[go: up one dir, main page]
More Web Proxy on the site http://driver.im/

CN116881956B - Permission management method and device oriented to multi-cloud resource management - Google Patents

Permission management method and device oriented to multi-cloud resource management Download PDF

Info

Publication number
CN116881956B
CN116881956B CN202311154001.7A CN202311154001A CN116881956B CN 116881956 B CN116881956 B CN 116881956B CN 202311154001 A CN202311154001 A CN 202311154001A CN 116881956 B CN116881956 B CN 116881956B
Authority
CN
China
Prior art keywords
authorization
role
time
roles
cloud platform
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202311154001.7A
Other languages
Chinese (zh)
Other versions
CN116881956A (en
Inventor
李强
陈又咏
蔡清远
程明
赖嘉庆
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
State Grid Information and Telecommunication Co Ltd
Fujian Yirong Information Technology Co Ltd
Great Power Science and Technology Co of State Grid Information and Telecommunication Co Ltd
Original Assignee
State Grid Information and Telecommunication Co Ltd
Fujian Yirong Information Technology Co Ltd
Great Power Science and Technology Co of State Grid Information and Telecommunication Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by State Grid Information and Telecommunication Co Ltd, Fujian Yirong Information Technology Co Ltd, Great Power Science and Technology Co of State Grid Information and Telecommunication Co Ltd filed Critical State Grid Information and Telecommunication Co Ltd
Priority to CN202311154001.7A priority Critical patent/CN116881956B/en
Publication of CN116881956A publication Critical patent/CN116881956A/en
Application granted granted Critical
Publication of CN116881956B publication Critical patent/CN116881956B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/604Tools and structures for managing or administering access control systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2137Time limited access, e.g. to a computer or data
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Bioethics (AREA)
  • General Health & Medical Sciences (AREA)
  • Computer Hardware Design (AREA)
  • Health & Medical Sciences (AREA)
  • Software Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Automation & Control Theory (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a rights management method and device for multi-cloud resource management, and particularly relates to the technical field of rights management, wherein the rights management method and device comprises a data processing module, an information acquisition module, a marking module, an authorization strategy module and a real-time judging module, wherein the information acquisition module, the marking module, the authorization strategy module and the real-time judging module are in communication connection with the data processing module; according to the marking conditions of enterprise users and roles, corresponding authorization strategies are formulated, so that the security of the cloud platform and the flexibility of access control are improved, and the authorization process of normal enterprise users is reduced; and judging whether the role or enterprise user performs the authorization step again or not by comparing the offline time of the role with the offline time threshold and comparing the offline times with the offline times threshold so as to reduce potential security vulnerabilities or risks, solve the problem of complex authorization of cloud platform resources and ensure the security of accessing the cloud resources at the enterprise user based on the cloud platform.

Description

Permission management method and device oriented to multi-cloud resource management
Technical Field
The invention relates to the technical field of rights management, in particular to a rights management method and device for multi-cloud resource management.
Background
With the rapid development of cloud computing markets, enterprises are converting from single cloud services to hybrid cloud and multi-cloud services, the technical advantages of different cloud manufacturers can be fully utilized by using a multi-cloud architecture, and the strategy of multi-cloud deployment can be dynamically adjusted according to the requirements of services, technologies, performances and the like, so that the multi-cloud architecture provides great convenience for rapid innovation of the enterprises, a plurality of challenges are brought, the management of the multi-cloud is more and more complex, independent management processes and systems are required to be built for each cloud platform, and particularly, the management is abnormal and complex in terms of user resource management of a plurality of cloud platforms.
The enterprise has higher requirements on security in communication with the cloud platform, the enterprise user generally comprises a plurality of access roles, when the existing enterprise user accesses the cloud platform by using different access roles, in order to ensure the security of cloud resources of the cloud platform, the authority of the access roles to access the cloud resources of the cloud platform needs to be authorized and managed according to the difference of each cloud platform to the access roles, and the cloud platforms are authorized one by one, so that the problems of great workload and complexity exist, and the access efficiency is affected.
In order to solve the above problems, a technical solution is now provided.
Disclosure of Invention
In order to overcome the above drawbacks of the prior art, embodiments of the present invention provide a rights management method and apparatus for multi-cloud resource management to solve the problems set forth in the background art.
In order to achieve the above purpose, the present invention provides the following technical solutions:
a rights management method facing to multi-cloud resource management comprises the following steps:
step S1: collecting historical authorization process information and historical operation information, and calculating a historical authority security assessment coefficient according to the historical authorization process information and the historical operation information; marking the diagonal color by comparing the historical authority security assessment coefficient with an authority security assessment threshold;
step S2: calculating the role risk rate, and marking enterprise users according to the comparison between the role risk rate and the role risk rate threshold value; according to the marked condition of enterprise users and the marked condition of roles, an authorization strategy is formulated;
step S3: and acquiring real-time safety information, obtaining the offline time and offline times of the roles according to the real-time safety information, and judging whether to re-authorize or not through comparison of the offline time and the offline time threshold value and comparison of the offline times and the offline time threshold value.
In a preferred embodiment, the historical authorization process information includes an authorization summary value, and the authorization summary value is obtained by:
setting standard authorization time which is the average value of the times used for successful authorization in the authorization step; in the history of acquisition, the number of times of authorizing steps of the cloud platform to the character in the history is acquired, the authorizing steps of the cloud platform to the character in the history are numbered, and the number of authorizing steps of the cloud platform to the character in the history is marked as,/>Is a positive integer; acquiring time used by each cloud platform in the history of successful authorization for the role;
calculating an authorization clique value, wherein the authorization clique value is expressed as follows:the method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Time taken for the authorization step of a cloud platform for a character, +.>For standard authorized time, ++>Is an authorized bumpy value;
the authorization success rate is the ratio of the number of times of successful authorization to the total number of times of the authorization step of the cloud platform to the role;
the historical operation information is reflected by the operation safety value; acquiring the total access times of the roles on the cloud platform, and acquiring the abnormal access times of the roles on the cloud platform after the roles are successfully authorized; acquiring the times of exceeding the authority of a role in a certain access process; setting an override authority number threshold, and marking the number of times of the access process, which exceeds the authority number threshold in the access process, as an authority override value;
calculating an operation safety value according to the abnormal access times, the total access times and the authority override value;
and weighting and summing the authorized camping value, the authorized success rate and the operation safety value to obtain a historical authority safety evaluation coefficient.
In a preferred embodiment, a rights security assessment threshold is set; and marking the roles as dangerous roles when the historical permission safety evaluation coefficient is larger than the permission safety evaluation threshold, and marking the roles as safe roles when the historical permission safety evaluation coefficient is smaller than or equal to the permission safety evaluation threshold.
In a preferred embodiment, in step S2, a role risk is calculated from the number of roles marked as dangerous roles within the enterprise user and the number of roles marked as safe roles within the enterprise user; setting a role risk threshold, and marking enterprise users as dangerous enterprise users when the role risk is larger than the role risk threshold; when the role risk rate is smaller than or equal to the role risk rate threshold value, marking the enterprise user as a normal enterprise user;
when the enterprise user is marked as a dangerous enterprise user, generating a three-level authorization signal; when the enterprise user is marked as a normal enterprise user and the role is marked as a dangerous role, generating a secondary authorization signal; when an enterprise user is marked as a normal enterprise user and a role is marked as a security role, a primary authorization signal is generated.
In a preferred embodiment, in step S3, real-time security information is collected, the real-time security information being represented by the character off-line time;
setting an offline time threshold, and generating a role re-authorization signal when the offline time of the role is greater than the offline time threshold;
recording the times of generating the role re-authorization signal; setting an offline frequency threshold, and generating an enterprise user re-authorization signal when the frequency of generating the role re-authorization signal is greater than the offline frequency threshold.
In a preferred embodiment, the rights management device for cloud resource management comprises a data processing module, an information acquisition module, a marking module, an authorization strategy module and a real-time judging module, wherein the information acquisition module, the marking module, the authorization strategy module and the real-time judging module are in communication connection with the data processing module;
the information acquisition module acquires historical authorization process information and historical operation information, the historical authorization process information and the historical operation information are sent to the data processing module, and the data processing module calculates a historical authority security assessment coefficient;
the information acquisition module acquires real-time safety information, the real-time safety information is sent to the data processing module, and the data processing module processes the real-time safety information to obtain the offline time and offline times of the roles;
the marking module marks the diagonal colors through the comparison of the historical authority security assessment coefficient and the authority security assessment threshold; the marking module marks the enterprise users according to the comparison of the role risk rate and the role risk rate threshold value;
the authorization policy module formulates an authorization policy according to the marked condition of the enterprise user and the marked condition of the role;
the real-time judging module judges whether to re-authorize or not through the comparison of the offline time and the offline time threshold value and the comparison of the offline times and the offline times threshold value.
The rights management method and the rights management device for the cloud resource management have the technical effects and advantages that:
1. calculating a historical authority security assessment coefficient through the historical authorization process information and the historical operation information, and marking different roles as dangerous roles or safe roles according to comparison of the historical authority security assessment coefficient and an authority security assessment threshold; such tagging and categorization may help enterprise users quickly learn about the security status of the roles.
2. Marking the enterprise users as dangerous enterprise users or normal enterprise users according to the role risk rate and the role risk rate threshold value; such tagging and categorization may help enterprise users identify enterprise users with higher security risks; according to the marking conditions of enterprise users and roles, a corresponding authorization strategy is formulated, so that the problem that resources of a cloud platform are complex to authorize is solved, the security and the access control flexibility of the cloud platform are improved, and meanwhile, the authorization process of normal enterprise users is reduced.
3. By acquiring the offline time of the role, comparing the offline time of the role with the offline time threshold and comparing the offline times with the offline times threshold, judging whether the role or the enterprise user carries out the authorization step again so as to reduce potential security holes or risks, and by re-authorizing, the access authority of the whole enterprise user is ensured to be effectively managed, so that the offline condition of the role inside the enterprise user can be timely dealt with, and the security of accessing the cloud resources on the basis of the cloud platform by the enterprise user is ensured.
Drawings
FIG. 1 is a schematic diagram of a rights management method for multi-cloud resource management according to the present invention;
fig. 2 is a schematic structural diagram of a rights management unit for multi-cloud resource management according to the present invention.
Detailed Description
The following description of the embodiments of the present invention will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present invention, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
Example 1
Fig. 1 shows a rights management method for multi-cloud resource management, which includes the following steps:
step S1: collecting historical authorization process information and historical operation information, and calculating a historical authority security assessment coefficient according to the historical authorization process information and the historical operation information; and marking the diagonal colors by comparing the historical permission safety evaluation coefficients with permission safety evaluation thresholds.
Step S2: calculating the role risk rate, and marking enterprise users according to the comparison between the role risk rate and the role risk rate threshold value; and formulating an authorization strategy according to the marked condition of the enterprise user and the marked condition of the role.
Step S3: and acquiring real-time safety information, obtaining the offline time and offline times of the roles according to the real-time safety information, and judging whether to re-authorize or not through comparison of the offline time and the offline time threshold value and comparison of the offline times and the offline time threshold value.
In step S1, an enterprise user generally accesses a cloud platform with more than one role to obtain cloud resources, and the cloud platform authorizes the enterprise user first and then authorizes the enterprise user to include the corresponding role; enterprise users include role 1, role 2, role 3. n is a positive integer.
And respectively acquiring historical authorization process information and historical operation information of the roles included by the enterprise user.
The authorization result of the authorization step of the cloud platform to the role is divided into authorization success and authorization failure; the total number of the authorization steps of the cloud platform to the character is the sum of the number of times that the authorization of the cloud platform to the character is successful and the number of times that the authorization of the cloud platform to the character is failed.
