CN103795726A - Depth protection method for virtual data safety access - Google Patents

Info

Publication number: CN103795726A
Authority: CN (China)
Prior art keywords: access, data, safety, security, virtual
Legal status: Pending
Application number: CN201410051158.1A
Other languages: Chinese (zh)
Inventor: 苗再良
Current assignee: Inspur Communication Information System Co Ltd
Original assignee: Inspur Communication Information System Co Ltd
Priority date: 2014-02-14
Filing date: 2014-02-14
Publication date: 2014-05-14

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention provides a depth protection method for secure access to virtual data. The method can be widely applied to the security protection of data storage and access in cloud computing and in various virtualization systems. The method establishes a layered, in-depth security authentication and monitoring system, so that the security level and attack resistance of the virtual storage system are effectively improved; at the same time, different protection strategies are adopted for different users and access patterns, security protection services of different grades are provided to different users, and the differentiated security demands of different enterprises, users and applications for cloud computing data services are met. By means of the method, the data access and security protection levels of a cloud computing center and of virtualization systems can be markedly improved, and even if the outer-layer access authentication is broken, the virtual storage security management system can still effectively protect the security of stored data through its own dedicated secure access control function.

Description

A defense-in-depth method for secure access to virtual data
Technical field
The present invention relates to the field of security protection technology for data storage and access in cloud computing and various virtualization systems, and specifically to a defense-in-depth method for secure access to virtual data.
Background technology
The security problem of cloud computing has become the major obstacle affecting the adoption of cloud computing. Among the various cloud computing security problems, data security is the most important; it mainly concerns data storage security, data recovery and protection, and data access security.
In particular, the protection of users' sensitive data and privacy information is a key requirement of cloud computing applications. Because under the cloud computing model the ownership of data assets may be separated from their administrative control, customers access and use their data assets over the Internet, and hackers, viruses, Trojans and unauthorized users may likewise access these data, causing the destruction or leakage of critical sensitive information such as customers' private data, payment accounts and access passwords in the cloud computing environment. Customer concern over the security of their data assets has therefore become a universal security problem of cloud computing applications.
Data storage security and data recovery and protection already have many mature solutions, such as data mirroring and disaster-tolerant backup. For the data access security problem, however, the virtualized, multi-tenant, dynamic and boundary-blurring characteristics of cloud computing make it difficult for traditional data protection technologies such as encryption and firewalls to achieve satisfactory results; research on secure access technology for cloud computing and virtualization systems has therefore become a focus of the cloud computing field.
The present invention provides a depth protection model for cloud computing data, offering a fairly complete technical foundation for realizing secure access to cloud computing data.
Summary of the invention
The object of the present invention is to provide a defense-in-depth method for secure access to virtual data.
The depth protection method for cloud computing virtual storage data provided by the present invention comprises several parts: client terminals, virtual storage security management, network transmission and security authentication, and the security management protocol by which user terminals access the virtual storage system. Client terminals are divided into two classes, trusted terminals and ordinary terminals, both of which support access authentication and access control functions. The virtual storage security management system has access security management and data isolation storage functions, where data isolation is realized by a series of data security storage isolation zones, or secure private rooms. The network transmission consists of the Internet and an intranet and is connected to a security authentication center, which may be a local security authentication or a third-party security authentication. The concrete steps are as follows:
1. When a client terminal accesses the data of the virtual storage system over the network, it is first forcibly connected, under the control of the user security management function, to the security authentication center, which confirms the visitor's legitimacy by authentication;
2. For a legitimate visitor, the client security management function further judges its type: a trusted client terminal directly enters the access control flow of the virtual storage system and accesses the data of the isolation zone under the supervision of the access control protocol;
3. An ordinary client terminal, on entering the access control flow, must additionally accept client access security audit and access process security monitoring (finer-grained and stricter monitoring and control than access control alone), and accesses the data of the security isolation zone under this dual control.
Beneficial effects of the present invention: the main innovation of the present invention is to provide a defense-in-depth model framework supporting secure access to virtual storage data, together with a corresponding classified and layered control mechanism for secure access to virtual storage data.
The present invention is widely applicable to the data storage security protection of cloud computing and various virtualization systems.
On the one hand, through layered security authentication and monitoring, the security level and attack resistance of the virtual storage system can be significantly improved: even if the ordinary access authentication is broken, the virtual storage security management system can still effectively protect the security of stored data through its own dedicated secure access control function.
On the other hand, by adopting different protection strategies for different users and access modes, not only can the overall efficiency of data access be significantly improved, but a dynamic, differentiated cloud security service can also be provided, giving different users security protection services of different grades and fully meeting the differentiated security requirements of different enterprises, users and applications for cloud computing data services.
Accompanying drawing explanation
Fig. 1 is a structural schematic of the virtual data access defense-in-depth system.
Embodiment
The implementation method of the present invention in practical applications, and points for attention, are given below:
1) Implementation on the client
The client carrier can be a PC, notebook, smartphone, etc. Installing on the client the client protocol control software adapted to the virtual storage security management system of the present invention (mainly comprising customer management, access control and access authentication client software) gives it the ability to securely access cloud computing/virtual storage system data;
2) Implementation in the cloud computing virtual storage system
In the cloud computing virtual storage system, the virtual secure storage management system software based on the present invention is developed and loaded, giving the system access security management and data isolation storage management functions.
The access security management function module has customer security management / security service strategy, client access security audit and access process security monitoring functions. The customer security management function includes customer registration, authorization, classification management, access authentication management, access control, etc.; the security service strategy mainly applies different security control grades, with different security control measures, to different customer classes; client access security audit and access process security monitoring are mainly used to strengthen control over accesses by ordinary clients whose trustworthiness cannot be ascertained.
Each of the above security management and control functions should have a corresponding supporting protocol, supporting end-to-end security control over the whole data access process.
The data isolation storage management part, to better adapt to the dynamic and distributed characteristics of cloud computing, can adopt a partitioned storage pattern under a unified storage image, storing data in a series of data security storage isolation zones or secure private rooms.
Selection and setting of the access security authentication center
The access security authentication center can be included as a function of customer security management within the cloud computing/virtual storage system, or an external third-party security authentication can be selected. If third-party authentication is selected, the corresponding settings are made in the customer security management function.
On the basis of items 1-3 above, classified and layered access security control can be applied to different clients, realizing defense in depth for cloud computing virtual storage data.
Of course, encryption technology can also be used to further protect critical data in the virtual storage region, but this is not the focus of the present invention.
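The three-step flow of the summary (authenticate, classify, then access-control with audit and monitoring for ordinary terminals) and the embodiment's point that the storage manager's own access control holds even when outer authentication is bypassed can both be made concrete in a small policy engine. The following is an added example written for this page; it is not code from the patent or from Inspur. The HMAC token scheme, the zone ACL structure, the read-only and quota rules for ordinary clients, and all client and zone names are assumptions chosen for the example.

```python
"""Illustrative policy engine for the patent's three-step access flow (added
example, not the patent's or Inspur's code). Names and sample data are assumed."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional
import hashlib
import hmac


class ClientClass(Enum):
    TRUSTED = "trusted"      # trusted terminal: access control only
    ORDINARY = "ordinary"    # ordinary terminal: access control + audit + monitoring


@dataclass
class AuthCenter:
    """Step 1: the security authentication center (local or third party).
    Modelled as an HMAC token issuer over the customer registry (assumption)."""
    key: bytes
    registry: dict                  # client_id -> ClientClass (registration/classification)

    def issue(self, client_id: str) -> str:
        return hmac.new(self.key, client_id.encode(), hashlib.sha256).hexdigest()

    def verify(self, client_id: str, token: str) -> bool:
        if client_id not in self.registry:
            return False
        return hmac.compare_digest(self.issue(client_id), token)


@dataclass
class StorageManager:
    """Virtual storage security management: its own ACL over isolation zones,
    enforced independently of whatever the outer layer decided."""
    zone_acl: dict                                   # zone -> {client_id: set(ops)}
    ordinary_ops: frozenset = frozenset({"read"})    # stricter rule for ordinary clients
    ordinary_quota: int = 3                          # max ops per ordinary client (monitoring)
    audit_log: list = field(default_factory=list)
    counters: dict = field(default_factory=dict)

    def access(self, client_id: str, zone: str, op: str) -> str:
        """Inner access control: consults only the zone ACL."""
        allowed = self.zone_acl.get(zone, {}).get(client_id, set())
        if op not in allowed:
            self.audit_log.append(f"DENY acl client={client_id} zone={zone} op={op}")
            return "denied: zone access control"
        self.audit_log.append(f"ALLOW client={client_id} zone={zone} op={op}")
        return f"ok: {op} {zone}"

    def monitor(self, client_id: str, zone: str, op: str) -> Optional[str]:
        """Step 3: access security audit plus access-process monitoring for
        ordinary clients. Returns a denial string, or None to let the request
        proceed to access control."""
        self.audit_log.append(f"AUDIT client={client_id} zone={zone} op={op}")
        n = self.counters.get(client_id, 0) + 1
        self.counters[client_id] = n
        if op not in self.ordinary_ops:
            return "denied: operation blocked by access-process monitoring"
        if n > self.ordinary_quota:
            return "denied: access quota exceeded (monitoring)"
        return None


def handle_request(auth: AuthCenter, storage: StorageManager,
                   client_id: str, token: str, zone: str, op: str) -> str:
    """Outer layer (client security management) running steps 1-3."""
    # Step 1: forced connection to the authentication center.
    if not auth.verify(client_id, token):
        storage.audit_log.append(f"DENY auth client={client_id}")
        return "denied: authentication failed"
    # Step 2: classify the legitimate visitor.
    if auth.registry[client_id] is ClientClass.ORDINARY:
        # Step 3: ordinary clients pass audit and monitoring first.
        verdict = storage.monitor(client_id, zone, op)
        if verdict:
            return verdict
    # Both classes end in the storage manager's own access control.
    return storage.access(client_id, zone, op)


def build_demo():
    """Constructed sample deployment: two clients, two isolation zones."""
    auth = AuthCenter(key=b"demo-key-not-for-production",
                      registry={"alice": ClientClass.TRUSTED,
                                "bob": ClientClass.ORDINARY})
    storage = StorageManager(zone_acl={
        "zone-finance": {"alice": {"read", "write"}},
        "zone-public": {"alice": {"read", "write"}, "bob": {"read", "write"}},
    })
    return auth, storage


if __name__ == "__main__":
    auth, storage = build_demo()
    print(handle_request(auth, storage, "alice", auth.issue("alice"), "zone-finance", "write"))
    print(handle_request(auth, storage, "bob", auth.issue("bob"), "zone-public", "write"))
    print(handle_request(auth, storage, "bob", "forged", "zone-public", "read"))
    # Outer layer bypassed entirely: the inner ACL still denies.
    print(storage.access("bob", "zone-finance", "read"))
```

The last call in the `__main__` block is the point of the layering: it reaches `StorageManager.access` without passing through `handle_request` at all, standing in for a broken outer authentication, and the request is still refused because the zone ACL never delegates its decision to the outer layer. The monitor also shows why the ordinary-client path is described as stricter than access control: `bob` is permitted to write `zone-public` by the ACL, but the monitoring rule for ordinary terminals blocks the write before the ACL is consulted.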

Claims (1)

1. A defense-in-depth method for secure access to virtual data, characterized in that it comprises several parts: client terminals, virtual storage security management, network transmission and security authentication, and the security management protocol by which user terminals access the virtual storage system; the client terminals comprise two classes, trusted terminals and ordinary terminals, both supporting access authentication and access control functions; the virtual storage security management system has access security management and data isolation storage functions, where data isolation is realized by a series of data security storage isolation zones or secure private rooms; the network transmission consists of the Internet and an intranet and is connected to a security authentication center, the security authentication center comprising a local security authentication or a third-party security authentication; and the concrete steps are as follows:
1) when a client terminal accesses the data of the virtual storage system over the network, it is first forcibly connected, under the control of the user security management function, to the security authentication center, which confirms the visitor's legitimacy by authentication;
2) for a legitimate visitor, the client security management function further judges its type: a trusted client terminal directly enters the access control flow of the virtual storage system and accesses the data of the isolation zone under the supervision of the access control protocol;
3) an ordinary client terminal, on entering the access control flow, must additionally accept client access security audit and access process security monitoring, and accesses the data of the security isolation zone under this dual control.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410051158.1A CN103795726A (en) 2014-02-14 2014-02-14 Depth protection method for virtual data safety access

Publications (1)

Publication Number Publication Date
CN103795726A true CN103795726A (en) 2014-05-14

Family

ID=50671012

Country Status (1)

Country Link
CN (1) CN103795726A (en)

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090007042A1 (en) * 2004-11-23 2009-01-01 Lsi Corporation Virtual data representation through selective bidirectional translation
CN1953454A (en) * 2006-10-27 2007-04-25 北京启明星辰信息技术有限公司 A safe audit method based on role management and system thereof
CN103379089A (en) * 2012-04-12 2013-10-30 中国航空工业集团公司第六三一研究所 Access control method and system based on security domain isolation
CN103457958A (en) * 2013-09-18 2013-12-18 浪潮电子信息产业股份有限公司 Cloud computing network server inner core safe access method
CN103544286A (en) * 2013-10-28 2014-01-29 中国软件与技术服务股份有限公司 Database protection method

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
王莉: "Design and Implementation of a Database Secure Access Control Communication Middleware" (《数据库安全访问控制通信中间件的设计与实现》), Computer CD Software and Applications (《计算机光盘软件与应用》) *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105656837A (en) * 2014-11-11 2016-06-08 江苏威盾网络科技有限公司 Secure and controllable data protection system and method
CN105808987A (en) * 2014-12-30 2016-07-27 ***通信集团公司 Mobile data interaction method and device
CN108200073A (en) * 2018-01-12 2018-06-22 阳光保险集团股份有限公司 A kind of sensitive data safety system
CN111291409A (en) * 2020-02-03 2020-06-16 支付宝(杭州)信息技术有限公司 Data monitoring method and device
CN111291409B (en) * 2020-02-03 2022-12-20 支付宝(杭州)信息技术有限公司 Data monitoring method and device
CN117010011A (en) * 2023-06-13 2023-11-07 山东鼎夏智能科技有限公司 Data protection system and method
CN117010011B (en) * 2023-06-13 2024-01-30 山东鼎夏智能科技有限公司 Data protection system and method

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140514