CN113010897A - Cloud computing security management method and system - Google Patents

Info

Publication number: CN113010897A
Authority: CN (China)
Prior art keywords: cloud, metadata, metadata server, generating, cloud computing
Legal status: Granted
Application number: CN202110294049.2A
Other languages: Chinese (zh)
Other versions: CN113010897B (en)
Inventors: 李朝霞, 游思佳, 康楠, 沈可, 王本忠, 邢鑫
Current assignee: China United Network Communications Group Co Ltd; Unicom Cloud Data Co Ltd
Original assignee: China United Network Communications Group Co Ltd; Unicom Cloud Data Co Ltd
Events: application filed by China United Network Communications Group Co Ltd and Unicom Cloud Data Co Ltd; priority to CN202110294049.2A; publication of CN113010897A; application granted; publication of CN113010897B; current legal status: Active.

Classifications (CPC)

    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities (under G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems)
    • G06F9/45558 Hypervisor-specific management and integration aspects (under G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines; G06F9/45533 Hypervisors; Virtual machine monitors)
    • G06F2009/45562 Creating, deleting, cloning virtual machine instances
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45595 Network integration; Enabling network access in virtual machine instances
    • G06F9/5077 Logical partitioning of resources; Management or configuration of virtualized resources (under G06F9/46 Multiprogramming arrangements; G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]; G06F9/5061 Partitioning or combining of resources)
    • Y02D10/00 Energy efficient computing, e.g. low power processors, power management or thermal management (under Y02D Climate change mitigation technologies in information and communication technologies [ICT], i.e. information and communication technologies aiming at the reduction of their own energy use)

Landscapes

  • Engineering & Computer Science
  • Software Systems
  • Theoretical Computer Science
  • General Engineering & Computer Science
  • Physics & Mathematics
  • General Physics & Mathematics
  • Computer Hardware Design
  • Computer Security & Cryptography
  • Storage Device Security

Abstract

The application provides a cloud computing security management method and system. The method first obtains a service request reported by a cloud user side, generates an access rule from the service request, and issues to the cloud user side an access right that satisfies the access rule, so that the cloud user's operations on the cloud platform are controlled through that access right, illegal access by an external user or network is prevented, and the confidentiality and security of the cloud platform and of its operating environment are ensured. The method further dynamically expands and locates metadata servers, generates virtual machines for file metadata and provides virtual resource services. This improves the security of metadata transmission and expands the capacity of each metadata server through the virtual machines and the virtual resource services, so that the cloud user side, the gateway and the cloud platform are securely integrated; it avoids the hidden dangers that, once a virtual machine is damaged, locating it is difficult and malicious code may have intruded, establishes a secure and feasible cloud computing environment for cloud users, and safeguards the security of cloud computing data.

Description

Cloud computing security management method and system
Technical Field
The application relates to the technical field of cloud computing, in particular to a cloud computing security management method and a cloud computing security management system.
Background
Cloud computing is a form of distributed computing: a huge data-processing program is decomposed over the network "cloud" into countless small programs, which are processed and analysed by a system composed of many servers, and the results are returned to the user.
Cloud computing first distributes the tasks, then computes them and merges the results; it can complete tens of thousands of data-processing jobs in a very short time, and its strong computing capability and service advantages have made it a focus of attention. For the development of cloud computing, however, the first critical issue is security. As cloud computing spreads, security problems become more prominent, show a steadily rising trend, and have become a core factor restricting the development of cloud computing.
Therefore, how the cloud computing runtime and its operating equipment deploy a corresponding security policy is a problem that currently needs to be solved.
Disclosure of Invention
The application provides a cloud computing security management method and system for deploying corresponding security policies for the cloud computing operating environment and operating equipment.
In a first aspect, the present application provides a cloud computing security management method, including:
acquiring a service request reported by a cloud user side, and generating an access rule from the service request so as to issue to the cloud user side an access right that conforms to the access rule, wherein the access right comprises a service list;
dynamically expanding and locating a metadata server through a cloud platform, wherein the metadata server manages, controls and stores metadata information matched to the service request;
and generating a virtual machine and providing a virtual resource service for file metadata, so that the cloud user side, the gateway and the cloud platform are securely integrated, wherein the file metadata is mapped to the metadata information.
In one possible design, the generating access rules from the service request includes:
generating safety marking information according to the service request, wherein the safety marking information is used for identifying the identity information of the cloud user reporting the service request;
and generating the access rule according to the identity information of the cloud user, wherein the access rule is used for controlling the operation behavior of the cloud user on the cloud platform.
In one possible design, the dynamically extending, by the cloud platform, the metadata server includes:
generating a first-digit binary code for each metadata server through the cloud platform, wherein each binary code is used for numbering the corresponding metadata server;
hashing a file identifier of the file metadata into a second-digit binary hash value;
and acquiring a prefix in the binary hash value so as to store the file metadata with the same prefix into the metadata server with the same binary code.
In one possible design, the locating, by the cloud platform, the metadata server includes:
positioning the metadata server according to the prefix;
if the serial number of the metadata server is the same as the prefix, determining that the file metadata is located in the metadata server;
and if the serial number of the metadata server is greater than the prefix, positioning the metadata server according to a preset splitting rule, wherein the preset splitting rule is used for representing the splitting rule of the metadata server.
In one possible design, the generating the virtual machine for file metadata includes:
generating name information of the virtual machine;
selecting a resource pool required by the virtual machine;
setting a storage mode of the virtual machine;
configuring a virtual processor and a virtual memory required by the virtual machine;
setting a network connection mode of the virtual machine and generating a virtual network disk.
In one possible design, the providing the virtual resource service for the file metadata includes:
and generating a virtualization management platform so that the cloud user can acquire the virtual resource service through a preset control in the virtualization management platform.
In a second aspect, the present application provides a cloud computing security management system, including:
the cloud user side is used for reporting the service request of the cloud user;
the identity authentication module is used for generating an access rule according to the acquired service request and issuing an access right which accords with the access rule to the cloud user side, wherein the access right comprises a service list;
the cloud platform is used for dynamically expanding and positioning a metadata server, and the metadata server is used for managing, controlling and storing metadata information matched with the service request;
the cloud platform is further used for generating the virtual machine and providing a virtual resource service for file metadata, so that the cloud user side, the gateway and the cloud platform are securely integrated, wherein the file metadata is mapped to the metadata information.
In one possible design, the identity authentication module is specifically configured to:
generating safety marking information according to the service request, wherein the safety marking information is used for identifying the identity information of the cloud user reporting the service request;
generating the access rule according to the identity information of the cloud user, wherein the access rule is used for controlling the operation behavior of the cloud user on the cloud platform;
the identity authentication module supports a preset hardware interface.
In one possible design, the cloud platform is specifically configured to:
generating a first-digit binary code for each metadata server, wherein each binary code is used for numbering the corresponding metadata server;
hashing a file identifier of the file metadata into a second-digit binary hash value;
and acquiring a prefix in the binary hash value so as to store the file metadata with the same prefix into the metadata server with the same binary code.
In one possible design, the cloud platform is further specifically configured to:
positioning the metadata server according to the prefix;
if the serial number of the metadata server is the same as the prefix, determining that the file metadata is located in the metadata server;
and if the serial number of the metadata server is greater than the prefix, positioning the metadata server according to a preset splitting rule, wherein the preset splitting rule is used for representing the splitting rule of the metadata server.
According to the cloud computing security management method and system, a cloud user reports a service request through the cloud user side; after obtaining the service request, the identity authentication module generates an access rule from it and issues to the cloud user side an access right that satisfies the access rule, so that the cloud user receives the access right at the cloud user side in the form of a service list. The cloud user's operations on the cloud platform are controlled through this access right, illegal access by an external user or network is prevented, the confidentiality and security of cloud platform resources are further ensured, and the cloud user's operating environment on the cloud platform is kept secure. Furthermore, the cloud platform dynamically expands and locates the metadata servers, generates virtual machines for file metadata and provides virtual resource services. This improves the security of metadata transmission, and the capacity of each metadata server can be expanded through the virtual machines and their virtual resource services, so that the cloud user side, the gateway and the cloud platform are securely integrated and the hidden dangers that, once a virtual machine is damaged, locating it is difficult and malicious code may have intruded are avoided; a secure and feasible cloud computing environment is thus established for cloud users and the security of cloud computing data is ensured.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings needed to be used in the description of the embodiments or the prior art will be briefly introduced below, and it is obvious that the drawings in the following description are some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to these drawings without inventive exercise.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application;
fig. 2 is a schematic flowchart of a cloud computing security management method according to an embodiment of the present application;
fig. 3 is a schematic flowchart of another cloud computing security management method according to an embodiment of the present application;
fig. 4 is a schematic flowchart of another cloud computing security management method according to an embodiment of the present application;
fig. 5 is a schematic flowchart of another cloud computing security management method according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of a cloud computing security management system according to an embodiment of the present application;
fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Detailed Description
Reference will now be made in detail to the exemplary embodiments, examples of which are illustrated in the accompanying drawings. When the following description refers to the accompanying drawings, like numbers in different drawings represent the same or similar elements unless otherwise indicated. The embodiments described in the following exemplary embodiments do not represent all embodiments consistent with the present application. Rather, they are merely examples of methods and apparatus consistent with certain aspects of the present application, as detailed in the appended claims.
The terms "first," "second," "third," "fourth," and the like in the description and in the claims of the present application and in the above-described drawings (if any) are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used is interchangeable under appropriate circumstances such that the embodiments of the application described herein are, for example, capable of operation in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Cloud computing can complete tens of thousands of data processing works in a very short time, and thus, the cloud computing becomes a focus of attention in the technical field of computer processing due to its strong computing power and service advantages. However, for the development of cloud computing, the first critical issue is security. Moreover, with the continuous popularization of cloud computing, the importance of security problems is more prominent, and the security problems present a gradually rising development trend at present and also become core factors restricting the development of cloud computing. Therefore, the running state of the cloud computing and how the running equipment deploys the corresponding security policy become problems to be solved at present.
On this basis, the application provides a cloud computing security management method and system. The inventive concept is as follows: first, an access rule, and an access right that satisfies it, are formulated from the service request reported by a cloud user, so that the cloud user operates the cloud platform within that access right, and a secure operating environment centred on network security and host security is established for cloud computing; second, with data security in cloud computing as the goal, the metadata servers are dynamically expanded and located, which improves the security of metadata transmission, while the capacity of each metadata server can be expanded by generating a virtual machine and providing a virtual resource service, so that the cloud user side, the gateway and the cloud platform are securely integrated. When a virtual machine is damaged, risks such as malicious code intrusion can be determined quickly and in real time and avoided, a secure and feasible cloud environment and management service are established for the cloud user, and the security of cloud user information is safeguarded.
An exemplary application scenario of the embodiments of the present application is described below.
Fig. 1 is a schematic view of an application scenario provided in an embodiment of the present application. As shown in fig. 1, a network is used to provide a medium for communication links between the terminal devices 11 and the server cluster 12, and the network may include various connection types, such as wired, wireless communication links, or fiber optic cables. The terminal device 11 and the server cluster 12 may interact with each other via a network to receive or send messages. The terminal device 11 may be any terminal configured at a cloud user side, and the cloud user may access the cloud platform through the terminal device 11, for example, the cloud user may register and log in on the terminal device 11 through a corresponding browser to access the cloud platform. The server cluster 12 is a plurality of servers configured on the cloud platform side to provide corresponding cloud computing services for cloud users. The cloud computing security management method and the cloud computing security management system provided by the embodiment of the application are applied to a cloud computing system formed by a terminal device 11 on a cloud user side and a server cluster 12 on a cloud platform side, so that the cloud computing security management method and the cloud computing security management system provided by the embodiment of the application provide security for a cloud user in an operating environment of the cloud platform and guarantee security of cloud computing data.
It should be noted that, in this embodiment, the type of the terminal device 11 is not limited: the terminal device 11 may be a computer, a smart phone, smart glasses, a smart band, a smart watch, a tablet computer and the like, and fig. 1 illustrates it as a smart phone. The server cluster 12 may also be a single server, but this embodiment is not limited thereto. In addition, the server cluster 12 on the cloud platform side may be shared by a plurality of different cloud users, that is, there may be multiple terminal devices 11 corresponding to the server cluster 12, for example the terminal device 13 shown in fig. 1; this embodiment is not limited thereto.
It should be noted that the above application scenarios are only exemplary, and the cloud computing security management method and the cloud computing security management system provided in the embodiment of the present application include, but are not limited to, the above application scenarios.
The following describes the technical solutions of the present application and how to solve the above technical problems with specific embodiments. The following several specific embodiments may be combined with each other, and details of the same or similar concepts or processes may not be repeated in some embodiments.
Fig. 2 is a schematic flow chart of a cloud computing security management method according to an embodiment of the present application. As shown in fig. 2, the cloud computing security management method provided in this embodiment includes:
S101: acquire a service request reported by the cloud user side, and generate an access rule from the service request so as to issue to the cloud user side an access right that satisfies the access rule.
The access right comprises a list of services.
The cloud user side comprises the interactive interface between the cloud user and the cloud platform. The cloud user reports a service request through the cloud user side to the identity authentication module; the identity authentication module obtains the reported service request and generates from it an access rule that restricts the cloud user's operations on the cloud platform.
Further, the identity authentication module issues to the cloud user side an access right that satisfies the access rule, so that the cloud user can access the cloud platform through that access right. For example, the access right may include a service list that presents to the cloud user, as icons or as a list, the services which the cloud platform provides to that user and which satisfy the access rule.
The identity authentication module performs security audit management of the identities of different cloud users, so as to prevent external users or networks from accessing the cloud platform illegally.
S102: and dynamically expanding and positioning the metadata server through the cloud platform.
The metadata server is used for managing, controlling and storing metadata information matched with the service request.
The metadata server refers to a server or a server cluster which manages and stores metadata information matched with the service request of the cloud user. The metadata information may be understood as an attribute for describing data such as a metadata database, a metadata standard, and the like belonging to the cloud user.
Dynamically expanding the metadata servers through the cloud platform means adding metadata servers for each relevant metadata server by extending the metadata server field, thereby achieving dynamic expansion of the metadata servers. On the basis of that expansion, the metadata servers can also be located through the metadata server field, so that each metadata server is linked.
In a possible design, a possible implementation manner of dynamically expanding the metadata server through the cloud platform in step S102 is shown in fig. 3, and fig. 3 is a schematic flow diagram of another cloud computing security management method provided in this embodiment of the present application. As shown in fig. 3, the present embodiment includes:
S201: generate a first-digit binary code for each metadata server through the cloud platform.
Each binary code numbers the corresponding metadata server.
Assuming the first digit is i bits, generating a binary code of the first digit for each metadata server through the cloud platform means generating an i-bit binary code for each metadata server and numbering the server with that code. In this embodiment, i represents the length of the data identifier, and its value may be set according to actual working conditions.
S202: hash the file identifier of the file metadata to a second-digit binary hash value.
The file metadata is data belonging to the cloud user that is mapped to the metadata information, and the file identifier represents the full path of the file metadata. This step hashes the file identifier of the cloud user's file metadata to a second-digit binary hash value of, for example, m bits, where m is the second digit, m is greater than i, and the value of m may be set according to actual working conditions.
It should be further understood that the hash means for the file identifier may use a common hash algorithm, and the specific content of the hash algorithm is not limited in this embodiment.
S203: acquire the prefix (the first digit, i.e. the first i bits) of the binary hash value, so that file metadata with the same prefix is stored in the metadata server with the same binary code.
That is, file metadata with the same prefix value is distributed to the same metadata server. Specifically, the binary hash value of the file identifier is computed and its prefix is taken; file metadata whose binary hash values share a prefix is then stored in the metadata server whose binary code equals that prefix. The prefix therefore coincides with the encoding (the first digit) of the metadata server.
In this embodiment of dynamically expanding the metadata servers through the cloud platform, the cloud platform first numbers each metadata server with a binary code of the first digit, then hashes the file identifier of the file metadata to a binary hash value of the second digit, and finally takes the prefix of that hash value and stores file metadata with the same prefix in the metadata server with the same binary code. Expanding the metadata servers by hashing, based on the field in the metadata server, helps raise the transmission rate of file metadata operations such as migration, improves security during file metadata transmission on the basis of the binary hash value, and helps provide cloud users with a secure data transmission environment.
Further, on the basis of the dynamic expansion of the metadata servers, and in order to further ensure the security of data in cloud computing, the cloud computing security management method provided by this embodiment also locates the metadata server through the cloud platform. One possible implementation is shown in fig. 4, which is a schematic flowchart of another cloud computing security management method according to an embodiment of the present application. As shown in fig. 4, this embodiment includes:
S301: locating the metadata server according to the prefix.
After the dynamic expansion of the metadata server is completed, the metadata server holding a given piece of file metadata can be located by the prefix of the binary hash value of its file identifier. In other words, a prefix can be resolved to the metadata server numbered with that prefix.
S302: if the number of the metadata server is the same as the prefix, determining that the file metadata is located in that metadata server.
For the file metadata, when the number of a metadata server is the same as the prefix of the binary hash value of the file identifier of the file metadata, this indicates that the file metadata to be located is stored in that metadata server, that is, the file metadata is determined to be located in the metadata server numbered with the prefix, so that the metadata server is located directly.
S303: if the number of the metadata server is greater than the prefix, locating the metadata server according to a preset splitting rule.
The preset splitting rule represents the rule by which the metadata server is split.
For the file metadata, when the number of the metadata server is greater than the prefix of the binary hash value of the file identifier of the file metadata, this indicates that the metadata server has been split. Since the metadata server is split according to the preset splitting rule, the metadata server can be located by following the same preset splitting rule. The preset splitting rule is the rule by which the metadata server is split in order to migrate file metadata.
For example, the preset splitting rule may be defined as follows: the file metadata whose file identifier has a binary hash value with the prefix $a_0a_1\ldots a_{i-1}1$ is migrated to a newly added metadata server, while the file metadata whose binary hash value has the prefix $a_0a_1\ldots a_{i-1}0$ remains in the original metadata server. At this time, the prefix identifying the file metadata in the newly added metadata server becomes $a_0a_1\ldots a_{i-1}1$, the prefix identifying the file metadata in the original metadata server becomes $a_0a_1\ldots a_{i-1}0$, and the length of the prefix of the file metadata stored on both servers is increased by 1.
It is understood that the specific content of the preset splitting rule may be set according to practical situations, including but not limited to the content of the preset splitting rule in the embodiment schematically illustrated in the present application.
In this embodiment, the metadata server is located through the cloud platform. Specifically, the metadata server is located according to the prefix of the binary hash value of the file identifier of the file metadata: if the number of the metadata server is the same as the prefix, the file metadata is determined to be located in that metadata server; if the number of the metadata server is greater than the prefix, the metadata server is located according to the preset splitting rule. The preset splitting rule is the classification rule followed when the metadata server splits during dynamic expansion. Therefore, when a virtual machine is damaged or a deleted TCP (Transmission Control Protocol) sequence number is reused, the metadata server can still be located quickly, infection by malicious code is prevented, and the file metadata of the cloud user is protected.
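The numbering, prefix-based placement and split-rule locating described above, as added example code that is not part of the application's own implementation; SHA-256 as the hash function, a 16-bit binary hash value and an audit routine that checks each server's contents against its code are assumptions made for the illustration.

```python
"""Prefix-numbered metadata servers with split-based expansion (example code)."""
import hashlib
from typing import Dict, List, Tuple

HASH_BITS = 16  # the "second digit": length of the binary hash value (assumed)


def binary_hash(file_id: str, bits: int = HASH_BITS) -> str:
    """Hash a file identifier to a binary string of exactly `bits` digits.

    SHA-256 stands in for whatever hash the platform uses (an assumption).
    """
    digest = hashlib.sha256(file_id.encode("utf-8")).digest()
    return format(int.from_bytes(digest, "big"), "0256b")[:bits]


class MetadataCluster:
    """Metadata servers numbered by binary codes; the split rule appends one bit."""

    def __init__(self, first_digit: int) -> None:
        if not 0 < first_digit <= HASH_BITS:
            raise ValueError("first digit must be between 1 and HASH_BITS")
        self.first_digit = first_digit
        # server code -> {file_id: metadata}; 2**first_digit servers at the start
        self.servers: Dict[str, Dict[str, dict]] = {
            format(n, f"0{first_digit}b"): {} for n in range(2 ** first_digit)
        }

    def locate(self, file_id: str) -> str:
        """Return the code of the server holding `file_id` (steps S301 to S303)."""
        h = binary_hash(file_id)
        code = h[: self.first_digit]          # S301: prefix of the binary hash value
        while code not in self.servers:       # S303: server number longer than prefix
            if len(code) >= HASH_BITS:
                raise LookupError(f"no metadata server covers hash {h}")
            code = h[: len(code) + 1]         # follow the split rule one bit deeper
        return code                           # S302: server number equals the prefix

    def store(self, file_id: str, metadata: dict) -> str:
        """Place metadata on the server selected by the prefix; return its code."""
        code = self.locate(file_id)
        self.servers[code][file_id] = metadata
        return code

    def split(self, code: str) -> Tuple[str, str]:
        """Split server `code`: prefix code+'0' stays, prefix code+'1' migrates."""
        if code not in self.servers:
            raise KeyError(f"unknown metadata server {code}")
        if len(code) >= HASH_BITS:
            raise ValueError("hash value exhausted; cannot split further")
        items = self.servers.pop(code)
        stay: Dict[str, dict] = {}
        move: Dict[str, dict] = {}
        for file_id, meta in items.items():
            if binary_hash(file_id)[len(code)] == "1":
                move[file_id] = meta          # migrated to the newly added server
            else:
                stay[file_id] = meta          # remains on the original server
        self.servers[code + "0"] = stay
        self.servers[code + "1"] = move
        return code + "0", code + "1"

    def audit(self) -> List[Tuple[str, str]]:
        """Return (server, file_id) pairs whose hash prefix does not match the server."""
        bad = []
        for code, items in self.servers.items():
            for file_id in items:
                if not binary_hash(file_id).startswith(code):
                    bad.append((code, file_id))
        return bad


if __name__ == "__main__":
    cluster = MetadataCluster(first_digit=2)
    sample_ids = ("vm-disk-001", "vm-disk-002", "user-doc-7")  # constructed ids
    for fid in sample_ids:
        print(fid, "->", cluster.store(fid, {"owner": "tenant-a"}))
    busiest = max(cluster.servers, key=lambda s: len(cluster.servers[s]))
    print("split", busiest, "->", cluster.split(busiest))
    for fid in sample_ids:
        print(fid, "now on", cluster.locate(fid))
    print("audit mismatches:", cluster.audit())
```

Running the audit after every split is the check a defender would want: a record whose hash prefix disagrees with the code of the server holding it indicates a migration that did not follow the splitting rule.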
S103: and generating a virtual machine for the file metadata and providing virtual resource service, so that the cloud user side, the gateway and the cloud platform are safely integrated.
Wherein the file metadata corresponds to the metadata information mapping.
Further, the cloud computing security management method provided by the embodiment of the application further generates a virtual machine for file metadata of a cloud user and provides corresponding virtual resource services, so that the cloud user side, the gateway and the cloud platform are integrated on the basis of realizing dynamic expansion of the metadata server, and the network security, the host security and the data security of cloud computing are enhanced. The gateway is an internetwork connector or a protocol converter between the cloud platform and the cloud user side, so that network interconnection is realized on a network layer.
In one possible design, a possible implementation of generating the virtual machine for the file metadata in step S103 is to create the virtual machine. For example, the process of generating the virtual machine may include at least one of the following:
generating name information of the virtual machine, that is, naming the virtual machine;
selecting a resource pool required by the virtual machine, that is, selecting a corresponding resource pool for the virtual machine;
setting the storage mode of the virtual machine, that is, selecting a corresponding storage mode, such as a symmetric mode or an asymmetric mode, for the virtual machine;
configuring the virtual processor and the virtual memory required by the virtual machine;
setting a network connection mode of the virtual machine and generating a virtual network disk, that is, selecting the network connection mode for the virtual machine and creating the virtual disk;
setting a corresponding operating system for the virtual machine, and the like.
Optionally, the providing of the virtual resource service for the file metadata in step S103 may specifically be to generate a virtualization management platform, so that the cloud user can obtain the virtual resource service through some preset controls set in the virtualization management platform. For example, a cloud user clicks a preset control of a "new virtual machine" through a virtualization management platform to acquire a virtual resource service of a corresponding virtual machine configured for the preset control.
A virtual machine is generated for the file metadata and virtual resource services are provided; access rules formulated for the identity authentication of cloud users ensure the security of the cloud computing environment; and the dynamic expansion of the metadata servers enables the metadata servers to be associated and located rapidly. On this basis, the cloud computing security management method provided by the embodiment of the application uses the virtual machine and the corresponding virtual resource services to expand the computing capacity and storage capacity of each metadata server. With network security and host security as the core, the security of the cloud environment is ensured, and the security integration of the cloud user side, the gateway and the cloud platform, aimed at data security, is achieved.
In addition, the cloud computing security management method provided by the embodiment of the application may further include moving and rolling back the virtual machine for the file metadata to enhance security of security integration. In this embodiment, specific implementation manners of the moving of the virtual machine and the rollback of the virtual machine are not limited, and may be set correspondingly according to actual situations.
According to the cloud computing security management method provided by the embodiment of the application, the service request reported by the cloud user is first obtained and an access rule is generated according to the service request; an access right conforming to the access rule is then issued to the cloud user side, so that the cloud user obtains the access right at the cloud user side in the form of a service list. The operation behaviour of the cloud user on the cloud platform is controlled through the access right, illegal access by external users or networks is avoided, the confidentiality and security of cloud platform resources are ensured, and the operating environment of the cloud user in the cloud platform is kept secure. Furthermore, the cloud platform dynamically expands and locates the metadata servers, generates virtual machines for the file metadata and provides virtual resource services, which improves the security of metadata transmission and allows the capacity of each metadata server to be expanded using the virtual machines and the corresponding virtual resource services. The cloud user side, the gateway and the cloud platform are thereby integrated securely, and the hidden dangers that a damaged virtual machine would be hard to locate and could be invaded by malicious code are avoided, thus establishing a secure and feasible cloud computing environment for cloud users and ensuring the security of cloud computing data.
In one possible design, a possible implementation of generating the access rule according to the service request in step S101 is shown in fig. 5. Fig. 5 is a schematic flowchart of another cloud computing security management method according to an embodiment of the present application. As shown in fig. 5, the present embodiment includes:
S401: generating safety marking information according to the service request.
The safety marking information is used for identifying the identity information of the cloud user reporting the service request.
Safety marking information is generated for each cloud user according to the service request reported by the cloud user through the cloud user side, so that the identity information of the cloud user reporting the service request is identified by the safety marking information. Correspondingly, the safety marking information can also be used to identify whether the cloud user, and the host machine (such as a physical server) and virtual machine belonging to the cloud user, are safe.
In addition, the identity information of the cloud user may include corresponding information characterizing the type of the cloud user.
S402: and generating an access rule according to the identity information of the cloud user.
The access rules are used for controlling the operation behaviors of the cloud users on the cloud platform.
Specific access rules of the cloud platform are formulated for cloud users with different identity information, so that the operation behaviors of the cloud users in the cloud platform are controlled through the access rules formulated for the cloud users, the cloud computing in the cloud platform is prevented from being illegally accessed by external users or networks, and the confidentiality and the safety of the cloud computing are ensured.
In addition, it should be noted that the operation of generating the access rule according to the service request reported by the cloud user, as provided in this embodiment, may be performed by means such as bandwidth allocation, protocol overflow handling and flow control, so as to achieve security targets such as prevention of illegal access, intrusion prevention and security audit.
The specific process of the cloud computing security management method provided by the embodiment of the present application is described in detail above, and a cloud computing security management system capable of implementing the cloud computing security management method is described in detail below.
Fig. 6 is a schematic structural diagram of a cloud computing security management system according to an embodiment of the present application. As shown in fig. 6, the cloud computing security management system 500 provided in this embodiment includes:
the cloud user side 501 is configured to report a service request of a cloud user.
The identity authentication module 502 is configured to generate an access rule according to the obtained service request, and issue an access right meeting the access rule to the cloud user side, where the access right includes a service list.
The cloud platform 503 is configured to dynamically extend and locate a metadata server, and the metadata server is configured to manage and control and store metadata information matched with the service request.
The cloud platform 503 is further configured to generate a virtual machine for the file metadata and provide a virtual resource service, so that the cloud user side, the gateway and the cloud platform are integrated safely, and the file metadata corresponds to the metadata information in a mapping manner.
In one possible design, the identity authentication module 502 is specifically configured to:
generating safety marking information according to the service request, wherein the safety marking information is used for identifying the identity information of the cloud user reporting the service request;
generating an access rule according to the identity information of the cloud user, wherein the access rule is used for controlling the operation behavior of the cloud user on the cloud platform;
the identity authentication module 502 supports a preset hardware interface, that is, the identity authentication module 502 can provide a preset hardware interface connection, such as a USB Key, to a host, a virtual machine, a virtualization management platform or a similar virtual desktop.
In one possible design, the cloud platform 503 is specifically configured to:
generating a first digit binary code for each metadata server, each binary code being used to number the corresponding metadata server;
hashing a file identifier of the file metadata into a binary hash value of a second digit;
and acquiring a prefix in the binary hash value so as to store the file metadata with the same prefix into a metadata server with the same binary coding.
In one possible design, the cloud platform 503 is further specifically configured to:
positioning the metadata server according to the prefix;
if the number of the metadata server is the same as the prefix, determining that the file metadata is located in the metadata server;
and if the serial number of the metadata server is greater than the prefix, positioning the metadata server according to a preset splitting rule, wherein the preset splitting rule is used for representing the splitting rule of the metadata server.
Optionally, the cloud platform 503 is further configured to:
generating name information of the virtual machine;
selecting a resource pool required by the virtual machine;
setting a storage mode of a virtual machine;
configuring a virtual processor and a virtual memory required by a virtual machine;
setting a network connection mode of the virtual machine and generating a virtual network disk.
Optionally, the cloud platform 503 is further configured to:
and generating a virtualization management platform so that the cloud user can obtain the virtual resource service through a preset control in the virtualization management platform.
Optionally, as shown in fig. 6, the cloud computing security management system 500 may further include:
the system management and configuration module 504 is configured to manage authorization, authentication, login, and the like of a cloud user, and/or manage corresponding resources and services in cloud computing, and/or receive a task request of the cloud user, and report the request of the cloud user to a corresponding application program, and/or schedule and deploy corresponding resources in the cloud computing to provide management and service operations for cloud computing of the cloud user, so as to enhance security of the cloud user in the cloud computing.
Optionally, the cloud computing security management system 500 may further include:
the monitoring and counting module 505 is configured to monitor and measure a resource usage state in cloud computing, and/or allocate resources in cloud computing to monitoring and management services related to cloud computing resources, such as corresponding cloud users, so as to ensure that each cloud user can perform monitoring and management in a cloud environment where cloud resources are guaranteed, so as to improve security of cloud user data.
Optionally, the cloud computing security management system 500 may further include:
the fault tolerance processing module 506 is configured to generate a Master fault tolerance mechanism to store three types of metadata in the file metadata, for example, a name space, a mapping table of Chunk and file name, and location information of Chunk copies, where each Chunk may default to three copies.
The various parts in the cloud computing security management system 500 provided in the embodiment of the present application may be electrically connected and communicatively connected through corresponding connection interfaces, which is not limited in this embodiment.
It should be noted that the cloud computing security management system provided in each embodiment may be applied to the cloud computing security management method provided in any embodiment to execute corresponding steps, and the specific implementation manner and the technical effect are similar and will not be described herein again.
Fig. 7 is a schematic structural diagram of an electronic device according to an embodiment of the present application. As shown in fig. 7, the electronic device 600 may include: at least one processor 601 and memory 602. Fig. 7 illustrates an example of a processor.
The memory 602 stores a program executed by the processor 601. In particular, the program may include program code comprising computer operating instructions.
The memory 602 may comprise high-speed RAM memory, and may also include non-volatile memory (non-volatile memory), such as at least one disk memory.
The processor 601 is configured to execute the computer program stored in the memory 602 to implement the steps in the cloud computing security management method in the above embodiments of the method.
The processor 601 may be a Central Processing Unit (CPU), an Application Specific Integrated Circuit (ASIC), or one or more integrated circuits configured to implement the embodiments of the present application.
Alternatively, the memory 602 may be separate or integrated with the processor 601. When the memory 602 is a device independent from the processor 601, the electronic device 600 may further include:
a bus 603 for connecting the processor 601 and the memory 602. The bus may be an Industry Standard Architecture (ISA) bus, a Peripheral Component Interconnect (PCI) bus, an Extended ISA (EISA) bus, or the like. Buses may be classified as address buses, data buses, control buses, etc.; the single bus shown does not mean that there is only one bus or one type of bus.
Alternatively, in a specific implementation, if the memory 602 and the processor 601 are integrated into a single chip, the memory 602 and the processor 601 may communicate via an internal interface.
The present application also provides a computer-readable storage medium, which may include any medium that can store program code, such as a USB disk, a removable hard disk, a read-only memory (ROM), a random access memory (RAM), a magnetic disk or an optical disk. In particular, a computer program is stored in the computer-readable storage medium, and when the computer program is executed by at least one processor of the electronic device, the electronic device executes the steps of the cloud computing security management method provided in the foregoing embodiments.
Embodiments of the present application also provide a computer program product, which includes a computer program, and the computer program is stored in a readable storage medium. The computer program can be read from a readable storage medium by at least one processor of the electronic device, and the computer program can be executed by the at least one processor to enable the device to implement the steps of the cloud computing security management method provided by the various embodiments described above.
Other embodiments of the present application will be apparent to those skilled in the art from consideration of the specification and practice of the invention disclosed herein. This application is intended to cover any variations, uses, or adaptations of the invention following, in general, the principles of the application and including such departures from the present disclosure as come within known or customary practice within the art to which the invention pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the application being indicated by the following claims.
It will be understood that the present application is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the application is limited only by the appended claims.

Claims (10)

1. A cloud computing security management method is characterized by comprising the following steps:
acquiring a service request reported by a cloud user side, and generating an access rule according to the service request so as to issue an access right which accords with the access rule to the cloud user side, wherein the access right comprises a service list;
dynamically expanding and positioning a metadata server through a cloud platform, wherein the metadata server is used for managing, controlling and storing metadata information matched with the service request;
and generating the virtual machine and providing virtual resource service for file metadata so as to ensure that the cloud user side, the gateway and the cloud platform are safely integrated, wherein the file metadata corresponds to the metadata information mapping.
2. The cloud computing security management method of claim 1, wherein the generating access rules from the service request comprises:
generating safety marking information according to the service request, wherein the safety marking information is used for identifying the identity information of the cloud user reporting the service request;
and generating the access rule according to the identity information of the cloud user, wherein the access rule is used for controlling the operation behavior of the cloud user on the cloud platform.
3. The cloud computing security management method of claim 2, wherein the dynamically extending the metadata server via the cloud platform comprises:
generating a first-digit binary code for each metadata server through the cloud platform, wherein each binary code is used for numbering the corresponding metadata server;
hashing a file identifier of the file metadata into a second-digit binary hash value;
and acquiring a prefix in the binary hash value so as to store the file metadata with the same prefix into the metadata server of the same binary code, wherein the prefix is consistent with the first digit.
4. The cloud computing security management method of claim 3, wherein the locating, by the cloud platform, the metadata server comprises:
positioning the metadata server according to the prefix;
if the serial number of the metadata server is the same as the prefix, determining that the file metadata is located in the metadata server;
and if the serial number of the metadata server is greater than the prefix, positioning the metadata server according to a preset splitting rule, wherein the preset splitting rule is used for representing the splitting rule of the metadata server.
5. The cloud computing security management method of any of claims 1-4, wherein the generating the virtual machine for file metadata comprises:
generating name information of the virtual machine;
selecting a resource pool required by the virtual machine;
setting a storage mode of the virtual machine;
configuring a virtual processor and a virtual memory required by the virtual machine;
setting a network connection mode of the virtual machine and generating a virtual network disk.
6. The cloud computing security management method according to any one of claims 1 to 4, wherein the providing of the virtual resource service for the file metadata includes:
and generating a virtualization management platform so that the cloud user can acquire the virtual resource service through a preset control in the virtualization management platform.
7. A cloud computing security management system, comprising:
the cloud user side is used for reporting the service request of the cloud user;
the identity authentication module is used for generating an access rule according to the acquired service request and issuing an access right which accords with the access rule to the cloud user side, wherein the access right comprises a service list;
the cloud platform is used for dynamically expanding and positioning a metadata server, and the metadata server is used for managing, controlling and storing metadata information matched with the service request;
the cloud platform is further used for generating the virtual machine and providing virtual resource service for file metadata so that the cloud user side, the gateway and the cloud platform are integrated safely, and the file metadata correspond to the metadata information in a mapping mode.
8. The cloud computing security management system of claim 7, wherein the identity authentication module is specifically configured to:
generating safety marking information according to the service request, wherein the safety marking information is used for identifying the identity information of the cloud user reporting the service request;
generating the access rule according to the identity information of the cloud user, wherein the access rule is used for controlling the operation behavior of the cloud user on the cloud platform;
the identity authentication module supports a preset hardware interface.
9. The cloud computing security management system of claim 8, wherein the cloud platform is specifically configured to:
generating a first-digit binary code for each metadata server, wherein each binary code is used for numbering the corresponding metadata server;
hashing a file identifier of the file metadata into a second-digit binary hash value;
and acquiring a prefix in the binary hash value so as to store the file metadata with the same prefix into the metadata server with the same binary code.
10. The cloud computing security management system of claim 9, wherein the cloud platform is further specifically configured to:
positioning the metadata server according to the prefix;
if the serial number of the metadata server is the same as the prefix, determining that the file metadata is located in the metadata server;
and if the serial number of the metadata server is greater than the prefix, positioning the metadata server according to a preset splitting rule, wherein the preset splitting rule is used for representing the splitting rule of the metadata server.
CN202110294049.2A 2021-03-19 2021-03-19 Cloud computing security management method and system Active CN113010897B (en)

Publications (2)

Publication Number Publication Date
CN113010897A true CN113010897A (en) 2021-06-22
CN113010897B CN113010897B (en) 2023-06-13

Family

ID=76402857

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110294049.2A Active CN113010897B (en) 2021-03-19 2021-03-19 Cloud computing security management method and system

Country Status (1)

Country Link
CN (1) CN113010897B (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114422808A (en) * 2022-01-07 2022-04-29 北京百度网讯科技有限公司 Cloud mobile phone interaction method and device, electronic equipment and storage medium
CN114706725A (en) * 2022-03-14 2022-07-05 广州慧思软件科技有限公司 Equipment data processing method and system based on cloud platform

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101969475A (en) * 2010-11-15 2011-02-09 张军 Business data controllable distribution and fusion application system based on cloud computing
US20140059226A1 (en) * 2012-08-21 2014-02-27 Rackspace Us, Inc. Multi-Level Cloud Computing System
US20150074743A1 (en) * 2013-09-10 2015-03-12 Vmware, Inc. Extensible multi-tenant cloud-management system and methods for extending functionalities and services provided by a multi-tenant cloud-managment system
CN104796412A (en) * 2014-04-06 2015-07-22 惠州Tcl移动通信有限公司 End-to-end cloud service system and method for accessing sensitive data thereof
US20150222620A1 (en) * 2014-01-31 2015-08-06 Oracle International Corporation System and method for providing application security in a cloud computing environment
CN106161566A (en) * 2015-04-24 2016-11-23 中兴通讯股份有限公司 A kind of cloud computation data center access management method and cloud computation data center
CN107426252A (en) * 2017-09-15 2017-12-01 北京百悟科技有限公司 The method and apparatus that web application firewall services are provided
CN109314724A (en) * 2016-08-09 2019-02-05 华为技术有限公司 The methods, devices and systems of virtual machine access physical server in cloud computing system

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101969475A (en) * 2010-11-15 2011-02-09 张军 Business data controllable distribution and fusion application system based on cloud computing
US20140059226A1 (en) * 2012-08-21 2014-02-27 Rackspace Us, Inc. Multi-Level Cloud Computing System
US20150074743A1 (en) * 2013-09-10 2015-03-12 Vmware, Inc. Extensible multi-tenant cloud-management system and methods for extending functionalities and services provided by a multi-tenant cloud-managment system
US20150222620A1 (en) * 2014-01-31 2015-08-06 Oracle International Corporation System and method for providing application security in a cloud computing environment
CN104796412A (en) * 2014-04-06 2015-07-22 惠州Tcl移动通信有限公司 End-to-end cloud service system and method for accessing sensitive data thereof
CN106161566A (en) * 2015-04-24 2016-11-23 中兴通讯股份有限公司 A kind of cloud computation data center access management method and cloud computation data center
CN109314724A (en) * 2016-08-09 2019-02-05 华为技术有限公司 The methods, devices and systems of virtual machine access physical server in cloud computing system
CN107426252A (en) * 2017-09-15 2017-12-01 北京百悟科技有限公司 The method and apparatus that web application firewall services are provided

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
冯朝胜;秦志光;袁丁;: "云数据安全存储技术", 计算机学报, vol. 38, no. 01, pages 152 - 165 *
李桂贞;: "基于云计算的移动数字图书馆服务平台构建研究", 现代情报, no. 03, pages 84 - 87 *

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114422808A (en) * 2022-01-07 2022-04-29 北京百度网讯科技有限公司 Cloud mobile phone interaction method and device, electronic equipment and storage medium
CN114706725A (en) * 2022-03-14 2022-07-05 广州慧思软件科技有限公司 Equipment data processing method and system based on cloud platform
CN114706725B (en) * 2022-03-14 2023-05-09 广州慧思软件科技有限公司 Equipment data processing method and system based on cloud platform

Also Published As

Publication number Publication date
CN113010897B (en) 2023-06-13

Similar Documents

Publication Publication Date Title
CN108549580B (en) Method for automatically deploying Kubernets slave nodes and terminal equipment
EP3281360B1 (en) Virtualized network function monitoring
US9928080B2 (en) Hardware security module access management in a cloud computing environment
US20190034648A1 (en) Managing access to documents with a file monitor
US10318747B1 (en) Block chain based authentication
CN106844111B (en) Access method of cloud storage network file system
CN112948851A (en) User authentication method, device, server and storage medium
CN110677453A (en) ZooKeeper-based distributed lock service implementation method, device, equipment and storage medium
CN108733802B (en) Identification code generation and analysis method and device, storage medium and electronic equipment
CN111680900A (en) Work order issuing method and device, electronic equipment and storage medium
CN105447151A (en) Method for accessing distributed database, data source proxy apparatus and application server
CN113010897B (en) Cloud computing security management method and system
CN113221154A (en) Service password obtaining method and device, electronic equipment and storage medium
CN111090616B (en) File management method, corresponding device, equipment and storage medium
CN113067802A (en) User identification method, device, equipment and computer readable storage medium
CN115021995B (en) Multi-channel login method, device, equipment and storage medium
CN110109731B (en) Management method and system of virtual trusted root in cloud environment
CN113312669A (en) Password synchronization method, device and storage medium
CN112214769A (en) Active measurement system of Windows system based on SGX architecture
CN112965743A (en) Software change management method and device, electronic equipment and storage medium
CN115018509A (en) Object processing method and device, electronic equipment and storage medium
CN112860398A (en) Data processing method, device, equipment and medium based on rule engine
KR20210027038A (en) Proxy apparatus and method for processing information executed on proxy apparatus
CN111865612A (en) Identity authentication method and device for power Internet of things terminal
CN109739615A (en) Virtual hard disk mapping method, device and cloud computing platform

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant