CN119357988A - A non-intrusive data information security management method and device - Google Patents
- Publication number: CN119357988A (application CN202411299152.6A)
- Authority: CN (China)
- Prior art keywords: data, middleware, encryption, database, new
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- G06F21/602: Providing cryptographic facilities or services (under G06F21/60, Protecting data, and G06F21/00, Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity)
- G06F16/2433: Query languages (under G06F16/242, Query formulation; G06F16/24, Querying; G06F16/20, Information retrieval and database structures for structured data, e.g. relational data)
- G06F16/2455: Query execution (under G06F16/245, Query processing; G06F16/24, Querying; G06F16/20, Information retrieval and database structures for structured data)
- G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. a local or distributed file system or database (under G06F21/62 and G06F21/60, Protecting data)
Abstract
The invention discloses a non-intrusive data information security management method and device. The method comprises: deploying database middleware between an application program and a database; having the middleware manage the database connections; receiving an SQL request from the application program at the middleware; parsing the received SQL request; judging whether the SQL request involves a sensitive field that needs special processing; automatically applying the configured encryption or decryption algorithm; executing the rewritten SQL request on the database to perform the data access; returning the execution result to the application program, with the middleware decrypting the data; configuring and managing encryption policies, algorithms and keys through a Web interface provided by the middleware; and re-encrypting existing data that was processed under an old encryption scheme, which completes the data security management flow. The SQL parsing module recognizes accesses to sensitive fields and applies the encryption and decryption algorithm automatically, so that data is protected during transmission and storage.
Description
Technical Field
The invention relates to the field of information security, and in particular to a non-intrusive data information security management method and device.
Background
Traditional data information security management methods have a number of defects, mainly in the following respects:
Customized development: the variety of enterprise business requirements means that a data security management scheme has to be developed separately for each data structure, which is time-consuming and labor-intensive and raises development and maintenance costs.
Code maintenance complexity: encryption and decryption logic is embedded directly in the application code, so the code is hard to maintain, and every upgrade or modification may require the encryption and decryption logic to be re-inspected and changed.
High development and maintenance cost: without a unified encryption management mechanism, each system is developed and maintained independently, which increases the complexity and risk of the whole estate.
Limited choice of encryption algorithms: a traditional system usually supports only a few encryption algorithms and cannot easily adapt to different application scenarios and business requirements.
Programming language and platform limits: different languages and platforms support different encryption algorithms; older systems may support only specific algorithms, while modern systems recommend safer ones.
Interoperability and compatibility: in cross-system and cross-platform environments, different implementations of the same encryption algorithm may cause problems in data exchange and integration.
Security and maintainability: keys and encryption configuration are managed in a scattered way, and the lack of a unified encryption management mechanism increases the complexity and risk of the system.
Key management: the lack of an effective key management strategy creates security hazards in key generation, storage, rotation and similar processes.
Desensitization of stock data: existing (stock) data must be desensitized again to ensure data security, consistency and compatibility with new systems.
Disclosure of Invention
To solve the problems in the prior art, the invention provides a non-intrusive data information security management method and device in which an SQL parsing module identifies accesses to sensitive fields and automatically applies the corresponding encryption and decryption algorithm, so that data is protected during transmission and storage.
To achieve this, the invention adopts the following technical scheme:
In an embodiment of the present invention, a non-intrusive data information security management method is provided, which comprises:
S01, middleware deployment: database middleware (hereinafter "middleware") is deployed between the application program and the database and acts as a proxy for all data interaction;
S02, connection management (see FIG. 2): the middleware manages the database connections and uses a connection pool to optimize resource usage;
Further, the database middleware is a proxy layer between the application program and the database; it provides a unified connection interface and simplifies the interaction between application and database;
the database middleware uses an efficient connection pool to manage connections to multiple database instances in a unified way;
and the database middleware applies a load-balancing strategy, selecting the optimal database connection according to real-time system load, where "optimal" means the instance with the shortest response time, the lightest load or the closest geographic location.
Because connections are no longer created and destroyed for every request, the resource consumption of connection churn is greatly reduced and overall system performance improves.
A single-node or multi-node deployment architecture can be chosen according to enterprise scale and business requirements, to improve availability and achieve load balancing.
Further, the functions integrated in the database middleware comprise connection management, SQL statement parsing and rewriting, data encryption and decryption, and a cache management mechanism.
The middleware is designed to provide the highest level of data security without sacrificing performance: configuration is held in memory and SQL requests are analyzed there, so the middleware responds quickly while maintaining the confidentiality and integrity of the data.
The middleware thus offers application programs an efficient, secure and transparent data encryption and decryption solution, reducing the complexity of data security management and raising the security of data operations.
Through these measures the middleware improves both the efficiency and the security of data access, and gives enterprises a flexible, extensible database access solution.
The middleware provides a visual Web interface through which administrators configure and manage encryption policies and algorithms. This interface is the central configuration point of the middleware system and is responsible for all encryption-related settings.
Standard encryption algorithms: the Web interface lists a range of standard algorithms, such as AES, MD5, RC4 and SM3/SM4. The administrator selects the appropriate algorithm and configures its parameters, such as the encryption key, the mode of operation (e.g. CBC, ECB) and the key length (e.g. AES-128, AES-256).
Key management: the administrator manages encryption keys in the interface, including key generation, storage and rotation. The system provides hierarchical key management, so that data of different sensitivity levels uses different keys.
Uploading and configuring a custom encryption and decryption algorithm: the administrator uploads a custom Java library in the Web interface; the library contains a custom encryption algorithm, "CustomEncrypt", designed for specific business requirements and offering encryption characteristics or performance that the standard algorithms cannot provide.
Custom algorithm selection and configuration: in the Web interface the administrator chooses to apply the "CustomEncrypt" algorithm to the custom_field column of the users table, and may further configure the algorithm's parameters such as key length and mode.
Uploading a key management script: in addition to the Java library for the custom algorithm, the administrator uploads a key management script that manages the keys required by "CustomEncrypt".
The script provides the following functions:
Key generation and distribution: the script may contain logic to generate keys dynamically, generating or selecting them according to context (e.g. field name, usage scenario).
Key rotation and updating: the script defines a rotation strategy so that keys are updated periodically, and may implement the revocation of the old key and the roll-over to the new key.
Key access control: the script sets access rights on the keys, so that only authorized users or system components can access and use them.
Encryption and decryption policy definition and selection:
Encryption policies: the administrator defines encryption policies through the Web interface, including which fields are encrypted, which algorithm is used and which key is selected. For example, AES-256 encryption with a specified key may be selected for the password field of the users table.
Decryption policies: corresponding decryption policies may also be defined. A decryption policy defines how encrypted data is restored, normally by selecting the matching decryption algorithm and key; when data is read it must be decrypted with the same key and algorithm that were used to encrypt it.
Policy refinement: the administrator may choose different encryption and decryption policies according to the sensitivity and type of the data. For example, highly sensitive data (e.g. financial information) may use a stronger algorithm and a more elaborate key management policy, while less sensitive data (e.g. published user information) may simply be hashed.
S03, receiving an SQL request: the middleware receives an SQL request from the application program;
Further, step S03 comprises:
S031, configuration predefinition: the middleware maintains sensitive field information in a centralized configuration file or database table, comprising the field names, the associated tables, the data types and the encryption requirements; this information is defined and loaded during system initialization;
S032, loading the configuration data into memory when the middleware starts, for fast access; the configuration data comprises the field encryption requirements and any access control rules.
S04, parsing the SQL request: the middleware parses the received SQL request to identify the operation type and the data involved;
Further, step S04 comprises: after receiving the SQL request, the middleware extracts the key information with its parsing engine, namely the operation type, the data tables, the fields and the query conditions.
S05, identifying sensitive fields: the middleware judges whether the SQL request involves a sensitive field that needs special handling;
Further, step S05 comprises: the parsing engine compares the fields involved in the request against the in-memory list of sensitive fields and identifies those requiring an encryption or decryption operation.
S06, applying encryption and decryption: if a field is sensitive, the middleware automatically applies the configured encryption or decryption algorithm;
Further, step S06 comprises:
S061, algorithm configuration: the encryption or decryption requirement of each sensitive field is defined in detail in the configuration, including the algorithm type, the encryption key and the mode of operation;
S062, loading and applying the algorithm: the middleware loads the corresponding algorithm from the configuration at start-up and dynamically inserts the encryption or decryption function when the SQL statement is executed;
S063, determining function names and parameters: according to the field's encryption configuration, the middleware determines the name of the inserted function and the parameters it requires, including the field value, the key and the mode of operation.
S07, executing the SQL operation: the rewritten SQL request is executed on the database to perform the data access;
S08, returning the result: the execution result is returned to the application program, with the middleware decrypting the data;
Further, step S08 comprises: before sending encrypted data back to the application program, the middleware calls the corresponding decryption function and converts the encrypted fields back to their original format, so that the application program receives and processes plaintext data.
S09, managing configuration: encryption policies, algorithms and keys are configured and managed through the Web interface provided by the middleware;
S010, processing stock data: existing data processed under the old encryption scheme is re-encrypted to ensure compatibility with the new scheme;
Although the stock data has already been desensitized under the old scheme, a change of encryption algorithm or key management policy in the new scheme may mean that the new scheme cannot decrypt it. The stock data must therefore be desensitized again to ensure data security, consistency and compatibility with the new system.
Suppose that in the users table the original data has been desensitized under the old scheme, with the email field encrypted using the old encryption algorithm. The email field now needs to be desensitized again under the new scheme, i.e. encrypted with the new AES-256 algorithm.
Further, step S010 comprises:
S0101, adding a ciphertext column: a new ciphertext column is added to the users table to store the data encrypted with the new algorithm;
S0102, reading and decrypting the old data: all existing values of the field are read from the database and decrypted to recover the original information;
S0103, re-encrypting under the new scheme: the new scheme's encryption algorithm is applied to the recovered data and the result is stored in the new ciphertext column;
S0104, updating the database: the newly encrypted data is written to the new ciphertext column while the old ciphertext column is retained, both for data safety and so that the operation can be rolled back;
S0105, verification: every row is checked, by comparing the original data with the re-encrypted data or by decrypting samples, to confirm that all data has been correctly encrypted and written to the new ciphertext column;
S0106, switching to the new ciphertext column: once the new encrypted data has been verified, the system is switched to read and write the new ciphertext column, so that all queries and operations are based on the newly encrypted data;
S0107, deleting the old ciphertext column: once the system is confirmed to be running stably and the old data is no longer needed, the old ciphertext column is deleted and the switch to the new encryption scheme is complete.
S011, end: the data security management flow is complete.
In an embodiment of the present invention, a non-intrusive data information security management apparatus is further provided, comprising:
a middleware deployment module, which deploys database middleware (hereinafter "middleware") between the application program and the database as a proxy for data interaction;
a connection management module, in which the middleware manages database connections and uses a connection pool to optimize resource use;
an SQL request receiving module, in which the middleware receives the SQL request from the application program;
an SQL request parsing module, in which the middleware parses the received SQL request to identify the operation type and the data involved;
a sensitive field identification module, in which the middleware judges whether the SQL request involves a sensitive field needing special processing;
an encryption and decryption module, in which, for sensitive fields, the middleware automatically applies the encryption or decryption algorithm;
an SQL execution module, which executes the rewritten SQL request on the database to perform the data access;
a result return module, which returns the execution result to the application program, with the middleware decrypting the data;
a configuration management module, in which encryption policies, algorithms and keys are configured and managed through the Web interface provided by the middleware;
a stock data processing module, which re-encrypts existing data processed under the old encryption scheme to ensure compatibility with the new scheme;
and an end module, which completes the data security management flow.
In an embodiment of the present invention, a computer device is further provided, comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, the processor implementing the aforementioned non-intrusive data information security management method when it executes the program.
In an embodiment of the present invention, a computer-readable storage medium is also provided, storing a computer program for executing the non-intrusive data information security management method.
Beneficial effects:
The non-intrusive data information security management method and device provided by the invention have the following beneficial effects:
Transparency and code non-intrusiveness: the application program uses the encryption and decryption functions provided by the database middleware without modifying its existing code, so data is protected automatically and the technical complexity of development and maintenance is greatly reduced.
Automatic identification of sensitive fields: the middleware recognizes sensitive fields in SQL statements and applies the appropriate encryption and decryption logic automatically, simplifying the data protection flow and securing the data at every step.
Flexible policy configuration and management interface: a visual, easy-to-use Web interface lets administrators define and adjust encryption policies, including key management and algorithm selection, according to the type and sensitivity of the data, enhancing configurability and ease of administration.
Drawings
FIG. 1 is a flow chart of a non-invasive data information security management method according to the present invention;
FIG. 2 is a diagram of a database middleware module;
FIG. 3 is a schematic flow chart of a data encryption and decryption solution;
FIG. 4 is a schematic diagram of a non-invasive data information security management apparatus according to the present invention;
FIG. 5 is a schematic diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The principles and spirit of the present invention will be described below with reference to several exemplary embodiments, with the understanding that these embodiments are merely provided to enable those skilled in the art to better understand and practice the invention and are not intended to limit the scope of the invention in any way. Rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the scope of the disclosure to those skilled in the art.
Those skilled in the art will appreciate that embodiments of the invention may be implemented as a system, apparatus, device, method, or computer program product. Accordingly, the present disclosure may be embodied in the form of entirely hardware, entirely software (including firmware, resident software, micro-code, etc.) or in a combination of hardware and software.
According to an embodiment of the invention, a non-intrusive data information security management method and device are provided in which the SQL parsing module identifies accesses to sensitive fields and the corresponding encryption and decryption algorithm is applied automatically, so that data is protected during transmission and storage.
The principles and spirit of the present invention are explained in detail below with reference to several representative embodiments thereof.
As shown in FIG. 1, the invention relates to a non-intrusive data information security management method comprising:
S01, middleware deployment: database middleware (hereinafter "middleware") is deployed between the application program and the database and acts as a proxy for all data interaction;
S02, connection management (see FIG. 2): the middleware manages the database connections and uses a connection pool to optimize resource usage;
The database middleware is a proxy layer between the application program and the database; it provides a unified connection interface and simplifies the interaction between application and database;
the database middleware uses an efficient connection pool to manage connections to multiple database instances in a unified way;
and the database middleware applies a load-balancing strategy, selecting the optimal database connection according to real-time system load, where "optimal" means the instance with the shortest response time, the lightest load or the closest geographic location.
Because connections are no longer created and destroyed for every request, the resource consumption of connection churn is greatly reduced and overall system performance improves.
A single-node or multi-node deployment architecture can be chosen according to enterprise scale and business requirements, to improve availability and achieve load balancing.
The functions integrated in the database middleware comprise connection management, SQL statement parsing and rewriting, data encryption and decryption, and a cache management mechanism.
For example:
An application that previously connected to the database directly through jdbc:mysql://db_host:3306/mydatabase now connects through the middleware, and only the connection string needs to be changed, to jdbc:mysql://autoproxy:3306/mydatabase. This simplifies the application's configuration while delegating the complexity and security management of the connection to the middleware.
The middleware is designed to provide the highest level of data security without sacrificing performance: configuration is held in memory and SQL requests are analyzed there, so the middleware responds quickly while maintaining the confidentiality and integrity of the data.
The middleware thus offers application programs an efficient, secure and transparent data encryption and decryption solution, reducing the complexity of data security management and raising the security of data operations.
Through these measures the middleware improves both the efficiency and the security of data access, and gives enterprises a flexible, extensible database access solution.
The middleware provides a visual Web interface through which administrators configure and manage encryption policies and algorithms. This interface is the central configuration point of the middleware system and is responsible for all encryption-related settings.
Standard encryption algorithms: the Web interface lists a range of standard algorithms, such as AES, MD5, RC4 and SM3/SM4. The administrator selects the appropriate algorithm and configures its parameters, such as the encryption key, the mode of operation (e.g. CBC, ECB) and the key length (e.g. AES-128, AES-256). Note that MD5 and SM3 are one-way hash functions, not reversible ciphers, so they are usable only for fields that never need to be read back, and that RC4 and ECB mode are deprecated; a field that must be decrypted by the application should use AES or SM4 in a mode with a per-record IV.
Key management: the administrator manages encryption keys in the interface, including key generation, storage and rotation. The system provides hierarchical key management, so that data of different sensitivity levels uses different keys.
Uploading and configuring a custom encryption and decryption algorithm: the administrator uploads a custom Java library in the Web interface; the library contains a custom encryption algorithm, "CustomEncrypt", designed for specific business requirements and offering encryption characteristics or performance that the standard algorithms cannot provide.
Custom algorithm selection and configuration: in the Web interface the administrator chooses to apply the "CustomEncrypt" algorithm to the custom_field column of the users table, and may further configure the algorithm's parameters such as key length and mode.
Uploading a key management script: in addition to the Java library for the custom algorithm, the administrator uploads a key management script that manages the keys required by "CustomEncrypt".
The script provides the following functions:
Key generation and distribution: the script may contain logic to generate keys dynamically, generating or selecting them according to context (e.g. field name, usage scenario).
Key rotation and updating: the script defines a rotation strategy so that keys are updated periodically, and may implement the revocation of the old key and the roll-over to the new key.
Key access control: the script sets access rights on the keys, so that only authorized users or system components can access and use them.
Encryption and decryption policy definition and selection:
Encryption policies: the administrator defines encryption policies through the Web interface, including which fields are encrypted, which algorithm is used and which key is selected. For example, AES-256 encryption with a specified key may be selected for the password field of the users table (in practice a field that is only ever verified, such as a password, is normally stored as a salted hash rather than reversibly encrypted; reversible encryption suits fields that must be read back, such as an email address).
Decryption policies: corresponding decryption policies may also be defined. A decryption policy defines how encrypted data is restored, normally by selecting the matching decryption algorithm and key; when data is read it must be decrypted with the same key and algorithm that were used to encrypt it.
Policy refinement: the administrator may choose different encryption and decryption policies according to the sensitivity and type of the data. For example, highly sensitive data (e.g. financial information) may use a stronger algorithm and a more elaborate key management policy, while less sensitive data (e.g. published user information) may simply be hashed.
S03, receiving an SQL request: the middleware receives an SQL request from the application program;
Step S03 comprises the following steps:
S031, configuration predefinition: the middleware maintains sensitive field information in a centralized configuration file or database table, comprising the field names, the associated tables, the data types and the encryption requirements; this information is defined and loaded during system initialization;
S032, loading the configuration data into memory when the middleware starts, for fast access; the configuration data comprises the field encryption requirements and any access control rules.
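One concrete shape for the centralized sensitive-field configuration of S031 and S032, added here as an illustration and not taken from the patent: the file name, the key_id references, the deterministic flag and the choice of SIV mode for the lookup column are assumptions made here. Each entry carries the four items the patent lists (field name, associated table, data type, encryption requirement). Keys are referenced by identifier only, so the file holds no key material, and the two entries show the lookup trade-off a practitioner has to decide per column: a column that is searched by equality needs deterministic ciphertext, while a column that is only ever read back can use a fresh random IV per row.

```yaml
# sensitive_fields.yaml (constructed example; loaded into memory at middleware start, S032)
sensitive_fields:
  - table: users
    field: email
    type: varchar
    requirement: encrypt            # reversible: the application reads this value back
    algorithm: AES-256
    mode: SIV                       # deterministic by construction, so "WHERE email = ?" can be
    deterministic: true             # rewritten; trade-off: equal plaintexts give equal ciphertexts
    key_id: kms://users/email/v2    # reference only; key bytes are resolved by the key-management layer
  - table: payments
    field: card_number
    type: char
    requirement: encrypt
    algorithm: SM4
    mode: CBC
    deterministic: false            # random IV per row; equality lookups on this column are not supported
    key_id: kms://payments/card_number/v1
access_control:                     # S032: access rules loaded alongside the field policy
  - key_id: kms://payments/card_number/v1
    allowed_components: [middleware-node-1, middleware-node-2]
```

Rotating a key then means adding a new key_id version and running the stock-data re-encryption of S010 rather than editing key bytes in place, and the access_control block is what the key management script of the Web interface enforces when a middleware node asks for a key.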
S04, analyzing the SQL request, and analyzing the received SQL request by the middleware to identify the operation type and related data;
the S04 includes that after the middleware receives the SQL request, the parsing engine is utilized to extract key information, including operation types (such as SELECT, INSERT, UPDATE), data tables, fields and query conditions.
S05, the sensitive field, the middleware judges whether the SQL request contains the sensitive field which needs special treatment;
the S05 comprises the steps that the analysis engine compares the fields involved in the request with a sensitive field list in the memory, and identifies the fields needing encryption or decryption operation.
For example, if the email field of the users table is marked as sensitive and needs to be encrypted, the middleware will recognize and process all access requests to that field.
S06, encryption and decryption are applied, the fields are sensitive fields, and the middleware automatically applies an encryption and decryption algorithm;
The S06 includes:
S061, configuring an algorithm, wherein the encryption or decryption requirement of each sensitive field is defined in detail in the configuration, and the encryption or decryption requirement comprises parameters such as the type of the selected algorithm, an encryption key, an encryption mode and the like;
and S062, loading and applying the algorithm, loading a corresponding algorithm by the middleware according to configuration at the starting time, and dynamically inserting an encryption or decryption function during SQL execution.
For example, for an email field encrypted using the AES algorithm, the middleware will automatically pass the email value in the SQL statement to the AES encryption function;
S063, determining function names and parameters: according to the encryption configuration of the fields, the middleware determines the function name to be inserted and the required parameters, including the field value, key, encryption mode and so on.
For example, for an email field that needs to be encrypted, the middleware rewrites the condition email='user@example.com' in the SQL statement to email=aes_encryption_function('user@example.com', 'key12345', 'CBC'), ensuring that the data is encrypted correctly before storage.
S07, executing SQL operation, and executing the modified SQL request on a database to perform data access operation;
S08, returning a result, returning an execution result to the application program, and decrypting the data by the middleware;
Step S08 comprises: the middleware calls the corresponding decryption function before sending the encrypted data back to the application program and converts the encrypted field back to its original format, so that the application program is guaranteed to receive and process plaintext data.
S09, managing configuration, namely configuring and managing encryption strategies, algorithms and secret keys by using a Web interface provided by the middleware;
S010, processing stock data: re-encrypting existing data that was processed with the old encryption scheme, to ensure compatibility with the new scheme;
The stock data, although already subjected to the desensitization processing of the old scheme, may not be decrypted by the new scheme due to the change of the encryption algorithm or key management policy in the new scheme. Thus, the stock data must be re-desensitized to ensure data security, consistency, and compatibility with the new system.
Assuming that in the users table the original data has been desensitized according to the old scheme, the email field is encrypted using the old encryption algorithm. Now, the email field needs to be re-desensitized according to the new scheme, encrypted using the new AES-256 algorithm.
(1) Ciphertext column addition
A new ciphertext column new_encrypted_email is added to the users table for storing the data encrypted using the new algorithm.
(2) Reading and decrypting old data
All existing email field data is extracted from the database, which is encrypted by the old scheme. The data is decrypted, if necessary, to recover the original information.
(3) Encrypting with the new algorithm
An encryption algorithm (AES-256) in the new scheme is applied to the read data and the encrypted result is stored in a new ciphertext column new_encrypted_email.
(4) Updating a database
New encrypted data is written to the new_encrypted_email column while the old email column is retained, so that the data remains protected and the operation can be rolled back.
(5) Verification and inspection
Ensuring that all data has been properly encrypted and written to the new ciphertext column. Verification can be performed by comparing the original data with the encrypted data, or by sample decryption.
(6) Switching to a new encrypted column
After verifying that the new encrypted data is correct, the system is switched to use the new encrypted email column for data read-write operation. At this point, all queries and operations will be subject to the new encrypted data.
(7) Deleting old encrypted data columns
In the event that the system is confirmed to be operating stably and old data is no longer needed, the old email column may be selected for deletion to switch entirely to the new encryption scheme.
And S011, ending to finish the data security management flow.
It should be noted that although the operations of the method of the present invention are described in a particular order in the above embodiments and the accompanying drawings, this does not require or imply that the operations must be performed in the particular order or that all of the illustrated operations be performed in order to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform.
In order to more clearly explain the above-mentioned non-invasive data information security management method, the following description is provided with reference to specific embodiments, however, it should be noted that the embodiments are only for better explaining the present invention, and do not constitute an undue limitation of the present invention.
As shown in fig. 1, the present invention relates to a non-invasive data information security management method, which includes:
S01, middleware deployment, namely deploying database middleware between an application program and a database, wherein the database middleware is hereinafter referred to as middleware and is used as a proxy for data interaction;
As shown in fig. 2, S02, connection management: the middleware manages database connections and uses a connection pool to optimize resource usage;
Further, the database middleware is an agent layer between the application program and the database, and provides a unified connection interface, so that the interaction flow of the application program and the database is simplified;
The database middleware adopts an efficient database connection pool mechanism to uniformly manage the connection with a plurality of database instances;
And the database middleware applies a load balancing strategy, and selects optimal database connection according to real-time system load conditions, wherein the optimal database connection comprises a database instance with the shortest response time, the lightest load or the closest geographic position.
The resource consumption of frequently creating and destroying connections is significantly reduced, so the overall performance of the system is improved.
According to the enterprise scale and business requirement, a single-node or multi-node deployment architecture is flexibly selected to enhance the availability of the system and realize load balancing.
Further, the functions of the database middleware integration comprise connection management, SQL statement analysis and rewriting, data encryption and decryption processing and a cache management mechanism.
For example:
The original application program connected directly to the database through jdbc:mysql://db_host:3306/mydatabase; the connection is now made through the middleware, and only the connection string needs to be updated to jdbc:mysql://autoproxy:3306/mydatabase. Such a change simplifies the configuration of the application while delegating the complexity and security management of the connection to the middleware.
The design of middleware focuses on providing the highest level of data security without sacrificing performance. Through configuration and intelligent analysis in the memory, middleware can quickly respond to SQL requests, and meanwhile confidentiality and integrity of data are ensured.
The middleware can provide a high-efficiency, safe and transparent data encryption and decryption solution for application programs, simplifies the complexity of data security management, and improves the security of data operation.
Through the measures, the middleware not only improves the efficiency and the safety of data access, but also provides a flexible and extensible database access solution for enterprises.
Middleware provides a visual Web interface for administrators to configure and manage encryption policies and algorithms. The interface is the core configuration center of the middleware system and is responsible for all encryption related settings.
Standard encryption algorithms: the Web interface lists a range of standard encryption algorithms, such as AES, MD5, RC4, SM3/SM4, etc. The administrator may select the appropriate algorithm and configure the relevant parameters, such as the encryption key, encryption mode (e.g., CBC, ECB, etc.) and encryption strength (e.g., AES-128, AES-256, etc.).
Key management: an administrator may manage encryption keys on the interface, including key generation, storage, rotation and the like. The system provides hierarchical management of keys, ensuring that data of different sensitivities uses different keys.
Uploading and configuring a custom encryption and decryption algorithm. Uploading a custom Java library: the administrator uploads a custom Java library on the Web interface, and the library comprises a custom encryption algorithm 'CustomEncrypt'. This algorithm may be designed according to specific business requirements, providing encryption characteristics or performance advantages that standard algorithms cannot offer.
Custom algorithm selection and configuration: in the Web interface, the administrator chooses to apply the 'CustomEncrypt' algorithm to the custom_field field of the users table. The administrator may further configure parameters of the algorithm such as encryption strength, mode, etc.
Uploading a key management script: in addition to the Java library of the custom encryption algorithm, the administrator also needs to upload a key management script. The script is used to manage the keys required by the 'CustomEncrypt' algorithm.
The script comprises the following functions:
Key generation and distribution: the script may contain logic to dynamically generate keys, which are generated or selected based on specific contexts (e.g., field names, usage scenarios).
Key rotation and updating: defining a rotation strategy for the key so as to update it periodically and improve the security of the system. The script may implement the revocation of the old key and the replacement flow of the new key.
Key access control: setting access rights to the key through the script, ensuring that only authorized users or system components can access and use the key.
Encryption and decryption policy definition and selection:
Encryption policies: an administrator may define encryption policies through the Web interface, including selection of which fields need to be encrypted, which encryption algorithm to use, selection of keys, and so forth. For example, AES-256 encryption may be selected for the password field of the users table and a particular key specified.
Decryption policies, corresponding to encryption policies, may also be defined by an administrator. The decryption policy defines how the encrypted data is restored, typically including selecting a corresponding decryption algorithm and key. For example, when reading data, decryption is required using the same key and algorithm as when encrypting.
Policy refinement, an administrator may choose different encryption and decryption policies based on the sensitivity and type of data. For example, for highly sensitive data (e.g., financial information), a stronger encryption algorithm and more complex key management policies may be selected, and for less sensitive data (e.g., published user information), a simple hash process may be selected.
S03, receiving an SQL request, and receiving the SQL request from the application program by the middleware;
further, the step S03 includes:
S031, configuration predefinition: the middleware uses a centralized configuration file or database table to maintain sensitive field information, which comprises field names, associated tables, data types and encryption requirements; this information is defined and loaded during system initialization;
S032, loading the configuration data into memory when the middleware starts so that it can be accessed quickly, where the configuration data comprises field encryption requirements and any access control rules.
S04, analyzing the SQL request: the middleware analyzes the received SQL request to identify the operation type and related data;
Further, step S04 includes: after the middleware receives the SQL request, the key information is extracted by the parsing engine, where the key information includes the operation type (such as SELECT, INSERT, UPDATE), data tables, fields and query conditions.
S05, identifying sensitive fields: the middleware judges whether the SQL request contains sensitive fields that need special treatment;
Further, step S05 comprises: the parsing engine compares the fields involved in the request with the sensitive field list in memory and identifies the fields needing an encryption or decryption operation.
For example, if the email field of the users table is marked as sensitive and needs to be encrypted, the middleware will recognize and process all access requests to that field.
S06, applying encryption and decryption: if the fields are sensitive fields, the middleware automatically applies the encryption and decryption algorithm;
further, the step S06 includes:
S061, configuring an algorithm, wherein the encryption or decryption requirement of each sensitive field is defined in detail in the configuration, and the encryption or decryption requirement comprises parameters such as the type of the selected algorithm, an encryption key, an encryption mode and the like;
and S062, loading and applying the algorithm, loading a corresponding algorithm by the middleware according to configuration at the starting time, and dynamically inserting an encryption or decryption function during SQL execution.
For example, for an email field encrypted using the AES algorithm, the middleware will automatically pass the email value in the SQL statement to the AES encryption function;
S063, determining function names and parameters: according to the encryption configuration of the fields, the middleware determines the function name to be inserted and the required parameters, including the field value, key, encryption mode and so on.
For example, for an email field that needs to be encrypted, the middleware rewrites the condition email='user@example.com' in the SQL statement to email=aes_encryption_function('user@example.com', 'key12345', 'CBC'), ensuring that the data is encrypted correctly before storage.
S07, executing SQL operation, and executing the modified SQL request on a database to perform data access operation;
S08, returning a result, returning an execution result to the application program, and decrypting the data by the middleware;
Further, step S08 includes: the middleware calls the corresponding decryption function before sending the encrypted data back to the application program and converts the encrypted field back to its original format, so as to ensure that the application program receives and processes plaintext data.
S09, managing configuration, namely configuring and managing encryption strategies, algorithms and secret keys by using a Web interface provided by the middleware;
S010, processing stock data: re-encrypting existing data that was processed with the old encryption scheme, to ensure compatibility with the new scheme;
The stock data, although already subjected to the desensitization processing of the old scheme, may not be decrypted by the new scheme due to the change of the encryption algorithm or key management policy in the new scheme. Thus, the stock data must be re-desensitized to ensure data security, consistency, and compatibility with the new system.
Assuming that in the users table the original data has been desensitized according to the old scheme, the email field is encrypted using the old encryption algorithm. Now, the email field needs to be re-desensitized according to the new scheme, encrypted using the new AES-256 algorithm.
(1) Ciphertext column addition
A new ciphertext column new_encrypted_email is added to the users table for storing the data encrypted using the new algorithm.
(2) Reading and decrypting old data
All existing email field data is extracted from the database, which is encrypted by the old scheme. The data is decrypted, if necessary, to recover the original information.
(3) Encrypting with the new algorithm
An encryption algorithm (AES-256) in the new scheme is applied to the read data and the encrypted result is stored in a new ciphertext column new_encrypted_email.
(4) Updating a database
New encrypted data is written to the new_encrypted_email column while the old email column is retained, so that the data remains protected and the operation can be rolled back.
(5) Verification and inspection
Ensuring that all data has been properly encrypted and written to the new ciphertext column. Verification can be performed by comparing the original data with the encrypted data, or by sample decryption.
(6) Switching to a new encrypted column
After verifying that the new encrypted data is correct, the system is switched to use the new encrypted email column for data read-write operation. At this point, all queries and operations will be subject to the new encrypted data.
(7) Deleting old encrypted data columns
In the event that the system is confirmed to be operating stably and old data is no longer needed, the old email column may be selected for deletion to switch entirely to the new encryption scheme.
Raw data:
ID:1
Name:Alice
Email:"OldEncryptedEmailData"
New encrypted data:
ID:1
Name:Alice
New_Encrypted_Email:"NewEncryptedEmailData"
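The seven-step stock-data procedure above (also given in the summary at S010), as an added runnable example written for this page in Python against an in-memory SQLite users table; it is not the patent's code. For offline use the old and new schemes are constructed stand-in ciphers (HMAC-SHA256 keystreams, the new one with a per-value nonce), not the AES-256 the text names, and the key values and the old_encrypted_email column name are assumptions.

```python
import base64
import hashlib
import hmac
import os
import sqlite3


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode: a constructed stand-in cipher core, not AES."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(data, stream):
    return bytes(a ^ b for a, b in zip(data, stream))


class LegacyScheme:
    """Old scheme (assumed): static key, no nonce, so equal plaintexts repeat as ciphertext."""

    def __init__(self, key):
        self.key = key

    def encrypt(self, text):
        data = text.encode()
        return base64.b64encode(_xor(data, _keystream(self.key, b"", len(data)))).decode()

    def decrypt(self, token):
        data = base64.b64decode(token)
        return _xor(data, _keystream(self.key, b"", len(data))).decode()


class NewScheme:
    """New scheme: fresh 16-byte nonce per value; stands in for the page's AES-256."""

    def __init__(self, key):
        self.key = key

    def encrypt(self, text):
        nonce, data = os.urandom(16), text.encode()
        return base64.b64encode(nonce + _xor(data, _keystream(self.key, nonce, len(data)))).decode()

    def decrypt(self, token):
        raw = base64.b64decode(token)
        return _xor(raw[16:], _keystream(self.key, raw[:16], len(raw) - 16)).decode()


def build_legacy_db(old, people):
    """Constructed fixture: a users table whose email column holds old-scheme ciphertext."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)",
                     [(i, n, old.encrypt(e)) for i, (n, e) in enumerate(people, start=1)])
    conn.commit()
    return conn


def migrate_email_column(conn, old, new, sample_size=2):
    """Steps (1)-(7) of the stock-data procedure for users.email; returns a report."""
    cur = conn.cursor()
    cur.execute("ALTER TABLE users ADD COLUMN new_encrypted_email TEXT")       # (1)
    rows = cur.execute("SELECT id, email FROM users").fetchall()                # (2)
    plaintext = {rid: old.decrypt(ct) for rid, ct in rows}
    for rid, text in plaintext.items():                                        # (3) + (4)
        cur.execute("UPDATE users SET new_encrypted_email = ? WHERE id = ?", (new.encrypt(text), rid))
    # (5) every row must carry new ciphertext, and a sample must decrypt back to the
    # recovered plaintext; on failure roll back so the old column stays authoritative.
    missing = cur.execute("SELECT COUNT(*) FROM users WHERE new_encrypted_email IS NULL").fetchone()[0]
    if missing:
        conn.rollback()
        raise RuntimeError(f"{missing} rows were not re-encrypted")
    sample = cur.execute("SELECT id, new_encrypted_email FROM users ORDER BY id LIMIT ?",
                         (sample_size,)).fetchall()
    for rid, ct in sample:
        if new.decrypt(ct) != plaintext[rid]:
            conn.rollback()
            raise RuntimeError(f"sample row {rid} failed the decryption check")
    # (6) switch reads and writes to the new column; the old one is kept for rollback
    cur.execute("ALTER TABLE users RENAME COLUMN email TO old_encrypted_email")
    cur.execute("ALTER TABLE users RENAME COLUMN new_encrypted_email TO email")
    # (7) optional: drop the old column once stable (DROP COLUMN needs SQLite >= 3.35)
    dropped = sqlite3.sqlite_version_info >= (3, 35, 0)
    if dropped:
        cur.execute("ALTER TABLE users DROP COLUMN old_encrypted_email")
    conn.commit()
    return {"rows": len(rows), "sampled": len(sample), "old_column_dropped": dropped}


if __name__ == "__main__":
    old = LegacyScheme(b"legacy-static-key")
    new = NewScheme(hashlib.sha256(b"my_secure_key_256_bits_1234567890abcd").digest())
    conn = build_legacy_db(old, [("Alice", "alice@example.com"), ("Bob", "bob@example.com")])
    print(migrate_email_column(conn, old, new))
    print([new.decrypt(ct) for (ct,) in conn.execute("SELECT email FROM users ORDER BY id")])
```

Until step (6) every change is additive, so a failed verification leaves the old column as the only source of truth; the deterministic legacy scheme also shows why re-encryption, not just re-keying, is needed when the old design leaks equal values.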
and S011, ending to finish the data security management flow.
As shown in fig. 3, a complete implementation procedure of the present invention includes:
Starting: the flow begins;
Receiving an SQL request: the middleware receives the SQL request from the application program;
The SQL parsing module of the middleware starts working;
The parsing module identifies the operation type of the SQL statement;
Field information: extracting the tables and fields involved in the SQL statement;
WHERE clause and other conditions: extracting the condition part of the SQL statement, such as the WHERE clause;
Matching the extracted field information against the predefined sensitive field list;
Marking fields needing encryption/decryption: if a field is a sensitive field, the parsing module marks it as needing encryption or decryption;
No processing required: if a field is not a sensitive field, no additional processing is required;
Determining encryption/decryption algorithms and parameters: determining the corresponding algorithm and parameters for the fields needing encryption or decryption;
Inserting an encryption/decryption function: inserting the corresponding encryption or decryption function call in the SQL statement;
Executing the SQL statement: sending the modified SQL statement to the database for execution;
Encrypting and decrypting the encrypted field: encrypting the field before writing the data into the database, and decrypting it when reading it from the database;
Decrypting the data before returning the result, to ensure that the data returned to the application program is plaintext so that the application program can process it normally;
Returning the result to the application program: the processed data is returned to the application program as the query result;
Ending the flow.
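A worked example of steps S03 to S08 and of the fig. 3 flow above, written for this page in Python and not taken from the patent: it holds a constructed sensitive-field list in memory, parses SELECT, INSERT and UPDATE statements, and rewrites string literals for sensitive fields into the aes_encryption_function(...) call the text describes. The decryption counterpart aes_decryption_function, the key reference names and the tables are assumptions.

```python
import re
from dataclasses import dataclass, field

# Constructed sensitive-field configuration (step S031), loaded once at start (S032):
# one entry per (table, field) with data type and encryption requirement. The
# database-side functions aes_encryption_function / aes_decryption_function and the
# key names are assumptions; 'key12345' is passed as a key reference that the
# database side resolves, so raw key material never lands in SQL text or query logs.
SENSITIVE_FIELDS = {
    ("users", "email"): {"type": "VARCHAR", "algorithm": "AES", "key_ref": "key12345", "mode": "CBC"},
    ("users", "password"): {"type": "VARCHAR", "algorithm": "AES-256", "key_ref": "pwd_key", "mode": "CBC"},
}

LITERAL = r"'(?:[^']|'')*'"  # single-quoted SQL literal; '' escapes a quote
PAIR_RE = re.compile(r"(\b\w+)\s*=\s*(" + LITERAL + ")")
SELECT_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(?:\s+WHERE\s+(.+?))?\s*;?\s*$", re.I | re.S)
INSERT_RE = re.compile(r"^\s*INSERT\s+INTO\s+(\w+)\s*\(([^)]*)\)\s*VALUES\s*\((.*)\)\s*;?\s*$", re.I | re.S)
UPDATE_RE = re.compile(r"^\s*UPDATE\s+(\w+)\s+SET\s+(.+?)(?:\s+WHERE\s+(.+?))?\s*;?\s*$", re.I | re.S)


@dataclass
class RewriteResult:
    operation: str
    table: str
    sensitive_fields: list = field(default_factory=list)
    sql: str = ""


def _lookup(table, column, result):
    """Step S05: match a field against the in-memory list; record each hit once."""
    cfg = SENSITIVE_FIELDS.get((table.lower(), column.lower()))
    if cfg and column.lower() not in result.sensitive_fields:
        result.sensitive_fields.append(column.lower())
    return cfg


def _encrypt_call(cfg, literal):
    # Step S063: function name plus field value, key reference and mode. The
    # literal is copied verbatim, so the rewrite adds no new injection surface.
    return f"aes_encryption_function({literal}, '{cfg['key_ref']}', '{cfg['mode']}')"


def _decrypt_call(cfg, column):
    return f"aes_decryption_function({column}, '{cfg['key_ref']}', '{cfg['mode']}') AS {column}"


def _split_top_level(text):
    """Split a comma-separated SQL list, ignoring commas inside quotes or parentheses."""
    parts, cur, depth, in_quote = [], [], 0, False
    for ch in text:
        if ch == "'":
            in_quote = not in_quote
        elif not in_quote and ch in "()":
            depth += 1 if ch == "(" else -1
        elif not in_quote and ch == "," and depth == 0:
            parts.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def _rewrite_pairs(table, clause, result):
    """Rewrite col = 'literal' pairs in a WHERE or SET clause for sensitive columns."""
    def repl(m):
        cfg = _lookup(table, m.group(1), result)
        if cfg is None:
            return m.group(0)
        return f"{m.group(1)} = {_encrypt_call(cfg, m.group(2))}"
    return PAIR_RE.sub(repl, clause)


def rewrite_sql(sql):
    """Steps S04-S06: identify operation, table and fields; insert encrypt/decrypt calls."""
    if m := SELECT_RE.match(sql):
        cols, table, where = _split_top_level(m.group(1)), m.group(2), m.group(3)
        if cols == ["*"]:
            # A wildcard hides the column list; decrypt returned rows instead (step S08).
            raise ValueError("SELECT * cannot be rewritten column-wise")
        result, out = RewriteResult("SELECT", table), []
        for c in cols:
            cfg = _lookup(table, c, result)
            out.append(_decrypt_call(cfg, c) if cfg else c)
        result.sql = f"SELECT {', '.join(out)} FROM {table}"
        if where:
            result.sql += " WHERE " + _rewrite_pairs(table, where, result)
        return result
    if m := INSERT_RE.match(sql):
        table, cols, vals = m.group(1), _split_top_level(m.group(2)), _split_top_level(m.group(3))
        if len(cols) != len(vals):
            raise ValueError("column/value count mismatch")
        result, out = RewriteResult("INSERT", table), []
        for c, v in zip(cols, vals):
            cfg = _lookup(table, c, result)
            out.append(_encrypt_call(cfg, v) if cfg else v)
        result.sql = f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({', '.join(out)})"
        return result
    if m := UPDATE_RE.match(sql):
        table, assigns, where = m.group(1), m.group(2), m.group(3)
        result = RewriteResult("UPDATE", table)
        result.sql = f"UPDATE {table} SET " + _rewrite_pairs(table, assigns, result)
        if where:
            result.sql += " WHERE " + _rewrite_pairs(table, where, result)
        return result
    raise ValueError("unsupported statement")
```

The example passes a key reference rather than key material into the rewritten statement, because anything embedded in SQL text can end up in query logs and slow-query captures outside the middleware's control.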
Standard encryption configuration example:
Assume that a database table named users contains the following fields: ID, Name, Password. The Password field needs to be encrypted and decrypted using the standard encryption algorithm AES-256.
Raw data:
ID:1
Name:Bob
Password:MySecretPassword
Standard encryption process:
Selecting the standard encryption algorithm: the administrator selects AES-256 in the Web interface as the encryption algorithm for the Password field.
Key management: to ensure data security, the administrator specifies a key for encryption operations. Assume that the key is my_secure_key_256_bits_1234567890abcd.
Encryption function call: the Password field is encrypted using the AES-256 algorithm and the specified key.
Exemplary encryption function call (pseudo code)
String encryptedPassword=AES256.encrypt("MySecretPassword",
"my_secure_key_256_bits_1234567890abcd");
Encrypted data:
ID:1
Name:Bob
Password:AES_ENCRYPTED_DATA
Where AES_ENCRYPTED_DATA is the encrypted ciphertext, for example, X4FsdGVkX19hzZDnZ1NQ6Y2/97b0==
Standard decryption process:
When reading data, the system uses the corresponding decryption function and the stored key to decrypt.
Example decryption function call (pseudo code)
String decryptedPassword=AES256.decrypt("AES_ENCRYPTED_DATA",
"my_secure_key_256_bits_1234567890abcd");
Decrypted data:
ID:1
Name:Bob
Password:MySecretPassword
Custom encryption and decryption configuration examples:
Assume that a database table named users contains the following fields: ID, Name, Custom_Field. The Custom_Field field requires encryption and decryption using the custom encryption algorithm 'CustomEncrypt'.
Raw data:
ID:1
Name:Alice
Custom_Field:SensitiveData123
Custom encryption process:
Encryption algorithm library: the Java library uploaded by the administrator, which implements the custom encryption algorithm.
Key management script: the administrator also uploads a custom CustomKeyManager.java script for managing the encryption key.
Encryption function call:
The encryption is performed by the encryption function in the CustomEncrypt library, using the key provided by CustomKeyManager.
Exemplary encryption function call
String encryptedData=CustomEncrypt.encrypt("SensitiveData123",
"secure_key_12345");
Encrypted data:
ID:1
Name:Alice
Custom_Field:ENCRYPTED_DATA
Wherein ENCRYPTED_DATA is an unreadable encryption result, such as XFsdGVkX1+21kiw87qs53lkzr9+e/q==
The custom decryption process:
When reading data, the system decrypts using the custom decryption function and the key provided by CustomKeyManager.
Example decryption function call
String decryptedData=CustomEncrypt.decrypt("ENCRYPTED_DATA",
"secure_key_12345");
Decrypted data:
ID:1
Name:Alice
Custom_Field:SensitiveData123
By decryption, the original data SensitiveData123 is successfully restored.
Based on the same inventive concept, the invention also provides a non-invasive data information security management device. The implementation of the device can refer to the implementation of the above method, and repeated content is not described again. The term "module" as used below may be a combination of software and/or hardware that implements the intended function. While the means described in the following embodiments are preferably implemented in software, implementation in hardware, or a combination of software and hardware, is also possible and contemplated.
FIG. 4 is a schematic diagram of a non-invasive data information security management apparatus according to the present invention. As shown in fig. 4, the apparatus includes:
The middleware deployment module 101 deploys database middleware between the application program and the database, where the database middleware is hereinafter referred to as middleware and is used as a proxy for data interaction;
The connection management module 102: the middleware manages database connections, using a connection pool to optimize resource usage;
The receive SQL request module 103: the middleware receives SQL requests from the application;
The parse SQL request module 104: the middleware parses the received SQL request to identify the operation type and related data;
The sensitive field module 105: the middleware judges whether the SQL request contains sensitive fields that need special processing;
The apply encryption and decryption module 106: if the fields are sensitive fields, the middleware automatically applies the encryption and decryption algorithm;
The execute SQL operation module 107: the modified SQL request is executed on the database to perform the data access operation;
The return result module 108: the execution result is returned to the application program, and the middleware decrypts the data;
The management configuration module 109: encryption policies, algorithms and keys are configured and managed using the Web interface provided by the middleware;
The process stock data module 110: existing data processed using the old encryption scheme is re-encrypted to ensure compatibility with the new scheme;
The end module 111 completes the data security management flow.
It should be noted that although several modules of a non-invasive data information security management apparatus are mentioned in the above detailed description, this division is merely exemplary and not mandatory. Indeed, the features and functions of two or more modules described above may be embodied in one module in accordance with embodiments of the present invention. Conversely, the features and functions of one module described above may be further divided into a plurality of modules to be embodied.
Based on the foregoing inventive concept, as shown in fig. 5, the present invention further proposes a computer device 200, including a memory 210, a processor 220, and a computer program 230 stored in the memory 210 and capable of running on the processor 220, where the processor 220 implements the foregoing non-invasive data information security management method when executing the computer program 230.
Based on the foregoing inventive concept, the present invention also provides a computer readable storage medium. The invention has the following beneficial effects:
Transparency and code non-invasiveness: the application program can use the encryption and decryption functions provided by the database middleware without modifying existing code, so that automatic protection of the data is realized and the technical complexity of development and maintenance work is significantly reduced.
The middleware has the capability of automatically identifying the sensitive fields in the SQL sentences, and can automatically apply proper encryption and decryption logic, thereby simplifying the data protection flow and ensuring the safety of the data in each link.
The flexible strategy configuration and management interface provides a visual and easy-to-use Web interface, so that an administrator can flexibly define and adjust the encryption strategy based on the type and sensitivity of data, including key management, algorithm selection and the like, and the configurability and the management convenience of the system are enhanced.
According to the non-invasive data information security management method and device, the control surface of the API gateway updates the release plan through the service of gray release, and meanwhile, the release state of gray is monitored, so that various gray release strategies can be fused, and the controllability and compatibility of gray release are improved.
While the spirit and principles of the present invention have been described with reference to several particular embodiments, it is to be understood that the invention is not limited to the disclosed embodiments; the division into aspects is merely for convenience of description and does not imply that features of the various aspects cannot be usefully combined. The invention is intended to cover various modifications and equivalent arrangements included within the spirit and scope of the appended claims.
Various implementations of the systems and techniques described here above can be implemented in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include being implemented in one or more computer programs that are executable and/or interpretable on a programmable system including at least one programmable processor, which may be a special or general purpose programmable processor, operable to receive data and instructions from, and to transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to the user and a keyboard and a pointing device (e.g., a mouse or a trackball) by which the user can provide input to the computer. Other kinds of devices may also be used to provide for interaction with a user, for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback), and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a Local Area Network (LAN), a Wide Area Network (WAN), and the Internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be appreciated that various forms of the flows shown above may be used to reorder, add, or delete steps. For example, the steps recited in the present disclosure may be performed in parallel or sequentially or in a different order, provided that the desired results of the technical solutions of the present disclosure are achieved, and are not limited herein.
The above detailed description should not be taken as limiting the scope of the present disclosure. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present disclosure are intended to be included within the scope of the present disclosure.
It should be apparent to those skilled in the art that various modifications or variations can be made in the present invention without requiring any inventive effort by those skilled in the art based on the technical solutions of the present invention.
Claims (12)
1. A method for non-intrusive data information security management, the method comprising:
S01, middleware deployment: deploying database middleware between an application program and a database, wherein the database middleware (hereinafter referred to as middleware) acts as a proxy for data interaction;
S02, connection management: the middleware manages database connections and uses a connection pool to optimize resource use;
S03, receiving an SQL request: the middleware receives an SQL request from the application program;
S04, analyzing the SQL request: the middleware parses the received SQL request to identify the operation type and related data;
S05, identifying sensitive fields: the middleware judges whether the SQL request contains sensitive fields that need special treatment;
S06, applying encryption and decryption: if the fields are sensitive fields, the middleware automatically applies an encryption and decryption algorithm;
S07, executing the SQL operation: the modified SQL request is executed on the database to perform the data access operation;
S08, returning the result: the execution result is returned to the application program, the middleware decrypting the data;
S09, managing configuration: encryption strategies, algorithms and keys are configured and managed through a Web interface provided by the middleware;
S010, processing stock data: existing data processed with the old encryption scheme is re-encrypted to ensure compatibility with the new scheme;
and S011, ending, to complete the data security management flow.
2. The non-invasive data information security management method according to claim 1, wherein the database middleware provides a unified connection interface as a proxy layer between the application program and the database;
the database middleware adopts a database connection pool mechanism to uniformly manage connections to a plurality of database instances;
and the database middleware applies a load balancing strategy, selecting the optimal database connection according to the real-time system load, wherein the optimal database connection is the database instance with the shortest response time, the lightest load or the closest geographic location.
3. The method according to claim 1, wherein the functions of the database middleware integration include connection management, SQL statement parsing and rewriting, data encryption and decryption processing, and cache management mechanism.
4. The non-invasive data information security management method according to claim 1, wherein S03 comprises:
S031, configuration predefinition: the middleware uses a centralized configuration file or database table to maintain sensitive field information, the sensitive field information comprising field names, associated tables, data types and encryption requirements, and this information is defined and loaded during system initialization;
S032, loading the configuration data into memory when the middleware starts, for quick access, the configuration data comprising field encryption requirements and any access control rules.
5. The method according to claim 1, wherein S04 includes, after the middleware receives the SQL request, extracting key information with a parsing engine, the key information including the operation type, data table, fields and query conditions.
6. The method according to claim 1, wherein S05 comprises the parsing engine comparing the fields involved in the request with the list of sensitive fields held in memory to identify the fields that need encryption or decryption.
7. The non-invasive data information security management method according to claim 1, wherein S06 comprises:
S061, configuring the algorithm: the encryption or decryption requirement of each sensitive field is defined in detail in the configuration, including the selected algorithm type, encryption key and encryption mode;
S062, loading and applying the algorithm: the middleware loads the corresponding algorithm according to the configuration at start-up and dynamically inserts an encryption or decryption function during SQL execution;
and S063, determining function names and parameters: the middleware determines the inserted function name and the required parameters, including the field value, key and encryption mode, according to the encryption configuration of the field.
8. The method of claim 1, wherein S08 comprises the middleware calling the corresponding decryption function to convert each encrypted field back to its original format before sending the data back to the application, the application receiving and processing plaintext data.
9. The non-invasive data information security management method according to claim 1, wherein the S010 includes:
S0101, adding a ciphertext column: a new ciphertext column is added to the users table for storing data encrypted with the new algorithm;
S0102, reading and decrypting old data: all existing field data is extracted from the database and decrypted to restore the original information;
S0103, re-encrypting with the new scheme: the encryption algorithm of the new scheme is applied to the read data and the encrypted result is stored in the new ciphertext column;
S0104, updating the database: the newly encrypted data is written into the new ciphertext column while the old ciphertext column is retained, to safeguard the data and allow rollback of the operation;
S0105, verifying and checking: it is confirmed, by comparing the original data with the encrypted data or by decrypting samples, that all data has been correctly encrypted and written into the new ciphertext column;
S0106, switching to the new ciphertext column: after verifying that the new encrypted data is correct, the system is switched to use the new ciphertext column for data read and write operations, so that all queries and operations are based on the new encrypted data;
S0107, deleting the old ciphertext column: once stable operation of the system is confirmed and the old data is no longer needed, the old ciphertext column is deleted and the switch to the new encryption scheme is complete.
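The proxy flow of claims 1 to 8 and the stock-data re-keying of claim 9 are both exercised by the following added example. It is not code from the patent or from any product implementing it. It assumes an in-memory SQLite database, a `users` table keyed by `id`, per-field keys held in the middleware's in-memory sensitive-field list (claim 4), and a stdlib construction (HMAC-SHA256 in counter mode with an encrypt-then-MAC tag) standing in for AES-GCM so that it runs without third-party packages; every name here (`EncryptingProxy`, `rekey_column`, `demo`, the `phone_v2` column) is hypothetical. One deliberate departure from claim 7: encryption and decryption happen inside the proxy rather than through functions inserted into the SQL text and executed by the database.

```python
import hashlib, hmac, os, re, sqlite3

def _prf_stream(key, nonce, n):
    """HMAC-SHA256 in counter mode: a stdlib stand-in for AES-GCM so this runs offline."""
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range((n + 31) // 32))
    return out[:n]

def encrypt(key, text):
    """Randomised encrypt-then-MAC: nonce || ciphertext || HMAC tag."""
    ek, mk = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce, pt = os.urandom(16), text.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _prf_stream(ek, nonce, len(pt))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    ek, mk = hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _prf_stream(ek, nonce, len(ct)))).decode()

INSERT_RE = re.compile(r"^\s*INSERT\s+INTO\s+(\w+)\s*\(([^)]*)\)\s*VALUES\s*\(([^)]*)\)\s*$", re.I)
SELECT_RE = re.compile(r"^\s*SELECT\s+(.+?)\s+FROM\s+(\w+)(.*)$", re.I | re.S)

class EncryptingProxy:
    """Proxy between application and database (S01). `sensitive` is the in-memory
    sensitive-field list of claim 4 in the form {table: {column: key}} (hypothetical
    layout). Only parameterised SQL is accepted, so values never come from literals."""
    def __init__(self, conn, sensitive):
        self.conn, self.sensitive = conn, sensitive
        self.physical = {}   # (table, logical column) -> physical column; set by rekey_column

    def _rewrite(self, sql, params):
        """S04/S05/S06: parse, match columns against the sensitive list, encrypt parameters."""
        m = INSERT_RE.match(sql)
        if m:
            table, cols = m.group(1), [c.strip() for c in m.group(2).split(",")]
            if m.group(3).count("?") != len(cols) or len(params) != len(cols):
                raise ValueError("one '?' placeholder per column is required")
            sens = self.sensitive.get(table, {})
            params = [encrypt(sens[c], v) if c in sens else v for c, v in zip(cols, params)]
            phys = ", ".join(self.physical.get((table, c), c) for c in cols)
            return f"INSERT INTO {table} ({phys}) VALUES ({m.group(3)})", params, []
        m = SELECT_RE.match(sql)
        if m:
            cols, table, rest = [c.strip() for c in m.group(1).split(",")], m.group(2), m.group(3)
            sens = self.sensitive.get(table, {})
            if any(c in sens for c in re.findall(r"(\w+)\s*=\s*\?", rest)):
                raise ValueError("randomised ciphertext cannot be matched by equality")
            phys = ", ".join(self.physical.get((table, c), c) for c in cols)
            return f"SELECT {phys} FROM {table}{rest}", params, [sens.get(c) for c in cols]
        raise ValueError("statement type not supported by this proxy")

    def execute(self, sql, params=()):
        """S07/S08: run the rewritten SQL, decrypt sensitive columns before returning rows."""
        sql, params, keys = self._rewrite(sql, list(params))
        rows = self.conn.execute(sql, params).fetchall()
        return [tuple(decrypt(k, v) if k else v for v, k in zip(row, keys)) for row in rows]

def rekey_column(proxy, table, col, new_col, new_key, pk="id"):
    """Claim 9 (S0101-S0107): re-encrypt stock data into a new ciphertext column."""
    c, old_key = proxy.conn, proxy.sensitive[table][col]
    old_phys = proxy.physical.get((table, col), col)
    c.execute(f"ALTER TABLE {table} ADD COLUMN {new_col} BLOB")                      # S0101
    for rowid, blob in c.execute(f"SELECT {pk}, {old_phys} FROM {table}").fetchall():
        c.execute(f"UPDATE {table} SET {new_col} = ? WHERE {pk} = ?",
                  (encrypt(new_key, decrypt(old_key, blob)), rowid))                # S0102-S0104
    for old_blob, new_blob in c.execute(f"SELECT {old_phys}, {new_col} FROM {table}"):
        if decrypt(old_key, old_blob) != decrypt(new_key, new_blob):                 # S0105
            raise RuntimeError("verification failed; old column kept for rollback")
    proxy.sensitive[table][col], proxy.physical[(table, col)] = new_key, new_col     # S0106
    try:
        c.execute(f"ALTER TABLE {table} DROP COLUMN {old_phys}")                     # S0107
    except sqlite3.OperationalError:
        pass   # SQLite older than 3.35 lacks DROP COLUMN; the old column just goes unused

def demo():
    """Constructed end-to-end run; keys are random here, a real deployment loads them (S09)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, phone BLOB)")
    proxy = EncryptingProxy(conn, {"users": {"phone": os.urandom(32)}})
    proxy.execute("INSERT INTO users (id, name, phone) VALUES (?, ?, ?)", (1, "alice", "13800000000"))
    at_rest = conn.execute("SELECT phone FROM users").fetchone()[0]   # what a DBA sees
    before = proxy.execute("SELECT name, phone FROM users WHERE id = ?", (1,))
    try:
        proxy.execute("SELECT name FROM users WHERE phone = ?", ("13800000000",))
        search_rejected = False
    except ValueError:
        search_rejected = True
    rekey_column(proxy, "users", "phone", "phone_v2", os.urandom(32))
    after = proxy.execute("SELECT name, phone FROM users WHERE id = ?", (1,))
    return {"at_rest": at_rest, "before": before, "after": after, "search_rejected": search_rejected}
```

`demo()` returns the row as the application sees it through the proxy before and after re-keying, the raw BLOB a database user sees at rest, and whether an equality predicate on the encrypted column was refused. Two points a practitioner should weigh follow from the claims' design. Inserting an encryption function and its key parameter into the SQL text, as S062 and S063 describe, hands the key to the database server inside the statement, where it is visible to the server process and to any statement logging; proxy-side encryption keeps the key out of the database entirely. And because each ciphertext carries a fresh nonce, `WHERE phone = ?` can never match, so the proxy rejects such queries rather than silently returning no rows; equality search over an encrypted field needs deterministic encryption or a separate blind index, which the claims do not describe.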
10. A non-invasive data information security management apparatus, the apparatus comprising:
a middleware deployment module, which deploys database middleware between the application program and the database, wherein the database middleware (hereinafter referred to as middleware) acts as a proxy for data interaction;
a connection management module, by which the middleware manages database connections and optimizes resource use with a connection pool;
an SQL request receiving module, by which the middleware receives an SQL request from the application program;
an SQL request analysis module, by which the middleware parses the received SQL request to identify the operation type and related data;
a sensitive field judging module, by which the middleware judges whether the SQL request contains a sensitive field that needs special processing;
an encryption and decryption application module, by which, if the fields are sensitive fields, the middleware automatically applies an encryption and decryption algorithm;
an SQL operation execution module, which executes the modified SQL request on the database to perform the data access operation;
a result returning module, which returns the execution result to the application program after the middleware decrypts the data;
a management configuration module, which configures and manages encryption strategies, algorithms and keys through a Web interface provided by the middleware;
a stock data processing module, which re-encrypts existing data processed with the old encryption scheme to ensure compatibility with the new scheme;
and an ending module, which completes the data security management flow.
11. A computer device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, characterized in that the processor implements the method of any of claims 1-9 when executing the computer program.
12. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program for executing the method of any one of claims 1-9.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411299152.6A CN119357988A (en) | 2024-09-18 | 2024-09-18 | A non-intrusive data information security management method and device |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202411299152.6A CN119357988A (en) | 2024-09-18 | 2024-09-18 | A non-intrusive data information security management method and device |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN119357988A true CN119357988A (en) | 2025-01-24 |
Family
ID=94318756
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202411299152.6A Pending CN119357988A (en) | 2024-09-18 | 2024-09-18 | A non-intrusive data information security management method and device |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN119357988A (en) |
Cited By (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN120046196A (en) * | 2025-04-25 | 2025-05-27 | 中科云谷科技有限公司 | Data processing method, application terminal, security management platform and storage medium |
| CN120372640A (en) * | 2025-04-02 | 2025-07-25 | 北京中安星云软件技术有限公司 | Method and device for encrypting database data storage |
- 2024-09-18 CN CN202411299152.6A patent/CN119357988A/en active Pending
Similar Documents
| Publication | Title |
|---|---|
| US20230185937A1 (en) | Controlling access to application data |
| JP5635978B2 (en) | Authenticated database connection for applications without human intervention |
| EP1680727B1 (en) | Distributed document version control |
| JP6482526B2 (en) | Security service management for computer applications by changing object code of computer applications |
| US9672236B2 (en) | Client computer for querying a database stored on a server via a network |
| US8925108B2 (en) | Document access auditing |
| US9430211B2 (en) | System and method for sharing information in a private ecosystem |
| US20170163419A1 (en) | Encrypted File Storage |
| US20130212707A1 (en) | Document control system |
| CN119357988A (en) | A non-intrusive data information security management method and device |
| US20170099144A1 (en) | Embedded encryption platform comprising an algorithmically flexible multiple parameter encryption system |
| US11005847B2 (en) | Method, apparatus and computer program product for executing an application in clouds |
| US9002790B2 (en) | Hosted storage locking |
| WO2010150008A2 (en) | Method and system for provision of cryptographic services |
| US10630722B2 (en) | System and method for sharing information in a private ecosystem |
| CN106992851B (en) | TrustZone-based database file password encryption and decryption method and device and terminal equipment |
| US11386194B1 (en) | Generating and validating activation codes without data persistence |
| EP3809300A1 (en) | Method and apparatus for data encryption, method and apparatus for data decryption |
| US9607176B2 (en) | Secure copy and paste of mobile app data |
| JP2009510616A (en) | System and method for protecting sensitive data in a database |
| US11263328B2 (en) | Encrypted log aggregation |
| CN116015767A (en) | A data processing method, device, equipment and medium |
| Ngo et al. | Serverless computing architecture security and quality analysis for back-end development |
| CN113946850B (en) | A method, apparatus, electronic and storage medium for using a key |
| CN115130141A (en) | Document processing method and device, mobile terminal and storage medium |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | | |
| SE01 | Entry into force of request for substantive examination | | |