System for establishing access control policies in private cloud environment

Abstract

The invention provides a system for establishing access control policies in a private cloud environment. The system comprises a database (100), a context-sensing module (200), a local access control policy establishing module (300), a local access control policy optimizing module (400), a global access control policy establishing module (500), a global access control policy decomposing module (600), a sensitive information management module (700), a field information management module (800) and an auditing module (900). The system dynamically establishes the local access control policy in the private cloud environment, so that the established policy can meet requirements on dynamism and adaptivity of the private cloud environment; the system also realizes establishment and decomposition of a global access control policy which describes a composite service security requirement, so that the aim of avoiding leakage of sensitive information in the access control policy of a collaboration-participating service provider is achieved. The system has the characteristics of high security, high executing efficiency and high expandability.

Description

technical field [0001] The invention belongs to the technical field of computer security, and in particular relates to an access control policy construction system in a private cloud environment. It mainly designs and implements the construction of access control strategies in the private cloud environment from the perspective of the framework. Background technique [0002] Cloud Computing (Cloud Computing) takes the network as the carrier and virtualization technology as the basis, integrates traditional computing methods such as grid computing, distributed computing, and parallel computing, and integrates resources such as large-scale scalable applications, storage, computing, and data for collaboration. Working supercomputing mode. As an emerging business model that provides applications based on services and public participation, cloud computing technology meets the advantages of energy saving, emission reduction, green environmental protection and other advantages in i...

AI Technical Summary

Problems solved by technology

However, the method of selecting service combinations based on QoS optimization is mainly oriented to user functional requirements, lacking consideration of non-functional security requirements, lack of subject context information, object context information, The operation context information and environment context information are dynamically perceived and quantified, and then the local access control strategy is dynamically constructed, so that the constructed local access control strategy can be dynamically adjusted according to the context environment, so as to ensure that the constructed local access control strategy meets the requirements of the system. While providing security, it can also adapt to the characteristics of dynamics, adaptability and scalability of the private cloud environment; secondly, a single service in a private cloud environment has limited functions, and it is difficult to meet the ever-changing business needs of the system and users, which needs to be realized through service composition The effective sharing of resources enables each service to communicate with each other to complete tasks, and the partial access control policies that describe the security of different services involved in service composition may have different requirements, which may lead to conflicts in the global access control policies generated during the process of service composition However, the traditional service composition method still lacks the ability to integrate the possible conflicts in the process of constructing a global access control strategy that describes service composition security, so as to form a unified global access control strategy that describes service composition security. Consider; moreover, the service model of data hosting and resource sharing in the private cloud environment promotes collaborative services between service domains, and the access control policy describing the service combination security constitutes the global access control policy in the private cloud environment. The global access control policy covers the sensitive policy information of each collaborative service party participating in the service combination, so that the information content of the constructed global access control policy cannot be transmitted and shared with any untrustworthy service provider, so the global access control policy needs to be Implement reasonable protection of sensitive policy information during the decomposition process to ensure the security of policy information itself and the correct implementation of service composition

[0004] To sum up, the construction of access control policies in a private cloud environment will face three major challenges: (1) The dynamic adaptability of policies, that is, how to perceive the factors that affect the construction of local access control policies, and generate policies that can meet security and functional requirements. (2) Consistency of policies, that is, how to integrate different local access control policies in the process of building service composition to construct a global access control policy that describes the security of service composition; (3) Security of policy execution Security, that is, how to ensure the security of sensitive information in the global access control policy itself, so that the sensitive information in the access control policy of the service provider participating in the collaborative service is not shared with untrustworthy service providers

Images