CN110012016A - Method and system for resource access control in a hybrid cloud environment - Google Patents

Info
Publication number: CN110012016A
Authority: CN (China)
Application number: CN201910286462.7A
Other languages: Chinese (zh)
Other versions: CN110012016B (granted publication)
Inventors: 高寿柏, 仲茜
Original and current assignee: Shandong Shichuang Yun Service Co Ltd
Legal status: Granted, Active

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/105 Multiple levels of security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The present disclosure proposes a method and system for resource access control in a hybrid cloud environment. On receiving a user's request to access a business system, the user's valid identity information is injected at the source of the network packet. At the destination, the network packet is intercepted and the user identity is parsed, and the association between the user and the accessed application defined in a policy list determines whether the packet is passed or rejected. The disclosed scheme implements access control at the network driver layer and strengthens the security protection of enterprise business systems.

Description

Method and system for resource access control in a hybrid cloud environment
Technical field
The present disclosure relates to the field of information data processing technology, and in particular to a method and system for resource access control in a hybrid cloud environment.
Background technique
As cloud computing technology matures and is widely adopted, its advantages in cost, performance and reliability become increasingly prominent, and public institutions and enterprises are gradually moving their business systems from traditional data centers into hybrid cloud environments. The hybrid cloud overcomes the inherent shortcomings of public and private clouds by fusing the two, and is the main pattern and development direction of cloud computing. In a hybrid cloud environment, information resources are mostly supplied to users in the form of hardware facilities, software systems and data; after weighing security, cost and performance, core systems and data are usually deployed in the private cloud while other systems and data are deployed in the public cloud. To ensure that only legitimate users can access authorized resources, and to improve the security and manageability of resource access in the hybrid cloud, identity authentication and resource access in both the private cloud and the public cloud must be controlled in a unified way. The objects of control include not only hardware resources such as physical hosts and virtual resources such as virtual hosts, but also software resources such as application systems.
In a hybrid cloud environment, the cloud operator is usually a professional cloud service organization, while public institutions and enterprises are the users of cloud resources: they obtain hardware resources in the hybrid cloud by renting or hosting, and deploy their own systems and data into the cloud. These characteristics of the hybrid cloud make its usage and resource management patterns very different from those of a traditional private data center. In a hybrid cloud the manager of resources (the cloud service organization) and the user (the tenant of hardware and virtual resources, who deploys the software systems and data) are usually different entities, whereas in a traditional data center the manager and the user of resources are usually the same. Correspondingly, resource access control in a hybrid cloud also differs greatly from that of a traditional data center. Under the traditional data center model, resource access control is implemented independently by the resource manager, whereas in a hybrid cloud it is implemented jointly by the manager and the user of the resource: the former is responsible for deploying and operating the security authentication platform and for configuring and maintaining the overall authentication and access control policies, and the latter is responsible for configuring and maintaining the authentication and access control policies of its own resources.
The diversity of resources and the complexity of resource usage patterns in a hybrid cloud environment mean that an access control scheme cannot be based only on the network parameters of a packet (such as IP address and port); it must also take into account the specific resource being accessed and the user accessing it. In this text the former is called network-level access control and the latter user-level access control; the latter is clearly the higher-level scheme. The key problem in realizing user-level access control is identifying the user to whom a packet belongs. An intuitive idea is to use the IP address the user had when logging in to the authentication system, but because of the limited number of IPv4 addresses it is impossible to assign a globally unique IPv4 address to every terminal device on the Internet. Address shortage is generally solved with network address translation (NAT), which translates between the internal address of a packet within the local area network and a public address (usually an Internet address) at the network exit. Packets from the same local area network therefore correspond to a single public address regardless of whether their internal addresses differ, so a user cannot be identified by IP address alone.
The inventors found in practice that, technically, current data center resource access control mainly falls into two classes of solutions. One uses traditional network security technology such as network firewalls and VPNs (Virtual Private Network); the other is known as an IAM (Identity and Access Management) system, a system dedicated to identity authentication and access control. A network firewall works mainly at the network layer, can only handle network-level access control, and cannot satisfy user-level access control. VPN technology has some user-level access control capability, but data must be encrypted in transit, and all packets must pass through the VPN server for encryption and decryption, user identification, unpacking and reassembly, and enforcement of access control policies, so it easily becomes a performance bottleneck that affects user experience. An IAM system is developed specifically for user authentication and user-level access control and offers functions such as single sign-on, authentication management, user authorization and security auditing. However, existing IAM systems usually target the private data center of a single enterprise and are deployed intrusively: the user's existing systems must be modified so that their user authentication is uniformly handed over to the IAM server for processing. Deployment and maintenance are difficult, costly and inflexible, so such systems are only suitable for the private data centers of traditional large enterprises and are hard to apply to a hybrid cloud environment.
From the above it can be seen that the main problems faced by resource access control in a hybrid cloud environment are:
(1) how to effectively identify the user to whom a packet belongs, whether in an intranet or a public network environment;
(2) how to track the user's permissions when accessing resources;
(3) how to adapt resources for security in a non-intrusive way.
Summary of the invention
The first purpose of the embodiments of this specification is to provide a method for resource access control in a hybrid cloud environment that can control user access to business systems at the macro level and strengthen the security protection of enterprise business systems.
The embodiments of this specification provide a method for resource access control in a hybrid cloud environment, realized by the following technical scheme:
It includes:
receiving a user's request to access a business system, and injecting the user's valid identity information at the source of the network packet;
intercepting the network packet at its destination and parsing the user identity, and deciding whether to pass or reject the packet according to the association between the user and the accessed application defined in a policy list.
In a further embodiment, on receiving the user's request to access the business system, the driver layer at the source of the network packet checks the business system being accessed: whether the accessed information is the information of the server hosting the business system application defined in the first policy list. If it is a legal access defined in the first policy list and the user is currently in the logged-in state, the valid user identity information is injected at the source driver layer.
Further, after the source driver layer injects the valid user identity information, the same valid identity information is synchronized into the second policy list.
Further, the driver layer at the destination of the network packet checks whether the information of the accessed business system is defined in the second policy list and checks the legitimacy of the user identity, and passes or blocks the current packet according to the control information recorded in the second policy list.
The second purpose of the embodiments of this specification is to provide a system for resource access control in a hybrid cloud environment that can control user access to business systems at the macro level and strengthen the security protection of enterprise business systems.
Another embodiment of this specification provides a system for resource access control in a hybrid cloud environment, realized by the following technical scheme:
It includes:
a network egress module, configured to receive a user's request to access a business system and inject the user's valid identity information at the source of the network packet;
a network ingress module, configured to intercept the network packet at its destination and parse the user identity, and to decide whether to pass or reject the packet according to the association between the user and the accessed application defined in a policy list.
As a further technical scheme of the disclosure, the network egress module receives the user's request to access the business system and, at the driver layer of the packet source, checks the business system being accessed: whether the accessed information is the information of the server hosting the business system application defined in the first policy list. If it is a legal access defined in the first policy list and the user is currently in the logged-in state, the valid user identity information is injected at the source driver layer.
Further, the system also includes a user identity synchronization module, configured to synchronize the same valid identity information into the second policy list after the source driver layer has injected it.
Further, the network ingress module is configured to check, at the driver layer of the packet destination, whether the information of the accessed business system is defined in the second policy list and whether the user identity is legitimate, and to pass or block the current packet according to the control information recorded in the second policy list.
The third purpose of the embodiments of this specification is to provide an IAM system that can control user access to business systems at the macro level and strengthen the security protection of enterprise business systems.
Another embodiment of this specification provides an IAM system, realized by the following technical scheme:
The system includes an IAM system server, an information input unit and a display unit. The information input unit is used to enter the user's request to access a business system, and the display unit shows the relevant information processed by the IAM system server.
The IAM system server is configured to execute the following procedure:
receiving the user's request to access the business system and, at the driver layer of the packet source, checking the business system being accessed: whether the accessed information is the information of the server hosting the business system application defined in the first policy list; if it is a legal access defined in the first policy list and the user is currently in the logged-in state, injecting the valid user identity information at the source driver layer;
after the source driver layer injects the valid user identity information, synchronizing the same valid identity information into the second policy list;
at the driver layer of the packet destination, checking whether the information of the accessed business system is defined in the second policy list and whether the user identity is legitimate, and passing or blocking the current packet according to the control information recorded in the second policy list. Unlike a traditional IAM system, the above process is non-intrusive to the user's systems and requires no modification of them.
The fourth purpose of the embodiments of this specification is to provide a computer device that can control user access to business systems at the macro level and strengthen the security protection of enterprise business systems.
The embodiments of this specification provide a computer device including a memory, a processor and a computer program stored in the memory and runnable on the processor, characterized in that the processor, when executing the program, realizes the steps of the method for resource access control in a hybrid cloud environment.
The fifth purpose of the embodiments of this specification is to provide a computer-readable storage medium that can control user access to business systems at the macro level and strengthen the security protection of enterprise business systems.
The embodiments of this specification provide a computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, realizes the steps of the method for resource access control in a hybrid cloud environment.
The disclosed scheme does not require complex reconstruction of the network environment, is transparent to the enterprise's business systems, and does not require adding security interfaces to them. It is suited to the operation and management of a hybrid cloud environment and can control user access to business systems at the macro level. On the basis of the implementation described by the disclosed scheme, technical support can be provided for forensic investigation of attacks on business systems, auditing of users' operations on business systems, and analysis and mining of data such as users' preferences for business systems.
Compared with the prior art, the beneficial effects of the disclosure are:
The disclosed scheme tracks the user's valid identity by injecting identity information into network packets, tracks the user's effective permissions on applications by analyzing policy lists at the network driver layer, and adapts resources for security by way of port protection.
The method corresponding to the disclosed scheme does not require the construction of a complex network environment and does not require intrusive changes to the enterprise's business interfaces.
The disclosed scheme implements access control at the network driver layer and strengthens the security protection of enterprise business systems: an intruder must first defeat the network driver layer before being able to reach the business system at all, and only then can the security mechanisms of the business system itself be attacked. The method is equivalent to adding a second lock on top of the business system's original one.
The disclosed scheme can provide technical support for forensic investigation of attacks on business systems, auditing of users' operations on business systems, and analysis and mining of data such as users' preferences for business systems.
Detailed description of the invention
The accompanying drawings, which form part of this disclosure, are provided to aid understanding of the disclosure. The schematic embodiments of the disclosure and their descriptions serve to explain the disclosure and do not constitute an improper limitation of it.
Fig. 1 is a schematic diagram of the structure and flow of one or more implementation examples of the disclosure;
Fig. 2 is a schematic diagram of the workflow of the network egress module in one or more implementation examples of the disclosure;
Fig. 3 is a schematic diagram of the workflow of the network ingress module in one or more implementation examples of the disclosure.
Specific embodiment
It should be noted that the following detailed description is illustrative and intended to provide further explanation of the disclosure. Unless otherwise indicated, all technical and scientific terms used herein have the same meaning as commonly understood by a person of ordinary skill in the technical field to which the disclosure belongs.
It should also be noted that the terminology used herein is only for describing specific embodiments and is not intended to limit the illustrative embodiments according to the disclosure. As used herein, unless the context clearly indicates otherwise, the singular form is also intended to include the plural form. It should further be understood that when the terms "comprising" and/or "including" are used in this specification, they indicate the presence of the stated features, steps, operations, devices, components and/or combinations thereof.
Examples of implementation one
The disclosed scheme is deployed in a distributed way and consists of three parts: a management system, an agent system and a user-side system. The management system is deployed on a dedicated server and implements user management, security authentication policy management and agent management; the agent system is deployed on the servers that hold protected resources, identifies the user to whom each packet belongs, and enforces access control according to the security authentication policy; the user-side system implements user login and injects user identity information when protected resources are accessed. This distributed deployment is transparent to enterprise applications. The disclosed scheme tracks the user's valid identity by injecting identity information into network packets, tracks the user's effective permissions on applications by analyzing policy lists at the network driver layer, and adapts resources for security by way of port protection.
This example discloses the overall design of the method for resource access control in a hybrid cloud environment: when a user accesses a business system, the user's valid identity information is injected at the source of the network packet (the user-side system); at the destination, the packet is intercepted and the user identity is parsed, and the association between the user and the accessed application defined in the second policy list determines whether the packet is passed or rejected.
In a specific implementation example, the method for resource access control in a hybrid cloud environment includes:
Step (1): when a user accesses a business system, the driver layer at the source of the network packet checks whether the accessed destination address and application port are the address and port of a resource server defined in the first policy list; if it is a legal access defined in the first policy list and the user is currently in the logged-in state, the driver layer injects the valid user identity information.
Step (2): when a user accesses a business system, the driver layer at the destination of the network packet checks whether the port of the accessed business system is defined in the second policy list and checks the legitimacy of the user identity, and passes or blocks the current packet according to the user's access permissions, the user's current status information and the access level of the business system recorded in the second policy list.
In a specific embodiment, a network packet is a packet based on the TCP/IP protocol that is generated when a user accesses a business system.
In a specific embodiment, a user's access permissions are the association between the user's information and the ports of the business systems that the user may access; the access permissions are recorded in the first policy list.
In a specific embodiment, the user's status information is whether the user is logged in or logged out: the number 0 represents the logged-out state and the number 1 the logged-in state. Only when the user is in the logged-in state may the driver layer at the packet source inject valid user identity information. The status information is recorded in the first policy list.
In a specific embodiment, the access level of a business system provides fine-grained control over users' access permissions so that emergencies can be handled, for example temporarily cutting off all users' access to a given business system. There are three access levels: level 0 means the policy list is not in effect and all users may access the business system; level 1 means the policy list is in effect and users access the business system with the permissions configured in the policy; level 2 means the policy list is not in effect and no user may access the business system. It should be stressed again that accessing a business system and logging in to it are two different access controls: the former is the subject of the embodiments of this disclosure, while the latter is the permission setting of the business system itself. The access level of a business system is recorded in the second policy list.
In a specific embodiment, the first policy list, usually a list data structure, stores the association between user information and the ports of the business systems that may be accessed, and stores whether the user is logged in or logged out.
In a specific embodiment, the second policy list, usually a list data structure, stores the association between user information and the ports of the business systems that may be accessed, stores whether the user is logged in or logged out, and stores the access level of the business system.
The first policy list and the second policy list must keep the valid user information consistent: whenever the event of injecting valid user identity information at the driver layer in step (1) occurs, the same valid identity information must be synchronized into the policy list of step (2).
In a specific embodiment, the valid user identity information is a 4-byte number that changes dynamically according to a certain time rule.
In a specific embodiment, the driver layer is the driver layer that can intercept raw network packets. On Windows systems, packets are generally intercepted with an NDIS filter driver; on Linux systems, they are generally intercepted with a network driver extension module.
In a specific embodiment, injecting valid user identity information at the driver layer means that, for a packet based on the TCP/IP protocol, the driver layer injects 8 bytes of information into the option field of the TCP header in the standard option data structure format: the first byte is the number 253, which denotes an experimental option type; the next byte is the total length of the structure, fixed at 8; the next two bytes are magic data, generally a custom value used to check validity, such as 0xEFEF; and the last four bytes are the valid user identity information. When the driver layer at the packet destination parses the TCP packet, if the TCP header contains an option of type 253 whose magic data is 0xEFEF, then the packet contains valid user identity information.
Referring to Fig. 2, in a specific embodiment, the driver layer's processing of a network packet in step (1) includes the following steps:
(1-1) Check whether the current packet is a TCP packet over IPv4; if so, go to step (1-2), otherwise go to step (1-8).
(1-2) Parse the destination IP address and destination port of the TCP packet.
(1-3) Check whether the current destination IP address and destination port are in the first policy list; if so, go to step (1-4), otherwise go to step (1-8).
(1-4) Check the state of the current user recorded in the first policy list; if the user is logged in, go to step (1-5), otherwise go to step (1-8).
(1-5) Inject the valid user identity information into the TCP option field.
(1-6) Recalculate the TCP and IP checksums.
(1-7) Send the packet carrying the injected user identity information, then return to (1-1) and continue.
(1-8) Send the original packet unchanged, then return to (1-1) and continue.
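The option format and the packet handling of steps (1-1), (1-2), (1-5), (1-6) and (2-6)/(2-7) above, as an added Python example that is not code from the patent: it encodes and parses the 8-byte kind-253 option and performs the source-side injection on a raw IPv4/TCP packet, recomputing the data offset, total length and both checksums. The packet builder, addresses and token value are constructed for the example; the parser treats a malformed option list as "no identity present", so the destination check fails closed.

```python
import struct
from typing import Optional, Tuple

# From the patent text: option kind 253 (experimental), length 8, magic 0xEFEF, 4-byte token.
OPT_KIND, OPT_LEN, MAGIC = 253, 8, 0xEFEF

def build_identity_option(token: int) -> bytes:
    """kind(1) | length(1) | magic(2) | token(4), big-endian."""
    if not 0 <= token <= 0xFFFFFFFF:
        raise ValueError("token must fit in 4 bytes")
    return struct.pack("!BBHI", OPT_KIND, OPT_LEN, MAGIC, token)

def find_identity_token(options: bytes) -> Optional[int]:
    """Steps (2-6)/(2-7): walk the TCP option list; return the token only for a
    kind-253, length-8 option with the right magic. Malformed lists yield None,
    so the destination check fails closed."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            break
        if kind == 1:                       # NOP padding
            i += 1
            continue
        if i + 1 >= len(options):
            return None                     # length byte missing
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            return None                     # malformed option
        if kind == OPT_KIND and length == OPT_LEN:
            magic, token = struct.unpack("!HI", options[i + 2:i + 8])
            if magic == MAGIC:
                return token
        i += length
    return None

def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (verifies to 0 over a valid header)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def _split(packet: bytes) -> Optional[Tuple[bytearray, bytearray, bytes]]:
    """Steps (1-1)/(2-1): accept only IPv4 packets carrying TCP."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 20:
        return None
    doff = (packet[ihl + 12] >> 4) * 4
    if doff < 20 or len(packet) < ihl + doff:
        return None
    return bytearray(packet[:ihl]), bytearray(packet[ihl:ihl + doff]), packet[ihl + doff:]

def _assemble(ip: bytearray, tcp: bytearray, payload: bytes) -> bytes:
    """Step (1-6): fix data offset, total length and both checksums."""
    tcp[12] = ((len(tcp) // 4) << 4) | (tcp[12] & 0x0F)
    tcp[16:18] = b"\x00\x00"
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    tcp[16:18] = struct.pack("!H", _checksum(bytes(pseudo + tcp + payload)))
    ip[2:4] = struct.pack("!H", len(ip) + len(tcp) + len(payload))
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", _checksum(bytes(ip)))
    return bytes(ip + tcp + payload)

def inject_identity(packet: bytes, token: int) -> bytes:
    """Step (1-5): append the identity option at the source. Packets that are not
    IPv4/TCP or whose TCP header has no room (60-byte max) pass unchanged (1-8)."""
    parts = _split(packet)
    if parts is None or len(parts[1]) + OPT_LEN > 60:
        return packet
    ip, tcp, payload = parts
    tcp += build_identity_option(token)     # 8 bytes keeps 32-bit alignment
    return _assemble(ip, tcp, payload)

def extract_identity(packet: bytes) -> Optional[int]:
    """Destination side: the token carried by the packet, or None."""
    parts = _split(packet)
    return None if parts is None else find_identity_token(bytes(parts[1][20:]))

def checksums_valid(packet: bytes) -> bool:
    """True when both the IP header and TCP checksums verify."""
    parts = _split(packet)
    if parts is None:
        return False
    ip, tcp, payload = parts
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp) + len(payload))
    return _checksum(bytes(ip)) == 0 and _checksum(bytes(pseudo + tcp + payload)) == 0

def build_packet(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Constructed sample input: a minimal IPv4/TCP SYN with no options."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 0, 0x1234, 0x4000, 64, 6, 0,
                               bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))))
    tcp = bytearray(struct.pack("!HHIIBBHHH", sport, dport, 1000, 0, 0x50, 0x02, 65535, 0, 0))
    return _assemble(ip, tcp, payload)
```

A kernel-side filter (NDIS or a Linux network driver module, as the text names) would do the same byte-level work on the packet buffer; the Python is only the reference behaviour.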
Referring to Fig. 3, in a specific embodiment, the driver layer's processing of a network packet in step (2) includes the following steps:
(2-1) Check whether the current packet is a TCP packet over IPv4; if so, go to step (2-2), otherwise go to step (2-10).
(2-2) Parse the destination port of the TCP packet.
(2-3) Check whether the current destination port is in the second policy list; if so, go to step (2-4), otherwise go to step (2-10).
(2-4) Check the access level of the business system recorded in the second policy list: if it is 0, go to step (2-10); if it is 1, go to step (2-5); if it is 2, go to step (2-11).
(2-5) Check the state of the current user recorded in the policy list; if the user is logged in, go to step (2-6), otherwise go to step (2-11).
(2-6) Check whether the TCP option field contains valid user identity information, for example whether the option data structure contains the magic number 0xEFEF; if so, go to step (2-7), otherwise go to step (2-11).
(2-7) Parse the valid user identity information.
(2-8) Check whether the parsed user identity information is consistent with the user identity information injected in step (1); if so, go to step (2-9), otherwise go to step (2-11).
(2-9) Check, according to the second policy list, whether the current user has permission to access the destination port; if so, go to step (2-10), otherwise go to step (2-11).
(2-10) Pass the packet, then return to (2-1) and continue.
(2-11) Block the packet, then return to (2-1) and continue.
Because the disclosed scheme injects information into the option field of the TCP protocol, the business system the user accesses must be based on TCP.
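The policy checks of steps (1-3), (1-4) and (2-3) to (2-9), as an added example that is not part of the patent. Both policy lists are modelled as plain dictionaries, the user behind a token is found through the entries synchronized from the first list (an assumption: the text does not say how the destination maps a token back to a user), and every decision returns the step that produced it so a defender can log why a packet was passed or blocked.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set, Tuple

LOGGED_OUT, LOGGED_IN = 0, 1                         # user status values from the text
LEVEL_OFF, LEVEL_ENFORCE, LEVEL_LOCKDOWN = 0, 1, 2   # access levels 0/1/2 of a business system

@dataclass
class FirstPolicyList:
    """Source side: per-user login state, permitted (ip, port) endpoints, current token."""
    status: Dict[str, int] = field(default_factory=dict)
    allowed: Dict[str, Set[Tuple[str, int]]] = field(default_factory=dict)
    token: Dict[str, int] = field(default_factory=dict)

@dataclass
class SecondPolicyList:
    """Destination side: per-port access level and permitted users, plus the
    synchronized login states and token -> user mapping (assumed representation)."""
    level: Dict[int, int] = field(default_factory=dict)
    allowed: Dict[int, Set[str]] = field(default_factory=dict)
    status: Dict[str, int] = field(default_factory=dict)
    user_by_token: Dict[int, str] = field(default_factory=dict)

def source_decision(fpl: FirstPolicyList, user: str, dst_ip: str, dst_port: int) -> Optional[int]:
    """Steps (1-3)/(1-4): the token to inject, or None when the packet goes out unchanged (1-8)."""
    if (dst_ip, dst_port) not in fpl.allowed.get(user, set()):
        return None                                  # not a protected endpoint for this user
    if fpl.status.get(user) != LOGGED_IN:
        return None                                  # only logged-in users carry a token
    return fpl.token.get(user)

def sync_identity(fpl: FirstPolicyList, spl: SecondPolicyList, user: str, token: int) -> None:
    """The consistency rule: a token issued at the source is mirrored into the second
    list with the user's login state, otherwise step (2-8) can never match. Rotating
    a user's token retires the previous one."""
    fpl.token[user] = token
    for old in [t for t, u in spl.user_by_token.items() if u == user]:
        del spl.user_by_token[old]
    spl.user_by_token[token] = user
    spl.status[user] = fpl.status.get(user, LOGGED_OUT)

def logout(fpl: FirstPolicyList, spl: SecondPolicyList, user: str) -> None:
    """Logging out must reach both lists; the user's token alone no longer opens the port."""
    fpl.status[user] = LOGGED_OUT
    spl.status[user] = LOGGED_OUT

def destination_decision(spl: SecondPolicyList, dst_port: int, token: Optional[int]) -> Tuple[bool, str]:
    """Steps (2-3) to (2-9). Returns (allow, reason); the reason is what a defender logs."""
    if dst_port not in spl.level:
        return True, "2-3: port %d not protected, pass" % dst_port
    level = spl.level[dst_port]
    if level == LEVEL_OFF:
        return True, "2-4: level 0, policy not in effect, pass"
    if level == LEVEL_LOCKDOWN:
        return False, "2-4: level 2, all access cut off, block"
    if token is None:
        return False, "2-6: no identity option, block"
    user = spl.user_by_token.get(token)              # 2-7/2-8: token must match a synced identity
    if user is None:
        return False, "2-8: token does not match any synced identity, block"
    if spl.status.get(user) != LOGGED_IN:
        return False, "2-5: user %s not logged in, block" % user
    if user not in spl.allowed.get(dst_port, set()):
        return False, "2-9: user %s not permitted on port %d, block" % (user, dst_port)
    return True, "2-9: user %s permitted on port %d, pass" % (user, dst_port)
```

The token itself comes from the previous example's `extract_identity` (or the driver's parser); this block only decides what to do with it.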
Implementation example two
This embodiment of the specification provides a system for resource access control in a hybrid cloud environment, which can control users' access to business systems at a macroscopic level and strengthen the security protection of enterprise business systems.
Another embodiment of this specification provides a system for resource access control in a hybrid cloud environment, realized by the following technical solution:
It includes:
A network egress module, configured to receive the instruction for a user to access a business system and inject the user's effective identity information at the source of the network packet;
A network entry module, configured to intercept the network packet at its destination and analyze the user identity, and to decide whether to let this network packet pass or refuse it according to the association between users and accessed applications defined in the policy list.
As a further technical solution of the disclosure, the network egress module receives the instruction for the user to access the business system and, in the driver layer at the source of the network packet, judges the business system the user is accessing: whether the information being accessed is the information of the server hosting the application of the business system defined in the first policy list; if it is a legal access defined in the first policy list and the user is currently in the logged-in state, it injects the user identity effective information in the driver layer at the source;
It further includes a user identity effective information synchronization module, configured to synchronously update the same user identity effective information into the second policy list after the user identity effective information has been injected in the driver layer at the source;
The network entry module is configured to judge, in the driver layer at the destination of the network packet, whether the information of the accessed business system is defined in the second policy list and whether the user identity is legitimate, and to let the current network packet pass or block it according to the control information recorded in the second policy list.
It should be noted that although several modules or sub-modules of the device are mentioned in the detailed description above, this division is merely exemplary and not mandatory. In fact, according to embodiments of the disclosure, the features and functions of two or more modules described above can be embodied in one module. Conversely, the features and functions of one module described above can be further divided and embodied by multiple modules.
In this implementation example, the specific implementation of the modules of the system for resource access control in a hybrid cloud environment refers to implementation example one and is not described in detail here.
Implementation example three
This embodiment of the specification provides an IAM system, which can control users' access to business systems at a macroscopic level and strengthen the security protection of enterprise business systems.
Another embodiment of this specification provides an IAM system, realized by the following technical solution:
The system comprises an IAM system server, an information input unit and a display unit; the information input unit is used to input the instruction for a user to access a business system, and the display unit is used to show the relevant information after processing by the IAM system server;
The IAM system server is configured to execute the following process:
Receive the instruction for the user to access the business system and, in the driver layer at the source of the network packet, judge the business system the user is accessing: whether the information being accessed is the information of the server hosting the application of the business system defined in the first policy list; if it is a legal access defined in the first policy list and the user is currently in the logged-in state, inject the user identity effective information in the driver layer at the source;
After the user identity effective information has been injected in the driver layer at the source, synchronously update the same user identity effective information into the second policy list;
In the driver layer at the destination of the network packet, judge whether the information of the accessed business system is defined in the second policy list and whether the user identity is legitimate, and let the current network packet pass or block it according to the control information recorded in the second policy list.
Implementation example four
The fourth purpose of this embodiment of the specification is to provide a computer device, which can control users' access to business systems at a macroscopic level and strengthen the security protection of enterprise business systems.
This embodiment of the specification provides a computer device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, characterized in that the processor, when executing the program, implements the steps of the method for resource access control in a hybrid cloud environment.
In this implementation example, the steps of the method for resource access control in a hybrid cloud environment refer to implementation example one and are not described in detail here.
Implementation example five
The fifth purpose of this embodiment of the specification is to provide a computer-readable storage medium, which can control users' access to business systems at a macroscopic level and strengthen the security protection of enterprise business systems.
This embodiment of the specification provides a computer-readable storage medium on which a computer program is stored, characterized in that, when the program is executed by a processor, it implements the steps of the method for resource access control in a hybrid cloud environment.
In this implementation example, the steps of the method for resource access control in a hybrid cloud environment refer to implementation example one and are not described in detail here.
In this embodiment, the computer program product may include a computer-readable storage medium carrying computer-readable program instructions for performing various aspects of the disclosure. The computer-readable storage medium may be a tangible device that can hold and store instructions used by an instruction execution device. The computer-readable storage medium may be, for example, but is not limited to, an electrical storage device, a magnetic storage device, an optical storage device, an electromagnetic storage device, a semiconductor storage device, or any suitable combination of the above.
It is understood that in the description of this specification, reference to the terms "embodiment", "another embodiment", "other embodiments", "first embodiment to Nth embodiment" and the like means that a specific feature, structure, material or characteristic described in connection with that embodiment or example is included in at least one embodiment or example of the invention. In this specification, schematic representations of the above terms do not necessarily refer to the same embodiment or example. Moreover, the specific features, structures, materials or characteristics described can be combined in any suitable manner in any one or more embodiments or examples.
The above are merely preferred embodiments of the disclosure and are not intended to limit the disclosure; for those skilled in the art, the disclosure may have various modifications and variations. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the disclosure shall be included within the protection scope of the disclosure.

Claims (10)

1. A method for resource access control in a hybrid cloud environment, characterized in that it comprises:
receiving the instruction for a user to access a business system, and injecting the user's effective identity information at the source of the network packet;
intercepting the network packet at its destination and analyzing the user identity, and deciding whether to let this network packet pass or refuse it according to the association between users and accessed applications defined in the policy list.
2. The method for resource access control in a hybrid cloud environment according to claim 1, characterized in that the instruction for the user to access the business system is received and, in the driver layer at the source of the network packet, the business system the user is accessing is judged: whether the information being accessed is the information of the server hosting the application of the business system defined in the first policy list; if it is a legal access defined in the first policy list and the user is currently in the logged-in state, the user identity effective information is injected in the driver layer at the source.
3. The method for resource access control in a hybrid cloud environment according to claim 2, characterized in that after the user identity effective information has been injected in the driver layer at the source, the same user identity effective information is synchronously updated into the second policy list;
in the driver layer at the destination of the network packet, it is judged whether the information of the accessed business system is defined in the second policy list and whether the user identity is legitimate, and the current network packet is let pass or blocked according to the control information recorded in the second policy list.
4. The method for resource access control in a hybrid cloud environment according to claim 1, characterized in that when the driver layer at the source makes its judgement, the information judged is whether the accessed destination address and application port are consistent with the address and port of the server hosting the application defined in the first policy list.
5. The method for resource access control in a hybrid cloud environment according to claim 3, characterized in that when the driver layer at the source makes its judgement, the second policy list records the user's access authority, the user's current status information, and the access level of the business system.
6. A system for resource access control in a hybrid cloud environment, characterized in that it comprises:
a network egress module, configured to receive the instruction for a user to access a business system and inject the user's effective identity information at the source of the network packet;
a network entry module, configured to intercept the network packet at its destination and analyze the user identity, and to decide whether to let this network packet pass or refuse it according to the association between users and accessed applications defined in the policy list.
7. The system for resource access control in a hybrid cloud environment according to claim 6, characterized in that the network egress module receives the instruction for the user to access the business system and, in the driver layer at the source of the network packet, judges the business system the user is accessing: whether the information being accessed is the information of the server hosting the application of the business system defined in the first policy list; if it is a legal access defined in the first policy list and the user is currently in the logged-in state, it injects the user identity effective information in the driver layer at the source;
further, the system also includes a user identity effective information synchronization module, configured to synchronously update the same user identity effective information into the second policy list after the user identity effective information has been injected in the driver layer at the source;
further, the network entry module is configured to judge, in the driver layer at the destination of the network packet, whether the information of the accessed business system is defined in the second policy list and whether the user identity is legitimate, and to let the current network packet pass or block it according to the control information recorded in the second policy list.
8. An IAM system, characterized in that the system comprises an IAM system server, an information input unit and a display unit; the information input unit is used to input the instruction for a user to access a business system, and the display unit is used to show the relevant information after processing by the IAM system server;
wherein the IAM system server is configured to execute the following process:
receive the instruction for the user to access the business system and, in the driver layer at the source of the network packet, judge the business system the user is accessing: whether the information being accessed is the information of the server hosting the application of the business system defined in the first policy list; if it is a legal access defined in the first policy list and the user is currently in the logged-in state, inject the user identity effective information in the driver layer at the source;
after the user identity effective information has been injected in the driver layer at the source, synchronously update the same user identity effective information into the second policy list;
in the driver layer at the destination of the network packet, judge whether the information of the accessed business system is defined in the second policy list and whether the user identity is legitimate, and let the current network packet pass or block it according to the control information recorded in the second policy list. The above process is non-intrusive to the user system and requires no modification of the user system.
9. A computer device comprising a memory, a processor, and a computer program stored in the memory and runnable on the processor, characterized in that the processor, when executing the program, implements the steps of the method for resource access control in a hybrid cloud environment according to any one of claims 1 to 5.
10. A computer-readable storage medium on which a computer program is stored, characterized in that, when the program is executed by a processor, it implements the steps of the method for resource access control in a hybrid cloud environment according to any one of claims 1 to 5.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910286462.7A CN110012016B (en) 2019-04-10 2019-04-10 Method and system for controlling resource access in hybrid cloud environment


Publications (2)

Publication Number Publication Date
CN110012016A true CN110012016A (en) 2019-07-12
CN110012016B CN110012016B (en) 2021-04-27

Family

ID=67170889



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant