CN110012016B - Method and system for controlling resource access in hybrid cloud environment - Google Patents


Info

Publication number: CN110012016B
Application number: CN201910286462.7A
Authority: CN (China)
Prior art keywords: user, information, data packet, service system, network data
Legal status: Active (status as listed by Google Patents; not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN110012016A
Inventors: 高寿柏, 仲茜
Current assignee: Shandong Shichuang Yun Service Co ltd (as listed by Google Patents)
Original assignee: Shandong Shichuang Yun Service Co ltd
Application filed by Shandong Shichuang Yun Service Co ltd
Priority to CN201910286462.7A
Publication of CN110012016A
Application granted
Publication of CN110012016B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/101 Access control lists [ACL]
    • H04L63/105 Multiple levels of security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Abstract

The disclosure provides a resource access control method and system for a hybrid cloud environment. The method receives an instruction from a user to access a service system and injects valid identity information of the user at the source end of the network data packet; at the destination end it intercepts the network data packet, parses the user identity, and decides whether to pass or reject the packet according to the association between the user and the accessed application defined in the policy list. With this scheme, access control is implemented at the network driver layer, and security protection of the enterprise business system is strengthened.

Description

Method and system for controlling resource access in hybrid cloud environment
Technical Field
The disclosure relates to the technical field of information data processing, and in particular relates to a method and a system for resource access control in a hybrid cloud environment.
Background
With the increasing maturity and wide application of cloud computing technology, its advantages in cost, performance, reliability, scalability and the like are increasingly prominent, and business units and enterprises gradually migrate their business systems from traditional data centers to hybrid cloud environments. The hybrid cloud combines the public cloud and the private cloud, overcomes the inherent shortcomings of each, and is the main mode and the development direction of cloud computing. In a hybrid cloud environment, information resources are mostly provided to users in the form of hardware facilities, software systems, data and the like; taking security, cost, performance and other factors into account, core systems and data are generally deployed to the private cloud, and other systems and data to the public cloud. To ensure that only legitimate users can access authorized resources, and to improve the security and manageability of access to the information resources of the hybrid cloud, identity authentication and resource access in the private cloud and the public cloud must be managed and controlled in a unified way. The objects under control include not only hardware resources such as physical hosts, but also virtual resources such as virtual hosts, and software resources such as application systems.
In a hybrid cloud environment, the operator of the cloud is usually a professional cloud service organization, while business entities and enterprises are only users of cloud resources: they obtain hardware resources in the hybrid cloud by renting, hosting and the like, and deploy their systems and data to the cloud. These features make the hybrid cloud very different from the traditional private data center in terms of resource management and usage patterns. The manager (the cloud service organization) and the user (the lessee of hardware or virtual resources and deployer of software systems and data) of resources in the hybrid cloud environment are usually different entities, whereas in a traditional data center the manager and the user are usually the same. Correspondingly, resource access control in the hybrid cloud environment also differs greatly from that of the traditional data center. In the traditional data center mode, resource access control is implemented by the resource manager alone; in the hybrid cloud environment it is implemented by the resource manager and the user together, where the former is responsible for deploying, operating and maintaining the security authentication platform and for configuring and maintaining the overall security authentication and access control policy, and the latter is responsible for configuring and maintaining the resource security authentication and access control policy related to its own organization.
The diversity of the controlled resources and the complexity of the resource modes in the hybrid cloud environment mean that the access control mode must address not only the network parameters of the data packets (such as IP addresses and ports) but also the specific resources being accessed and the users accessing them. The former is referred to as network-level access control and the latter as user-level access control; the latter is obviously the higher-level access control mode. The key problem in achieving user-level access control is identifying the user to which a packet belongs. An intuitive idea is to use the IP address from which the user logged in to the authentication system, but in practice, because of the limited number of IPv4 addresses, it is impossible to assign a globally unique IPv4 address to every terminal device on the Internet. Network address translation (NAT) is usually adopted to solve the shortage of IP addresses: it converts between the local area network address and the public network address (usually an Internet address) of a data packet at the network egress, so that all packets of the same local area network correspond to a single public address regardless of their internal addresses. Therefore the user cannot be identified by the IP address alone.
The inventor finds in actual work that, from a technical perspective, implementing resource access control for a data center mainly involves two types of technical solution: one adopts traditional network security technologies such as network firewalls and Virtual Private Networks (VPN); the other is called an Identity and Access Management (IAM) system, which is dedicated to identity authentication and access control. The network firewall works mainly at the network layer, can only handle network-level access control and cannot meet user-level access control. VPN technology has a certain user-level access control capability, but data must be encrypted in transit, and all data packets must be encrypted and decrypted by the VPN server, which also identifies the owning user, unpacks and reassembles the packets and enforces the access control policy; this easily forms a performance bottleneck and affects user experience. The IAM system is developed specifically for user authentication and user-level access control, and has functions such as single sign-on, authentication management, user authorization and security audit. However, the existing IAM system is usually deployed only for the private data center of a single enterprise, in an intrusive manner: the user's existing systems must be modified so that their user authentication is handed over to the IAM server, so deployment and maintenance are difficult, cost is high and flexibility is poor. The existing IAM system is therefore only suitable for the traditional private data center of a large enterprise and is difficult to apply to a hybrid cloud environment.
As can be seen from the above description, the main problems faced by resource access control in a hybrid cloud environment are:
(1) How to effectively identify the user to which a data packet belongs, both in an intranet environment and in a public network environment.
(2) How to track the permissions of users when accessing resources.
(3) How to securely adapt resources in a non-intrusive manner.
Disclosure of Invention
One of the purposes of the embodiments of the present specification is to provide a method for controlling resource access in a hybrid cloud environment, which can macroscopically control access of a user to a business system, and enhance security protection of an enterprise business system.
The embodiment of the specification provides a method for controlling resource access in a hybrid cloud environment, which is realized by the following technical scheme:
the method comprises the following steps:
receiving an instruction of a service system accessed by a user, and injecting effective identity information of the user at a source end of a network data packet;
and intercepting the network data packet at the destination end of the network data packet, parsing the identity of the user, and judging whether to pass or reject the network data packet according to the association between the user and the accessed application defined in the policy list.
As a further implementation example, an instruction of a service system accessed by a user is received, and the driver layer at the source end of the network packet judges the service system accessed by the user: whether the accessed information is the information of the server where the application of the service system is located, as defined in the first policy list; if the access is legal access defined in the first policy list and the user is currently in the login state, valid information of the user identity is injected at the driver layer of the source end.
Further, after the driver layer of the source end injects the valid information of the user identity, the same user identity valid information is synchronously updated to a second policy list;
further, the driver layer at the destination end of the network data packet judges whether the information of the accessed service system is defined in the second policy list and judges the validity of the user identity, and the current network data packet is released or blocked according to the control information recorded in the second policy list.
Another purpose of the embodiments of this specification is to provide a system for controlling resource access in a hybrid cloud environment, which can macroscopically control access of a user to a business system, and enhance security protection for an enterprise business system.
Another embodiment of the present specification provides a system for resource access control in a hybrid cloud environment, which is implemented by the following technical solutions:
the system comprises the following modules:
a network egress module configured to: receiving an instruction of a service system accessed by a user, and injecting effective identity information of the user at a source end of a network data packet;
a network entry module configured to: intercept the network data packet at the destination end of the network data packet, parse the identity of the user, and judge whether to pass or reject the network data packet according to the association between the user and the accessed application defined in the policy list.
As a further technical solution of the present disclosure, the network egress module receives an instruction of a service system accessed by a user, and determines, at the driver layer of the source end of the network data packet, the service system accessed by the user: whether the accessed information is the information of the server where the application of the service system is located, as defined in the first policy list; if the access is legal access defined in the first policy list and the user is currently in the login state, valid information of the user identity is injected at the driver layer of the source end;
further, the system also comprises a user identity valid information synchronization module configured to: after the driver layer of the source end injects the valid information of the user identity, synchronously update the same user identity valid information to a second policy list;
further, the network entry module is configured to: judge, at the driver layer of the destination end of the network data packet, whether the information of the accessed service system is defined in the second policy list and whether the user identity is legal, and release or block the current network data packet according to the control information recorded in the second policy list.
It is a third object of embodiments of the present disclosure to provide an IAM system, which can control access of users to a business system macroscopically, and enhance security protection for an enterprise business system.
Another embodiment of the present disclosure provides an IAM system, which is implemented by the following technical solutions:
the system comprises an IAM system server, an information input unit and a display unit, wherein the information input unit is used for inputting an instruction of a user for accessing the service system, and the display unit is used for displaying the related information processed by the IAM system server;
wherein the IAM system server is configured to perform the following process:
receiving the instruction of the service system accessed by the user, and judging the service system accessed by the user at the driver layer of the source end of the network data packet: whether the accessed information is the information of the server where the application of the service system is located, as defined in the first policy list; if the access is legal access defined in the first policy list and the user is currently in the login state, injecting valid information of the user identity at the driver layer of the source end;
after the driver layer of the source end injects the valid information of the user identity, synchronously updating the same user identity valid information to a second policy list;
and judging, at the driver layer of the destination end of the network data packet, whether the information of the accessed service system is defined in the second policy list and whether the user identity is legal, and releasing or blocking the current network data packet according to the control information recorded in the second policy list. Unlike conventional IAM systems, the above process is non-intrusive to the user's system and does not require any modification of it.
It is a fourth object of embodiments of the present specification to provide a computer device that enhances security protection for enterprise business systems by enabling macroscopically controlled user access to the business systems.
The computer device comprises a memory, a processor and a computer program which is stored on the memory and can run on the processor, and is characterized in that the processor executes the program to realize the steps of the method for controlling the resource access in the hybrid cloud environment.
It is a fifth object of the embodiments of the present disclosure to provide a computer-readable storage medium, which can macroscopically control the access of a user to a business system, thereby enhancing the security protection of an enterprise business system.
The present specification embodiments provide a computer readable storage medium having a computer program stored thereon, wherein the program, when executed by a processor, performs the steps of a method for resource access control in a hybrid cloud environment.
The technical scheme of the disclosure does not require the construction of a complex network environment, is transparent to the enterprise's business system, and does not require adding a security interface to the business system. The scheme is suitable for operation management in a hybrid cloud environment and can control the access of users to service systems at a macroscopic level. On the basis of the implementation described here, technical support can be provided for investigation and evidence gathering when a service system suffers an attack, for auditing users' operations on service system access, and for data analysis and mining such as users' preferences among service systems.
Compared with the prior art, the beneficial effects of this disclosure are:
The technical scheme tracks the valid identity of the user by injecting identity identification information into the network data packet, tracks the user's effective authority to access an application by analyzing the policy list at the network driver layer, and performs security adaptation of resources through port protection.
The method corresponding to the technical scheme does not require the construction of a complex network environment and does not require intrusive changes to the enterprise's business interfaces.
According to the technical scheme, access control is implemented at the network driver layer and security protection of the enterprise service system is strengthened: an intruder must first get through the network driver layer before reaching the service system, and only then can the service system's own security mechanism be attacked. This is equivalent to adding a further lock on top of the original business system's security lock.
The technical scheme can provide technical support for investigation and evidence gathering after an attack on the business system, for auditing users' operations on business system access, and for analysis such as users' preferences among business systems.
Drawings
The accompanying drawings, which are included to provide a further understanding of the disclosure, illustrate embodiments of the disclosure and together with the description serve to explain the disclosure and are not to limit the disclosure.
FIG. 1 is a schematic block diagram illustrating the flow of one or more embodiments of the present disclosure;
FIG. 2 is a schematic diagram of a network egress module workflow in accordance with one or more embodiments of the present disclosure;
FIG. 3 is a schematic diagram illustrating a network entry module workflow in accordance with one or more embodiments of the present disclosure.
Detailed Description
It should be noted that the following detailed description is exemplary and is intended to provide further explanation of the disclosure. Unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
It is noted that the terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments according to the present disclosure. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, and it should be understood that when the terms "comprises" and/or "comprising" are used in this specification, they specify the presence of stated features, steps, operations, devices, components, and/or combinations thereof, unless the context clearly indicates otherwise.
Implementation Example 1
The technical scheme of the disclosure adopts a distributed deployment mode comprising a management end system, an agent end system and a user end system. The management end system is deployed on a dedicated server and implements user management, security authentication policy management, agent end management and the like; the agent end system is deployed on the server holding the protected resources and is used to identify the user to which a data packet belongs and to enforce access control according to the security authentication policy; the user end system implements user login and injects user identity identification information when protected resources are accessed. This distributed deployment is transparent to the enterprise's applications: the valid identity of the user is tracked by injecting identity identification information into the network data packet, the user's effective authority to access an application is tracked by analyzing the policy list at the network driver layer, and resources are securely adapted through port protection.
This implementation example discloses a method for controlling resource access in a hybrid cloud environment, the overall technical concept of which is as follows: when a user accesses a service system, valid identity information of the user is injected at the source end (the user end system) of the network data packet; at the destination end the network packet is intercepted and the user identity is parsed, and the packet is released or rejected according to the association between the user and the accessed application defined in the second policy list.
In a specific embodiment, a method for controlling resource access in a hybrid cloud environment is disclosed, which includes:
step (1): when a user accesses a service system, a driving layer at a source end of a network data packet judges whether an accessed destination address and an application port are the address and the port of a server where resources defined in a first policy list are located, if the accessed destination address and the application port are legal accesses defined in the first policy list and the user is currently in a login state, effective information of the user identity is injected into the driving layer.
Step (2): when the user accesses the service system, the driver layer at the destination end of the network data packet judges whether the port of the accessed service system is defined in the second policy list and judges the legality of the user identity, and the current network data packet is released or blocked according to the access authority of the user, the current state information of the user and the access level of the service system recorded in the second policy list.
In a specific implementation example, the network packet refers to a TCP/IP protocol-based packet generated when a user accesses a service system.
In a specific implementation example, the access right of the user refers to an association relationship between the user information and a port of the accessible service system, and the access right is recorded in the first policy list.
In a specific implementation example, the state information of the user refers to whether the user is logged in or logged out, where the number 0 represents the logout state and the number 1 represents the login state; only when the user is in the login state does the driver layer at the source end of the network packet inject the valid information of the user identity. The state information is recorded in the first policy list.
In a specific implementation example, the access level of the service system provides coarse control over users' access rights to handle an emergency for a special event, such as temporarily cutting off all users' access to a certain service system. The access level is divided into three levels: level 0 indicates that the policy list is not in effect and all users can access the service system; level 1 indicates that the policy list is in effect and users access the service system according to the authority configured in the policy; level 2 indicates that the policy list is not in effect and no user can access the business system. Note that accessing the service system and logging in to the service system are two different access controls: the former is the subject of this disclosure, and the latter is the authority setting of the service system itself. The access level of the business system is recorded in the second policy list.
In a specific implementation example, the first policy list generally stores, in a form of a data structure list, an association relationship between user information and a port of the accessible service system, and a state of user login or logout.
In a specific implementation example, the second policy list generally stores, in a data structure list, an association relationship between the user information and a port of the service system that can be accessed, a state of user login or logout, and an access level of the service system.
The first policy list and the second policy list must keep the user valid information consistent: whenever the driver layer injects user identity valid information in step (1), the same user identity valid information must be synchronously updated into the second policy list used in step (2).
In a specific embodiment, the valid information of the user identity refers to a number with a length of 4 bytes, and the number dynamically changes according to a certain time rule.
In a specific embodiment, the driver layer is a driver layer capable of intercepting an original network data packet, and generally intercepts the network data packet by using an NDIS network filter driver for a Windows system, and generally intercepts the network data packet by using a network driver extension module for a Linux system.
In a specific implementation example, the valid information of the user identity injected by the driver layer is, for a TCP/IP-based data packet, an 8-byte structure placed in the TCP options according to the standard option format: the first byte is the number 253, denoting the experimental option type; the second byte is the total length of the structure, fixed at 8; the next two bytes are magic data, a custom number used to check the validity of the data, usually 0xEFEF; and the final four bytes carry the valid information of the user identity. When the driver layer at the destination end parses the TCP packet, an option of type 253 whose magic data is 0xEFEF indicates that the packet carries user identity valid information.
Referring to fig. 2, in a specific implementation example, the processing of the network packet by the driver layer in step (1) includes the following steps:
(1-1) Judge whether the current network data packet is an IPv4-based TCP packet; if so, go to step (1-2), otherwise go to step (1-8).
(1-2) Parse the destination IP and destination port of the TCP packet.
(1-3) Judge whether the current destination IP and destination port are in the first policy list; if so, go to step (1-4), otherwise go to step (1-8).
(1-4) Judge the state of the current user recorded in the first policy list; if the user is in the login state, go to step (1-5), and if the user is in the logout state, go to step (1-8).
(1-5) Inject the valid information of the user identity into the TCP options.
(1-6) Recalculate the TCP and IP checksums.
(1-7) Send the network packet with the user identity valid information injected, then return to (1-1) to continue.
(1-8) Send the original network packet, then return to (1-1) to continue.
Referring to fig. 3, in a specific implementation example, the processing of the network packet by the driver layer in step (2) includes the following steps:
(2-1) Judge whether the current network data packet is an IPv4-based TCP packet; if so, go to step (2-2), otherwise go to step (2-10).
(2-2) Parse the destination port of the TCP packet.
(2-3) Judge whether the current destination port is in the second policy list; if so, go to step (2-4), otherwise go to step (2-10).
(2-4) Judge the access level of the business system recorded in the second policy list: if the access level is 0, go to step (2-10); if it is 1, go to step (2-5); if it is 2, go to step (2-11).
(2-5) Judge the state of the current user recorded in the policy list; if the user is in the login state, go to step (2-6), and if the user is in the logout state, go to step (2-11).
(2-6) Judge whether the TCP options contain valid information of the user identity, for example whether the option data structure contains the magic number 0xEFEF; if so, go to step (2-7), otherwise go to step (2-11).
(2-7) Parse the valid information of the user identity.
(2-8) Judge whether the parsed user identity valid information is consistent with the user identity valid information injected in step (1); if so, go to step (2-9), otherwise go to step (2-11).
(2-9) Judge, according to the second policy list, whether the current user has the right to access the destination port; if so, go to step (2-10), otherwise go to step (2-11).
(2-10) Release the data packet, then return to (2-1) to continue.
(2-11) Block the data packet, then return to (2-1) to continue.
The technical scheme of the disclosure relates to the injection of information in option options of a TCP protocol, so that a service system accessed by a user is required to be based on the TCP protocol.
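As an added illustration, not code from the patent or its assignee, the following Python models the option layout described above together with the egress procedure of fig. 2 and the ingress procedure of fig. 3. The policy lists, the IP addresses, the port numbers and the 4-byte token value are constructed; the patent leaves the token's time-based derivation and the channel that synchronizes the two policy lists unspecified, so both are taken as given here. Two checks the text only implies are made explicit: the option walker stops at a truncated or malformed length instead of reading past the buffer, and because kind 253 is the shared experimental option kind (RFC 4727), the magic number is the only thing distinguishing this option from other experimental uses, so a token that does not match the second policy list is still blocked even when the magic number matches.

```python
"""Added example, not the patent's own code: the 8-byte kind-253 TCP option the
text describes, the source-end injection with checksum recompute (fig. 2) and the
destination-end pass/block decision (fig. 3). Policy data, tokens, addresses and
ports are constructed assumptions."""
import struct

KIND_EXP, OPT_LEN, MAGIC = 253, 8, 0xEFEF   # experimental option kind, total length, magic

def build_identity_option(token):
    """kind(1) | length(1) | magic(2) | 4-byte identity token, network byte order."""
    return struct.pack("!BBHI", KIND_EXP, OPT_LEN, MAGIC, token & 0xFFFFFFFF)

def find_identity_token(options):
    """Walk the TCP options area; return the token only for kind 253, length 8
    and the expected magic (steps 2-6/2-7). Other uses of kind 253 are ignored."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # End of option list
            return None
        if kind == 1:                       # NOP is a single byte
            i += 1
            continue
        if i + 1 >= len(options) or options[i + 1] < 2 or i + options[i + 1] > len(options):
            return None                     # truncated or malformed: trust nothing after it
        length = options[i + 1]
        if kind == KIND_EXP and length == OPT_LEN:
            magic, token = struct.unpack("!HI", options[i + 2:i + 8])
            if magic == MAGIC:
                return token
        i += length
    return None

def checksum(data):
    """RFC 1071 one's-complement checksum; a correctly checksummed buffer yields 0."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def parse_ipv4_tcp(packet):
    """Return (dst_ip, dst_port, options) or None if not IPv4/TCP (steps 1-1, 2-1)."""
    if len(packet) < 40 or packet[0] >> 4 != 4 or packet[9] != 6:
        return None
    tcp = packet[(packet[0] & 0x0F) * 4:]
    doff = (tcp[12] >> 4) * 4
    return ".".join(map(str, packet[16:20])), struct.unpack("!H", tcp[2:4])[0], tcp[20:doff]

def inject_identity(packet, token):
    """Insert the option behind the TCP header, fix data offset, recompute checksums (1-5, 1-6)."""
    ihl = (packet[0] & 0x0F) * 4
    ip, tcp = bytearray(packet[:ihl]), bytearray(packet[ihl:])
    doff = (tcp[12] >> 4) * 4
    if doff + OPT_LEN > 60:                 # 4-bit data offset: header cannot grow further
        return packet
    tcp[doff:doff] = build_identity_option(token)
    tcp[12] = ((doff + OPT_LEN) // 4) << 4 | (tcp[12] & 0x0F)
    tcp[16:18] = b"\x00\x00"
    tcp[16:18] = struct.pack("!H", checksum(ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp)) + tcp))
    ip[2:4], ip[10:12] = struct.pack("!H", ihl + len(tcp)), b"\x00\x00"
    ip[10:12] = struct.pack("!H", checksum(ip))
    return bytes(ip + tcp)

def checksums_ok(packet):
    """True when the IP header and the TCP segment (with pseudo-header) both verify."""
    ihl = (packet[0] & 0x0F) * 4
    pseudo = packet[12:20] + struct.pack("!BBH", 0, 6, len(packet) - ihl)
    return checksum(packet[:ihl]) == 0 and checksum(pseudo + packet[ihl:]) == 0

def egress(packet, first_policy, user):
    """Source-end driver (fig. 2): first_policy["services"] is the set of (ip, port)
    pairs of protected servers; user carries the login state and the current token."""
    hdr = parse_ipv4_tcp(packet)
    if hdr is None or (hdr[0], hdr[1]) not in first_policy["services"] or not user["logged_in"]:
        return packet                       # 1-1 .. 1-4 not satisfied: send the original (1-8)
    return inject_identity(packet, user["token"])   # 1-5 .. 1-7

def ingress(packet, second_policy):
    """Destination-end driver (fig. 3): second_policy = {"levels": {port: 0|1|2},
    "users": {token: {"logged_in": bool, "ports": set}}}, synchronized from step (1)."""
    hdr = parse_ipv4_tcp(packet)
    if hdr is None:
        return "PASS"                       # 2-1: not IPv4/TCP, not governed here (2-10)
    _, port, options = hdr
    level = second_policy["levels"].get(port)
    if level is None or level == 0:
        return "PASS"                       # 2-3 / 2-4: port not listed, or level 0
    if level == 2:
        return "BLOCK"                      # 2-4: level 2 denies everyone
    user = second_policy["users"].get(find_identity_token(options))   # 2-6 .. 2-8
    if user is None or not user["logged_in"]:
        return "BLOCK"                      # no token consistent with step (1), or logged out (2-5)
    return "PASS" if port in user["ports"] else "BLOCK"   # 2-9

def make_packet(dst_ip, dst_port, payload=b"GET /"):
    """Constructed IPv4/TCP sample input from 10.0.0.5 (checksums left zero)."""
    tcp = struct.pack("!HHIIBBHHH", 40000, dst_port, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0x4000, 64, 6, 0,
                       bytes([10, 0, 0, 5]), bytes(map(int, dst_ip.split(".")))) + tcp
```

The egress side keys its decision on the (destination IP, destination port) pair and the login state, exactly as steps (1-3) and (1-4) require, and only then pays for the header rewrite; the ingress side resolves the user from the token it finds in the options, so a packet that carries no option, carries another experimental option, or carries a token the second policy list does not know is blocked at the same point. Because the token is a plain 4-byte value in the clear, anyone on the path who can read it can replay it until it rotates, which is why the patent insists on time-based change and on keeping both policy lists in sync.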
Example II
This embodiment of the specification provides a resource access control system for a hybrid cloud environment that can control user access to business systems at a macroscopic level and strengthen the security protection of enterprise business systems.
Another embodiment of the present specification provides a system for resource access control in a hybrid cloud environment, implemented by the following technical solution:
the system comprises:
a network egress module configured to: receive an instruction for a user to access a business system, and inject the user's valid identity information at the source end of the network packet;
a network ingress module configured to: intercept the network packet at its destination end, parse the user identity, and decide whether to pass or reject the network packet according to the association between the user and the accessed application defined in the policy list.
As a further technical solution of the present disclosure, the network egress module receives the instruction for a user to access a business system and determines, at the driver layer of the source end of the network packet, whether the accessed business system, that is, the server hosting the business system's application, is defined in the first policy list; if the access is legitimate access defined in the first policy list and the user is currently logged in, the driver layer of the source end injects the valid user identity information;
the system further comprises a user identity information synchronization module configured to: after the driver layer of the source end injects the valid user identity information, synchronously update the same user identity information to the second policy list;
and the network ingress module is configured to: determine, at the driver layer of the destination end of the network packet, whether the accessed business system is defined in the second policy list and whether the user identity is legitimate, and pass or block the current network packet according to the control information recorded in the second policy list.
It should be noted that although several modules or sub-modules of the device are mentioned in the above detailed description, such division is merely exemplary and not mandatory. Indeed, according to embodiments of the present disclosure, the features and functions of two or more of the modules described above may be embodied in one module. Conversely, the features and functions of one module described above may be further divided among a plurality of modules.
In this embodiment, the specific implementation of the modules of the resource access control system for the hybrid cloud environment is as described in the first embodiment and is not repeated here.
Example III
This embodiment of the specification provides an IAM system that can control user access to business systems at a macroscopic level, thereby enhancing the security protection of enterprise business systems.
Another embodiment of the present disclosure provides an IAM system, implemented by the following technical solution:
the system comprises an IAM server, an information input unit and a display unit, wherein the information input unit is used to input the user's instruction to access a business system, and the display unit is used to display the related information processed by the IAM server;
wherein the IAM server is configured to perform the following process:
receive the instruction for a user to access a business system and determine, at the driver layer of the source end of the network packet, whether the accessed business system, that is, the server hosting the business system's application, is defined in the first policy list; if the access is legitimate access defined in the first policy list and the user is currently logged in, inject the valid user identity information at the driver layer of the source end;
after the driver layer of the source end injects the valid user identity information, synchronously update the same user identity information to the second policy list;
and determine, at the driver layer of the destination end of the network packet, whether the accessed business system is defined in the second policy list and whether the user identity is legitimate, and pass or block the current network packet according to the control information recorded in the second policy list.
Example IV
A fourth object of the embodiments of the present specification is to provide a computer device that enhances the security protection of enterprise business systems by controlling user access to those systems at a macroscopic level.
The computer device comprises a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the method for resource access control in a hybrid cloud environment.
In this embodiment, the steps of the method for resource access control in a hybrid cloud environment are as described in embodiment one and are not repeated here.
Example V
A fifth object of the embodiments of the present disclosure is to provide a computer-readable storage medium that can control user access to business systems at a macroscopic level, thereby enhancing the security protection of enterprise business systems.
The embodiments of the present specification provide a computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, performs the steps of the method for resource access control in a hybrid cloud environment.
In this embodiment, the steps of the method for resource access control in a hybrid cloud environment are as described in embodiment one and are not repeated here.
In the present embodiments, a computer program product may include a computer-readable storage medium having computer-readable program instructions embodied thereon for performing various aspects of the present disclosure. The computer readable storage medium may be a tangible device that can hold and store the instructions for use by the instruction execution device. The computer readable storage medium may be, for example, but not limited to, an electronic memory device, a magnetic memory device, an optical memory device, an electromagnetic memory device, a semiconductor memory device, or any suitable combination of the foregoing.
It is to be understood that throughout the description of the present specification, reference to the term "one embodiment", "another embodiment", "other embodiments", or "first through nth embodiments", etc., is intended to mean that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, the schematic representations of the terms used above do not necessarily refer to the same embodiment or example. Furthermore, the particular features, structures, or materials described may be combined in any suitable manner in any one or more embodiments or examples.
The above description is only a preferred embodiment of the present disclosure and is not intended to limit the present disclosure, and various modifications and changes may be made to the present disclosure by those skilled in the art. Any modification, equivalent replacement, improvement and the like made within the spirit and principle of the present disclosure should be included in the protection scope of the present disclosure.

Claims (5)

1. A method for resource access control in a hybrid cloud environment, characterized by comprising the following steps:
receiving an instruction for a user to access a business system, and injecting the user's valid identity information at the source end of the network packet, specifically:
step (1): when a user accesses a business system, the driver layer at the source end of the network packet determines whether the accessed destination address and application port are the address and port of a server hosting a resource defined in the first policy list; if the access is legitimate access defined in the first policy list and the user is currently logged in, the driver layer injects the valid user identity information;
intercepting the network packet at its destination end, parsing the user identity, and deciding whether to pass or reject the network packet according to the association between the user and the accessed application defined in the policy list, specifically:
step (2): when a user accesses the business system, the driver layer at the destination end of the network packet determines whether the port of the accessed business system is defined in the second policy list and whether the user identity is legitimate, and passes or blocks the current network packet according to the user's access authority, the user's current state information and the access level of the business system recorded in the second policy list;
the user's access authority refers to the association between the user information and the ports of the business systems the user may access, and is recorded in the first policy list;
the user's state information refers to whether the user is logged in or logged out; only when the user is logged in may the driver layer at the source end of the network packet inject the valid user identity information, and the state information is recorded in the first policy list;
the access level of the business system is used to control the user's access authority at a finer granularity, for example when an emergency or special event occurs, and is recorded in the second policy list;
the first policy list and the second policy list must keep the user's valid information consistent: whenever the driver layer injects valid user identity information in step (1), the same user identity information must be synchronously updated to the policy list used in step (2);
the valid user identity information is a 4-byte number that changes dynamically according to a time-based rule.
2. A system for resource access control in a hybrid cloud environment, comprising:
a network egress module configured to: receive an instruction for a user to access a business system, and inject the user's valid identity information at the source end of the network packet, specifically:
step (1): when a user accesses a business system, the driver layer at the source end of the network packet determines whether the accessed destination address and application port are the address and port of a server hosting a resource defined in the first policy list; if the access is legitimate access defined in the first policy list and the user is currently logged in, the driver layer injects the valid user identity information;
a network ingress module configured to: intercept the network packet at its destination end, parse the user identity, and decide whether to pass or reject the network packet according to the association between the user and the accessed application defined in the policy list, specifically:
step (2): when a user accesses the business system, the driver layer at the destination end of the network packet determines whether the port of the accessed business system is defined in the second policy list and whether the user identity is legitimate, and passes or blocks the current network packet according to the user's access authority, the user's current state information and the access level of the business system recorded in the second policy list;
the user's access authority refers to the association between the user information and the ports of the business systems the user may access, and is recorded in the first policy list;
the user's state information refers to whether the user is logged in or logged out; only when the user is logged in may the driver layer at the source end of the network packet inject the valid user identity information, and the state information is recorded in the first policy list;
the access level of the business system is used to control the user's access authority at a finer granularity, for example when an emergency or special event occurs, and is recorded in the second policy list;
the first policy list and the second policy list must keep the user's valid information consistent: whenever the driver layer injects valid user identity information in step (1), the same user identity information must be synchronously updated to the policy list used in step (2);
the valid user identity information is a 4-byte number that changes dynamically according to a time-based rule.
3. An IAM system, characterized by comprising an IAM server, an information input unit and a display unit, wherein the information input unit is used to input the user's instruction to access a business system, and the display unit is used to display the related information processed by the IAM server;
wherein the IAM server is configured to perform the specific steps of claim 1.
4. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, wherein the processor, when executing the program, implements the steps of the method for resource access control in a hybrid cloud environment of claim 1.
5. A computer-readable storage medium on which a computer program is stored, wherein the program, when executed by a processor, carries out the steps of the method for resource access control in a hybrid cloud environment of claim 1.
CN201910286462.7A 2019-04-10 2019-04-10 Method and system for controlling resource access in hybrid cloud environment Active CN110012016B (en)


Publications (2)

Publication Number Publication Date
CN110012016A CN110012016A (en) 2019-07-12
CN110012016B true CN110012016B (en) 2021-04-27


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant