CN106559421A - The access control method and system of data object under a kind of cloud computing environment - Google Patents
The access control method and system of data object under a kind of cloud computing environment Download PDFInfo
- Publication number
- CN106559421A CN106559421A CN201610982386.XA CN201610982386A CN106559421A CN 106559421 A CN106559421 A CN 106559421A CN 201610982386 A CN201610982386 A CN 201610982386A CN 106559421 A CN106559421 A CN 106559421A
- Authority
- CN
- China
- Prior art keywords
- data object
- access
- data
- health degree
- evaluation
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
- H04L63/205—Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
Abstract
The present invention provides a kind of access control method and system of data object under cloud computing environment, can ensure the potential risk that is safe, reducing Accessor Access's bad data object of data object in Accessor Access's Cloud Server.Methods described includes:Acquisition is stored in the metadata of the data object in Cloud Server;The health degree grade of the data object is determined according to the metadata of the data object for getting;When data object described in Accessor Access, according to the mapping relations between the health degree grade and secure access strategy of the data object for pre-setting, it is the corresponding secure access strategy of visitor distribution according to the health degree grade of the data object of the Accessor Access.The present invention is applied to communication technical field.
Description
Technical field
The present invention relates to communication technical field, particularly relates to a kind of access control method of data object under cloud computing environment
And system.
Background technology
In recent years, with the novel information technology such as the fast development of network and the communication technology, especially cloud computing, big data
Rise, people can easily get the data resource needed for oneself by Cloud Server.Data are the carriers of information, are
Enterprise moves towards informationalized necessary basis and valuable capital, and the data storage of magnanimity has powerful temptation again to attacker.
The continuous progress of hacking technique increases data resource risk factor under fire under cloud computing environment, causes under cloud computing environment
Problem of data safety emerge in an endless stream, the access risk included by data resource also improve constantly.
Existing access control technology mainly carries out safe access control, the access control of such as based role from user perspective
User is divided into different roles by simulation, distributes different access rights according to different user roles, specifically, according to
Same type of user is distributed identical authority by the role of user, realizes the secure access strategy based on user role and renewal
Model, however, the data object for being stored in Cloud Server similarly has different confidence levels, but, existing cloud computing ring
Access control technology under border does not account for the confidence level of the accessed data object being stored in Cloud Server.
The content of the invention
The technical problem to be solved in the present invention be to provide under a kind of cloud computing environment the access control method of data object and
System, to solve the confidence level that not accounting for existing for prior art is stored in accessed data object in Cloud Server
Problem.
To solve above-mentioned technical problem, the embodiment of the present invention provides a kind of access control of data object under cloud computing environment
Method, including:
Acquisition is stored in the metadata of the data object in Cloud Server;
The health degree grade of the data object is determined according to the metadata of the data object for getting;
When data object described in Accessor Access, according to health degree grade and the safety visit of the data object for pre-setting
The mapping relations between strategy are asked, is the visitor according to the health degree grade of the data object of the Accessor Access
The corresponding secure access strategy of distribution.
Further, the metadata of the data object that the basis gets determines the health degree of the data object
Grade includes:
It is determined that the evaluation and test value of each evaluation metricses related to data health degree;
The evaluation and test value of each evaluation metrics is multiplied by into the corresponding weight of each evaluation metricses, each evaluation metrics is obtained to data
The contribution margin of health degree;
Each evaluation metrics for obtaining are added to the contribution margin of data health degree, total tribute to data health degree is obtained
Offer value;
The total contribution margin to data health degree for obtaining is multiplied by the conversion coefficient for pre-setting, the data pair are obtained
The health degree of elephant;
According to the mapping relations between the health degree grade of the health degree and data object of the data object for pre-setting, root
According to the health degree of the data object for obtaining, the health degree grade of the data object is obtained.
Further, the evaluation metricses related to data health degree include:Data standard compliance, ageing, data are complete
Whole property, credibility, accessibility, successful access rate and failed access rate;
The metadata of the data object includes:The type of data object, creation time, digital digest, data owner,
Digital signature, access chained address and access historical record, wherein, the access historical record includes:Number described in successful access
According to object historical record and failed access described in data object historical record;
The evaluation and test value for determining each evaluation metricses related to data health degree includes:
Judge whether the type of the data object meets the data standard specification for pre-setting, obtain the data standard
The evaluation and test value of accordance;
According to the creation time of the data object and whether access difference between the current time of the data object
Less than default time threshold, the ageing evaluation and test value is obtained;
Completeness check is carried out to the digital digest of the data object, the evaluation and test value of the data integrity is obtained;
According to the digital signature of the digital certificate and the data object of the data owner, the data object is verified
Credibility, obtain it is described credibility evaluation and test value;
The data object is accessed according to the access chained address of the data object, the evaluation and test of the accessibility is obtained
Value;
Obtain successful access described in data object number of times, will obtain successful access described in data object number of times divided by
The data object is accessed for total degree, obtains the evaluation and test value of the successful access rate;
Obtain failed access described in data object number of times, will obtain failed access described in data object number of times divided by
The data object is accessed for total degree, obtains the evaluation and test value of the failed access rate.
Further, it is described when data object described in Accessor Access, according to the health of the data object for pre-setting
Mapping relations between degree grade and secure access strategy, according to health degree of the data object of the Accessor Access etc.
Level is visitor's allocation of access rights, and provides corresponding safety and include with indicating risk:
When data object described in Accessor Access, according to health degree grade and the safety visit of the data object for pre-setting
The mapping relations between strategy are asked, is the visitor according to the health degree grade of the data object of the Accessor Access
Allocation of access rights, and provide corresponding safety and indicating risk.
Further, the health degree grade of the data object includes:It is excellent, good, in, it is poor;
It is described when data object described in Accessor Access, according to the data object for pre-setting health degree grade with peace
Mapping relations between full access strategy, are the visit according to the health degree grade of the data object of the Accessor Access
The person's of asking allocation of access rights, and provide corresponding safety and include with indicating risk:
If the health degree grade of the data object of Accessor Access is excellent, visitor is accessing the data object
During point out data obj ect security described in the visitor credible;
If the health degree grade of the data object of Accessor Access is good, the data object interviewee is normal
Access;
If during the health degree grade of the data object of Accessor Access is, visitor is accessing the data object
During point out described in the visitor data correspondence to there is security risk;
If the health degree grade of the data object of Accessor Access is poor, forbid data pair described in Accessor Access
As.
The embodiment of the present invention also provides a kind of access control system of data object under cloud computing environment, including:
Acquisition module, for obtaining the metadata of the data object being stored in Cloud Server;
Determining module, for the health degree of the data object is determined according to the metadata of the data object for getting
Grade;
Distribute module, for when data object described in Accessor Access, according to the health of the data object for pre-setting
Mapping relations between degree grade and secure access strategy, according to health degree of the data object of the Accessor Access etc.
Level is the corresponding secure access strategy of visitor distribution.
Further, the determining module includes:
First determining unit, for determining the evaluation and test value of each evaluation metricses related to data health degree;
Second determining unit, for the evaluation and test value of each evaluation metrics is multiplied by the corresponding weight of each evaluation metricses, obtains
Contribution margin of each evaluation metrics to data health degree;
3rd determining unit, for each evaluation metrics for obtaining are added to the contribution margin of data health degree, obtains total
The contribution margin to data health degree;
4th determining unit, for the total contribution margin to data health degree for obtaining is multiplied by the conversion system for pre-setting
Number, obtains the health degree of the data object;
5th determining unit, for the health degree according to the data object for pre-setting and the health degree grade of data object
Between mapping relations, according to the health degree of the data object for obtaining, obtain the health degree grade of the data object.
Further, the evaluation metricses related to data health degree include:Data standard compliance, ageing, data are complete
Whole property, credibility, accessibility, successful access rate and failed access rate;
The metadata of the data object includes:The type of data object, creation time, digital digest, data owner,
Digital signature, access chained address and access historical record, wherein, the access historical record includes:Number described in successful access
According to object historical record and failed access described in data object historical record;
First determining unit includes:
Judgment sub-unit, for judging whether the type of the data object meets the data standard specification for pre-setting,
Obtain the evaluation and test value of the data standard compliance;
Comparing subunit, for the creation time according to the data object and the current time for accessing the data object
Between difference whether be less than default time threshold, obtain the ageing evaluation and test value;
First verification subelement, carries out completeness check for the digital digest to the data object, obtains the number
According to the evaluation and test value of integrality;
Second verification subelement, the numeral for the digital certificate according to the data owner and the data object are signed
Name, verifies the credibility of the data object, obtains the evaluation and test value of the credibility;
Subelement is accessed, and for the data object being accessed according to the access chained address of the data object, obtains institute
State the evaluation and test value of accessibility;
First removes subunit, for obtaining the number of times of data object described in successful access, the successful access institute that will be obtained
The number of times for stating data object is accessed for total degree divided by the data object, obtains the evaluation and test value of the successful access rate;
Second removes subunit, for obtaining the number of times of data object described in failed access, the failed access institute that will be obtained
The number of times for stating data object is accessed for total degree divided by the data object, obtains the evaluation and test value of the failed access rate.
Further, the distribute module, for when data object described in Accessor Access, according to the number for pre-setting
According to the mapping relations between the health degree grade and secure access strategy of object, according to the data pair of the Accessor Access
The health degree grade of elephant is visitor's allocation of access rights, and provides corresponding safety and indicating risk.
Further, the health degree grade of the data object includes:It is excellent, good, in, it is poor;
The distribute module includes:
First allocation unit, if the health degree grade for the data object of Accessor Access is excellent, visitor
During the data object is accessed point out data obj ect security described in the visitor credible;
Second allocation unit, if the health degree grade for the data object of Accessor Access is good, the number
According to object, interviewee normally accesses;
3rd allocation unit, if the health degree grade for the data object of Accessor Access is, visitor
During the data object is accessed, point out data correspondence described in the visitor to there is security risk;
4th allocation unit, if the health degree grade for the data object of Accessor Access is poor, forbids visiting
The person of asking accesses the data object.
