CN112199691A - Privileged account management middle platform system - Google Patents

Privileged account management middle platform system

Info

Publication number
CN112199691A
CN112199691A
Authority
CN
China
Prior art keywords
engine
password
privileged
account
accounts
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010976714.1A
Other languages
Chinese (zh)
Inventor
董明
邓祯恒
顾伟
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Guangzhou Haiyi Information Security Technology Co ltd
Original Assignee
Guangzhou Haiyi Information Security Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2020-09-16
Filing date
2020-09-16
Publication date
2021-01-08
Application filed by Guangzhou Haiyi Information Security Technology Co ltd
Priority to CN202010976714.1A
Publication of CN112199691A
Legal status: Pending

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/60 Protecting data > G06F21/602 Providing cryptographic facilities or services
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/70 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer > G06F21/71 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information > G06F21/72 Protecting specific internal or peripheral components, in which the protection of a component leads to protection of the entire computer to assure secure computing or processing of information in cryptographic circuits
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00 Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21 Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/2141 Access rights, e.g. capability lists, access control lists, access tables, access matrices

Abstract

The invention provides a privileged account management middle-platform system comprising a southbound engine, a policy engine and a northbound engine. The southbound engine manages the privileged accounts of an enterprise data center; the policy engine checks and analyzes the compliance of those privileged accounts; and the northbound engine provides the password-consumption capability for the privileged accounts managed by the southbound engine. Compared with the prior art, the invention has the following beneficial effect: management and operation and maintenance are automated, and the passwords of the automatically managed privileged accounts are delivered to applications through the northbound engine, so that enterprise application services remain orderly and uninterrupted.

Description

Privileged account management middle platform system
Technical Field
The invention belongs to the field of privileged password management middle platforms and in particular relates to a privileged account management middle-platform system.
Background
For a long time, owing to limited IT maturity, most privileged accounts stayed in the hands of system administrators, so privileged account management was limited to access admission control and auditing. In recent years, with the growth of cloud computing, the Internet of Things and 5G, privileged accounts have multiplied and are now everywhere: IoT sensing devices, automation tools, big-data platforms and the like, and IT systems associate with or invoke privileged accounts at all times. The full life cycle of privileged accounts has therefore moved beyond the reach of manual custody and admission auditing, and a central privileged account management system that provides southbound management and northbound consumption is required.
Disclosure of Invention
In view of the defects of the prior art, the invention aims to provide a privileged account management middle-platform system that solves the problems described in the background.
The technical scheme of the invention is as follows: a privileged account management middle-platform system comprises a southbound engine, a policy engine and a northbound engine, wherein the southbound engine manages the privileged accounts of an enterprise data center;
the policy engine checks and analyzes the compliance of the privileged accounts;
the northbound engine provides the password-consumption capability for the privileged accounts managed by the southbound engine.
In a preferred embodiment, the southbound engine comprises four parts: account discovery, account management, usage auditing and threat analysis;
account discovery performs real-time or scheduled detection, scanning and discovery of the enterprise's accounts: a given target is scanned, the results are analyzed and presented as charts so that an enterprise or organization can see the distribution of its privileged accounts on a scan overview page; after the scan the accounts are summarized, evaluated and classified, and the classified privileged accounts are actively onboarded into the privileged account management middle-platform system for unified automated operation and maintenance;
account management manages the privileged accounts in enterprise resources centrally and provides unified single sign-on, password auto-fill and privilege partitioning. Unified single sign-on gives users a single sign-on entry point and verifies their identity at sign-on, so that only legitimate users gain access; with password auto-fill, when a user who has logged in to the system wants to access a target, the system fills in the target's password on the user's behalf, so users never need to know the password and the password stays protected; privilege partitioning divides each user's right to use privileged accounts at fine granularity, keeping every person's privileges minimal and justified;
usage auditing provides real-time session monitoring and auditing: real-time session monitoring records the session a user conducts after logging in to the system, and also lets an auditor watch on terminal B the operations an operator performs on terminal A and intervene to terminate the session if the operator's behaviour is judged unsafe; auditing stores the session as video or text in a central location for later tracing and attribution;
threat analysis gathers extended network and system information for the accounts taken over from the various systems, analyzes and learns from the monitored objects' data to judge abnormal behaviour and raise threat warnings, and establishes a privileged account behaviour monitoring mechanism that detects and warns of abnormal privileged account behaviour in real time.
In a preferred embodiment, the policy engine comprises four parts: a first policy engine, a second policy engine, a third policy engine and a fourth policy engine;
the first policy engine controls access to privileged accounts: for example, when a sensitive privileged account in the enterprise needs to be used, an approval workflow is started and the account may be used only after the responsible superior has approved; or, when a third-party external person needs to use an account, one-time password access is configured and the account's password is changed immediately after that person has finished using it, so that the password stays secure;
the second policy engine manages password policy: once the policies are customized, the system automatically generates passwords that meet the configured strength and complexity requirements, and periodic password verification and password change can be scheduled, after which the system performs them automatically;
the third policy engine manages the audit retention period: the system sets the retention time required for audit logs so as to meet the enterprise's audit log retention requirements;
the fourth policy engine manages the threat analysis policy: through the threat analysis policy settings the system can raise accurate real-time alarms on attacks in progress, markedly shortening the attacker's window of opportunity and reducing losses, while detailed information about the attack is available promptly, speeding up remediation.
In a preferred embodiment, the northbound engine comprises four parts: a first consumption engine, a second consumption engine, a third consumption engine and a fourth consumption engine;
the first consumption engine addresses passwords stored in middleware, application code, configuration files and scripts: every highly sensitive plaintext password is replaced by a function call and the passwords themselves are stored centrally and securely in the system, so that the enterprise can meet internal and external audit compliance requirements, rotate passwords regularly and monitor privileged access to all systems, databases and applications;
the second consumption engine addresses usage in automation tools and containerized environments such as DevOps pipelines, Jenkins and Ansible, providing fast automated bulk onboarding of the privileged accounts scattered across those tools and delivering passwords through API calls so that plaintext passwords never land on disk;
the third consumption engine serves lightweight applications that need to supply a password frequently: the password is obtained over an encrypted network call, which is both secure and very flexible;
the fourth consumption engine provides interfaces of various kinds and supports different development languages, such as .NET, Java, C, C++, VBScript and command-line tools, giving good multi-language support.
With the above technical scheme, the invention has the following beneficial effects: management and operation and maintenance are automated, and the passwords of the automatically managed privileged accounts are delivered to applications through the northbound engine, so that enterprise application services remain orderly and uninterrupted.
Drawings
To illustrate the embodiments of the invention or the technical solutions of the prior art more clearly, the drawings used in describing them are briefly introduced below. Clearly, the drawings described below show only some embodiments of the invention, and a person skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic structural diagram of the privileged account management middle-platform system of the invention;
FIG. 2 is a schematic structural diagram of the southbound engine in the embodiment;
FIG. 3 is a schematic diagram of the policy engine in the embodiment;
FIG. 4 is a schematic structural diagram of the northbound engine in the embodiment.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to Fig. 1, the invention provides the following technical solution: a privileged account management middle-platform system comprises a southbound engine, a policy engine and a northbound engine. The southbound engine automatically discovers and actively onboards the privileged accounts of the enterprise data center, including all privileged accounts on operating systems, databases, network devices, security devices, industrial control devices, virtualization and automation tools and cloud platforms, and then manages the onboarded privileged accounts automatically across their whole life cycle without manual intervention.
The policy engine checks and analyzes the compliance of the privileged accounts, so that the data center's privileged account management meets laws, regulations and standards such as the Cryptography Law, the Cybersecurity Law and the baseline requirements for classified protection of cybersecurity (for example the requirements on password complexity, password change frequency and periodic password verification); an approval workflow is also started for highly privileged accounts to ensure that they are used safely and reliably.
The northbound engine provides the password-consumption capability for the privileged accounts managed by the southbound engine: for example, after the password of a privileged account has been changed by the southbound engine, the northbound engine ensures that the dependent service keeps running uninterrupted and in order. The privileged accounts of enterprise resources thus gain full life-cycle capability: they are managed by the southbound engine and their passwords are consumed through the northbound engine.
Referring to Fig. 2, the southbound engine comprises four parts: account discovery, account management, usage auditing and threat analysis;
account discovery performs real-time or scheduled detection, scanning and discovery of the enterprise's accounts: a given target is scanned, the results are analyzed and presented as charts so that an enterprise or organization can see the distribution of its privileged accounts on a scan overview page; after the scan the accounts are summarized, evaluated and classified, and the classified privileged accounts are actively onboarded into the privileged account management middle-platform system for unified automated operation and maintenance;
account management manages the privileged accounts in enterprise resources centrally and provides unified single sign-on, password auto-fill and privilege partitioning. Unified single sign-on gives users a single sign-on entry point and verifies their identity at sign-on, so that only legitimate users gain access; with password auto-fill, when a user who has logged in to the system wants to access a target, the system fills in the target's password on the user's behalf, so users never need to know the password and the password stays protected; privilege partitioning divides each user's right to use privileged accounts at fine granularity, keeping every person's privileges minimal and justified;
usage auditing provides real-time session monitoring and auditing: real-time session monitoring records the session a user conducts after logging in to the system, and also lets an auditor watch on terminal B the operations an operator performs on terminal A and intervene to terminate the session if the operator's behaviour is judged unsafe; auditing stores the session as video or text in a central location for later tracing and attribution;
threat analysis gathers extended network and system information for the accounts taken over from the various systems, analyzes and learns from the monitored objects' data to judge abnormal behaviour and raise threat warnings, and establishes a privileged account behaviour monitoring mechanism that detects and warns of abnormal privileged account behaviour in real time.
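The account discovery step of the southbound engine (scan, summarize, evaluate, classify, onboard), described here and in the Disclosure section above, can be made concrete with the following added example. It is not code from the patent or its assignee. It scans constructed /etc/passwd, /etc/group and sudoers content for a single Linux host, classifies each account, and produces the per-class counts a scan overview page would show; the UID boundary, the set of root-equivalent groups and the risk labels are assumptions.

```python
"""Privileged account discovery and classification on a Linux host.

Added example, not code from the patent or its assignee. Input is constructed
/etc/passwd, /etc/group and sudoers content; the UID boundary and the set of
root-equivalent groups are assumptions a real scanner would take from policy.
"""
from dataclasses import dataclass, field

# Constructed sample input (not captured from a real host).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
toor:x:0:0:backup root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
jenkins:x:998:998:CI agent:/var/lib/jenkins:/bin/bash
postgres:x:999:999:PostgreSQL:/var/lib/postgresql:/bin/bash
"""
GROUP = """\
root:x:0:
sudo:x:27:alice
docker:x:995:bob,jenkins
"""
SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
%sudo ALL=(ALL:ALL) ALL
jenkins ALL=(ALL) NOPASSWD: /usr/bin/systemctl
"""

SYSTEM_UID_MAX = 1000                               # Debian convention (assumption)
ADMIN_GROUPS = {"root", "sudo", "wheel", "docker"}  # docker membership is root-equivalent


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    groups: set = field(default_factory=set)
    sudo_rules: list = field(default_factory=list)
    reasons: list = field(default_factory=list)
    risk: str = "standard"


def parse_passwd(text):
    accounts = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, _gid, _gecos, _home, shell = line.split(":")
            accounts[name] = Account(name, int(uid), shell)
    return accounts


def parse_group(text, accounts):
    for line in filter(None, text.splitlines()):
        gname, _pw, _gid, members = line.split(":")
        for member in filter(None, members.split(",")):
            if member in accounts:
                accounts[member].groups.add(gname)


def parse_sudoers(text, accounts):
    # User and %group specifications only; Defaults and include directives are skipped.
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) != 2 or parts[0].startswith(("#", "Defaults", "@")):
            continue
        who, spec = parts
        if who.startswith("%"):
            targets = [a for a in accounts.values() if who[1:] in a.groups]
        else:
            targets = [accounts[who]] if who in accounts else []
        for acct in targets:
            acct.sudo_rules.append(spec)


def classify(acct):
    """Record why an account is privileged; 'review' flags oddities that are not privilege."""
    admin = acct.groups & ADMIN_GROUPS
    interactive = not acct.shell.endswith(("nologin", "false"))
    if acct.uid == 0:
        acct.reasons.append("uid 0")
    if admin:
        acct.reasons.append("admin group: " + ",".join(sorted(admin)))
    if any("NOPASSWD" in rule for rule in acct.sudo_rules):
        acct.reasons.append("passwordless sudo")
    elif acct.sudo_rules:
        acct.reasons.append("sudo rule")
    privileged = bool(acct.reasons)
    if 0 < acct.uid < SYSTEM_UID_MAX and interactive:
        acct.reasons.append("service account with login shell")
    acct.risk = "privileged" if privileged else ("review" if acct.reasons else "standard")
    return acct


def discover(passwd=PASSWD, group=GROUP, sudoers=SUDOERS):
    """Scan, summarize and classify, as the account-discovery step describes."""
    accounts = parse_passwd(passwd)
    parse_group(group, accounts)
    parse_sudoers(sudoers, accounts)
    return {name: classify(acct) for name, acct in accounts.items()}


def overview(results):
    # Counts per risk class: the numbers behind a scan overview page.
    summary = {}
    for acct in results.values():
        summary[acct.risk] = summary.get(acct.risk, 0) + 1
    return summary
```

The second UID 0 entry (toor) and the CI agent's passwordless sudo are the findings that manual inventories tend to miss; a real scanner would also cover the database roles, network device local accounts and cloud platform principals the detailed description lists as southbound targets.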
Referring to Fig. 3, the policy engine comprises four parts: a first policy engine, a second policy engine, a third policy engine and a fourth policy engine;
the first policy engine controls access to privileged accounts: for example, when a sensitive privileged account in the enterprise needs to be used, an approval workflow is started and the account may be used only after the responsible superior has approved; or, when a third-party external person needs to use an account, one-time password access is configured and the account's password is changed immediately after that person has finished using it, so that the password stays secure;
the second policy engine manages password policy: once the policies are customized, the system automatically generates passwords that meet the configured strength and complexity requirements, and periodic password verification and password change can be scheduled, after which the system performs them automatically;
the third policy engine manages the audit retention period: the system sets the retention time required for audit logs so as to meet the enterprise's audit log retention requirements;
the fourth policy engine manages the threat analysis policy: through the threat analysis policy settings the system can raise accurate real-time alarms on attacks in progress, markedly shortening the attacker's window of opportunity and reducing losses, while detailed information about the attack is available promptly, speeding up remediation.
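The behaviours of the first and second policy engines described above (approval-gated access, one-time third-party access followed by immediate password change, policy-compliant password generation, and scheduled verification and rotation) as an added Python example; it is not the patent's implementation. The managed target, the approver and the clock are simulated in memory, and the policy field names, the check-out/check-in flow and the "drift" result of a failed verification are assumptions.

```python
"""Policy engine: approval-gated check-out, one-time third-party access with
immediate rotation, policy-compliant generation, scheduled verify/rotate.

Added example, not the patent's implementation. The managed target, the
approver and the clock are simulated in memory; policy field names are assumptions.
"""
import secrets
import string
from datetime import datetime, timedelta

POLICY = {"min_length": 16, "classes_required": 4, "symbols": "!@#$%^&*()-_=+",
          "verify_days": 7, "rotation_days": 90}


class PolicyViolation(Exception):
    pass


def check_complexity(pw, policy=POLICY):
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in policy["symbols"] for c in pw))
    return len(pw) >= policy["min_length"] and sum(classes) >= policy["classes_required"]


def generate_password(policy=POLICY):
    """Draw from a CSPRNG until the draw satisfies the complexity policy."""
    alphabet = string.ascii_letters + string.digits + policy["symbols"]
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy["min_length"]))
        if check_complexity(pw, policy):
            return pw


class Target:
    """Stands in for a managed host or database that holds the real password."""
    def __init__(self, password):
        self._password = password

    def verify(self, password):
        return secrets.compare_digest(password, self._password)

    def change(self, new_password):
        self._password = new_password


class ManagedAccount:
    def __init__(self, name, target, sensitive, now):
        self.name, self.target, self.sensitive = name, target, sensitive
        self.password = generate_password()
        target.change(self.password)                 # onboarding rotates away the old secret
        self.last_rotated = self.last_verified = now
        self.checked_out_by, self.one_time, self.audit = None, False, []


class PolicyEngine:
    def __init__(self, approver, now=datetime(2021, 1, 8)):
        self.approver = approver                     # callable(user, account_name) -> bool
        self.accounts, self.now = {}, now

    def advance(self, days):                         # simulated clock
        self.now += timedelta(days=days)

    def onboard(self, name, target, sensitive=False):
        self.accounts[name] = ManagedAccount(name, target, sensitive, self.now)
        return self.accounts[name]

    def check_out(self, user, name, third_party=False):
        acct = self.accounts[name]
        if acct.checked_out_by:
            raise PolicyViolation(f"{name} is checked out by {acct.checked_out_by}")
        if acct.sensitive and not self.approver(user, name):
            acct.audit.append((self.now, user, "denied"))
            raise PolicyViolation(f"approval required for {name}")
        acct.checked_out_by, acct.one_time = user, third_party
        acct.audit.append((self.now, user, "checkout"))
        return acct.password

    def check_in(self, user, name):
        acct = self.accounts[name]
        if acct.checked_out_by != user:
            raise PolicyViolation("check-in by someone other than the holder")
        acct.checked_out_by = None
        acct.audit.append((self.now, user, "checkin"))
        if acct.one_time:                            # third-party password dies with the session
            self.rotate(acct)
            acct.one_time = False

    def rotate(self, acct):
        acct.password = generate_password()
        acct.target.change(acct.password)
        acct.last_rotated = self.now
        acct.audit.append((self.now, "system", "rotate"))

    def run_scheduled(self):
        """Timed job: detect drift between vault and target, rotate when due."""
        actions = {}
        for acct in self.accounts.values():
            done = actions.setdefault(acct.name, [])
            if self.now - acct.last_verified >= timedelta(days=POLICY["verify_days"]):
                done.append("verified" if acct.target.verify(acct.password) else "drift")
                acct.last_verified = self.now
            if self.now - acct.last_rotated >= timedelta(days=POLICY["rotation_days"]):
                if acct.checked_out_by:
                    done.append("rotation deferred")  # never pull a password from a live session
                else:
                    self.rotate(acct)
                    done.append("rotated")
        return actions
```

The check-in path is where one-time access is enforced: the password handed to the third party is rotated before the check-in returns, so it is unusable the moment the session ends. The scheduled job refuses to rotate an account that is currently checked out, since pulling a password from under a live session is the usual cause of the service interruption the northbound engine is meant to prevent.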
Referring to Fig. 4, the northbound engine comprises four parts: a first consumption engine, a second consumption engine, a third consumption engine and a fourth consumption engine;
the first consumption engine addresses passwords stored in middleware, application code, configuration files and scripts: every highly sensitive plaintext password is replaced by a function call and the passwords themselves are stored centrally and securely in the system, so that the enterprise can meet internal and external audit compliance requirements, rotate passwords regularly and monitor privileged access to all systems, databases and applications;
the second consumption engine addresses usage in automation tools and containerized environments such as DevOps pipelines, Jenkins and Ansible, providing fast automated bulk onboarding of the privileged accounts scattered across those tools and delivering passwords through API calls so that plaintext passwords never land on disk;
the third consumption engine serves lightweight applications that need to supply a password frequently: the password is obtained over an encrypted network call, which is both secure and very flexible;
the fourth consumption engine provides interfaces of various kinds and supports different development languages, such as .NET, Java, C, C++, VBScript and command-line tools, giving good multi-language support.
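The first three consumption engines share one mechanism: a plaintext credential embedded in a file is replaced by a reference that is resolved at run time from the central store over an authenticated call. The following added example (not code from the patent or its assignee) shows that mechanism end to end: a scanner that finds plaintext credentials in constructed configuration, shell and playbook fragments, a rewrite to a reference, and a client that resolves the reference and refetches once if the target rejects a cached password because the southbound engine has rotated it. The vault API, the application token, the pam:// reference syntax and the sample files are all assumptions or constructed.

```python
"""Northbound consumption: find plaintext credentials in config/scripts, replace
them with a fetch-by-reference, and resolve the reference at run time from the
central store so the plaintext never lands on disk.

Added example, not the patent's code. The vault API (token-authenticated, in
memory), the "pam://<account>" syntax and the sample files are assumptions.
"""
import hmac
import re

# Constructed files with embedded plaintext credentials (none of these are real).
FILES = {
    "app.properties": "db.url=jdbc:postgresql://db/prod\ndb.user=app\ndb.password=Sup3rS3cret!\n",
    "deploy.sh": "#!/bin/sh\nexport API_TOKEN='tok-9f8e7d'\ncurl -u admin:Passw0rd https://host/\n",
    "playbook.yml": "vars:\n  ansible_become_pass: 'r00tme'\n  db_password: \"{{ pam_lookup('db-root') }}\"\n",
}

SECRET_KEY = re.compile(
    r"(?P<key>[\w.\-]*(?:pass(?:word|wd)?|pwd|token|secret)[\w.\-]*)\s*[=:]\s*['\"]?(?P<val>[^'\"\s]+)",
    re.I)
BASIC_AUTH = re.compile(r"-u\s+(?P<key>[\w\-]+):(?P<val>\S+)")   # curl -u user:pass


def find_plaintext_secrets(files=FILES):
    """Return (file, line number, key) for every literal credential; references are skipped."""
    findings = []
    for name, text in files.items():
        for lineno, line in enumerate(text.splitlines(), 1):
            for pattern in (SECRET_KEY, BASIC_AUTH):
                m = pattern.search(line)
                if m and not m.group("val").startswith(("{{", "pam://")):
                    findings.append((name, lineno, m.group("key")))
    return findings


def rewrite_reference(line, key, account):
    """Migration step: 'key=<plaintext>' becomes 'key=pam://<account>'."""
    return re.sub(rf"({re.escape(key)}\s*[=:]\s*)\S+", rf"\g<1>pam://{account}", line)


class Vault:
    """In-memory stand-in for the central store's northbound API."""
    def __init__(self, app_token):
        self._token, self._store, self.access_log = app_token, {}, []

    def put(self, account, password):          # what the southbound engine does on rotation
        self._store[account] = password

    def fetch(self, app_token, account):
        if not hmac.compare_digest(app_token, self._token):
            self.access_log.append(("denied", account))
            raise PermissionError("bad application token")
        self.access_log.append(("fetch", account))   # every consumption is attributable
        return self._store[account]


class SecretRef:
    """A pam://<account> reference resolved at use time, never written to disk."""
    def __init__(self, vault, app_token, ref):
        if not ref.startswith("pam://"):
            raise ValueError("not a vault reference")
        self.vault, self.token, self.account = vault, app_token, ref[len("pam://"):]
        self._cached = None

    def get(self, refresh=False):
        if self._cached is None or refresh:
            self._cached = self.vault.fetch(self.token, self.account)
        return self._cached


def connect(secret, authenticate):
    """Use the credential; if the target rejects it (rotated southbound), refetch once."""
    if authenticate(secret.get()):
        return True
    return authenticate(secret.get(refresh=True))
```

The refetch-on-rejection step is what keeps service orderly and uninterrupted after a southbound rotation; without it every rotation becomes an outage for the consuming application. Each fetch is logged against the calling application, which is the monitoring of privileged access the first consumption engine mentions.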
In summary, the privileged account management middle-platform system comprises a southbound engine, a policy engine and a northbound engine. All privileged accounts that the enterprise data center's system administrators previously kept by hand or in spreadsheets are onboarded into the system for unified management and operation and maintenance; management, use, password change, auditing and threat analysis of the privileged accounts are automated across their whole life cycle, forming a closed loop. Through the privileged account management middle-platform system, privileged accounts are managed automatically on the southbound side and consumed on the northbound side, and the security of enterprise data center resources is guaranteed.
The above describes only preferred embodiments of the invention and is not to be construed as limiting it; any modification, substitution or improvement made within the spirit and principle of the invention falls within its scope.
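The threat analysis component of the southbound engine and the threat analysis policy of the fourth policy engine, described above, as an added example that is not the patent's code: per-user baselines (working hours, targets, source networks, accounts used) are learned from a constructed session history, and live events are scored against a constructed policy whose thresholds decide between allowing the session, raising an alarm and terminating the session. The record format, the policy fields and the weights are assumptions.

```python
"""Privileged account behaviour baseline and real-time threat alerting.

Added example, not the patent's code. Learns per-user baselines from a
constructed session history, then scores live session events against a
constructed threat-analysis policy. Record format, policy fields and weights
are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed history: "<ISO timestamp> <user> <privileged account> <target> <source IP>"
HISTORY = """\
2021-01-04T09:12:00 alice root@db01 db01 10.1.1.20
2021-01-04T10:40:00 alice root@db01 db01 10.1.1.20
2021-01-05T09:05:00 alice root@db02 db02 10.1.1.20
2021-01-05T14:30:00 alice root@db01 db01 10.1.1.21
2021-01-06T11:00:00 bob admin@fw01 fw01 10.1.2.5
2021-01-06T16:45:00 bob admin@fw01 fw01 10.1.2.5
2021-01-07T09:30:00 bob admin@fw02 fw02 10.1.2.5
2021-01-07T15:00:00 bob admin@sw01 sw01 10.1.2.5
"""

POLICY = {
    "hour_slack": 1,          # hours outside the learned window still tolerated
    "burst_window_min": 10,   # distinct accounts used within this many minutes ...
    "burst_accounts": 3,      # ... is treated as credential harvesting
    "alert_score": 2,         # score at which the monitor raises an alarm
    "terminate_score": 4,     # score at which the session is terminated
}
WEIGHTS = {"unknown user": 2, "burst of distinct accounts": 2}   # everything else scores 1


def parse(line):
    ts, user, account, target, source = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "account": account,
            "target": target, "net": source.rsplit(".", 1)[0]}   # /24 prefix


class Baseline:
    """Per-user learned profile: working hours, targets, source networks, accounts."""
    def __init__(self, history=HISTORY):
        self.hours = defaultdict(lambda: [24, -1])
        self.targets, self.nets, self.accounts = defaultdict(set), defaultdict(set), defaultdict(set)
        for line in history.splitlines():
            self.learn(parse(line))

    def learn(self, ev):
        h = self.hours[ev["user"]]
        h[0], h[1] = min(h[0], ev["ts"].hour), max(h[1], ev["ts"].hour)
        self.targets[ev["user"]].add(ev["target"])
        self.nets[ev["user"]].add(ev["net"])
        self.accounts[ev["user"]].add(ev["account"])


class ThreatAnalyzer:
    def __init__(self, baseline, policy=POLICY):
        self.b, self.p = baseline, policy
        self.recent = defaultdict(list)     # user -> [(ts, account)] inside the burst window

    def reasons_for(self, ev):
        user, reasons = ev["user"], []
        if user not in self.b.accounts:
            reasons.append("unknown user")
        else:
            lo, hi = self.b.hours[user]
            if not lo - self.p["hour_slack"] <= ev["ts"].hour <= hi + self.p["hour_slack"]:
                reasons.append("outside usual hours")
            if ev["target"] not in self.b.targets[user]:
                reasons.append("new target")
            if ev["net"] not in self.b.nets[user]:
                reasons.append("new source network")
            if ev["account"] not in self.b.accounts[user]:
                reasons.append("account never used by this user")
        cutoff = ev["ts"] - timedelta(minutes=self.p["burst_window_min"])
        self.recent[user] = [(t, a) for t, a in self.recent[user] if t >= cutoff]
        self.recent[user].append((ev["ts"], ev["account"]))
        if len({a for _, a in self.recent[user]}) >= self.p["burst_accounts"]:
            reasons.append("burst of distinct accounts")
        return reasons

    def handle(self, line):
        """Return (action, reasons) for one live event; the action feeds the session monitor."""
        reasons = self.reasons_for(parse(line))
        score = sum(WEIGHTS.get(r, 1) for r in reasons)
        if score >= self.p["terminate_score"]:
            return "terminate", reasons
        if score >= self.p["alert_score"]:
            return "alert", reasons
        return "allow", reasons
```

Scoring by the number of deviations rather than by any single rule is what keeps the alarm accurate: one out-of-hours login from a known workstation is noise, while a never-used account on a new host from a new network is the profile of stolen credentials, and the terminate action feeds straight back into the session control that the usage-auditing component provides.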

Claims (4)

1. A privileged account management middle-platform system comprising a southbound engine, a policy engine and a northbound engine, characterized in that the southbound engine manages the privileged accounts of an enterprise data center;
the policy engine checks and analyzes the compliance of the privileged accounts;
the northbound engine provides the password-consumption capability for the privileged accounts managed by the southbound engine.
2. The system of claim 1, wherein the southbound engine comprises four parts: account discovery, account management, usage auditing and threat analysis;
account discovery performs real-time or scheduled detection, scanning and discovery of the enterprise's accounts: a given target is scanned, the results are analyzed and presented as charts so that an enterprise or organization can see the distribution of its privileged accounts on a scan overview page; after the scan the accounts are summarized, evaluated and classified, and the classified privileged accounts are actively onboarded into the privileged account management middle-platform system for unified automated operation and maintenance;
account management manages the privileged accounts in enterprise resources centrally and provides unified single sign-on, password auto-fill and privilege partitioning; unified single sign-on gives users a single sign-on entry point and verifies their identity at sign-on, so that only legitimate users gain access; with password auto-fill, when a user who has logged in to the system wants to access a target, the system fills in the target's password on the user's behalf, so users never need to know the password and the password stays protected; privilege partitioning divides each user's right to use privileged accounts at fine granularity, keeping every person's privileges minimal and justified;
usage auditing provides real-time session monitoring and auditing: real-time session monitoring records the session a user conducts after logging in to the system, and also lets an auditor watch on terminal B the operations an operator performs on terminal A and intervene to terminate the session if the operator's behaviour is judged unsafe; auditing stores the session as video or text in a central location for later tracing and attribution;
threat analysis gathers extended network and system information for the accounts taken over from the various systems, analyzes and learns from the monitored objects' data to judge abnormal behaviour and raise threat warnings, and establishes a privileged account behaviour monitoring mechanism that detects and warns of abnormal privileged account behaviour in real time.
3. The system of claim 1, wherein the policy engine comprises four parts: a first policy engine, a second policy engine, a third policy engine and a fourth policy engine;
the first policy engine controls access to privileged accounts: for example, when a sensitive privileged account in the enterprise needs to be used, an approval workflow is started and the account may be used only after the responsible superior has approved; or, when a third-party external person needs to use an account, one-time password access is configured and the account's password is changed immediately after that person has finished using it, so that the password stays secure;
the second policy engine manages password policy: once the policies are customized, the system automatically generates passwords that meet the configured strength and complexity requirements, and periodic password verification and password change can be scheduled, after which the system performs them automatically;
the third policy engine manages the audit retention period: the system sets the retention time required for audit logs so as to meet the enterprise's audit log retention requirements;
the fourth policy engine manages the threat analysis policy: through the threat analysis policy settings the system can raise accurate real-time alarms on attacks in progress, markedly shortening the attacker's window of opportunity and reducing losses, while detailed information about the attack is available promptly, speeding up remediation.
4. The system of claim 1, wherein the northbound engine comprises four parts: a first consumption engine, a second consumption engine, a third consumption engine and a fourth consumption engine;
the first consumption engine addresses passwords stored in middleware, application code, configuration files and scripts: every highly sensitive plaintext password is replaced by a function call and the passwords themselves are stored centrally and securely in the system, so that the enterprise can meet internal and external audit compliance requirements, rotate passwords regularly and monitor privileged access to all systems, databases and applications;
the second consumption engine addresses usage in automation tools and containerized environments such as DevOps pipelines, Jenkins and Ansible, providing fast automated bulk onboarding of the privileged accounts scattered across those tools and delivering passwords through API calls so that plaintext passwords never land on disk;
the third consumption engine serves lightweight applications that need to supply a password frequently: the password is obtained over an encrypted network call, which is both secure and very flexible;
the fourth consumption engine provides interfaces of various kinds and supports different development languages, such as .NET, Java, C, C++, VBScript and command-line tools, giving good multi-language support.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010976714.1A CN112199691A (en) 2020-09-16 2020-09-16 Privileged account management middle platform system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010976714.1A CN112199691A (en) 2020-09-16 2020-09-16 Privileged account management middle platform system

Publications (1)

Publication Number Publication Date
CN112199691A (en) 2021-01-08

Family

ID=74015263

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010976714.1A Pending CN112199691A (en) 2020-09-16 2020-09-16 Privileged account management middle platform system

Country Status (1)

Country Link
CN (1) CN112199691A (en)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113569292A (en) * 2021-08-05 2021-10-29 贵州电网有限责任公司 Password management tool and management method for electric power monitoring system
CN114531613A (en) * 2022-02-17 2022-05-24 北京麦多贝科技有限公司 Video encryption processing method and device, electronic equipment and storage medium
CN114531613B (en) * 2022-02-17 2023-12-19 北京麦多贝科技有限公司 Video encryption processing method and device, electronic equipment and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination