A service calling method and device, electronic equipment and machine readable storage medium

By deploying proxy services for critical services on public cloud platforms, synchronizing critical data assets, and having the proxy services handle call requests from untrusted environments, the problem of data assets being attacked in untrusted environments on public cloud platforms is solved, and the security protection of critical data assets is achieved.

CN116527316BActive Publication Date: 2026-07-14ALIBABA (CHINA) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
ALIBABA (CHINA) CO LTD
Filing Date
2023-03-24
Publication Date
2026-07-14

AI Technical Summary

Technical Problem

Public cloud platforms have security vulnerabilities when providing critical services to untrusted environments, which could lead to the leakage or tampering of critical data assets, and existing technologies are insufficient to effectively protect against them.

Method used

Deploy proxy services for critical services in trusted environments and synchronize critical data assets to the proxy services. The proxy services handle call requests from untrusted environments, avoiding direct access to critical services.

Benefits of technology

Effectively prevent user attacks in untrusted environments, protect the security of critical data assets, reduce security transformation costs, and maintain the stability of critical services.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116527316B_ABST
    Figure CN116527316B_ABST
Patent Text Reader

Abstract

One or more embodiments of the present specification provide a service calling method and device, electronic equipment and machine readable storage medium. The service calling method is applied to a public cloud platform in a trusted environment; the public cloud platform runs a key service provided for a user based on key data assets; the method comprises: deploying a proxy service for the key service on the public cloud platform, and synchronizing at least part of the key data assets in the key data assets to the proxy service; in response to a first calling request initiated by a user in a non-trusted environment for the key service, calling the proxy service to obtain a calling result corresponding to the first calling request; wherein the calling result is obtained by the proxy service based on the at least part of the key data assets stored by the proxy service; and returning the calling result to the user.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This specification relates to the field of cloud service technology, and more particularly to a service invocation method, apparatus, electronic device, and machine-readable storage medium. Background Technology

[0002] Public cloud service providers can typically offer critical services to users in trusted environments based on the critical data assets they maintain. A trusted environment refers to a physical environment controlled and managed by the public cloud service provider and can be considered a secure operating environment. Conversely, an untrusted environment refers to a physical environment not controlled and managed by the public cloud service provider and can be considered an insecure operating environment, potentially vulnerable to various attacks.

[0003] Because critical services are typically only provided to users in trusted environments, their security level is generally low, and they may lack security protection capabilities such as authentication, authorization, and encryption, or even have security vulnerabilities.

[0004] To expand the boundaries of distributed cloud, various public cloud service providers are currently offering dedicated public cloud services centered around the public cloud, using various product forms within customers' local data centers. However, customer local data centers are untrusted environments. If a public cloud platform provides critical services to users in an untrusted environment, and malicious users in that environment exploit the distributed cloud to attack the public cloud, it could lead to the leakage or tampering of critical data assets, severely impacting the security and production of the public cloud. Summary of the Invention

[0005] This application provides a service invocation method, which is applied to a public cloud platform in a trusted environment; the public cloud platform runs critical services provided to users based on critical data assets; the method includes:

[0006] Deploy proxy services for the critical services on the public cloud platform, and synchronize at least a portion of the critical data assets to the proxy services;

[0007] In response to a first call request initiated by a user in an untrusted environment for the critical service, the proxy service is invoked to obtain a call result corresponding to the first call request; wherein the call result is obtained by the proxy service based on the at least part of the critical data assets stored therein;

[0008] The result of the call is returned to the user.

[0009] This application also provides a service invocation apparatus, which is applied to a public cloud platform in a trusted environment; the public cloud platform runs critical services provided to users based on critical data assets; the apparatus includes:

[0010] A deployment unit is configured to deploy a proxy service for the critical service on the public cloud platform and synchronize at least a portion of the critical data assets to the proxy service.

[0011] The invocation unit is configured to respond to a first invocation request initiated by a user in an untrusted environment for the critical service, and invoke the proxy service to obtain a invocation result corresponding to the first invocation request; wherein the invocation result is obtained by the proxy service based on the at least part of the critical data assets stored therein;

[0012] The return unit is used to return the call result to the user.

[0013] This application also provides an electronic device, including a communication interface, a processor, a memory, and a bus, wherein the communication interface, the processor, and the memory are interconnected via the bus;

[0014] The memory stores machine-readable instructions, and the processor executes the above method by invoking the machine-readable instructions.

[0015] This application also provides a machine-readable storage medium storing machine-readable instructions, which, when called and executed by a processor, implement the above-described method.

[0016] Through the above embodiments, by deploying proxy services for critical services in a trusted environment, and having the proxy services provide services to users based on data copies of critical data assets (i.e., at least a portion of the critical data assets synchronized to the proxy services), it is possible to ensure that call requests initiated by users in untrusted environments for critical services terminate at the proxy services. This prevents call requests initiated by users in untrusted environments from reaching critical services, thus avoiding the threat of malicious users in untrusted environments attacking critical services and ensuring the security of critical data assets. Attached Figure Description

[0017] To more clearly illustrate the technical solutions of the embodiments in this specification, the drawings used in the description of the embodiments will be briefly introduced below. Obviously, the drawings described below are only some embodiments recorded in this specification. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0018] Figure 1 This is a schematic diagram of the architecture of a service invocation system, as illustrated in an exemplary embodiment.

[0019] Figure 2This is a schematic diagram illustrating the architecture of another service invocation system, as shown in an exemplary embodiment.

[0020] Figure 3 This is a schematic diagram illustrating the architecture of another service invocation system, as shown in an exemplary embodiment.

[0021] Figure 4 This is a flowchart illustrating a service invocation method as an exemplary embodiment;

[0022] Figure 5 This is a schematic diagram illustrating the architecture of another service invocation system, as shown in an exemplary embodiment.

[0023] Figure 6 This is a schematic diagram of the structure of an electronic device containing a service invocation device, as shown in an exemplary embodiment.

[0024] Figure 7 This is a block diagram illustrating a service invocation apparatus as an exemplary embodiment. Detailed Implementation

[0025] To enable those skilled in the art to better understand the technical solutions in this specification, the technical solutions in the embodiments of this specification will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this specification, and not all embodiments. Based on the embodiments in this specification, all other embodiments obtained by those skilled in the art without creative effort should fall within the scope of protection of this specification.

[0026] It should be noted that the steps of the corresponding methods are not necessarily performed in the order shown and described in this specification in other embodiments. In some other embodiments, the methods may include more or fewer steps than described in this specification. Furthermore, a single step described in this specification may be broken down into multiple steps in other embodiments; and multiple steps described in this specification may be combined into a single step in other embodiments.

[0027] Data assets are data resources, recorded electronically or physically, that are owned or controlled by individuals or businesses and that can generate future economic benefits.

[0028] In the field of cloud service technology, critical data assets can refer to data resources owned or controlled by the core applications of a public cloud. For example, critical data assets may include, but are not limited to, sensitive information such as core management service data, CMDB (Configuration Management Database) data, account data, and cloud service keys.

[0029] Public cloud service providers can offer critical services to users based on the critical data assets they maintain. These critical services refer to cloud services used to maintain critical data assets or to provide services to users based on those critical data assets.

[0030] For example, see Figure 1 , Figure 1 This is a schematic diagram illustrating the architecture of a service invocation system, as shown in an exemplary embodiment. Figure 1 As shown, critical services can be deployed on a public cloud platform in a trusted environment; users in the trusted environment can initiate access requests for critical services deployed on the public cloud platform to perform data read and write operations on the critical data assets maintained by the critical services.

[0031] The trusted environment can refer to the physical environment controlled and managed by the public cloud service provider, and can be considered a secure operating environment. Conversely, the untrusted environment can refer to the physical environment not controlled and managed by the public cloud service provider, and can be considered an insecure operating environment, potentially facing various attacks; for example, for a public cloud service provider, a data center controlled and managed by a cloud service customer or operator is considered an untrusted environment.

[0032] It should be noted that since critical services are usually only provided to users in trusted environments, their security level is generally low, and they may lack security protection capabilities such as authentication, authorization, and encryption, or even have security vulnerabilities.

[0033] To expand the boundaries of distributed cloud, various public cloud service providers are currently offering dedicated public cloud services centered around the public cloud, through various product forms, in customers' local data centers. For example, through a public cloud localization deployment service, public cloud service providers can provide users with a product experience consistent with the public cloud, meeting customers' needs for local data deployment, local processing of massive amounts of data, and low service latency. Another example is that public cloud service providers can deploy public cloud computing, storage, and network hardware to customers' designated data centers, building IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service) on top of the hardware infrastructure according to the public cloud technology stack. Users obtain a product experience consistent with the public cloud, meeting enterprise users' requirements for dedicated infrastructure, dedicated hardware isolation, on-site computing scenarios, and security and privacy.

[0034] However, the customer's local data center is an untrusted environment. If the public cloud platform provides critical services to users in an untrusted environment, and malicious users in the untrusted environment use the distributed cloud to attack the public cloud, it may lead to the leakage or tampering of critical data assets, which will have a serious negative impact on the secure production of the public cloud.

[0035] For example, see Figure 2 , Figure 2 This is a schematic diagram illustrating the architecture of another service invocation system, as shown in an exemplary embodiment. Figure 2 As shown, users in an untrusted environment can initiate access requests to critical services deployed on a public cloud platform to perform data read and write operations on the critical data assets maintained by the critical services. At the same time, malicious users in an untrusted environment can also attack critical services through forgery, deception, impersonation, tampering, unauthorized access, and DoS attacks (Denial of Service attacks), resulting in the leakage or tampering of the critical data assets maintained by the critical services.

[0036] In related technologies, a web firewall can typically be added to the access path between the public cloud platform and the customer data center to enable capabilities such as encrypted data transmission and ACL (Access Control List) filtering.

[0037] For example, see Figure 3 , Figure 3 This is a schematic diagram illustrating the architecture of another service invocation system, as shown in an exemplary embodiment. Figure 3As shown, access requests from untrusted environments must first pass through the web firewall, which can filter out access requests initiated by malicious users based on pre-configured ACLs.

[0038] Therefore, in the embodiments shown above, once the Web firewall has a configuration vulnerability, or a critical service has a zero-day vulnerability that can be exploited, access requests initiated by malicious users in the untrusted environment will still reach the critical service, resulting in attacks on the critical service and leakage or tampering of critical data assets.

[0039] In view of this, this specification aims to propose a security protection mechanism that enables a public cloud platform in a trusted environment to provide critical services to users in an untrusted environment, thereby ensuring the security of critical data assets.

[0040] In implementation, a key service based on critical data assets runs on a public cloud platform in a trusted environment; the public cloud platform can deploy a proxy service for the key service in the trusted environment and can synchronize at least a portion of the critical data assets to the proxy service; further, in response to a first call request initiated by a user in an untrusted environment for the key service, the public cloud platform can call the proxy service to obtain a call result corresponding to the first call request, wherein the call result is obtained by the proxy service based on the at least a portion of the critical data assets stored therein; further, the public cloud platform can return the call result to the user.

[0041] Therefore, in the technical solution described in this specification, by deploying a proxy service for critical services in a trusted environment, and having the proxy service provide services to users based on data copies of critical data assets (i.e., at least a portion of the critical data assets synchronized to the proxy service), it is possible to ensure that calls initiated by users in untrusted environments for critical services terminate at the proxy service. This prevents calls initiated by users in untrusted environments for critical services from reaching the critical services, thus avoiding the threat of malicious users in untrusted environments attacking critical services and ensuring the security of critical data assets.

[0042] The present application will now be described through specific embodiments and in conjunction with specific application scenarios.

[0043] Please see Figure 4 , Figure 4 This is a flowchart illustrating a service invocation method as an exemplary embodiment. The service invocation method can be applied to a public cloud platform in a trusted environment; the public cloud platform can run critical services provided to users based on key data assets. For example... Figure 4 As shown, the service invocation method can perform the following steps:

[0044] Step 402: Deploy a proxy service for critical services on a public cloud platform and synchronize at least a portion of the critical data assets to the proxy service.

[0045] For example, a critical service Server_A can run on a public cloud platform in a trusted environment, and the critical service Server_A stores critical data assets DATA; a proxy service ProxyServer_A can be deployed for the critical service Server_A on the public cloud platform; a subset of the critical data assets DATA, data, can also be synchronized to the proxy service ProxyServer_A, that is, the proxy service ProxyServer_A can store a data copy of the subset data.

[0046] It should be noted that in step 402, the data flow between the critical service and the proxy service is unidirectional, from the former to the latter; and the proxy service cannot call the interface of the critical service, thereby ensuring that external users' access to the critical service can terminate at the proxy service and cannot reach the critical service.

[0047] In step 402, the key service can be configured with a proxy service for multiple untrusted environments, or a separate proxy service can be configured for each untrusted environment.

[0048] In one embodiment shown, since users in different untrusted environments may distrust each other, it is necessary not only to prevent malicious users in untrusted environments from launching attacks on critical data assets stored in critical services, but also to prevent malicious users in untrusted environments from launching attacks on at least some of the critical data assets stored in proxy services, so as to ensure that at least some of the data assets accessed by users in each untrusted environment are isolated from each other.

[0049] In this context, deploying proxy services for the critical services on the public cloud platform may specifically include: deploying various proxy services on the public cloud platform, each corresponding to a different untrusted environment; wherein the various proxy services are isolated from each other.

[0050] For example, see Figure 5 , Figure 5 This is a schematic diagram illustrating the architecture of another service invocation system, as shown in an exemplary embodiment. Figure 5As described above, user ServerClient_A1 is located in untrusted environment 1, and user ServerClient_A2 is located in untrusted environment 2. Corresponding proxy services ProxyServer_A1 and ProxyServer_A2 can be deployed for untrusted environment 1 and untrusted environment 2 respectively. The critical data assets data1 and data2 can be synchronized to the proxy services ProxyServer_A1 and ProxyServer_A2 respectively. Both critical data assets data1 and data2 are subsets of critical data asset DATA.

[0051] Since the proxy services ProxyServer_A1 and ProxyServer_A2 are isolated from each other, the data copy of the critical data asset data1 accessed by user ServerClient_A1 is also isolated from and invisible to the data copy of the critical data asset data2 accessed by user ServerClient_A2.

[0052] It should be noted that, in the embodiments shown above, the subsets of key data assets synchronized by the key services to different proxy services can be the same or different.

[0053] In one embodiment, the subsets of key data assets synchronized by the key services to different proxy services may be determined separately based on the service domains of each untrusted environment and may be different from each other. In this case, synchronizing at least a portion of the key data assets to the proxy services may specifically include: determining at least a portion of the key data assets corresponding to the service domains of each untrusted environment from the key data assets; and synchronizing the at least a portion of the key data assets corresponding to the service domains of each untrusted environment to the respective proxy services.

[0054] For example, critical data assets DATA can contain subsets corresponding to different service domains. During the deployment of proxy service ProxyServer_A1 for critical service Server_A in untrusted environment 1, based on the service domain of untrusted environment 1 (or the service domain registered by user ServerClient_A1), a subset data1 corresponding to the service domain of untrusted environment 1 can be determined from the critical data assets DATA, and this subset data1 can be synchronized to proxy service ProxyServer_A1. Similarly, based on the service domain of untrusted environment 2, a subset data2 corresponding to the service domain of untrusted environment 2 can be determined from the critical data assets DATA, and this subset data2 can be synchronized to proxy service ProxyServer_A2. The service domains of each untrusted environment can be divided according to geographical location, such as North China, East China, South China, etc., or according to other standards; this specification does not impose any particular restrictions on this.

[0055] It should be noted that in the above-described embodiments, by configuring different proxy services for different untrusted environments and determining the data subsets that need to be synchronized to each proxy service, it is beneficial to control the scope of data that may be leaked or tampered with.

[0056] In some possible embodiments, the configuration data on which the public cloud local deployment services in each untrusted environment depend can be identified as at least a portion of the key data assets that need to be synchronized to each agent service, taking into account the actual needs of users in each untrusted environment, thereby further controlling the scope of data that may be leaked or tampered with.

[0057] It should be noted that this specification does not limit the specific form of the proxy service in step 402. For example, a fully managed microservice platform can be used to deploy separate proxy service instances for each untrusted environment.

[0058] Step 404: In response to a first call request initiated by a user in an untrusted environment for the critical service, invoke the proxy service to obtain a call result corresponding to the first call request; wherein the call result is obtained by the proxy service based on the at least part of the critical data assets stored therein.

[0059] For example, after deploying a proxy service ProxyServer_A for a critical service Server_A on a public cloud platform and synchronizing a subset of critical data assets DATA to the proxy service ProxyServer_A, in response to the first call request initiated by user ServerClient_A in an untrusted environment for the critical service Server_A, the proxy service ProxyServer_A can be invoked so that the proxy service ProxyServer_A can obtain the call result corresponding to the first call request based on the data copy of the subset of critical data assets DATA stored in it.

[0060] Therefore, in the technical solution of this specification, by deploying a proxy service for the critical service, the critical service can be prevented from being directly exposed to an untrusted environment. Furthermore, the proxy service and the critical service are isolated from each other. Even if the proxy service is attacked, it will not affect the stability of the critical service. At the same time, only a subset of copies stored by the proxy service may be leaked or tampered with, which can effectively control the scope of damage when critical data assets are attacked.

[0061] In step 404, the public cloud platform may store a first correspondence between the domain names of the critical services and the IP (Internet Protocol) addresses of the critical services. For example, the domain name of the critical service Server_A is domain_A, and the IP address of the critical service Server_A is IP_A; please refer to Table 1, which is an exemplary embodiment illustrating a domain name resolution table.

[0062]

[0063] The public cloud platform can maintain the first correspondence based on the domain name resolution table shown in Table 1.

[0064] In related technologies, in response to a call request initiated by a user in an untrusted environment for the critical service, the public cloud platform can determine the IP address of the critical service corresponding to the domain name of the critical service carried in the call request based on the first correspondence, and can return the IP address of the critical service to the user so that the user can redirect the call request to the critical service based on the IP address of the critical service, thereby enabling the critical service to provide services to the user based on its stored critical data assets.

[0065] In one embodiment shown, in order to reduce the intrusiveness of the security transformation process to critical services and users, reduce the cost of security transformation, and avoid affecting the normal operation of critical services, domain hijacking can be used to redirect call requests originally intended for critical services to proxy services deployed for critical services.

[0066] In this case, the method may further include: updating the first correspondence to a second correspondence between the domain name of the key service and the IP address of the proxy service based on the IP address of the proxy service.

[0067] Accordingly, the step of responding to a first call request initiated by a user in an untrusted environment for the critical service, and invoking the proxy service to obtain a call result corresponding to the first call request, may specifically include: responding to a first call request initiated by a user in an untrusted environment for the critical service, determining the IP address of the proxy service corresponding to the domain name of the critical service carried in the first call request according to the second correspondence; returning the determined IP address of the proxy service to the user; receiving a second call request initiated by the user for the proxy service based on the IP address of the proxy service; responding to the second call request, invoking the proxy service to obtain a call result corresponding to the second call request, and using the call result corresponding to the second call request as the call result corresponding to the first call request.

[0068] For example, if a proxy service is deployed for a critical service, after deploying the proxy service ProxyServer_A for the critical service Server_A, the IP address of the critical service Server_A in the domain name resolution table can be updated to the IP address of the proxy service ProxyServer_A. In response to a first call request initiated by user ServerClient_A in untrusted environment 1 for the critical service Server_A, the IP address of the proxy service corresponding to the domain name domain_A of the critical service carried in the first call request can be determined based on the updated domain name resolution table, and the determined IP address of the proxy service can be returned to user ServerClient_A. Furthermore, a second call request initiated by user ServerClient_A for the proxy service ProxyServer_A can be received. In response to the second call request, the proxy service ProxyServer_A can be invoked to obtain the call result corresponding to the second call request based on its stored subset data, and the call result corresponding to the second call request can be used as the call result corresponding to the first call request.

[0069] In another embodiment shown, proxy services corresponding to each untrusted environment are deployed on the public cloud platform; the public cloud platform also stores a third correspondence between the IP addresses of the proxy services and the service domain identifiers of the untrusted environments. In this case, before returning the determined IP address of the proxy service to the user, the method further includes: determining, based on the third correspondence, the IP address of the proxy service corresponding to the service domain identifier of the untrusted environment carried in the first invocation request from the IP addresses of the various proxy services.

[0070] For example, the IP address of proxy server ProxyServer_A1 is IP_A1, and the IP address of proxy server ProxyServer_A2 is IP_A2; the service domain identifier of untrusted environment 1 is region1, and the service domain identifier of untrusted environment 2 is region2; after deploying proxy server ProxyServer_A1 and proxy server ProxyServer_A2 for the critical service Server_A respectively, please refer to Table 2, which is an exemplary embodiment illustrating an updated domain name resolution table.

[0071]

[0072] The public cloud platform can maintain the second and third correspondences based on the updated domain name resolution table shown in Table 2. In response to a first call request initiated by user ServerClient_A1 in untrusted environment 1 for the critical service Server_A, the updated domain name resolution table determines the IP address of the proxy service corresponding to the domain name domain_A and service domain identifier region1 of the critical service carried in the first call request as ProxyServer_A1, and returns the determined IP address ProxyServer_A1 to user ServerClient_A1. Furthermore, it can receive a second call request initiated by user ServerClient_A1 for the proxy service ProxyServer_A1. In response to the second call request, the proxy service ProxyServer_A1 can obtain the call result corresponding to the second call request based on its stored subset data1, and the call result corresponding to the second call request can be used as the call result corresponding to the first call request.

[0073] In some possible embodiments, the domain name resolution service (such as...) Figure 5 The DNS server shown can be deployed in a trusted environment to ensure mutual trust between the domain name resolution service and critical services.

[0074] It should be noted that in the above-described implementation, by hijacking the domain name and pointing the domain name resolution address to the proxy service configured for the critical service, only the proxy service is exposed to the untrusted environment, without exposing the critical service itself to the untrusted environment. Furthermore, for users in the untrusted environment, after adopting the above security mechanism, there is no need to change the configuration; they can still initiate call requests for the critical service.

[0075] Step 406: Return the call result to the user.

[0076] For example, after obtaining a data copy of the subset of key data asset DATA stored by the proxy service ProxyServer_A, and obtaining the call result corresponding to the first call request, the call result can be returned to the user ServerClient_A in the untrusted environment.

[0077] In one embodiment shown, the critical service may specifically be a data access service; the first invocation request may be used to request read or write operations on critical data assets stored in the data access service. To further ensure the security of critical data assets and prevent tampering with critical data assets or subset copies of critical data assets, a read-write separation architecture may be adopted to provide services to users in untrusted environments in read-only mode.

[0078] In this scenario, responding to a first call request initiated by a user in an untrusted environment for the critical service, and invoking the proxy service to obtain a call result corresponding to the first call request, may specifically include: if the first call request is for a read operation on critical data assets stored in the data access service, then the proxy service is invoked to perform a read operation on at least a portion of the critical data assets stored in the proxy service, obtaining a call result corresponding to the first call request; if the first call request is for a write operation on critical data assets stored in the data access service, then the first call request is rejected.

[0079] For example, if the first call request initiated by user ServerClient_A1 in untrusted environment 1 is to request a read operation on the critical data asset DATA stored in the critical service Server_A, then the proxy service ProxyServer_A1 deployed for untrusted environment 1 can be invoked to perform a read operation on the subset data1 stored in the proxy service ProxyServer_A1, and the call result corresponding to the first call request can be obtained.

[0080] For example, if the first call request initiated by user ServerClient_A1 in untrusted environment 1 is to request a write operation on the critical data asset DATA stored in the critical service Server_A, the first call request can be discarded directly, or a rejection response corresponding to the first call request can be returned to user ServerClient_A1 in untrusted environment 1.

[0081] In one embodiment shown, the proxy service deployed for the critical service can also provide the critical service to users in the trusted environment. In this case, the method may further include: in response to a third call request initiated by a user in the trusted environment for the critical service, invoking the proxy service to obtain a call result corresponding to the third call request; wherein the call result is obtained by the proxy service based on the at least part of the critical data assets stored therein.

[0082] In some possible embodiments, the key service may specifically be a data access service; the third invocation request may be used to request a read or write operation on key data assets stored in the data access service. The invocation of the proxy service to obtain a result corresponding to the third invocation request may specifically include: if the third invocation request is used to request a read operation on key data assets stored in the data access service, then the proxy service is invoked to perform a read operation on at least a portion of the key data assets stored in the proxy service, obtaining a result corresponding to the third invocation request; if the third invocation request is used to request a write operation on key data assets stored in the data access service, then the proxy service is invoked to perform a write operation on at least a portion of the key data assets stored in the proxy service, obtaining a result corresponding to the third invocation request.

[0083] In this specification, users in a trusted environment can also directly invoke the critical services to perform read and write operations on the critical data assets stored in the critical services; this specification does not limit this.

[0084] It should be noted that, in the embodiments shown above, the proxy service provides services to users in the trusted environment, which, compared to the implementation method where the key service provides services to users in the trusted environment, can further ensure the security and stability of the key data assets.

[0085] In addition, while ensuring compatibility, the proxy service can further enhance security, such as by introducing four-layer ACL control and seven-layer HTTP WAF security capabilities, which are not limited in this specification.

[0086] As can be seen from the above technical solutions, by deploying proxy services for critical services in a trusted environment, and having the proxy services provide services to users based on data copies of critical data assets (i.e., at least a portion of the critical data assets synchronized to the proxy services), it is possible to ensure that calls initiated by users in untrusted environments for critical services terminate at the proxy services. This prevents calls initiated by users in untrusted environments for critical services from reaching the critical services, thus avoiding the threat of malicious users in untrusted environments attacking critical services and ensuring the security of critical data assets.

[0087] Corresponding to the embodiments of the service invocation method described herein, this specification also provides an embodiment of a service invocation system and an embodiment of a service invocation device.

[0088] Please see Figure 6 , Figure 6 This is an exemplary embodiment illustrating the hardware structure of an electronic device housing a service invocation device. At the hardware level, the device includes a processor 602, an internal bus 604, a network interface 606, memory 608, and non-volatile memory 610, and may also include other necessary hardware. One or more embodiments of this specification can be implemented in software, for example, the processor 602 reads the corresponding computer program from the non-volatile memory 610 into memory 608 and then runs it. Of course, besides software implementation, one or more embodiments of this specification do not exclude other implementation methods, such as logic devices or a combination of hardware and software, etc. That is to say, the execution entity of the following processing flow is not limited to individual logic units, but can also be hardware or logic devices.

[0089] Please see Figure 7 , Figure 7 This is a block diagram illustrating a service invocation apparatus as an exemplary embodiment. This service invocation apparatus can be applied to, for example... Figure 6 The illustrated electronic device is used to implement the technical solution of this specification. The device is applied to a public cloud platform in a trusted environment; the public cloud platform runs critical services provided to users based on critical data assets; the device includes:

[0090] Deployment unit 702 is used to deploy proxy services for the critical services on the public cloud platform and synchronize at least a portion of the critical data assets to the proxy services.

[0091] Invocation unit 704 is configured to respond to a first invocation request initiated by a user in an untrusted environment for the critical service, and invoke the proxy service to obtain a invocation result corresponding to the first invocation request; wherein the invocation result is obtained by the proxy service based on the at least part of the critical data assets stored therein;

[0092] The return unit 706 is used to return the call result to the user.

[0093] In this embodiment, the deployment unit 702 is specifically used for:

[0094] Each proxy service corresponding to a different untrusted environment is deployed on the public cloud platform; wherein, the proxy services are isolated from each other.

[0095] In this embodiment, the deployment unit 702 is specifically used for:

[0096] Based on the service domain of each untrusted environment, at least a portion of the key data assets corresponding to the service domain of each untrusted environment are determined from the key data assets.

[0097] At least a portion of the critical data assets corresponding to the service domains of each untrusted environment will be synchronized to each proxy service.

[0098] In this embodiment, the public cloud platform stores a first correspondence between the domain names of the key services and the IP addresses of the key services;

[0099] The device further includes:

[0100] The update unit is configured to update the first correspondence relationship to a second correspondence relationship between the domain name of the key service and the IP address of the proxy service based on the IP address of the proxy service.

[0101] The calling unit 704 is specifically used for:

[0102] In response to a first call request initiated by a user in an untrusted environment for the critical service, the IP address of the proxy service corresponding to the domain name of the critical service carried in the first call request is determined according to the second correspondence.

[0103] The IP address of the determined proxy service is returned to the user;

[0104] Receive a second call request initiated by the user against the proxy service based on the IP address of the proxy service;

[0105] In response to the second call request, the proxy service is invoked to obtain the call result corresponding to the second call request, and the call result corresponding to the second call request is used as the call result corresponding to the first call request.

[0106] In this embodiment, each proxy service corresponding to each untrusted environment is deployed on the public cloud platform; the public cloud platform also stores a third correspondence between the IP addresses of the proxy services and the service domain identifiers of the untrusted environments.

[0107] The calling unit 704 is further configured to:

[0108] Based on the third correspondence, the IP address of the proxy service corresponding to the service domain identifier of the untrusted environment carried in the first call request is determined from the IP addresses of each proxy service.

[0109] In this embodiment, the key service is a data access service; the first invocation request is used to request a read or write operation on the key data assets stored in the data access service.

[0110] The calling unit 704 is specifically used for:

[0111] If the first call request is used to request a read operation on the key data assets stored in the data access service, then the proxy service is invoked to perform a read operation on at least a portion of the key data assets stored in the proxy service, and a call result corresponding to the first call request is obtained.

[0112] If the first call request is for a write operation on critical data assets stored in the data access service, then the first call request is rejected.

[0113] In this embodiment, the calling unit 704 is further configured to:

[0114] In response to a third call request initiated by a user in the trusted environment for the data access service, if the third call request is for requesting a read operation on key data assets stored in the data access service, then the proxy service is invoked to perform a read operation on at least a portion of the key data assets stored in the proxy service, and a call result corresponding to the third call request is obtained.

[0115] If the third call request is used to request a write operation on the critical data assets stored in the data access service, then the proxy service is invoked to perform a write operation on at least a portion of the critical data assets stored in the proxy service, and a call result corresponding to the third call request is obtained.

[0116] The specific implementation process of the functions and roles of each unit in the above device can be found in the implementation process of the corresponding steps in the above method, and will not be repeated here.

[0117] For the device embodiments, since they basically correspond to the method embodiments, the relevant parts can be referred to in the description of the method embodiments. The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate, and the components shown as units may or may not be physical units, that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of the solution in this specification according to actual needs. Those skilled in the art can understand and implement this without creative effort.

[0118] The systems, devices, modules, or units described in the above embodiments can be implemented by computer chips or entities, or by products with certain functions. A typical implementation device is a computer, which can take the form of a personal computer, laptop computer, cellular phone, camera phone, smartphone, personal digital assistant, media player, navigation device, email sending and receiving device, game console, tablet computer, wearable device, or any combination of these devices.

[0119] In a typical configuration, a computer includes one or more processors (CPU), input / output interfaces, network interfaces, and memory.

[0120] Memory may include non-persistent storage in computer-readable media, such as random access memory (RAM) and / or non-volatile memory, such as read-only memory (ROM) or flash RAM. Memory is an example of computer-readable media.

[0121] Computer-readable media, including both permanent and non-permanent, removable and non-removable media, can store information using any method or technology. Information can be computer-readable instructions, data structures, modules of programs, or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technologies, CD-ROM, digital versatile optical disc (DVD) or other optical storage, magnetic tape, disk storage, quantum memory, graphene-based storage media or other magnetic storage devices, or any other non-transferable medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media does not include transient computer-readable media, such as modulated data signals and carrier waves.

[0122] The user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data used for analysis, data stored, data displayed, etc.) involved in this application are all information and data authorized by the user or fully authorized by all parties. Furthermore, the collection, use and processing of the relevant data must comply with the relevant laws, regulations and standards of the relevant countries and regions, and corresponding operation entry points are provided for users to choose to authorize or refuse.

[0123] It should also be noted that the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes said element.

[0124] The foregoing has described specific embodiments of this specification. Other embodiments are within the scope of the appended claims. In some cases, the actions or steps recited in the claims may be performed in a different order than that shown in the embodiments and may still achieve the desired result. Furthermore, the processes depicted in the drawings do not necessarily require the specific or sequential order shown to achieve the desired result. In some embodiments, multitasking and parallel processing are possible or may be advantageous.

[0125] The terminology used in one or more embodiments of this specification is for the purpose of describing particular embodiments only and is not intended to limit the scope of one or more embodiments of this specification. The singular forms “a,” “described,” and “the” as used in one or more embodiments of this specification and the appended claims are also intended to include the plural forms unless the context clearly indicates otherwise. It should also be understood that the term “and / or” as used herein refers to and includes any or all possible combinations of one or more associated listed items.

[0126] It should be understood that although the terms first, second, third, etc., may be used to describe various information in one or more embodiments of this specification, such information should not be limited to these terms. These terms are only used to distinguish information of the same type from one another. For example, first information may also be referred to as second information without departing from the scope of one or more embodiments of this specification, and similarly, second information may also be referred to as first information. Depending on the context, the word "if" as used herein may be interpreted as "when," "in response to a determination," or "when," or "in the event of a determination."

[0127] The above description is merely a preferred embodiment of one or more embodiments of this specification and is not intended to limit the scope of one or more embodiments of this specification. Any modifications, equivalent substitutions, improvements, etc., made within the spirit and principles of one or more embodiments of this specification should be included within the protection scope of one or more embodiments of this specification.

Claims

1. A service invocation method, said method being applied to a public cloud platform in a trusted environment; The public cloud platform runs key services provided to users based on critical data assets; the method includes: Deploy a proxy service for the critical service on the public cloud platform, and synchronize at least a portion of the critical data assets to the proxy service. The data flow between the critical service and the proxy service is unidirectional from the former to the latter, and the proxy service cannot call the interface of the critical service. In response to a first call request initiated by a user in an untrusted environment for the critical service, the proxy service is invoked to obtain a call result corresponding to the first call request; wherein, the call result is obtained by the proxy service based on the at least part of the critical data assets stored therein; the first call request terminates at the proxy service and does not reach the critical service; The result of the call is returned to the user.

2. The method according to claim 1, wherein deploying the proxy service for the critical service on the public cloud platform comprises: Each proxy service corresponding to a different untrusted environment is deployed on the public cloud platform; wherein, the proxy services are isolated from each other.

3. The method according to claim 2, wherein synchronizing at least a portion of the key data assets in the key data assets to the proxy service comprises: Based on the service domain of each untrusted environment, at least a portion of the key data assets corresponding to the service domain of each untrusted environment are determined from the key data assets. At least a portion of the critical data assets corresponding to the service domains of each untrusted environment will be synchronized to each proxy service.

4. The method according to claim 1, wherein the public cloud platform stores a first correspondence between the domain names of the key services and the IP addresses of the key services; The method further includes: Based on the IP address of the proxy service, the first correspondence is updated to a second correspondence between the domain name of the key service and the IP address of the proxy service; The response to a first call request initiated by a user in an untrusted environment for the critical service, invoking the proxy service to obtain a call result corresponding to the first call request, includes: In response to a first call request initiated by a user in an untrusted environment for the critical service, the IP address of the proxy service corresponding to the domain name of the critical service carried in the first call request is determined according to the second correspondence. The IP address of the determined proxy service is returned to the user; Receive a second call request initiated by the user against the proxy service based on the IP address of the proxy service; In response to the second call request, the proxy service is invoked to obtain the call result corresponding to the second call request, and the call result corresponding to the second call request is used as the call result corresponding to the first call request.

5. The method according to claim 4, wherein each proxy service corresponding to each untrusted environment is deployed on the public cloud platform; the public cloud platform also stores a third correspondence between the IP address of the proxy service and the service domain identifier of the untrusted environment; Before returning the determined IP address of the proxy service to the user, the method further includes: Based on the third correspondence, the IP address of the proxy service corresponding to the service domain identifier of the untrusted environment carried in the first call request is determined from the IP addresses of each proxy service.

6. The method according to claim 1, wherein the key service is a data access service; the first invocation request is used to request a read operation or a write operation on the key data assets stored in the data access service; The response to a first call request initiated by a user in an untrusted environment for the critical service, invoking the proxy service to obtain a call result corresponding to the first call request, includes: If the first call request is used to request a read operation on the key data assets stored in the data access service, then the proxy service is invoked to perform a read operation on at least a portion of the key data assets stored in the proxy service, and a call result corresponding to the first call request is obtained. If the first call request is for a write operation on critical data assets stored in the data access service, then the first call request is rejected.

7. The method according to claim 6, further comprising: In response to a third call request initiated by a user in the trusted environment for the data access service, if the third call request is for requesting a read operation on key data assets stored in the data access service, then the proxy service is invoked to perform a read operation on at least a portion of the key data assets stored in the proxy service, and a call result corresponding to the third call request is obtained. If the third call request is used to request a write operation on the critical data assets stored in the data access service, then the proxy service is invoked to perform a write operation on at least a portion of the critical data assets stored in the proxy service, and a call result corresponding to the third call request is obtained.

8. A service invocation apparatus, said apparatus being applied to a public cloud platform in a trusted environment; The public cloud platform operates key services provided to users based on critical data assets; the device includes: The deployment unit is used to deploy a proxy service for the critical service on the public cloud platform and synchronize at least a portion of the critical data assets in the critical data assets to the proxy service. The critical service and the proxy service have a one-way data flow from the former to the latter, and the proxy service cannot call the interface of the critical service. The invocation unit is configured to respond to a first invocation request initiated by a user in an untrusted environment for the critical service, and invoke the proxy service to obtain a invocation result corresponding to the first invocation request; wherein the invocation result is obtained by the proxy service based on the at least part of the critical data assets stored therein; the first invocation request terminates at the proxy service and does not reach the critical service; The return unit is used to return the call result to the user.

9. An electronic device, comprising a communication interface, a processor, a memory, and a bus, wherein the communication interface, the processor, and the memory are interconnected via the bus; The memory stores machine-readable instructions, and the processor executes the method according to any one of claims 1-7 by invoking the machine-readable instructions.

10. A machine-readable storage medium storing machine-readable instructions that, when invoked and executed by a processor, implement the method of any one of claims 1-7.