CN105915535A - Virtual resource access control method based on user identity - Google Patents
Publication number: CN105915535A (application CN201610349749.6A)
Authority: CN (China)
Legal status: Granted
Classifications
- H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102 Entity profiles
- H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L67/10 Protocols in which an application is distributed across nodes in the network
Abstract
The invention discloses a virtual resource access control method based on user identity. The method comprises the following steps: a cloud resource management platform allocates resources according to user requests, and builds and updates a resource association table according to the resource allocation state; a security policy manager generates security rules according to the resource association table and the security policies in a policy library; and a security policy enforcement entity updates its existing security rules and enforces them. The method solves the problem of inaccurate security rules caused by dynamic resource allocation in a cloud computing environment, and improves the accuracy and effectiveness of the security rules.
Description
Technical field
The present invention relates to the field of information security technology, and in particular to a method for generating reliable and effective security rules in a cloud computing environment.
Background technology
Cloud computing is a pay-per-use model that provides convenient, reliable, on-demand network access to a shared pool of configurable resources (network resources, servers, storage devices, applications, services and so on), enabling rapid deployment and resource reclamation with little involvement from the user or the service provider. To strengthen the security of the virtual resources it provides, devices such as firewalls are usually used to control access to those resources and safeguard the network environment.
Applying access control to virtual resources in a cloud computing environment has the advantages of safety and effectiveness, but because resources are allocated dynamically, the resources a user holds are constantly changing, so the security rules in each security policy enforcement entity become uncertain. A method is therefore needed that can produce the corresponding security rules from the user's currently allocated resources and the security policy, so as to provide reliable and effective security rules to the security policy enforcement entity.
Summary of the invention
The technical problem solved by the present invention is to propose a virtual resource access control method based on user identity that improves the accuracy and effectiveness of security rules. In a cloud computing environment, the rule generator generates reliable and effective security rules from the resource association table and the security policy, and sends them to the corresponding security policy enforcement entity.
To solve the above problem, a virtual resource access control method based on user identity comprises the following steps:
The cloud resource management platform allocates resources according to user requests, and establishes and updates a resource association table according to the resource allocation state;
The security policy manager generates security rules according to the resource association table and the security policies in the policy library;
The security policy enforcement entity updates its existing security rules and enforces them.
Further, as one preferred option, the step in which the cloud resource management platform allocates resources according to user requests and establishes and updates the resource association table according to the resource allocation state further includes: when the resource association table is established or updated, the data items in the table should include detailed user information, including the user's identity (unique ID, user name, certificate, etc.), the identifiers of the occupied resources (resource type, resource name, IP address, MAC address, port number, etc.) and other information (the user's group, the user's security clearance, the user's trust level, etc.).
Further, as one preferred option, the step in which the cloud resource management platform allocates resources according to user requests and establishes and updates the resource association table according to the resource allocation state further includes: for the establishment and updating of the resource association table, whenever the resource allocation changes, the resource association table is created or updated promptly.
Further, as one preferred option, the step in which the security policy manager generates security rules according to the resource association table and the policies in the policy library further includes: when generating security rules, the security policy manager generates the final security rules according to the security policy and the resource association table, and sends them to the corresponding security policy enforcement entity.
Further, as one preferred option, the step in which the security policy manager generates security rules according to the resource association table and the policies in the policy library further includes: when generating policies, the security administrator formulates and revises security policies through the policy development module in the security policy manager and updates the policy library.
Further, as one preferred option, the step in which the security policy manager generates security rules according to the resource association table and the policies in the policy library further includes: generating security rules specifically means that the rule generation module in the security policy manager uses the information looked up in the resource association table, including IP addresses, port numbers and so on, to replace the corresponding parts of the security policy, producing security rules that match the current resource allocation state.
Further, as one preferred option, the step in which the security policy manager generates security rules according to the resource association table and the policies in the policy library further includes: for the security policy manager, all the information contained in the resource association table generated by the cloud resource management platform and in the security policy can be parsed and obtained by the rule generation module.
Further, as one preferred option, the step in which the security policy enforcement entity updates its existing security rules and enforces them further includes: when the resource allocation changes or the security policy changes, the security policy enforcement entity promptly receives and updates the security rules and enforces them.
The beneficial effects of the present invention are as follows. First, the resource association table is composed of the user's identity information, the resource information currently occupied by the user and other related information; it can effectively reflect the user's basic situation and the user's relationship to the occupied resources, which enhances the effectiveness and timeliness of the resource association table. Second, the security rules use the resource information (for example, IP addresses and port numbers) that the user currently and dynamically occupies, which ensures the accuracy and effectiveness of the security rules. Third, security policies are formulated and stored by the security policy manager, which facilitates unified management of security policies. In summary, this method can effectively solve the problem of inaccurate security rules caused by dynamic resource allocation in a cloud computing environment, and improves the accuracy and effectiveness of security rules.
Brief description of the drawing
The present invention and many of its attendant advantages can be more fully understood by referring to the following detailed description in conjunction with the accompanying drawing. The drawing described here is used to provide a further understanding of the present invention and forms part of it; the schematic description and the accompanying text serve to explain the invention and are not intended to limit it improperly.
Fig. 1 is a schematic of the operation of the user-identity-based resource access control method in a cloud computing environment according to the present invention.
Detailed description of the invention
Embodiments of the invention are described with reference to Fig. 1.
To make the above objects, features and advantages clearer and easier to understand, the present invention is described in further detail below with reference to the accompanying drawing and the specific embodiments.
A virtual resource access control method based on user identity comprises the following steps:
The cloud resource management platform allocates resources according to user requests, and establishes and updates a resource association table according to the resource allocation state;
The security policy manager generates security rules according to the resource association table and the security policies in the policy library;
The security policy enforcement entity updates its existing security rules and enforces them.
Embodiment one:
Application of the user-identity-based virtual resource access control method in a firewall device.
As shown in Fig. 1, it comprises the following steps:
S1. The cloud resource management platform creates or updates the resource association table and sends it to the security policy manager;
S2. The security administrator formulates and revises the security policies relevant to the firewall device through the policy development module in the security policy manager, and updates the policy library;
S3. The rule generation module in the security policy manager queries the resource association table to obtain the user information required by the security policy and the relevant information about the user's currently allocated resources (for example, IP addresses and port numbers);
S4. Using the information about the user's currently allocated resources obtained in S3, and according to the description of the security policy, the final five-tuple security rules are generated and sent to the firewall device;
S5. The firewall device updates its existing security rules and enforces them.
Throughout the process, if a user operation causes the resource allocation to change, the resource association table is immediately created or updated.
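As an added illustration of steps S3 to S5 (example code written for this page, not part of the patent): a resource association table, a policy library of templates, and a rule generator that substitutes the currently allocated IP address and port into five-tuple firewall rules, with the enforcement entity applying only the difference whenever an allocation changes. All field names, sample users, addresses and policies are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class ResourceRecord:
    """One row of the resource association table (constructed field set)."""
    user_id: str        # unique identity of the user
    user_name: str
    group: str          # group the user belongs to
    clearance: int      # user's security clearance level
    resource_type: str  # e.g. "db" or "vm"
    resource_name: str
    ip: str             # address currently allocated to the resource
    port: int

@dataclass(frozen=True)
class Policy:
    """Policy-library template; address fields are filled in from the table."""
    name: str
    group: str            # user group the policy applies to
    resource_type: str    # kind of allocated resource it targets
    action: str           # "permit" or "deny"
    protocol: str
    src: str = "any"      # source network allowed to reach the resource
    min_clearance: int = 0

@dataclass(frozen=True)
class FiveTuple:
    """Concrete firewall rule derived from a policy plus table data."""
    action: str
    protocol: str
    src_ip: str
    src_port: str
    dst_ip: str
    dst_port: int

class ResourceAssociationTable:
    """Kept by the cloud resource management platform; changed on every
    allocation or release so that rules can be regenerated promptly."""
    def __init__(self):
        self._rows = {}

    def allocate(self, rec):
        self._rows[(rec.user_id, rec.resource_name)] = rec

    def release(self, user_id, resource_name):
        self._rows.pop((user_id, resource_name), None)

    def rows(self):
        return list(self._rows.values())

def generate_rules(table, policies):
    """Rule generation module: for each policy, substitute the IP and port of
    every matching resource the users currently hold, yielding five-tuples."""
    rules = set()
    for p in policies:
        for r in table.rows():
            if (r.group == p.group and r.resource_type == p.resource_type
                    and r.clearance >= p.min_clearance):
                rules.add(FiveTuple(p.action, p.protocol, p.src, "any", r.ip, r.port))
    return rules

class Enforcer:
    """Security policy enforcement entity (firewall): applies the delta between
    its active rule set and the freshly generated one."""
    def __init__(self):
        self.active = set()

    def update(self, new_rules):
        added = new_rules - self.active
        removed = self.active - new_rules
        self.active = set(new_rules)
        return added, removed

def build_sample_table():
    """Constructed sample allocations (not real users or addresses)."""
    t = ResourceAssociationTable()
    t.allocate(ResourceRecord("u1001", "alice", "dev", 2, "db", "db-01", "10.0.1.5", 5432))
    t.allocate(ResourceRecord("u1001", "alice", "dev", 2, "vm", "web-01", "10.0.1.20", 22))
    t.allocate(ResourceRecord("u2002", "bob", "ops", 3, "vm", "web-02", "10.0.1.21", 22))
    return t

def sample_policies():
    """Constructed policy library entries."""
    return [
        Policy("dev-db", "dev", "db", "permit", "tcp", min_clearance=2),
        Policy("dev-ssh", "dev", "vm", "permit", "tcp", src="10.0.0.0/24"),
        Policy("ops-ssh", "ops", "vm", "permit", "tcp", src="10.0.9.0/24"),
    ]
```

Releasing a resource (`table.release("u1001", "db-01")`) and regenerating yields a rule set from which the enforcer removes exactly the stale five-tuple, which is the behaviour the patent's S5 and the "throughout the process" note describe.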
Embodiment two:
Application of the user-identity-based virtual resource access control method in a gateway device.
As shown in Fig. 1, it comprises the following steps:
S1. The cloud resource management platform creates or updates the resource association table and sends it to the security policy manager;
S2. The security administrator formulates and revises the security policies relevant to the gateway device through the policy development module in the security policy manager, and updates the policy library;
S3. The rule generation module in the security policy manager queries the resource association table to obtain the user information required by the security policy and the relevant information about the user's currently allocated resources (for example, IP addresses and port numbers);
S4. Using the information about the user's currently allocated resources obtained in S3, and according to the description of the security policy, the final security rules are generated and sent to the gateway device;
S5. The gateway device updates its existing security rules and enforces them.
Throughout the process, if a user operation causes the resource allocation to change, the resource association table is immediately created or updated.
Embodiment three:
Application of the user-identity-based virtual resource access control method in an intrusion detection system.
As shown in Fig. 1, it comprises the following steps:
S1. The cloud resource management platform creates or updates the resource association table and sends it to the security policy manager;
S2. The security administrator formulates and revises the security policies relevant to the intrusion detection system through the policy development module in the security policy manager, and updates the policy library;
S3. The rule generation module in the security policy manager queries the resource association table to obtain the user information required by the security policy and the relevant information about the user's currently allocated resources (for example, allowed or prohibited IP addresses and port numbers);
S4. Using the information about the user's currently allocated resources obtained in S3, and according to the description of the security policy, the final security rules are generated and sent to the security policy enforcement module in the intrusion detection system;
S5. The security policy enforcement module in the intrusion detection system updates its existing security rules and enforces them.
Throughout the process, if a user operation causes the resource allocation to change, the resource association table is immediately created or updated.
Embodiment four:
Application of the user-identity-based virtual resource access control method in an intrusion prevention system.
As shown in Fig. 1, it comprises the following steps:
S1. The cloud resource management platform creates or updates the resource association table and sends it to the security policy manager;
S2. The security administrator formulates and revises the security policies relevant to the intrusion prevention system through the policy development module in the security policy manager, and updates the policy library;
S3. The rule generation module in the security policy manager queries the resource association table to obtain the user information required by the security policy and the relevant information about the user's currently allocated resources (for example, allowed or prohibited IP addresses and port numbers);
S4. Using the information about the user's currently allocated resources obtained in S3, and according to the description of the security policy, the final security rules are generated and sent to the security policy enforcement module in the intrusion prevention system;
S5. The security policy enforcement module in the intrusion prevention system updates its existing security rules and enforces them.
Throughout the process, if a user operation causes the resource allocation to change, the resource association table is immediately created or updated.
Embodiment five:
Application of the user-identity-based virtual resource access control method in a network login management product.
As shown in Fig. 1, it comprises the following steps:
S1. The cloud resource management platform creates or updates the resource association table and sends it to the security policy manager;
S2. The security administrator formulates and revises the security policies relevant to network login management through the policy development module in the security policy manager, and updates the policy library;
S3. The rule generation module in the security policy manager queries the resource association table to obtain the user information required by the network-login-management security policies and the relevant information about the user's currently allocated resources (for example, IP addresses, port numbers and the user's group);
S4. Using the information about the user's currently allocated resources obtained in S3, and according to the description of the security policy, the final security rules are generated and sent to the network login management product;
S5. The network login management product updates its existing security rules and enforces them.
Throughout the process, if a user operation causes the resource allocation to change, the resource association table is immediately created or updated.
Embodiments of the invention have been explained above, but many variations are possible that do not depart from the inventive point and effect of the present invention, as will be readily apparent to those skilled in the art. Such variations are therefore also wholly included within the scope of protection of the present invention.
Claims (9)
1. A virtual resource access control method based on user identity, characterized in that it comprises the following steps:
The cloud resource management platform allocates resources according to user requests, and establishes and updates a resource association table according to the resource allocation state;
The security policy manager generates security rules according to the resource association table and the security policies in the policy library;
The security policy enforcement entity updates its existing security rules and enforces them.
2. The virtual resource access control method based on user identity according to claim 1, characterized in that the method is applied to a cloud computing environment, and the identity-based virtual resource access control method comprises two parts: a resource association table establishment and updating part, and a security policy manager rule generation part; the resource association table establishment and updating part mainly covers the creation and updating of the resource association table by the cloud resource management platform, and the security policy manager rule generation part mainly covers the formulation of security policies by the security administrator and the generation of the final security rules.
3. The step according to claim 1 in which the cloud resource management platform allocates resources according to user requests and establishes and updates the resource association table according to the resource allocation state, further including: the cloud resource management platform establishes the resource association table according to the current allocation state of resources; when a user operation causes the resource allocation state to change, the resource association table is updated promptly and sent to the security policy manager.
4. The step according to claim 1 in which the cloud resource management platform allocates resources according to user requests and establishes and updates the resource association table according to the resource allocation state, further including: the resource allocation state includes the actual identity of the user, where the actual identity of the user refers to the user's unique identity, user name or certificate; the identifiers of the resources currently in use, where the identifier of a resource currently in use refers to the resource type, resource name, MAC address, IP address, port number and so on; and other information required when generating security rules, where the other information refers to the user's group, the user's security clearance, the user's trust level and other information required for generating security rules.
5. The step according to claim 1 in which the security policy manager generates security rules according to the resource association table and the policies in the policy library, further including: when generating security rules, the security policy manager generates the final security rules according to the security policy and the resource association table, and sends them to the corresponding security policy enforcement entity.
6. The step according to claim 5 in which the security policy manager generates security rules according to the resource association table and the policies in the policy library, further including: when generating policies, the security administrator formulates and revises security policies through the policy development module in the security policy manager and updates the policy library.
7. The step according to claim 5 in which the security policy manager generates security rules according to the resource association table and the policies in the policy library, further including: generating security rules specifically means that the rule generation module in the security policy manager uses the information looked up in the resource association table, including IP addresses, port numbers and so on, to replace the corresponding parts of the security policy, producing security rules that match the current resource allocation state.
8. The step according to claim 1 in which the security policy enforcement entity updates its existing security rules and enforces them, further including: after receiving new security rules, the security policy enforcement entity updates its existing security rules and deploys and enforces the new security rules.
9. The step according to claim 8 in which the security policy enforcement entity updates its existing security rules and enforces them, further including: when a user operation causes the resource allocation state to change or the security policy changes, the security policy enforcement entity promptly receives and updates the security rules and enforces them.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610349749.6A CN105915535B (en) | 2016-05-24 | 2016-05-24 | A kind of virtual resources access control method based on user identity |
Publications (2)
Publication Number | Publication Date |
---|---|
CN105915535A (en) | 2016-08-31 |
CN105915535B (en) | 2017-10-31 |
Family ID: 56742236
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610349749.6A Active CN105915535B (en) | 2016-05-24 | 2016-05-24 | A kind of virtual resources access control method based on user identity |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN105915535B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108123924A (en) * | 2016-11-30 | 2018-06-05 | 中兴通讯股份有限公司 | A kind of method for managing resource and system |
CN109587095A (en) * | 2017-09-28 | 2019-04-05 | 中国电信股份有限公司 | Information security control method, device and system |
CN109040106A (en) * | 2018-08-28 | 2018-12-18 | 广州城市信息研究所有限公司 | A kind of transmission control method and device of service hierarchy classification |
CN112769825A (en) * | 2021-01-07 | 2021-05-07 | 深圳市永达电子信息股份有限公司 | Network security guarantee method, system and computer storage medium |
CN112866219A (en) * | 2021-01-07 | 2021-05-28 | 深圳市永达电子信息股份有限公司 | Safety management and control method and system |
CN112866220A (en) * | 2021-01-07 | 2021-05-28 | 深圳市永达电子信息股份有限公司 | Safety management and control method and system based on CIA state machine |
CN112769825B (en) * | 2021-01-07 | 2023-02-21 | 深圳市永达电子信息股份有限公司 | Network security guarantee method, system and computer storage medium |
Families Citing this family (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11882155B1 (en) | 2021-06-09 | 2024-01-23 | State Farm Mutual Automobile Insurance Company | Systems and methods for cybersecurity analysis and control of cloud-based systems |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101087187A (en) * | 2007-05-22 | 2007-12-12 | 网御神州科技(北京)有限公司 | A method and device for secure access control based on user |
CN101321064A (en) * | 2008-07-17 | 2008-12-10 | 上海众恒信息产业有限公司 | Information system access control method and apparatus based on digital certificate technique |
CN101729403A (en) * | 2009-12-10 | 2010-06-09 | 上海电机学院 | Access control method based on attribute and rule |
CN102624757A (en) * | 2011-01-26 | 2012-08-01 | 中山爱科数字家庭产业孵化基地有限公司 | Data security access method in cloud computing environment |
CN105184147A (en) * | 2015-09-08 | 2015-12-23 | 成都博元科技有限公司 | User security management method for cloud computing platform |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
C06 | Publication | ||
PB01 | Publication | ||
C10 | Entry into substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |