CN104660578B - System and method for secure data storage and data access control - Google Patents

System and method for secure data storage and data access control

Info

Publication number
CN104660578B
Application number
CN201410163708.9A
Authority
CN (China)
Prior art keywords
data, security, storage, gateway, module
Legal status
Expired - Fee Related
Other languages
Chinese (zh)
Other versions
CN104660578A (en)
Inventors
董唯元
陈幼雷
郭伟
Current Assignee
Individual
Original Assignee
Individual
Priority date
Filing date
Publication date
Events
Application filed by Individual
Priority to CN201410163708.9A
Publication of CN104660578A
Application granted
Publication of CN104660578B
Legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • H04L63/104 Network architectures or protocols for network security; controlling access to devices or network resources; grouping of entities
    • H04L63/0218 Network architectures or protocols for network security; separating internal from external traffic (e.g. firewalls); architectural arrangements such as perimeter networks or demilitarized zones; distributed architectures, e.g. distributed firewalls
    • H04L63/0272 Network architectures or protocols for network security; separating internal from external traffic; virtual private networks
    • H04L63/162 Network architectures or protocols for network security; implementing security features at a particular protocol layer, here the data link layer
    • H04L67/1097 Network arrangements or protocols for supporting network services or applications; protocols in which an application is distributed across nodes in the network, for distributed storage of data in networks, e.g. transport arrangements for network file systems (NFS), storage area networks (SAN) or network attached storage (NAS)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention discloses a system and method for secure data storage and data access control. The system comprises an application server, a storage security gateway, a security policy server and a back-end storage system. The storage security gateway is added between the application server and the back-end storage system to divide data into security domains, isolate the domains and enforce access control. The storage security gateway cooperates with the storage virtualization gateway so that, using virtualization technology, data is placed on the actual physical media according to its security domain. When a data access request reaches the storage virtualization gateway, the virtualization gateway calls the storage security gateway to enforce security domain isolation and access control. Because every data request to the back-end storage system is processed by the storage security gateway, security control is enforced on the only path to the data and cannot be bypassed; and because it is enforced at the lowest layer of data access, it effectively defeats attacks on the data mounted from the application layer above.

Description

System and method for secure data storage and data access control
Technical field
The present invention relates to the field of storage security in information technology, and in particular to a system and method for ensuring that critical data is stored securely and that access to it is controlled.
Background art
With the development of cloud computing and the wide use of virtualization in storage systems, the physical storage media of a storage system are pooled and offered as a unified resource. Virtualization hides the details of the underlying storage: the physical location of data is decoupled from its logical location, users can obtain virtual storage space larger than the actual capacity, and users only need to care about how the data is presented at the application layer, not about how the underlying storage is organised. At the same time, however, virtualization brings a data security risk. At the application layer, data is logically isolated by a variety of access control mechanisms. But virtualization hides the identity and details of application-layer data, so data belonging to different business systems is frequently stored together on the same physical media. The equipment responsible for virtual storage management cannot know the security attributes of the data, so when placing data it considers mainly the performance and scalability of the underlying physical media and ignores the security attributes of the business data. This creates a risk for business data of different security levels: highly sensitive data and ordinary data are mixed together on the same physical devices. In an ordinary application environment this placement is acceptable, but in an environment with high security requirements data of different sensitivity and security levels must be isolated more strongly, even physically isolated, and existing storage virtualization technology cannot meet that requirement.
Storage virtualization is now widely used by storage vendors. One implementation uses a dedicated storage gateway to manage all back-end storage devices: the capacity of all devices is combined into one unified logical virtual storage pool, from which capacity is carved out (typically in the form of volumes) and presented to application servers. The growth of cloud computing in particular has kept virtual storage technology in demand, because cloud computing involves very large numbers of storage devices and needs exactly such an integration mechanism to simplify management and improve storage efficiency.
However, the wide use of storage virtualization in cloud computing also creates a potential security risk. Through storage virtualization, different business data is logically isolated but may well be stored on the same physical device. Data differ in sensitivity: some data is critical and highly sensitive, other data is ordinary. If highly sensitive data becomes known to a third party, the loss can be very large. Virtual storage treats all data alike without distinguishing it, even storing it on the same physical device, which is very unfavourable for the protection of highly sensitive data and creates a serious hidden danger.
Existing approaches to secure data storage can be summarized as three kinds of schemes: first, application-layer data access control; second, dividing security domains at the network layer; third, fragmenting data using cryptographic techniques. These are described in turn below.
Application-layer data access control is currently the most common security technique in storage systems. Access control lists (ACLs) define different access rights for data of different sensitivity levels to achieve logical isolation between data. This class of technique also includes rights management and restricting access to data with keys or certificates. Many patents relate to this class of implementation, but because these schemes address the problem at a different level and from a different angle they are not directly comparable with the present invention and are not enumerated here.
Access control techniques at layer 2 (e.g. VLANs) and at the network layer (e.g. iptables) can divide the network of the storage system into different subnets, separating the management traffic of the storage system from the data traffic and carrying different business data in different network segments. This is essentially network security technology; applied to a storage network it can to some extent prevent attacks from external networks and strengthen the security of the storage system.
Data fragmentation divides a data block into fragments by some algorithm and stores them in a distributed storage environment, recombining them by the algorithm on access. An individual fragment does not reveal the content of the whole block; the purpose is to prevent data leakage and improve the security of data in storage and in transit. For example, patent application CN201110034475.9 proposes a distributed cloud-storage security architecture and data access method in which a fragmentation unit splits the stored information into fragments that cannot be identified by other non-authenticated systems, so that the fragments have relative confidentiality and security in network transmission and storage.
However, the above technical solutions differ fundamentally from the approach of the present invention and cannot solve the problem described above. Application-layer access control governs access to data from the application layer by means of access rights. Such schemes do not consider the specific storage format or location of the data on the physical storage. Even if highly sensitive data is placed under stricter permission control, that control is applied only at the logical layer, above the storage virtualization, and cannot isolate the data at the physical storage locations beneath the virtualization. It therefore cannot solve the problem of data of different sensitivity levels being mixed at the bottom layer.
Network-layer security control mainly controls access to each device in the storage network and isolates different network traffic by dividing subnets, e.g. VLANs. It is therefore an isolation of devices and data traffic, and cannot actually control where data is stored. Such techniques cannot control access on the network according to the sensitivity level of the data.
Data fragmentation is a distributed-storage treatment of the data block itself; it can be used to strengthen data privacy protection, to improve storage performance, to add redundancy and improve reliability, and so on. Fragmentation is therefore not performed according to the security attributes or sensitivity level of the data: the fragmentation algorithm is concerned with how fragmenting the data yields better confidentiality and transmission performance, and does not consider the specific storage location, so it cannot solve the mixed-storage problem either. In fact, fragmentation can increase the probability that data of different business systems is stored together, and thus increase the risk that data blocks of different sensitivity levels end up on the same media.
From the above analysis, existing data security techniques do not solve the security problem of mixed storage of data of different sensitivity levels brought about by the use of virtualization. A new technical solution is therefore needed.
Summary of the invention
To address the technical problems of the prior art, the present invention proposes a system and method for secure data storage and data access control: a security scheme that combines storage virtualization with access control. By dividing the data in the storage system into different storage security domains, data of different sensitivity levels is logically isolated when stored and can also be isolated by physical location. This removes the security risk of mixed storage and meets the needs of application environments with higher security requirements.
The present invention adopts the following technical solutions:
A system for secure data storage and data access control, characterised in that it comprises four parts: an application server that initiates requests, a storage security gateway, a security policy server and a back-end storage system;
The application server receives data access requests arriving from the network and initiates data access requests to the back-end storage system;
The storage security gateway implements security domain management, division of data into security domains, isolation and access control. The storage security gateway is a logical function; it may be a functional module implemented in software or a gateway device implemented in hardware. The storage security gateway is directly connected to the storage virtualization gateway: if it is a software module it is implemented as a functional part of the storage virtualization gateway; if it is a hardware gateway device it is directly connected to the storage virtualization gateway;
The security policy server stores and manages all data security domain policies and receives and answers queries from the storage security gateway;
The back-end storage system comprises physical or virtual storage devices; it is the main storage location of the data and consists mainly of storage network equipment, storage controllers and storage media. The back-end storage system contains storage devices, where a storage device means a specific physical or virtual storage medium, such as an actual physical disk.
The application server initiates a data access request carrying security attribute information such as the sensitivity level of the data. The storage security gateway obtains the sensitivity level from the request, determines the security domain corresponding to that sensitivity level, and creates the security domain index of the data block. The storage security gateway converts the security domain information into a virtual address recognised by the storage virtualization gateway, the virtualization gateway converts this into the corresponding physical address, and the data is finally stored at a physical address within the corresponding security domain. If the data access request is a read, the storage security gateway obtains the security level of the current requester and the sensitivity level of the requested data, queries the security policy server for the policy that applies to the requester, and decides whether to permit access. During data migration or replication, the storage security gateway monitors the source and destination addresses of the data block; if the security domain policies of the two addresses conflict, it notifies the storage virtualization gateway to stop the migration, so that migration and replication take place only between security domains of the same level or inside a security domain.
Specifically, the storage security gateway comprises a device information management module, a security domain management module, a data migration monitoring module, a data sensitivity determination module and a data access control module;
The device information management module stores device information and computes the security attribute value of the physical storage media in the attached back-end storage system. The module may maintain a pre-defined list recording all storage device brands and device types together with their weights and values, used as the inputs for computing a device's security attribute value. The module automatically obtains and manages the information of every storage device attached to the back-end storage system, uses that information to compute the security attribute value of each device, and maintains the list of device security attribute values. The security attribute value is the input of the security domain management module and the basis for dividing security domains. The information managed for each storage device includes the device brand, storage capacity, storage media type and RAID information;
The security domain management module maintains and manages the mapping table from the virtual address space of storage devices to security domains. The module first obtains the security attribute value of a storage device, computes the security domain the device belongs to from that value, and creates the mapping table entry from the device's virtual address space to the security domain;
The data migration monitoring module monitors data flows between security domains; when a data flow between security domains violates the security policy the module issues a control command to stop the migration. Data flows generally occur during data replication or migration, performed automatically by the storage virtualization gateway as part of storage management or triggered by an instruction from the application layer. The module monitors the direction of data flow according to the data-flow security policy between security domains, and when it detects a flow that does not comply with the policy it notifies the data access control module to take control action;
The data sensitivity determination module identifies the sensitivity level of the data block in a data request instruction when the instruction is received. When it identifies a store instruction for highly sensitive data, it computes the security domain and virtual address space for the data block from the mapping table of the security domain management module and notifies the storage virtualization gateway to store the data in the corresponding security domain. When it identifies a data access instruction, it obtains the security level of the requesting subject, and the data access control module handles the request according to the security policy. The sensitivity level of the data block and the security level of the accessing subject can be passed to the storage virtualization gateway together with the store instruction as part of the security attributes of the data block, and handed to the data sensitivity determination module for evaluation.
The data access control module implements security domain separation and access control for data access. Security domain separation includes receiving instructions from the data migration monitoring module and converting them into operation instructions recognised by the storage virtualization gateway, restricting migration of data between security domains. Access control includes restricting, according to the security policy, access by requesters of different security levels to data in the security domains. The control actions taken by the data access control module are defined by the security policy.
Based on the above system for secure data storage and data access control, the present invention also provides a method for secure data storage and data access control, comprising three flows: data storage, data access control and data migration control;
The data storage flow comprises the following steps:
1) The storage virtualization gateway receives a data storage request and forwards it to the storage security gateway;
2) The data sensitivity determination module of the storage security gateway obtains the data sensitivity level from the request and queries the security domain management module with that sensitivity level;
3) The security domain management module computes the corresponding security domain and virtual address space and returns them;
4) The data sensitivity determination module returns the virtual address space, and the storage virtualization gateway performs the actual store operation into that virtual address space;
The data access control flow comprises the following steps:
1) The storage virtualization gateway receives a data access request and forwards it to the storage security gateway;
2) The data access control module of the storage security gateway receives the request and queries the data sensitivity determination module for the security level of the accessing subject;
3) The data access control module queries the security policy server, or the local security policy cache, for the security policy corresponding to the access request;
4) The data access control module queries the security domain management module for the security domain corresponding to the access request;
5) The security domain management module looks up the security domain from the virtual address of the data block in the access request and returns it to the data access control module;
6) The data access control module verifies, from the security policy and the security domain of the requested data block, whether the access is legitimate, and generates an access control instruction from the result: either permit or deny;
7) The storage virtualization gateway receives the access control instruction and permits or denies the access request;
The data migration control flow comprises the following steps:
1) The data migration monitoring module of the storage security gateway monitors in real time the data migration operations performed by the storage virtualization gateway, either by polling the storage virtualization gateway for pending migrations or by the storage virtualization gateway actively notifying the data migration monitoring module;
2) The data migration monitoring module obtains the source and destination virtual addresses of the migration and queries for the corresponding security domains;
3) The security domain management module computes the security domains from the virtual addresses and returns the result;
4) The data migration monitoring module queries the security policy server or the local security policy cache for the applicable security policy;
5) The data migration monitoring module verifies the legitimacy of the migration operation and returns the result to the data access control module;
6) The data access control module generates an access control instruction from the result, permitting or refusing the migration;
7) The storage virtualization gateway performs or refuses the data migration operation.
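The gateway modules described above (device information management, security domain management, data sensitivity determination, data access control and data migration monitoring) and the three flows just listed, modelled in Python. This is an added example, not code from the patent: the patent states that a weighted list of device brands and types exists and that the security policy server is queried, but gives neither the weights, the thresholds nor the policy content, so the `WEIGHTS` table, the `domain_for_value` thresholds, the rule "a requester may read only data whose domain level is at most its clearance" and the rule "migration is allowed only between addresses of the same domain level" are assumptions. The model identifies each security domain with its level (one domain per level), whereas the patent also allows several domains of the same level. `SAMPLE_DEVICES` is constructed sample input.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Device information module inputs. The patent keeps a weighted list of device brands
# and types but gives no numbers; these weights are assumptions for the demo.
WEIGHTS: Dict[str, int] = {"vendor-a": 3, "vendor-b": 2, "whitebox": 1,        # brand
                           "ssd-sed": 3, "ssd": 2, "hdd": 1,                   # media type
                           "raid6": 2, "raid1": 2, "raid5": 1, "raid0": 0}     # RAID level

@dataclass(frozen=True)
class Device:
    brand: str
    media: str
    raid: str
    blocks: int  # capacity in logical blocks

def security_attribute_value(dev: Device) -> int:
    """Device information management module: score a device from brand, media and RAID."""
    return sum(WEIGHTS.get(attr, 0) for attr in (dev.brand, dev.media, dev.raid))

def domain_for_value(value: int) -> int:
    """Attribute value -> security domain (2 = high, 1 = medium, 0 = low); thresholds assumed."""
    return 2 if value >= 7 else 1 if value >= 4 else 0

@dataclass
class Extent:
    start: int     # first virtual block of the device
    end: int       # exclusive
    domain: int
    used: int = 0  # blocks already allocated from this extent

class SecurityDomainManager:
    """Security domain management module: virtual address space -> security domain table."""

    def __init__(self, devices: List[Device]) -> None:
        self.extents: List[Extent] = []
        nxt = 0
        for dev in devices:
            dom = domain_for_value(security_attribute_value(dev))
            self.extents.append(Extent(nxt, nxt + dev.blocks, dom))
            nxt += dev.blocks

    def domain_of(self, vaddr: int) -> Optional[int]:
        for e in self.extents:
            if e.start <= vaddr < e.end:
                return e.domain
        return None  # address not in the mapping table

    def allocate(self, domain: int, nblocks: int) -> Optional[int]:
        """First virtual address of a free range inside `domain`, or None if the domain is full."""
        for e in self.extents:
            if e.domain == domain and e.end - e.start - e.used >= nblocks:
                e.used += nblocks
                return e.start + e.used - nblocks
        return None

class PolicyServer:
    """Assumed policy: no reading above one's clearance; migration only inside one domain level."""

    def may_access(self, clearance: int, domain: int) -> bool:
        return clearance >= domain

    def may_migrate(self, src_domain: int, dst_domain: int) -> bool:
        return src_domain == dst_domain

class StorageSecurityGateway:
    def __init__(self, devices: List[Device], policy: PolicyServer) -> None:
        self.domains = SecurityDomainManager(devices)
        self.policy = policy
        self.audit: List[str] = []

    def store(self, sensitivity: int, nblocks: int) -> Optional[int]:
        """Storage flow: sensitivity -> domain -> virtual address; a full domain is refused, never spilled down."""
        addr = self.domains.allocate(sensitivity, nblocks)
        self.audit.append(f"store sens={sensitivity} -> {'DENY (domain full)' if addr is None else addr}")
        return addr

    def access(self, clearance: int, vaddr: int) -> bool:
        """Access control flow: resolve the block's domain, then the policy decides; unmapped -> deny."""
        dom = self.domains.domain_of(vaddr)
        ok = dom is not None and self.policy.may_access(clearance, dom)
        self.audit.append(f"access clr={clearance} vaddr={vaddr} dom={dom} -> {'ALLOW' if ok else 'DENY'}")
        return ok

    def migrate(self, src: int, dst: int) -> bool:
        """Migration control flow: both ends must resolve to domains of the same level."""
        s, d = self.domains.domain_of(src), self.domains.domain_of(dst)
        ok = s is not None and d is not None and self.policy.may_migrate(s, d)
        self.audit.append(f"migrate {src}(dom {s}) -> {dst}(dom {d}) -> {'ALLOW' if ok else 'DENY'}")
        return ok

SAMPLE_DEVICES = [  # constructed sample back end, not from the patent: 100 blocks each
    Device("vendor-a", "ssd-sed", "raid6", 100),  # value 8 -> domain 2, virtual blocks 0..99
    Device("vendor-b", "ssd", "raid1", 100),      # value 6 -> domain 1, blocks 100..199
    Device("whitebox", "hdd", "raid0", 100),      # value 2 -> domain 0, blocks 200..299
    Device("vendor-a", "hdd", "raid5", 100),      # value 5 -> domain 1, blocks 300..399
]

def demo() -> List[str]:
    """Run one store / access / migrate scenario and return the gateway's audit trail."""
    gw = StorageSecurityGateway(SAMPLE_DEVICES, PolicyServer())
    hi, lo = gw.store(2, 10), gw.store(0, 10)  # land in domain 2 and domain 0
    for clearance in (0, 2):                   # low clearance denied, high clearance allowed
        gw.access(clearance, hi)
    gw.migrate(hi, lo)                         # high -> low migration: denied
    gw.store(2, 200)                           # domain 2 full: denied, not spilled to domain 1
    return gw.audit
```

Two fail-closed choices are worth noting. A store request whose domain has no free space is refused rather than placed in a lower domain, and an address outside the mapping table is denied for both access and migration; a gateway that defaulted to "allow" in either case would quietly reintroduce the mixed-storage problem the scheme exists to remove. The audit list stands in for the monitoring the patent attributes to the data migration monitoring module.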
Compared with the prior art, the present invention has the following advantages:
(1) It provides a data isolation and access control method of higher security strength for storage systems, meeting the data protection needs of industries with high security requirements. Dividing data storage into security domains means that data is not only logically isolated by conventional access control but also physically isolated and access-controlled. This solves the security problem of mixed storage of data of different sensitivity levels across business systems.
(2) It is compatible with mainstream storage systems, supports storage virtualization well, and supports cloud storage and distributed storage in cloud computing. The storage security gateway that divides storage into security domains and enforces isolation can be attached to the storage virtualization gateway as a plug-and-play security device.
(3) The performance impact is small: the storage security gateway can be combined with virtualization technology and deployed in the storage virtualization gateway, operating at the data block level, so its impact on the performance of I/O operations is small.
(4) It introduces the novel concept of a storage security domain, which effectively reduces the security risk caused by uncontrolled physical placement of data, and improves the security of data storage while retaining the benefits of storage virtualization.
The proposed solution automatically classifies data of different sensitivity levels produced by business systems into different physical storage areas according to the security policy when the data is stored. Logically, a physical storage area is presented as a security domain. Data within one security domain has the same or similar sensitivity level, and data in different security domains has different sensitivity levels. Access to data in a security domain is then controlled according to the security policy, and the method controls migration or automatic replication of data between security domains, ensuring that security domains are physically isolated from one another. The technique can therefore provide stronger physical isolation and protection of sensitive data within a single unified virtual storage resource pool.
The present invention introduces the concept of a data security domain. While remaining compatible with existing storage virtualization technology, it achieves classified storage of data on physical media and, by applying access control at the storage virtualization layer, ensures stronger isolation between data of different sensitivity levels, thus solving the above problems.
Brief description of the drawings
Fig. 1 is a schematic diagram of the system architecture of the present invention.
Fig. 2 is the logical functional structure diagram of the storage security gateway of the present invention.
Fig. 3 is the processing logic diagram of the device information management module of the present invention.
Fig. 4 is a schematic diagram of a typical security domain mapping logic of the present invention.
Fig. 5 is a flow chart of a typical data storage implementation of the present invention;
Fig. 6 is a flow chart of a typical data access control implementation of the present invention;
Fig. 7 is a flow chart of a typical data migration control implementation of the present invention;
The implementation, functional characteristics and advantages of the object of the invention are further described below with reference to the drawings and in conjunction with the embodiments.
Embodiment
It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, it is not intended to limit the present invention.
The present invention mainly increases storage between the application server of front-end generating data request and back end storage system The logic function of security gateway come realize data safety domain division, isolation and access control.Security gateway is stored with storage Virtualization gateway can cooperate, and realize data on actual physics medium according to security domain side using existing virtualization technology Formula stores.When data access request reaches Storage Virtualization gateway, storage security gateway can be called by Storage Virtualization gateway Function realize the isolation in data safety domain and access control.Because the request of data of all access back end storage systems all can By storing security gateway processing, it is hereby ensured that security control is carried out on the exclusive path of data, will not be bypassed.And And security control can effectively prevent upper application layer to be directed to the attack meanses of data in the bottom layer realization of data access.
Reference picture 1, the system provided by the present invention for realizing data safety storage and data access control, including four patrolled It is respectively the application server for initiating request to collect part, stores security gateway, Security Policy Server and back end storage system.,
Wherein, application server initiates data access request, and request carries the security attribute information such as the sensitivity level of data, deposited The sensitivity level information in security gateway acquisition request is stored up, judges security domain corresponding to the sensitivity level, and establish the safety of data block Domain Index.Storage security gateway is converted to security domain information the virtual address of Storage Virtualization gateway identification, then empty by storage Planization gateway is converted to corresponding physical address, and final data will be stored on physical address in corresponding security domain.Data Access request then stores security gateway and obtains the safe class of current access request side and accessed number if reading data According to sensitivity level, and query safe strategic server obtains security strategy corresponding to the access request side, determines whether to visit Ask.In Data Migration or reproduction process, the migration source address and destination address of security gateway monitoring data block are stored, and if Safe domain policy corresponding to address disagrees (for example the data of different security domains mutually can not be migrated or replicated), then is notified that Storage Virtualization gateway prevents migration, and is migrated and answered between the security domain of same levels or inside security domain System.
1) The application server is a general business processing server. It mainly receives data access requests arriving from the network and initiates the corresponding data access requests to the back-end storage system.
2) The storage security gateway is responsible for security domain management, the division of data security domains, isolation and access control. It is a logical function and can be either a functional module implemented in software or a gateway device implemented in hardware. It is directly connected to the storage virtualization gateway: if it is a software module, it can be implemented as a functional part of the storage virtualization gateway; if it is a hardware gateway device, it is connected directly to the storage virtualization gateway.
3) The security policy server stores and manages all data security domain policies and receives and answers queries from the storage security gateway. In a concrete implementation, the security policy server acts as an independent security management center, and it is recommended to implement it on a stand-alone server. In a practical environment, this function can also be realized as a functional module of the storage security gateway.
4) The back-end storage system includes physical or virtual storage devices and is the main storage location of the data. It mainly consists of storage network equipment, storage controllers and storage media, for example a SAN or NAS. The storage devices in the back-end storage system are specific physical or virtual storage media, such as actual physical disks.
The storage security gateway is the core functional component of the system; its logical functional structure is shown in Fig. 2. With reference to Fig. 2, each constituent module of the storage security gateway is described in detail below. The storage security gateway comprises a device information management module, a security domain management module, a data migration monitoring module, a data sensitivity determination module and a data access control module.
1) Device information management module
This module is responsible for managing storage device information and calculating the security attribute value of the physical storage media in the connected back-end storage system (note: the security attribute value is a single integrated value that weighs aspects of the storage medium such as reliability, performance and security). The module can maintain a list in advance that records all storage device brands, device types and their respective weights and scores, which serve as the inputs for calculating a device's security attribute value. First, the module automatically obtains and manages the information of each storage device connected to the back-end storage system, uses that information to calculate the security attribute value corresponding to the device, and maintains the storage device security attribute value list. The security attribute value is the input of the security domain management module and the basis for dividing security domains (that is, for establishing the mapping between security domains and storage media). The information managed for each storage device mainly includes, but is not limited to, device brand, storage capacity, storage media type and RAID information. The predefined list of per-item weights and scores used to compute the security attribute value of a storage medium is outside the design scope of the present invention; weights and scores can be assigned according to the practical application scenario and any particular requirements on the storage devices. In some cases an automatically identified storage device is not in the preconfigured list; a default value can then be assigned, and after manual identification the device information can be added to the list through the configuration interface. Fig. 3 is the processing logic diagram of this module.
2) Security domain management module
This module is responsible for maintaining the mapping table from storage device virtual address space to security domain. First, the security domain management module obtains the security attribute value of a storage device, calculates from that value the security domain to which the device belongs, and establishes a mapping table entry from the device's virtual address space to the security domain. To support extensibility, the virtual address space of a storage device may change during use, but its security attribute does not; the virtual address mapping records associated with a security domain are therefore updated continuously. Fig. 4 shows a typical security domain mapping logic diagram.
In a typical realization of the mapping table, the storage device list has a one-to-one relationship with the security attribute values; each storage device has a virtual address space (uniformly managed and allocated by the storage virtualization gateway); and there is a correspondence between security attribute values and security domains, which can be one-to-one or many-to-one, i.e. several security attribute values, or a range of attribute values, correspond to one security domain. Through the mapping table, the virtual address space of a storage device is related to a security domain and the storage device is brought within the scope of security domain management. A data security domain is a logical region that corresponds to the virtual address spaces of different physical storage media. The virtual address spaces are managed uniformly by the storage virtualization gateway; the data security domain management module of the present invention is only responsible for mapping data security domains onto the virtual address space recognized by the virtualization gateway and is not responsible for converting physical addresses to virtual addresses.
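As an added worked example (not code from the patent or from the inventors), the following Python sketch combines the device information management module and the security domain management module described above: a weighted score over constructed device attributes, a conservative default score for a device absent from the preconfigured list, a many-to-one mapping from attribute-value ranges to security domains, and a mapping table from virtual address range to domain that is rebuilt when the virtualization gateway reassigns a device's address space without changing the device's domain. All weights, scores, thresholds, device names and address ranges are assumptions made for the example.

```python
import bisect
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed weight table and per-attribute scores (assumption: a deployment
# supplies its own; the patent leaves the weights outside its scope).
WEIGHTS = {"brand": 0.3, "media": 0.4, "raid": 0.3}
SCORES = {
    "brand": {"VendorA": 90, "VendorB": 70},
    "media": {"ssd": 90, "sas": 75, "sata": 50},
    "raid": {"RAID6": 95, "RAID10": 90, "RAID5": 70, "RAID0": 10},
}
# Device or attribute not in the preconfigured list: conservative default score
# until an operator identifies it and updates the list through the config interface.
DEFAULT_SCORE = 30

# Many-to-one mapping: every attribute value at or above a threshold falls into
# that domain (constructed thresholds).
DOMAIN_THRESHOLDS = [(0, "public"), (50, "internal"), (80, "confidential")]


@dataclass
class StorageDevice:
    name: str
    brand: str
    media: str
    raid: str
    capacity_gb: int
    vaddr_start: int  # virtual address space assigned by the storage virtualization gateway
    vaddr_end: int    # exclusive upper bound


def security_attribute_value(dev: StorageDevice) -> float:
    """Weighted sum of per-attribute scores; unknown attribute values score DEFAULT_SCORE."""
    total = 0.0
    for attr, weight in WEIGHTS.items():
        total += weight * SCORES[attr].get(getattr(dev, attr), DEFAULT_SCORE)
    return round(total, 2)


def domain_for_value(value: float) -> str:
    """The highest threshold not exceeding the value decides the domain."""
    domain = DOMAIN_THRESHOLDS[0][1]
    for lower, name in DOMAIN_THRESHOLDS:
        if value >= lower:
            domain = name
    return domain


class SecurityDomainTable:
    """Mapping table: virtual address range -> (device, security domain).

    An entry is rebuilt when the virtualization gateway reassigns a device's
    address space; the device's security attribute, and so its domain, is unchanged.
    """

    def __init__(self) -> None:
        self._entries: List[Tuple[int, int, str, str]] = []  # (start, end, device, domain)
        self._starts: List[int] = []

    def register(self, dev: StorageDevice) -> str:
        domain = domain_for_value(security_attribute_value(dev))
        # Drop a stale entry for the same device before inserting the new address range.
        self._entries = [e for e in self._entries if e[2] != dev.name]
        self._entries.append((dev.vaddr_start, dev.vaddr_end, dev.name, domain))
        self._entries.sort()
        self._starts = [e[0] for e in self._entries]
        return domain

    def domain_of(self, vaddr: int) -> Optional[str]:
        """Domain holding a virtual address, or None if the address is unmapped."""
        i = bisect.bisect_right(self._starts, vaddr) - 1
        if i >= 0:
            start, end, _, domain = self._entries[i]
            if start <= vaddr < end:
                return domain
        return None

    def devices_in(self, domain: str) -> List[str]:
        return [e[2] for e in self._entries if e[3] == domain]


if __name__ == "__main__":
    table = SecurityDomainTable()
    for dev in (
        StorageDevice("arrayA", "VendorA", "ssd", "RAID6", 4096, 0, 1000),
        StorageDevice("arrayB", "VendorB", "sata", "RAID5", 8192, 1000, 3000),
        StorageDevice("usbC", "NoName", "sata", "RAID0", 512, 3000, 3500),  # not in list
    ):
        print(dev.name, security_attribute_value(dev), table.register(dev))
    print(table.domain_of(2500), table.domain_of(3500))
```

The unknown-brand device lands in the lowest domain because its default score is deliberately low; the operator then corrects the list rather than the table. An address outside every registered range returns `None`, which the access path should treat as a denial rather than as membership in some default domain.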
3) Data migration monitoring module
The data migration monitoring module is responsible for monitoring data flows between security domains. When a data flow between security domains violates the security policy, the monitoring module issues a control command to block the data migration. Data flows generally occur during data replication and migration, carried out either automatically by the storage virtualization gateway when it performs storage management functions or when the application layer issues an instruction. The data migration monitoring module monitors the direction of data flow according to the inter-domain data flow security policy and, when it finds a data flow that does not comply with the security policy, notifies the data access control module to take control action.
4) Data sensitivity determination module
On receiving a data request instruction, the data sensitivity determination module identifies the sensitivity level of the data block in the instruction. When it recognizes a data storage instruction of a high sensitivity level, it calculates, from the mapping table of the security domain management module, the security domain and virtual address space corresponding to the data block and notifies the storage virtualization gateway to store the data in the corresponding security domain. When it recognizes a data access instruction, it obtains the security level of the access subject and has the access control module process the access request according to the security policy. The sensitivity level of the data block and the security level of the access subject can be passed to the storage virtualization gateway together with the storage instruction as part of the data block's security attributes, and handed to this module for judgment. The security attributes of the data block can also be delivered to the gateway by other means for processing.
5) Data access control module
The data access control module is responsible for security domain isolation and access control for data access. Security isolation of data comprises receiving instructions from the data migration monitoring module and converting them into operation instructions recognized by the storage virtualization gateway, thereby restricting migration of data between security domains. The access control function comprises restricting, according to the security policy, the access of requesters of different security levels to data in the security domains. The control mode that the data access control module implements is defined by the security policy; the access control mode and security policy of the present invention are determined by the security requirements of the concrete application environment. For example, in an environment with high security requirements where mandatory access control must be enforced, the security policy implements a mandatory access control policy, and the data access control module then prevents an access request subject of a lower security level from accessing data in a security domain whose security level is higher than its own.
The method for realizing secure data storage and data access control provided by the present invention is described in detail below. It comprises three implementation processes: data storage, data access control and data migration control.
Data storage: after the storage security gateway receives a data storage request, it determines the data's sensitivity level and calculates the security domain and virtual address space corresponding to that sensitivity level; the storage virtualization gateway device then performs the concrete data storage operation under the control of that virtual address.
Data access control: after the storage security gateway receives a data access request, the data access control module queries the security level of the access requester, the security policy, and the security domain corresponding to the accessed target data block, and verifies according to the security policy whether the access requester has the authority to access that security domain. The verification result is returned to the storage virtualization gateway device, which performs the concrete access operation if the request is allowed.
Data migration control: the storage security gateway monitors the data migration operations performed by the storage virtualization gateway device. When a migration operation is found, it is intercepted, and the security domains corresponding to the source and destination are looked up from the migration operation's virtual addresses. If they are the same security domain, the gateway returns directly; if they are different security domains, the security policy is queried as to whether the migration is allowed. If it is allowed, the storage virtualization gateway is notified to perform the migration; otherwise the storage virtualization gateway is notified to refuse it.
With reference to Figs. 5, 6 and 7, the concrete steps of the three implementation processes are described in detail.
A typical implementation process of data storage is shown in Fig. 5:
The steps are as follows:
1. The storage virtualization gateway receives a data storage request and forwards it to the storage security gateway.
2. The data sensitivity determination module of the storage security gateway obtains the data's sensitivity level from the request and queries the security domain management module with that sensitivity level.
3. The security domain management module calculates the corresponding security domain and virtual address space and returns them.
4. The data sensitivity determination module returns the virtual address space, and the storage virtualization gateway performs the concrete data storage operation according to that virtual address space.
A typical implementation process of data access control is shown in Fig. 6:
The steps are as follows:
1. The storage virtualization gateway receives a data access request and forwards it to the storage security gateway.
2. After the data access control module of the storage security gateway receives the request, it queries the data sensitivity determination module to obtain the security level of the access subject.
3. The data access control module queries the security policy server (or a local security policy cache) to obtain the security policy corresponding to the access request.
4. The data access control module queries the security domain management module to obtain the security domain corresponding to the access request (the security domain in which the accessed data block resides).
5. The security domain management module looks up the corresponding security domain from the data block virtual address in the access request and returns it to the data access control module.
6. The data access control module verifies, according to the security policy and the security domain of the requested data block, whether the access is legitimate, generates an access control instruction from the verification result, and returns one of two access control instructions: allow or deny.
7. The storage virtualization gateway receives the access control instruction and allows or denies the access request.
A typical implementation process of data migration control is shown in Fig. 7:
The steps are as follows:
1. The data migration monitoring module of the storage security gateway monitors in real time the data migration operations performed by the storage virtualization gateway. This can be implemented by polling or by notification: the data migration monitoring module polls the storage virtualization gateway for whether a data migration has occurred, or the storage virtualization gateway proactively notifies the data migration monitoring module.
2. The data migration monitoring module obtains the source and destination virtual addresses of the migration and queries the corresponding security domains.
3. The security domain management module calculates the security domains corresponding to the virtual addresses and returns the result.
4. The data migration monitoring module queries the security policy server or a local security policy cache to obtain the corresponding security policy.
5. The data migration monitoring module verifies the legitimacy of the migration operation and returns the result to the data access control module.
6. The data access control module generates an access control instruction from the verification result, allowing or denying the migration.
7. The storage virtualization gateway performs or refuses the data migration operation.
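As an added example, not the patent's own implementation, this Python sketch ties the three flows above (Figs. 5 to 7) together in one gateway object: a store request is placed in the domain that holds its sensitivity level, a read is checked against a mandatory access control rule (a subject may not read data in a domain above its own security level, the policy the description gives as its example), and a migration is allowed only within one domain or between domains of the same level. The policy server stand-in, the domain table, the per-domain bump allocator and all levels and address ranges are constructed for the example; in the patent's design the storage virtualization gateway performs the actual I/O after receiving the allow or deny instruction, and the migration check is treated here as synchronous (decided before the move).

```python
from typing import Dict, Optional, Tuple

# Constructed security domains: name -> (security level, virtual address range [start, end)).
# Two domains share level 1 so that a same-level cross-domain migration can be shown.
DOMAINS: Dict[str, Tuple[int, Tuple[int, int]]] = {
    "public":       (0, (0, 1000)),
    "internal":     (1, (1000, 2000)),
    "internal_dr":  (1, (2000, 3000)),   # disaster-recovery copy of "internal"
    "confidential": (2, (3000, 4000)),
}
# Sensitivity level of a store request -> domain that receives the data (constructed).
DOMAIN_FOR_SENSITIVITY = {0: "public", 1: "internal", 2: "confidential"}


class PolicyServer:
    """Stand-in for the security policy server with one fixed policy (assumption)."""

    def may_access(self, subject_level: int, data_domain: str) -> bool:
        # Mandatory access control: a subject may not read data above its own level.
        return subject_level >= DOMAINS[data_domain][0]

    def may_migrate(self, src_domain: str, dst_domain: str) -> bool:
        # Cross-domain migration only between domains of the same level.
        return DOMAINS[src_domain][0] == DOMAINS[dst_domain][0]


class StorageSecurityGateway:
    """Returns placement and allow/deny decisions; the virtualization gateway does the I/O."""

    def __init__(self, policy: PolicyServer) -> None:
        self.policy = policy
        # Bump allocator per domain (assumption; real placement is the virtualization gateway's job).
        self._next_free = {d: rng[0] for d, (_, rng) in DOMAINS.items()}

    def domain_of(self, vaddr: int) -> Optional[str]:
        for name, (_, (start, end)) in DOMAINS.items():
            if start <= vaddr < end:
                return name
        return None

    # Flow 1: data storage (Fig. 5)
    def store(self, sensitivity: int, nblocks: int) -> Tuple[str, int]:
        """Pick the domain for the sensitivity level and return (domain, virtual address)."""
        domain = DOMAIN_FOR_SENSITIVITY[sensitivity]
        _, (start, end) = DOMAINS[domain]
        vaddr = self._next_free[domain]
        if vaddr + nblocks > end:
            raise RuntimeError(f"no space left in security domain {domain}")
        self._next_free[domain] = vaddr + nblocks
        return domain, vaddr

    # Flow 2: data access control (Fig. 6)
    def check_access(self, subject_level: int, vaddr: int) -> str:
        """'allow' or 'deny' for the virtualization gateway; unmapped addresses fail closed."""
        domain = self.domain_of(vaddr)
        if domain is None or not self.policy.may_access(subject_level, domain):
            return "deny"
        return "allow"

    # Flow 3: data migration control (Fig. 7)
    def check_migration(self, src_vaddr: int, dst_vaddr: int) -> str:
        """Intra-domain moves pass without a policy query; cross-domain moves ask the policy."""
        src, dst = self.domain_of(src_vaddr), self.domain_of(dst_vaddr)
        if src is None or dst is None:
            return "deny"
        if src == dst:
            return "allow"
        return "allow" if self.policy.may_migrate(src, dst) else "deny"


if __name__ == "__main__":
    gw = StorageSecurityGateway(PolicyServer())
    print(gw.store(2, 10))                 # ('confidential', 3000)
    print(gw.check_access(1, 3005))        # deny: level-1 subject, level-2 data
    print(gw.check_migration(1500, 2500))  # allow: internal -> internal_dr, same level
    print(gw.check_migration(3005, 1500))  # deny: confidential -> internal
```

Two choices matter for a deployment of this design. First, an address that maps to no domain is denied rather than treated as public, because an unmapped range is exactly where a newly attached or misregistered device would appear. Second, the migration check consults the domain of both endpoints, so a copy out of a high domain into a low one is refused even though the same subject could have read the source, which is what keeps the domain separation meaningful across storage management operations.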
The above is only a preferred embodiment of the present invention; the scope of protection of the present invention is not limited to the above embodiment, and all technical solutions falling under the idea of the present invention belong to its scope of protection. It should be pointed out that, for those of ordinary skill in the art, several improvements and modifications made without departing from the principles of the present invention should also be regarded as within the scope of protection of the present invention.

Claims (2)

  1. A system for realizing secure data storage and data access control, characterized in that it comprises four parts: an application server that initiates requests, a storage security gateway, a security policy server and a back-end storage system;
    the application server is responsible for receiving data access requests arriving from the network and initiating the data access requests to the back-end storage system;
    the storage security gateway is responsible for security domain management, the division of data security domains, isolation and access control; the storage security gateway is a logical function and is either a functional module implemented in software or a gateway device implemented in hardware; the storage security gateway is directly connected to the storage virtualization gateway: if it is a functional module implemented in software, it is implemented as a functional part of the storage virtualization gateway; if it is a hardware gateway device, it is directly connected to the storage virtualization gateway;
    the storage security gateway comprises a device information management module, a security domain management module, a data migration monitoring module, a data sensitivity determination module and a data access control module;
    the device information management module is responsible for managing storage device information and calculating the security attribute value of the physical storage media in the connected back-end storage system; the device information management module can maintain a list in advance recording all storage device brands, device types and their respective weights and scores, as input for calculating device security attribute values; first, the device information management module automatically obtains and manages the information of each storage device connected to the back-end storage system, uses that information to calculate the security attribute value corresponding to the device, and maintains the storage device security attribute value list; the security attribute value serves as input to the security domain management module and as the basis for dividing security domains; the information managed for each storage device includes device brand, storage capacity, storage media type and RAID information;
    the security domain management module is responsible for maintaining the mapping table from storage device virtual address space to security domain; first, the security domain management module obtains the security attribute value of a storage device, calculates from it the security domain to which the storage device belongs, and establishes a mapping table entry from the virtual address space of the storage device to the security domain;
    the data migration monitoring module is responsible for monitoring data flows between security domains; when a data flow between security domains violates the security policy, the monitoring module issues a control command to block the data migration; data flows generally occur during data replication and migration, carried out either automatically by the storage virtualization gateway when performing storage management functions or when an instruction is issued by the application layer; the data migration monitoring module monitors the direction of data flow according to the inter-domain data flow security policy and, on finding a data flow that does not comply with the security policy, notifies the access control module to take control action;
    the data sensitivity determination module, on receiving a data request instruction, identifies the sensitivity level of the data block in the instruction; when a data storage instruction of a high sensitivity level is recognized, it calculates, from the mapping table of the security domain management module, the security domain and virtual address space corresponding to the data block and notifies the storage virtualization gateway to store the data in the corresponding security domain; when a data access instruction is recognized, it obtains the security level of the access subject and has the data access control module process the access request according to the security policy; the sensitivity level of the data block and the security level of the access subject can be passed, as part of the security attributes of the data block, to the storage virtualization gateway together with the storage instruction and handed to the data sensitivity determination module for judgment;
    the data access control module is responsible for performing security domain isolation and access control for data access; security domain isolation of data comprises receiving instructions from the data migration monitoring module and converting them into operation instructions recognized by the storage virtualization gateway, thereby restricting migration of data between security domains; the access control function comprises restricting, according to the security policy, the access of requesters of different security levels to data in the security domains; the control mode implemented by the data access control module is defined by the security policy;
    the security policy server is used to store and manage all data security domain policies and to receive and answer queries from the storage security gateway;
    the back-end storage system comprises physical or virtual storage devices, is the main storage location of the data, and is mainly composed of storage network devices, storage controllers and storage media;
    wherein the application server initiates a data access request carrying the sensitivity level security attribute of the data; the storage security gateway obtains the sensitivity level from the request, determines the security domain corresponding to the sensitivity level, and establishes the security domain index of the data block; the storage security gateway converts the security domain information into a virtual address recognized by the storage virtualization gateway, which the virtualization gateway then converts into the corresponding physical address, and the data is finally stored at a physical address within the corresponding security domain; if the data access request is a read, the storage security gateway obtains the security level of the current requester and the sensitivity level of the accessed data, queries the security policy server for the security policy corresponding to the requester, and decides whether to allow the access; during data migration or replication, the storage security gateway monitors the source and destination addresses of the migrated data block and, if the security domain policies corresponding to the addresses do not agree, notifies the storage virtualization gateway to block the migration, so that migration and replication are performed only between security domains of the same level or within one security domain.
  2. A method for realizing secure data storage and data access control, characterized in that the method comprises three flows: data storage, data access control and data migration control;
    wherein the data storage flow comprises the following steps:
    1) the storage virtualization gateway receives a data storage request and forwards it to the storage security gateway;
    2) the data sensitivity determination module of the storage security gateway obtains the data sensitivity level from the request and queries the security domain management module according to the sensitivity level;
    3) the security domain management module calculates the corresponding security domain and virtual address space and returns them;
    4) the data sensitivity determination module returns the virtual address space, and the storage virtualization gateway performs the concrete data storage operation according to that virtual address space;
    the data access control flow comprises the following steps:
    1) the storage virtualization gateway receives a data access request and forwards it to the storage security gateway;
    2) after the data access control module of the storage security gateway receives the request, it queries the data sensitivity determination module to obtain the security level of the access subject;
    3) the data access control module queries the security policy server or a local security policy cache to obtain the security policy corresponding to the access request;
    4) the data access control module queries the security domain management module to obtain the security domain corresponding to the access request;
    5) the security domain management module looks up the corresponding security domain from the data block virtual address in the access request and returns it to the data access control module;
    6) the data access control module verifies, according to the security policy and the security domain of the requested data block, whether the access is legitimate, generates an access control instruction from the verification result, and returns one of two access control instructions, allow or deny;
    7) the storage virtualization gateway receives the access control instruction and allows or denies the access request;
    the data migration control flow comprises the following steps:
    1) the data migration monitoring module of the storage security gateway monitors in real time the data migration operations performed by the storage virtualization gateway, using either polling or notification: the data migration monitoring module polls the storage virtualization gateway for whether a data migration has occurred, or the storage virtualization gateway proactively notifies the data migration monitoring module;
    2) the data migration monitoring module obtains the source and destination virtual addresses of the migration and queries the corresponding security domains;
    3) the security domain management module calculates the security domains corresponding to the virtual addresses and returns the result;
    4) the data migration monitoring module queries the security policy server or a local security policy cache to obtain the corresponding security policy;
    5) the data migration monitoring module verifies the legitimacy of the migration operation and returns the result to the data access control module;
    6) the data access control module generates an access control instruction from the verification result, allowing or denying the migration;
    7) the storage virtualization gateway performs or refuses the data migration operation.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410163708.9A CN104660578B (en) 2014-04-22 2014-04-22 A system and method for realizing secure data storage and data access control


Publications (2)

Publication Number Publication Date
CN104660578A CN104660578A (en) 2015-05-27
CN104660578B true CN104660578B (en) 2017-12-19

Family

ID=53251282


Country Status (1)

Country Link
CN (1) CN104660578B (en)

Families Citing this family (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106502578B (en) * 2015-09-06 2019-06-11 中兴通讯股份有限公司 Capacity changes suggesting method and device
CN107122123A (en) * 2016-02-24 2017-09-01 湖南百里目科技有限责任公司 A kind of new Storage Virtualization gateway direct mode operation method
CN107203722B (en) * 2016-03-16 2020-01-14 中国电子科技集团公司电子科学研究院 Virtualization data isolation exchange method and device
CN106209910A (en) * 2016-08-29 2016-12-07 上海航盛实业有限公司 A kind of method for security protection of inter-vehicle information system
CN106682499A (en) * 2016-11-16 2017-05-17 无锡港湾网络科技有限公司 Disaster prevention system data secure-storage method
CN107070878B (en) * 2017-02-13 2020-09-18 北京安云世纪科技有限公司 System and method for virus isolation of monitored application
CN106899602B (en) * 2017-03-13 2019-12-27 广州五舟科技股份有限公司 Distributed computing platform and file management method thereof
CN107343008A (en) * 2017-07-17 2017-11-10 山东超越数控电子有限公司 A kind of data safety isolation of anti-access module leakage is with sharing implementation method
CN107958158A (en) * 2017-10-27 2018-04-24 国网辽宁省电力有限公司 The dynamic data desensitization method and system of a kind of big data platform
CN109753811B (en) * 2018-12-28 2021-04-23 北京东方国信科技股份有限公司 Data probe design method and device for detecting sensitive information
CN110059110B (en) * 2019-04-12 2021-05-28 北京百度网讯科技有限公司 Business data security processing method and device, computer equipment and storage medium
WO2021142849A1 (en) * 2020-01-19 2021-07-22 Oppo广东移动通信有限公司 Method and apparatus for configuring, discovering and joining security domain, and electronic device
US11539692B2 (en) * 2020-08-18 2022-12-27 Micron Technology, Inc. Setting based access to data stored in quarantined memory media
CN116089661A (en) 2021-11-05 2023-05-09 北京字节跳动网络技术有限公司 Method and device for controlling data access
CN114490449B (en) * 2022-04-18 2022-07-08 飞腾信息技术有限公司 Memory access method and device and processor
CN115378659B (en) * 2022-07-28 2024-04-16 中国电子科技集团公司第三十研究所 High-reliability file encryption and fine-granularity access control method based on user identity
CN117609994B (en) * 2023-12-06 2024-06-21 乘乘智数科技(深圳)有限公司 Non-invasive data monitoring method and system based on data security
CN117993029B (en) * 2024-04-03 2024-07-05 武昌首义学院 Satellite information and training data warehouse network safety protection method and system

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101111053A (en) * 2006-07-18 2008-01-23 中兴通讯股份有限公司 System and method for defending network attack in mobile network
CN101398768A (en) * 2008-10-28 2009-04-01 北京航空航天大学 Construct method of distributed virtual machine monitor system
CN101764798A (en) * 2009-07-01 2010-06-30 北京华胜天成科技股份有限公司 Safety management system and method based on client terminal
CN101763476A (en) * 2009-12-25 2010-06-30 中国科学院计算技术研究所 Multilevel security policy conversion method
CN102143158A (en) * 2011-01-13 2011-08-03 北京邮电大学 Data anti-leakage method based on trusted platform module (TPM)
CN102882885A (en) * 2012-10-17 2013-01-16 北京卓微天成科技咨询有限公司 Method and system for improving cloud computing data security
CN103403732A (en) * 2012-10-15 2013-11-20 华为技术有限公司 Processing method and device for input and output opeartion


Also Published As

Publication number Publication date
CN104660578A (en) 2015-05-27


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20171219