CN106603535B - Security system framework based on SaaS platform - Google Patents
- Publication number: CN106603535B
- Application number: CN201611171693.6A
- Authority: CN (China)
- Prior art keywords: server, client, security, service, area
- Legal status: Expired - Fee Related
Classifications
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones
- H04L63/0218—Distributed architectures, e.g. distributed firewalls
- H04L63/0227—Filtering policies
- H04L63/0281—Proxies
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/102—Entity profiles
- H04L63/105—Multiple levels of security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The present invention relates to a security system architecture based on a SaaS platform. It comprises a client and a database cluster device, which can exchange data with each other. Three tiers of firewalls are arranged between the client and the database cluster device, forming a client zone, an isolation zone, an application service zone and a database server zone. The first-tier firewall isolates the client zone from the server side, so that the server side exposes only HTTP and HTTPS services externally. The second-tier firewall separates the application services from the web static resources, so that the application services serve only the isolation zone and the external interface. The third-tier firewall isolates the data. As a result, three mutually independent firewalls provide layered protective filtering of data communication, and the division into four zones allows finer-grained assignment of permissions, improving security in use.
Description
Technical field
The present invention relates to a system architecture, and in particular to a security system architecture based on a SaaS platform.
Background technique
Security is the key to the success or failure of a SaaS system, and the essential characteristics of SaaS determine the importance of system security. In the traditional model, data is managed by the user itself; under the SaaS model, all business data of enterprise customers is stored at the SaaS provider's end, and this data is the core data of the enterprise. Whether an enterprise can use the system with confidence, and entrust its data to the system with confidence, depends entirely on the system's design and guarantees in terms of security. This shift in responsibility for and control of data management makes the security of SaaS software different from that of traditional software, with both disadvantages and advantages.
Specifically, the disadvantages are: in users' minds the SaaS model is perceived as insecure, since they consider it unsafe to hand their enterprise's core data to a third party; and because a SaaS system is exposed on the Internet, it faces more security threats than a legacy system confined to a local area network. The advantage is: in terms of system data security, the decisive factor is not the functionality of the software but the human factor.
Employees in ordinary enterprises have not received rigorous security awareness training; if an enterprise keeps all its data in-house, it is quite likely to be leaked through employee carelessness. In terms of personnel security practice, the data management staff of a SaaS provider are clearly far more professional, because they know that customer data is the provider's lifeline, and they understand better than an ordinary enterprise's staff how to safeguard data properly. In terms of defending against data theft, a SaaS provider has more reason to treasure every customer's data.
Enterprises generally will not spend much effort ensuring the security of every piece of data, since this requires large investments in cost and manpower. For a professional SaaS provider, however, one of the most important tasks is precisely to safeguard customer data, so its investment in security measures is certainly far greater than that of an ordinary enterprise.
Just as the security of the custody provided by a bank's vault system is far higher than that of any ordinary household, choosing a SaaS provider to host data actually buys a higher level of security at a lower price. In terms of defending against data destruction, this refers specifically to the safe custody of data in the face of natural and man-made disasters.
Furthermore, when an ordinary enterprise's database suffers irreversible destruction from objective disaster factors, it is difficult to recover the damaged data. Through a SaaS-model service, an enterprise can enjoy comprehensive protection with multi-site, multi-machine backup at a lower price.
In view of the above shortcomings, the designer has actively pursued research and innovation to create a security system architecture based on a SaaS platform that has greater practical value in industry.
Summary of the invention
In order to solve the above technical problems, the object of the present invention is to provide a security system architecture based on a SaaS platform.
The security system architecture based on a SaaS platform of the present invention comprises a client and a database cluster device, which can exchange data with each other, wherein three tiers of firewalls are arranged between the client and the database cluster device, forming a client zone, an isolation zone, an application service zone and a database server zone. An HTTP server is arranged in the isolation zone, and an authentication server is connected to the HTTP server. An LDAP server, a security policy server and a security authorization server are arranged in the application service zone. The database cluster device is arranged in the database server zone. The first-tier firewall isolates the client zone from the server side, so that the server side exposes only HTTP and HTTPS services externally. The second-tier firewall separates the application services from the web static resources, so that the application services serve only the isolation zone and the external interface. The third-tier firewall is used to isolate the data.
Further, in the above security system architecture based on a SaaS platform, the authentication server forms an interception and proxy server: it intercepts all HTTP and HTTPS requests, extracts the user authentication information from them, and then authenticates the legitimacy of the user by matching the user information against the data in the LDAP server. If the user is legitimate, the request is forwarded to the back-end HTTP server; if not, the request is terminated and a corresponding status code is sent to the client.
Further, in the above security system architecture based on a SaaS platform, the LDAP server is used to provide access to and authentication of user information externally.
Further, in the above security system architecture based on a SaaS platform, the security policy server is used to configure all relevant security policies of the system, to obtain user information from the LDAP server, and to provide security services by combining resource information and security policies.
Further, in the above security system architecture based on a SaaS platform, the security authorization server uses the user information provided by the security policy server, together with resource information and security policies, to judge whether a given request of a given user has the corresponding permission, and grants authorization accordingly.
Still further, in the above security system architecture based on a SaaS platform, a web server cluster server and an application server cluster server are connected to the security policy server.
According to the above aspects, the present invention has at least the following advantages:
1. Three mutually independent firewalls provide layered protective filtering of data communication.
2. The division into four zones allows finer-grained assignment of permissions and improves security in use.
3. The overall layout can be attached directly to an existing SaaS platform, making it easy to implement.
The above is only an overview of the technical solution of the present invention. In order to better understand the technical means of the present invention and to implement it in accordance with the contents of the specification, the preferred embodiments of the present invention are described in detail below with reference to the accompanying drawings.
Detailed description of the invention
Fig. 1 is a structural schematic diagram of the security system architecture based on a SaaS platform.
The reference numerals in the figure have the following meanings:
- 1 client; 2 database cluster device
- 3 client zone; 4 isolation zone
- 5 application service zone; 6 database server zone
- 7 HTTP server; 8 authentication server
- 9 LDAP server; 10 security policy server
- 11 security authorization server; 12 first-tier firewall
- 13 second-tier firewall; 14 third-tier firewall
- 15 web server cluster server; 16 application server cluster server
Specific embodiment
The specific embodiments of the present invention are described in further detail below with reference to the accompanying drawings and examples. The following examples serve to illustrate the present invention and are not intended to limit its scope.
The security system architecture based on a SaaS platform shown in Fig. 1 comprises a client 1 and a database cluster device 2, which can exchange data with each other. Its distinctive feature is that three tiers of firewalls are arranged between the client 1 and the database cluster device 2, forming a client zone 3, an isolation zone 4, an application service zone 5 and a database server zone 6.
Specifically, an HTTP server 7 is arranged in the isolation zone 4, and an authentication server 8 is connected to the HTTP server 7. At the same time, an LDAP server 9, a security policy server 10 and a security authorization server 11 are arranged in the application service zone 5. The database cluster device 2 is arranged in the database server zone 6. The first-tier firewall 12 isolates the client zone 3 from the server side, so that the server side exposes only HTTP and HTTPS services externally; this reduces the degree of exposure. The second-tier firewall 13 separates the core application services of the system from the web static resources, so that they serve only the isolation zone 4 and the external interface. Furthermore, the third-tier firewall 14 is used to isolate the data. Data is the most critical link in the security reputation of the system and in the core business of enterprise customers; through the third-tier firewall 14 the data is separated from the other modules of the system, so that even if other modules are intruded upon and damaged, every effort is made to keep the data protected.
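The zone layout described above (and in the summary), modelled as an added example that is not code from the patent: each of the three firewalls is an independent allow-list, and a flow is admitted only if every firewall on its path lists it, so a client-zone host can never reach the database zone even though each adjacent hop, taken alone, is permitted. The zone names follow the description; the port numbers, the rule table (only the isolation zone may reach the application service zone, only the application service zone may reach the database zone) and the `audit()` invariants are assumptions.

```python
"""Zone reachability model for the three-tier firewall layout.

Added example, not code from the patent. The four zones and the three
firewalls between them come from the description; the port numbers and the
rule table are assumptions chosen so that the server side exposes only HTTP
and HTTPS outward and each firewall admits only its own adjacent hop.
"""
from dataclasses import dataclass

CLIENT, DMZ, APP, DB = "client_zone", "isolation_zone", "app_service_zone", "db_server_zone"
ZONE_ORDER = [CLIENT, DMZ, APP, DB]


@dataclass(frozen=True)
class Rule:
    src: str    # zone the connection originates in
    dst: str    # zone of the destination host
    dport: int  # destination TCP port


# Three independent allow-lists; each firewall drops anything it does not list.
# Return traffic of an admitted connection is assumed to be handled statefully.
FIREWALLS = {
    "first_tier":  {Rule(CLIENT, DMZ, 80), Rule(CLIENT, DMZ, 443)},  # HTTP/HTTPS only
    "second_tier": {Rule(DMZ, APP, 389), Rule(DMZ, APP, 8443)},     # LDAP, policy/authz API (assumed ports)
    "third_tier":  {Rule(APP, DB, 5432)},                           # database listener (assumed port)
}

# Firewall sitting on each boundary between adjacent zones (both directions).
BOUNDARY = {(CLIENT, DMZ): "first_tier", (DMZ, APP): "second_tier", (APP, DB): "third_tier"}


def boundaries_crossed(src, dst):
    """Names of the firewalls a connection from zone src to zone dst must traverse."""
    lo, hi = sorted((ZONE_ORDER.index(src), ZONE_ORDER.index(dst)))
    return [BOUNDARY[(ZONE_ORDER[k], ZONE_ORDER[k + 1])] for k in range(lo, hi)]


def allowed(src, dst, dport):
    """Return (admitted, reason). A flow is admitted only if every firewall on
    its path has an explicit rule for this exact (src, dst, dport) triple."""
    if src == dst:
        return True, "same zone, no firewall on path"
    path = boundaries_crossed(src, dst)
    for fw in path:
        if Rule(src, dst, dport) not in FIREWALLS[fw]:
            return False, f"dropped by {fw}: no rule for {src}->{dst}:{dport}"
    return True, "admitted by " + ", ".join(path)


def exposed_ports():
    """Every (zone, port) the client zone can reach directly, i.e. the attack
    surface the first-tier firewall leaves open (probing the assumed ports)."""
    probe_ports = {80, 443, 389, 8443, 5432}
    return {(z, p) for z in ZONE_ORDER[1:] for p in probe_ports if allowed(CLIENT, z, p)[0]}


def audit():
    """Invariants the description promises. Returns a list of violations (empty = OK)."""
    violations = []
    if exposed_ports() != {(DMZ, 80), (DMZ, 443)}:
        violations.append("client zone reaches more than HTTP/HTTPS in the isolation zone")
    if any(allowed(CLIENT, DB, p)[0] for p in range(1, 65536)):
        violations.append("client zone can reach the database zone directly")
    if allowed(DB, CLIENT, 443)[0]:
        violations.append("database zone can initiate connections outward")
    return violations


if __name__ == "__main__":
    for flow in [(CLIENT, DMZ, 443), (CLIENT, APP, 389), (CLIENT, DB, 5432), (APP, DB, 5432)]:
        print(flow, allowed(*flow))
    print("audit:", audit() or "OK")
```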
In a preferred embodiment of the present invention, the authentication server 8 forms an interception and proxy server. It intercepts all HTTP and HTTPS requests, extracts the user authentication information (such as username and password) from them, and authenticates the legitimacy of the user by matching the user information against the data in the LDAP server 9. If the user is legitimate, the request is forwarded to the back-end HTTP server 7; if not, the request is terminated and a corresponding status code is sent to the client 1.
Furthermore, the LDAP server 9 used by the present invention provides access to and authentication of user information externally. Specifically, in order to read user information efficiently, the LDAP (Lightweight Directory Access Protocol) protocol is used. LDAP is a lightweight directory access protocol whose advantage is that it provides a high-speed read service through a simple, clear directory structure, making it well suited to authenticating user information.
At the same time, in order to improve the security of the implementation, all relevant security policies of the system can be configured through the security policy server 10. The security policy server 10 can also obtain user information from the LDAP server 9 and, combining resource information and security policies, provide security services. Correspondingly, the security authorization server 11 of the present invention uses the user information provided by the security policy server 10, together with resource information and security policies, to judge whether a given request of a given user has the corresponding permission, and grants authorization accordingly.
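The request path through the authentication server 8 and the security authorization server 11 described above (and in the summary), as an added example that is not the patent's own code: credentials are extracted from the intercepted request, matched against the directory, and only then is the request checked against policy and forwarded or rejected with a status code. An in-memory dictionary stands in for the LDAP server 9, the policy table is constructed, and the Basic-auth credential format, the PBKDF2 password check, the 401/403 status codes and the back-end hostname are assumptions.

```python
"""Interception proxy decision: authenticate against a directory, then authorize.

Added example, not code from the patent. The in-memory DIRECTORY stands in for
the LDAP server; POLICY, the Basic-auth format, PBKDF2 verification and the
401/403 codes are assumptions.
"""
import base64
import hashlib
import hmac
import os
import posixpath
from dataclasses import dataclass


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _entry(password, groups):
    salt = os.urandom(16)                     # per-user salt
    return (salt, _pbkdf2(password, salt), frozenset(groups))


# Constructed stand-in for the LDAP directory: uid -> (salt, derived key, groups).
DIRECTORY = {
    "alice": _entry("correct horse", {"tenant-a", "admins"}),
    "bob":   _entry("battery staple", {"tenant-a"}),
}
_DUMMY_SALT = os.urandom(16)

# Constructed policy table: (group, HTTP method, permitted path prefix).
POLICY = [
    ("tenant-a", "GET",  "/app/tenant-a/"),
    ("admins",   "POST", "/app/tenant-a/admin/"),
]

BACKEND = "http://backend-http-server.internal"   # HTTP server 7 (assumed name)


@dataclass
class Request:
    method: str
    path: str
    headers: dict


def extract_credentials(request):
    """Pull (uid, password) out of an HTTP Basic Authorization header, or None."""
    scheme, _, blob = request.headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not blob:
        return None
    try:
        uid, _, password = base64.b64decode(blob, validate=True).decode().partition(":")
    except ValueError:                         # bad base64 or bad UTF-8
        return None
    return (uid, password) if uid else None


def authenticate(uid, password):
    """Match the credential against the directory. Returns the user's groups or None.
    Unknown users still cost one key derivation so timing does not reveal them."""
    entry = DIRECTORY.get(uid)
    if entry is None:
        _pbkdf2(password, _DUMMY_SALT)
        return None
    salt, stored, groups = entry
    return groups if hmac.compare_digest(_pbkdf2(password, salt), stored) else None


def authorize(groups, method, path):
    """Security authorization server: does any group of the user permit this request?
    Dot-segments are collapsed first so '/a/../b' cannot slip past a prefix rule."""
    path = posixpath.normpath(path)
    return any(g in groups and method == m and (path + "/").startswith(prefix)
               for g, m, prefix in POLICY)


def handle(request):
    """Proxy decision: ('forward', backend) or ('reject', status code)."""
    creds = extract_credentials(request)
    groups = authenticate(*creds) if creds else None
    if groups is None:
        return ("reject", 401)      # not legitimate: terminate, send status code
    if not authorize(groups, request.method, request.path):
        return ("reject", 403)      # legitimate, but no corresponding permission
    return ("forward", BACKEND)


def basic_header(uid, password):
    """Build a Basic Authorization header for a test request."""
    return {"Authorization": "Basic " + base64.b64encode(f"{uid}:{password}".encode()).decode()}
```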
Furthermore, to accommodate clustered deployment during use of the SaaS platform, a web server cluster server 15 and an application server cluster server 16 are connected to the security policy server 10.
It can be seen from the above description and the accompanying drawings that applying the present invention brings the following advantages:
1. Three mutually independent firewalls provide layered protective filtering of data communication.
2. The division into four zones allows finer-grained assignment of permissions and improves security in use.
3. The overall layout can be attached directly to an existing SaaS platform, making it easy to implement.
The above is only a preferred embodiment of the present invention and is not intended to limit it. It should be noted that those of ordinary skill in the art may make several improvements and modifications without departing from the technical principles of the present invention, and these improvements and modifications should also be regarded as falling within the scope of protection of the present invention.
Claims (1)
1. A security system architecture based on a SaaS platform, comprising a client and a database cluster device, the client and the database cluster device being able to exchange data with each other, characterised in that: three tiers of firewalls are arranged between the client and the database cluster device, forming a client zone, an isolation zone, an application service zone and a database server zone; an HTTP server is arranged in the isolation zone, and an authentication server is connected to the HTTP server; an LDAP server, a security policy server and a security authorization server are arranged in the application service zone; the database cluster device is arranged in the database server zone; the first-tier firewall isolates the client zone from the server side, so that the server side exposes only HTTP and HTTPS services externally; the second-tier firewall separates the application services from the web static resources, so that the application services serve only the isolation zone and the external interface; the third-tier firewall is used to isolate the data; the authentication server forms an interception and proxy server that intercepts all HTTP and HTTPS requests, extracts the user authentication information from them, and authenticates the legitimacy of the user by matching the user information against the data in the LDAP server, forwarding the request to the back-end HTTP server if the user is legitimate and, if not, terminating the request and sending a corresponding status code to the client; the LDAP server is used to provide access to and authentication of user information externally; the security policy server is used to configure all relevant security policies of the system, to obtain user information from the LDAP server and, combining resource information and security policies, to provide security services; the security authorization server uses the user information provided by the security policy server, together with resource information and security policies, to judge whether a given request of a given user has the corresponding permission, and grants authorization; and a web server cluster server and an application server cluster server are connected to the security policy server.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201611171693.6A CN106603535B (en) | 2016-12-17 | 2016-12-17 | Security system framework based on SaaS platform |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN106603535A CN106603535A (en) | 2017-04-26 |
| CN106603535B true CN106603535B (en) | 2019-08-20 |
Family ID: 58599806
Families Citing this family (2)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN107819856A (en) * | 2017-11-14 | 2018-03-20 | 广西巨玖文化产业有限公司 | Cultural and Creative Industries service platform based on SOA framework |
| CN109684530B (en) * | 2018-12-07 | 2024-01-30 | 新疆农垦科学院 | Information push service system based on web management and mobile phone applet application |
Citations (3)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN103051631A (en) * | 2012-12-21 | 2013-04-17 | 国云科技股份有限公司 | Unified security authentication method for PaaS platform and SaaS application system |
| CN103067344A (en) * | 2011-10-24 | 2013-04-24 | 国际商业机器公司 | Non-invasive method and equipment for automatically issuing safety regulations in cloud environment |
| CN103164828A (en) * | 2011-12-19 | 2013-06-19 | 上海博腾信息科技有限公司 | Electronic government affair system based on software as a service (SaaS) |
Family Cites Families (1)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| US8578465B2 (en) * | 2009-07-21 | 2013-11-05 | Cisco Technology, Inc. | Token-based control of permitted sub-sessions for online collaborative computing sessions |
Non-Patent Citations (3)
| Title |
|---|
| Research and application of access control under the SaaS model; Yuan Qi; China Master's Theses Full-text Database (Information Science and Technology); 2012-10-15; full text |
| Security issues in the SaaS environment; Jiao Yanting et al.; Network Security Technology & Application; 2013-01-15; full text |
| Analysis and design of an e-government application architecture based on the SaaS model; Liang Bin; Software Industry and Engineering; 2013-05-10; Chapter 3 of the text, Figures 1-4 |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20190820; Termination date: 20201217 |