大数据时代政务云安全风险估计及其审计运行研究
|
摘要
云计算实践推进了政府以云技术为支持与多源大数据相融合的政务服务云建设。然而,政务云面临着严峻的安全问题,大数据泄露、内部滥用、外部侵袭以及技术漏洞等诸多风险因素制约着政务云的正常运行,基于风险导向模式开展政务云安全审计势在必行,其通过监控威胁行为与挖掘安全事件进行审计取证,促进云模式在电子政务领域的广泛应用。在理论回顾基础上,分析大数据下政务云安全风险评估方式并例证阐释,通过云提供商和云租户之间的责任划分建立政务云安全审计运行框架,基于管理、技术以及标准三个维度探索政务云安全审计的运行保障,旨在为大数据时代政务云安全管理实践提供建设性思路。
The cloud computing practice has promoted the construction of government cloud with the government's cloud technology as the support and integration with multi-sources big data. However,the government cloud is faced with some serious security issues. Many risk factors such as big data leakage,internal abuse,external invasion,and technological loopholes,restrict the effective operation of the government cloud. It is imperative to carry out government cloud security audit based on the risk-oriented model. Through the monitoring of threat behavior and mining security incidents for audit forensics,the cloud model is widely used in the field of e-government. Based on the theoretical review,this paper analyzes the cloud security risk assessment methods under big data and exemplifies the validity of them. It establishes a government cloud security audit framework through the division of responsibilities between cloud providers and cloud tenants,and uses the three dimensions of management,technology,and standards to provide the operational protection of the government's cloud security audit with an aim to find constructive ideas for government cloud security management practices in the era of big data.
The cloud computing practice has promoted the construction of government cloud with the government's cloud technology as the support and integration with multi-sources big data. However,the government cloud is faced with some serious security issues. Many risk factors such as big data leakage,internal abuse,external invasion,and technological loopholes,restrict the effective operation of the government cloud. It is imperative to carry out government cloud security audit based on the risk-oriented model. Through the monitoring of threat behavior and mining security incidents for audit forensics,the cloud model is widely used in the field of e-government. Based on the theoretical review,this paper analyzes the cloud security risk assessment methods under big data and exemplifies the validity of them. It establishes a government cloud security audit framework through the division of responsibilities between cloud providers and cloud tenants,and uses the three dimensions of management,technology,and standards to provide the operational protection of the government's cloud security audit with an aim to find constructive ideas for government cloud security management practices in the era of big data.
引文
[1]刘国城.基于过程的电子政务云安全审计模式研究[J].新疆大学学报:哲学·人文社会科学版,2016(1):28-35.
[2]Kandias M,Virvilis N,Gritzalis D.The insider threat in cloud computing[J].Springer Berlin Heidelberg,2013,83(10):93-103.
[3]姜茸,马自飞,李彤,等.云计算安全风险因素挖掘及应对策略[J].现代情报,2015(1):85-90.
[4]王国峰,刘川意,潘鹤中,等.云计算模式内部威胁综述[J].计算机学报,2017(2):296-316.
[5]Wang P,Lin W H,Kuo P T,et al.Threat risk analysis for cloud security based on attack-defense trees[J].International Conference on Computing Technology,2012,1(2):106-111.
[6]张银燕,李弼程,崔家玮.基于云贝叶斯网络的目标威胁评估方法[J].计算机科学,2013(10):127-131.
[7]高杨,李东生,雍爱霞.结合网络层次分析法的云推理威胁评估模型[J].计算机应用研究,2016(11):3430-3434.
[8]Lee C,Kim S,Yeo Y,et al.Proposal of security requirements based on layers and roles for the srandardization of cloud computing security technology[J].Journal of Security Engineering,2013,10(4):473-488.
[9]张晓娟,郭娟.国外政府云计算安全标准建设及启示[J].电子政务,2016(4):83-90.
[10]林果园,贺珊,黄皓,等.基于行为的云计算访问控制安全模型[J].通信学报,2012(3):59-66.
[11]王于丁,杨家海,徐聪,等.云计算访问控制技术研究综述[J].软件学报,2015(5):1129-1150.
[12]Kim C S,Jang B I,Jung H K.A study on the security technology for introduction the secure cloud computing service[J].Journal of Security Engineering,2013,10(5):567-580.
[13]冯朝胜,秦志光,袁丁.云数据安全存储技术[J].计算机学报,2015(1):150-163.
[14]马友忠,孟小峰.云数据管理索引技术研究[J].软件学报,2015(1):145-166.
[15]Gilbert P,Chun B G,Cox L P,et al.Vision:automated security validation of mobile apps at app markets[A].The second international Workshop on Mobile Cloud Computing and Services[C].ACM,2011.
[16]闫莉,石润华,仲红,等.移动云计算环境中基于身份代理签名的完整性检测协议[J].通信学报,2015(10):278-286.
[17]Oberheide J,Veeraraghavan K,Cooke E,et al.Virtualized in-cloud security services for mobiledevices[C].New York,USA:ACM,2008.
[18]张伟,王汝传,李鹏.基于云安全环境的蠕虫传播模型[J].通信学报,2012(4):17-24.
[19]Chow R,Jakobsson M,Masuoka R,et al.Authentication in the clouds:a framework and its application to mobile users[C].New York,USA:ACM,2010.
[20]王中华,韩臻,刘吉强,等.云环境下基于PTPM和无证书公钥的身份认证方案[J].软件学报,2016(6):1523-1537.
[21]姜茸,张秋瑾,李彤,等.电子政务云安全风险分析[J].现代情报,2014(12):12-16.
[22]程桂枝,于秀娟.新技术环境下政务系统应用安全研究[J].科技管理研究,2014(12):165-169.
[23]章谦骅,章坚武.基于云安全技术的智慧政务云解决方案[J].电信科学,2017(3):107-111.
[24]胡俊,张熠,黄传河.基于云平台的政务信息系统的访问控制设计[J].华中科技大学学报:自然科学版,2013(12):147-151.
[25]李卫东,徐晓林.云政务信息资源共享的国家安全隐患及安全保障机制研究[J].华中科技大学学报:社会科学版,2017(6):90-97.
[26]彭友,王延章.信息系统内部安全审计机制[J].北京交通大学学报,2009(2):112-116.
[27]丁楠.基于机器学习的大学生自杀风险预测与分析[J].现代电子技术,2017(21):91-97.
[28]林云威,陆冬青,彭勇.基于D-S证据理论的电厂工业控制系统信息安全风险评估[J].华东理工大学学报:自然科学版,2014(8):500-505.
[29]薛晔,蔺琦珠,任耀.我国通货膨胀风险的预测模型——基于决策树与BP神经网络[J].经济问题,2016(1):82-89.
[30]肖奎喜,王满四,倪海鹏.供应链模式下的应收账款风险研究——基于贝叶斯网络模型的分析[J].会计研究,2011(11):65-71.
[31]Shannon C E.A Mathematical theory of communication[J].The Bell System Technical Journal,1948,27(3):378-656.
[32]刘国城,王会金.基于AHP和熵权的信息系统审计风险评估研究与实证分析[J].审计研究,2016(1):53-59.
[33]付钰,吴晓平,叶清,等.基于模糊集与熵权理论的信息系统安全风险评估研究[J].电子学报,2010(7):1489-1494.
[34]刘国城.基于大数据过程挖掘的互联网安全审计过程建模研究[J].兰州学刊,2018(3):95-106.
[35]王志英,葛世伦,苏翔.云用户数据安全风险感知乐观偏差及其影响实证[J].管理评论,2016(9):121-133.
[36]王会金.政府审计协同治理的研究态势、理论基础与模式构建[J].审计与经济研究,2016(6):3-11.
[37]丁滟,王怀民,史佩昌,等.可信云服务[J].计算机学报,2015(1):133-149.
[2]Kandias M,Virvilis N,Gritzalis D.The insider threat in cloud computing[J].Springer Berlin Heidelberg,2013,83(10):93-103.
[3]姜茸,马自飞,李彤,等.云计算安全风险因素挖掘及应对策略[J].现代情报,2015(1):85-90.
[4]王国峰,刘川意,潘鹤中,等.云计算模式内部威胁综述[J].计算机学报,2017(2):296-316.
[5]Wang P,Lin W H,Kuo P T,et al.Threat risk analysis for cloud security based on attack-defense trees[J].International Conference on Computing Technology,2012,1(2):106-111.
[6]张银燕,李弼程,崔家玮.基于云贝叶斯网络的目标威胁评估方法[J].计算机科学,2013(10):127-131.
[7]高杨,李东生,雍爱霞.结合网络层次分析法的云推理威胁评估模型[J].计算机应用研究,2016(11):3430-3434.
[8]Lee C,Kim S,Yeo Y,et al.Proposal of security requirements based on layers and roles for the srandardization of cloud computing security technology[J].Journal of Security Engineering,2013,10(4):473-488.
[9]张晓娟,郭娟.国外政府云计算安全标准建设及启示[J].电子政务,2016(4):83-90.
[10]林果园,贺珊,黄皓,等.基于行为的云计算访问控制安全模型[J].通信学报,2012(3):59-66.
[11]王于丁,杨家海,徐聪,等.云计算访问控制技术研究综述[J].软件学报,2015(5):1129-1150.
[12]Kim C S,Jang B I,Jung H K.A study on the security technology for introduction the secure cloud computing service[J].Journal of Security Engineering,2013,10(5):567-580.
[13]冯朝胜,秦志光,袁丁.云数据安全存储技术[J].计算机学报,2015(1):150-163.
[14]马友忠,孟小峰.云数据管理索引技术研究[J].软件学报,2015(1):145-166.
[15]Gilbert P,Chun B G,Cox L P,et al.Vision:automated security validation of mobile apps at app markets[A].The second international Workshop on Mobile Cloud Computing and Services[C].ACM,2011.
[16]闫莉,石润华,仲红,等.移动云计算环境中基于身份代理签名的完整性检测协议[J].通信学报,2015(10):278-286.
[17]Oberheide J,Veeraraghavan K,Cooke E,et al.Virtualized in-cloud security services for mobiledevices[C].New York,USA:ACM,2008.
[18]张伟,王汝传,李鹏.基于云安全环境的蠕虫传播模型[J].通信学报,2012(4):17-24.
[19]Chow R,Jakobsson M,Masuoka R,et al.Authentication in the clouds:a framework and its application to mobile users[C].New York,USA:ACM,2010.
[20]王中华,韩臻,刘吉强,等.云环境下基于PTPM和无证书公钥的身份认证方案[J].软件学报,2016(6):1523-1537.
[21]姜茸,张秋瑾,李彤,等.电子政务云安全风险分析[J].现代情报,2014(12):12-16.
[22]程桂枝,于秀娟.新技术环境下政务系统应用安全研究[J].科技管理研究,2014(12):165-169.
[23]章谦骅,章坚武.基于云安全技术的智慧政务云解决方案[J].电信科学,2017(3):107-111.
[24]胡俊,张熠,黄传河.基于云平台的政务信息系统的访问控制设计[J].华中科技大学学报:自然科学版,2013(12):147-151.
[25]李卫东,徐晓林.云政务信息资源共享的国家安全隐患及安全保障机制研究[J].华中科技大学学报:社会科学版,2017(6):90-97.
[26]彭友,王延章.信息系统内部安全审计机制[J].北京交通大学学报,2009(2):112-116.
[27]丁楠.基于机器学习的大学生自杀风险预测与分析[J].现代电子技术,2017(21):91-97.
[28]林云威,陆冬青,彭勇.基于D-S证据理论的电厂工业控制系统信息安全风险评估[J].华东理工大学学报:自然科学版,2014(8):500-505.
[29]薛晔,蔺琦珠,任耀.我国通货膨胀风险的预测模型——基于决策树与BP神经网络[J].经济问题,2016(1):82-89.
[30]肖奎喜,王满四,倪海鹏.供应链模式下的应收账款风险研究——基于贝叶斯网络模型的分析[J].会计研究,2011(11):65-71.
[31]Shannon C E.A Mathematical theory of communication[J].The Bell System Technical Journal,1948,27(3):378-656.
[32]刘国城,王会金.基于AHP和熵权的信息系统审计风险评估研究与实证分析[J].审计研究,2016(1):53-59.
[33]付钰,吴晓平,叶清,等.基于模糊集与熵权理论的信息系统安全风险评估研究[J].电子学报,2010(7):1489-1494.
[34]刘国城.基于大数据过程挖掘的互联网安全审计过程建模研究[J].兰州学刊,2018(3):95-106.
[35]王志英,葛世伦,苏翔.云用户数据安全风险感知乐观偏差及其影响实证[J].管理评论,2016(9):121-133.
[36]王会金.政府审计协同治理的研究态势、理论基础与模式构建[J].审计与经济研究,2016(6):3-11.
[37]丁滟,王怀民,史佩昌,等.可信云服务[J].计算机学报,2015(1):133-149.