CN106559421A - The access control method and system of data object under a kind of cloud computing environment - Google Patents

The access control method and system of data object under a kind of cloud computing environment Download PDF

Info

Publication number
CN106559421A
CN106559421A CN201610982386.XA CN201610982386A CN106559421A CN 106559421 A CN106559421 A CN 106559421A CN 201610982386 A CN201610982386 A CN 201610982386A CN 106559421 A CN106559421 A CN 106559421A
Authority
CN
China
Prior art keywords
data object
access
data
health degree
evaluation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201610982386.XA
Other languages
Chinese (zh)
Other versions
CN106559421B (en
Inventor
陈红松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Luban (beijing) Electronic Commerce Technology Co Ltd
Original Assignee
University of Science and Technology Beijing USTB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Science and Technology Beijing USTB filed Critical University of Science and Technology Beijing USTB
Priority to CN201610982386.XA priority Critical patent/CN106559421B/en
Publication of CN106559421A publication Critical patent/CN106559421A/en
Application granted granted Critical
Publication of CN106559421B publication Critical patent/CN106559421B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Abstract

The present invention provides a kind of access control method and system of data object under cloud computing environment, can ensure the potential risk that is safe, reducing Accessor Access's bad data object of data object in Accessor Access's Cloud Server.Methods described includes:Acquisition is stored in the metadata of the data object in Cloud Server;The health degree grade of the data object is determined according to the metadata of the data object for getting;When data object described in Accessor Access, according to the mapping relations between the health degree grade and secure access strategy of the data object for pre-setting, it is the corresponding secure access strategy of visitor distribution according to the health degree grade of the data object of the Accessor Access.The present invention is applied to communication technical field.

Description

The access control method and system of data object under a kind of cloud computing environment
Technical field
The present invention relates to communication technical field, particularly relates to a kind of access control method of data object under cloud computing environment And system.
Background technology
In recent years, with the novel information technology such as the fast development of network and the communication technology, especially cloud computing, big data Rise, people can easily get the data resource needed for oneself by Cloud Server.Data are the carriers of information, are Enterprise moves towards informationalized necessary basis and valuable capital, and the data storage of magnanimity has powerful temptation again to attacker. The continuous progress of hacking technique increases data resource risk factor under fire under cloud computing environment, causes under cloud computing environment Problem of data safety emerge in an endless stream, the access risk included by data resource also improve constantly.
Existing access control technology mainly carries out safe access control, the access control of such as based role from user perspective User is divided into different roles by simulation, distributes different access rights according to different user roles, specifically, according to Same type of user is distributed identical authority by the role of user, realizes the secure access strategy based on user role and renewal Model, however, the data object for being stored in Cloud Server similarly has different confidence levels, but, existing cloud computing ring Access control technology under border does not account for the confidence level of the accessed data object being stored in Cloud Server.
The content of the invention
The technical problem to be solved in the present invention be to provide under a kind of cloud computing environment the access control method of data object and System, to solve the confidence level that not accounting for existing for prior art is stored in accessed data object in Cloud Server Problem.
To solve above-mentioned technical problem, the embodiment of the present invention provides a kind of access control of data object under cloud computing environment Method, including:
Acquisition is stored in the metadata of the data object in Cloud Server;
The health degree grade of the data object is determined according to the metadata of the data object for getting;
When data object described in Accessor Access, according to health degree grade and the safety visit of the data object for pre-setting The mapping relations between strategy are asked, is the visitor according to the health degree grade of the data object of the Accessor Access The corresponding secure access strategy of distribution.
Further, the metadata of the data object that the basis gets determines the health degree of the data object Grade includes:
It is determined that the evaluation and test value of each evaluation metricses related to data health degree;
The evaluation and test value of each evaluation metrics is multiplied by into the corresponding weight of each evaluation metricses, each evaluation metrics is obtained to data The contribution margin of health degree;
Each evaluation metrics for obtaining are added to the contribution margin of data health degree, total tribute to data health degree is obtained Offer value;
The total contribution margin to data health degree for obtaining is multiplied by the conversion coefficient for pre-setting, the data pair are obtained The health degree of elephant;
According to the mapping relations between the health degree grade of the health degree and data object of the data object for pre-setting, root According to the health degree of the data object for obtaining, the health degree grade of the data object is obtained.
Further, the evaluation metricses related to data health degree include:Data standard compliance, ageing, data are complete Whole property, credibility, accessibility, successful access rate and failed access rate;
The metadata of the data object includes:The type of data object, creation time, digital digest, data owner, Digital signature, access chained address and access historical record, wherein, the access historical record includes:Number described in successful access According to object historical record and failed access described in data object historical record;
The evaluation and test value for determining each evaluation metricses related to data health degree includes:
Judge whether the type of the data object meets the data standard specification for pre-setting, obtain the data standard The evaluation and test value of accordance;
According to the creation time of the data object and whether access difference between the current time of the data object Less than default time threshold, the ageing evaluation and test value is obtained;
Completeness check is carried out to the digital digest of the data object, the evaluation and test value of the data integrity is obtained;
According to the digital signature of the digital certificate and the data object of the data owner, the data object is verified Credibility, obtain it is described credibility evaluation and test value;
The data object is accessed according to the access chained address of the data object, the evaluation and test of the accessibility is obtained Value;
Obtain successful access described in data object number of times, will obtain successful access described in data object number of times divided by The data object is accessed for total degree, obtains the evaluation and test value of the successful access rate;
Obtain failed access described in data object number of times, will obtain failed access described in data object number of times divided by The data object is accessed for total degree, obtains the evaluation and test value of the failed access rate.
Further, it is described when data object described in Accessor Access, according to the health of the data object for pre-setting Mapping relations between degree grade and secure access strategy, according to health degree of the data object of the Accessor Access etc. Level is visitor's allocation of access rights, and provides corresponding safety and include with indicating risk:
When data object described in Accessor Access, according to health degree grade and the safety visit of the data object for pre-setting The mapping relations between strategy are asked, is the visitor according to the health degree grade of the data object of the Accessor Access Allocation of access rights, and provide corresponding safety and indicating risk.
Further, the health degree grade of the data object includes:It is excellent, good, in, it is poor;
It is described when data object described in Accessor Access, according to the data object for pre-setting health degree grade with peace Mapping relations between full access strategy, are the visit according to the health degree grade of the data object of the Accessor Access The person's of asking allocation of access rights, and provide corresponding safety and include with indicating risk:
If the health degree grade of the data object of Accessor Access is excellent, visitor is accessing the data object During point out data obj ect security described in the visitor credible;
If the health degree grade of the data object of Accessor Access is good, the data object interviewee is normal Access;
If during the health degree grade of the data object of Accessor Access is, visitor is accessing the data object During point out described in the visitor data correspondence to there is security risk;
If the health degree grade of the data object of Accessor Access is poor, forbid data pair described in Accessor Access As.
The embodiment of the present invention also provides a kind of access control system of data object under cloud computing environment, including:
Acquisition module, for obtaining the metadata of the data object being stored in Cloud Server;
Determining module, for the health degree of the data object is determined according to the metadata of the data object for getting Grade;
Distribute module, for when data object described in Accessor Access, according to the health of the data object for pre-setting Mapping relations between degree grade and secure access strategy, according to health degree of the data object of the Accessor Access etc. Level is the corresponding secure access strategy of visitor distribution.
Further, the determining module includes:
First determining unit, for determining the evaluation and test value of each evaluation metricses related to data health degree;
Second determining unit, for the evaluation and test value of each evaluation metrics is multiplied by the corresponding weight of each evaluation metricses, obtains Contribution margin of each evaluation metrics to data health degree;
3rd determining unit, for each evaluation metrics for obtaining are added to the contribution margin of data health degree, obtains total The contribution margin to data health degree;
4th determining unit, for the total contribution margin to data health degree for obtaining is multiplied by the conversion system for pre-setting Number, obtains the health degree of the data object;
5th determining unit, for the health degree according to the data object for pre-setting and the health degree grade of data object Between mapping relations, according to the health degree of the data object for obtaining, obtain the health degree grade of the data object.
Further, the evaluation metricses related to data health degree include:Data standard compliance, ageing, data are complete Whole property, credibility, accessibility, successful access rate and failed access rate;
The metadata of the data object includes:The type of data object, creation time, digital digest, data owner, Digital signature, access chained address and access historical record, wherein, the access historical record includes:Number described in successful access According to object historical record and failed access described in data object historical record;
First determining unit includes:
Judgment sub-unit, for judging whether the type of the data object meets the data standard specification for pre-setting, Obtain the evaluation and test value of the data standard compliance;
Comparing subunit, for the creation time according to the data object and the current time for accessing the data object Between difference whether be less than default time threshold, obtain the ageing evaluation and test value;
First verification subelement, carries out completeness check for the digital digest to the data object, obtains the number According to the evaluation and test value of integrality;
Second verification subelement, the numeral for the digital certificate according to the data owner and the data object are signed Name, verifies the credibility of the data object, obtains the evaluation and test value of the credibility;
Subelement is accessed, and for the data object being accessed according to the access chained address of the data object, obtains institute State the evaluation and test value of accessibility;
First removes subunit, for obtaining the number of times of data object described in successful access, the successful access institute that will be obtained The number of times for stating data object is accessed for total degree divided by the data object, obtains the evaluation and test value of the successful access rate;
Second removes subunit, for obtaining the number of times of data object described in failed access, the failed access institute that will be obtained The number of times for stating data object is accessed for total degree divided by the data object, obtains the evaluation and test value of the failed access rate.
Further, the distribute module, for when data object described in Accessor Access, according to the number for pre-setting According to the mapping relations between the health degree grade and secure access strategy of object, according to the data pair of the Accessor Access The health degree grade of elephant is visitor's allocation of access rights, and provides corresponding safety and indicating risk.
Further, the health degree grade of the data object includes:It is excellent, good, in, it is poor;
The distribute module includes:
First allocation unit, if the health degree grade for the data object of Accessor Access is excellent, visitor During the data object is accessed point out data obj ect security described in the visitor credible;
Second allocation unit, if the health degree grade for the data object of Accessor Access is good, the number According to object, interviewee normally accesses;
3rd allocation unit, if the health degree grade for the data object of Accessor Access is, visitor During the data object is accessed, point out data correspondence described in the visitor to there is security risk;
4th allocation unit, if the health degree grade for the data object of Accessor Access is poor, forbids visiting The person of asking accesses the data object.
The above-mentioned technical proposal of the present invention has the beneficial effect that:
In such scheme, by the metadata for obtaining the data object being stored in Cloud Server;According to the institute for getting The metadata for stating data object determines the health degree grade of the data object;When data object described in Accessor Access, press The mapping relations between health degree grade and secure access strategy according to the data object for pre-setting, according to Accessor Access's The health degree grade of the data object is the corresponding secure access strategy of visitor distribution.So, for different health The data object of degree grade adopts different secure access strategies, can ensure data object in Accessor Access's Cloud Server Safety, the potential risk for reducing Accessor Access's bad data object.
Description of the drawings
Fig. 1 is that the flow process of the access control method of data object under cloud computing environment provided in an embodiment of the present invention is illustrated Figure;
Fig. 2 is that the detailed process of the access control method of data object under cloud computing environment provided in an embodiment of the present invention shows It is intended to;
Fig. 3 is that the principle of the access control method of data object under cloud computing environment provided in an embodiment of the present invention is illustrated Figure;
Fig. 4 is the structural representation of the access control system of data object under cloud computing environment provided in an embodiment of the present invention Figure.
Specific embodiment
To make the technical problem to be solved in the present invention, technical scheme and advantage clearer, below in conjunction with accompanying drawing and tool Body embodiment is described in detail.
The present invention is asked for the confidence level of the existing accessed data object for not accounting for being stored in Cloud Server A kind of topic, there is provided the access control method and system of data object under cloud computing environment.
Embodiment one
Referring to shown in Fig. 1, the access control method of data object under cloud computing environment provided in an embodiment of the present invention is wrapped Include:
S101, acquisition are stored in the metadata of the data object in Cloud Server;
S102, determines the health degree grade of the data object according to the metadata of the data object for getting;
S103, when data object described in Accessor Access, according to the data object for pre-setting health degree grade with Mapping relations between secure access strategy, are described according to the health degree grade of the data object of the Accessor Access The corresponding secure access strategy of visitor's distribution.
The access control method of data object under cloud computing environment described in the embodiment of the present invention, acquisition are stored in cloud service The metadata of the data object in device;The health of the data object is determined according to the metadata of the data object for getting Degree grade;When data object described in Accessor Access, according to health degree grade and the safety visit of the data object for pre-setting The mapping relations between strategy are asked, is distributed for the visitor according to the health degree grade of the data object of Accessor Access Corresponding secure access strategy.So, different secure access strategies, energy are adopted for the data object of different health degree grades The potential wind that is safe, reducing Accessor Access's bad data object of data object in Accessor Access's Cloud Server is ensured enough Danger.
In the present embodiment, abbreviation of the visitor for data access person, the data access person are stored in institute for access State the user of the data object of Cloud Server.
As shown in Figures 2 and 3, in the present embodiment, for the health degree to data object under cloud computing environment (referred to as:Number According to health degree) it is estimated, the health degree grade of data object is obtained, concrete step can include:
A11, by data owner upload data object arrive cloud platform/Cloud Server, upload data object to cloud platform/ Before Cloud Server, also include:Type, creation time according to the requirement explicit data object of data health degree evaluation metricses, Digital digest, the digital signature of the data object are generated by cryptographic algorithm, these attributes are placed on behind data object, Data object assessment body is formed, the process is referred to as secure package, the data object assessment body after secure package is submitted to into cloud clothes Business device, the cryptographic algorithm that digital digest, digital signature are used during secure package can by data owner and cloud platform/ Cloud Server security service is consulted to determine;
Wherein, the data health degree evaluation metricses include:It is data standard compliance, ageing, data integrity, credible Property, accessibility, successful access rate, failed access rate.
The characteristics of A12, data health degree evaluation services are directed to data object, extracts the metadata of data object, wherein, The metadata of the data object is included but is not limited to:The type of data object, creation time, digital digest, digital signature, visit Ask chained address, access historical record and data owner etc.;
Wherein, the data health degree evaluation services are separated with data object storage in logic, physically in Cloud Server Upper operation is in order to obtaining the health degree assessment result of the metadata of data object, returned data object.
A13, the demand for security according to user under cloud computing environment to data object accesses, provide data under cloud computing environment The definition of object health degree, proposes the evaluating standard of data health degree evaluation metricses on this basis, obtains each evaluation metrics Evaluation and test value, and propose that data health degree comprehensive assessment function computing formula obtains the health degree of data object;Wherein, according to number According to the evaluating standard of health degree evaluation metricses, the evaluation and test value for obtaining each evaluation metrics includes:
Data standard compliance:According to the type of data object, check whether which accords with according to International or National relevant criterion Close correlation standard;If meeting data standard specification, the index is 1, is not inconsistent and is combined into 0.
It is ageing:According to the difference between the current time of the creation time and the access data object of data object it is It is no to judge ageing less than default time threshold, if whether difference therebetween is less than default time threshold, when Preferably, the index is 1 to effect property, and otherwise, the index is 0.
Data integrity:Data object is being uploaded to before Cloud Server by data owner, data object is being dissipated Column operations, obtains its hashed value as digital digest, the hashed value is placed on behind the data object as completeness check Foundation;Data health degree evaluation services periodically carry out completeness check to the hashed value, if by completeness check, this refers to 1 is designated as, not by being then 0.
It is credible:Data object is being uploaded to before Cloud Server by data owner, the numeral of the data object is being plucked To be digitally signed by its private key, the signature value is placed on behind the data object as the foundation of Trusting eBusiness;Number According to health degree evaluation services according to the digital signature of the digital certificate and data object of data owner, the periodic check data pair The credibility of elephant;If by credible verification, the index is 1, not by for 0.
Accessibility:Can the data object be accessed according to the corresponding access chained address of data object, if can access Then the index is 1, and otherwise, it is impossible to access the object, the index is 0.
Successful access rate:The number of times of visitor's successful access data object is accessed for total degree divided by the data object.
Failed access rate:The number of times of visitor's failed access data object is accessed for total degree divided by the data object.
A14, to arrange weight w before each evaluation metricsi, each evaluation and test is referred to by data health degree comprehensive assessment function Target evaluation and test value SiIt is multiplied by respective weights wiContribution margin of the evaluation metricses to data health degree is obtained, by all evaluation metricses The contribution margin of data health degree is added, and obtains total contribution margin to data health degree, by total contribution to data health degree Value is multiplied by the health degree that conversion coefficient k obtains data object, and the data health degree comprehensive assessment function representation is:
Wherein, D represents the health degree of data object, and n represents the number of data health degree evaluation metricses, wiRepresent that i-th comments Survey the corresponding weight of index, SiThe evaluation and test value of the i-th evaluation metricses is represented, k represents conversion coefficient.
In the present embodiment, for example, by weight wiWith the design of conversion coefficient k, data health degree is mapped to into 0~100 Interval integer value.
A15, by weight wiWith the design of conversion coefficient k, data health degree is mapped to into the integer in 0~100 interval After value, can by integer value size be divided into it is excellent, good, in, differ from the health degree grade of four different data objects, for example, wherein, 0~40 is poor, and during 40~60 are, 60~80 is good, and 80~100 is excellent.
In the present embodiment, as an alternative embodiment, the metadata of the data object that the basis gets determines The health degree grade of the data object includes:
It is determined that the evaluation and test value of each evaluation metricses related to data health degree;
The evaluation and test value of each evaluation metrics is multiplied by into the corresponding weight of each evaluation metricses, each evaluation metrics is obtained to data The contribution margin of health degree;
Each evaluation metrics for obtaining are added to the contribution margin of data health degree, total tribute to data health degree is obtained Offer value;
The total contribution margin to data health degree for obtaining is multiplied by the conversion coefficient for pre-setting, the data pair are obtained The health degree of elephant;
According to the mapping relations between the health degree grade of the health degree and data object of the data object for pre-setting, root According to the health degree of the data object for obtaining, the health degree grade of the data object is obtained.
In the present embodiment, as another alternative embodiment, the determination each evaluation metricses related to data health degree Evaluation and test value include:
Judge whether the type of the data object meets the data standard specification for pre-setting, obtain the data standard The evaluation and test value of accordance;
According to the creation time of the data object and whether access difference between the current time of the data object Less than default time threshold, the ageing evaluation and test value is obtained;
Completeness check is carried out to the digital digest of the data object, the evaluation and test value of the data integrity is obtained;
According to the digital signature of the digital certificate and the data object of the data owner, the data object is verified Credibility, obtain it is described credibility evaluation and test value;
The data object is accessed according to the access chained address of the data object, the evaluation and test of the accessibility is obtained Value;
Obtain successful access described in data object number of times, will obtain successful access described in data object number of times divided by The data object is accessed for total degree, obtains the evaluation and test value of the successful access rate;
Obtain failed access described in data object number of times, will obtain failed access described in data object number of times divided by The data object is accessed for total degree, obtains the evaluation and test value of the failed access rate.
As shown in figure 3, in the present embodiment, the health degree grade of the data object for obtaining can also be stored in data In health degree list, cloud platform/Cloud Server keeper is formulated according to the health degree grade being stored in data health degree list Different secure access strategies, obtains the mapping relations between the health degree grade of data object and secure access strategy.So, The maker of secure access strategy expands to cloud platform/Cloud Server keeper by data owner, it is not necessary to data owner Participate and draw secure access strategy, on the one hand, can formulate with effectively save data owner the time of secure access strategy, it is another Aspect, the object of access control expand to data object itself by visitor, can be on the premise of the access that guarantees data security Trusting degree of the visitor to accessed data object is improved, the potential risk that the unhealthy data of Accessor Access are brought is reduced; Wherein, the secure access strategy includes:Access rights and corresponding safety and indicating risk.
As shown in Figures 2 and 3, in the present embodiment, after customization secure access strategy, visitor is under cloud computing environment Data object initiate access request, cloud platform/Cloud Server can according to the health degree list and secure access strategy (or, Mapping relations between the health degree grade and secure access strategy of data object) response is carried out to this access, to visitor The actual access rights of distribution, and carry out corresponding safety and indicating risk.
It is in the present embodiment, as an alternative embodiment, described when data object described in Accessor Access, according to setting in advance Mapping relations between the health degree grade and secure access strategy of the data object put, according to the Accessor Access The health degree grade of data object is visitor's allocation of access rights, and provides corresponding safety and include with indicating risk:
When data object described in Accessor Access, according to health degree grade and the safety visit of the data object for pre-setting The mapping relations between strategy are asked, is the visitor according to the health degree grade of the data object of the Accessor Access Allocation of access rights, and provide corresponding safety and indicating risk.
In the present embodiment, the health degree grade of the data object includes:It is excellent, good, in, it is poor;If Accessor Access's The health degree grade of the data object can point out the data obj ect security can for excellent, then during the data object is accessed Letter.If the health degree grade of the data object of Accessor Access is good, the data object can be by the positive frequentation of user Ask, point out the data object normal.During if the health degree grade of the data object of Accessor Access were, data object Interviewee has an indicating risk when accessing, and points out the visitor data object to have certain security risk.If visitor The health degree grade of the data object for accessing is poor, then forbid Accessor Access's data object.So, for different strong The data object of Kang Du grades adopts different secure access strategies, ensures the peace of data object in Accessor Access's cloud platform Entirely, reduce the potential risk of Accessor Access's bad data object.
In the present embodiment, used as another alternative embodiment, the health degree grade of the data object includes:It is excellent, good, in, Difference;
It is described when data object described in Accessor Access, according to the data object for pre-setting health degree grade with peace Mapping relations between full access strategy, are the visit according to the health degree grade of the data object of the Accessor Access The person's of asking allocation of access rights, and provide corresponding safety and include with indicating risk:
If the health degree grade of the data object of Accessor Access is excellent, visitor is accessing the data object During point out data obj ect security described in the visitor credible;
If the health degree grade of the data object of Accessor Access is good, the data object interviewee is normal Access;
If during the health degree grade of the data object of Accessor Access is, visitor is accessing the data object During point out described in the visitor data correspondence to there is security risk;
If the health degree grade of the data object of Accessor Access is poor, forbid data pair described in Accessor Access As.
Embodiment two
The present invention also provides a kind of specific embodiment of the access control system of data object under cloud computing environment, due to The visit of access control system and the data object under aforementioned cloud computing environment of data object under the cloud computing environment that the present invention is provided Ask that the specific embodiment of control method is corresponding, the access control system of data object can be by holding under the cloud computing environment Process step in row said method specific embodiment is realizing data under the purpose of the present invention, therefore above-mentioned cloud computing environment Explanation in the access control method specific embodiment of object, is also applied for number under the cloud computing environment of present invention offer According to the specific embodiment of the access control system of object, will not be described in great detail in detailed description below of the present invention.
Referring to shown in Fig. 4, the embodiment of the present invention also provides a kind of access control system of data object under cloud computing environment, Including:
Acquisition module 11, for obtaining the metadata of the data object being stored in Cloud Server;
Determining module 12, for the health of the data object is determined according to the metadata of the data object for getting Degree grade;
Distribute module 13, for when data object described in Accessor Access, according to the strong of the data object for pre-setting Mapping relations between Kang Du grades and secure access strategy, according to the health degree of the data object of the Accessor Access Grade is the corresponding secure access strategy of visitor distribution.
The access control system of data object under cloud computing environment described in the embodiment of the present invention, is stored in cloud by obtaining The metadata of the data object in server;The data object is determined according to the metadata of the data object for getting Health degree grade;When data object described in Accessor Access, according to health degree grade and the peace of the data object for pre-setting Mapping relations between full access strategy, are the visitor according to the health degree grade of the data object of Accessor Access The corresponding secure access strategy of distribution.So, different secure access plans is adopted for the data object of different health degree grades Slightly, can ensure data object in Accessor Access's Cloud Server it is safe, reduce the latent of Accessor Access's bad data object In risk.
Under aforementioned cloud computing environment in the specific embodiment of the access control system of data object, further, institute Stating determining module includes:
First determining unit, for determining the evaluation and test value of each evaluation metricses related to data health degree;
Second determining unit, for the evaluation and test value of each evaluation metrics is multiplied by the corresponding weight of each evaluation metricses, obtains Contribution margin of each evaluation metrics to data health degree;
3rd determining unit, for each evaluation metrics for obtaining are added to the contribution margin of data health degree, obtains total The contribution margin to data health degree;
4th determining unit, for the total contribution margin to data health degree for obtaining is multiplied by the conversion system for pre-setting Number, obtains the health degree of the data object;
5th determining unit, for the health degree according to the data object for pre-setting and the health degree grade of data object Between mapping relations, according to the health degree of the data object for obtaining, obtain the health degree grade of the data object.
Under aforementioned cloud computing environment in the specific embodiment of the access control system of data object, further, with The related evaluation metricses of data health degree include:Data standard compliance, ageing, data integrity, credibility, may have access to Property, successful access rate and failed access rate;
The metadata of the data object includes:The type of data object, creation time, digital digest, data owner, Digital signature, access chained address and access historical record, wherein, the access historical record includes:Number described in successful access According to object historical record and failed access described in data object historical record;
First determining unit includes:
Judgment sub-unit, for judging whether the type of the data object meets the data standard specification for pre-setting, Obtain the evaluation and test value of the data standard compliance;
Comparing subunit, for the creation time according to the data object and the current time for accessing the data object Between difference whether be less than default time threshold, obtain the ageing evaluation and test value;
First verification subelement, carries out completeness check for the digital digest to the data object, obtains the number According to the evaluation and test value of integrality;
Second verification subelement, the numeral for the digital certificate according to the data owner and the data object are signed Name, verifies the credibility of the data object, obtains the evaluation and test value of the credibility;
Subelement is accessed, and for the data object being accessed according to the access chained address of the data object, obtains institute State the evaluation and test value of accessibility;
First removes subunit, for obtaining the number of times of data object described in successful access, the successful access institute that will be obtained The number of times for stating data object is accessed for total degree divided by the data object, obtains the evaluation and test value of the successful access rate;
Second removes subunit, for obtaining the number of times of data object described in failed access, the failed access institute that will be obtained The number of times for stating data object is accessed for total degree divided by the data object, obtains the evaluation and test value of the failed access rate.
Under aforementioned cloud computing environment in the specific embodiment of the access control system of data object, further, institute Distribute module is stated, for when data object described in Accessor Access, according to the health degree grade of the data object for pre-setting With the mapping relations between secure access strategy, it is institute according to the health degree grade of the data object of the Accessor Access Visitor's allocation of access rights is stated, and provides corresponding safety and indicating risk.
Under aforementioned cloud computing environment in the specific embodiment of the access control system of data object, further, institute The health degree grade for stating data object includes:It is excellent, good, in, it is poor;
The distribute module includes:
First allocation unit, if the health degree grade for the data object of Accessor Access is excellent, visitor During the data object is accessed point out data obj ect security described in the visitor credible;
Second allocation unit, if the health degree grade for the data object of Accessor Access is good, the number According to object, interviewee normally accesses;
3rd allocation unit, if the health degree grade for the data object of Accessor Access is, visitor During the data object is accessed, point out data correspondence described in the visitor to there is security risk;
4th allocation unit, if the health degree grade for the data object of Accessor Access is poor, forbids visiting The person of asking accesses the data object.
The above is the preferred embodiment of the present invention, it is noted that for those skilled in the art For, on the premise of without departing from principle of the present invention, some improvements and modifications can also be made, these improvements and modifications Should be regarded as protection scope of the present invention.

Claims (10)

1. under a kind of cloud computing environment data object access control method, it is characterised in that include:
Acquisition is stored in the metadata of the data object in Cloud Server;
The health degree grade of the data object is determined according to the metadata of the data object for getting;
When data object described in Accessor Access, according to health degree grade and the secure access plan of the data object for pre-setting Mapping relations between slightly, distribute for the visitor according to the health degree grade of the data object of the Accessor Access Corresponding secure access strategy.
2. under cloud computing environment according to claim 1 data object access control method, it is characterised in that described Determine that according to the metadata of the data object for getting the health degree grade of the data object includes:
It is determined that the evaluation and test value of each evaluation metricses related to data health degree;
The evaluation and test value of each evaluation metrics is multiplied by into the corresponding weight of each evaluation metricses, each evaluation metrics is obtained to data health The contribution margin of degree;
Each evaluation metrics for obtaining are added to the contribution margin of data health degree, total contribution to data health degree is obtained Value;
The total contribution margin to data health degree for obtaining is multiplied by the conversion coefficient for pre-setting, the data object is obtained Health degree;
According to the mapping relations between the health degree grade of the health degree and data object of the data object for pre-setting, according to The health degree of the data object for arriving, obtains the health degree grade of the data object.
3. under cloud computing environment according to claim 2 data object access control method, it is characterised in that with data The related evaluation metricses of health degree include:Data standard compliance, ageing, data integrity, credibility, accessibility, into Work(rate of people logging in and failed access rate;
The metadata of the data object includes:The type of data object, creation time, digital digest, data owner, numeral Signature, access chained address and access historical record, wherein, the access historical record includes:Data pair described in successful access The historical record of data object described in the historical record and failed access of elephant;
The evaluation and test value for determining each evaluation metricses related to data health degree includes:
Judge whether the type of the data object meets the data standard specification for pre-setting, obtain the data standard and meet The evaluation and test value of property;
Whether it is less than according to the difference between the current time of the creation time and the access data object of the data object Default time threshold, obtains the ageing evaluation and test value;
Completeness check is carried out to the digital digest of the data object, the evaluation and test value of the data integrity is obtained;
According to the digital signature of the digital certificate and the data object of the data owner, verify the data object can Letter property, obtains the evaluation and test value of the credibility;
The data object is accessed according to the access chained address of the data object, the evaluation and test value of the accessibility is obtained;
The number of times of data object described in successful access is obtained, the number of times of data object is divided by described described in the successful access that will be obtained Data object is accessed for total degree, obtains the evaluation and test value of the successful access rate;
The number of times of data object described in failed access is obtained, the number of times of data object is divided by described described in the failed access that will be obtained Data object is accessed for total degree, obtains the evaluation and test value of the failed access rate.
4. under cloud computing environment according to claim 1 data object access control method, it is characterised in that it is described work as Described in Accessor Access during data object, according between the health degree grade and secure access strategy of the data object for pre-setting Mapping relations, be that the visitor distributes access right according to the health degree grade of the data object of the Accessor Access Limiting, and provide corresponding safety is included with indicating risk:
When data object described in Accessor Access, according to health degree grade and the secure access plan of the data object for pre-setting Mapping relations between slightly, distribute for the visitor according to the health degree grade of the data object of the Accessor Access Access rights, and provide corresponding safety and indicating risk.
5. under cloud computing environment according to claim 4 data object access control method, it is characterised in that the number Include according to the health degree grade of object:It is excellent, good, in, it is poor;
It is described when data object described in Accessor Access, according to the data object for pre-setting health degree grade with safety visit The mapping relations between strategy are asked, is the visitor according to the health degree grade of the data object of the Accessor Access Allocation of access rights, and provide corresponding safety and include with indicating risk:
If the health degree grade of the data object of Accessor Access is excellent, visitor is accessing the mistake of the data object Point out data obj ect security described in the visitor credible in journey;
If the health degree grade of the data object of Accessor Access is for good, the positive frequentation of the data object interviewee Ask;
If during the health degree grade of the data object of Accessor Access is, visitor is accessing the mistake of the data object Data correspondence described in the visitor is pointed out to there is security risk in journey;
If the health degree grade of the data object of Accessor Access is poor, forbid data object described in Accessor Access.
6. under a kind of cloud computing environment data object access control system, it is characterised in that include:
Acquisition module, for obtaining the metadata of the data object being stored in Cloud Server;
Determining module, for determining health degree of the data object etc. according to the metadata of the data object for getting Level;
Distribute module, for when data object described in Accessor Access, according to the health degree etc. of the data object for pre-setting Mapping relations between level and secure access strategy, according to the health degree grade of the data object of the Accessor Access be Visitor's distribution is corresponding to have secure access to strategy.
7. under cloud computing environment according to claim 6 data object access control system, it is characterised in that it is described really Cover half block includes:
First determining unit, for determining the evaluation and test value of each evaluation metricses related to data health degree;
Second determining unit, for the evaluation and test value of each evaluation metrics is multiplied by the corresponding weight of each evaluation metricses, obtains each Contribution margin of the evaluation metricses to data health degree;
3rd determining unit, for each evaluation metrics for obtaining are added to the contribution margin of data health degree, obtains total right The contribution margin of data health degree;
4th determining unit, for the total contribution margin to data health degree for obtaining is multiplied by the conversion coefficient for pre-setting, Obtain the health degree of the data object;
5th determining unit, between the health degree grade according to the health degree and data object of the data object for pre-setting Mapping relations, according to the health degree of the data object for obtaining, obtain the health degree grade of the data object.
8. under cloud computing environment according to claim 7 data object access control system, it is characterised in that with data The related evaluation metricses of health degree include:Data standard compliance, ageing, data integrity, credibility, accessibility, into Work(rate of people logging in and failed access rate;
The metadata of the data object includes:The type of data object, creation time, digital digest, data owner, numeral Signature, access chained address and access historical record, wherein, the access historical record includes:Data pair described in successful access The historical record of data object described in the historical record and failed access of elephant;
First determining unit includes:
Judgment sub-unit, for judging whether the type of the data object meets the data standard specification for pre-setting, obtains The evaluation and test value of the data standard compliance;
Comparing subunit, between the current time for the creation time according to the data object and the access data object Difference whether be less than default time threshold, obtain the ageing evaluation and test value;
First verification subelement, carries out completeness check for the digital digest to the data object, obtains the data complete The evaluation and test value of whole property;
Second verification subelement, for the digital certificate according to the data owner and the digital signature of the data object, The credibility of the data object is verified, the evaluation and test value of the credibility is obtained;
Access subelement, for accessing the data object according to the access chained address of the data object, obtain it is described can The evaluation and test value of access property;
First removes subunit, for obtaining the number of times of data object described in successful access, number described in the successful access that will be obtained Total degree is accessed for divided by the data object according to the number of times of object, obtains the evaluation and test value of the successful access rate;
Second removes subunit, for obtaining the number of times of data object described in failed access, number described in the failed access that will be obtained Total degree is accessed for divided by the data object according to the number of times of object, obtains the evaluation and test value of the failed access rate.
9. under cloud computing environment according to claim 6 data object access control system, it is characterised in that described point With module, for when data object described in Accessor Access, according to health degree grade and the peace of the data object for pre-setting Mapping relations between full access strategy, are the visit according to the health degree grade of the data object of the Accessor Access The person's of asking allocation of access rights, and provide corresponding safety and indicating risk.
10. under cloud computing environment according to claim 9 data object access control system, it is characterised in that it is described The health degree grade of data object includes:It is excellent, good, in, it is poor;
The distribute module includes:
First allocation unit, if the health degree grade for the data object of Accessor Access is excellent, visitor is visiting Point out data obj ect security described in the visitor credible during asking the data object;
Second allocation unit, if the health degree grade for the data object of Accessor Access is good, the data pair As interviewee normally accesses;
3rd allocation unit, if the health degree grade for the data object of Accessor Access is, visitor is visiting Data correspondence described in the visitor is pointed out to there is security risk during asking the data object;
4th allocation unit, if the health degree grade for the data object of Accessor Access is poor, forbids visitor Access the data object.
CN201610982386.XA 2016-11-08 2016-11-08 The access control method and system of data object under a kind of cloud computing environment Active CN106559421B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610982386.XA CN106559421B (en) 2016-11-08 2016-11-08 The access control method and system of data object under a kind of cloud computing environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610982386.XA CN106559421B (en) 2016-11-08 2016-11-08 The access control method and system of data object under a kind of cloud computing environment

Publications (2)

Publication Number Publication Date
CN106559421A true CN106559421A (en) 2017-04-05
CN106559421B CN106559421B (en) 2019-09-10

Family

ID=58444274

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610982386.XA Active CN106559421B (en) 2016-11-08 2016-11-08 The access control method and system of data object under a kind of cloud computing environment

Country Status (1)

Country Link
CN (1) CN106559421B (en)

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102687133A (en) * 2009-11-16 2012-09-19 微软公司 Containerless data for trustworthy computing and data services
CN103139007A (en) * 2011-12-05 2013-06-05 阿里巴巴集团控股有限公司 Method and system for detecting application server performance
CN103699534A (en) * 2012-09-27 2014-04-02 腾讯科技(深圳)有限公司 Display method and device for data object in system directory
CN103729593A (en) * 2013-12-31 2014-04-16 安一恒通(北京)科技有限公司 Method and system for recognizing file safety
CN105631344A (en) * 2015-04-30 2016-06-01 南京酷派软件技术有限公司 Security data access control method and system as well as terminal

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102687133A (en) * 2009-11-16 2012-09-19 微软公司 Containerless data for trustworthy computing and data services
CN103139007A (en) * 2011-12-05 2013-06-05 阿里巴巴集团控股有限公司 Method and system for detecting application server performance
CN103699534A (en) * 2012-09-27 2014-04-02 腾讯科技(深圳)有限公司 Display method and device for data object in system directory
CN103729593A (en) * 2013-12-31 2014-04-16 安一恒通(北京)科技有限公司 Method and system for recognizing file safety
CN105631344A (en) * 2015-04-30 2016-06-01 南京酷派软件技术有限公司 Security data access control method and system as well as terminal

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
宋涛: "《网络环境下服务可信建模与方法的研究》", 《中国优秀硕士学位论文全文数据库(信息科技辑)》 *

Also Published As

Publication number Publication date
CN106559421B (en) 2019-09-10

Similar Documents

Publication Publication Date Title
CN112348204B (en) Safe sharing method for marine Internet of things data under edge computing framework based on federal learning and block chain technology
CN108875327A (en) One seed nucleus body method and apparatus
CN102761551B (en) System and method for multilevel cross-domain access control
US10063535B2 (en) User authentication based on personal access history
CN103685244B (en) A kind of differentiation authentication method and device
JP2016539436A5 (en)
US8978159B1 (en) Methods and apparatus for mediating access to derivatives of sensitive data
CN105045597B (en) A kind of JAVA card object reference method and device
CN110417820A (en) Processing method, device and the readable storage medium storing program for executing of single-node login system
CN105988739A (en) Location and boundary controls for storage volumes
CN105516117A (en) Cloud computing based power data security storage method
CN105933245A (en) Secure and credible access method in software defined network
CN104836777B (en) Identity verification method and system
CN104009959A (en) XACML-based verifiable cloud access control method
CN107689941A (en) A kind of apparatus and method for preventing same user's repeat logon
CN113242230A (en) Multi-level authentication and access control system and method based on intelligent contracts
WO2019052469A1 (en) Network request processing method and apparatus, electronic device, and storage medium
CN103327036A (en) Identification method of Internet browsing devices and Cookie server
CN106060048A (en) Network resource access method and network resource access device
Ke et al. A privacy risk assessment scheme for fog nodes in access control system
CN106559421A (en) The access control method and system of data object under a kind of cloud computing environment
CN113544665A (en) Execution of measurements on trusted agents in resource-constrained environments using proof of operation
CN104009846B (en) A kind of single-sign-on apparatus and method
CN105516134A (en) Authentication method and system for system integration
CN106230769B (en) Mobile cloud data staging connection control method based on mobile terminal degree of belief

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right
TR01 Transfer of patent right

Effective date of registration: 20200201

Address after: No.163, East 2nd Street, Yudai, Yongding town, Mentougou District, Beijing

Patentee after: Luban (Beijing) Electronic Commerce Technology Co., Ltd.

Address before: 100083 Haidian District, Xueyuan Road, No. 30,

Patentee before: University OF SCIENCE AND TECHNOLOGY BEIJING