CN117891466A - Security product component method, apparatus, computer device, and storage medium - Google Patents


Info

Publication number: CN117891466A
Authority: CN (China)
Prior art keywords: component, security component, security, management platform, information
Legal status: Pending (the status listed by Google Patents is an assumption, not a legal conclusion)
Application number: CN202311791082.1A
Other languages: Chinese (zh)
Inventors: 徐勤, 孙会首, 李明达, 胡正波, 伍海清
Current assignee: Shuguang Cloud Computing Group Co ltd
Original assignee: Shuguang Cloud Computing Group Co ltd
Application filed by Shuguang Cloud Computing Group Co ltd

Landscapes

  • Storage Device Security (AREA)

Abstract

The application relates to a security product component deployment method, a security product component deployment device, computer equipment and a storage medium. The method is applied to a cloud platform, wherein a security component management platform is deployed in the cloud platform, and the method comprises the following steps: receiving a component deployment request, wherein the component deployment request comprises authorization information and a component identifier corresponding to a target tenant; creating a security component corresponding to the component identifier, and sending an authorization request to the security component management platform, wherein the authorization request comprises the authorization information and the component identifier, and the authorization request is used for requesting to register the target tenant according to the authorization information and importing a permission file to the security component; and receiving the authorized access information of the security component returned by the security component management platform, and sending the authorized access information to the target tenant. By adopting the method, the deployment speed can be improved.

Description

Security product component method, apparatus, computer device, and storage medium
Technical Field
The present disclosure relates to the field of cloud computing technologies, and in particular, to a method and apparatus for deploying a security product component, a computer device, and a storage medium.
Background
With the rapid development of cloud computing, the open-network and shared-service scenarios on the cloud have become more complex and variable, the security challenges more serious, and some new kinds of security problem more prominent, so security on the cloud receives more and more attention. However, conventional security policies can reduce virtualization performance, and a cloud platform with weak security-policy capability can become a target for attackers. Cloud security is a new model that moves information security technology toward on-demand service and makes full use of security technology and secured data resources, and it is regarded as the core of the new generation of information-security technology and business-model innovation.
At present, the common cloud security product deployment scheme deploys each product separately on virtual machines of the cloud platform in a single-product mode, so deployment efficiency is low.
Disclosure of Invention
In view of the foregoing, it is desirable to provide a method, an apparatus, a computer device, and a storage medium for deploying a security product component, which can improve the deployment speed.
In a first aspect, the present application provides a security component deployment method, where the method is applied to a cloud platform, and the cloud platform is deployed with a security component management platform, and the method includes:
receiving a component deployment request, wherein the component deployment request comprises authorization information and a component identifier corresponding to a target tenant;
creating a security component corresponding to the component identifier, and sending an authorization request to the security component management platform, wherein the authorization request comprises the authorization information and the component identifier, and the authorization request is used for requesting to register the target tenant according to the authorization information and importing a permission file to the security component;
and receiving the authorized access information of the security component returned by the security component management platform, and sending the authorized access information to the target tenant, wherein the authorized access information is generated under the condition that the permission file is successfully imported in the security component.
In the security product component deployment method above, the cloud platform deploys the security component management platform and the security components; the security component management platform performs unified authorization and licensing of each security component for the target tenant, and the authorized access information of each security component is sent to the target tenant. One-click deployment of the target tenant's security components is thus realized purely in software, and deployment speed is improved.
In one embodiment, the cloud platform stores an image file of the security component management platform, and the method further includes:
creating the security component management platform in a virtual machine service of the virtualized computing resource by adopting an image file of the security component management platform;
and allocating network resources, computing resources and storage resources to the security component management platform.
In the security product component deployment method above, the cloud platform deploys the security component management platform, so that the security components are managed uniformly through the security component management platform and deployment speed is improved.
In one embodiment, the cloud platform stores image files of a plurality of security components, the image file of each security component corresponds to a component identifier, the component deployment request further includes component specification information, and the creating the security component corresponding to the component identifier includes:
acquiring the image file corresponding to the component identifier from the image files of the plurality of security components;
and creating the security component based on the component specification information and the image file corresponding to the component identifier.
According to the deployment method of the security product components, the cloud platform deploys the security components required by the target tenant according to the component identification corresponding to the target tenant, so that resources are saved, a plurality of security components are deployed at one time, and the deployment speed is improved.
In one embodiment, the method further comprises:
detecting whether the port state of the security component is normal;
and generating the authorization request under the condition that the port state of the security component is normal.
In one embodiment, each security component corresponds to a virtual private cloud network, the private cloud network being used for tenant isolation and network isolation, the method further comprising:
configuring an internal network address of a cloud platform Software Defined Network (SDN) for the security component management platform, wherein the internal network address of the security component management platform is used for carrying out cross-network communication with the security component;
and configuring an internal network address of the cloud platform SDN for each security component, wherein the internal network address configured by the security component is used for carrying out cross-network communication with the security component management platform.
In the security product component deployment method above, configuring internal network addresses for the security components and the security component management platform enables cross-network communication between them while preserving tenant isolation, which is the precondition for unified management by the security component management platform.
In one embodiment, the method further comprises:
and responding to the triggering operation of the authorized access information, and jumping to a management page of the security component, wherein the management page is used for carrying out security management on the security component.
According to the deployment method of the security product component, the target tenant can access the management page of the security component to conduct security management on the security component by providing the authorized access information for the target tenant, so that the operation and maintenance efficiency is improved.
In a second aspect, the present application provides a security component deployment method, where the method is applied to a security component management platform, where the security component management platform is deployed by a cloud platform, and the method includes:
receiving an authorization request sent by the cloud platform, wherein the authorization request comprises authorization information and a component identifier corresponding to a target tenant;
registering the target tenant on a security component corresponding to the component identifier according to the authorization information, wherein the security component is created by the cloud platform;
sending a license file to the security component;
receiving an information acquisition request sent by the security component, wherein the information acquisition request is generated under the condition that the license file is successfully imported in the security component;
generating authorized access information of the security component in response to the information acquisition request;
and returning authorized access information of the security component to the cloud platform.
In the security product component deployment method above, the security component management platform performs unified authorization and licensing of each security component for the target tenant and sends the authorized access information of each security component to the target tenant, so that the target tenant's security components can be deployed with one click purely in software, and deployment speed is improved.
In a third aspect, the present application provides a security component deployment method, where the method is applied to a security component, where the security component is created by a cloud platform, and the security component is created based on a component identifier corresponding to a target tenant, and the cloud platform is deployed with a security component management platform, and the method includes:
receiving a permission file sent by a security component management platform, wherein the permission file is sent when the security component completes registration of the target tenant according to the authorization information of the target tenant;
based on the permission file, opening security service for the target tenant;
and sending an information acquisition request to the security component management platform, wherein the information acquisition request is used for requesting to acquire authorized access information of the security component.
In the security product component deployment method above, each security component completes unified authorization and licensing for the target tenant according to the license file sent by the security component management platform, and requests the security component management platform to provide unified authorized access information, so that one-click deployment of the target tenant's security components is realized purely in software and deployment speed is improved.
In a fourth aspect, the present application provides a security component deployment apparatus, the apparatus being applied to a cloud platform in which a security component management platform is deployed, the apparatus comprising:
the first receiving module is used for receiving a component deployment request, wherein the component deployment request comprises authorization information and a component identifier corresponding to a target tenant;
the first creating module is used for creating a security component corresponding to the component identifier, and sending an authorization request to the security component management platform, wherein the authorization request comprises the authorization information and the component identifier, and the authorization request is used for requesting to register the target tenant according to the authorization information and importing a permission file to the security component;
the second receiving module is used for receiving the authorized access information of the security component returned by the security component management platform and sending the authorized access information to the target tenant, wherein the authorized access information is generated under the condition that the permission file is successfully imported in the security component.
In one embodiment, the cloud platform stores an image file of the security component management platform, and the apparatus further includes:
the second creation module is used for creating the security component management platform by adopting an image file of the security component management platform in a virtual machine service of the virtualized computing resource;
and the allocation module is used for allocating network resources, computing resources and storage resources for the security component management platform.
In one embodiment, the cloud platform stores image files of a plurality of security components, and the image file of each security component corresponds to a component identifier, and the first creating module is further configured to:
acquiring the image file corresponding to the component identifier from the image files of the plurality of security components;
and creating the security component based on the component specification information and the image file corresponding to the component identifier.
In one embodiment, the apparatus further comprises:
the detection module is used for detecting whether the port state of the security component is normal;
and the generation module is used for generating the authorization request under the condition that the port state of the security component is normal.
In one embodiment, each security component corresponds to a virtual private cloud network, the private cloud network being used for tenant isolation and network isolation, the apparatus further comprising:
a first configuration module, configured to configure an internal network address of a cloud platform software defined network SDN for the security component management platform, where the internal network address of the security component management platform is used for performing cross-network communication with the security component;
and the second configuration module is used for configuring an internal network address of the cloud platform SDN for each security component, and the internal network address configured by the security component is used for carrying out cross-network communication with the security component management platform.
In one embodiment, the apparatus further comprises:
the jump module is used for responding to the triggering operation of the authorized access information and jumping to a management page of the security component, wherein the management page is used for carrying out security management on the security component.
In a fifth aspect, the present application provides a security component deployment apparatus applied to a security component management platform deployed by a cloud platform, the apparatus comprising:
the first receiving module is used for receiving an authorization request sent by the cloud platform, wherein the authorization request comprises authorization information and a component identifier corresponding to a target tenant;
the registration module is used for registering the target tenant on a security component corresponding to the component identifier according to the authorization information, and the security component is created by the cloud platform;
a first sending module, configured to send a license file to the security component;
the second receiving module is used for receiving an information acquisition request sent by the security component, wherein the information acquisition request is generated under the condition that the license file is successfully imported in the security component;
the generation module is used for responding to the information acquisition request and generating authorized access information of the security component;
and the second sending module is used for returning the authorized access information of the security component to the cloud platform.
In a sixth aspect, the present application provides a security component deployment apparatus, the apparatus being applied to a security component, the security component being created by a cloud platform, the security component being created based on a component identifier corresponding to a target tenant, the cloud platform having a security component management platform deployed therein, the apparatus comprising:
the receiving module is used for receiving a license file sent by the security component management platform, wherein the license file is sent when the security component completes registration of the target tenant according to the authorization information of the target tenant;
the service module is used for opening security services for the target tenant based on the permission file;
and the sending module is used for sending an information acquisition request to the security component management platform, wherein the information acquisition request is used for requesting to acquire the authorized access information of the security component.
In a seventh aspect, the present application further provides a computer device, including a memory and a processor, where the memory stores a computer program, and the processor, when executing the computer program, implements the security component deployment method of the first aspect or any embodiment of the first aspect, or the security component deployment method of the second aspect, or the security component deployment method of the third aspect.
In an eighth aspect, the present application further provides a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the security component deployment method of the first aspect or any one of the embodiments of the first aspect, or the security component deployment method of the second aspect, or the security component deployment method of the third aspect.
In a ninth aspect, the present application also provides a computer program product comprising a computer program which, when executed by a processor, implements the security component deployment method of the first aspect or any one of the embodiments of the first aspect, or the security component deployment method of the second aspect, or the security component deployment method of the third aspect.
In the security product component deployment method, apparatus, computer device and storage medium above, the cloud platform deploys the security component management platform and the security components; the security component management platform performs unified authorization and licensing of each security component for the target tenant, and the authorized access information of each security component is sent to the target tenant. One-click deployment of the target tenant's security components is thus realized purely in software, and deployment speed is improved.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the related art, the drawings that are required to be used in the embodiments or the related technical descriptions will be briefly described below, and it is obvious that the drawings in the following description are only some embodiments of the present application, and other drawings may be obtained according to the drawings without inventive effort for a person having ordinary skill in the art.
FIG. 1 is a schematic architecture diagram of a security component deployment system in one embodiment;
FIG. 2 is a flow diagram of a method of secure component deployment in one embodiment;
FIG. 3 is a flow diagram of a method of secure component deployment in one embodiment;
FIG. 4 is a block diagram of a security component deployment device in one embodiment;
FIG. 5 is a block diagram of a security component deployment device in one embodiment;
FIG. 6 is a block diagram of a security component deployment device in one embodiment;
FIG. 7 is an internal structural diagram of a computer device in one embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
In one embodiment, as shown in FIG. 1, a security component deployment system is provided that includes a cloud platform 110, a security component management platform 120, and at least one security component 130. The cloud platform 110 may be used to deploy the security component management platform 120 and the security components 130 that the target tenant needs. The security component management platform 120 may be configured to register the target tenant on the security component 130 according to the authorization information and to send a license file to the security component 130. The security component 130 is configured to receive the license file, open the security service for the target tenant based on the license file, and send an information acquisition request to the security component management platform 120. The security component management platform 120 may be configured to generate authorized access information for the security component in response to the information acquisition request and return it to the cloud platform 110. The cloud platform 110 may be configured to receive the authorized access information for the security component and send it to the target tenant.
Wherein, the target tenant may represent a tenant needing to deploy the security component, and the target tenant may be any one or more tenants, for example, the target tenant may be one or more of tenant 1, tenant 2, tenant 3, tenant 4, and the like shown in fig. 1.
The cloud platform 110 has a security component management platform 120 deployed in it. In one possible implementation, the cloud platform 110 may use the image file of the security component management platform to create the security component management platform 120 in the virtual machine service of the virtualized computing resource, and allocate network resources, computing resources and storage resources to it (as shown in FIG. 1), thereby completing deployment of the security component management platform 120.
The cloud platform 110 also hosts the security components 130. The cloud platform may receive a component deployment request including the authorization information and a component identifier corresponding to the target tenant, and create the security component 130 corresponding to the component identifier. In one possible implementation, the cloud platform 110 may obtain the image file corresponding to the component identifier from the stored image files of the plurality of security components and create the security component 130 based on the component specification information and that image file.
The security component management platform 120 and each security component 130 each correspond to their own virtual private cloud, which provides tenant isolation and network isolation. In one possible implementation, the cloud platform 110 may configure the security component management platform 120 with an internal network address of the cloud platform Software Defined Network (SDN) (the MFIP address in FIG. 1) and configure one internal network address of the cloud platform SDN for each security component. The security component management platform 120 and the security components 130 communicate across networks via these MFIP addresses. In this way the security component management platform 120 establishes a separate communication channel, such as a Virtual Extensible Local Area Network (VXLAN) tunnel, with each security component 130.
In one possible implementation, the cloud platform 110 may also bind a public network IP address to the security component management platform as its service network address. The service network can interact with a bastion host, and the public network IP address can also be used to jump to and log in to the management page of a security component.
In the embodiment of the present application, the security component management platform 120 and the security component 130 may be virtual machines.
In the security product component deployment system above, the cloud platform deploys the security component management platform and the security components; the security component management platform performs unified authorization and licensing of each security component for the target tenant, and the authorized access information of each security component is sent to the target tenant. One-click deployment of the target tenant's security components is thus realized purely in software, and deployment speed is improved.
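The deployment flow of the system above, as an added example that is not part of the patent: one process plays the cloud platform, the security component management platform and a security component, and follows the sequence in the text (create the component from the image matching its identifier, probe its management port before generating the authorization request, register the tenant with its project and use duration, issue and import the license file, answer the component's information acquisition request with authorized access information, and hand that back for the tenant). The component identifiers and image names, the HMAC over the license body (the patent does not say how the license file is protected), the MAC key shared between management platform and components, and the token-style access information are all assumptions of this example.

```python
import hashlib
import hmac
import json
import secrets
import socket
from datetime import datetime, timedelta, timezone

# Constructed inputs: image catalogue keyed by component identifier, and one deployment request
IMAGE_FILES = {"waf-01": "waf.raw", "hids-01": "hids.raw"}
REQUEST = {"component_ids": ["waf-01", "nope-99"], "spec": {"cpu": 4, "mem_gb": 8},
           "authorization": {"tenant": "tenant-1", "project": "proj-a", "use_days": 365}}


def license_mac(key: bytes, body: dict) -> str:
    """HMAC over the canonical license body (assumed way of protecting the license file)."""
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()


class SecurityComponent:
    """Created from an image: listens on a management port, imports a license, opens service."""
    def __init__(self, component_id: str, image: str, spec: dict):
        self.component_id, self.image, self.spec = component_id, image, spec
        self.registration = None      # (tenant, project) set by the management platform
        self.license = None           # license body once an import has succeeded
        self._srv = socket.socket()   # management port that the cloud platform probes;
        self._srv.bind(("127.0.0.1", 0))   # the kernel completes handshakes from the backlog
        self._srv.listen(8)
        self.port = self._srv.getsockname()[1]

    def stop(self):
        """Take the management port down (to show the port-state check failing)."""
        self._srv.close()

    def receive_license(self, lic: dict, mac_key: bytes):
        """Import the license; on success return the information acquisition request."""
        body = lic["body"]
        # reject a bad MAC, or a license bound to another component or tenant/project
        if (not hmac.compare_digest(license_mac(mac_key, body), lic["mac"])
                or body["component_id"] != self.component_id
                or (body["tenant"], body["project"]) != self.registration):
            return None
        self.license = body           # the security service is now open for the tenant
        return {"component_id": self.component_id, "port": self.port}


class ManagementPlatform:
    """Registers the tenant on a component, issues its license, generates access information."""
    def __init__(self):
        self.mac_key = secrets.token_bytes(32)   # shared with components at creation (assumed)
        self.access_tokens = {}                  # token -> component identifier

    def handle_authorization(self, component: SecurityComponent, auth: dict):
        component.registration = (auth["tenant"], auth["project"])   # register the tenant
        expires = datetime.now(timezone.utc) + timedelta(days=auth["use_days"])
        body = {"component_id": component.component_id, "tenant": auth["tenant"],
                "project": auth["project"], "expires": expires.isoformat()}
        lic = {"body": body, "mac": license_mac(self.mac_key, body)}
        info_request = component.receive_license(lic, self.mac_key)
        return None if info_request is None else self.handle_info_request(info_request)

    def handle_info_request(self, req: dict) -> dict:
        token = secrets.token_urlsafe(16)
        self.access_tokens[token] = req["component_id"]
        return {"component_id": req["component_id"],
                "url": f"https://127.0.0.1:{req['port']}/manage", "token": token}


class CloudPlatform:
    """Steps S201/S202: create the requested components, probe their port, request authorization."""
    def __init__(self, mgmt: ManagementPlatform):
        self.mgmt = mgmt
        self.components = {}

    @staticmethod
    def port_state_ok(port: int, timeout: float = 1.0) -> bool:
        try:
            socket.create_connection(("127.0.0.1", port), timeout=timeout).close()
            return True
        except OSError:
            return False

    def deploy(self, request: dict) -> dict:
        """Return, per component identifier, the authorized access information for the tenant."""
        results = {}
        for cid in request["component_ids"]:
            if cid not in IMAGE_FILES:
                results[cid] = {"error": "unknown component identifier"}
                continue
            comp = SecurityComponent(cid, IMAGE_FILES[cid], request["spec"])
            self.components[cid] = comp
            if not self.port_state_ok(comp.port):          # only then generate the request
                results[cid] = {"error": "port state abnormal"}
                continue
            access = self.mgmt.handle_authorization(comp, request["authorization"])
            results[cid] = access or {"error": "license import failed"}
        return results


if __name__ == "__main__":
    print(CloudPlatform(ManagementPlatform()).deploy(REQUEST))
```

Two details are worth noting. The port-state check is a plain TCP connect against the component's management port, which is the weakest check that still proves the virtual machine came up with its service listening; the authorization request is generated only after it passes. The license import binds the file to the component identifier and to the registered tenant and project, so a license issued for another component, or one edited after issue, is refused and no information acquisition request (and hence no access information) is produced for it.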
In one embodiment, as shown in fig. 2, a method for deploying a security component is provided, and the method is applied to the cloud platform 110 in fig. 1 for illustration, and includes the following steps:
step S201, a component deployment request is received.
In the embodiment of the application, a security component management platform is deployed in the cloud platform. In one possible implementation, the cloud platform stores an image file of the security component management platform, and the method further includes: creating the security component management platform in the virtual machine service of the virtualized computing resource using the image file of the security component management platform; and allocating network resources, computing resources and storage resources to the security component management platform.
In one example, the image file of the security component management platform may be a raw image file. The user uploads the image of the security component management platform to the cloud platform, and the cloud platform then creates a virtual machine from this image in the virtualized computing resource (Elastic Compute Service, ECS); this virtual machine may be referred to as the security component management platform. The cloud platform provides network resources, computing resources and storage resources to the security component management platform and starts its services so that it can operate normally. In the embodiment of the application, the security component management platform may manage the security components of the whole cloud platform, including but not limited to authorization of the target tenant, issuing of license files and providing authorized access information.
Security components may also be deployed on the cloud platform. In the embodiment of the application, the cloud platform can deploy security components according to the requirements of the target tenant, deploying at least one security component for at least one tenant at a time. A user may submit a component deployment request to the cloud platform; the component deployment request may include the authorization information and a component identifier corresponding to the target tenant. The target tenant represents the tenant for which the security component is to be deployed and may be any one or more tenants, and the authorization information may include the tenant's project information and use-duration information. Using project information as the authorization information of the target tenant lets different projects under the same tenant each be given their own security component, which refines the granularity of authorization management and improves its precision. The component identifier uniquely identifies a security component. Thus, the component deployment request can be understood as requesting a security service on a target security component (the component identifier in the component deployment request) for a target project (the project information in the authorization information) of the target tenant for a target duration (the use-duration information in the authorization information).
Step S202, a security component corresponding to the component identifier is created, and an authorization request is sent to the security component management platform.
After the cloud platform receives the component deployment request, firstly, a security component corresponding to the component identifier can be created according to the indication of the deployment request, and then, the security component is authorized to the target tenant.
In one possible implementation manner, the cloud platform stores image files of a plurality of security components, the image file of each security component corresponds to a component identifier, the component deployment request further includes component specification information, and the creating the security component corresponding to the component identifier includes: acquiring image files corresponding to the component identifiers from the image files of the plurality of safety components; and creating the safety component based on the component specification information and the image file corresponding to the component identifier.
The cloud platform may store image files of a plurality of security components. The target tenant may only need to provision security services on part of the security components. Therefore, after receiving the component deployment request, the cloud platform only needs to establish a security component according to the component identifier carried in the component deployment request. In one example, the mirror ask of the security component may be a mirror file in raw format. The cloud platform may first find an image file corresponding to the component identifier carried in the component deployment request from among the stored image files of the plurality of security components, and then create virtual machines with each found image file in the ECS, where these created virtual machines may be referred to as security components. In one possible implementation, each security component corresponds to a virtual private cloud network, which is used for tenant isolation and network isolation. In this way, privacy and security of the tenant can be ensured.
When the security component is deployed, different specifications can be adopted for deployment. In an embodiment of the present application, the component deployment request may include component specification information, which indicates the specification adopted when deploying the security component. In one example, the component specification information includes, but is not limited to, CPU, memory, and disk size information. The cloud platform can create a security component according to the component specification information and the image file corresponding to the component identifier. The created security component thus meets the requirements of the user and reduces the waste of resources.
In one possible implementation, the cloud platform may configure an internal network address of the cloud platform software defined network (SDN) for the security component management platform, and configure one internal network address of the cloud platform SDN for each security component, where the internal network address of the security component management platform is used for cross-network communication with the security components, and the internal network address configured for each security component is used for cross-network communication with the security component management platform.
In the embodiment of the application, the security component and the security component management platform each correspond to a virtual private cloud network. After the cloud platform configures an internal network address of the cloud platform SDN (i.e., an MFIP address) for the security component and for the security component management platform, cross-network communication between the security component and the security component management platform can be realized through the MFIP addresses. Therefore, the privacy of the tenant is preserved while communication between the security component and the security component management platform is realized, which is the precondition for the security component management platform to manage the security component.
In one possible implementation manner, the cloud platform may further configure a public network IP address of the cloud platform for the security component management platform as its service network address, and the target tenant may jump to the management page of the security component by logging in at the service network address. In this way, an external target tenant can access and manage the security components inside the cloud platform.
After the cloud platform completes the deployment of the security component management platform and the security component, the cloud platform may send an authorization request to the security component management platform. The authorization request comprises the authorization information and the component identifier, and is used for requesting to register the target tenant according to the authorization information and importing a permission file into the security component. That is, after the cloud platform sends an authorization request to the security component management platform, the security component management platform may open security services on the required security components for the target tenant.
The cloud platform sends an authorization request to the security component management platform. The security component management platform receives the authorization request sent by the cloud platform; registers and authenticates the target tenant on the security component according to the authorization information; and sends the license file to the security component if the registration and authentication are successful. The security component receives the license file sent by the security component management platform; opens the security service for the target tenant based on the license file; and sends an information acquisition request to the security component management platform. The security component management platform receives the information acquisition request sent by the security component; generates authorized access information of the security component in response to the information acquisition request; and returns the authorized access information of the security component to the cloud platform.
In the embodiment of the application, the user may first upload the license files on the cloud platform. After the cloud platform deploys the security component management platform, the cloud platform may send the license files to the security component management platform. In one possible implementation, the security component management platform stores a preset number of license files, and different security components use a uniform authorization mode and share this preset number. For example, if there are 200 license files in the security component management platform and different security components can use these license files, then once 10 license files have been consumed by one tenant, only 190 license files remain for the other tenants. Thus, by limiting the number of license files, the scope of the security services can be controlled and reliability can be improved.
In one possible implementation, the method further includes: detecting whether the port state of the security component is normal; and generating the authorization request under the condition that the port state of the security component is normal.
In the embodiment of the application, before sending the authorization request, the cloud platform may first check whether the port state of the security component is normal. If the port states of all the security components are normal, the security components can communicate normally with the security component management platform and can provide security services for the target tenant, so the cloud platform can generate and send the authorization requests. If the port state of a security component is abnormal, that security component may be unable to communicate with the security component management platform or to provide security services for the target tenant, so the cloud platform may temporarily refrain from generating an authorization request for it in order to save resources. Of course, the cloud platform may also choose to first open the security service on the security components whose port state is normal, and open the service on the other security components once their port states become normal, so that security services can be provided to the target tenant in time. The manner of detecting the port state may follow existing techniques and is not described herein.
Step S203, receiving the authorized access information of the security component returned by the security component management platform, and sending the authorized access information to the target tenant.
The authorized access information is generated if the license file is successfully imported into the security component. The cloud platform can receive the authorized access information of the security component returned by the security component management platform and send the authorized access information to the target tenant. The authorized access information includes, but is not limited to, an authorized uniform resource locator (Uniform Resource Locator, URL). The target tenant may perform a triggering operation on the authorized access information, and the cloud platform, in response to the triggering operation, can jump to the management page of the security component, where the management page can be used to carry out security management of the security component. For example, the security component management platform opens the security services of security component 1 and security component 2 for tenant 1, after which the cloud platform may send the authorized URL of security component 1 and the authorized URL of security component 2 to tenant 1. After clicking the authorized URL of security component 1, tenant 1 may jump to the management page of security component 1 and perform security management on security component 1. Similarly, after clicking the authorized URL of security component 2, tenant 1 may jump to the management page of security component 2 and perform security management on security component 2.
According to the security product component deployment method, the cloud platform deploys the security component management platform and the security components, unified authorization and licensing of each security component for the target tenant is carried out through the security component management platform, the authorized access information of each security component is sent to the target tenant, one-click deployment of the target tenant's security components is realized in pure software, and the deployment speed is improved.
In one embodiment, as shown in fig. 3, a security component deployment method is provided, and the security component deployment system in fig. 1 is taken as an example to illustrate the method, which includes the following steps:
step S301, the cloud platform deploys a security component management platform.
The user can upload the image file of the security component management platform on the cloud platform. After the cloud platform acquires the raw image file of the security component management platform, the security component management platform can be created in the ECS virtual machine service of the cloud platform using the image file, computing resources, network resources and storage resources are provided for the security component management platform, and the service of the security component management platform is started.
In step S302, the cloud platform configures a public network IP address and an MFIP address for the security component management platform.
The cloud platform may configure a public network IP address and an MFIP address for the security component management platform, where the public network IP address is the service network address and the MFIP address is the address used for communication with the security components.
In one possible implementation, the cloud platform may also import a license file to the security component management platform, which may be used to provision security services on the security component. When the security component receives the license file, it indicates that the security component can provision security services for the target tenant.
In step S303, the cloud platform receives image files of a plurality of security components.
The user may also upload the image files of multiple security components on the cloud platform. After the cloud platform receives the image files, the image files and the component identifiers can be stored in association, so that the image file of each security component corresponds to one component identifier.
Step S304, the user logs in the cloud platform.
A user may log onto the cloud platform to configure a security component for a target tenant. When a user logs in, the cloud platform can conduct authority verification on the user, and when the user has the security component deployment authority, the cloud platform can display the security component deployment page for the user to use.
In step S305, the user selects a security component to be deployed on the cloud platform.
In one example, the cloud platform may present a security component deployment page that may include a security component selection area, a component specification information configuration area, and an authorization information configuration area. The user may select the security components to be deployed in the security component selection area, input the necessary component specification information in the component specification information configuration area, and input the authorization information in the authorization information configuration area. Of course, the foregoing is merely an exemplary illustration of a security component deployment page; the page may further include other areas, and the embodiments of the present application are not limited in this respect.
Step S306, the cloud platform creates a security component according to the component specification information and the image file corresponding to the component identifier.
The cloud platform can obtain the specification information, the component identifier of the security component to be deployed and other information from the user's selection and configuration, and can then create the security component and start its service according to the component specification information and the image file corresponding to the component identifier.
Each security component
In step S307, the cloud platform configures the MFIP address for the security component.
The cloud platform may configure an MFIP address for the security component as the address the security component uses to communicate with the security component management platform.
In step S308, the cloud platform detects whether the port status of the security component is normal.
The cloud platform can first detect whether the port state of the security component is normal, and send the authorization request to the security component management platform only after the port state is normal.
Step S309, the cloud platform generates an authorization request under the condition that the port state of the security component is normal, and sends an authorization request to the security component management platform, wherein the authorization request comprises authorization information and component identification.
The authorization information may include, but is not limited to, project information, usage time length information, and the like. The project information can ensure that different projects under the target tenant can be respectively configured with the security components and used, so that the flexibility is improved.
In step S310, the security component management platform registers the target tenant on the security component corresponding to the component identifier according to the authorization information, and sends the license file to the security component.
In step S311, the security component receives the license file and opens a security service for the target tenant based on the license file.
In step S312, the security component sends an information acquisition request to the security component management platform.
In step S313, the security component management platform generates authorized access information of the security component in response to the information acquisition request, and returns the authorized access information of the security component to the cloud platform.
In step S314, the cloud platform sends the authorized access information to the target tenant.
Step S315, the target tenant clicks the authorized access information to jump to and log in to the management page of the security component.
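The exchange in steps S305 to S314, together with the shared license pool and the port-state gate described earlier, as a constructed simulation (added example, not the patent's own code). The image names, the `10.0.0.x` MFIP addresses, the `console.example.invalid` URL and the `port_states` probe stand-in are all assumptions.

```python
"""Constructed simulation of the security component deployment flow (steps S305-S314)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class SecurityComponent:
    """One security component VM created from a stored image."""
    component_id: str
    mfip: str                        # internal SDN address used to reach the management platform
    port_ok: bool                    # outcome of the port-state check (step S308)
    tenant_id: Optional[str] = None  # set when the management platform registers the tenant
    license_file: Optional[str] = None

    def import_license(self, license_file: str) -> bool:
        """Step S311: the service opens only if a tenant is registered and a license arrives."""
        if not license_file or self.tenant_id is None:
            return False
        self.license_file = license_file
        return True

    @property
    def service_open(self) -> bool:
        return self.license_file is not None


class ManagementPlatform:
    """Security component management platform holding a shared pool of license files."""

    def __init__(self, mfip: str, license_count: int):
        self.mfip = mfip
        self.licenses_left = license_count          # one pool shared by all security components
        self.issued: List[Tuple[str, str]] = []     # (component_id, tenant_id) pairs

    def authorize(self, request: dict, component: SecurityComponent) -> Optional[str]:
        """Steps S310-S313: register the tenant, issue a license, return the authorized URL."""
        if request["component_id"] != component.component_id or self.licenses_left <= 0:
            return None
        if not request.get("authorization", {}).get("project"):
            return None                                    # authorization info must name a project
        component.tenant_id = request["tenant_id"]         # registration (S310)
        license_file = f"LIC-{component.component_id}-{component.tenant_id}"  # constructed token
        if not component.import_license(license_file):
            component.tenant_id = None
            return None
        self.licenses_left -= 1
        self.issued.append((component.component_id, component.tenant_id))
        # S312/S313: the component's information acquisition request is answered with a URL
        return f"https://console.example.invalid/{component.component_id}?tenant={component.tenant_id}"


class CloudPlatform:
    """Cloud platform side: image store, component creation, port check, authorization request."""

    def __init__(self, images: Dict[str, str], mgmt: ManagementPlatform,
                 port_states: Optional[Dict[str, bool]] = None):
        self.images = images                   # component identifier -> raw image file
        self.mgmt = mgmt
        self.port_states = port_states or {}   # constructed stand-in for a real port probe
        self.components: Dict[Tuple[str, str], SecurityComponent] = {}
        self._next_host = 10

    def create_component(self, tenant_id: str, component_id: str, spec: dict) -> SecurityComponent:
        """Steps S305-S307: look up the image, validate the spec, create the VM, assign an MFIP."""
        if component_id not in self.images:
            raise KeyError(f"no image stored for component {component_id!r}")
        for key in ("cpu", "memory_gb", "disk_gb"):
            if spec.get(key, 0) <= 0:
                raise ValueError(f"component specification {key} must be positive")
        mfip = f"10.0.0.{self._next_host}"     # constructed internal SDN address
        self._next_host += 1
        comp = SecurityComponent(component_id, mfip, self.port_states.get(component_id, True))
        self.components[(tenant_id, component_id)] = comp
        return comp

    def deploy(self, request: dict) -> Dict[str, Optional[str]]:
        """Handle one component deployment request; maps component id -> authorized URL or None."""
        results: Dict[str, Optional[str]] = {}
        for component_id in request["component_ids"]:
            comp = self.create_component(request["tenant_id"], component_id, request["spec"])
            if not comp.port_ok:
                results[component_id] = None   # S308/S309: abnormal port, no authorization request
                continue
            auth_request = {"tenant_id": request["tenant_id"], "component_id": component_id,
                            "authorization": request["authorization"]}
            results[component_id] = self.mgmt.authorize(auth_request, comp)  # S314: sent to tenant
        return results


def run_demo() -> Tuple[Dict[str, Optional[str]], Dict[str, Optional[str]], int]:
    """Two tenants share a pool of 3 licenses; 'ids' fails its port check for tenant1."""
    mgmt = ManagementPlatform("10.0.0.2", license_count=3)
    cloud = CloudPlatform({"waf": "waf.raw", "ids": "ids.raw", "av": "av.raw"},
                          mgmt, port_states={"ids": False})
    authorization = {"project": "proj-A", "duration_days": 30}
    spec = {"cpu": 4, "memory_gb": 8, "disk_gb": 100}
    t1 = cloud.deploy({"tenant_id": "tenant1", "component_ids": ["waf", "ids", "av"],
                       "spec": spec, "authorization": authorization})
    cloud.port_states = {}                     # all ports normal for the second request
    t2 = cloud.deploy({"tenant_id": "tenant2", "component_ids": ["waf", "av"],
                       "spec": spec, "authorization": authorization})
    return t1, t2, mgmt.licenses_left


if __name__ == "__main__":
    print(run_demo())
```

The second tenant's `av` request is refused because the shared pool is exhausted, which is the accounting behaviour described for the 200-license example.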
In addition to registering the target tenant, issuing the license file and providing the authorized access information, the security component management platform can send requests such as authorization, renewal and unsubscription to the security component, so that the duration for which the security service is open can be changed. The security component can carry out the authorization, renewal, unsubscription and similar functions according to the request sent by the security component management platform.
According to the embodiment of the application, without depending on hardware equipment, the cloud platform carries out unified management of a plurality of security components in a pure software deployment mode, provides the security components to each tenant, and realizes tenant-level deployment, management and use of security components, which improves the deployment speed and working efficiency and improves the user experience. Meanwhile, the unified deployment mode does not require license files to be imported separately for each security component; the components can be used out of the box, which reduces the operation and maintenance difficulty. In addition, the cloud platform configures MFIP addresses for the security component management platform and the security components, and thereby realizes communication between the security component management platform and the security components under the tenant isolation and network isolation of the virtual private cloud. This provides the precondition for unified management of a plurality of security components, realizes one-click deployment of security components by tenants, simplifies the operation and maintenance steps of the security components, and reduces the operation and maintenance difficulty.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are shown sequentially as indicated by the arrows, these steps are not necessarily performed in the order indicated by the arrows. Unless explicitly stated herein, the steps are not strictly limited to that order of execution and may be executed in other orders. Moreover, at least some of the steps in the flowcharts described in the above embodiments may include a plurality of sub-steps or stages, which are not necessarily performed at the same time but may be performed at different times, and these sub-steps or stages are not necessarily performed sequentially but may be performed in turn or alternately with at least some of the other steps or stages.
Based on the same inventive concept, the embodiment of the application also provides a security component deployment device for implementing the security component deployment method. The implementation of the solution provided by the device is similar to the implementation described in the above method, so for the specific limitations in the embodiments of the security component deployment device or devices provided below, reference may be made to the limitations of the security component deployment method above, and they are not described again here.
In one embodiment, as shown in fig. 4, a security component deployment apparatus is provided, where the apparatus is applied to a cloud platform, and a security component management platform is deployed in the cloud platform, and the apparatus 400 may include: a first receiving module 401, a first creating module 402, and a second receiving module 403, wherein,
the first receiving module is used for receiving a component deployment request, wherein the component deployment request comprises authorization information and a component identifier corresponding to a target tenant;
the first creating module is used for creating a security component corresponding to the component identifier, and sending an authorization request to the security component management platform, wherein the authorization request comprises the authorization information and the component identifier, and the authorization request is used for requesting to register the target tenant according to the authorization information and importing a permission file to the security component;
the second receiving module is used for receiving the authorized access information of the security component returned by the security component management platform and sending the authorized access information to the target tenant, wherein the authorized access information is generated under the condition that the permission file is successfully imported in the security component.
In one embodiment, the cloud platform stores an image file of the security component management platform, and the apparatus further includes:
the second creation module is used for creating the security component management platform by adopting an image file of the security component management platform in a virtual machine service of the virtualized computing resource;
and the allocation module is used for allocating network resources, computing resources and storage resources for the security component management platform.
In one embodiment, the cloud platform stores image files of a plurality of security components, and the image file of each security component corresponds to a component identifier, and the first creating module is further configured to:
acquiring the image file corresponding to the component identifier from the image files of the plurality of security components;
and creating the security component based on the component specification information and the image file corresponding to the component identifier.
In one embodiment, the apparatus further comprises:
the detection module is used for detecting whether the port state of the security component is normal;
and the generation module is used for generating the authorization request under the condition that the port state of the security component is normal.
In one embodiment, each security component corresponds to a virtual private cloud network, the private cloud network being used for tenant isolation and network isolation, the apparatus further comprising:
a first configuration module, configured to configure an internal network address of a cloud platform software defined network SDN for the security component management platform, where the internal network address of the security component management platform is used for performing cross-network communication with the security component;
and the second configuration module is used for configuring an internal network address of the cloud platform SDN for each security component, and the internal network address configured by the security component is used for carrying out cross-network communication with the security component management platform.
In one embodiment, the apparatus further comprises:
the jump module is used for responding to the triggering operation of the authorized access information and jumping to a management page of the security component, wherein the management page is used for carrying out security management on the security component.
In one embodiment, as shown in fig. 5, a security component deployment apparatus is provided, the apparatus being applied to a security component management platform, the security component management platform being deployed by a cloud platform, the apparatus 500 may include: a first receiving module 501, a registering module 502, a first transmitting module 503, a second receiving module 504, a generating module 505, and a second transmitting module 506, wherein,
The first receiving module is used for receiving an authorization request sent by the cloud platform, wherein the authorization request comprises authorization information and a component identifier corresponding to a target tenant;
the registration module is used for registering the target tenant on a security component corresponding to the component identifier according to the authorization information, and the security component is created by the cloud platform;
a first sending module, configured to send a license file to the security component;
the second receiving module is used for receiving an information acquisition request sent by the security component, wherein the information acquisition request is generated under the condition that the license file is successfully imported in the security component;
the generation module is used for responding to the information acquisition request and generating authorized access information of the security component;
and the second sending module is used for returning the authorized access information of the security component to the cloud platform.
In one embodiment, as shown in fig. 6, a security component deployment apparatus is provided, where the apparatus is applied to a security component, where the security component is created by a cloud platform, and the security component is created based on a component identifier corresponding to a target tenant, and a security component management platform is deployed in the cloud platform, where the apparatus 600 may include: a receiving module 601, a service module 602, and a transmitting module 603, wherein,
The receiving module is used for receiving a license file sent by the security component management platform, wherein the license file is sent when the security component completes registration of the target tenant according to the authorization information of the target tenant;
the service module is used for opening security services for the target tenant based on the permission file;
and the sending module is used for sending an information acquisition request to the security component management platform, wherein the information acquisition request is used for requesting to acquire the authorized access information of the security component.
The various modules in the security component deployment device described above may be implemented in whole or in part by software, hardware, and combinations thereof. The above modules may be embedded in hardware or may be independent of a processor in the computer device, or may be stored in software in a memory in the computer device, so that the processor may call and execute operations corresponding to the above modules.
In one exemplary embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 7. The computer device includes a processor, a memory, an Input/Output interface (I/O) and a communication interface. The processor, the memory and the input/output interface are connected through a system bus, and the communication interface is connected to the system bus through the input/output interface. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, computer programs, and a database. The internal memory provides an environment for the operation of the operating system and computer programs in the non-volatile storage media. The input/output interface of the computer device is used to exchange information between the processor and the external device. The communication interface of the computer device is used for communicating with an external terminal through a network connection. The computer program, when executed by a processor, implements a secure component deployment method.
It will be appreciated by those skilled in the art that the structure shown in fig. 7 is merely a block diagram of some of the structures associated with the present application and is not limiting of the computer device to which the present application may be applied, and that a particular computer device may include more or fewer components than shown, or may combine certain components, or have a different arrangement of components.
In an exemplary embodiment, a computer device is provided, comprising a memory and a processor, the memory having stored therein a computer program, the processor performing the steps of the method embodiments described above when the computer program is executed.
In one embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when executed by a processor, implements the steps of the method embodiments described above.
In an embodiment, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the steps of the method embodiments described above.
Those skilled in the art will appreciate that implementing all or part of the above described methods may be accomplished by way of a computer program stored on a non-transitory computer readable storage medium, which when executed, may comprise the steps of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the various embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high density embedded nonvolatile Memory, resistive random access Memory (ReRAM), magnetic random access Memory (Magnetoresistive Random Access Memory, MRAM), ferroelectric Memory (Ferroelectric Random Access Memory, FRAM), phase change Memory (Phase Change Memory, PCM), graphene Memory, and the like. Volatile memory can include random access memory (Random Access Memory, RAM) or external cache memory, and the like. By way of illustration, and not limitation, RAM can be in the form of a variety of forms, such as static random access memory (Static Random Access Memory, SRAM) or dynamic random access memory (Dynamic Random Access Memory, DRAM), and the like. The databases referred to in the various embodiments provided herein may include at least one of relational databases and non-relational databases. The non-relational database may include, but is not limited to, a blockchain-based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic units, quantum computing-based data processing logic units, etc., without being limited thereto.
The technical features of the above embodiments may be arbitrarily combined, and all possible combinations of the technical features in the above embodiments are not described for brevity of description, however, as long as there is no contradiction between the combinations of the technical features, they should be considered as the scope of the description.
The above examples only represent a few embodiments of the present application, which are described in more detail and are not to be construed as limiting the scope of the present application. It should be noted that it would be apparent to those skilled in the art that various modifications and improvements could be made without departing from the spirit of the present application, which would be within the scope of the present application. Accordingly, the scope of protection of the present application shall be subject to the appended claims.

Claims (10)

1. A security component deployment method, wherein the method is applied to a cloud platform, in which a security component management platform is deployed, the method comprising:
receiving a component deployment request, wherein the component deployment request comprises authorization information and a component identifier corresponding to a target tenant;
creating a security component corresponding to the component identifier, and sending an authorization request to the security component management platform, wherein the authorization request comprises the authorization information and the component identifier, and the authorization request is used for requesting to register the target tenant according to the authorization information and importing a permission file to the security component;
and receiving the authorized access information of the security component returned by the security component management platform, and sending the authorized access information to the target tenant, wherein the authorized access information is generated under the condition that the permission file is successfully imported in the security component.
2. The method of claim 1, wherein the cloud platform has an image file of the security component management platform stored therein, the method further comprising:
creating the security component management platform in a virtual machine service of the virtualized computing resources using the image file of the security component management platform;
and allocating network resources, computing resources, and storage resources to the security component management platform.
3. The method according to claim 1, wherein the cloud platform stores image files of a plurality of security components, each image file of a security component corresponds to a component identifier, and the component deployment request further includes component specification information, and wherein the creating the security component corresponding to the component identifier includes:
acquiring the image file corresponding to the component identifier from the image files of the plurality of security components;
and creating the security component based on the component specification information and the image file corresponding to the component identifier.
4. The method according to claim 1, wherein the method further comprises:
detecting whether the port state of the security component is normal;
and generating the authorization request only under the condition that the port state of the security component is normal.
5. The method of claim 1, wherein each security component corresponds to a virtual private cloud (VPC) network, the VPC network being used for tenant isolation and network isolation, the method further comprising:
configuring an internal network address of the cloud platform Software Defined Network (SDN) for the security component management platform, wherein the internal network address of the security component management platform is used for cross-network communication with the security components;
and configuring an internal network address of the cloud platform SDN for each security component, wherein the internal network address configured for the security component is used for cross-network communication with the security component management platform.
6. The method according to claim 1, wherein the method further comprises:
in response to a triggering operation on the authorized access information, jumping to a management page of the security component, wherein the management page is used for performing security management of the security component.
7. A security component deployment method, wherein the method is applied to a security component management platform, the security component management platform being deployed by a cloud platform, the method comprising:
receiving an authorization request sent by the cloud platform, wherein the authorization request comprises authorization information and a component identifier corresponding to a target tenant;
registering the target tenant on the security component corresponding to the component identifier according to the authorization information, wherein the security component is created by the cloud platform;
sending a license file to the security component;
receiving an information acquisition request sent by the security component, wherein the information acquisition request is generated only under the condition that the license file has been successfully imported into the security component;
generating authorized access information of the security component in response to the information acquisition request;
and returning the authorized access information of the security component to the cloud platform.
8. A security component deployment method, wherein the method is applied to a security component, the security component is created by a cloud platform based on a component identifier corresponding to a target tenant, and a security component management platform is deployed in the cloud platform, the method comprising:
receiving a license file sent by the security component management platform, wherein the license file is sent once registration of the target tenant on the security component has been completed according to the authorization information of the target tenant;
enabling the security service for the target tenant based on the license file;
and sending an information acquisition request to the security component management platform, wherein the information acquisition request is used for requesting the authorized access information of the security component.
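Claims 1, 7 and 8 together describe one exchange seen from three parties: the cloud platform creates the component and asks the management platform for authorization, the management platform registers the tenant and sends the license, and the component imports the license before any access information is issued. The following is an added example, not code from the patent or from Shuguang Cloud Computing Group: an in-process Python model of that exchange, with the port-state gate of claim 4 and the per-component SDN address of claim 5 folded in. The message shapes, the HMAC-signed license format, the check that a license is bound to a specific instance and tenant, the image catalogue and the addresses are all assumptions; the patent specifies none of them.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Optional

# Constructed signing key: the patent does not say how license files are protected.
LICENSE_KEY = b"assumed-management-platform-signing-key"


@dataclass
class SecurityComponent:
    """Claim 8 side: the component the cloud platform created for one tenant."""
    instance_id: str
    component_id: str
    tenant: str
    sdn_address: str           # claim 5: one SDN internal address per component
    port_ok: bool = True       # claim 4: port state the cloud platform checks
    service_open: bool = False

    def import_license(self, license_file: bytes) -> bool:
        """Verify and import the license, then open service for the tenant (claim 8).
        The HMAC and the instance/tenant binding check are assumptions."""
        body, _, sig = license_file.rpartition(b"\n")
        expected = hmac.new(LICENSE_KEY, body, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(sig, expected):
            return False
        lic = json.loads(body)
        if lic.get("instance_id") != self.instance_id or lic.get("tenant") != self.tenant:
            return False  # license issued for another component or tenant
        self.service_open = True
        return True


class ManagementPlatform:
    """Claim 7 side: registers the tenant, sends the license, generates access info."""

    def __init__(self, sdn_address: str) -> None:
        self.sdn_address = sdn_address
        self.registrations = {}  # instance_id -> tenant

    def issue_license(self, instance_id: str, tenant: str) -> bytes:
        body = json.dumps({"instance_id": instance_id, "tenant": tenant}, sort_keys=True).encode()
        sig = hmac.new(LICENSE_KEY, body, hashlib.sha256).hexdigest().encode()
        return body + b"\n" + sig

    def handle_authorization_request(self, component: SecurityComponent,
                                     authorization_info: dict) -> Optional[dict]:
        tenant = authorization_info["tenant"]
        self.registrations[component.instance_id] = tenant  # register the tenant on the component
        if not component.import_license(self.issue_license(component.instance_id, tenant)):
            return None  # claim 1: no access info unless the import succeeded
        # The component's information acquisition request (claim 8) is modelled as this return.
        return {"instance_id": component.instance_id, "tenant": tenant,
                "management_url": f"https://{component.sdn_address}/manage"}  # assumed form


class CloudPlatform:
    """Claim 1 side: receives the deployment request and drives the exchange."""
    IMAGES = {"waf": "waf-v1.qcow2", "ids": "ids-v1.qcow2"}  # constructed catalogue (claim 3)

    def __init__(self) -> None:
        self.management = ManagementPlatform(sdn_address="10.255.0.2")
        self.next_host = 10

    def create_component(self, component_id: str, tenant: str, port_ok: bool = True) -> SecurityComponent:
        if component_id not in self.IMAGES:
            raise KeyError(f"no image for component identifier {component_id!r}")
        address = f"10.255.0.{self.next_host}"  # claim 5: per-component SDN address
        self.next_host += 1
        return SecurityComponent(f"{component_id}-{tenant}", component_id, tenant, address, port_ok)

    def deploy(self, request: dict, port_ok: bool = True) -> dict:
        """port_ok is a simulation hook standing in for the real port probe of claim 4."""
        tenant = request["authorization_info"]["tenant"]
        component = self.create_component(request["component_id"], tenant, port_ok)
        if not component.port_ok:  # claim 4: send the authorization request only when the port is up
            return {"status": "port_check_failed", "tenant": tenant}
        access = self.management.handle_authorization_request(component, request["authorization_info"])
        if access is None:
            return {"status": "license_import_failed", "tenant": tenant}
        return {"status": "ok", "tenant": tenant, "authorized_access_info": access}


if __name__ == "__main__":
    # Constructed deployment request carrying the two fields claim 1 requires.
    print(CloudPlatform().deploy({"component_id": "waf", "authorization_info": {"tenant": "tenant-a"}}))
```

The claims only require that access information be generated after a successful import; the binding check in `import_license` is the extra step a practitioner would want, since a license that any component of any tenant can import gives the "successfully imported" condition no security meaning. In this model a license issued for one instance is refused by another, and a component whose port check fails never causes a registration on the management platform.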
9. A security component deployment apparatus, the apparatus being applied to a cloud platform having a security component management platform deployed thereon, the apparatus comprising:
a first receiving module, configured to receive a component deployment request, wherein the component deployment request comprises authorization information and a component identifier corresponding to a target tenant;
a first creating module, configured to create a security component corresponding to the component identifier and to send an authorization request to the security component management platform, wherein the authorization request comprises the authorization information and the component identifier, and the authorization request is used for requesting to register the target tenant according to the authorization information and to import a license file into the security component;
and a second receiving module, configured to receive the authorized access information of the security component returned by the security component management platform and to send the authorized access information to the target tenant, wherein the authorized access information is generated only under the condition that the license file has been successfully imported into the security component.
10. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method of any one of claims 1 to 6, or implements the steps of the method of claim 7, or implements the steps of the method of claim 8.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311791082.1A CN117891466A (en) 2023-12-22 2023-12-22 Security product component method, apparatus, computer device, and storage medium

Publications (1)

Publication Number Publication Date
CN117891466A true CN117891466A (en) 2024-04-16

Family

ID=90648128

Country Status (1)

Country Link
CN (1) CN117891466A (en)

Similar Documents

Publication Publication Date Title
CN110120979B (en) Scheduling method, device and related equipment
CN108399101B (en) Method, device and system for scheduling resources
US20200364608A1 (en) Communicating in a federated learning environment
EP2689324B1 (en) Strong rights management for computing application functionality
US9813423B2 (en) Trust-based computing resource authorization in a networked computing environment
US9928080B2 (en) Hardware security module access management in a cloud computing environment
US20120311575A1 (en) System and method for enforcing policies for virtual machines
US9648040B1 (en) Authorization check using a web service request
US9866547B2 (en) Controlling a discovery component, within a virtual environment, that sends authenticated data to a discovery engine outside the virtual environment
EP2972728B1 (en) Tracking application usage in a computing environment
US8776057B2 (en) System and method for providing evidence of the physical presence of virtual machines
CN112099913A (en) Method for realizing safety isolation of virtual machine based on OpenStack
WO2022271223A9 (en) Dynamic microservices allocation mechanism
US11190359B2 (en) Device and system for accessing a distributed ledger
CN114185558A (en) Native application master selection method and device based on K8s and storage medium
CN114363162B (en) Block chain log generation method and device, electronic equipment and storage medium
CN115757611A (en) Big data cluster switching method and device, electronic equipment and storage medium
CN110839007A (en) Cloud network security processing method and device and computer storage medium
CN113377499A (en) Virtual machine management method, device, equipment and readable storage medium
CN108833177B (en) Virtual switch management method and master control card
CN117891466A (en) Security product component method, apparatus, computer device, and storage medium
CN114124524A (en) Cloud platform permission setting method and device, terminal equipment and storage medium
CN112015524A (en) Workflow deployment method, equipment, system and storage medium
CN118018552B (en) Cluster service deployment method and device based on middleware and computer equipment
CN112748981B (en) Processing method and device for software mirror image of virtual network function

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination