WO2016169324A1 - Access management method for cloud computing data centre and cloud computing data centre - Google Patents


Info

Publication number
WO2016169324A1
Authority
WO
WIPO (PCT)
Prior art keywords
access
data center
cloud computing
terminal
target resource
Prior art date
Application number
PCT/CN2016/073822
Other languages
French (fr)
Chinese (zh)
Inventor
童遥
彭亦辉
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date


Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L 65/40 Support for services or applications

Definitions

  • the present invention relates to the field of communications, and in particular, to a cloud computing data center access management method and a cloud computing data center.
  • Access control technology meets a system's need to manage shared data by defining the access rights of the system's subjects over its objects, and helps prevent the theft and destruction of information, especially confidential information.
  • For different security application environments, many access control technologies have been proposed, such as DAC, MAC, RBAC, TRBAC and TBAC.
  • the main technical problem to be solved by the present invention is to provide a cloud computing data center access management method and a cloud computing data center to solve the security problem of the existing cloud computing data center access.
  • the present invention provides a cloud computing data center access management method, including: a data center receiving an access request from a terminal and performing identity verification on the terminal; after the identity verification passes, determining whether the target resource corresponding to the access request exists locally in the data center; and, if the target resource exists, authorizing the terminal's access according to a preset access policy of the data center.
  • the data center performing identity verification on the terminal includes: calling attribute information in the data center attribute library, where the attribute information includes the identity identification information that is allowed access; comparing the attribute information with the identification information of the terminal, and passing the identity verification if they are the same.
  • the access policy includes performing authorized access when the current running environment satisfies a preset condition and/or when the current number of accesses satisfies a preset count condition.
  • the method further includes: when the target resource corresponding to the access request does not exist locally in the data center, establishing a session, through the central data center, with the target data center where the target resource is located, to perform authorized access.
  • establishing a session through the central data center with the target data center where the target resource is located for authorized access includes: searching, by the central data center, for the target data center where the target resource is located, establishing a session with that target data center, and authorizing the terminal's access according to the preset access policy of the target data center.
  • the method further includes: performing security auditing on the access.
  • the security auditing of the access includes: generating an access log in the data center where the target resource is located, tracking the access information recorded in the access log, determining whether the access information complies with the preset security audit policy, and handling non-compliant access.
  • the present invention further provides a cloud computing data center, which includes an identity verification module, a resource search module, and a policy verification module:
  • the identity verification module is configured to receive an access request of the terminal, and perform identity verification on the terminal;
  • the resource searching module is configured to determine, after the identity verification passes, whether the target resource corresponding to the access request exists locally in the data center;
  • the policy verification module is configured to perform authorized access to the terminal according to a preset access policy of the data center if the target resource exists.
  • the external access module is further configured to, when the target resource corresponding to the access request does not exist locally in the data center, establish a session through the central data center with the target data center where the target resource is located, for authorized access.
  • the security audit module is further configured to perform security auditing on the access after authorizing access to the terminal.
  • the data center receives the access request of the terminal, and performs identity verification on the terminal; after the identity verification, determines whether the target resource corresponding to the access request exists locally in the data center. If there is a target resource, the terminal is authorized to access according to the data center's pre-set access policy.
  • compared with the prior art, access is not restricted by setting complicated access control conditions; instead, the access is identified, and the access policy preset by the cloud computing data center decides whether to perform authorized access after the identification, so that simple access identification combined with the preset access policy of the cloud computing data center secures access to the cloud computing data center without affecting its processing capability, and improves the core competitiveness of the product.
  • FIG. 1 is a schematic flowchart of a cloud computing data center access management method according to Embodiment 1 of the present invention
  • FIG. 2 is a schematic flowchart of a cloud computing data center access management method according to Embodiment 2 of the present invention
  • FIG. 3 is a schematic structural diagram 1 of a packet data gateway according to Embodiment 3 of the present invention.
  • FIG. 4 is a schematic structural diagram 2 of a packet data gateway according to Embodiment 3 of the present invention.
  • FIG. 5 is a schematic structural diagram 3 of a packet data gateway according to Embodiment 3 of the present invention.
  • FIG. 6 is a schematic structural diagram 4 of a packet data gateway according to Embodiment 3 of the present invention.
  • the cloud computing data center access management method of this embodiment includes the following steps:
  • Step S101 The data center receives an access request of the terminal, and performs identity verification on the terminal.
  • the data center here refers to the cloud computing system, which is deployed in units of areas: areas of the same level establish data centers of the same level, and a central data center is also established to manage the data centers of the level below it.
  • the authentication of the terminal should be understood as determining whether the subject and/or resource of the access request of the terminal has rights.
  • the identity verification here should be understood as identity verification for the entire cloud computing system as a whole: once authenticated, a terminal can access different levels of the whole cloud computing system, that is, different domains, without repeated identification, which would make the system cumbersome to operate.
  • the authentication relies on an identity trust federation established between the domains (data centers) of the entire cloud computing system.
  • the data center can authenticate the terminal by calling the attribute information in the data center attribute library, where the attribute information includes the identification information that is allowed access; the attribute information is compared with the identification information of the terminal, and if they are the same, the identity is verified. That is, the data center queries the established attribute library for whether the identity information is present, and if so, verification passes. The attribute library should be understood as storing a large amount of identity information that is allowed access, together with the data that each identity is allowed to access; the attribute information sets different accessible data for different identities.
  • the attribute information in the attribute library can be set for a specific situation. In this way, a simple comparison of identity information decides whether verification passes, and the verification processing speed is increased. Of course, identification is not limited to this method; other methods that can identify the terminal may also be used.
  • Step S102 After the identity verification, determine whether there is a target resource corresponding to the access request locally in the data center;
  • the target resource here refers to the subject or/and resource that the access request wants to access, where the subject refers to the specific location, and the resource here refers to the specifically accessed data.
  • the data here includes the data that the data center collects from an external or internal application database used as its data source: after the business data in the application database is standardized and cleaned, it is collected and updated into the data stored in the data center.
  • Step S103 If the target resource exists, the terminal performs authorized access according to the preset access policy of the data center.
  • the access policy refers to access control conditions that the data center sets according to its own situation. It should be understood that the access policy here consists of access restriction conditions that the data center sets flexibly according to its specific circumstances, so that a terminal is not allowed direct access after simple authentication, but is granted authorized access according to the access policy established in advance by the data center, thereby ensuring the access security of the data center. Specifically, the access policy includes performing authorized access when the current running environment meets a preset condition and/or when the current number of accesses meets a preset count condition.
  • the operating environment here includes the physical environment of the data center itself, such as the temperature of the data center, etc., for example, when the temperature exceeds a certain threshold, access is not allowed, or the number of corresponding accesses is set according to different temperatures.
  • the operating environment here also includes the data center's own attributes, such as the usage of the data center CPU. When the usage rate is high, the access can be denied, or the number of allowed accesses can be set according to the CPU usage rate.
  • the access policy here may be a corresponding restriction condition set by the administrator according to specific management requirements, such as not allowing external access to certain specific data or requiring specific authorization to access. It should be understood that not only the above-mentioned access policy settings, but also other settings that ensure the access security of the data center should be included.
  • when the target resource corresponding to the access request does not exist locally in the data center, a session is established through the central data center with the target data center where the target resource is located, to perform authorized access. Specifically, the central data center finds the target data center where the target resource is located, a session is established with that target data center, and the preset access policy of the target data center authorizes the terminal's access. It is worth noting that the target data center here refers to the data center that stores the target resource corresponding to the access request.
  • the central data center here is understood to hold, for every resource in the cloud computing system, the information about which data center stores it.
  • in addition to preserving the data processing capability of the data center, the security control of the data center is enhanced: after the terminal is authorized to access, a security audit is also performed on the access.
  • the security audit of the access can generate an access log in the data center where the target resource is located, track the access information recorded in the access log, determine whether the access information meets the preset security audit policy, and process non-compliant access. It should be understood that the log is generated, and the security audit performed, in whichever data center holds the resource corresponding to the access request.
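The flow of steps S101 to S103 and the central-data-center fallback, as an added example that is not the patent's own code: a terminal is identified once against the attribute library of the data center it contacts, the local resource catalog is checked, and either the local preset access policy (an environment condition on temperature and CPU usage plus an access-count condition) or the target data center's own policy decides. The data center names, terminal and resource identifiers, thresholds and environment readings are constructed for illustration.

```python
# Added example (not the patent's code): a toy model of the access flow in steps
# S101-S103 and the central-data-center fallback. Data center names, resource ids,
# terminal ids, thresholds and the policy fields are constructed for illustration.
from dataclasses import dataclass


@dataclass
class AccessPolicy:
    """Preset access policy: environment conditions plus an access-count condition."""
    max_temperature_c: float   # deny when the data center runs hotter than this
    max_cpu_percent: float     # deny when CPU usage is above this
    max_concurrent: int        # preset number of accesses allowed at once

    def permits(self, env: dict, active_accesses: int) -> bool:
        return (env["temperature_c"] <= self.max_temperature_c
                and env["cpu_percent"] <= self.max_cpu_percent
                and active_accesses < self.max_concurrent)


@dataclass
class DataCenter:
    name: str
    attribute_library: dict    # identity id -> set of resource ids that identity may access
    resources: dict            # resource id -> stored data (local resources only)
    policy: AccessPolicy
    env: dict                  # current running environment (constructed readings)
    active_accesses: int = 0

    def verify_identity(self, terminal_id: str) -> bool:
        # S101: identity passes if the terminal's identification is in the attribute library
        return terminal_id in self.attribute_library

    def has_resource(self, resource_id: str) -> bool:
        # S102: is the target resource held locally?
        return resource_id in self.resources

    def authorize(self, resource_id: str, allowed: set) -> tuple:
        # S103: this data center's own preset policy decides; identity was verified already
        if not self.policy.permits(self.env, self.active_accesses):
            return ("DENY", "policy", self.name)
        if resource_id not in allowed:
            return ("DENY", "attribute", self.name)
        self.active_accesses += 1
        return ("ALLOW", resource_id, self.name)


class CentralDataCenter:
    """Knows, for every resource in the system, which data center stores it."""
    def __init__(self, centers):
        self.centers = {dc.name: dc for dc in centers}
        self.directory = {rid: dc.name for dc in centers for rid in dc.resources}

    def locate(self, resource_id: str):
        return self.directory.get(resource_id)


def handle_access(local: DataCenter, central: CentralDataCenter,
                  terminal_id: str, resource_id: str) -> tuple:
    """Full flow: verify once locally, then authorize locally or via the target domain."""
    if not local.verify_identity(terminal_id):
        return ("DENY", "identity", local.name)
    allowed = local.attribute_library[terminal_id]
    if local.has_resource(resource_id):
        return local.authorize(resource_id, allowed)
    target_name = central.locate(resource_id)
    if target_name is None:
        return ("DENY", "no-such-resource", local.name)
    # Federation: the target trusts the credentials verified in the requesting domain
    # and applies its own preset access policy.
    return central.centers[target_name].authorize(resource_id, allowed)


def build_sample():
    """Constructed sample system: two regional data centers and one central directory."""
    dc_a = DataCenter("dc-a", {"t1": {"r1", "r2"}}, {"r1": "payroll"},
                      AccessPolicy(35.0, 80.0, 1),
                      {"temperature_c": 22.0, "cpu_percent": 40.0})
    dc_b = DataCenter("dc-b", {"t2": {"r2"}}, {"r2": "inventory"},
                      AccessPolicy(35.0, 80.0, 10),
                      {"temperature_c": 41.0, "cpu_percent": 30.0})
    return dc_a, dc_b, CentralDataCenter([dc_a, dc_b])


if __name__ == "__main__":
    a, b, central = build_sample()
    print(handle_access(a, central, "t1", "r1"))   # ALLOW locally
    print(handle_access(a, central, "t1", "r1"))   # DENY: access count exhausted
    print(handle_access(a, central, "t1", "r2"))   # DENY: dc-b runs too hot
    b.env["temperature_c"] = 25.0
    print(handle_access(a, central, "t1", "r2"))   # ALLOW via the central lookup
```

Note that the identity check happens only once, in the requesting data center, while the policy check is always made by the data center that actually holds the resource; the second `r1` request is refused purely by the count condition even though the identity and attribute checks would pass.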
  • to facilitate access management, the cloud computing data center access management method of this example pre-establishes a data center architecture with hierarchical deployment and multi-level sharing.
  • a cross-platform access control and audit policy model is established based on the analysis of different granularity and type operations of the data center, which has high security defense and intrusion identification capabilities.
  • the corresponding multi-level access control model (PBAC) consists of seven basic elements, domain, subject, resource, environment, operation, attribute and policy, together with a policy evaluation mechanism.
  • the formal definition of PBAC is as follows:
  • D is the set of domains
  • S is the set of subjects
  • R is the set of resources
  • E is the set of environments
  • O is the set of operations
  • A is the set of attributes
  • P is the set of policies.
  • a unified authentication framework centred on access control and resource access control is constructed. The method in this example is shown in FIG. 2 and includes the following steps:
  • Step S201 hierarchically establish an attribute library of each data center
  • LDAP Lightweight Directory Access Protocol
  • the local data center stores local attribute information
  • the central data center stores all local attribute information, and implements dynamic update of the stored attribute information
  • Step S202 Establish a unified identity trust
  • the identity trust federation can be constructed on the basis of the domain structure tree to form a cross-domain unified authentication system; attributes are defined for each domain and for the subjects, resources, environments and operations within it, so that the terminal can access the resources in a domain according to the policy defined by that domain; that is, the resources of the entire system can be accessed with one authentication;
  • Step S203 Perform an access authorization
  • a distributed attribute authority, centred on the cross-domain trust federation, the attribute library and the policy library, handles identity authentication and the access policy, and identity information is exchanged on the basis of attribute certificates (CA).
  • the user completes the single-point login between domains by means of intra-domain identity authentication, thereby implementing access control.
  • an authorization framework based on the SAML standard and the XACML model
  • an intra-domain and inter-domain access policy evaluation mechanism is used to implement resource access control; that is, after passing authentication, the access policy of the data center where the resource is located must also be evaluated before authorized access is performed, which improves the security of the data center. Specifically, under the hierarchical authentication and authorization system, the terminal uses the local attribute authority to complete identity authentication and the local access policy to complete access authorization; if the target resource is not local, the domain where the resource is located is obtained by querying the central data center, a session is established with that domain, and access authorization is performed by that domain's attribute-based access policy;
  • Step S204 Perform security audit on authorized access.
  • the security audit trail not only helps the administrator ensure that data resources are protected from unauthorized operations, but also helps with data recovery.
  • Some audit systems can also trigger the system's protective response to achieve a more timely security response.
  • security audits can be divided into audit trail, audit analysis, and response processing.
  • the audit system keeps track of access behavior; violation events are identified in the audit analysis stage, where a combination of manual and automatic analysis achieves the best results, and automatic analysis requires pre-defined security audit policies.
  • Response processing consists of the system's protective measures, including invalidation of usage rights, invalidation of accounts, interruption of network connections, interruption of processes, and the like.
  • the security audit determines whether the access information recorded in the log conforms to the access policy according to certain rules. Therefore, sufficient access information must be recorded in the access log.
  • the formal definition of the security audit model is as follows:
  • E is the set of environments
  • O is the set of operations
  • A is the set of attributes
  • P is the set of access policies
  • L is the set of events to be audited
  • R is the set of audit policy items
  • Res ∈ {CONFORM, VIOLATE, NOTAPPLICATION}, where CONFORM indicates access that conforms to the audit policy, VIOLATE indicates non-compliant access, and NOTAPPLICATION indicates uncertainty.
  • the process and results of the security audit are generated and stored in the audit log in the form of audit records.
  • for VIOLATE events, the details of the violating access can be reconstructed from the audit records, and the nature of the violation is determined and handled in time;
  • NOTAPPLICATION events can be analyzed comprehensively by other means to obtain a final judgment.
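The audit analysis and response processing described above, as an added example that is not the patent's own code: each access log record is checked against a set of audit policy items (the set R), yielding CONFORM, VIOLATE or NOTAPPLICATION, and the result is written to an audit log together with the protective response. A record that lacks the information the rules need is classed NOTAPPLICATION, which is why the description insists that sufficient access information be logged. The rule set, the field names and the four log records are constructed for illustration.

```python
# Added example (not the patent's code): audit analysis over an access log, producing
# CONFORM / VIOLATE / NOTAPPLICATION per record and a protective response for violations.
# The rule set, the field names and the sample log records are constructed for illustration.
from dataclasses import dataclass
from typing import Callable

CONFORM, VIOLATE, NOTAPPLICATION = "CONFORM", "VIOLATE", "NOTAPPLICATION"

# Fields every access log record must carry for the audit to evaluate it.
REQUIRED_FIELDS = ("id", "subject", "resource", "operation", "hour", "authorized")

# Response processing for each audit result (protective measures from the description).
RESPONSES = {
    VIOLATE: ["invalidate usage rights", "interrupt network connection"],
    NOTAPPLICATION: ["queue for manual analysis"],
    CONFORM: [],
}


@dataclass
class AuditRule:
    """One audit policy item: when it applies, and whether a record conforms to it."""
    name: str
    applies: Callable[[dict], bool]
    conforms: Callable[[dict], bool]


# Constructed audit policy: the pre-defined items the automatic analysis needs.
RULES = [
    AuditRule("export-requires-authorization",
              applies=lambda r: r["operation"] == "export",
              conforms=lambda r: r["authorized"] is True),
    AuditRule("writes-in-business-hours",
              applies=lambda r: r["operation"] in ("write", "delete"),
              conforms=lambda r: 8 <= r["hour"] < 18),
]


def evaluate(record: dict, rules=RULES) -> tuple:
    """Return (result, names of violated rules) for one access log record."""
    if any(f not in record for f in REQUIRED_FIELDS):
        return NOTAPPLICATION, []          # too little information recorded to judge
    applicable = [rule for rule in rules if rule.applies(record)]
    if not applicable:
        return NOTAPPLICATION, []          # no audit policy item covers this access
    violated = [rule.name for rule in applicable if not rule.conforms(record)]
    return (VIOLATE if violated else CONFORM), violated


def audit(access_log: list, rules=RULES) -> list:
    """Audit trail -> audit analysis -> response: one audit record per log entry."""
    audit_log = []
    for rec in access_log:
        result, violated = evaluate(rec, rules)
        audit_log.append({"id": rec.get("id"), "result": result,
                          "violated": violated, "response": RESPONSES[result]})
    return audit_log


# Constructed access log from the domain where the target resource lives.
SAMPLE_LOG = [
    {"id": 1, "subject": "t1", "resource": "r2", "operation": "read",
     "hour": 10, "authorized": True},
    {"id": 2, "subject": "t1", "resource": "r2", "operation": "export",
     "hour": 11, "authorized": False},
    {"id": 3, "subject": "t2", "resource": "r1", "operation": "write",
     "hour": 14, "authorized": True},
    {"id": 4, "subject": "t2", "resource": "r1"},   # incomplete record: cannot be judged
]

if __name__ == "__main__":
    for entry in audit(SAMPLE_LOG):
        print(entry)
```

Record 1 is a read that no rule covers and record 4 is missing fields, so both end up NOTAPPLICATION and are routed to manual analysis rather than silently passed; only the unauthorized export is a VIOLATE and triggers the protective response.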
  • taking as an example the case where the target resource of the access request is not local: the terminal completes identity authentication in the domain it sends the access request to; a session between the domain where the subject is located and the policy decision point of the domain where the target resource is located is established through the central data center node; according to the trust federation, the attribute authority of the resource's domain trusts the subject's credentials; the subject accesses the resource and an access log is generated in the domain where the target resource is located; and the security audit is performed by the audit authority of that domain.
  • the embodiment provides a cloud computing data center.
  • the cloud computing data center includes an identity verification module, a resource searching module, and a policy verification module.
  • the identity verification module is configured to receive an access request of the terminal and perform identity verification on the terminal.
  • the resource search module is configured to determine whether there is a target resource corresponding to the access request in the data center, and the policy verification module is configured to perform authorized access to the terminal according to the preset access policy of the data center if the target resource exists.
  • the embodiment provides a cloud computing data center.
  • the cloud computing data center further includes an external access module, configured to, when the target resource corresponding to the access request does not exist locally in the data center, establish a session through the central data center with the target data center where the target resource is located, for authorized access.
  • the cloud computing data center further includes a security auditing module.
  • the security auditing module is configured to perform security auditing on the access after authorizing access to the terminal.
  • the data center in this example can establish a corresponding model, as shown in FIG. 6, including a resource directory system, a meta-database, a shared information base, an exchange information base, a statistical analysis database, an application server, and a data sharing exchange platform.
  • where there is a large amount of data, a data warehouse is also established, together with a security audit library that provides the audit function.
  • the data center uses the external or internal application database as the data source. After the business data in the application database is processed through standardization and data cleaning, it is collected and updated into the data center storage.
  • Resource directory system: the data resources collected in the data center are classified according to their characteristics and types. Depending on the storage format, data resources can be divided into structured, semi-structured and unstructured data.
  • Structured data can be extracted into the data center, while semi-structured and unstructured data are generally stored locally, with the stored information recorded in the resource catalog of the data center.
  • Metabase: consists of metadata and data dictionaries. Metadata is data that describes the characteristics of the data itself and its transformation rules, including data structure definitions, dimension definitions, data extraction and mapping rule definitions; it supports management and maintenance of the data center system's data.
  • the data dictionary includes definitions and descriptions of data items, data streams, processing logic, external entities, classification codes, indicator systems, and the like.
  • Shared information base: stores, in real time, the standardized data collected, extracted, cleaned and converted from the business application databases and the lower-level shared information bases, and provides the data source for data exchange and sharing.
  • Exchange information base: used to temporarily store the exchange data of heterogeneous databases between data centers and the data shared and exchanged between internal and external databases, for the security of the business database.
  • Statistical analysis database: analyzes data along given dimensions and supports statistical analysis and report production. The statistical analysis library is generally collected and updated periodically.
  • Data warehouse: compared with operational databases, the data warehouse provides online analysis and processing, data mining, decision support, online analysis and intelligent query over processed data to support application decision analysis. The data warehouse is organized by subject, and its storage capacity is generally large.
  • Security audit library: used to store the audit data of the database system.
  • Data sharing exchange platform: used to provide data exchange services between different databases and different data formats.
  • the ETL system performs collection, cleaning, conversion, and comparison to solve the problem that information data between different information bases cannot be freely converted.
  • Data exchange is the core of data integration in data centers.
  • Data sharing is the data access and distribution based on data exchange. The data transfer between the shared information base and the business integration system is assisted by the shared exchange platform.
  • the cloud computing data center is configured to perform the cloud computing data center access management method described above.
  • the cloud computing data center can be a cloud computer, a cloud server, or the like.
  • the cloud computing data center can include at least one of a processing component, a memory, a power component, an input and output interface, and a communication component.
  • the processing component can perform all operations of implementing a cloud computing data center, such as data communications, logging operations, and the like.
  • Processing components may include one or more processors for executing instructions to implement all or a portion of the steps above.
  • the processing component can include one or more modules that facilitate interaction between the processing component and other components.
  • the memory is configured to store various types of data to support operation of the cloud computing data center. Examples of such data include instructions, messages, etc. of any application or method running in a cloud computing data center.
  • the memory can be implemented using any type of volatile or non-volatile memory device, or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read only memory (EEPROM), erasable programmable Read Only Memory (EPROM), Programmable Read Only Memory (PROM), Read Only Memory (ROM), Magnetic Memory, Flash Memory, Disk or Optical Disk.
  • Power components provide power to various components of the cloud computing data center.
  • the input/output interface provides an interface between the processing component and the peripheral interface module, and the peripheral interface module may be a keyboard, a click wheel, a button, or the like.
  • the communication component is configured to facilitate wired or wireless communication between the cloud computing data center and other devices.
  • the invention is applicable to the field of communication and is used for realizing secure access of a cloud computing data center.

Abstract

Provided are an access management method for a cloud computing data centre, and a cloud computing data centre, which are applied to the field of communications. The method comprises: a data centre receiving an access request of a terminal and performing identity verification on the terminal; after the identity verification is passed, determining whether a target resource corresponding to the access request exists locally in the data centre; and if so, authorizing, according to a pre-set access strategy of the data centre, the terminal to perform an access. Compared with the prior art, the limitation is not applied by setting complicated access control conditions for access; instead, identity recognition is performed on the access control, and after the identity recognition, it is judged whether authorization for access is necessary by means of the access strategy preset by the cloud computing data centre, so that the access to the cloud computing data centre is guaranteed by means of the simple identity recognition combined with the access strategy preset by the cloud computing data centre without affecting the processing capability of the cloud computing data centre, thereby, improving the core competitiveness of a product.

Description

Cloud computing data center access management method and cloud computing data center
Technical field
The present invention relates to the field of communications, and in particular to a cloud computing data center access management method and a cloud computing data center.
Background technique
Access control technology meets a system's need to manage shared data by defining the access rights of the system's subjects over its objects, and helps prevent the theft and destruction of information, especially confidential information. For different security application environments, researchers have proposed many different access control technologies, such as DAC, MAC, RBAC, TRBAC and TBAC. However, applying existing access control technologies to a data center still leaves much to be improved. First, flexibility needs to be improved. Existing access control technologies implement session control by configuring constraints on the subject. The types of constraint an access control application supports are fixed at design and coding time; at the same time, to simplify configuration management, the number of constraints configured in a running system cannot be large, and if it is, the flexibility of access control is limited. The application environment of existing access control technologies is described by the constraints and corresponding policies configured for the session entity, without considering factors such as the system's own application environment, which results in poor adaptability.
Currently, cloud computing data centers are deployed in units of regions, with regions of the same level establishing data centers of the same level. The logical complexity of the access control mechanism affects the security of the system, but for a cloud computing data center whose average access volume is several times that of an ordinary system, overly complex access control reduces the access rate and weakens the computing capability of the data center. How to secure access to a cloud computing data center without affecting its processing capability has become an urgent problem.
发明内容Summary of the invention
本发明要解决的主要技术问题是,提供一种云计算数据中心访问管理方法和云计算数据中心,解决现有云计算数据中心访问的安全问题。The main technical problem to be solved by the present invention is to provide a cloud computing data center access management method and a cloud computing data center to solve the security problem of the existing cloud computing data center access.
为解决上述问题,本发明提供一种云计算数据中心访问管理方法,包括:To solve the above problem, the present invention provides a cloud computing data center access management method, including:
数据中心接收终端的访问请求,对所述终端进行身份验证;Receiving, by the data center, an access request of the terminal, and performing identity verification on the terminal;
after the terminal passes identity verification, determining whether the target resource corresponding to the access request exists locally in the data center;
if the target resource exists, authorizing the terminal's access according to a preset access policy of the data center.
In an embodiment of the present invention, the data center performing identity verification on the terminal includes: calling attribute information in the data center's attribute library, the attribute information including the identity identification information that is allowed access; and comparing the attribute information with the identity identification information of the terminal, the terminal passing identity verification if they are the same.
In an embodiment of the present invention, the access policy includes authorizing access when the current running environment satisfies a preset condition and/or authorizing access when the current number of accesses satisfies a preset count condition.
In an embodiment of the present invention, the method further includes: when the target resource corresponding to the access request does not exist locally in the data center, establishing, through a central data center, a session with the target data center where the target resource is located, for authorized access.
In an embodiment of the present invention, establishing a session through the central data center with the target data center where the target resource is located for authorized access includes: looking up, through the central data center, the target data center where the target resource is located, and establishing a session with the target data center, the preset access policy of the target data center then authorizing the terminal's access.
In an embodiment of the present invention, after the terminal's access has been authorized, the method further includes: performing a security audit on the access.
In an embodiment of the present invention, performing a security audit on the access includes: generating an access log in the data center where the target resource is located, tracking the access according to the access information recorded in the access log, determining whether the access information complies with a preset security audit policy, and handling non-compliant accesses.
To solve the above problem, the present invention further provides a cloud computing data center, which includes an identity verification module, a resource lookup module and a policy verification module:
the identity verification module is configured to receive an access request from a terminal and perform identity verification on the terminal;
the resource lookup module is configured to determine, after the terminal passes identity verification, whether the target resource corresponding to the access request exists locally in the data center;
the policy verification module is configured to authorize the terminal's access according to a preset access policy of the data center if the target resource exists.
In an embodiment of the present invention, the data center further includes an external access module: the external access module is configured to establish, when the target resource corresponding to the access request does not exist locally in the data center, a session through the central data center with the target data center where the target resource is located, for authorized access.
In an embodiment of the present invention, the data center further includes a security audit module, which is configured to perform a security audit on the access after the terminal's access has been authorized.
The beneficial effects of the invention are:
In the cloud computing data center access management method and cloud computing data center provided by the present invention, the data center receives an access request from a terminal and performs identity verification on the terminal; after identity verification, it determines whether the target resource corresponding to the access request exists locally in the data center; if the target resource exists, it authorizes the terminal's access according to the data center's preset access policy. Compared with the prior art, access is not restricted by configuring complex access control conditions: only identity verification is required, after which the access policy preset by the cloud computing data center decides whether to authorize the access. Simple identity verification combined with the data center's preset access policy thus secures access to the cloud computing data center without affecting its processing capacity, improving the core competitiveness of the product.
Description of the drawings
FIG. 1 is a schematic flowchart of the cloud computing data center access management method according to Embodiment 1 of the present invention;
FIG. 2 is a schematic flowchart of the cloud computing data center access management method according to Embodiment 2 of the present invention;
FIG. 3 is a first schematic structural diagram of the packet data gateway according to Embodiment 3 of the present invention;
FIG. 4 is a second schematic structural diagram of the packet data gateway according to Embodiment 3 of the present invention;
FIG. 5 is a third schematic structural diagram of the packet data gateway according to Embodiment 3 of the present invention;
FIG. 6 is a fourth schematic structural diagram of the packet data gateway according to Embodiment 3 of the present invention.
Detailed description
So that those skilled in the art may better understand the technical solution of the present invention, the present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Embodiment 1
The cloud computing data center access management method of this embodiment, as shown in FIG. 1, includes the following steps:
Step S101: the data center receives an access request from the terminal and performs identity verification on the terminal;
In this step, the data center refers to a data center in a cloud computing system that is deployed by region, with regions of the same level establishing data centers of the same level. For ease of management, alongside the same-level data centers established for same-level regions, a central data center is also established to manage the data centers of the level below. Identity verification of the terminal should be understood as determining whether the subject and/or resource of the terminal's access request has the corresponding rights. It should also be understood as identity verification for the cloud computing system as a whole: once a terminal has been verified, it can access different levels of the cloud computing system, that is, different domains, without repeated identification, which avoids cumbersome operation. In other words, this identity verification is a trust federation established among the domains (data centers) of the whole cloud computing system. Specifically, the data center can verify the terminal's identity by calling the attribute information in its attribute library, which includes the identity identification information that is allowed access, and comparing that attribute information with the terminal's identity identification information; if they match, the terminal passes identity verification. That is, the data center queries its attribute library to determine whether the identity information is present; if it is, verification passes. The attribute library should be understood as storing a large amount of identity information that is allowed access, together with attribute information describing which data each identity may access, so that different identities are given access to different data. The attribute information in the library can of course be configured for specific circumstances. In this way a simple comparison of identity information decides whether verification passes, which speeds up verification. Identification is of course not limited to this method; any other means of identification can be used.
Step S102: after identity verification, determine whether the target resource corresponding to the access request exists locally in the data center;
In this step, the target resource refers to the subject and/or resource that the access request wants to access, where the subject refers to the specific location and the resource refers to the specific data being accessed. The data includes data that the data center, using external or internal application databases as data sources, has collected and updated into data center storage after the business data in those application databases has been standardized, cleaned and otherwise processed.
Step S103: if the target resource exists, authorize the terminal's access according to the preset access policy of the data center.
In this step, the access policy refers to access control conditions that the data center sets according to its own situation; it should be understood as access restrictions that the data center configures flexibly according to its specific circumstances, so that after simple identity verification the terminal is not given direct access but is authorized according to the data center's pre-established access policy, which ensures the access security of the data center. Specifically, the access policy includes authorizing access when the current running environment satisfies a preset condition and/or authorizing access when the current number of accesses satisfies a preset count condition. The running environment includes the physical environment of the data center itself, such as its temperature: for example, access may be disallowed when the temperature exceeds a certain threshold, or the number of accesses allowed may be set according to different temperatures. The running environment also includes the data center's own attributes, such as CPU usage: access may be refused when usage is high, or the number of accesses allowed may be set according to CPU usage. The access policy may also be a restriction set by the administrator according to specific management needs, for example denying outside access to certain data, or requiring specific authorization before it can be accessed. It should be understood that the access policy is not limited to the settings above; any other setting that secures access to the data center is included.
Specifically, when in step S102 the target resource corresponding to the access request does not exist locally in the data center, a session is established through the central data center with the target data center where the target resource is located, for authorized access. This can be done by looking up, through the central data center, the target data center where the target resource is located, establishing a session with that target data center, and letting the target data center's preset access policy authorize the terminal's access. Note that the target data center here is the data center that stores the target resource corresponding to the access request, and the central data center should be understood as storing the information on which data center holds each resource in the cloud computing system.
Further, the logical complexity of the access control mechanism affects the security performance of the cloud computing system, but for a data center whose average access volume is several times that of an ordinary system, an overly complex access control scheme reduces the access rate and weakens its processing capacity. To strengthen security control over the data center while preserving its processing capacity, the method further includes, after the terminal's access has been authorized, performing a security audit on the access. Specifically, the security audit can generate an access log in the data center where the target resource is located, track the access according to the access information recorded in the log, determine whether the access information complies with the preset security audit policy, and handle non-compliant accesses. It should be understood that the log is generated, and the security audit performed, in whichever data center holds the resource corresponding to the access request.
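The decision flow of Embodiment 1 (steps S101 to S103 plus the non-local case routed through the central data center) as an added Python example; this is illustration code written for this page, not the patent's own implementation. The class and field names, the policy thresholds and the two-region sample system are all constructed assumptions.

```python
"""Added example, not part of the patent: the decision flow of Embodiment 1.
A local data center verifies the terminal against its attribute library
(S101), checks whether the target resource is local (S102) and, if so,
applies its own preset access policy (S103); otherwise the central data
center locates the holding data center, whose policy then decides.
All names, thresholds and sample data are constructed for illustration."""
from dataclasses import dataclass


@dataclass
class AccessPolicy:
    """Preset policy: environment thresholds plus an access-count limit, the
    kinds of condition the description names (temperature, CPU usage, count)."""
    max_temperature_c: float
    max_cpu_percent: float
    max_concurrent_accesses: int


@dataclass
class DataCenter:
    name: str
    # Attribute library: allowed identity -> set of resources it may access.
    attribute_library: dict
    resources: set                 # resources stored in this data center
    policy: AccessPolicy
    temperature_c: float = 20.0    # current running environment (constructed)
    cpu_percent: float = 10.0
    current_accesses: int = 0

    def authenticate(self, terminal_id: str) -> bool:
        """S101: the identity passes if it is present in the attribute library."""
        return terminal_id in self.attribute_library

    def has_resource(self, resource: str) -> bool:
        """S102: is the target resource held locally?"""
        return resource in self.resources

    def environment_allows(self) -> bool:
        """S103: the environment / access-count part of this data center's policy."""
        p = self.policy
        return (self.temperature_c <= p.max_temperature_c
                and self.cpu_percent <= p.max_cpu_percent
                and self.current_accesses < p.max_concurrent_accesses)


class CentralDataCenter:
    """Knows which data center holds each resource and, as in step S201 of
    Embodiment 2, keeps a copy of every local attribute library."""

    def __init__(self, centers):
        self.centers = {dc.name: dc for dc in centers}
        self.resource_index = {r: dc.name for dc in centers for r in dc.resources}
        self.attribute_library = {}
        for dc in centers:
            for ident, allowed in dc.attribute_library.items():
                self.attribute_library.setdefault(ident, set()).update(allowed)

    def locate(self, resource: str):
        """Return the data center holding the resource, or None."""
        return self.centers.get(self.resource_index.get(resource))


def handle_access(local: DataCenter, central: CentralDataCenter,
                  terminal_id: str, resource: str) -> str:
    """Return 'denied:auth', 'denied:policy', 'denied:not-found',
    'granted:local' or 'granted:remote:<data center name>'."""
    if not local.authenticate(terminal_id):                   # S101
        return "denied:auth"
    if local.has_resource(resource):                          # S102: local
        allowed = local.attribute_library[terminal_id]
        if resource in allowed and local.environment_allows():   # S103
            return "granted:local"
        return "denied:policy"
    target = central.locate(resource)                         # not local
    if target is None:
        return "denied:not-found"
    # The local verification is trusted across the federation (one sign-on);
    # the central copy of the attribute library and the target data center's
    # own environment policy decide.
    allowed = central.attribute_library.get(terminal_id, set())
    if resource in allowed and target.environment_allows():
        return f"granted:remote:{target.name}"
    return "denied:policy"


def build_sample_system():
    """Constructed two-region system: t-alice is known to dc-east and may
    read r1 (local) and r3 (held by dc-west); r2 is local but not granted."""
    policy = AccessPolicy(max_temperature_c=35.0, max_cpu_percent=80.0,
                          max_concurrent_accesses=100)
    east = DataCenter("dc-east", {"t-alice": {"r1", "r3"}}, {"r1", "r2"}, policy)
    west = DataCenter("dc-west", {"t-bob": {"r3"}}, {"r3"}, policy)
    return east, west, CentralDataCenter([east, west])


if __name__ == "__main__":
    east, west, central = build_sample_system()
    for terminal, res in [("t-alice", "r1"), ("t-alice", "r2"),
                          ("t-alice", "r3"), ("t-mallory", "r1")]:
        print(terminal, res, "->", handle_access(east, central, terminal, res))
```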
Embodiment 2
In the cloud computing data center access management method of this embodiment, to facilitate management of specific accesses, a data center architecture for hierarchical deployment and multi-level sharing is established in advance. By deploying data center nodes within the unified authentication framework of a hierarchical organization, a cross-platform access control and audit policy model is established on the basis of an analysis of data center operations of different granularities and types, giving high security defence and intrusion identification capabilities. Specifically, a multi-level access control model (PBAC) is established, consisting of seven basic elements, domain, subject, resource, environment, operation, attribute and policy, together with a policy evaluation mechanism. PBAC is formally defined as follows: the policy-based multi-level access control model PBAC is a seven-tuple M = {D, S, R, E, O, A, P}, where D is the set of domains, S the set of subjects, R the set of resources, E the set of environments, O the set of operations, A the set of attributes and P the set of policies. On the basis of this formal description of PBAC, a unified authentication framework, namely the cloud computing system, is built whose main contents are admission access control and resource access control. The method of this example, shown in FIG. 2, includes the following steps:
Step S201: establish the attribute library of each data center hierarchically;
In this step, LDAP (Lightweight Directory Access Protocol) can be used to store the attribute information of the PBAC model, using a hierarchical cloud computing data center composed of one central data center and several local data centers, where each local data center stores its local attribute information while the central data center stores all local attribute information and keeps the stored attribute information dynamically updated;
Step S202: establish unified identity trust;
In this step, an identity trust federation can be built on the basis of the domain structure tree to form a cross-domain unified authentication system, and attributes are defined for each domain and for the subjects, resources, environments and operations within it, so that a terminal can access the resources of any domain according to the policy that domain defines; that is, one identity verification suffices to access every resource in the whole system that the terminal is permitted to access;
Step S203: perform access authorization;
In this step, a cross-domain trust federation and a distributed attribute authority centred on the attribute library and the policy library, covering both identity verification and access policy verification, can be established. Identity information is exchanged by means of attribute certificates issued by a CA, so that a user completes single sign-on across domains through intra-domain identity authentication, which implements admission access control. By establishing an authorization framework based on the SAML standard and the XACML model, intra-domain and inter-domain access policy evaluation mechanisms implement resource access control; that is, after passing identity verification, the terminal must also pass the access policy verification of the data center where the resource is located before access is authorized, which improves the security of the data center. Specifically, under the hierarchical authentication and authorization system, the terminal completes identity authentication using the local attribute authority; if the target resource is also local, access authorization is completed using the local access policy; if the target resource is not local, the domain in which the resource is located is obtained by querying the central data center, a session connection is established with that domain, and access authorization is performed by that domain's attribute access policy;
Step S204: perform a security audit on the authorized access.
In this step, the security audit trail not only helps the administrator ensure that data resources are protected from damage by unauthorized operations, but also helps with data recovery; some audit systems can achieve a more timely security response by means of the system's protective responses. Specifically, a security audit can be divided into several stages: audit trail, audit analysis and response handling. In the audit trail stage the audit system tracks and records access behaviour; violations are identified in the audit analysis stage, where a combination of manual and automatic analysis gives the best results, automatic analysis requiring a predefined security audit policy; response handling comprises the system's protective measures, including revoking permissions, disabling accounts, cutting network connections and terminating processes. A security audit is thus the process of deciding, according to certain rules, whether the access information recorded in the log complies with the access policy; the access log must therefore record sufficient access information. The audit policy needs to describe the access information items and the audit method. Specifically, to facilitate execution, a security audit model can first be established. For example, an audit policy item is a triple r = (I, p, C), where I is the set of access information items, p is the access policy corresponding to the recorded operation, and C is the set of audit methods. The security audit policy model is a nine-tuple M = {D, S, R, E, O, A, P, L, R}, where D is the set of domains, S the set of subjects, R the set of resources, E the set of environments, O the set of operations, A the set of attributes, P the set of access policies, L the set of events to be audited and R the set of audit policy items. A security audit is a triple N = (l, R, Res), where l is an event to be audited, R is the set of audit rules and Res is the audit verdict, the result of deciding whether the operation complies with the access policy, with Res ∈ {CONFORM, VIOLATE, NOTAPPLICATION}, where CONFORM means the audit passed, VIOLATE means an access that does not comply with the policy, and NOTAPPLICATION means undetermined. The process and results of a security audit are generated as audit records and stored in the audit library; for an event whose audit result is VIOLATE, the details of the violating access can be recovered, its nature determined and handled in time; for an event whose result is NOTAPPLICATION, a comprehensive analysis by other means can be performed to obtain a final verdict.
Taking as an example an access request whose target resource is not local: the terminal completes identity authentication in the domain in which it makes the access request; a session between the policy decision points of the subject's domain and the target resource's domain is built through the central data center node; on the strength of the trust federation's trust in the subject's identity credential, access authorization is performed by the attribute authority of the domain where the resource is located; the subject accesses the resource and an access log is generated in the domain where the target resource is located; and a security audit is performed by the audit authority of that domain. By applying the access control and security audit functions provided by this system, the security and confidentiality of the whole system are greatly strengthened, creating good economic benefits.
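The security audit model of step S204 (audit policy items r = (I, p, C), per-event verdicts N = (l, R, Res) and the handling of VIOLATE and NOTAPPLICATION records) run over constructed access-log lines from the target domain, as an added Python example; this is illustration code written for this page, not the patent's own implementation. The key=value log format, the field names, the grant table and the two rules are all constructed assumptions, and the audit rule set is named RULES rather than R to keep it apart from the resource set.

```python
"""Added example, not part of the patent: the security-audit model of step
S204 applied to constructed access-log lines. An audit policy item
r = (I, p, C) names the log fields I it needs, the access policy p the logged
operation must satisfy and the audit methods C; judging one event l against
the rule set yields Res in {CONFORM, VIOLATE, NOTAPPLICATION}.
Log format, field names, grants and rules are constructed for illustration."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

CONFORM, VIOLATE, NOTAPPLICATION = "CONFORM", "VIOLATE", "NOTAPPLICATION"

# Constructed access-log lines as the target data center might record them
# (key=value fields; the third line is missing its 'result' field).
SAMPLE_LOG = """\
ts=2016-02-15T10:00:01 domain=dc-west subject=t-alice resource=r3 op=read result=granted
ts=2016-02-15T10:00:07 domain=dc-west subject=t-alice resource=r3 op=write result=granted
ts=2016-02-15T10:00:09 domain=dc-west subject=t-bob resource=r3 op=read
ts=2016-02-15T10:00:12 domain=dc-west subject=t-bob resource=r4 op=delete result=granted
"""

Event = Dict[str, str]


def parse_log(text: str) -> List[Event]:
    """Parse key=value access-log lines into one event dict per line."""
    events = []
    for line in text.splitlines():
        if line.strip():
            events.append(dict(tok.split("=", 1) for tok in line.split()))
    return events


@dataclass(frozen=True)
class AuditItem:
    """An audit policy item r = (I, p, C)."""
    items: Tuple[str, ...]              # I: access information the rule needs
    policy: Callable[[Event], bool]     # p: access policy for the operation
    methods: Tuple[str, ...]            # C: how the audit is carried out


# Constructed access policy p: which operations each subject was granted on
# which resource (what the attribute library and policy would have allowed).
GRANTS = {("t-alice", "r3"): {"read"}, ("t-bob", "r3"): {"read"}}


def operation_permitted(event: Event) -> bool:
    return event["op"] in GRANTS.get((event["subject"], event["resource"]), set())


def result_matches_policy(event: Event) -> bool:
    """A logged 'granted' result is only consistent with a permitted operation."""
    return (event["result"] == "granted") == operation_permitted(event)


RULES = [
    AuditItem(("subject", "resource", "op"), operation_permitted, ("automatic",)),
    AuditItem(("subject", "resource", "op", "result"), result_matches_policy,
              ("automatic", "manual")),
]


def audit_event(event: Event, rules: List[AuditItem]) -> str:
    """N = (l, R, Res): judge one logged event against the audit rules."""
    for rule in rules:
        if any(field not in event for field in rule.items):
            return NOTAPPLICATION       # log lacks information the rule needs
        if not rule.policy(event):
            return VIOLATE
    return CONFORM


def audit_log(text: str, rules: List[AuditItem] = RULES) -> List[dict]:
    """Audit every event and return the audit records for the audit library."""
    records = []
    for event in parse_log(text):
        records.append({**event, "res": audit_event(event, rules)})
    return records


def triage(records: List[dict]) -> Tuple[List[dict], List[dict]]:
    """Split records into violations (to be handled promptly) and undetermined
    events (queued for analysis by other means)."""
    violations = [r for r in records if r["res"] == VIOLATE]
    undetermined = [r for r in records if r["res"] == NOTAPPLICATION]
    return violations, undetermined


if __name__ == "__main__":
    for rec in audit_log(SAMPLE_LOG):
        print(rec["ts"], rec["subject"], rec["resource"], rec["op"], "->", rec["res"])
```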
Embodiment 3
This embodiment provides a cloud computing data center which, as shown in FIG. 3, includes an identity verification module, a resource lookup module and a policy verification module: the identity verification module is configured to receive an access request from a terminal and perform identity verification on the terminal; the resource lookup module is configured to determine, after identity verification, whether the target resource corresponding to the access request exists locally in the data center; and the policy verification module is configured to authorize the terminal's access according to the data center's preset access policy if the target resource exists.
This embodiment provides a cloud computing data center which, as shown in FIG. 4, further includes an external access module: the external access module is configured to establish, when the target resource corresponding to the access request does not exist locally in the data center, a session through the central data center with the target data center where the target resource is located, for authorized access.
This embodiment provides a cloud computing data center which, as shown in FIG. 5, further includes a security audit module; the security audit module is configured to perform a security audit on the access after the terminal's access has been authorized.
To facilitate management, the data center of this example can be built on a corresponding model, shown in FIG. 6, comprising a resource directory system, a metadata base, a shared information base, an exchange information base, a statistical analysis database, an application server and a data sharing and exchange platform. Where the data volume is particularly large a data warehouse is established, and where an audit function is provided a security audit base is established. The data center uses external or internal application databases as data sources; after standardization, data cleaning and other processing, the business data in those application databases is collected and updated into data center storage.
Resource directory system: classifies the data resources collected by the data center by features such as topic and type. By storage form, data resources can be divided into structured, semi-structured and unstructured data; structured data can be extracted by the data center from the various business databases, whereas semi-structured and unstructured data are generally stored locally, with their storage information recorded in the data center's resource directory base.
Metadata base: consists of metadata and a data dictionary. Metadata is data describing the characteristics of the data itself and its transformation rules, including data structure definitions, dimension definitions, and data extraction and mapping rule definitions, and supports the data center system's management and maintenance of data. The data dictionary includes definitions and descriptions of data items, data flows, processing logic, external entities, classification codes, indicator systems and so on.
Shared information base: stores standardized data that has been aggregated in real time from the business application databases of this level and the shared information bases of the level below and then collected, extracted, cleaned and converted, and serves as the data source from which the data center provides data exchange and sharing externally. The data in the shared database must be maintained regularly to ensure its consistency.
Exchange information base: temporarily stores exchange data between the heterogeneous databases of different data centers, and data shared and exchanged between internal and external databases for the security of the business databases.
Statistical analysis database: analyses and aggregates data along given dimensions, supporting statistical analysis and report production; the statistical analysis base is generally collected and updated periodically.
Data warehouse: compared with an operational database, the data warehouse provides online analytical processing, data mining, decision support and online analysis, and intelligent querying of processed data, supporting application decision analysis; it is organized by subject and generally has a large storage capacity.
Security audit base: stores the audit data of the database system.
Data sharing and exchange platform: provides data exchange services between different databases and different data formats, integrating separate data resources into the shared database. It mainly comprises the data exchange and sharing function and the ETL (Extraction, Transformation, Loading) function; the ETL system performs collection, cleaning, conversion and comparison, solving the problem that information cannot be freely converted between different information bases. Data exchange is the core of data integration in the data center, and data sharing is the data access and distribution realized on the basis of data exchange. Data transfer between the shared information base and the business integration system is completed with the assistance of the sharing and exchange platform.
The cloud computing data center described above is configured to perform the cloud computing data center access management method described above. The cloud computing data center may be a cloud computer, a cloud server, or the like. It may include at least one of a processing component, a memory, a power component, an input/output interface, and a communication component.
The processing component can perform all operations of the cloud computing data center, such as data communication and logging. The processing component may include one or more processors that execute instructions to carry out all or part of the steps of the method described above. The processing component may also include one or more modules that facilitate interaction between the processing component and the other components.
The memory is configured to store various types of data to support the operation of the cloud computing data center. Examples of such data include the instructions and messages of any application or method running in the cloud computing data center. The memory may be implemented using any type of volatile or non-volatile memory device, or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic memory, flash memory, a magnetic disk, or an optical disk.
The power component supplies power to the various components of the cloud computing data center.
The input/output interface provides an interface between the processing component and peripheral interface modules, which may be a keyboard, a click wheel, buttons, or the like.
The communication component is configured to facilitate wired or wireless communication between the cloud computing data center and other devices.
Those of ordinary skill in the art will understand that all or part of the steps of the above method may be completed by a program instructing the relevant hardware, and that such a program may be stored in a computer-readable storage medium such as a read-only memory, a magnetic disk, or an optical disk. Optionally, all or part of the steps of the above embodiments may also be implemented using one or more integrated circuits. Correspondingly, each module/unit in the above embodiments may be implemented in the form of hardware or in the form of a software functional module. The invention is not limited to any specific combination of hardware and software.
The above embodiments are intended only to illustrate the technical solutions of the present invention and not to limit them; the invention has been described in detail with reference to preferred embodiments only. Those of ordinary skill in the art should understand that modifications or equivalent substitutions may be made to the technical solutions of the invention without departing from the spirit and scope of those solutions, and all such modifications fall within the scope of the claims of the invention.
Industrial applicability
The invention is applicable to the field of communications and is used to realize secure access to a cloud computing data center.

Claims (11)

  1. A cloud computing data center access management method, comprising:
    receiving, by a data center, an access request from a terminal, and authenticating the terminal;
    after the terminal passes authentication, determining whether the target resource corresponding to the access request exists locally in the data center;
    if the target resource exists, authorizing the terminal's access according to a preset access policy of the data center.
  2. The cloud computing data center access management method according to claim 1, wherein the data center authenticating the terminal comprises: invoking attribute information in an attribute library of the data center, the attribute information including the identification information of identities permitted to access; and comparing the attribute information with the identification information of the terminal, authentication passing if they match.
  3. The cloud computing data center access management method according to claim 1, wherein the access policy comprises granting access when the current running environment satisfies a preset condition and/or granting access when the current number of accesses satisfies a preset count condition.
  4. The cloud computing data center access management method according to claim 1, further comprising: when the target resource corresponding to the access request does not exist locally in the data center, establishing a session, via a central data center, with the target data center where the target resource is located, for authorized access.
  5. The cloud computing data center access management method according to claim 4, wherein establishing a session via the central data center with the target data center where the target resource is located for authorized access comprises: looking up, through the central data center, the target data center where the target resource is located; establishing a session with the target data center; and authorizing the terminal's access according to the preset access policy of the target data center.
  6. The cloud computing data center access management method according to any one of claims 1 to 5, further comprising, after authorizing the terminal's access: performing a security audit on the access.
  7. The cloud computing data center access management method according to claim 6, wherein performing a security audit on the access comprises: generating an access log in the data center where the target resource is located; tracking the access according to the access information recorded in the access log; determining whether the access information complies with a preset security audit policy; and handling non-compliant accesses.
  8. A cloud computing data center, comprising an identity verification module, a resource lookup module and a policy verification module, wherein:
    the identity verification module is configured to receive an access request from a terminal and authenticate the terminal;
    the resource lookup module is configured to determine, after the terminal passes authentication, whether the target resource corresponding to the access request exists locally in the data center;
    the policy verification module is configured to authorize the terminal's access according to a preset access policy of the data center if the target resource exists.
  9. The cloud computing data center according to claim 8, further comprising an external access module, the external access module being configured to establish a session, via a central data center, with the target data center where the target resource is located for authorized access when the target resource corresponding to the access request does not exist locally in the data center.
  10. The cloud computing data center according to claim 8 or 9, further comprising a security audit module, the security audit module being configured to perform a security audit on the access after the terminal's access has been authorized.
  11. [Corrected under Rule 26, 29.03.2016]
    A non-transitory computer-readable storage medium comprising instructions executable by a processor in a cloud computing data center to perform a cloud computing data center access management method, comprising:
    receiving, by a data center, an access request from a terminal, and authenticating the terminal;
    after the terminal passes authentication, determining whether the target resource corresponding to the access request exists locally in the data center;
    if the target resource exists, authorizing the terminal's access according to a preset access policy of the data center.
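The flow of claims 1 to 7 as a runnable model, added here as an illustration; it is not code from the patent or its applicant. The class names (DataCenter, CentralDataCenter, AccessPolicy, AuditRecord), the concrete policy conditions (an allowed-environment set and a concurrent-access limit), the audit rule (a terminal is blocked after a preset number of denied accesses) and the handling of a resource no data center holds are assumptions chosen for the example; the claims only state that such preset conditions and policies exist. The scenario in demo() is constructed: two member data centers behind one central data center, with one terminal that is authorised locally, one whose request is routed through the central data center, one unknown identity and one that the audit eventually blocks.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class AccessPolicy:
    """Preset access policy (claim 3): an environment condition plus an access-count condition."""
    allowed_environments: FrozenSet[str]
    max_concurrent: int

    def permits(self, environment: str, current_accesses: int) -> bool:
        return (environment in self.allowed_environments
                and current_accesses < self.max_concurrent)


@dataclass
class AuditRecord:  # one access-log entry (claim 7), kept by the data center holding the resource
    terminal_id: str
    resource: str
    data_center: str
    outcome: str  # "granted" or a denial reason


class CentralDataCenter:
    """Claims 4 and 5: knows which member data center holds each resource."""
    def __init__(self) -> None:
        self.members: Dict[str, "DataCenter"] = {}

    def register(self, dc: "DataCenter") -> None:
        self.members[dc.name] = dc

    def locate(self, resource: str) -> Optional["DataCenter"]:
        return next((dc for dc in self.members.values() if resource in dc.resources), None)


class DataCenter:
    def __init__(self, name: str, attribute_library: FrozenSet[str], resources: FrozenSet[str],
                 policy: AccessPolicy, central: CentralDataCenter, max_denials: int = 3) -> None:
        self.name = name
        self.attribute_library = attribute_library  # claim 2: identities permitted to access
        self.resources = resources                  # resources held locally
        self.policy = policy
        self.central = central
        self.max_denials = max_denials              # assumed security audit policy (claim 7)
        self.current_accesses = 0
        self.access_log: List[AuditRecord] = []
        self.blocked: Set[str] = set()
        central.register(self)

    def authenticate(self, terminal_id: str) -> bool:  # claim 2: match against the attribute library
        return terminal_id in self.attribute_library and terminal_id not in self.blocked

    def authorize_local(self, terminal_id: str, resource: str, environment: str) -> str:
        """Claims 1 and 5: the data center holding the resource applies its own preset policy."""
        if self.policy.permits(environment, self.current_accesses):
            self.current_accesses += 1
            outcome = "granted"
        else:
            outcome = "denied: policy"
        self.access_log.append(AuditRecord(terminal_id, resource, self.name, outcome))
        return outcome

    def handle_request(self, terminal_id: str, resource: str, environment: str) -> str:
        """Claims 1 and 4: entry point for a terminal's access request."""
        if not self.authenticate(terminal_id):
            self.access_log.append(AuditRecord(terminal_id, resource, self.name, "denied: authentication"))
            return "denied: authentication"
        target = self if resource in self.resources else self.central.locate(resource)
        if target is None:  # not addressed by the claims; assumed handling
            return "denied: no such resource"
        outcome = target.authorize_local(terminal_id, resource, environment)  # session with the target DC
        target.security_audit(terminal_id)  # claim 6: the audit follows the authorization decision
        return outcome

    def security_audit(self, terminal_id: str) -> bool:
        """Claim 7: check the terminal's logged accesses against the audit policy; block if non-compliant."""
        denials = sum(r.outcome.startswith("denied")
                      for r in self.access_log if r.terminal_id == terminal_id)
        compliant = denials < self.max_denials
        if not compliant:
            self.blocked.add(terminal_id)
        return compliant


def demo() -> dict:
    """Constructed scenario: two member data centers behind one central data center."""
    central = CentralDataCenter()
    policy = AccessPolicy(frozenset({"production"}), max_concurrent=1)
    dc_a = DataCenter("dc-a", frozenset({"term-1", "term-2"}), frozenset({"db-a"}), policy, central)
    dc_b = DataCenter("dc-b", frozenset({"term-1"}), frozenset({"db-b"}), policy, central)
    results = [
        dc_a.handle_request("term-1", "db-a", "production"),  # local resource, granted
        dc_a.handle_request("term-2", "db-a", "production"),  # access-count limit reached: denied
        dc_a.handle_request("term-1", "db-b", "production"),  # located via the central DC, granted by dc-b
        dc_a.handle_request("term-9", "db-a", "production"),  # identity not in the attribute library
        dc_a.handle_request("term-2", "db-a", "staging"),     # environment condition fails
        dc_a.handle_request("term-2", "db-a", "staging"),     # third denial: audit blocks term-2
        dc_a.handle_request("term-2", "db-a", "production"),  # blocked terminal no longer authenticates
    ]
    return {"results": results, "dc_a": dc_a, "dc_b": dc_b}
```

Two points the model makes visible that the claims state only implicitly: the access log for a remotely located resource is written by the data center that holds it (dc-b), not by the one the terminal first contacted, which is where claim 7 says the log is generated; and the audit's handling of a non-compliant terminal feeds back into authentication, so a blocked terminal fails at the claim 2 step on its next request even though its identity is still present in the attribute library.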
PCT/CN2016/073822 2015-04-24 2016-02-15 Access management method for cloud computing data centre and cloud computing data centre WO2016169324A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510200650.5A CN106161566A (en) 2015-04-24 2015-04-24 A kind of cloud computation data center access management method and cloud computation data center
CN201510200650.5 2015-04-24

Publications (1)

Publication Number Publication Date
WO2016169324A1 true WO2016169324A1 (en) 2016-10-27

Family

ID=57144587

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/073822 WO2016169324A1 (en) 2015-04-24 2016-02-15 Access management method for cloud computing data centre and cloud computing data centre

Country Status (2)

Country Link
CN (1) CN106161566A (en)
WO (1) WO2016169324A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110636500A (en) * 2019-08-27 2019-12-31 西安电子科技大学 Access control system and method supporting cross-domain data sharing and wireless communication system
CN113407604A (en) * 2021-05-21 2021-09-17 上汽通用五菱汽车股份有限公司 Data integration method, system and computer readable storage medium
CN113704795A (en) * 2021-09-02 2021-11-26 杭州戎戍网络安全技术有限公司 Multi-domain access control formalized modeling method based on label attributes
CN113949529A (en) * 2021-09-09 2022-01-18 广州鲁邦通智能科技有限公司 Credible hybrid cloud management platform access method and system

Families Citing this family (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108768968A (en) * 2018-05-14 2018-11-06 有时数联科技(北京)有限公司 A kind of method and system that service request is handled based on data safety management engine
CN109359484A (en) * 2018-08-22 2019-02-19 北京中测安华科技有限公司 Processing method, device, equipment and the medium of the security audit terminal log of cloud platform
CN109325363A (en) * 2018-09-26 2019-02-12 平安普惠企业管理有限公司 Management method, device, computer equipment and the storage medium of authority information
CN109787862B (en) * 2019-01-17 2019-09-13 无锡华云数据技术服务有限公司 Detection method, device, electronic equipment and the storage medium of invalid resource
CN109842625A (en) * 2019-02-02 2019-06-04 北京奇安信科技有限公司 A kind of dynamic accesses control method and system
CN111538973A (en) * 2020-03-26 2020-08-14 成都云巢智联科技有限公司 Personal authorization access control system based on state cryptographic algorithm
CN112565189A (en) * 2020-11-04 2021-03-26 国网安徽省电力有限公司信息通信分公司 Access control system based on cloud computing data security
CN113010897B (en) * 2021-03-19 2023-06-13 中国联合网络通信集团有限公司 Cloud computing security management method and system
CN113238839B (en) * 2021-04-26 2022-04-12 深圳微品致远信息科技有限公司 Cloud computing based data management method and device
CN113726812B (en) * 2021-09-08 2023-06-30 北京鼎普科技股份有限公司 Terminal operation log auditing method and system

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101986599A (en) * 2010-12-09 2011-03-16 北京交通大学 Network security control method based on cloud service and cloud security gateway
CN103795690A (en) * 2012-10-31 2014-05-14 华为技术有限公司 Cloud access control method, proxy server, and cloud access control system
US20140380048A1 (en) * 2013-06-25 2014-12-25 Orange Method and a server for processing a request from a terminal to access a computer resource

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
LI, HONGXIA;: "Identity Authentication and Access Control Management System Implementation Strategy in Cloud Computing", MASTER'S DISSERTATION OF BEIJING UNIVERSITY OF POSTS AND TELECOMMUNICATIONS, 13 January 2011 (2011-01-13) *
TIAN, YAN ET AL.: "Cloud Security Management Platform Based on Identity Authorization and Access Control", MEASUREMENT & CONTROL TECHNOLOGY, vol. 32, no. 2, 31 December 2013 (2013-12-31) *

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110636500A (en) * 2019-08-27 2019-12-31 西安电子科技大学 Access control system and method supporting cross-domain data sharing and wireless communication system
CN110636500B (en) * 2019-08-27 2022-04-05 西安电子科技大学 Access control system and method supporting cross-domain data sharing and wireless communication system
CN113407604A (en) * 2021-05-21 2021-09-17 上汽通用五菱汽车股份有限公司 Data integration method, system and computer readable storage medium
CN113704795A (en) * 2021-09-02 2021-11-26 杭州戎戍网络安全技术有限公司 Multi-domain access control formalized modeling method based on label attributes
CN113704795B (en) * 2021-09-02 2024-02-06 杭州戎戍网络安全技术有限公司 Multi-domain access control formalized modeling method based on label attribute
CN113949529A (en) * 2021-09-09 2022-01-18 广州鲁邦通智能科技有限公司 Credible hybrid cloud management platform access method and system

Also Published As

Publication number Publication date
CN106161566A (en) 2016-11-23

Similar Documents

Publication Publication Date Title
WO2016169324A1 (en) Access management method for cloud computing data centre and cloud computing data centre
US11599668B2 (en) Securing access to confidential data using a blockchain ledger
AU2019206006B2 (en) System and method for biometric protocol standards
US10326795B2 (en) Techniques to provide network security through just-in-time provisioned accounts
US10375054B2 (en) Securing user-accessed applications in a distributed computing environment
US10055561B2 (en) Identity risk score generation and implementation
KR102571829B1 (en) Core Network Access Provider
US11063928B2 (en) System and method for transferring device identifying information
US9130920B2 (en) Monitoring of authorization-exceeding activity in distributed networks
US9420002B1 (en) Authorization server access system
Hu et al. An access control scheme for big data processing
US20110107411A1 (en) System and method for implementing a secure web application entitlement service
Spivey et al. Hadoop Security: Protecting your big data platform
Ghaffari et al. Authentication and access control based on distributed ledger technology: A survey
Srinivas et al. Security maturity in NoSQL databases-are they secure enough to haul the modern it applications?
US20210075799A1 (en) Threat detection of application traffic flows
Dramé-Maigné et al. Centralized, distributed, and everything in between: Reviewing access control solutions for the IoT
Habiba et al. Access control management for cloud
Alkhresheh et al. DACIoT: Dynamic access control framework for IoT deployments
Namane et al. Grid and cloud computing security: A comparative survey
Duan et al. A multi-tenant access control method based on environmental attributes and security labels
KR100657353B1 (en) Security system and method for supporting a variety of access control policies, and recordable medium thereof
CN115033187B (en) Big data based analysis management method
Mohammad et al. A multi-layer security enabled quality of service (QoS) management architecture
Wong et al. Emerging issues and challenges for cloud data at the edge

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16782472

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16782472

Country of ref document: EP

Kind code of ref document: A1