CN108243040A - A kind of authentication of cloud computing and the realization framework for accessing management security service - Google Patents

Info

Publication number: CN108243040A
Authority: CN (China)
Prior art keywords: cloud computing, management, service, security service, authentication
Legal status: Pending
Application number: CN201611222134.3A
Other languages: Chinese (zh)
Inventors: 李木金, 凌飞
Current Assignee: Nanjing Liancheng Science And Technology Development Ltd By Share Ltd
Original Assignee: Nanjing Liancheng Science And Technology Development Ltd By Share Ltd

Classifications

All classes fall under H (Electricity) › H04 (Electric communication technique) › H04L (Transmission of digital information, e.g. telegraphic communication):

    • H04L67/1097 Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • H04L41/06 Management of faults, events, alarms or notifications
    • H04L41/08 Configuration management of networks or network elements
    • H04L63/0218 Network security architectures: distributed architectures, e.g. distributed firewalls
    • H04L63/08 Network security architectures or protocols for authentication of entities
    • H04L63/10 Network security architectures or protocols for controlling access to devices or network resources
    • H04L63/14 Network security architectures or protocols for detecting or protecting against malicious traffic
    • H04L63/20 Network security architectures or protocols for managing network security; network security policies in general
    • H04L67/60 Scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources

Abstract

The invention discloses a realization framework for a cloud-computing-based identity authentication and access management security service (4AaaS: 4A as a service). It enables a security service provider (SSP) to provide 4A services to each corporate client in a public cloud environment. The framework has the core features of a cloud service, including elastic use of resources, pay-per-use and roaming, and integrates well with an existing private cloud (or private platform). The traditional identity authentication and access management framework (4A) is no longer suited to a cloud computing environment. By means of the invention, a secure O&M service cloud platform can provide clients with more complete, higher-security-level 4A security services, improving the core competitiveness of the secure O&M service cloud platform.

Description

Realization framework for a cloud computing identity authentication and access management security service
Technical field
The present invention relates to information security and cloud computing, and in particular to the framework of an intelligent, fast and efficient secure O&M service cloud platform.
Background technology
The English abbreviations used in the present invention are as follows:
SSP: Security Service Provider;
4A: Authentication, Account, Authorization, Audit;
Saas: Security-as-a-service;
4AaaS: 4A-as-a-service;
SOC: Security Operation Center;
ID: Identifier, a unique identification number;
IDS: Intrusion Detection System;
SNMP: Simple Network Management Protocol.
Safe production is always the premise for ensuring that all work proceeds in an orderly way, and is a veto indicator in the assessment of leading cadres at all levels. Enterprise IT network and information security operation and maintenance systems are an important component of all kinds of enterprise safety operation work. The efficient and stable operation of enterprise networks and information systems is the basis of all business management activities and of the normal operation of the enterprise.
At present, enterprise IT systems have deployed, to varying degrees, a variety of intelligent management and control systems and security equipment. These effectively raise labour productivity and reduce operating costs, and have become an important support for efficient enterprise operation and an indispensable link in the production chain. On the one hand, once a security incident or fault occurs in the enterprise network or in one of its control systems, if it cannot be discovered, handled and recovered from in time, it will inevitably affect the normal management order of the enterprise, may even halt production and threaten the survival of the enterprise; the security assurance of the enterprise network is therefore ever more important. On the other hand, because cyber-attack techniques are becoming more advanced and more widespread, enterprise IT network systems face the danger of attack at any time and frequently suffer intrusion and damage of varying degrees, which seriously interferes with the normal operation of the enterprise IT network and with the normal production order of the enterprise. Increasingly serious security threats force enterprises to strengthen the security protection of their networks and business systems, to continuously pursue a multi-level, three-dimensional security defence system, to build a secure O&M service cloud platform, to track system events in real time, to detect and predict all kinds of security attacks in real time, to take corresponding control actions promptly, to eliminate or reduce the loss or harm caused by attacks, and to do everything possible to protect the normal operation of the enterprise IT network and business systems.
The existing secure O&M model of enterprise IT is a passive one: only when the IT software or hardware of a corporate client fails, or when the IT network is not operating normally because of a hacker attack, does the client contact the security service provider (SSP) by telephone or similar means, after which the SSP provides remote and on-site customer service. This passive O&M model cannot fix faults for the client in time, let alone in advance, so the client's normal operation has already been affected to some degree. Therefore a new, proactive secure O&M service model is needed to raise the current level of security service.
Information security is delivered as a service model (Saas) on a cloud computing environment: Saas releases information security services through a public cloud computing environment, and by mixing with a private cloud, Saas can enhance the security solution functions of an existing private cloud (or private platform). The scope of identity authentication and access management covers the entire process of managing access to managed resources. Once a corporate client has passed identity authentication, it is assigned corresponding access rights according to the secure access policy of the protected resources, and the corporate client can then access the corresponding protected resources according to the access rights assigned.
For this reason, how to use information technology to improve the operating efficiency of enterprises and optimize their IT systems, so that professional and cost-effective information security O&M services can be provided to all kinds of enterprises, has become an important topic to be solved, particularly in the design of information security O&M management cloud platforms.
Invention content
The present invention provides a realization framework for a cloud-computing-based identity authentication and access management security service, which provides each client with fully featured, high-security-level 4A security services on top of the security management system (or private cloud) originally built for that corporate client.
The cloud-computing-based identity authentication and access management security service realization framework of the present invention is applied to a secure O&M monitoring service platform capable of providing various security services and O&M monitoring services to multiple corporate clients.
The security services include 4A, configuration management/baseline management, security risk assessment, threat detection, vulnerability scanning, anti-virus, bastion host functions, etc.
The O&M monitoring services include 4A, configuration management, fault management, performance management, issue management, change management, etc.
The framework includes an identity authentication and access management security service module, a protected access resource module and a Web browser module. The identity authentication and access management security service module includes a 4A core functions submodule and a 4A management submodule.
The protected access resource module includes at least equipment, data, applications, services and one or more SSPs.
Further, the 4A core functions submodule includes at least authentication, authorization, audit, ID management and single sign-on functions.
Further, the 4A management submodule includes at least policy management.
Further, the identity authentication and access management security service module runs on a public cloud computing environment.
Further, the protected access resource module runs on a private cloud computing environment.
The cloud-computing-based identity authentication and access management security service (4AaaS: 4A as a service) realization framework of the present invention enables a security service provider (SSP) to provide 4A services to each corporate client in a public cloud environment. The framework has the core features of a cloud service, including elastic use of computing resources, pay-per-use and roaming, and integrates well with an existing private cloud (or private platform). The traditional identity authentication and access management framework (4A) is no longer suited to a cloud computing environment. By means of the invention, the secure O&M service cloud platform can provide clients with fully featured, high-security-level 4A security services, improving the core competitiveness of the secure O&M service cloud platform.
Description of the drawings
Fig. 1 is a structural diagram of the realization framework for the cloud-computing-based identity authentication and access management security service of the present invention;
Specific embodiment
The present invention is further described below with reference to the accompanying drawings and an example:
The identity authentication and access management security service of the present invention includes 4A. On the basis of the security management system (or private cloud) originally built for each corporate client, it provides the client with more complete, higher-security-level 4A security services.
4A is defined as the four major components of information security, namely unified user account management, unified authentication management, unified authorization management and unified security audit management, and it also covers functions such as single sign-on; it can provide clients with fully featured, high-security-level 4A services.
Centralized account management (or ID management) provides clients with unified, centralized account management. The managed resources include mainstream operating systems, network equipment, application systems, SSPs, etc. It realizes not only the basic functions of the account management life cycle, such as creating, deleting and synchronizing the accounts of managed resources, but also functions such as account password policy, password strength and life-cycle settings.
Centralized authentication management can provide corporate clients with authentication modes of different strength according to the actual needs of their applications: it can keep the original static password mode, can provide high-strength authentication with two-factor authentication (one-time password, digital certificate, dynamic password), and can also integrate other existing novel authentication modes such as facial recognition and fingerprint recognition. It not only realizes unified management of corporate client authentication but can also provide corporate clients with a unified authentication portal, realizing single sign-on for access to enterprise information resources.
Centralized authorization management can centrally control the resource access rights of corporate clients. It can realize access privilege control for B/S and C/S application system resources, and can also realize operation permission control for databases, hosts, network equipment, SSPs and so on. The resource control types include B/S URLs and C/S function modules, as well as database data and records, operational commands on hosts and network equipment, IP addresses and ports, etc.
Centralized audit management centrally records and analyzes all management operation logs of corporate clients. It can not only monitor corporate client behaviour, but can also perform data mining on the centralized audit data to facilitate the identification of responsibility for security incidents after the fact.
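Centralized authorization and audit as just described, as an added example that is not code from the patent: deny-by-default policy evaluation over the resource control types the description lists, every decision written to one audit trail, and a post-incident query over that trail. The resource kind names, the policy shape and the sample policies are constructed assumptions.

```python
import fnmatch
from dataclasses import dataclass
from datetime import datetime, timezone

# Resource control types named in the description (key names are assumed).
RESOURCE_KINDS = {"url", "function_module", "db_record", "host_command",
                  "network_device_command", "ip_port"}


@dataclass(frozen=True)
class Policy:
    account: str   # managed account the rule applies to; "*" means any account
    kind: str      # one of RESOURCE_KINDS
    target: str    # fnmatch pattern over the resource, e.g. "10.0.1.*:22"
    effect: str    # "allow" or "deny"; a matching deny always wins


@dataclass
class AuditRecord:
    when: str
    account: str
    kind: str
    target: str
    decision: str
    matched: str   # rule that produced the decision, or "default-deny"


class CentralAuthz:
    """Deny-by-default policy evaluation with a single, centralized audit trail."""

    def __init__(self, policies):
        for p in policies:
            if p.kind not in RESOURCE_KINDS or p.effect not in ("allow", "deny"):
                raise ValueError(f"invalid policy: {p}")
        self.policies = list(policies)
        self.audit = []  # list of AuditRecord, in decision order

    @staticmethod
    def _matches(p, account, kind, target):
        return (p.account in ("*", account) and p.kind == kind
                and fnmatch.fnmatchcase(target, p.target))

    def check(self, account, kind, target):
        """Return True if the account may act on the resource; record the decision."""
        decision, matched = "deny", "default-deny"
        for p in self.policies:
            if not self._matches(p, account, kind, target):
                continue
            decision, matched = p.effect, repr(p)
            if p.effect == "deny":
                break  # an explicit deny overrides any allow
        self.audit.append(AuditRecord(datetime.now(timezone.utc).isoformat(),
                                      account, kind, target, decision, matched))
        return decision == "allow"

    def who_touched(self, kind, target_pattern, only_allowed=True):
        """Post-incident query over the audit trail: which accounts acted on
        resources matching the pattern (by default, only successful actions)."""
        return sorted({r.account for r in self.audit
                       if r.kind == kind
                       and fnmatch.fnmatchcase(r.target, target_pattern)
                       and (r.decision == "allow" or not only_allowed)})


# Constructed sample policies for two managed accounts.
SAMPLE_POLICIES = [
    Policy("ops-alice", "url", "/admin/*", "allow"),
    Policy("ops-alice", "host_command", "*", "allow"),   # broad allow ...
    Policy("*", "host_command", "reboot*", "deny"),      # ... but deny beats allow
    Policy("*", "ip_port", "10.0.1.*:22", "allow"),
    Policy("dba-bob", "db_record", "crm.customers/*", "allow"),
]
```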
Fig. 1 is a structural diagram of the realization framework for the cloud-computing-based identity authentication and access management security service of the present invention.
The framework includes an identity authentication and access management security service module, a protected access resource module and a Web browser module. The identity authentication and access management security service module includes a 4A core functions submodule and a 4A management submodule.
The protected access resource module includes at least equipment, data, applications, services and one or more SSPs.
The SSP in the present invention refers to the security service provider that originally built the security management system (or private cloud) for multiple corporate clients.
The equipment, data, applications and services may be the equipment or business equipment of the SSP, or may not be the equipment or business equipment of the SSP (or may be newly added equipment).
The 4A core functions submodule includes at least authentication, authorization, audit, ID management and single sign-on functions.
The 4A management submodule includes at least policy management.
The identity authentication and access management security service module runs on a public cloud computing environment. For example, a Web server on a Windows virtual machine runs in the public cloud environment, with the 4A core module and the 4A management module running on two different virtual machines in that environment. When a corporate client registers for the first time, the client's digital certificate is stored in the MySQL database of the framework. User passwords are stored encrypted and are not visible to anyone (not even the SSP). When a client enterprise logs in, its digital certificate is verified first; on successful verification a token is generated and returned. The token is the pass with which the enterprise user accesses the protected resources in the private cloud, for example equipment, data, applications, SSPs, etc. This is a relatively complete flow of the identity authentication and access management service. It is provided to corporate clients as a cloud service, which can be accessed through a browser on a PC, mobile phone, Pad, etc.
The protected access resource module runs on a private cloud computing environment. After passing through the 4A running on the public cloud, the corporate client accesses the corresponding protected resources, for example equipment, data, applications and the SSP (or multiple SSPs), according to the assigned permissions, and carries out the corresponding secure O&M operations, etc.
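The registration, login and token flow described above, as an added example that is not code from the patent (the patent names a MySQL store, encrypted passwords, certificate verification and a token, but specifies no formats). Assumptions: the store is an in-memory dict standing in for MySQL; the registered certificate is pinned by SHA-256 fingerprint rather than chain-validated; passwords are kept as salted PBKDF2 hashes so the clear text is visible to no one; the token is an HMAC-signed, time-limited claim set that the private-cloud resource module verifies with a key shared with the 4A core module.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed: one secret shared by the public-cloud 4A core module (issuer) and the
# private-cloud resource module (verifier). Generated fresh here for the demo.
SERVICE_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 900
PBKDF2_ROUNDS = 200_000

# Constructed sample certificate bytes; only its fingerprint is used below.
FAKE_CERT = b"-----BEGIN CERTIFICATE-----\nCONSTRUCTED-SAMPLE\n-----END CERTIFICATE-----\n"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(client_id, permissions, now):
    """4A core module side: sign a claim set naming the client and its permissions."""
    body = json.dumps({"sub": client_id, "perm": list(permissions),
                       "iat": int(now), "exp": int(now) + TOKEN_TTL_SECONDS},
                      separators=(",", ":")).encode()
    sig = hmac.new(SERVICE_KEY, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(sig)


def verify_token(token, now=None):
    """Resource module side: check signature and expiry; return claims or None."""
    try:
        body_b64, sig_b64 = token.split(".")
        body, sig = _unb64(body_b64), _unb64(sig_b64)
    except (ValueError, TypeError):
        return None
    expected = hmac.new(SERVICE_KEY, body, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(body)
    current = now if now is not None else time.time()
    if current >= claims["exp"]:
        return None
    return claims


class ClientRegistry:
    """Stand-in for the framework's MySQL store (assumption: a dict)."""

    def __init__(self):
        self._clients = {}

    def register(self, client_id, certificate_pem: bytes, password: str, permissions):
        """First-time registration: keep the certificate fingerprint and a salted
        one-way password hash, never the password itself."""
        salt = secrets.token_bytes(16)
        self._clients[client_id] = {
            "cert_fp": hashlib.sha256(certificate_pem).hexdigest(),
            "salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
            "permissions": list(permissions),
        }

    def login(self, client_id, certificate_pem: bytes, password: str, now=None):
        """Verify the presented certificate against the registered one, then the
        password; on success issue a token, otherwise return None."""
        rec = self._clients.get(client_id)
        if rec is None:
            return None
        presented_fp = hashlib.sha256(certificate_pem).hexdigest()
        if not hmac.compare_digest(presented_fp, rec["cert_fp"]):
            return None
        pw = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
        if not hmac.compare_digest(pw, rec["pw_hash"]):
            return None
        current = now if now is not None else time.time()
        return issue_token(client_id, rec["permissions"], current)
```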
The foregoing are merely preferred embodiments of the present invention and are not intended to limit its scope of practice; all equivalent changes and modifications made in accordance with the present invention are considered to be covered by the scope of the claims of the present invention.

Claims (7)

1. The present invention provides a realization framework for a cloud-computing-based identity authentication and access management security service, including an identity authentication and access management security service module, a protected access resource module and a Web browser module.
2. The realization framework for a cloud-computing-based identity authentication and access management security service as described in claim 1, wherein the identity authentication and access management security service module includes a 4A core functions submodule and a 4A management submodule.
3. The realization framework for a cloud-computing-based identity authentication and access management security service as described in claim 1, wherein the protected access resource module includes at least equipment, data, applications, services, and one SSP or multiple SSPs.
4. The realization framework for a cloud-computing-based identity authentication and access management security service as claimed in claim 2, wherein the 4A core functions submodule includes at least authentication, authorization, audit, ID management and single sign-on functions.
5. The realization framework for a cloud-computing-based identity authentication and access management security service as claimed in claim 2, wherein the 4A management submodule includes at least policy management.
6. The realization framework for a cloud-computing-based identity authentication and access management security service as claimed in claim 2, wherein the identity authentication and access management security service module runs on a public cloud computing environment.
7. The realization framework for a cloud-computing-based identity authentication and access management security service as claimed in claim 2, wherein the protected access resource module runs on a private cloud computing environment.

Publication data

Application number: CN201611222134.3A
Priority date: 2016-12-23
Filing date: 2016-12-23
Publication number: CN108243040A (en), published 2018-07-03
Family ID: 62702221
Country status: CN (1), CN108243040A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20180703