CN116781382A - Access method and device of cloud storage system, electronic equipment and computer medium - Google Patents

Access method and device of cloud storage system, electronic equipment and computer medium

Info

Publication number: CN116781382A
Application number: CN202310860836.8A
Authority: CN (China)
Other languages: Chinese (zh)
Legal status: Pending (status as listed by Google Patents, not a legal conclusion)
Prior art keywords: client, cloud storage, access, policy, security
Inventors: 陈文华, 王爱宝, 林飞, 李志龙, 魏俊
Current assignee: China Telecom Technology Innovation Center; China Telecom Corp Ltd
Original assignee: China Telecom Technology Innovation Center; China Telecom Corp Ltd
Application filed by China Telecom Technology Innovation Center and China Telecom Corp Ltd.

Classifications (CPC)

    • H04L63/0869 Network security; authentication of entities; achieving mutual authentication
    • H04L63/0807 Network security; authentication of entities using tickets, e.g. Kerberos
    • H04L63/20 Network security; managing network security, network security policies in general
    • H04L67/1097 Protocols for distributed storage of data in networks, e.g. NFS, SAN or NAS
    • H04L9/3213 Cryptographic mechanisms for verifying identity or authority; involving a third party or trusted authority, using tickets or tokens, e.g. Kerberos
    • H04L9/3273 Cryptographic mechanisms for verifying identity or authority; using challenge-response for mutual authentication

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The disclosure relates to an access method and device for a cloud storage system, an electronic device and a computer readable medium, and belongs to the technical field of the Internet. The method comprises the following steps: establishing mutual authentication among a client, a cloud storage gateway and a zero trust controller, and sending an access token to the client through the zero trust controller; the client sending an access request for the cloud storage system together with the access token to the cloud storage gateway corresponding to that system; the cloud storage gateway performing security detection on the client's access request based on a security detection policy; and, when the access request passes detection, the cloud storage gateway executing the access operation on the cloud storage system according to the access request and the access token and returning the result of the operation to the client. By establishing two-way identity authentication among the client, the cloud storage gateway and the zero trust controller, and by subjecting every client access request to security detection, the access security of the cloud storage system is improved.

Description

Access method and device of cloud storage system, electronic equipment and computer medium
Technical Field
The disclosure relates to the technical field of the Internet, and in particular to an access method for a cloud storage system, an access device for a cloud storage system, an electronic device and a computer readable medium.
Background
Cloud storage refers to a system that, by means of application software and functions such as cluster applications, grid technology or a distributed file system, integrates a large number of storage devices of different types in a network so that they work cooperatively and jointly provide data storage and service access, thereby protecting the data and saving storage space; a distributed storage cloud disk system is one example.
Currently, the following security problems may arise when a cloud storage system is accessed: 1. a client user operates on cloud disk files without authorization, beyond the scope of their authorization, or by mistake; 2. cloud disk files uploaded or shared by a client user may carry viruses or malicious software; 3. the components are exposed to identity impersonation, and in particular an attacker impersonating a client user poses a significant risk of compromise, illegitimate access and destruction to the cloud storage system.
In view of this, there is a need in the art for a cloud storage access method with improved access security.
It should be noted that the information disclosed in the background section above is provided only to aid understanding of the background of the present disclosure, and may therefore include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure aims to provide an access method for a cloud storage system, an access device for a cloud storage system, an electronic device and a computer readable medium, and thereby to improve, at least to some extent, the access security of the cloud storage system.
According to a first aspect of the present disclosure, there is provided an access method for a cloud storage system, comprising:
establishing mutual authentication among a client, a cloud storage gateway and a zero trust controller, and sending an access token for the cloud storage system to the client through the zero trust controller;
the client sending an access request for the cloud storage system together with the corresponding access token to the cloud storage gateway corresponding to the cloud storage system;
the cloud storage gateway obtaining a security detection policy from the zero trust controller and performing security detection on the client's access request based on that policy;
when the client's access request passes detection, the cloud storage gateway executing the access operation on the cloud storage system according to the client's access request and the access token, and returning the result of the access operation to the client.
In an exemplary embodiment of the disclosure, establishing mutual authentication among the client, the cloud storage gateway and the zero trust controller, and sending the access token for the cloud storage system to the client through the zero trust controller, comprises:
establishing bidirectional authentication between the zero trust controller and the cloud storage gateway, and bidirectional authentication between the zero trust controller and the client;
the zero trust controller obtaining a multi-factor authentication policy corresponding to the client, verifying the client information based on that policy, and determining whether the client satisfies the multi-factor authentication policy;
if the client satisfies the multi-factor authentication policy, establishing bidirectional authentication between the client and the cloud storage gateway;
and, after authentication succeeds, the zero trust controller sending to the client a list of the cloud storage gateways the client is allowed to connect to, together with the access tokens for the corresponding cloud storage systems.
In an exemplary embodiment of the present disclosure, the zero trust controller obtaining a multi-factor authentication policy corresponding to the client, verifying the client information based on that policy, and determining whether the client satisfies the policy, comprises:
the zero trust controller obtaining the multi-factor authentication policy corresponding to the client and, based on that policy, invoking the single-factor authentication modules in the zero trust controller;
and the zero trust controller performing each single-factor authentication operation on the client information through the single-factor authentication modules and, if every single-factor authentication operation passes, determining that the client satisfies the multi-factor authentication policy.
In an exemplary embodiment of the present disclosure, the step of establishing mutual authentication between the client and the zero trust controller or the cloud storage gateway comprises:
the client initiating single packet authorization to the zero trust controller or the cloud storage gateway;
if the single packet authorization fails, the zero trust controller or the cloud storage gateway silently discarding the packet;
and if the single packet authorization passes, completing bidirectional authentication between the client and the zero trust controller or the cloud storage gateway by establishing a mutual TLS (transport layer security) connection between them.
In an exemplary embodiment of the present disclosure, the security detection policy comprises a security access policy and a security protection policy, and the cloud storage gateway obtaining the security detection policy from the zero trust controller and performing security detection on the client's access request based on that policy comprises:
the cloud storage gateway obtaining the security access policy and the security protection policy of the cloud storage system from the zero trust controller;
the cloud storage gateway starting a security access monitoring process based on the security access policy and a security protection monitoring process based on the security protection policy;
the cloud storage gateway, through the security access monitoring process, matching the client's access request against the characteristic information carried in the access token and determining whether the access request satisfies the security access policy;
the cloud storage gateway, through the security protection monitoring process, inspecting the client's access request and determining whether it satisfies the security protection policy;
and, if the client's access request satisfies both the security access policy and the security protection policy, determining that the access request passes detection.
In an exemplary embodiment of the present disclosure, the method further comprises:
if the client's access request does not satisfy both the security access policy and the security protection policy, the cloud storage gateway refusing the access request and executing a corresponding security protection action based on the request.
In an exemplary embodiment of the present disclosure, the method further comprises:
the cloud storage gateway reporting the handling information of the client's access requests to the zero trust controller at a preset time interval;
and the zero trust controller updating the security detection policy according to the handling information reported by the cloud storage gateway, and issuing the updated security detection policy to the cloud storage gateway.
According to a second aspect of the present disclosure, there is provided an access device for a cloud storage system, comprising:
a bidirectional authentication establishing module for establishing bidirectional authentication among a client, a cloud storage gateway and a zero trust controller, and for sending an access token for the cloud storage system to the client through the zero trust controller;
an access request sending module for the client to send an access request for the cloud storage system together with the corresponding access token to the cloud storage gateway corresponding to the cloud storage system;
an access request detection module for the cloud storage gateway to obtain a security detection policy from the zero trust controller and perform security detection on the client's access request based on that policy;
and an access result returning module for the cloud storage gateway, when the client's access request passes detection, to execute the access operation on the cloud storage system according to the access request and the access token and return the result of the access operation to the client.
According to a third aspect of the present disclosure, there is provided an electronic device comprising: a processor; and a memory for storing instructions executable by the processor; wherein the processor is configured to perform any of the above methods of accessing a cloud storage system by executing the executable instructions.
According to a fourth aspect of the present disclosure, there is provided a computer readable medium having stored thereon a computer program which, when executed by a processor, implements any of the above methods of accessing a cloud storage system.
Exemplary embodiments of the present disclosure may have the following advantageous effects:
According to the access method for a cloud storage system in the exemplary embodiments of the disclosure, on the one hand, establishing mutual authentication among the client, the cloud storage gateway and the zero trust controller reflects the zero-trust principle that access control is centred on the identity of the accessing host, and prevents both impersonation of the client and man-in-the-middle attacks carried out through an impersonated cloud storage gateway; on the other hand, continuously and dynamically checking each client access request for compliance with the security access policy rules and filtering it for viruses and malicious software further improves the access security of the cloud storage system.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the disclosure and together with the description, serve to explain the principles of the disclosure. It will be apparent to those of ordinary skill in the art that the drawings in the following description are merely examples of the disclosure and that other drawings may be derived from them without undue effort.
FIG. 1 illustrates a flow diagram of a method of accessing a cloud storage system according to an example embodiment of the present disclosure;
FIG. 2 schematically illustrates a cloud storage system deployment diagram based on zero trust access control in one embodiment according to the present disclosure;
FIG. 3 shows a schematic flow diagram of establishing mutual authentication between a client, a cloud storage gateway, and a zero trust controller according to an example embodiment of the present disclosure;
FIG. 4 illustrates a flow diagram of client access request security detection according to an example embodiment of the present disclosure;
FIG. 5 illustrates a flow diagram of an authentication and authorization method for a cloud storage system in accordance with one embodiment of the present disclosure;
FIG. 6 illustrates a flow diagram of a cloud disk access method of a cloud storage system in accordance with one embodiment of the present disclosure;
FIG. 7 illustrates a block diagram of an access device of a cloud storage system of an example embodiment of the present disclosure;
FIG. 8 shows a schematic diagram of a computer system suitable for use in implementing embodiments of the present disclosure.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. However, the exemplary embodiments may be embodied in many forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments. In the following description, numerous specific details are provided to give a thorough understanding of embodiments of the present disclosure. One skilled in the relevant art will recognize, however, that the aspects of the disclosure may be practiced without one or more of the specific details, or with other methods, components, devices, steps, etc. In other instances, well-known technical solutions have not been shown or described in detail to avoid obscuring aspects of the present disclosure.
Furthermore, the drawings are merely schematic illustrations of the present disclosure and are not necessarily drawn to scale. The same reference numerals in the drawings denote the same or similar parts, and thus a repetitive description thereof will be omitted. Some of the block diagrams shown in the figures are functional entities and do not necessarily correspond to physically or logically separate entities. These functional entities may be implemented in software or in one or more hardware modules or integrated circuits or in different networks and/or processor devices and/or microcontroller devices.
This embodiment first provides an access method for a cloud storage system. Referring to FIG. 1, the method may comprise the following steps:
S110, establishing mutual authentication among the client, the cloud storage gateway and the zero trust controller, and sending an access token for the cloud storage system to the client through the zero trust controller.
S120, the client sending an access request for the cloud storage system together with the corresponding access token to the cloud storage gateway corresponding to the cloud storage system.
S130, the cloud storage gateway obtaining a security detection policy from the zero trust controller and performing security detection on the client's access request based on that policy.
S140, when the client's access request passes detection, the cloud storage gateway executing the access operation on the cloud storage system according to the access request and the access token, and returning the result of the access operation to the client.
As summarised above, mutual authentication among the three components reflects the identity-centred zero-trust principle and prevents both client impersonation and man-in-the-middle attacks carried out through an impersonated cloud storage gateway, while continuous, dynamic checking of each access request against the security access policy rules and filtering for viruses and malicious software further improves the access security of the cloud storage system.
The above steps of the present exemplary embodiment will be described in more detail with reference to FIG. 2 to FIG. 6.
In step S110, mutual authentication among the client, the cloud storage gateway and the zero trust controller is established, and an access token for the cloud storage system is sent to the client through the zero trust controller.
In this example embodiment, access to the cloud storage system mainly involves three components: a client, a cloud storage gateway and a zero trust controller. FIG. 2 schematically illustrates a deployment of a cloud storage system based on zero trust access control in one embodiment of the present disclosure; the components function as follows:
Client: performs MFA (multi-factor authentication) and file management, i.e. operations such as uploading, downloading, deleting, sharing, creating, removing and viewing cloud disk files. The client component may take the form of an SDK (software development kit), an APP (application) or a WEB (World Wide Web) front end.
Cloud storage gateway: acts as the gateway to a distributed storage cloud, for example Ceph (a distributed storage system), and exposes a RESTful API (Representational State Transfer application programming interface) externally; performs mutual authentication with the client and the zero trust controller; and, according to the security access policy rules and the anti-virus and anti-malware (worm, backdoor and Trojan) rules issued by the zero trust controller, checks each cloud disk file access request for compliance with the security access policy rules and filters it for viruses and malicious software.
Zero trust controller: provides global IAM (identity and access management); may connect to optional authentication and authorization services such as multi-factor authentication (account password, mobile phone verification code, face authentication, PKI (public key infrastructure) certificate), device authentication and OAuth (an open authorization protocol); its access control engine invokes a trust algorithm, a security policy library, a permission authorization library and an operating environment library to make authorization decisions; and its security engine manages security policy and the decision control for file virus and malicious software prevention.
In this example embodiment, as shown in FIG. 3, pairwise mutual authentication among the client, the cloud storage gateway and the zero trust controller is established, and an access token for the cloud storage system is sent to the client through the zero trust controller, specifically by the following steps:
S310, establishing bidirectional authentication between the zero trust controller and the cloud storage gateway, and bidirectional authentication between the zero trust controller and the client.
In this example embodiment, the zero trust controller establishes an mTLS (mutual TLS, transport layer security with certificate authentication of both peers) connection with the cloud storage gateway; the session key negotiated in the handshake protects the channel, and the exchange and verification of both certificates completes bidirectional identity authentication.
In this example embodiment, mutual authentication between the client and the zero trust controller is established as follows: the client initiates single packet authorization to the zero trust controller; if the single packet authorization fails, the zero trust controller silently discards the packet; if it passes, bidirectional authentication between the client and the zero trust controller is completed by establishing a mutual TLS connection between them.
The client sends an SPA (single packet authorization) packet to the zero trust controller. If SPA authorization fails, the zero trust controller silently discards the packet and does not respond to the client; if it passes, the client establishes an mTLS connection with the zero trust controller, negotiates a session key and completes bidirectional identity authentication. Because the controller's service port answers only sources whose SPA packet has been verified, the SPA mechanism significantly reduces the network attack surface.
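The SPA step described here for the zero trust controller, and repeated below for the cloud storage gateway, as an added example that is not part of the patent: the client builds one authorization packet and the server verifies it before its mTLS listener is opened to that source. The packet layout (client ID, Unix timestamp, random nonce, HMAC-SHA256 tag), the pre-shared per-client key, the 30-second freshness window, the in-memory nonce cache and the sample client ID are assumptions of this example; the patent specifies only that a failed packet is dropped without a response and that a passing packet is followed by an mTLS handshake.

```python
"""Single packet authorization (SPA) gate in front of an mTLS listener.

Added example, not code from the patent. Packet format, key handling and
time windows are assumptions of this example.
"""
import base64
import hashlib
import hmac
import os
import time
from typing import Dict, Optional, Tuple

SPA_WINDOW_SECONDS = 30    # allowed drift between packet timestamp and server clock
OPEN_WINDOW_SECONDS = 10   # how long the mTLS port stays open for the source after a good packet


def build_spa_packet(client_id: str, key: bytes, now: Optional[float] = None) -> bytes:
    """Client side: client_id | unix_time | nonce | HMAC-SHA256(key, client_id|unix_time|nonce)."""
    ts = int(time.time() if now is None else now)
    nonce = base64.b64encode(os.urandom(16))
    body = b"|".join((client_id.encode(), str(ts).encode(), nonce))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + b"|" + base64.b64encode(tag)


class SpaVerifier:
    """Server side (zero trust controller or cloud storage gateway).

    verify() returns False for every bad packet; the caller must then send
    nothing back, which is what makes the port look closed to a scanner.
    """

    def __init__(self, client_keys: Dict[str, bytes]) -> None:
        self.client_keys = client_keys
        self._seen_nonces: Dict[bytes, float] = {}       # nonce -> expiry, blocks replay
        self._open: Dict[Tuple[str, str], float] = {}    # (client_id, src_ip) -> expiry

    def verify(self, packet: bytes, src_ip: str, now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        parts = packet.split(b"|")
        if len(parts) != 4:
            return False                                 # malformed
        client_id_b, ts_b, nonce_b, tag_b = parts
        try:
            client_id = client_id_b.decode()
            ts = int(ts_b)
            tag = base64.b64decode(tag_b, validate=True)
        except ValueError:                               # bad utf-8, non-integer time or bad base64
            return False
        key = self.client_keys.get(client_id)
        if key is None:
            return False                                 # unknown client
        expected = hmac.new(key, b"|".join((client_id_b, ts_b, nonce_b)), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return False                                 # forged or tampered
        if abs(now - ts) > SPA_WINDOW_SECONDS:
            return False                                 # stale packet or large clock skew
        self._expire(now)
        if nonce_b in self._seen_nonces:
            return False                                 # replay of a captured packet
        self._seen_nonces[nonce_b] = ts + SPA_WINDOW_SECONDS
        # Open the mTLS port for this source only. In a deployment this is a
        # short-lived firewall rule; the handshake that follows still checks certificates.
        self._open[(client_id, src_ip)] = now + OPEN_WINDOW_SECONDS
        return True

    def may_start_mtls(self, client_id: str, src_ip: str, now: Optional[float] = None) -> bool:
        """Firewall hook: is this source currently allowed to reach the mTLS listener?"""
        now = time.time() if now is None else now
        return self._open.get((client_id, src_ip), 0.0) > now

    def _expire(self, now: float) -> None:
        self._seen_nonces = {n: t for n, t in self._seen_nonces.items() if t > now}
        self._open = {k: t for k, t in self._open.items() if t > now}


if __name__ == "__main__":
    # Constructed pre-shared key for a hypothetical enrolled client.
    key = bytes.fromhex("00112233445566778899aabbccddeeff00112233445566778899aabbccddeeff")
    verifier = SpaVerifier({"client-42": key})
    pkt = build_spa_packet("client-42", key)
    print("first packet accepted:", verifier.verify(pkt, "10.0.0.5"))
    print("replayed packet accepted:", verifier.verify(pkt, "10.0.0.5"))
```

Three properties matter here: the server never answers a bad packet, so a port scanner learns nothing; the nonce cache stops a captured packet from being replayed inside the freshness window; and the HMAC gate only opens the port, it does not replace the certificate verification the mTLS handshake performs afterwards.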
S320, the zero trust controller obtaining a multi-factor authentication policy corresponding to the client, verifying the client information based on that policy, and determining whether the client satisfies the policy.
In this example embodiment, the zero trust controller obtains the multi-factor authentication policy corresponding to the client, invokes the single-factor authentication modules in the zero trust controller based on that policy, performs each single-factor authentication operation on the client information through those modules and, if every single-factor authentication operation passes, determines that the client satisfies the multi-factor authentication policy.
The zero trust controller invokes the single-factor authentication modules named in the client's MFA policy to verify the relevant client information. Authentication activities may include account password authentication, PKI certificate authentication, face authentication and other optional authentications. Each activity is optional and the activities may run concurrently; whether a given activity is performed depends on whether the client's MFA policy in the zero trust controller includes it.
S330, if the client satisfies the multi-factor authentication policy, establishing bidirectional authentication between the client and the cloud storage gateway.
The zero trust controller collects the results of the authentication activities and determines whether the client satisfies the multi-factor authentication policy.
If the zero trust controller determines that the client does not satisfy the policy, client authentication fails and the zero trust controller sends an authentication failure message to the client.
If the zero trust controller determines that the client satisfies the policy, client authentication succeeds and bidirectional authentication between the client and the cloud storage gateway is established.
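The policy evaluation of S320 and S330, as an added example that is not the patent's code: the controller reads the client's MFA policy, runs the single-factor modules it names concurrently, and accepts the client only when every one of them passes. The factor registry, the PBKDF2 password store, the RFC 6238 TOTP check, the device-fingerprint allow-list, the policy table and the enrolled sample client are assumptions of this example.

```python
"""Multi-factor policy evaluation with pluggable single-factor modules.

Added example, not the patent's code. Factor modules, enrolment data and the
policy table are assumptions of this example.
"""
import hashlib
import hmac
import struct
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, Dict, List, Tuple

# Constructed enrolment data for one client (in practice this lives in the IAM store).
_PW_SALT = b"constructed-per-user-salt"
_PW_ITERATIONS = 100_000
CLIENT_RECORDS: Dict[str, dict] = {
    "client-42": {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", b"correct horse battery staple", _PW_SALT, _PW_ITERATIONS),
        "totp_secret": b"12345678901234567890",          # the RFC 6238 test-vector secret
        "device_fingerprints": {"sha256:constructed-device-fp"},
    },
}
# Hypothetical MFA policy table: every factor listed for a client must pass.
MFA_POLICY: Dict[str, List[str]] = {
    "client-42": ["password", "totp"],
    "client-99": ["password", "totp", "device"],
}


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, as used by common authenticator apps."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return f"{code:0{digits}d}"


# Single-factor modules share one signature: (client_record, evidence, now) -> bool.
def check_password(record: dict, evidence: Dict[str, str], now: int) -> bool:
    presented = evidence.get("password")
    if presented is None:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", presented.encode(), _PW_SALT, _PW_ITERATIONS)
    return hmac.compare_digest(digest, record["pw_hash"])


def check_totp(record: dict, evidence: Dict[str, str], now: int) -> bool:
    presented = evidence.get("totp")
    if presented is None:
        return False
    # Accept the current 30 s step and one step either side to tolerate clock drift.
    return any(hmac.compare_digest(presented, totp(record["totp_secret"], now + drift))
               for drift in (-30, 0, 30))


def check_device(record: dict, evidence: Dict[str, str], now: int) -> bool:
    return evidence.get("device_fingerprint") in record["device_fingerprints"]


FACTOR_MODULES: Dict[str, Callable[[dict, Dict[str, str], int], bool]] = {
    "password": check_password,
    "totp": check_totp,
    "device": check_device,
}


def _run_factor(name: str, record: dict, evidence: Dict[str, str], now: int) -> bool:
    module = FACTOR_MODULES.get(name)
    if module is None:
        return False                 # policy names a module this controller lacks: fail closed
    try:
        return bool(module(record, evidence, now))
    except Exception:
        return False                 # a crashing module must never count as a pass


def evaluate_mfa(client_id: str, evidence: Dict[str, str], now: int) -> Tuple[bool, Dict[str, bool]]:
    """Run every factor named in the client's policy concurrently; the client passes only if all do."""
    record = CLIENT_RECORDS.get(client_id)
    required = MFA_POLICY.get(client_id)
    if record is None or not required:
        return False, {}             # unknown client or empty policy: deny
    with ThreadPoolExecutor(max_workers=len(required)) as pool:
        futures = {name: pool.submit(_run_factor, name, record, evidence, now) for name in required}
        results = {name: fut.result() for name, fut in futures.items()}
    return all(results.values()), results
```

The per-factor results are returned alongside the verdict so the controller can log which factor failed without telling the client; the failure message sent to the client in S330 should stay generic. Empty policies, unknown factor names and exceptions inside a module all evaluate as failures, which is the fail-closed behaviour a zero-trust controller needs.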
In this example embodiment, the step of establishing the mutual authentication between the client and the cloud storage gateway includes the client initiating a single packet authorization to the cloud storage gateway; if the single packet authorization fails, the cloud storage gateway directly discards the single packet; and if the single packet passes the authorization, the bidirectional authentication between the client and the cloud storage gateway is completed by establishing the bidirectional secure transport layer protocol connection between the client and the cloud storage gateway.
The client initiates SPA single-packet authorization to the cloud storage gateway. If the SPA single packet authorization fails, the cloud storage gateway directly discards the SPA single packet and does not respond to the client; if SPA single-packet authorization passes, the client establishes mTLS bidirectional TLS connection with the cloud storage gateway, negotiates a key, and completes bidirectional identity authentication.
S340, after the authentication succeeds, the zero trust controller sends to the client a cloud storage gateway list and the access tokens corresponding to the cloud storage systems that the client is allowed to connect to.
The zero trust controller determines a list of cloud storage gateways that allow the client to connect and access tokens issued to the client, and informs the cloud storage gateways and the client over a TLS secure channel. An access token is a string credential that represents that a client is authorized to access a protected resource, and typically includes an access token identifier, a client ID, a protected resource, a scope of rights, an expiration time stamp, and other information related to authorization decisions. The access token is typically opaque to the client, i.e., the client does not understand the meaning of the token, but the authorization server (here a zero trust controller) and the resource server (here a cloud storage gateway) understand the meaning of the token.
By carrying out MFA multi-factor authentication on the client, one or two additional authentication modes are adopted besides the traditional cloud disk account password, such as mobile phone verification codes, graphic verification codes, OTP (One Time Password, dynamic passwords), CA (Certificate Authority) certificates, and biometric authentication such as face recognition and fingerprint recognition, so that the login security of the client can be greatly enhanced.
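As an added illustration of the MFA policy evaluation and access token issuance described above (this is example code written for this page, not part of the patent or the applicant's implementation), the following sketch shows a zero trust controller running the single-factor modules named in a client's policy and, when all pass, issuing an opaque token whose meaning lives only in the controller's record. The client records, factor modules, hashing scheme and token layout are assumptions.

```python
"""Added example (not from the patent): a zero trust controller that evaluates a
client's MFA policy with pluggable single-factor modules and, on success, issues
an opaque access token whose meaning exists only in the controller's record.
Users, credentials, factor modules and the hashing scheme are all constructed."""
import hashlib
import hmac
import secrets
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Optional, Set, Tuple

_SALT = b"demo-salt"  # constructed; use a random per-user salt in practice


def _pw_hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


# Constructed client records: the enrolled credential for each factor.
CLIENT_DB = {
    "alice": {
        "password_hash": _pw_hash("correct horse battery"),
        "cert_fingerprint": "sha256:00aa11bb",   # constructed PKI certificate fingerprint
        "face_template": "face-template-alice",  # stand-in for a biometric template
    },
}

# Per-client MFA policy: the single-factor modules the controller must run.
MFA_POLICIES = {"alice": ["password", "pki_cert"]}


# Single-factor authentication modules: each verifies exactly one factor.
def check_password(info: dict) -> bool:
    rec = CLIENT_DB.get(info.get("client_id"))
    submitted = _pw_hash(info.get("password", "")).encode()
    return rec is not None and hmac.compare_digest(rec["password_hash"].encode(), submitted)


def check_pki_cert(info: dict) -> bool:
    rec = CLIENT_DB.get(info.get("client_id"))
    submitted = info.get("cert_fingerprint", "").encode()
    return rec is not None and hmac.compare_digest(rec["cert_fingerprint"].encode(), submitted)


def check_face(info: dict) -> bool:
    rec = CLIENT_DB.get(info.get("client_id"))
    return rec is not None and rec["face_template"] == info.get("face_template")


FACTOR_MODULES = {"password": check_password, "pki_cert": check_pki_cert, "face": check_face}


def evaluate_mfa(client_info: dict) -> Tuple[bool, Dict[str, bool]]:
    """Run every factor named in the client's policy (concurrently, since the factors
    are independent) and require all to pass. No policy, or an unknown module, fails closed."""
    factors = MFA_POLICIES.get(client_info.get("client_id"), [])
    if not factors or any(f not in FACTOR_MODULES for f in factors):
        return False, {}
    with ThreadPoolExecutor(max_workers=len(factors)) as pool:
        outcomes = list(pool.map(lambda f: FACTOR_MODULES[f](client_info), factors))
    results = dict(zip(factors, outcomes))
    return all(results.values()), results


# Server-side token records keyed by a hash of the opaque token string, so the raw
# credential is never stored. The client only ever sees the random string.
TOKEN_STORE: Dict[str, dict] = {}


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def issue_access_token(client_id: str, resource: str, scope: Set[str], ttl_seconds: int = 600) -> str:
    token = secrets.token_urlsafe(32)
    TOKEN_STORE[_token_key(token)] = {
        "token_id": secrets.token_hex(8),
        "client_id": client_id,
        "resource": resource,
        "scope": set(scope),
        "expires_at": time.time() + ttl_seconds,
    }
    return token


def lookup_access_token(token: str) -> Optional[dict]:
    """How the authorization server (or a gateway sharing its record) gives the opaque
    string its meaning; unknown or expired tokens resolve to nothing."""
    rec = TOKEN_STORE.get(_token_key(token))
    if rec is None or rec["expires_at"] <= time.time():
        return None
    return rec


def authenticate_and_authorize(client_info: dict, gateways: List[str], resource: str, scope: Set[str]) -> dict:
    """Controller flow from the text: evaluate the MFA policy; on failure return an
    authentication failure message, on success the permitted gateway list plus a token."""
    passed, results = evaluate_mfa(client_info)
    if not passed:
        return {"status": "authentication_failed", "factor_results": results}
    token = issue_access_token(client_info["client_id"], resource, scope)
    return {"status": "ok", "gateways": list(gateways), "access_token": token}
```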
In step S120, the client sends an access request of the cloud storage system and a corresponding access token to a cloud storage gateway corresponding to the cloud storage system.
In this example embodiment, the client may send the request to access the cloud storage system together with the access token to the cloud storage gateway over the TLS secure channel. The access request of the client may include operations on cloud disk files and folders such as uploading, downloading, deleting, sharing, adding, and searching.
In step S130, the cloud storage gateway acquires a security detection policy through the zero trust controller, and performs security detection on the access request of the client based on the security detection policy.
In this example embodiment, the security detection policies include security access policies and security protection policies, where the security protection policies may include rules that are anti-virus and anti-malware (worms, backdoors, trojans).
In this example embodiment, as shown in fig. 4, the cloud storage gateway obtains a security detection policy through the zero trust controller, and performs security detection on an access request of the client based on the security detection policy, which may specifically include the following steps:
S410, the cloud storage gateway acquires the security access policy and the security protection policy of the cloud storage system through the zero trust controller.
The zero trust controller determines the security access policy and the security protection policy (antivirus, anti-malware) for accessing the cloud storage system. The cloud storage gateway receives the security access policy and the security protection policy issued by the zero trust controller for accessing the cloud storage system through the TLS secure channel.
S420, the cloud storage gateway starts a security access monitoring process based on the security access policy and a security protection monitoring process based on the security protection policy.
The cloud storage gateway starts a relevant dynamic monitoring process based on a security access policy and a security protection policy issued by the zero trust controller.
S430, the cloud storage gateway matches the access request of the client against the characteristic information in the access token through the security access monitoring process, and judges whether the access request of the client meets the security access policy.
The cloud storage gateway parses the access token of the client, checks the access request information of the client, and detects and matches the relevant characteristic information of the access token and the access request through the security access monitoring process and the security protection monitoring process.
S440, the cloud storage gateway detects the access request of the client through the security protection monitoring process and judges whether the access request of the client meets the security protection policy.
The security access monitoring process detects and filters the cloud disk file access request for compliance with the security access policy rules. In particular, when the client uploads or shares a cloud disk file, the security protection monitoring process detects and filters viruses and malicious software. The security access monitoring process and the security protection monitoring process may run concurrently.
S450, if the access request of the client meets both the security access policy and the security protection policy, the access request of the client is judged to pass detection.
The cloud storage gateway gathers the processing results of the security access monitoring process and the security protection monitoring process and judges whether all the cloud disk file access requests of the client meet the requirements of the security access policy and the security protection policy. If the access request of the client meets both the security access policy and the security protection policy, the access request of the client is judged to pass detection.
In addition, if the access request of the client does not meet both the security access policy and the security protection policy, the cloud storage gateway refuses the access request of the client and executes the corresponding security protection action based on the access request of the client.
If the client cloud disk file access requests do not all meet the requirements of the security access policy and the security protection policy, the cloud storage gateway refuses the access requests of the client, and when a major security risk event (such as virus or malicious software found in an uploaded or shared file) is found, security protection actions (virus isolation, malicious software removal and session connection interruption) are carried out, and the security protection actions are reported to the zero trust controller and the client is notified.
In step S140, when the access request of the client passes, the cloud storage gateway performs an access operation of the cloud storage system according to the access request and the access token of the client, and returns an access operation result of the cloud storage system to the client.
In this example embodiment, if all access requests of the client meet requirements of a security access policy and a security protection policy, the cloud storage gateway locates a cloud disk file location in a cloud storage system to be accessed by the client, executes an operation within an access token authority range, and returns an access operation result of the cloud storage system to the client.
In this example embodiment, the cloud storage gateway may further report the access request handling information of the client to the zero trust controller according to a preset time interval, and the zero trust controller updates the security detection policy according to the access request handling information reported by the cloud storage gateway, and issues the updated security detection policy to the cloud storage gateway.
The cloud storage gateway periodically reports access request handling information of the client to the zero trust controller, wherein the access request handling information comprises cloud disk file access request handling results and related access logs. And the zero trust controller updates the client security access policy and the security protection policy after summarizing the related information, and issues the security access policy and the security protection policy to the cloud storage gateway to realize dynamic access control.
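As an added illustration of steps S410 to S450 and the reporting described above (example code written for this page, not part of the patent or the applicant's implementation), the following sketch shows a cloud storage gateway resolving the opaque token to its record, running the security access monitoring and security protection monitoring processes concurrently, rejecting on any failure, and triggering protection actions on a major security risk event. The token records, policy rule set, content signatures and request shape are assumptions.

```python
"""Added example (not from the patent): the cloud storage gateway's security
detection step. It resolves the opaque token to its record, runs the security
access monitoring and security protection monitoring processes concurrently,
rejects on any failure, triggers protection actions on a major risk event, and
keeps handling records for the periodic report to the zero trust controller.
Token records, policy rules, signatures and requests are all constructed."""
import hashlib
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, List, Optional

NOW = 1_700_000_000  # fixed clock so the example is deterministic


def _token_key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


# Token records as the controller would push them to the gateway over TLS.
TOKEN_RECORDS: Dict[str, dict] = {
    _token_key("tok-alice"): {
        "token_id": "t-0001", "client_id": "alice", "resource": "clouddisk/team-a/",
        "scope": {"upload", "download", "share", "search"}, "expires_at": NOW + 600,
    },
    _token_key("tok-bob"): {
        "token_id": "t-0002", "client_id": "bob", "resource": "clouddisk/team-b/",
        "scope": {"download"}, "expires_at": NOW - 1,  # already expired
    },
}

# Security access policy rule set issued by the controller (constructed).
ACCESS_POLICY = {
    "allowed_ops": {"upload", "download", "delete", "share", "search", "add"},
    "max_upload_bytes": 5 * 1024 * 1024,
    "no_share_prefixes": ["clouddisk/team-a/confidential/"],
}

# Security protection policy: constructed content markers stand in for the
# signatures of a real antivirus / anti-malware engine.
MALWARE_SIGNATURES = {"demo-worm": b"DEMO-WORM-MARKER", "demo-backdoor": b"DEMO-BACKDOOR-MARKER"}

HANDLING_LOG: List[dict] = []


def access_monitor(request: dict, rec: dict) -> List[str]:
    """Security access monitoring: match the request against the token's
    features and the access policy rules; return every violated rule."""
    problems = []
    if rec["expires_at"] <= request["time"]:
        problems.append("token expired")
    if rec["client_id"] != request["client_id"]:
        problems.append("client id does not match token")
    if not request["path"].startswith(rec["resource"]):
        problems.append("path outside the token's protected resource")
    if request["op"] not in ACCESS_POLICY["allowed_ops"]:
        problems.append("operation not allowed by policy")
    elif request["op"] not in rec["scope"]:
        problems.append("operation outside token scope")
    if request["op"] == "upload" and len(request.get("content", b"")) > ACCESS_POLICY["max_upload_bytes"]:
        problems.append("upload exceeds size limit")
    if request["op"] == "share" and any(request["path"].startswith(p) for p in ACCESS_POLICY["no_share_prefixes"]):
        problems.append("sharing forbidden for this path")
    return problems


def protection_monitor(request: dict) -> List[str]:
    """Security protection monitoring: scan the content of uploads and shares."""
    if request["op"] not in ("upload", "share"):
        return []
    content = request.get("content", b"")
    return [name for name, sig in MALWARE_SIGNATURES.items() if sig in content]


def detect(request: dict, token: str) -> dict:
    """Gateway decision for one request: pass only if both monitors are clean."""
    rec: Optional[dict] = TOKEN_RECORDS.get(_token_key(token))
    if rec is None:
        problems, hits = ["unknown token"], []
    else:
        with ThreadPoolExecutor(max_workers=2) as pool:
            access_future = pool.submit(access_monitor, request, rec)
            protect_future = pool.submit(protection_monitor, request)
            problems, hits = access_future.result(), protect_future.result()
    actions: List[str] = []
    if hits:  # malware in an uploaded or shared file counts as a major security risk event
        actions = ["quarantine_file", "remove_malware", "interrupt_session",
                   "report_to_controller", "notify_client"]
    result = {
        "decision": "pass" if not problems and not hits else "reject",
        "reasons": problems + ["signature:" + h for h in hits],
        "actions": actions,
        "token_id": rec["token_id"] if rec else None,
    }
    HANDLING_LOG.append({"time": request["time"], "client_id": request["client_id"],
                         "op": request["op"], "path": request["path"], **result})
    return result


def periodic_report(since: int) -> List[dict]:
    """Handling information the gateway reports to the controller each interval."""
    return [entry for entry in HANDLING_LOG if entry["time"] >= since]
```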
Fig. 5 is a schematic flow chart of an authentication and authorization method of a cloud storage system according to an embodiment of the present disclosure, which is an illustration of the above-mentioned bidirectional authentication related steps in the present exemplary embodiment, and the specific steps of the flow chart are as follows:
S502, the zero trust controller and the cloud storage gateway complete bidirectional identity authentication.
The zero trust controller establishes an mTLS connection with the cloud storage gateway, negotiates a key, and completes bidirectional identity authentication.
S504, the client and the zero trust controller complete bidirectional identity authentication.
The client initiates SPA single-packet authorization to the zero-trust controller. If the SPA single packet authorization fails, the zero trust controller directly discards the SPA single packet and does not respond to the client; if SPA single-packet authorization passes, the client establishes mTLS bidirectional connection with the zero trust controller, negotiates a key, and completes bidirectional identity authentication.
S506, the zero trust controller invokes the MFA multi-factor authentication policy to verify the relevant client information.
The zero trust controller invokes the (single factor) authentication authorization module involved in the MFA multi-factor authentication policy to verify the relevant client information.
Step S508, the zero trust controller executes authentication activities.
Authentication activities (account password authentication, PKI certificate authentication, face authentication, other optional authentication) are optional and may be performed concurrently, with the choice or absence of authentication activities depending on whether the zero trust controller client MFA multi-factor authentication policy includes the authentication.
S510, the zero trust controller judges whether the client meets the multi-factor authentication policy.
The zero trust controller gathers authentication activity results and determines whether the client satisfies a multi-factor authentication policy.
Step S512, the zero trust controller transmits the authentication failure message to the client.
If the zero trust controller determines that the client does not meet the multi-factor authentication policy, the authentication of the client fails, and the zero trust controller transmits an authentication failure message to the client.
Step S514, the zero trust controller determines a cloud storage gateway list allowing the client to connect and an access token issued to the client.
If the zero trust controller judges that the client meets the multi-factor authentication policy, the client authentication is successful, the zero trust controller determines a cloud storage gateway list allowing the client to connect and an access token issued to the client, and informs the cloud storage gateway and the client through a TLS secure channel.
S516, the client and the cloud storage gateway complete bidirectional identity authentication.
The client initiates SPA single-packet authorization to the cloud storage gateway. If the SPA single packet authorization fails, the cloud storage gateway directly discards the SPA single packet and does not respond to the client; if SPA single-packet authorization passes, the client establishes mTLS bidirectional TLS connection with the cloud storage gateway, negotiates a key, and completes bidirectional identity authentication.
Fig. 6 is a schematic flow chart of a cloud disk access method of a cloud storage system according to an embodiment of the present disclosure, which is an illustration of the access steps of the cloud storage system according to the present exemplary embodiment, and the specific steps of the flow chart are as follows:
S602, the zero trust controller determines the security access policy and the security protection policy for accessing cloud disk files.
The zero trust controller determines a security access policy rule set and security protection policies (antivirus, anti-malware) to access the cloud disk file.
S604, the cloud storage gateway starts the relevant dynamic monitoring processes.
The cloud storage gateway receives the security access policy rule set and the security protection policy issued by the zero trust controller for accessing cloud disk files through the TLS secure channel, and starts the relevant dynamic monitoring processes.
S606, the client sends an access request and an access token to the cloud storage gateway.
The client sends the request for accessing the cloud disk file together with the access token to the cloud storage gateway through the TLS secure channel. The request of the client to access the cloud disk file includes operations such as uploading, downloading, deleting, sharing, adding, and searching of cloud disk files.
S608, the cloud storage gateway detects the access request.
The cloud storage gateway parses the client access token and, through the security access monitoring process and the security protection monitoring process, detects and matches the relevant characteristic information against the cloud disk file access request information of the client.
S610, the cloud storage gateway runs the security access monitoring process and the security protection monitoring process.
The security access monitoring process and the security protection monitoring process (antivirus, anti-malware) run concurrently. The security access monitoring process detects and filters the cloud disk file access request for compliance with the security access policy rules. In particular, when the client uploads or shares a cloud disk file, the security protection monitoring process detects and filters viruses and malicious software.
S612, the cloud storage gateway judges whether the client access request meets the requirements of the security access policy and the security protection policy.
The cloud storage gateway gathers the processing results of the security access monitoring process and the security protection monitoring process and judges whether all the cloud disk file access requests of the client meet the requirements of the security access policy and the security protection policy.
Step S614, the cloud storage gateway refuses the client access request.
If the client cloud disk file access request does not fully meet the requirements of the security access policy and the security protection policy, the cloud storage gateway refuses the client cloud disk access request, and when a major security risk event (such as virus or malicious software found in an uploaded or shared file) is found, security protection actions (such as virus isolation, malicious software removal and session connection interruption) are performed, and the security protection actions are reported to the zero trust controller and the client is notified.
S616, the cloud storage gateway executes the access operation.
If all the cloud disk file access requests of the client meet the requirements of the security access policy and the security protection policy, the cloud storage gateway locates the position of the cloud disk file to be accessed by the client in the distributed storage cloud, executes the operation within the authority range of the access token, and returns the cloud disk access operation result to the client.
S618, the cloud storage gateway periodically reports the client access request handling information to the zero trust controller.
The cloud storage gateway periodically reports the handling of the client's cloud disk file access requests and the context information in the relevant access logs to the zero trust controller.
S620, the zero trust controller updates the security access policy and the security protection policy.
After summarizing the related information, the zero trust controller updates the security access policy and the security protection policy for the client's cloud disk files, and issues them to the cloud storage gateway to realize dynamic access control.
It should be noted that although the steps of the methods in the present disclosure are depicted in the accompanying drawings in a particular order, this does not require or imply that the steps must be performed in that particular order, or that all illustrated steps be performed, to achieve desirable results. Additionally or alternatively, certain steps may be omitted, multiple steps combined into one step to perform, and/or one step decomposed into multiple steps to perform, etc.
Further, the disclosure also provides an access device of the cloud storage system. Referring to fig. 7, the access device of the cloud storage system may include a mutual authentication establishment module 710, an access request transmission module 720, an access request detection module 730, and an access result return module 740. Wherein:
The mutual authentication establishment module 710 may be configured to establish mutual authentication between the client, the cloud storage gateway, and the zero trust controller, and send an access token of the cloud storage system to the client through the zero trust controller;
the access request sending module 720 may be configured to send, by the client, an access request of the cloud storage system and a corresponding access token to a cloud storage gateway corresponding to the cloud storage system;
the access request detection module 730 may be configured to obtain a security detection policy by using the cloud storage gateway through the zero trust controller, and perform security detection on an access request of the client based on the security detection policy;
the access result returning module 740 may be configured to, when the access request of the client passes, perform an access operation of the cloud storage system according to the access request and the access token of the client, and return the access operation result of the cloud storage system to the client.
In some exemplary embodiments of the present disclosure, the mutual authentication establishment module 710 may include a controller authentication establishment unit, an authentication policy judgment unit, a client authentication establishment unit, and an access token sending unit. Wherein:
the controller authentication establishment unit may be configured to establish bidirectional authentication between the zero trust controller and the cloud storage gateway and bidirectional authentication between the zero trust controller and the client;
the authentication policy judgment unit may be configured to acquire, by the zero trust controller, a multi-factor authentication policy corresponding to the client, verify the client information based on the multi-factor authentication policy, and judge whether the client meets the multi-factor authentication policy;
the client authentication establishment unit may be configured to establish bidirectional authentication between the client and the cloud storage gateway if the client meets the multi-factor authentication policy;
the access token sending unit may be configured to send to the client, by the zero trust controller after authentication succeeds, the cloud storage gateway list and the access tokens corresponding to the plurality of cloud storage systems that the client is allowed to connect to.
In some exemplary embodiments of the present disclosure, the authentication policy judging unit may include an authentication module calling unit and an authentication operation performing unit. Wherein:
the authentication module calling unit may be configured to acquire, by the zero trust controller, the multi-factor authentication policy corresponding to the client and invoke a single-factor authentication module in the zero trust controller based on the multi-factor authentication policy;
the authentication operation execution unit may be configured to perform, by the zero trust controller, each single-factor authentication operation on the client information through the single-factor authentication module, and to judge that the client meets the multi-factor authentication policy if all the single-factor authentication operations pass.
In some exemplary embodiments of the present disclosure, the client authentication establishment unit may include a single packet authorization unit, a single packet discard unit, and a protocol connection unit. Wherein:
the single packet authorization unit may be configured for the client to initiate single packet authorization to the zero trust controller or the cloud storage gateway;
the single packet discarding unit may be configured to directly discard the single packet at the zero trust controller or the cloud storage gateway if the single packet authorization fails;
the protocol connection unit may be configured to complete bidirectional authentication between the client and the zero trust controller or the cloud storage gateway by establishing a bidirectional secure transport layer protocol connection between them if the single packet authorization passes.
In some exemplary embodiments of the present disclosure, the access request detection module 730 may include a security policy acquisition unit, a monitoring process starting unit, a security access monitoring unit, a security protection monitoring unit, and a request detection judgment unit. Wherein:
the security policy acquisition unit may be configured to acquire, by the cloud storage gateway through the zero trust controller, the security access policy and the security protection policy of the cloud storage system;
the monitoring process starting unit may be configured to start, by the cloud storage gateway, a security access monitoring process based on the security access policy and a security protection monitoring process based on the security protection policy;
the security access monitoring unit may be configured to match, by the cloud storage gateway through the security access monitoring process, the access request of the client against the characteristic information in the access token, and judge whether the access request of the client meets the security access policy;
the security protection monitoring unit may be configured to detect, by the cloud storage gateway through the security protection monitoring process, the access request of the client, and judge whether the access request of the client meets the security protection policy;
the request detection judgment unit may be configured to judge that the access request of the client passes detection if the access request of the client meets both the security access policy and the security protection policy.
In some exemplary embodiments of the present disclosure, the access request detection module 730 may further include an access request rejecting unit, which may be configured to reject the access request of the client if the access request of the client does not satisfy the security access policy and the security protection policy at the same time, and perform a corresponding security protection action based on the access request of the client.
In some exemplary embodiments of the present disclosure, an access device of a cloud storage system provided by the present disclosure may further include a security policy update module, which may include a disposition information reporting unit and a security policy update unit. Wherein:
The handling information reporting unit may be configured to report, by using the cloud storage gateway, access request handling information of the client to the zero trust controller according to a preset time interval;
the security policy updating unit may be configured to update the security detection policy according to the access request handling information reported by the cloud storage gateway by using the zero trust controller, and send the updated security detection policy to the cloud storage gateway.
The specific details of each module/unit in the access device of the cloud storage system are described in detail in the corresponding method embodiment section, and are not described herein again.
Fig. 8 shows a schematic diagram of a computer system suitable for use in implementing embodiments of the present disclosure.
It should be noted that, the computer system 800 of the electronic device shown in fig. 8 is only an example, and should not impose any limitation on the functions and the application scope of the embodiments of the present disclosure.
As shown in fig. 8, the computer system 800 includes a Central Processing Unit (CPU) 801 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 802 or a program loaded from a storage section 808 into a Random Access Memory (RAM) 803. In the RAM 803, various programs and data required for system operation are also stored. The CPU 801, ROM 802, and RAM 803 are connected to each other by a bus 804. An input/output (I/O) interface 805 is also connected to the bus 804.
The following components are connected to the I/O interface 805: an input portion 806 including a keyboard, mouse, etc.; an output portion 807 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and a speaker; a storage section 808 including a hard disk or the like; and a communication section 809 including a network interface card such as a LAN card, a modem, or the like. The communication section 809 performs communication processing via a network such as the internet. The drive 810 is also connected to the I/O interface 805 as needed. A removable medium 811 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 810 as needed so that a computer program read out therefrom is mounted into the storage section 808 as needed.
In particular, according to embodiments of the present disclosure, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 809, and/or installed from the removable medium 811. When executed by the Central Processing Unit (CPU) 801, the computer program performs the various functions defined in the system of the present disclosure.
It should be noted that the computer readable medium shown in the present disclosure may be a computer readable signal medium or a computer readable storage medium, or any combination of the two. The computer readable storage medium can be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or a combination of any of the foregoing. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. In the present disclosure, however, the computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, with the computer-readable program code embodied therein. Such a propagated data signal may take any of a variety of forms, including, but not limited to, electro-magnetic, optical, or any suitable combination of the foregoing. A computer readable signal medium may also be any computer readable medium that is not a computer readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device. 
Program code embodied on a computer readable medium may be transmitted using any appropriate medium, including but not limited to: wireless, wire, fiber optic cable, RF, etc., or any suitable combination of the foregoing.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
As another aspect, the present disclosure also provides a computer-readable medium that may be contained in the electronic device described in the above embodiments; or may exist alone without being incorporated into the electronic device. The computer readable medium carries one or more programs which, when executed by the electronic device, cause the electronic device to implement the method as described in the above embodiments.
It should be noted that although in the above detailed description several modules of a device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functions of two or more modules described above may be embodied in one module in accordance with embodiments of the present disclosure. Conversely, the features and functions of one module described above may be further divided into a plurality of modules to be embodied.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This disclosure is intended to cover any variations, uses, or adaptations of the disclosure following the general principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains.
It is to be understood that the present disclosure is not limited to the precise arrangements and instrumentalities shown in the drawings, and that various modifications and changes may be effected without departing from the scope thereof. The scope of the present disclosure is limited only by the appended claims.

Claims (10)

1. An access method of a cloud storage system is characterized by comprising the following steps:
Establishing mutual authentication among a client, a cloud storage gateway and a zero trust controller, and sending an access token of the cloud storage system to the client through the zero trust controller;
the client sends the access request of the cloud storage system and the corresponding access token to a cloud storage gateway corresponding to the cloud storage system;
the cloud storage gateway acquires a security detection policy through the zero trust controller and performs security detection on an access request of the client based on the security detection policy;
when the access request of the client passes the detection, the cloud storage gateway executes the access operation on the cloud storage system according to the access request of the client and the access token, and returns the result of the access operation on the cloud storage system to the client.
2. The method for accessing a cloud storage system according to claim 1, wherein establishing mutual authentication between a client, a cloud storage gateway and a zero trust controller, and sending an access token of the cloud storage system to the client through the zero trust controller comprises:
Establishing bidirectional authentication between the zero trust controller and the cloud storage gateway and bidirectional authentication between the zero trust controller and the client;
the zero trust controller acquires a multi-factor authentication policy corresponding to the client, verifies the client information based on the multi-factor authentication policy, and judges whether the client meets the multi-factor authentication policy;
if the client side meets the multi-factor authentication policy, establishing bidirectional authentication between the client side and the cloud storage gateway;
and after the authentication succeeds, the zero trust controller sends to the client a list of cloud storage gateways and an access token corresponding to the cloud storage systems to which the client is allowed to connect.
3. The access method of the cloud storage system according to claim 2, wherein the zero trust controller obtains a multi-factor authentication policy corresponding to the client, verifies client information based on the multi-factor authentication policy, and determines whether the client satisfies the multi-factor authentication policy, including:
the zero trust controller acquires a multi-factor authentication policy corresponding to the client, and invokes a single-factor authentication module in the zero trust controller based on the multi-factor authentication policy;
and the zero trust controller performs the respective single-factor authentication operations on the client information through the single-factor authentication module, and if all the single-factor authentication operations pass, the client is judged to meet the multi-factor authentication policy.
4. The method of accessing a cloud storage system of claim 2, wherein establishing mutual authentication between the client and the zero trust controller or the cloud storage gateway comprises:
the client initiates single-packet authorization to the zero trust controller or the cloud storage gateway;
if the single-packet authorization fails, the zero trust controller or the cloud storage gateway directly discards the single packet;
and if the single-packet authorization passes, the bidirectional authentication between the client and the zero trust controller or the cloud storage gateway is completed by establishing a bidirectional (mutually authenticated) Transport Layer Security connection between the client and the zero trust controller or the cloud storage gateway.
5. The access method of the cloud storage system according to claim 1, wherein the security detection policy includes a security access policy and a security protection policy, the cloud storage gateway obtains the security detection policy through the zero trust controller, and performs security detection on an access request of the client based on the security detection policy, including:
the cloud storage gateway acquires a security access policy and a security protection policy of the cloud storage system through the zero trust controller;
the cloud storage gateway starts a security access monitoring process based on the security access policy and starts a security protection monitoring process based on the security protection policy;
the cloud storage gateway matches the access request of the client against the characteristic information in the access token through the security access monitoring process, and judges whether the access request of the client meets the security access policy;
the cloud storage gateway detects the access request of the client through the security protection monitoring process and judges whether the access request of the client meets the security protection policy;
and if the access request of the client side meets the security access policy and the security protection policy simultaneously, judging that the access request of the client side passes the detection.
6. The method of accessing a cloud storage system of claim 5, said method further comprising:
and if the access request of the client does not meet both the security access policy and the security protection policy at the same time, the cloud storage gateway refuses the access request of the client and executes a corresponding security protection action based on the access request of the client.
7. The method of accessing a cloud storage system of claim 1, said method further comprising:
the cloud storage gateway reports the access request handling information of the client to the zero trust controller according to a preset time interval;
and the zero trust controller updates the security detection policy according to the access request handling information reported by the cloud storage gateway, and issues the updated security detection policy to the cloud storage gateway.
8. An access device for a cloud storage system, comprising:
a bidirectional authentication establishing module, configured to establish bidirectional authentication among a client, a cloud storage gateway and a zero trust controller, and to send an access token of the cloud storage system to the client through the zero trust controller;
an access request sending module, configured to enable the client to send the access request of the cloud storage system and the corresponding access token to a cloud storage gateway corresponding to the cloud storage system;
an access request detection module, configured to enable the cloud storage gateway to acquire a security detection policy through the zero trust controller and to perform security detection on the access request of the client based on the security detection policy;
and an access result returning module, configured to enable the cloud storage gateway, when the access request of the client passes the detection, to execute the access operation on the cloud storage system according to the access request of the client and the access token, and to return the result of the access operation on the cloud storage system to the client.
9. An electronic device, comprising:
a processor; and
a memory for storing one or more programs that, when executed by the processor, cause the processor to implement the method of accessing a cloud storage system of any of claims 1-7.
10. A computer readable medium, on which a computer program is stored, characterized in that the program, when executed by a processor, implements the access method of the cloud storage system according to any of claims 1 to 7.
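As an added illustration that is not code from the patent (which specifies no data formats or implementation), the following Python models the cloud storage gateway's detection step of claims 5 and 6: a request is served only if it matches the characteristic information in its access token (security access policy) and passes the protection checks (security protection policy); a protection failure triggers a constructed protection action, and every decision is recorded as the handling information a gateway would report to the zero trust controller under claim 7. All class and field names, the concrete checks (token expiry, bucket and operation allow-lists, a per-client request limit, rejection of traversal-style object keys) and the blocking action are assumptions made for this example.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class AccessToken:            # issued by the zero trust controller (claim 2); fields assumed
    client_id: str
    allowed_buckets: frozenset
    allowed_ops: frozenset
    expires_at: int           # constructed: unix seconds

@dataclass(frozen=True)
class AccessRequest:          # assumed shape of a client's cloud storage access request
    client_id: str
    bucket: str
    op: str                   # e.g. "GET", "PUT"
    object_key: str
    sent_at: int

@dataclass
class SecurityDetectionPolicy:   # claim 5: security access policy + security protection policy
    max_requests_per_client: int = 3           # protection: crude per-client rate limit
    forbidden_key_fragments: tuple = ("../",)  # protection: traversal-style object keys

class CloudStorageGateway:
    def __init__(self, policy):
        self.policy = policy
        self.request_counts = {}
        self.blocked = set()       # clients hit by a protection action (claim 6)
        self.handling_log = []     # handling information to report to the controller (claim 7)

    def meets_access_policy(self, req, token):
        """Security access monitoring: request features must match the access token."""
        return (req.client_id == token.client_id and req.sent_at < token.expires_at
                and req.bucket in token.allowed_buckets and req.op in token.allowed_ops)

    def meets_protection_policy(self, req):
        """Security protection monitoring: per-client limits and unsafe object keys."""
        if req.client_id in self.blocked:
            return False
        n = self.request_counts[req.client_id] = self.request_counts.get(req.client_id, 0) + 1
        return (n <= self.policy.max_requests_per_client
                and not any(f in req.object_key for f in self.policy.forbidden_key_fragments))

    def handle(self, req, token, storage):
        """Both checks must pass (claim 5); otherwise deny and act (claim 6)."""
        access_ok, protect_ok = self.meets_access_policy(req, token), self.meets_protection_policy(req)
        result = ("ALLOW", storage(req)) if access_ok and protect_ok else ("DENY", None)
        if not protect_ok:
            self.blocked.add(req.client_id)   # constructed protection action: block the client
        self.handling_log.append((req.client_id, req.op, req.object_key, result[0]))
        return result
```

`storage` stands in for the actual cloud storage operation; a real gateway would also fetch the policy object from the controller rather than construct it locally.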
CN202310860836.8A 2023-07-13 2023-07-13 Access method and device of cloud storage system, electronic equipment and computer medium Pending CN116781382A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310860836.8A CN116781382A (en) 2023-07-13 2023-07-13 Access method and device of cloud storage system, electronic equipment and computer medium

Publications (1)

Publication Number Publication Date
CN116781382A true CN116781382A (en) 2023-09-19

Family

ID=87989532


Country Status (1)

Country Link
CN (1) CN116781382A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination