Title

建構雲端環境資料安全存取模型暨績效評估

Parallel title

Construction and Efficiency Evaluation of a Secure Data Access Model in the Cloud Computing Environment

Authors

陳志誠(Patrick S. Chen);劉用貴(Yong-Kuei Liu)

Keywords

cloud computing ; information security ; active authentication ; multi-level security ; distributed data access

Journal

Journal of Information Management (資訊管理學報)

Volume and issue / publication date

Vol. 23, No. 1 (2016/01/01)

Pages

1 - 32

Language

Traditional Chinese

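Chinese abstract

As the threat of unauthorized access in cloud environments grows more serious, the risks facing network services increase by the day. Whether cloud service providers themselves are capable of keeping customer data secure and preventing unauthorized users from accessing or destroying data has become the issue cloud users care about most. To ensure the confidentiality and integrity of cloud users' data, it is extremely important to strengthen the security of user data in transit and in storage while improving the efficiency of access to large volumes of data. This study proposes a new approach: an active authentication and scheduling method that makes distributed database access more secure and more efficient. It comprises "active identity authentication", "secure isolation and data exchange", "priority-based multi-level scheduling control", "distributed access methods" and "RC4 encryption and decryption". A user operation must pass active authentication by the private cloud to obtain an authorization code; its data must be encrypted and then pass through a dedicated channel with secure isolation and data exchange before it can enter the private cloud, obtain access rights and carry out transactions. To improve transaction efficiency, we recommend combining priority-based multi-level secure scheduling to perform secure distributed data access. Experiments show that the altruistic locking (AL) scheduling policy makes distributed database access more efficient. Priority and multi-level security were combined and simulated through database views, achieving secure data access. The results show that sound access control must start with controlling "read" operations, which resolves most improper-access threats; the study also found that serializing the scheduling of "write" operations effectively prevents deadlocks. The study shows that this secure cloud data access architecture effectively curbs unauthorized access, increases transaction concurrency and improves data access performance. The experimental results show that, in a private cloud using priority-based multi-level security and distributed database access, AL completes transactions faster and more effectively: it commits shorter transactions as early as possible, reduces transaction rollbacks and avoids deadlocks. A comparison of two sets of experiments verifies that, in a private-cloud distributed database with "priority-based multi-level security and locking", AL outperforms traditional two-phase locking (2PL); using AL as the scheduling mechanism does yield better performance, which demonstrates the usability of the proposed architecture.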

English abstract

Purpose - Due to the growth of intelligent attacks, internet service providers are facing more and more risks. It has become a big concern, especially in the emerging cloud computing environment, whether the service providers have the capability to properly protect users' data from attacks and prevent unauthorized access. Design/methodology/approach - In order to meet the information security requirements of confidentiality, integrity and availability with consideration of access efficiency in the presence of a huge amount of data, we proposed an efficient and secure data access model covering active authentication, encryption/decryption, and access to databases. Findings - Through experiments, we found that the control of "read" will solve most unauthorized access problems and serialization of "write" will avoid deadlocks. Research limitations/implications - We designed a multi-layered, distributed database system and proposed a secure access model in which only two locking mechanisms, two-phase locking and altruistic locking, are compared. Other mechanisms are not considered in this study. Practical implications - A prototype was implemented to test the applicability of the proposed model. The system first authenticates a user and then assigns him a ticket. This process accomplishes fine-grained access control. After analyzing the data obtained from the experiments, we found that the proposed data access model is well suited for the cloud computing environment in terms of security and efficiency. Originality/value - This study proposes a new approach to system security, permitting distributed database access and efficient scheduling. The system allows active identity verification, secure data isolation and information exchange, multi-level scheduling based on priorities, distributed access control and use of encryption technology.

Subject classification

Basic and Applied Sciences > Information Science
Social Sciences > Management
Cited by
  1. (2020)。雲深不知處─行動雲端服務創新模式與演進。產業與管理論壇,22(2),38-64。