


Technical field
The utility model relates to the field of computer security, and in particular to a cloud secure data migration model.
Background
Cloud data migration means transferring data from one cloud system to another. It covers three scenarios: private cloud to public cloud, public cloud to private cloud, and public cloud to public cloud.
Private cloud to public cloud is the most common scenario. For example, online marketplaces such as eBay and Taobao and social networks such as Facebook and Myspace had no massive volumes of data to manage in their early days, so building a private cloud, or even a traditional storage solution, was sufficient. As their business expanded, their data volume grew exponentially, and they began to consider a practical solution: renting storage space in a public cloud, that is, migrating their data into the public cloud. On the one hand this overcomes the limited capacity of an enterprise private cloud; on the other it saves the cost of building, operating and maintaining a very large data center, while the cloud provider's professional security team maintains the security of the stored data.
Public cloud to private cloud is also common. Suppose an enterprise has purchased Amazon S3 cloud storage. As the company's business develops, it finds that some of its data has become highly confidential, so it considers migrating that data from the public cloud into its internal private cloud.
Public cloud to public cloud is the direction in which cloud computing is developing. A survey by Internet Data Center (IDC) shows that security remains the main challenge users face when adopting cloud services. Therefore, as cloud computing spreads, users who find that the cloud storage service they purchased exposes security risks will migrate their data to a cloud provider's data center with a higher security level. One of the most prominent features of cloud storage services is optimized storage management for large data sets. If a user wants to upgrade from an ordinary user to a VIP user, the cloud provider must take a series of measures on that user's data, such as migrating it to a cloud storage system with faster access and a higher security level. Suppose again that an enterprise has purchased Amazon S3 cloud storage. The enterprise is headquartered in Shanghai, so Amazon deploys its data in a data center near Shanghai. As the business grows, the enterprise opens an office in Beijing; to give the Beijing office good data access speed and quality of service, Amazon needs to migrate a backup of the enterprise's relevant data to a data center near Beijing.
From the above, data migration is an important cloud storage service, so ensuring the security of data migration matters to both cloud tenants and cloud providers. On the one hand, users need not worry about losses caused by security risks to their data and can enjoy more convenient data access and storage services; on the other hand, it improves the reputation of the cloud provider. If data migration has security weaknesses, the consequences for cloud tenants and cloud providers are serious. For example, the account information held by online marketplaces and social networks involves personal privacy; if that information is illegally stolen or tampered with, these enterprises face disastrous consequences.
The existing data migration models are the traditional data migration model, the HDFS or S3 data migration model, and the improved HDFS or S3 data migration model.
Implementing the traditional data migration model involves two steps: 1) the cloud tenant downloads the data from cloud provider A's data center to local storage; 2) the cloud tenant uploads the data from local storage to cloud provider B's data center. Figure 1 shows the traditional data migration model.
The traditional data migration model has the following shortcomings: 1) downloading the data from cloud provider A requires temporarily provisioning local storage devices, which is unrealistic for enterprises holding massive amounts of data; 2) retrieving and re-uploading the data adds network security risk, including ordinary network attacks, replay attacks and man-in-the-middle attacks; 3) retrieving and re-uploading the data adds communication and time overhead for the cloud tenant; 4) the cloud tenant cannot be sure whether cloud provider A retains a backup after the data has been retrieved, or illegally analyzes the residual data.
The HDFS or S3 data migration model proceeds as follows: 1) user A sends a data migration request to its storage provider (cloud system 1); the request includes the source data, the destination and the object; 2) the metadata node of cloud system 1 checks whether user A holds the migration permission for the specified data; 3) the metadata node of cloud system 1 sends a write request containing the object and the destination path to the metadata node of cloud system 2; 4) the metadata node of cloud system 2 checks whether user A has permission to write data to the path specified in the write request; 5) if the check passes, the metadata node of cloud system 2 and its data nodes generate a write token (used during the migration); 6) the metadata node of cloud system 2 returns the generated write token to the metadata node of cloud system 1; 7) the metadata node of cloud system 1 distributes the received write token to the data nodes holding user A's data; 8) the data nodes of cloud system 1 send the data (a data access request) together with the token to the metadata node specified by the write token; 9) the metadata node of cloud system 2 verifies the token to decide whether the data block may be written; 10) if verification passes, the metadata node of cloud system 2 sends the address of the target data node to the source data node; 11) the source data node writes the data to the destination data node. Figure 2 is a schematic diagram of this model.
Three kinds of security risk can be seen in this process: 1) the security of communication between the metadata nodes of cloud system 1 and cloud system 2. Security protocol messages or tokens may be intercepted or tampered with at this stage, and an attacker could use those tokens to impersonate a legitimate party and deceive the other; 2) the security of communication between the source data node and the destination metadata node. If the token sent is intercepted, the attacker obtains address information that should be known only to the source data node; 3) the security of communication between the data nodes of cloud system 1 and cloud system 2.
Since both metadata nodes and data nodes may be impersonated by an attacker, there are two ways to improve the security of the migration: entity authentication and protection of the migrated data.
First, both metadata nodes involved in the migration need some form of security authentication. Approach: use the SSL protocol to establish a secure channel, which carries the subsequent security parameters such as data encryption keys, MACs and random keys, and is also used by the source data node to send its ticket to the destination metadata node.
Second, the metadata node of the destination system has the right to authenticate the source data node. If authentication fails, no data may be written into the destination system.
Finally, both the sending and the receiving side must apply security measures to the migrated data (in particular to guarantee its confidentiality). Approach: the data is encrypted with a temporary key, and a MAC of the ciphertext is computed with a pre-agreed algorithm.
In concrete terms this is reflected in three aspects: 1) the SSL phase. A secure channel is established between the two systems and the security parameters are transmitted over it: a temporary session key (used for MAC computation), a random key (used for symmetric encryption), and a least-privilege data migration ticket; 2) the least-privilege data migration ticket. The main concern is that an attacker may intercept the ticket (the token mentioned above) and harm the migration. Software-level security cannot prevent this from happening, but it can limit the impact. Even if an attacker intercepts the ticket by physical means, there is very little he can do with it. For example, the ticket can be made single-use: once a data node's ticket has been authenticated by the destination system's metadata node, it expires and becomes invalid. If two identical tickets are ever presented for authentication, an attacker is present, and the migration manager must be notified promptly. Here the source ID and destination ID can serve as the ticket (once an ID has been authenticated it is destroyed immediately); 3) data encryption. The original data form, "data block + hash value", can only be used to check data integrity. The new form, "data block + hash value + MAC (computed from the hash value and the random code)", guarantees the integrity, confidentiality and tamper-resistance of the migrated data.
The migration process of the improved HDFS or S3 data migration model is as follows: 1) after user A's identity has been authenticated, the MDM (migration decision module, integrated into the metadata node) of the source HDFS sends an SSL connection request to the MDM in the metadata node of the destination HDFS. The two metadata nodes then negotiate the subsequent security parameters; 2) on receiving the migration request from the source metadata node, the destination metadata node generates a session key (Kdn, used for communication between the source and destination metadata nodes) and a random number (Dhash, used for the double hash computation). The destination metadata node then sends Kdn and Dhash to the source metadata node; 3) after assigning the migration tasks to its data nodes, the source metadata node sends a ticket request (including the list of DataNode IP addresses) to the destination metadata node; 4) the MDM of the destination metadata node generates a series of tickets, encrypts each ticket with Kdst (known only to the destination metadata node), and returns the encrypted tickets to the source metadata node in the form tickets{IP, Kdst{ticket(s, ip, filepath)}}; 5) on receiving the encrypted tickets, the source metadata node distributes a ticket, Kdn and Dhash to each data node; 6) once distribution is complete, the SSL connection is terminated. Each task executor encrypts its already-encrypted ticket together with a timestamp using Kdn and sends this doubly encrypted ticket to the destination metadata node; 7) the destination metadata node decrypts the tickets, updates the timestamp in each ticket, and returns to each source data node the IP address of its corresponding destination data node; 8) after each source data node receives the IP address of its destination data node, it encrypts each data block to be migrated with the session key (Kdn) and obtains the first hash value (hash1); hash2 is computed with Dhash. The source data node then sends the doubly protected data block (data block + hash1 + hash2) to the destination data node. Figure 3 is a schematic diagram of this model.
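The ticket handling and the block format described in aspects 2) and 3) above, and in steps 4, 6, 7 and 8 of the improved model, can be exercised end to end in a short simulation. The following is an added example written for this page; it is not code from the patent, from HDFS or from S3. It assumes a toy HMAC-SHA256 counter keystream in place of the model's symmetric cipher, takes hash2 to be an HMAC of hash1 keyed with Dhash, and uses constructed node addresses and data.

```python
"""Added example, not code from the patent: a stdlib-only simulation of the
single-use tickets, the Kdn/Kdst layers and the "data block + hash1 + hash2"
format of the improved migration model. Assumptions: a toy HMAC-SHA256 counter
keystream stands in for the symmetric cipher; hash2 = HMAC(Dhash, hash1);
node names, IP addresses and payloads are constructed."""
import hashlib
import hmac
import json
import secrets
import time


def toy_cipher(key, data):
    # XOR with an HMAC-SHA256 counter keystream. Symmetric, so the same call
    # decrypts. A stand-in for a real cipher such as AES, not a real cipher.
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(key, i.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], ks))
    return bytes(out)


class DestinationMetadataNode:
    """Owns Kdst (never transmitted), hands out Kdn and Dhash, redeems tickets."""

    def __init__(self):
        self.kdst = secrets.token_bytes(32)
        self.kdn = secrets.token_bytes(32)      # session key (step 2)
        self.dhash = secrets.token_bytes(32)    # random number for hash2 (step 2)
        self.redeemed = set()                   # tickets already authenticated
        self.alerts = []                        # replay reports for the migration manager
        self.next_host = 10

    def issue_tickets(self, datanode_ips, filepath):
        # Step 4: tickets{IP, Kdst{ticket(s, ip, filepath)}}; a nonce makes each unique
        return {ip: toy_cipher(self.kdst, json.dumps(
                    {"s": "source-cloud", "ip": ip, "filepath": filepath,
                     "nonce": secrets.token_hex(8)}).encode())
                for ip in datanode_ips}

    def redeem(self, wrapped):
        # Steps 6-7: strip the Kdn layer, then the Kdst layer, then enforce single use
        try:
            outer = json.loads(toy_cipher(self.kdn, wrapped))
            ticket = json.loads(toy_cipher(self.kdst, bytes.fromhex(outer["ticket"])))
            tag = (ticket["ip"], ticket["nonce"])
        except (ValueError, KeyError, TypeError):
            return None
        if tag in self.redeemed:
            # Two identical tickets presented: the indicator of an attacker
            self.alerts.append("replayed ticket from %s at %d" % (ticket["ip"], outer["ts"]))
            return None
        self.redeemed.add(tag)
        self.next_host += 1
        return "10.0.2.%d" % self.next_host      # constructed destination DataNode IP


def wrap_ticket(kdn, encrypted_ticket):
    # Step 6: the task executor adds a timestamp and a second layer under Kdn
    return toy_cipher(kdn, json.dumps({"ts": int(time.time()),
                                       "ticket": encrypted_ticket.hex()}).encode())


def protect_block(kdn, dhash, block):
    # Step 8: ciphertext || hash1 = SHA-256(ciphertext) || hash2 = HMAC(Dhash, hash1)
    ct = toy_cipher(kdn, block)
    hash1 = hashlib.sha256(ct).digest()
    hash2 = hmac.new(dhash, hash1, hashlib.sha256).digest()
    return ct + hash1 + hash2


def unprotect_block(kdn, dhash, packet):
    # Receiver side: reject anything whose hash1 or keyed hash2 does not verify
    ct, hash1, hash2 = packet[:-64], packet[-64:-32], packet[-32:]
    if hashlib.sha256(ct).digest() != hash1:
        return None
    if not hmac.compare_digest(hmac.new(dhash, hash1, hashlib.sha256).digest(), hash2):
        return None
    return toy_cipher(kdn, ct)


def simulate():
    dst = DestinationMetadataNode()
    tickets = dst.issue_tickets(["10.0.1.5"], "/tenant-a/data")
    wrapped = wrap_ticket(dst.kdn, tickets["10.0.1.5"])
    first = dst.redeem(wrapped)             # legitimate redemption
    replay = dst.redeem(wrapped)            # same ticket again: must be refused
    packet = protect_block(dst.kdn, dst.dhash, b"constructed block payload")
    good = unprotect_block(dst.kdn, dst.dhash, packet)
    tampered = bytes([packet[0] ^ 1]) + packet[1:]          # ciphertext flipped
    ct = packet[:-64]
    forged_ct = bytes([ct[0] ^ 1]) + ct[1:]
    forged = forged_ct + hashlib.sha256(forged_ct).digest() + packet[-32:]  # hash1 recomputed
    return {"first_ip": first, "replay_refused": replay is None,
            "alerts": len(dst.alerts), "roundtrip": good,
            "tamper_refused": unprotect_block(dst.kdn, dst.dhash, tampered) is None,
            "forged_hash1_refused": unprotect_block(dst.kdn, dst.dhash, forged) is None}
```

The `redeemed` set is what turns an intercepted ticket from a silent compromise into a detectable event, which is exactly the page's argument for single-use tickets. The `forged` case shows why hash2 must be keyed: an attacker who alters the ciphertext can recompute the unkeyed hash1, but cannot produce a matching hash2 without Dhash.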
The improved HDFS or S3 data migration model guarantees integrity and confidentiality during the migration, but it still has shortcomings: 1) after the cloud tenant's data has been migrated out of the source cloud system, it is unknown whether backups or residual data remain and whether the cloud provider might illegally analyze the user's data; 2) there is no supervision mechanism over the source and destination cloud systems, so when a security dispute about a migration arises, the cloud providers can easily shift responsibility onto each other and the cloud tenant cannot determine which party is at fault. For example, after the cloud tenant's data has been migrated securely from cloud system A to cloud system B, cloud system A deletes the metadata and all backups of the migrated data. If, for some reason, the user's data is illegally deleted or tampered with after reaching cloud system B, cloud provider B, to protect its commercial reputation, will insist that the data was illegally deleted or modified in cloud system A before it was migrated. In this situation the cloud tenant cannot know for certain which party is responsible, and even if the tenant knows that cloud provider B is at fault, it cannot defend its rights because it cannot produce reliable evidence; 3) dynamic data update operations are not supported, such as modifying or deleting part of the data while it is being migrated. Users can operate on the migrated data only before or after the migration, which is inconvenient.
Summary of the utility model
The purpose of the utility model is to provide a cloud secure data migration model that reduces the security risks of the data migration process.
The technical solution adopted by the utility model to solve its technical problem is as follows:
A cloud secure data migration model, comprising:
a cloud tenant, a third-party auditor, a source cloud system and a destination cloud system;
the third-party auditor, which provides a data integrity verification function for checking the integrity of the cloud tenant's data in a cloud system;
the source cloud system, which comprises a metadata node and data nodes;
the destination cloud system, which comprises a metadata node and data nodes;
the metadata node, which comprises an access control module, a migration decision module and the metadata of the entire cloud system;
the access control module is used to verify whether the cloud tenant holds the corresponding operation permissions;
the migration decision module is used to generate and submit the cloud tenant's data migration requests;
the metadata node is used to manage the data of all cloud tenants;
the data nodes are used to store the actual data of all cloud tenants and its backups.
The cloud tenant is an entity that has purchased storage services from both the source cloud provider and the destination cloud provider, and holds permission to read and write data in the source cloud system and to migrate data to the destination cloud system.
The source cloud system is an entity that provides cloud storage and cloud security services to cloud tenants. When a cloud tenant requests a data migration, the source cloud system can securely transfer the tenant's data to the destination cloud system the tenant specifies; it also accepts security supervision by the third-party auditor.
The destination cloud system is an entity that provides cloud storage and cloud security services to cloud tenants. When a cloud tenant requests a data migration, the destination cloud system can receive data from the source cloud system the tenant specifies; it also accepts security supervision by the third-party auditor.
The third-party auditor is an entity that can check the integrity of a cloud tenant's data held in a cloud system. When a cloud tenant requests a data migration, it can audit the migration of the data out of the source cloud system, the migration of the data into the destination cloud system, and, after the migration, the complete deletion by the source cloud system of the metadata and backups of the migrated data. Moreover, the audit is privacy-preserving with respect to the tenant's data: the auditor cannot recover the actual content of the data it audits.
The third-party auditor can process data migration audit tasks submitted by multiple cloud tenants simultaneously, that is, perform batch auditing.
The third-party auditor is trusted by both the cloud tenant and the cloud providers, much like a notary or supervisory body in everyday life. It meets the following requirements: 1) it can verify the integrity of a cloud tenant's data in the cloud system without needing a local copy; 2) during integrity verification the tenant's data remains opaque to it, that is, it cannot recover the actual content of the audited data; 3) it supports dynamic data updates, so the cloud tenant can update the relevant data in the cloud system at any time, for example by adding, modifying or deleting; 4) it can handle data migration audit requests from multiple cloud tenants at the same time.
Before migrating its data, the cloud tenant may first submit a migration security audit request to the third-party auditor; the request names the source cloud system, the destination cloud system and the data to be audited. The third-party auditor performs a complete data integrity check on the data the tenant wants audited and sends the tenant an audit notice with the inspection report attached. On receiving the audit notice, the cloud tenant has a clear picture of the integrity of its data; if the result is outside what the tenant will accept, the tenant negotiates with the source cloud provider until an agreement is reached. The cloud tenant then submits a data migration request to the source cloud provider, and after confirming the tenant's identity and permissions the source cloud system sends requests to both the destination cloud system and the third-party auditor. The reason the source cloud system itself sends a migration request to the third-party auditor is to prevent it from copying the tenant's data to some "secret location" for later illegal analysis while migrating it to the destination the tenant specified. The third-party auditor compares the security audit request submitted by the tenant with the migration request submitted by the source cloud system: if both name the same destination cloud system, the migration is considered safe; otherwise a security risk exists and the tenant must be told immediately. After passing the destination cloud system's series of authentication checks, the source cloud system formally migrates the data to the destination cloud system, while the third-party auditor begins checking the integrity of the data throughout the migration. Here the third-party auditor's functions are: 1) auditing the migration of the data out of the source cloud system; 2) auditing the migration of the data into the destination cloud system; 3) auditing the secure deletion of the migrated data's metadata and backups in the source cloud system; 4) auditing the integrity of the data migrated into the destination cloud system. Finally, when the migration is complete, the source and destination cloud systems each submit a migration completion report to the cloud tenant, and the third-party auditor submits a migration audit report. Using the audit report as the reference, the tenant compares it with the reports from the source and destination cloud systems: if they agree, the migration was safe; otherwise the tenant uses the discrepancy as evidence to defend its rights. Lastly, the cloud tenant may continue to commission the third-party auditor to monitor the integrity of the migrated data in the destination cloud system.
The advantages of this cloud secure data migration model are:
1) It overcomes all the defects of the traditional data migration model: the cloud tenant no longer has to download the migrated data itself and re-upload it to the destination cloud system;
2) It eliminates all the security risks in the migration process of the HDFS or S3 data migration model;
3) It overcomes the lack of supervision over the source and destination cloud systems in the improved HDFS or S3 data migration model; once a data migration security dispute arises, the third-party auditor can quickly determine the cause of the incident and provide the cloud tenant with strong evidence to defend its rights;
4) It overcomes the inability of the three existing models to resolve data security disputes between users and cloud systems;
5) It overcomes the inability of the three existing models to determine whether, after the migration is complete, the source cloud system has completely deleted the metadata of the migrated data and all its backups;
6) It solves the problem in the three existing models that the source cloud system may secretly transfer the cloud tenant's data elsewhere during the migration, that is, one copy goes to the destination cloud system specified by the tenant and another to a location planned in advance by the source cloud system;
7) It overcomes the defect of the three existing models that the cloud tenant cannot dynamically update the data during the migration, that is, that the tenant has no access to the data while it is being migrated;
8) It overcomes the lack, in the three existing data migration models, of follow-up integrity supervision after the data has been securely migrated to the destination cloud system;
9) It overcomes the defect of the three existing models that the migration process is invisible to the cloud tenant; the third-party auditor provides the tenant with a complete report on the migration, strengthening the tenant's control over it;
10) The third-party auditor can process multiple data migration requests at the same time, that is, perform batch auditing, which not only saves the cloud tenant's time, labor and material costs but also saves social resources, fits the development philosophy of cloud computing, and is significant for further expanding cloud economies of scale.
Brief description of the drawings
Figure 1 is a schematic diagram of the structure of the traditional data migration model;
Figure 2 is a schematic diagram of the structure of the HDFS or S3 data migration model;
Figure 3 is a schematic diagram of the structure of the improved HDFS or S3 data migration model;
Figure 4 is a schematic diagram of the structure of the cloud secure data migration model proposed by the utility model.
Detailed description
In order to make the technical means, creative features, objectives and effects of the utility model easy to understand, the utility model is further described below with reference to the drawings and specific embodiments.
Referring to Figures 3 and 4, the cloud secure data migration model proposed by the utility model comprises a cloud tenant, a third-party auditor, a source cloud system and a destination cloud system. The third-party auditor provides a data integrity verification function for checking the integrity of the cloud tenant's data in a cloud system. The source cloud system comprises a metadata node and data nodes, as does the destination cloud system. The metadata node comprises an access control module, a migration decision module and the metadata of the entire cloud system: the access control module verifies whether the cloud tenant holds the corresponding operation permissions, and the migration decision module generates and submits the tenant's data migration requests. The metadata node manages the data of all cloud tenants; the data nodes store the actual data of all cloud tenants and its backups.
According to this cloud security data migration model, the specific process of data migration in the cloud environment is as follows:
1. The cloud tenant submits a migration security audit request (including the source cloud system and the destination cloud system) to the third-party auditor;
2. The third-party auditor checks the integrity of the data to be migrated in the source cloud system, generates a pre-migration data integrity report, and returns it to the cloud tenant;
3. After reviewing the report, if everything is normal, the cloud tenant sends a data migration request to the source cloud system (including the data to be migrated, the destination cloud system, the third-party auditor, etc.);
4. The source cloud system sends a migration request to the destination cloud system and to the third-party auditor;
5. The third-party auditor takes the destination cloud system from the migration request and compares it with the destination cloud system specified in the migration security audit request submitted by the cloud tenant. If the two differ, the source cloud system is secretly transferring the cloud tenant's data elsewhere, and the third-party auditor must report this to the cloud tenant promptly; otherwise, the third-party auditor formally begins the secure migration audit of the source cloud system and the destination cloud system;
6. After receiving the permission message from the destination cloud system, the source cloud system starts migrating data to the destination cloud system (the data migration process itself is given by the improved HDFS or S3 data migration model);
7. When the data migration is complete, the destination cloud system sends a data-reception-complete message (including start time, end time, data volume, source cloud system, etc.) to the cloud tenant and the source cloud system;
8. After receiving the data-reception-complete message from the destination cloud system, the source cloud system securely deletes the cloud tenant's migrated data and sends a data-migration-complete message to the cloud tenant (including start time, end time, data volume, destination cloud system, migration data deletion information, etc.);
9. The third-party auditor sends a migration audit report to the cloud tenant (including source cloud system, destination cloud system, start time, end time, data volume, deletion information for the migrated data in the source cloud system, etc.);
10. The cloud tenant compares the information submitted by the source cloud system and the destination cloud system with the third-party auditor's audit result. If they agree, the data migration was secure; otherwise, one of the parties has deceived the cloud tenant.
11. The cloud tenant may continue to entrust the third-party auditor with integrity monitoring of the migrated data in the destination cloud system.
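The two checks that give this protocol its teeth are the third-party auditor's destination comparison in step 5 and the tenant's three-way reconciliation in step 10. The following is an added example, not code from the patent, that drives steps 1 to 10 with in-memory stores so both checks can be exercised against a misbehaving source cloud. It assumes SHA-256 digests as the integrity report (the patent does not fix the method), constructed system identifiers (`cloud-A`, `cloud-B`, `cloud-X`) and constructed clock values, and it does not model the HDFS or S3 transfer itself.

```python
import hashlib
from copy import deepcopy

# Constructed sample data (not from the patent): the tenant's objects in the source cloud.
TENANT_OBJECTS = {
    "invoices/2012-06.csv": b"id,amount\n1,100\n2,250\n",
    "contracts/nda.pdf": b"%PDF-1.4 constructed-sample-bytes",
}
# Constructed identifiers for the cloud systems; the patent names the roles, not the values.
SOURCE, DEST, ROGUE_DEST = "cloud-A", "cloud-B", "cloud-X"


def integrity_report(store):
    """Steps 2 and 11: the auditor's per-object SHA-256 digests for one cloud's copy of the data."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in sorted(store.items())}


def tpa_check_destination(audit_request, migration_request):
    """Step 5: the destination the source cloud announces must equal the one the tenant approved;
    a mismatch means the source is moving tenant data somewhere the tenant never agreed to."""
    return migration_request["destination"] == audit_request["destination"]


def tenant_verify(source_msg, dest_msg, audit_report):
    """Step 10: every field the two clouds report must agree with what the auditor observed."""
    return (
        source_msg["destination"] == audit_report["destination"]
        and dest_msg["source"] == audit_report["source"]
        and source_msg["data_volume"] == dest_msg["data_volume"] == audit_report["data_volume"]
        and source_msg["deleted"] == audit_report["source_deleted"]
        and (source_msg["start"], source_msg["end"]) == (audit_report["start"], audit_report["end"])
        and (dest_msg["start"], dest_msg["end"]) == (audit_report["start"], audit_report["end"])
    )


def run_scenario(reroute=False, skip_delete=False):
    """Drive steps 1-10 end to end. `reroute` makes the source cloud announce a destination the
    tenant did not approve; `skip_delete` makes it keep the data while claiming deletion."""
    source_store = deepcopy(TENANT_OBJECTS)
    dest_store = {}
    result = {"tpa_alert": False, "tenant_verdict": None}

    # Steps 1-3: tenant requests a pre-migration audit, then authorises the migration.
    audit_request = {"source": SOURCE, "destination": DEST}
    pre_report = integrity_report(source_store)
    migration_request = {"objects": list(TENANT_OBJECTS),
                         "destination": ROGUE_DEST if reroute else DEST}

    # Steps 4-5: source cloud forwards the request; auditor checks the announced destination.
    if not tpa_check_destination(audit_request, migration_request):
        result["tpa_alert"] = True  # auditor reports the silent diversion to the tenant
        return result

    # Step 6: data moves; the auditor records timing and volume (constructed clock values).
    start, end = 1000, 1042
    for name in migration_request["objects"]:
        dest_store[name] = source_store[name]
    volume = sum(len(b) for b in dest_store.values())

    # Step 7: destination reports completion to the tenant and the source.
    dest_msg = {"source": SOURCE, "start": start, "end": end, "data_volume": volume}

    # Step 8: source deletes and reports; the auditor independently observes whether it did.
    if not skip_delete:
        for name in migration_request["objects"]:
            del source_store[name]
    really_deleted = not any(n in source_store for n in migration_request["objects"])
    source_msg = {"destination": DEST, "start": start, "end": end, "data_volume": volume,
                  "deleted": True}  # the source always *claims* deletion

    # Step 9: the auditor's report is built from what it observed, not from what the clouds claim.
    audit_report = {"source": SOURCE, "destination": DEST, "start": start, "end": end,
                    "data_volume": volume, "source_deleted": really_deleted}

    # Step 10, plus the post-migration integrity check of the destination copy from step 11.
    result["tenant_verdict"] = tenant_verify(source_msg, dest_msg, audit_report)
    result["dest_intact"] = integrity_report(dest_store) == pre_report
    return result


if __name__ == "__main__":
    print("honest:     ", run_scenario())
    print("rerouted:   ", run_scenario(reroute=True))
    print("kept a copy:", run_scenario(skip_delete=True))
```

The design point is that the auditor's report is derived from its own observations (the destination it saw in step 4, whether the source copy is actually gone), so a source cloud that lies in its step 8 message is caught by the step 10 comparison even though its message is internally consistent, and a source cloud that names a different destination never gets past step 5.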
The basic principles, main features and advantages of the utility model have been shown and described above. Those skilled in the art should understand that the utility model is not limited by the above embodiments; the embodiments and the description only illustrate its principle, and various changes and improvements can be made without departing from the spirit and scope of the utility model, all of which fall within the claimed scope. The scope of protection of the utility model is defined by the appended claims and their equivalents.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 201220314858CN202663444U (en) | 2012-06-29 | 2012-06-29 | Cloud safety data migration model |
| Publication Number | Publication Date |
|---|---|
| CN202663444Utrue CN202663444U (en) | 2013-01-09 |
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 201220314858Expired - Fee RelatedCN202663444U (en) | 2012-06-29 | 2012-06-29 | Cloud safety data migration model |
| Country | Link |
|---|---|
| CN (1) | CN202663444U (en) |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103699851A (en)* | 2013-11-22 | 2014-04-02 | 杭州师范大学 | Remote data completeness verification method facing cloud storage |
| CN104052775A (en)* | 2013-03-14 | 2014-09-17 | 腾讯科技(深圳)有限公司 | Authority management method of cloud platform service, device and system |
| WO2015000105A1 (en)* | 2013-07-01 | 2015-01-08 | Empire Technology Development Llc | Data migration in a storage network |
| CN104426952A (en)* | 2013-08-28 | 2015-03-18 | 华为技术有限公司 | Data migration method, device and system |
| CN105721515A (en)* | 2014-12-02 | 2016-06-29 | 鸿富锦精密工业(深圳)有限公司 | Cloud agent device, cloud storage and file transfer method |
| CN106101216A (en)* | 2016-06-08 | 2016-11-09 | 北京工业大学 | Based on the safe migration of data method separating logic |
| CN107277162A (en)* | 2017-07-20 | 2017-10-20 | 成都超域物联科技有限公司 | A kind of intelligent household management system and method based on network cloud |
| CN107995147A (en)* | 2016-10-27 | 2018-05-04 | 中国电信股份有限公司 | Metadata encryption and decryption method and system based on distributed file system |
| CN108197496A (en)* | 2018-01-18 | 2018-06-22 | 成都博睿德科技有限公司 | Data safety Enhancement Method under cloud computing environment |
| CN114398005A (en)* | 2021-12-22 | 2022-04-26 | 上海金仕达软件科技有限公司 | Data secure migration method and device and storage medium |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104052775A (en)* | 2013-03-14 | 2014-09-17 | 腾讯科技(深圳)有限公司 | Authority management method of cloud platform service, device and system |
| WO2014139298A1 (en)* | 2013-03-14 | 2014-09-18 | Tencent Technology (Shenzhen) Company Limited | Permission management method, device and system for cloud platform service |
| CN104052775B (en)* | 2013-03-14 | 2016-11-23 | 腾讯科技(深圳)有限公司 | Right management method, device and the system of a kind of cloud platform service |
| US20150373026A1 (en)* | 2013-03-14 | 2015-12-24 | Tencent Technology (Shenzhen) Company Limited | Permission management method, device and system for cloud platform service |
| US9444891B2 (en) | 2013-07-01 | 2016-09-13 | Empire Technology Development LLC | Data migration in a storage network |
| WO2015000105A1 (en)* | 2013-07-01 | 2015-01-08 | Empire Technology Development Llc | Data migration in a storage network |
| CN104426952A (en)* | 2013-08-28 | 2015-03-18 | 华为技术有限公司 | Data migration method, device and system |
| CN103699851B (en)* | 2013-11-22 | 2016-05-25 | 杭州师范大学 | A kind of teledata integrity verification method of facing cloud storage |
| CN103699851A (en)* | 2013-11-22 | 2014-04-02 | 杭州师范大学 | Remote data completeness verification method facing cloud storage |
| CN105721515A (en)* | 2014-12-02 | 2016-06-29 | 鸿富锦精密工业(深圳)有限公司 | Cloud agent device, cloud storage and file transfer method |
| CN105721515B (en)* | 2014-12-02 | 2019-06-07 | 鸿富锦精密工业(深圳)有限公司 | The method of cloud agent equipment, cloud disk and archives transfer |
| CN106101216A (en)* | 2016-06-08 | 2016-11-09 | 北京工业大学 | Based on the safe migration of data method separating logic |
| CN107995147A (en)* | 2016-10-27 | 2018-05-04 | 中国电信股份有限公司 | Metadata encryption and decryption method and system based on distributed file system |
| CN107277162A (en)* | 2017-07-20 | 2017-10-20 | 成都超域物联科技有限公司 | A kind of intelligent household management system and method based on network cloud |
| CN107277162B (en)* | 2017-07-20 | 2021-03-30 | 成都超域物联科技有限公司 | Intelligent home management system and method based on network cloud |
| CN108197496A (en)* | 2018-01-18 | 2018-06-22 | 成都博睿德科技有限公司 | Data safety Enhancement Method under cloud computing environment |
| CN114398005A (en)* | 2021-12-22 | 2022-04-26 | 上海金仕达软件科技有限公司 | Data secure migration method and device and storage medium |
| Publication | Publication Date | Title |
|---|---|---|
| CN202663444U (en) | | Cloud safety data migration model |
| CN103095847B (en) | | Cloud storage safety-ensuring method and system thereof |
| CN113541935B (en) | | An encrypted cloud storage method, system, device and terminal supporting key escrow |
| US20130031155A1 (en) | | Electronic file sharing |
| CN102223420A (en) | | Digital content distribution method for multimedia social network |
| CN113901507B (en) | | Multi-party resource processing method and privacy computing system |
| Purchina et al. | | Securing an Information System via the SSL Protocol |
| Shen et al. | | SecDM: Securing data migration between cloud storage systems |
| WO2024152572A1 (en) | | Global user compliance access method, system and apparatus based on routing policy, and electronic device |
| CN118862147A (en) | | A privacy protection method for federated learning models based on TEE |
| US11804969B2 (en) | | Establishing trust between two devices for secure peer-to-peer communication |
| CN106529216A (en) | | Software authorization system based on public storage platforms and software authorization method |
| Gunadham et al. | | Security concerns in cloud computing for knowledge management systems |
| CN110120951A (en) | | A kind of cloud key management system |
| CN119096521A (en) | | Systems and methods for facilitating secure authentication when performing blockchain operations using cryptography-based storage applications |
| Resende et al. | | Enforcing privacy and security in public cloud storage |
| CN117294459A (en) | | Safety control method of track traffic data platform based on zero trust |
| Mudgal et al. | | International journal of engineering sciences & research technology enhancing data security using encryption and splitting technique over multi-cloud environment |
| Srikanth et al. | | Proxy-Based Re-Encryption Design for the IoT Ecosystem |
| CN111651776A (en) | | Access control record storage method and device |
| Arora et al. | | Mathematical foundations of data security in cloud environment |
| US12395473B2 (en) | | Systems and methods for distributed cryptography as a service key loading |
| US12388658B2 (en) | | Systems and methods for initializing a distributed cryptography as a service application |
| US12423448B2 (en) | | Systems and methods for initializing a distributed cryptography as a service application |
| Kaushik et al. | | Cloud computing security: attacks, threats, risk and solutions |
| Date | Code | Title | Description |
|---|---|---|---|
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | C17 | Cessation of patent right | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20130109; Termination date: 20130629 |