Title of invention: Protection of sensitive data from unauthorized access
Abstract: A method and associated computing system. Data received by a computing environment includes a mixture of non-sensitive data and sensitive data along with related metadata indicative of a sensitivity of the sensitive data. The computing system includes the computing environment. An operation is performed on the sensitive data in the computing environment by: (a) determining that the data used for the operation are sensitive data, (b) intercepting the operation on the sensitive data, and (c) registering newly created sensitive data, as a result of the operation, with metadata indicating one or more addresses of the sensitive data. An external access to the sensitive data in the computing environment is intercepted. A compliance firewall rule is applied to the sensitive data intended to leave the computing environment. The compliance firewall rule defines an action to be applied to the sensitive data such that the sensitive data are protected against unauthorized access.
Publication number: US9609025(B1) Publication date: 2017.03.28
Application number: US201514950002 Filing date: 2015.11.24
Applicant: International Business Machines Corporation Inventors: Betzler Boas; Chavan Vinod S.; Dressler Ingo; Karn Holger
Classification: G06F21/62;H04L29/06;H04L29/08 Main classification: G06F21/62
Agency: Schmeiser, Olsen & Watts, LLP Agent: Schmeiser, Olsen & Watts, LLP; Gooshaw Isaac
Main claim: 1. A method, said method comprising: receiving, by a first computing environment from a second computing environment via one or more processors of the first computing environment, data wherein the received data comprises a mixture of non-sensitive data and first sensitive data along with first metadata indicative of a sensitivity of the first sensitive data, and wherein the second computing environment is external to the first computing environment; receiving, by the one or more processors from the second computing environment, a request to perform an operation on the previously received first sensitive data; after said receiving the request to perform the operation, ascertaining, by the one or more processors by inspecting the first metadata, that the first sensitive data to be used for the operation are sensitive data; in response to said ascertaining, intercepting, by the one or more processors, the operation on the first sensitive data; after said intercepting the operation on the first sensitive data, performing, by the one or more processors, the operation on the first sensitive data, wherein said performing the operation on the first sensitive data creates second sensitive data resulting from said performing the operation on the first sensitive data; registering the created second sensitive data by storing one or more memory addresses of the second sensitive data in second metadata and storing the second metadata in a sensitive data register storage; and intercepting, by the one or more processors, an external access by the second computing environment of the second sensitive data in the first computing environment and in response, applying a compliance firewall rule to the second sensitive data intended to leave the first computing environment, wherein the compliance firewall rule defines an action to be applied to the second sensitive data such that the second sensitive data are protected against unauthorized access, wherein the first computing environment comprises a hypervisor, a virtual machine running on the hypervisor and comprising the sensitive data register storage, and a compliance gateway coupled to and external to the virtual machine and the hypervisor, and wherein the hypervisor, the virtual machine, and the compliance gateway are utilized in performance of said receiving the data, and wherein the method further comprises after said receiving the request: said compliance gateway intercepting the request; said compliance gateway inspecting the intercepted request, not finding sensitive data in the request from said inspecting the intercepted request, and forwarding the request directly to the virtual machine in response to said not finding sensitive data in the request; said virtual machine receiving the request from the compliance gateway and in response, said virtual machine initiating performance of the operation indicated in the request; and said hypervisor determining that the performance of the request requires the first sensitive data that is sensitive, and in response said hypervisor preventing the virtual machine from completing performance of the operation by performing said intercepting the operation.
Address: Armonk NY US
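
The flow described in the abstract and claim 1 (register sensitive data by address, register data derived from it, apply a rule when it is accessed externally), as an added Python sketch that is not part of the patent record. The class and method names, the toy address allocator and the "mask" and "block" rule actions are assumptions made for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Environment:
    """Toy model of the first computing environment; all names are assumptions."""
    memory: dict = field(default_factory=dict)    # address -> value
    register: dict = field(default_factory=dict)  # sensitive data register: address -> metadata
    rule: str = "mask"                            # assumed rule actions: "mask" or "block"
    next_addr: int = 0x1000

    def _alloc(self, value):
        addr, self.next_addr = self.next_addr, self.next_addr + 8
        self.memory[addr] = value
        return addr

    def receive(self, items):
        """Store (value, metadata) pairs; metadata of None marks non-sensitive data."""
        addrs = []
        for value, meta in items:
            addr = self._alloc(value)
            if meta is not None:
                self.register[addr] = dict(meta)
            addrs.append(addr)
        return addrs

    def operate(self, func, *addrs):
        """Intercepted operation: a result computed from registered data is registered too."""
        sources = [a for a in addrs if a in self.register]
        out = self._alloc(func(*(self.memory[a] for a in addrs)))
        if sources:
            self.register[out] = {"derived_from": sources}
        return out

    def external_read(self, addr):
        """Intercepted external access: apply the rule to registered addresses only."""
        if addr not in self.register:
            return self.memory[addr]
        if self.rule == "block":
            raise PermissionError(f"egress of {addr:#x} denied by compliance rule")
        return "*" * len(str(self.memory[addr]))

def demo():
    env = Environment()
    # Constructed sample input: one non-sensitive value, one sensitive value with metadata.
    name, ssn = env.receive([("Alice", None), ("123-45-6789", {"class": "PII"})])
    last4 = env.operate(lambda s: s[-4:], ssn)   # derived value inherits sensitivity
    return env.external_read(name), env.external_read(last4), last4 in env.register

if __name__ == "__main__":
    print(demo())
```

The derived value is protected even though it arrived with no metadata of its own, which is the point of registering results by address.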