Disclosure of Invention
In view of the above, the present invention is directed to a security system and a security protection method for protecting a cloud network system with a multi-layer structure.
According to one aspect of the present invention, there is provided a security system for securing a cloud network system of a multi-layered structure,
the security system comprising a security policy management unit, a security policy blockchain, a security policy rule base, a multi-layer security policy determination unit and a multi-layer security protection device, wherein
each layer of the multi-layer security protection device comprises the security components of that layer,
the security policy rule base stores the network parameters, security policy parameters and interlayer mapping relations of each layer of the cloud network system,
the security policy management unit configures a security level of a protection change object and transmits the security level of the protection change object and a capacity of the protection change object to the security policy blockchain,
the security policy blockchain issues the security level of the protection change object and the capacity of the protection change object received from the security policy management unit to each layer of the multi-layer security policy determination unit through the blockchain,
the security policy determination units of each layer respectively receive the security level of the protection change object and the capacity of the protection change object issued by the security policy blockchain, call the network parameters, security policy parameters and interlayer mapping relations in the security policy rule base, and determine the security policy of the layer; when determining the security policy of the layer, the protection area of the layer is updated based on the capacity of the protection change object, the existing protection area and the interlayer mapping relations, and the security level of the layer is updated based on the security level of the protection change object and the security level of the existing protection area,
the security policy determination unit of each layer respectively queries the security components of the layer that match the updated security level of the layer, and sends information on those security components and the updated protection area of the layer to the security protection device of the corresponding layer,
and each layer of the security protection device protects the updated protection area of the layer using the security components of the layer that match the updated security level of the layer.
According to another aspect of the present invention, there is provided a security protection method for performing security protection on a cloud network system of a multi-layer structure, the security protection method including:
the security policy management unit configures the security level of the protection change object and issues the security level of the protection change object and the capacity of the protection change object to the security policy determination units of each layer through the security policy blockchain;
each layer of the security policy determination unit updates the protection area of the layer based on the capacity of the protection change object, the existing protection area and the interlayer mapping relation, and updates the security level of the layer based on the security level of the protection change object and the security level of the existing protection area;
each layer of the security policy determination unit respectively queries the security components of the layer that match the updated security level of the layer, and sends information on those security components and the updated protection area of the layer to the security protection device of the corresponding layer;
each layer of the security protection device protects the updated protection area of the layer using the security components of the layer that match the updated security level of the layer.
The security system and the security protection method provided by the invention are suitable for a cloud network system with a multilayer structure, realize security protection linkage of 'network follow-up and cloud follow-up', call the interlayer mapping relations among the different layers, automatically divide new security area boundaries and security levels, and are suitable for an integrated security operation scenario of cloud-network integration services.
Detailed Description
Specific embodiments for carrying out the invention are described in detail below with reference to the accompanying drawings.
The security system and the security protection method of the embodiment of the invention are used for protecting a cloud network system with a multilayer structure. The cloud network system with the multilayer structure comprises, from top to bottom, a data layer, an application layer, a cloud layer, a network layer and a terminal layer. The security system and the security protection method of the embodiment of the invention realize layered linkage of the security policies of the cloud network system, that is, security protection linkage of 'network follow-up and cloud follow-up'.
Fig. 2 shows a structural diagram of a security system according to an embodiment of the present invention. As shown in fig. 2, the security system of the embodiment of the present invention includes: the system comprises a security policy management unit S1, a security policy blockchain S2, a security policy determination unit S31, a security policy rule base S32 and a security protection device S4.
The security policy determination unit S31 and the security protection device S4 may each be divided into multiple layers according to the multi-layer structure of the cloud network system. In the embodiment of the invention, the cloud network system comprises, from top to bottom, a data layer, an application layer, a cloud layer, a network layer and a terminal layer, so the security policy determination unit S31 correspondingly comprises a data layer security policy determination unit S311, an application layer security policy determination unit S312, a cloud layer security policy determination unit S313, a network layer security policy determination unit S314 and a terminal layer security policy determination unit S315, and the security protection device S4 correspondingly comprises a data layer security protection device S41, an application layer security protection device S42, a cloud layer security protection device S43, a network layer security protection device S44 and a terminal layer security protection device S45. However, the security policy determination unit S31 need not be divided into the security policy determination units S311 to S315; a single security policy determination unit S31 may update the security policies of each layer, as long as the security policies of each layer can be updated. The operation is the same whether the security policy determination units S311 to S315 of each layer update the security policy of their own layer or a single security policy determination unit S31 updates the security policy of each layer in turn; in this embodiment, the case in which the security policy determination unit S31 is divided into the security policy determination units S311 to S315 of each layer is described. Likewise, the security protection device S4 need not be divided into the security protection devices S41 to S45 of each layer; a single security protection device S4 may protect each layer, as long as the protection of each layer can be realized.
The operation is the same whether the security protection devices S41 to S45 of the respective layers protect their own layers or a single security protection device S4 protects the respective layers; in this embodiment, the security protection device S4 is described as being divided into the security protection devices S41 to S45 of the respective layers.
The security policy rule base S32 stores the network parameters, security policy parameters and interlayer mapping relations of each layer of the cloud network system. The network parameters may include initial network parameters and current network parameters, and the security policy parameters may include initial security policy parameters and current security policy parameters. The interlayer mapping relation represents the association between network devices of adjacent layers. By using the interlayer mapping relation, when the security policy of a protection area of the previous layer is changed, the security policy of the associated protection area of the next layer can be changed in a linked manner.
When the protection object is changed, the security policy management unit S1 configures the security level of the protection change object, and transmits the security level of the protection change object and the capacity of the protection change object to the security policy blockchain S2. A change of the protection object may be an addition of a protection object or a reduction of a protection object. Herein, the "protection object to be added" and the "protection object to be reduced" are collectively referred to as the "protection change object".
The security policy blockchain S2 issues the security level of the protection change object and the capacity of the protection change object received from the security policy management unit S1 to each layer of security policy determination units S311 to S315 in the security policy determination unit S31, respectively, through the blockchain.
The security policy determining units S311 to S315 of each layer respectively receive the security level of the protection change object and the capacity of the protection change object issued by the security policy blockchain S2, call the network parameters and the security policy parameters of each layer and the interlayer mapping relation in the security policy rule base S32, and determine the security policy of the layer. When determining the security policy of the layer, each of the security policy determining units S311 to S315 updates the protection area of the layer based on the capacity of the protection change object, the existing protection area, and the inter-layer mapping relationship, and updates the security level of the layer based on the security level of the protection change object and the security level of the existing protection area.
As an example for updating the protection area of the present layer, each of the layer security policy determination units S311 to S315 determines, when updating the protection area of the present layer based on the capacity of the protection change object, the existing protection area, and the interlayer mapping relation, the smallest protection area as the updated protection area based on the capacity of the protection change object and the existing protection area. When the protection change object is a protection object to be added, the protection area obtained by adding the protection object to be added and the existing protection area is used as the updated protection area. When the protection change object is a protection object to be reduced, the protection area obtained after deleting the protection object to be reduced from the existing protection area is used as the updated protection area.
As an example for updating the security level of the present layer, each of the security policy determination units S311 to S315 needs to update the security level of the present layer based on the security level of the protection change object and the security level of the existing protection area, in the following cases.
In case 1, when the protection change object is a protection object to be added, each of the security policy determining units S311 to S315 sets the highest security level among the security level of the protection change object and the security level of the existing protection area as the updated security level.
In case 2, when the protection change object is a protection object to be reduced, each of the security policy determination units S311 to S315 retains the security level of the protection area that remains after subtracting the protection object to be reduced from the existing protection area.
In case 3, when the protection change object is a protection object to be reduced, the security policy determination units S311 to S315 restore the security level of the layer to the original security level when there is no protection area to be protected after subtracting the protection object to be reduced from the existing protection area.
After each of the security policy determining units S311 to S315 updates the security level of the own layer and the protection area of the own layer, each of the security policy determining units S311 to S315 queries the security component of the own layer that matches the updated security level of the own layer, and transmits information related to the security component of the own layer that matches the updated security level of the own layer and the updated protection area of the own layer to the security protection device of the corresponding layer in the security protection device S4.
Fig. 4 is an illustration of the security components of the layers in the security device and their security capabilities. The security policy determining units S311 to S315 of each layer may query the security component of the layer matching the updated security level of the layer according to the security component and the security protection capability thereof shown in fig. 4.
Each of the security protection devices S41 to S45 protects the updated protection area of the present layer by using the security components of the present layer that match the updated security level of the present layer.
If the security level of the layer is higher after updating than the original security level, each layer of security protection devices S41 to S45 in the security protection device S4 loads a security component matched with the updated security level of the layer on the network device related to the updated protection area of the layer, so as to perform security protection on the protection area of the layer.
If the updated security level of the layer is lower than the original security level, each of the security protection devices S41 to S45 in the security protection device S4 uninstalls the corresponding security components from the network devices related to the updated protection area of the layer. This typically occurs when the layer no longer has a protection object, in which case the security policy of the network devices of the layer is restored to the original security policy.
According to the security system provided by the embodiment of the invention, the security protection linkage of 'network follow-up and cloud follow-up' can be realized, the interlayer mapping relation between different layers is called, and a new specific security area boundary and security level are automatically divided.
In another embodiment of the present invention, when the security policy is configured, the security policy management unit S1 is not limited to configuring the security level of the protection change object, and may set various security parameters, for example, apply a unified security mark se_token to the Subject and the Object, authorize the Subject, configure the trusted verification policy, and the like. This security policy can be expressed as:
Security_Policy{Se_Token(Subjects, Objects), Zone_defense}
The interlayer mapping relation stored in the security policy rule base S32 may be expressed as (Zone0, Zone1, Zone2, …).
Assuming that the current security policy of the present layer is denoted SP0{ST(Subj0, Obj0), Zone0} and the security policy of the protection change object is denoted ΔSP{ST(Subj, Obj), Zone}, the updated security policy may be expressed as:
SP = ΔSP + SP0 = {MaxST(Subj0 + Subj, Obj0 + Obj), MinZone}
From the above representation it can be seen that, when the security policy is updated, the minimum protection area MinZone is determined according to the capacity of the protection object, and the security protection level MaxST is determined according to the highest level among the protection objects.
Specific examples of updating security levels and security zones for security systems in accordance with embodiments of the present invention are described below.
The initial network parameters and initial security policy parameters of the existing cloud network system are assumed to be as follows:
the available storage space of the cloud C1 is 500GB, the corresponding network boundaries are N1 and N2, and the initial security level is set to be level 2; the available storage space of the cloud C2 is 2000GB, the corresponding network boundaries are N3 and N4, and the initial security level is set to be level 2.
Assume that current network parameters and security policy parameters of the existing cloud network system are as follows:
the used storage space of the cloud C1 is 400GB, the remaining available storage space is 100GB, the corresponding network boundaries are N1 and N2, and the security level is set to level 2; the storage space of the cloud C2 is unused, the remaining available storage space is 2000GB, the corresponding network boundaries are N3 and N4, and the security level is set to level 2.
In this embodiment, a case where a protection object of 150GB data is newly added will be described. The security policy management unit S1 sets the security level of the protection object of the newly added 150GB data to level 3, and sends the security level of the newly added protection object and the capacity of the newly added protection object to the security policy blockchain S2, and the security policy blockchain S2 distributes the security level (level 3) of the newly added protection object and the capacity (150 GB) of the newly added protection object to the data layer security policy determining unit S311, the application layer security policy determining unit S312, the cloud layer security policy determining unit S313, the network layer security policy determining unit S314, and the terminal layer security policy determining unit S315, respectively, through the blockchain.
First, the data layer security policy determination unit S311 updates the protection area to be protected by the data layer to 400GB (existing protection area) + 150GB (newly added protection object) = 550GB (updated protection area), and updates the security level of the updated protection area to level 3.
Next, the application layer security policy determination unit S312 inherits the security policy of the data layer, updates the security level of the protection area of the application layer to level 3, and updates the protection area of the application layer.
Next, cloud layer security policy determining unit S313 updates the protection area of cloud C1 to 500GB (where 400GB is the original protection area and 100GB is the newly added protection area), updates the security level thereof to 3, updates the protection area of cloud C2 to 50GB, and updates the security level thereof to 3.
Then, the network layer security policy determination unit S314 updates the security level of the network boundaries N1 and N2 of the cloud C1 to level 3, and updates the security level of the network boundaries N3 and N4 of the cloud C2 to level 3.
Finally, the terminal layer security policy determining unit S315 updates the security level of the terminal access to level 3.
As described above, each layer of the security policy determination units in the security policy determination unit S31 updates the protection area and the security level of the present layer individually.
In the above embodiment, the example was described in which the security level of the lower layer is the same as that of the upper layer, but the security level of the lower layer may be set higher than that of the upper layer.
Next, a case will be described in which, after the security policy has been updated by newly adding the 150GB of protection objects in the above embodiment, 100GB of protection objects are then reduced. The security policy management unit S1 sets the security level of the 100GB of protection objects to be reduced to level 3, and transmits the security level of the protection object to be reduced and the capacity of the protection object to be reduced to the security policy blockchain S2, and the security policy blockchain S2 distributes the security level (level 3) of the protection object to be reduced and the capacity (100GB) of the protection object to be reduced to the data layer security policy determination unit S311, the application layer security policy determination unit S312, the cloud layer security policy determination unit S313, the network layer security policy determination unit S314 and the terminal layer security policy determination unit S315, respectively, through the blockchain.
First, the data layer security policy determination unit S311 updates the protection area to be protected by the data layer to 550GB (existing protection area) - 100GB (protection object to be reduced) = 450GB (updated protection area), and retains the security level of the updated protection area as level 3.
Next, the application layer security policy determination unit S312 inherits the security policy of the data layer, updates the security level of the protection area of the application layer to level 3, and updates the protection area of the application layer.
Next, the cloud layer security policy determination unit S313 updates the protection area of the cloud C1 to 450GB (the original protection area of the cloud C1 is 500GB, and reducing it by 50GB gives a protection area of 450GB) and retains its security level as level 3; it updates the protection area of the cloud C2 to 0GB (the original protection area of the cloud C2 is 50GB, and reducing it by 50GB gives a protection area of 0GB, that is, no protection area remains) and restores the security level of the cloud C2 to the original security level, that is, level 2.
Then, the network layer security policy determination unit S314 retains the security level of the network boundaries N1 and N2 of the cloud C1 as level 3, and updates the security level of the network boundaries N3 and N4 of the cloud C2 to level 2.
Finally, the terminal layer security policy determining unit S315 updates the security level of the terminal access to level 3.
As described above, the security policy determination units S311 to S315 of the respective layers in the security policy determination unit S31 update the protection area and the security level of the own layer, respectively.
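The following is an added example written for this page, not code from the patent, that models the layered update rules (SP = ΔSP + SP0 with MaxST and MinZone, cases 1 to 3, and steps 301 to 305) and replays the two worked cases above. The class and function names are hypothetical; it assumes that clouds are filled in order with overflow to the next cloud and released in reverse order, and that the terminal-layer level follows the data layer, which is what the numbers in the text imply.

```python
# Added example, not the patent's own code.  Points the text leaves open are
# marked ASSUMPTION.
from dataclasses import dataclass, field


@dataclass
class Cloud:
    name: str
    total_gb: int          # available storage space (initial network parameter)
    used_gb: int           # current protection area of this cloud
    boundaries: tuple      # interlayer mapping: cloud -> network boundaries
    initial_level: int     # original security level, restored when the area hits 0
    level: int = field(init=False)

    def __post_init__(self):
        self.level = self.initial_level


@dataclass
class Policy:
    data_area_gb: int      # data-layer protection area (sum of the cloud areas)
    initial_level: int
    data_level: int = field(init=False)
    clouds: list = field(default_factory=list)

    def __post_init__(self):
        self.data_level = self.initial_level


def snapshot(p):
    """Per-layer view of the current policy (the output of one update round)."""
    boundaries = {b: c.level for c in p.clouds for b in c.boundaries}
    return {
        "data": (p.data_area_gb, p.data_level),
        "application": (p.data_area_gb, p.data_level),  # inherits the data layer
        "cloud": {c.name: (c.used_gb, c.level) for c in p.clouds},
        "network": boundaries,                          # cloud level via mapping
        "terminal": p.data_level,  # ASSUMPTION: terminal access follows the data layer
    }


def add_object(p, cap_gb, obj_level):
    """Protection object to be added (case 1): area = existing + new,
    level = max(level of change object, level of existing area) (MaxST)."""
    p.data_area_gb += cap_gb
    p.data_level = max(p.data_level, obj_level)
    remaining = cap_gb
    # ASSUMPTION: clouds are filled in order, spilling into the next cloud when
    # one is full; this reproduces the 100 GB / 50 GB split in the text.
    for c in p.clouds:
        take = min(remaining, c.total_gb - c.used_gb)
        if take > 0:
            c.used_gb += take
            c.level = max(c.level, obj_level)
            remaining -= take
    if remaining:
        raise ValueError(f"{remaining} GB cannot be placed in any cloud")
    return snapshot(p)


def reduce_object(p, cap_gb, obj_level):
    """Protection object to be reduced: area = existing - reduced.  The level is
    retained while an area remains (case 2) and restored to the original level
    once the area is 0 (case 3).  obj_level is issued over the blockchain but
    is not needed by cases 2 and 3."""
    if cap_gb > p.data_area_gb:
        raise ValueError("cannot reduce more than is currently protected")
    p.data_area_gb -= cap_gb
    if p.data_area_gb == 0:
        p.data_level = p.initial_level
    remaining = cap_gb
    # ASSUMPTION: release in reverse fill order (last-filled cloud first), which
    # reproduces the 50 GB / 50 GB reduction in the text.
    for c in reversed(p.clouds):
        take = min(remaining, c.used_gb)
        c.used_gb -= take
        remaining -= take
        if c.used_gb == 0:
            c.level = c.initial_level
    return snapshot(p)


def build_initial_system():
    """Constructed sample: the initial and current parameters given in the text."""
    c1 = Cloud("C1", 500, 400, ("N1", "N2"), 2)
    c2 = Cloud("C2", 2000, 0, ("N3", "N4"), 2)
    return Policy(data_area_gb=400, initial_level=2, clouds=[c1, c2])


if __name__ == "__main__":
    p = build_initial_system()
    print(add_object(p, 150, 3))      # 150 GB added at level 3
    print(reduce_object(p, 100, 3))   # then 100 GB reduced
```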
Fig. 3 is a flowchart of a security protection method for a cloud network system of a multi-layer structure according to an embodiment of the present invention. As shown in fig. 3, the security protection method according to the embodiment of the invention includes the following steps:
In step 301, the security policy management unit S1 configures the security level of a protection change object, and sends the security level of the protection change object and the capacity of the protection change object to the security policy blockchain S2.
In step 302, the security policy blockchain S2 issues the security level of the protection change object and the capacity of the protection change object to the security policy determining unit S31 of each layer through the blockchain.
In step 303, each of the security policy determining units S311 to S315 updates the protection area of the present layer based on the capacity of the protection change object, the existing protection area, and the inter-layer mapping relation, and updates the security level of the present layer based on the security level of the protection change object and the security level of the existing protection area.
When the protection change object is a protection object to be added, each of the security policy determining units S311 to S315 respectively adds the protection area obtained by adding the protection object to be added and the existing protection area as an updated protection area; when the protection change object is a protection object to be reduced, each of the security policy determination units S311 to S315 sets a protection area obtained by subtracting the protection object to be reduced from an existing protection area as an updated protection area.
When the protection change object is a protection object to be added, each of the security policy determining units S311 to S315 uses the highest security level of the protection change object and the security level of the existing protection area as the updated security level; when the protection change object is a protection object to be reduced, each of the security policy determination units S311 to S315 retains the security level of the protection area after subtracting the protection object to be reduced from the existing protection area; when the protection change object is a protection object to be reduced, each of the security policy determination units S311 to S315 restores the security level of the layer to the original security level when the protection area to be protected does not exist after subtracting the protection object to be reduced from the existing protection area. Here, the security level updated by the security policy determining unit of the next layer may be higher than or equal to the security level updated by the security policy determining unit of the previous layer.
In this embodiment, the execution sequence of the security policy determining units S311 to S315 of each layer is that the protection area and the security level of the data layer are updated from the data layer security policy determining unit S311 of the uppermost layer, then the application layer security policy determining unit S312 updates the application layer, then the cloud layer security policy determining unit S313, the network layer security policy determining unit S314, and finally the terminal layer security policy determining unit S315 of the lowermost layer updates the terminal layer.
In step 304, each of the security policy determination units S311 to S315 queries the security components of its layer that match the updated security level of the layer, and sends information on those security components and the updated protection area of the layer to the security protection device of the corresponding layer.
In step 305, each of the security protection apparatuses S41 to S45 performs security protection on the updated protection area of the present layer by using the security component of the present layer that matches the updated security level of the present layer. When the security level of each layer is updated and is higher than the original security level, the security protection devices S41 to S45 of each layer load the security components matched with the updated security level of the layer on the network equipment related to the updated protection area of the layer respectively to carry out security protection on the updated protection area of the layer.
The operation of the security protection method according to the embodiment of the present invention may be described in more detail with reference to the operation of each unit and device of the security system shown in fig. 2, and a repeated description is therefore omitted.
By the security protection method provided by the embodiment of the invention, the security protection linkage of 'network follow-up and cloud follow-up' can be realized, the interlayer mapping relation between different layers is called, and a new specific security area boundary and security level are automatically divided.
The foregoing description of embodiments of the invention has been presented for purposes of illustration and description, and is not intended to be exhaustive or limited to the embodiments disclosed. Many modifications and variations will be apparent to those of ordinary skill in the art without departing from the scope and spirit of the various embodiments described. The terminology used herein was chosen in order to best explain the principles of the embodiments, the practical application, or the technical improvement of market technology, or to enable others of ordinary skill in the art to understand the embodiments disclosed herein.