The historical authorization process information includes authorization values, which are obtained as follows:
setting standard authorization time, wherein the standard authorization time is set according to the security requirement of the cloud platform, the actual time used in the actual authorization process and other actual conditions; the standard authorization time setting steps are as follows: setting an authorization step corresponding to the cloud platform according to the security requirement of the cloud platform, wherein the higher the security requirement is, the more complicated the step is; performing simulation experiments on steps of the authorization process to obtain a large number of times of time used for executing the authorization process, namely the time used for successfully authorizing the authorization step, calculating the average value of the time used for successfully authorizing the authorization step under a large number of times, wherein the standard authorization time is the average value of the time used for successfully authorizing the authorization step; in the process of authorizing the enterprise user roles by the cloud platform in the later period, the time used for successful authorization of the enterprise user roles is generally longer than the standard authorization time due to the influence of manual operation.
The authorization value represents the fluency of authorization steps when a role of a user of an enterprise accesses a cloud platform.
In the history of acquisition, acquiring the times of authorizing steps of the cloud platform to the character in the history, numbering the authorizing steps of the cloud platform to the character in the history, and marking the number of authorizing steps of the cloud platform to the character in the history as;/>Is a positive integer; and acquiring the time used by each cloud platform in the history of successful authorization for the role.
Calculating an authorization campness value through the time used in the step of authorizing the character by the cloud platform and the standard authorization time, wherein the authorization campness value expression is as follows:the method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Time taken for the authorization step of a cloud platform for a character, +.>For standard authorized time, ++>Is an authorized bumpy value; the greater the authorization value, the longer the time of the cloud platform authorization to the role in the history, the worse the fluency of the authorization step, and the authorization stepThe longer the exposure time of the security credentials, the greater the risk that there may be unauthorized access or attack during authorization; the windows of security vulnerabilities and risks are increased, making the cloud platform and related data vulnerable to unauthorized access or attack.
The authorization success rate is the ratio of the number of times of successful authorization to the total number of times of the authorization step of the cloud platform to the role; the higher the success rate of the authorization, the higher the security during the authorization.
And acquiring historical operation information, wherein the historical operation information is embodied through an operation safety value.
The operation safety value represents the safety of a certain enterprise user when the role of the certain enterprise user acquires cloud resources of a certain cloud platform.
In the history, the total access times of the roles on the cloud platform are obtained, and after the roles are successfully authorized, the abnormal access times of the roles on the cloud platform are obtained, wherein the abnormal access times comprise the access times of an abnormal time period and the access times of an abnormal geographic position; the abnormal access times are the sum of the abnormal time period access times and the abnormal geographic position access times.
The total access times of the character on the cloud platform is the sum of the abnormal access times of the character on the cloud platform and the normal access times of the character on the cloud platform.
The cloud platform is generally accessed at a plurality of fixed geographic positions owned by the enterprise user, and the working time of the enterprise is also relatively fixed, namely the working time is fixed, so that the cloud platform is not accessed within the fixed working time and marked as abnormal time period access without accessing the enterprise user at the plurality of fixed geographic positions; the greater the number of abnormal accesses, the more serious the rights security problem may exist.
Acquiring the times of overriding authority of a character in a certain access process, wherein the overriding authority refers to the action of clicking cloud resources which do not belong to the authority of the character in the access process; setting an override authority frequency threshold in consideration of the condition that false clicking possibly exists, acquiring the frequency of the access process that the frequency of the override authority is greater than the override authority frequency threshold in the access process, marking the frequency of the access process that the frequency of the override authority is greater than the override authority frequency threshold as an authority override value, wherein the greater the authority override value is, the worse the access security of the character on the cloud platform in the history is, and the more serious the override behavior is; the rights override value is generally small, and if the rights override value is too large, the operation condition that serious rights override exists is indicated.
According to the abnormal access times, the total access times and the authority override value, an operation security value is calculated, for example, one way of calculating the operation security value is as follows: the operation safety value is obtained by multiplying the ratio of the abnormal access times to the total access times by the authority override value; the operation safety value reflects the safety of operation authority when the role accesses the cloud platform in the history, and the larger the ratio of the abnormal access times to the total access times and the larger the authority override value, the larger the result of multiplying the ratio of the abnormal access times to the total access times by the authority override value, namely the more serious the override behavior exists.
The historical authority security assessment coefficient is obtained by weighted summation of the authorized and smooth values and the authorized success rate and the operation security value, for example, the historical authority security assessment coefficient can be calculated by adopting the following formula:the method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Respectively historical authority security evaluation coefficient, authority success rate and operation security value>Weight factors of authorization and authorization success rate and operation safety value are respectively, and for better follow-up analysis according to the magnitude of the historical authority safety evaluation coefficient, the weight factors are +.>Greater than 0->Less than 0.
The larger the historical permission security assessment coefficient is, the worse the security of the access of the role to the cloud platform is in the history.
Setting a permission safety evaluation threshold value, and marking the diagonal color by comparing the historical permission safety evaluation coefficient with the permission safety evaluation threshold value.
Calculating historical permission security assessment coefficients corresponding to different roles included by enterprise users, marking the roles as dangerous roles when the historical permission security assessment coefficients are larger than a permission security assessment threshold, marking the roles as safe roles when the historical permission security assessment coefficients are smaller than or equal to the permission security assessment threshold, and marking the roles as safe roles when the historical permission security assessment coefficients are better in the authorization process of the cloud platform.
The authorization process and the operation behavior of the angle on the cloud platform can be comprehensively evaluated through the collection of the historical authorization process information and the historical operation information, and different roles can be marked as dangerous roles or safe roles according to the comparison of the historical permission safety evaluation coefficient and the permission safety evaluation threshold value; such tagging and categorization may help enterprise users quickly learn about the security status of the roles.
In step S2, the number of roles marked as dangerous roles in the enterprise user is obtained, the number of roles marked as safe roles in the enterprise user is obtained, and the role risk rate is calculated: role risk = number of dangerous roles/(number of roles of security role + number of roles of dangerous role); setting a role risk threshold, and marking enterprise users as dangerous enterprise users when the role risk is larger than the role risk threshold; and marking the enterprise user as a normal enterprise user when the role risk is less than or equal to the role risk threshold.
After the cloud platform authorizes the enterprise user, an authorization strategy is formulated according to the marked condition of the enterprise user and the marked condition of the role:
when the enterprise users are marked as dangerous enterprise users, three-level authorization signals are generated, and the cloud platform strictly executes authorization steps according to the generated three-level authorization signals when the enterprise users and roles access the cloud platform.
When the enterprise user is marked as a normal enterprise user and the role is marked as a dangerous role, generating a secondary authorization signal, and the cloud platform skips the authorization step according to the generated secondary authorization signal, wherein the role needs to strictly execute the authorization step.
When the enterprise user is marked as a normal enterprise user and the role is marked as a security role, a primary authorization signal is generated, and the cloud platform directly enters the cloud platform by skipping the authorization step when the enterprise user and the role access the cloud platform according to the generated primary authorization signal.
It is noted that the permission security evaluation threshold is set according to the magnitude of the historical permission security evaluation coefficient and actual conditions such as security requirement standards integrated by the professional technician on the cloud platform, and the details are not repeated here; the role risk threshold is set according to the role risk and the actual conditions such as security requirement standards of the cloud platform for the roles by professional technicians, and the like, and will not be repeated here.
The role risk rate reflects the overall safety condition of the roles in the enterprise users, and helps the enterprise users to quickly know the overall risk level of the roles; marking the enterprise users as dangerous enterprise users or normal enterprise users according to the role risk threshold; such tagging and categorization may help enterprise users identify enterprise users with higher security risks; according to marking conditions of enterprise users and roles, corresponding authorization strategies are formulated, and balance of safety and convenience is achieved; the security and access control flexibility of the cloud platform are improved, the authorization process of normal enterprise users is reduced, and user experience is improved.
In step S3, real-time security information is collected, and after the authorization policy is formulated, real-time access is monitored, and the real-time security information is reflected by the role offline time.
The role offline time refers to a period of time that an enterprise user role is offline during communication or access with the cloud platform.
Longer character off-line times may result in delayed data processing and responses, may delay discovery and processing of abnormal access or security events, which may increase response time to security threats, reduce the effectiveness of real-time monitoring, and may result in an increase in security vulnerabilities or risks.
Setting an offline time threshold, and generating a role re-authorization signal when the offline time of the role is greater than the offline time threshold and the role is dangerous to the access environment of the cloud platform after the role is offline for a long time; and the cloud platform re-authorizes the roles according to the generated role re-authorization signal, and the roles need to be re-authorized.
Recording the times of generating role re-authorization signals when the enterprise user roles access the cloud platform in real time; setting an offline frequency threshold, and generating an enterprise user re-authorization signal when the frequency of generating the role re-authorization signal is greater than the offline frequency threshold; and the cloud platform performs an authorization step on the angle after the enterprise user needs to perform the authorization step again according to the generated enterprise user re-authorization signal.
The number of times the character re-authorization signal is generated is marked as the offline number.
The offline time threshold is set according to the actual security requirement standard of the cloud platform for offline time, and is not described herein again; the offline frequency threshold is set according to the security requirement standard of the cloud platform for the offline frequency actually, and will not be described here again.
The method has the advantages that the offline time of the roles can be obtained, the states of the roles of the enterprise users in the communication or access process with the cloud platform can be monitored, whether the roles or the enterprise users are subjected to authorization steps again is judged through comparison of the offline time of the roles and the offline time threshold value and comparison of the offline times and the offline times threshold value, so that potential security holes or risks are reduced, the access authority of the whole enterprise users is effectively managed through re-authorization, the offline situation of the roles inside the enterprise users can be timely dealt with, the security risks are reduced, and the security of accessing the cloud resources based on the cloud platform in the enterprise users is guaranteed.
Example 2
The difference between embodiment 2 and embodiment 1 of the present invention is that this embodiment describes a rights management unit for multi-cloud resource management.
Fig. 2 is a schematic structural diagram of a rights management device for managing cloud resources, which includes a data processing module, an information acquisition module, a marking module, an authorization policy module and a real-time judging module, wherein the information acquisition module, the marking module, the authorization policy module and the real-time judging module are communicatively connected with the data processing module.
The information acquisition module acquires the historical authorization process information and the historical operation information, the historical authorization process information and the historical operation information are sent to the data processing module, and the data processing module calculates a historical authority security assessment coefficient.
The information acquisition module acquires real-time safety information, the real-time safety information is sent to the data processing module, and the data processing module processes the real-time safety information to obtain the offline time and offline times of the roles.
The marking module marks the diagonal colors through the comparison of the historical authority security assessment coefficient and the authority security assessment threshold; and the marking module marks the enterprise user according to the comparison of the role risk rate and the role risk rate threshold value.
The authorization policy module formulates an authorization policy according to the marked condition of the enterprise user and the marked condition of the role.
The real-time judging module judges whether to re-authorize or not through the comparison of the offline time and the offline time threshold value and the comparison of the offline times and the offline times threshold value.
The above formulas are all formulas with dimensionality removed and numerical calculation, the formulas are formulas with the latest real situation obtained by software simulation through collecting a large amount of data, and preset parameters and threshold selection in the formulas are set by those skilled in the art according to the actual situation.
The above embodiments may be implemented in whole or in part by software, hardware, firmware, or any other combination. When implemented in software, the above-described embodiments may be implemented in whole or in part in the form of a computer program product. The computer program product comprises one or more computer instructions or computer programs. When the computer instructions or computer program are loaded or executed on a computer, the processes or functions described in accordance with the embodiments of the present application are all or partially produced. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be transmitted from one website site, computer, server, or data center to another website site, computer, server, or data center by wired (e.g., infrared, wireless, microwave, etc.). The computer readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that contains one or more sets of available media. The usable medium may be a magnetic medium (e.g., floppy disk, hard disk, magnetic tape), an optical medium (e.g., DVD), or a semiconductor medium. The semiconductor medium may be a solid state disk.
Those of ordinary skill in the art will appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, specific working procedures of the above-described system, apparatus and module may refer to corresponding procedures in the foregoing method embodiments, which are not repeated herein.
In the several embodiments provided in this application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, and for example, the division of the modules is merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or modules, which may be in electrical, mechanical, or other forms.
The modules described as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, i.e., may be located in one place, or may be distributed over a plurality of network modules. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional module in each embodiment of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
The functions, if implemented in the form of software functional modules and sold or used as a stand-alone product, may be stored in a computer-readable storage medium. Based on such understanding, the technical solution of the present application may be embodied essentially or in a part contributing to the prior art or in a part of the technical solution, in the form of a software product stored in a storage medium, including several instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to perform all or part of the steps of the methods described in the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a removable hard disk, a read-only memory (ROM), a random access memory (random access memory, RAM), a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely specific embodiments of the present application, but the scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.
Finally: the foregoing description of the preferred embodiments of the invention is not intended to limit the invention to the precise form disclosed, and any such modifications, equivalents, and alternatives falling within the spirit and principles of the invention are intended to be included within the scope of the invention.

