WO2015058569A1 - Security service subscription method and apparatus - Google Patents

Security service subscription method and apparatus

Info

Publication number
WO2015058569A1
Authority
WO
WIPO (PCT)
Prior art keywords
security service
tenant
virtual machine
data center
cloud data
Prior art date
Application number
PCT/CN2014/083229
Other languages
English (en)
French (fr)
Inventor
陈小华
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Priority to EP14856207.7A (EP3062479B1)
Priority to US15/031,811 (US10686837B2)
Publication of WO2015058569A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/52 Monitoring users, programs or devices to maintain the integrity of platforms during program execution, e.g. stack integrity; preventing unwanted data erasure; buffer overflow
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms during program execution by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; interpretation; software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances

Definitions

  • the present invention relates to the field of information security, and in particular, to a security service subscription method and apparatus.
  • Cloud computing data centers host not only customer equipment, but also computing power and IT availability.
  • The data is transmitted in the cloud; the cloud computing data center allocates the computing power required for it and manages the entire infrastructure in the background.
  • The software layer continuously tunes the cloud platform according to actual network usage.
  • the hardware level ensures the normal operation and deployment of the equipment room environment and network resources.
  • the data center can complete the entire IT solution, and customers can use the computing power (like the water and electricity supply) without having to worry about the background.
  • Security services are essential for tenants to use the services provided by cloud computing data centers.
  • Embodiments of the present invention provide a security service subscription method and apparatus, which solves the problem that a single security service providing manner cannot meet the needs of different tenants.
  • An embodiment of the present invention provides a security service subscription method, including: a cloud data center acquiring a security service type selected by a tenant; and the cloud data center performing a corresponding security service according to the security service type selected by the tenant.
  • Obtaining, by the cloud data center, the security service type selected by the tenant includes: after receiving a resource form sent by the tenant, the cloud data center determines the security service types of the virtual machine rented by the tenant, where the resource form carries the virtual machine the tenant requests to rent and the parameters of that virtual machine; the cloud data center determines one or more security service types suitable for the virtual machine and offers them to the tenant for selection; and the cloud data center receives information on the one or more security service types selected by the tenant.
  • The cloud data center determining one or more security service types suitable for the virtual machine for the tenant to select includes: the cloud data center generates a list of optional security service types from the information on the security service types it determines to be suitable for the virtual machine.
  • The optional security service type list includes multiple entries, each entry corresponding to the information of one optional security service type.
  • The cloud data center receiving the information on the one or more security service types selected by the tenant is specifically: the cloud data center receives a list of selected security service types returned by the tenant, where the selected security service type list carries the one or more optional security service types selected by the tenant.
  • The cloud data center determining the security service type of the virtual machine rented by the tenant is: the cloud data center determines, according to the parameters of the virtual machine, the security service types suitable for the virtual machine as the optional security service types.
  • the method further includes: configuring a virtual machine security service type list of the tenant in a security module in the access gateway, where the virtual machine security service type list includes the security service type selected by the tenant.
  • Obtaining, by the cloud data center, the security service type selected by the tenant includes: when the tenant accesses the cloud data center through the access gateway, the security module sends the virtual machine security service type list to the cloud data center, and the cloud data center determines the security service type selected by the tenant according to the virtual machine security service type list.
  • Acquiring, by the cloud data center, the security service type selected by the tenant includes: after receiving a virtual machine application sent by the tenant, the cloud data center determines the security service types of the virtual machine rented by the tenant, where the virtual machine application carries the virtual machine the tenant requests to rent, the parameters of the virtual machine, and the security service types requested by the tenant; the cloud data center determines the optional security service types of the tenant according to the parameters of the virtual machine; and the cloud data center selects, from the tenant's request, the security service types that are optional as the security service types selected by the tenant.
  • The method further includes: the cloud data center feeding back to the tenant the results of performing the security services corresponding to the one or more security service types selected by the tenant.
  • the embodiment of the present invention further provides another security service subscription method, including: the tenant selects a required security service type; the tenant submits the selected security service type to the cloud data center, and requests the corresponding security service.
  • The tenant selecting the required security service type includes: the tenant sends a resource form to the cloud data center, where the resource form carries the virtual machine the tenant requests to rent and the parameters of the virtual machine; the tenant receives one or more optional security service types returned by the cloud data center; and the tenant selects one or more optional security service types from the list of optional security service types.
  • The tenant receiving one or more security service types returned by the cloud data center is specifically: the tenant receives a list of optional security service types returned by the cloud data center, where the optional security service type list contains multiple entries, each corresponding to one optional security service type.
  • The tenant submitting the selected security service type to the cloud data center and requesting the corresponding security service includes: the tenant generates a list of selected security service types from the information of the selected security service types, where the selected security service type list carries the one or more optional security service types selected by the tenant; and the tenant sends the selected security service type list to the cloud data center.
  • The tenant selecting the required security service type includes: the tenant configures a virtual machine security service type list of the tenant in a security module in the access gateway, where the virtual machine security service type list includes the security service type selected by the tenant.
  • The tenant submitting the selected security service type to the cloud data center and requesting the corresponding security service includes: when the tenant accesses the cloud data center through the access gateway, the security module sends the virtual machine security service type list to the cloud data center.
  • The tenant submitting the selected security service type to the cloud data center and requesting the corresponding security service includes: the tenant sends a virtual machine application to the cloud data center, where the virtual machine application carries the virtual machine the tenant requests to rent, the parameters of the virtual machine, and the security service types requested by the tenant.
  • The method further includes: the tenant receiving, from the cloud data center, the results of performing the security services corresponding to the one or more selected security service types.
  • The embodiment of the present invention further provides a security service subscription device, including: a service type obtaining module, configured to acquire the security service type selected by a tenant; and a service execution module, configured to perform the corresponding security service according to the security service type selected by the tenant.
  • The service type obtaining module includes: a first request receiving unit, configured to determine, after receiving a resource form sent by the tenant, the security service types of the virtual machine rented by the tenant, where the resource form carries the virtual machine the tenant requests to rent and the parameters of the virtual machine; a first service providing unit, configured to provide the one or more security service types determined to be suitable for the virtual machine for the tenant to select; and a first selection receiving unit, configured to receive information on the one or more security service types selected by the tenant.
  • The service type obtaining module further includes: a second selection receiving unit, configured to receive, when the tenant accesses the cloud data center through the access gateway, the virtual machine security service type list sent by the security module, and to determine the security service type selected by the tenant according to that list.
  • The service type obtaining module further includes: a third request receiving unit, configured to determine, after receiving the virtual machine application sent by the tenant, the security service types of the virtual machine rented by the tenant, where the virtual machine application carries the virtual machine the tenant requests to rent, the parameters of the virtual machine, and the security service types requested by the tenant; a third optional determining unit, configured to determine the optional security service types of the tenant according to the parameters of the virtual machine; and a third selecting unit, configured to select, from the tenant's request, the security service types that are optional as the security service types selected by the tenant.
  • The apparatus further comprises: a result feedback module, configured to feed back to the tenant the results of performing the security services corresponding to the one or more security service types selected by the tenant.
  • An embodiment of the present invention provides a security service subscription method and device, where a cloud data center acquires the security service type selected by a tenant and performs the corresponding security service according to that type.
  • The cloud data center thus provides security services based on tenant needs, solving the problem that a single security service delivery method cannot meet the needs of different tenants.
  • FIG. 4 is a schematic diagram of a list of selected security service types in Embodiment 2 of the present invention
  • FIG. 4 is a schematic diagram of a network architecture used in Embodiment 3 of the present invention
  • FIG. 6 is a flowchart of a security service subscription method according to Embodiment 4 of the present invention
  • FIG. 7 is a schematic structural diagram of a security service subscription apparatus according to Embodiment 5 of the present invention
  • FIG. 8 is a schematic structural diagram of a service type acquisition module 701 of FIG.
  • the security services are rich in content, including basic security services: encryption, authentication, non-repudiation, integrity protection, etc.; application security services: online antivirus, intrusion detection, security warning, content monitoring, etc.
  • an embodiment of the present invention provides a security service subscription method.
  • a security service may be maintained as a resource pool, and a tenant selects a security service to be implemented on the resource.
  • Security resources can be used to provide external security services, including security detection services such as security scanning services, vulnerability scanning services, web scanning services, tamper-proof scanning services, port scanning services, Trojan scanning services, traffic monitoring services, etc.
  • Security resources also include protection services such as security hardening services, password enhancement services, anti-Trojan-injection services, anti-virus services, data stream cleaning services and firewall services.
  • Getting the resources you need on the network in an on-demand, scalable way is one of the features of cloud computing. In cloud data centers, security and reliability are the top concerns of tenants. Therefore, the various security measures in the cloud data center will be extremely important.
  • the security service mode in the cloud data center is run in the background by default, providing security for the cloud data center, and the security service is managed and distributed by the cloud data center.
  • the traditional security service strategy relies on a unified strategy.
  • the security services obtained by the tenant's resources are basically the same.
  • Tenants are not able to participate in the provision of security services for resources.
  • the security requirements for tenants vary for different business categories. For the same business category, the security requirements required by different tenants will vary.
  • Providing unified security protection for the different resources of different tenants cannot accurately meet tenants' needs or configure security resources efficiently. Therefore, to improve tenant participation and the tenant's experience of security services, the cloud data center can be responsible only for maintaining security resources and for executing security services and feeding back their results, while the security service types and strengths are returned to the tenant for selection and the tenant decides which type of security protection is applied to the leased resource.
  • The cloud data center maintains security resources such as system configuration check, system vulnerability check, system security hardening and system patch hardening. Before the tenant selects the security services to be executed, the cloud data center does not perform them; after the tenant has selected them, the cloud data center is responsible for executing these security services and feeds back the results to the tenant.
  • In the security service subscription method provided by the embodiment of the present invention, the tenant selects the security service types to be executed: after the tenant submits a virtual machine rental request, the cloud data center determines the security service types available to the virtual machine and offers them to the tenant for selection.
  • An embodiment of the present invention provides a security service subscription method.
  • the process for providing a security service to a tenant by using the method is as shown in FIG. 1.
  • The method includes the following steps: Step 101: A tenant submits a resource form List1 to a cloud data center, including the virtual machine to be rented.
  • Step 102: The cloud data center analyzes List1 according to its existing policy, sorts out the security service types usable by the virtual machine as the optional security service types, creates an optional security service type list List2, and feeds it back to the tenant. For example, the security policy may specify the content of the system configuration check according to the operating system type; different systems have different system configuration checks.
  • Step 103: The tenant selects one or more optional security service types in List2 to form the selected security service type list List3 and sends the list to the cloud data center, where List3 is a subset of List2.
  • Step 104: The cloud data center performs security detection and protection on the virtual machine according to List3 and feeds the security result back to the tenant.
  • Step 105: According to the security result, the tenant can decide whether to re-select the security services; if so, go back to step 103.
  • A specific implementation of the process shown in FIG. 1 is shown in FIG. 2.
  • The cloud data center provides a list of security services to the tenant through a web portal or a client, and the tenant can select the required security service types from the security service list. The specific process includes: Step 201: The tenant logs in to the cloud data center web portal or the client, submits the virtual machine resource form List1 there, and sends it to the cloud data center. Step 202: The cloud data center returns the security service type list List2 to the tenant according to List1; the tenant can select the required security capabilities (security service types) through the interface shown in FIG. 3.
  • Step 203: The tenant selects the security service types and forms the selected security service type list List3, as shown in FIG.
  • Step 204: The cloud data center performs security detection and protection according to List3 and feeds the security result back to the tenant.
  • Step 205: The tenant checks the security result and decides whether to re-select the security service types.
  • Embodiment 2 of the present invention will be described below with reference to the accompanying drawings.
  • the embodiment of the present invention provides a security service subscription method, which implements security service selection by using a security module in an access gateway provided by the cloud data center.
  • the network architecture is as shown in FIG. 5 .
  • The security module is responsible for interacting with the cloud data center to send and receive security service type information. For example, the security service types may be set in advance in the security module of the access gateway; the security module sends them to the cloud data center, and the cloud data center performs security detection and protection according to the security service types from the security module.
  • The function of the security module can also be extended. For example, the security module can determine, according to a predefined policy, the conditions under which the user accesses the gateway and adjust the security service types accordingly, e.g. by adding the security service types corresponding to the public network or by increasing the execution strength of the service types already configured in the security module.
  • the virtual machine security service type list can be set by a remote connection or other means by a privileged user such as a cloud data center or a tenant.
  • the security module in the access gateway sends the virtual machine security service type list to the cloud data center;
  • the cloud data center performs security detection and protection on the virtual machine according to the virtual machine security service type list, and feeds back the execution result to the tenant;
  • The tenant can judge whether to adjust the security service types based on the security result.
  • Embodiment 3 of the present invention will be described below with reference to the accompanying drawings.
  • the tenant sends a virtual machine application, and sends the expected security service type and virtual machine resources and service requirements to the cloud data center.
  • The cloud data center determines, according to its policy, whether these security service types are executed and with what execution intensity, and feeds back to the tenant the security service types executed and their execution results.
  • The tenant submits a virtual machine application to the cloud data center, including a virtual machine resource list List1, its content and form, and a list List2 of the security service types requested by the tenant;
  • The cloud data center filters from List2, according to List1, the security service types and execution strengths applicable to the virtual machine; it executes the selected security service type list List3 and feeds back the security execution results together with List3 to the tenant; the cloud data center can also send the tenant a list List4 of the security service types that the tenant should execute for the virtual machine.
  • An embodiment of the present invention provides a security service subscription method; the process by which a cloud data center provides a security service to a tenant is shown in FIG. 6. The method includes: Step 601: The cloud data center acquires the security service type selected by the tenant. In this step, the tenant first selects the required security service type and submits it to the cloud data center to request the corresponding security service; the cloud data center then acquires the security service type selected by the tenant. This step has three specific implementation manners, described separately below. Method one:
  • The tenant sends a resource form to the cloud data center; after receiving the resource form, the cloud data center determines the security service types of the virtual machine rented by the tenant, where the resource form carries the virtual machine the tenant requests to rent and the parameters of the virtual machine. Specifically, the cloud data center determines, according to the parameters of the virtual machine, the security service types suitable for the virtual machine as the optional security service types.
  • The cloud data center generates a list of optional security service types from the information on the security service types determined to be suitable for the virtual machine; the optional security service type list includes multiple entries, each corresponding to the information of one optional security service type.
  • The tenant selects one or more optional security service types from the list of optional security service types and generates a list of selected security service types from their information; the selected security service type list carries the one or more optional security service types selected by the tenant, and the tenant sends it to the cloud data center.
  • the cloud data center receives a list of selected security service types returned by the tenant, and the selected security service type list carries one or more optional security service types selected by the tenant.
  • Method two: the tenant configures a list of the virtual machine security service types of the tenant in the security module in the access gateway, where the virtual machine security service type list includes the security service type selected by the tenant.
  • the security module sends the virtual machine security service type list to the cloud data center;
  • the cloud data center determines, according to the virtual machine security service type list, a security service type selected by the tenant.
  • Method three: the tenant sends a virtual machine application to the cloud data center, where the virtual machine application carries the virtual machine requested by the tenant, the parameters of the virtual machine, and the security service types requested by the tenant; after receiving the virtual machine application sent by the tenant, the cloud data center determines the security service types of the virtual machine rented by the tenant;
  • The cloud data center determines the optional security service types of the tenant according to the parameters of the virtual machine, and selects, from the tenant's request, the security service types that are optional as the security service types selected by the tenant.
  • Step 602: The cloud data center performs the corresponding security service according to the security service type selected by the tenant. Once the security service types selected by the tenant have been determined, the cloud data center can perform the security services corresponding to those types and obtain the execution result data.
  • Step 603: The cloud data center feeds back to the tenant the results of performing the security services corresponding to the one or more security service types selected by the tenant.
  • the embodiment of the present invention provides a security service subscription device, and the structure thereof is as shown in FIG. 7.
  • The device includes: a service type obtaining module 701, configured to acquire the security service type selected by the tenant; and a service execution module 702, configured to perform the corresponding security service according to the security service type selected by the tenant.
  • the structure of the service type obtaining module 701 is as shown in FIG.
  • The service type obtaining module 701 includes: a first request receiving unit 7011, configured to determine, after receiving the resource form sent by the tenant, the security service types of the virtual machine rented by the tenant, where the resource form carries the virtual machine the tenant requests to rent and the parameters of the virtual machine; a first service providing unit 7012, configured to provide the one or more security service types determined to be suitable for the virtual machine for the tenant to select; and a first selection receiving unit 7013, configured to receive information on the one or more security service types selected by the tenant.
  • The service type obtaining module 701 further includes: a second selection receiving unit 7014, configured to receive, when the tenant accesses the cloud data center through the access gateway, the virtual machine security service type list sent by the security module, and to determine the security service type selected by the tenant according to that list.
  • The service type obtaining module 701 further includes: a third request receiving unit 7015, configured to determine, after receiving the virtual machine application sent by the tenant, the security service types of the virtual machine rented by the tenant, where the virtual machine application carries the virtual machine the tenant requests to rent, the parameters of the virtual machine, and the security service types requested by the tenant; a third optional determining unit 7016, configured to determine the optional security service types of the tenant according to the parameters of the virtual machine; and a third selecting unit 7017, configured to select, from the tenant's request, the security service types that are optional as the security service types selected by the tenant.
  • The apparatus further comprises: a result feedback module 703, configured to feed back to the tenant the results of performing the security services corresponding to the one or more security service types selected by the tenant.
  • the above security service subscription device can be integrated into the cloud data center, and the cloud data center performs the corresponding functions.
  • An embodiment of the present invention provides a security service subscription method and apparatus, where a cloud data center acquires a security service type selected by a tenant, and the cloud data center performs a corresponding security service according to the security service type selected by the tenant, The cloud data center provides security services based on tenant needs, and solves the problem that a single security service delivery method cannot meet the needs of different tenants.
  • the devices/function modules/functional units in the above embodiments may be implemented by a general-purpose computing device, which may be centralized on a single computing device or distributed over a network of multiple computing devices.
  • each device/function module/functional unit in the above embodiment is implemented in the form of a software function module and sold or used as a stand-alone product, it can be stored in a computer readable storage medium.
  • the above mentioned computer readable storage medium may be a read only memory, a magnetic disk or an optical disk or the like. Any changes or substitutions that are readily conceivable within the scope of the present invention are intended to be included within the scope of the present invention. Therefore, the scope of the invention should be determined by the scope of the claims.
  • the present invention provides a security service subscription method and apparatus, where a cloud data center acquires a security service type selected by a tenant, and the cloud data center performs a corresponding security service according to the security service type selected by the tenant.
  • the cloud data center provides security services according to the needs of tenants, and solves the problem that a single security service delivery method cannot meet the needs of different tenants.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • General Physics & Mathematics (AREA)
  • Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a security service customization method and apparatus. It relates to the field of information security and solves the problem that a single way of providing security services cannot meet the needs of different tenants. The method includes: a cloud data center obtains the security service type selected by a tenant; and the cloud data center executes the corresponding security service according to the security service type selected by the tenant. The technical solution provided by the present invention is applicable to cloud computing systems and enables a cloud data center to provide security services according to tenant needs.

Description

Security service customization method and apparatus

Technical Field

The present invention relates to the field of information security, and in particular to a security service customization method and apparatus.

Background

What a cloud computing data center hosts is not only the customer's equipment but also computing capacity and IT availability. Data is transferred in the cloud, and the cloud computing data center allocates the computing capacity it needs and manages the back end of the entire infrastructure. Operation and maintenance cover both software and hardware: at the software level the cloud platform is continuously tuned according to actual network usage, and at the hardware level the machine-room environment and network resources are kept running and allocated normally. The data center delivers the whole IT solution, so the customer need not worry about the back end at all and has ample computing capacity available, like a water or electricity supply.

Security services are indispensable to a tenant using the services a cloud computing data center provides. However, in order to raise the utilization of security resources, and given that in a cloud computing data center different tenants have different security requirements and that different resources of the same tenant, because they serve different purposes, call for different security service measures, a single way of providing security services cannot meet the needs of different tenants.

Summary

Embodiments of the present invention provide a security service customization method and apparatus, which solve the problem that a single way of providing security services cannot meet the needs of different tenants.

An embodiment of the present invention provides a security service customization method, including: a cloud data center obtains the security service type selected by a tenant; and the cloud data center executes the corresponding security service according to the security service type selected by the tenant.

Preferably, the cloud data center obtaining the security service type selected by the tenant includes: after receiving a resource form sent by the tenant, the cloud data center determines the security service type of the virtual machine rented by the tenant, the resource form carrying the virtual machine the tenant requests to rent and the parameters of that virtual machine; the cloud data center offers the one or more security service types determined to suit that virtual machine for the tenant to select; and the cloud data center receives information on the one or more security service types selected by the tenant.

Preferably, the cloud data center offering the one or more security service types determined to suit that virtual machine for the tenant to select is specifically: the cloud data center generates, from the information on the security service types determined to suit that virtual machine, an optional security service type list containing multiple entries, each entry corresponding to the information of one optional security service type.

Preferably, the cloud data center receiving information on the one or more security service types selected by the tenant is specifically: the cloud data center receives a selected security service type list returned by the tenant, which carries the one or more optional security service types selected by the tenant.

Preferably, the cloud data center determining, after receiving the resource form sent by the tenant, the security service type of the virtual machine rented by the tenant is specifically: the cloud data center determines, according to the parameters of the virtual machine, the security service types that suit that virtual machine as the optional security service types.

Preferably, the method further includes: configuring, in a security module in an access gateway, a virtual machine security service type list of the tenant, the virtual machine security service type list including the security service type selected by the tenant.

Preferably, the cloud data center obtaining the security service type selected by the tenant includes: when the tenant accesses the cloud data center through the access gateway, the security module sends the virtual machine security service type list to the cloud data center; and the cloud data center determines the security service type selected by the tenant according to the virtual machine security service type list.

Preferably, the cloud data center obtaining the security service type selected by the tenant includes: after receiving a virtual machine application sent by the tenant, the cloud data center determines the security service type of the virtual machine rented by the tenant, the virtual machine application carrying the virtual machine the tenant requests to rent, the parameters of that virtual machine and the security service type requested by the tenant; the cloud data center determines the tenant's optional security service types according to the parameters of the virtual machine; and the cloud data center takes the optional security service types in the tenant's request as the security service type selected by the tenant.

Preferably, after the step of the cloud data center executing the corresponding security service according to the security service type selected by the tenant, the method further includes: the cloud data center feeds back to the tenant the result of executing the security services corresponding to the one or more security service types selected by the tenant.

An embodiment of the present invention further provides another security service customization method, including: a tenant selects the security service type it needs; and the tenant submits the selected security service type to a cloud data center to request the corresponding security service.

Preferably, the tenant selecting the security service type it needs includes: the tenant sends a resource form to the cloud data center, the resource form carrying the virtual machine the tenant requests to rent and the parameters of that virtual machine; the tenant receives one or more security service types returned by the cloud data center; and the tenant selects one or more optional security service types from the optional security service type list.

Preferably, the tenant receiving one or more security service types returned by the cloud data center is specifically: the tenant receives an optional security service type list returned by the cloud data center, the list containing multiple entries, each entry corresponding to the information of one optional security service type.

Preferably, the tenant submitting the selected security service type to the cloud data center to request the corresponding security service includes: the tenant generates a selected security service type list from the information on the selected optional security service types, the selected list carrying the one or more optional security service types selected by the tenant; and the tenant sends the selected security service type list to the cloud data center.

Preferably, the tenant selecting the security service type it needs includes: the tenant configures, in a security module in an access gateway, the tenant's virtual machine security service type list, which includes the security service type selected by the tenant.

Preferably, the tenant submitting the selected security service type to the cloud data center to request the corresponding security service includes: when the tenant accesses the cloud data center through the access gateway, the security module sends the virtual machine security service type list to the cloud data center.

Preferably, the tenant submitting the selected security service type to the cloud data center to request the corresponding security service includes: the tenant sends a virtual machine application to the cloud data center, the virtual machine application carrying the virtual machine the tenant requests to rent, the parameters of that virtual machine and the security service type requested by the tenant.

Preferably, after the step of the tenant submitting the selected security service type to the cloud data center to request the corresponding security service, the method further includes: the tenant receives, fed back by the cloud data center, the result of executing the security services corresponding to the one or more security service types.

An embodiment of the present invention further provides a security service customization apparatus, including: a service type obtaining module, configured to obtain the security service type selected by a tenant; and a service execution module, configured to execute the corresponding security service according to the security service type selected by the tenant.

Preferably, the service type obtaining module includes: a first request receiving unit, configured to determine, after receiving a resource form sent by the tenant, the security service type of the virtual machine rented by the tenant, the resource form carrying the virtual machine the tenant requests to rent and the parameters of that virtual machine; a first service providing unit, configured to offer the one or more security service types determined to suit that virtual machine for the tenant to select; and a first selection receiving unit, configured to receive information on the one or more security service types selected by the tenant.

Preferably, the service type obtaining module further includes: a second selection receiving unit, configured to receive, when the tenant accesses the cloud data center through the access gateway, the virtual machine security service type list sent by the security module, and to determine the security service type selected by the tenant according to that list.

Preferably, the service type obtaining module further includes: a third request receiving unit, configured to determine, after receiving a virtual machine application sent by the tenant, the security service type of the virtual machine rented by the tenant, the virtual machine application carrying the virtual machine the tenant requests to rent, the parameters of that virtual machine and the security service type requested by the tenant; a third optional-type determining unit, configured to determine the tenant's optional security service types according to the parameters of the virtual machine; and a third selecting unit, configured to take the optional security service types in the tenant's request as the security service type selected by the tenant.

Preferably, the apparatus further includes: a result feedback module, configured to feed back to the tenant the result of executing the security services corresponding to the one or more security service types selected by the tenant.

Embodiments of the present invention provide a security service customization method and apparatus in which a cloud data center obtains the security service type selected by a tenant and executes the corresponding security service according to that type, so that the cloud data center provides security services according to tenant needs, solving the problem that a single way of providing security services cannot meet the needs of different tenants.

Brief Description of the Drawings

Fig. 1 is a flowchart of a security service customization method provided by Embodiment 1 of the present invention;
Fig. 2 is a flowchart of another security service customization method provided by Embodiment 1 of the present invention;
Fig. 3 is a schematic diagram of the optional security service list in Embodiment 2 of the present invention;
Fig. 4 is a schematic diagram of the selected security service type list in Embodiment 2 of the present invention;
Fig. 5 is a schematic diagram of the network architecture used in Embodiment 3 of the present invention;
Fig. 6 is a flowchart of a security service customization method provided by Embodiment 4 of the present invention;
Fig. 7 is a schematic structural diagram of a security service customization apparatus provided by Embodiment 5 of the present invention;
Fig. 8 is a schematic structural diagram of the service type obtaining module 701 in Fig. 7.

Detailed Description

Security services are rich in content. They include basic security services such as encryption, authentication, non-repudiation and integrity protection, and application security services such as online antivirus, intrusion detection, security early warning and content monitoring. When choosing to rent resources of a cloud data center, a tenant often understands its own security needs better than the service provider does.

To solve the above problem, embodiments of the present invention provide a security service customization method in which the cloud computing data center may maintain security services as a resource pool and the tenant selects the security services to be applied to its resources.

The embodiments of the present invention are described in detail below with reference to the drawings. It should be noted that, where there is no conflict, the embodiments in this application and the features in the embodiments may be combined with one another arbitrarily.

When a cloud data center pools its other physical resources it necessarily also has to manage security resources centrally. Centralized management and operation of security resources can improve the efficiency with which cloud data center resources are used and managed. Security resources can be used to provide security services externally, including security detection services, such as security scanning, vulnerability scanning, web page scanning, tamper-detection scanning, port scanning, trojan scanning and traffic monitoring, and security protection resources, including security hardening, password strengthening, anti-trojan-injection, antivirus, data flow cleaning and firewall services.

Obtaining the required resources over the network in an on-demand, easily scalable way is one of the characteristics of cloud computing. In a cloud data center, security and reliability are what tenants care about most, so the various security protection measures of the cloud data center are extremely important. At present, security services in a cloud data center all run in the background by default to protect the cloud data center, and the cloud data center manages and allocates them centrally. Traditional security service strategies rely on a uniform policy, so the security services that tenants' resources receive are essentially the same, and tenants cannot take part in deciding which security services are provided for their resources.

In a cloud data center, the security requirements a tenant needs differ between business categories, and within the same business category different tenants have different security requirements. Moreover, from the cloud data center's point of view, providing uniform security protection for the different resources of different tenants neither meets tenant needs precisely nor configures security resources efficiently. Therefore, to increase tenant participation and improve the tenant experience of security services, the cloud data center may be responsible only for maintaining the security resources and for executing the security services and feeding back their results, while handing the choice of security service type and strength back to the tenant, who decides which types of security protection are applied to the rented resources.

For example, the cloud data center maintains security resources such as system configuration checking, system vulnerability checking, system security hardening and system patch hardening. Before the tenant has selected the security services to be executed, the cloud data center does not execute them; once the tenant has specified the security services, the cloud data center is responsible for executing them and feeding the execution results back to the tenant.

In the security service customization method provided by the embodiments of the present invention, the tenant selects the security service types to be executed. After the tenant submits a virtual machine rental request, the cloud data center determines the security service types available to that virtual machine, offers them to the tenant for selection, and performs security protection for the tenant's virtual machine according to the security service types the tenant has selected.

Embodiment 1 of the present invention is described below with reference to the drawings. This embodiment provides a security service customization method; the flow of providing security services to a tenant with this method is shown in Fig. 1 and includes:

Step 101: the tenant submits a resource form List1 to the cloud data center, including the required virtual machine parameters (such as CPU, memory and disk) and clearly stating the operating system and service types to be pre-installed in the virtual machine;

Step 102: the cloud data center analyzes List1 according to its existing policies, works out the security service types suitable for this virtual machine as the optional security service types, compiles an optional security service type list List2 and feeds it back to the tenant. For example, a security policy may specify the content of the system configuration check according to the operating system type; different systems have different system configuration checks.

Step 103: the tenant selects one or more optional security service types from List2 to form a selected security service type list List3 and sends it to the cloud data center, where List3 is a subset of List2.

Step 104: the cloud data center performs security detection and protection on the virtual machine according to List3 and feeds the security results back to the tenant;

Step 105: based on the security results, the tenant may decide whether to re-select security services; if security services need to be re-selected, the flow returns to step 103.

A specific implementation of the flow in Fig. 1 is shown in Fig. 2: the cloud data center provides the tenant with a security service list through a web portal or client, and the tenant selects the required security service types from that list. The flow includes:

Step 201: the tenant logs in to the cloud data center web portal or client, fills in the virtual machine resource form List1 there and sends it to the cloud data center;

Step 202: the cloud data center returns the optional security service type list List2 to the user according to List1, as shown in Fig. 3; the customer can select the required security capabilities (security service types) through the interface shown in Fig. 3;

Step 203: the tenant selects security service types to form the selected security service type list List3 (Fig. 4 shows one concrete implementation of List3, a list of already subscribed security capabilities) and sends it to the data center;

Step 204: the cloud data center performs security detection and protection according to List3 and feeds the security results back to the tenant;

Step 205: the tenant reviews the security results and decides whether to re-select security service types.

Embodiment 2 of the present invention is described below with reference to the drawings. This embodiment provides a security service customization method in which security service selection is implemented through a security module in an access gateway provided by the cloud data center; the network architecture is shown in Fig. 5.

The security module is responsible for interacting with the cloud data center, sending and receiving security service type information. For example, the security service types are set in advance in the security module of the access gateway; when the tenant uses virtual machine resources through this security module, the module delivers the security service types to the cloud data center, which performs security detection and protection for that virtual machine according to the security service types from the security module.

The functions of the security module can also be extended. For example, according to a predefined policy, the security module may evaluate the conditions under which the user accesses the gateway and adjust the configured security service types: when the access gateway finds that the tenant's access environment is a public network, the security module adds the security service types corresponding to a public network or raises the execution strength of the service types it already has.

The tenant's virtual machine security service type list, which includes the security service types selected by the tenant, is configured in the security module in the access gateway. The list may be set by an authorized user such as the cloud data center or the tenant, through a remote connection or by other means.

The flow is as follows:

1. When the tenant accesses the virtual machine system of the cloud data center through the access gateway, the security module in the access gateway sends the virtual machine security service type list to the cloud data center;
2. The cloud data center performs security detection and protection on the virtual machine according to that list and feeds the execution results back to the tenant;
3. Based on the security results, the tenant may decide whether to adjust the security service types.

Embodiment 3 of the present invention is described below with reference to the drawings. When sending a virtual machine application, the tenant sends the desired security service types to the cloud data center together with the virtual machine resource and service requirements; the cloud data center decides by policy whether, and how strongly, to execute these security service types, and feeds back to the tenant the security service types executed and the execution results.

The flow is as follows:

1. The tenant submits a virtual machine application to the cloud data center, including the virtual machine resource list List1, whose content is the same as in Embodiment 1, and a list List2 of the security service types the tenant requests;
2. According to its security policy and List1, the cloud data center filters from List2 the security service types usable by that virtual machine, together with execution strength and similar information, as List3; the cloud data center executes the filtered security service types List3 and feeds back the security execution results and List3 to the tenant; optionally, the cloud data center may at the same time send the tenant a list List4 of the security service types it recommends the tenant execute for the virtual machine;
3. The tenant reviews List3 and the security execution results, or reviews List4 and initiates a new security service type selection request.

Embodiment 4 of the present invention is described below with reference to the drawings. This embodiment provides a security service customization method; the flow by which the cloud data center provides security services to a tenant with this method is shown in Fig. 6 and includes:

Step 601: the cloud data center obtains the security service type selected by the tenant. In this step, the tenant first selects the security service types it needs, submits them to the cloud data center and requests the corresponding security services; the cloud data center then obtains the selected security service types. This step has three specific implementations, described separately below.

Mode one:

1. The tenant sends a resource form to the cloud data center; after receiving it, the cloud data center determines the security service type of the virtual machine rented by the tenant, the resource form carrying the virtual machine the tenant requests to rent and the parameters of that virtual machine. Specifically, the cloud data center determines, according to the parameters of the virtual machine, the security service types that suit it as the optional security service types.
2. The cloud data center generates, from the information on the security service types determined to suit the virtual machine, an optional security service type list containing multiple entries, each entry corresponding to the information of one optional security service type; the tenant selects one or more optional security service types from that list, generates a selected security service type list carrying the selected types, and sends it to the cloud data center.
3. The cloud data center receives the selected security service type list returned by the tenant, which carries the one or more optional security service types selected by the tenant.

Mode two:

1. The tenant configures, in the security module in the access gateway, the tenant's virtual machine security service type list, which includes the security service types selected by the tenant.
2. When the tenant accesses the cloud data center through the access gateway, the security module sends the virtual machine security service type list to the cloud data center;
3. The cloud data center determines the security service types selected by the tenant according to that list.

Mode three:

1. The tenant sends a virtual machine application to the cloud data center, the application carrying the virtual machine the tenant requests to rent, the parameters of that virtual machine and the security service types requested by the tenant; after receiving the application, the cloud data center determines the security service type of the virtual machine rented by the tenant;
2. The cloud data center determines the tenant's optional security service types according to the parameters of the virtual machine;
3. The cloud data center takes the optional security service types in the tenant's request as the security service types selected by the tenant.

Step 602: the cloud data center executes the corresponding security service according to the security service type selected by the tenant. Once the security service types selected by the tenant have been determined in step 601, the cloud data center can execute the corresponding security services and obtain the execution result data.

Step 603: the cloud data center feeds back to the tenant the result of executing the security services corresponding to the one or more security service types selected by the tenant.

Embodiment 5 of the present invention is described below with reference to the drawings. This embodiment provides a security service customization apparatus whose structure is shown in Fig. 7 and which includes: a service type obtaining module 701, configured to obtain the security service type selected by a tenant; and a service execution module 702, configured to execute the corresponding security service according to the security service type selected by the tenant.

Preferably, the structure of the service type obtaining module 701 is as shown in Fig. 8 and includes: a first request receiving unit 7011, configured to determine, after receiving a resource form sent by the tenant, the security service type of the virtual machine rented by the tenant, the resource form carrying the virtual machine the tenant requests to rent and the parameters of that virtual machine; a first service providing unit 7012, configured to offer the one or more security service types determined to suit that virtual machine for the tenant to select; and a first selection receiving unit 7013, configured to receive information on the one or more security service types selected by the tenant.

Preferably, the service type obtaining module 701 further includes: a second selection receiving unit 7014, configured to receive, when the tenant accesses the cloud data center through the access gateway, the virtual machine security service type list sent by the security module, and to determine the security service type selected by the tenant according to that list.

Preferably, the service type obtaining module 701 further includes: a third request receiving unit 7015, configured to determine, after receiving a virtual machine application sent by the tenant, the security service type of the virtual machine rented by the tenant, the application carrying the virtual machine the tenant requests to rent, the parameters of that virtual machine and the security service type requested by the tenant; a third optional-type determining unit 7016, configured to determine the tenant's optional security service types according to the parameters of the virtual machine; and a third selecting unit 7017, configured to take the optional security service types in the tenant's request as the security service type selected by the tenant.

Preferably, the apparatus further includes: a result feedback module 703, configured to feed back to the tenant the result of executing the security services corresponding to the one or more security service types selected by the tenant.

The above security service customization apparatus may be integrated into the cloud data center, which then performs the corresponding functions.

Embodiments of the present invention provide a security service customization method and apparatus in which a cloud data center obtains the security service type selected by a tenant and executes the corresponding security service according to that type, so that the cloud data center provides security services according to tenant needs, solving the problem that a single way of providing security services cannot meet the needs of different tenants.

Those of ordinary skill in the art will understand that all or some of the steps of the above embodiments may be implemented by a computer program flow; the computer program may be stored in a computer-readable storage medium and executed on a corresponding hardware platform (such as a system, equipment, apparatus or device), and, when executed, includes one of the steps of the method embodiments or a combination of them.

Optionally, all or some of the steps of the above embodiments may also be implemented with integrated circuits; the steps may each be made into an individual integrated circuit module, or several of the modules or steps may be made into a single integrated circuit module. Thus the present invention is not limited to any particular combination of hardware and software.

The devices, functional modules and functional units in the above embodiments may be implemented with general-purpose computing devices, and may be concentrated on a single computing device or distributed over a network of several computing devices.

When the devices, functional modules and functional units in the above embodiments are implemented in the form of software functional modules and sold or used as independent products, they may be stored in a computer-readable storage medium. The computer-readable storage medium mentioned above may be a read-only memory, a magnetic disk, an optical disk or the like.

Any change or substitution that a person skilled in the art could readily conceive within the technical scope disclosed by the present invention shall fall within its scope of protection. Therefore, the scope of protection of the present invention shall be that defined by the claims.

Industrial Applicability

Embodiments of the present invention provide a security service customization method and apparatus in which a cloud data center obtains the security service type selected by a tenant and executes the corresponding security service according to that type, so that the cloud data center provides security services according to tenant needs, solving the problem that a single way of providing security services cannot meet the needs of different tenants.
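The List1 to List4 exchange described in Embodiments 1 to 4 above, as an added Python example; this is not code from the patent or from its applicant. The service catalogue, the eligibility rules, the public-network rule of the gateway security module, the meaning given to List4 and the simulated findings are constructed assumptions. The one point the example adds beyond the text is where the property stated in step 103 (List3 is a subset of List2) is enforced: on the cloud side, before any service is executed, so a selection that names a service the policy never offered for this virtual machine is refused rather than served.

```python
"""Tenant-customized security services, modelled on the List1..List4 exchange
of WO2015058569A1.  Added example, not the patent's or ZTE's code.  The
catalogue, eligibility rules, gateway rule and findings are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class VmSpec:
    """List1: the virtual machine the tenant asks to rent and its parameters."""
    os: str
    cpu: int
    mem_gb: int
    disk_gb: int


# Constructed policy table (assumption).  The description only says that the
# OS type decides the content of the configuration check; the memory floor is
# an added illustration of a parameter-based rule.
CATALOGUE = {
    "system_config_check": {"os": {"linux", "windows"}, "min_mem_gb": 0},
    "system_vuln_check":   {"os": {"linux", "windows"}, "min_mem_gb": 0},
    "system_hardening":    {"os": {"linux", "windows"}, "min_mem_gb": 2},
    "patch_hardening":     {"os": {"windows"},          "min_mem_gb": 0},
    "firewall":            {"os": {"linux", "windows"}, "min_mem_gb": 0},
    "antivirus":           {"os": {"windows"},          "min_mem_gb": 4},
    "traffic_monitoring":  {"os": {"linux"},            "min_mem_gb": 0},
}

# Constructed per-service findings so the simulated execution is deterministic.
FINDINGS = {"system_config_check": 3, "system_vuln_check": 1}


def optional_services(vm: VmSpec) -> list[str]:
    """Step 102: derive the optional list List2 from List1 by policy."""
    return sorted(name for name, rule in CATALOGUE.items()
                  if vm.os in rule["os"] and vm.mem_gb >= rule["min_mem_gb"])


def validate_selection(list2: list[str], list3: list[str]) -> list[str]:
    """Cloud-side check of the step 103 property "List3 is a subset of List2".
    Returns the entries of List3 that were never offered; a non-empty result
    means the client sent something the policy did not allow for this VM."""
    offered = set(list2)
    return sorted({s for s in list3 if s not in offered})


def execute(list3: list[str]) -> list[dict]:
    """Step 104: run each selected service and build the result that is fed back."""
    return [{"service": s, "status": "done", "findings": FINDINGS.get(s, 0)}
            for s in list3]


def subscribe(vm: VmSpec, choice: list[str]) -> dict:
    """Embodiment 1 end to end: offer List2, accept List3, execute, feed back."""
    list2 = optional_services(vm)
    rejected = validate_selection(list2, choice)
    if rejected:
        raise ValueError(f"not offered for this VM: {rejected}")
    list3 = sorted(set(choice))
    return {"list2": list2, "list3": list3, "results": execute(list3)}


def filter_requested(vm: VmSpec, requested: list[str]) -> tuple[list[str], list[str]]:
    """Embodiment 3: the tenant sends its wished types with the VM application.
    List3 is what policy allows of the request; List4 is assumed here to be the
    allowed types the tenant did not ask for (the text only calls it a
    recommendation)."""
    eligible = set(optional_services(vm))
    return sorted(eligible & set(requested)), sorted(eligible - set(requested))


def gateway_adjust(configured: list[str], access_env: str) -> list[str]:
    """Embodiment 2: the access-gateway security module extends the configured
    list when the tenant connects from a public network (constructed rule)."""
    extra = {"public": {"firewall", "traffic_monitoring"}}
    return sorted(set(configured) | extra.get(access_env, set()))


if __name__ == "__main__":
    vm = VmSpec(os="linux", cpu=2, mem_gb=4, disk_gb=40)
    print(subscribe(vm, ["system_vuln_check", "firewall"]))
    print(filter_requested(vm, ["firewall", "antivirus", "system_vuln_check"]))
    print(gateway_adjust(["system_config_check"], "public"))
```

The policy table is the only place the cloud side decides what a given virtual machine may receive; both the interactive flow (`subscribe`) and the application-time flow (`filter_requested`) derive their answer from it, which is what keeps a tenant's selection from exceeding what step 102 offered.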

Claims

Claims

1. A security service customization method, comprising: a cloud data center obtaining a security service type selected by a tenant; and the cloud data center executing a corresponding security service according to the security service type selected by the tenant.

2. The security service customization method according to claim 1, wherein the cloud data center obtaining the security service type selected by the tenant comprises: after receiving a resource form sent by the tenant, the cloud data center determining the security service type of a virtual machine rented by the tenant, the resource form carrying the virtual machine the tenant requests to rent and parameters of the virtual machine; the cloud data center offering one or more security service types determined to suit the virtual machine for the tenant to select; and the cloud data center receiving information on the one or more security service types selected by the tenant.

3. The security service customization method according to claim 2, wherein the cloud data center offering one or more security service types determined to suit the virtual machine for the tenant to select comprises: the cloud data center generating, from information on the security service types determined to suit the virtual machine, an optional security service type list containing a plurality of entries, each entry corresponding to information of one optional security service type.

4. The security service customization method according to claim 3, wherein the cloud data center receiving information on the one or more security service types selected by the tenant comprises: the cloud data center receiving a selected security service type list returned by the tenant, the selected security service type list carrying the one or more optional security service types selected by the tenant.

5. The security service customization method according to claim 2, wherein the cloud data center determining, after receiving the resource form sent by the tenant, the security service type of the virtual machine rented by the tenant comprises: the cloud data center determining, according to the parameters of the virtual machine, the security service types suitable for the virtual machine as optional security service types.

6. The security service customization method according to claim 1, further comprising: configuring, in a security module in an access gateway, a virtual machine security service type list of the tenant, the virtual machine security service type list including the security service type selected by the tenant.

7. The security service customization method according to claim 4, wherein the cloud data center obtaining the security service type selected by the tenant comprises: when the tenant accesses the cloud data center through the access gateway, the security module sending the virtual machine security service type list to the cloud data center; and the cloud data center determining the security service type selected by the tenant according to the virtual machine security service type list.

8. The security service customization method according to claim 1, wherein the cloud data center obtaining the security service type selected by the tenant comprises: after receiving a virtual machine application sent by the tenant, the cloud data center determining the security service type of the virtual machine rented by the tenant, the virtual machine application carrying the virtual machine the tenant requests to rent, parameters of the virtual machine and the security service type requested by the tenant; the cloud data center determining optional security service types of the tenant according to the parameters of the virtual machine; and the cloud data center taking the optional security service types in the tenant's request as the security service type selected by the tenant.

9. The security service customization method according to claim 1, further comprising, after the step of the cloud data center executing the corresponding security service according to the security service type selected by the tenant: the cloud data center feeding back to the tenant the result of executing the security service corresponding to the one or more security service types selected by the tenant.

10. A security service customization method, comprising: a tenant selecting a security service type it needs; and the tenant submitting the selected security service type to a cloud data center to request a corresponding security service.

11. The security service customization method according to claim 10, wherein the tenant selecting the security service type it needs comprises: the tenant sending a resource form to the cloud data center, the resource form carrying the virtual machine the tenant requests to rent and parameters of the virtual machine; the tenant receiving one or more security service types returned by the cloud data center; and the tenant selecting one or more optional security service types from the optional security service type list.

12. The security service customization method according to claim 11, wherein the tenant receiving one or more security service types returned by the cloud data center is specifically: the tenant receiving an optional security service type list returned by the cloud data center, the optional security service type list containing a plurality of entries, each entry corresponding to information of one optional security service type.

13. The security service customization method according to claim 12, wherein the tenant submitting the selected security service type to the cloud data center to request the corresponding security service comprises: the tenant generating a selected security service type list from information on the selected optional security service types, the selected security service type list carrying the one or more optional security service types selected by the tenant; and the tenant sending the selected security service type list to the cloud data center.

14. The security service customization method according to claim 10, wherein the tenant selecting the security service type it needs comprises: the tenant configuring, in a security module in an access gateway, the tenant's virtual machine security service type list, the virtual machine security service type list including the security service type selected by the tenant.

15. The security service customization method according to claim 14, wherein the tenant submitting the selected security service type to the cloud data center to request the corresponding security service comprises: when the tenant accesses the cloud data center through the access gateway, the security module sending the virtual machine security service type list to the cloud data center.

16. The security service customization method according to claim 10, wherein the tenant submitting the selected security service type to the cloud data center to request the corresponding security service comprises: the tenant sending a virtual machine application to the cloud data center, the virtual machine application carrying the virtual machine the tenant requests to rent, parameters of the virtual machine and the security service type requested by the tenant.

17. The security service customization method according to claim 10, further comprising, after the step of the tenant submitting the selected security service type to the cloud data center to request the corresponding security service: the tenant receiving, fed back by the cloud data center, the result of executing the security service corresponding to the one or more security service types.

18. A security service customization apparatus, comprising: a service type obtaining module, configured to obtain a security service type selected by a tenant; and a service execution module, configured to execute a corresponding security service according to the security service type selected by the tenant.

19. The security service customization apparatus according to claim 18, wherein the service type obtaining module comprises: a first request receiving unit, configured to determine, after receiving a resource form sent by the tenant, the security service type of a virtual machine rented by the tenant, the resource form carrying the virtual machine the tenant requests to rent and parameters of the virtual machine; a first service providing unit, configured to offer one or more security service types determined to suit the virtual machine for the tenant to select; and a first selection receiving unit, configured to receive information on the one or more security service types selected by the tenant.

20. The security service customization apparatus according to claim 19, wherein the service type obtaining module further comprises: a second selection receiving unit, configured to receive, when the tenant accesses the cloud data center through an access gateway, a virtual machine security service type list sent by a security module, and to determine the security service type selected by the tenant according to the virtual machine security service type list.

21. The security service customization apparatus according to claim 19 or 20, wherein the service type obtaining module further comprises: a third request receiving unit, configured to determine, after receiving a virtual machine application sent by the tenant, the security service type of the virtual machine rented by the tenant, the virtual machine application carrying the virtual machine the tenant requests to rent, parameters of the virtual machine and the security service type requested by the tenant; a third optional-type determining unit, configured to determine optional security service types of the tenant according to the parameters of the virtual machine; and a third selecting unit, configured to take the optional security service types in the tenant's request as the security service type selected by the tenant.

22. The security service customization apparatus according to claim 18, further comprising: a result feedback module, configured to feed back to the tenant the result of executing the security service corresponding to the one or more security service types selected by the tenant.
PCT/CN2014/083229 2013-10-25 2014-07-29 安全服务订制方法和装置 WO2015058569A1 (zh)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP14856207.7A EP3062479B1 (en) 2013-10-25 2014-07-29 Security service customizing method and apparatus
US15/031,811 US10686837B2 (en) 2013-10-25 2014-07-29 Method and device for customizing security service

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201310514151.4 2013-10-25
CN201310514151.4A CN103607426B (zh) 2013-10-25 2013-10-25 安全服务订制方法和装置

Publications (1)

Publication Number Publication Date
WO2015058569A1 true WO2015058569A1 (zh) 2015-04-30

Family

ID=50125626

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2014/083229 WO2015058569A1 (zh) 2013-10-25 2014-07-29 安全服务订制方法和装置

Country Status (4)

Country Link
US (1) US10686837B2 (zh)
EP (1) EP3062479B1 (zh)
CN (1) CN103607426B (zh)
WO (1) WO2015058569A1 (zh)

Families Citing this family (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103607426B (zh) * 2013-10-25 2019-04-09 中兴通讯股份有限公司 安全服务订制方法和装置
CN105337945A (zh) * 2014-08-12 2016-02-17 中兴通讯股份有限公司 云安全的维护处理方法及装置
CN106161399B (zh) * 2015-04-21 2019-06-07 新华三技术有限公司 一种安全服务交付方法及系统
CN106559391B (zh) * 2015-09-28 2021-01-01 中国移动通信集团公司 一种漏洞扫描的方法及装置
CN105450668A (zh) * 2015-12-30 2016-03-30 中电长城网际系统应用有限公司 云安全服务实现系统和云安全服务实现方法
CN107786517B (zh) * 2016-08-30 2020-11-03 中国电信股份有限公司 云安全业务的部署方法、系统以及安全控制系统
CN106685974A (zh) * 2016-12-31 2017-05-17 北京神州绿盟信息安全科技股份有限公司 一种安全防护服务建立、提供方法及装置
CN107204980B (zh) * 2017-05-25 2020-08-14 深信服科技股份有限公司 一种安全服务交付方法及系统
US20190158367A1 (en) * 2017-11-21 2019-05-23 Hewlett Packard Enterprise Development Lp Selection of cloud service providers to host applications
US10554675B2 (en) * 2017-12-21 2020-02-04 International Business Machines Corporation Microservice integration fabrics network intrusion detection and prevention service capabilities
CN108809963A (zh) * 2018-05-24 2018-11-13 中国科学院计算机网络信息中心 安全资源共享方法、装置及存储介质
US11620147B2 (en) * 2019-04-02 2023-04-04 International Business Machines Corporation Metadata service provisioning in a cloud environment

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102307185A (zh) * 2011-06-27 2012-01-04 北京大学 适用于存储云内的数据隔离方法
CN102708316A (zh) * 2012-04-19 2012-10-03 北京华胜天成科技股份有限公司 一种用于多租户架构中数据隔离的方法
CN102904892A (zh) * 2012-10-17 2013-01-30 浪潮(北京)电子信息产业有限公司 一种云计算数据中心操作系统的安全模型及策略
CN103139159A (zh) * 2011-11-28 2013-06-05 上海贝尔股份有限公司 云计算架构中的虚拟机之间的安全通信
US20130227561A1 (en) * 2012-02-29 2013-08-29 Daniel J. Walsh Mechanism for Applying a Custom Security Type Label to Multi-Tenant Applications of a Node in a Platform-as-a-Service (PaaS) Environment
JP2013196343A (ja) * 2012-03-19 2013-09-30 Nec Corp クラウド型システムにおけるサービス間依存の管理方法
CN103607426A (zh) * 2013-10-25 2014-02-26 中兴通讯股份有限公司 安全服务订制方法和装置

Family Cites Families (47)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8468244B2 (en) * 2007-01-05 2013-06-18 Digital Doors, Inc. Digital information infrastructure and method for security designated data and with granular data stores
US8838755B2 (en) * 2007-03-23 2014-09-16 Microsoft Corporation Unified service management
US8095929B1 (en) * 2007-04-16 2012-01-10 Vmware, Inc. Method and system for determining a cost-benefit metric for potential virtual machine migrations
US10372490B2 (en) * 2008-05-30 2019-08-06 Red Hat, Inc. Migration of a virtual machine from a first cloud computing environment to a second cloud computing environment in response to a resource or services in the second cloud computing environment becoming available
US8931038B2 (en) * 2009-06-19 2015-01-06 Servicemesh, Inc. System and method for a cloud computing abstraction layer
US9069599B2 (en) * 2008-06-19 2015-06-30 Servicemesh, Inc. System and method for a cloud computing abstraction layer with security zone facilities
US9037692B2 (en) * 2008-11-26 2015-05-19 Red Hat, Inc. Multiple cloud marketplace aggregation
US20100175108A1 (en) * 2009-01-02 2010-07-08 Andre Protas Method and system for securing virtual machines by restricting access in connection with a vulnerability audit
US8250213B2 (en) * 2009-11-16 2012-08-21 At&T Intellectual Property I, L.P. Methods and apparatus to allocate resources associated with a distributive computing network
US9274848B2 (en) * 2009-12-03 2016-03-01 International Business Machines Corporation Optimizing cloud service delivery within a cloud computing environment
US8984503B2 (en) * 2009-12-31 2015-03-17 International Business Machines Corporation Porting virtual images between platforms
US9129086B2 (en) * 2010-03-04 2015-09-08 International Business Machines Corporation Providing security services within a cloud computing environment
CN102255933B (zh) * 2010-05-20 2016-03-30 中兴通讯股份有限公司 云服务中介、云计算方法及云系统
US8364959B2 (en) * 2010-05-26 2013-01-29 Google Inc. Systems and methods for using a domain-specific security sandbox to facilitate secure transactions
US9354939B2 (en) * 2010-05-28 2016-05-31 Red Hat, Inc. Generating customized build options for cloud deployment matching usage profile against cloud infrastructure options
WO2011152910A1 (en) * 2010-06-02 2011-12-08 Vmware, Inc. Securing customer virtual machines in a multi-tenant cloud
US20110314048A1 (en) * 2010-06-22 2011-12-22 Microsoft Corporation Social network user list detection and searching
US20120011077A1 (en) * 2010-07-12 2012-01-12 Bhagat Bhavesh C Cloud Computing Governance, Cyber Security, Risk, and Compliance Business Rules System and Method
US8656023B1 (en) * 2010-08-26 2014-02-18 Adobe Systems Incorporated Optimization scheduler for deploying applications on a cloud
US9053339B2 (en) * 2010-10-27 2015-06-09 Hytrust, Inc. System and method for secure storage of virtual machines
US9442771B2 (en) * 2010-11-24 2016-09-13 Red Hat, Inc. Generating configurable subscription parameters
US9699168B2 (en) * 2010-12-13 2017-07-04 International Business Machines Corporation Method and system for authenticating a rich client to a web or cloud application
US9104672B2 (en) * 2011-02-25 2015-08-11 International Business Machines Corporation Virtual security zones for data processing environments
US10375203B2 (en) * 2011-02-28 2019-08-06 Red Hat, Inc. Generating a selection of cloud data distribution service from alternative providers for staging data to host clouds
US8732267B2 (en) * 2011-03-15 2014-05-20 Cisco Technology, Inc. Placement of a cloud service using network topology and infrastructure performance
US8732811B2 (en) * 2011-03-28 2014-05-20 Canon Kabushiki Kaisha Systems and methods for implementing security services
US9262498B2 (en) * 2011-05-27 2016-02-16 Red Hat, Inc. Generating optimized host placement of data payload in cloud-based storage network
US8745266B2 (en) * 2011-06-30 2014-06-03 Citrix Systems, Inc. Transparent layer 2 redirection of request to single sign in service based on applying policy to content of request
US9141785B2 (en) * 2011-08-03 2015-09-22 Cloudbyte, Inc. Techniques for providing tenant based storage security and service level assurance in cloud storage environment
CN102932382B (zh) * 2011-08-08 2018-03-23 中兴通讯股份有限公司 安全按需供给方法及系统、业务类型获取方法
US20130055243A1 (en) * 2011-08-24 2013-02-28 Dell Products, Lp Unified Management Architecture to Support Multiple Platform-as-a-Service Workloads
US8528101B1 (en) * 2011-09-20 2013-09-03 Amazon Technologies, Inc. Integrated physical security control system for computing resources
JP2013109631A (ja) * 2011-11-22 2013-06-06 Canon Inc データ通信装置及びその制御方法、並びにプログラム
KR20130093806A (ko) * 2012-01-10 2013-08-23 한국전자통신연구원 클라우드 컴퓨팅 환경에서의 개인 정보 유출 알림 시스템 및 방법
US9003502B2 (en) * 2012-03-19 2015-04-07 Empire Technology Development Llc Hybrid multi-tenancy cloud platform
US9245111B2 (en) * 2012-05-01 2016-01-26 Red Hat, Inc. Owner command execution in a multi-tenant cloud hosting environment
US20140019960A1 (en) * 2012-07-12 2014-01-16 Microsoft Corporation Systems and methods of creating custom virtual machines
US9276942B2 (en) * 2012-09-07 2016-03-01 Oracle International Corporation Multi-tenancy identity management system
US9203866B2 (en) * 2012-09-07 2015-12-01 Oracle International Corporation Overage framework for cloud services
US20140101656A1 (en) * 2012-10-10 2014-04-10 Zhongwen Zhu Virtual firewall mobility
US9223635B2 (en) * 2012-10-28 2015-12-29 Citrix Systems, Inc. Network offering in cloud computing environment
US9130901B2 (en) * 2013-02-26 2015-09-08 Zentera Systems, Inc. Peripheral firewall system for application protection in cloud computing environments
US10348767B1 (en) * 2013-02-26 2019-07-09 Zentera Systems, Inc. Cloud over IP session layer network
US10484334B1 (en) * 2013-02-26 2019-11-19 Zentera Systems, Inc. Distributed firewall security system that extends across different cloud computing networks
US9294482B2 (en) * 2013-07-25 2016-03-22 Oracle International Corporation External platform extensions in a multi-tenant environment
US10268492B2 (en) * 2014-05-20 2019-04-23 Amazon Technologies, Inc. Low latency connections to workspaces in a cloud computing environment
US9930070B2 (en) * 2015-11-11 2018-03-27 International Business Machines Corporation Modifying security policies of related resources

Patent Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102307185A (zh) * 2011-06-27 2012-01-04 北京大学 适用于存储云内的数据隔离方法
CN103139159A (zh) * 2011-11-28 2013-06-05 上海贝尔股份有限公司 云计算架构中的虚拟机之间的安全通信
US20130227561A1 (en) * 2012-02-29 2013-08-29 Daniel J. Walsh Mechanism for Applying a Custom Security Type Label to Multi-Tenant Applications of a Node in a Platform-as-a-Service (PaaS) Environment
JP2013196343A (ja) * 2012-03-19 2013-09-30 Nec Corp クラウド型システムにおけるサービス間依存の管理方法
CN102708316A (zh) * 2012-04-19 2012-10-03 北京华胜天成科技股份有限公司 一种用于多租户架构中数据隔离的方法
CN102904892A (zh) * 2012-10-17 2013-01-30 浪潮(北京)电子信息产业有限公司 一种云计算数据中心操作系统的安全模型及策略
CN103607426A (zh) * 2013-10-25 2014-02-26 中兴通讯股份有限公司 安全服务订制方法和装置

Also Published As

Publication number Publication date
US20160248811A1 (en) 2016-08-25
US10686837B2 (en) 2020-06-16
EP3062479B1 (en) 2020-12-30
CN103607426B (zh) 2019-04-09
EP3062479A4 (en) 2016-08-31
CN103607426A (zh) 2014-02-26
EP3062479A1 (en) 2016-08-31

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 14856207; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
WWE Wipo information: entry into national phase (Ref document number: 15031811; Country of ref document: US)
REEP Request for entry into the european phase (Ref document number: 2014856207; Country of ref document: EP)
WWE Wipo information: entry into national phase (Ref document number: 2014856207; Country of ref document: EP)