CN112417464B - Cloud computing digital right protection method and device - Google Patents

Info

Publication number: CN112417464B
Application number: CN201910783907.2A
Authority: CN (China)
Prior art keywords: data, cloud service, cloud, service client, controlled
Legal status: Active
Other languages: Chinese (zh)
Other versions: CN112417464A
Inventor: 丁爱民
Current assignee: Individual
Original assignee: Individual

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6227 Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, where protection concerns the structure of data, e.g. records, types, queries
    • G06F21/64 Protecting data integrity, e.g. using checksums, certificates or signatures
    • G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements
    • G06F2221/2107 File encryption
    • G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

An embodiment of the invention provides a cloud computing digital rights protection method and device. The method comprises the following steps: the cloud service client configures and manages a digital rights controller, which provides a digital rights protection storage service; the cloud service provider uses the digital rights protection storage service as a storage resource to generate a digital rights protection cloud computing platform for use by the cloud service client; the cloud service client uses the digital rights protection cloud computing platform, and client data is stored through the digital rights protection storage service or the digital rights protection cloud computing platform. The embodiment protects the cloud service client's management and control rights over its cloud data, protects the integrity and confidentiality of the client data, prevents virtual machine images and snapshots from being maliciously tampered with, and prevents sensitive resources that may exist in the virtual machine images or snapshots from being accessed illegally.

Description

Cloud computing digital right protection method and device
Technical Field
The invention relates to the field of information security, in particular to cloud computing data security.
Background
Digital rights (data rights) are the rights that arise throughout the life cycle of data processing and cover personal privacy, data property rights, national sovereignty over data and other rights. The digital rights subject is the owner of control over the data; it may be a natural person, a legal person, an unincorporated organization and so on, and is usually either the specific entity the data refers to or the party that collects, stores, transmits or processes the data. The digital rights object is the data itself, that is, the set of information encodings with a certain rule or value to which the rights relate. Digital rights protection means the complete dominion of the rights subject over the rights object: the object is under the lawful control of the subject, and the subject can freely exercise and lawfully control the object without interference from others. The essence of digital rights protection is that the digital rights subject controls the digital rights object. To safeguard the subject's rights and interests, the subject acts on and governs the controlled objects involved across the whole life cycle of the rights object; these controlled objects are the hardware and software facilities used for computing, storage and transmission, such as information sources, channels, sinks, encoders and decoders.
Cloud computing refers to a model of accessing a scalable, elastic pool of shared physical or virtual resources over a network and acquiring and managing those resources on demand in a self-service fashion; examples of resources are servers, operating systems, networks, software, applications and storage devices.
A cloud service provider is the provider of a cloud computing service; it manages, operates and supports the computing infrastructure and software of the cloud and delivers cloud resources over the network.
A cloud service client (cloud service customer) is a party that establishes a business relationship with a cloud service provider in order to use a cloud computing service.
A cloud computing platform/system is the cloud computing infrastructure provided by a cloud service provider together with the collection of service software running on it.
A virtual machine monitor (hypervisor) is an intermediate software layer running between the server hardware and the operating systems; it allows multiple operating systems and applications to share the hardware.
A host is a physical server running a virtual machine monitor.
A virtual machine image or snapshot is the complete data file of a cloud computing platform instance generated by the virtual machine monitor.
Client data refers to the program code and business data of a cloud service client deployed inside a cloud computing platform; client business data includes authentication data, business data, audit data, configuration data, video data and personal information.
Unauthorized persons include hackers, highly privileged administrative personnel, equipment maintenance personnel, and anyone who attempts to extract data from equipment after it has been lost or has left the client's control.
With the rapid development of cloud computing, many individuals, enterprises, governments and even armed forces act as cloud service clients and progressively deploy their client data on cloud computing platforms provided by cloud service providers. The client data is computed and stored directly on the cloud computing platform, and the virtual machine images and snapshots generated by the hypervisor deployed on the host must be kept on a storage facility. Ownership and management rights over client data deployed on the platform are thus separated: once client data has been moved to the cloud, the client loses control of it, so the cloud service provider or unauthorized personnel can steal, leak and spread the client data. Two data security problems therefore exist in cloud computing: first, the cloud service provider or unauthorized personnel can maliciously tamper with virtual machine images and snapshots, copy and back them up, and illegally access the client data contained in them; second, the cloud service provider or unauthorized personnel can steal and leak client data deployed on the platform through the cloud computing platform that they control.
Disclosure of Invention
Aiming at the security risk that, after cloud service client data has been moved to the cloud, the cloud service provider or unauthorized personnel can steal, leak and spread client data together with virtual machine image and snapshot data files, an embodiment of the invention provides a cloud computing digital rights protection method and device. They guarantee the cloud service client's management and control rights over its cloud data, protect the integrity and confidentiality of the client data, prevent virtual machine images or snapshots from being maliciously tampered with, and prevent sensitive resources that may exist in those images or snapshots from being accessed illegally.
In one aspect, an embodiment of the present invention provides a cloud computing rights protection method, where the method includes:
the cloud service client configures and manages the digital rights controller and provides digital rights protection storage service;
the cloud service provider uses the digital rights protection storage service as a storage resource to generate a digital rights protection cloud computing platform used by a cloud service client;
the cloud service client uses the digital rights protection cloud computing platform, and client data is stored through the digital rights protection storage service or the digital rights protection cloud computing platform.
Preferably, the digital rights controller is a storage facility controlled by the cloud service client, and the digital rights protection storage service is the storage service provided by that controller.
The digital rights controller is a secure storage device that guarantees the cloud service client's control over its data.
Preferably, the digital rights controller is a storage boundary security protection device; this class of device includes storage security gateways, data storage encryption devices and storage encryption driver boards.
Preferably, the virtual machine image and the snapshot of the digital rights protection cloud computing platform are stored through the digital rights protection storage service.
Preferably, the client data includes: program source and execution code, authentication data, business data, audit data, configuration data, video data, and personal information.
In another aspect, an embodiment of the present invention provides a digital rights controller apparatus, including:
a digital rights management unit, which provides the cloud service client with the function of managing digital rights protection policies;
a digital rights control unit, which executes the digital rights protection policy and provides the digital rights protection storage service: data received by the storage service is encoded according to the policy and output to the controlled storage unit for storage, and data read from the controlled storage unit is decoded according to the policy and output to the storage service;
a controlled storage unit, which is the storage facility managed and controlled by the digital rights control unit and is responsible for holding the data.
The cloud service client achieves unified security management and control of the digital rights control unit through a digital rights protection policy file. Data stored in the controlled storage unit cannot be restored without the matching policy file or the matching policy file password; if the policy file is changed, the digital rights control unit can no longer read the data stored in the controlled storage unit; and if the digital rights control unit fails, it can be replaced by a new one whose access to the stored data is restored through the policy file recovery function, so that no data is lost or damaged.
Preferably, in the private cloud scenario, the digital rights management unit, the digital rights control unit and the controlled storage unit are each controlled and managed by a different cloud service client role.
Preferably, the digital rights protection policy includes secret division algorithm parameters; the number of the controlled storage units is M; the digital right control unit is based on a secret division technical route, and adopts a secret division algorithm to divide data received by a storage service into N pieces of sub-secret data P1, P2, … …, PN, and the N pieces of sub-secret data are stored in M controlled storage units; wherein:
N is a natural number greater than 1, M is a natural number greater than 1 and less than or equal to N;
each controlled storage unit holds at least 1 piece of sub-secret data; the client data cannot be recovered from the data on any single controlled storage unit, nor can it be recovered if the data on any one controlled storage unit is missing; only when the data on all M controlled storage units is gathered can the client data be recovered, through the digital rights control unit;
the M controlled storage units fall into two classes, client-controllable controlled storage units and client-uncontrollable controlled storage units: the management and control right over a client-controllable unit belongs to the cloud service client, while that over a client-uncontrollable unit does not;
there is at least 1 client-controllable controlled storage unit, and at most all M units are client-controllable; correspondingly there are at most M-1 and at least 0 client-uncontrollable controlled storage units;
a client-controllable controlled storage unit is either a storage device or cloud storage provided by a cloud computing platform;
a client-uncontrollable controlled storage unit is likewise either a storage device or cloud storage provided by a cloud computing platform.
Preferably, in the public cloud and hybrid cloud scenarios, the digital rights management unit is controlled and managed by the cloud service client, and there is at least 1 client-controllable controlled storage unit (at most all M units).
Preferably, in the multi-cloud scenario, the digital rights management unit must be controlled and managed by the cloud service client; the number of client-controllable controlled storage units may be 0, and the M controlled storage units are provided by not fewer than 2 cloud service providers.
The technical scheme has the following beneficial effects:
1. Cloud service clients are given a protection mechanism for cloud computing images and snapshots: virtual machine images are prevented from being maliciously tampered with, and sensitive resources that may exist in virtual machine images and snapshots are prevented from being accessed illegally.
2. Cloud service clients are given technical protection of the integrity and confidentiality of their data, and management authority over client data can be exercised by the cloud service provider or a third party only with the cloud service client's authorization.
3. Cloud-side data security back doors are prevented. Highly privileged personnel in the cloud (system administrators, operations and maintenance staff, DB engineers, hackers and so on) are prevented from using the controlled storage unit as a back door to steal client data files directly from the storage facility, which would expose the client program code and client data contained in those files; the data is protected so that a copy taken from the cloud storage device is unusable.
4. Cloud service clients are given a digital rights protection mechanism: the client controls its digital rights through the digital rights controller and the controlled storage units.
5. A security support system for cloud computing is established, with role separation, separation of duties, data segmentation, operations and maintenance management and security partitioning, which cannot be compromised by any single party.
6. A multi-party data security management mechanism is realized that prevents the data leakage risk caused by over-concentrated storage management authority. The overall technical route preferably uses secret splitting: data is split into several secret data packets that are stored on several different storage devices and managed by several different operations and maintenance personnel, so that multi-party management is enforced technically.
7. Because the invention uses the secret splitting route, no passwords need to be managed, and compared with other routes based on data encryption the secret encoding and decoding is fast and the management cost is low.
8. Client data is secret-split and then stored in several cloud storages, and the information stored in each cloud storage is incomplete, which guarantees the data security of cloud storage, cloud backup and cloud computing services.
Drawings
In order to more clearly illustrate the embodiments of the invention or the technical solutions in the prior art, the drawings that are required in the embodiments or the description of the prior art will be briefly described, it being obvious that the drawings in the following description are only some embodiments of the invention, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for protecting the cloud computing rights in an embodiment of the invention;
FIG. 2 is a schematic diagram of a cloud computing rights management device according to an embodiment of the present invention;
FIG. 3 is a schematic diagram of a cloud computing digital rights protection system according to an embodiment of the present invention;
FIG. 4 is a flow chart of a data partitioning security method of the cloud computing digital rights protection system of the application example of the present invention;
FIG. 5 is a schematic diagram of a digital rights protection private cloud system according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a public cloud system with digital rights protection according to an embodiment of the present invention;
fig. 7 is a schematic diagram of a digital rights protection hybrid cloud system according to an embodiment of the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
As shown in fig. 1, a flowchart of a cloud computing rights protection method according to an embodiment of the present invention includes:
101. the cloud service client configures and manages the digital rights controller and provides digital rights protection storage service;
102. the cloud service provider uses the digital rights protection storage service as a storage resource to generate a digital rights protection cloud computing platform used by a cloud service client;
103. the cloud service client uses the digital rights protection cloud computing platform, and client data is stored through the digital rights protection storage service or the digital rights protection cloud computing platform.
Preferably, the digital rights controller is a storage facility controlled by the cloud service client, and the digital rights protection storage service is the storage service provided by that controller;
the digital rights controller is a secure storage device that guarantees the cloud service client's control over its data;
the digital rights controller is a storage boundary security protection device; this class of device includes storage security gateways, data storage encryption devices and storage encryption driver boards.
Preferably, the virtual machine image and the snapshot of the digital rights protection cloud computing platform are stored through the digital rights protection storage service.
Preferably, the client data includes: program source and execution code, authentication data, business data, audit data, configuration data, video data, and personal information.
Fig. 2 is a schematic structural diagram of a cloud computing rights protection device according to an embodiment of the present invention, where the device includes:
a digital rights management unit 21, which provides the cloud service client with the function of managing digital rights protection policies;
a digital rights control unit 22, which executes the digital rights protection policy and provides the digital rights protection storage service: data received by the storage service is encoded according to the policy and output to the controlled storage unit 23 for storage, and data read from the controlled storage unit 23 is decoded according to the policy and output to the storage service;
a controlled storage unit 23, which is the storage facility managed and controlled by the digital rights control unit and is responsible for holding the data.
The cloud service client achieves unified security management and control of the digital rights control unit through a digital rights protection policy file. Data stored in the controlled storage unit cannot be restored without the matching policy file or the matching policy file password; if the policy file is changed, the digital rights control unit can no longer read the data stored in the controlled storage unit; and if the digital rights control unit fails, it can be replaced by a new one whose access to the stored data is restored through the policy file recovery function, so that no data is lost or damaged.
Preferably, in the private cloud scenario, the digital rights management unit, the digital rights control unit and the controlled storage unit are each controlled and managed by a different cloud service client role.
Preferably, the digital rights protection policy includes secret division algorithm parameters; the number of the controlled storage units is M; the digital right control unit is based on a secret division technical route, and adopts a secret division algorithm to divide data received by a storage service into N pieces of sub-secret data P1, P2, … …, PN, and the N pieces of sub-secret data are stored in M controlled storage units; wherein:
n is a natural number greater than 1, M is a natural number greater than 1 and less than or equal to N;
each controlled storage unit holds at least 1 piece of sub-secret data; the client data cannot be recovered from the data on any single controlled storage unit, nor can it be recovered if the data on any one controlled storage unit is missing; only when the data on all M controlled storage units is gathered can the client data be recovered, through the digital rights control unit;
the M controlled storage units fall into two classes, client-controllable controlled storage units and client-uncontrollable controlled storage units: the management and control right over a client-controllable unit belongs to the cloud service client, while that over a client-uncontrollable unit does not;
there is at least 1 client-controllable controlled storage unit, and at most all M units are client-controllable; correspondingly there are at most M-1 and at least 0 client-uncontrollable controlled storage units;
a client-controllable controlled storage unit is either a storage device or cloud storage provided by a cloud computing platform;
a client-uncontrollable controlled storage unit is likewise either a storage device or cloud storage provided by a cloud computing platform.
Preferably, in the public cloud and hybrid cloud scenarios, the digital rights management unit is controlled and managed by the cloud service client, and there is at least 1 client-controllable controlled storage unit (at most all M units).
Preferably, in the multi-cloud scenario, the digital rights management unit must be controlled and managed by the cloud service client; the number of client-controllable controlled storage units may be 0, and the M controlled storage units are provided by not fewer than 2 cloud service providers.
The following is a detailed description by application example:
as shown in fig. 3, a schematic diagram of a cloud computing digital rights protection system according to an application example of the present invention is shown, where the cloud computing digital rights protection system includes: the cloud service system comprises a cloud computing service unit, a cloud computing management unit, a computing unit, a cloud service client uncontrollable controlled storage unit, a digital right controller and a cloud service client controllable controlled storage unit.
The cloud computing service unit is a cloud computing platform/system (cload computing Platform/system) and comprises a virtual host, a cloud server, a VPS (Virtual Private Server virtual private server), cloud storage, a cloud hard disk and the like. Cloud service clients deploy cloud service client data on the cloud computing service units. The cloud service client data comprises service system program codes of cloud service clients and cloud service client service data. The cloud service client refers to a user of the cloud computing service unit and can be a person, an enterprise and public institution, a government and an army.
The cloud computing management unit is a cloud computing resource and service management information system which uses a virtual machine monitor (hypervisor) to uniformly manage and schedule a large number of cloud storage and network resources provided by computing units and storage resources connected by a network or other cloud computing platforms, and forms a computing resource pool to serve cloud service clients as required.
The computing unit refers to computing resources which can be managed and scheduled by the cloud computing management unit, and can be computing facilities such as server equipment, PC equipment, supercomputers and the like, and can also be cloud computing service units provided by other cloud computing platforms.
The uncontrollable controlled storage unit of the cloud service client can be storage equipment or cloud storage provided by a cloud computing platform.
The digital rights controller is a storage boundary safety protection facility and is used for protecting the digital rights of cloud service clients, and the digital rights controller belongs to the cloud service clients and does not belong to cloud service providers.
The cloud service client controllable controlled storage unit is a controlled storage unit managed and controlled by the cloud service client, and can be storage equipment or cloud storage provided by other cloud computing platforms.
The cloud computing digital rights protection system is characterized in that:
the digital rights controller is controlled by a cloud service client and serves as a storage resource provider of a cloud computing management unit, the cloud computing management unit generates a cloud computing service unit, when the cloud computing service unit is used by the cloud service client, program codes and data are deployed on the cloud computing service unit, and finally all cloud service client data are stored through the digital rights controller and are embodied into cloud service client data in different forms such as virtual machine images, snapshot data files, document data files, audio and video data files, database files and the like.
The digital rights controller uses a secret division algorithm to divide the cloud service client data into N pieces of sub-secret data P1, P2, … …, PN, where N is a natural number greater than 1;
the N pieces of sub-secret data generated by secret division of the cloud service client data are stored by the digital rights controller on M controlled storage units, where M is a natural number greater than 1 and less than N; at least 1 piece of sub-secret data is placed on each controlled storage unit. The cloud service client data cannot be recovered from the data on any single controlled storage unit, and cannot be recovered if the data on any one controlled storage unit is missing; only when the data on all M controlled storage units is gathered can the cloud service client data be recovered through the digital rights controller.
The M controlled storage units are divided into two classes: cloud service client controllable controlled storage units and cloud service client uncontrollable controlled storage units. The management control right of the cloud service client controllable controlled storage units belongs to the cloud service client; they comprise at least 1 and at most all M controlled storage units. The management control right of the cloud service client uncontrollable controlled storage units does not belong to the cloud service client; they comprise at most M-1 and at least 0 controlled storage units.
The cloud service client achieves unified security management and control of the digital rights controller through a digital rights protection policy file: without the matching digital rights protection policy file or its password, the cloud service client data stored on the cloud service client uncontrollable controlled storage units and the cloud service client controllable controlled storage units cannot be restored, which is the intended protection effect; if the digital rights protection policy file is changed, the digital rights controller cannot read the data stored on either class of storage unit; and after the digital rights controller fails, it can be replaced with new equipment and data storage access restored through the policy file recovery function, so that no data loss or data damage occurs.
Preferably, the digital rights controller provides digital rights protection management functions for the cloud service client, through which the cloud service client's data security manager manages all cloud service client controllable and uncontrollable controlled storage units, as well as the secret division algorithms and their parameters.
As shown in fig. 4, a flow chart of the data division security method of the cloud computing digital rights protection system for an application example of the present invention, the method comprises:
401. The digital rights protection system is set up in three parts:
1) The cloud service client deploys the digital rights controller and the cloud service client controllable controlled storage unit in the same security domain;
2) A multi-member management mechanism is established, in which the cloud service client appoints a data security manager and a system operation and maintenance manager;
3) A digital rights protection policy is configured: the cloud service client's data security manager sets the digital rights protection policy of the digital rights controller.
402. Cloud service client data is moved to the cloud: the cloud service client's system operation and maintenance manager installs and deploys program code and business data in a cloud computing service unit;
403. Cloud service client data is stored in secret-divided form: the digital rights controller performs secret division on the cloud service client data, encoding it into N pieces of sub-secret data with the secret division algorithm, and writes the N pieces of sub-secret data to the cloud service client controllable controlled storage units and the cloud service client uncontrollable controlled storage units respectively. The secret division algorithm divides the cloud service client data into N pieces of sub-secret data P1, P2, … … and PN, and the cloud service client data can later be reconstructed by the secret division algorithm only from the complete set of all N pieces of sub-secret data.
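The following Python sketch is an added example, not the patent's own code: it implements steps 401 to 403 with N-of-N XOR secret division (one simple instance of the unspecified secret division algorithm) and enforces the N and M rules stated above. ProtectionPolicy, DigitalRightsController, the unit names and the sample data are assumptions made for the example.

```python
import os
from dataclasses import dataclass


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def split_secret(data: bytes, n: int) -> list:
    """Divide data into N sub-secrets P1..PN with P1 ^ P2 ^ ... ^ PN == data.
    P1..P(N-1) are uniformly random, so any N-1 of them carry no information
    about data: the complete set of all N is needed to reconstruct (step 403)."""
    if n < 2:
        raise ValueError("N must be a natural number greater than 1")
    shares = [os.urandom(len(data)) for _ in range(n - 1)]
    last = data
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def recover_secret(shares: list) -> bytes:
    """Reconstruct the data from the complete set of N sub-secrets."""
    acc = bytes(len(shares[0]))
    for s in shares:
        acc = xor_bytes(acc, s)
    return acc


@dataclass(frozen=True)
class ProtectionPolicy:
    """Assumed shape of the digital rights protection policy file: the secret
    division parameter N plus the M controlled storage units and their owners."""
    n_shares: int                 # N
    units: tuple                  # names of the M controlled storage units
    client_controlled: frozenset  # units the cloud service client manages

    def __post_init__(self):
        m = len(self.units)
        if not 1 < m <= self.n_shares:
            raise ValueError("need 1 < M <= N so every unit holds >= 1 sub-secret")
        if not self.client_controlled or not self.client_controlled <= frozenset(self.units):
            raise ValueError("at least 1 unit must be client-controlled")

    def placement(self) -> dict:
        """Round-robin layout: sub-secret i lives on unit i mod M, so each unit
        holds at least 1 sub-secret and no unit holds all N."""
        return {i: self.units[i % len(self.units)] for i in range(self.n_shares)}


class DigitalRightsController:
    """Storage-boundary device: splits on write, needs all M units on read."""

    def __init__(self, policy: ProtectionPolicy):
        self.policy = policy
        self.units = {u: {} for u in policy.units}  # unit -> {(object, i): share}

    def write(self, name: str, data: bytes) -> None:
        place = self.policy.placement()
        for i, share in enumerate(split_secret(data, self.policy.n_shares)):
            self.units[place[i]][(name, i)] = share

    def read(self, name: str, available=None) -> bytes:
        """Recover `name`; `available` simulates which units are reachable."""
        reachable = set(self.policy.units) if available is None else set(available)
        place = self.policy.placement()
        shares = []
        for i in range(self.policy.n_shares):
            if place[i] not in reachable:
                raise LookupError(f"sub-secret P{i + 1} on '{place[i]}' is missing")
            shares.append(self.units[place[i]][(name, i)])
        return recover_secret(shares)

    def provider_shares(self, name: str) -> list:
        """Sub-secrets visible on the client-uncontrollable units only."""
        return [s for u in self.policy.units if u not in self.policy.client_controlled
                for (n, _), s in self.units[u].items() if n == name]


def demo() -> dict:
    # Constructed public-cloud layout (fig. 6): N=4 sub-secrets over M=3 units,
    # one unit inside the client's data fort, two rented from the provider.
    policy = ProtectionPolicy(4, ("client-unitA", "public-unitB", "public-unitC"),
                              frozenset({"client-unitA"}))
    drc = DigitalRightsController(policy)
    secret = b"customer database dump"
    drc.write("db.sql", secret)
    recovered = drc.read("db.sql") == secret
    # Drop each single unit in turn: recovery must fail every time.
    fails = []
    for u in policy.units:
        try:
            drc.read("db.sql", available=set(policy.units) - {u})
            fails.append(False)
        except LookupError:
            fails.append(True)
    leaked = drc.provider_shares("db.sql")
    # XOR of the provider's shares alone is uniformly random, not the plaintext.
    return {"recovered": recovered, "every_missing_unit_fails": all(fails),
            "provider_share_count": len(leaked),
            "provider_xor_is_plaintext": recover_secret(leaked) == secret}
```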
The technical scheme has the following beneficial effects:
1. A data security back door in the cloud is prevented. Highly privileged personnel in the cloud (such as system administrators, operation and maintenance staff, DB engineers, hackers and the like) are prevented from using the cloud service client uncontrollable controlled storage unit as a back door and stealing cloud service client data files directly from it, which would expose the cloud service client program code and cloud service client data deployed in those files; data copied from the cloud storage device cannot be used, which is the security protection function realized.
2. The cloud service client provides a digital rights protection technical mechanism, and the cloud service client ensures absolute control rights of cloud service client data by controlling a digital rights controller and a cloud service client controllable storage unit.
3. A security technical support system which is used for role division, responsibility separation, data segmentation, operation and maintenance management and security division and is incapable of being compromised by any single party is established for cloud computing.
4. The method realizes a data security multi-member management technical mechanism, prevents data leakage risk caused by excessively concentrated storage management authority, adopts a secret segmentation technology preferentially on the overall technical route, divides data into a plurality of secret data packets, respectively stores the secret data packets on a plurality of different storage devices, respectively manages the secret data packets by a plurality of operation and maintenance personnel, and technically realizes the multi-member management security mechanism.
5. The invention uses the secret division technology route, does not use the data encryption technology, does not need to manage the password, and compared with other technology routes using the data encryption, the invention has the advantages of high secret coding conversion speed and low management cost.
6. The method and system support secret-divided "multi-cloud" fused secure storage: cloud service client data is secret-divided and stored across several cloud storages, and the information held in each cloud storage is incomplete, which secures the data of cloud storage services, cloud backup services and cloud computing services.
FIG. 5 is a schematic diagram of a digital rights protection private cloud system according to an embodiment of the present invention, comprising: a cloud computing service unit, a cloud computing management unit, a computing unit, a digital rights controller, a first cloud service client controllable controlled storage unit and a second cloud service client controllable controlled storage unit.
The digital rights controller, the first cloud service client controllable controlled storage unit and the second cloud service client controllable controlled storage unit are deployed in the same security domain.
The cloud service client data is divided into two parts by the digital rights controller: one part is stored in the first cloud service client controllable controlled storage unit and managed by a first operation and maintenance manager; the other part is stored in the second cloud service client controllable controlled storage unit and managed by a second operation and maintenance manager.
The application example has the following beneficial effects:
1. A data security back door in the cloud is prevented. Highly privileged personnel in the cloud (such as system administrators, operation and maintenance staff, DB engineers, hackers and the like) are prevented from using a controlled storage unit as a back door and stealing cloud service client data files directly from it, which would expose the cloud service client program code and cloud service client data deployed in those files; data copied from the cloud storage device cannot be used, which is the security protection function realized.
2. The cloud service client provides a digital rights protection technical mechanism, and the cloud service client ensures absolute control rights of cloud service client data by controlling a digital rights controller and a cloud service client controllable storage unit.
3. A security technical support system which is used for role division, responsibility separation, data segmentation, operation and maintenance management and security division and is incapable of being compromised by any single party is established for cloud computing.
4. The method realizes a data security multi-member management technical mechanism, prevents data leakage risk caused by excessively concentrated storage management authority, adopts a secret segmentation technology preferentially on the overall technical route, divides data into a plurality of secret data packets, respectively stores the secret data packets on a plurality of different storage devices, respectively manages the secret data packets by a plurality of operation and maintenance personnel, and technically realizes the multi-member management security mechanism.
As shown in fig. 6, a schematic diagram of a digital rights protection public cloud system for an application example of the present invention comprises: a cloud computing service unit, a cloud computing management unit, a computing unit, a digital rights controller, a cloud service client uncontrollable controlled storage unit and a cloud service client controllable controlled storage unit.
This application example of the invention provides a data fort device comprising a digital rights controller and a cloud service client controllable controlled storage unit. Cloud service clients on a public cloud use the data fort equipment to secure the data they deploy on the public cloud. In this application example, the cloud host provided by the public cloud gains a divided-storage anti-leakage function.
Preferably, the cloud computing management unit of the public cloud must use the data fort to generate a cloud computing service unit.
Preferably, the cloud service client can check the storage resource used by the cloud computing service unit through the cloud computing management unit to check whether the data of the used cloud computing service unit is protected by the data fort controlled by the cloud service client.
Preferably, when a cloud service client creates a cloud computing service unit, the cloud service client uncontrollable controlled storage unit provided by the public cloud is rented as needed; when the cloud computing service unit is deleted, the rented unit is returned immediately.
Preferably, the cloud service client manages and controls the data fort itself.
The application example has the following beneficial effects:
1. Public cloud data security and leakage prevention are achieved. After the cloud service client data is placed on the public cloud, the cloud service client retains absolute control over its data by controlling the digital rights controller of the data fort equipment and the cloud service client controllable controlled storage unit.
2. A data security back door in the cloud is prevented. Highly privileged personnel in the cloud (such as system administrators, operation and maintenance staff, DB engineers, hackers and the like) are prevented from using the cloud service client uncontrollable controlled storage unit as a back door and stealing cloud service client data files directly from it, which would expose the cloud service client program code and cloud service client data deployed in those files; data copied from the cloud storage device cannot be used, which is the security protection function realized.
As shown in fig. 7, a schematic diagram of a digital rights protection hybrid cloud system according to an application example of the present invention comprises: a cloud computing service unit, a cloud computing management unit, a computing unit, a digital rights controller, a cloud service client uncontrollable controlled storage unit and a cloud service client controllable controlled storage unit.
The cloud service client deploys the cloud computing management unit, the digital rights controller and the cloud service client controllable controlled storage unit in the same security domain, and rents the computing unit and the cloud service client uncontrollable controlled storage unit from the public cloud.
The cloud computing service unit is managed by the cloud computing management unit in the same security domain and has the same security intensity as the private cloud.
The application example has the following beneficial effects:
1. Public cloud data security is achieved. The public cloud cannot obtain the cloud service client's data content while providing computing and storage services, and the cloud service client retains absolute control over its data by controlling the digital rights controller and the cloud service client controllable controlled storage unit.
2. A data security back door in the cloud is prevented. Highly privileged personnel in the cloud (such as system administrators, operation and maintenance staff, DB engineers, hackers and the like) are prevented from using the cloud service client uncontrollable controlled storage unit as a back door and stealing cloud service client data files directly from it, which would expose the cloud service client program code and cloud service client data deployed in those files; data copied from the cloud storage device cannot be used, which is the security protection function realized.
It should be understood that the specific order or hierarchy of steps in the processes disclosed are examples of exemplary approaches. Based on design preferences, it is understood that the specific order or hierarchy of steps in the processes may be rearranged without departing from the scope of the present disclosure. The accompanying method claims present elements of the various steps in a sample order, and are not meant to be limited to the specific order or hierarchy presented.
In the foregoing detailed description, various features are grouped together in a single embodiment for the purpose of streamlining the disclosure. This method of disclosure is not to be interpreted as reflecting an intention that the claimed embodiments of the subject matter require more features than are expressly recited in each claim. Rather, as the following claims reflect, application lies in less than all features of a single disclosed embodiment. Thus the following claims are hereby expressly incorporated into this detailed description, with each claim standing on its own as a separate preferred embodiment of this application.
The previous description of the disclosed embodiments is provided to enable any person skilled in the art to make or use the present application. Various modifications to these embodiments will be readily apparent to those skilled in the art, and the generic principles defined herein may be applied to other embodiments without departing from the spirit or scope of the disclosure. Thus, the present disclosure is not intended to be limited to the embodiments shown herein but is to be accorded the widest scope consistent with the principles and novel features disclosed herein.
The foregoing description includes examples of one or more embodiments. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the aforementioned embodiments, but one of ordinary skill in the art may recognize that many further combinations and permutations of various embodiments are possible. Accordingly, the embodiments described herein are intended to embrace all such alterations, modifications and variations that fall within the scope of the appended claims. Furthermore, as used in the specification or claims, the term "includes" is intended to be inclusive in a manner similar to the term "comprising," as interpreted when employed as a transitional word in a claim. Furthermore, any use of the term "or" in the specification or the claims is intended to mean "non-exclusive or".
Those of skill in the art will further appreciate that the various illustrative logical blocks (illustrative logical block), units, and steps described in connection with the embodiments of the invention may be implemented by electronic hardware, computer software, or combinations of both. To clearly illustrate this interchangeability of hardware and software, various illustrative components (illustrative components), elements, and steps have been described above generally in terms of their functionality. Whether such functionality is implemented as hardware or software depends upon the particular application and design requirements of the overall system. Those skilled in the art may implement the described functionality in varying ways for each particular application, but such implementation is not to be understood as beyond the scope of the embodiments of the present invention.
The various illustrative logical blocks or units described in the embodiments of the invention may be implemented or performed with a general purpose processor, a digital signal processor, an Application Specific Integrated Circuit (ASIC), a field programmable gate array or other programmable logic device, discrete gate or transistor logic, discrete hardware components, or any combination thereof designed to perform the functions described. A general purpose processor may be a microprocessor, but in the alternative, the general purpose processor may be any conventional processor, controller, microcontroller, or state machine. A processor may also be implemented as a combination of computing devices, e.g., a digital signal processor and a microprocessor, a plurality of microprocessors, one or more microprocessors in conjunction with a digital signal processor core, or any other similar configuration.
The steps of a method or algorithm described in connection with the embodiments disclosed herein may be embodied directly in hardware, in a software module executed by a processor, or in a combination of the two. A software module may be stored in RAM memory, flash memory, ROM memory, EPROM memory, EEPROM memory, registers, hard disk, a removable disk, a CD-ROM, or any other form of storage medium known in the art. In an example, a storage medium may be coupled to the processor such that the processor can read information from, and write information to, the storage medium. In the alternative, the storage medium may be integral to the processor. The processor and the storage medium may be disposed in an ASIC, which may be disposed in a cloud service client terminal. In the alternative, the processor and the storage medium may reside in different components in a cloud service client terminal.
In one or more exemplary designs, the above-described functions of embodiments of the present invention may be implemented in hardware, software, firmware, or any combination of the three. If implemented in software, the functions may be stored on a computer-readable medium or transmitted as one or more instructions or code on the computer-readable medium. Computer-readable media include both computer storage media and communication media that facilitate transfer of computer programs from one place to another. A storage medium may be any available medium that can be accessed by a general purpose or special purpose computer. For example, such computer-readable media may include, but are not limited to, RAM, ROM, EEPROM, CD-ROM or other optical disk storage, magnetic disk storage or other magnetic storage devices, or any other medium that may be used to carry or store program code in the form of instructions or data structures and that can be read by a general or special purpose computer or a general or special purpose processor. Further, any connection is properly termed a computer-readable medium; for example, if the software is transmitted from a website, server, or other remote source via coaxial cable, fiber optic cable, twisted pair, digital subscriber line (DSL), or wirelessly such as by infrared, radio or microwave, then these are included in the definition of computer-readable medium. Disk and disc, as used herein, include compact disc, laser disc, optical disc, DVD, floppy disk and Blu-ray disc, where disks usually reproduce data magnetically, while discs reproduce data optically with lasers. Combinations of the above may also be included within the computer-readable media.
The foregoing description of the embodiments has been provided for the purpose of illustrating the general principles of the invention and is not intended to limit the invention to the particular embodiments; any modifications, equivalents, improvements, etc. that fall within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (9)

1. A method for protecting a cloud computing right, the method comprising:
the cloud service client configures and manages the digital rights controller and provides digital rights protection storage service;
the cloud service provider uses the digital rights protection storage service as a storage resource to generate a digital rights protection cloud computing platform used by a cloud service client;
the cloud service client uses the digital rights protection cloud computing platform, and client data is stored through the digital rights protection storage service or the digital rights protection cloud computing platform;
the digital rights protection policy comprises secret division algorithm parameters; the number of controlled storage units is M; the digital rights control unit, based on a secret division technical route, uses a secret division algorithm to divide the data received by the storage service into N pieces of sub-secret data P1, P2, … …, PN, and the N pieces of sub-secret data are stored on M controlled storage units; wherein:
N is a natural number greater than 1, M is a natural number greater than 1 and less than or equal to N;
at least 1 piece of sub-secret data is arranged on each controlled storage unit; wherein the data on any single controlled storage unit cannot recover the cloud service client data, and the data on any one controlled storage unit cannot recover the cloud service client data in the absence of the data; the data on all M controlled storage units must be gathered, and cloud service client data can be recovered through the digital rights control unit;
the M controlled memory cells are divided into two classes: the cloud service client comprises a cloud service client controllable and controlled storage unit and a cloud service client uncontrollable and controlled storage unit, wherein the management control right of the cloud service client controllable and controlled storage unit belongs to a cloud service client; the management control right of the uncontrollable controlled storage unit of the cloud service client does not belong to the cloud service client;
the cloud service client controllable controlled storage units number at least 1 and at most all M controlled storage units; the cloud service client uncontrollable controlled storage units number at most M-1 and at least 0 controlled storage units;
the cloud service client controllable controlled storage unit is either storage equipment or cloud storage provided by a cloud computing platform;
the cloud service client uncontrollable controlled storage unit is either storage equipment or cloud storage provided by a cloud computing platform.
2. The cloud computing rights protection method of claim 1, wherein the digital rights controller is a storage facility controlled by the cloud service client itself; the digital rights protection storage service refers to the storage service provided by a digital rights controller controlled by the cloud service client;
the digital rights controller is a secure storage device for guaranteeing the cloud service client's control rights over its data;
the digital rights controller is a storage boundary security protection device comprising: a storage security gateway device, a data storage encryption device and a storage encryption driver board card.
3. The cloud computing rights protection method of claim 1, wherein virtual machine images and snapshots of the rights protected cloud computing platform are stored by a rights protection storage service.
4. The cloud computing rights protection method of claim 1, wherein the customer data comprises: program source and execution code, authentication data, business data, audit data, configuration data, video data, and personal information.
5. A digital rights controller device, the device comprising:
The digital rights management unit provides a function of managing digital rights protection strategies for cloud service clients;
the digital rights control unit executes digital rights protection strategy and provides digital rights protection storage service; the data received by the digital rights protection storage service is encoded according to the digital rights protection strategy and then is output to the controlled storage unit for storage; decoding the data stored in the controlled storage unit according to the digital rights protection strategy, and outputting the data to digital rights protection storage service;
the controlled storage unit is a storage facility managed and controlled by the digital right control unit and is responsible for storing data;
the digital rights protection policy comprises secret division algorithm parameters; the number of controlled storage units is M; the digital rights control unit, based on a secret division technical route, uses a secret division algorithm to divide the data received by the storage service into N pieces of sub-secret data P1, P2, … …, PN, and the N pieces of sub-secret data are stored on M controlled storage units; wherein:
n is a natural number greater than 1, M is a natural number greater than 1 and less than or equal to N;
at least 1 piece of sub-secret data is arranged on each controlled storage unit; wherein the data on any single controlled storage unit cannot recover the cloud service client data, and the data on any one controlled storage unit cannot recover the cloud service client data in the absence of the data; the data on all M controlled storage units must be gathered, and cloud service client data can be recovered through the digital rights control unit;
The M controlled memory cells are divided into two classes: the cloud service client comprises a cloud service client controllable and controlled storage unit and a cloud service client uncontrollable and controlled storage unit, wherein the management control right of the cloud service client controllable and controlled storage unit belongs to a cloud service client; the management control right of the uncontrollable controlled storage unit of the cloud service client does not belong to the cloud service client;
the cloud service client controllable controlled storage units number at least 1 and at most all M controlled storage units; the cloud service client uncontrollable controlled storage units number at most M-1 and at least 0 controlled storage units;
the cloud service client controllable controlled storage unit is either storage equipment or cloud storage provided by a cloud computing platform;
the cloud service client uncontrollable controlled storage unit is either storage equipment or cloud storage provided by a cloud computing platform.
6. The digital rights controller device of claim 5, wherein in a private cloud application scenario the digital rights management unit, the digital rights control unit and the controlled storage unit are controlled and managed by different cloud service client roles, respectively.
7. The digital rights controller device of claim 5, wherein the cloud service client achieves unified security management and control of the digital rights control unit through the digital rights protection policy file, and the data stored in the controlled storage unit cannot be restored without the matching digital rights protection policy file or the matching digital rights protection policy file password; if the digital rights protection policy file is changed, the digital rights control unit cannot read the data stored in the controlled storage unit; after the digital rights control unit fails, it can be replaced with a new digital rights control unit, and its data storage access is restored through the digital rights protection policy file recovery function, so that no data loss or data damage occurs.
8. The digital rights controller device of claim 5, wherein in both public cloud and hybrid cloud application scenarios the digital rights management unit is controlled and managed by the cloud service client; the cloud service client controllable controlled storage units number at least 1 and at most all M storage units.
9. The digital rights controller device of claim 5, wherein in a multi-cloud application scenario the digital rights management unit must be controlled and managed by the cloud service client; the cloud service client controllable controlled storage units may number 0, and all M controlled storage units are provided by no fewer than 2 cloud service providers.
CN201910783907.2A 2019-08-23 2019-08-23 Cloud computing digital right protection method and device Active CN112417464B (en)

Publications (2)

Publication Number Publication Date
CN112417464A CN112417464A (en) 2021-02-26
CN112417464B true CN112417464B (en) 2023-10-24

Family

ID=74779702

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201910783907.2A Active CN112417464B (en) 2019-08-23 2019-08-23 Cloud computing digital right protection method and device

Country Status (1)

Country Link
CN (1) CN112417464B (en)

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102857560A (en) * 2012-08-15 2013-01-02 华数传媒网络有限公司 Multi-service application orientated cloud storage data distribution method

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US9507949B2 (en) * 2012-09-28 2016-11-29 Intel Corporation Device and methods for management and access of distributed data sources
US9667606B2 (en) * 2015-07-01 2017-05-30 Cyphermatrix, Inc. Systems, methods and computer readable medium to implement secured computational infrastructure for cloud and data center environments


Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
"Research on privacy protection mechanisms for cloud storage based on attribute-based encryption"; Feng Tao et al.; Journal of Network and Information Security (网络与信息安全学报); full text *

Also Published As

Publication number Publication date
CN112417464A (en) 2021-02-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant