Background
As the information security situation grows more severe, security has moved to the top of enterprise IT construction. Many enterprises have established sound management and assessment mechanisms for database information security and, at the same time, adopted a range of information security technical measures, so that information systems, data, operating systems, networks and similar resources are protected at multiple layers. In many enterprises the security of the network environment is ensured, and unauthorized access by computers and other devices is prevented, through intrusion detection systems, vulnerability scanning systems, antivirus software, network access control and similar systems; by building a bastion host, centralized management, authentication, authorization and auditing of basic software and hardware such as servers, operating systems, databases, switches and routers are achieved; and by establishing a CA authentication center, the problem of identity authentication for information systems is solved. However, a gap remains in the centralized security management and control of the database systems themselves.
Over years of development, the informatization construction of most group enterprises has moved from a control period to an integration period. In the control period, enterprises inevitably had to build a number of independently operating database systems to meet the needs of actual production and informatization management. Most of them mainly considered the integrity and availability of business functions when building these database systems, and did not consider the effectiveness and security of system operation and maintenance in a unified way. As a result, the database systems differ in how accounts, authentication, authorization and audit management are technically implemented, information security weaknesses are hard to investigate uniformly, and the enterprise's progress toward the integration period is held back. As the number of enterprise database systems grows, on the one hand the increased operation and maintenance workload places higher technical and professional demands on database administrators, and measures must be taken to improve their working efficiency; on the other hand, because a uniform security policy cannot be applied to the database systems, the security of the business systems is substantially reduced, and the information systems' measures for accounts, authority, authentication and audit need to be completed and unified so that the security of the enterprise database systems is improved.
Therefore, enterprises need to establish a unified management platform that provides unified authentication information to each system, supplies accurate user and authority data, and allows data security audits to be performed efficiently and conveniently. With a management platform built on 4A technology, enterprise users can use the information systems legally and safely, the maintenance workload of system administrators is reduced, and the databases are guaranteed to operate safely and reliably.
A typical 4A unified security management platform takes identity authentication as its core and consists of four main parts: unified account (Account) management, unified authentication (Authentication) management, unified authority (Authorization) management and unified audit (Audit) management. The system isolates the external network from the internal network, prevents external malicious intrusion and attack through identity and authority checks, monitors and audits internal behavior, and controls the whole application environment from every side. The wide scope of control, the variety of personnel involved, the range of technology types and the complex workflows all pose great challenges to the deployment, testing, operation and maintenance of the platform.
Disclosure of Invention
In view of the characteristics of the prior art, the invention provides a database scanning method and system based on 4A account identification. It starts from two aspects, technology and standards: the security level of existing information systems is raised by the technical means the platform provides, and the construction of newly built information systems is standardized in authentication, authorization, audit and related aspects through corresponding technical standards. The technical scheme is as follows.
A database system based on 4A account identification configures a centralized account management and control platform, which is associated with a plurality of database systems in order to manage their accounts. The system comprises a centralized account management module, a centralized account authentication module, a centralized account authorization module and a centralized account auditing module, wherein:
the centralized account management module provides the most basic user information data in LDAP or database form, taking a primary account as the account that uniquely identifies a natural person, and realizes account synchronization with each information system through an account interface;
the centralized account authentication module performs centralized authentication of the login process of all information systems, and realizes forced authentication either through the forced login authentication mechanism provided by the centralized account management and control platform or by forwarding to an external authentication component by means of an authentication hub;
the centralized account authorization module manages the authorization of all accessed information system resources and operation resources, where authorization management comprises entity-level authorization of information system resources and fine-grained authorization management within the information system;
and the centralized account auditing module acquires log information on account operations through an account interface, analyzes unauthorized access behavior from the logs, and quickly locates and responds to that behavior.
The invention has the following beneficial effects: by implementing the database security policy, the network and the systems are ensured to operate safely and efficiently, and the quality of informatization service is improved.
Detailed Description
The embodiments of the invention will be described in detail below with reference to the drawings, but the invention can be implemented in many different ways as defined and covered by the claims.
As shown in fig. 1, the present patent mainly concerns data security in databases, and realizes centralized management, centralized authentication, centralized authorization and centralized audit of user accounts across multiple sets of systems by designing a centralized account management and control (4A) platform. A centralized account management module, a centralized account authentication module, a centralized account authorization module and a centralized account auditing module are added to the original database systems, with master-slave account mapping, single sign-on and authority mapping as the main services.
As shown in fig. 1, the 4A technical framework architecture consists of a presentation layer, a functional layer, a data layer, an access layer and a resource layer, and the main functions of the system are as follows.
The presentation layer mainly accepts user requests and returns data; its target user groups are system administrators, operation and maintenance staff and general users.
The functional layer is the centralized account management and control platform. It can be connected to a plurality of databases, performs unified account management, unified authentication management, unified authority management and unified audit management on them, and is responsible for the general management and security management of the databases.
The data layer encapsulates the operations on the plurality of databases connected to the centralized account management and control platform and manages the data through the functional layer, including data acquisition, data storage, data management, data analysis, data backup and the like.
The access layer provides interface services, including device interfaces, application interfaces, third-party interfaces, resource agents and the like.
The hardware comprises a centralized account management and control platform consisting of a server, a router and a switch.
The technical scheme of the invention mainly describes the centralized account management module, centralized account authentication module, centralized account authorization module and centralized account auditing module of the functional layer.
The centralized account management module provides the most basic user information data in LDAP or database form, with a primary account as the account that uniquely identifies a natural person; the primary account is usually the account of a network access control system (such as an employee's AD domain account) or is drawn from the organizational structure and employee information held in the ERP. The slave accounts are all the accounts that hold access authority on the information systems, and account synchronization with each information system is realized through an account interface. Through centralized, role-based master-slave account management, the enterprise information systems gain a single view of each employee's accounts. The main management functions cover basic account information, aging policy, password policy, organization identifier and the like, so that full life-cycle management of the account is achieved, each employee account remains valid, unique and traceable throughout its use, and the account management security of the information systems is improved.
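The master-slave account mapping and life-cycle rules described above, as an added illustration that is not the patent's own code: a registry binds each system login (slave account) to exactly one primary account, so that every login is unique and can be traced back to a natural person, and applies a constructed password policy and aging policy. The employee identifiers, system names, policy thresholds and dates are all constructed assumptions.

```python
"""Added illustration of master-slave account management (not the patent's code).

A primary account identifies one natural person (e.g. an AD domain account);
slave accounts are that person's logins on individual information systems.
All names, policy values and sample records below are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import date, timedelta
import re

# Constructed policy values (assumed, not taken from the patent text)
PASSWORD_MIN_LEN = 12
PASSWORD_MAX_AGE_DAYS = 90
ACCOUNT_INACTIVE_AFTER_DAYS = 180


@dataclass
class SlaveAccount:
    system: str            # information system the login belongs to
    login: str             # account name inside that system
    password_set_on: date
    last_used_on: date
    disabled: bool = False


@dataclass
class PrimaryAccount:
    employee_id: str       # unique identifier of the natural person (e.g. AD account)
    org_unit: str          # organization identifier from ERP
    slaves: list = field(default_factory=list)


class AccountRegistry:
    """Single view of every employee's logins across the accessed systems."""

    def __init__(self) -> None:
        self._primaries: dict[str, PrimaryAccount] = {}
        self._slave_index: dict[tuple[str, str], str] = {}   # (system, login) -> employee_id

    def add_primary(self, acct: PrimaryAccount) -> None:
        if acct.employee_id in self._primaries:
            raise ValueError(f"duplicate primary account {acct.employee_id}")
        self._primaries[acct.employee_id] = acct

    def bind_slave(self, employee_id: str, slave: SlaveAccount) -> None:
        """Map a system login to exactly one natural person (uniqueness + traceability)."""
        key = (slave.system, slave.login)
        if key in self._slave_index:
            raise ValueError(f"{slave.system}:{slave.login} already owned by {self._slave_index[key]}")
        self._primaries[employee_id].slaves.append(slave)
        self._slave_index[key] = employee_id

    def owner_of(self, system: str, login: str) -> str | None:
        """Trace a system login back to its primary account."""
        return self._slave_index.get((system, login))

    def check_password_policy(self, password: str) -> list[str]:
        """Return the list of policy rules a candidate password violates."""
        problems = []
        if len(password) < PASSWORD_MIN_LEN:
            problems.append("too short")
        if not re.search(r"[A-Z]", password) or not re.search(r"[a-z]", password):
            problems.append("needs upper and lower case")
        if not re.search(r"\d", password):
            problems.append("needs a digit")
        return problems

    def apply_aging_policy(self, today: date) -> list[str]:
        """Disable stale or password-expired logins; return the affected 'system:login' names."""
        disabled = []
        for primary in self._primaries.values():
            for s in primary.slaves:
                stale = today - s.last_used_on > timedelta(days=ACCOUNT_INACTIVE_AFTER_DAYS)
                expired = today - s.password_set_on > timedelta(days=PASSWORD_MAX_AGE_DAYS)
                if not s.disabled and (stale or expired):
                    s.disabled = True
                    disabled.append(f"{s.system}:{s.login}")
        return disabled


def build_sample_registry() -> AccountRegistry:
    """Constructed sample data: two employees, three system logins."""
    reg = AccountRegistry()
    reg.add_primary(PrimaryAccount("e1001", "OU=Finance"))
    reg.add_primary(PrimaryAccount("e1002", "OU=Ops"))
    reg.bind_slave("e1001", SlaveAccount("erp-db", "fin_zhang", date(2024, 1, 10), date(2024, 3, 1)))
    reg.bind_slave("e1001", SlaveAccount("crm-db", "zhangw", date(2024, 3, 1), date(2024, 3, 20)))
    reg.bind_slave("e1002", SlaveAccount("erp-db", "ops_li", date(2023, 6, 1), date(2023, 6, 15)))
    return reg


def sample_aging_report() -> list[str]:
    """Run the aging policy over the sample registry as of a constructed date."""
    return build_sample_registry().apply_aging_policy(date(2024, 4, 1))


if __name__ == "__main__":
    reg = build_sample_registry()
    print(reg.owner_of("erp-db", "fin_zhang"))   # traceability: e1001
    print(sample_aging_report())                 # logins disabled by the aging policy
```

The point of the slave index is the uniqueness guarantee: a second attempt to bind `erp-db:fin_zhang` to another employee is refused, which is what makes a later audit finding on that login attributable to one person.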
The centralized account authentication module realizes centralized authentication of all information system login processes by means of authentication technologies such as dynamic authentication, PKI/CA authentication and biometric authentication. With the information system's function modules left unchanged or only moderately changed, forced authentication is realized through the forced login authentication mechanism provided by the platform or by forwarding to an external authentication component by means of an authentication hub, so that the weak identity authentication of the original information system is eliminated and the security requirement on the information system's authentication mechanism is met. Centralized login authentication also gives the enterprise a single sign-on (SSO) function across its information systems: this avoids the problem of one password being reused across multiple accounts, improves the security of the information systems, and improves staff efficiency by letting staff enter different information systems conveniently and quickly to complete their business processing.
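The forced-authentication and single sign-on flow described above, as an added illustration that is not the patent's own code. The hub verifies every login against the central directory, forwards accounts marked for strong authentication to an external authentication component (stood in for here by a constructed one-time-code check), and then issues an HMAC-signed SSO ticket that each accessed system resolves to the caller's slave account without ever seeing the password. The directory entries, signing key, ticket lifetime and login mapping are constructed assumptions.

```python
"""Added illustration of a forced-authentication hub with single sign-on.

Not the patent's code. The hub sits in front of the accessed information
systems: every login is verified centrally, optionally forwarded to an
external authenticator (a constructed one-time-code check here), and a signed
SSO ticket is issued that any accessed system can verify on its own.
All users, secrets and system names are constructed.
"""
from __future__ import annotations
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed secrets; a real deployment would hold these in the platform's key store.
HUB_SIGNING_KEY = b"assumed-hub-signing-key"
TICKET_TTL_SECONDS = 600
_SALT = b"constructed-salt"


def _pw_hash(salt: bytes, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Central directory: employee_id -> password hash and whether strong auth is forced
DIRECTORY = {
    "e1001": {"pw": _pw_hash(_SALT, "Correct-Horse-42x"), "strong_auth": True},
    "e1002": {"pw": _pw_hash(_SALT, "Another-Pass-77y"), "strong_auth": False},
}
# Slave logins each primary account may single-sign-on to (from the account mapping)
SLAVE_LOGINS = {"e1001": {"erp-db": "fin_zhang", "crm-db": "zhangw"},
                "e1002": {"erp-db": "ops_li"}}


class ExternalAuthenticator:
    """Stand-in for the external authentication component (e.g. a dynamic-code server)."""

    def __init__(self, codes: dict[str, str]) -> None:
        self._codes = codes

    def verify(self, employee_id: str, code: str) -> bool:
        return hmac.compare_digest(self._codes.get(employee_id, ""), code)


class AuthenticationHub:
    def __init__(self, external: ExternalAuthenticator, now=time.time) -> None:
        self._external = external
        self._now = now   # injectable clock so ticket expiry can be tested

    def login(self, employee_id: str, password: str, dynamic_code: str | None = None) -> str | None:
        """Return a signed SSO ticket, or None if any required step fails."""
        entry = DIRECTORY.get(employee_id)
        if entry is None:
            return None
        if not hmac.compare_digest(entry["pw"], _pw_hash(_SALT, password)):
            return None
        # Forced authentication: strong-auth accounts must also pass the external component.
        if entry["strong_auth"]:
            if dynamic_code is None or not self._external.verify(employee_id, dynamic_code):
                return None
        payload = {"sub": employee_id, "exp": int(self._now()) + TICKET_TTL_SECONDS,
                   "nonce": secrets.token_hex(8)}
        body = base64.urlsafe_b64encode(json.dumps(payload).encode())
        sig = hmac.new(HUB_SIGNING_KEY, body, hashlib.sha256).hexdigest()
        return body.decode() + "." + sig

    def resolve(self, ticket: str, system: str) -> str | None:
        """SSO: map a valid, unexpired ticket to the caller's login on `system`."""
        try:
            body, sig = ticket.split(".")
        except ValueError:
            return None
        expected = hmac.new(HUB_SIGNING_KEY, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, sig):
            return None
        payload = json.loads(base64.urlsafe_b64decode(body))
        if payload["exp"] < self._now():
            return None
        return SLAVE_LOGINS.get(payload["sub"], {}).get(system)


if __name__ == "__main__":
    hub = AuthenticationHub(ExternalAuthenticator({"e1001": "123456"}))
    ticket = hub.login("e1001", "Correct-Horse-42x", "123456")
    print(hub.resolve(ticket, "erp-db"))   # fin_zhang
    print(hub.resolve(ticket, "hr-db"))    # None: no slave account on that system
```

Two details matter for the "forced" property: a strong-auth account gets no ticket at all when the external factor is missing or wrong, and a system that is not in the caller's slave mapping resolves to nothing even with a valid ticket, so SSO does not widen access beyond what account management has bound.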
The centralized account authorization module manages the authorization of all accessed information system resources and operation resources, where authorization management comprises entity-level authorization of information system resources and fine-grained authorization management within the information system. Because integrated authorization management involves transforming each system's authorization model, the workload is large. The implementation therefore proceeds in steps, entity-level authorization, then role-level authorization, then fine-grained authorization, under a uniform authorization management model, so that the goal of connecting existing systems while new systems follow the model is met, the centralization of information system authority is achieved gradually, and unified operation and maintenance is finally realized.
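The three authorization levels named above, evaluated in order, as an added illustration that is not the patent's own code: entity-level access decides whether the primary account may reach a system at all, role-level decides which roles it holds there, and fine-grained grants decide which operations a role may perform on which resources. The systems, roles, resources and operations are constructed assumptions; the decision returns the level at which a request was refused, which is the information an administrator needs when migrating a system onto the uniform model.

```python
"""Added illustration of the three authorization levels (not the patent's code).

entity-level : which information systems a primary account may reach at all
role-level   : which roles the account holds inside each system
fine-grained : which operations a role may perform on which resources
All accounts, systems, roles and resources are constructed sample values.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from fnmatch import fnmatchcase


@dataclass
class Grant:
    resource: str                # e.g. "finance.ledger"; glob wildcards allowed for coarse grants
    operations: frozenset[str]


@dataclass
class AuthorizationModel:
    entity_access: dict[str, set[str]] = field(default_factory=dict)               # employee -> systems
    roles: dict[tuple[str, str], set[str]] = field(default_factory=dict)           # (employee, system) -> roles
    role_grants: dict[tuple[str, str], list[Grant]] = field(default_factory=dict)  # (system, role) -> grants

    def grant_system(self, employee: str, system: str) -> None:
        """Entity-level: allow the primary account to reach a system."""
        self.entity_access.setdefault(employee, set()).add(system)

    def assign_role(self, employee: str, system: str, role: str) -> None:
        """Role-level: give the account a role inside one system."""
        self.roles.setdefault((employee, system), set()).add(role)

    def define_role(self, system: str, role: str, resource: str, *operations: str) -> None:
        """Fine-grained: attach a resource/operation grant to a role."""
        self.role_grants.setdefault((system, role), []).append(Grant(resource, frozenset(operations)))

    def decide(self, employee: str, system: str, resource: str, operation: str) -> tuple[bool, str]:
        """Evaluate the levels in order; the first failing level names the reason."""
        if system not in self.entity_access.get(employee, set()):
            return False, "entity-level: no access to system"
        held = self.roles.get((employee, system), set())
        if not held:
            return False, "role-level: no role in system"
        for role in sorted(held):
            for g in self.role_grants.get((system, role), []):
                if fnmatchcase(resource, g.resource) and operation in g.operations:
                    return True, f"fine-grained: role '{role}' allows {operation} on {g.resource}"
        return False, "fine-grained: no grant covers this operation"


def build_sample_model() -> AuthorizationModel:
    """Constructed sample: one finance user with read-only ledger access, one user with no role yet."""
    m = AuthorizationModel()
    m.define_role("erp-db", "ledger_reader", "finance.*", "SELECT")
    m.define_role("erp-db", "ledger_writer", "finance.ledger", "SELECT", "INSERT", "UPDATE")
    m.define_role("crm-db", "sales_rep", "crm.contacts", "SELECT", "UPDATE")
    m.grant_system("e1001", "erp-db")
    m.grant_system("e1001", "crm-db")
    m.assign_role("e1001", "erp-db", "ledger_reader")
    m.assign_role("e1001", "crm-db", "sales_rep")
    m.grant_system("e1002", "erp-db")   # entity-level access granted, role not yet migrated
    return m


if __name__ == "__main__":
    model = build_sample_model()
    for req in [("e1001", "erp-db", "finance.ledger", "SELECT"),
                ("e1001", "erp-db", "finance.ledger", "UPDATE"),
                ("e1002", "erp-db", "finance.ledger", "SELECT"),
                ("e1001", "hr-db", "hr.salary", "SELECT")]:
        print(req, "->", model.decide(*req))
```

The staged rollout the text describes maps onto this structure directly: a legacy system can be connected with only `grant_system` entries at first, then given roles, and finally fine-grained grants, and `decide` keeps refusing at whichever level has not been populated yet.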
The centralized account auditing module acquires log information on user access, data operations and other aspects of the information systems through interfaces, using technologies such as Web Service, JDBC/ODBC and Telnet/SSH. Through log analysis it finds unauthorized access behavior of a given user on a system, such as illegal logins and illegal operations, and quickly locates and responds to that behavior, so that unsafe factors are eliminated in time and the security of the information system is ensured.
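The log analysis step described above, as an added illustration that is not the patent's own code: records collected from the accessed systems are joined against the account mapping and the granted operations, and each line is checked for the two behaviours the text names, illegal logins (a login that maps to no primary account, repeated failures, or a login outside business hours) and illegal operations (an operation the login was never granted). The log format, the sample lines, the mapping tables and the thresholds are all constructed assumptions; each finding carries the traced owner so the response can be directed at a person rather than a login name.

```python
"""Added illustration of audit log analysis for unauthorized behaviour
(not the patent's code). In the platform the lines would arrive over an
interface (the patent names Web Service, JDBC/ODBC and Telnet/SSH); here they
are constructed sample records in a simple "ts system login event detail" text
format. The login-to-employee mapping, allowed operations and thresholds are
constructed assumptions.
"""
from __future__ import annotations
from collections import defaultdict
from datetime import datetime

# Constructed reference data the auditor joins against (normally supplied by the
# account management and authorization modules)
OWNER = {("erp-db", "fin_zhang"): "e1001", ("crm-db", "zhangw"): "e1001", ("erp-db", "ops_li"): "e1002"}
ALLOWED_OPS = {("erp-db", "fin_zhang"): {"SELECT"},
               ("crm-db", "zhangw"): {"SELECT", "UPDATE"},
               ("erp-db", "ops_li"): {"SELECT"}}
FAILED_LOGIN_THRESHOLD = 3
BUSINESS_HOURS = range(8, 20)   # 08:00 to 19:59

# Constructed sample log: one unauthorized DELETE, one night-time login, one login
# by an unmapped account, and a burst of failed logins followed by success.
SAMPLE_LOG = """\
2024-04-01T09:02:11 erp-db fin_zhang LOGIN ok
2024-04-01T09:03:40 erp-db fin_zhang OP SELECT finance.ledger
2024-04-01T09:05:02 erp-db fin_zhang OP DELETE finance.ledger
2024-04-01T22:14:09 erp-db ops_li LOGIN ok
2024-04-01T10:00:01 erp-db sa LOGIN ok
2024-04-01T10:01:00 crm-db zhangw LOGIN fail
2024-04-01T10:01:05 crm-db zhangw LOGIN fail
2024-04-01T10:01:09 crm-db zhangw LOGIN fail
2024-04-01T10:01:20 crm-db zhangw LOGIN ok
"""


def parse(line: str) -> dict:
    """Split one record of the constructed format into its fields."""
    ts, system, login, event, *rest = line.split()
    return {"ts": datetime.fromisoformat(ts), "system": system, "login": login,
            "event": event, "detail": rest}


def analyse(log_text: str) -> list[dict]:
    """Return findings; each names the line, the traced owner (if any) and the rule hit."""
    findings: list[dict] = []
    failures: dict[tuple[str, str], int] = defaultdict(int)
    for n, line in enumerate(log_text.splitlines(), 1):
        rec = parse(line)
        key = (rec["system"], rec["login"])
        owner = OWNER.get(key)   # traceability back to the primary account

        def flag(rule: str) -> None:
            findings.append({"line": n, "system": rec["system"], "login": rec["login"],
                             "owner": owner, "rule": rule})

        if rec["event"] == "LOGIN":
            if owner is None:
                flag("illegal login: account not mapped to any primary account")
            elif rec["detail"][0] == "fail":
                failures[key] += 1
                if failures[key] == FAILED_LOGIN_THRESHOLD:
                    flag("illegal login: repeated failed logins")
            elif rec["ts"].hour not in BUSINESS_HOURS:
                flag("illegal login: outside business hours")
        elif rec["event"] == "OP":
            op = rec["detail"][0]
            if op not in ALLOWED_OPS.get(key, set()):
                flag(f"illegal operation: {op} not granted")
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"line {f['line']}: {f['system']}:{f['login']} (owner {f['owner']}) - {f['rule']}")
```

The unmapped `sa` login is the case the master-slave mapping exists to expose: a system-local account that no primary account owns cannot be attributed to anyone, so it is reported on its first appearance rather than only when it misbehaves.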
The security technical framework provided by the centralized account management and control platform (4A platform) gives the information systems a high-performance security guarantee mechanism, so that both the security performance and the management level of the information systems can be improved.
The above is only a preferred embodiment of the present invention, and is not intended to limit the present invention, and various modifications and changes will occur to those skilled in the art. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.