Newsletter: High Speed Rail Newsletter, Bureau of High Speed Rail, Ministry of Transportation and Communications (BOHSR)
Introduction to the BOHSR Cloud Computing Platform
Figure 1: Schematic of the bureau's cloud application service platform.

To share the bureau's existing application systems as a whole, meet the demand for services delivered through the cloud, and strengthen users' ability to log in to internal operations from outside the bureau network while providing highly secure and convenient information services, the bureau integrated its cloud service mechanism in December 2014 (ROC year 103) and completed two-factor authentication for information security, improving the secure login environment of the bureau's cloud service application platform.
1. Architecture and authentication mechanism of the bureau's cloud service application platform
‧ The bureau's cloud service application platform uses a centrally controlled terminal service (Terminal VDI) as the core of its "desktop virtualization shared cloud" application software service management platform, building a secure access management mechanism for information application systems. This mechanism uses the cloud service to separate users from any direct connection to the information application systems, ensuring the confidentiality and data security of information applications in each unit of the bureau. The bureau's cloud application server currently hosts five virtual desktop hosts, which load-balance among themselves and support load balancing across network segments (Figure 1).
‧ The system's authentication mechanism is two-factor authentication combining Microsoft Active Directory (AD) domain control with one-time passwords (OTP). Computers of users inside the bureau network do not need OTP authentication: after starting a remote desktop connection, they enter the system platform once their domain account and password are verified. Computers outside the network must pass two-stage two-factor authentication before they can log in and use the internal information systems and software authorized on the platform. Under this mechanism, after an external user starts the remote desktop connection and passes domain account and password verification, the system proceeds to OTP authentication: the user must supply a real-time dynamic password from a USB OTP token or from an OTP app installed on a personal mobile phone. Only after the OTP is confirmed and two-factor authentication is complete can the user log in to the platform's terminal service (Terminal VDI) and use the internal information systems through the platform (Figure 2).
2. Applications of the shared cloud and permission control
‧ The bureau's existing platform has established various application software clouds (software sharing, the official document system, cloud printing, and the internal bureau application systems needed for mobile work) together with a file directory management mechanism.
‧ The system's permission control is based on Microsoft AD domain control: every user logged in to the platform's terminal service is authorized to use information systems according to their AD permissions.
‧ In the future, administrative operations and training applications can both use this platform for access control and connection monitoring, so that the learning application platform is also managed securely and flexibly.
3. Benefits of the bureau's existing cloud service
‧ The shared application software cloud built on the platform provides rapid application software licensing, saving software procurement costs.
‧ The platform allows all office business (software shared through the application software cloud, the official document system, cloud printing, and internal bureau application systems) to be completed from mobile devices (mobile phones, tablets, laptops, etc.), meeting mobile office needs.
‧ The platform will integrate the bureau's internal application systems into the cloud desktop; mobile office functions allow official instructions to be issued and acted on quickly, so that official business can be handled immediately, raising the bureau's overall mobility and working efficiency.

To integrate BOHSR data and applications on the cloud, the bureau introduced an integrated cloud computing mechanism into its operation systems in December 2014. With cloud computing, user convenience is greatly enhanced while information security is assured. The BOHSR cloud computing platform is equipped with two-factor verification, which ensures secure access to the cloud application platform.
1. Structure and verification mechanism of the BOHSR cloud application platform
• The cloud computing application platform adopts Terminal VDI as the main body of the "desktop virtualization shared cloud" application platform to construct a secure access management mechanism. This mechanism blocks any direct connection between user access and the internal information systems, ensuring data security and the confidentiality of application information in each internal division. Currently five virtual desktop terminals are connected to the cloud application server; the terminals balance workload among themselves and support cross-network balancing (Figure 1).
• The two-factor verification consists of Microsoft Active Directory (AD) domain control and One Time Password (OTP) verification. When a user is connected to the internal network and opens a remote desktop connection, the user can access the platform by entering the domain username and password; when an external user wants to log on to the system, the user has to go through two-factor verification to gain access to authorized data and software. Under this mechanism, after connecting to the remote desktop and entering domain credentials, the system proceeds with OTP verification, where the external user enters the password provided by a USB OTP token or an OTP app. After two-factor verification succeeds, the external user is logged on to the Terminal VDI and gains access to internal system data (Figure 2).
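The two-stage login described in sections 1 above (internal clients need only domain credentials; external clients must also present an OTP), as an added Python model that is not the bureau's or the platform's code. The internal address range, the user store, the salt and the OTP seed are constructed for illustration; the OTP is computed as an RFC 6238 TOTP, which is what OTP apps and tokens commonly implement.

```python
import hashlib, hmac, ipaddress, struct, time

# Assumed internal range; a real deployment would take this from its network plan.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
_SALT = b"constructed-salt"  # constructed; real password stores use a per-user salt


def _pw_hash(password):
    """Stand-in for domain credential verification (PBKDF2-SHA256, 100k rounds)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


# Constructed stand-in for the AD domain: username -> password hash + OTP seed.
# The OTP seed is the RFC 6238 test-vector secret, so codes can be checked offline.
USERS = {"alice": {"pw": _pw_hash("correct horse"), "otp_secret": b"12345678901234567890"}}


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1: counter = floor(now / step), dynamic truncation."""
    counter = struct.pack(">Q", int(now) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def is_internal(src_ip):
    return any(ipaddress.ip_address(src_ip) in net for net in INTERNAL_NETS)


def login(user, password, src_ip, otp_code=None, now=None):
    """Return (allowed, reason). Stage 1: domain credentials. Stage 2, external only: OTP."""
    now = time.time() if now is None else now
    rec = USERS.get(user)
    if rec is None or not hmac.compare_digest(rec["pw"], _pw_hash(password)):
        return False, "domain credentials rejected"
    if is_internal(src_ip):
        return True, "internal network: domain credentials sufficient"
    if otp_code is None or not otp_code.isdigit():
        return False, "external network: OTP required"
    # Accept the current step and one step either side to tolerate token clock drift.
    for drift in (-1, 0, 1):
        if hmac.compare_digest(otp_code, totp(rec["otp_secret"], now + step_drift(drift))):
            return True, "external network: two-factor login accepted"
    return False, "OTP rejected"


def step_drift(drift, step=30):
    return drift * step
```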
2. Application clouds and authorization management
• Currently in BOHSR, mature and running applications include the application sharing platform, the official documentation system, the cloud printing application and internal mobile administration. In addition, the archive management system is also generally used by BOHSR staff.
• The permission control mechanism of the system is based on Microsoft AD domain control, in which the responsibilities and limits of logged-on users are defined by the Microsoft AD system.
• In the future, this platform can be used to access administration and training information and to monitor ongoing connections. The platform will provide an accessible learning space for employees and act as a flexible management tool for administrators.
3. Benefits of the BOHSR cloud service
• With shared access to software via this platform, authorization of software access will be more efficient and software procurement expenditure will be saved.
• Office work can be processed via application platforms such as the application sharing platform, the official documentation system, the cloud printing application and the internal mobile administration system, which are accessible from mobile devices (e.g. cell phones, tablets, laptops).
• The platform will integrate all bureau applications into the cloud desktop, resulting in efficient response to office orders and actions. This will make a great difference in the overall efficiency and effectiveness of work in BOHSR.

Figure 2: Schematic of two-factor authentication login to the remote desktop connection service.