The above-mentioned technical proposal of the present invention has the beneficial effect that:
In such scheme, by the metadata for obtaining the data object being stored in Cloud Server;According to the institute for getting
The metadata for stating data object determines the health degree grade of the data object;When data object described in Accessor Access, press
The mapping relations between health degree grade and secure access strategy according to the data object for pre-setting, according to Accessor Access's
The health degree grade of the data object is the corresponding secure access strategy of visitor distribution.So, for different health
The data object of degree grade adopts different secure access strategies, can ensure data object in Accessor Access's Cloud Server
Safety, the potential risk for reducing Accessor Access's bad data object.
Description of the drawings
Fig. 1 is that the flow process of the access control method of data object under cloud computing environment provided in an embodiment of the present invention is illustrated
Figure;
Fig. 2 is that the detailed process of the access control method of data object under cloud computing environment provided in an embodiment of the present invention shows
It is intended to;
Fig. 3 is that the principle of the access control method of data object under cloud computing environment provided in an embodiment of the present invention is illustrated
Figure;
Fig. 4 is the structural representation of the access control system of data object under cloud computing environment provided in an embodiment of the present invention
Figure.
Specific embodiment
To make the technical problem to be solved in the present invention, technical scheme and advantage clearer, below in conjunction with accompanying drawing and tool
Body embodiment is described in detail.
The present invention is asked for the confidence level of the existing accessed data object for not accounting for being stored in Cloud Server
A kind of topic, there is provided the access control method and system of data object under cloud computing environment.
Embodiment one
Referring to shown in Fig. 1, the access control method of data object under cloud computing environment provided in an embodiment of the present invention is wrapped
Include:
S101, acquisition are stored in the metadata of the data object in Cloud Server;
S102, determines the health degree grade of the data object according to the metadata of the data object for getting;
S103, when data object described in Accessor Access, according to the data object for pre-setting health degree grade with
Mapping relations between secure access strategy, are described according to the health degree grade of the data object of the Accessor Access
The corresponding secure access strategy of visitor's distribution.
The access control method of data object under cloud computing environment described in the embodiment of the present invention, acquisition are stored in cloud service
The metadata of the data object in device;The health of the data object is determined according to the metadata of the data object for getting
Degree grade;When data object described in Accessor Access, according to health degree grade and the safety visit of the data object for pre-setting
The mapping relations between strategy are asked, is distributed for the visitor according to the health degree grade of the data object of Accessor Access
Corresponding secure access strategy.So, different secure access strategies, energy are adopted for the data object of different health degree grades
The potential wind that is safe, reducing Accessor Access's bad data object of data object in Accessor Access's Cloud Server is ensured enough
Danger.
In the present embodiment, abbreviation of the visitor for data access person, the data access person are stored in institute for access
State the user of the data object of Cloud Server.
As shown in Figures 2 and 3, in the present embodiment, for the health degree to data object under cloud computing environment (referred to as:Number
According to health degree) it is estimated, the health degree grade of data object is obtained, concrete step can include:
A11, by data owner upload data object arrive cloud platform/Cloud Server, upload data object to cloud platform/
Before Cloud Server, also include:Type, creation time according to the requirement explicit data object of data health degree evaluation metricses,
Digital digest, the digital signature of the data object are generated by cryptographic algorithm, these attributes are placed on behind data object,
Data object assessment body is formed, the process is referred to as secure package, the data object assessment body after secure package is submitted to into cloud clothes
Business device, the cryptographic algorithm that digital digest, digital signature are used during secure package can by data owner and cloud platform/
Cloud Server security service is consulted to determine;
Wherein, the data health degree evaluation metricses include:It is data standard compliance, ageing, data integrity, credible
Property, accessibility, successful access rate, failed access rate.
The characteristics of A12, data health degree evaluation services are directed to data object, extracts the metadata of data object, wherein,
The metadata of the data object is included but is not limited to:The type of data object, creation time, digital digest, digital signature, visit
Ask chained address, access historical record and data owner etc.;
Wherein, the data health degree evaluation services are separated with data object storage in logic, physically in Cloud Server
Upper operation is in order to obtaining the health degree assessment result of the metadata of data object, returned data object.
A13, the demand for security according to user under cloud computing environment to data object accesses, provide data under cloud computing environment
The definition of object health degree, proposes the evaluating standard of data health degree evaluation metricses on this basis, obtains each evaluation metrics
Evaluation and test value, and propose that data health degree comprehensive assessment function computing formula obtains the health degree of data object;Wherein, according to number
According to the evaluating standard of health degree evaluation metricses, the evaluation and test value for obtaining each evaluation metrics includes:
Data standard compliance:According to the type of data object, check whether which accords with according to International or National relevant criterion
Close correlation standard;If meeting data standard specification, the index is 1, is not inconsistent and is combined into 0.
It is ageing:According to the difference between the current time of the creation time and the access data object of data object it is
It is no to judge ageing less than default time threshold, if whether difference therebetween is less than default time threshold, when
Preferably, the index is 1 to effect property, and otherwise, the index is 0.
Data integrity:Data object is being uploaded to before Cloud Server by data owner, data object is being dissipated
Column operations, obtains its hashed value as digital digest, the hashed value is placed on behind the data object as completeness check
Foundation;Data health degree evaluation services periodically carry out completeness check to the hashed value, if by completeness check, this refers to
1 is designated as, not by being then 0.
It is credible:Data object is being uploaded to before Cloud Server by data owner, the numeral of the data object is being plucked
To be digitally signed by its private key, the signature value is placed on behind the data object as the foundation of Trusting eBusiness;Number
According to health degree evaluation services according to the digital signature of the digital certificate and data object of data owner, the periodic check data pair
The credibility of elephant;If by credible verification, the index is 1, not by for 0.
Accessibility:Can the data object be accessed according to the corresponding access chained address of data object, if can access
Then the index is 1, and otherwise, it is impossible to access the object, the index is 0.
Successful access rate:The number of times of visitor's successful access data object is accessed for total degree divided by the data object.
Failed access rate:The number of times of visitor's failed access data object is accessed for total degree divided by the data object.
A14, to arrange weight w before each evaluation metricsi, each evaluation and test is referred to by data health degree comprehensive assessment function
Target evaluation and test value SiIt is multiplied by respective weights wiContribution margin of the evaluation metricses to data health degree is obtained, by all evaluation metricses
The contribution margin of data health degree is added, and obtains total contribution margin to data health degree, by total contribution to data health degree
Value is multiplied by the health degree that conversion coefficient k obtains data object, and the data health degree comprehensive assessment function representation is:
Wherein, D represents the health degree of data object, and n represents the number of data health degree evaluation metricses, wiRepresent that i-th comments
Survey the corresponding weight of index, SiThe evaluation and test value of the i-th evaluation metricses is represented, k represents conversion coefficient.
In the present embodiment, for example, by weight wiWith the design of conversion coefficient k, data health degree is mapped to into 0~100
Interval integer value.
A15, by weight wiWith the design of conversion coefficient k, data health degree is mapped to into the integer in 0~100 interval
After value, can by integer value size be divided into it is excellent, good, in, differ from the health degree grade of four different data objects, for example, wherein,
0~40 is poor, and during 40~60 are, 60~80 is good, and 80~100 is excellent.
In the present embodiment, as an alternative embodiment, the metadata of the data object that the basis gets determines
The health degree grade of the data object includes:
It is determined that the evaluation and test value of each evaluation metricses related to data health degree;
The evaluation and test value of each evaluation metrics is multiplied by into the corresponding weight of each evaluation metricses, each evaluation metrics is obtained to data
The contribution margin of health degree;
Each evaluation metrics for obtaining are added to the contribution margin of data health degree, total tribute to data health degree is obtained
Offer value;
The total contribution margin to data health degree for obtaining is multiplied by the conversion coefficient for pre-setting, the data pair are obtained
The health degree of elephant;
According to the mapping relations between the health degree grade of the health degree and data object of the data object for pre-setting, root
According to the health degree of the data object for obtaining, the health degree grade of the data object is obtained.
In the present embodiment, as another alternative embodiment, the determination each evaluation metricses related to data health degree
Evaluation and test value include:
Judge whether the type of the data object meets the data standard specification for pre-setting, obtain the data standard
The evaluation and test value of accordance;
According to the creation time of the data object and whether access difference between the current time of the data object
Less than default time threshold, the ageing evaluation and test value is obtained;
Completeness check is carried out to the digital digest of the data object, the evaluation and test value of the data integrity is obtained;
According to the digital signature of the digital certificate and the data object of the data owner, the data object is verified
Credibility, obtain it is described credibility evaluation and test value;
The data object is accessed according to the access chained address of the data object, the evaluation and test of the accessibility is obtained
Value;
Obtain successful access described in data object number of times, will obtain successful access described in data object number of times divided by
The data object is accessed for total degree, obtains the evaluation and test value of the successful access rate;
Obtain failed access described in data object number of times, will obtain failed access described in data object number of times divided by
The data object is accessed for total degree, obtains the evaluation and test value of the failed access rate.
As shown in figure 3, in the present embodiment, the health degree grade of the data object for obtaining can also be stored in data
In health degree list, cloud platform/Cloud Server keeper is formulated according to the health degree grade being stored in data health degree list
Different secure access strategies, obtains the mapping relations between the health degree grade of data object and secure access strategy.So,
The maker of secure access strategy expands to cloud platform/Cloud Server keeper by data owner, it is not necessary to data owner
Participate and draw secure access strategy, on the one hand, can formulate with effectively save data owner the time of secure access strategy, it is another
Aspect, the object of access control expand to data object itself by visitor, can be on the premise of the access that guarantees data security
Trusting degree of the visitor to accessed data object is improved, the potential risk that the unhealthy data of Accessor Access are brought is reduced;
Wherein, the secure access strategy includes:Access rights and corresponding safety and indicating risk.
As shown in Figures 2 and 3, in the present embodiment, after customization secure access strategy, visitor is under cloud computing environment
Data object initiate access request, cloud platform/Cloud Server can according to the health degree list and secure access strategy (or,
Mapping relations between the health degree grade and secure access strategy of data object) response is carried out to this access, to visitor
The actual access rights of distribution, and carry out corresponding safety and indicating risk.
It is in the present embodiment, as an alternative embodiment, described when data object described in Accessor Access, according to setting in advance
Mapping relations between the health degree grade and secure access strategy of the data object put, according to the Accessor Access
The health degree grade of data object is visitor's allocation of access rights, and provides corresponding safety and include with indicating risk:
When data object described in Accessor Access, according to health degree grade and the safety visit of the data object for pre-setting
The mapping relations between strategy are asked, is the visitor according to the health degree grade of the data object of the Accessor Access
Allocation of access rights, and provide corresponding safety and indicating risk.
In the present embodiment, the health degree grade of the data object includes:It is excellent, good, in, it is poor;If Accessor Access's
The health degree grade of the data object can point out the data obj ect security can for excellent, then during the data object is accessed
Letter.If the health degree grade of the data object of Accessor Access is good, the data object can be by the positive frequentation of user
Ask, point out the data object normal.During if the health degree grade of the data object of Accessor Access were, data object
Interviewee has an indicating risk when accessing, and points out the visitor data object to have certain security risk.If visitor
The health degree grade of the data object for accessing is poor, then forbid Accessor Access's data object.So, for different strong
The data object of Kang Du grades adopts different secure access strategies, ensures the peace of data object in Accessor Access's cloud platform
Entirely, reduce the potential risk of Accessor Access's bad data object.
In the present embodiment, used as another alternative embodiment, the health degree grade of the data object includes:It is excellent, good, in,
Difference;
It is described when data object described in Accessor Access, according to the data object for pre-setting health degree grade with peace
Mapping relations between full access strategy, are the visit according to the health degree grade of the data object of the Accessor Access
The person's of asking allocation of access rights, and provide corresponding safety and include with indicating risk:
If the health degree grade of the data object of Accessor Access is excellent, visitor is accessing the data object
During point out data obj ect security described in the visitor credible;
If the health degree grade of the data object of Accessor Access is good, the data object interviewee is normal
Access;
If during the health degree grade of the data object of Accessor Access is, visitor is accessing the data object
During point out described in the visitor data correspondence to there is security risk;
If the health degree grade of the data object of Accessor Access is poor, forbid data pair described in Accessor Access
As.
Embodiment two
The present invention also provides a kind of specific embodiment of the access control system of data object under cloud computing environment, due to
The visit of access control system and the data object under aforementioned cloud computing environment of data object under the cloud computing environment that the present invention is provided
Ask that the specific embodiment of control method is corresponding, the access control system of data object can be by holding under the cloud computing environment
Process step in row said method specific embodiment is realizing data under the purpose of the present invention, therefore above-mentioned cloud computing environment
Explanation in the access control method specific embodiment of object, is also applied for number under the cloud computing environment of present invention offer
According to the specific embodiment of the access control system of object, will not be described in great detail in detailed description below of the present invention.
Referring to shown in Fig. 4, the embodiment of the present invention also provides a kind of access control system of data object under cloud computing environment,
Including:
Acquisition module 11, for obtaining the metadata of the data object being stored in Cloud Server;
Determining module 12, for the health of the data object is determined according to the metadata of the data object for getting
Degree grade;
Distribute module 13, for when data object described in Accessor Access, according to the strong of the data object for pre-setting
Mapping relations between Kang Du grades and secure access strategy, according to the health degree of the data object of the Accessor Access
Grade is the corresponding secure access strategy of visitor distribution.
The access control system of data object under cloud computing environment described in the embodiment of the present invention, is stored in cloud by obtaining
The metadata of the data object in server;The data object is determined according to the metadata of the data object for getting
Health degree grade;When data object described in Accessor Access, according to health degree grade and the peace of the data object for pre-setting
Mapping relations between full access strategy, are the visitor according to the health degree grade of the data object of Accessor Access
The corresponding secure access strategy of distribution.So, different secure access plans is adopted for the data object of different health degree grades
Slightly, can ensure data object in Accessor Access's Cloud Server it is safe, reduce the latent of Accessor Access's bad data object
In risk.
Under aforementioned cloud computing environment in the specific embodiment of the access control system of data object, further, institute
Stating determining module includes:
First determining unit, for determining the evaluation and test value of each evaluation metricses related to data health degree;
Second determining unit, for the evaluation and test value of each evaluation metrics is multiplied by the corresponding weight of each evaluation metricses, obtains
Contribution margin of each evaluation metrics to data health degree;
3rd determining unit, for each evaluation metrics for obtaining are added to the contribution margin of data health degree, obtains total
The contribution margin to data health degree;
4th determining unit, for the total contribution margin to data health degree for obtaining is multiplied by the conversion system for pre-setting
Number, obtains the health degree of the data object;
5th determining unit, for the health degree according to the data object for pre-setting and the health degree grade of data object
Between mapping relations, according to the health degree of the data object for obtaining, obtain the health degree grade of the data object.
Under aforementioned cloud computing environment in the specific embodiment of the access control system of data object, further, with
The related evaluation metricses of data health degree include:Data standard compliance, ageing, data integrity, credibility, may have access to
Property, successful access rate and failed access rate;
The metadata of the data object includes:The type of data object, creation time, digital digest, data owner,
Digital signature, access chained address and access historical record, wherein, the access historical record includes:Number described in successful access
According to object historical record and failed access described in data object historical record;
First determining unit includes:
Judgment sub-unit, for judging whether the type of the data object meets the data standard specification for pre-setting,
Obtain the evaluation and test value of the data standard compliance;
Comparing subunit, for the creation time according to the data object and the current time for accessing the data object
Between difference whether be less than default time threshold, obtain the ageing evaluation and test value;
First verification subelement, carries out completeness check for the digital digest to the data object, obtains the number
According to the evaluation and test value of integrality;
Second verification subelement, the numeral for the digital certificate according to the data owner and the data object are signed
Name, verifies the credibility of the data object, obtains the evaluation and test value of the credibility;
Subelement is accessed, and for the data object being accessed according to the access chained address of the data object, obtains institute
State the evaluation and test value of accessibility;
First removes subunit, for obtaining the number of times of data object described in successful access, the successful access institute that will be obtained
The number of times for stating data object is accessed for total degree divided by the data object, obtains the evaluation and test value of the successful access rate;
Second removes subunit, for obtaining the number of times of data object described in failed access, the failed access institute that will be obtained
The number of times for stating data object is accessed for total degree divided by the data object, obtains the evaluation and test value of the failed access rate.
Under aforementioned cloud computing environment in the specific embodiment of the access control system of data object, further, institute
Distribute module is stated, for when data object described in Accessor Access, according to the health degree grade of the data object for pre-setting
With the mapping relations between secure access strategy, it is institute according to the health degree grade of the data object of the Accessor Access
Visitor's allocation of access rights is stated, and provides corresponding safety and indicating risk.
Under aforementioned cloud computing environment in the specific embodiment of the access control system of data object, further, institute
The health degree grade for stating data object includes:It is excellent, good, in, it is poor;
The distribute module includes:
First allocation unit, if the health degree grade for the data object of Accessor Access is excellent, visitor
During the data object is accessed point out data obj ect security described in the visitor credible;
Second allocation unit, if the health degree grade for the data object of Accessor Access is good, the number
According to object, interviewee normally accesses;
3rd allocation unit, if the health degree grade for the data object of Accessor Access is, visitor
During the data object is accessed, point out data correspondence described in the visitor to there is security risk;
4th allocation unit, if the health degree grade for the data object of Accessor Access is poor, forbids visiting
The person of asking accesses the data object.
The above is the preferred embodiment of the present invention, it is noted that for those skilled in the art
For, on the premise of without departing from principle of the present invention, some improvements and modifications can also be made, these improvements and modifications
Should be regarded as protection scope of the present invention.
Claims (10)
1. under a kind of cloud computing environment data object access control method, it is characterised in that include:
Acquisition is stored in the metadata of the data object in Cloud Server;
The health degree grade of the data object is determined according to the metadata of the data object for getting;
When data object described in Accessor Access, according to health degree grade and the secure access plan of the data object for pre-setting
Mapping relations between slightly, distribute for the visitor according to the health degree grade of the data object of the Accessor Access
Corresponding secure access strategy.
2. under cloud computing environment according to claim 1 data object access control method, it is characterised in that described
Determine that according to the metadata of the data object for getting the health degree grade of the data object includes:
It is determined that the evaluation and test value of each evaluation metricses related to data health degree;
The evaluation and test value of each evaluation metrics is multiplied by into the corresponding weight of each evaluation metricses, each evaluation metrics is obtained to data health
The contribution margin of degree;
Each evaluation metrics for obtaining are added to the contribution margin of data health degree, total contribution to data health degree is obtained
Value;
The total contribution margin to data health degree for obtaining is multiplied by the conversion coefficient for pre-setting, the data object is obtained
Health degree;
According to the mapping relations between the health degree grade of the health degree and data object of the data object for pre-setting, according to
The health degree of the data object for arriving, obtains the health degree grade of the data object.
3. under cloud computing environment according to claim 2 data object access control method, it is characterised in that with data
The related evaluation metricses of health degree include:Data standard compliance, ageing, data integrity, credibility, accessibility, into
Work(rate of people logging in and failed access rate;
The metadata of the data object includes:The type of data object, creation time, digital digest, data owner, numeral
Signature, access chained address and access historical record, wherein, the access historical record includes:Data pair described in successful access
The historical record of data object described in the historical record and failed access of elephant;
The evaluation and test value for determining each evaluation metricses related to data health degree includes:
Judge whether the type of the data object meets the data standard specification for pre-setting, obtain the data standard and meet
The evaluation and test value of property;
Whether it is less than according to the difference between the current time of the creation time and the access data object of the data object
Default time threshold, obtains the ageing evaluation and test value;
Completeness check is carried out to the digital digest of the data object, the evaluation and test value of the data integrity is obtained;
According to the digital signature of the digital certificate and the data object of the data owner, verify the data object can
Letter property, obtains the evaluation and test value of the credibility;
The data object is accessed according to the access chained address of the data object, the evaluation and test value of the accessibility is obtained;
The number of times of data object described in successful access is obtained, the number of times of data object is divided by described described in the successful access that will be obtained
Data object is accessed for total degree, obtains the evaluation and test value of the successful access rate;
The number of times of data object described in failed access is obtained, the number of times of data object is divided by described described in the failed access that will be obtained
Data object is accessed for total degree, obtains the evaluation and test value of the failed access rate.
