that is, when a file is sent from one department to another for the first time, the source file (data object) must be processed (for example, encrypted) according to information such as the authority, producing a modified copy (i.e., a new data object); on the second and subsequent sends the modified copy of the source file already exists, so it does not need to be generated again and the previous copy is used directly; in any other case a new data object (processed copy) is created.
Because the external area can neither map nor store data objects, and data objects are not transmitted outside, this step only saves the file that was sent externally so that the same file can be sent quickly the next time.
The platform side determines the access result of the data object according to the retrieval result in the data object pool, i.e., whether the corresponding data object was correctly located, and feeds the result back to the source data terminal to complete the outgoing file operation.
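The three outgoing flows of Figs. 5, 6 and 7 share one platform-side mechanism: a host file is only an index into the data pool, an outgoing operation locates the mapped data object, and a processed copy for a different authority or for the outside is generated once and reused afterwards. The following Python model is an added example and not code from the patent; the names (DataPool, DataObject, Scope, create_file, send_file, receive_file), the content-hash object identifier, the marker-word sensitivity score and the "ENC[...]" stand-in for the encrypted copy are all assumptions chosen for illustration, since the patent specifies no API or algorithm.

```python
"""Toy model of the platform-side data pool for the outgoing flows of Figs. 5-7.

Added example, not code from the patent.  Names, the content-hash object id,
the marker-word sensitivity score and the ENC[...] stand-in for encryption
are assumptions made for illustration.
"""
import hashlib
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Scope(Enum):
    INTERNAL_SAME = "internal, same authority"        # Fig. 5
    INTERNAL_DIFF = "internal, different authority"   # Fig. 6
    EXTERNAL = "internal to external"                 # Fig. 7


@dataclass
class DataObject:
    object_id: str                      # sha256 of content: identical content -> one object
    content: bytes
    owner: str
    sensitivity: int                    # computed once when the object is created
    records: List[Tuple[str, str, str]] = field(default_factory=list)  # (op, user, detail)


MARKERS = (b"confidential", b"salary", b"contract")   # constructed sensitivity markers


def compute_sensitivity(content: bytes) -> int:
    """Stand-in for the sensitivity calculation module: count marker words."""
    text = content.lower()
    return sum(text.count(m) for m in MARKERS)


class DataPool:
    def __init__(self) -> None:
        self.objects: Dict[str, DataObject] = {}
        self.mapping: Dict[str, str] = {}                 # host file path -> object_id
        self.derived: Dict[Tuple[str, str], str] = {}     # (source object, policy) -> processed copy
        self.log: List[str] = []                          # outgoing control log

    def create_file(self, host_path: str, content: bytes, owner: str) -> str:
        """Claim 1 steps 2-3: store content once in the pool, keep only an index on the host."""
        oid = hashlib.sha256(content).hexdigest()
        if oid not in self.objects:
            self.objects[oid] = DataObject(oid, content, owner, compute_sensitivity(content))
        self.objects[oid].records.append(("write", owner, host_path))
        self.mapping[host_path] = oid
        return oid

    @staticmethod
    def _policy(scope: Scope, target_authority: str) -> Optional[str]:
        """Data strategy loading: same authority shares the object as-is, otherwise process it."""
        if scope is Scope.INTERNAL_SAME:
            return None
        if scope is Scope.INTERNAL_DIFF:
            return "encrypt-for:" + target_authority
        return "encrypt-for:external"

    def send_file(self, host_path: str, sender: str, target: str,
                  target_authority: str, scope: Scope) -> Optional[dict]:
        """Outgoing capture + positioning: locate the mapped object and record the outgoing."""
        oid = self.mapping.get(host_path)
        if oid is None:
            self.log.append(f"DENY {sender} -> {target}: {host_path} has no mapped data object")
            return None
        policy = self._policy(scope, target_authority)
        self.objects[oid].records.append(("outgoing", sender, target))
        self.log.append(f"ALLOW {sender} -> {target}: {host_path} policy={policy}")
        return {"object_id": oid, "policy": policy, "scope": scope}

    def receive_file(self, outgoing: dict, receiver: str, target_path: str) -> Tuple[str, bool]:
        """Receiving capture + retrieval. Returns (object id delivered, reused_existing_copy)."""
        src = self.objects[outgoing["object_id"]]
        policy = outgoing["policy"]
        if policy is None:                       # Fig. 5: map the very same object
            self.mapping[target_path] = src.object_id
            src.records.append(("receive", receiver, target_path))
            return src.object_id, True
        key = (src.object_id, policy)
        reused = key in self.derived
        if not reused:                           # first transfer under this policy: make the copy
            processed = b"ENC[" + policy.encode() + b"]" + src.content
            did = hashlib.sha256(processed).hexdigest()
            self.objects[did] = DataObject(did, processed, src.owner, src.sensitivity)
            self.derived[key] = did
        did = self.derived[key]
        self.objects[did].records.append(("receive", receiver, target_path))
        if outgoing["scope"] is not Scope.EXTERNAL:   # Fig. 7: the external area gets no mapping
            self.mapping[target_path] = did
        return did, reused
```

The second return value of receive_file is the point of Figs. 6 and 7: the first send to a different authority creates the processed copy, every later send under the same (object, policy) pair reuses it, and an external send keeps the copy in the pool without mapping any external path to it.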
Fig. 8 shows the access scenario differential management and control flow of the present invention, which includes the following steps:
the user accesses the cloud desktop and the data leakage prevention terminal using a remote desktop tool;
information analysis: login user information, login IP (Internet Protocol) address, login tool and similar information are acquired, and login information such as the IP address is analyzed to obtain the geographical position;
scenario positioning: the various items of judgment information and preset parameters are aggregated and evaluated to obtain the scenario in which the user logs in to the cloud desktop (the current department, another department, outside the enterprise, and so on);
loading and execution: the management and control strategy to be loaded is dynamically selected according to the positioned scenario and executed;
and access monitoring: user access information is monitored dynamically and continuously, user behavior is analyzed and positioned in time, and false access, access cheating and the like are avoided.
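The scenario positioning and policy loading of Fig. 8, as an added example that is not part of the patent: the login's source address and tool are checked against a constructed address plan, the result is one of the three scenarios named above, and the policy table loaded for that scenario gets stricter the further the login is from the user's own department. The address ranges, tool names, policy keys and the monitor_session check are all assumptions made for this example.

```python
"""Access scenario positioning and policy loading for Fig. 8.

Added example, not code from the patent.  The address plan, allowed tools,
policy keys and the session monitor are assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Constructed address plan: which networks belong to which department.
DEPARTMENT_NETWORKS = {
    "finance": [ipaddress.ip_network("10.10.0.0/16")],
    "engineering": [ipaddress.ip_network("10.20.0.0/16"), ipaddress.ip_network("10.21.0.0/16")],
}
ALLOWED_TOOLS = {"internal-desktop-client", "rdp"}   # constructed list of permitted login tools

# Policy per scenario: loose inside the current department, strict outside the enterprise.
POLICIES: Dict[str, Dict[str, bool]] = {
    "current-department": {"clipboard": True, "usb": True, "outgoing_requires_encryption": False},
    "other-department": {"clipboard": True, "usb": False, "outgoing_requires_encryption": True},
    "external": {"clipboard": False, "usb": False, "outgoing_requires_encryption": True},
}


@dataclass(frozen=True)
class Login:
    user: str
    department: str   # department the account belongs to
    ip: str           # login IP as reported by the terminal
    tool: str         # remote desktop tool used


def locate_scene(login: Login) -> str:
    """Scenario positioning: aggregate IP and tool information into one scenario name."""
    try:
        addr = ipaddress.ip_address(login.ip)
    except ValueError:
        return "external"            # unparsable login information gets the strictest scenario
    if login.tool not in ALLOWED_TOOLS:
        return "external"            # an unapproved tool is not trusted even from an internal address
    for dept, nets in DEPARTMENT_NETWORKS.items():
        if any(addr in n for n in nets):
            return "current-department" if dept == login.department else "other-department"
    return "external"


def load_policy(login: Login) -> Dict[str, bool]:
    """Loading and execution: select the control strategy for the positioned scenario."""
    return dict(POLICIES[locate_scene(login)])


def monitor_session(initial: Login, later: List[Login]) -> List[str]:
    """Access monitoring: flag a session whose positioned scenario changes after login."""
    base = locate_scene(initial)
    alerts = []
    for entry in later:
        scene = locate_scene(entry)
        if scene != base:
            alerts.append(f"{entry.user}: scenario changed {base} -> {scene} (ip {entry.ip})")
    return alerts
```

The parse failure and the unapproved-tool case both fall through to the external scenario on purpose: a positioning step that cannot classify a login should load the strictest strategy rather than the loosest.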
Specific examples
As shown in Fig. 9, a small enterprise customer that has built a private cloud desktop environment installs a data leakage prevention system implemented according to the method of the present invention and constructs a data leakage prevention mechanism based on cloud-side data management and control measures. The mechanism handles the storage of all users on the cloud desktop uniformly: the universal storage leakage prevention component completes the storage of data files, and redundant files are avoided through a complex file-checking mechanism and file similarity calculation; a file sensitivity calculation function introduced on the platform side calculates the sensitivity of each file in advance. In addition, by introducing access scenario differential strategy measures, different management and control strategies are applied to users logging in from inside and from outside the enterprise. The server side comprises the following servers:
2 data leakage prevention system management servers (1 core, 1 load), which implement the functions of a traditional DLP server;
2 cloud data object storage servers, which store the cloud desktop data files of all users;
1 cloud data object computing server, which performs operations such as encryption and decryption, similarity calculation and sensitivity calculation on files (data objects).
After the data leakage prevention system is deployed in the cloud desktop environment, the system as a whole operates normally. According to measurement and calculation, in a scenario of 300 cloud desktops (terminals) the host file operation is delayed by 5 ms and the file management and control is delayed by 5 ms, which does not noticeably affect the user's normal operation. At the same time, a higher level of data management and control is applied to users logging in to the cloud desktop from outside the enterprise, while data management and control inside the enterprise is relatively loose, so that normal use is not disturbed.
With this technical scheme, the data leakage prevention system only needs to move components such as storage drive and management and network drive and management to the cloud. It uses the advantages of this cloud transformation to reduce computing and storage redundancy, uses highly scalable storage and computing components to perform data control operations on files without the user noticing, responds to sensitive data transmission in time, effectively controls data leakage that could otherwise occur, and ensures the data security of customers deploying the cloud desktop environment. In addition, by distinguishing the access position from which the user's cloud desktop is logged in, strict or loose data management and control is applied according to preset strategy levels; the level of some management and control measures is lowered in a relatively safe environment, which reduces the interference with the user's operations and improves the friendliness of the data leakage prevention system.
The above examples merely illustrate the protection scheme of the present invention and do not limit its specific embodiments.
Claims (15)
1. A data leakage prevention method facing a cloud desktop application environment is characterized by comprising the following steps:
1) the data leakage-proof terminal intercepts and takes over the file operation process of the cloud desktop user, obtains file operation information of the cloud desktop user in the host operation process and pushes the file operation information to the platform side;
2) the platform side establishes a corresponding data object in the data pool according to the file operation information, the platform side maps the data object with a host file, the file content is stored in the data pool, the host does not store any file content, and index information of the file in the data pool is stored;
3) the platform side maps the data object with the host file and stores file mapping information;
4) the cloud desktop user selects an outgoing host file and a target user, and the data leakage-preventing terminal captures outgoing host file sending information of the cloud desktop user and informs the platform side;
5) the platform side inquires file mapping information according to outgoing host file sending information, determines a control strategy of the outgoing host file, and sends the outgoing host file according to the control strategy.
2. The method according to claim 1, wherein after the platform side establishes the corresponding data object in the data pool according to the file operation information in step 2), the platform side further performs the following operations:
establishing a data object reference record and storing read and write file operation records;
establishing data object similarity characteristic information and calculating file sensitivity;
and feeding back the data object information and the data object reference record to the data leakage-preventing terminal.
3. The method according to claim 1, wherein the step 5) of the platform side querying file mapping information according to outgoing host file sending information, determining a management and control policy of the outgoing host file, and sending the outgoing host file according to the management and control policy includes: positioning a data object mapped by an outgoing host file, and determining the type and user authority of a target user;
and sending the data object corresponding to the file of the outgoing host according to the type of the target user and the user authority.
4. The method of claim 3, wherein the sending the data object corresponding to the outgoing host file according to the type of the target user and the user operation authority comprises:
if the cloud desktop user and the target user are both internal users and the operation authority is the same, then:
the platform side retrieves and determines a data object mapped by the file of the outgoing host in the data pool according to the file information of the outgoing host, updates the record information of the data object, increases the outgoing record, and feeds back the result to the leakage-proof data terminal of the source user according to the access result of the data object;
the target user leakage-proof data terminal captures the target user to receive host file operation and informs the platform side;
and the platform side updates the record information of the data object and adds the receiving record.
5. The method of claim 3, wherein the sending the data object corresponding to the outgoing host file according to the type of the target user and the user operation authority comprises:
if the cloud desktop user and the target user are both internal users and the operation authority is different, then:
the platform side retrieves and determines a data object mapped by the file of the outgoing host in the data pool according to the information of the outgoing file, determines the data object operation to be executed according to the file sending information of the outgoing host, and adds an outgoing record;
the platform side updates the record information of the data object, adds an outgoing record and feeds back the result to the source user leakage-proof data terminal according to the access result of the data object;
the target user leakage-proof data terminal captures the target user to receive host file operation and informs the platform side;
the platform side obtains and calculates an outgoing record, searches whether the same data object exists in the data pool, if so, multiplexes the same object, otherwise, creates a new data object according to the requirement of the outgoing record;
the platform side updates the record information of the data object and adds a receiving record;
and the platform side and the target user anti-leakage data terminal cooperate to complete the mapping of the received data object and the target user host file.
6. The method of claim 3, wherein the sending the data object corresponding to the outgoing host file according to the type of the target user and the user operation authority comprises:
if the outgoing host file is sent to the external user by the internal cloud desktop user, then:
the platform side retrieves and determines a data object mapped by the file of the outgoing host in the data pool according to the file information of the outgoing host, determines the data object operation to be executed according to the file sending information of the outgoing host, and adds an outgoing record;
the platform side updates the data object record information and adds outgoing records;
and the platform side acquires and calculates an outgoing record, searches whether the same data object exists in the data pool, multiplexes the same data object if the same data object exists, and otherwise creates a new data object according to the requirement of the outgoing record.
7. The method of claim 1, wherein the cloud desktop user sends the host file by at least one of: mail sending, web page sending, application sending or file sharing.
8. The method according to claim 1, wherein the step 3) of the platform side mapping the data object with the host file and saving the file mapping information, wherein the information that the host file needs to be mapped to the data object comprises: file name, file size, user to which the file belongs, user authority, file hash value, creation time, modification time, last read time, and file read record, write record, copy record, delete record.
9. A data leakage prevention system for a cloud desktop application environment, the system comprising: at least two data leakage prevention terminals and a platform side;
the data leakage-proof terminal intercepts and takes over the file operation process of the cloud desktop user, obtains file operation information of the cloud desktop user in the host operation process and pushes the file operation information to the platform side;
the data leakage prevention terminal captures outgoing host file sending information of the cloud desktop user when the cloud desktop user selects the outgoing host file and the target user, and informs the platform side;
the platform side establishes a corresponding data object in the data pool according to the file operation information, the platform side maps the data object with a host file, the file content is stored in the data pool, the host does not store any file content, and index information of the file in the data pool is stored;
the platform side maps the data object with the host file and stores file mapping information;
the platform side inquires file mapping information according to outgoing host file sending information of the data leakage-preventing terminal, determines a control strategy of the outgoing host file, and sends the outgoing host file to the target data leakage-preventing terminal according to the control strategy.
10. The system of claim 9, wherein after the platform side establishes the corresponding data object in the data pool according to the file operation information, the platform side performs the following operations:
establishing a data object reference record and storing read and write file operation records;
establishing data object similarity characteristic information and calculating file sensitivity;
and feeding back the data object information and the data object reference record to the data leakage-preventing terminal.
11. The system of claim 9, wherein the platform side queries file mapping information according to outgoing host file sending information, determines a management and control policy for the outgoing host file, and sends the outgoing host file according to the management and control policy, which comprises:
positioning a data object mapped by an outgoing host file, and determining the type and user authority of a target user;
and sending the data object corresponding to the file of the outgoing host according to the type of the target user and the user authority.
12. The system of claim 9, wherein the platform side maps the data object with the host file and stores file mapping information, and the information that the host file needs to be mapped to the data object comprises: file name, file size, user to which the file belongs, user authority, file hash value, creation time, modification time, last read time, and file read record, write record, copy record, delete record.
13. The system of claim 9, wherein the platform side comprises a cloud data object storage server for establishing data pools and data objects and a data leakage prevention system management server for issuing governing policies.
14. A data leakage prevention system for a cloud desktop application environment, the system comprising: at least two data leakage prevention terminals and a platform side;
the at least two data leakage prevention terminals and the platform side are respectively provided with a computer readable storage medium and a computer processing device; the at least two data leakage prevention terminals and the computer readable storage medium on the platform side respectively store computer program instructions;
the method of one of claims 1 to 8 being implemented by the at least two data leakage prevention terminals and the computer processing means of the platform side executing respective computer program instructions.
15. The system of claim 14, wherein the platform side comprises a cloud data object storage server for establishing data pools and data objects and a data leakage prevention system management server for issuing governing policies.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201711321695.3A CN108133143B (en) | 2017-12-12 | 2017-12-12 | Data leakage prevention method and system for cloud desktop application environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN108133143A CN108133143A (en) | 2018-06-08 |
CN108133143B true CN108133143B (en) | 2020-02-28 |
Family
ID=62390230
Country Status (1)
Country | Link |
---|---|
CN (1) | CN108133143B (en) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||