Cloud security service implementation system and cloud security service implementation method
Technical field
The present invention relates to the field of communication technology, and in particular to a cloud security service implementation system and a cloud security service implementation method.
Background art
Cloud security promotes the delivery of information security technology as an on-demand service and is a new form of making full use of information security technology and security data resources. As an innovative application model in the field of information security technology, cloud security has attracted wide international and domestic attention since the concept was born; in recent years it has been regarded as the core of the transformation of next-generation information security technology and business models, and it has broad market prospects. Almost all mainstream security enterprises have entered the cloud security field, each approaching it from its own traditional security technology area and market strategy.
Cloud computing is a delivery and usage model for IT infrastructure and for information services, and at the same time a new Internet-based computing paradigm for sharing information resources. It supplies and manages scalable, elastic, shared pools of physical and virtual resources in a self-service, on-demand manner and provides network access to them. One characteristic of cloud computing is precisely that related resources are pooled and then provided as a service on demand. In the traditional sense these resources are computing, storage and network resources, but with the development of information technology and the demands of tenants, security resources are equally poolable. Precisely because the pooled resources are shared, a cloud computing tenant faces not only traditional information security risks but also the incremental risks introduced by cloud computing technology; how to eliminate or avoid these security risks to the greatest extent has become the biggest obstacle to the adoption of cloud computing projects.
Cloud computing tenants generally wish to apply for and use security services as flexibly, self-service and on demand as they use computing, storage and network services: both to address the incremental risks that cloud computing technology introduces between tenants in a cloud environment (network isolation, data protection, access control and so on), and to use conventional security services such as VPN, IDS and UTM on demand to address traditional information security risks, protecting the security of the tenant's information systems and data to the greatest extent while greatly reducing cost.
Based on the above characteristics of cloud computing, and combining conventional information security technologies or security products, it becomes possible to provide tenants with self-service cloud security services in a software-defined manner under a cloud computing environment.
Summary of the invention
The present invention provides a cloud security service implementation system and a cloud security service implementation method that provide tenants with secure, independent, self-service cloud security services in a cloud computing environment.
To achieve the above object, the present invention provides a cloud security service implementation system, comprising:
a self-service portal, for generating a corresponding security service resource request list according to the tenant's selection and sending the security service resource request list to a cloud security service middleware, the security service resource request list recording each security service resource the tenant requests to rent;
the cloud security service middleware, for detecting, according to the received security service resource request list, whether a security service resource pool contains all of the security service resources recorded in the security service resource request list, and, when it detects that the security service resource pool contains all of the security service resources recorded in the security service resource request list, generating a corresponding instantiation instruction according to the security service resource request list and sending the instantiation instruction to a cloud security service container;
the cloud security service container, for instantiating, according to the received instantiation instruction, each security service resource in the security service resource pool that is recorded in the security service resource request list, and encapsulating each instantiated security service resource in an independent sub-container of the cloud security service container, the independent sub-container providing a running environment for each security service resource, so that the security service resources in the independent sub-container provide the tenant with an isolated cloud security service.
Optionally, the cloud security service middleware is further used to orchestrate each security service resource in the independent sub-container according to a preset arrangement rule before the security service resources in the independent sub-container provide the tenant with the isolated cloud security service.
Optionally, the system further comprises:
a cloud security service controller, for obtaining the topology of the virtual network in which the tenant resides and generating, according to the topology, a routed path from the tenant to the cloud security service container, so that the pending data sent by the tenant is first drawn to the cloud security service middleware before entering the independent sub-container;
the cloud security service middleware is further used to calculate the network traffic corresponding to the pending data.
Optionally, the cloud security service controller is an SDN controller.
To achieve the above object, the present invention also provides a cloud security service implementation method, comprising:
a self-service portal generates a corresponding security service resource request list according to the tenant's selection and sends the security service resource request list to a cloud security service middleware, the security service resource request list recording each security service resource the tenant requests to rent;
the cloud security service middleware detects, according to the received security service resource request list, whether a security service resource pool contains all of the security service resources recorded in the security service resource request list;
when it detects that the security service resource pool contains all of the security service resources recorded in the security service resource request list, the cloud security service middleware generates a corresponding instantiation instruction according to the security service resource request list and sends the instantiation instruction to a cloud security service container;
the cloud security service container instantiates, according to the received instantiation instruction, each security service resource in the security service resource pool that is recorded in the security service resource request list, and encapsulates each instantiated security service resource in an independent sub-container of the cloud security service container, the independent sub-container providing a running environment for each security service resource;
the security service resources in the independent sub-container provide the tenant with an isolated cloud security service.
Optionally, before the step in which the security service resources in the independent sub-container provide the tenant with the cloud security service, the method further comprises:
the cloud security service middleware orchestrates each security service resource in the independent sub-container according to a preset arrangement rule.
Optionally, after it is detected that the security service resource pool contains all of the security service resources recorded in the security service resource request list, the method further comprises:
a cloud security service controller obtains the topology of the virtual network in which the tenant resides and generates, according to the topology, a routed path from the tenant to the cloud security service container, so that the pending data sent by the tenant is first drawn to the cloud security service middleware before entering the independent sub-container;
and while the security service resources in the independent sub-container provide the tenant with the isolated cloud security service, the method further comprises:
the cloud security service middleware calculates the network traffic corresponding to the pending data.
Optionally, the cloud security service controller is an SDN controller.
The present invention has the following beneficial effects:
The present invention provides a cloud security service implementation system and a cloud security service implementation method. The technical solution pools security service resources using resource pool technology and, using container technology, provides the cloud security service requested by each tenant in a running environment that is isolated from and inaccessible to other tenants, thereby providing tenants with secure, independent, self-service cloud security services in a cloud computing environment.
Brief description of the drawings
Fig. 1 is a schematic structural diagram of a cloud security service implementation system provided by embodiment one of the present invention;
Fig. 2 is a flow chart of a cloud security service implementation method provided by embodiment two of the present invention;
Fig. 3 is a flow chart of a cloud security service implementation method provided by embodiment three of the present invention.
Detailed description of the embodiments
To enable those skilled in the art to better understand the technical solution of the present invention, the cloud security service implementation system and the cloud security service implementation method provided by the present invention are described in detail below with reference to the accompanying drawings.
Embodiment one
Fig. 1 is a schematic structural diagram of a cloud security service implementation system provided by embodiment one of the present invention. As shown in Fig. 1, the cloud security service implementation system comprises: a self-service portal 1, a cloud security service middleware 2, a security service resource pool 3 (ResourcesPool) and a cloud security service container 4 (Container).
The self-service portal 1 generates a corresponding security service resource request list according to the tenant's selection and sends the security service resource request list to the cloud security service middleware 2; the security service resource request list records each security service resource the tenant requests to rent.
The cloud security service middleware 2 detects, according to the received security service resource request list, whether the security service resource pool 3 contains all of the security service resources recorded in the list, and, when it detects that the pool 3 contains all of them, generates a corresponding instantiation instruction according to the security service resource request list and sends the instantiation instruction to the cloud security service container 4.
The cloud security service container 4 instantiates, according to the received instantiation instruction, each security service resource in the security service resource pool 3 that is recorded in the security service resource request list, using container technology, and encapsulates each instantiated security service resource in an independent sub-container of the cloud security service container 4; the independent sub-container provides the running environment for each security service resource, so that the security service resources in the independent sub-container provide the tenant with an isolated cloud security service.
In this embodiment, a container is a software technology that packages an application service together with its dependencies into a portable unit. Containers use an operating-system-level sandbox mechanism: they share the host kernel but have no interface to one another, incur almost no performance overhead, and run easily on a single machine or across a data center. Most importantly, they are independent of language, framework and operating system, so container technology isolates different security service applications well while remaining elastic and extensible.
It should be noted that the security service resource pool 3 relies on resource virtualization technology to virtualize distributed, heterogeneous security service resources into a single resource pool, so that they can be managed uniformly and allocated and scheduled according to service conditions and the tenants' use of the resources. The security service resource pool 3 aggregates security service resources (also called "security service nodes") of different types and functions; these may take a hardware form (heterogeneous, dispersed physical server nodes) or a software form (heterogeneous virtual resource clusters formed by virtualization software).
To help those skilled in the art understand the technical solution of the present invention, the working process by which the cloud security service implementation system of this embodiment provides a cloud security service to a single tenant is described in detail below.
First, the tenant logs in to the page of the self-service portal 1. The self-service portal 1 presents a menu-style list of cloud security services from which the tenant selects the security service resources it needs. The list can sort and filter the security service resources by category, delivery form, network access mode, protection strength and similar criteria. It should be noted that when selecting a security service resource the tenant may also customize its parameters (for example, enabling or disabling some of its functions). If the tenant does not configure the parameters of a security service resource, the self-service portal 1 uses that resource's default parameters.
After the tenant has selected one or more security service resources for the cloud security service it requires, the self-service portal 1 generates a corresponding security service resource request list according to the tenant's selection and sends it to the cloud security service middleware 2. The security service resource request list records the ID of each security service resource selected by the tenant together with the parameters of each.
Next, the cloud security service middleware 2 checks, according to the received security service resource request list, whether the security service resource pool 3 contains all of the security service resources recorded in the list. If the pool 3 contains all of them, the middleware 2 generates a corresponding instantiation instruction from the list; if at least one recorded security service resource does not exist in the pool 3, the middleware 2 returns a security service request failure message to the tenant. This failure message may carry the name of each requested security service resource that does not exist in the pool 3, so that the tenant can promptly select other security service resources.
After the cloud security service middleware 2 has generated the instantiation instruction, it sends it to the cloud security service container 4. The container 4 instantiates, according to the received instruction, each security service resource in the pool 3 that corresponds to an entry in the request list, and encapsulates each instantiated resource in an independent sub-container of the container 4; the independent sub-container provides the running environment for each security service resource, so that the security service resources in it provide the tenant with an isolated cloud security service. It should be noted that once a security service resource has been instantiated by a container, a tenant selecting and using a given security service cannot tell whether it is provided by a physical server or packaged with container technology. Most security applications deliver their service over the network, and a tenant cannot determine by what technology a given network IP address is served.
It should be noted that if the tenant customized the parameters of one or more security service resources when selecting them, the parameters of those resources must be adjusted according to the tenant's customization when they are instantiated; security service resources that were not customized are instantiated with their default parameters.
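The request-list check, the failure message listing missing resources, parameter customization with defaults, and per-tenant sub-container instantiation described above, modelled as an added example in plain Python. This is illustration code, not the patent's own implementation; POOL, RequestEntry, InstantiationInstruction, validate_request and CloudSecurityServiceContainer are hypothetical names, and the catalogue is constructed for the example.

```python
"""Middleware validation of a security service resource request list and
instantiation into a per-tenant sub-container (added illustration, not the
patent's code). All names and the catalogue below are assumptions."""
from dataclasses import dataclass, field

# Constructed catalogue standing in for security service resource pool 3:
# resource ID -> (display name, default parameters). A real pool would be
# populated from the virtualized resource inventory, not hard-coded.
POOL = {
    "ddos-01": ("DDoS protection", {"threshold_pps": 100000, "syn_cookies": True}),
    "utm-01": ("UTM gateway", {"ips": True, "antivirus": True, "url_filter": False}),
    "vpn-01": ("IPsec VPN", {"ike_version": 2, "dh_group": 14}),
}


@dataclass(frozen=True)
class RequestEntry:
    """One line of the request list: resource ID plus the tenant's overrides."""
    resource_id: str
    custom_params: dict = field(default_factory=dict)


@dataclass
class InstantiationInstruction:
    tenant_id: str
    resources: list  # (resource_id, effective parameters) in request order


def validate_request(tenant_id, entries, pool=POOL):
    """Middleware step: (instruction, None) on success, (None, message) on failure.

    The failure message names every requested resource absent from the pool,
    so the tenant can re-select at once instead of retrying one at a time.
    """
    missing = [e.resource_id for e in entries if e.resource_id not in pool]
    if missing:
        return None, "security service request failed; not in pool: " + ", ".join(missing)
    resources = []
    for e in entries:
        _name, defaults = pool[e.resource_id]
        # Only parameters the resource defines may be overridden; an unknown key
        # is rejected here rather than passed through to the service instance.
        unknown = sorted(set(e.custom_params) - set(defaults))
        if unknown:
            return None, f"security service request failed; unknown parameters for {e.resource_id}: {unknown}"
        resources.append((e.resource_id, {**defaults, **e.custom_params}))
    return InstantiationInstruction(tenant_id, resources), None


@dataclass
class ServiceInstance:
    resource_id: str
    params: dict


@dataclass
class SubContainer:
    """Independent sub-container: the running environment of one tenant's services."""
    tenant_id: str
    instances: list = field(default_factory=list)


class CloudSecurityServiceContainer:
    """One sub-container per tenant. Lookups are keyed by tenant ID only, so a
    tenant has no handle by which to reach another tenant's instances."""

    def __init__(self):
        self._sub_containers = {}

    def instantiate(self, instruction):
        sub = SubContainer(instruction.tenant_id)
        for resource_id, params in instruction.resources:
            sub.instances.append(ServiceInstance(resource_id, params))
        self._sub_containers[instruction.tenant_id] = sub
        return sub

    def services_for(self, tenant_id):
        sub = self._sub_containers.get(tenant_id)
        return [] if sub is None else [i.resource_id for i in sub.instances]


if __name__ == "__main__":
    entries = [RequestEntry("ddos-01"), RequestEntry("utm-01", {"url_filter": True})]
    instruction, error = validate_request("tenant-a", entries)
    assert error is None
    container = CloudSecurityServiceContainer()
    container.instantiate(instruction)
    print(container.services_for("tenant-a"))
```

The two rejection paths matter for a multi-tenant portal: a missing resource is reported by name, as the description requires, and an override of a parameter the resource does not define is refused at the middleware rather than forwarded to the service instance, where it could be interpreted unpredictably.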
The cloud security service implementation system provided by this embodiment has the following characteristics:
1. Tenant isolation and exclusive service. The system uses container technology to provide the cloud security service requested by each tenant in a running environment that is isolated from and inaccessible to other tenants, so that when the system serves many tenants the security of each tenant's data while using the cloud security service is ensured.
2. Convenient self-service. The tenant only needs to apply for and configure a cloud security service that meets its needs through the self-service portal 1, without additional human interaction. The time and operating costs incurred by the tenant in the whole process are low.
3. High flexibility. From the tenant's point of view the security service resources in the security service resource pool 3 are effectively unlimited; the tenant can request any number of security service resources at any time, limited only by the cloud security service agreement. Moreover, because each resource in the pool 3 can be provisioned quickly and automatically, the tenant can quickly add security service resources to, or remove them from, the requested cloud security service through the self-service portal 1.
In this embodiment, optionally, the cloud security service middleware 2 also orchestrates each security service resource in the independent sub-container according to a preset arrangement rule before those resources provide the tenant with the isolated cloud security service. Specifically, the security service resources are orchestrated by changing the network configuration of the resource pool; the network configuration may be based on a variety of network protocols, including but not limited to the OpenFlow protocol supported by the open-source software Open vSwitch. Orchestrating the security service resources improves efficiency: for different types of security device, which are placed in front and which behind changes the effect. For example, if a DDoS device is placed in front of a UTM device, then when a DDoS attack occurs the DDoS protection device first filters out most of the invalid traffic before the UTM performs security protection, so that the excess traffic does not exceed the bandwidth that the UTM can process effectively.
It should be noted that in practice the cloud security service provider can set this preset arrangement rule according to the protection type of each security service resource in the security service resource pool 3. For example, a distributed denial of service (DDoS) security service resource should generally be deployed in front of a security gateway (unified threat management, UTM) security service resource.
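The preset arrangement rule described above, applied as an added example: the tenant's instantiated services are sorted into a service chain by protection type, the chain is expressed as port-to-port hops, and each hop is rendered as an Open vSwitch flow entry. This is illustration code, not the patent's implementation; ARRANGEMENT_RULE, ServiceNode, orchestrate, chain_hops and ovs_flow_rules are hypothetical names. Only the DDoS-before-UTM ordering comes from the description; the other ranks, the port numbers and the bridge name are assumptions.

```python
"""Orchestration of a tenant's instantiated security services according to a
preset arrangement rule (added illustration, not the patent's code).
Ranks other than DDoS-before-UTM, ports and bridge name are assumptions."""
from dataclasses import dataclass

# Preset arrangement rule: lower rank sits earlier on the tenant's traffic path.
# Unlisted protection types deliberately get no default rank.
ARRANGEMENT_RULE = {
    "ddos": 0,  # volumetric filtering first, so floods never reach the UTM
    "utm": 1,   # unified threat management (firewall, IPS, antivirus)
    "waf": 2,   # assumed: application-layer inspection after the UTM
}


@dataclass(frozen=True)
class ServiceNode:
    instance_id: str
    protection_type: str
    port: int  # assumed: the Open vSwitch port the sub-container is attached to


def missing_rules(nodes, rule=ARRANGEMENT_RULE):
    """IDs of nodes whose protection type has no rank in the arrangement rule."""
    return [n.instance_id for n in nodes if n.protection_type not in rule]


def orchestrate(nodes, rule=ARRANGEMENT_RULE):
    """Return the nodes in the order traffic must traverse them.

    A node with no rank is an error: silently appending it would place an
    unknown device at an unknown point in the chain.
    """
    unknown = missing_rules(nodes, rule)
    if unknown:
        raise ValueError(f"no arrangement rule for: {unknown}")
    # sorted() is stable, so services of equal rank keep the tenant's request order
    return sorted(nodes, key=lambda n: rule[n.protection_type])


def chain_hops(ordered, ingress_port, egress_port):
    """(from_port, to_port) pairs describing the chain end to end.

    Simplification: each service is attached by a single port and returns the
    traffic it has processed on that same port.
    """
    ports = [ingress_port] + [n.port for n in ordered] + [egress_port]
    return list(zip(ports, ports[1:]))


def ovs_flow_rules(hops, bridge="br-sec", priority=100):
    """Render each hop as an ovs-ofctl add-flow command (OpenFlow via Open vSwitch).

    In a real deployment the middleware would program these through the SDN
    controller rather than by running shell commands.
    """
    return [
        f'ovs-ofctl add-flow {bridge} "priority={priority},in_port={src},actions=output:{dst}"'
        for src, dst in hops
    ]


if __name__ == "__main__":
    # Constructed request order: the tenant picked the UTM before the DDoS service
    nodes = [ServiceNode("utm-a1", "utm", 12), ServiceNode("ddos-a1", "ddos", 11)]
    ordered = orchestrate(nodes)
    for cmd in ovs_flow_rules(chain_hops(ordered, ingress_port=1, egress_port=2)):
        print(cmd)
```

Refusing to chain a device whose type has no rank is the check a practitioner wants here: an unranked device that lands at an arbitrary point in the path can end up behind the very traffic it was meant to absorb.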
Optionally, the cloud security service implementation system further comprises a cloud security service controller 5 deployed in the cloud environment. When the cloud security service middleware 2 detects that the security service resource pool 3 contains all of the security service resources recorded in the request list, the controller 5 obtains the topology of the virtual network in which the tenant resides and generates, according to that topology, a routed path from the tenant to the cloud security service container 4, so that the pending data the tenant sends while using the cloud security service is first drawn to the middleware 2 before entering the container 4. Consequently, while the security service resources in the independent sub-container provide the tenant with the isolated cloud security service, the middleware 2 can also calculate the network traffic corresponding to the pending data. Of course, the middleware 2 can also measure the traffic fed back to the tenant after the pending data has been processed by the security service applications in the container.
It should be noted that because different tenants may reside in different cloud environment networks, a cloud security service controller 5 can be deployed in each cloud environment network; that controller 5 draws the virtual network traffic of each tenant in the corresponding cloud environment network to the middleware 2. In this embodiment, software defined network (SDN) technology draws the tenant's virtual network traffic destined for the independent sub-container to the middleware 2 without changing the physical topology of the network. Optionally, the cloud security service controller 5 is an SDN controller.
In this embodiment, the cloud security service controller draws the pending data to the cloud security service middleware, so that the network traffic of the pending data can be measured. The cloud security service provider can then bill the corresponding tenant on the basis of this traffic, which makes the cloud security service meterable.
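The metering step above, as an added example: once the SDN controller has drawn tenant traffic through the middleware, the middleware attributes each flow record to a tenant by its virtual network and sums the bytes in both directions (pending data towards the sub-container, and the processed traffic fed back). This is illustration code, not the patent's implementation; TENANT_VNETS, tenant_of, meter_records and billable_bytes are hypothetical names, and the address plan and flow records are constructed for the example.

```python
"""Traffic metering in the cloud security service middleware (added
illustration, not the patent's code). Address plan and records are constructed."""
from ipaddress import ip_address, ip_network

# Constructed virtual-network plan. Because the SDN controller draws each
# tenant's sub-container traffic through the middleware, every record the
# middleware sees should have a tenant address on exactly one side.
TENANT_VNETS = {
    "tenant-a": ip_network("10.10.0.0/16"),
    "tenant-b": ip_network("10.20.0.0/16"),
}

# Constructed flow records as (src_ip, dst_ip, bytes); 10.200.0.0/24 stands in
# for the service addresses exposed by the sub-containers.
RECORDS = [
    ("10.10.1.5", "10.200.0.1", 1500),    # tenant-a -> its services (pending data)
    ("10.200.0.1", "10.10.1.5", 600),     # services -> tenant-a (feedback)
    ("10.20.3.3", "10.200.0.2", 4000),    # tenant-b -> its services
    ("192.168.99.1", "10.200.0.1", 700),  # no tenant vnet on either side: never billed
    ("10.10.1.6", "10.200.0.1", 2500),    # tenant-a, second host
]


def tenant_of(ip):
    """Attribute an address to a tenant by its virtual network, or None."""
    addr = ip_address(ip)
    for tenant, net in TENANT_VNETS.items():
        if addr in net:
            return tenant
    return None


def meter_records(records):
    """Sum pending (tenant -> service) and feedback (service -> tenant) bytes per tenant.

    Returns (usage, unattributed_bytes). Bytes that belong to no tenant are
    reported separately instead of being dropped or charged to a default tenant.
    """
    usage = {t: {"pending_bytes": 0, "feedback_bytes": 0} for t in TENANT_VNETS}
    unattributed = 0
    for src, dst, nbytes in records:
        if nbytes < 0:
            raise ValueError(f"negative byte count in record {(src, dst, nbytes)}")
        tenant = tenant_of(src)
        if tenant is not None:
            usage[tenant]["pending_bytes"] += nbytes
            continue
        tenant = tenant_of(dst)
        if tenant is not None:
            usage[tenant]["feedback_bytes"] += nbytes
        else:
            unattributed += nbytes
    return usage, unattributed


def billable_bytes(usage, tenant):
    """Both directions are billable, as the description above allows."""
    u = usage[tenant]
    return u["pending_bytes"] + u["feedback_bytes"]


if __name__ == "__main__":
    usage, leftover = meter_records(RECORDS)
    for tenant in usage:
        print(tenant, billable_bytes(usage, tenant))
    print("unattributed", leftover)
```

The unattributed counter is the check worth keeping in a real meter: traffic that reaches the middleware without a tenant address on either side indicates either a gap in the SDN redirection or a source outside the tenant networks, and it must surface in the accounting rather than be silently billed to whichever tenant's service it was addressed to.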
Embodiment two
Fig. 2 is a flow chart of a cloud security service implementation method provided by embodiment two of the present invention. As shown in Fig. 2, the method is based on a cloud security service implementation system, which is the cloud security service implementation system provided by embodiment one above, and comprises:
Step 101: the self-service portal generates a corresponding security service resource request list according to the tenant's selection and sends the security service resource request list to the cloud security service middleware.
The security service resource request list records each security service resource the tenant requests to rent.
Step 102: the cloud security service middleware detects, according to the received security service resource request list, whether the security service resource pool contains all of the security service resources recorded in the list.
If the security service resource pool contains all of the security service resources recorded in the list, step 103 is performed; otherwise the cloud security service middleware returns a security service request failure message to the tenant, which may carry the name of each requested security service resource that does not exist in the pool, so that the tenant can promptly select other security service resources.
Step 103: the cloud security service middleware generates a corresponding instantiation instruction according to the security service resource request list and sends the instantiation instruction to the cloud security service container.
Step 104: the cloud security service container instantiates, according to the received instantiation instruction, each security service resource in the security service resource pool that is recorded in the security service resource request list, and encapsulates each instantiated security service resource in an independent sub-container of the cloud security service container; the independent sub-container provides the running environment for each security service resource.
Step 105: the security service resources in the independent sub-container provide the tenant with an isolated cloud security service.
It should be noted that for a detailed description of each step in this embodiment, refer to the corresponding content of embodiment one above, which is not repeated here.
The technical solution of this embodiment uses container technology to provide the cloud security service requested by each tenant in a running environment that is isolated from and inaccessible to other tenants, thereby ensuring the security of each tenant's data while using the cloud security service.
Embodiment three
Fig. 3 is a flow chart of another cloud security service implementation method provided by embodiment three of the present invention. As shown in Fig. 3, the method is based on a cloud security service implementation system, which is the cloud security service implementation system provided by embodiment one above, and comprises:
Step 201: the self-service portal generates a corresponding security service resource request list according to the tenant's selection and sends the security service resource request list to the cloud security service middleware; the security service resource request list records each security service resource the tenant requests to rent.
Step 202: the cloud security service middleware detects, according to the received security service resource request list, whether the security service resource pool contains all of the security service resources recorded in the list.
If the security service resource pool contains all of the security service resources recorded in the list, step 203 is performed; otherwise the cloud security service middleware returns a security service request failure message to the tenant, which may carry the name of each requested security service resource that does not exist in the pool, so that the tenant can promptly select other security service resources.
Step 203: the cloud security service controller obtains the topology of the virtual network in which the tenant resides and generates, according to the topology, a routed path from the tenant to the cloud security service container.
Step 203 sets the routed path from the tenant to the cloud security service container, so that the pending data the tenant sends while using the cloud security service is first drawn to the cloud security service middleware before entering the cloud security service container.
In step 203, optionally, the cloud security service controller is an SDN controller.
Step 204: the cloud security service middleware generates a corresponding instantiation instruction according to the security service resource request list and sends the instantiation instruction to the cloud security service container.
Step 205: the cloud security service container instantiates, according to the received instantiation instruction, each security service resource in the security service resource pool that is recorded in the security service resource request list, and encapsulates each instantiated security service resource in an independent sub-container of the cloud security service container; the independent sub-container provides the running environment for each security service resource.
Step 206: the cloud security service middleware orchestrates each security service resource in the independent sub-container according to a preset arrangement rule.
In this embodiment, orchestrating the security service resources in the independent sub-container does not require network operations staff to plug or unplug network cables on site in the machine room; the result is achieved remotely, purely in software.
Step 207: each security service resource in the independent sub-container provides the tenant with an isolated cloud security service, and the cloud security service middleware calculates the network traffic corresponding to the pending data.
It should be noted that for a detailed description of each step in this embodiment, refer to the corresponding content of embodiment one above, which is not repeated here.
In addition, as an alternative in this embodiment, when the detection result of step 202 is "yes", step 204 may be performed next; step 203 may then be performed concurrently with step 204, or at any time after step 204 and before step 207. The details are not described here.
Compared with embodiment two above, the technical solution of this embodiment not only provides the tenant with a secure, self-service cloud security service but also makes the cloud security service meterable.
It will be understood that the above embodiments are merely exemplary embodiments adopted to illustrate the principle of the present invention, and the present invention is not limited thereto. Those skilled in the art can make various modifications and improvements without departing from the spirit and substance of the present invention, and such modifications and improvements are also regarded as falling within the protection scope of the present invention.