4. under cloud computing environment according to claim 1 data object access control method, it is characterised in that it is described work as
Described in Accessor Access during data object, according between the health degree grade and secure access strategy of the data object for pre-setting
Mapping relations, be that the visitor distributes access right according to the health degree grade of the data object of the Accessor Access
Limiting, and provide corresponding safety is included with indicating risk:
When data object described in Accessor Access, according to health degree grade and the secure access plan of the data object for pre-setting
Mapping relations between slightly, distribute for the visitor according to the health degree grade of the data object of the Accessor Access
Access rights, and provide corresponding safety and indicating risk.
5. under cloud computing environment according to claim 4 data object access control method, it is characterised in that the number
Include according to the health degree grade of object:It is excellent, good, in, it is poor;
It is described when data object described in Accessor Access, according to the data object for pre-setting health degree grade with safety visit
The mapping relations between strategy are asked, is the visitor according to the health degree grade of the data object of the Accessor Access
Allocation of access rights, and provide corresponding safety and include with indicating risk:
If the health degree grade of the data object of Accessor Access is excellent, visitor is accessing the mistake of the data object
Point out data obj ect security described in the visitor credible in journey;
If the health degree grade of the data object of Accessor Access is for good, the positive frequentation of the data object interviewee
Ask;
If during the health degree grade of the data object of Accessor Access is, visitor is accessing the mistake of the data object
Data correspondence described in the visitor is pointed out to there is security risk in journey;
If the health degree grade of the data object of Accessor Access is poor, forbid data object described in Accessor Access.
6. under a kind of cloud computing environment data object access control system, it is characterised in that include:
Acquisition module, for obtaining the metadata of the data object being stored in Cloud Server;
Determining module, for determining health degree of the data object etc. according to the metadata of the data object for getting
Level;
Distribute module, for when data object described in Accessor Access, according to the health degree etc. of the data object for pre-setting
Mapping relations between level and secure access strategy, according to the health degree grade of the data object of the Accessor Access be
Visitor's distribution is corresponding to have secure access to strategy.
7. under cloud computing environment according to claim 6 data object access control system, it is characterised in that it is described really
Cover half block includes:
First determining unit, for determining the evaluation and test value of each evaluation metricses related to data health degree;
Second determining unit, for the evaluation and test value of each evaluation metrics is multiplied by the corresponding weight of each evaluation metricses, obtains each
Contribution margin of the evaluation metricses to data health degree;
3rd determining unit, for each evaluation metrics for obtaining are added to the contribution margin of data health degree, obtains total right
The contribution margin of data health degree;
4th determining unit, for the total contribution margin to data health degree for obtaining is multiplied by the conversion coefficient for pre-setting,
Obtain the health degree of the data object;
5th determining unit, between the health degree grade according to the health degree and data object of the data object for pre-setting
Mapping relations, according to the health degree of the data object for obtaining, obtain the health degree grade of the data object.
8. under cloud computing environment according to claim 7 data object access control system, it is characterised in that with data
The related evaluation metricses of health degree include:Data standard compliance, ageing, data integrity, credibility, accessibility, into
Work(rate of people logging in and failed access rate;
The metadata of the data object includes:The type of data object, creation time, digital digest, data owner, numeral
Signature, access chained address and access historical record, wherein, the access historical record includes:Data pair described in successful access
The historical record of data object described in the historical record and failed access of elephant;
First determining unit includes:
Judgment sub-unit, for judging whether the type of the data object meets the data standard specification for pre-setting, obtains
The evaluation and test value of the data standard compliance;
Comparing subunit, between the current time for the creation time according to the data object and the access data object
Difference whether be less than default time threshold, obtain the ageing evaluation and test value;
First verification subelement, carries out completeness check for the digital digest to the data object, obtains the data complete
The evaluation and test value of whole property;
Second verification subelement, for the digital certificate according to the data owner and the digital signature of the data object,
The credibility of the data object is verified, the evaluation and test value of the credibility is obtained;
Access subelement, for accessing the data object according to the access chained address of the data object, obtain it is described can
The evaluation and test value of access property;
First removes subunit, for obtaining the number of times of data object described in successful access, number described in the successful access that will be obtained
Total degree is accessed for divided by the data object according to the number of times of object, obtains the evaluation and test value of the successful access rate;
Second removes subunit, for obtaining the number of times of data object described in failed access, number described in the failed access that will be obtained
Total degree is accessed for divided by the data object according to the number of times of object, obtains the evaluation and test value of the failed access rate.
9. under cloud computing environment according to claim 6 data object access control system, it is characterised in that described point
With module, for when data object described in Accessor Access, according to health degree grade and the peace of the data object for pre-setting
Mapping relations between full access strategy, are the visit according to the health degree grade of the data object of the Accessor Access
The person's of asking allocation of access rights, and provide corresponding safety and indicating risk.
10. under cloud computing environment according to claim 9 data object access control system, it is characterised in that it is described
The health degree grade of data object includes:It is excellent, good, in, it is poor;
The distribute module includes:
First allocation unit, if the health degree grade for the data object of Accessor Access is excellent, visitor is visiting
Point out data obj ect security described in the visitor credible during asking the data object;
Second allocation unit, if the health degree grade for the data object of Accessor Access is good, the data pair
As interviewee normally accesses;
3rd allocation unit, if the health degree grade for the data object of Accessor Access is, visitor is visiting
Data correspondence described in the visitor is pointed out to there is security risk during asking the data object;
4th allocation unit, if the health degree grade for the data object of Accessor Access is poor, forbids visitor
Access the data object.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610982386.XA CN106559421B (en) | 2016-11-08 | 2016-11-08 | The access control method and system of data object under a kind of cloud computing environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201610982386.XA CN106559421B (en) | 2016-11-08 | 2016-11-08 | The access control method and system of data object under a kind of cloud computing environment |
Publications (2)
Publication Number | Publication Date |
---|---|
CN106559421A true CN106559421A (en) | 2017-04-05 |
CN106559421B CN106559421B (en) | 2019-09-10 |
Family
ID=58444274
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201610982386.XA Active CN106559421B (en) | 2016-11-08 | 2016-11-08 | The access control method and system of data object under a kind of cloud computing environment |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN106559421B (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102687133A (en) * | 2009-11-16 | 2012-09-19 | 微软公司 | Containerless data for trustworthy computing and data services |
CN103139007A (en) * | 2011-12-05 | 2013-06-05 | 阿里巴巴集团控股有限公司 | Method and system for detecting application server performance |
CN103699534A (en) * | 2012-09-27 | 2014-04-02 | 腾讯科技(深圳)有限公司 | Display method and device for data object in system directory |
CN103729593A (en) * | 2013-12-31 | 2014-04-16 | 安一恒通(北京)科技有限公司 | Method and system for recognizing file safety |
CN105631344A (en) * | 2015-04-30 | 2016-06-01 | 南京酷派软件技术有限公司 | Security data access control method and system as well as terminal |
-
2016
- 2016-11-08 CN CN201610982386.XA patent/CN106559421B/en active Active
Patent Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102687133A (en) * | 2009-11-16 | 2012-09-19 | 微软公司 | Containerless data for trustworthy computing and data services |
CN103139007A (en) * | 2011-12-05 | 2013-06-05 | 阿里巴巴集团控股有限公司 | Method and system for detecting application server performance |
CN103699534A (en) * | 2012-09-27 | 2014-04-02 | 腾讯科技(深圳)有限公司 | Display method and device for data object in system directory |
CN103729593A (en) * | 2013-12-31 | 2014-04-16 | 安一恒通(北京)科技有限公司 | Method and system for recognizing file safety |
CN105631344A (en) * | 2015-04-30 | 2016-06-01 | 南京酷派软件技术有限公司 | Security data access control method and system as well as terminal |
Non-Patent Citations (1)
Title |
---|
宋涛: "《网络环境下服务可信建模与方法的研究》", 《中国优秀硕士学位论文全文数据库(信息科技辑)》 * |
Also Published As
Publication number | Publication date |
---|---|
CN106559421B (en) | 2019-09-10 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN112348204B (en) | Safe sharing method for marine Internet of things data under edge computing framework based on federal learning and block chain technology | |
CN108875327A (en) | One seed nucleus body method and apparatus | |
CN102761551B (en) | System and method for multilevel cross-domain access control | |
US10063535B2 (en) | User authentication based on personal access history | |
CN103685244B (en) | A kind of differentiation authentication method and device | |
JP2016539436A5 (en) | ||
US8978159B1 (en) | Methods and apparatus for mediating access to derivatives of sensitive data | |
CN105045597B (en) | A kind of JAVA card object reference method and device | |
CN110417820A (en) | Processing method, device and the readable storage medium storing program for executing of single-node login system | |
CN105988739A (en) | Location and boundary controls for storage volumes | |
CN105516117A (en) | Cloud computing based power data security storage method | |
CN105933245A (en) | Secure and credible access method in software defined network | |
CN104836777B (en) | Identity verification method and system | |
CN104009959A (en) | XACML-based verifiable cloud access control method | |
CN107689941A (en) | A kind of apparatus and method for preventing same user's repeat logon | |
CN113242230A (en) | Multi-level authentication and access control system and method based on intelligent contracts | |
WO2019052469A1 (en) | Network request processing method and apparatus, electronic device, and storage medium | |
CN103327036A (en) | Identification method of Internet browsing devices and Cookie server | |
CN106060048A (en) | Network resource access method and network resource access device | |
Ke et al. | A privacy risk assessment scheme for fog nodes in access control system | |
CN106559421A (en) | The access control method and system of data object under a kind of cloud computing environment | |
CN113544665A (en) | Execution of measurements on trusted agents in resource-constrained environments using proof of operation | |
CN104009846B (en) | A kind of single-sign-on apparatus and method | |
CN105516134A (en) | Authentication method and system for system integration | |
CN106230769B (en) | Mobile cloud data staging connection control method based on mobile terminal degree of belief |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant | ||
TR01 | Transfer of patent right | ||
TR01 | Transfer of patent right |
Effective date of registration: 20200201 Address after: No.163, East 2nd Street, Yudai, Yongding town, Mentougou District, Beijing Patentee after: Luban (Beijing) Electronic Commerce Technology Co., Ltd. Address before: 100083 Haidian District, Xueyuan Road, No. 30, Patentee before: University OF SCIENCE AND TECHNOLOGY BEIJING |