CN116881956A - Permission management method and device oriented to multi-cloud resource management - Google Patents
Permission management method and device oriented to multi-cloud resource management Download PDFInfo
- Publication number
- CN116881956A CN116881956A CN202311154001.7A CN202311154001A CN116881956A CN 116881956 A CN116881956 A CN 116881956A CN 202311154001 A CN202311154001 A CN 202311154001A CN 116881956 A CN116881956 A CN 116881956A
- Authority
- CN
- China
- Prior art keywords
- authorization
- role
- time
- offline
- roles
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Links
- 238000007726 management method Methods 0.000 title claims abstract description 47
- 238000013475 authorization Methods 0.000 claims abstract description 148
- 238000000034 method Methods 0.000 claims abstract description 54
- 230000008569 process Effects 0.000 claims abstract description 44
- 238000012545 processing Methods 0.000 claims abstract description 23
- 238000004891 communication Methods 0.000 claims abstract description 8
- 230000002159 abnormal effect Effects 0.000 claims description 20
- 238000011156 evaluation Methods 0.000 claims description 20
- 239000003086 colorant Substances 0.000 claims description 4
- 238000004590 computer program Methods 0.000 description 4
- 230000008878 coupling Effects 0.000 description 3
- 238000010168 coupling process Methods 0.000 description 3
- 238000005859 coupling reaction Methods 0.000 description 3
- 238000010586 diagram Methods 0.000 description 3
- 230000006870 function Effects 0.000 description 3
- 239000004973 liquid crystal related substance Substances 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 230000004044 response Effects 0.000 description 2
- 239000004065 semiconductor Substances 0.000 description 2
- 230000009471 action Effects 0.000 description 1
- 238000004458 analytical method Methods 0.000 description 1
- 238000004422 calculation algorithm Methods 0.000 description 1
- 238000004364 calculation method Methods 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000003111 delayed effect Effects 0.000 description 1
- 238000013461 design Methods 0.000 description 1
- 238000011161 development Methods 0.000 description 1
- 230000000694 effects Effects 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 238000012544 monitoring process Methods 0.000 description 1
- 238000004088 simulation Methods 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 238000006467 substitution reaction Methods 0.000 description 1
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/60—Protecting data
- G06F21/604—Tools and structures for managing or administering access control systems
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2137—Time limited access, e.g. to a computer or data
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Abstract
The application discloses a rights management method and device for multi-cloud resource management, and particularly relates to the technical field of rights management, wherein the rights management method and device comprises a data processing module, an information acquisition module, a marking module, an authorization strategy module and a real-time judging module, wherein the information acquisition module, the marking module, the authorization strategy module and the real-time judging module are in communication connection with the data processing module; according to the marking conditions of enterprise users and roles, corresponding authorization strategies are formulated, so that the security of the cloud platform and the flexibility of access control are improved, and the authorization process of normal enterprise users is reduced; and judging whether the role or enterprise user performs the authorization step again or not by comparing the offline time of the role with the offline time threshold and comparing the offline times with the offline times threshold so as to reduce potential security vulnerabilities or risks, solve the problem of complex authorization of cloud platform resources and ensure the security of accessing the cloud resources at the enterprise user based on the cloud platform.
Description
Technical Field
The application relates to the technical field of rights management, in particular to a rights management method and device for multi-cloud resource management.
Background
With the rapid development of cloud computing markets, enterprises are converting from single cloud services to hybrid cloud and multi-cloud services, the technical advantages of different cloud manufacturers can be fully utilized by using a multi-cloud architecture, and the strategy of multi-cloud deployment can be dynamically adjusted according to the requirements of services, technologies, performances and the like, so that the multi-cloud architecture provides great convenience for rapid innovation of the enterprises, a plurality of challenges are brought, the management of the multi-cloud is more and more complex, independent management processes and systems are required to be built for each cloud platform, and particularly, the management is abnormal and complex in terms of user resource management of a plurality of cloud platforms.
The enterprise has higher requirements on security in communication with the cloud platform, the enterprise user generally comprises a plurality of access roles, when the existing enterprise user accesses the cloud platform by using different access roles, in order to ensure the security of cloud resources of the cloud platform, the authority of the access roles to access the cloud resources of the cloud platform needs to be authorized and managed according to the difference of each cloud platform to the access roles, and the cloud platforms are authorized one by one, so that the problems of great workload and complexity exist, and the access efficiency is affected.
