CN112417464A - Cloud computing digital right protection method and device - Google Patents


Info

Publication number: CN112417464A
Authority: CN (China)
Prior art keywords: data, cloud, cloud service, storage, digital
Legal status: Granted; currently active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN201910783907.2A
Other languages: Chinese (zh)
Other versions: CN112417464B (en)
Inventor: 丁爱民
Current assignee: Individual (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Individual
Application filed by: Individual
Priority to: CN201910783907.2A
Publication: CN112417464A; application granted and published as CN112417464B

Classifications

    • G Physics / G06 Computing; calculating or counting / G06F Electric digital data processing / G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity / G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules / G06F21/6218 ... to a system of files or objects, e.g. local or distributed file system or database / G06F21/6227 ... where protection concerns the structure of data, e.g. records, types, queries
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity / G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements
    • G06F2221/2107 File encryption
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices


Abstract

The embodiment of the invention provides a cloud computing digital rights protection method and device. The method comprises the following steps: the cloud service customer configures and manages a digital rights controller, which provides a digital rights protection storage service; the cloud service provider uses the digital rights protection storage service as a storage resource to generate a digital rights protection cloud computing platform for use by the cloud service customer; the cloud service customer uses the digital rights protection cloud computing platform, and customer data is stored through the digital rights protection storage service or the digital rights protection cloud computing platform. The embodiment of the invention protects the cloud service customer's management control right over cloud data, protects the integrity and confidentiality of cloud service customer data, prevents virtual machine images or snapshots from being maliciously tampered with, and prevents sensitive resources that may exist in virtual machine images or snapshots from being illegally accessed.

Description

Cloud computing digital right protection method and device
Technical Field
The invention relates to the field of information security, in particular to cloud computing data security.
Background
Digital rights refer to the rights that arise from data throughout its whole life cycle of handling, and relate to personal privacy, data property rights, national sovereignty and other rights and interests. The digital rights subject is the holder of control rights over the data; it may be a natural person, a legal person, an unincorporated organization and the like, and is usually the specific party that the data concerns, or a collector, storer, transmitter or processor of the data. The digital rights object is the data itself, namely a coded set of information with certain rules or value to which the rights relate. Digital rights protection is the complete control right that the digital rights subject enjoys over the digital rights object: the digital rights object is under the legal control of the digital rights subject, and the digital rights subject has the right to lawfully control the data object, which it can exercise freely without interference from others. The essence of digital rights protection is the control of the digital rights object by the digital rights subject. To guarantee the subject's rights and interests, the digital rights subject acts as administrator to influence and direct the controlled objects involved across the whole life cycle of the digital rights object; the controlled objects include the software and hardware facilities for computation, storage and transmission, such as signal sources, channels, signal sinks, encoders and decoders.
Cloud computing refers to a mode of accessing an extensible, flexible, physical or virtual shared resource pool through a network and automatically acquiring and managing resources on demand; examples of cloud computing resources include servers, operating systems, networks, software, applications and storage equipment.
A cloud service provider refers to a provider of cloud computing services; cloud service providers manage, operate and support the computing infrastructure and software of cloud computing and deliver cloud computing resources through a network.
A cloud service customer refers to a party that establishes a business relationship with a cloud service provider in order to use cloud computing services.
A cloud computing platform/system refers to the cloud computing infrastructure provided by a cloud service provider together with the collection of service software running on it.
A virtual machine monitor (hypervisor) refers to an intermediate software layer that runs between the server hardware and the operating systems and allows multiple operating systems and applications to share the hardware.
A host machine refers to a physical server running a virtual machine monitor.
Virtual machine images and snapshots refer to the complete data files of a cloud computing platform generated by the virtual machine monitor.
Customer data refers to the program code and customer business data that a cloud service customer deploys on the cloud computing platform; customer business data comprises identity data, business data, audit data, configuration data, video data and personal information.
Unauthorized persons include network hackers, highly privileged administrative personnel, equipment maintenance personnel, and persons who attempt to decipher data from equipment that has been lost or has passed out of the customer's control.
With the rapid development of cloud computing technology, many individuals, enterprises, governments and even military units, as cloud service customers, are gradually deploying customer data onto cloud computing platforms provided by cloud service providers. The customer data is computed and stored directly on the cloud computing platform, and the virtual machine images and snapshots of the cloud computing platform generated by the virtual machine monitors deployed on host machines must be kept on a storage facility. Ownership and management rights over the customer data deployed on the cloud computing platform are thus separated: once cloud service customer data has moved to the cloud, the customer loses control over it, so the cloud service provider or unauthorized persons can steal, leak and spread the customer data. The following data security problems therefore exist in the cloud computing field: firstly, a cloud service provider or unauthorized person can copy, back up and maliciously tamper with the virtual machine images and snapshots, and can illegally access the customer data contained in them; secondly, the cloud service provider or unauthorized person can steal and leak the customer data deployed on the cloud computing platform through the cloud computing platform under their control.
Disclosure of Invention
In view of the security risk that a cloud service provider or an unauthorized person can steal, leak and spread customer data, virtual machine images and snapshot data files once cloud service customer data is in the cloud, the embodiment of the invention provides a cloud computing digital rights protection method and device, so that the cloud service customer's management control right over cloud data is guaranteed, the integrity and confidentiality of cloud service customer data are protected, virtual machine images or snapshots are prevented from being maliciously tampered with, and sensitive resources that may exist in virtual machine images or snapshots are prevented from being illegally accessed.
In one aspect, an embodiment of the present invention provides a cloud computing digital rights protection method, where the method includes:
the cloud service customer configures and manages a digital rights controller, which provides a digital rights protection storage service;
the cloud service provider uses the digital rights protection storage service as a storage resource to generate a digital rights protection cloud computing platform for use by the cloud service customer;
the cloud service customer uses the digital rights protection cloud computing platform, and customer data is stored through the digital rights protection storage service or the digital rights protection cloud computing platform.
Preferably, the digital rights controller is a storage facility controlled by the cloud service customer, and the digital rights protection storage service refers to the storage service provided by a digital rights controller controlled by the cloud service customer.
The digital rights controller is a secure storage device that guarantees the cloud service customer's control right over its data.
Preferably, the digital rights controller is a storage boundary security device comprising a storage security gateway device, a data storage encryption device and a storage encryption driver board card.
Preferably, the virtual machine image and the snapshot of the digital rights protection cloud computing platform are stored through digital rights protection storage service.
Preferably, the customer data includes: program source and execution code, authentication data, business data, audit data, configuration data, video data, and personal information.
In another aspect, an embodiment of the present invention provides a digital rights controller apparatus, where the apparatus includes:
a digital rights management unit, which provides the cloud service customer with the function of managing the digital rights protection policy;
a digital rights control unit, which executes the digital rights protection policy and provides the digital rights protection storage service: data received by the digital rights protection storage service is encoded according to the digital rights protection policy and output to the controlled storage unit for storage, and data stored in the controlled storage unit is decoded according to the digital rights protection policy and output to the digital rights protection storage service;
a controlled storage unit, which is the storage facility managed and controlled by the digital rights control unit and is responsible for storing data.
The cloud service customer achieves unified security management and control of the digital rights control unit through a digital rights protection policy file. Data stored in the controlled storage unit cannot be recovered when no matching digital rights protection policy file exists or when the password of the matching policy file is unavailable; if the digital rights protection policy file is altered, the digital rights control unit cannot read the data stored in the controlled storage unit; after a digital rights control unit fails, a new digital rights control unit can be substituted, and its access to the stored data is restored through the digital rights protection policy file restoration function, so that data loss and data damage are avoided.
Preferably, in a private cloud application scenario, the digital rights management unit, the digital rights control unit, and the controlled storage unit are controlled and managed by different cloud service client roles, respectively.
Preferably, the digital rights protection policy comprises the secret segmentation algorithm parameters; the number of controlled storage units is M; the digital rights control unit uses a secret segmentation algorithm, following the secret-splitting technical route, to divide the data received by the storage service into N sub-secrets P1, P2, ..., PN, and stores the N sub-secrets on the M controlled storage units; wherein:
N is a natural number greater than 1, and M is a natural number greater than 1 and less than or equal to N;
each controlled storage unit holds at least 1 sub-secret; the cloud service customer data cannot be recovered from the data on any single controlled storage unit, nor can it be recovered if the data on any one controlled storage unit is absent; the data on all M controlled storage units must be gathered together, and only then can the cloud service customer data be recovered through the digital rights control unit;
the M controlled storage units are of two types: customer-controllable controlled storage units and customer-uncontrollable controlled storage units, where the management control right of a customer-controllable controlled storage unit belongs to the cloud service customer, and the management control right of a customer-uncontrollable controlled storage unit does not belong to the cloud service customer;
the number of customer-controllable controlled storage units is at least 1 and at most all M; the number of customer-uncontrollable controlled storage units is at most M-1 and at least 0;
a customer-controllable controlled storage unit is a storage device or cloud storage provided by a cloud computing platform;
a customer-uncontrollable controlled storage unit is a storage device or cloud storage provided by a cloud computing platform.
Preferably, in the public cloud and hybrid cloud application scenarios, the digital rights management unit is controlled and managed by the cloud service customer; the number of customer-controllable controlled storage units is at least 1 and at most all M.
Preferably, in a multi-cloud application scenario, the digital rights management unit must be controlled and managed by the cloud service customer; the number of customer-controllable controlled storage units may be 0, and the M controlled storage units are provided by no fewer than 2 cloud service providers.
The technical scheme has the following beneficial effects:
1. A cloud computing image and snapshot protection mechanism is provided for cloud service customers, so that virtual machine images are prevented from being maliciously tampered with and sensitive resources that may exist in virtual machine images and snapshots are prevented from being illegally accessed.
2. Technical protection of the integrity and confidentiality of customer data is provided for the cloud service customer, and it is guaranteed that the cloud service provider or a third party holds management authority over cloud service customer data only under the cloud service customer's authorization.
3. Cloud-side data security back doors are prevented. Highly privileged cloud personnel (such as system administrators, operation and maintenance personnel, DB engineers, hackers and the like) are prevented from using the controlled storage unit as a back door to steal cloud service customer data files directly from the storage facility; this removes the risk that the cloud service customer's program code and customer data deployed in those files are stolen, and achieves the protection property that data copied from the cloud storage equipment cannot be used.
4. A digital rights protection mechanism is provided for the cloud service customer, who guarantees control over its own data by controlling the digital rights controller and the controlled storage units.
5. A security assurance system is established for cloud computing with division of roles, separation of duties, data segmentation, operation and maintenance management, security partitioning, and no possibility of disclosure by any single party.
6. A technical mechanism for multi-person management of data security is realized, preventing the data leakage risk caused by over-concentrated storage management authority: the overall technical route preferentially adopts secret segmentation, dividing data into multiple secret data packets that are stored on multiple different storage devices and managed by multiple operation and maintenance personnel, so that multi-person management is enforced technically.
7. Compared with other technical routes based on data encryption, the method has the advantages of faster secret transformation (encoding and decoding) and lower management cost.
8. In the cloud storage system and method, cloud service customer data is secretly divided and then distributed across multiple cloud storages; the information stored in each cloud storage is incomplete, and the data security of cloud storage services, cloud backup services and cloud computing services is guaranteed.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present invention, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
FIG. 1 is a flowchart illustrating a cloud computing digital rights protection method according to an embodiment of the present invention;
FIG. 2 is a schematic structural diagram of a cloud computing digital rights protection apparatus according to an embodiment of the present invention;
FIG. 3 is a diagram illustrating a cloud computing digital rights protection system according to an embodiment of the present invention;
FIG. 4 is a flow chart of a data partitioning security method of a cloud computing digital rights protection system according to an embodiment of the present invention;
FIG. 5 is a diagram illustrating a digital rights protection private cloud system according to an embodiment of the present invention;
FIG. 6 is a diagram illustrating a digital rights protection public cloud system according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of a digital rights protection hybrid cloud system according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
As shown in FIG. 1, which is a flowchart of a cloud computing digital rights protection method according to an embodiment of the present invention, the method includes:
101. the cloud service customer configures and manages a digital rights controller, which provides a digital rights protection storage service;
102. the cloud service provider uses the digital rights protection storage service as a storage resource to generate a digital rights protection cloud computing platform for use by the cloud service customer;
103. the cloud service customer uses the digital rights protection cloud computing platform, and customer data is stored through the digital rights protection storage service or the digital rights protection cloud computing platform.
Preferably, the digital rights controller is a storage facility controlled by the cloud service customer, and the digital rights protection storage service refers to the storage service provided by a digital rights controller controlled by the cloud service customer.
The digital rights controller is a secure storage device that guarantees the cloud service customer's control right over its data.
The digital rights controller is a storage boundary security device comprising a storage security gateway device, a data storage encryption device and a storage encryption driver board card.
Preferably, the virtual machine image and the snapshot of the digital rights protection cloud computing platform are stored through digital rights protection storage service.
Preferably, the customer data includes: program source and execution code, authentication data, business data, audit data, configuration data, video data, and personal information.
As shown in FIG. 2, which is a schematic structural diagram of a cloud computing digital rights protection apparatus according to an embodiment of the present invention, the apparatus includes:
a digital rights management unit 21, which provides the cloud service customer with the function of managing the digital rights protection policy;
a digital rights control unit 22, which executes the digital rights protection policy and provides the digital rights protection storage service: data received by the digital rights protection storage service is encoded according to the digital rights protection policy and output to the controlled storage unit 23 for storage, and data stored in the controlled storage unit 23 is decoded according to the digital rights protection policy and output to the digital rights protection storage service;
a controlled storage unit 23, which is the storage facility managed and controlled by the digital rights control unit and is responsible for storing data.
The cloud service customer achieves unified security management and control of the digital rights control unit through a digital rights protection policy file. Data stored in the controlled storage unit cannot be recovered when no matching digital rights protection policy file exists or when the password of the matching policy file is unavailable; if the digital rights protection policy file is altered, the digital rights control unit cannot read the data stored in the controlled storage unit; after a digital rights control unit fails, a new digital rights control unit can be substituted, and its access to the stored data is restored through the digital rights protection policy file restoration function, so that data loss and data damage are avoided.
Preferably, in a private cloud application scenario, the digital rights management unit, the digital rights control unit, and the controlled storage unit are controlled and managed by different cloud service client roles, respectively.
Preferably, the digital rights protection policy comprises the secret segmentation algorithm parameters; the number of controlled storage units is M; the digital rights control unit uses a secret segmentation algorithm, following the secret-splitting technical route, to divide the data received by the storage service into N sub-secrets P1, P2, ..., PN, and stores the N sub-secrets on the M controlled storage units; wherein:
N is a natural number greater than 1, and M is a natural number greater than 1 and less than or equal to N;
each controlled storage unit holds at least 1 sub-secret; the cloud service customer data cannot be recovered from the data on any single controlled storage unit, nor can it be recovered if the data on any one controlled storage unit is absent; the data on all M controlled storage units must be gathered together, and only then can the cloud service customer data be recovered through the digital rights control unit;
the M controlled storage units are of two types: customer-controllable controlled storage units and customer-uncontrollable controlled storage units, where the management control right of a customer-controllable controlled storage unit belongs to the cloud service customer, and the management control right of a customer-uncontrollable controlled storage unit does not belong to the cloud service customer;
the number of customer-controllable controlled storage units is at least 1 and at most all M; the number of customer-uncontrollable controlled storage units is at most M-1 and at least 0;
a customer-controllable controlled storage unit is a storage device or cloud storage provided by a cloud computing platform;
a customer-uncontrollable controlled storage unit is a storage device or cloud storage provided by a cloud computing platform.
Preferably, in the public cloud and hybrid cloud application scenarios, the digital rights management unit is controlled and managed by the cloud service customer; the number of customer-controllable controlled storage units is at least 1 and at most all M.
Preferably, in a multi-cloud application scenario, the digital rights management unit must be controlled and managed by the cloud service customer; the number of customer-controllable controlled storage units may be 0, and the M controlled storage units are provided by no fewer than 2 cloud service providers.
The following is detailed by way of application examples:
As shown in FIG. 3, a schematic diagram of a cloud computing digital rights protection system according to an application example of the present invention, the cloud computing digital rights protection system comprises a cloud computing service unit, a cloud computing management unit, a computing unit, customer-uncontrollable controlled storage units, a digital rights controller and customer-controllable controlled storage units.
The cloud computing service unit is a cloud computing platform/system and includes virtual hosts, cloud servers, VPS (Virtual Private Server) instances, cloud storage, cloud hard disks and the like. The cloud service customer deploys cloud service customer data on the cloud computing service unit. The cloud service customer data comprises the business system program code of the cloud service customer and the cloud service customer's business data. The cloud service customer is the user of the cloud computing service unit and may be an individual, an enterprise or public institution, a government or the military.
The cloud computing management unit is a cloud computing resource and service management information system that uses a virtual machine monitor (hypervisor) to uniformly manage and schedule a large number of network-connected computing units, storage resources or cloud storage, and network resources provided by other cloud computing platforms, forming a computing resource pool that serves cloud service customers on demand.
The computing unit is a computing resource that can be managed and scheduled by the cloud computing management unit; it may be a computing facility such as a server, a PC or a supercomputer, or a cloud computing service unit provided by another cloud computing platform.
A customer-uncontrollable controlled storage unit may be a storage device or cloud storage provided by a cloud computing platform.
The digital rights controller is a storage boundary security protection facility used to protect the digital rights of the cloud service customer; control of the digital rights controller belongs to the cloud service customer, not to the cloud service provider.
A customer-controllable controlled storage unit is a controlled storage unit managed and controlled by the cloud service customer, and may be a storage device or cloud storage provided by other cloud computing platforms.
The cloud computing digital right protection system is characterized in that:
The digital rights controller is controlled by the cloud service customer and serves as a storage resource provider for the cloud computing management unit; the cloud computing management unit generates the cloud computing service unit; when the cloud service customer uses the cloud computing service unit, program code and data are deployed on it, and ultimately all cloud service customer data is stored through the digital rights controller, appearing as cloud service customer data in forms such as virtual machine images, snapshot data files, document data files, audio and video data files and database files.
The digital rights controller divides the cloud service customer data into N pieces of sub-secret data P1, P2, …, PN using a secret division algorithm, where N is a natural number greater than 1;
The N pieces of sub-secret data produced by secretly dividing the cloud service customer data are stored by the digital rights controller on M controlled storage units, where M is a natural number greater than 1 and less than N; each controlled storage unit holds at least 1 piece of sub-secret data. The cloud service customer data cannot be recovered from the data on any single controlled storage unit, and it cannot be recovered if the data on any one controlled storage unit is missing; only when the data on all M controlled storage units is gathered together can the cloud service customer data be recovered through the digital rights controller. The M controlled storage units are of two types: cloud service customer controllable controlled storage units and cloud service customer uncontrollable controlled storage units. The management control right of the cloud service customer controllable controlled storage units belongs to the cloud service customer; this type contains at least 1 controlled storage unit and at most all M controlled storage units. The management control right of the cloud service customer uncontrollable controlled storage units does not belong to the cloud service customer; this type contains at most M-1 controlled storage units and at least 0.
The cloud service customer implements unified security management control of the digital rights controller through a digital rights protection policy file, which yields the following protective effects: the cloud service customer data stored in the cloud service customer uncontrollable controlled storage units and the cloud service customer controllable controlled storage units cannot be recovered without the matching digital rights protection policy file or the matching policy file password; if the digital rights protection policy file is changed, the digital rights controller cannot read the data stored in those storage units; and after the digital rights controller fails, a new device can be put in its place and data storage access restored through the policy file restoration function, without data loss or data damage.
Preferably, the digital rights controller provides a digital rights protection management function for the cloud service customer; through this function the cloud service customer's data security manager manages all the cloud service customer controllable controlled storage units and cloud service customer uncontrollable controlled storage units, as well as the secret segmentation algorithm and its parameters.
As shown in Fig. 4, a flowchart of the data partitioning security method of the cloud computing digital rights protection system according to an application example of the present invention, the method comprises:
401. Digital rights protection system setup, which comprises three functions:
1) Security isolation deployment: the cloud service customer deploys the digital rights controller and the cloud service customer controllable controlled storage unit in the same security domain;
2) Multi-person management mechanism setup: the cloud service customer designates data security management personnel and system operation and maintenance management personnel;
3) Digital rights protection policy setup: the cloud service customer's data security management personnel set the digital rights protection policy of the digital rights controller.
402. Cloud service customer data goes to the cloud: the cloud service customer's system operation and maintenance management personnel install and deploy program code and business data in the cloud computing service unit;
403. Secret split storage of cloud service customer data: the digital rights controller secretly partitions the cloud service customer data, encoding it into N pieces of sub-secret data through the secret partitioning algorithm and writing them to the cloud service customer controllable controlled storage unit and the cloud service customer uncontrollable controlled storage unit respectively. The secret partitioning algorithm divides the cloud service customer data into N pieces of sub-secret data P1, P2, …, PN; only after all N pieces of sub-secret data have been collected can the cloud service customer data be reconstructed by the secret partitioning algorithm.
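The following is an added worked example, written for this page and not code from the patent or its applicant, that models the secret split storage of step 403, the M-unit distribution constraints described for Fig. 3, and the policy file behaviour stated there and in claims 7 and 8. The patent names a "secret division algorithm" without specifying one; the example assumes N-of-N XOR splitting (every share is required, and any strict subset is independent of the data), which matches the stated all-or-nothing property. The policy file fields, the password, the HMAC tag on each share and the class and function names are all assumptions made for this illustration; the sample record and the policy are constructed.

```python
import hashlib
import hmac
import json
import secrets

# Constructed digital rights protection policy (field names are assumptions for this
# example, not the patent's file format): N=4 shares spread over M=3 controlled
# storage units. Units 0 and 1 are customer-controllable, unit 2 is provider-side.
POLICY = {
    "algorithm": "xor-all-or-nothing",
    "n": 4,
    "m": 3,
    "share_to_unit": [0, 1, 2, 0],
    "controllable_units": [0, 1],
}
POLICY_PASSWORD = b"constructed-policy-password"


def validate_policy(policy):
    """Return the list of constraint violations (empty when the policy is well-formed)."""
    n, m, mapping = policy["n"], policy["m"], policy["share_to_unit"]
    errors = []
    if n <= 1:
        errors.append("N must be greater than 1")
    if not 1 < m <= n:
        errors.append("M must be greater than 1 and at most N")
    if len(mapping) != n or any(u not in range(m) for u in mapping):
        errors.append("every share must map to one of the M units")
    if set(mapping) != set(range(m)):
        errors.append("every unit must hold at least one share")
    if len(policy["controllable_units"]) < 1:
        errors.append("at least one unit must be customer-controllable")
    return errors


def policy_key(policy, password):
    """Bind the policy file and its password into one key: changing either changes the key."""
    canonical = json.dumps(policy, sort_keys=True).encode()
    return hmac.new(password, canonical, hashlib.sha256).digest()


def xor_bytes(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(data, n):
    """N-of-N XOR secret splitting: n-1 uniformly random shares, last share = data XOR all others.
    Any strict subset of the shares is statistically independent of the data."""
    shares = [secrets.token_bytes(len(data)) for _ in range(n - 1)]
    last = data
    for share in shares:
        last = xor_bytes(last, share)
    shares.append(last)
    return shares


def recover_secret(shares):
    """XOR all shares back together; correct only when every one of the N shares is present."""
    out = bytes(len(shares[0]))
    for share in shares:
        out = xor_bytes(out, share)
    return out


class DigitalRightsController:
    """Toy controller: splits on write, reassembles on read, and authenticates every
    share under a key derived from the policy file, so a mismatched policy cannot read."""

    def __init__(self, policy, password, units):
        self.policy = policy
        self.key = policy_key(policy, password)
        self.units = units  # M dicts: object name -> list of (share index, share, tag)

    def _tag(self, name, index, share):
        return hmac.new(self.key, name.encode() + bytes([index]) + share, hashlib.sha256).digest()

    def write(self, name, data):
        for index, share in enumerate(split_secret(data, self.policy["n"])):
            unit = self.policy["share_to_unit"][index]
            self.units[unit].setdefault(name, []).append((index, share, self._tag(name, index, share)))

    def read(self, name):
        collected = {}
        for unit in self.units:
            for index, share, tag in unit.get(name, []):
                if not hmac.compare_digest(tag, self._tag(name, index, share)):
                    return None  # written under a different policy file or password
                collected[index] = share
        if len(collected) != self.policy["n"]:
            return None  # at least one controlled storage unit's shares are missing
        return recover_secret([collected[i] for i in range(self.policy["n"])])


def demo():
    """Walk through steps 401-403 and the failure modes; returns a dict of outcomes."""
    data = b"constructed customer record: account=42 balance=1000"  # constructed sample
    units = [dict() for _ in range(POLICY["m"])]
    controller = DigitalRightsController(POLICY, POLICY_PASSWORD, units)
    controller.write("customer.db", data)
    provider_side_shares = [share for _, share, _ in units[2]["customer.db"]]
    changed_policy = dict(POLICY, share_to_unit=[0, 1, 2, 1])
    return {
        "roundtrip": controller.read("customer.db") == data,
        "single_unit_recovers": recover_secret(provider_side_shares) == data,
        "replacement_controller_reads": DigitalRightsController(POLICY, POLICY_PASSWORD, units).read("customer.db") == data,
        "changed_policy_reads": DigitalRightsController(changed_policy, POLICY_PASSWORD, units).read("customer.db") is not None,
        "missing_unit_reads": DigitalRightsController(POLICY, POLICY_PASSWORD, units[:2] + [dict()]).read("customer.db") is not None,
    }
```

Running demo() shows the properties the text claims: the full set of units round-trips the data, the provider-side unit alone yields only random bytes, a replacement controller loaded with the same policy file and password reads the data, a changed policy file cannot, and a missing unit blocks recovery. Note that XOR splitting gives no threshold: losing any one unit loses the data, so availability rests entirely on the M units' own redundancy, which is exactly the trade-off the passage describes.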
The technical scheme has the following beneficial effects:
1. The cloud-side data security back door is closed. Cloud-side personnel with high privileges (such as system administrators, operation and maintenance personnel, DB engineers, hackers and the like) are prevented from using the cloud service customer uncontrollable controlled storage unit as a back door to steal cloud service customer data files directly from it, and thereby from stealing the cloud service customer program code and cloud service customer data deployed in those files; the protective effect that data copied from cloud storage equipment cannot be used is achieved.
2. A digital rights protection technical mechanism is provided for the cloud service customer: by controlling the digital rights controller and the cloud service customer controllable controlled storage unit, the cloud service customer guarantees absolute control over the cloud service customer data.
3. A security technology guarantee system for cloud computing is established, featuring division of roles, separation of duties, data segmentation, separate operation and maintenance management and security governance, with no single party able to divulge the secret.
4. A technical mechanism for multi-person management of data security is realized, preventing the risk of data leakage caused by over-concentrated storage management authority. The overall technical route preferentially adopts secret segmentation: data is divided into several secret data packets stored on several different storage devices and managed by several different operation and maintenance personnel, so that multi-person management is enforced technically.
5. Compared with other technical routes based on data encryption, the method has faster secret transformation (encoding and decoding) speed and lower management cost.
6. Data segmentation and 'multi-cloud' fused secure storage are supported: after secret division, the cloud service customer data is distributed across several cloud storages, the information stored in each cloud storage is incomplete, and the data security of cloud storage services, cloud backup services and cloud computing services is guaranteed.
Fig. 5 is a schematic diagram of a private cloud digital rights protection system according to an embodiment of the present invention; the system comprises: a cloud computing service unit, a cloud computing management unit, a computing unit, a digital rights controller, a first cloud service customer controllable controlled storage unit and a second cloud service customer controllable controlled storage unit.
The digital rights controller, the first cloud service customer controllable controlled storage unit and the second cloud service customer controllable controlled storage unit are deployed in the same security domain.
The cloud service customer data is divided into two parts by the digital rights controller: one part is stored in the first cloud service customer controllable controlled storage unit and managed by the first operation and maintenance manager; the other part is stored in the second cloud service customer controllable controlled storage unit and managed by the second operation and maintenance manager.
The application example has the following beneficial effects:
1. The cloud-side data security back door is closed. Cloud-side personnel with high privileges (such as system administrators, operation and maintenance personnel, DB engineers, hackers and the like) are prevented from using a controlled storage unit as a back door to steal cloud service customer data files directly from it, removing the data security risk of the cloud service customer program code and cloud service customer data deployed in those files being stolen; the protective effect that data copied from cloud storage equipment cannot be used is achieved.
2. A digital rights protection technical mechanism is provided for the cloud service customer: by controlling the digital rights controller and the cloud service customer controllable controlled storage unit, the cloud service customer guarantees absolute control over the cloud service customer data.
3. A security technology guarantee system for cloud computing is established, featuring division of roles, separation of duties, data segmentation, separate operation and maintenance management and security governance, with no single party able to divulge the secret.
4. A technical mechanism for multi-person management of data security is realized, preventing the risk of data leakage caused by over-concentrated storage management authority. The overall technical route preferentially adopts secret segmentation: data is divided into several secret data packets stored on several different storage devices and managed by several different operation and maintenance personnel, so that multi-person management is enforced technically.
As shown in Fig. 6, a schematic diagram of a public cloud digital rights protection system according to an embodiment of the present invention, the system comprises: a cloud computing service unit, a cloud computing management unit, a computing unit, a digital rights controller, a cloud service customer uncontrollable controlled storage unit and a cloud service customer controllable controlled storage unit.
This application example of the invention provides data bastion equipment comprising a digital rights controller and a cloud service customer controllable controlled storage unit. Cloud service customers of the public cloud use the data bastion equipment to guarantee the security of the cloud service customer data deployed on the public cloud. In this application example, the cloud host provided by the public cloud has data partitioning storage and leakage prevention functions.
Preferably, the cloud computing management unit of the public cloud must generate the cloud computing service unit using the data bastion.
Preferably, the cloud service customer can inspect, through the cloud computing management unit, the storage resources used by the cloud computing service unit, in order to check whether the data of the cloud computing service unit in use is protected by the data bastion controlled by the cloud service customer.
Preferably, when the cloud service customer creates the cloud computing service unit, the cloud service customer uncontrollable controlled storage unit provided by the public cloud is rented as needed; when the cloud computing service unit is deleted, the lease is terminated immediately.
Preferably, the cloud service customer manages and controls the data bastion itself.
The application example has the following beneficial effects:
1. Public cloud data security and leakage prevention are realized. After the cloud service customer data has been moved to the public cloud, the cloud service customer guarantees absolute control over the cloud service customer data by controlling the digital rights controller of the data bastion equipment and the cloud service customer controllable controlled storage unit.
2. The cloud-side data security back door is closed. Cloud-side personnel with high privileges (such as system administrators, operation and maintenance personnel, DB engineers, hackers and the like) are prevented from using the cloud service customer uncontrollable controlled storage unit as a back door to steal cloud service customer data files directly from it, and thereby from stealing the cloud service customer program code and cloud service customer data deployed in those files; the protective effect that data copied from cloud storage equipment cannot be used is achieved.
As shown in Fig. 7, a schematic diagram of a hybrid cloud digital rights protection system according to an embodiment of the present invention, the system comprises: a cloud computing service unit, a cloud computing management unit, a computing unit, a digital rights controller, a cloud service customer uncontrollable controlled storage unit and a cloud service customer controllable controlled storage unit.
The cloud service customer deploys the cloud computing management unit, the digital rights controller, the cloud service customer controllable controlled storage unit, the public cloud computing unit and the cloud service customer uncontrollable controlled storage unit in the same security domain.
The cloud computing service unit is managed by the cloud computing management unit in the same security domain and has the same security strength as a private cloud.
The application example has the following beneficial effects:
1. Public cloud data security is realized. While the public cloud provides computing and storage services, it cannot obtain the content of the cloud service customer data; the cloud service customer guarantees absolute control over the cloud service customer data by controlling the digital rights controller and the cloud service customer controllable controlled storage unit.
2. The cloud-side data security back door is closed. Cloud-side personnel with high privileges (such as system administrators, operation and maintenance personnel, DB engineers, hackers and the like) are prevented from using the cloud service customer uncontrollable controlled storage unit as a back door to steal cloud service customer data files directly from it, and thereby from stealing the cloud service customer program code and cloud service customer data deployed in those files; the protective effect that data copied from cloud storage equipment cannot be used is achieved.
It should be understood that the specific order or hierarchy of steps in the processes disclosed is an example of exemplary approaches. Based upon design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged without departing from the scope of the present disclosure. The accompanying method claims present elements of the various steps in a sample order, and are not intended to be limited to the specific order or hierarchy presented.
In the foregoing detailed description, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments of the subject matter require more features than are expressly recited in each claim. Rather, as the following claims reflect, invention lies in less than all features of a single disclosed embodiment. Thus, the following claims are hereby expressly incorporated into the detailed description, with each claim standing on its own as a separate preferred embodiment of the invention.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present invention. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
What has been described above includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the aforementioned embodiments, but one of ordinary skill in the art may recognize that many further combinations and permutations of various embodiments are possible. Accordingly, the embodiments described herein are intended to embrace all such alterations, modifications and variations that fall within the scope of the appended claims. Furthermore, to the extent that the term "includes" is used in either the detailed description or the claims, such term is intended to be inclusive in a manner similar to the term "comprising" as "comprising" is interpreted when employed as a transitional word in a claim. Furthermore, any use of the term "or" in the specification of the claims is intended to mean a "non-exclusive or".
Those of skill in the art will further appreciate that the various illustrative logical blocks, units, and steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, computer software, or combinations of both. To clearly illustrate the interchangeability of hardware and software, various illustrative components, elements, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design requirements of the overall system. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present embodiments.
The various illustrative logical blocks, or elements, described in connection with the embodiments disclosed herein may be implemented or performed with a general purpose processor, a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described herein. A general-purpose processor may be a microprocessor, but in the alternative, the processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, a hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. For example, a storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may reside in an ASIC, which may be disposed in a cloud service client terminal. Alternatively, the processor and the storage medium may reside in different components of a cloud service client terminal.
In one or more exemplary designs, the functions described above in connection with the embodiments of the invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, the functions may be stored on or transmitted over a computer-readable medium as one or more instructions or code. Computer-readable media include both computer storage media and communication media that facilitate transfer of a computer program from one place to another. Storage media may be any available media that can be accessed by a general-purpose or special-purpose computer. For example, such computer-readable media can include, but are not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to carry or store program code in the form of instructions or data structures and which can be read by a general-purpose or special-purpose computer or processor. Further, any connection is properly termed a computer-readable medium; for example, if the software is transmitted from a website, server, or other remote source via coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wirelessly (e.g., infrared, radio, and microwave), then those media are also included in the definition of computer-readable medium. Disk and disc, as used herein, include compact disc, laser disc, optical disc, DVD, floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above may also be included within computer-readable media.
The above-mentioned embodiments are intended to illustrate the objects, technical solutions and advantages of the present invention in further detail, and it should be understood that the above-mentioned embodiments are merely exemplary embodiments of the present invention, and are not intended to limit the scope of the present invention, and any modifications, equivalent substitutions, improvements and the like made within the spirit and principle of the present invention should be included in the scope of the present invention.

Claims (10)

1. A cloud computing digital rights protection method, the method comprising:
the cloud service client configures and manages the digital right controller and provides digital right protection storage service;
the cloud service provider uses the digital right protection storage service as a storage resource to generate a digital right protection cloud computing platform used by a cloud service customer;
the cloud service client uses the digital right protection cloud computing platform, and client data are stored through the digital right protection storage service or the digital right protection cloud computing platform.
2. The cloud computing digital rights protection method of claim 1, wherein the digital rights controller is a storage facility controlled by the cloud service client itself; the digital rights protection storage service is the storage service provided by the digital rights controller controlled by the cloud service client;
the digital right controller is a safe storage device for guaranteeing the control right of cloud service customers to data;
the digital rights controller is a storage boundary security device comprising: the device comprises a storage security gateway device, a data storage encryption device and a storage encryption drive board card.
3. The cloud computing digital rights protection method of claim 1, wherein virtual machine images and snapshots of the digital rights protection cloud computing platform are stored by the digital rights protection storage service.
4. The cloud computing digital rights protection method of claim 1, wherein the customer data comprises: program source and execution code, authentication data, business data, audit data, configuration data, video data, and personal information.
5. A digital rights controller apparatus, the apparatus comprising:
the digital right management unit is used for providing a function of managing a digital right protection strategy for a cloud service client;
the digital rights control unit executes the digital rights protection policy and provides the digital rights protection storage service; data received by the digital rights protection storage service is encoded according to the digital rights protection policy and output to the controlled storage unit for storage; data stored in the controlled storage unit is decoded according to the digital rights protection policy and output to the digital rights protection storage service;
the controlled storage unit is a storage facility managed and controlled by the digital right control unit and is responsible for storing data.
6. The digital rights controller device of claim 5, wherein in a private cloud application scenario, the digital rights management unit, the digital rights control unit, and the controlled storage unit are controlled and managed by different cloud service client roles, respectively.
7. The digital rights controller device according to claim 5, wherein the cloud service client implements unified security management control of the digital rights control unit through a digital rights protection policy file; the data stored in the controlled storage unit cannot be recovered without a matching digital rights protection policy file or a matching digital rights protection policy file password; if the digital rights protection policy file is changed, the digital rights control unit cannot read the data stored in the controlled storage unit; after the digital rights control unit fails, a new digital rights control unit can be substituted and its data storage access restored through the digital rights protection policy file restoration function, so that no data loss or data damage occurs.
8. The digital rights controller apparatus of claim 5, wherein the digital rights protection policy includes secret partitioning algorithm parameters; the number of controlled storage units is M; the digital rights control unit, following the secret partitioning technical route, uses a secret partitioning algorithm to divide the data received by the storage service into N pieces of sub-secret data P1, P2, …, PN and stores the N pieces of sub-secret data on the M controlled storage units; wherein:
N is a natural number greater than 1, and M is a natural number greater than 1 and less than or equal to N;
each controlled storage unit holds at least 1 piece of sub-secret data; the cloud service customer data cannot be recovered from the data on any single controlled storage unit, and it cannot be recovered if the data on any one controlled storage unit is missing; only when the data on all M controlled storage units is gathered together can the cloud service customer data be recovered through the digital rights control unit;
the M controlled storage units are divided into two types: cloud service client controllable controlled storage units and cloud service client uncontrollable controlled storage units, wherein the management control right of the cloud service client controllable controlled storage units belongs to the cloud service client, and the management control right of the cloud service client uncontrollable controlled storage units does not belong to the cloud service client;
the number of cloud service client controllable controlled storage units is at least 1 and at most all M; the cloud service customer uncontrollable controlled storage units number at most M-1 and at least 0;
the cloud service customer controllable controlled storage unit is a storage device or cloud storage provided by a cloud computing platform;
the cloud service customer uncontrollable controlled storage unit is a storage device or cloud storage provided by a cloud computing platform.
9. The digital rights controller device of claim 8, wherein the digital rights management unit is controlled and managed by a cloud service client in both public cloud and hybrid cloud application scenarios; the number of the controllable and controlled storage units of the cloud service customer is at least 1, and the controllable and controlled storage units at most comprise all M.
10. The digital rights controller device of claim 8, wherein in a multi-cloud application scenario, the digital rights management unit must be controlled and managed by a cloud service client; the number of the controllable controlled storage units of the cloud service customer can be 0, and all M controlled storage units are respectively provided by not less than 2 cloud service providers.
CN201910783907.2A 2019-08-23 2019-08-23 Cloud computing digital right protection method and device Active CN112417464B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201910783907.2A CN112417464B (en) 2019-08-23 2019-08-23 Cloud computing digital right protection method and device

Publications (2)

Publication Number Publication Date
CN112417464A true CN112417464A (en) 2021-02-26
CN112417464B CN112417464B (en) 2023-10-24

Family

ID=74779702

Country Status (1)

Country Link
CN (1) CN112417464B (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102857560A (en) * 2012-08-15 2013-01-02 华数传媒网络有限公司 Multi-service application orientated cloud storage data distribution method
US20140096199A1 (en) * 2012-09-28 2014-04-03 Manish Dave Device and methods for management and access of distributed data sources
US20170005990A1 (en) * 2015-07-01 2017-01-05 Ari Birger Systems, Methods and Computer Readable Medium To Implement Secured Computational Infrastructure for Cloud and Data Center Environments

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
冯涛 et al.: "Research on a privacy protection mechanism for cloud storage based on attribute-based encryption", 《网络与信息安全学报》 (Chinese Journal of Network and Information Security) *

Also Published As

Publication number Publication date
CN112417464B (en) 2023-10-24

Similar Documents

Publication Publication Date Title
US8677132B1 (en) Document security
CN102948114B (en) Single for accessing enciphered data uses authentication method and system
US9449164B2 (en) Method of securing a computing device
CN102999732B (en) Multi-stage domain protection method and system based on information security level identifiers
US20050066165A1 (en) Method and system for protecting confidential information
Boampong et al. Different facets of security in the cloud
US20170039387A1 (en) Method and system for differentiated privacy protection
KR101373542B1 (en) System for Privacy Protection which uses Logical Network Division Method based on Virtualization
CN101520831A (en) Safe terminal system and terminal safety method
WO2020225604A1 (en) Method and devices for enabling data governance using policies triggered by metadata in multi-cloud environments
US11693981B2 (en) Methods and systems for data self-protection
CN114003943B (en) Safe double-control management platform for computer room trusteeship management
el-Khameesy et al. A proposed model for enhancing data storage security in cloud computing systems
CN102333068B (en) SSH and SFTP (Secure Shell and Ssh File Transfer Protocol)-based tunnel intelligent management and control system and method
Alwashali et al. A survey of ransomware as a service (RaaS) and methods to mitigate the attack
CN112417391A (en) Information data security processing method, device, equipment and storage medium
CN110543775B (en) Data security protection method and system based on super-fusion concept
CN111131244A (en) Method and system for preventing malicious content from infecting website page and storage medium
Pitropakis et al. It's All in the Cloud: Reviewing Cloud Security
Chandramouli et al. Security guidelines for storage infrastructure
CN101382919A (en) Storage data isolating method based on identity
CN113365277A (en) Wireless network safety protection system
CN112417464B (en) Cloud computing digital right protection method and device
KR102554875B1 (en) Apparatus and method for connecting network for providing remote work environment
CN115022044A (en) Storage method and system based on multi-cloud architecture

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant