CN104660578A - System and method for realizing security storage and access control of data - Google Patents

System and method for realizing security storage and access control of data

Info

Publication number
CN104660578A
Authority
CN
China
Prior art keywords
data
security
storage
gateway
security domain
Legal status
Granted
Application number
CN201410163708.9A
Other languages
Chinese (zh)
Other versions
CN104660578B (en)
Inventor
董唯元
陈幼雷
郭伟
Current Assignee
Individual
Original Assignee
Individual
Events
Application filed by Individual
Priority to CN201410163708.9A
Publication of CN104660578A
Application granted
Publication of CN104660578B
Legal status: Active

Classifications

All entries fall under H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION. The first four are under H04L63/00 (network architectures or network communication protocols for network security); the last is under H04L67/00 (network arrangements or protocols for supporting network services or applications).

    • H04L63/104 Grouping of entities (under H04L63/10, controlling access to devices or network resources)
    • H04L63/0218 Distributed architectures, e.g. distributed firewalls (under H04L63/0209 architectural arrangements, e.g. perimeter networks or demilitarized zones, and H04L63/02 separating internal from external traffic, e.g. firewalls)
    • H04L63/0272 Virtual private networks (under H04L63/02)
    • H04L63/162 Implementing security features at the data link layer (under H04L63/16, implementing security features at a particular protocol layer)
    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS] (under H04L67/01 protocols and H04L67/10 distributed applications)

Abstract

The invention discloses a system and method for realizing the secure storage and access control of data. The system comprises an application server, a storage security gateway, a security policy server and a backend storage system, where the storage security gateway is inserted between the application server and the backend storage system to realize the partition, isolation and access control of data security domains. The storage security gateway and a storage virtualization gateway work cooperatively, and virtualization is used to store data on the actual physical medium according to their security domain. When a data access request arrives at the storage virtualization gateway, the storage virtualization gateway invokes the functions of the storage security gateway to realize the isolation and access control of the data security domains. Because every data request for access to the backend storage system is processed by the storage security gateway, security control is guaranteed to be performed on the single data path and cannot be bypassed. In addition, security control is realized at the bottom layer of data access, so attacks on the data from upper application layers can be effectively avoided.

Description

System and method for realizing secure data storage and data access control
Technical field
The present invention relates to the field of storage security in information technology, and in particular to a system and method for ensuring the secure storage of critical data and controlling access to it.
Background technology
With the development of cloud computing, virtualization technology is widely used in storage systems: the physical storage media of a storage system are unified into a resource pool that provides service to the outside. Virtualization hides the details of how data are stored at the bottom layer, so that the physical location of data is decoupled from their logical location; a user can obtain a virtual storage space larger than the actual capacity, and need only care about how data appear at the application layer, not how they are stored underneath. But applying virtualization also brings data security risk. At the application layer, data are logically isolated by various access control means. Virtualization, however, hides the specific objects and details of application-layer data, so data from different business systems are often stored together on the same physical media. Because the equipment responsible for virtual storage management cannot know the concrete security attributes of the data, actual placement is driven mainly by the performance and scalability of the underlying physical media, and the security attributes of business data are ignored. This creates risk for business data of different security levels; for example, highly sensitive data and ordinary data are mixed at the physical device layer. In ordinary application environments this storage mode is acceptable, but in environments with high security requirements, data of different sensitivity and security levels need stronger isolation, even physical isolation, which existing storage virtualization technology cannot provide.
Storage virtualization is now widely used by storage vendors. One implementation uses a dedicated storage gateway to manage all backend storage devices, combining the capacity of all devices into one unified logical virtual storage pool from which capacity (presented as volumes) is allocated to application servers. The growth of cloud computing in particular has kept virtual storage technology in high demand, because cloud computing involves a very large number of storage devices and needs exactly such an integration mechanism to simplify management and improve storage efficiency.
But while storage virtualization is widely used in cloud computing, it also carries potential security risk. With storage virtualization, different business data are logically isolated but may well be stored physically on the same physical device. Data differ in sensitivity: some data are critical and highly sensitive, other data are of ordinary sensitivity. If highly sensitive data become known to a third party, the loss can be very large. Virtual storage technology treats all data alike, regardless of what they are, even storing them on the same physical device; this is very unfavourable for the protection of highly sensitive data and creates a serious hidden danger.
Existing schemes for secure data storage can be summarized as three kinds: application-layer data access control, division of security domains at the network layer, and fragmentation of data using cryptographic techniques. These are described in turn below.
Application-layer data access control is currently the most common security technique in storage systems: access control lists (ACLs) define different access rights for data of different sensitivity levels, achieving logical isolation between data. This category also includes rights management and limiting access to data with keys or certificates. Patents on such implementations are numerous, but because these schemes address the problem at a different level and from a different angle, they are not directly comparable with the present invention and are not enumerated here.
Layer-2 network technologies such as VLANs and network-layer access control (iptables and the like) can divide the network of a storage system into different subnets, so that management traffic and data traffic of the storage system are separated and the data of different business systems travel on different network segments. This is essentially network security technology; applied to the storage network, it can to some extent prevent attacks from external networks and strengthen the security of the storage system.
Data fragmentation technology divides a data block into fragments by some algorithm, keeps them in a distributed storage environment, and recombines them by algorithm on access. Obtaining a single fragment does not reveal the whole block; the aim is to prevent data leakage and to improve security during storage and transmission. For example, patent CN201110034475.9 proposes a security framework for distributed cloud storage and a data access method in which a slicer fragments the stored information, turning the data into fragments that cannot be identified by other, unauthenticated systems; once fragmented, the data have relative confidentiality and security during network transmission and storage.
However, the above schemes differ essentially from the technical idea of the present invention and therefore cannot solve the problem described above. Application-layer access control targets access rights and controls access to data from the application layer. It does not consider the concrete storage form of the data at the actual physical storage location. Even if highly sensitive data are under stricter permission control, that control is applied at the logical layer, above storage virtualization; it cannot isolate data in the physical storage locations below storage virtualization and therefore cannot solve the problem of data of different sensitivity levels being mixed at the bottom layer.
Network-layer security control mainly controls access to each device in the storage network and isolates different network traffic by dividing subnets such as VLANs. It is thus isolation of devices and of data traffic; it cannot really control where data are stored, and it cannot control network access according to the sensitivity level of the data.
Data fragmentation storage is a form of distributed storage applied to the data block itself; it can strengthen data privacy and can also improve storage performance, increase data redundancy and improve data reliability. Fragmentation is therefore not performed according to the security attributes or sensitivity level of the data; its slicing algorithms focus on how fragmentation yields better confidentiality and transmission performance and do not consider concrete storage locations, so it cannot solve the mixed-storage problem either. In fact, fragmentation can increase the probability that data of different business systems are stored together, and with it the risk that data blocks of different sensitivity levels end up on the same device.
From the above analysis, existing data security technology does not solve the security problem of mixed storage of data of different sensitivity levels that the application of virtualization brings. A new technical solution is therefore needed.
Summary of the invention
For the technical problem in the prior art, the present invention proposes a system and method for realizing secure data storage and data access control: a technical scheme combining storage virtualization with access control that divides the data in a storage system into different storage security domains, so that data of different sensitivity levels are both logically isolated and isolated in physical location during storage. This resolves the security risk brought by mixed data storage and meets the needs of application environments with higher security requirements.
The present invention adopts the following technical scheme:
A system for realizing secure data storage and data access control, characterized in that it comprises four parts: an application server that initiates requests, a storage security gateway, a security policy server and a backend storage system;
the application server receives data access requests from the network and initiates data access requests to the backend storage system;
the storage security gateway is responsible for security domain management and for the division, isolation and access control of data security domains; the storage security gateway is a logical function that may be a functional module implemented in software or a gateway device implemented in hardware; the storage security gateway connects directly to the storage virtualization gateway: if it is a software functional module, it is realized as a functional part of the storage virtualization gateway, and if it is a hardware gateway device, it is connected directly to the storage virtualization gateway;
the security policy server stores and manages all data security domain policies, and accepts and answers queries from the storage security gateway;
the backend storage system comprises physical or virtual storage devices, is the main storage location of the data, and is composed mainly of storage network devices, storage controllers and storage media; the storage devices of the backend storage system are concrete physical or virtual storage media, such as actual physical disks.
The application server initiates a data access request carrying security attribute information such as the sensitivity level of the data; the storage security gateway obtains the sensitivity level from the request, determines the security domain corresponding to that sensitivity level, and establishes the security domain index of the data block; the storage security gateway converts the security domain information into a virtual address recognized by the storage virtualization gateway, the virtualization gateway converts it into the corresponding physical address, and the data are finally stored in the security domain at that physical address; if the data access request is a read, the storage security gateway obtains the security level of the current requester and the sensitivity level of the accessed data, queries the security policy server for the security policy corresponding to that requester, and decides whether to allow the access; during data migration or replication, the storage security gateway monitors the source and destination addresses of the data block, and if they conflict with the security domain policy for those addresses it notifies the storage virtualization gateway to stop the migration, while migration and replication between security domains of the same level or within a security domain may proceed.
Specifically, the storage security gateway comprises a device information management module, a security domain management module, a data migration monitoring module, a data sensitivity determination module and a data access control module;
the device information management module manages storage device information and calculates the security attribute value of the physical storage media in the connected backend storage system; it may maintain a list in advance recording all storage device brands and device types with their respective weights and values, as inputs for computing the device security attribute value; first, the module automatically acquires and manages the information of each storage device connected to the backend storage system, uses that information to calculate the security attribute value of each device, and maintains the list of device security attribute values; this security attribute value is the input to the security domain management module and the basis for dividing security domains; the information managed for each storage device includes device brand, storage capacity, storage media type and RAID information;
the security domain management module maintains and manages the mapping table from storage device virtual address space to security domain; first, it obtains the security attribute value of a storage device, calculates from that value the security domain the device belongs to, and creates the mapping table entry from the device's virtual address space to the security domain;
the data migration monitoring module monitors data flows between security domains; when a data flow between security domains violates the security policy, the monitoring module sends a control command to stop the migration; data flows usually occur during data replication and migration, which the storage virtualization gateway performs automatically as part of storage management or on instruction from the application layer; the data migration monitoring module monitors the direction of data flows between security domains according to the data flow security policy and, on finding a flow that does not conform to the policy, notifies the access control module to intervene;
the data sensitivity determination module, on receiving a data request instruction, identifies the sensitivity level of the data block in the instruction; when it recognizes a storage instruction for data of high sensitivity level, it calculates the security domain and virtual address space for the data block from the mapping table of the security domain management module and notifies the storage virtualization gateway to store the data in the corresponding security domain; when it recognizes a data access instruction, it obtains the security level of the access requester and the data access control module processes the request according to the security policy; the sensitivity level of the data block and the security level of the accessing subject can be passed together with the storage instruction to the storage virtualization gateway as part of the data block's security attributes, and handed to the data sensitivity determination module for judgment.
The data access control module realizes security domain separation and access control for data access; security domain separation comprises receiving instructions from the data migration monitoring module, converting them into operation instructions recognized by the storage virtualization gateway, and restricting data migration between security domains; access control comprises limiting, according to the security policy, the access of requesters of different security levels to the data in a security domain; the control mode implemented by the data access control module is defined by the security policy.
Based on the above system for realizing secure data storage and data access control, the invention also provides a method for realizing secure data storage and data access control, comprising three flows: data storage, data access control and data migration control;
The data storage flow comprises the following steps:
1) the storage virtualization gateway receives a data storage request and forwards it to the storage security gateway;
2) the data sensitivity determination module of the storage security gateway obtains the sensitivity level of the data from the request and queries the security domain management module with that sensitivity level;
3) the security domain management module calculates the corresponding security domain and virtual address space and returns them;
4) the data sensitivity determination module returns the virtual address space, and the storage virtualization gateway performs the concrete data storage operation at that virtual address space;
The data access control flow comprises the following steps:
1) the storage virtualization gateway receives a data access request and forwards it to the storage security gateway;
2) after the data access control module of the storage security gateway receives the request, it queries the data sensitivity determination module for the security level of the accessing subject;
3) the data access control module queries the security policy server or the local security policy cache for the security policy corresponding to the request;
4) the data access control module queries the security domain management module for the security domain corresponding to the request;
5) the security domain management module looks up the security domain from the virtual address of the data block in the request and returns it to the data access control module;
6) the data access control module verifies, from the security policy and the security domain of the requested data block, whether the access is legitimate, and generates an access control instruction from the result: either permit or deny;
7) the storage virtualization gateway receives the access control instruction and allows or refuses the access request;
The data migration control flow comprises the following steps:
1) the data migration monitoring module of the storage security gateway monitors in real time the data migration operations performed by the storage virtualization gateway, implemented either by polling or by notification: the migration monitoring module polls the storage virtualization gateway for pending migrations, or the storage virtualization gateway actively notifies the data migration monitoring module;
2) the data migration monitoring module obtains the source and destination virtual addresses of the migration and queries for the corresponding security domains;
3) the security domain management module calculates the corresponding security domains from the virtual addresses and returns the result;
4) the data migration monitoring module queries the security policy server or the local security policy cache for the corresponding security policy;
5) the data migration monitoring module verifies the legitimacy of the migration operation and returns the result to the data access control module;
6) the data access control module generates an access control instruction from the result, permitting or refusing the migration;
7) the storage virtualization gateway performs or refuses the data migration operation.
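As an added illustration (not code from the patent), the following Python model exercises the gateway modules described above and the three flows just listed: the device information management module scores each backend device, the security domain management module maps each device's virtual address range to a security domain, and the store, access and migration checks follow the three flows, including the local security policy cache. The weight tables, thresholds, policy rule, device list and all names are constructed assumptions; the patent specifies none of them.

```python
from dataclasses import dataclass
from enum import IntEnum


class Sensitivity(IntEnum):
    """Data sensitivity levels; each level is backed by its own security domain."""
    PUBLIC = 1
    INTERNAL = 2
    CONFIDENTIAL = 3


# Constructed weight tables for the device information management module: the patent
# names the inputs (brand, capacity, media type, RAID) but gives no weights or thresholds.
BRAND_WEIGHTS = {"vendor-a": 3, "vendor-b": 2, "generic": 1}
MEDIA_WEIGHTS = {"ssd": 2, "hdd": 1}
RAID_WEIGHTS = {"raid1": 2, "raid5": 2, "raid0": 0, "none": 0}


@dataclass(frozen=True)
class StorageDevice:
    dev_id: str
    brand: str
    media: str
    raid: str
    blocks: int  # capacity, in data blocks


def security_attribute_value(dev):
    """Device information management module: weighted security score of one device."""
    return (BRAND_WEIGHTS.get(dev.brand, 0) + MEDIA_WEIGHTS.get(dev.media, 0)
            + RAID_WEIGHTS.get(dev.raid, 0))


def domain_for_value(value):
    """Assumed thresholds mapping a security attribute value to a security domain."""
    if value >= 6:
        return Sensitivity.CONFIDENTIAL
    if value >= 4:
        return Sensitivity.INTERNAL
    return Sensitivity.PUBLIC


class PolicyServer:
    """Security policy server with a constructed policy: a requester may access a
    domain only when its security level is at least the domain's sensitivity."""

    def allows(self, requester_level, domain):
        return requester_level >= domain


class StorageSecurityGateway:
    """Domain mapping plus the three flows of the method: store, access, migrate."""

    def __init__(self, devices, policy):
        self.policy = policy
        self.policy_cache = {}            # local security policy cache
        self.ranges = []                  # (vaddr_lo, vaddr_hi, domain), one per device
        self.free = {d: [] for d in Sensitivity}  # unused virtual addresses per domain
        next_vaddr = 0
        for dev in devices:               # security domain management module
            dom = domain_for_value(security_attribute_value(dev))
            lo, hi = next_vaddr, next_vaddr + dev.blocks
            self.ranges.append((lo, hi, dom))
            self.free[dom].extend(range(lo, hi))
            next_vaddr = hi

    def domain_of(self, vaddr):
        """Security domain that owns a virtual address."""
        for lo, hi, dom in self.ranges:
            if lo <= vaddr < hi:
                return dom
        raise KeyError(f"virtual address {vaddr} is not mapped to any security domain")

    def _policy(self, requester_level, domain):
        """Ask the policy server once per (level, domain) pair, then use the cache."""
        key = (requester_level, domain)
        if key not in self.policy_cache:
            self.policy_cache[key] = self.policy.allows(requester_level, domain)
        return self.policy_cache[key]

    def store(self, sensitivity):
        """Storage flow: allocate only from the domain matching the block's sensitivity.
        Returns a virtual address, or None when that domain is full (no spill-over)."""
        if not self.free[sensitivity]:
            return None
        return self.free[sensitivity].pop(0)

    def access(self, requester_level, vaddr):
        """Access control flow: the block's domain and the policy decide."""
        return self._policy(requester_level, self.domain_of(vaddr))

    def migrate(self, src_vaddr, dst_vaddr):
        """Migration control flow: only moves within a single domain are permitted."""
        return self.domain_of(src_vaddr) == self.domain_of(dst_vaddr)


def build_demo_gateway():
    """Constructed backend of three devices scoring 7, 5 and 2, which land in the
    CONFIDENTIAL, INTERNAL and PUBLIC domains at virtual addresses 0-3, 4-7, 8-11."""
    devices = [
        StorageDevice("disk-1", "vendor-a", "ssd", "raid1", 4),  # 3+2+2 = 7
        StorageDevice("disk-2", "vendor-b", "hdd", "raid5", 4),  # 2+1+2 = 5
        StorageDevice("disk-3", "generic", "hdd", "none", 4),    # 1+1+0 = 2
    ]
    return StorageSecurityGateway(devices, PolicyServer())
```

The point of the model is the failure modes: a store for which the matching domain has no free space returns None rather than falling back to another domain, and a migration whose source and destination resolve to different domains is refused before the virtualization gateway moves anything.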
Compared with the prior art, the present invention has the following advantages:
(1) It provides a data isolation and access control method of higher security strength for storage systems, meeting the data protection needs of industries with high security requirements. Dividing data storage security domains means data are not only logically isolated by traditional access control but also protected by physically isolated secure access control, which solves the security problem of mixed storage of data of different sensitivity levels from different businesses.
(2) It is compatible with mainstream storage systems, supports storage virtualization well, and supports cloud storage or distributed storage in cloud computing. The storage security gateway that divides and isolates storage security domains is a security component attached to the storage virtualization gateway and can be deployed in plug-and-play fashion.
(3) The impact on performance is small: the storage security gateway can be combined with virtualization technology and deployed in the storage virtualization gateway, where it operates at the data block level with little effect on the performance of I/O operations themselves.
(4) The innovative concept of a storage security domain effectively reduces the security risk caused by the unordered physical placement of data, improving the security of data storage while retaining the benefits of storage virtualization.
With the technical scheme of the present invention, data of different sensitivity levels produced by business systems are automatically classified, according to security policy, into different physical storage areas when stored. Each physical storage area is presented logically as a security domain. Data within one security domain have the same or similar sensitivity levels, and data in different security domains have different sensitivity levels. On this basis, access to the data in a security domain can be controlled according to security policy. Further, the method can control data migration or automatic replication between security domains, ensuring that security domains are physically isolated from one another. This technology therefore achieves stronger physical isolation and security protection for sensitive data within a unified virtual storage resource pool.
The present invention introduces the concept of a data security domain: while remaining compatible with existing storage virtualization technology, it classifies stored data on the physical media and, by access control means applied at the storage virtualization layer, ensures stronger isolation between data of different sensitivity levels, solving the above problem.
Brief description of the drawings
Fig. 1 is a schematic diagram of the system structure of the present invention.
Fig. 2 is the logical function structure diagram of the storage security gateway of the present invention.
Fig. 3 is the processing logic diagram of the device information management module of the present invention.
Fig. 4 is a schematic diagram of a typical security domain mapping logic of the present invention.
Fig. 5 is the implementation flowchart of a typical data storage operation of the present invention;
Fig. 6 is the implementation flowchart of a typical data access control operation of the present invention;
Fig. 7 is the implementation flowchart of a typical data migration control operation of the present invention;
The realization of the objects, functional features and advantages of the invention is further described below with reference to the embodiments and the accompanying drawings.
Embodiment
Should be appreciated that specific embodiment described herein only in order to explain the present invention, be not intended to limit the present invention.
The logic function that the present invention mainly increases storage security gateway between the application server of front-end generating data request and back end storage system divides to realize data security territory, isolates and access control.Storage security gateway can collaborative work with Storage Virtualization gateway, utilizes existing Intel Virtualization Technology to realize data and stores according to security domain mode on actual physics medium.When data access request arrives Storage Virtualization gateway, the function of storage security gateway can be called to realize isolation and the access control in data security territory by Storage Virtualization gateway.Because the request of data of all access back end storage systems all through storage security gateway processes, can it is hereby ensured that security control is carried out on the exclusive path of data, can not be bypassed.Further, security control, in the bottom layer realization of data access, can effectively prevent upper layer application layer for the attack means of data.
With reference to Fig. 1, the system realizing data security storage and data access control provided by the present invention, comprises the application server that four logical blocks are respectively the request of initiation, storage security gateway, Security Policy Server and back end storage system.,
Wherein, data access request initiated by application server, and the security attribute information such as the sensitivity level of data are carried in request, and storage security gateway obtains the sensitivity level information in request, judges the security domain that this sensitivity level is corresponding, and sets up the security domain index of data block.Security domain information is converted to the virtual address of Storage Virtualization gateway identification by storage security gateway, then is converted to corresponding physical address by Storage Virtualization gateway, and final data will be stored in security domain corresponding on physical address.Data access request is if read data, then storage security gateway obtains the safe class of current access request side and the sensitivity level of accessed data, and query safe strategic server, obtain the security strategy that this access request side is corresponding, judge whether to allow access.In Data Migration or reproduction process, the migration source address of storage security gateway monitors data block and destination address, if with the security domain strategy corresponding to address is disagreed (data of such as different security domain can not mutually move or copy), then can notify Storage Virtualization gateway stop migration occur, and between the security domain of same levels or security domain inside carry out moving and copying.
1) Application server: a general business processing server that mainly receives data access requests from the network and initiates data access requests to the back-end storage system.
2) Storage security gateway: responsible for security domain management, division of data security domains, isolation and access control. The storage security gateway is a logical function; it may be a functional module implemented in software or a gateway device implemented in hardware. It is directly connected to the storage virtualization gateway: if the storage security gateway is a software module, it can be implemented as a functional component of the storage virtualization gateway; if it is a hardware gateway device, it is connected directly to the storage virtualization gateway.
3) Security policy server: stores and manages all data security domain policies, and accepts and answers queries from the storage security gateway. In a concrete implementation the security policy server acts as an independent security management center, and it is recommended to run it on a separate server. In a practical environment this function can also be implemented as a functional module of the storage security gateway.
4) Back-end storage system: comprises physical or virtual storage devices and is the main storage location of the data. It consists mainly of storage network devices, storage controllers and storage media, for example a SAN or NAS. The storage devices of the back-end storage system are concrete physical or virtual storage media, such as actual physical disks.
The storage security gateway is the core functional component of the system. Its logical structure is shown in Fig. 2, and each of its modules is described in detail below with reference to Fig. 2. The storage security gateway comprises a device information management module, a security domain management module, a data migration monitoring module, a data sensitivity determination module and a data access control module.
1) Device information management module
This module manages storage device information and calculates the security attribute value (note: the security attribute value is an integrated value that weighs the reliability, performance, safety and other aspects of each physical storage medium in the connected back-end storage system). The module can maintain a list in advance that records all storage device brands, device types and their respective weights and values, as the input for computing the device security attribute value. First, the module automatically collects and manages the information of each storage device connected to the back-end storage system, uses this information to calculate the security attribute value of each device, and at the same time maintains and manages the list of storage device security attribute values. The security attribute value serves as the input to the security domain management module and as the basis for dividing security domains (establishing the mapping between security domains and storage media). The information managed for each storage device includes, but is not limited to: device brand, storage capacity, storage medium type and RAID information. The predefined list of weights used to score each item of the storage medium security attribute value is outside the design scope of the invention; weights and values can be assigned according to the practical application scenario and any particular requirements on the storage devices. If an automatically identified storage device is not in the preconfigured list, a default value can be set, and the list is updated through the device information configuration interface after manual identification. Fig. 3 shows the processing logic of this module.
2) Security domain management module
This module maintains and manages the mapping table from storage device virtual address space to security domain. First, the security domain management module obtains the security attribute value of a storage device, calculates from that value the security domain the device belongs to, and creates a mapping table entry from the device's virtual address space to that security domain. To support scalability, the virtual address space of a storage device may change during use while its security attribute stays constant, so the virtual address mapping record of a security domain can be updated continuously. Fig. 4 shows a typical security domain mapping logic.
In a typical implementation of the mapping table, the storage device list has a one-to-one relationship with security attribute values, each storage device has a virtual address space (allocated by the unified management of the storage virtualization gateway), and there is a correspondence between security attribute values and security domains that can be one-to-one or many-to-one, i.e. several security attribute values, or a range of attribute values, correspond to one security domain. The mapping table relates the virtual address space of a storage device to a security domain and thereby brings that storage device into the scope of security domain management. A data security domain is a logical region that corresponds concretely to the virtual address spaces of different physical storage media. Virtual address space is managed uniformly by the storage virtualization gateway; the data security domain management module of the invention is only responsible for mapping data security domains onto the virtual address space identified by the virtualization gateway, not for translating physical addresses to virtual addresses.
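As an added illustration in Python (not code from the patent), the device-to-domain mapping the two modules above describe: a constructed weight list yields a security attribute value per device, attribute value ranges map many-to-one onto security domains, an unlisted device falls back to a default weight, and a device's virtual address range can be updated while its attribute value and domain stay constant. Brand, medium and RAID weights, domain names and ranges are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed weight list for the device information management module; the patent
# leaves the actual weights to the deployment, so these values are placeholders.
BRAND_WEIGHTS = {"BrandA": 30, "BrandB": 20}
MEDIA_WEIGHTS = {"ssd": 25, "hdd": 15}
RAID_WEIGHTS = {"raid6": 30, "raid10": 25, "raid5": 20, "raid0": 0, "none": 0}
DEFAULT_WEIGHT = 5            # used when a device attribute is not in the preconfigured list
CAPACITY_BONUS_PER_TB = 1     # small contribution of capacity, capped below

# Many-to-one mapping: a range of attribute values corresponds to one security domain.
# Domain names are constructed; a higher number means a higher security domain.
DOMAIN_RANGES: List[Tuple[int, int, str]] = [
    (0, 39, "domain1"),
    (40, 69, "domain2"),
    (70, 200, "domain3"),
]


@dataclass
class StorageDevice:
    dev_id: str
    brand: str
    media: str
    raid: str
    capacity_tb: int
    va_start: int        # virtual address space allocated by the storage virtualization gateway
    va_len: int


def security_attribute_value(dev: StorageDevice) -> int:
    """Device information management module: integrated value from the weight list."""
    value = BRAND_WEIGHTS.get(dev.brand, DEFAULT_WEIGHT)
    value += MEDIA_WEIGHTS.get(dev.media, DEFAULT_WEIGHT)
    value += RAID_WEIGHTS.get(dev.raid, DEFAULT_WEIGHT)
    value += min(dev.capacity_tb * CAPACITY_BONUS_PER_TB, 10)
    return value


def domain_for_value(value: int) -> str:
    """Many-to-one lookup of the security domain covering an attribute value."""
    for lo, hi, dom in DOMAIN_RANGES:
        if lo <= value <= hi:
            return dom
    raise ValueError(f"no security domain covers attribute value {value}")


class SecurityDomainManager:
    """Security domain management module: virtual address space -> security domain table."""

    def __init__(self) -> None:
        self.attr_values: Dict[str, int] = {}               # device id -> attribute value
        self.mapping: Dict[str, Tuple[int, int, str]] = {}  # device id -> (va_lo, va_hi, domain)

    def register(self, dev: StorageDevice) -> str:
        """Compute the device's attribute value, assign its domain and record its VA range."""
        value = security_attribute_value(dev)
        dom = domain_for_value(value)
        self.attr_values[dev.dev_id] = value
        self.mapping[dev.dev_id] = (dev.va_start, dev.va_start + dev.va_len - 1, dom)
        return dom

    def relocate(self, dev_id: str, va_start: int, va_len: int) -> None:
        """The virtualization gateway moved the device's VA space; its domain is unchanged."""
        _, _, dom = self.mapping[dev_id]
        self.mapping[dev_id] = (va_start, va_start + va_len - 1, dom)

    def domain_of_va(self, va: int) -> Optional[str]:
        """Which security domain holds a given virtual address (None if unmanaged)."""
        for lo, hi, dom in self.mapping.values():
            if lo <= va <= hi:
                return dom
        return None

    def va_space_for_domain(self, dom: str) -> List[Tuple[int, int]]:
        """All virtual address ranges currently belonging to a security domain."""
        return [(lo, hi) for lo, hi, d in self.mapping.values() if d == dom]


if __name__ == "__main__":
    mgr = SecurityDomainManager()
    for dev in (StorageDevice("dev1", "BrandA", "ssd", "raid6", 4, 0, 1000),
                StorageDevice("dev3", "OtherBrand", "hdd", "none", 2, 2000, 1000)):
        print(dev.dev_id, security_attribute_value(dev), mgr.register(dev))
```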
3) Data migration monitoring module
The data migration monitoring module monitors data flows between security domains; when a data flow between security domains violates the security policy, the module sends a control command to stop the data migration. Data flows usually occur during copying and migration of data, which is performed either automatically by the storage virtualization gateway as part of its storage management functions or on instruction from the application layer. The data migration monitoring module monitors the direction of data flows between security domains according to the data flow security policy and, when it finds a data flow that does not comply with the policy, notifies the data access control module to take control.
4) Data sensitivity determination module
On receiving a data request instruction, the data sensitivity determination module identifies the sensitivity level of the data block in the instruction. When it recognizes a data storage instruction for a data block of high sensitivity level, it calculates the security domain and virtual address space corresponding to the data block from the mapping table of the security domain management module, and notifies the storage virtualization gateway to store the data in the corresponding security domain. When it recognizes a data access instruction, it obtains the security level of the requesting subject, and the access control module processes the access request according to the security policy. The sensitivity level of the data block and the security level of the accessing subject can be transferred to the storage virtualization gateway together with the storage instruction, as part of the security attributes of the data block, and handed to this module for judgement. The security attributes of the data block can also be transferred to the gateway by other means for processing.
5) Data access control module
The data access control module implements security domain isolation and access control for data access. Security isolation of data includes receiving instructions from the data migration monitoring module and converting them into operation instructions recognized by the storage virtualization gateway, so as to restrict data migration between security domains. Access control means limiting, according to the security policy, the access of requesters of different security levels to the data in each security domain. The control mode implemented by the data access control module is defined by the security policy; the access control mode and the security policy of the invention are determined by the security requirements of the specific application environment. For example, in an environment with high security requirements where mandatory access control is needed, the security policy implements a mandatory access control strategy, and the data access control module prevents a requesting subject with a lower security level from accessing data in a security domain whose security level is higher than its own.
The method provided by the invention for secure data storage and data access control is described in detail below. The method comprises three implementation flows: data storage, data access control and data migration control.
Data storage: after the storage security gateway receives a data storage request, it determines the sensitivity level of the data, calculates the corresponding security domain and virtual address space from the sensitivity level, and the storage virtualization gateway device then performs the concrete data storage operation at that virtual address.
Data access control: after the storage security gateway receives a data access request, the data access control module queries the security level of the requester, the security policy and the security domain corresponding to the target data block, and verifies according to the security policy whether the requester has authority to access that security domain. The result of the verification is returned to the storage virtualization gateway device, which performs the concrete access operation if the request is allowed.
Data migration control: the storage security gateway monitors the data migration operations performed by the storage virtualization gateway device. When it finds a migration operation, it intercepts it and queries the security domains corresponding to the virtual addresses of the migration's source and destination. If both are in the same security domain it returns directly; if they are in different security domains it queries whether the security policy allows the migration. If the migration is allowed, it notifies the storage virtualization gateway to perform it; otherwise it notifies the storage virtualization gateway to refuse it.
The concrete steps of the three flows are described in detail with reference to Figs. 5, 6 and 7.
A typical data storage flow is shown in Fig. 5:
The steps are as follows:
1. The storage virtualization gateway receives a data storage request and forwards it to the storage security gateway.
2. The data sensitivity determination module of the storage security gateway obtains the data sensitivity level from the request and queries the security domain management module with that sensitivity level.
3. The security domain management module calculates the corresponding security domain and virtual address space and returns them.
4. The data sensitivity determination module returns the virtual address space, and the storage virtualization gateway performs the concrete data storage operation in that virtual address space.
A typical data access control flow is shown in Fig. 6:
The steps are as follows:
1. The storage virtualization gateway receives a data access request and forwards it to the storage security gateway.
2. After the data access control module of the storage security gateway receives the request, it queries the data sensitivity determination module to obtain the security level of the accessing subject.
3. The data access control module queries the security policy server (or the local security policy cache) to obtain the security policy corresponding to this access request.
4. The data access control module queries the security domain management module to obtain the security domain corresponding to this access request (the security domain in which the accessed data block resides).
5. The security domain management module looks up the corresponding security domain from the virtual address of the data block in the access request and returns it to the data access control module.
6. The data access control module verifies, according to the security policy and the security domain of the requested data block, whether the access is legitimate. It generates an access control instruction from the result and returns one of two instructions: allow or deny.
7. The storage virtualization gateway receives the access control instruction and allows or denies the access request.
A typical data migration control flow is shown in Fig. 7:
The steps are as follows:
1. The data migration monitoring module of the storage security gateway monitors in real time the data migration operations performed by the storage virtualization gateway. A concrete implementation can use polling or notification: either the data migration monitoring module polls the storage virtualization gateway for whether a data migration is taking place, or the storage virtualization gateway proactively notifies the data migration monitoring module.
2. The data migration monitoring module obtains the source and destination virtual addresses of the migration and queries the corresponding security domains.
3. The security domain management module calculates the corresponding security domains from the virtual addresses and returns the result.
4. The data migration monitoring module queries the security policy server or the local security policy cache to obtain the corresponding security policy.
5. The data migration monitoring module verifies the legitimacy of the migration operation and returns the result to the data access control module.
6. The data access control module generates an access control instruction from the result, allowing or denying the migration.
7. The storage virtualization gateway performs or refuses the data migration operation.
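The three flows above as an added Python example, not code from the patent: a constructed virtual-address-to-domain table stands in for the security domain management module, a small policy object stands in for the security policy server, and the gateway answers storage requests (sensitivity level chooses the domain), access requests (mandatory access control: a subject may not access a domain above its own level) and intercepted migrations (same domain passes directly, different domains consult the policy). Domain names, address ranges, the level scale and the migration allow-list are all constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed mapping table, standing in for the security domain management module:
# security domain -> virtual address ranges allocated by the storage virtualization gateway.
DOMAIN_VA_SPACE: Dict[str, List[Tuple[int, int]]] = {
    "public":   [(0, 999)],
    "internal": [(1000, 1999)],
    "secret":   [(2000, 2999), (5000, 5999)],
}
# Data sensitivity levels and subject security levels share one ordered scale (constructed);
# here each sensitivity level maps one-to-one onto the security domain of the same name.
LEVEL: Dict[str, int] = {"public": 1, "internal": 2, "secret": 3}


def domain_of_va(va: int) -> Optional[str]:
    """Security domain management module lookup: which domain holds this virtual address."""
    for dom, ranges in DOMAIN_VA_SPACE.items():
        for lo, hi in ranges:
            if lo <= va <= hi:
                return dom
    return None


@dataclass
class PolicyServer:
    """Stand-in for the security policy server (constructed): a mandatory access control
    rule for access requests plus an explicit allow-list of cross-domain migrations."""
    migration_allowed: List[Tuple[str, str]]

    def access_allowed(self, subject_level: int, domain: str) -> bool:
        # A subject may not access a domain whose level is higher than its own.
        return subject_level >= LEVEL[domain]

    def migration_allowed_between(self, src: str, dst: str) -> bool:
        return (src, dst) in self.migration_allowed


class StorageSecurityGateway:
    """Answers the three kinds of request forwarded by the storage virtualization gateway."""

    def __init__(self, policy: PolicyServer) -> None:
        self.policy = policy
        # Simple bump allocator per domain (constructed; in the patent the virtualization
        # gateway owns allocation, the security gateway only selects the domain).
        self.next_free: Dict[str, int] = {d: r[0][0] for d, r in DOMAIN_VA_SPACE.items()}

    # Flow 1 (Fig. 5): data storage request carrying the block's sensitivity level.
    def store(self, sensitivity: str, size: int) -> Tuple[str, int]:
        """Return the security domain and virtual address the data block is written to."""
        domain = sensitivity
        va = self.next_free[domain]
        for lo, hi in DOMAIN_VA_SPACE[domain]:
            if va < lo:
                va = lo                     # previous range exhausted, move to the next one
            if va + size - 1 <= hi:
                self.next_free[domain] = va + size
                return domain, va
        raise RuntimeError(f"no free virtual address space in domain {domain}")

    # Flow 2 (Fig. 6): data access request from a subject with a given security level.
    def access(self, subject_level: int, va: int) -> str:
        """Return the access control instruction ('allow' or 'deny') for the gateway."""
        domain = domain_of_va(va)
        if domain is None:
            return "deny"                   # address outside every managed security domain
        return "allow" if self.policy.access_allowed(subject_level, domain) else "deny"

    # Flow 3 (Fig. 7): intercepted migration or copy between two virtual addresses.
    def migrate(self, src_va: int, dst_va: int) -> str:
        """Return 'allow' or 'deny' for a data migration operation."""
        src, dst = domain_of_va(src_va), domain_of_va(dst_va)
        if src is None or dst is None:
            return "deny"
        if src == dst:
            return "allow"                  # same security domain: returned directly
        return "allow" if self.policy.migration_allowed_between(src, dst) else "deny"


if __name__ == "__main__":
    gw = StorageSecurityGateway(PolicyServer(migration_allowed=[("public", "internal")]))
    print(gw.store("secret", 100))                  # ('secret', 2000)
    print(gw.access(1, 2050), gw.access(3, 2050))   # deny allow
    print(gw.migrate(2050, 1500))                   # deny
```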
The above is only a preferred embodiment of the invention; the scope of protection of the invention is not limited to the embodiment described above, and all technical solutions falling under the idea of the invention belong to its scope of protection. It should be pointed out that, for those skilled in the art, improvements and modifications that do not depart from the principles of the invention should also be regarded as within the scope of protection of the invention.

Claims (3)

1. A system for secure data storage and data access control, characterized in that it comprises four parts: an application server that initiates requests, a storage security gateway, a security policy server and a back-end storage system;
the application server is responsible for receiving data access requests from the network and initiating data access requests to the back-end storage system;
the storage security gateway is responsible for security domain management, division of data security domains, isolation and access control; the storage security gateway is a logical function, being either a functional module implemented in software or a gateway device implemented in hardware; the storage security gateway is directly connected with the storage virtualization gateway: if the storage security gateway is a functional module implemented in software, it is implemented as a functional component of the storage virtualization gateway; if the storage security gateway is a gateway device implemented in hardware, it is connected directly to the storage virtualization gateway;
the security policy server is used to store and manage all data security domain policies, and to accept and answer queries from the storage security gateway;
the back-end storage system comprises physical or virtual storage devices, is the main storage location of the data, and consists mainly of storage network devices, storage controllers and storage media;
wherein the application server initiates the data access request, and the request carries security attribute information such as the sensitivity level of the data; the storage security gateway obtains the sensitivity level from the request, determines the security domain corresponding to that sensitivity level, and builds a security domain index for the data block; the storage security gateway converts the security domain information into a virtual address recognized by the storage virtualization gateway, which in turn converts it into the corresponding physical address, so that the data is finally stored in the security domain corresponding to that physical address; if the data access request is a read, the storage security gateway obtains the security level of the current requester and the sensitivity level of the accessed data, queries the security policy server for the security policy corresponding to this requester, and decides whether to allow the access; during data migration or replication, the storage security gateway monitors the source and destination addresses of the data block and, if they conflict with the security domain policy for those addresses, notifies the storage virtualization gateway to stop the migration; moving and copying are carried out between security domains of the same level or inside one security domain.
2. The system for data isolation and data access control according to claim 1, characterized in that the storage security gateway comprises a device information management module, a security domain management module, a data migration monitoring module, a data sensitivity determination module and a data access control module;
the device information management module manages storage device information and calculates the security attribute value of each physical storage medium in the connected back-end storage system; the device information management module can maintain a list in advance that records all storage device brands, device types and their respective weights and values, as the input for computing the device security attribute value; first, the device information management module automatically collects and manages the information of each storage device connected to the back-end storage system, uses this information to calculate the security attribute value of each device, and at the same time maintains and manages the list of storage device security attribute values; the security attribute value serves as the input to the security domain management module and as the basis for dividing security domains; the information managed for each storage device comprises device brand, storage capacity, storage medium type and RAID information;
the security domain management module maintains and manages the mapping table from storage device virtual address space to security domain; first, the security domain management module obtains the security attribute value of a storage device, calculates from that value the security domain the device belongs to, and creates a mapping table entry from the device's virtual address space to that security domain;
the data migration monitoring module monitors data flows between security domains and, when a data flow between security domains violates the security policy, sends a control command to stop the data migration; data flows usually occur during copying and migration of data, performed either automatically by the storage virtualization gateway as part of its storage management functions or on instruction from the application layer; the data migration monitoring module monitors the direction of data flows between security domains according to the data flow security policy and, when it finds a data flow that does not comply with the policy, notifies the access control module to take control;
the data sensitivity determination module, on receiving a data request instruction, identifies the sensitivity level of the data block in the instruction; when it recognizes a data storage instruction for a data block of high sensitivity level, it calculates, from the mapping table of the security domain management module, the security domain and virtual address space corresponding to the data block, and notifies the storage virtualization gateway to store the data in the corresponding security domain; when it recognizes a data access instruction, it obtains the security level of the requesting subject, and the data access control module processes the access request according to the security policy; the sensitivity level of the data block and the security level of the accessing subject can be transferred to the storage virtualization gateway together with the storage instruction, as part of the security attributes of the data block, and handed to the data sensitivity determination module for judgement;
the data access control module implements security domain isolation and access control for data access; security domain isolation of data includes receiving instructions from the data migration monitoring module and converting them into operation instructions recognized by the storage virtualization gateway, so as to restrict data migration between security domains; access control means limiting, according to the security policy, the access of requesters of different security levels to the data in each security domain; the control mode implemented by the data access control module is defined by the security policy.
3. A method for secure data storage and data access control, characterized in that the method comprises three flows: data storage, data access control and data migration control;
wherein the data storage flow comprises the following steps:
1) the storage virtualization gateway receives a data storage request and forwards it to the storage security gateway;
2) the data sensitivity determination module of the storage security gateway obtains the data sensitivity level from the request and queries the security domain management module with that sensitivity level;
3) the security domain management module calculates the corresponding security domain and virtual address space and returns them;
4) the data sensitivity determination module returns the virtual address space, and the storage virtualization gateway performs the concrete data storage operation in that virtual address space;
the data access control flow comprises the following steps:
1) the storage virtualization gateway receives a data access request and forwards it to the storage security gateway;
2) after the data access control module of the storage security gateway receives the request, it queries the data sensitivity determination module to obtain the security level of the accessing subject;
3) the data access control module queries the security policy server or the local security policy cache to obtain the security policy corresponding to this access request;
4) the data access control module queries the security domain management module to obtain the security domain corresponding to this access request;
5) the security domain management module looks up the corresponding security domain from the virtual address of the data block in the access request and returns it to the data access control module;
6) the data access control module verifies, according to the security policy and the security domain of the requested data block, whether the access is legitimate; it generates an access control instruction from the result and returns one of two instructions, allow or deny;
7) the storage virtualization gateway receives the access control instruction and allows or denies the access request;
the data migration control flow comprises the following steps:
1) the data migration monitoring module of the storage security gateway monitors in real time the data migration operations performed by the storage virtualization gateway; the concrete implementation uses polling or notification: either the data migration monitoring module polls the storage virtualization gateway for whether a data migration is taking place, or the storage virtualization gateway proactively notifies the data migration monitoring module;
2) the data migration monitoring module obtains the source and destination virtual addresses of the migration and queries the corresponding security domains;
3) the security domain management module calculates the corresponding security domains from the virtual addresses and returns the result;
4) the data migration monitoring module queries the security policy server or the local security policy cache to obtain the corresponding security policy;
5) the data migration monitoring module verifies the legitimacy of the migration operation and returns the result to the data access control module;
6) the data access control module generates an access control instruction from the result, allowing or denying the migration;
7) the storage virtualization gateway performs or refuses the data migration operation.
Application CN201410163708.9A, priority date 2014-04-22, filing date 2014-04-22: A kind of system and method for realizing data safety storage and data access control (status: Active; granted as CN104660578B)


Publications (2)

Publication Number Publication Date
CN104660578A (en) 2015-05-27
CN104660578B (en) 2017-12-19

Family

ID=53251282


CN102947797B (en) The online service using directory feature extending transversely accesses and controls
CN114514507B (en) System and method for supporting quota policy language in cloud infrastructure environment
CN103139159B (en) Secure communication between virtual machine in cloud computing framework
WO2020019839A1 (en) Method for creating enterprise cloud and management platform
US20220058039A1 (en) Secure digital workspace using machine learning and microsegmentation
CN103379089B (en) Access control method and system thereof based on security domain separation
CN109219949B (en) Method and apparatus for configuring security domains in a network function virtualization infrastructure
US20210067423A1 (en) System and method for service limit increase for a multi-tenant cloud infrastructure environment
US20080034438A1 (en) Multiple hierarchy access control method
CN101739282B (en) Method, device and system for managing virtual machine
CN104301301B (en) A kind of Data Migration encryption method based between cloud storage system
CN103338194B (en) A kind of based on credit worthiness assessment across security domain access control system and method
CN109413080B (en) Cross-domain dynamic authority control method and system
CN106445399A (en) Control method of storage system, and storage system
US20230353505A1 (en) System and method for tag based resource limits or quotas in a cloud infrastructure environment
CN107135223A (en) The data persistence method of Mass Data Management system
CN111083088B (en) Cloud platform hierarchical management method and device based on multiple security domains
CN104866774B (en) The method and system of account rights management
CN104363229A (en) Data center and access method thereof
KR100673329B1 (en) User Role / Permission Setting System using Certificate in Grid Environment and Its Method
CN114884653A (en) Multi-tenant oriented cross-tenant access method, system, device and medium
US20120185581A1 (en) Domain based isolation of network ports
CN109684868A (en) The authority setting method of ACL multi-tenant system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant