CN106559421B - The access control method and system of data object under a kind of cloud computing environment - Google Patents

The access control method and system of data object under a kind of cloud computing environment Download PDF

Info

Publication number
CN106559421B
CN106559421B CN201610982386.XA CN201610982386A CN106559421B CN 106559421 B CN106559421 B CN 106559421B CN 201610982386 A CN201610982386 A CN 201610982386A CN 106559421 B CN106559421 B CN 106559421B
Authority
CN
China
Prior art keywords
data object
access
data
health degree
evaluation
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201610982386.XA
Other languages
Chinese (zh)
Other versions
CN106559421A (en
Inventor
陈红松
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Luban (beijing) Electronic Commerce Technology Co Ltd
Original Assignee
University of Science and Technology Beijing USTB
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by University of Science and Technology Beijing USTB filed Critical University of Science and Technology Beijing USTB
Priority to CN201610982386.XA priority Critical patent/CN106559421B/en
Publication of CN106559421A publication Critical patent/CN106559421A/en
Application granted granted Critical
Publication of CN106559421B publication Critical patent/CN106559421B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/10Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/105Multiple levels of security
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/20Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L63/205Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides the access control method and system of data object under a kind of cloud computing environment, the potential risk that can be ensured the safety of data object in Accessor Access's Cloud Server, reduce Accessor Access's bad data object.The described method includes: obtaining the metadata for the data object being stored in Cloud Server;The health degree grade of the data object is determined according to the metadata of the data object got;When the data object described in the Accessor Access, it is the corresponding secure access strategy of visitor distribution according to the health degree grade of the data object of the Accessor Access according to the mapping relations between the health degree grade and secure access strategy of pre-set data object.The present invention is suitable for field of communication technology.

Description

The access control method and system of data object under a kind of cloud computing environment
Technical field
The present invention relates to field of communication technology, a kind of access control method of data object under cloud computing environment is particularly related to And system.
Background technique
In recent years, with the novel informations technology such as the fast development of network and the communication technology, especially cloud computing, big data Rise, people get the data resource needed for oneself by Cloud Server in which can be convenient.Data are the carriers of information, are Enterprise moves towards information-based necessary basis and valuable capital, and the storing data of magnanimity has powerful temptation to attacker again. Being constantly progressive for hacking technique increases the risk factor of data resource under fire under cloud computing environment, causes under cloud computing environment Problem of data safety emerge one after another, the access risk that data resource is included also is being continuously improved.
Existing access control technology mainly carries out safe access control, such as the access control of based role from user perspective User is divided into different roles by simulation, and different access authority is distributed according to different user roles, specifically, according to The role of user distributes same type of user to identical permission, realizes the secure access strategy based on user role and update Model, however, being stored in the data object of Cloud Server similarly has different confidence levels, still, existing cloud computing ring Access control technology under border does not account for being stored in the confidence level of the accessed data object in Cloud Server.
Summary of the invention
The technical problem to be solved in the present invention is to provide a kind of access control method of data object under cloud computing environment and System, to solve not account for being stored in present in the prior art confidence level of the accessed data object in Cloud Server Problem.
In order to solve the above technical problems, the embodiment of the present invention provides a kind of access control of data object under cloud computing environment Method, comprising:
Obtain the metadata for the data object being stored in Cloud Server;
The health degree grade of the data object is determined according to the metadata of the data object got;
When the data object described in the Accessor Access, visited according to the health degree grade and safety of pre-set data object It asks the mapping relations between strategy, is the visitor according to the health degree grade of the data object of the Accessor Access The corresponding secure access strategy of distribution.
Further, the metadata for the data object that the basis is got determines the health degree of the data object Grade includes:
Determine the evaluation and test value of each evaluation metrics relevant to data health degree;
By the evaluation and test value of each evaluation metrics multiplied by the corresponding weight of each evaluation metrics, each evaluation metrics are obtained to data The contribution margin of health degree;
Contribution margin of the obtained each evaluation metrics to data health degree is added, total tribute to data health degree is obtained Offer value;
By obtained total contribution margin to data health degree multiplied by pre-set conversion coefficient, the data pair are obtained The health degree of elephant;
According to the mapping relations between the health degree of pre-set data object and the health degree grade of data object, root According to the health degree of the obtained data object, the health degree grade of the data object is obtained.
Further, evaluation metrics relevant to data health degree include: that data standard compliance, timeliness, data are complete Whole property, credibility, accessibility, successful access rate and failed access rate;
The metadata of the data object include: the type of data object, creation time, digital digest, data owner, Digital signature, access chained address and access historical record, wherein the access historical record includes: number described in successful access The historical record of data object described in historical record and failed access according to object;
The evaluation and test value of the determination each evaluation metrics relevant to data health degree includes:
Judge whether the type of the data object meets pre-set data standard specification, obtains the data standard The evaluation and test value of accordance;
According to the difference between the creation time of the data object and the current time of the access data object whether Less than preset time threshold, the evaluation and test value of the timeliness is obtained;
Completeness check is carried out to the digital digest of the data object, obtains the evaluation and test value of the data integrity;
According to the digital signature of the digital certificate of the data owner and the data object, the data object is verified Credibility, obtain the evaluation and test value of the credibility;
The data object is accessed according to the access chained address of the data object, obtains the evaluation and test of the accessibility Value;
The number for obtaining data object described in successful access, the number of data object described in the successful access that will acquire divided by The accessed total degree of the data object, obtains the evaluation and test value of the successful access rate;
The number for obtaining data object described in failed access, the number of data object described in the failed access that will acquire divided by The accessed total degree of the data object, obtains the evaluation and test value of the failed access rate.
Further, when the data object described in the Accessor Access, according to the health of pre-set data object The mapping relations between grade and secure access strategy are spent, according to the health degree etc. of the data object of the Accessor Access Grade is visitor's allocation of access rights, and provides corresponding safety with indicating risk and include:
When the data object described in the Accessor Access, visited according to the health degree grade and safety of pre-set data object It asks the mapping relations between strategy, is the visitor according to the health degree grade of the data object of the Accessor Access Allocation of access rights, and provide corresponding safety and indicating risk.
Further, the health degree grade of the data object include: it is excellent, good, in, it is poor;
When the data object described in the Accessor Access, according to the health degree grade and peace of pre-set data object Mapping relations between full access strategy are the visit according to the health degree grade of the data object of the Accessor Access The person's of asking allocation of access rights, and provide corresponding safety with indicating risk and include:
If the health degree grade of the data object of Accessor Access be it is excellent, visitor is accessing the data object During prompt data obj ect security described in the visitor credible;
If the health degree grade of the data object of Accessor Access be it is good, the data object interviewee is normal Access;
If during the health degree grade of the data object of Accessor Access is, visitor is accessing the data object During prompt data described in the visitor corresponding there are security risks;
If the health degree grade of the data object of Accessor Access be it is poor, forbid data pair described in Accessor Access As.
The embodiment of the present invention also provides a kind of access control system of data object under cloud computing environment, comprising:
Module is obtained, for obtaining the metadata for the data object being stored in Cloud Server;
Determining module, for determining the health degree of the data object according to the metadata of the data object got Grade;
Distribution module, when for the data object described in the Accessor Access, according to the health of pre-set data object The mapping relations between grade and secure access strategy are spent, according to the health degree etc. of the data object of the Accessor Access Grade is the corresponding secure access strategy of visitor distribution.
Further, the determining module includes:
First determination unit, for determining the evaluation and test value of each evaluation metrics relevant to data health degree;
Second determination unit, for multiplied by the corresponding weight of each evaluation metrics, obtaining the evaluation and test value of each evaluation metrics Contribution margin of each evaluation metrics to data health degree;
Third determination unit obtains total for contribution margin of the obtained each evaluation metrics to data health degree to be added The contribution margin to data health degree;
4th determination unit, total contribution margin to data health degree for that will obtain are multiplied by pre-set conversion Number, obtains the health degree of the data object;
5th determination unit, the health degree grade for health degree and data object according to pre-set data object Between mapping relations the health degree grade of the data object is obtained according to the health degree of the obtained data object.
Further, evaluation metrics relevant to data health degree include: that data standard compliance, timeliness, data are complete Whole property, credibility, accessibility, successful access rate and failed access rate;
The metadata of the data object include: the type of data object, creation time, digital digest, data owner, Digital signature, access chained address and access historical record, wherein the access historical record includes: number described in successful access The historical record of data object described in historical record and failed access according to object;
First determination unit includes:
Judgment sub-unit, for judging whether the type of the data object meets pre-set data standard specification, Obtain the evaluation and test value of the data standard compliance;
Comparing subunit, for according to the creation time of the data object and the current time of the access data object Between difference whether be less than preset time threshold, obtain the evaluation and test value of the timeliness;
First verification subelement, carries out completeness check for the digital digest to the data object, obtains the number According to the evaluation and test value of integrality;
Second verification subelement, for being signed according to the digital certificate of the data owner and the number of the data object Name, verifies the credibility of the data object, obtains the evaluation and test value of the credibility;
Subelement is accessed, for accessing the data object according to the access chained address of the data object, obtains institute State the evaluation and test value of accessibility;
First removes subunit, for obtaining the number of data object described in successful access, the successful access institute that will acquire The total degree that the number of data object is accessed divided by the data object is stated, the evaluation and test value of the successful access rate is obtained;
Second removes subunit, for obtaining the number of data object described in failed access, the failed access institute that will acquire The total degree that the number of data object is accessed divided by the data object is stated, the evaluation and test value of the failed access rate is obtained.
Further, the distribution module, when for the data object described in the Accessor Access, according to pre-set number According to the mapping relations between the health degree grade and secure access strategy of object, according to the data pair of the Accessor Access The health degree grade of elephant is visitor's allocation of access rights, and provides corresponding safety and indicating risk.
Further, the health degree grade of the data object include: it is excellent, good, in, it is poor;
The distribution module includes:
First allocation unit, if the health degree grade of the data object for Accessor Access is excellent, visitor Prompt data obj ect security described in the visitor credible during accessing the data object;
Second allocation unit, if the health degree grade of the data object for Accessor Access is good, the number It is normally accessed according to object interviewee;
Third allocation unit, if during the health degree grade of the data object for Accessor Access is, visitor Prompting data described in the visitor to correspond to during accessing the data object, there are security risks;
4th allocation unit, if the health degree grade of the data object for Accessor Access be it is poor, forbid visiting The person of asking accesses the data object.
The advantageous effects of the above technical solutions of the present invention are as follows:
In above scheme, by the metadata for obtaining the data object being stored in Cloud Server;According to the institute got The metadata for stating data object determines the health degree grade of the data object;When the data object described in the Accessor Access, press Mapping relations between health degree grade according to pre-set data object and secure access strategy, according to Accessor Access's The health degree grade of the data object is the corresponding secure access strategy of visitor distribution.In this way, being directed to different health The data object for spending grade uses different secure access strategies, can ensure data object in Accessor Access's Cloud Server Safety, the potential risk for reducing Accessor Access's bad data object.
Detailed description of the invention
Fig. 1 is the process signal of the access control method of data object under cloud computing environment provided in an embodiment of the present invention Figure;
Fig. 2 is that the detailed process of the access control method of data object under cloud computing environment provided in an embodiment of the present invention shows It is intended to;
Fig. 3 is the principle signal of the access control method of data object under cloud computing environment provided in an embodiment of the present invention Figure;
Fig. 4 is the structural representation of the access control system of data object under cloud computing environment provided in an embodiment of the present invention Figure.
Specific embodiment
To keep the technical problem to be solved in the present invention, technical solution and advantage clearer, below in conjunction with attached drawing and tool Body embodiment is described in detail.
The present invention is asked for the existing confidence level for not accounting for being stored in the accessed data object in Cloud Server Topic provides the access control method and system of data object under a kind of cloud computing environment.
Embodiment one
Referring to shown in Fig. 1, the access control method of data object under cloud computing environment provided in an embodiment of the present invention is wrapped It includes:
S101 obtains the metadata for the data object being stored in Cloud Server;
S102 determines the health degree grade of the data object according to the metadata of the data object got;
S103, when the data object described in the Accessor Access, according to pre-set data object health degree grade with Mapping relations between secure access strategy, the health degree grade according to the data object of the Accessor Access is described The corresponding secure access strategy of visitor's distribution.
The access control method of data object under cloud computing environment described in the embodiment of the present invention, acquisition are stored in cloud service The metadata of data object in device;The health of the data object is determined according to the metadata of the data object got Spend grade;When the data object described in the Accessor Access, visited according to the health degree grade and safety of pre-set data object It asks the mapping relations between strategy, is visitor distribution according to the health degree grade of the data object of Accessor Access Corresponding secure access strategy.In this way, the data object for different health degree grades uses different secure access strategies, energy The potential wind for enough ensureing the safety of data object in Accessor Access's Cloud Server, reducing Accessor Access's bad data object Danger.
In the present embodiment, the visitor is the abbreviation of data access person, and the data access person is stored in institute for access State the user of the data object of Cloud Server.
As shown in Figures 2 and 3, in the present embodiment, (referred to as: number for the health degree to data object under cloud computing environment According to health degree) it is assessed, the health degree grade of data object is obtained, specific step may include:
A11, by data owner upload data object arrive cloud platform/Cloud Server, upload data object to cloud platform/ Before Cloud Server, further includes: according to type, the creation time of the requirement explicit data object of data health degree evaluation metrics, Digital digest, the digital signature that the data object is generated by cryptographic algorithm, these attributes are placed on behind data object, It forms data object and assesses body, which is known as secure package, and the data object assessment body after secure package is submitted to cloud clothes Be engaged in device, the cryptographic algorithm that digital digest, digital signature use during secure package can by data owner and cloud platform/ Cloud Server security service is negotiated to determine;
Wherein, the data health degree evaluation metrics include: data standard compliance, it is timeliness, data integrity, credible Property, accessibility, successful access rate, failed access rate.
The characteristics of A12, data health degree evaluation services are directed to data object, extracts the metadata of data object, wherein The metadata of the data object includes but is not limited to: the type of data object, creation time, digital digest, digital signature, visit Ask chained address, access historical record and data owner etc.;
Wherein, the data health degree evaluation services are separated with data object storage in logic, physically in Cloud Server Upper operation is in order to obtain the metadata of data object, the health degree assessment result of returned data object.
A13, the demand for security according to user under cloud computing environment to data object accesses, provide data under cloud computing environment The definition of object health degree proposes the evaluating standard of data health degree evaluation metrics on this basis, obtains each evaluation metrics Evaluation and test value, and propose that data health degree comprehensive assessment function calculation formula obtains the health degree of data object;Wherein, according to number According to the evaluating standard of health degree evaluation metrics, the evaluation and test value for obtaining each evaluation metrics includes:
Data standard compliance: according to the type of data object, examine whether it accords with according to International or National relevant criterion Close correlation standard;If meeting data standard specification, which is 1, is not inconsistent and is combined into 0.
Timeliness: it is according to the difference between the creation time of data object and the current time of the access data object It is no to judge timeliness less than preset time threshold, if whether difference between the two is less than preset time threshold, when Effect property is preferable, which is 1, and otherwise, which is 0.
Data integrity: by data owner before uploading data object to Cloud Server, data object is carried out scattered Column operations obtains its hashed value as digital digest, which is placed on behind the data object as completeness check Foundation;Data health degree evaluation services periodically carry out completeness check to the hashed value, if this refers to by completeness check It is designated as 1, not by being then 0.
It is credible: by data owner before uploading data object to Cloud Server, the number of the data object being plucked It to be digitally signed by its private key, which is placed on to the foundation behind the data object as Trusting eBusiness;Number According to health degree evaluation services according to the digital certificate of data owner and the digital signature of data object, the periodic check data pair The credibility of elephant;If the index is 1, not by being 0 by credible verification.
Accessibility: can the data object be accessed according to the corresponding access chained address of data object, if can access Then the index is 1, otherwise, cannot access the object, which is 0.
Successful access rate: the total degree that the number of visitor's successful access data object is accessed divided by the data object.
Failed access rate: the total degree that the number of visitor's failed access data object is accessed divided by the data object.
A14, for a weight w is arranged before each evaluation metricsi, each evaluation and test is referred to by data health degree comprehensive assessment function Target evaluation and test value SiMultiplied by respective weights wiThe evaluation metrics are obtained to the contribution margin of data health degree, by all evaluation metrics The contribution margin of data health degree is added, and total contribution margin to data health degree is obtained, by total contribution to data health degree Value obtains the health degree of data object, the data health degree comprehensive assessment function representation multiplied by conversion coefficient k are as follows:
Wherein, D indicates that the health degree of data object, n indicate the number of data health degree evaluation metrics, wiIndicate that i-th comments Survey the corresponding weight of index, SiIndicate the evaluation and test value of the i-th evaluation metrics, k indicates conversion coefficient.
In the present embodiment, for example, passing through weight wiWith the design of conversion coefficient k, data health degree is mapped to 0~100 The integer value in section.
A15, passing through weight wiWith the design of conversion coefficient k, data health degree is mapped to the integer in 0~100 section After value, integer value size can be divided into it is excellent, good, in, the health degree grades of poor four different data objects, such as, wherein 0~40 is poor, and 40~60 are, 60~80 be it is good, 80~100 be excellent.
In the present embodiment, as an alternative embodiment, the metadata for the data object that the basis is got is determined The health degree grade of the data object includes:
Determine the evaluation and test value of each evaluation metrics relevant to data health degree;
By the evaluation and test value of each evaluation metrics multiplied by the corresponding weight of each evaluation metrics, each evaluation metrics are obtained to data The contribution margin of health degree;
Contribution margin of the obtained each evaluation metrics to data health degree is added, total tribute to data health degree is obtained Offer value;
By obtained total contribution margin to data health degree multiplied by pre-set conversion coefficient, the data pair are obtained The health degree of elephant;
According to the mapping relations between the health degree of pre-set data object and the health degree grade of data object, root According to the health degree of the obtained data object, the health degree grade of the data object is obtained.
In the present embodiment, as another alternative embodiment, the determination each evaluation metrics relevant to data health degree Evaluation and test value include:
Judge whether the type of the data object meets pre-set data standard specification, obtains the data standard The evaluation and test value of accordance;
According to the difference between the creation time of the data object and the current time of the access data object whether Less than preset time threshold, the evaluation and test value of the timeliness is obtained;
Completeness check is carried out to the digital digest of the data object, obtains the evaluation and test value of the data integrity;
According to the digital signature of the digital certificate of the data owner and the data object, the data object is verified Credibility, obtain the evaluation and test value of the credibility;
The data object is accessed according to the access chained address of the data object, obtains the evaluation and test of the accessibility Value;
The number for obtaining data object described in successful access, the number of data object described in the successful access that will acquire divided by The accessed total degree of the data object, obtains the evaluation and test value of the successful access rate;
The number for obtaining data object described in failed access, the number of data object described in the failed access that will acquire divided by The accessed total degree of the data object, obtains the evaluation and test value of the failed access rate.
As shown in figure 3, the health degree grade of the obtained data object can also be stored in data in the present embodiment In health degree list, cloud platform/Cloud Server administrator formulates according to the health degree grade being stored in data health degree list Different secure access strategies obtains the mapping relations between the health degree grade of data object and secure access strategy.In this way, The maker of secure access strategy expands to cloud platform/Cloud Server administrator by data owner, does not need data owner Participate and draw secure access strategy, on the one hand, it can be formulated with effectively save data owner the time of secure access strategy, it is another The object of aspect, access control expands to data object itself by visitor, can be under the premise of guaranteeing data security access Visitor is improved to the trusting degree of accessed data object, reduces the unhealthy data bring potential risk of Accessor Access; Wherein, the secure access strategy includes: access authority and corresponding safety and indicating risk.
As shown in Figures 2 and 3, in the present embodiment, after customization secure access strategy, visitor is directed under cloud computing environment Data object initiate access request, cloud platform/Cloud Server can according to the health degree list and secure access strategy (or, Mapping relations between the health degree grade and secure access strategy of data object) response is carried out to this access, give visitor Actual access authority is distributed, and carries out corresponding safety and indicating risk.
In the present embodiment, as an alternative embodiment, when the data object described in the Accessor Access, according to setting in advance Mapping relations between the health degree grade and secure access strategy of the data object set, according to the Accessor Access The health degree grade of data object is visitor's allocation of access rights, and provides corresponding safety with indicating risk and include:
When the data object described in the Accessor Access, visited according to the health degree grade and safety of pre-set data object It asks the mapping relations between strategy, is the visitor according to the health degree grade of the data object of the Accessor Access Allocation of access rights, and provide corresponding safety and indicating risk.
In the present embodiment, the health degree grade of the data object include: it is excellent, good, in, it is poor;If Accessor Access's The health degree grade of the data object be it is excellent, then can prompt the data obj ect security can during accessing the data object Letter.If the health degree grade of the data object of Accessor Access be it is good, which can be by the positive frequentation of user It asks, prompts the data object normal.During if the health degree grade of the data object of Accessor Access were, data object Interviewee has indicating risk when accessing, visitor's data object is prompted to have certain security risk.If visitor Access the data object health degree grade be it is poor, then forbid Accessor Access's data object.In this way, for different strong The data object of Kang Du grade uses different secure access strategies, ensures the peace of data object in Accessor Access's cloud platform Entirely, the potential risk of Accessor Access's bad data object is reduced.
In the present embodiment, as another alternative embodiment, the health degree grade of the data object include: it is excellent, good, in, Difference;
When the data object described in the Accessor Access, according to the health degree grade and peace of pre-set data object Mapping relations between full access strategy are the visit according to the health degree grade of the data object of the Accessor Access The person's of asking allocation of access rights, and provide corresponding safety with indicating risk and include:
If the health degree grade of the data object of Accessor Access be it is excellent, visitor is accessing the data object During prompt data obj ect security described in the visitor credible;
If the health degree grade of the data object of Accessor Access be it is good, the data object interviewee is normal Access;
If during the health degree grade of the data object of Accessor Access is, visitor is accessing the data object During prompt data described in the visitor corresponding there are security risks;
If the health degree grade of the data object of Accessor Access be it is poor, forbid data pair described in Accessor Access As.
Embodiment two
The present invention also provides a kind of specific embodiment of the access control system of data object under cloud computing environment, due to The visit of the access control system of data object and data object under aforementioned cloud computing environment under cloud computing environment provided by the invention Ask that the specific embodiment of control method is corresponding, the access control system of data object can be by holding under the cloud computing environment Process step in row above method specific embodiment achieves the object of the present invention, therefore data under above-mentioned cloud computing environment Explanation in the access control method specific embodiment of object is also applied for number under cloud computing environment provided by the invention According to the specific embodiment of the access control system of object, will not be described in great detail in present invention specific embodiment below.
Referring to shown in Fig. 4, the embodiment of the present invention also provides a kind of access control system of data object under cloud computing environment, Include:
Module 11 is obtained, for obtaining the metadata for the data object being stored in Cloud Server;
Determining module 12, for determining the health of the data object according to the metadata of the data object got Spend grade;
Distribution module 13, when for the data object described in the Accessor Access, according to the strong of pre-set data object Mapping relations between Kang Du grade and secure access strategy, according to the health degree of the data object of the Accessor Access Grade is the corresponding secure access strategy of visitor distribution.
The access control system of data object under cloud computing environment described in the embodiment of the present invention is stored in cloud by obtaining The metadata of data object in server;The data object is determined according to the metadata of the data object got Health degree grade;When the data object described in the Accessor Access, according to the health degree grade and peace of pre-set data object Mapping relations between full access strategy are the visitor according to the health degree grade of the data object of Accessor Access The corresponding secure access strategy of distribution.In this way, the data object for different health degree grades uses different secure access plans Slightly, it can ensure the safety of data object in Accessor Access's Cloud Server, reduce the latent of Accessor Access's bad data object In risk.
Under aforementioned cloud computing environment in the specific embodiment of the access control system of data object, further, institute Stating determining module includes:
First determination unit, for determining the evaluation and test value of each evaluation metrics relevant to data health degree;
Second determination unit, for multiplied by the corresponding weight of each evaluation metrics, obtaining the evaluation and test value of each evaluation metrics Contribution margin of each evaluation metrics to data health degree;
Third determination unit obtains total for contribution margin of the obtained each evaluation metrics to data health degree to be added The contribution margin to data health degree;
4th determination unit, total contribution margin to data health degree for that will obtain are multiplied by pre-set conversion Number, obtains the health degree of the data object;
5th determination unit, the health degree grade for health degree and data object according to pre-set data object Between mapping relations the health degree grade of the data object is obtained according to the health degree of the obtained data object.
Under aforementioned cloud computing environment in the specific embodiment of the access control system of data object, further, with The relevant evaluation metrics of data health degree include: data standard compliance, timeliness, data integrity, credibility, may have access to Property, successful access rate and failed access rate;
The metadata of the data object include: the type of data object, creation time, digital digest, data owner, Digital signature, access chained address and access historical record, wherein the access historical record includes: number described in successful access The historical record of data object described in historical record and failed access according to object;
First determination unit includes:
Judgment sub-unit, for judging whether the type of the data object meets pre-set data standard specification, Obtain the evaluation and test value of the data standard compliance;
Comparing subunit, for according to the creation time of the data object and the current time of the access data object Between difference whether be less than preset time threshold, obtain the evaluation and test value of the timeliness;
First verification subelement, carries out completeness check for the digital digest to the data object, obtains the number According to the evaluation and test value of integrality;
Second verification subelement, for being signed according to the digital certificate of the data owner and the number of the data object Name, verifies the credibility of the data object, obtains the evaluation and test value of the credibility;
Subelement is accessed, for accessing the data object according to the access chained address of the data object, obtains institute State the evaluation and test value of accessibility;
First removes subunit, for obtaining the number of data object described in successful access, the successful access institute that will acquire The total degree that the number of data object is accessed divided by the data object is stated, the evaluation and test value of the successful access rate is obtained;
Second removes subunit, for obtaining the number of data object described in failed access, the failed access institute that will acquire The total degree that the number of data object is accessed divided by the data object is stated, the evaluation and test value of the failed access rate is obtained.
Under aforementioned cloud computing environment in the specific embodiment of the access control system of data object, further, institute Distribution module is stated, when for the data object described in the Accessor Access, according to the health degree grade of pre-set data object With the mapping relations between secure access strategy, the health degree grade according to the data object of the Accessor Access is institute Visitor's allocation of access rights is stated, and provides corresponding safety and indicating risk.
Under aforementioned cloud computing environment in the specific embodiment of the access control system of data object, further, institute State data object health degree grade include: it is excellent, good, in, it is poor;
The distribution module includes:
First allocation unit, if the health degree grade of the data object for Accessor Access is excellent, visitor Prompt data obj ect security described in the visitor credible during accessing the data object;
Second allocation unit, if the health degree grade of the data object for Accessor Access is good, the number It is normally accessed according to object interviewee;
Third allocation unit, if during the health degree grade of the data object for Accessor Access is, visitor Prompting data described in the visitor to correspond to during accessing the data object, there are security risks;
4th allocation unit, if the health degree grade of the data object for Accessor Access be it is poor, forbid visiting The person of asking accesses the data object.
The above is a preferred embodiment of the present invention, it is noted that for those skilled in the art For, without departing from the principles of the present invention, it can also make several improvements and retouch, these improvements and modifications It should be regarded as protection scope of the present invention.

Claims (6)

1. the access control method of data object under a kind of cloud computing environment characterized by comprising
Obtain the metadata for the data object being stored in Cloud Server;
The health degree grade of the data object is determined according to the metadata of the data object got;
When the data object described in the Accessor Access, according to the health degree grade and secure access plan of pre-set data object Mapping relations between slightly are visitor distribution according to the health degree grade of the data object of the Accessor Access Corresponding secure access strategy;
Wherein, the metadata for the data object that the basis is got determines the health degree grade packet of the data object It includes:
Determine the evaluation and test value of each evaluation metrics relevant to data health degree;
By the evaluation and test value of each evaluation metrics multiplied by the corresponding weight of each evaluation metrics, each evaluation metrics are obtained to data health The contribution margin of degree;
Contribution margin of the obtained each evaluation metrics to data health degree is added, total contribution to data health degree is obtained Value;
By obtained total contribution margin to data health degree multiplied by pre-set conversion coefficient, the data object is obtained Health degree;
According to the mapping relations between the health degree of pre-set data object and the health degree grade of data object, according to The health degree of the data object arrived obtains the health degree grade of the data object;
Wherein, evaluation metrics relevant to data health degree include: data standard compliance, it is timeliness, data integrity, credible Property, accessibility, successful access rate and failed access rate;
The metadata of the data object includes: type, creation time, digital digest, data owner, the number of data object Signature, access chained address and access historical record, wherein the access historical record includes: data pair described in successful access The historical record of data object described in the historical record and failed access of elephant;
The evaluation and test value of the determination each evaluation metrics relevant to data health degree includes:
Judge whether the type of the data object meets pre-set data standard specification, obtains the data standard and meet The evaluation and test value of property;
Whether it is less than according to the difference between the creation time of the data object and the current time of the access data object Preset time threshold obtains the evaluation and test value of the timeliness;
Completeness check is carried out to the digital digest of the data object, obtains the evaluation and test value of the data integrity;
According to the digital signature of the digital certificate of the data owner and the data object, verify the data object can Letter property, obtains the evaluation and test value of the credibility;
The data object is accessed according to the access chained address of the data object, obtains the evaluation and test value of the accessibility;
The number of data object described in successful access is obtained, the number of data object described in the successful access that will acquire is divided by described The accessed total degree of data object, obtains the evaluation and test value of the successful access rate;
The number of data object described in failed access is obtained, the number of data object described in the failed access that will acquire is divided by described The accessed total degree of data object, obtains the evaluation and test value of the failed access rate.
2. the access control method of data object under cloud computing environment according to claim 1, which is characterized in that work as access When person accesses the data object, according to reflecting between the health degree grade and secure access strategy of pre-set data object Relationship is penetrated, is visitor's allocation of access rights according to the health degree grade of the data object of the Accessor Access, And provide corresponding safety and indicating risk.
3. the access control method of data object under cloud computing environment according to claim 2, which is characterized in that the number Health degree grade according to object include: it is excellent, good, in, it is poor;
When the data object described in the Accessor Access, visited according to the health degree grade and safety of pre-set data object It asks the mapping relations between strategy, is the visitor according to the health degree grade of the data object of the Accessor Access Allocation of access rights, and provide corresponding safety with indicating risk and include:
If the health degree grade of the data object of Accessor Access is excellent, mistake of the visitor in the access data object Prompt data obj ect security described in the visitor credible in journey;
If the health degree grade of the data object of Accessor Access is good, the positive frequentation of data object interviewee It asks;
If during the health degree grade of the data object of Accessor Access is, visitor is in the mistake for accessing the data object Prompting data described in the visitor to correspond in journey, there are security risks;
If the health degree grade of the data object of Accessor Access be it is poor, forbid data object described in Accessor Access.
4. the access control system of data object under a kind of cloud computing environment characterized by comprising
Module is obtained, for obtaining the metadata for the data object being stored in Cloud Server;
Determining module, for determining the health degree etc. of the data object according to the metadata of the data object got Grade;
Distribution module, when for the data object described in the Accessor Access, according to the health degree etc. of pre-set data object Mapping relations between grade and secure access strategy, the health degree grade according to the data object of the Accessor Access are The corresponding secure access strategy of visitor's distribution:
Wherein, the determining module includes:
First determination unit, for determining the evaluation and test value of each evaluation metrics relevant to data health degree;
Second determination unit, for multiplied by the corresponding weight of each evaluation metrics, obtaining each the evaluation and test value of each evaluation metrics Contribution margin of the evaluation metrics to data health degree;
Third determination unit obtains total pair for contribution margin of the obtained each evaluation metrics to data health degree to be added The contribution margin of data health degree;
4th determination unit, total contribution margin to data health degree for that will obtain multiplied by pre-set conversion coefficient, Obtain the health degree of the data object;
5th determination unit, between the health degree according to pre-set data object and the health degree grade of data object Mapping relations the health degree grade of the data object is obtained according to the health degree of the obtained data object;
Wherein, evaluation metrics relevant to data health degree include: data standard compliance, it is timeliness, data integrity, credible Property, accessibility, successful access rate and failed access rate;
The metadata of the data object includes: type, creation time, digital digest, data owner, the number of data object Signature, access chained address and access historical record, wherein the access historical record includes: data pair described in successful access The historical record of data object described in the historical record and failed access of elephant;
First determination unit includes:
Judgment sub-unit is obtained for judging whether the type of the data object meets pre-set data standard specification The evaluation and test value of the data standard compliance;
Comparing subunit, for according between the creation time of the data object and the current time of the access data object Difference whether be less than preset time threshold, obtain the evaluation and test value of the timeliness;
First verification subelement, carries out completeness check for the digital digest to the data object, it is complete to obtain the data The evaluation and test value of whole property;
Second verification subelement, for according to the digital certificate of the data owner and the digital signature of the data object, The credibility for verifying the data object obtains the evaluation and test value of the credibility;
Access subelement, for accessing the data object according to the access chained address of the data object, obtain it is described can The evaluation and test value of access property;
First removes subunit, for obtaining the number of data object described in successful access, number described in the successful access that will acquire According to the total degree that the number of object is accessed divided by the data object, the evaluation and test value of the successful access rate is obtained;
Second removes subunit, for obtaining the number of data object described in failed access, number described in the failed access that will acquire According to the total degree that the number of object is accessed divided by the data object, the evaluation and test value of the failed access rate is obtained.
5. the access control system of data object under cloud computing environment according to claim 4, which is characterized in that described point With module, when for the data object described in the Accessor Access, according to the health degree grade and peace of pre-set data object Mapping relations between full access strategy are the visit according to the health degree grade of the data object of the Accessor Access The person's of asking allocation of access rights, and provide corresponding safety and indicating risk.
6. the access control system of data object under cloud computing environment according to claim 5, which is characterized in that the number Health degree grade according to object include: it is excellent, good, in, it is poor;
The distribution module includes:
First allocation unit, if the health degree grade of the data object for Accessor Access be it is excellent, visitor is visiting Prompt data obj ect security described in the visitor credible during asking the data object;
Second allocation unit, if the health degree grade of the data object for Accessor Access is good, the data pair As interviewee normally accesses;
Third allocation unit, if visitor is visiting during the health degree grade of the data object for Accessor Access is Prompting data described in the visitor to correspond to during asking the data object, there are security risks;
4th allocation unit, if the health degree grade of the data object for Accessor Access be it is poor, forbid visitor Access the data object.
CN201610982386.XA 2016-11-08 2016-11-08 The access control method and system of data object under a kind of cloud computing environment Active CN106559421B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201610982386.XA CN106559421B (en) 2016-11-08 2016-11-08 The access control method and system of data object under a kind of cloud computing environment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201610982386.XA CN106559421B (en) 2016-11-08 2016-11-08 The access control method and system of data object under a kind of cloud computing environment

Publications (2)

Publication Number Publication Date
CN106559421A CN106559421A (en) 2017-04-05
CN106559421B true CN106559421B (en) 2019-09-10

Family

ID=58444274

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201610982386.XA Active CN106559421B (en) 2016-11-08 2016-11-08 The access control method and system of data object under a kind of cloud computing environment

Country Status (1)

Country Link
CN (1) CN106559421B (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8468345B2 (en) * 2009-11-16 2013-06-18 Microsoft Corporation Containerless data for trustworthy computing and data services
CN103139007A (en) * 2011-12-05 2013-06-05 阿里巴巴集团控股有限公司 Method and system for detecting application server performance
CN103699534B (en) * 2012-09-27 2018-07-20 腾讯科技(深圳)有限公司 The display methods and device of data object in system directory
CN103729593B (en) * 2013-12-31 2017-04-12 安一恒通(北京)科技有限公司 Method and system for recognizing file safety
CN105631344B (en) * 2015-04-30 2018-11-06 南京酷派软件技术有限公司 The access control method and system of secure data, terminal

Also Published As

Publication number Publication date
CN106559421A (en) 2017-04-05

Similar Documents

Publication Publication Date Title
KR102197371B1 (en) Identity verification method and device
CN103597494B (en) Method and apparatus for the use of numerals authority of management document
CN105491054B (en) Judgment method, hold-up interception method and the device of malicious access
US9235695B2 (en) Alias-based social media identity verification
CN104270386B (en) Across application system user (asu) information integrating method and identity information management server
US20130144786A1 (en) Providing verification of user identification information
CN103685244B (en) A kind of differentiation authentication method and device
US9667613B1 (en) Detecting mobile device emulation
US8978159B1 (en) Methods and apparatus for mediating access to derivatives of sensitive data
EP3241136A1 (en) User authentication based on personal access history
CN108632089A (en) Test management method, device, equipment and the computer storage media of terminal
CN110417820A (en) Processing method, device and the readable storage medium storing program for executing of single-node login system
CN105988739A (en) Location and boundary controls for storage volumes
CN109753772A (en) A kind of account safety verification method and system
CN107169499A (en) A kind of Risk Identification Method and device
CN106778138A (en) The control method and device of software license limit
CN105897663A (en) Method for determining access authority, device and equipment
CN106897586A (en) A kind of application programming interface API right management methods and device
CN104836777B (en) Identity verification method and system
CN107888614A (en) A kind of user right determination methods and device
WO2021084434A1 (en) Authentication mechanism utilizing location corroboration
CN107135201A (en) A kind of webserver login authentication method and device
CN108769013A (en) Identity registration method and device based on Ether house
CN108701202A (en) Data leak detecting system
CN102195949A (en) Fingerprint verification method for virtual private network (VPN)

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20200201

Address after: No.163, East 2nd Street, Yudai, Yongding town, Mentougou District, Beijing

Patentee after: Luban (Beijing) Electronic Commerce Technology Co., Ltd.

Address before: 100083 Haidian District, Xueyuan Road, No. 30,

Patentee before: University OF SCIENCE AND TECHNOLOGY BEIJING

TR01 Transfer of patent right