云服务的内部威胁及其控制研究

doi:10.3969/j.issn.1671-1122.2015.08.012

信息网络安全 ›› 2015, Vol. 15 ›› Issue (8): 76-81.doi: 10.3969/j.issn.1671-1122.2015.08.012

云服务的内部威胁及其控制研究

贺滢睿(), 王靖亚

中国人民公安大学网络安全保卫学院,北京 102600

收稿日期:2015-07-09 出版日期:2015-08-01 发布日期:2015-08-21
作者简介:
贺滢睿（1991-）,女,新疆,硕士研究生,主要研究方向：网络安全执法技术、公安信息化;王靖亚（1966-）,女,陕西,教授,硕士,主要研究方向：信息安全、公安信息化。
基金资助:
公安理论与软科学研究计划[2013LLYJGADX003]

Research of Insider Threats and Countermeasures under Cloud Service

Ying-rui HE(), Jing-ya WANG

School of Network Security, People’s University of Public Security of China, Beijing 102600, China

Received:2015-07-09 Online:2015-08-01 Published:2015-08-21

摘要/Abstract

摘要：

云服务的兴起,使云安全问题也备受关注。一方面海量数据存储在云端,另一方面用户对数据的完整性、保密性和可用性有更高要求。云服务提供商为了确保客户的数据安全,不仅需要面对外部威胁,也要应对具有同样破坏力的内部威胁。在外部威胁已经引起广泛关注的今天,由于对内部威胁的忽视,使内部威胁成为主要攻击模式之一。很多提供云服务的企业并未对此问题有充分认识。同时在云服务模式下,以往的安全策略必然不能解决新形势下、新架构下的内部威胁。文章介绍了云服务背景下的内部威胁,提出了解决内部威胁的控制模型和控制流程,并对内部威胁评估、行政控制、技术控制、监控以及响应进行了详细阐述,以期为解决云服务背景下的内部威胁提供帮助。

关键词: 云服务, 内部威胁, 控制

Abstract:

With the development of cloud service, cloud security is increasingly drawing people’s attention. At this stage, the value of data is more important, and under cloud service, on the one hand mass data storage in the cloud, on the other hand the user for data integrity, confidentiality, availability have higher requirements. This puts forward higher security requirements for cloud service providers.In order to guarantee the data security of customers, cloud service providers not only need to face to the external threats, but also confront with the internal threat which has a destructive and influential effects as well as the external. The external threat has caused wide concern today, the internal threat to the neglect, so that the internal threat to become one of the main attack mode, and have the huge damage. CERT Insider Threat Center has conducted a survey of cloud service providers, to understanding of the management and technical controls of internal threats, found in the cloud services model, many of cloud service providers did not this problem be fully recognized. And in the cloud service mode, the previous security policy will not be resolved under the new situation, the new framework of internal threats.This paper describes the internal threat under cloud services, and proposes control model and control process against insider threats. Insider threat assessment, administrative controls, technical controls, monitoring, and response areintroduced in detail, in order to help resolve internal threats under cloud service.

Key words: cloud service, insider threats, controls

中图分类号:

TP309

贺滢睿, 王靖亚. 云服务的内部威胁及其控制研究[J]. 信息网络安全, 2015, 15(8): 76-81.

Ying-rui HE, Jing-ya WANG. Research of Insider Threats and Countermeasures under Cloud Service[J]. Netinfo Security, 2015, 15(8): 76-81.

图/表 4

参考文献 16

[1]	Anonymous. Nine key cyber threats identified in Verizon data breach report[J].Health Management Technology, 2014, 35(6):22.
[2]	王辉,胥扬,杨光灿,等. 基于Insider Threat的安全防御体系结构研究[J]. 微计算机信息,2012, (7):9-11.
[3]	D. Trcek.An integral framework for information systems security management[J]. Computers & Security, 2003, 22(4): 337-360.
[4]	李兴华,马建峰.WAPI 实施方案中的密钥协商协议的安全性分析[J]. 计算机学报,2006,29(4):576-580.
[5]	Rees J, Bandyopadhyay S, Spafford E H.A Policy Framework for Information Security[J]. Communications of the ACM, 2003, 46(7):101-106.
[6]	Cappelli D M, Moore A P, Trzeciak R F.Insider Threats in the Sdlc: Lessons Learned from Actual Incidents of Fraud, Theft of Sensitive Information and It Sabotage[R]. USA: Software Engineering Institute of Carnegie Mellon University, 2006.
[7]	Keeney M, Kowalski E, Cappelli D, et al.Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors [R]. USA: Secret Service and CERT Coordination Center, 2005.
[8]	王斌君. 信息安全[M].北京:高等教育出版社,2008.
[9]	郭平,但光祥. 云计算中的混合加密算法[J].吉林大学学报(工学版),2012,42(S1):327-331.
[10]	HUANG Q L, MA Z F, YANG Y X, et al.Secure and Privacy-preserving DRM Scheme Using Homomorphic Encryption in Cloud Computing[J]. The Journal of China Universities of Posts and Telecommunications, 2013, (6):88-95.
[11]	Goyal V, Pandey O, Sahai A, et al.Attribute-based Encryption for Fine- grained Access Control of Encrypted Datap[C]//Proceedings of the 13th ACM Conference on Computer and Communications Security. New York: ACM Press, 2007.
[12]	Goyal V, Pandey O, Sahai A, et al.Attribute-based Encryption for Fine- grained Access Control of Encrypted Datap[C]//Proceedings of the 13th ACM Conference on Computer and Communications Security, New York: ACM Press, 2007.
[13]	彭伟. 面向云计算安全的同态加密技术应用研究[D]. 重庆:重庆大学,2014.
[14]	Ferraiolo D F, Kuhn D R.Role-based access control[C]//Proceedings of the15th National Computer Security Conference USA: Baltimore, 1992.
[15]	Sandhu R, Coyne E, Feinstein H, et al.Role-based Access Control Models[J]. IEEE Computer,1996, 29(2):38-47.
[16]	李凤华,苏铓,史国振,等.访问控制模型研究进展及发展趋势[J].电子学报,2012,(4):805-813.

云服务的内部威胁及其控制研究

Research of Insider Threats and Countermeasures under Cloud Service

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 4

参考文献 16

相关文章 15

编辑推荐

Metrics

本文评价

[1]	杜义峰, 郭渊博. 一种基于信任值的雾计算动态访问控制方法[J]. 信息网络安全, 2020, 20(4): 65-72.
[2]	刘鹏, 何倩, 刘汪洋, 程序. 支持撤销属性和外包解密的CP-ABE方案[J]. 信息网络安全, 2020, 20(3): 90-97.
[3]	喻露, 罗森林. RBAC模式下数据库内部入侵检测方法研究[J]. 信息网络安全, 2020, 20(2): 83-90.
[4]	许盛伟, 王飞杰. 多机构授权下可追踪可隐藏的属性基加密方案[J]. 信息网络安全, 2020, 20(1): 33-39.
[5]	李瑞兴, 许力, 方禾. 基于功率控制与中继协作的抗窃听攻击模型[J]. 信息网络安全, 2020, 20(1): 40-45.
[6]	白嘉萌, 寇英帅, 刘泽艺, 查达仁. 云计算平台基于角色的权限管理系统设计与实现[J]. 信息网络安全, 2020, 20(1): 75-82.
[7]	汪金苗, 王国威, 王梅, 朱瑞瑾. 面向雾计算的隐私保护与访问控制方法[J]. 信息网络安全, 2019, 19(9): 41-45.
[8]	叶阿勇, 金俊林, 孟玲玉, 赵子文. 面向移动终端隐私保护的访问控制研究[J]. 信息网络安全, 2019, 19(8): 51-60.
[9]	尚文利, 尹隆, 刘贤达, 赵剑明. 工业控制系统安全可信环境构建技术及应用[J]. 信息网络安全, 2019, 19(6): 1-10.
[10]	秦中元, 韩尹, 张群芳, 朱雪金. 一种改进的多私钥生成中心云存储访问控制方案[J]. 信息网络安全, 2019, 19(6): 11-18.
[11]	亢保元, 颉明明, 司林. 基于生物识别技术的多云服务器认证方案研究[J]. 信息网络安全, 2019, 19(6): 45-52.
[12]	尚文利, 张修乐, 刘贤达, 尹隆. 工控网络局域可信计算环境构建方法与验证[J]. 信息网络安全, 2019, 19(4): 1-10.
[13]	陈瑞滢, 陈泽茂, 王浩. 工业控制系统安全监控协议的设计与优化研究[J]. 信息网络安全, 2019, 19(2): 60-69.
[14]	蔡方博, 何泾沙, 朱娜斐, 韩松. 分布式访问控制模型中节点级联失效研究[J]. 信息网络安全, 2019, 19(12): 47-52.
[15]	吕宗平, 丁磊, 隋翯, 顾兆军. 基于时间自动机的工业控制系统网络安全风险分析[J]. 信息网络安全, 2019, 19(11): 71-81.