Netinfo Security (信息网络安全) ›› 2021, Vol. 21 ›› Issue (10): 48-53. doi: 10.3969/j.issn.1671-1122.2021.10.007

• Selected Papers •

A Security Management Framework for Data Sensitivity and Multidimensional Classification (original title: 多维度数据分级分类安全管理框架)

LIU Hong 1,2 (刘红), ZHANG Yuejin 3 (张越今), ZHAO Wenxia 4 (赵文霞), YANG Mu 4 (杨牧)

  1. Run Technologies Co., Ltd. Beijing (北京锐安科技有限公司), Beijing 100192, China
  2. Beijing Cyberspace Data Analysis and Applied Engineering Technology Research Center, Beijing 100192, China
  3. Smart City College, Beijing Union University, Beijing 100101, China
  4. Beijing Municipal Public Security Bureau, Beijing 100055, China
  • Received: 2021-06-15 Online: 2021-10-10 Published: 2021-10-14
  • Corresponding author: LIU Hong, E-mail: liuhong@bjrun.com
  • About the authors: LIU Hong (b. 1982), female, Beijing, Ph.D.; main research area: information security. ZHANG Yuejin (b. 1970), male, Jilin, professor, Ph.D.; main research area: network and information security. ZHAO Wenxia (b. 1983), female, Shandong, senior engineer, M.S.; main research area: data governance. YANG Mu (b. 1984), male, Beijing, M.S.; main research area: data security.
  • Funding:
    Key Project of the Ministry of Public Security Technology Research Program (2020JSYJA09)

Abstract (translated from the Chinese original):

Data grading and classification security management currently lacks a unified standard and framework, and traditional grading and classification methods have limited expressive power. To address this, the paper proposes a system framework, built on a declarative logic programming language, for expressing and computing multidimensional data grading (sensitivity level) and classification; it supports fine-grained grading and classification settings, efficient queries, and analysis. First, in terms of expressive power and complexity, in addition to traditional security labels the framework supports grading and classification that is not oriented to individual data records, that carries parameters, or that involves the interaction of multiple data resources, and worked instances are given. Second, on top of grading and classification, several kinds of data security analysis and management can be carried out within the same framework. Because the language is purely declarative, grading and classification security management can be implemented on existing systems at low cost, and the underlying computation framework and storage are decoupled from the upper-layer grading and classification logic; this eases system optimization and upgrades, reduces the impact of the security mechanism on system performance, and helps put data grading and classification security management into practice.

Keywords: data security, grading and classification (分级分类), logic programming, big data

Abstract (authors' English version):

There is as yet no consensus on a standard or a technical architecture for data sensitivity and classification management, and conventional tools for realizing data sensitivity and classification have very limited expressive power. This paper proposes a framework for expressing and computing data sensitivity and multidimensional data classification. The method is based on a declarative logic programming language and can define and analyze data sensitivity and classification with fine granularity and high efficiency. First, in terms of expressive power and complexity, besides supporting conventional security labels, it can express and compute sensitivity and classification that is assigned not to individual data records, that is parameterized, or that concerns multiple data resources; examples are given to show the expressiveness and complexity of the method. Second, on top of sensitivity and classification, various data security analysis and management mechanisms can be implemented on the same framework. In addition, because the language is declarative, realizing data security on existing systems incurs low performance overhead and is transparent to the underlying computation and storage details, which benefits system migration and optimization, reduces the impact of the security mechanism on system performance, and facilitates the deployment of security mechanisms based on data sensitivity and classification.

Key words: data security, sensitivity and classification, logic programming, big data
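The abstracts above describe, but do not show, how a declarative logic-programming language can express grading and classification that is not tied to individual records, that carries parameters, or that depends on the interaction of several data resources, and how access analysis can then run over the same rule base. The following is an added example, not code from the paper or its authors: a minimal Datalog-style bottom-up evaluator in Python, with constructed facts and rules. The rule syntax, the resource and column names, the level scale 1 to 4, the aggregate threshold of 100 records and the convention that a resource's effective level is the highest level any rule derives are all assumptions of this example; the abstract does not name the logic language the authors used.

```python
"""Added example (not the paper's framework or code): a minimal Datalog-style
evaluator that expresses multidimensional data grading/classification as rules.
Assumptions: Datalog-like rules (the abstract names no language), constructed
sample facts, levels 1-4, and effective level = highest level any rule derives."""
import operator
from typing import Any, Dict, Iterator, List, Optional, Set, Tuple

Atom = Tuple[Any, ...]          # ("pred", arg, ...); string args starting with "?" are variables
Rule = Tuple[Atom, List[Atom]]  # (head, body); a body atom may start with a Python predicate
Env = Dict[str, Any]            # such as operator.ge, used as a built-in comparison

def is_var(t: Any) -> bool:
    return isinstance(t, str) and t.startswith("?")

def substitute(atom: Atom, env: Env) -> Atom:
    """Replace bound variables in an atom with their values."""
    return tuple(env.get(t, t) if is_var(t) else t for t in atom)

def unify(atom: Atom, fact: Atom, env: Env) -> Optional[Env]:
    """Match a body atom against a ground fact; return the extended binding or None."""
    if atom[0] != fact[0] or len(atom) != len(fact):
        return None
    env = dict(env)
    for a, f in zip(atom[1:], fact[1:]):
        if is_var(a):
            if env.get(a, f) != f:
                return None
            env[a] = f
        elif a != f:
            return None
    return env

def matches(body: List[Atom], known: Set[Atom], env: Env) -> Iterator[Env]:
    """Yield every binding under which all body atoms hold (built-ins need bound args)."""
    if not body:
        yield env
        return
    atom, rest = body[0], body[1:]
    if callable(atom[0]):
        if atom[0](*substitute(atom, env)[1:]):
            yield from matches(rest, known, env)
        return
    for fact in known:
        bound = unify(atom, fact, env)
        if bound is not None:
            yield from matches(rest, known, bound)

def evaluate(facts: Set[Atom], rules: List[Rule]) -> Set[Atom]:
    """Naive bottom-up fixed point: apply every rule until nothing new is derived."""
    known = set(facts)
    while True:
        new = {substitute(head, env) for head, body in rules
               for env in matches(body, known, {})} - known
        if not new:
            return known
        known |= new

# Constructed sample facts: columns of three resources, one conventional label,
# a join and two aggregates (last arg = group size K), and principal clearances.
FACTS: Set[Atom] = {
    ("column", "crm_customers", "name"), ("column", "crm_customers", "phone"),
    ("column", "crm_customers", "region"),
    ("column", "ehr_visits", "name"), ("column", "ehr_visits", "diagnosis"),
    ("column", "web_logs", "path"), ("column", "web_logs", "status"),
    ("level", "web_logs", 1),                      # conventional security label
    ("pii_field", "name"), ("pii_field", "phone"), ("special_category", "diagnosis"),
    ("join", "crm_x_ehr", "crm_customers", "ehr_visits"),
    ("aggregate", "region_stats", "crm_customers", 1000),
    ("aggregate", "small_stats", "crm_customers", 3),
    ("clearance", "analyst", 2), ("clearance", "dpo", 4),
}

RULES: List[Rule] = [
    # Not record-oriented: a resource is level 2 if it holds a PII column and
    # level 3 if it holds a special-category column, whatever its rows contain.
    (("level", "?T", 2), [("column", "?T", "?C"), ("pii_field", "?C")]),
    (("level", "?T", 3), [("column", "?T", "?C"), ("special_category", "?C")]),
    # Derived resources inherit every level of each source.
    (("level", "?J", "?L"), [("join", "?J", "?A", "?B"), ("level", "?A", "?L")]),
    (("level", "?J", "?L"), [("join", "?J", "?A", "?B"), ("level", "?B", "?L")]),
    # Interaction of resources: joining identifiers with health data re-identifies
    # patients, so the join is level 4 although neither source is.
    (("level", "?J", 4), [("join", "?J", "?A", "?B"),
                          ("column", "?A", "?C"), ("pii_field", "?C"),
                          ("column", "?B", "?D"), ("special_category", "?D")]),
    # Parameterized: aggregates over at least 100 records (assumed threshold) are
    # level 1; smaller groups inherit the source's levels.
    (("level", "?G", 1), [("aggregate", "?G", "?S", "?K"), (operator.ge, "?K", 100)]),
    (("level", "?G", "?L"), [("aggregate", "?G", "?S", "?K"), (operator.lt, "?K", 100),
                             ("level", "?S", "?L")]),
]

def effective_level(known: Set[Atom], resource: str) -> int:
    """Highest level any rule derived for the resource (0 = unclassified)."""
    return max((f[2] for f in known if f[:2] == ("level", resource)), default=0)

def may_access(known: Set[Atom], principal: str, resource: str) -> bool:
    """Access analysis on the same fact base: clearance must reach the effective level."""
    clearance = max((f[2] for f in known if f[:2] == ("clearance", principal)), default=0)
    return clearance >= effective_level(known, resource)

if __name__ == "__main__":
    db = evaluate(FACTS, RULES)
    for r in ("crm_customers", "ehr_visits", "web_logs", "crm_x_ehr", "region_stats", "small_stats"):
        print(f"{r:14} level {effective_level(db, r)}  analyst may read: {may_access(db, 'analyst', r)}")
```

Running the script lists each resource's effective level and whether a principal with clearance 2 may read it; the join `crm_x_ehr` comes out at level 4 even though its sources are at 2 and 3, and the two aggregates of the same table land at different levels purely because of the group-size parameter. The rules are data rather than code: the same `evaluate` function serves any rule set, which is the decoupling of classification logic from the evaluation engine that the abstract argues for. A production engine would use semi-naive evaluation or push the rules down into the data store's query layer instead of iterating over Python sets, but the rule base itself would not change.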
