CN116566728A - Micro-service architecture meeting GAMP5 security audit requirement - Google Patents


Info

Publication number
CN116566728A
Authority
CN
China
Prior art keywords
data
micro
service
event
database
Prior art date
Legal status
Pending
Application number
CN202310708770.0A
Other languages
Chinese (zh)
Inventor
雷斌
Current Assignee
Shanghai Lei Chang Technology Co ltd
Original Assignee
Shanghai Lei Chang Technology Co ltd
Priority date
Filing date
Publication date
Application filed by Shanghai Lei Chang Technology Co ltd filed Critical Shanghai Lei Chang Technology Co ltd
Priority to CN202310708770.0A priority Critical patent/CN116566728A/en
Publication of CN116566728A publication Critical patent/CN116566728A/en
Pending legal-status Critical Current

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/08: Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/10: Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425: Traffic logging, e.g. anomaly detection
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/50: Network services
    • H04L67/51: Discovery or management thereof, e.g. service location protocol [SLP] or web services
    • H04L9/00: Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40: Network security protocols
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to the technical field of computer networks, and in particular to a micro-service architecture meeting the GAMP5 security audit requirement. The architecture comprises a plurality of autonomous micro-services, each comprising a micro-front end, a micro-back end and a database, and the micro-back end comprises an endpoint interface for receiving service requests from the micro-front end. The server is used for sending or receiving a service request of the command processor or sending a database read request. The command processor writes event table data into the database and combines audit trail data with the database event table, so that data snapshot information of the database projection table can be seen. Compared with the prior art, the invention has the following advantages. High security: security authentication and authorization protocols, data protection technology and a fine-grained access control policy ensure the security of the service units. Complete monitoring and logging: all services in the micro-service architecture are monitored and logged, so that potential security problems are discovered and solved in time.

Description

Micro-service architecture meeting GAMP5 security audit requirement
Technical Field
The invention relates to the technical field of computer networks, in particular to a micro-service architecture meeting GAMP5 security audit requirements.
Background
With the development of the internet and cloud computing, micro-service architecture is widely used in enterprise applications. The micro-service architecture can split an application into a series of small, autonomous service units, making the application more flexible and scalable.
However, the service units in a micro-service architecture are often distributed over multiple nodes, which carries some security risk. Security in a micro-service architecture therefore requires special attention under the GAMP5 security audit requirements. Some solutions for securing micro-service architectures already exist, but they still have drawbacks, such as a lack of fine-grained access control and logging.
Disclosure of Invention
The technical problem to be solved by the invention is to overcome the defects of the prior art and to provide a micro-service architecture with high service-unit security, fine-grained monitoring and logging of services, post-audit release of master data, and data auditing of business data.
To achieve the above objective, a micro-service architecture meeting the GAMP5 security audit requirement is designed. It includes a plurality of autonomous micro-services, each including a micro-front end, a micro-back end and a database, wherein the micro-back end includes an endpoint interface for receiving service requests from the micro-front end. The server is used for sending or receiving a service request of the command processor or sending a database read request; the command processor writes event table data into the database and combines audit trail data with the database event table, so that data snapshot information of the database projection table can be seen. The audit trail data is stored in the data field of the event table in key-value form: each record in the event table corresponds to one event, the data of the event is stored in the data field, the key represents the attribute or field name of the data, and the value represents a specific data value. The data field in the projection table refers to the data stored in the projection table that corresponds to the data field in the event table; it is the result of processing, filtering and converting the data in the event table. The event table stores the event information of the aggregate root, including an event ID, an aggregate root ID, an event type and an event version; the event ID is the unique identifier and primary key of the event, and the aggregate root ID is a foreign key associated with the aggregate root table.
The invention also has the following preferable technical scheme:
1. The audit trail data comprises the recorded operator (user information of the person performing the operation), the recorded operation time (time information of the operation) and the recorded operation type.
2. The data field in the projection table generally contains part of the data in the event table, as well as some calculated data, including aggregate calculations and statistics; the specific content and format of the data field in the projection table depend on the specific query requirements and service scenarios.
3. The system also comprises service units, and the OAuth 2.0 and OpenID authentication and authorization protocols are used between the service units.
4. A transport layer security protocol is used between the microservice and the gateway to secure data transmissions.
5. The micro-service uses an RBAC access control policy.
6. The system also comprises a monitoring tool and a log analysis tool, which are used for monitoring and logging all services in the micro-service architecture.
Compared with the prior art, the invention has the advantages that:
1. High security: security authentication and authorization protocols, data protection technology and a fine-grained access control policy ensure the security of the service units;
2. Complete monitoring and logging: all services in the micro-service architecture are monitored and logged, so that potential security problems are found and solved in time;
3. Good scalability: the micro-service architecture can split an application into a series of small, autonomous service units, making the application more flexible and scalable.
Drawings
FIG. 1 is a general architecture diagram of the present invention;
FIG. 2 is a schematic illustration of a micro-service of the present invention.
Detailed Description
The construction and principles of the present invention will be readily apparent to those skilled in the art from the following description taken in conjunction with the accompanying drawings. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the scope of the invention.
As shown in FIG. 1, the present invention includes several autonomous micro-services, each including a micro-front end, a micro-back end, and a database. As shown in fig. 2, the micro back end includes an endpoint interface for receiving service requests from the micro front end. The server is used for sending or receiving a service request of the command processor or sending a database reading request, and the command processor writes the event table data into the database.
As illustrated in fig. 1, the micro-service architecture includes the following aspects:
1. Data tracing
In the invention, the system supports all GAMP5 data security audit requirements. The command processor combines audit trail data with a database event table, specifically: the data is stored in the 'data' field of the event (events) table in key-value form, where the key represents the attribute or field name of the data and the value represents a specific data value. Storing the data of an event in the 'data' field in this way is referred to as the NoSQL manner: unlike a conventional relational database, it stores data in the form of documents, graphs, key-value pairs and the like. The advantage of key-value data is that it allows data to be organized very flexibly and makes the data structure easy to extend and modify. Furthermore, in some cases, the use of key-value data may also improve the performance of data queries.
In the event table, each record corresponds to one event, and the various events occurring in the system are recorded. The event table stores the event information of the aggregate root, including the event ID, aggregate root ID, event type, event version, data and the like. The event ID is the unique identifier and primary key of the event; the aggregate root ID is a foreign key that associates the event with the aggregate root table.
Because the command processor combines the audit trail data with the database event table, the data snapshot information of the database projection table can be seen. The projection table is a copy of data extracted and converted from the event table to support the query and reporting functions of the system. It typically contains only part of the data in the event table, transformed and processed to better support queries and analysis. The 'data' field in the projection table refers to the data stored in the projection table that corresponds to the 'data' field in the event table; it is the result of processing, filtering and converting the data in the event table. The 'data' field in the projection table typically contains part of the data in the event table, as well as some calculated data, such as aggregate calculations and statistics. Its specific content and format generally depend on the specific query requirements and business scenario. When designing the projection table, the data to be stored should be selected according to the query and reporting requirements of the system, and appropriate conversion and calculation should be performed, so as to support the query and analysis functions of the system.
All master data supports release after audit and all business data supports data auditing; when data is queried, the user can tell what was done and at what time, and version backtracking of the master data is supported. Recording the operator, the time, the operation type and similar information helps managers better understand how the system is being used and helps prevent problems such as misoperation and data leakage. The audit trail data records the following information: the operator (user information of the person performing the operation); the operation time (time information of the operation, including date, time and the like); and the operation type (the type of operation performed, including addition, modification, deletion and the like).
Therefore, when data tracing is required, the user can see through the event table what was done, at what time and in what place.
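The event table, projection table and version backtracking described in this section, as an added example using SQLite from Python (not code from the patent or its applicant). The column names follow the description; the JSON key names, the append-only triggers and the sample records are assumptions made for the illustration.

```python
import json
import sqlite3

SCHEMA = """
CREATE TABLE aggregate_roots (aggregate_id TEXT PRIMARY KEY);
CREATE TABLE events (
    event_id      INTEGER PRIMARY KEY,   -- unique identifier of the event
    aggregate_id  TEXT NOT NULL REFERENCES aggregate_roots(aggregate_id),
    event_type    TEXT NOT NULL,         -- add / modify / delete
    event_version INTEGER NOT NULL,
    data          TEXT NOT NULL,         -- key-value document stored as JSON
    UNIQUE (aggregate_id, event_version));
CREATE TABLE projection (aggregate_id TEXT PRIMARY KEY, version INTEGER, data TEXT);
-- Assumption added here: events are append-only, so the trail cannot be rewritten.
CREATE TRIGGER events_no_update BEFORE UPDATE ON events
BEGIN SELECT RAISE(ABORT, 'events are append-only'); END;
CREATE TRIGGER events_no_delete BEFORE DELETE ON events
BEGIN SELECT RAISE(ABORT, 'events are append-only'); END;
"""

def open_store():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")
    db.executescript(SCHEMA)
    return db

def snapshot(db, aggregate_id, up_to_version=None):
    """Replay events in version order; up_to_version gives version backtracking."""
    state, version = None, 0
    for event_type, event_version, data in db.execute(
            "SELECT event_type, event_version, data FROM events"
            " WHERE aggregate_id = ? ORDER BY event_version", (aggregate_id,)):
        if up_to_version is not None and event_version > up_to_version:
            break
        fields = json.loads(data)["fields"]
        state = None if event_type == "delete" else {**(state or {}), **fields}
        version = event_version
    return version, state

def handle_command(db, aggregate_id, op_type, operator, op_time, fields):
    """Command processor: append one event, then refresh the projection row."""
    db.execute("INSERT OR IGNORE INTO aggregate_roots VALUES (?)", (aggregate_id,))
    version = db.execute("SELECT COALESCE(MAX(event_version), 0) + 1 FROM events"
                         " WHERE aggregate_id = ?", (aggregate_id,)).fetchone()[0]
    data = {"operator": operator, "operation_time": op_time,
            "operation_type": op_type, "fields": fields}  # audit trail + payload
    db.execute("INSERT INTO events (aggregate_id, event_type, event_version, data)"
               " VALUES (?, ?, ?, ?)", (aggregate_id, op_type, version, json.dumps(data)))
    current_version, state = snapshot(db, aggregate_id)
    db.execute("INSERT OR REPLACE INTO projection VALUES (?, ?, ?)",
               (aggregate_id, current_version, json.dumps(state)))
    return version

def audit_trail(db, aggregate_id):
    """What was done, by whom and when, read straight from the event table."""
    rows = db.execute("SELECT event_version, data FROM events WHERE aggregate_id = ?"
                      " ORDER BY event_version", (aggregate_id,)).fetchall()
    return [(v, d["operator"], d["operation_type"], d["operation_time"])
            for v, d in ((v, json.loads(raw)) for v, raw in rows)]

def demo():
    """Constructed sample data: two operators edit one master-data record."""
    db = open_store()
    handle_command(db, "material-001", "add", "alice", "2024-01-10T09:00:00Z",
                   {"name": "Buffer A", "grade": "GMP"})
    handle_command(db, "material-001", "modify", "bob", "2024-01-10T10:30:00Z",
                   {"grade": "R&D"})
    return db
```

Calling `snapshot(db, "material-001", up_to_version=1)` on the store returned by `demo()` yields the record as it stood before the second operator's change, while the projection row always holds the latest state.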
2. Secure authentication and authorization
In the present invention, authentication and authorization protocols based on OAuth 2.0 and OpenID are used to ensure that a service unit can only be accessed by authenticated and authorized users or services.
3. Data protection
In the present invention, a transport layer security protocol is used to protect data transmission and encryption techniques are used to protect data storage to ensure that data is protected during transmission and storage.
4. Access control
In the present invention, fine-grained access control is performed on services to ensure that only authorized users or services can access the corresponding services. An RBAC (role based access control) access control policy may be used.
5. Monitoring and logging
In the present invention, all services in the micro-service architecture need to be monitored and logged in order to discover and solve potential security issues in time. This can be accomplished using monitoring tools and log analysis tools.
In general, the system of the invention uses the HTTPS encrypted transmission protocol and the OAuth 2.0 and OpenID authentication and authorization protocols, so that only users with the corresponding permissions can access the corresponding micro-services. After a user accesses the system and performs add, modify, deactivate or delete operations on data, the operator, the operation time and the modification made to the data can be viewed in the audit trail, and every such record is kept in the system. Post-audit release of master data is supported: when data is modified, the modification takes effect only after the audit is passed. Version backtracking of master data is supported, and the data can be returned to any version.
The above description covers only specific embodiments of the invention, but the scope of the invention is not limited thereto; anything that a person skilled in the art derives from the technical solution and the inventive concept of the invention shall be covered by the scope of the invention.

Claims (7)

1. A micro-service architecture meeting the GAMP5 security audit requirement, comprising a plurality of autonomous micro-services, wherein each micro-service comprises a micro-front end, a micro-back end and a database, and the micro-back end comprises an endpoint interface for receiving a service request of the micro-front end; a server for sending or receiving a service request or a database read request from a command processor, the command processor writing event table data into the database, characterized in that:
the command processor combines the audit trail data with the database event table, so that the data snapshot information of the database projection table can be seen;
the audit trail data is stored in the data field of the event table in key-value form;
in the event table, each record corresponds to an event, the data of the event is stored in the data field in key-value form, wherein the key represents an attribute or a field name of the data, and the value represents a specific data value;
the data field in the projection table refers to data stored in the projection table and corresponding to the data field in the event table, and the data in the data field in the projection table is the result of processing, filtering and converting the data in the event table;
the event table is used for storing event information of the aggregate root, and comprises an event ID, an aggregate root ID, an event type and an event version, wherein the event ID is the unique identifier and primary key of the event, and the aggregate root ID is a foreign key associated with the aggregate root table.
2. The micro-service architecture according to claim 1, wherein the audit trail data includes the recorded operator (user information of the person performing the operation), the recorded operation time (time information of the operation) and the recorded operation type.
3. The micro-service architecture according to claim 1, wherein the data field in the projection table generally contains part of the data in the event table, as well as some calculated data, including aggregate calculations and statistics, and the specific content and format of the data field in the projection table depend on the specific query requirements and service scenario.
4. The micro-service architecture according to claim 1, further comprising service units, wherein the OAuth 2.0 and OpenID authentication and authorization protocols are used between the service units.
5. The micro-service architecture according to claim 1, wherein a transport layer security protocol is used between the micro-service and the gateway to protect data transmissions.
6. A micro-service architecture that meets the requirements of the GAMP5 security audit as recited in claim 1, wherein said micro-service uses RBAC access control policies.
7. The micro-service architecture according to claim 1, further comprising a monitoring tool and a logging tool for monitoring and logging all services in the micro-service architecture.
CN202310708770.0A 2023-06-15 2023-06-15 Micro-service architecture meeting GAMP5 security audit requirement Pending CN116566728A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310708770.0A CN116566728A (en) 2023-06-15 2023-06-15 Micro-service architecture meeting GAMP5 security audit requirement

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310708770.0A CN116566728A (en) 2023-06-15 2023-06-15 Micro-service architecture meeting GAMP5 security audit requirement

Publications (1)

Publication Number Publication Date
CN116566728A (en) 2023-08-08

Family

ID=87494843

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310708770.0A Pending CN116566728A (en) 2023-06-15 2023-06-15 Micro-service architecture meeting GAMP5 security audit requirement

Country Status (1)

Country Link
CN (1) CN116566728A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination