1. Technical Field
The present disclosure relates generally to an apparatus, method and system for context-aware security control in a cloud environment and, more particularly, to an apparatus, method and system for controlling data transmission between a user and a cloud based on context information in network Open Systems Interconnection (OSI) layers 3 and 4 in connection with a cloud virtual desktop or cloud storage service.
2. Description of the Related Art
Context-aware security technology refers to technology for performing security functionality, such as the control of data transmission, based on context information, such as the location and device of a user and time.
A cloud service enables a remote user terminal to access and use a cloud server over a network. For this purpose, a cloud virtual desktop service provides virtual desktop interworking protocols, such as PC over IP (PCoIP), Independent Computing Architecture (ICA), the Simple Protocol for Independent Computing Environments (SPICE), etc., and a cloud storage service provides data transmission protocols, such as Hypertext Transfer Protocol (HTTP), Web Distributed Authoring and Versioning (WebDAV), etc., thereby supporting data transmission between a cloud service and a remote user terminal.
In a conventional cloud service, data transmission is controlled either by simply blocking an accessing Internet Protocol (IP) address or by deactivating a data transmission function in the cloud server or the user terminal. This conventional approach is disadvantageous, however, in that it is difficult to apply fine-grained security policies, for example to control a service based on context information such as the user's location, device information, and time.
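The contrast drawn above, as an added example that is not part of the patent text: a conventional decision that can only consult the source IP address of an OSI layer 3/4 flow, beside a context-aware decision that additionally consults user location, device and time. The port-to-service mapping, the block list and the policy rules are constructed assumptions for this illustration, not values from the disclosure.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network

# Constructed mapping of layer-4 destination ports to the cloud services named
# in the text. The port numbers are assumptions for this example only.
SERVICE_BY_PORT = {4172: "PCoIP", 1494: "ICA", 2598: "ICA", 5900: "SPICE",
                   80: "HTTP", 443: "HTTP", 8080: "WebDAV"}
DESKTOP = {"PCoIP", "ICA", "SPICE"}
STORAGE = {"HTTP", "WebDAV"}

# Constructed block list (TEST-NET-3 range) standing in for a conventional
# IP-address block rule.
BLOCKED_NETWORKS = [ip_network("203.0.113.0/24")]


@dataclass(frozen=True)
class Flow:          # layer 3/4 metadata of one connection
    src_ip: str
    dst_port: int
    proto: str       # "tcp" or "udp"


@dataclass(frozen=True)
class Context:       # context information attached to the flow
    location: str    # e.g. "office", "home", "unknown"
    device: str      # e.g. "managed-laptop", "byod-phone"
    at: time         # local time of the request


def conventional_decision(flow: Flow) -> str:
    """Conventional control: the only question is whether the source IP is blocked."""
    blocked = any(ip_address(flow.src_ip) in net for net in BLOCKED_NETWORKS)
    return "deny" if blocked else "allow"


def context_aware_decision(flow: Flow, ctx: Context) -> str:
    """Context-aware control: the IP rule still applies, then policy on context."""
    service = SERVICE_BY_PORT.get(flow.dst_port)
    if service is None or conventional_decision(flow) == "deny":
        return "deny"                      # unknown service or blocked address
    if ctx.location == "unknown":
        return "deny"                      # no trustworthy location: default deny
    if service in DESKTOP and ctx.device != "managed-laptop":
        return "deny"                      # virtual desktop only from managed devices
    if service in STORAGE and ctx.location != "office" and not time(9) <= ctx.at < time(18):
        return "deny"                      # off-site storage access only in business hours
    return "allow"
```

The same PCoIP flow from a managed laptop and from a BYOD phone gets one conventional answer but two context-aware answers, which is the fine-grained distinction the conventional method cannot express.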
As a related technology, Korean Patent Application Publication No. 10-2013-0094359 entitled “System and Method for Enhancing Authentication using Mobile Cloud Access Contextual Information” discloses a method of enhancing user authentication based on context information in a cloud service.
The invention disclosed in Korean Patent Application Publication No. 10-2013-0094359 has the advantage of diversifying authentication means or providing various access network security levels based on context information. However, since the user terminal and the authentication server perform user authentication while communicating directly with each other, a malicious attacker may be given an opportunity to attack a weak point of the authentication server.
Another related technology is disclosed in the paper entitled “Enabling Secure Location-based Services in Mobile Cloud Computing,” Proceedings of the Second ACM SIGCOMM Workshop on Mobile Cloud Computing, Yan Zhu et al., Aug. 12, 2013.