云服务的内部威胁及其控制研究

doi:10.3969/j.issn.1671-1122.2015.08.012

信息网络安全 ›› 2015, Vol. 15 ›› Issue (8): 76-81.doi: 10.3969/j.issn.1671-1122.2015.08.012

云服务的内部威胁及其控制研究

贺滢睿(), 王靖亚

中国人民公安大学网络安全保卫学院,北京 102600

收稿日期:2015-07-09 出版日期:2015-08-01 发布日期:2015-08-21
作者简介:
贺滢睿（1991-）,女,新疆,硕士研究生,主要研究方向：网络安全执法技术、公安信息化;王靖亚（1966-）,女,陕西,教授,硕士,主要研究方向：信息安全、公安信息化。
基金资助:
公安理论与软科学研究计划[2013LLYJGADX003]

Research of Insider Threats and Countermeasures under Cloud Service

HE Ying-rui(), WANG Jing-ya

School of Network Security, People’s University of Public Security of China, Beijing 102600, China

Received:2015-07-09 Online:2015-08-01 Published:2015-08-21

摘要/Abstract

摘要：

云服务的兴起,使云安全问题也备受关注。一方面海量数据存储在云端,另一方面用户对数据的完整性、保密性和可用性有更高要求。云服务提供商为了确保客户的数据安全,不仅需要面对外部威胁,也要应对具有同样破坏力的内部威胁。在外部威胁已经引起广泛关注的今天,由于对内部威胁的忽视,使内部威胁成为主要攻击模式之一。很多提供云服务的企业并未对此问题有充分认识。同时在云服务模式下,以往的安全策略必然不能解决新形势下、新架构下的内部威胁。文章介绍了云服务背景下的内部威胁,提出了解决内部威胁的控制模型和控制流程,并对内部威胁评估、行政控制、技术控制、监控以及响应进行了详细阐述,以期为解决云服务背景下的内部威胁提供帮助。

关键词: 云服务, 内部威胁, 控制

Abstract:

With the development of cloud service, cloud security is increasingly drawing people’s attention. At this stage, the value of data is more important, and under cloud service, on the one hand mass data storage in the cloud, on the other hand the user for data integrity, confidentiality, availability have higher requirements. This puts forward higher security requirements for cloud service providers.In order to guarantee the data security of customers, cloud service providers not only need to face to the external threats, but also confront with the internal threat which has a destructive and influential effects as well as the external. The external threat has caused wide concern today, the internal threat to the neglect, so that the internal threat to become one of the main attack mode, and have the huge damage. CERT Insider Threat Center has conducted a survey of cloud service providers, to understanding of the management and technical controls of internal threats, found in the cloud services model, many of cloud service providers did not this problem be fully recognized. And in the cloud service mode, the previous security policy will not be resolved under the new situation, the new framework of internal threats.This paper describes the internal threat under cloud services, and proposes control model and control process against insider threats. Insider threat assessment, administrative controls, technical controls, monitoring, and response areintroduced in detail, in order to help resolve internal threats under cloud service.

Key words: cloud service, insider threats, controls

中图分类号:

TP309

贺滢睿, 王靖亚. 云服务的内部威胁及其控制研究[J]. 信息网络安全, 2015, 15(8): 76-81.

HE Ying-rui, WANG Jing-ya. Research of Insider Threats and Countermeasures under Cloud Service[J]. Netinfo Security, 2015, 15(8): 76-81.

图/表 4

参考文献 16

[1]	Anonymous. Nine key cyber threats identified in Verizon data breach report[J].Health Management Technology, 2014, 35(6):22.
[2]	王辉,胥扬,杨光灿,等. 基于Insider Threat的安全防御体系结构研究[J]. 微计算机信息,2012, (7):9-11.
[3]	D. Trcek.An integral framework for information systems security management[J]. Computers & Security, 2003, 22(4): 337-360.
[4]	李兴华,马建峰.WAPI 实施方案中的密钥协商协议的安全性分析[J]. 计算机学报,2006,29(4):576-580.
[5]	Rees J, Bandyopadhyay S, Spafford E H.A Policy Framework for Information Security[J]. Communications of the ACM, 2003, 46(7):101-106.
[6]	Cappelli D M, Moore A P, Trzeciak R F.Insider Threats in the Sdlc: Lessons Learned from Actual Incidents of Fraud, Theft of Sensitive Information and It Sabotage[R]. USA: Software Engineering Institute of Carnegie Mellon University, 2006.
[7]	Keeney M, Kowalski E, Cappelli D, et al.Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors [R]. USA: Secret Service and CERT Coordination Center, 2005.
[8]	王斌君. 信息安全[M].北京:高等教育出版社,2008.
[9]	郭平,但光祥. 云计算中的混合加密算法[J].吉林大学学报(工学版),2012,42(S1):327-331.
[10]	HUANG Q L, MA Z F, YANG Y X, et al.Secure and Privacy-preserving DRM Scheme Using Homomorphic Encryption in Cloud Computing[J]. The Journal of China Universities of Posts and Telecommunications, 2013, (6):88-95.
[11]	Goyal V, Pandey O, Sahai A, et al.Attribute-based Encryption for Fine- grained Access Control of Encrypted Datap[C]//Proceedings of the 13th ACM Conference on Computer and Communications Security. New York: ACM Press, 2007.
[12]	Goyal V, Pandey O, Sahai A, et al.Attribute-based Encryption for Fine- grained Access Control of Encrypted Datap[C]//Proceedings of the 13th ACM Conference on Computer and Communications Security, New York: ACM Press, 2007.
[13]	彭伟. 面向云计算安全的同态加密技术应用研究[D]. 重庆:重庆大学,2014.
[14]	Ferraiolo D F, Kuhn D R.Role-based access control[C]//Proceedings of the15th National Computer Security Conference USA: Baltimore, 1992.
[15]	Sandhu R, Coyne E, Feinstein H, et al.Role-based Access Control Models[J]. IEEE Computer,1996, 29(2):38-47.
[16]	李凤华,苏铓,史国振,等.访问控制模型研究进展及发展趋势[J].电子学报,2012,(4):805-813.

云服务的内部威胁及其控制研究

Research of Insider Threats and Countermeasures under Cloud Service

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 4

参考文献 16

相关文章 15

编辑推荐

Metrics

本文评价

[1]	王巍, 胡永涛, 刘清涛, 王凯崙. 铁路运行环境下ERT可信根实体的软件化技术研究[J]. 信息网络安全, 2024, 24(5): 794-801.
[2]	周权, 陈民辉, 卫凯俊, 郑玉龙. 基于SM9的属性加密的区块链访问控制方案[J]. 信息网络安全, 2023, 23(9): 37-46.
[3]	石润华, 谢晨露. 云边缘环境中基于属性加密的可验证EMR外包解决方案[J]. 信息网络安全, 2023, 23(7): 9-21.
[4]	谢盈, 曾竹, 胡巍, 丁旭阳. 一种虚假数据注入攻击检测与补偿方法[J]. 信息网络安全, 2023, 23(6): 22-33.
[5]	张晓旭, 石润华. EHR系统中一种验证外包加密数据正确性的访问控制方案[J]. 信息网络安全, 2023, 23(5): 85-94.
[6]	朱怡昕, 苗张旺, 甘静鸿, 马存庆. 基于细粒度访问控制的勒索软件防御系统设计[J]. 信息网络安全, 2023, 23(10): 31-38.
[7]	顾兆军, 刘婷婷, 高冰, 隋翯. 基于GAN-Cross的工控系统类不平衡数据异常检测[J]. 信息网络安全, 2022, 22(8): 81-89.
[8]	王健, 黄俊. 基于智能合约的日志安全存储与公平访问方法[J]. 信息网络安全, 2022, 22(7): 27-36.
[9]	郭宝霞, 王佳慧, 马利民, 张伟. 基于零信任的敏感数据动态访问控制模型研究[J]. 信息网络安全, 2022, 22(6): 86-93.
[10]	王浩洋, 李伟, 彭思维, 秦元庆. 一种基于集成学习的列车控制系统入侵检测方法[J]. 信息网络安全, 2022, 22(5): 46-53.
[11]	刘嘉微, 马兆丰, 王姝爽, 罗守山. 基于区块链的隐私信用数据受限共享技术研究[J]. 信息网络安全, 2022, 22(5): 54-63.
[12]	张光华, 闫风如, 张冬雯, 刘雪峰. 基于LSTM-Attention的内部威胁检测模型[J]. 信息网络安全, 2022, 22(2): 1-10.
[13]	徐茹枝, 吕畅冉, 龙燕, 刘远彬. 工业控制系统高隐蔽性数据攻击防御方法研究[J]. 信息网络安全, 2022, 22(12): 34-46.
[14]	顾兆军, 姚峰, 丁磊, 隋翯. 基于半实物的机场供油自控系统网络安全测试[J]. 信息网络安全, 2021, 21(9): 16-24.
[15]	靳姝婷, 何泾沙, 朱娜斐, 潘世佳. 基于本体推理的隐私保护访问控制机制研究[J]. 信息网络安全, 2021, 21(8): 52-61.