CN104796412B - End-to-end cloud service system and access method to its sensitive data - Google Patents


Publication number: CN104796412B
Authority: CN (China)
Prior art keywords: cloud server terminal; access; server terminal; sensitive data; data
Legal status: Active
Application number: CN201510152025.8A
Other languages: Chinese (zh)
Other versions: CN104796412A (en)
Inventor: 林锐
Current Assignee: Zhanjiang Zibo Technology Co.,Ltd.
Original Assignee: Huizhou TCL Mobile Communication Co Ltd
Application filed by Huizhou TCL Mobile Communication Co Ltd
Publication of CN104796412A
Application granted
Publication of CN104796412B

Landscapes

  • Storage Device Security (AREA)

Abstract

The present invention provides an end-to-end cloud service system and a method for accessing its sensitive data. The end-to-end cloud service system includes multiple distributed cloud servers and one central cloud server. Each cloud server is provided with, or has embedded in it, an access control agent program, which is responsible for access to the non-sensitive data stored on the cloud server where it resides and for forwarding users' requests to access sensitive data to the central cloud server. The central cloud server is provided with, or has embedded in it, a central access control program, which is responsible for verifying access requests against preset authorization rules and thereby directly handles, or coordinates the access control agent programs in, access to the sensitive data of the multiple cloud servers that is stored on the central cloud server. The invention improves the security of access to both the sensitive and the non-sensitive data of an end-to-end cloud service database.

Description

End-to-end cloud service system and access method to its sensitive data
Technical field
The present invention relates to the fields of cloud computing, services, applications and the mobile Internet, and in particular to the security aspects of virtualized databases.
Background
In the prior art, database virtualization is limited to making the best use of and sharing physical resources and to improving database access performance. Database virtualization has difficulty solving security problems, and when data is moved to the cloud and virtualized so that sharing and elasticity are maximized, solving the security problem becomes both very challenging and very necessary.
Patent document 201310557723.7 discloses a page access control method and a related apparatus and system. The method includes: a user terminal obtains page source code from a site server; it obtains the script corresponding to path information, where a script tag embedded in the page source code contains the path information; it calls the script to send the N links contained in the page source code to a first security cloud server; it calls the script to receive from the first security cloud server the security level information corresponding to the N links; and it calls the script to apply access control to the N links based on the security levels described by that information. That technical solution only secures access to web pages by URL. Web page data and databases are two entirely different kinds of object, so the solution cannot have anything substantial in common with a technical solution for secure database access. In addition, when a user accesses a page, the related access request information must be forwarded via the first security cloud server; page access cannot be completed by the site server alone, bypassing the first security cloud server.
Patent document 201210326130.5 discloses a system and method for protecting sensitive cloud data based on storage metadata. Metadata in the cloud environment is divided into three classes: system metadata, content metadata, and storage metadata about the storage location of data files. Data files in the cloud environment are divided by importance into ordinary data files and sensitive data files. By encrypting the storage metadata of sensitive data files and applying access control to it, unauthorized users are prevented from accessing or destroying sensitive data files. Although that solution discloses storing sensitive data on a sensitive metadata server and non-sensitive data on an ordinary metadata server, that is, storing sensitive and non-sensitive data separately, both are still stored in a metadata server cluster made up of the individual cloud servers. The sensitive data of all the cloud servers is not stored centrally in a data center, so the data center cannot coordinate each cloud server's access to sensitive and/or non-sensitive data according to preset authorization rules and users' access requests.
From the above, the prior art cannot coordinate the data access activities of multiple mutually independent cloud servers, and the security of access to the associated databases is relatively low.
Summary of the invention
In view of this, embodiments of the present invention provide an end-to-end cloud service system and a method for securely accessing its sensitive data, which can improve the security of database access.
One embodiment of the invention provides an end-to-end cloud service system including multiple distributed cloud servers and one central cloud server. Each cloud server is provided with, or has embedded in it, an access control agent program. The access control agent program is responsible for access to the non-sensitive data stored on the cloud server where it resides, and is also responsible for forwarding users' requests to access sensitive data to the central cloud server. The central cloud server is provided with, or has embedded in it, a central access control program, which is responsible for verifying users' access requests against preset authorization rules and thereby directly handles, or coordinates the access control agent programs in, access to the sensitive data of the multiple cloud servers that is stored on the central cloud server.
Another embodiment of the present invention provides a method for accessing sensitive data, including: virtualizing the end-to-end cloud service system as multiple distributed cloud servers and one central cloud server, where each cloud server is provided with, or has embedded in it, an access control agent program and the central cloud server is provided with, or has embedded in it, a central access control program; having the access control agent program of each cloud server be responsible for access to the non-sensitive data stored on the cloud server where it resides, and also for forwarding users' requests to access sensitive data to the central cloud server; and having the central access control program of the central cloud server be responsible for verifying access requests against preset authorization rules, thereby directly handling, or coordinating the access control agent programs in, access to the sensitive data of the multiple cloud servers that is stored on the central cloud server.
With the above technical solutions, the embodiments of the present invention have the following beneficial effect. The end-to-end cloud service database is designed with one central cloud server and multiple distributed cloud servers. The non-sensitive data stored on each cloud server is accessed through that cloud server's access control agent program, and each cloud server's access to the sensitive data stored on the central cloud server is controlled by the central access control program of the central cloud server. Sensitive data is stored separately from non-sensitive data, and the sensitive data of every cloud server is stored centrally, with the central cloud server coordinating each cloud server's access to it. This improves the security of access to sensitive data while also preserving the security of access to non-sensitive data.
Brief description of the drawings
Fig. 1 is an architecture diagram of one embodiment of the end-to-end cloud service system of the present invention;
Fig. 2 is a schematic diagram of one embodiment of the authorization rules of the present invention;
Fig. 3 is an architecture diagram of another embodiment of the end-to-end cloud service system of the present invention;
Fig. 4 is a schematic diagram of the generation and maintenance of the client information database of the present invention;
Fig. 5 is a schematic diagram of access to the client information database of the present invention.
Detailed description
The technical solutions of the present invention are described in detail below with reference to the accompanying drawings and embodiments.
Fig. 1 is an architecture diagram of one embodiment of the end-to-end cloud service system of the present invention. As shown in Fig. 1, the end-to-end cloud service system includes one central cloud server and multiple distributed cloud servers (that is, clouds in the ordinary sense; only cloud server i is shown in the figure, where i is a positive integer). Each cloud server is provided with, or has embedded in it, one access control agent program, which for cloud server i is access control agent program i. The access control agent program is responsible for access to the database associated with the cloud server where it resides (which stores non-sensitive data), and is also responsible for receiving users' requests to access sensitive data and forwarding them to the central cloud server. The central cloud server is provided with, or has embedded in it, one central access control program (as shown in Fig. 3), which is responsible for verifying access requests against preset authorization rules and thereby coordinates the access control agent programs' access to the database associated with the central cloud server (which stores the sensitive data of the multiple cloud servers). The end-to-end cloud service system of this embodiment is therefore essentially a cloud architecture that combines distributed and coordinated operation.
In this cloud architecture, each cloud server has one VDBA (Virtual Database Administrator) and one MVDB-SR (Multimedia Virtual Database for Service Record, a multimedia virtual database); for cloud server i this is VDBA i. The central cloud server has one centralized VDBA that supervises the databases on all cloud servers (that is, virtual machines, VMs). The centralized VDBA works together with each VDBA to support the cloud service of the whole cloud architecture.
Specifically, each VDBA is responsible for installation, configuration, upgrading, management, monitoring, maintenance and security protection within its cloud server, and, together with the centralized VDBA, coordinates dynamic resource allocation and performance optimization for the MVDB-SR of its cloud server. The client information database of the centralized VDBA is used to manage the MVDB-SR of each cloud server and to monitor the data of each MVDB-SR; that is, it stores sensitive data, such as the name, gender, age, contact details and payment information of the user corresponding to each cloud server. The server information database of the centralized VDBA is used to coordinate and record the access activities of all cloud servers.
The database associated with a cloud server is its MVDB-SR. Every MVDB-SR has two key components: a VFS (Virtual File System) and a VDB (Virtual Database System). The VFS stores multimedia files in formats such as text, pictures, audio and video, and the VDB stores data links in text formats such as tables. That is, if a multimedia file is part of a data link, the multimedia file is stored in the VFS and the link associated with it is stored in the VDB.
The database associated with the central cloud server is the client information database. It stores, in encrypted form, the sensitive data of the users corresponding to all cloud servers, such as the name, gender, age, contact details and payment information mentioned above.
Fig. 2 is a schematic diagram of one embodiment of the authorization rules of the present invention. As shown in Fig. 2, the authorization rules used to verify a user's access request can be stored as a table and include implicit rules and dynamic rules. Implicit rules define the user's own permission to access the non-sensitive data stored on the user's corresponding cloud server, and can also define the user's granting to family members of permission to access that non-sensitive data. Dynamic rules define the user's granting to one or more other users of permission to access, within a predetermined period of time, the non-sensitive data stored on the user's corresponding cloud server. For example, user i grants other users j and/or k access, for one day, to the database (MVDB-SR) associated with cloud server i.
Embodiments of the present invention can also generate and maintain the data of the client information database, which holds the sensitive data. As shown in Fig. 4, in step S41 the user sends a request to the access control agent program to use the corresponding cloud server. In step S42 the central access control program of the central cloud server determines whether the user (that is, the client information database corresponding to the cloud server) exists. If it exists, the client information database for that user has already been established, and step S43 is executed to carry on with the next procedure, for example storing the sensitive data the user wants to store or replacing the existing sensitive data with it. If it does not exist, the client information database for that user has not yet been established, and step S44 is executed to prompt the user to enter the sensitive data to be stored (personal information). Step S45 is then executed: the central access control program of the central cloud server updates the client information database for that user accordingly.
In embodiments of the present invention, each cloud server has its own client information database. That database is physically located within the client information database of the central cloud server, but logically and in practice it is a separate virtual database. Only when authorization passes verification can the user of the cloud service (the authorized party) access its client information data.
With reference to Fig. 1 and Fig. 3, a user can read one or more data records, or share them with other cloud servers, through the ACAPI (Access Control API, the access control application programming interface) provided by the access control agent program of each cloud server. For example, the user submits an access request through the ACAPI; the access control agent program verifies the request against the authorization rules and, once verification passes, allows the user to access the non-sensitive data, including updating (writing) and reading it. To improve the security of access, in this embodiment the data the user accesses at this point is preferably the non-sensitive data corresponding to the cloud server.
Fig. 5 is a schematic diagram of access to the client information database of the present invention. With reference to Fig. 3 and Fig. 5, when a user wants to read sensitive data or data associated with other cloud servers (which may be sensitive data only, or both non-sensitive and sensitive data), the flow is as follows. In step S51 the user submits an access request by calling the ACAPI that the cloud server provides through its access control agent program. In step S52 the access control agent program forwards the user's access request to the central access control program of the central cloud server. In step S53 the central access control program checks against the authorization rules whether the access request is authorized. If it is not authorized, step S54 is executed and the access request is denied. If it is authorized, verification has passed and step S55 is executed: the central access control program retrieves the data the user wants to access from the client information database and sends it to the access control agent program of the cloud server. Step S56 is then executed: the access control agent program of the cloud server sends the retrieved data to the user. The data the user wants to access may be either the sensitive data corresponding to the cloud server or non-sensitive data.
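The rule list of Fig. 2 and the request flow of Fig. 5 (S51 to S56) can be modelled in a few lines. The following is an added example, not code from the patent: all class, method and field names are hypothetical, the sample records are constructed, and it assumes that one rule list per cloud server is used for both the agent's local decision and the central program's decision, and that a grant expires at exactly its end time.

```python
from dataclasses import dataclass, field

DAY = 24 * 60 * 60  # the "one day" grant from the Fig. 2 example, in seconds


@dataclass
class AuthRules:
    """Rule list for one cloud server, after Fig. 2 (field names are assumptions)."""
    owner: str
    family: set = field(default_factory=set)    # implicit rule: family members
    grants: dict = field(default_factory=dict)  # dynamic rule: grantee -> expiry time

    def grant(self, grantee, now, duration=DAY):
        """Dynamic rule: the owner admits `grantee` for a bounded period."""
        self.grants[grantee] = now + duration

    def allows(self, requester, now):
        if requester == self.owner or requester in self.family:
            return True                              # implicit rules
        expiry = self.grants.get(requester)
        return expiry is not None and now < expiry   # everything else is denied


class CentralAccessControl:
    """Central access control program: the only decision point for sensitive data."""

    def __init__(self):
        self.rules = {}         # server_id -> AuthRules
        self.client_info = {}   # server_id -> sensitive record (encrypted in the patent)
        self.activity_log = []  # stands in for the server information database

    def register(self, server_id, rules, record):
        self.rules[server_id] = rules
        self.client_info[server_id] = dict(record)

    def handle(self, requester, server_id, field_name, now):
        rules = self.rules.get(server_id)
        allowed = rules is not None and rules.allows(requester, now)  # S53
        # Every decision is recorded, including denials.
        self.activity_log.append((now, requester, server_id, field_name, allowed))
        if not allowed:
            return (False, None)                                      # S54
        return (True, self.client_info[server_id].get(field_name))    # S55


class AccessControlAgent:
    """Per-cloud-server agent: serves local data, forwards sensitive requests."""

    def __init__(self, server_id, rules, central):
        self.server_id = server_id
        self.rules = rules
        self.central = central
        self.mvdb_sr = {}  # non-sensitive data held on this cloud server

    def read_nonsensitive(self, requester, key, now):
        """Local decision by the agent, as in the ACAPI paragraph."""
        if not self.rules.allows(requester, now):
            return (False, None)
        return (True, self.mvdb_sr.get(key))

    def read_sensitive(self, requester, field_name, now):
        """S51/S52: forward to the central program; S56: relay its answer."""
        return self.central.handle(requester, self.server_id, field_name, now)


def build_demo():
    """Constructed sample data: one cloud server, one owner, one family member."""
    central = CentralAccessControl()
    rules = AuthRules(owner="user_i", family={"family_member"})
    central.register("cloud_i", rules,
                     {"name": "Constructed Name", "payment": "constructed-card-0000"})
    agent = AccessControlAgent("cloud_i", rules, central)
    agent.mvdb_sr["note.txt"] = "constructed non-sensitive file"
    return agent, central, rules


if __name__ == "__main__":
    agent, central, rules = build_demo()
    print(agent.read_sensitive("user_j", "payment", now=1000))         # before any grant
    rules.grant("user_j", now=1000)
    print(agent.read_sensitive("user_j", "payment", now=1000 + 3600))  # inside the window
    print(agent.read_sensitive("user_j", "payment", now=1000 + DAY))   # window expired
    print(central.activity_log)
```

The agent holds no sensitive data and makes no decision about it, so a compromised cloud server can at most submit requests that the central program still checks and logs.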
From the above, the end-to-end cloud service database is designed with one central cloud server and multiple distributed cloud servers. The non-sensitive data stored on each cloud server is accessed through that cloud server's access control agent program, and each cloud server's access to the sensitive data stored on the central cloud server is controlled by the central access control program of the central cloud server. Sensitive data is stored separately from non-sensitive data, and the sensitive data of every cloud server is stored centrally, with the central cloud server coordinating each cloud server's access to it. This improves the security of access to sensitive data while also preserving the security of access to non-sensitive data.
It should be understood that the foregoing describes only some embodiments of the present invention and is not intended to limit the patent scope of the invention. Any equivalent structure or equivalent process transformation made using the contents of the description and drawings of the present invention, such as combining technical features between embodiments, is likewise included within the scope of patent protection of the present invention.

Claims (10)

1. An end-to-end cloud service system, characterized in that the end-to-end cloud service system includes multiple distributed cloud servers and one central cloud server, wherein each of the multiple cloud servers is provided with, or has embedded in it, an access control agent program; the access control agent program is responsible for access to the non-sensitive data stored on the cloud server where it resides, and is also responsible for forwarding a user's request to access sensitive data to the central cloud server; the central cloud server is provided with, or has embedded in it, a central access control program; and the central access control program is responsible for verifying the access request against preset authorization rules, thereby directly handling, or coordinating the access control agent programs in, access to the sensitive data of the multiple cloud servers that is stored on the central cloud server.
2. The end-to-end cloud service system according to claim 1, characterized in that the authorization rules include implicit rules and dynamic rules; the implicit rules define the user's permission to access the non-sensitive data stored on the user's corresponding cloud server, and the user's granting to family members of permission to access the non-sensitive data stored on that cloud server; and the dynamic rules define the user's granting to one or more other users of permission to access, within a predetermined period of time, the non-sensitive data stored on that cloud server.
3. The end-to-end cloud service system according to claim 2, characterized in that the access control agent program of each cloud server is further responsible for receiving the access request and for verifying the access request against the authorization rules before forwarding it to the central cloud server.
4. The end-to-end cloud service system according to claim 1, characterized in that the sensitive data is stored in the client information database of the central cloud server, and the client information database is used to store, in encrypted form, the sensitive data of all the cloud servers, including the user's name, gender, age, contact details and payment information.
5. The end-to-end cloud service system according to claim 1, characterized in that the non-sensitive data is stored in the multimedia virtual database of each cloud server; the multimedia virtual database is used to store multimedia files written by the user corresponding to the cloud server, the multimedia files including text, picture, audio and video formats; and the central cloud server further includes a server information database, which is used to record the access activities of all the cloud servers with respect to the non-sensitive data.
6. A method for accessing the sensitive data of an end-to-end cloud service system, characterized in that the method for accessing sensitive data includes:
virtualizing the end-to-end cloud service system as multiple distributed cloud servers and one central cloud server, wherein each of the multiple cloud servers is provided with, or has embedded in it, an access control agent program, and the central cloud server is provided with, or has embedded in it, a central access control program;
having the access control agent program of each cloud server be responsible for access to the non-sensitive data stored on the cloud server where it resides, and also for forwarding a user's request to access sensitive data to the central cloud server;
having the central access control program of the central cloud server be responsible for verifying the access request against preset authorization rules, thereby directly handling, or coordinating each access control agent program in, access to the sensitive data of the multiple cloud servers that is stored on the central cloud server.
7. The method for accessing sensitive data according to claim 6, characterized in that the authorization rules include implicit rules and dynamic rules; the implicit rules define the user's permission to access the non-sensitive data stored on the user's corresponding cloud server, and the user's granting to family members of permission to access the non-sensitive data stored on that cloud server; and the dynamic rules define the user's granting to one or more other users of permission to access, within a predetermined period of time, the non-sensitive data stored on that cloud server.
8. The method for accessing sensitive data according to claim 7, characterized in that the method for accessing sensitive data further includes:
having the access control agent program of each cloud server further be responsible for receiving the access request and for verifying the access request against the authorization rules before forwarding it to the central cloud server.
9. The method for accessing sensitive data according to claim 6, characterized in that the sensitive data is stored in the client information database of the central cloud server, and the client information database stores, in encrypted form, the sensitive data of all the cloud servers, including the user's name, gender, age, contact details and payment information.
10. The method for accessing sensitive data according to claim 6, characterized in that the non-sensitive data is stored in the multimedia virtual database of each cloud server; the multimedia virtual database stores multimedia files written by the user corresponding to the cloud server, the multimedia files including text, picture, audio and video formats; and the central cloud server further includes a server information database, which is used to record the access activities of all the cloud servers with respect to the non-sensitive data.
CN201510152025.8A 2014-04-06 2015-03-31 End-to-end cloud service system and access method to its sensitive data Active CN104796412B (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201461975894P 2014-04-06 2014-04-06
US61/975,894 2014-04-06

Publications (2)

Publication Number Publication Date
CN104796412A CN104796412A (en) 2015-07-22
CN104796412B true CN104796412B (en) 2018-08-17

Family

ID=53560924

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510152025.8A Active CN104796412B (en) 2014-04-06 2015-03-31 End-to-end cloud service system and access method to its sensitive data

Country Status (1)

Country Link
CN (1) CN104796412B (en)

JP5707214B2 (en) File management system and file management method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230704

Address after: 524000 room 512, incubator building, No. 70, middle Renmin Avenue, Zhanjiang Economic and Technological Development Zone, Zhanjiang City, Guangdong Province

Patentee after: Zhanjiang Zibo Technology Co.,Ltd.

Address before: 516006 Zhongkai hi tech Zone, Huizhou, Guangdong, 86 Chang seven Road West

Patentee before: HUIZHOU TCL MOBILE COMMUNICATION Co.,Ltd.