Claims (5)

1. The rights management method for the cloud resource management is characterized by comprising the following steps of:
step S1: collecting historical authorization process information and historical operation information, and calculating a historical authority security assessment coefficient according to the historical authorization process information and the historical operation information; marking the diagonal color by comparing the historical authority security assessment coefficient with an authority security assessment threshold;
step S2: calculating the role risk rate, and marking enterprise users according to the comparison between the role risk rate and the role risk rate threshold value; according to the marked condition of enterprise users and the marked condition of roles, an authorization strategy is formulated;
step S3: acquiring real-time safety information, obtaining the offline time and offline times of the roles according to the real-time safety information, and judging whether to re-authorize or not through comparison of the offline time and an offline time threshold value and comparison of the offline times and an offline time threshold value;
the historical authorization process information comprises authorization values, and the acquisition logic of the authorization values is as follows:
setting standard authorization time which is the average value of the times used for successful authorization in the authorization step; in the history of acquisition, the number of times of authorizing steps of the cloud platform to the character in the history is acquired, the authorizing steps of the cloud platform to the character in the history are numbered, and the number of authorizing steps of the cloud platform to the character in the history is marked as,/>;/>Is a positive integer; acquiring time used by each cloud platform in the history of successful authorization for the role;
calculating an authorization clique value, wherein the authorization clique value is expressed as follows:the method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Time taken for the authorization step of a cloud platform for a character, +.>For standard authorized time, ++>Is an authorized bumpy value;
the authorization success rate is the ratio of the number of times of successful authorization to the total number of times of the authorization step of the cloud platform to the role;
the historical operation information is reflected by the operation safety value; acquiring the total access times of the roles on the cloud platform, and acquiring the abnormal access times of the roles on the cloud platform after the roles are successfully authorized; acquiring the times of exceeding the authority of a role in a certain access process; setting an override authority number threshold, and marking the number of times of the access process, which exceeds the authority number threshold in the access process, as an authority override value;
calculating an operation safety value according to the abnormal access times, the total access times and the authority override value;
and weighting and summing the authorized camping value, the authorized success rate and the operation safety value to obtain a historical authority safety evaluation coefficient.
2. The rights management method for multi-cloud resource management according to claim 1, wherein: setting a permission security assessment threshold; and marking the roles as dangerous roles when the historical permission safety evaluation coefficient is larger than the permission safety evaluation threshold, and marking the roles as safe roles when the historical permission safety evaluation coefficient is smaller than or equal to the permission safety evaluation threshold.
3. The rights management method for multi-cloud resource management according to claim 2, wherein: in step S2, calculating the role risk rate according to the number of roles marked as dangerous roles in the enterprise user and the number of roles marked as safe roles in the enterprise user; setting a role risk threshold, and marking enterprise users as dangerous enterprise users when the role risk is larger than the role risk threshold; when the role risk rate is smaller than or equal to the role risk rate threshold value, marking the enterprise user as a normal enterprise user;
when the enterprise user is marked as a dangerous enterprise user, generating a three-level authorization signal; when the enterprise user is marked as a normal enterprise user and the role is marked as a dangerous role, generating a secondary authorization signal; when an enterprise user is marked as a normal enterprise user and a role is marked as a security role, a primary authorization signal is generated.
4. A rights management method for multi-cloud resource management as claimed in claim 3, wherein: in step S3, collecting real-time safety information, wherein the real-time safety information is reflected by the off-line time of the character;
setting an offline time threshold, and generating a role re-authorization signal when the offline time of the role is greater than the offline time threshold;
recording the times of generating the role re-authorization signal; setting an offline frequency threshold, and generating an enterprise user re-authorization signal when the frequency of generating the role re-authorization signal is greater than the offline frequency threshold.
5. A rights management apparatus for multi-cloud resource management, configured to implement a rights management method for multi-cloud resource management as claimed in any one of claims 1 to 4, wherein: the system comprises a data processing module, an information acquisition module, a marking module, an authorization strategy module and a real-time judging module, wherein the information acquisition module, the marking module, the authorization strategy module and the real-time judging module are in communication connection with the data processing module;
the information acquisition module acquires historical authorization process information and historical operation information, the historical authorization process information and the historical operation information are sent to the data processing module, and the data processing module calculates a historical authority security assessment coefficient;
the information acquisition module acquires real-time safety information, the real-time safety information is sent to the data processing module, and the data processing module processes the real-time safety information to obtain the offline time and offline times of the roles;
the marking module marks the diagonal colors through the comparison of the historical authority security assessment coefficient and the authority security assessment threshold; the marking module marks the enterprise users according to the comparison of the role risk rate and the role risk rate threshold value;
the authorization policy module formulates an authorization policy according to the marked condition of the enterprise user and the marked condition of the role;
the real-time judging module judges whether to re-authorize or not through the comparison of the offline time and the offline time threshold value and the comparison of the offline times and the offline times threshold value;
the historical authorization process information comprises authorization values, and the acquisition logic of the authorization values is as follows:
setting standard authorization time which is the average value of the times used for successful authorization in the authorization step; in the history of acquisition, the number of times of authorizing steps of the cloud platform to the character in the history is acquired, the authorizing steps of the cloud platform to the character in the history are numbered, and the number of authorizing steps of the cloud platform to the character in the history is marked as,/>;/>Is a positive integer; acquiring time used by each cloud platform in the history of successful authorization for the role;
calculating an authorization clique value, wherein the authorization clique value is expressed as follows:the method comprises the steps of carrying out a first treatment on the surface of the Wherein (1)>Time taken for the authorization step of a cloud platform for a character, +.>For standard authorized time, ++>Is an authorized bumpy value;
the authorization success rate is the ratio of the number of times of successful authorization to the total number of times of the authorization step of the cloud platform to the role;
the historical operation information is reflected by the operation safety value; acquiring the total access times of the roles on the cloud platform, and acquiring the abnormal access times of the roles on the cloud platform after the roles are successfully authorized; acquiring the times of exceeding the authority of a role in a certain access process; setting an override authority number threshold, and marking the number of times of the access process, which exceeds the authority number threshold in the access process, as an authority override value;
calculating an operation safety value according to the abnormal access times, the total access times and the authority override value;
and weighting and summing the authorized camping value, the authorized success rate and the operation safety value to obtain a historical authority safety evaluation coefficient.
CN202311154001.7A 2023-09-08 2023-09-08 Permission management method and device oriented to multi-cloud resource management Active CN116881956B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311154001.7A CN116881956B (en) 2023-09-08 2023-09-08 Permission management method and device oriented to multi-cloud resource management

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202311154001.7A CN116881956B (en) 2023-09-08 2023-09-08 Permission management method and device oriented to multi-cloud resource management

Publications (2)

Publication Number Publication Date
CN116881956A CN116881956A (en) 2023-10-13
CN116881956B true CN116881956B (en) 2024-01-09

Family

ID=88268471

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202311154001.7A Active CN116881956B (en) 2023-09-08 2023-09-08 Permission management method and device oriented to multi-cloud resource management

Country Status (1)

Country Link
CN (1) CN116881956B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117932673B (en) * 2024-01-24 2024-07-19 广东电网有限责任公司信息中心 Power grid data management system based on privacy calculation

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104935590A (en) * 2015-06-10 2015-09-23 南京航空航天大学 HDFS access control method based on role and user trust value
CN105760745A (en) * 2014-12-15 2016-07-13 华为软件技术有限公司 Authority management method and device
CN115146297A (en) * 2022-09-02 2022-10-04 江苏荣泽信息科技股份有限公司 Authority management method and device for enterprise-level account
CN116506200A (en) * 2023-05-11 2023-07-28 余杰 Cloud security service implementation system and method
CN116708037A (en) * 2023-08-07 2023-09-05 勤源(江苏)科技有限公司 Cloud platform access right control method and system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN107645482B (en) * 2016-07-22 2020-08-07 创新先进技术有限公司 Risk control method and device for business operation

Patent Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN105760745A (en) * 2014-12-15 2016-07-13 华为软件技术有限公司 Authority management method and device
CN104935590A (en) * 2015-06-10 2015-09-23 南京航空航天大学 HDFS access control method based on role and user trust value
CN115146297A (en) * 2022-09-02 2022-10-04 江苏荣泽信息科技股份有限公司 Authority management method and device for enterprise-level account
CN116506200A (en) * 2023-05-11 2023-07-28 余杰 Cloud security service implementation system and method
CN116708037A (en) * 2023-08-07 2023-09-05 勤源(江苏)科技有限公司 Cloud platform access right control method and system

Also Published As

Publication number Publication date
CN116881956A (en) 2023-10-13

Similar Documents

Publication Publication Date Title
RU2477929C2 (en) System and method for prevention safety incidents based on user danger rating
JP2007193791A (en) Method for controlling risk in artificial neural network expert system, data processing system, and program
CN116881956B (en) Permission management method and device oriented to multi-cloud resource management
US11677776B2 (en) Dynamic attack path selection during penetration testing
EP4104410B1 (en) Security automation system with machine learning functions
US20210234877A1 (en) Proactively protecting service endpoints based on deep learning of user location and access patterns
WO2016048129A2 (en) A system and method for authenticating a user based on user behaviour and environmental factors
CN106951779A (en) A kind of USB security protection systems for selecting to analyze with equipment behavior based on user
CN118228211B (en) Software authorization authentication method
CN118157961A (en) Active simulation intrusion evaluation and full-link visual protection system, method and equipment
He et al. SCPN-based game model for security situational awareness in the Intenet of things
CN115296830A (en) Network collaborative attack modeling and harm quantitative analysis method based on game theory
Ahmed et al. Smart grid wireless network security requirements analysis
AlSadhan et al. Leveraging information security continuous monitoring for cyber defense
Abazari et al. Optimal response to computer network threats
CN113127882B (en) Terminal safety protection method, device, equipment and readable storage medium
CN117857221B (en) Authority management method and system for remote service platform
CN116366286A (en) Zero trust access control method and device
CN118568693A (en) System authority management method based on data analysis
US20240205260A1 (en) Network protection
DE102023102565B4 (en) Method for intrusion monitoring in a computer network as well as motor vehicle and cloud computing infrastructure
CN118691278B (en) Block chain-based data security asset circulation method and system
CN117097560B (en) Virtualized attack-defense countermeasure environment construction method
CN114035784B (en) Method and device for defining verification code flow through graph and rule set
Kpoze et al. Cybersecurity Risk Assessment for Beninese Power Grid SCADA system

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant