CN104618313B - Security management system and method - Google Patents
Security management system and method
- Publication number: CN104618313B (application CN201310542729.7A)
- Authority: CN (China)
- Prior art keywords: subsystem, data processing, key information, desktop, processing subsystem
- Prior art date
- Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
Abstract
The invention discloses a security management system and method in the field of information security. The system comprises a desktop cloud subsystem and at least one data processing subsystem. The desktop cloud subsystem forwards the desktop image of a data processing subsystem to an office terminal, and the data processing subsystem receives the trigger signals generated when the office terminal operates on that desktop image. According to the trigger signals, the data processing subsystem performs the editing, storage, processing, upload and download of key information within itself or between different data processing subsystems, so that key information is confined to, and isolated within, the data processing subsystems. This solves the problem that existing security management solutions protect key information inadequately, and achieves isolation of key information so that it is fully protected without interfering with employees' normal work.
Description
Technical field
The present invention relates to the field of information security, and in particular to a security management system and method.
Background
Security management concerns enterprises, governments and nations alike; it is the management and control of the people, objects and environments involved in production. For example, suppose the planning and architecture department of a company is doing preliminary research on a new industry technology that could be widely applied within the next three to five years and is therefore a closely held secret of the company. A security management solution is then needed that applies strict security management to the personnel taking part in this preliminary research, to the associated equipment and to all data involved in the work.

Taking the research and development of such a new technology as the example, security management ultimately comes down to protecting all key information in the R&D process. Existing security management solutions are of two kinds: physical isolation and logical isolation. The first, physical isolation, achieves security management by setting up a separate physical area. For example, all employees developing the new technology are placed in a single hotel to work; cameras cover the whole hotel; employees entering and leaving the hotel pass through security gates and undergo strict inspection; and equipment may be taken out of the hotel only after an application has been made and the equipment has undergone security processing. The second, logical isolation, isolates key information by replicating a second set of data center equipment. Referring to Fig. 1, logical isolation requires a new set of data center equipment 10 to be replicated in addition to the original data center equipment 12, and a new set of network equipment 20 to be deployed and connected to the new data center equipment 10. The original data center equipment 12 is used by all employees of the company and holds no key information about the new technology; all key information about the new technology is stored in the new data center equipment 10. Employees developing the new technology access the new data center equipment 10 through the new network equipment 20 to carry out their R&D work, and key information is isolated in this way. Key information typically means source code, the version files (build outputs) produced by compiling the code, and important technical documents.

Both physical isolation and logical isolation protect key information inadequately. Under either solution, the employees developing the new technology interact directly with the equipment that stores the key information: they can download and store that information on their own computers, and can even copy it out on removable hard drives and the like. Once an employee has obtained the key information, the company can no longer apply strict security management to it.
Summary of the invention
To solve the problem that existing security management solutions protect key information inadequately and leave a security risk, embodiments of the invention provide a security management system and method. The technical scheme is as follows.

In a first aspect, a security management system is provided, comprising a desktop cloud subsystem and at least one data processing subsystem.

The desktop cloud subsystem is configured to forward the desktop image of the data processing subsystem to an office terminal, and to forward to the data processing subsystem the trigger signals generated when the office terminal operates on the desktop image.

The data processing subsystem is configured to provide the desktop image to the desktop cloud subsystem; to receive the trigger signals generated when the office terminal operates on the desktop image; and, according to the trigger signals, to perform at least one of the editing, storage, processing, upload and download of key information within the data processing subsystem or between different data processing subsystems.
In a first possible embodiment of the first aspect, the at least one data processing subsystem includes a data transfer subsystem.

The data transfer subsystem is configured to receive key information uploaded by a data processing subsystem that meets a first condition; to store the key information; and to provide the key information for download to a data processing subsystem that meets a second condition.
With reference to the first possible embodiment of the first aspect, in a second possible embodiment, the data transfer subsystem is configured to receive an upload request carrying a source IP address sent by a data processing subsystem; to detect whether the source IP address belongs to a predetermined upload domain; and, if it does, to determine that the data processing subsystem meets the first condition. Additionally or alternatively, it is configured to receive a download request carrying a destination IP address sent by a data processing subsystem; to detect whether the destination IP address belongs to a predetermined download domain; and, if it does, to determine that the data processing subsystem meets the second condition.
With reference to the first possible embodiment of the first aspect, in a third possible embodiment, the data transfer subsystem is configured to perform a security audit on the stored key information and, if the key information is found to be safe, to move it to a specified download directory from which the data processing subsystem meeting the second condition can download it.
With reference to the third possible embodiment of the first aspect, in a fourth possible embodiment, the data transfer subsystem is configured to perform at least one level of a three-level security scan on the stored key information according to preset scanning rules. The three levels are a file-suffix (extension) scan at the first level, a keyword scan at the second level and a special-identifier scan at the third level. When the scan passes, the key information is determined to be safe and a file security audit report is output.
With reference to the first, second, third or fourth possible embodiment of the first aspect, in a fifth possible embodiment, the data processing subsystem meeting the first condition includes a continuous integration subsystem.

The desktop cloud subsystem is further configured to log the office terminal in to the continuous integration subsystem.

The continuous integration subsystem is configured, after login, to forward its desktop image to the office terminal through the desktop cloud subsystem; to receive the trigger signals, forwarded by the desktop cloud subsystem, that the office terminal generates by operating on the desktop image; and, according to the trigger signals, to edit and compile code and build version files.
With reference to the first, second, third or fourth possible embodiment of the first aspect, in a sixth possible embodiment, the data processing subsystem meeting the first condition includes a simulation cloud subsystem.

The desktop cloud subsystem is further configured to log the office terminal in to the simulation cloud subsystem.

The simulation cloud subsystem is configured, after login, to forward its desktop image to the office terminal through the desktop cloud subsystem; to receive the trigger signals, forwarded by the desktop cloud subsystem, that the office terminal generates by operating on the desktop image; and, according to the trigger signals, to edit, compile and simulate code and build version files.
With reference to the first, second, third or fourth possible embodiment of the first aspect, in a seventh possible embodiment, the data processing subsystem meeting the second condition includes a laboratory subsystem, which comprises a laboratory login subsystem, at least one laboratory terminal and a debugging device connected to the laboratory terminal.

The desktop cloud subsystem is further configured to send to the laboratory login subsystem an experiment login request, triggered by the office terminal, that carries the IP address of the laboratory terminal.

The laboratory login subsystem is configured to receive, via the desktop cloud subsystem, the experiment login request sent by the office terminal that carries the IP address of the laboratory terminal; to establish a connection between the laboratory terminal and the office terminal using a gateway proxy protocol according to that IP address; and to obtain the desktop image of the laboratory terminal and send it to the office terminal through the desktop cloud subsystem.

The laboratory terminal is configured to receive the trigger signals, forwarded by the desktop cloud subsystem, that the office terminal generates by operating on the desktop image, and to debug the version file on the debugging device according to the trigger signals.
With reference to the seventh possible embodiment of the first aspect, in an eighth possible embodiment, the laboratory login subsystem is configured to obtain the image stream and the data stream of the laboratory terminal, convert them into a desktop image that contains only the image stream, and send that desktop image to the office terminal through the desktop cloud subsystem.
With reference to the first, second, third or fourth possible embodiment of the first aspect, in a ninth possible embodiment, the desktop cloud subsystem is configured to receive a desktop cloud login request, sent by the office terminal, that carries the IP address of the office terminal; to detect whether that IP address meets a predetermined condition; and, if it does, to establish a connection between the office terminal and the desktop cloud subsystem.
With reference to the first, second, third or fourth possible embodiment of the first aspect, in a tenth possible embodiment, the data processing subsystem meeting the second condition includes a public service subsystem.

The desktop cloud subsystem is further configured to log the office terminal in to the public service subsystem by proxy.

The public service subsystem is configured, after login, to forward the desktop image of the public service to the office terminal through the desktop cloud subsystem; to receive the trigger signals, forwarded by the desktop cloud subsystem, that the office terminal generates by operating on the desktop image; and to perform the public service according to the trigger signals.

The public service includes at least one of a mail service, a file management service, an SVN version control service, an Active Directory (AD) domain authentication service, a Domain Name System (DNS) service and an anti-virus service.
In a second aspect, a security management method is provided, comprising: forwarding the desktop image of a data processing subsystem to an office terminal; and forwarding to the data processing subsystem the trigger signals generated when the office terminal operates on the desktop image, the trigger signals being used to trigger the data processing subsystem to perform at least one of the editing, storage, processing, upload and download of key information within the data processing subsystem or between different data processing subsystems.
In a first possible embodiment of the second aspect, before forwarding the desktop image of the data processing subsystem to the office terminal, the method further comprises: receiving a desktop cloud login request, sent by the office terminal, that carries the IP address of the office terminal; detecting whether that IP address meets a predetermined condition; if it does, establishing a connection between the office terminal and the local end; and logging the office terminal in to the data processing subsystem.
In a third aspect, a security management method is provided, comprising: providing a desktop image to a desktop cloud subsystem, the desktop image being forwarded by the desktop cloud subsystem to an office terminal; receiving the trigger signals, forwarded by the desktop cloud subsystem, that the office terminal generates by operating on the desktop image; and, according to the trigger signals, performing at least one of the editing, storage, processing, upload and download of key information within the data processing subsystem or between different data processing subsystems.
In a first possible embodiment of the third aspect, when the method is applied to a data transfer subsystem, performing at least one of the editing, storage, processing, upload and download of key information within the data processing subsystem or between different data processing subsystems according to the trigger signals comprises: receiving key information uploaded by a data processing subsystem meeting a first condition; storing the key information; and providing the key information for download to a data processing subsystem meeting a second condition.
With reference to the first possible embodiment of the third aspect, in a second possible embodiment of the third aspect, before receiving the key information uploaded by the data processing subsystem meeting the first condition, the method further comprises: receiving an upload request carrying a source IP address sent by a data processing subsystem; detecting whether the source IP address belongs to a predetermined upload domain; and, if it does, determining that the data processing subsystem meets the first condition.
With reference to the first possible embodiment of the third aspect, in a third possible embodiment of the third aspect, before providing the key information for download to the data processing subsystem meeting the second condition, the method further comprises: receiving a download request carrying a destination IP address sent by a data processing subsystem; detecting whether the destination IP address belongs to a predetermined download domain; and, if it does, determining that the data processing subsystem meets the second condition.
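The upload-domain and download-domain checks above, together with the desktop cloud login check on the office terminal's IP address, are all the same shape: a default-deny admission decision based on whether an observed address falls inside a predetermined address range. The following is an added example written for this page, not code from the patent; the address ranges, request kinds and sample requests are constructed assumptions, since the patent names none.

```python
"""Added example, not code from the patent: admission checks for the
data transfer subsystem (rendered "number passes subsystem" by the
machine translation).  An upload is accepted only if the request's
source IP lies in the predetermined upload domain (the "first
condition"); a download is served only if the destination IP lies in
the predetermined download domain (the "second condition").  The
desktop cloud login check on office-terminal IP addresses has the same
shape and is included.  Every address range and request below is
constructed for illustration."""
import ipaddress
from typing import Iterable, List, Tuple

# Hypothetical address plan (an assumption; the patent names no ranges).
UPLOAD_DOMAIN = ["10.10.1.0/24",     # continuous integration subsystem
                 "10.10.2.0/24"]     # simulation cloud subsystem
DOWNLOAD_DOMAIN = ["10.20.1.0/24",   # laboratory subsystem
                   "10.20.2.0/24"]   # public service subsystem
OFFICE_DOMAIN = ["192.168.50.0/24"]  # office terminals allowed to reach the desktop cloud


def parse_domain(cidrs: Iterable[str]):
    """Turn CIDR strings into network objects once, at policy load time."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def in_domain(ip: str, domain) -> bool:
    """True if ip parses and falls inside one of the domain's networks.
    A malformed or empty address never satisfies a condition."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in domain)


# One predicate per condition in the patent text.
POLICY = {
    "upload":        parse_domain(UPLOAD_DOMAIN),    # first condition: source IP
    "download":      parse_domain(DOWNLOAD_DOMAIN),  # second condition: destination IP
    "desktop_login": parse_domain(OFFICE_DOMAIN),    # desktop cloud login: office terminal IP
}


def admit(kind: str, ip: str) -> bool:
    """Default-deny admission decision.  `ip` must be the address the
    subsystem itself observed on the connection, not one supplied by
    the client in a header, or the check is trivially bypassed."""
    domain = POLICY.get(kind)
    if domain is None:
        return False          # unknown request type: deny
    return in_domain(ip, domain)


def process(requests: Iterable[Tuple[str, str]]) -> List[str]:
    """Apply the policy to (kind, ip) pairs and return one audit line each."""
    lines = []
    for kind, ip in requests:
        verdict = "accept" if admit(kind, ip) else "reject"
        lines.append(f"{kind} from {ip}: {verdict}")
    return lines


# Constructed sample traffic: a CI upload, an office terminal trying to
# upload directly (bypassing the data processing subsystems), a lab
# download, a CI host trying to download, a desktop cloud login, and a
# request with a garbage address.
SAMPLE_REQUESTS = [
    ("upload", "10.10.1.7"),
    ("upload", "192.168.50.9"),
    ("download", "10.20.2.3"),
    ("download", "10.10.1.7"),
    ("desktop_login", "192.168.50.9"),
    ("upload", "not-an-ip"),
]

if __name__ == "__main__":
    print("\n".join(process(SAMPLE_REQUESTS)))
```

The check is only as strong as the network's control over source addresses: it must be evaluated on the peer address the data transfer subsystem itself sees, and the upload and download domains must be routable only from the subsystems they are meant to admit, otherwise an office terminal that can reach the data transfer subsystem directly would defeat the isolation the patent describes.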
With reference to the first possible embodiment of the third aspect, in a fourth possible embodiment of the third aspect, after storing the key information the method further comprises performing a security audit on the stored key information; and providing the key information for download to the data processing subsystem meeting the second condition comprises: if the key information is safe, moving it to a specified download directory from which the data processing subsystem meeting the second condition downloads it.
With reference to the second possible embodiment of the third aspect, in a fifth possible embodiment of the third aspect, performing a security audit on the stored key information comprises: performing at least one level of a three-level security scan on the stored key information according to preset scanning rules, the three levels being a file-suffix scan at the first level, a keyword scan at the second level and a special-identifier scan at the third level; and, when the scan passes, determining that the key information is safe and outputting a file security audit report.
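The three-level security audit and the release of audited files to the specified download directory, as an added example written for this page rather than code from the patent. The blocked suffixes, keywords, the project-code identifier pattern, the file names and the staging/download layout are all constructed assumptions; the patent fixes none of them.

```python
"""Added example, not code from the patent: the three-level security
audit the data transfer subsystem applies to stored key information
before releasing it for download.  Level 1 checks the file suffix,
level 2 scans the content for keywords, level 3 scans for special
identifiers.  A file that passes every level is moved from the staging
store to the specified download directory and an audit report entry is
produced; a failing file stays in staging.  The rules and files below
are constructed assumptions; the patent specifies none of them."""
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# Hypothetical preset scanning rules (assumption).
RULES = {
    # Level 1: suffixes that must never leave the R&D subsystems.
    "blocked_suffixes": {".exe", ".dll", ".so", ".bin", ".pem", ".key"},
    # Level 2: classification markings that indicate restricted content.
    "keywords": ["TOP SECRET", "CONFIDENTIAL", "INTERNAL ONLY"],
    # Level 3: special identifiers, here a constructed project-code pattern.
    "special_identifiers": [re.compile(r"\bPRJ-[A-Z]{2}-\d{4}\b")],
}


def scan_suffix(path: Path, rules: Dict) -> List[str]:
    """Level 1: report a blocked suffix (compared case-insensitively)."""
    if path.suffix.lower() in rules["blocked_suffixes"]:
        return [f"level1: blocked suffix {path.suffix}"]
    return []


def scan_keywords(text: str, rules: Dict) -> List[str]:
    """Level 2: report every configured keyword present in the text."""
    upper = text.upper()
    return [f"level2: keyword {k!r}" for k in rules["keywords"] if k.upper() in upper]


def scan_identifiers(text: str, rules: Dict) -> List[str]:
    """Level 3: report every special identifier matched by the patterns."""
    return [f"level3: identifier {m.group(0)}"
            for pat in rules["special_identifiers"] for m in pat.finditer(text)]


def audit_file(path: Path, rules: Dict) -> Dict:
    """Run all three levels and return one audit report entry."""
    findings = scan_suffix(path, rules)
    # Decode leniently: binary content still gets levels 2 and 3 applied
    # to whatever text it contains, rather than being skipped.
    text = path.read_bytes().decode("utf-8", errors="replace")
    findings += scan_keywords(text, rules)
    findings += scan_identifiers(text, rules)
    return {"file": path.name, "safe": not findings, "findings": findings}


def release(staging: Path, download_dir: Path, rules: Dict) -> List[Dict]:
    """Audit every staged file; move only the safe ones to the download directory."""
    reports = []
    for path in sorted(p for p in staging.iterdir() if p.is_file()):
        report = audit_file(path, rules)
        if report["safe"]:
            shutil.move(str(path), str(download_dir / path.name))
        reports.append(report)
    return reports


def demo():
    """Build a constructed staging area, run the audit, and return
    (reports, files released, files still held)."""
    root = Path(tempfile.mkdtemp(prefix="keyinfo-"))
    staging, download = root / "staging", root / "download"
    staging.mkdir()
    download.mkdir()
    (staging / "release_notes.txt").write_text("Build 1.2.3 fixes the login timeout.\n")
    (staging / "design.md").write_text("CONFIDENTIAL: radio architecture for PRJ-NT-0042\n")
    (staging / "tool.exe").write_bytes(b"MZ\x90\x00" + b"\x00" * 16)
    reports = release(staging, download, RULES)
    released = sorted(p.name for p in download.iterdir())
    held = sorted(p.name for p in staging.iterdir())
    return reports, released, held


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

Two points a practitioner would want alongside this. The file is moved into the download directory only after all levels have run, so the directory the second-condition subsystems can read never holds an unaudited file. And keyword and identifier scans are advisory: compressed, encrypted or otherwise encoded content passes them untouched, which is why the patent pairs the audit with network-level confinement rather than relying on the scan alone.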
With reference to the third aspect, in a sixth possible embodiment of the third aspect, when the method is applied to a laboratory subsystem comprising a laboratory login subsystem and at least one debugging device, providing the desktop image to the desktop cloud subsystem for forwarding to the office terminal comprises: obtaining, by the laboratory login subsystem, the image stream and the data stream of the debugging device; converting, by the laboratory login subsystem, the image stream and the data stream of the laboratory terminal into a desktop image that contains only the image stream; and sending, by the laboratory login subsystem, that desktop image to the office terminal through the desktop cloud subsystem.
The technical scheme provided by the embodiments of the invention has the following beneficial effects. The desktop cloud subsystem forwards the desktop image of a data processing subsystem to the office terminal, and the data processing subsystem receives the trigger signals generated when the office terminal operates on the desktop image. According to those trigger signals, the data processing subsystem performs the editing, storage, processing, upload and download of key information within itself or between different data processing subsystems, so that key information never leaves the data processing subsystems. Through the office terminal an employee can only view the desktop image of a data processing subsystem and cannot copy, download or store key information onto the office terminal; key information is thus isolated within and between the data processing subsystems. This solves the inadequate protection and security risk of existing security management solutions: key information is isolated and fully protected, and the risk is removed, without interfering with employees' normal work.
Brief description of the drawings
To explain the technical scheme of the embodiments more clearly, the drawings needed for describing the embodiments are briefly introduced below. Obviously, the drawings described below show only some embodiments of the invention, and a person of ordinary skill in the art can derive other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of an existing security management solution;
Fig. 2 is a block diagram of a security management system provided by one embodiment of the invention;
Fig. 3 is a block diagram of a security management system provided by another embodiment of the invention;
Fig. 4 is a block diagram of a security management system provided by yet another embodiment of the invention;
Fig. 5 is a block diagram of a security management system provided by a further embodiment of the invention;
Fig. 6 is a flowchart of a security management method provided by one embodiment of the invention;
Fig. 7 is a flowchart of a security management method provided by another embodiment of the invention;
Fig. 8 is a flowchart of a security management method provided by another embodiment of the invention;
Fig. 9 is a flowchart of a security management method provided by another embodiment of the invention;
Fig. 10 is a flowchart of a security management method provided by another embodiment of the invention.
Detailed description
To make the objects, technical solutions and advantages of the invention clearer, the embodiments of the invention are described in further detail below with reference to the drawings.

The inventors found that existing security management solutions all protect key information inadequately. The root cause is that employees interact directly with the equipment that stores the key information: they can download and store it on their own computers, and can even copy it to their own devices using removable hard drives, USB flash drives and the like. Once an employee has obtained the key information, the company can no longer apply strict security management to it. The invention confines all key information to a data center, comprising at least one data processing subsystem, whose security is very strictly controlled. At work, an employee can only connect, through the desktop cloud subsystem, to the data processing subsystem that stores the key information, and therefore cannot copy, download or store the key information onto his or her own computer. This provides a security management solution that protects key information at its source. Several specific embodiments are described in detail below.
Referring to Fig. 2, which shows a block diagram of the security management system provided by one embodiment of the invention, the security management system 200 comprises a desktop cloud subsystem 210 and at least one data processing subsystem 220.

Desktop cloud subsystem 210 is configured to forward the desktop image of a data processing subsystem to office terminal 100, and to forward to data processing subsystem 220 the trigger signals generated when office terminal 100 operates on the desktop image.

Data processing subsystem 220 is configured to provide its desktop image to desktop cloud subsystem 210; to receive the trigger signals generated when office terminal 100 operates on the desktop image; and, according to the trigger signals, to perform at least one of the editing, storage, processing, upload and download of key information within data processing subsystem 220 or between different data processing subsystems 220.
In summary, in the security management system provided by this embodiment, the desktop cloud subsystem forwards the desktop image of a data processing subsystem to the office terminal, and the data processing subsystem receives the trigger signals generated when the office terminal operates on the desktop image. According to those trigger signals, the data processing subsystem performs the editing, storage, processing, upload and download of key information within itself or between different data processing subsystems, so that key information stays within and between the data processing subsystems. Through the office terminal an employee can only view the desktop image of a data processing subsystem and cannot copy, download or store key information onto the office terminal; key information is therefore isolated within and between the data processing subsystems. This solves the inadequate protection and security risk of existing security management solutions: key information is isolated and fully protected, and the risk is removed, without interfering with employees' normal work.
It should be added that key information differs between implementation environments. In a project R&D environment, key information may include code, version files, debugging data and important technical documents; in an automotive R&D environment, it may be vehicle design drawings and parameters; in a patent agency environment, it may include patent files and client data; in a government office environment, it may include policies and regulations, internal decision-making data and confidential personnel information. Handling key information includes at least one of editing, storage, processing, upload and download, where editing means operations such as writing, modifying, deleting and compiling; storage means saving; and processing means operations such as copying, pasting, debugging and simulation. Depending on the kind of handling required, different data processing subsystems can each implement at least one of the editing, storage, processing, upload and download of key information. In other words, the number of data processing subsystems can differ between scenarios, and each data processing subsystem can implement one or several functions for key information, depending on the specific implementation.
For ease of description, a project R&D environment is taken as the main example here. In this environment, key information includes code, the version files produced by compiling the code, and important technical documents. The data processing subsystems may include all or some of: a continuous integration subsystem for compiling code; a simulation cloud subsystem for simulating version files; a data transfer subsystem for transferring key information between different data processing subsystems; a laboratory subsystem for debugging version files; and a public service subsystem for providing public services. The continuous integration subsystem, simulation cloud subsystem, data transfer subsystem, laboratory subsystem and public service subsystem are each independent data processing subsystems and can be connected to one another over a wired or wireless network.
As described above, two aspects are required in order to isolate key information from the office terminal. First, key information must be edited, stored and processed only inside the data processing subsystems; second, key information must be uploaded and downloaded only between data processing subsystems. The first aspect is described in detail using the following embodiment.
Referring to Fig. 3, which shows a block diagram of a safety management system provided by another embodiment of the present invention, the safety management system 200 includes a desktop cloud subsystem 210 and a laboratory subsystem 250.
It is assumed that the safety management system provided by this embodiment is applied in a project development environment, and the description mainly concerns debugging a version file on a debugging device and viewing the debugging process.
The office terminal 100 is a terminal used by research and development staff, such as a desktop computer or a notebook. The office terminal 100 is configured to send a desktop cloud login request to the desktop cloud subsystem 210, the request carrying the IP address of the office terminal 100.
The desktop cloud subsystem 210 is configured to receive the desktop cloud login request sent by the office terminal 100 carrying the IP address of the office terminal 100. A desktop cloud login request is a request by the office terminal 100 to establish a connection with the desktop cloud subsystem 210. To verify the identity of the office terminal, the desktop cloud subsystem 210 is further configured to detect whether the IP address of the office terminal 100 meets a predetermined condition and, if the detection result is that it does, to establish the connection between the office terminal 100 and the desktop cloud subsystem 210.
Specifically, the desktop cloud subsystem 210 includes a desktop cloud access gateway device and a virtual machine resource pool (not shown in the figure), wherein:
The desktop cloud access gateway device is configured to receive the desktop cloud login request sent by the office terminal 100 carrying its IP address. After receiving the IP address of the office terminal 100, the gateway device is further configured to detect whether that IP address meets the predetermined condition and, if the detection result is that it does, to forward the desktop cloud login request to the virtual machine resource pool.
The virtual machine resource pool is configured to receive the desktop cloud login request and, after receiving it, to assign an idle virtual machine to establish a connection with the office terminal 100. The connection between the office terminal 100 and the virtual machine usually uses the ICA (Independent Computing Architecture) protocol.
When the office terminal 100 has established a connection with a virtual machine, the office terminal 100 has established a connection with the desktop cloud subsystem 210.
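The admission flow of the desktop cloud access gateway and virtual machine resource pool described above, as an added Python example that is not part of the patent. The patent does not say what the "predetermined condition" on the office terminal's IP address is; the example assumes it is membership in an allow-listed set of office networks, and the network ranges, virtual machine names and request format are all constructed for the example.

```python
"""Added example (not from the patent): admission logic for the desktop cloud
access gateway.  A login request carrying the office terminal's IP address is
checked against the predetermined condition (assumed here to be membership in
allow-listed office networks) and only then handed to the virtual machine
resource pool, which assigns an idle virtual machine.  Rejections are logged.
"""
import ipaddress
import logging
from dataclasses import dataclass, field

log = logging.getLogger("desktop_cloud_gateway")

# Hypothetical office-network ranges that satisfy the "predetermined condition".
PREDETERMINED_OFFICE_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]


def ip_meets_predetermined_condition(ip_text: str) -> bool:
    """Return True only for a syntactically valid IP inside an allowed network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # malformed addresses never satisfy the condition
    return any(ip in net for net in PREDETERMINED_OFFICE_NETWORKS)


@dataclass
class VirtualMachineResourcePool:
    """Tracks which virtual machines are idle and which terminal holds each."""
    idle: list = field(default_factory=lambda: ["vm-01", "vm-02"])
    assigned: dict = field(default_factory=dict)  # vm name -> terminal IP

    def connect(self, terminal_ip: str):
        """Assign an idle VM to the terminal; None if the pool is exhausted."""
        if not self.idle:
            return None
        vm = self.idle.pop(0)
        self.assigned[vm] = terminal_ip
        return vm

    def release(self, vm: str) -> None:
        """Return a virtual machine to the idle list when the session ends."""
        self.assigned.pop(vm, None)
        self.idle.append(vm)


@dataclass
class DesktopCloudAccessGateway:
    pool: VirtualMachineResourcePool

    def handle_login_request(self, request: dict):
        """Process {"terminal_ip": ...}; return the assigned VM name or None.

        The IP check runs before the request reaches the resource pool, so a
        terminal outside the office ranges never consumes a virtual machine.
        """
        terminal_ip = str(request.get("terminal_ip", ""))
        if not ip_meets_predetermined_condition(terminal_ip):
            log.warning("desktop cloud login rejected: %r not in office ranges", terminal_ip)
            return None
        vm = self.pool.connect(terminal_ip)
        if vm is None:
            log.warning("desktop cloud login deferred: no idle virtual machine")
        return vm


def demo():
    """Constructed requests: one in-range terminal, one foreign address, one malformed."""
    gateway = DesktopCloudAccessGateway(VirtualMachineResourcePool())
    return [
        gateway.handle_login_request({"terminal_ip": "10.20.3.44"}),
        gateway.handle_login_request({"terminal_ip": "203.0.113.9"}),
        gateway.handle_login_request({"terminal_ip": "not-an-ip"}),
    ]  # ['vm-01', None, None]


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO)
    print(demo())
```

The ordering matters for the defender: the address check is a cheap gate placed in front of the expensive resource (the virtual machine), and every rejected request leaves a log line that can be fed to the same audit trail the data transfer subsystem keeps.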
The laboratory subsystem 250 includes at least one experimental terminal 251, a debugging device 252 connected to the experimental terminal 251, and a laboratory login subsystem 253.
The desktop cloud subsystem 210 is further configured to log the office terminal 100 on to the laboratory subsystem 250. That is, when the office terminal 100 needs to use an experimental terminal 251 in the laboratory subsystem 250 to debug a version file, it triggers, on the desktop cloud subsystem 210, an experiment login request carrying the IP address of that experimental terminal 251.
The desktop cloud subsystem 210 is further configured to send the experiment login request triggered by the office terminal 100, carrying the IP address of the experimental terminal 251, to the laboratory login subsystem 253.
An experiment login request is a request by the office terminal 100 to log in to the laboratory login subsystem 253 through the desktop cloud subsystem 210; only after logging in to the laboratory login subsystem 253 can the desktop image of an experimental terminal 251 in the laboratory subsystem 250 be viewed. The request carries the IP address of the experimental terminal 251, which tells the laboratory login subsystem 253 which experimental terminal's desktop image is to be viewed.
The laboratory login subsystem 253 includes a request access module 253a, a gateway proxy module 253b and an image processing module 253c.
The request access module 253a is configured to receive the experiment login request, carrying the IP address of the experimental terminal 251, that the office terminal 100 sends through the desktop cloud subsystem 210.
The gateway proxy module 253b is configured to establish a connection, using a gateway proxy protocol, between the experimental terminal 251 identified by that IP address and the office terminal 100.
The image processing module 253c is configured to obtain the desktop image of the experimental terminal 251 and send it to the office terminal 100 through the desktop cloud subsystem 210.
Specifically, the image processing module 253c is configured to obtain the image and data streams of the experimental terminal 251, convert them into a desktop image that contains only the image stream, and send that desktop image to the office terminal 100 through the desktop cloud subsystem 210.
The experimental terminal 251 records the debugging process of the debugging device 252 connected to it, and the image processing module 253c of the laboratory login subsystem 253 obtains the image and data streams of that debugging process from the experimental terminal 251. The image processing module 253c may be configured with Microsoft TS-Gateway (a terminal services gateway); when the gateway policy is configured in advance, clipboard and drive mapping are forbidden, so that the data stream is stripped out of the combined image and data streams. Once the policy is configured, the image and data streams passing through the image processing module 253c are all converted into a desktop image that contains only the image stream. Finally, the image processing module 253c sends the desktop image of the experimental terminal 251 to the office terminal 100 through the desktop cloud subsystem 210.
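An added Python example, not code from the patent, that models the "image stream only" policy the image processing module 253c enforces through its gateway. It takes a remote desktop session's redirection settings in the name:type:value syntax of Windows .rdp connection files (the setting names are real .rdp settings; the sample profile, host name and report format are constructed), reports every setting that would open a data channel beside the display stream, and returns a hardened profile with clipboard, drive, printer and COM-port redirection closed. Which gateway product or policy store enforces this is an assumption of the example.

```python
"""Added example (not from the patent): enforce an image-only session profile.

Input is a remote desktop profile in .rdp key syntax; output is the hardened
profile plus the list of settings that would have carried data, not images.
"""
from typing import Dict, List, Tuple

# Real .rdp setting names that open a data channel alongside the display.
# Value "0" means redirection off; "drivestoredirect" is a string list, and an
# empty string means no drive is mapped.
DATA_CHANNEL_SETTINGS = {
    "redirectclipboard": "0",
    "redirectdrives": "0",
    "drivestoredirect": "",
    "redirectprinters": "0",
    "redirectcomports": "0",
}


def parse_rdp_profile(text: str) -> Dict[str, Tuple[str, str]]:
    """Parse 'name:type:value' lines into {name: (type, value)}.

    Blank lines and lines without two separators are ignored; the value part
    may itself contain ':' (e.g. host:port), hence the bounded split.
    """
    profile: Dict[str, Tuple[str, str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.count(":") < 2:
            continue
        name, typ, value = line.split(":", 2)
        profile[name.lower()] = (typ, value)
    return profile


def render_rdp_profile(profile: Dict[str, Tuple[str, str]]) -> str:
    """Serialise back to .rdp syntax, sorted so output is stable."""
    return "\n".join(f"{n}:{t}:{v}" for n, (t, v) in sorted(profile.items()))


def enforce_image_only(profile: Dict[str, Tuple[str, str]]):
    """Return (hardened_profile, violations).

    A violation is any data-channel setting whose value is not the closed
    value.  Absent settings count too: the client treats a missing
    redirectclipboard as enabled, so the hardened profile sets it explicitly.
    """
    hardened = dict(profile)
    violations: List[str] = []
    for name, closed in DATA_CHANNEL_SETTINGS.items():
        typ = "s" if name == "drivestoredirect" else "i"
        current = profile.get(name)
        if current is None or current[1] != closed:
            shown = "<absent>" if current is None else current[1]
            violations.append(f"{name}={shown}")
            hardened[name] = (typ, closed)
    return hardened, violations


# Constructed sample: a profile that maps the clipboard and the C: drive.
SAMPLE_PROFILE = """
full address:s:lab-terminal-251.example.internal:3389
screen mode id:i:2
redirectclipboard:i:1
redirectdrives:i:1
drivestoredirect:s:C:
redirectprinters:i:0
"""


def harden_sample():
    """Run the check on the constructed profile; return (rendered, violations)."""
    hardened, violations = enforce_image_only(parse_rdp_profile(SAMPLE_PROFILE))
    return render_rdp_profile(hardened), violations


if __name__ == "__main__":
    rendered, found = harden_sample()
    print("violations:", found)
    print(rendered)
```

Running the hardened output through the check again yields no violations, which is the property a gateway-side policy should have: a profile the office terminal supplies is never trusted to state its own redirection settings, the module rewrites them before the session is brokered.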
The office terminal 100 is further configured, after displaying the desktop image of the experimental terminal 251, to send to the desktop cloud subsystem 210 the trigger signals generated by operating on the desktop image. After the desktop cloud subsystem 210 sends the trigger signals generated by the office terminal 100 operating on the desktop image to the experimental terminal 251 through the laboratory login subsystem 253, the experimental terminal 251 completes the debugging of the version file on the debugging device 252 according to the trigger signals.
It should be noted that the above embodiment is only an illustration in which an employee completes debugging work using the office terminal 100, with the desktop cloud subsystem 210 forwarding the trigger signals generated by operating on the desktop image of the experimental terminal 251. An employee may also debug the debugging device 252 directly from the experimental terminal 251, but the experimental terminal 251 supports only viewing the debugging process and inputting trigger signals for debugging instructions; it does not support copying or downloading data streams from the experimental terminal 251.
It should also be noted that a protocol conversion module may be provided in the laboratory login subsystem 253, so that the HTTPS (Hypertext Transfer Protocol Secure) protocol is used for information transfer with the desktop cloud subsystem 210, improving the security of the transfer. When the image and data streams of the experimental terminal 251 are processed, the protocol conversion module converts HTTPS to the RDP (Remote Desktop Protocol) protocol to carry out that processing.
In summary, in the safety management system provided by this embodiment, the desktop cloud subsystem forwards the desktop image of a data processing subsystem to the office terminal, and the data processing subsystem receives the trigger signals generated by the office terminal operating on that desktop image. According to the trigger signals, the data processing subsystem completes the editing, storage, processing, uploading and downloading of key information inside itself or between different data processing subsystems, so that the range of activity of key information is confined to the inside of, or transfer between, data processing subsystems. An employee can only view the desktop image of a data processing subsystem from the office terminal and cannot copy, download or store key information onto the office terminal, so key information is isolated inside the data processing subsystems or between them. This solves the problem that existing security management solutions protect key information inadequately and leave potential safety hazards, and achieves the effect of isolating key information and eliminating those hazards without affecting the normal office work of employees at all.
The safety management system provided by this embodiment has also been described in detail and illustrated by a specific example of an employee debugging a debugging device and viewing the debugging process in a project development environment. The laboratory login subsystem involved is an important component for isolating key information throughout the research and development process: its image processing module is responsible for transmitting only the image stream, so that the employee can only view the desktop image of the experimental terminal through the office terminal and cannot copy or download data streams from the experimental terminal. The safety management system provided by this embodiment thus fully ensures the feasibility and tightness of the security management solution.
Next, the second aspect is described in detail using the following embodiment.
Referring to Fig. 4, which shows a block diagram of a safety management system provided by yet another embodiment of the present invention, the safety management system includes a desktop cloud subsystem 210, a data processing subsystem 221 that satisfies a first condition, a data processing subsystem 222 that satisfies a second condition, and a data transfer subsystem 230.
The desktop cloud subsystem 210 is configured to receive the desktop cloud login request sent by the office terminal 100 carrying its IP address, detect whether the IP address of the office terminal 100 meets a predetermined condition and, if the detection result is that it does, establish the connection between the office terminal 100 and the desktop cloud subsystem 210.
The process by which the office terminal 100 establishes a connection with the desktop cloud subsystem 210 was described in detail in the embodiment shown in Fig. 3 and is not repeated here.
This embodiment illustrates the uploading and downloading of key information between different data processing subsystems.
The desktop cloud subsystem 210 is used to log the office terminal 100 on to a data processing subsystem, such as the data processing subsystem 221 satisfying the first condition, the data processing subsystem 222 satisfying the second condition, or the data transfer subsystem 230. Specifically, after establishing a connection with the desktop cloud subsystem 210, the office terminal 100 triggers on it a login request for the data processing subsystem 221 satisfying the first condition; the desktop cloud subsystem 210 forwards the login request to the data processing subsystem 221; on receiving it, the data processing subsystem 221 verifies the login of the office terminal 100 and provides its desktop image to the office terminal 100 through the desktop cloud subsystem 210. Thereafter, according to the trigger signals generated when the office terminal 100 operates on the desktop image, the data processing subsystem 221 generates an upload request and performs the upload operation, the upload request carrying the IP address of the data processing subsystem 221.
Likewise, after establishing a connection with the desktop cloud subsystem 210, the office terminal 100 triggers on it a login request for the data processing subsystem 222 satisfying the second condition; the desktop cloud subsystem 210 forwards the login request to the data processing subsystem 222; on receiving it, the data processing subsystem 222 verifies the login of the office terminal 100 and provides its desktop image to the office terminal 100 through the desktop cloud subsystem 210. Thereafter, according to the trigger signals generated when the office terminal 100 operates on the desktop image, the data processing subsystem 222 generates a download request and performs the download operation, the download request carrying the IP address of the data processing subsystem 222.
The data transfer subsystem 230 includes an upload detection module 230a, an upload storage module 230b, a security audit module 230c, a download detection module 230d and a download provision module 230e.
The upload detection module 230a is configured to receive an upload request, carrying a source IP address, sent by a data processing subsystem; detect whether the source IP address belongs to a predetermined upload domain; and, if the detection result is that it does, determine that the data processing subsystem satisfies the first condition.
The data transfer subsystem 230 classifies the IP addresses of the data processing subsystems in advance to obtain a predetermined upload domain and a predetermined download domain. The classification may be based on the physical address at which the specific equipment of each data processing subsystem is located; equipment at different physical addresses has different IP addresses. The predetermined upload domain is the range of IP addresses whose data processing subsystems are allowed to upload key information to the data transfer subsystem 230; correspondingly, the predetermined download domain is the range of IP addresses whose data processing subsystems are allowed to download key information from the data transfer subsystem 230.
The upload storage module 230b is configured to receive the key information uploaded by the data processing subsystem 221 satisfying the first condition and store it.
A data processing subsystem 221 satisfies the first condition when its IP address belongs to the predetermined upload domain. The upload storage module 230b of the data transfer subsystem 230 allows such a subsystem to upload key information and, on receiving it, stores it in a specified upload folder. The specified upload folder may be an upload folder corresponding to that IP address, created in advance when the IP address was classified into the predetermined upload domain.
The security audit module 230c is configured to perform a security audit of the stored key information and, if the key information is safe, move it to a specified download directory for download by the data processing subsystem satisfying the second condition.
The security audit may be a security scan of the stored key information according to preset scanning rules. The preset scanning rules may be at least one level of a three-level security scan, in which the first level is a file suffix scan, the second level is a keyword scan and the third level is a special identifier scan. The scanning rules may be pre-configured, or may be configured by an employee before scanning according to actual business needs. When the scan passes, the key information is determined to be safe and a file security audit report is output. The file security audit report is used for background auditing; key information may be classified, retrieved and so on according to it.
At the same time, if the key information is determined to be safe, it is moved to the specified download directory for download by the data processing subsystem 222 satisfying the second condition. A data processing subsystem 222 satisfies the second condition when its IP address belongs to the predetermined download domain. The specified download directory may be a download folder corresponding to that IP address, created in advance when the IP address was classified into the predetermined download domain.
The download detection module 230d is configured to receive a download request, carrying a destination IP address, sent by a data processing subsystem; detect whether the destination IP address belongs to the predetermined download domain; and, if the detection result is that it does, determine that the data processing subsystem satisfies the second condition.
The data transfer subsystem 230 classifies the IP addresses of the data processing subsystems in advance to obtain the predetermined upload domain and predetermined download domain; if the IP address of a data processing subsystem belongs to the predetermined download domain, that subsystem is determined to satisfy the second condition.
The download provision module 230e is configured to provide the key information to the data processing subsystem 222 satisfying the second condition for download.
A data processing subsystem 222 satisfies the second condition when its IP address belongs to the predetermined download domain. The download provision module 230e of the data transfer subsystem 230 allows such a subsystem to download key information from the data transfer subsystem 230.
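The modules 230a to 230e described above, as an added Python example that is not the patent's own code: upload-domain and download-domain checks on IP addresses, storage of an upload in the folder tied to its source address, the three-level security scan (file suffix, keyword, special identifier) with its audit report, the move into the download directory, and the download check. The network ranges, scanning rules, folder layout and the sample files are assumptions constructed for the example, and everything runs inside a temporary directory.

```python
"""Added example (not from the patent): the data transfer subsystem in miniature.
Upload detection (230a), upload storage (230b), security audit (230c), download
detection (230d) and download provision (230e), with assumed rules and ranges.
"""
import ipaddress
import re
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Optional

# Hypothetical classification of data-processing-subsystem addresses.
PREDETERMINED_UPLOAD_DOMAIN = [ipaddress.ip_network("10.1.0.0/24")]    # e.g. CI hosts
PREDETERMINED_DOWNLOAD_DOMAIN = [ipaddress.ip_network("10.2.0.0/24")]  # e.g. lab hosts

# Three-level scanning rules (assumed values); a file is safe when every level passes.
ALLOWED_SUFFIXES = {".bin", ".tar", ".txt"}                       # level 1: suffix
FORBIDDEN_KEYWORDS = ["BEGIN PRIVATE KEY", "password="]           # level 2: keyword
FORBIDDEN_IDENTIFIERS = [re.compile(rb"CONFIDENTIAL-\d{4}")]       # level 3: identifier


def in_domain(ip_text: str, domain) -> bool:
    """True when ip_text is a valid address inside one of the domain's networks."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(ip in net for net in domain)


def scan_file(path: Path) -> List[str]:
    """Run the three-level scan; return the findings (empty list = scan passed)."""
    findings = []
    if path.suffix.lower() not in ALLOWED_SUFFIXES:
        findings.append(f"level1: suffix {path.suffix!r} not allowed")
    data = path.read_bytes()
    for kw in FORBIDDEN_KEYWORDS:
        if kw.encode() in data:
            findings.append(f"level2: keyword {kw!r}")
    for pat in FORBIDDEN_IDENTIFIERS:
        match = pat.search(data)
        if match:
            findings.append(f"level3: identifier {match.group().decode()}")
    return findings


class DataTransferSubsystem:
    def __init__(self, root: Path):
        self.root = root
        self.audit_reports: Dict[str, List[str]] = {}  # file security audit reports

    def meets_first_condition(self, source_ip: str) -> bool:
        """230a: the source address belongs to the predetermined upload domain."""
        return in_domain(source_ip, PREDETERMINED_UPLOAD_DOMAIN)

    def store_upload(self, source_ip: str, name: str, content: bytes) -> Optional[Path]:
        """230b: store the upload in the folder created for its source address."""
        if not self.meets_first_condition(source_ip):
            return None
        folder = self.root / "upload" / source_ip.replace(".", "_")
        folder.mkdir(parents=True, exist_ok=True)
        dest = folder / Path(name).name  # drop any client-supplied directory parts
        dest.write_bytes(content)
        return dest

    def audit_and_release(self, stored: Path, dest_ip: str) -> bool:
        """230c: scan; only a clean file moves to the destination's download folder."""
        findings = scan_file(stored)
        self.audit_reports[stored.name] = findings or ["scan passed"]
        if findings:
            return False
        download_dir = self.root / "download" / dest_ip.replace(".", "_")
        download_dir.mkdir(parents=True, exist_ok=True)
        shutil.move(str(stored), str(download_dir / stored.name))
        return True

    def provide_download(self, dest_ip: str, name: str) -> Optional[bytes]:
        """230d + 230e: check the download domain, then serve from that folder only."""
        if not in_domain(dest_ip, PREDETERMINED_DOWNLOAD_DOMAIN):
            return None
        candidate = self.root / "download" / dest_ip.replace(".", "_") / name
        return candidate.read_bytes() if candidate.is_file() else None


def run_demo() -> dict:
    """Constructed traffic: a clean version file and a file carrying a private key."""
    dts = DataTransferSubsystem(Path(tempfile.mkdtemp()))
    ci_ip, lab_ip, outsider_ip = "10.1.0.5", "10.2.0.9", "10.9.0.1"
    clean = dts.store_upload(ci_ip, "version-1.0.bin", b"\x7fELF build 1.0")
    dirty = dts.store_upload(ci_ip, "notes.txt", b"-----BEGIN PRIVATE KEY----- CONFIDENTIAL-2013")
    return {
        "outsider_upload": dts.store_upload(outsider_ip, "x.bin", b"x"),
        "clean_released": dts.audit_and_release(clean, lab_ip),
        "dirty_released": dts.audit_and_release(dirty, lab_ip),
        "dirty_report": dts.audit_reports["notes.txt"],
        "lab_download": dts.provide_download(lab_ip, "version-1.0.bin"),
        "outsider_download": dts.provide_download(outsider_ip, "version-1.0.bin"),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value!r}")
```

Two design points follow the text: a file that fails any scan level stays in the upload folder and never appears under the download directory, so a download request cannot reach it even from an address inside the download domain; and the per-address folders mean an upload from one subsystem is released only into the folder of the subsystem it was audited for.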
In summary, in the safety management system provided by this embodiment, the desktop cloud subsystem forwards the desktop image of a data processing subsystem to the office terminal, and the data processing subsystem receives the trigger signals generated by the office terminal operating on that desktop image. According to the trigger signals, the data processing subsystem completes the editing, storage, processing, uploading and downloading of key information inside itself or between different data processing subsystems, so that the range of activity of key information is confined to the inside of, or transfer between, data processing subsystems. An employee can only view the desktop image of a data processing subsystem from the office terminal and cannot copy, download or store key information onto the office terminal, so key information is isolated inside the data processing subsystems or between them. This solves the problem that existing security management solutions protect key information inadequately and leave potential safety hazards, and achieves the effect of isolating key information and eliminating those hazards without affecting the normal office work of employees at all.
The safety management system provided by this embodiment also implements the uploading and downloading of key information through the data transfer subsystem and, through security detection of both the IP addresses and the key information itself, fully ensures that the transfer of key information is confined to between different data processing subsystems.
Referring to Fig. 5, which shows a block diagram of a safety management system provided by a further embodiment of the present invention, the safety management system includes a desktop cloud subsystem 210, a data transfer subsystem 230, a continuous integration subsystem 240, a laboratory subsystem 250, a simulation cloud subsystem 260 and a public service subsystem 280.
It is again assumed that the safety management system provided by this embodiment is applied in a project development environment; this embodiment describes and illustrates in detail all operations in the development environment.
The office terminal 100 is a terminal used by research and development staff, such as a desktop computer or a notebook. The office terminal 100 is configured to send a desktop cloud login request to the desktop cloud subsystem 210, the request carrying the IP address of the office terminal 100.
The desktop cloud subsystem 210 is configured to receive the desktop cloud login request sent by the office terminal 100 carrying the IP address of the office terminal 100. A desktop cloud login request is a request by the office terminal 100 to establish a connection with the desktop cloud subsystem 210. To verify the identity of the office terminal, the desktop cloud subsystem 210 is further configured to detect whether the IP address of the office terminal 100 meets a predetermined condition and, if the detection result is that it does, to establish the connection between the office terminal 100 and the desktop cloud subsystem 210.
Specifically, the desktop cloud subsystem 210 includes a desktop cloud access gateway device and a virtual machine resource pool (not shown in the figure), wherein:
The desktop cloud access gateway device is configured to receive the desktop cloud login request sent by the office terminal 100 carrying its IP address. After receiving the IP address of the office terminal 100, the gateway device is further configured to detect whether that IP address meets the predetermined condition and, if the detection result is that it does, to forward the desktop cloud login request to the virtual machine resource pool.
The virtual machine resource pool is configured to receive the desktop cloud login request and, after receiving it, to assign an idle virtual machine to establish a connection with the office terminal 100. The connection between the office terminal 100 and the virtual machine usually uses the ICA (Independent Computing Architecture) protocol.
When the office terminal 100 has established a connection with a virtual machine, the office terminal 100 has established a connection with the desktop cloud subsystem 210.
The desktop cloud subsystem 210 is further configured to log the office terminal 100 on to the continuous integration subsystem 240. That is, when the office terminal 100 needs to use the continuous integration subsystem 240 for compilation, it triggers on the desktop cloud subsystem 210 a login request for the continuous integration subsystem 240.
The continuous integration subsystem 240 is configured to forward its desktop image to the logged-in office terminal 100 through the desktop cloud subsystem 210.
The continuous integration subsystem 240 may include several computers or servers with data storage capability, and forwards the desktop image of one of those computers or servers to the logged-in office terminal 100 through the desktop cloud subsystem 210. The employee performs compilation work according to the desktop image displayed on the office terminal 100.
The continuous integration subsystem 240 is further configured to receive the trigger signals generated by the office terminal 100 operating on the desktop image, forwarded by the desktop cloud subsystem 210, and to complete code editing and compilation according to those trigger signals and build the version file.
Trigger signals are the control commands generated when the employee, performing compilation work on the office terminal 100, inputs code or modifies, deletes and saves it. As the employee works on the office terminal 100, the continuous integration subsystem 240 connected to it completes the corresponding input, modification, deletion and save operations according to the trigger signals generated by the employee's operations. After code editing and compilation are complete, the version file is built for subsequent version debugging.
It should be noted that the continuous integration subsystem 240 can support compilation work at both the individual and the group level. Security mechanisms may be configured in the continuous integration subsystem 240; for example, after an employee logs on to the continuous integration subsystem 240 from the office terminal 100 through the desktop cloud subsystem 210, a password must be entered before the key information stored in the continuous integration subsystem 240 can be viewed. Further, different passwords may be configured for different employees or different project teams, so that each employee can view only the key information related to his or her own work, or only the key information related to his or her own project team, thereby supporting compilation work at the individual and group level.
The data transfer subsystem 230 includes an upload detection module 230a, an upload storage module 230b, a security audit module 230c, a download detection module 230d and a download provision module 230e.
The upload detection module 230a is configured to receive an upload request, carrying a source IP address, sent by the continuous integration subsystem 240; detect whether the source IP address belongs to a predetermined upload domain; and, if the detection result is that it does, determine that the continuous integration subsystem 240 satisfies the first condition.
The data transfer subsystem 230 classifies the IP addresses of the data processing subsystems in advance to obtain a predetermined upload domain and a predetermined download domain. The classification may be based on the physical address at which the specific equipment of each data processing subsystem is located; equipment at different physical addresses has different IP addresses. The predetermined upload domain is the range of IP addresses whose data processing subsystems are allowed to upload key information to the data transfer subsystem 230; correspondingly, the predetermined download domain is the range of IP addresses whose data processing subsystems are allowed to download key information from the data transfer subsystem 230.
After the version file has been built in the continuous integration subsystem 240, the employee, through the desktop cloud subsystem 210 and the continuous integration subsystem 240, sends an upload request to the upload detection module 230a of the data transfer subsystem 230. The upload request carries the source IP address, namely the IP address of the continuous integration subsystem 240. On receiving the upload request from the continuous integration subsystem 240, the upload detection module 230a detects whether the IP address of the continuous integration subsystem 240 belongs to the predetermined upload domain; if the detection result is that it does, the continuous integration subsystem 240 is determined to satisfy the first condition.
The upload storage module 230b is configured to receive the key information uploaded by the continuous integration subsystem 240 and store it.
The data transfer subsystem 230 stores the version file uploaded by the continuous integration subsystem 240 in a specified upload folder. The specified upload folder may be an upload folder corresponding to the IP address of the data processing subsystem, created in advance when that IP address was classified into the predetermined upload domain.
The security audit module 230c is configured to perform a security audit of the stored key information and, if the key information is safe, move it to a specified download directory for download by the data processing subsystem satisfying the second condition.
The security audit may be a security scan of the stored key information according to preset scanning rules. The preset scanning rules may be at least one level of a three-level security scan, in which the first level is a file suffix scan, the second level is a keyword scan and the third level is a special identifier scan. The scanning rules may be pre-configured, or may be configured by an employee before scanning according to actual business needs. When the scan passes, the key information is determined to be safe and a file security audit report is output. The file security audit report is used for background auditing; key information may be classified, retrieved and so on according to it.
At the same time, if the key information is determined to be safe, it is moved to the specified download directory for download by the data processing subsystem satisfying the second condition. A data processing subsystem satisfies the second condition when its IP address belongs to the predetermined download domain. The specified download directory may be a download folder corresponding to that IP address, created in advance when the IP address was classified into the predetermined download domain.
The download detection module 230d is configured to receive a download request, carrying a destination IP address, sent by the laboratory subsystem 250; detect whether the destination IP address belongs to the predetermined download domain; and, if the detection result is that it does, determine that the laboratory subsystem 250 satisfies the second condition.
The data transfer subsystem 230 classifies the IP addresses of the data processing subsystems in advance to obtain the predetermined upload domain and predetermined download domain; if the IP address of the laboratory subsystem 250 belongs to the predetermined download domain, the laboratory subsystem 250 is determined to satisfy the second condition.
Laboratory subsystem 250 includes at least one experimental terminal 251 and a commissioning device 252 connected to experimental terminal 251. A corresponding script can be installed in advance on experimental terminal 251 to send a download request carrying its own IP address to download detection module 230d in data transfer subsystem 230.
After download detection module 230d in data transfer subsystem 230 receives the download request sent by experimental terminal 251, it checks the IP address of experimental terminal 251 to detect whether that address belongs to the predetermined download domain. If the detection result is that it belongs to the predetermined download domain, laboratory subsystem 250 is determined to meet the second condition.
Download providing module 230e is configured to provide the download of key information to laboratory subsystem 250.
After download detection module 230d in data transfer subsystem 230 determines that laboratory subsystem 250 meets the second condition, experimental terminal 251 downloads the version file from download providing module 230e in data transfer subsystem 230 and then completes the debugging of the version file on commissioning device 252.
Desktop cloud subsystem 210 is further configured to log office terminal 100 onto laboratory subsystem 250. That is, when office terminal 100 needs to use an experimental terminal 251 in laboratory subsystem 250 to debug a version file, it triggers an experiment login request on desktop cloud subsystem 210; the experiment login request carries the IP address of one experimental terminal 251 in laboratory subsystem 250.
Laboratory subsystem 250 further includes laboratory login subsystem 253.
Desktop cloud subsystem 210 is further configured to send the experiment login request triggered by office terminal 100, which carries the IP address of experimental terminal 251, to laboratory login subsystem 253.
An experiment login request is a request by office terminal 100 to log onto laboratory login subsystem 253 through desktop cloud subsystem 210; only after logging onto laboratory login subsystem 253 can the desktop image of an experimental terminal 251 in laboratory subsystem 250 be viewed. The experiment login request carries the IP address of experimental terminal 251, which tells laboratory login subsystem 253 which experimental terminal 251's desktop image needs to be viewed.
Laboratory login subsystem 253 includes: request access module 253a, gateway proxy module 253b and image processing module 253c.
Request access module 253a is configured to receive the experiment login request, carrying the IP address of experimental terminal 251, that office terminal 100 sends through desktop cloud subsystem 210.
Gateway proxy module 253b is configured to establish a connection between the corresponding experimental terminal 251 and office terminal 100 using a gateway proxy protocol, according to the IP address of experimental terminal 251.
Image processing module 253c is configured to obtain the desktop image of experimental terminal 251 and send it to office terminal 100 through desktop cloud subsystem 210.
Specifically, image processing module 253c is configured to obtain the image and data streams of experimental terminal 251; convert the image and data streams of experimental terminal 251 into a desktop image containing only the image stream; and send the desktop image to office terminal 100 through desktop cloud subsystem 210.
Experimental terminal 251 records the debugging process of the commissioning device 252 connected to it, and image processing module 253c of laboratory login subsystem 253 obtains the image and data streams of that debugging process from experimental terminal 251. Image processing module 253c of laboratory login subsystem 253 can be configured with Microsoft TS-Gateway (a terminal services gateway); when the gateway policy is configured in advance, clipboard and drive mapping are disabled so that the data stream within the image and data streams is intercepted and removed. After the policy configuration is complete, the image and data streams passing through image processing module 253c of laboratory login subsystem 253 are all converted into a desktop image containing only the image stream. Finally, image processing module 253c of laboratory login subsystem 253 sends the desktop image of experimental terminal 251 to office terminal 100 through desktop cloud subsystem 210.
Office terminal 100 is further configured, after displaying the desktop image of experimental terminal 251, to send to desktop cloud subsystem 210 the trigger signals produced by operating on the desktop image. After desktop cloud subsystem 210 sends the trigger signals produced by office terminal 210 operating on the desktop image to experimental terminal 251 through laboratory login subsystem 253, experimental terminal 251 completes the debugging of the version file on commissioning device 252 according to the trigger signals.
The security management system provided by this embodiment further includes simulation cloud subsystem 260 and public service subsystem 280.
Simulation cloud subsystem 260 is configured to provide employees with a simulated research and development environment for complex R&D. For example, when an employee is studying the maximum carrying voltage of a certain circuit board, testing on real circuit boards could burn out many boards and waste resources. A simulated development environment is built instead, in which a simulated circuit board is provided whose components and performance parameters are exactly the same as those of the real board, so the research goal is reached all the same.
Desktop cloud subsystem 210 is further configured to log office terminal 100 onto simulation cloud subsystem 260. That is, when office terminal 100 needs to use simulation cloud subsystem 260 for simulation, it triggers a login request for simulation cloud subsystem 260 on desktop cloud subsystem 210.
Simulation cloud subsystem 260 is configured to forward the desktop image of simulation cloud subsystem 260 to the logged-in office terminal 100 through desktop cloud subsystem 210; receive the trigger signals, forwarded by desktop cloud subsystem 210, that office terminal 260 produces by operating on the desktop image; and complete code editing, compilation and simulation according to the trigger signals and build a version file.
Like continuous integration subsystem 240, simulation cloud subsystem 260 can also include a number of computers or servers with data storage capacity. Simulation cloud subsystem 260 forwards the desktop image of a certain computer or server within it to the logged-in office terminal 100 through desktop cloud subsystem 210. The employee carries out simulation work according to the desktop image shown on office terminal 100.
Trigger signals are the control commands produced by operations such as entering code, or modifying, deleting and saving, when the employee performs simulation work on office terminal 100. The employee performs the simulation work on office terminal 100, and simulation cloud subsystem 260, connected to office terminal 100, completes the corresponding operations of entering code, or modifying, deleting and saving, according to the trigger signals produced by the employee's operations. After code editing, compilation and simulation are completed, the version file is built for subsequent version debugging.
Public service subsystem 280 is configured to provide public services such as a mail service, a file management service, an SVN (Subversion, a version management tool) service, an AD (Active Directory) domain authentication service, a DNS (Domain Name System) service and an anti-virus service.
Desktop cloud subsystem 210 is further configured to proxy the login of office terminal 100 to public service subsystem 280. That is, when office terminal 100 needs to use public service subsystem 280 to obtain a public service, it triggers a login request for public service subsystem 280 on desktop cloud subsystem 210.
Public service subsystem 280 is configured to forward the desktop image of the public service to the logged-in office terminal 100 through desktop cloud subsystem 210; receive the trigger signals, forwarded by desktop cloud subsystem 210, that office terminal 100 produces by operating on the desktop image; and complete the public service according to the trigger signals.
The implementation process is similar to that of continuous integration subsystem 240 or simulation cloud subsystem 260 described above and is not repeated here.
In summary, in the security management system provided by this embodiment, the desktop cloud subsystem forwards the desktop image of the data process subsystem to the office terminal, and the data process subsystem receives the trigger signals produced by the office terminal operating on the desktop image; according to the trigger signals, the data process subsystem completes editing, storage, processing, upload and download of key information inside the data process subsystem or between different data process subsystems. The range of activity of key information is thereby confined to the inside of the data process subsystems or the links between them: using the office terminal, an employee can only view the desktop image of a data process subsystem and cannot copy, download or store key information onto the office terminal, so key information is isolated within the data process subsystems or between them. This solves the problem that existing security management solutions protect key information inadequately and leave potential safety hazards, and achieves the effect of isolating and blocking key information, fully protecting it and eliminating potential safety hazards without affecting the employee's normal work at all.
The security management system provided by this embodiment has also been described and illustrated in detail, through a specific example, for all operations in the whole development environment. The image processing module of the laboratory login subsystem is responsible for transmitting only the image stream, so that the employee can only view the desktop image of the experimental terminal through the office terminal and cannot copy or download the data stream from the experimental terminal. The security management system provided by this embodiment thus fully guarantees the feasibility and tightness of the security management solution. In addition, the upload and download of key information are realized by the data transfer subsystem, and the security detection of IP addresses and of the key information itself ensures that key information is transmitted only between different data process subsystems.
The security management system provided by this embodiment also realizes simulation work through the simulation cloud subsystem and provides employees with diverse public services through the public service subsystem, offering a more preferred and complete security management solution.
Referring to Fig. 6, which shows a method flow diagram of the security management method provided by one embodiment of the present invention, the security management method is applied in the desktop cloud subsystem. The security management method includes:
Step 602: forward the desktop image of the data process subsystem to the office terminal.
Step 604: forward to the data process subsystem the trigger signals produced by the office terminal operating on the desktop image; the trigger signals are used to trigger the data process subsystem to complete at least one of editing, storage, processing, upload and download of key information inside the data process subsystem or between different data process subsystems.
In summary, the security management method provided by this embodiment forwards the desktop image of the data process subsystem to the office terminal and forwards to the data process subsystem the trigger signals produced by the office terminal operating on the desktop image, the trigger signals triggering the data process subsystem to complete editing, storage, processing, upload and download of key information inside the data process subsystem or between different data process subsystems. The range of activity of key information is thereby confined to the inside of the data process subsystems or the links between them: using the office terminal, an employee can only view the desktop image of a data process subsystem and cannot copy, download or store key information onto the office terminal, so key information is isolated within the data process subsystems or between them. This solves the problem that existing security management solutions protect key information inadequately and leave potential safety hazards, and achieves the effect of isolating and blocking key information, fully protecting it and eliminating potential safety hazards without affecting the employee's normal work at all.
Referring to Fig. 7, which shows a method flow diagram of the security management method provided by another embodiment of the present invention, the security management method is applied in the desktop cloud subsystem. The security management method includes:
Step 701: receive the desktop cloud login request, carrying the IP address of the office terminal, that the office terminal sends.
A desktop cloud login request is the office terminal's request to establish a connection with the desktop cloud subsystem.
The desktop cloud subsystem includes a desktop cloud access gateway device and a virtual machine resource pool. The office terminal first establishes a connection with the desktop cloud access gateway device and sends the desktop cloud login request to the desktop cloud gateway device.
Step 702: detect whether the IP address of the office terminal meets a predetermined condition.
To verify the identity of the office terminal, its IP address must be checked. The desktop cloud login request carries the IP address of the office terminal. After the desktop cloud access gateway device receives the IP address of the office terminal, it detects whether that address meets the predetermined condition.
Step 703: if the detection result is that the predetermined condition is met, establish a connection between the office terminal and the local end.
If the detection result is that the predetermined condition is met, an idle virtual machine from the virtual machine resource pool is configured to establish a connection with the office terminal. The connection between the office terminal and the virtual machine usually uses the ICA protocol.
Once the office terminal has established a connection with a certain virtual machine, the office terminal has established a connection with the desktop cloud subsystem.
Step 704: log the office terminal onto a data process subsystem.
The data process subsystem includes at least one of a continuous integration subsystem, a data transfer subsystem, a laboratory subsystem, a simulation subsystem and a test subsystem. When an employee needs to operate any data process subsystem, the office terminal sends a login request for the corresponding data process subsystem to the desktop cloud subsystem, which forwards the login request to that data process subsystem; after receiving the login request, the data process subsystem forwards its desktop image to the office terminal through the desktop cloud subsystem.
Step 705: forward the desktop image of the data process subsystem to the office terminal.
The desktop cloud subsystem forwards the desktop image of the data process subsystem to the office terminal.
Step 706: forward to the data process subsystem the trigger signals produced by the office terminal operating on the desktop image; the trigger signals are used to trigger the data process subsystem to complete at least one of editing, storage, processing, upload and download of key information inside the data process subsystem or between different data process subsystems.
Trigger signals are the control commands that the employee inputs on the office terminal during work such as compilation, simulation or debugging; they are used to control the data process subsystem to complete operations such as editing, storage, processing, upload and download of key information inside the data process subsystem or between different data process subsystems.
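The gatekeeping of steps 701 to 704, modelled as an added example that is not part of the patent: the desktop cloud access gateway checks the office terminal's IP address against a predetermined condition, hands out an idle virtual machine from the resource pool, and only then lets the terminal log onto a data process subsystem. The office networks, VM names and subsystem names are constructed assumptions; the patent does not state them.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed predetermined condition: office terminals must come from these networks.
OFFICE_NETWORKS = [ipaddress.ip_network("192.168.10.0/24"),
                   ipaddress.ip_network("192.168.11.0/24")]
# Constructed names for the data process subsystems the desktop cloud can log a terminal onto.
DATA_PROCESS_SUBSYSTEMS = {"continuous_integration", "data_transfer",
                           "laboratory", "simulation", "test"}


@dataclass
class Session:
    terminal_ip: str
    vm: str                 # virtual machine allocated from the resource pool
    subsystem: str = ""     # data process subsystem the terminal is logged onto, if any


@dataclass
class DesktopCloudGateway:
    """Model of the desktop cloud access gateway device plus its virtual machine pool."""
    idle_vms: list = field(default_factory=lambda: ["vm-01", "vm-02"])
    sessions: dict = field(default_factory=dict)   # terminal IP -> Session
    events: list = field(default_factory=list)     # audit trail of accepted and denied logins

    def meets_condition(self, ip: str) -> bool:
        """Step 702: the office terminal's address must lie inside a predetermined network."""
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False   # a malformed address never satisfies the condition
        return any(addr in net for net in OFFICE_NETWORKS)

    def login(self, terminal_ip: str) -> str:
        """Steps 701-703: return the allocated VM name, or a refusal reason starting with 'denied'."""
        if not self.meets_condition(terminal_ip):
            self.events.append(("denied", terminal_ip))
            return "denied: IP address does not meet the predetermined condition"
        if terminal_ip in self.sessions:           # already connected: reuse the session
            return self.sessions[terminal_ip].vm
        if not self.idle_vms:
            self.events.append(("no_vm", terminal_ip))
            return "denied: no idle virtual machine in the resource pool"
        vm = self.idle_vms.pop(0)                  # configure an idle VM for this terminal
        self.sessions[terminal_ip] = Session(terminal_ip, vm)
        self.events.append(("connected", terminal_ip, vm))
        return vm

    def login_subsystem(self, terminal_ip: str, subsystem: str) -> bool:
        """Step 704: only a terminal holding a desktop cloud session may be logged onto a subsystem."""
        session = self.sessions.get(terminal_ip)
        if session is None or subsystem not in DATA_PROCESS_SUBSYSTEMS:
            return False
        session.subsystem = subsystem
        return True

    def logout(self, terminal_ip: str) -> None:
        """Release the terminal's virtual machine back to the pool."""
        session = self.sessions.pop(terminal_ip, None)
        if session is not None:
            self.idle_vms.append(session.vm)


if __name__ == "__main__":
    gw = DesktopCloudGateway()
    print(gw.login("192.168.10.5"))
    print(gw.login("10.0.0.9"))
    print(gw.login_subsystem("192.168.10.5", "laboratory"))
```

The `events` list is the point a defender would add beyond the patent text: denied logins and pool exhaustion are exactly the conditions worth alerting on at the gateway.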
In summary, the security management method provided by this embodiment forwards the desktop image of the data process subsystem to the office terminal and forwards to the data process subsystem the trigger signals produced by the office terminal operating on the desktop image, the trigger signals triggering the data process subsystem to complete editing, storage, processing, upload and download of key information inside the data process subsystem or between different data process subsystems. The range of activity of key information is thereby confined to the inside of the data process subsystems or the links between them: using the office terminal, an employee can only view the desktop image of a data process subsystem and cannot copy, download or store key information onto the office terminal, so key information is isolated within the data process subsystems or between them. This solves the problem that existing security management solutions protect key information inadequately and leave potential safety hazards, and achieves the effect of isolating and blocking key information, fully protecting it and eliminating potential safety hazards without affecting the employee's normal work at all.
The security management method provided by this embodiment also improves the security of the solution by detecting the IP address of the office terminal.
Referring to Fig. 8, which shows a method flow diagram of the security management method provided by another embodiment of the present invention, the security management method is applied in the different data process subsystems. The security management method includes:
Step 802: provide a desktop image to the desktop cloud subsystem; the desktop image is forwarded to the office terminal by the desktop cloud subsystem.
Step 804: receive the trigger signals, forwarded by the desktop cloud subsystem, that the office terminal produces by operating on the desktop image.
Step 806: according to the trigger signals, complete at least one of editing, storage, processing, upload and download of key information inside the data process subsystem or between different data process subsystems.
In summary, the security management method provided by this embodiment provides a desktop image to the desktop cloud subsystem, which forwards it to the office terminal; receives the trigger signals, forwarded by the desktop cloud subsystem, that the office terminal produces by operating on the desktop image; and, according to the trigger signals, completes editing, storage, processing, upload and download of key information inside the data process subsystem or between different data process subsystems. The range of activity of key information is thereby confined to the inside of the data process subsystems or the links between them: using the office terminal, an employee can only view the desktop image of a data process subsystem and cannot copy, download or store key information onto the office terminal, so key information is isolated within the data process subsystems or between them. This solves the problem that existing security management solutions protect key information inadequately and leave potential safety hazards, and achieves the effect of isolating and blocking key information, fully protecting it and eliminating potential safety hazards without affecting the employee's normal work at all.
Referring to Fig. 9, which shows a method flow diagram of the security management method provided by another embodiment of the present invention, when the security management method is applied to the data transfer subsystem, the security management method includes:
Step 901: provide a desktop image to the desktop cloud subsystem; the desktop image is forwarded to the office terminal by the desktop cloud subsystem.
The data transfer subsystem provides a desktop image to the desktop cloud subsystem, and the desktop cloud subsystem forwards the desktop image to the office terminal.
Step 902: receive the trigger signals, forwarded by the desktop cloud subsystem, that the office terminal produces by operating on the desktop image.
The data transfer subsystem receives the trigger signals, forwarded by the desktop cloud subsystem, that the office terminal produces by operating on the desktop image. Trigger signals are the control commands that the employee inputs on the office terminal during work such as compilation, simulation or debugging; they are used to control the data process subsystem to complete operations such as editing, storage, processing, upload and download of key information inside the data process subsystem or between different data process subsystems.
Step 903: receive an upload request, carrying a source IP address, sent by a data process subsystem.
The data transfer subsystem receives an upload request carrying a source IP address sent by a data process subsystem. The data transfer subsystem classifies the IP address of each data process subsystem in advance, obtaining a predetermined upload domain and a predetermined download domain. IP addresses can be classified according to the physical location of the specific equipment in the different data process subsystems: different physical locations have different IP addresses. The predetermined upload domain is the range of IP addresses whose data process subsystems are allowed to upload key information to the data transfer subsystem; correspondingly, the predetermined download domain is the range of IP addresses whose data process subsystems are allowed to download key information from the data transfer subsystem. An upload request is a request sent by a data process subsystem to upload key information.
Step 904: detect whether the source IP address belongs to the predetermined upload domain.
The data transfer subsystem detects whether the source IP address belongs to the predetermined upload domain. After receiving the upload request sent by the data process subsystem, the data transfer subsystem checks the IP address of that data process subsystem to detect whether it belongs to the predetermined upload domain.
Step 905: if the detection result is that it belongs to the predetermined upload domain, determine that the data process subsystem meets the first condition.
If the detection result is that the address belongs to the predetermined upload domain, the data transfer subsystem determines that the data process subsystem meets the first condition. The data transfer subsystem allows a data process subsystem that meets the first condition to upload key information to it.
Step 906: receive the key information uploaded by the data process subsystem that meets the first condition.
The data transfer subsystem receives the key information uploaded by the data process subsystem that meets the first condition. For example, the data transfer subsystem receives the version file uploaded by the continuous integration subsystem or the simulation subsystem.
Step 907: store the key information.
The data transfer subsystem stores the key information in a specified upload folder. The specified upload folder can be an upload folder corresponding to the IP address of the data process subsystem, created in advance when that IP address was classified into the predetermined upload domain.
Step 908: carry out a security audit of the stored key information.
The data transfer subsystem carries out a security audit of the stored key information.
Specifically, this step includes the following sub-steps:
First, at least one level of a three-level security scan is carried out on the stored key information according to a default scanning rule. The three levels are a first-level scan of file suffixes, a second-level keyword scan and a third-level scan for special identifiers.
The security audit can scan the stored key information according to the default scanning rule, which can select at least one level of the three-level security scan. The scanning rule can be pre-configured, or it can be configured by an employee before the scan according to actual business needs.
Second, when the scan passes, the key information is determined to be safe and a file security audit report is output.
When the scan passes, the data transfer subsystem determines that the key information is safe and outputs a file security audit report. The file security audit report is used for back-office auditing; key information can be classified, retrieved and so on according to this report.
Step 909: if the key information is safe, move it to a specified download directory to be downloaded by a data process subsystem that meets the second condition.
If the key information is safe, the data transfer subsystem moves it to a specified download directory to be downloaded by a data process subsystem that meets the second condition. A data process subsystem meets the second condition when its IP address belongs to the predetermined download domain.
Step 910: receive a download request, carrying a destination IP address, sent by a data process subsystem.
The data transfer subsystem receives a download request carrying a destination IP address sent by a data process subsystem. A download request is a request sent by a data process subsystem to download key information. For example, the download request is sent by an experimental terminal in the laboratory subsystem. A corresponding script can be installed in advance on the experimental terminal to send the data transfer subsystem a download request carrying its own IP address.
Step 911: detect whether the destination IP address belongs to the predetermined download domain.
The data transfer subsystem detects whether the destination IP address belongs to the predetermined download domain. After receiving the download request sent by the data process subsystem, the data transfer subsystem checks the IP address of that data process subsystem to detect whether it belongs to the predetermined download domain.
Step 912: if the detection result is that it belongs to the predetermined download domain, determine that the data process subsystem meets the second condition.
If the detection result is that the address belongs to the predetermined download domain, the data transfer subsystem determines that the data process subsystem meets the second condition. The data transfer subsystem allows a data process subsystem that meets the second condition to download key information from it.
Step 913: provide the download of key information to the data process subsystem that meets the second condition.
The data transfer subsystem provides the download of key information to the data process subsystem that meets the second condition. After the data transfer subsystem agrees to provide the download, the data process subsystem that meets the second condition downloads the key information from the data transfer subsystem.
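The whole data transfer flow of steps 903 to 913 (and the same upload/download domain checks described earlier for download detection module 230d and the three-level scan of step 908), as an added example that is not the patent's own code: the source address must lie in the upload domain before a file is stored, the stored file is scanned on all three levels and the audit report kept regardless of the result, only a file that passes is moved to the download directory, and the destination address must lie in the download domain before anything is served. The network ranges, scan rule, folder layout and file names are constructed assumptions.

```python
import ipaddress
import tempfile
from pathlib import Path

# Constructed classification of the data process subsystems' IP ranges (the patent only
# says addresses are sorted in advance into an upload domain and a download domain).
UPLOAD_DOMAIN = [ipaddress.ip_network("10.1.0.0/24")]    # e.g. continuous integration, simulation
DOWNLOAD_DOMAIN = [ipaddress.ip_network("10.2.0.0/24")]  # e.g. laboratory subsystem

# Constructed scanning rule for the three-level security scan of step 908.
SCAN_RULE = {
    "suffixes": {".bin", ".zip"},                 # level 1: permitted version-file suffixes
    "keywords": {"password=", "PRIVATE KEY"},      # level 2: keywords that must not appear
    "identifiers": {"[INTERNAL-ONLY]"},            # level 3: special identifiers (classification marks)
}


def in_domain(ip: str, domain) -> bool:
    """True when the address falls inside any network of the given domain."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in domain)


def three_level_scan(path: Path, rule=SCAN_RULE):
    """Run the suffix, keyword and identifier levels; return (passed, file security audit report)."""
    text = path.read_bytes().decode("utf-8", errors="ignore")
    report = {
        "file": path.name,
        "suffix_ok": path.suffix in rule["suffixes"],
        "keyword_ok": not any(k in text for k in rule["keywords"]),
        "identifier_ok": not any(i in text for i in rule["identifiers"]),
        "findings": sorted(k for k in rule["keywords"] | rule["identifiers"] if k in text),
    }
    passed = report["suffix_ok"] and report["keyword_ok"] and report["identifier_ok"]
    return passed, report


class DataTransferSubsystem:
    """Gatekeeper for the only path key information may take between data process subsystems."""

    def __init__(self, root: Path):
        self.upload_root = root / "upload"
        self.download_root = root / "download"
        self.audit_reports = []   # file security audit reports kept for back-office audit

    def handle_upload(self, source_ip: str, name: str, data: bytes) -> str:
        # Steps 903-905: first condition = source IP belongs to the predetermined upload domain.
        if not in_domain(source_ip, UPLOAD_DOMAIN):
            return "rejected: source IP outside upload domain"
        # Steps 906-907: store under the upload folder tied to the source address.
        folder = self.upload_root / source_ip.replace(".", "_")
        folder.mkdir(parents=True, exist_ok=True)
        stored = folder / name
        stored.write_bytes(data)
        # Step 908: security audit; the report is recorded whether or not the scan passes.
        passed, report = three_level_scan(stored)
        self.audit_reports.append(report)
        if not passed:
            return "held: scan failed on " + ", ".join(report["findings"] or ["suffix"])
        # Step 909: only a file that passed is moved to the download directory.
        self.download_root.mkdir(parents=True, exist_ok=True)
        stored.replace(self.download_root / name)
        return "accepted"

    def handle_download(self, dest_ip: str, name: str):
        # Steps 910-913: second condition = destination IP belongs to the predetermined download domain.
        if not in_domain(dest_ip, DOWNLOAD_DOMAIN):
            return None
        target = self.download_root / name
        return target.read_bytes() if target.exists() else None


def demo() -> dict:
    """Exercise the flow with constructed subsystems and files; returns each outcome."""
    dts = DataTransferSubsystem(Path(tempfile.mkdtemp()))
    return {
        "ci_upload": dts.handle_upload("10.1.0.7", "build-1.bin", b"release image"),
        "leaky_upload": dts.handle_upload("10.1.0.8", "notes.bin", b"password=hunter2"),
        "office_upload": dts.handle_upload("192.168.5.5", "x.bin", b"not allowed"),
        "lab_download": dts.handle_download("10.2.0.3", "build-1.bin"),
        "held_download": dts.handle_download("10.2.0.3", "notes.bin"),
        "office_download": dts.handle_download("192.168.5.5", "build-1.bin"),
    }


if __name__ == "__main__":
    for outcome, value in demo().items():
        print(outcome, "->", value)
```

A file that fails the scan stays in the upload folder and never reaches the download directory, so even a subsystem in the download domain cannot fetch it; that separation of the two directories is what makes the audit step enforceable rather than advisory.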
In summary, the security management method provided by this embodiment provides a desktop image to the desktop cloud subsystem, which forwards it to the office terminal; receives the trigger signals, forwarded by the desktop cloud subsystem, that the office terminal produces by operating on the desktop image; and, according to the trigger signals, completes editing, storage, processing, upload and download of key information inside the data process subsystem or between different data process subsystems. The range of activity of key information is thereby confined to the inside of the data process subsystems or the links between them: using the office terminal, an employee can only view the desktop image of a data process subsystem and cannot copy, download or store key information onto the office terminal, so key information is isolated within the data process subsystems or between them. This solves the problem that existing security management solutions protect key information inadequately and leave potential safety hazards, and achieves the effect of isolating and blocking key information, fully protecting it and eliminating potential safety hazards without affecting the employee's normal work at all.
The security management method provided by this embodiment also realizes the upload and download of key information through the data transfer subsystem and, through the security detection of IP addresses and of the key information itself, ensures that key information is transmitted only between different data process subsystems.
Referring to Figure 10, which shows a method flow diagram of the security management method provided by another embodiment of the present invention, when the security management method is applied to a laboratory subsystem that includes a laboratory login subsystem and at least one commissioning device, the security management method includes:
Step 1001: the laboratory login subsystem receives the experiment login request, carrying the IP address of an experimental terminal, that the office terminal sends through the desktop cloud subsystem.
The laboratory subsystem receives, through its laboratory login subsystem, the experiment login request carrying the IP address of the experimental terminal that the office terminal sends via the desktop cloud subsystem. The experiment login request sent by the office terminal carries the IP address of the experimental terminal to tell the laboratory login subsystem which experimental terminal it needs to connect to.
Step 1002: the laboratory login subsystem establishes a connection between the experimental terminal and the office terminal using the gateway proxy protocol, according to the IP address of the experimental terminal.
The laboratory subsystem, through the laboratory login subsystem, establishes a connection between the experimental terminal and the office terminal using the gateway proxy protocol according to the IP address of the experimental terminal.
Step 1003: the laboratory login subsystem obtains the image and data streams of the commissioning device.
The laboratory subsystem obtains the image and data streams of the commissioning device through the laboratory login subsystem. The experimental terminal records the debugging process of the commissioning device connected to it, and the laboratory login subsystem obtains the image and data streams of that debugging process from the experimental terminal.
Step 1004: the laboratory login subsystem converts the image and data stream of the experimental terminal into a desktop image that contains only the image stream.
The laboratory subsystem, through the laboratory login subsystem, converts the image and data stream of the experimental terminal into a desktop image containing only the image stream. The laboratory login subsystem may be configured with Microsoft TS-Gateway (a terminal services gateway). When the gateway policy is configured in advance, clipboard and drive mapping are disabled, so that the data-stream part of the image and data stream is intercepted and removed. Once the policy is in place, every image and data stream passing through the laboratory login subsystem is converted into a desktop image consisting of the image stream alone. A terminal services gateway exposes the same device-redirection policy for printers, serial ports and plug-and-play devices, so a deployment that aims at an image-only stream has to disable those redirections as well, not only the clipboard and drive mapping named here.
Step 1005: the laboratory login subsystem sends the desktop image to the office terminal via the desktop cloud subsystem.
The laboratory subsystem, through the laboratory login subsystem, sends the desktop image of the experimental terminal to the office terminal via the desktop cloud subsystem.
After steps 1003 to 1005, the office terminal receives the desktop image of the experimental terminal forwarded by the desktop cloud subsystem. The employee operates on that desktop image at the office terminal, which produces corresponding trigger signals, and the desktop cloud subsystem forwards these trigger signals to the experimental terminal.
Step 1006: the experimental terminal receives the trigger signals, forwarded by the desktop cloud subsystem, that the office terminal produced when operating on the desktop image.
The experimental terminal in the laboratory subsystem receives the trigger signals forwarded by the desktop cloud subsystem that were produced by the office terminal operating on the desktop image. A trigger signal is a control command entered by the employee while operating the office terminal; it is used to make the experimental terminal in the laboratory subsystem download key information, debug the corresponding debugging device, and so on.
Step 1007: according to the trigger signals, the experimental terminal completes the download of key information or debugs the corresponding debugging device.
The experimental terminal in the laboratory subsystem completes the download of key information, debugs the corresponding debugging device, and so on, according to the trigger signals.
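The flow of steps 1001 to 1007 reduces to two policy decisions at the laboratory login subsystem: which experimental terminal the office terminal may be proxied to, and which channels of the experimental terminal's stream may cross the gateway in each direction. The following model is an example added for this page; it is not the implementation the patent describes. The frame format (channel name, payload), the channel names, the registered experimental terminals and the sample streams are constructed assumptions, and the check that the requested experimental terminal IP is a registered one is an assumption as well (the patent only says the request carries that IP).

```python
"""Model of the laboratory login subsystem's gateway policy (steps 1001 to 1007):
only the display channel of the experimental terminal reaches the office
terminal, and only trigger signals travel back. Example code added for this
page, not the implementation the patent describes; the frame format, channel
names, registered terminals and the sample streams are constructed assumptions."""
import ipaddress
from collections import Counter

# Per-direction allowlists, the model of a terminal services gateway policy that
# disables clipboard and drive mapping: any channel not listed is dropped.
ALLOWED_TO_OFFICE = frozenset({"display"})
ALLOWED_TO_EXPERIMENTAL = frozenset({"input"})


class LaboratoryLoginSubsystem:
    def __init__(self, experimental_terminals):
        # Assumption: the gateway proxies only to registered experimental terminals,
        # so the IP carried in the login request is checked rather than trusted.
        self.terminals = {ipaddress.ip_address(ip) for ip in experimental_terminals}
        self.dropped = Counter()  # (direction, channel) -> frames removed by policy

    def handle_login_request(self, request):
        """Steps 1001/1002: validate the experiment login request and return the
        connection to establish, or None to refuse it."""
        try:
            office = request["office_terminal"]
            target = ipaddress.ip_address(request["experimental_terminal"])
        except (KeyError, ValueError):
            return None
        if target not in self.terminals:
            return None
        return {"office_terminal": office, "experimental_terminal": str(target)}

    def to_office_terminal(self, frames):
        """Steps 1003/1004: reduce the image-and-data stream to the image stream."""
        return self._filter(frames, ALLOWED_TO_OFFICE, "to_office")

    def to_experimental_terminal(self, frames):
        """Step 1006: forward only the trigger signals the employee produced."""
        return self._filter(frames, ALLOWED_TO_EXPERIMENTAL, "to_experimental")

    def _filter(self, frames, allowed, direction):
        passed = []
        for channel, payload in frames:
            if channel in allowed:
                passed.append((channel, payload))
            else:
                self.dropped[(direction, channel)] += 1  # kept for the audit trail
        return passed


# Constructed sample stream from an experimental terminal: display frames mixed
# with clipboard and drive-mapping (rdpdr) frames that the policy must remove.
SAMPLE_STREAM = [
    ("display", b"frame-1"),
    ("clipboard", b"root password for DUT"),
    ("rdpdr", b"\\\\tsclient\\C\\release.bin"),
    ("display", b"frame-2"),
]
# Constructed sample of what the office terminal sends back.
SAMPLE_RETURN = [
    ("input", b"mouse 120,80 click"),
    ("clipboard", b"paste"),
    ("input", b"key ENTER"),
]


def demo():
    """Run the constructed samples through the policy and report what crossed."""
    lab = LaboratoryLoginSubsystem(experimental_terminals=["10.20.1.7"])
    conn = lab.handle_login_request(
        {"office_terminal": "10.30.5.21", "experimental_terminal": "10.20.1.7"}
    )
    shown = lab.to_office_terminal(SAMPLE_STREAM)
    returned = lab.to_experimental_terminal(SAMPLE_RETURN)
    return conn, [c for c, _ in shown], [c for c, _ in returned], dict(lab.dropped)


if __name__ == "__main__":
    print(demo())
```

The allowlist is applied in both directions on purpose: the patent's concern is that nothing but the image stream leaves the experimental terminal, but a clipboard channel that is open in the return direction would still let the office terminal push data into the laboratory, so the model admits only trigger signals there.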
In summary, the security management method provided by this embodiment provides a desktop image to the desktop cloud subsystem, which forwards it to the office terminal; receives the trigger signals, forwarded by the desktop cloud subsystem, that the office terminal produced by operating on the desktop image; and, according to those trigger signals, completes the editing, storage, processing, upload and download of key information inside a data processing subsystem or between different data processing subsystems. The key information therefore moves only inside the data processing subsystems or between them: with the office terminal an employee can only view the desktop image of a data processing subsystem and cannot copy, download or store key information onto the office terminal, so the key information is isolated within a data processing subsystem or between data processing subsystems. This solves the problem that existing security management solutions protect key information inadequately and leave a potential security risk; it achieves complete isolation of key information, adequately protecting it and eliminating the risk, without affecting the employee's normal office work.
In the security management method provided by this embodiment, the laboratory login subsystem is also responsible for transmitting the image stream, so that an employee can only view the desktop image of the experimental terminal through the office terminal and cannot copy or download the data stream from the experimental terminal. The security management system provided by this embodiment thus ensures both the feasibility and the tightness of the security management solution.
It should be noted that the security management system provided by the above embodiments is described, when performing security management, only in terms of the above division into functional modules by way of example. In practical applications the above functions may be allocated to different functional modules as required, that is, the internal structure of the system may be divided into different functional modules to complete all or part of the functions described above. In addition, the security management system provided by the above embodiments shares the same concept as the security management method embodiments; for its specific implementation refer to the method embodiments, which are not repeated here.
It should be understood that, as used herein, unless the context clearly indicates otherwise, the singular forms "a", "an" and "the" are intended to include the plural forms as well. It should further be understood that "and/or" as used herein refers to and includes any and all possible combinations of one or more of the associated listed items.
The serial numbers of the above embodiments of the present invention are for description only and do not represent the merits of the embodiments.
A person of ordinary skill in the art will understand that all or part of the steps of the above embodiments may be implemented by hardware, or by a program instructing the relevant hardware; the program may be stored in a computer-readable storage medium, such as a read-only memory, a magnetic disk or an optical disc.
The foregoing are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent replacement, improvement and the like made within the spirit and principles of the present invention shall be included in the scope of protection of the present invention.
Claims (17)
1. A security management system, characterised in that the system comprises:
a desktop cloud subsystem and at least one data processing subsystem;
the desktop cloud subsystem is configured to forward a desktop image of the data processing subsystem to an office terminal, and to forward to the data processing subsystem the trigger signals produced by the office terminal operating on the desktop image;
the data processing subsystem is configured to provide the desktop image to the desktop cloud subsystem; to receive the trigger signals produced by the office terminal operating on the desktop image; and, according to the trigger signals, to complete at least one of editing, storing, processing, uploading and downloading key information inside the data processing subsystem or between different data processing subsystems;
the at least one data processing subsystem comprises a data transfer subsystem;
the data transfer subsystem is configured to receive key information uploaded by a data processing subsystem that meets a first condition; to store the key information; and to provide the download of the key information to a data processing subsystem that meets a second condition;
wherein a data processing subsystem meeting the first condition is one whose IP address belongs to a predetermined upload domain, the predetermined upload domain being the range of IP addresses, inside the data processing subsystem or between data processing subsystems, from which a data processing subsystem is allowed to upload key information to the data transfer subsystem;
and a data processing subsystem meeting the second condition is one whose IP address belongs to a predetermined download domain, the predetermined download domain being the range of IP addresses, inside the data processing subsystem or between data processing subsystems, from which a data processing subsystem is allowed to download key information from the data transfer subsystem.
2. The system according to claim 1, characterised in that
the data transfer subsystem is configured to receive an upload request sent by a data processing subsystem that carries a source IP address; to detect whether the source IP address belongs to the predetermined upload domain; and, if the detection result is that it does, to determine that the data processing subsystem meets the first condition; and/or to receive a download request sent by a data processing subsystem that carries a destination IP address; to detect whether the destination IP address belongs to the predetermined download domain; and, if the detection result is that it does, to determine that the data processing subsystem meets the second condition.
3. The system according to claim 1, characterised in that
the data transfer subsystem is configured to perform a security audit on the stored key information and, if the key information is safe, to move it to a specified download directory for download by the data processing subsystems meeting the second condition.
4. The system according to claim 3, characterised in that
the data transfer subsystem is configured to perform, according to preset scanning rules, at least one level of a three-level security scan on the stored key information, the three-level security scan comprising a first-level file extension scan, a second-level keyword scan and a third-level special identifier scan; and, when the scan passes, to determine that the key information is safe and to output a file security audit report.
5. The system according to any one of claims 1 to 4, characterised in that the data processing subsystem meeting the first condition comprises a continuous integration subsystem;
the desktop cloud subsystem is further configured to log the office terminal in to the continuous integration subsystem;
the continuous integration subsystem is configured to forward the desktop image of the continuous integration subsystem to the logged-in office terminal via the desktop cloud subsystem; to receive the trigger signals, forwarded by the desktop cloud subsystem, produced by the office terminal operating on the desktop image; and, according to the trigger signals, to complete the editing and compiling of code and the building of a version file.
6. The system according to any one of claims 1 to 4, characterised in that the data processing subsystem meeting the first condition comprises a simulation cloud subsystem;
the desktop cloud subsystem is further configured to log the office terminal in to the simulation cloud subsystem;
the simulation cloud subsystem is configured to forward the desktop image of the simulation cloud subsystem to the logged-in office terminal via the desktop cloud subsystem; to receive the trigger signals, forwarded by the desktop cloud subsystem, produced by the office terminal operating on the desktop image; and, according to the trigger signals, to complete the editing, compiling and simulation of code and the building of a version file.
7. The system according to any one of claims 1 to 4, characterised in that the data processing subsystem meeting the second condition comprises a laboratory subsystem, the laboratory subsystem comprising a laboratory login subsystem, at least one experimental terminal and a debugging device connected to the experimental terminal;
the desktop cloud subsystem is further configured to send an experiment login request, triggered by the office terminal and carrying the IP address of the experimental terminal, to the laboratory login subsystem;
the laboratory login subsystem is configured to receive the experiment login request, sent by the office terminal via the desktop cloud subsystem, carrying the IP address of the experimental terminal; to establish, according to that IP address, a connection between the experimental terminal and the office terminal using a gateway proxy protocol; to obtain the desktop image of the experimental terminal; and to send the desktop image of the experimental terminal to the office terminal via the desktop cloud subsystem;
the experimental terminal is configured to receive the trigger signals, forwarded by the desktop cloud subsystem, produced by the office terminal operating on the desktop image, and, according to the trigger signals, to complete the debugging of the version file on the debugging device.
8. The system according to claim 7, characterised in that
the laboratory login subsystem is configured to obtain the image and data stream of the experimental terminal; to convert the image and data stream of the experimental terminal into a desktop image containing only the image stream; and to send the desktop image to the office terminal via the desktop cloud subsystem.
9. The system according to any one of claims 1 to 4, characterised in that
the desktop cloud subsystem is configured to receive a desktop cloud login request sent by the office terminal that carries the IP address of the office terminal; to detect whether the IP address of the office terminal meets a predetermined condition; and, if the detection result is that it does, to establish a connection between the office terminal and the desktop cloud subsystem.
10. The system according to any one of claims 1 to 4, characterised in that the data processing subsystem meeting the second condition comprises a public service subsystem;
the desktop cloud subsystem is further configured to log the office terminal in to the public service subsystem by proxy;
the public service subsystem is configured to forward the desktop image of the public services to the logged-in office terminal via the desktop cloud subsystem; to receive the trigger signals, forwarded by the desktop cloud subsystem, produced by the office terminal operating on the desktop image; and to complete the public service according to the trigger signals;
wherein the public services comprise at least one of a mail service, a file management service, a version control tool SVN service, an Active Directory domain authentication service, a domain name system DNS service and an anti-virus service.
11. A security management method, characterised in that the method is applied to a desktop cloud subsystem and comprises:
receiving a desktop cloud login request sent by an office terminal that carries the IP address of the office terminal;
detecting whether the IP address of the office terminal meets a predetermined condition;
if the detection result is that it does, establishing a connection between the office terminal and a data processing subsystem;
logging the office terminal in to the data processing subsystem, the data processing subsystem comprising a data transfer subsystem, a data processing subsystem meeting a first condition and a data processing subsystem meeting a second condition;
forwarding the desktop image of the data processing subsystem to the office terminal;
forwarding to the data processing subsystem the trigger signals produced by the office terminal operating on the desktop image, the trigger signals being used to trigger the data transfer subsystem to receive key information uploaded by the data processing subsystem meeting the first condition, to store the key information, and to provide the download of the key information to the data processing subsystem meeting the second condition;
wherein a data processing subsystem meeting the first condition is one whose IP address belongs to a predetermined upload domain, the predetermined upload domain being the range of IP addresses, inside the data processing subsystem or between data processing subsystems, from which a data processing subsystem is allowed to upload key information to the data transfer subsystem;
and a data processing subsystem meeting the second condition is one whose IP address belongs to a predetermined download domain, the predetermined download domain being the range of IP addresses, inside the data processing subsystem or between data processing subsystems, from which a data processing subsystem is allowed to download key information from the data transfer subsystem.
12. A security management method, characterised in that the method is applied to at least one data processing subsystem and comprises:
providing a desktop image to a desktop cloud subsystem, the desktop image being used for forwarding to an office terminal by the desktop cloud subsystem;
receiving the trigger signals, forwarded by the desktop cloud subsystem, produced by the office terminal operating on the desktop image;
the data processing subsystem comprising a data transfer subsystem, a data processing subsystem meeting a first condition and a data processing subsystem meeting a second condition, and the data transfer subsystem, according to the trigger signals, receiving key information uploaded by the data processing subsystem meeting the first condition, storing the key information, and providing the download of the key information to the data processing subsystem meeting the second condition;
wherein a data processing subsystem meeting the first condition is one whose IP address belongs to a predetermined upload domain, the predetermined upload domain being the range of IP addresses, inside the data processing subsystem or between data processing subsystems, from which a data processing subsystem is allowed to upload key information to the data transfer subsystem;
and a data processing subsystem meeting the second condition is one whose IP address belongs to a predetermined download domain, the predetermined download domain being the range of IP addresses, inside the data processing subsystem or between data processing subsystems, from which a data processing subsystem is allowed to download key information from the data transfer subsystem.
13. The method according to claim 12, characterised in that, before receiving the key information uploaded by the data processing subsystem meeting the first condition, the method further comprises:
receiving an upload request sent by a data processing subsystem that carries a source IP address;
detecting whether the source IP address belongs to the predetermined upload domain;
if the detection result is that it does, determining that the data processing subsystem meets the first condition.
14. The method according to claim 12, characterised in that, before providing the download of the key information to the data processing subsystem meeting the second condition, the method further comprises:
receiving a download request sent by a data processing subsystem that carries a destination IP address;
detecting whether the destination IP address belongs to the predetermined download domain;
if the detection result is that it does, determining that the data processing subsystem meets the second condition.
15. The method according to claim 12, characterised in that, after storing the key information, the method further comprises:
performing a security audit on the stored key information;
and providing the download of the key information to the data processing subsystem meeting the second condition comprises:
if the key information is safe, moving the key information to a specified download directory for download by the data processing subsystem meeting the second condition.
16. The method according to claim 15, characterised in that performing a security audit on the stored key information comprises:
performing, according to preset scanning rules, at least one level of a three-level security scan on the stored key information, the three-level security scan comprising a first-level file extension scan, a second-level keyword scan and a third-level special identifier scan;
when the scan passes, determining that the key information is safe and outputting a file security audit report.
17. The method according to claim 12, characterised in that, when the method is applied to a laboratory subsystem comprising a laboratory login subsystem and at least one debugging device, providing the desktop image to the desktop cloud subsystem, the desktop image being used for forwarding to the office terminal by the desktop cloud subsystem, comprises:
obtaining the image and data stream of the debugging device through the laboratory login subsystem;
converting, through the laboratory login subsystem, the image and data stream of the experimental terminal into a desktop image containing only the image stream;
sending, through the laboratory login subsystem, the desktop image to the office terminal via the desktop cloud subsystem.
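Claims 1 to 4 and 13 to 16 describe the data transfer subsystem as three gates in sequence: an upload is accepted only if the source IP belongs to the predetermined upload domain, stored key information is released to the download directory only after the three-level scan (file extension, keyword, special identifier) passes and an audit report is produced, and a download is served only to a destination IP in the predetermined download domain. The following model is an example added for this page; it is not the implementation the patent describes. The domain ranges, the concrete scan rules (an extension allowlist, a keyword list and two identifier patterns), the file names and their contents are constructed assumptions, as is the choice to hold staged and released files in memory rather than on disk.

```python
"""Model of the data transfer subsystem of claims 1 to 4 and 13 to 16: uploads
are accepted only from the predetermined upload domain, stored key information
is audited with the three-level scan, and only audited files are served, and
only to the predetermined download domain. Example code added for this page; it
is not the implementation the patent describes. Domain ranges, scan rules, file
names and file contents are constructed assumptions."""
import hashlib
import ipaddress
import re


class ScanRules:
    """Preset scanning rules (assumed values; the patent names only the three levels)."""

    # Level 1: only these file extensions may leave the transfer subsystem.
    allowed_suffixes = (".bin", ".tar.gz", ".txt", ".log")
    # Level 2: keywords whose presence marks the content as unsafe to release.
    keywords = (b"CONFIDENTIAL", b"PRIVATE KEY", b"PASSWORD=")
    # Level 3: special identifiers (hypothetical internal source-code tags).
    identifier_patterns = (re.compile(rb"SRC-\d{6}"), re.compile(rb"INTERNAL-[A-Z]{3}"))


class DataTransferSubsystem:
    def __init__(self, upload_domain, download_domain, rules=None):
        self.upload_domain = [ipaddress.ip_network(n) for n in upload_domain]
        self.download_domain = [ipaddress.ip_network(n) for n in download_domain]
        self.rules = rules or ScanRules()
        self.staging = {}       # received key information, not yet audited
        self.download_dir = {}  # the "specified download directory": audited and released
        self.reports = []       # file security audit reports

    @staticmethod
    def _in_domain(ip, domain):
        # Fail closed on anything that does not parse as an IP address.
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            return False
        return any(addr in net for net in domain)

    def meets_first_condition(self, source_ip):
        return self._in_domain(source_ip, self.upload_domain)

    def meets_second_condition(self, destination_ip):
        return self._in_domain(destination_ip, self.download_domain)

    def handle_upload(self, source_ip, name, content):
        """Upload request carrying a source IP (claims 2 and 13)."""
        if not self.meets_first_condition(source_ip):
            return False
        self.staging[name] = bytes(content)
        return True

    def audit(self, name):
        """Three-level security scan (claims 4 and 16); the file is moved to the
        download directory only if every level passes."""
        content = self.staging[name]
        hits = [k.decode() for k in self.rules.keywords if k in content]
        ids = sorted({m.group().decode()
                      for p in self.rules.identifier_patterns for m in p.finditer(content)})
        report = {
            "file": name,
            "sha256": hashlib.sha256(content).hexdigest(),
            "suffix_ok": name.endswith(self.rules.allowed_suffixes),
            "keyword_hits": hits,
            "identifier_hits": ids,
        }
        safe = report["suffix_ok"] and not hits and not ids
        report["verdict"] = "safe" if safe else "blocked"
        self.reports.append(report)
        if safe:
            self.download_dir[name] = self.staging.pop(name)
        return report

    def handle_download(self, destination_ip, name):
        """Download request carrying a destination IP (claims 2 and 14); only
        released files are served, so an unaudited upload is never downloadable."""
        if not self.meets_second_condition(destination_ip):
            return None
        return self.download_dir.get(name)


def demo():
    """Constructed run: a CI subsystem uploads two files, a laboratory terminal downloads."""
    dts = DataTransferSubsystem(upload_domain=["10.10.1.0/24"], download_domain=["10.20.1.0/24"])
    dts.handle_upload("10.10.1.15", "release-1.0.3.bin", b"\x7fELF build of release 1.0.3")
    dts.handle_upload("10.10.1.15", "design-notes.txt", b"CONFIDENTIAL: see SRC-123456")
    verdicts = {r["file"]: r["verdict"] for r in (dts.audit(n) for n in list(dts.staging))}
    return verdicts, dts.handle_download("10.20.1.7", "release-1.0.3.bin") is not None


if __name__ == "__main__":
    print(demo())
```

Two points of the design are worth noting. The download path reads only from the released directory, so a file that was uploaded but not yet audited (or that failed the audit) stays in staging and is never served, regardless of the requester's IP. And the IP checks fail closed: a request whose address does not parse is treated as outside both domains rather than as an error to be handled later.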
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310542729.7A CN104618313B (en) | 2013-11-05 | 2013-11-05 | Safety management system and method |
PCT/CN2014/078478 WO2015067037A1 (en) | 2013-11-05 | 2014-05-27 | Security management system and method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201310542729.7A CN104618313B (en) | 2013-11-05 | 2013-11-05 | Safety management system and method |
Publications (2)
Publication Number | Publication Date |
---|---|
CN104618313A CN104618313A (en) | 2015-05-13 |
CN104618313B true CN104618313B (en) | 2018-02-13 |
Family
ID=53040848
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201310542729.7A Active CN104618313B (en) | 2013-11-05 | 2013-11-05 | Safety management system and method |
Country Status (2)
Country | Link |
---|---|
CN (1) | CN104618313B (en) |
WO (1) | WO2015067037A1 (en) |
Families Citing this family (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN105245606B (en) * | 2015-10-22 | 2018-10-16 | 中国铁路总公司 | Cloud office platform |
CN106231267A (en) * | 2016-08-24 | 2016-12-14 | 成都中英锐达科技有限公司 | View data managing and control system, data download method, playback of data processing method |
CN109257213B (en) * | 2018-09-07 | 2021-06-29 | 广东电网有限责任公司 | Method and device for judging computer terminal access verification failure |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101764798A (en) * | 2009-07-01 | 2010-06-30 | 北京华胜天成科技股份有限公司 | Safety management system and method based on client terminal |
CN102143149A (en) * | 2010-12-10 | 2011-08-03 | 华为技术有限公司 | Method and system for mini-station to access cloud, and access management equipment |
CN102662741A (en) * | 2012-04-05 | 2012-09-12 | 华为技术有限公司 | Method, device and system for realizing virtual desktop |
CN202772927U (en) * | 2012-09-10 | 2013-03-06 | 厦门锐思特软件科技有限公司 | Internal network information safety management system based on cloud desktop |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20080104699A1 (en) * | 2006-09-28 | 2008-05-01 | Microsoft Corporation | Secure service computation |
Timeline
- 2013-11-05: CN CN201310542729.7A, patent CN104618313B (active)
- 2014-05-27: WO PCT/CN2014/078478, WO2015067037A1 (application filing)
Also Published As
Publication number | Publication date |
---|---|
CN104618313A (en) | 2015-05-13 |
WO2015067037A1 (en) | 2015-05-14 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | | Effective date of registration: 20220222. Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province. Patentee after: Huawei Cloud Computing Technologies Co.,Ltd. Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen. Patentee before: HUAWEI TECHNOLOGIES Co.,Ltd. |