In order to solve the above problems, a technical solution is now provided.
Disclosure of Invention
In order to overcome the above drawbacks of the prior art, embodiments of the present application provide a rights management method and apparatus for multi-cloud resource management to solve the problems set forth in the background art.
In order to achieve the above purpose, the present application provides the following technical solutions:
a rights management method facing to multi-cloud resource management comprises the following steps:
step S1: collecting historical authorization process information and historical operation information, and calculating a historical authority security assessment coefficient according to the historical authorization process information and the historical operation information; marking the diagonal color by comparing the historical authority security assessment coefficient with an authority security assessment threshold;
step S2: calculating the role risk rate, and marking enterprise users according to the comparison between the role risk rate and the role risk rate threshold value; according to the marked condition of enterprise users and the marked condition of roles, an authorization strategy is formulated;
step S3: and acquiring real-time safety information, obtaining the offline time and offline times of the roles according to the real-time safety information, and judging whether to re-authorize or not through comparison of the offline time and the offline time threshold value and comparison of the offline times and the offline time threshold value.
In a preferred embodiment, the historical authorization process information includes an authorization summary value, and the authorization summary value is obtained by:
setting standard authorization time which is the average value of the times used for successful authorization in the authorization step; in the history of acquisition, the number of times of authorizing steps of the cloud platform to the character in the history is acquired, the authorizing steps of the cloud platform to the character in the history are numbered, and the number of authorizing steps of the cloud platform to the character in the history is marked as,/>;Is a positive integer; acquiring time used by each cloud platform in the history of successful authorization for the role;
calculating an authorization clique value, wherein the authorization clique value is expressed as follows:the method comprises the steps of carrying out a first treatment on the surface of the Which is a kind ofIn (I)>Time taken for the authorization step of a cloud platform for a character, +.>For standard authorized time, ++>Is an authorized bumpy value;
the authorization success rate is the ratio of the number of times of successful authorization to the total number of times of the authorization step of the cloud platform to the role;
the historical operation information is reflected by the operation safety value; acquiring the total access times of the roles on the cloud platform, and acquiring the abnormal access times of the roles on the cloud platform after the roles are successfully authorized; acquiring the times of exceeding the authority of a role in a certain access process; setting an override authority number threshold, and marking the number of times of the access process, which exceeds the authority number threshold in the access process, as an authority override value;
calculating an operation safety value according to the abnormal access times, the total access times and the authority override value;
and weighting and summing the authorized camping value, the authorized success rate and the operation safety value to obtain a historical authority safety evaluation coefficient.
In a preferred embodiment, a rights security assessment threshold is set; and marking the roles as dangerous roles when the historical permission safety evaluation coefficient is larger than the permission safety evaluation threshold, and marking the roles as safe roles when the historical permission safety evaluation coefficient is smaller than or equal to the permission safety evaluation threshold.
In a preferred embodiment, in step S2, a role risk is calculated from the number of roles marked as dangerous roles within the enterprise user and the number of roles marked as safe roles within the enterprise user; setting a role risk threshold, and marking enterprise users as dangerous enterprise users when the role risk is larger than the role risk threshold; when the role risk rate is smaller than or equal to the role risk rate threshold value, marking the enterprise user as a normal enterprise user;
when the enterprise user is marked as a dangerous enterprise user, generating a three-level authorization signal; when the enterprise user is marked as a normal enterprise user and the role is marked as a dangerous role, generating a secondary authorization signal; when an enterprise user is marked as a normal enterprise user and a role is marked as a security role, a primary authorization signal is generated.
In a preferred embodiment, in step S3, real-time security information is collected, the real-time security information being represented by the character off-line time;
setting an offline time threshold, and generating a role re-authorization signal when the offline time of the role is greater than the offline time threshold;
recording the times of generating the role re-authorization signal; setting an offline frequency threshold, and generating an enterprise user re-authorization signal when the frequency of generating the role re-authorization signal is greater than the offline frequency threshold.
In a preferred embodiment, the rights management device for cloud resource management comprises a data processing module, an information acquisition module, a marking module, an authorization strategy module and a real-time judging module, wherein the information acquisition module, the marking module, the authorization strategy module and the real-time judging module are in communication connection with the data processing module;
the information acquisition module acquires historical authorization process information and historical operation information, the historical authorization process information and the historical operation information are sent to the data processing module, and the data processing module calculates a historical authority security assessment coefficient;
the information acquisition module acquires real-time safety information, the real-time safety information is sent to the data processing module, and the data processing module processes the real-time safety information to obtain the offline time and offline times of the roles;
the marking module marks the diagonal colors through the comparison of the historical authority security assessment coefficient and the authority security assessment threshold; the marking module marks the enterprise users according to the comparison of the role risk rate and the role risk rate threshold value;
the authorization policy module formulates an authorization policy according to the marked condition of the enterprise user and the marked condition of the role;
the real-time judging module judges whether to re-authorize or not through the comparison of the offline time and the offline time threshold value and the comparison of the offline times and the offline times threshold value.
The rights management method and the rights management device for the cloud resource management have the technical effects and advantages that:
1. calculating a historical authority security assessment coefficient through the historical authorization process information and the historical operation information, and marking different roles as dangerous roles or safe roles according to comparison of the historical authority security assessment coefficient and an authority security assessment threshold; such tagging and categorization may help enterprise users quickly learn about the security status of the roles.
2. Marking the enterprise users as dangerous enterprise users or normal enterprise users according to the role risk rate and the role risk rate threshold value; such tagging and categorization may help enterprise users identify enterprise users with higher security risks; according to the marking conditions of enterprise users and roles, a corresponding authorization strategy is formulated, so that the problem that resources of a cloud platform are complex to authorize is solved, the security and the access control flexibility of the cloud platform are improved, and meanwhile, the authorization process of normal enterprise users is reduced.
3. By acquiring the offline time of the role, comparing the offline time of the role with the offline time threshold and comparing the offline times with the offline times threshold, judging whether the role or the enterprise user carries out the authorization step again so as to reduce potential security holes or risks, and by re-authorizing, the access authority of the whole enterprise user is ensured to be effectively managed, so that the offline condition of the role inside the enterprise user can be timely dealt with, and the security of accessing the cloud resources on the basis of the cloud platform by the enterprise user is ensured.
Drawings
FIG. 1 is a schematic diagram of a rights management method for multi-cloud resource management according to the present application;
fig. 2 is a schematic structural diagram of a rights management unit for multi-cloud resource management according to the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Example 1
Fig. 1 shows a rights management method for multi-cloud resource management, which includes the following steps:
step S1: collecting historical authorization process information and historical operation information, and calculating a historical authority security assessment coefficient according to the historical authorization process information and the historical operation information; and marking the diagonal colors by comparing the historical permission safety evaluation coefficients with permission safety evaluation thresholds.
Step S2: calculating the role risk rate, and marking enterprise users according to the comparison between the role risk rate and the role risk rate threshold value; and formulating an authorization strategy according to the marked condition of the enterprise user and the marked condition of the role.
Step S3: and acquiring real-time safety information, obtaining the offline time and offline times of the roles according to the real-time safety information, and judging whether to re-authorize or not through comparison of the offline time and the offline time threshold value and comparison of the offline times and the offline time threshold value.
In step S1, an enterprise user generally accesses a cloud platform with more than one role to obtain cloud resources, and the cloud platform authorizes the enterprise user first and then authorizes the enterprise user to include the corresponding role; enterprise users include role 1, role 2, role 3. n is a positive integer.
And respectively acquiring historical authorization process information and historical operation information of the roles included by the enterprise user.
The authorization result of the authorization step of the cloud platform to the role is divided into authorization success and authorization failure; the total number of the authorization steps of the cloud platform to the character is the sum of the number of times that the authorization of the cloud platform to the character is successful and the number of times that the authorization of the cloud platform to the character is failed.
The historical authorization process information includes authorization values, which are obtained as follows:
setting standard authorization time, wherein the standard authorization time is set according to the security requirement of the cloud platform, the actual time used in the actual authorization process and other actual conditions; the standard authorization time setting steps are as follows: setting an authorization step corresponding to the cloud platform according to the security requirement of the cloud platform, wherein the higher the security requirement is, the more complicated the step is; performing simulation experiments on steps of the authorization process to obtain a large number of times of time used for executing the authorization process, namely the time used for successfully authorizing the authorization step, calculating the average value of the time used for successfully authorizing the authorization step under a large number of times, wherein the standard authorization time is the average value of the time used for successfully authorizing the authorization step; in the process of authorizing the enterprise user roles by the cloud platform in the later period, the time used for successful authorization of the enterprise user roles is generally longer than the standard authorization time due to the influence of manual operation.
The authorization value represents the fluency of authorization steps when a role of a user of an enterprise accesses a cloud platform.
In the history of acquisition, acquiring the times of authorizing steps of the cloud platform to the character in the history, numbering the authorizing steps of the cloud platform to the character in the history, and marking the number of authorizing steps of the cloud platform to the character in the history as,;/>Is a positive integer; and acquiring the time used by each cloud platform in the history of successful authorization for the role.
Calculating an authorization campness value through the time used in the step of authorizing the character by the cloud platform and the standard authorization time, wherein the authorization campness value expression is as follows:the method comprises the steps of carrying out a first treatment on the surface of the Wherein, the liquid crystal display device comprises a liquid crystal display device,/>time taken for the authorization step of a cloud platform for a character, +.>For standard authorized time, ++>Is an authorized bumpy value; the greater the authorization campness value, the longer the authorization time of the cloud platform to the character in the history, the worse the fluency of the authorization step, the longer the exposure time of the security credential in the authorization step, and the greater the risk of unauthorized access or attack during the authorization; the windows of security vulnerabilities and risks are increased, making the cloud platform and related data vulnerable to unauthorized access or attack.
The authorization success rate is the ratio of the number of times of successful authorization to the total number of times of the authorization step of the cloud platform to the role; the higher the success rate of the authorization, the higher the security during the authorization.
And acquiring historical operation information, wherein the historical operation information is embodied through an operation safety value.
The operation safety value represents the safety of a certain enterprise user when the role of the certain enterprise user acquires cloud resources of a certain cloud platform.
In the history, the total access times of the roles on the cloud platform are obtained, and after the roles are successfully authorized, the abnormal access times of the roles on the cloud platform are obtained, wherein the abnormal access times comprise the access times of an abnormal time period and the access times of an abnormal geographic position; the abnormal access times are the sum of the abnormal time period access times and the abnormal geographic position access times.
The total access times of the character on the cloud platform is the sum of the abnormal access times of the character on the cloud platform and the normal access times of the character on the cloud platform.
The cloud platform is generally accessed at a plurality of fixed geographic positions owned by the enterprise user, and the working time of the enterprise is also relatively fixed, namely the working time is fixed, so that the cloud platform is not accessed within the fixed working time and marked as abnormal time period access without accessing the enterprise user at the plurality of fixed geographic positions; the greater the number of abnormal accesses, the more serious the rights security problem may exist.
Acquiring the times of overriding authority of a character in a certain access process, wherein the overriding authority refers to the action of clicking cloud resources which do not belong to the authority of the character in the access process; setting an override authority frequency threshold in consideration of the condition that false clicking possibly exists, acquiring the frequency of the access process that the frequency of the override authority is greater than the override authority frequency threshold in the access process, marking the frequency of the access process that the frequency of the override authority is greater than the override authority frequency threshold as an authority override value, wherein the greater the authority override value is, the worse the access security of the character on the cloud platform in the history is, and the more serious the override behavior is; the rights override value is generally small, and if the rights override value is too large, the operation condition that serious rights override exists is indicated.
According to the abnormal access times, the total access times and the authority override value, an operation security value is calculated, for example, one way of calculating the operation security value is as follows: the operation safety value is obtained by multiplying the ratio of the abnormal access times to the total access times by the authority override value; the operation safety value reflects the safety of operation authority when the role accesses the cloud platform in the history, and the larger the ratio of the abnormal access times to the total access times and the larger the authority override value, the larger the result of multiplying the ratio of the abnormal access times to the total access times by the authority override value, namely the more serious the override behavior exists.
The historical authority security assessment coefficient is obtained by weighted summation of the authorized and smooth values and the authorized success rate and the operation security value, for example, the historical authority security assessment coefficient can be calculated by adopting the following formula:the method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Respectively isHistorical authority security assessment coefficient, authorization success rate and operation security value +.>Weight factors of authorization and authorization success rate and operation safety value are respectively, and for better follow-up analysis according to the magnitude of the historical authority safety evaluation coefficient, the weight factors are +.>Greater than 0->Less than 0.
The larger the historical permission security assessment coefficient is, the worse the security of the access of the role to the cloud platform is in the history.
Setting a permission safety evaluation threshold value, and marking the diagonal color by comparing the historical permission safety evaluation coefficient with the permission safety evaluation threshold value.
Calculating historical permission security assessment coefficients corresponding to different roles included by enterprise users, marking the roles as dangerous roles when the historical permission security assessment coefficients are larger than a permission security assessment threshold, marking the roles as safe roles when the historical permission security assessment coefficients are smaller than or equal to the permission security assessment threshold, and marking the roles as safe roles when the historical permission security assessment coefficients are better in the authorization process of the cloud platform.
The authorization process and the operation behavior of the angle on the cloud platform can be comprehensively evaluated through the collection of the historical authorization process information and the historical operation information, and different roles can be marked as dangerous roles or safe roles according to the comparison of the historical permission safety evaluation coefficient and the permission safety evaluation threshold value; such tagging and categorization may help enterprise users quickly learn about the security status of the roles.
In step S2, the number of roles marked as dangerous roles in the enterprise user is obtained, the number of roles marked as safe roles in the enterprise user is obtained, and the role risk rate is calculated: role risk = number of dangerous roles/(number of roles of security role + number of roles of dangerous role); setting a role risk threshold, and marking enterprise users as dangerous enterprise users when the role risk is larger than the role risk threshold; and marking the enterprise user as a normal enterprise user when the role risk is less than or equal to the role risk threshold.
After the cloud platform authorizes the enterprise user, an authorization strategy is formulated according to the marked condition of the enterprise user and the marked condition of the role:
when the enterprise users are marked as dangerous enterprise users, three-level authorization signals are generated, and the cloud platform strictly executes authorization steps according to the generated three-level authorization signals when the enterprise users and roles access the cloud platform.
When the enterprise user is marked as a normal enterprise user and the role is marked as a dangerous role, generating a secondary authorization signal, and the cloud platform skips the authorization step according to the generated secondary authorization signal, wherein the role needs to strictly execute the authorization step.
When the enterprise user is marked as a normal enterprise user and the role is marked as a security role, a primary authorization signal is generated, and the cloud platform directly enters the cloud platform by skipping the authorization step when the enterprise user and the role access the cloud platform according to the generated primary authorization signal.
It is noted that the permission security evaluation threshold is set according to the magnitude of the historical permission security evaluation coefficient and actual conditions such as security requirement standards integrated by the professional technician on the cloud platform, and the details are not repeated here; the role risk threshold is set according to the role risk and the actual conditions such as security requirement standards of the cloud platform for the roles by professional technicians, and the like, and will not be repeated here.
The role risk rate reflects the overall safety condition of the roles in the enterprise users, and helps the enterprise users to quickly know the overall risk level of the roles; marking the enterprise users as dangerous enterprise users or normal enterprise users according to the role risk threshold; such tagging and categorization may help enterprise users identify enterprise users with higher security risks; according to marking conditions of enterprise users and roles, corresponding authorization strategies are formulated, and balance of safety and convenience is achieved; the security and access control flexibility of the cloud platform are improved, the authorization process of normal enterprise users is reduced, and user experience is improved.
In step S3, real-time security information is collected, and after the authorization policy is formulated, real-time access is monitored, and the real-time security information is reflected by the role offline time.
The role offline time refers to a period of time that an enterprise user role is offline during communication or access with the cloud platform.
Longer character off-line times may result in delayed data processing and responses, may delay discovery and processing of abnormal access or security events, which may increase response time to security threats, reduce the effectiveness of real-time monitoring, and may result in an increase in security vulnerabilities or risks.
Setting an offline time threshold, and generating a role re-authorization signal when the offline time of the role is greater than the offline time threshold and the role is dangerous to the access environment of the cloud platform after the role is offline for a long time; and the cloud platform re-authorizes the roles according to the generated role re-authorization signal, and the roles need to be re-authorized.
Recording the times of generating role re-authorization signals when the enterprise user roles access the cloud platform in real time; setting an offline frequency threshold, and generating an enterprise user re-authorization signal when the frequency of generating the role re-authorization signal is greater than the offline frequency threshold; and the cloud platform performs an authorization step on the angle after the enterprise user needs to perform the authorization step again according to the generated enterprise user re-authorization signal.
The number of times the character re-authorization signal is generated is marked as the offline number.
The offline time threshold is set according to the actual security requirement standard of the cloud platform for offline time, and is not described herein again; the offline frequency threshold is set according to the security requirement standard of the cloud platform for the offline frequency actually, and will not be described here again.
The method has the advantages that the offline time of the roles can be obtained, the states of the roles of the enterprise users in the communication or access process with the cloud platform can be monitored, whether the roles or the enterprise users are subjected to authorization steps again is judged through comparison of the offline time of the roles and the offline time threshold value and comparison of the offline times and the offline times threshold value, so that potential security holes or risks are reduced, the access authority of the whole enterprise users is effectively managed through re-authorization, the offline situation of the roles inside the enterprise users can be timely dealt with, the security risks are reduced, and the security of accessing the cloud resources based on the cloud platform in the enterprise users is guaranteed.
Example 2
The difference between embodiment 2 and embodiment 1 of the present application is that this embodiment describes a rights management unit for multi-cloud resource management.
Fig. 2 is a schematic structural diagram of a rights management device for managing cloud resources, which includes a data processing module, an information acquisition module, a marking module, an authorization policy module and a real-time judging module, wherein the information acquisition module, the marking module, the authorization policy module and the real-time judging module are communicatively connected with the data processing module.
The information acquisition module acquires the historical authorization process information and the historical operation information, the historical authorization process information and the historical operation information are sent to the data processing module, and the data processing module calculates a historical authority security assessment coefficient.
The information acquisition module acquires real-time safety information, the real-time safety information is sent to the data processing module, and the data processing module processes the real-time safety information to obtain the offline time and offline times of the roles.
The marking module marks the diagonal colors through the comparison of the historical authority security assessment coefficient and the authority security assessment threshold; and the marking module marks the enterprise user according to the comparison of the role risk rate and the role risk rate threshold value.
The authorization policy module formulates an authorization policy according to the marked condition of the enterprise user and the marked condition of the role.
The real-time judging module judges whether to re-authorize or not through the comparison of the offline time and the offline time threshold value and the comparison of the offline times and the offline times threshold value.
The above formulas are all formulas with dimensionality removed and numerical calculation, the formulas are formulas with the latest real situation obtained by software simulation through collecting a large amount of data, and preset parameters and threshold selection in the formulas are set by those skilled in the art according to the actual situation.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any other combination. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. When the computer instructions or computer program are loaded or executed on a computer, the processes or functions described in accordance with embodiments of the present application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from one website site, computer, server, or data center to another website site, computer, server, or data center by wired (e.g., infrared, wireless, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains one or more sets of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
Those of ordinary skill in the art will appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described system, apparatus and module may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, and for example, the division of the modules is merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or modules, which may be in electrical, mechanical, or other forms.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on this understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, comprising several instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method according to the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely illustrative of the present application, and the present application is not limited thereto, and any person skilled in the art will readily recognize that variations or substitutions are within the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Finally: the foregoing description of the preferred embodiments of the application is not intended to limit the application to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and principles of the application are intended to be included within the scope of the application.
Claims (6)
1. The rights management method for the cloud resource management is characterized by comprising the following steps of:
step S1: collecting historical authorization process information and historical operation information, and calculating a historical authority security assessment coefficient according to the historical authorization process information and the historical operation information; marking the diagonal color by comparing the historical authority security assessment coefficient with an authority security assessment threshold;
step S2: calculating the role risk rate, and marking enterprise users according to the comparison between the role risk rate and the role risk rate threshold value; according to the marked condition of enterprise users and the marked condition of roles, an authorization strategy is formulated;
step S3: and acquiring real-time safety information, obtaining the offline time and offline times of the roles according to the real-time safety information, and judging whether to re-authorize or not through comparison of the offline time and the offline time threshold value and comparison of the offline times and the offline time threshold value.
2. The rights management method for multi-cloud resource management according to claim 1, wherein: the historical authorization process information comprises authorization values, and the acquisition logic of the authorization values is as follows:
setting standard authorization time which is the average value of the times used for successful authorization in the authorization step; in the history of acquisition, the number of times of authorizing steps of the cloud platform to the character in the history is acquired, the authorizing steps of the cloud platform to the character in the history are numbered, and the number of authorizing steps of the cloud platform to the character in the history is marked as,/>;/>Is a positive integer; acquiring time used by each cloud platform in the history of successful authorization for the role;
calculating an authorization clique value, wherein the authorization clique value is expressed as follows:the method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Time taken for the authorization step of a cloud platform for a character, +.>For standard authorized time, ++>Is an authorized bumpy value;
the authorization success rate is the ratio of the number of times of successful authorization to the total number of times of the authorization step of the cloud platform to the role;
the historical operation information is reflected by the operation safety value; acquiring the total access times of the roles on the cloud platform, and acquiring the abnormal access times of the roles on the cloud platform after the roles are successfully authorized; acquiring the times of exceeding the authority of a role in a certain access process; setting an override authority number threshold, and marking the number of times of the access process, which exceeds the authority number threshold in the access process, as an authority override value;
calculating an operation safety value according to the abnormal access times, the total access times and the authority override value;
and weighting and summing the authorized camping value, the authorized success rate and the operation safety value to obtain a historical authority safety evaluation coefficient.
3. The rights management method for multi-cloud resource management according to claim 2, wherein: setting a permission security assessment threshold; and marking the roles as dangerous roles when the historical permission safety evaluation coefficient is larger than the permission safety evaluation threshold, and marking the roles as safe roles when the historical permission safety evaluation coefficient is smaller than or equal to the permission safety evaluation threshold.
4. A rights management method for multi-cloud resource management as claimed in claim 3, wherein: in step S2, calculating the role risk rate according to the number of roles marked as dangerous roles in the enterprise user and the number of roles marked as safe roles in the enterprise user; setting a role risk threshold, and marking enterprise users as dangerous enterprise users when the role risk is larger than the role risk threshold; when the role risk rate is smaller than or equal to the role risk rate threshold value, marking the enterprise user as a normal enterprise user;
when the enterprise user is marked as a dangerous enterprise user, generating a three-level authorization signal; when the enterprise user is marked as a normal enterprise user and the role is marked as a dangerous role, generating a secondary authorization signal; when an enterprise user is marked as a normal enterprise user and a role is marked as a security role, a primary authorization signal is generated.
5. The rights management method for multi-cloud resource management according to claim 4, wherein: in step S3, collecting real-time safety information, wherein the real-time safety information is reflected by the off-line time of the character;
setting an offline time threshold, and generating a role re-authorization signal when the offline time of the role is greater than the offline time threshold;
recording the times of generating the role re-authorization signal; setting an offline frequency threshold, and generating an enterprise user re-authorization signal when the frequency of generating the role re-authorization signal is greater than the offline frequency threshold.
6. A rights management apparatus for multi-cloud resource management, configured to implement a rights management method for multi-cloud resource management as claimed in any one of claims 1 to 5, wherein: the system comprises a data processing module, an information acquisition module, a marking module, an authorization strategy module and a real-time judging module, wherein the information acquisition module, the marking module, the authorization strategy module and the real-time judging module are in communication connection with the data processing module;
the information acquisition module acquires historical authorization process information and historical operation information, the historical authorization process information and the historical operation information are sent to the data processing module, and the data processing module calculates a historical authority security assessment coefficient;
the information acquisition module acquires real-time safety information, the real-time safety information is sent to the data processing module, and the data processing module processes the real-time safety information to obtain the offline time and offline times of the roles;
the marking module marks the diagonal colors through the comparison of the historical authority security assessment coefficient and the authority security assessment threshold; the marking module marks the enterprise users according to the comparison of the role risk rate and the role risk rate threshold value;
the authorization policy module formulates an authorization policy according to the marked condition of the enterprise user and the marked condition of the role;
the real-time judging module judges whether to re-authorize or not through the comparison of the offline time and the offline time threshold value and the comparison of the offline times and the offline times threshold value.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311154001.7A CN116881956B (en) | 2023-09-08 | 2023-09-08 | Permission management method and device oriented to multi-cloud resource management |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202311154001.7A CN116881956B (en) | 2023-09-08 | 2023-09-08 | Permission management method and device oriented to multi-cloud resource management |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN116881956A true CN116881956A (en) | 2023-10-13 |
| CN116881956B CN116881956B (en) | 2024-01-09 |
Family
ID=88268471
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202311154001.7A Active CN116881956B (en) | 2023-09-08 | 2023-09-08 | Permission management method and device oriented to multi-cloud resource management |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116881956B (en) |
Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104935590A (en) * | 2015-06-10 | 2015-09-23 | 南京航空航天大学 | HDFS access control method based on role and user trust value |
| CN105760745A (en) * | 2014-12-15 | 2016-07-13 | 华为软件技术有限公司 | Authority management method and device |
| US20190156342A1 (en) * | 2016-07-22 | 2019-05-23 | Alibaba Group Holding Limited | Method and device for controlling service operation risk |
| CN115146297A (en) * | 2022-09-02 | 2022-10-04 | 江苏荣泽信息科技股份有限公司 | Authority management method and device for enterprise-level account |
| CN116506200A (en) * | 2023-05-11 | 2023-07-28 | 余杰 | Cloud security service implementation system and method |
| CN116708037A (en) * | 2023-08-07 | 2023-09-05 | 勤源(江苏)科技有限公司 | Cloud platform access right control method and system |
-
2023
- 2023-09-08 CN CN202311154001.7A patent/CN116881956B/en active Active
Patent Citations (6)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN105760745A (en) * | 2014-12-15 | 2016-07-13 | 华为软件技术有限公司 | Authority management method and device |
| CN104935590A (en) * | 2015-06-10 | 2015-09-23 | 南京航空航天大学 | HDFS access control method based on role and user trust value |
| US20190156342A1 (en) * | 2016-07-22 | 2019-05-23 | Alibaba Group Holding Limited | Method and device for controlling service operation risk |
| CN115146297A (en) * | 2022-09-02 | 2022-10-04 | 江苏荣泽信息科技股份有限公司 | Authority management method and device for enterprise-level account |
| CN116506200A (en) * | 2023-05-11 | 2023-07-28 | 余杰 | Cloud security service implementation system and method |
| CN116708037A (en) * | 2023-08-07 | 2023-09-05 | 勤源(江苏)科技有限公司 | Cloud platform access right control method and system |
Also Published As
| Publication number | Publication date |
|---|---|
| CN116881956B (en) | 2024-01-09 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US11818168B2 (en) | Monitoring for lateral movements-related security threats | |
| Shameli-Sendi et al. | Intrusion response systems: survey and taxonomy | |
| JP5030578B2 (en) | Method, data processing system, and program for controlling risk in an artificial neural network expert system | |
| EP2515252A2 (en) | System and method for reducing security risk in computer network | |
| US20210234877A1 (en) | Proactively protecting service endpoints based on deep learning of user location and access patterns | |
| EP4104410B1 (en) | Security automation system with machine learning functions | |
| WO2016048129A2 (en) | A system and method for authenticating a user based on user behaviour and environmental factors | |
| CN116881956B (en) | Permission management method and device oriented to multi-cloud resource management | |
| CN106951779A (en) | A kind of USB security protection systems for selecting to analyze with equipment behavior based on user | |
| He et al. | SCPN-based game model for security situational awareness in the Intenet of things | |
| CN110225019B (en) | Network security processing method and device | |
| US20220060485A1 (en) | Threat forecasting | |
| Zhang et al. | A qualitative and quantitative risk assessment method in software security | |
| CN114745143A (en) | Method and device for automatically generating access control strategy | |
| CN113127882B (en) | Terminal safety protection method, device, equipment and readable storage medium | |
| CN111818017B (en) | Railway network security prediction method and system and electronic equipment | |
| CN109743303A (en) | Using guard method, device, system and storage medium | |
| CN117097560B (en) | Virtualized attack-defense countermeasure environment construction method | |
| CN116366286A (en) | Zero trust access control method and device | |
| CN117390708B (en) | Privacy data security protection method and system | |
| CN114035784B (en) | Method and device for defining verification code flow through graph and rule set | |
| CN115296830A (en) | Network collaborative attack modeling and harm quantitative analysis method based on game theory | |
| Du et al. | Research and Application of Information System Vulnerability Control Technology Based on Runtime Self-Protection Technology | |
| Boadi et al. | Current BYOD security evaluation system: future direction | |
| Kpoze et al. | Cybersecurity Risk Assessment for Beninese Power Grid SCADA system |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||
| SE01 | Entry into force of request for substantive examination | ||
| GR01 | Patent grant | ||
| GR01 | Patent grant |