Process isolation and encryption mechanism based security disc model and generation method thereof

A technology of security, confidentiality and process isolation, applied in the field of information security, that can solve the problems of network leaks, the inability to enforce centralized management of confidential documents, and application failures, and achieves the effect of solving compatibility problems.

Inactive Publication Date: 2014-10-01
HUNAN LANTOSEC SCI & TECH

AI Technical Summary

Problems solved by technology

Theoretically, this method can better guarantee, at the source, that corporate information cannot be diffused from the terminal, but long-term application practice has revealed the following problems:
1) The types of documents that need encryption protection and the applications involved are many, and the encryption software must support and be compatible with the various application systems and software. The workload of setting and testing encryption policies for different applications is very heavy, and the service pressure is relatively high;
2) because the encryption method is transparent encryption and decryption, there is a risk that the document is leaked through the network by the decryption process while the authorized process is transparently decrypting it;
3) during use of the encryption method, the configuration files on which the encrypting application depends when it starts or runs are encrypted as well. In some cases a configuration file is called by several applications; if another application that calls the file has no decryption permission, that application fails to run, causing additional maintenance workload and new inconvenience to users;
4) with this method, the confidential documents in the terminal are scattered in encrypted form across each storage disk, and mandatory centralized management of the confidential documents in the terminal cannot be realized.
However, virtual isolation technologies such as secure desktops and virtual desktops, used to prevent the proliferation of terminal confidential information, have the following shortcomings:
1) A virtual isolated desktop constructed from the real desktop using mechanisms such as registry and file redirection is a big step forward compared with virtual machine technology: it consumes far fewer terminal resources and the user experience is much better, but it remains a heavyweight isolation environment, and using large-scale application software in the virtual desktop, or switching frequently between the real and virtual desktops, easily leads to compatibility issues;
2) building a virtual isolated desktop from the real desktop to prevent terminal information leakage necessarily requires users to log in to the secure virtual desktop environment whenever they process sensitive information at the terminal;
3) the core of virtual desktop isolation technology is redirection, used to isolate and protect confidential documents, and it is deficient in the secure encryption and storage of the documents themselves;
4) in the virtual secure desktop environment, users often need to communicate externally through the network; if there is no other auxiliary means of fine-grained control and management of network access under the secure desktop, the network channel becomes the weak point of the virtual secure desktop in preventing the spread of terminal information.
[0007] It can be seen that the above three methods of preventing terminal information diffusion all have certain disadvantages and cannot meet the requirements of current information security technology.


Embodiment Construction

[0021] The present invention will be further described in detail below with reference to the drawings and specific embodiments.

[0022] The secure and confidential disk model based on the process isolation encryption mechanism has the structure shown in figure 1: it includes a virtual isolation running module, an I/O agent process encryption/decryption module, and a secure disk.

[0023] Among them, the virtual isolation operation module filters untrusted networks, trusted networks and external devices to obtain trusted processes. Once a trusted process accesses a data file in the secure and confidential disk, its state immediately changes to controlled process, and the controlled process is forced to run in a virtual isolated operating environment; in this virtual isolated operating environment, the controlled process's access to data files on the secure and confidential disk and to data files outside the secure and confidential disk are in...


Abstract

The invention discloses a process isolation and encryption mechanism based security disc model and a generation method thereof. The security disc model comprises a virtual isolating operation module, an I/O agent process encryption/decryption module and a security disc. The virtual isolating operation module acquires a credible process and converts it into a controlled process, which is forcibly placed in a virtual isolating operation environment for operation; the I/O agent process encryption/decryption module performs read and write operations on data files in the security disc in a transparent encrypt-on-write/decrypt-on-read manner; the security disc appears on the terminal host computer as an ordinary disc partition. The security disc model and its generation method can comprehensively manage and control the credible and controllable operation environment of terminal security processes, the mandatory encrypted filing management of the whole life cycle of security files from storage, conveying and application to destruction, and the network, printing, memory-leak and similar acts of a security program running on the terminal, and realize whole-process monitoring of the security files.
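The model the abstract describes, together with the trusted-to-controlled transition of paragraph [0023], as an added Python simulation that is not code from the patent or from Hunan Lantosec: a `SecureDisk` that stores only ciphertext, an `IOAgent` that encrypts on write and decrypts on read, and an `IsolationModule` that flips a trusted process to controlled on first contact with the secure disk and from then on refuses plaintext writes to other disks and outbound network. All class names, the `S:/` label, the sample document and the HMAC-SHA256 counter keystream are constructed for this example; the keystream is a standard-library stand-in for whatever cipher a real agent would use, not a recommendation.

```python
import hashlib
import hmac
import os

SECURE_DISK = "S:/"                                  # constructed label for the secure partition
SECRET = b"quarterly design notes, internal only"    # constructed sample document
TRUSTED, CONTROLLED, UNTRUSTED = "trusted", "controlled", "untrusted"


class SecureDisk:
    """Stands in for the partition: holds (nonce, ciphertext) per path, never plaintext."""

    def __init__(self):
        self.blocks = {}

    def raw(self, path):
        return self.blocks[path][1]      # what a reader that bypasses the agent sees


class IOAgent:
    """The I/O agent module: encrypt on write, decrypt on read, invisible to the process."""

    def __init__(self, key, disk):
        self.key = key
        self.disk = disk

    def _keystream(self, nonce, length):
        # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher.
        out, counter = bytearray(), 0
        while len(out) < length:
            out += hmac.new(self.key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
            counter += 1
        return bytes(out[:length])

    def write(self, path, plaintext):
        nonce = os.urandom(16)           # fresh per write, so the keystream is never reused
        ks = self._keystream(nonce, len(plaintext))
        self.disk.blocks[path] = (nonce, bytes(p ^ k for p, k in zip(plaintext, ks)))

    def read(self, path):
        nonce, ciphertext = self.disk.blocks[path]
        ks = self._keystream(nonce, len(ciphertext))
        return bytes(c ^ k for c, k in zip(ciphertext, ks))


class Process:
    def __init__(self, name, state):
        self.name, self.state = name, state


class IsolationModule:
    """Virtual isolation module: a trusted process becomes controlled the moment it touches
    the secure disk, and a controlled process can no longer move plaintext out of it."""

    def __init__(self, agent):
        self.agent = agent

    def file_op(self, proc, op, path, data=b""):
        """Returns (decision, payload); payload is the data read, if any."""
        on_secure = path.startswith(SECURE_DISK)
        if proc.state == UNTRUSTED:
            if not on_secure:
                return ("allow", None)   # ordinary disks are outside the model
            # No agent for untrusted code: a read yields ciphertext, a write is refused.
            return ("raw", self.agent.disk.raw(path)) if op == "read" else ("deny", None)
        if on_secure and proc.state == TRUSTED:
            proc.state = CONTROLLED      # first contact with secure data flips the state
        if proc.state == CONTROLLED and op == "write" and not on_secure:
            return ("deny", None)        # plaintext may only land back on the secure disk
        if not on_secure:
            return ("allow", None)
        if op == "write":
            self.agent.write(path, data)
            return ("allow", None)
        return ("allow", self.agent.read(path))

    def network_send(self, proc, payload):
        """Controlled processes lose outbound network; others keep it."""
        return "deny" if proc.state == CONTROLLED else "allow"


def simulate():
    """Walk a trusted editor and an untrusted browser through the model; return decisions."""
    disk = SecureDisk()
    iso = IsolationModule(IOAgent(os.urandom(32), disk))   # constructed per-terminal key
    editor = Process("editor.exe", TRUSTED)
    browser = Process("browser.exe", UNTRUSTED)
    doc = SECURE_DISK + "notes.txt"
    r = {}
    r["net_before"] = iso.network_send(editor, b"status ok")               # → "allow"
    r["write"] = iso.file_op(editor, "write", doc, SECRET)[0]               # → "allow"
    r["state"] = editor.state                                               # → "controlled"
    r["read_back"] = iso.file_op(editor, "read", doc)[1]                    # → SECRET
    r["copy_out"] = iso.file_op(editor, "write", "C:/copy.txt", SECRET)[0]  # → "deny"
    r["net_after"] = iso.network_send(editor, SECRET)                       # → "deny"
    r["untrusted"] = iso.file_op(browser, "read", doc)                      # → ("raw", ciphertext)
    return r


if __name__ == "__main__":
    for key, value in simulate().items():
        print(key, value)
```

The point the simulation makes is the ordering in paragraph [0023]: the process is not confined in advance, it is confined at the instant it first reads secure data, after which its only legitimate output channel is the agent-encrypted secure disk. A real implementation would put `file_op` and `network_send` behind a filesystem filter driver and a network filter rather than Python method calls, and would use an authenticated cipher instead of the keystream shown here.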

Description

Technical field

[0001] The invention relates to the technical field of information security, in particular to a storage disk model related to the confidentiality of information and data in a computer.

Background technique

[0002] With the rapid development of computer and network technology, the information network has penetrated into all aspects of social life. Various important data in the information network are vulnerable to theft, tampering, deletion or corruption by viruses and Trojans during storage, transmission, use and destruction. Traditional data encryption and storage methods can ensure the security of data in the encrypted state, but there are still many risks and avenues of leakage while the data is decrypted and in use, such as theft by Trojans and viruses, and network and printing leaks. Generally speaking, the terminal is the carrier and tool for contacting and processing unit information. Therefore, in most enterprises and units, the t...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F12/14
Inventor 董霁楼陈锋鲍爱华谢庆芳王艳梅
Owner HUNAN LANTOSEC SCI & TECH