CN117836761A - Managing data isolation - Google Patents


Info

Publication number: CN117836761A
Authority: CN (China)
Prior art keywords: group, data, service, management, isolation requirements
Legal status: Pending
Application number: CN202180101562.3A
Other languages: Chinese (zh)
Inventors: 平静, I·亚当
Current Assignee: Nokia Shanghai Bell Co Ltd; Nokia Solutions and Networks Oy
Original Assignee: Nokia Shanghai Bell Co Ltd; Nokia Solutions and Networks Oy
Application filed by Nokia Shanghai Bell Co Ltd and Nokia Solutions and Networks Oy

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F 16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F 16/24 Querying
    • G06F 16/245 Query processing
    • G06F 16/2455 Query execution

Abstract

Embodiments of the present disclosure relate to devices, methods, apparatuses, and computer-readable storage media for managing data isolation. The method includes receiving, at a first device, management data associated with a service; in accordance with a determination that the management data belongs to a group, obtaining one or more isolation requirements of the group; isolating storage space allocated to the group based on the one or more isolation requirements; and storing the management data in the storage space.

Description

Managing data isolation
Technical Field
Embodiments of the present disclosure relate generally to the field of telecommunications and, more particularly, relate to an apparatus, method, device, and computer-readable storage medium for managing data isolation.
Background
Slice isolation is important to ensure reliable, secure, regulatory-compliant and guaranteed services, as well as data and communication integrity and confidentiality. To support network slice isolation requirements, the Global System for Mobile Communications Association (GSMA) defines attributes in the Generic Slice Template (GST) to isolate the resources of different horizontal network slices.
The data of a network slice customer (NSC, i.e., tenant) always needs to be isolated from the data of other NSCs, even at the least stringent level of isolation (i.e., service/tenant isolation).
Disclosure of Invention
In general, example embodiments of the present disclosure provide a solution to managing data isolation.
In a first aspect, a method is provided. The method includes receiving, at a first device, management data associated with a service; in accordance with a determination that the management data belongs to a group, obtaining one or more isolation requirements of the group; isolating storage space allocated to the group based on the one or more isolation requirements; and storing the management data in the storage space.
In a second aspect, an apparatus is provided. The apparatus includes at least one processor; and at least one memory including computer program code; the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to: receive, at a first device, management data associated with a service; in accordance with a determination that the management data belongs to a group, obtain one or more isolation requirements of the group; isolate storage space allocated to the group based on the one or more isolation requirements; and store the management data in the storage space.
In a third aspect, there is provided an apparatus comprising: means for receiving, at a first device, management data associated with a service; means for obtaining one or more isolation requirements for a group corresponding to a service in accordance with a determination that the management data belongs to the group; means for isolating storage space allocated to the group based on one or more isolation requirements; and means for storing the management data in the storage space.
In a fourth aspect, there is provided a computer readable medium having stored thereon a computer program which, when executed by at least one processor of a device, causes the device to perform a method according to the first aspect.
Other features and advantages of embodiments of the present disclosure will become apparent from the following description of the specific embodiments, when read in conjunction with the accompanying drawings, which illustrate, by way of example, the principles of the embodiments of the disclosure.
Drawings
Embodiments of the present disclosure are presented in an exemplary sense, and their advantages are explained in more detail below with reference to the drawings, in which
FIG. 1 illustrates an example environment in which example embodiments of the present disclosure may be implemented;
FIG. 2 illustrates an example of a process of managing data isolation according to some example embodiments of the present disclosure;
FIG. 3 illustrates a flowchart of an example method of managing data isolation, according to some example embodiments of the present disclosure;
FIG. 4 illustrates a simplified block diagram of a device suitable for implementing exemplary embodiments of the present disclosure; and
FIG. 5 illustrates a block diagram of an example computer-readable medium, according to some embodiments of the disclosure.
The same or similar reference numbers will be used throughout the drawings to refer to the same or like elements.
Detailed Description
Principles of the present disclosure will now be described with reference to some example embodiments. It should be understood that these embodiments are described for illustrative purposes only and to assist those skilled in the art in understanding and practicing the present disclosure without implying any limitation on the scope of the present disclosure. The disclosure described herein may be implemented in various ways other than those described below.
In the following description and claims, unless defined otherwise, all technical and scientific terms used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this disclosure belongs.
References in the present disclosure to "one embodiment," "an embodiment," "an example embodiment," etc., indicate that the embodiment described may include a particular feature, structure, or characteristic, but every embodiment may not necessarily include the particular feature, structure, or characteristic. In addition, such phrases are not necessarily referring to the same embodiment. Furthermore, when a particular feature, structure, or characteristic is described in connection with an example embodiment, it is submitted that it is within the knowledge of one skilled in the art to effect such feature, structure, or characteristic in connection with other embodiments whether or not explicitly described.
It will be understood that, although the terms "first" and "second," etc. may be used herein to describe various elements, these elements should not be limited by these terms. These terms are only used to distinguish between functions of the various elements. As used herein, the term "and/or" includes any and all combinations of one or more of the listed terms.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of example embodiments. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises," "comprising," "has," "having," "includes" and/or "including," when used herein, specify the presence of stated features, elements, components, and/or groups thereof, but do not preclude the presence or addition of one or more other features, elements, components, and/or groups thereof.
As used in this application, the term "circuitry" may refer to one, or more, or all of:
(a) Hardware-only circuit implementations (such as implementations in analog and/or digital circuitry only)
(b) A combination of hardware circuitry and software, such as (as applicable):
(i) Combination of analog and/or digital hardware circuit(s) and software/firmware, and
(ii) Any portion of the hardware processor(s) (including digital signal processor (s)), software, and memory(s) with software that work together to cause a device (such as a mobile phone or server) to perform various functions and
(c) Hardware circuit(s) and/or processor(s), such as microprocessor(s) or a portion of microprocessor(s), that require software (e.g., firmware) for operation, but the software may not be present when it is not needed for operation.
This definition of circuitry applies to all uses of this term in this application, including in any claims. As a further example, as used in this application, the term "circuitry" also encompasses an implementation of only a hardware circuit or processor (or processors) or a portion of a hardware circuit or processor and its (or their) accompanying software and/or firmware. The term "circuitry" also encompasses, for example and if applicable to the particular claim element, a baseband integrated circuit or processor integrated circuit for a mobile device or a similar integrated circuit in a server, cellular network device, or other computing or network device.
As used herein, the term "communication network" refers to a network that conforms to any suitable communication standard, such as a fifth generation (5G) system, Long Term Evolution (LTE), LTE-Advanced (LTE-A), Wideband Code Division Multiple Access (WCDMA), High Speed Packet Access (HSPA), Narrowband Internet of Things (NB-IoT), and so forth. Furthermore, the communication between the terminal device and the network device in the communication network may be performed according to any suitable generation communication protocol, including, but not limited to, first generation (1G), second generation (2G), 2.5G, 2.75G, third generation (3G), fourth generation (4G), 4.5G, future fifth generation (5G) New Radio (NR) communication protocols and/or any other protocol currently known or to be developed in the future. Embodiments of the present disclosure may be applied in various communication systems. In view of the rapid development of communications, there will of course be future types of communication technologies and systems with which the present disclosure may be embodied. It should not be taken as limiting the scope of the present disclosure to only the foregoing systems.
As used herein, the term "network device" refers to a node in a communication network via which a terminal device accesses the network and receives services from the network. A network device may refer to a Base Station (BS) or access point, a Node B (NodeB or NB), an evolved NodeB (eNodeB or eNB), an NR next generation NodeB (gNB), a Remote Radio Unit (RRU), a Radio Head (RH), a Remote Radio Head (RRH), a relay, a low power node (such as a femto or pico node), etc., depending on the terminology and technology applied. The RAN split architecture includes a gNB-CU (centralized unit, hosting RRC, SDAP, and PDCP) that controls multiple gNB-DUs (distributed units, hosting RLC, MAC, and PHY). The relay node may correspond to the DU portion of the IAB node.
The term "terminal device" refers to any terminal device capable of wireless communication. By way of example, and not limitation, a terminal device may also be referred to as a communication device, User Equipment (UE), Subscriber Station (SS), portable subscriber station, Mobile Station (MS), or Access Terminal (AT). The terminal devices may include, but are not limited to, mobile phones, cellular phones, smart phones, Voice over IP (VoIP) phones, wireless local loop phones, tablets, wearable terminal devices, Personal Digital Assistants (PDAs), portable computers, desktop computers, image capture terminal devices (such as digital cameras), gaming terminal devices, music storage and playback devices, in-vehicle wireless terminal devices, wireless endpoints, mobile stations, Laptop Embedded Equipment (LEE), Laptop Mounted Equipment (LME), USB dongles, smart devices, wireless Customer Premises Equipment (CPE), Internet of Things (IoT) devices, watches or other wearable devices, Head Mounted Displays (HMDs), vehicles, drones, medical devices and applications (e.g., tele-surgery), industrial devices and applications (e.g., robots and/or other wireless devices operating in an industrial and/or automated processing chain context), consumer electronic devices, devices operating on commercial and/or industrial wireless networks, and the like. The terminal device may also correspond to the Mobile Terminal (MT) part of an Integrated Access and Backhaul (IAB) node (also referred to as a relay node). In the following description, the terms "terminal device", "communication device", "terminal", "user equipment" and "UE" may be used interchangeably.
Although the functionality described herein may be performed in fixed and/or wireless network nodes and/or management functions/nodes in various example embodiments, in other example embodiments, the functionality may be implemented in a user equipment device (such as a cell phone or tablet or laptop or desktop or mobile IoT device or fixed IoT device). The user equipment device may be suitably equipped with corresponding capabilities as described in connection with the fixed and/or radio network node(s), for example. The user equipment device may be a user equipment and/or a control device (such as a chipset or processor) configured to control the user equipment when installed in the user equipment. Examples of such functions include a bootstrapping server function and/or a home subscriber server, which may be implemented in a user equipment device by providing the user equipment device with software configured to cause the user equipment device to execute from the perspective of these functions/nodes.
Fig. 1 illustrates an example communication network 100 in which embodiments of the present disclosure may be implemented. Communication network 100 may include a plurality of management function nodes 110-1, 110-2, and 110-3 and service consumer 120. Service consumer 120 may request a specific service from at least one of management function nodes 110-1, 110-2, and 110-3. The plurality of management function nodes 110-1, 110-2 and 110-3 may communicate with each other.
In some scenarios, management function node 110-1 may be referred to as a provisioning function node, management function node 110-2 may be referred to as a monitoring function node, and management function node 110-3 may be referred to as an analysis function node.
The management function nodes 110-1, 110-2, and 110-3 may be implemented as different management function entities. It should be appreciated that the management function nodes 110-1, 110-2 and 110-3 may be integrated in the same management function entity. Hereinafter, the management function nodes 110-1, 110-2, and 110-3 may also be collectively referred to as the management function node 110.
It should be understood that the number of management functional entities and service consumers shown in fig. 1 is given for illustrative purposes and not to imply any limitation. Communication network 100 may include any suitable number of management function entities and service consumers.
In addition, communication network 100 may also include other systems 130 and a DBMS 140.
As mentioned above, slice isolation is important to ensure reliable, secure, regulatory-compliant and guaranteed services, as well as data and communication integrity and confidentiality. To support the network slice isolation requirements, GSMA defines attributes in the GST to isolate the resources of different levels of network slices.
The data of a network slice customer always requires isolation from the data of other NSCs, even at the least stringent level of isolation (i.e., service/tenant isolation).
Different types of data exist in 5G networks, such as management plane data, signal plane data, and data plane data.
Management plane data may also be referred to as management data and includes operational data such as FM, PM, CM, repository, inventory, trace, QoE, MDT, log, policy and analysis report data, etc.; and business data such as charging information, SLAs, consumer identity and credentials, tenant profiles, subscriber data, etc.
The signal plane data may include UE Id, S-NSSAI, PLMN/NPN Id, DNN, location, credentials for authentication, subscriber profile and QoS-related data, and the data plane data may include application data.
Furthermore, these data may be in different periods, including: data in collection, data at rest (in storage), data in transit, and data in use (e.g., for analysis).
For example, the data type and the period/phase of the data are as follows:
table 1: list of tenant data in different periods of time
All of the data described above requires data isolation during its lifecycle. Different levels of isolation and protection may be applied to data of different tenants or slice groups, as well as to different data types or different periods of the same tenant or slice group. For example, slices of some tenants may require confidentiality protection, while integrity is more important for some slices than others. Similarly, for the same tenant or slice group, PM/FM data may need availability and integrity, customer and subscriber information may need confidentiality, while MDT, etc., would need anonymization.
Some approaches for resource isolation have been proposed, particularly for managed resources (e.g., NFs, virtual resources, transport, etc.), based on isolation groups and isolation profiles. An isolation group is a group of network slices for the same tenant, the same SST, the same industry, the same area, or supporting the same function, etc. The isolation profile is used to define an isolation policy in each domain to achieve isolation in each domain. However, no specific isolation policy is defined in the isolation profile, nor is a method defined in the management/network functions to isolate and protect the data of each tenant or slice group, particularly management data.
In addition, while data isolation is required from both a security and a performance perspective, data efficiency also needs to be considered. This means that mechanisms allowing the data of one tenant to be accessed and used by other tenants or operators under certain conditions need to be considered. In addition, mechanisms for data tracking should be applied, so that the tenant/operator consuming the shared data can be held accountable for it.
Thus, the present disclosure proposes a solution to manage data isolation for data in collection, at rest, in transit and in use. In this solution, the management function node(s) may receive management data associated with a service. When the management function node(s) determine that the management data belongs to a group, the management function node(s) may obtain one or more isolation requirements for the group. The management function node(s) may isolate the storage space allocated to the group based on the one or more isolation requirements and store the management data in the storage space.
Principles and implementations of the present disclosure will be described in detail below with reference to FIG. 2, which shows an example of a process of managing data isolation according to some example embodiments of the present disclosure. For discussion purposes, process 200 will be described with reference to FIG. 1. Process 200 may involve management function nodes 110-1, 110-2, and 110-3, service consumer 120, other systems 130, and DBMS 140 as shown in FIG. 1.
As described above, the management function nodes 110-1, 110-2, and 110-3 may be implemented in separate management function entities. Alternatively, the management function nodes 110-1, 110-2 and 110-3 may also be implemented in an integrated management function entity. In the scenario shown in FIG. 2, management function node 110-1 may be referred to as a provisioning function node, management function node 110-2 may be referred to as a monitoring function node, and management function node 110-3 may be referred to as an analysis function node.
Reference is now made to FIG. 2. During the preparation period, the operator or tenant may enter management data isolation requirements in the 5G network management system before or during the allocation/creation of network slices for the tenant. The management data isolation requirements may be part of the network slice allocation/creation request or may be prepared in advance.
During the network slice deployment period, as shown in FIG. 2, service consumer 120 may send 202 a request to management function node 110-1 to allocate or create a network slice or network slice subnet. The management function node 110-1 may determine 204 the tenant, or a slice group mapped from the tenant, that corresponds to the slice.
In the following, network slices and network slice subnets may also be regarded as services, and tenants and slice groups may be collectively referred to as groups.
Once the tenant or slice group is determined, the management function node 110-1 may retrieve 206 the management data isolation requirements/policies of the tenant or slice group. Management data isolation requirements/policies may be retrieved from allocation/creation requests, tenant profiles, or isolation profiles from the DBMS 140.
In some example embodiments, the management function node 110-1 may also interpret 208 the isolation requirements of the tenant or slice group and translate the declarative isolation requirements into an imperative isolation policy (if needed) for the corresponding management domain.
The management function node 110-1 may assign 210 at least one management function to the slice/slice subnetwork according to the isolation policy, in particular for data collection and transmission. The at least one management function herein may include a monitoring management function. The management function node 110-1 may associate the at least one management function with the tenant or slice group.
In some example embodiments, at least one management function for a slice/sub-network of slices may be created or reused with existing management functions. At least one management function may be isolated according to tenant or slice group information and isolation requirements.
The management function node 110-1 may then assign 212 management services and the corresponding transport network, in particular for data collection and transmission, to the slice/slice subnetwork at the management function node 110-2 according to the isolation policy, and associate the management services with the tenant or slice group.
In some example embodiments, at least one management service for a slice/sub-network of slices may be created or reused with existing management services. At least one management service may be isolated according to tenant or slice group information and isolation requirements.
In addition, the management function node 110-1 may allocate 213 storage/database space from the DBMS 140 to the network slice or network slice subnetwork for provisioning data. The management function node 110-1 may isolate the storage, particularly for data at rest, according to the isolation policy and associate the storage/database with the tenant or slice group.
In some example embodiments, the management function node 110-1 may create a new storage space/DB/table for the slice/slice subnetwork for the provisioning data. Alternatively, the management function node 110-1 may also reuse existing storage/DB/tables. The management function node 110-1 may isolate the storage/DB/tables according to the tenant or slice group information and the isolation requirements.
Optionally, the management function node 110-1 may tag 214 the provisioning data with a tenant id or slice group id and classification to speed up subsequent processing.
In some example embodiments, the management function node 110-1 may also store 216 provisioning data in the storage space from the DBMS 140 assigned to the slice or slice subnetwork and protect the data (if needed) based on the associated policies.
In some example embodiments, the management function node 110-1 may send 218 provisioning data to other systems 130 through the management services assigned to the slice/sub-network and the corresponding transport network, and protect the data (if needed) based on the associated policies.
After the network slice deployment period is completed, the management function node 110-1 may send 220 an allocation/creation response to the service consumer 120.
During the operational phase, the management function node 110-2 may receive 222 a request for monitoring data (such as PM, FM, trace data, etc.) from the service consumer 120.
Alternatively, the management function node 110-2 may also monitor the management data without receiving a request from the service consumer 120.
In some example embodiments, the management function node 110-2 may subscribe 224 to data notifications from other systems 130. The data notification may belong to a tenant or slice group associated with the management function. In this case, when the management function node 110-2 receives 226 the monitored data, the management function node 110-2 may determine 228 the tenant or slice group to which the monitored data belongs.
In some example embodiments, the management function node 110-2 may subscribe 224 to data notifications from other systems 130 that may be associated with different tenants or slice groups. In this case, when the management function node 110-2 receives 226 the monitored data, the management function node 110-2 may determine 228 the tenant or slice group to which the monitored data belongs according to the tenant/slice group identity (e.g., S-NSSAI) carried in the received monitored data.
In some example embodiments, it is also possible that a management function in a 5G network management system associated with a particular tenant or slice group may only be allowed to subscribe to data notifications belonging to the tenant or slice group associated with that management function.
In some example embodiments, the management function node 110-2 may allocate 230 storage/databases from the DBMS 140 for the collected/monitored data (if needed). The management function node 110-2 may associate the storage/database with the tenant/slice group and isolate the storage according to the isolation policy.
In some example embodiments, the management function node 110-2 may create a new storage space/DB/table for the slice/sub-network for collecting/monitoring data. Alternatively, the management function node 110-2 may also reuse existing storage/DB/tables. The management function node 110-2 may isolate the storage/DB/tables according to tenant or slice group information and isolation requirements.
Optionally, the management function node 110-2 may tag 232 the collected data with a tenant id or slice group id and classification to speed up subsequent processing.
The management function node 110-2 may store 234 the collected management data in the storage/DB from the DBMS 140 associated with the tenant/slice group and protect the data (if needed) based on the associated policies.
The management function node 110-2 may send 236 collected management data or an address to retrieve the data to the consumer through the management service and corresponding transport network associated with the tenant/slice group and protect the data (if needed) based on the associated policy.
If the data address is sent back to the service consumer 120, the management function node 110-2 may allocate and isolate a management service and corresponding transport network for the service consumer 120 to retrieve the data, the management service and transport being associated with the tenant or slice group and protected (if needed) based on the associated policy. Service consumer 120 may then retrieve 238 the data from management function node 110-2.
Service consumer 120 may send 240 an analyze service request to management function node 110-3.
If an analytics service request is received from a service consumer 120, the management function node 110-3 may assign 242 an Artificial Intelligence (AI)/Machine Learning (ML) model for the tenant or group of slices. The management function node 110-3 may associate the AI/ML model to a tenant or slice group and isolate and protect the AI/ML model according to an isolation policy.
In some example embodiments, the management function node 110-3 may create a new or reuse existing AI/ML model and isolate and protect the model according to tenant/isolation group information and isolation requirements.
In some example embodiments, the management function node 110-3 may isolate 244 the AI/ML model input data (e.g., training data) according to the tenant or isolation group information and the isolation requirements.
In some example embodiments, the management function node 110-3 may isolate 246 the output of the AI/ML model (if desired), for example by allocating storage/a database for the analysis report. The management function node 110-3 may associate the storage/database with the tenant or slice group and isolate the storage according to the isolation policy.
The management function node 110-3 may also send 248 an analysis report or address of the report to the service consumer 120 through the management service and corresponding transport network associated with the tenant or slice group and protect the report (if needed) based on the associated policy.
If the report address is sent back to the service consumer 120, the management function node 110-3 may assign and isolate a management service and corresponding transport network for the service consumer 120 to retrieve the report, the management service and transport being associated with the tenant or slice group and protected based on the associated policy. The service consumer 120 may then retrieve 250 the report from the management function node 110-3.
In some example embodiments, examples for isolation control associated with an isolation requirement or policy may be defined as follows:
table 2: isolation control on BSS and OSS systems of 5G network
In some example embodiments, data structure definitions for data isolation requirements (exchanged between tenants and 3GPP management systems) and policies (exchanged between 3GPP defined management functions) may also be defined.
In some example embodiments, the declarative data isolation requirements (from the tenant/administrator of the operator to the BSS) may be defined as follows:
table 3: declarative data isolation requirements
In some example embodiments, the imperative data isolation policies (between 5G network management systems) may be defined as follows:
table 4: imperative data isolation policy
The tenant Id is used to identify the tenant subscribing to the service from the network slice provider; it is always visible at the BSS level or E2E service level. It is optional.
Group Id is used to identify a service group, which may be organized for a specific tenant, a specific service type, a specific area, etc. Group ids may be mapped from tenant ids and visible at both higher and lower levels.
The data type is used to classify the data at a high level, e.g. the data type may be BSS data, OSS data, etc.
The data list is used to list fine-grained data types, e.g. the data list may be a list of PM, FM, MDT data etc. It is optional.
Data classes are used to define classifications of data in a data list. It may be, for example, secret, confidential, business sensitive, normal, etc.
Data epochs are used to define the epochs/phases of data, such as data in use, in transit or at rest.
The AI/ML model type is used to define the usage of the AI/ML model, which may be used, for example, by an operator for service promotion, performance optimization or troubleshooting, etc., or by a tenant for similar troubleshooting, etc. It is optional.
Isolation rules are defined to isolate tenant/group data in a data list of a specific data type, in a specific data period and with a specific data classification; a rule is expressed as a combination of tenant Id/group Id, data type, data list, data classification and data period. For data in use, the AI/ML model type is also considered. See the example isolation rules for different data of different tenants/groups in table 2. Isolation rules are used for the data isolation described in the workflow of FIG. 2.
Protection Req is used to decide the security controls protecting the isolated data. See the example protection requirements for different data of different tenants/groups in table 2.
Furthermore, the solutions presented in this disclosure may be implemented by management functions, which may be part of existing CSMF, NSMF, NSSMF, provisioning MF, monitoring MF, data management functions, analysis functions, etc., or by dedicated isolation management functions. With the solution of the present disclosure, a flexible policy framework supporting data isolation with different isolation and protection requirements for each domain, and for each data type in each phase, can be implemented. Furthermore, a new management service supporting tenants in configuring policies and a new interface to exchange policies between different domains are proposed. The solution may also introduce mechanisms to translate and execute policies in each domain, protect data sharing between slices and monitor the assurance of data isolation.
FIG. 3 illustrates a flowchart of an example method 300 for managing data isolation, according to some example embodiments of the present disclosure. The method 300 may be implemented at a management function node 110 as shown in FIG. 1. For discussion purposes, the method 300 will be described with reference to FIG. 1.
At 310, management function node 110 receives management data associated with a service.
At 320, the management function node 110 determines that the management data belongs to a group, and at 330, the management function node 110 obtains one or more isolation requirements for the group.
In some example embodiments, if the management function node 110 determines that the identity of the group is obtained from the management data, the management function node 110 may determine that the management data belongs to the group.
In some example embodiments, if the management function node 110 determines that monitoring data is received from a group to which a data notification has been subscribed, the management function node 110 may determine that the monitoring data belongs to that group.
At 340, the management function node 110 isolates the storage space allocated to the group based on one or more isolation requirements. At 350, the management function node 110 stores management data in the storage space.
In some example embodiments, the management function node 110 may obtain information associated with the group to which the management data belongs, the information including at least one of: the identity of the group, or the data security classification; and based on the information, marking the management data.
In some example embodiments, the management function node 110 may protect management data based on security requirements associated with the group.
In some example embodiments, if the management function node 110 determines that a request to allocate a service is received, the management function node 110 may determine the group corresponding to the service. The management function node 110 may retrieve the one or more isolation requirements of the group; assign a monitoring function to the group for the monitoring data of the group; and isolate the monitoring function for the group based on the one or more isolation requirements.
In some example embodiments, the management function node 110 may allocate a monitoring service to the group for the monitoring data of the group; and isolate the monitoring service for the group based on the one or more isolation requirements.
In some example embodiments, the management function node 110 may allocate additional storage space to the group for storing provisioning data belonging to the group; isolate the additional storage space based on the one or more isolation requirements of the group; and store the provisioning data belonging to the group in the additional storage space.
In some example embodiments, the management function node 110 may obtain information associated with the group to which the provisioning data belongs, the information including at least one of: the identity of the group, or the data security classification; and based on the information, mark the provisioning data.
In some example embodiments, the management function node 110 may isolate provisioning data belonging to a group based on one or more isolation requirements of the group during transmission of the provisioning data.
In some example embodiments, if the management function node 110 determines that management data associated with a group is used for analysis, the management function node 110 may assign an analysis model for the group to which the management data belongs, the analysis model being used to provide an analysis report associated with the monitoring data; and isolating the analytical model based on the one or more isolation requirements of the group.
In some example embodiments, the management function node 110 may isolate input data and output data of the analytical model based on one or more isolation requirements of the group.
In some example embodiments, the group includes at least one of: a tenant corresponding to the service, or a slice group corresponding to the service.
In some example embodiments, the service includes at least one of: a network slice service, or a network slice subnet service.
In some example embodiments, the first device includes a management function entity.
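The policy fields of table 4 and steps 310 to 350 of method 300, as an added Python example that is not part of the patent: it models one management function node that attributes incoming management data to a group (from a group Id carried in the data, a tenant-to-group mapping, or the notification subscription it arrived on), looks up the group's isolation rule, allocates a storage space pinned to that rule's isolation level, marks the stored data, and refuses cross-group reads. All class and attribute names, the isolation-level strings and the sample policy are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Data period values of table 4 (names assumed): data in use, in transit, or at rest.
IN_USE, IN_TRANSIT, AT_REST = "in-use", "in-transit", "at-rest"

@dataclass(frozen=True)
class IsolationRule:
    """One imperative isolation rule built from the table 4 fields (attribute names assumed)."""
    group_id: str
    data_type: str                # coarse type, e.g. "OSS" or "BSS"
    data_list: FrozenSet[str]     # fine-grained types such as PM/FM/MDT; empty means any
    data_class: str               # e.g. "secret", "confidential", "normal"
    data_epoch: str               # IN_USE, IN_TRANSIT or AT_REST
    storage_isolation: str        # assumed levels, e.g. "dedicated-db", "dedicated-schema"
    protection: FrozenSet[str]    # Protection Req, e.g. {"encrypt-at-rest", "access-log"}

@dataclass
class IsolationPolicy:
    tenant_to_group: Dict[str, str]   # tenant Id -> group Id (group ids are mapped from tenant ids)
    rules: List[IsolationRule]

    def requirements(self, group_id, data_type, data_item, data_class, epoch) -> IsolationRule:
        """Step 330: obtain the isolation requirements of the group for this kind of data."""
        for r in self.rules:
            if (r.group_id == group_id and r.data_type == data_type
                    and (not r.data_list or data_item in r.data_list)
                    and r.data_class == data_class and r.data_epoch == epoch):
                return r
        raise LookupError(f"no isolation rule for {group_id}/{data_type}/{data_item}/{data_class}")

@dataclass
class ManagementData:
    data_type: str
    data_item: str
    data_class: str
    payload: dict
    group_id: Optional[str] = None         # group identity carried in the data itself
    tenant_id: Optional[str] = None        # tenant Id, visible at the BSS level
    subscription_id: Optional[str] = None  # notification subscription the data arrived on

class ManagementFunctionNode:
    """Assumed model of management function node 110 executing method 300."""

    def __init__(self, policy: IsolationPolicy) -> None:
        self.policy = policy
        self.subscriptions: Dict[str, str] = {}  # subscription id -> group id
        self.storage: Dict[str, dict] = {}       # group id -> isolated storage space

    def determine_group(self, data: ManagementData) -> str:
        """Step 320: explicit group id, tenant-to-group mapping, or the subscription it came on."""
        if data.group_id:
            return data.group_id
        if data.tenant_id in self.policy.tenant_to_group:
            return self.policy.tenant_to_group[data.tenant_id]
        if data.subscription_id in self.subscriptions:
            return self.subscriptions[data.subscription_id]
        raise ValueError("management data cannot be attributed to a group; refusing to store it")

    def receive(self, data: ManagementData) -> dict:
        """Steps 310 to 350 for one piece of management data that is stored at rest."""
        group_id = self.determine_group(data)
        rule = self.policy.requirements(group_id, data.data_type, data.data_item,
                                        data.data_class, AT_REST)
        # Step 340: allocate a storage space to the group and pin its isolation level.
        space = self.storage.setdefault(group_id, {"isolation": rule.storage_isolation, "records": []})
        if space["isolation"] != rule.storage_isolation:
            raise RuntimeError(f"storage of {group_id} is already isolated as {space['isolation']}")
        # Step 350: store the data marked with the group identity and security classification.
        record = {"group_id": group_id, "data_class": data.data_class,
                  "protection": rule.protection, "payload": data.payload}
        space["records"].append(record)
        return record

    def read(self, requesting_group: str, group_id: str) -> List[dict]:
        """A consumer can only read the storage space of its own group."""
        if requesting_group != group_id:
            raise PermissionError(f"{requesting_group} may not read the storage of {group_id}")
        return list(self.storage.get(group_id, {"records": []})["records"])

def example_policy() -> IsolationPolicy:
    """Constructed sample policy: two groups with different storage and protection requirements."""
    return IsolationPolicy(
        tenant_to_group={"tenant-A": "grp-A", "tenant-B": "grp-B"},
        rules=[
            IsolationRule("grp-A", "OSS", frozenset({"PM", "FM"}), "confidential", AT_REST,
                          "dedicated-db", frozenset({"encrypt-at-rest", "access-log"})),
            IsolationRule("grp-B", "OSS", frozenset(), "normal", AT_REST,
                          "dedicated-schema", frozenset({"access-log"})),
        ],
    )
```

Data that cannot be attributed to any group, or for which no rule exists, is rejected rather than stored in a default location, which is the behaviour a practitioner should expect from an isolation boundary.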
In some example embodiments, an apparatus capable of performing the method 300 (e.g., implemented at the management function node 110) may include means for performing the respective steps of the method 300. The component may be implemented in any suitable form. For example, the components may be implemented in circuitry or software modules.
In some example embodiments, the apparatus includes means for receiving, at a first device, management data associated with a service; means for obtaining one or more isolation requirements for the group based on determining that the management data belongs to the group; means for isolating storage space allocated to the group based on one or more isolation requirements; and means for storing the management data in the storage space.
Fig. 4 is a simplified block diagram of an apparatus 400 suitable for implementing embodiments of the present disclosure. Device 400 may be provided to implement a communication device, such as management function node 110 shown in fig. 1. As shown, the device 400 includes one or more processors 410, one or more memories 420 coupled to the processors 410, and a communication module 440 coupled to the processors 410.
The communication module 440 is used for two-way communication. The communication module 440 has one or more communication interfaces to facilitate communications with one or more other modules or devices. The communication interface may represent any interface required to communicate with other network elements. In some example embodiments, the communication module 440 may include at least one antenna.
The processor 410 may be of any type suitable to the local technical network and may include, as non-limiting examples, one or more of the following: general purpose computers, special purpose computers, microprocessors, digital signal processors (DSPs), and processors based on a multi-core processor architecture. The device 400 may have multiple processors, such as application specific integrated circuit chips that are slaved in time to a clock that is synchronized to the master processor.
Memory 420 may include one or more non-volatile memories and one or more volatile memories. Examples of non-volatile memory include, but are not limited to, read-only memory (ROM) 424, electrically programmable read-only memory (EPROM), flash memory, a hard disk, a Compact Disk (CD), a Digital Video Disk (DVD), and other magnetic and/or optical storage. Examples of volatile memory include, but are not limited to, Random Access Memory (RAM) 422 and other volatile memory whose contents do not persist for the duration of a power outage.
The computer program 430 includes computer-executable instructions that are executed by the associated processor 410. Program 430 may be stored in ROM 424. Processor 410 may perform any suitable actions and processes by loading program 430 into RAM 422.
Embodiments of the present disclosure may be implemented by program 430 such that device 400 may perform any of the processes of the present disclosure as discussed with reference to fig. 2-3. Embodiments of the present disclosure may also be implemented in hardware, or in a combination of software and hardware.
In some embodiments, program 430 may be tangibly embodied in a computer-readable medium that may be included in device 400 (such as in memory 420) or other storage device accessible by device 400. Device 400 may load program 430 from a computer-readable medium into RAM 422 for execution. The computer readable medium may include any type of tangible, non-volatile storage, such as ROM, EPROM, flash memory, hard disk, CD, DVD, etc. Fig. 5 shows an example of a computer readable medium 500 in the form of a CD or DVD. The computer readable medium has a program 430 stored thereon.
In general, the various embodiments of the disclosure may be implemented in hardware or special purpose circuits, software, logic or any combination thereof. Some aspects may be implemented in hardware, while other aspects may be implemented in firmware or software which may be executed by a controller, microprocessor or other computing device. While various aspects of the embodiments of the disclosure are illustrated and described as block diagrams, flow charts, or using some other pictorial representation, it is well understood that these blocks, apparatus, systems, techniques or methods described herein may be implemented in, as non-limiting examples, hardware, software, firmware, special purpose circuits or logic, general purpose hardware or controller or other computing devices, or some combination thereof.
The present disclosure also provides at least one computer program product tangibly stored on a non-transitory computer-readable storage medium. The computer program product comprises computer executable instructions, such as those included in program modules, being executed in a device on a target real or virtual processor to perform the method 300 as described above with reference to fig. 3. Generally, program modules include routines, programs, libraries, objects, classes, components, data structures, etc. that perform particular tasks or implement particular abstract data types. In various embodiments, the functionality of the program modules may be combined or split between program modules as desired. Machine-executable instructions for program modules may be executed within local or distributed devices. In a distributed device, program modules may be located in both local and remote memory storage media.
Program code for carrying out the methods of the present disclosure may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this disclosure, computer program code or related data may be carried by any suitable carrier to enable an apparatus, device or processor to perform the various processes and operations described above. Examples of carriers include signals, computer readable media, and the like.
The computer readable medium may be a computer readable signal medium or a computer readable storage medium. The computer readable medium can include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus or device, or any suitable combination of the foregoing. More specific examples of a computer-readable storage medium would include an electrical connection having one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
Furthermore, although operations are depicted in a particular order, this should not be understood as requiring that such operations be performed in the particular order shown or in sequential order, or that all illustrated operations be performed, to achieve desirable results. In some cases, multitasking and parallel processing may be advantageous. Also, while the above discussion contains several specific implementation details, these should not be construed as limitations on the scope of the disclosure, but rather as descriptions of features that may be specific to particular embodiments. Certain features that are described in the context of separate embodiments can also be implemented in combination in a single embodiment. Conversely, various features that are described in the context of a single embodiment can also be implemented in multiple embodiments separately or in any suitable subcombination.
Although the disclosure has been described in language specific to structural features and/or methodological acts, it is to be understood that the disclosure defined in the appended claims is not necessarily limited to the specific features or acts described above. Rather, the specific features and acts described above are disclosed as example forms of implementing the claims.

Claims (32)

1. A method for communication, comprising:
Receiving, at a first device, management data associated with a service;
according to the determination that the management data belongs to a group, one or more isolation requirements of the group are obtained;
isolating storage space allocated to the group based on the one or more isolation requirements; and
storing the management data in the storage space.
2. The method of claim 1, further comprising:
in accordance with a determination that the identity of the group is obtained from the management data, it is determined that the management data belongs to the group.
3. The method of claim 1, further comprising:
in accordance with a determination that monitoring data is received from the group to which a data notification has been subscribed, determining that the monitoring data belongs to the group.
4. The method of claim 1, further comprising:
obtaining information associated with the group to which the management data belongs, the information including at least one of:
the identity of the group, or
a data security classification; and
based on the information, the management data is marked.
5. The method of claim 1, further comprising:
the management data is protected based on security requirements associated with the group.
6. The method of claim 1, further comprising:
in accordance with a determination that a request to allocate the service is received, determining the group corresponding to the service;
retrieving the one or more isolation requirements of the group; and
assigning a monitoring function to the group for monitoring data of the group; and
the monitoring function is isolated for the group based on the one or more isolation requirements.
7. The method of claim 6, further comprising:
allocating a monitoring service to the group for the monitoring data of the group; and
the monitoring service is isolated for the group based on the one or more isolation requirements.
8. The method of claim 6, further comprising:
allocating additional storage space to the group for storing provisioning data belonging to the group;
isolating the additional storage space based on the one or more isolation requirements of the group; and
the provisioning data belonging to the group is stored to the further storage space.
9. The method of claim 6, further comprising:
obtaining information associated with the group to which the provisioning data belongs, the information comprising at least one of:
The identity of the group, or
a data security classification; and
based on the information, the provisioning data is marked.
10. The method of claim 6, further comprising:
during transmission of the provisioning data, provisioning data belonging to the group is isolated based on the one or more isolation requirements of the group.
11. The method of claim 1, further comprising:
in accordance with a determination that the management data associated with the group is to be used for analysis, assigning an analysis model for the group to which the management data belongs, the analysis model being used to provide an analysis report associated with the management data; and
isolating the analytical model based on the one or more isolation requirements of the group.
12. The method of claim 11, further comprising:
based on the one or more isolation requirements of the group, input data and output data of the analytical model are isolated.
13. The method of any one of claims 1 to 12, wherein the group comprises at least one of:
tenant corresponding to the service, or
A slice group corresponding to the service.
14. The method of any of claims 1 to 12, wherein the service comprises at least one of:
Network slice service, or
Network slicing subnetwork services.
15. The method of any of claims 1 to 12, wherein the first device comprises a management function entity.
16. A first device for communication, comprising:
at least one processor; and
at least one memory including computer program code;
the at least one memory and the computer program code are configured to, with the at least one processor, cause the first device at least to:
receiving, at a first device, management data associated with a service;
according to the determination that the management data belongs to a group, one or more isolation requirements of the group are obtained;
isolating storage space allocated to the group based on the one or more isolation requirements; and
storing the management data in the storage space.
17. The first device of claim 16, wherein the first device is further caused to:
in accordance with a determination that the identity of the group is obtained from the management data, it is determined that the management data belongs to the group.
18. The first device of claim 16, wherein the first device is further caused to:
in accordance with a determination that monitoring data has been received from the group to which data notifications have been subscribed, it is determined that the monitored data belongs to the group.
19. The first device of claim 16, wherein the first device is further caused to:
obtaining information associated with the group to which the management data belongs, the information including at least one of:
the identity of the group, or
A data security classification linked to the identity; and
based on the information, the management data is marked.
20. The first device of claim 19, wherein the first device is further caused to:
the management data is protected based on security requirements associated with the group.
21. The first device of claim 16, wherein the first device is further caused to:
in accordance with a determination that a request to allocate the service is received, determining the group corresponding to the service;
retrieving the one or more isolation requirements of the group; and
assigning a monitoring function to the group for monitoring data of the group; and
the monitoring function is isolated for the group based on the one or more isolation requirements.
22. The first device of claim 21, wherein the first device is further caused to:
allocating a monitoring service to the group for the monitoring data of the group; and
the monitoring service is isolated for the group based on the one or more isolation requirements.
23. The first device of claim 18, wherein the first device is further caused to:
allocating additional storage space to the group for storing provisioning data belonging to the group;
isolating the additional storage space based on the one or more isolation requirements of the group; and
the provisioning data belonging to the group is stored to the further storage space.
24. The first device of claim 21, wherein the first device is further caused to:
obtaining information associated with the group to which the provisioning data belongs, the information including at least one of:
the identity of the group, or
a data security classification linked to the identity; and
based on the information, the provisioning data is marked.
25. The first device of claim 18, wherein the first device is further caused to:
during transmission of the provisioning data, provisioning data belonging to the group is isolated based on the one or more isolation requirements of the group.
26. The first device of claim 14, wherein the first device is further caused to:
In accordance with a determination that the monitoring data associated with the group is to be used for analysis, assigning an analysis model for the group to which the monitoring data belongs, the analysis model being used to provide an analysis report associated with the monitoring data; and
isolating the analytical model based on the one or more isolation requirements of the group.
27. The first device of claim 26, wherein the first device is further caused to:
based on the one or more isolation requirements of the group, input data and output data of the analytical model are isolated.
28. The first device of any of claims 16 to 27, wherein the group comprises at least one of:
tenant corresponding to the service, or
A slice group corresponding to the service.
29. The first device of any of claims 16 to 27, wherein the service comprises at least one of:
network slice service, or
Network slicing subnetwork services.
30. The first device of any of claims 16 to 27, wherein the first device comprises a management function entity.
31. An apparatus for communication, comprising:
means for receiving, at a first device, management data associated with a service;
means for obtaining, in accordance with a determination that the management data belongs to a group corresponding to the service, one or more isolation requirements of the group;
means for isolating storage space allocated to the group based on the one or more isolation requirements; and
means for storing the management data in the storage space.
32. A non-transitory computer readable medium comprising program instructions for causing an apparatus to perform at least the method of any one of claims 1 to 15.
CN202180101562.3A 2021-08-11 2021-08-11 Managing data isolation Pending CN117836761A (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2021/112046 WO2023015482A1 (en) 2021-08-11 2021-08-11 Management data isolation

Publications (1)

Publication Number Publication Date
CN117836761A true CN117836761A (en) 2024-04-05

Family

ID=85200430

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202180101562.3A Pending CN117836761A (en) 2021-08-11 2021-08-11 Managing data isolation

Country Status (2)

Country Link
CN (1) CN117836761A (en)
WO (1) WO2023015482A1 (en)

Family Cites Families (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102760084B (en) * 2012-06-15 2015-02-18 杭州格畅科技有限公司 Management method of application data, method for partitioning application storage space, on-line application system and application device
US10693728B2 (en) * 2017-02-27 2020-06-23 Dell Products L.P. Storage isolation domains for converged infrastructure information handling systems
CN108737325B (en) * 2017-04-13 2021-01-08 华为技术有限公司 Multi-tenant data isolation method, device and system
US10956246B1 (en) * 2018-07-16 2021-03-23 Amazon Technologies, Inc. Isolated read channel management interfaces at streaming data service
CN110851853A (en) * 2019-09-18 2020-02-28 平安科技(深圳)有限公司 Data isolation method and device, computer equipment and storage medium

Also Published As

Publication number Publication date
WO2023015482A1 (en) 2023-02-16


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination