An endless variety of demands on electronic transaction web sites has attracted a large number of Independent Software Vendors (ISVs), which has led to an increasing enrichment of the range of e-commerce-related products being developed and used.
In the e-commerce cloud environment, ISVs purchase cloud hosts (e.g., on Amazon Web Services™, Microsoft Cloud™, etc.) and use the business accounts of transaction websites to obtain high-value commercial data from the open platforms of those websites (e.g., the Taobao Open Platform (TOP)). However, when services (e.g., e-commerce services) built on this high-value commercial data are deployed on cloud hosts and exposed to wide area networks, access to them is governed by the service's own account system (e.g., service accounts). According to conventional art, the security capabilities of these service accounts are weak (e.g., insecure) in comparison to the business accounts on the transaction websites.
For example, for services managed remotely (e.g., Windows remote desktop or Linux SSH), using such means as brute force cracking, enumeration, or weak-password attempts, hackers are able to invade cloud hosts directly to perform illegal operations and steal data. As another example, for services managed through website back ends, there is a similar risk that the website account system can be hacked. These services are also subject to various types of web attacks, such as Structured Query Language (SQL) injection, Cross-Site Scripting (XSS) attacks, and file upload attacks.
Once a cloud hosting service is successfully invaded by a hacker, there is a risk of data leaks and even deletion of logs such as the remote logon log. Once the logs have been destroyed after a successful attack, the attacker's activities become difficult to trace. In addition, because the service accounts and the business accounts are not associated, investigations into such attacks are difficult.
According to conventional art, host security issues are generally addressed by using firewalls. For example, the system firewall can be configured with rules that restrict access to the service on a designated port to designated IP addresses. The client transmits a request to the cloud host from an authorized IP address, whereupon the service's own account system performs authentication; once authentication passes, the service can be used normally. Although such a solution reduces the scope of potential attacks, it does not strengthen the security of the account system of the cloud hosting service itself. Additionally, because client IP addresses change frequently and multiple clients may share the same IP address, restricting access to a designated port to designated IP addresses reduces the flexibility of service privilege control and results in insufficient control granularity.
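The following is an added example, not part of the original text, illustrating the two points above from a defender's side: spotting the brute-force and weak-password attempts against remote management (Linux SSH here) in the host's logon log, and checking successful logons against the designated IP addresses that a conventional firewall rule would allow. The sshd log lines, the threshold of five failures, and the RFC 5737 documentation addresses are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample sshd log lines (not from the original text).
SAMPLE_LOG = """\
Mar  3 10:01:01 host sshd[1201]: Failed password for root from 203.0.113.7 port 50122 ssh2
Mar  3 10:01:02 host sshd[1201]: Failed password for root from 203.0.113.7 port 50123 ssh2
Mar  3 10:01:03 host sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 50124 ssh2
Mar  3 10:01:04 host sshd[1203]: Failed password for invalid user test from 203.0.113.7 port 50125 ssh2
Mar  3 10:01:05 host sshd[1204]: Failed password for root from 203.0.113.7 port 50126 ssh2
Mar  3 10:02:10 host sshd[1210]: Accepted password for deploy from 198.51.100.20 port 40000 ssh2
Mar  3 10:05:30 host sshd[1220]: Accepted publickey for deploy from 192.0.2.10 port 41000 ssh2
Mar  3 10:06:00 host sshd[1221]: Failed password for deploy from 192.0.2.10 port 41001 ssh2
"""

# Matches both "Failed password for root from ..." and
# "Failed password for invalid user admin from ..." forms.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

def parse_sshd(text):
    """Yield (result, user, ip) for each recognised sshd authentication line."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("result"), m.group("user"), m.group("ip")

def brute_force_sources(text, threshold=5):
    """Return {ip: failure_count} for sources at or above the failure threshold."""
    failures = Counter(ip for result, _, ip in parse_sshd(text) if result == "Failed")
    return {ip: n for ip, n in failures.items() if n >= threshold}

def logins_outside_allowlist(text, allowed_ips):
    """Return [(user, ip)] for successful logons from IPs outside the designated set."""
    return [(user, ip) for result, user, ip in parse_sshd(text)
            if result == "Accepted" and ip not in allowed_ips]

if __name__ == "__main__":
    print("brute-force sources:", brute_force_sources(SAMPLE_LOG))
    print("logons outside allowlist:", logins_outside_allowlist(SAMPLE_LOG, {"192.0.2.10"}))
```

Because the checks read the logon log, they are only as good as the log's survival; shipping the log off-host before an intruder can delete it is what keeps the tracing described above possible.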