CN113542238A - Risk judgment method and system based on zero trust - Google Patents

Risk judgment method and system based on zero trust

Info

Publication number: CN113542238A
Authority: CN (China)
Legal status: Granted (active)
Application number: CN202110728768.0A
Other languages: Chinese (zh)
Other versions: CN113542238B (en)
Inventors: 谭翔, 张毅骏, 陈远猷
Current assignee: Shanghai Para Software Co ltd
Original assignee: Shanghai Para Software Co ltd
Application filed by Shanghai Para Software Co ltd; priority to CN202110728768.0A; published as CN113542238A; granted as CN113542238B.

Classifications

    • H04L63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0815 Network architectures or network communication protocols for network security for authentication of entities providing single-sign-on or federations
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • (all under H04L63/00 Network architectures or network communication protocols for network security; H04L Transmission of digital information, e.g. telegraphic communication; H04 Electric communication technique; H Electricity)

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Storage Device Security (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The invention discloses a risk judgment method based on zero trust, which comprises the following steps: obtaining access traffic or data; inputting the access traffic or data into a multi-factor authentication microservice for analysis; analyzing whether algorithm-assisted risk control is needed; inputting the result into a single sign-on microservice; and determining whether to grant the user access according to the analysis result of the single sign-on microservice. The invention can continuously and dynamically evaluate and judge the risk of each user, organization, device and other targets in the system, thereby further improving the risk identification capability.

Description

Risk judgment method and system based on zero trust
Technical Field
The invention relates to the technical field of information security, in particular to a risk judgment method and system based on zero trust.
Background
Information security has always been a major challenge of the information era. With the continuous rise of emerging technologies such as cloud computing, big data, the internet of things and blockchain, the 'bounded' security perimeters built on firewalls and similar measures are gradually breaking down, and information security is evolving towards being 'unbounded'. In this 'unbounded' network era, zero-trust security has come into view and become a new concept and a new architecture for solving the network security problems of the new era.
In the information security environment, identity authentication is the most widely applied, most basic and most central element of information security. For identity authentication under the zero-trust standard, a microservice architecture offers great advantages: because microservices achieve service decoupling and data isolation, identity authentication can be built from microservices, with each function of identity authentication combined as an independent microservice according to requirements, so that the requirements of different scenarios and security levels can be met.
Depending on the application scenario and security level, and after weighing speed, security, ease of operation and so on, different microservices are used and different identity authentication flows are designed to meet business requirements. Precisely because the architecture is borderless, risk identification and control differ from the traditional approach, which relies on keeping illegal access, hijacking and similar behaviour outside a firewall or on a fixed mode of risk identification.
Under the zero-trust architecture, however, every microservice may carry risk, and when the security system uses many microservices in a complex flow, how to continuously assess the risk of targets such as the various users, organizations and devices in the system is the technical problem that currently needs to be solved.
Disclosure of Invention
To overcome the defects of the prior art, the present invention provides a risk judgment method and system based on zero trust that can judge risk continuously and dynamically.
To achieve the above and other objects, the present invention provides a risk judgment method based on zero trust, characterized by comprising the steps of:
obtaining access traffic or data;
inputting the access traffic or data into a multi-factor authentication microservice for analysis;
analyzing whether algorithm-assisted risk control is needed;
inputting the result into a single sign-on microservice;
and determining whether to grant the user access according to the analysis result of the single sign-on microservice.
Further, the step of analyzing whether algorithm-assisted risk control is needed comprises:
if so, invoking an auxiliary algorithm microservice, which analyzes and judges the access traffic or data and outputs its analysis result, combined with the analysis result of the multi-factor authentication microservice, to the single sign-on microservice;
if not, inputting directly into the single sign-on microservice.
Further, the access traffic or data is input into the multi-factor authentication microservice for analysis, and after the analysis is finished the analysis data is pushed to an auditing unit at regular intervals.
Further, after the single sign-on microservice analysis is completed, the analysis data is pushed to the auditing unit at regular intervals.
Further, after the auditing unit analyzes the various input data, the data are encrypted and uploaded to an audit database for storage.
Further, after granting the user access, the method further comprises:
inputting the data information used by the user into the identity management microservice;
the identity management microservice inputs the data into the user management algorithm microservice, and the user management algorithm microservice continuously and dynamically analyzes the identity management microservice and outputs a judgment result to the identity management microservice;
the user management algorithm microservice inputs metrics into the global algorithm platform microservice;
and the global algorithm platform microservice updates its model and provides it to the user management algorithm microservice and the traffic risk identification algorithm microservice.
Further, after granting the user access, the method further comprises:
inputting the data information used by the user into the ABAC microservice;
the ABAC microservice inputs data and metrics into a fine-grained authorization algorithm microservice;
the fine-grained authorization algorithm microservice continuously and dynamically analyzes the ABAC microservice, outputs a judgment result, and inputs metrics into the global algorithm platform microservice;
and the global algorithm platform microservice updates its model and provides it to the fine-grained authorization algorithm microservice.
The invention also provides a risk judgment system based on zero trust, which comprises:
an access unit for obtaining access traffic or data;
a multi-factor authentication unit for inputting the access traffic or data into the multi-factor authentication microservice for analysis;
an analysis unit for analyzing whether algorithm-assisted risk control is needed;
an auxiliary algorithm unit for analyzing and judging the access traffic or data and outputting the result to the single sign-on unit;
a single sign-on unit for inputting into the single sign-on microservice;
and an authorization unit for determining whether to grant the user access according to the analysis result of the single sign-on microservice.
Further, the system also includes:
an auditing unit for auditing the pushed data it receives;
an IDM unit for inputting the data information used by the user into the identity management microservice;
a user management algorithm unit, into which the identity management microservice inputs data; the user management algorithm microservice continuously and dynamically analyzes the identity management microservice and outputs a judgment result back to it;
an ABAC unit for inputting the data and metrics into the fine-grained authorization algorithm unit;
a fine-grained authorization algorithm unit for analyzing the ABAC unit, outputting a judgment result and inputting metrics into the global algorithm platform unit;
a global algorithm platform unit for receiving the metrics of the user management algorithm unit and the fine-grained authorization algorithm unit and updating the model;
and the global algorithm platform microservice updates its model and provides it to the user management algorithm microservice and the traffic risk identification algorithm microservice.
The invention also discloses an electronic device comprising a processor and a memory,
the memory being used to store an executable program;
the processor being configured to execute the executable program to implement any of the methods described above.
Compared with the prior art, the method and system can continuously and dynamically evaluate and judge the risk of targets such as each user, organization and device in the system, thereby further improving the risk identification capability.
Drawings
Fig. 1 is a schematic flow chart of a risk judgment method based on zero trust in an embodiment of the present invention;
Fig. 2 is a schematic flow chart of a specific implementation of a risk judgment method based on zero trust according to an embodiment of the present invention;
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present invention.
Detailed Description
The present disclosure is described in further detail below with reference to the accompanying drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the disclosure and are not limiting of the disclosure. It should be further noted that, for the convenience of description, only some of the structures relevant to the present disclosure are shown in the drawings, not all of them.
Before discussing exemplary embodiments in more detail, it should be noted that some exemplary embodiments are described as processes or methods depicted as flowcharts. Although the steps are depicted in the flowchart as a sequential process, many of the steps can be performed in parallel, concurrently, or simultaneously. Further, the order of the steps may be rearranged, the process may be terminated when its operations are completed, and other steps not included in the drawings may be included. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc.
Example one
Fig. 1 is a schematic flow chart of a risk determination method based on zero trust in an embodiment of the present invention, including the following steps:
Access traffic or data is obtained.
The access traffic or data is input into a multi-factor authentication (MFA) microservice for analysis. MFA can provide various forms of identity authentication management: the service system offers a uniform authentication interface to different users, and the appropriate service security level is enforced according to the user's authority level. Securing user credentials with MFA defends against a range of cyber threats.
Whether algorithm-assisted risk control is needed is analyzed.
The result is input into the single sign-on (SSO) microservice.
Whether to grant the user access is determined according to the analysis result of the SSO microservice.
In practice most security systems use single sign-on (SSO). SSO secures the user's login input, so that unified access to every service system is achieved through a single login without authenticating again. SSO solves the problems of an organization having many applications and of managing many accounts.
This advantage of SSO keeps the traffic pressure on the entry rule engine of the identity authentication system relatively small. In this embodiment, in a user's single sign-on scenario, a rule engine based on multi-factor authentication (MFA) is combined with an algorithm run in an assisting role, which effectively raises the security recognition rate. Although MFA plus the assisting algorithm cannot identify every risk in a single sign-on scenario, the resulting risk event is itself not harmful to the identity authentication system; the main risk is that the list of applications and the portal information (i.e. the information on the first page after single sign-on) available to a specific user may be exposed, but this is solved in the subsequent process in combination with other measures.
In the step of analyzing whether algorithm-assisted risk control is needed: if the judgment is yes, the auxiliary algorithm microservice is invoked; it analyzes and judges the access traffic or data and, combined with the analysis result of the MFA microservice, outputs the result to the SSO microservice. In some low-risk scenarios the auxiliary algorithm is not needed, and the request is passed directly to the SSO microservice and continues with the next step of the flow.
To further raise the risk identification rate and improve security, after the SSO microservice analysis is completed the analysis data is pushed to the auditing unit at regular intervals.
Further, the auditing unit analyzes the various input data: the data (or information and logs) generated in each process step are collected and analyzed, the user's trust condition is synthesized, the result is fed back to a node with authority management or to a process for control, and the audit result and information are encrypted with the unit's own encryption algorithm and uploaded to an audit database for storage.
The audit scope is wide: it runs from the user's initial network connection request to the return of the result from the accessed service. All operations, administration and maintenance are visible, controllable, manageable and traceable. This achieves whole-process auditing of key data, identifies and records abnormal data operations, raises alarms in real time, and ensures that auditing is transparent when the data is used. In a concrete implementation, the process can be carried out selectively according to the actual business process requirements.
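The decision flow of Example one, written out as an added illustration (not code from the patent or from Shanghai Para Software): the MFA microservice verifies the factors and raises rule-engine signals, the auxiliary algorithm is invoked only when a signal is raised, and the SSO microservice turns the combined result into the access decision and pushes the analysis data to the auditing unit. The microservices are plain functions; the signal names, weights and the 0.5 deny threshold are assumptions.

```python
"""Added example: MFA -> conditional auxiliary algorithm -> SSO -> decision.
Microservices are modelled as plain functions; names, rules, weights and the
deny threshold are assumptions for illustration, not from the patent."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AccessRequest:
    """Constructed access record: what the MFA microservice sees per login."""
    user: str
    password_ok: bool
    otp_ok: bool
    device_id: str
    known_devices: tuple
    ip_country: str
    usual_country: str
    failed_logins_last_hour: int
    hour_of_day: int


@dataclass
class MfaResult:
    authenticated: bool                       # both factors verified
    risk_signals: list = field(default_factory=list)


def mfa_microservice(req: AccessRequest) -> MfaResult:
    """MFA microservice: verify the factors and raise rule-engine risk signals."""
    result = MfaResult(authenticated=req.password_ok and req.otp_ok)
    if req.device_id not in req.known_devices:
        result.risk_signals.append("new_device")
    if req.ip_country != req.usual_country:
        result.risk_signals.append("geo_mismatch")
    if req.failed_logins_last_hour >= 3:
        result.risk_signals.append("repeated_failures")
    return result


def needs_assisted_risk_control(mfa: MfaResult) -> bool:
    """'Analyze whether algorithm-assisted risk control is needed': escalate only
    when the factors passed but the rule engine flagged something. A failed MFA
    is rejected without spending auxiliary-algorithm work on it."""
    return mfa.authenticated and bool(mfa.risk_signals)


# Assumed signal weights of the auxiliary algorithm microservice.
SIGNAL_WEIGHTS = {"new_device": 0.3, "geo_mismatch": 0.4, "repeated_failures": 0.5}
DENY_THRESHOLD = 0.5   # assumed


def auxiliary_algorithm_microservice(req: AccessRequest, mfa: MfaResult) -> float:
    """Auxiliary algorithm microservice: score the flagged request in [0, 1]."""
    score = sum(SIGNAL_WEIGHTS[s] for s in mfa.risk_signals)
    if req.hour_of_day < 6 or req.hour_of_day >= 22:   # off-hours bump
        score += 0.1
    return min(score, 1.0)


def sso_microservice(user: str, mfa: MfaResult, risk_score: float, audit: list) -> str:
    """SSO microservice: combine the MFA result and the auxiliary score into the
    access decision, and push the analysis data to the auditing unit (a list here)."""
    if not mfa.authenticated or risk_score >= DENY_THRESHOLD:
        decision = "deny"
    else:
        decision = "allow"
    audit.append({"user": user, "mfa_ok": mfa.authenticated,
                  "signals": list(mfa.risk_signals),
                  "risk_score": round(risk_score, 2), "decision": decision})
    return decision


def decide_access(req: AccessRequest, audit: list) -> str:
    """The full flow: MFA -> conditional auxiliary algorithm -> SSO -> decision."""
    mfa = mfa_microservice(req)
    risk_score = 0.0
    if needs_assisted_risk_control(mfa):
        risk_score = auxiliary_algorithm_microservice(req, mfa)
    return sso_microservice(req.user, mfa, risk_score, audit)


def sample_request(**overrides) -> AccessRequest:
    """Constructed low-risk request; overrides build the other sample cases."""
    fields = dict(user="alice", password_ok=True, otp_ok=True, device_id="laptop-1",
                  known_devices=("laptop-1",), ip_country="CN", usual_country="CN",
                  failed_logins_last_hour=0, hour_of_day=10)
    fields.update(overrides)
    return AccessRequest(**fields)


if __name__ == "__main__":
    audit_queue = []
    for label, req in [("known device", sample_request()),
                       ("wrong OTP", sample_request(otp_ok=False)),
                       ("new device only", sample_request(device_id="phone-9")),
                       ("new device + geo", sample_request(device_id="phone-9", ip_country="US"))]:
        print(f"{label:>18}: {decide_access(req, audit_queue)}")
    print(audit_queue[-1])
```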
Example two
Fig. 2 is a flowchart of a specific implementation of the zero-trust-based risk judgment method of the present invention.
To further raise the risk identification rate and improve security, on the basis of the above embodiment, after granting the user access the method further includes:
inputting the data information used by the user into an identity management (IDM) microservice;
the identity management microservice inputs data and metrics into the user management algorithm microservice, and at the same time the user management algorithm microservice continuously and dynamically analyzes the identity management microservice and outputs a judgment result back to it;
the user management algorithm microservice inputs metrics into the global algorithm platform microservice;
and the global algorithm platform microservice updates its model and provides it to the user management algorithm microservice and the traffic risk identification algorithm microservice.
In addition, to further improve the risk identification capability, the above method is complemented by analysis from another dimension at the same time, namely the attributes of the accessed data. While the user is using the system, the data information used by the user is therefore also input into an attribute-based access control (ABAC) microservice;
the ABAC microservice inputs data and metrics into a fine-grained authorization algorithm microservice;
the fine-grained authorization algorithm microservice continuously and dynamically analyzes the ABAC microservice, outputs a judgment result, and inputs metrics into the global algorithm platform microservice;
and the global algorithm platform microservice updates its model and provides it to the fine-grained authorization algorithm microservice.
The attribute-dimension analysis in this embodiment may cover the following attributes:
1. subject attributes: the visitor's own attributes, such as age, gender, department, role, etc.;
2. action attributes: reading, deleting, checking, etc.;
3. object attributes: attributes of the accessed object, such as a record's modification time, creator, etc.;
4. environment attributes: time information, geographic location, access platform, etc.
ABAC can therefore express many flexible access control policies, for example:
1. when a document's department is the same as the user's department, the user can access the document;
2. when the user is the owner of a document and the document's status is draft, the user can edit the document in real time;
3. time-based restrictions on access, such as prohibiting staff of department A from accessing system B before nine a.m.;
4. for access from a certain region, access to system A with administrator identity is prohibited.
Based on such flexible, dynamic attribute control policies, risks can therefore be analyzed and judged continuously, dynamically and in real time.
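An ABAC evaluator over the four attribute categories named above (subject, action, object, environment), encoding the four sample policies as predicates, added here as an illustration and not code from the patent. The data classes, the deny-overrides combining rule with a default of deny, the region name "restricted-region" and the sample records are assumptions.

```python
"""Added example: ABAC evaluation over subject, action, object and environment
attributes, with the embodiment's four sample policies. Combining rule
(deny-overrides, default deny) and sample data are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Subject:          # attributes of the accessing user
    user_id: str
    department: str
    role: str


@dataclass(frozen=True)
class Resource:         # attributes of the accessed object
    doc_id: str
    department: str
    owner: str
    status: str          # e.g. "draft" or "final"
    system: str          # hosting system, e.g. "A" or "B"


@dataclass(frozen=True)
class Environment:      # attributes of the access context
    when: datetime
    region: str
    platform: str


# A request bundles the four attribute categories; the action is a plain string.
Request = Tuple[Subject, str, Resource, Environment]
Policy = Tuple[str, str, Callable[[Subject, str, Resource, Environment], bool]]

POLICIES: List[Policy] = [
    # 1. same department may read the document
    ("permit", "same-department-read",
     lambda s, a, o, e: a == "read" and o.department == s.department),
    # 2. the owner may edit while the document is still a draft
    ("permit", "owner-edits-draft",
     lambda s, a, o, e: a == "edit" and o.owner == s.user_id and o.status == "draft"),
    # 3. department A may not touch system B before nine a.m.
    ("deny", "dept-A-no-system-B-before-9",
     lambda s, a, o, e: s.department == "A" and o.system == "B" and e.when.time() < time(9, 0)),
    # 4. from the restricted region (assumed name), administrator access to system A is forbidden
    ("deny", "restricted-region-no-admin-on-A",
     lambda s, a, o, e: e.region == "restricted-region" and s.role == "admin" and o.system == "A"),
]


def evaluate(request: Request, policies: List[Policy] = POLICIES) -> Tuple[str, List[str]]:
    """Deny-overrides, default-deny: any matching deny wins, otherwise a matching
    permit is required, otherwise the zero-trust default is deny. Returns the
    decision and the names of the policies that matched, for the audit trail."""
    subject, action, resource, env = request
    matched = [(effect, name) for effect, name, rule in policies
               if rule(subject, action, resource, env)]
    names = [name for _, name in matched]
    if any(effect == "deny" for effect, _ in matched):
        return "deny", names
    if any(effect == "permit" for effect, _ in matched):
        return "permit", names
    return "deny", names


# Constructed sample records.
ALICE = Subject("alice", "A", "staff")
ROOT = Subject("root", "IT", "admin")
DRAFT_A = Resource("doc-1", "A", "alice", "draft", "A")
FINAL_B = Resource("doc-2", "A", "bob", "final", "B")
MORNING = Environment(datetime(2021, 6, 29, 8, 30), "hq", "web")
NOON = Environment(datetime(2021, 6, 29, 12, 0), "hq", "web")
ABROAD = Environment(datetime(2021, 6, 29, 12, 0), "restricted-region", "mobile")


if __name__ == "__main__":
    for req in [(ALICE, "read", DRAFT_A, NOON), (ALICE, "edit", DRAFT_A, NOON),
                (ALICE, "read", FINAL_B, MORNING), (ALICE, "read", FINAL_B, NOON),
                (ROOT, "read", DRAFT_A, ABROAD), (ALICE, "delete", DRAFT_A, NOON)]:
        print(req[1], req[2].doc_id, "->", evaluate(req))
```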
The global algorithm platform in this embodiment models the various scenes from historical data, constructs for each scene's model a hypothesis test suited to its conditions using different statistical distributions, models the transitions between scenes, estimates at the data level the signals that indicate a transition between scenes using a simulation algorithm, and stores these signals in the microservice's database.
When the algorithm microservices other than the global algorithm platform are in use, their data and related metrics are pushed asynchronously to the global algorithm platform. The platform estimates from the pushed data and metrics whether the current scene has changed; if it has, the pre-computed hypothesis test for the new scene is pushed to each algorithm microservice, and the algorithm in that microservice is updated.
In addition, the algorithm of the global algorithm platform is regularly updated and corrected using the incremental or full data in the audit database, so that the algorithm in each algorithm microservice is updated in turn, forming a strong system capable of continuous, dynamic judgment and further improving the risk identification capability.
As a further preferred embodiment, in each algorithm-related microservice or step, asynchronous and quasi-synchronous (near-real-time) algorithms can supplement and support the synchronous algorithms in the decision flow, to make the algorithm's judgment more accurate.
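The global algorithm platform's scene-change test, reduced to a single metric and added here as an illustration (not the patent's own algorithm): each scene models the login-failure count that an algorithm microservice pushes as Binomial(attempts, p) with a scene-specific p, an exact two-sided binomial test decides whether the current scene still fits, and on a change the pre-computed parameters of the best-fitting scene are pushed to the subscribed microservices. The scene names, failure rates, pushed parameters and the 1% significance level are assumptions.

```python
"""Added example: scene-change detection by hypothesis test on pushed metrics,
with pre-computed per-scene parameters pushed to subscribing microservices.
Scenes, rates, parameters and the significance level are assumptions."""
import math
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Scene:
    name: str
    failure_rate: float     # p of the Binomial model for this scene
    hypothesis: dict        # pre-computed parameters pushed to microservices


SCENES = [
    Scene("normal", 0.05, {"deny_threshold": 0.7, "otp_required": False}),
    Scene("credential_stuffing", 0.30, {"deny_threshold": 0.4, "otp_required": True}),
]


def binom_pmf(k: int, n: int, p: float) -> float:
    return math.comb(n, k) * p ** k * (1 - p) ** (n - k)


def two_sided_pvalue(k: int, n: int, p: float) -> float:
    """Exact two-sided tail probability of k failures in n attempts when the
    true failure rate is p (smaller tail doubled, capped at 1)."""
    lower = sum(binom_pmf(i, n, p) for i in range(0, k + 1))
    upper = sum(binom_pmf(i, n, p) for i in range(k, n + 1))
    return min(1.0, 2.0 * min(lower, upper))


def log_likelihood(k: int, n: int, p: float) -> float:
    return k * math.log(p) + (n - k) * math.log(1 - p)


class GlobalAlgorithmPlatform:
    def __init__(self, scenes: List[Scene], alpha: float = 0.01):
        self.scenes: Dict[str, Scene] = {s.name: s for s in scenes}
        self.current = scenes[0].name
        self.alpha = alpha
        self.subscribers: List[Callable[[str, dict], None]] = []

    def subscribe(self, microservice: Callable[[str, dict], None]) -> None:
        """Register an algorithm microservice that receives hypothesis pushes."""
        self.subscribers.append(microservice)

    def push_metrics(self, failures: int, attempts: int) -> Optional[str]:
        """Entry point for metrics pushed asynchronously by the other algorithm
        microservices. Returns the new scene name if the scene changed."""
        current = self.scenes[self.current]
        if two_sided_pvalue(failures, attempts, current.failure_rate) >= self.alpha:
            return None        # observation is consistent with the current scene
        best = max(self.scenes.values(),
                   key=lambda s: log_likelihood(failures, attempts, s.failure_rate))
        if best.name == self.current:
            return None        # rejected, but no other modelled scene fits better
        self.current = best.name
        for microservice in self.subscribers:
            microservice(best.name, dict(best.hypothesis))
        return best.name


class AuxiliaryAlgorithmStub:
    """Stand-in for a subscribing algorithm microservice: records the pushes."""
    def __init__(self):
        self.params = dict(SCENES[0].hypothesis)
        self.updates: List[str] = []

    def on_hypothesis(self, scene: str, params: dict) -> None:
        self.params = params
        self.updates.append(scene)


if __name__ == "__main__":
    platform = GlobalAlgorithmPlatform(SCENES)
    aux = AuxiliaryAlgorithmStub()
    platform.subscribe(aux.on_hypothesis)
    for failures, attempts in [(5, 100), (8, 100), (30, 100), (28, 100), (4, 100)]:
        print(failures, attempts, "->", platform.push_metrics(failures, attempts), aux.params)
```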
Example three
The invention also provides a risk judgment system based on zero trust, which comprises:
an access unit for obtaining access traffic or data;
a multi-factor authentication unit for inputting the access traffic or data into the multi-factor authentication microservice for analysis;
an analysis unit for analyzing whether algorithm-assisted risk control is needed;
an auxiliary algorithm unit for analyzing and judging the access traffic or data and outputting the result to the single sign-on unit;
a single sign-on unit for inputting into the single sign-on microservice;
and an authorization unit for determining whether to grant the user access according to the analysis result of the single sign-on microservice.
Based on the above zero-trust-based risk judgment system, a more preferred embodiment further includes:
an auditing unit for auditing the pushed data it receives;
an IDM unit for inputting the data information used by the user into the identity management microservice;
a user management algorithm unit, into which the identity management microservice inputs data; the user management algorithm microservice continuously and dynamically analyzes the identity management microservice and outputs a judgment result back to it;
an ABAC unit for inputting the data and metrics into the fine-grained authorization algorithm unit;
a fine-grained authorization algorithm unit for analyzing the ABAC unit, outputting a judgment result and inputting metrics into the global algorithm platform unit;
a global algorithm platform unit for receiving the metrics of the user management algorithm unit and the fine-grained authorization algorithm unit and updating the model;
and the global algorithm platform microservice updates its model and provides it to the user management algorithm microservice and the traffic risk identification algorithm microservice.
The specific implementation process and method refer to the description of the first embodiment and are not described in detail.
Fig. 3 is a schematic structural diagram of an electronic device according to an embodiment of the present invention. The methods shown in Fig. 1 and Fig. 2 can run on the electronic device shown in Fig. 3, which includes a processor and a memory.
As shown in Fig. 3, the electronic device includes a processor 30 (there may be one or more processors 30; Fig. 3 shows one) and a memory 31. In the embodiment of the present invention, the processor 30 and the memory 31 may be connected by a bus or other means; Fig. 3 illustrates a bus connection. The memory 31 stores executable programs that are executed by the processor 30 to implement the methods or steps of the above-described embodiments.
The disclosure also extends to computer programs, particularly computer programs on or in a carrier, adapted for putting the disclosure into practice. The program may be in the form of source code, object code, a code intermediate source and object code such as partially compiled form, or in any other form suitable for use in the implementation of the method according to the disclosure. It will also be noted that such programs may have many different architectural designs. For example, program code implementing the functionality of a method or system according to the present disclosure may be subdivided into one or more subroutines.
Many different ways to distribute the functionality among these subroutines will be apparent to the skilled person. The subroutines may be stored together in one executable file, forming a self-contained program. Such an executable file may include computer-executable instructions, such as processor instructions and/or interpreter instructions (e.g., Java interpreter instructions). Alternatively, one or more or all of the subroutines may be stored in at least one external library file and linked with the main program either statically or dynamically (e.g., at run time). The main program contains at least one call to at least one of the subroutines. Subroutines may also include function calls to each other. Embodiments directed to a computer program product comprising computer executable instructions for performing each of the process steps of at least one of the set forth methods. These instructions may be subdivided into subroutines and/or stored in one or more files, which may be statically or dynamically linked.
Another embodiment related to a computer program product comprises computer executable instructions for each of the means corresponding to at least one of the systems and/or products set forth. These instructions may be subdivided into subroutines and/or stored in one or more files, which may be statically or dynamically linked.
The carrier of the computer program may be any entity or device capable of carrying the program. For example, the carrier may comprise a storage medium such as a ROM (e.g. a CD-ROM or a semiconductor ROM) or a magnetic recording medium (e.g. a floppy disk or hard disk). Further, the carrier may be a transmissible carrier such as an electrical or optical signal, which may be conveyed via electrical or optical cable or by radio or other means. When the program is embodied in such a signal, the carrier may be constituted by such cable or device. Alternatively, the carrier may be an integrated circuit in which the program is embedded, the integrated circuit being adapted for performing, or for use in the performance of, the relevant method.
The embodiments mentioned above are intended to illustrate rather than to limit the disclosure, and those skilled in the art will be able to design many alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. Use of the verb "comprise" and its conjugations does not exclude the presence of elements or steps other than those stated in a claim. The article "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The disclosure may be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In the device claim enumerating several means, several of these means may be embodied by one and the same item of hardware. The mere fact that certain measures are recited in mutually different dependent claims does not indicate that a combination of these measures cannot be used to advantage.
The different functions discussed herein may be performed in a different order and/or concurrently with each other. Further, if desired, one or more of the functions described above may be optional or may be combined.
The steps discussed above are not limited to the order of execution in the embodiments, and different steps may be executed in different orders and/or concurrently with each other. Further, in other embodiments, one or more of the steps described above may be optional or may be combined.
Although various aspects of the disclosure are set out in the independent claims, other aspects of the disclosure comprise combinations of features from the described embodiments and/or the dependent claims with the features of the independent claims, and not solely the combinations explicitly set out in the claims.
While the above describes example embodiments of the present disclosure, these descriptions should not be taken in a limiting sense. Rather, several variations and modifications may be made without departing from the scope of the present disclosure as defined in the appended claims.
It should be understood by those skilled in the art that the modules in the apparatus of the embodiment of the present disclosure may be implemented by a general-purpose computing apparatus, and the modules may be integrated into a single computing apparatus or a network group of computing apparatuses, and the apparatus in the embodiment of the present disclosure corresponds to the method in the foregoing embodiment, and may be implemented by executable program code, or by a combination of integrated circuits, so that the present disclosure is not limited to specific hardware or software, and combinations thereof.
It should be understood by those skilled in the art that the modules in the apparatus of the embodiment of the present disclosure may be implemented by general-purpose electronic devices, and the modules may be integrated into a single electronic device or a combination of devices composed of electronic devices.

Claims (10)

1. A zero-trust-based risk judgment method, characterized by comprising the following steps:
obtaining access traffic or data;
inputting the access traffic or data into a multi-factor authentication microservice for analysis;
analyzing whether algorithm-assisted risk control is needed;
inputting the result into a single sign-on microservice;
and determining whether to grant the user access according to the analysis result of the single sign-on microservice.
2. The risk judgment method of claim 1, wherein the step of analyzing whether algorithm-assisted risk control is needed comprises:
if so, logging in to an auxiliary algorithm microservice, which analyzes and judges the access traffic or data and outputs its analysis result, combined with the analysis result of the multi-factor authentication microservice, to the single sign-on microservice;
if not, inputting directly into the single sign-on microservice.
3. The risk judgment method of claim 1, wherein the access traffic or data is input to the multi-factor authentication microservice for analysis, and after the analysis is completed, the analysis data is pushed to an auditing unit at regular intervals.
4. The risk judgment method of claim 1, wherein the analysis data is pushed to the auditing unit at regular intervals after the single sign-on microservice analysis is completed.
5. The risk judgment method of claim 3 or 4, wherein the auditing unit, after analyzing the various data input to it, encrypts the data and uploads the encrypted data to an audit database for storage.
6. The risk judgment method of claim 1, further comprising, after granting the user access:
inputting data on the user's usage to the identity management microservice;
the identity management microservice inputs the data into the user management algorithm microservice, and the user management algorithm microservice continuously and dynamically analyzes the identity management microservice and outputs a judgment result to the identity management microservice;
the user management algorithm microservice inputs indicators to the global algorithm platform microservice;
and the global algorithm platform microservice updates its model and provides it to the user management algorithm microservice and the traffic risk identification algorithm microservice.
7. The risk judgment method of claim 6, further comprising, after granting the user access:
inputting data on the user's usage to the ABAC microservice;
the ABAC microservice inputs the data and indicators into a fine-grained authorization algorithm microservice;
the fine-grained authorization algorithm microservice continuously and dynamically analyzes the ABAC microservice, outputs a judgment result, and inputs indicators to the global algorithm platform microservice;
and the global algorithm platform microservice updates its model and provides it to the fine-grained authorization algorithm microservice.
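The decision flow of claims 1 to 5 (multi-factor authentication microservice, the branch on whether algorithm-assisted risk control is needed, the auxiliary algorithm microservice, the single sign-on decision, and the audit unit that encrypts pushed analysis data before storing it) can be sketched as a small pipeline. The following is an added example written for this page; it is not code from the patent or its assignee. The request fields, the scoring weights, the grant threshold, the home-country check and the `evaluate` function are all assumptions chosen to make the branch observable, and the audit cipher is a stand-in keyed stream construction built from the standard library rather than the AEAD a deployment would use.

```python
from __future__ import annotations
from dataclasses import dataclass
import hashlib
import hmac
import json
import os

HOME_COUNTRY = "CN"       # assumption: the tenant's expected login region
GRANT_THRESHOLD = 0.5     # assumption: SSO grants when the risk score is below this


@dataclass
class AccessRequest:
    """Constructed sample of the 'access traffic or data' the method obtains.
    Field names are assumptions, not the patent's."""
    user: str
    known_device: bool
    geo_country: str
    mfa_verified: bool
    mfa_method: str        # "totp", "push" or "sms"
    failed_attempts: int


@dataclass
class Assessment:
    score: float           # 0.0 = no risk, 1.0 = maximum risk
    reasons: list[str]


def mfa_service(req: AccessRequest) -> Assessment:
    """Multi-factor authentication microservice: scores factor strength and recent failures."""
    if not req.mfa_verified:
        return Assessment(1.0, ["mfa_failed"])
    score, reasons = 0.0, []
    if req.mfa_method == "sms":                 # SMS is a weaker factor than TOTP/push
        score += 0.3
        reasons.append("weak_factor:sms")
    if req.failed_attempts:
        score += 0.15 * min(req.failed_attempts, 3)
        reasons.append(f"failed_attempts:{req.failed_attempts}")
    return Assessment(round(min(score, 1.0), 2), reasons)


def needs_assisted_risk_control(req: AccessRequest, mfa: Assessment) -> bool:
    """Claim 2 branch: use the auxiliary algorithm when the MFA verdict is ambiguous
    or when context signals lie outside what the MFA service judges."""
    ambiguous = 0.2 <= mfa.score < 0.7
    return ambiguous or not req.known_device or req.geo_country != HOME_COUNTRY


def auxiliary_algorithm_service(req: AccessRequest, mfa: Assessment) -> Assessment:
    """Auxiliary algorithm microservice: adds contextual risk, merged with the MFA result."""
    extra, reasons = 0.0, list(mfa.reasons)
    if not req.known_device:
        extra += 0.25
        reasons.append("unknown_device")
    if req.geo_country != HOME_COUNTRY:
        extra += 0.3
        reasons.append("foreign_geo")
    return Assessment(round(min(1.0, mfa.score + extra), 2), reasons)


def sso_service(assessment: Assessment) -> str:
    """Single sign-on microservice: the final access decision."""
    return "grant" if assessment.score < GRANT_THRESHOLD else "deny"


class AuditUnit:
    """Claims 3-5: receives pushed analysis data in batches and stores it only after
    encrypting it. The cipher is an illustrative HMAC-SHA256 keystream with an
    encrypt-then-MAC tag (stand-in for an AEAD such as AES-GCM)."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending: list[dict] = []
        self.database: list[bytes] = []

    def push(self, stage: str, req: AccessRequest, assessment: Assessment) -> None:
        self.pending.append({"stage": stage, "user": req.user,
                             "score": assessment.score, "reasons": assessment.reasons})

    def _xor_stream(self, nonce: bytes, data: bytes) -> bytes:
        out = bytearray()
        for i in range(0, len(data), 32):   # one 32-byte keystream block per chunk
            block = hmac.new(self.key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
            out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
        return bytes(out)

    def flush(self) -> int:
        """Scheduled upload: encrypt and tag every pending record, then store it."""
        for record in self.pending:
            nonce = os.urandom(16)
            body = self._xor_stream(nonce, json.dumps(record, sort_keys=True).encode())
            tag = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
            self.database.append(nonce + body + tag)
        count, self.pending = len(self.pending), []
        return count

    def decrypt_all(self) -> list[dict]:
        """Auditor side: verify the tag before decrypting each stored record."""
        records = []
        for blob in self.database:
            nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
            expected = hmac.new(self.key, nonce + body, hashlib.sha256).digest()
            if not hmac.compare_digest(tag, expected):
                raise ValueError("audit record tampered")
            records.append(json.loads(self._xor_stream(nonce, body)))
        return records


def evaluate(req: AccessRequest, audit: AuditUnit) -> dict:
    """Claims 1-4 end to end: returns the decision and which route produced it."""
    mfa = mfa_service(req)
    audit.push("mfa", req, mfa)                                   # claim 3
    if needs_assisted_risk_control(req, mfa):
        final, route = auxiliary_algorithm_service(req, mfa), "assisted"
    else:
        final, route = mfa, "direct"
    decision = sso_service(final)
    audit.push("sso", req, final)                                 # claim 4
    return {"decision": decision, "route": route, "score": final.score, "reasons": final.reasons}
```

A verified TOTP login from a known device goes straight to SSO and is granted; a verified SMS login after one failure on an unknown device lands in the ambiguous band, is routed through the auxiliary algorithm, and ends above the threshold; a failed MFA is denied without the detour. Both the MFA and SSO stages push a record, and `flush` is what the claimed periodic upload would call.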
8. A zero-trust-based risk judgment system, comprising:
an access unit, used for obtaining access traffic or data;
a multi-factor authentication unit, used for inputting the access traffic or data into a multi-factor authentication microservice for analysis;
an analysis unit, used for analyzing whether algorithm-assisted risk control is needed;
an auxiliary algorithm unit, used for analyzing and judging the access traffic or data and outputting the result to the single sign-on unit;
a single sign-on unit, used for inputting into a single sign-on microservice;
and an authorization unit, used for determining whether to grant the user access according to the analysis result of the single sign-on microservice.
9. The risk judgment system of claim 8, further comprising:
an auditing unit, used for auditing the pushed data it receives;
an IDM unit, used for inputting data on the user's usage to the identity management microservice;
a user management algorithm unit, used by the identity management microservice to input data into the user management algorithm microservice, which continuously and dynamically analyzes the identity management microservice and outputs a judgment result to the identity management microservice;
an ABAC unit, used for inputting the data and indicators into the fine-grained authorization algorithm unit;
a fine-grained authorization algorithm unit, used for analyzing the ABAC unit, outputting a judgment result, and inputting indicators to the global algorithm platform unit;
a global algorithm platform unit, used for receiving the indicators of the user management algorithm unit and the fine-grained authorization algorithm unit and updating the model;
and the global algorithm platform microservice updates its model and provides it to the user management algorithm microservice and the traffic risk identification algorithm microservice.
10. An electronic device, comprising a processor and a memory, wherein
the memory is used for storing an executable program;
and the processor is configured to execute the executable program to implement the method of any one of claims 1-7.
CN202110728768.0A 2021-06-29 2021-06-29 Zero trust-based risk judging method and system Active CN113542238B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110728768.0A CN113542238B (en) 2021-06-29 2021-06-29 Zero trust-based risk judging method and system

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202110728768.0A CN113542238B (en) 2021-06-29 2021-06-29 Zero trust-based risk judging method and system

Publications (2)

Publication Number Publication Date
CN113542238A true CN113542238A (en) 2021-10-22
CN113542238B CN113542238B (en) 2023-06-16

Family

ID=78126200

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110728768.0A Active CN113542238B (en) 2021-06-29 2021-06-29 Zero trust-based risk judging method and system

Country Status (1)

Country Link
CN (1) CN113542238B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114024766A (en) * 2021-11-23 2022-02-08 重庆邮电大学 Zero trust identity authentication method facing edge computing node

Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018053122A1 (en) * 2016-09-14 2018-03-22 Oracle International Corporation Single sign-on and single logout functionality for a multi-tenant identity and data security management cloud service
CN108322471A (en) * 2016-05-11 2018-07-24 甲骨文国际公司 Multi-tenant identity and data security management cloud service
CN108900561A (en) * 2018-09-28 2018-11-27 北京芯盾时代科技有限公司 The method, apparatus and system of single-sign-on
CN109388937A (en) * 2018-11-05 2019-02-26 用友网络科技股份有限公司 A kind of single-point logging method and login system of multiple-factor authentication
CN110661782A (en) * 2019-08-27 2020-01-07 紫光云(南京)数字技术有限公司 Public basic service system based on single sign-on and micro-service architecture and implementation method thereof
CN112019560A (en) * 2020-09-07 2020-12-01 长沙誉联信息技术有限公司 End-to-end zero trust security gateway system
CN112165488A (en) * 2020-09-28 2021-01-01 杭州安恒信息安全技术有限公司 Risk assessment method, device and equipment and readable storage medium
CN112597472A (en) * 2021-03-03 2021-04-02 北京视界云天科技有限公司 Single sign-on method, device and storage medium
CN112653673A (en) * 2020-12-08 2021-04-13 中国人寿保险股份有限公司 Multi-factor authentication method and system based on single sign-on
CN112738047A (en) * 2020-12-24 2021-04-30 贝壳技术有限公司 Access control method of service system and zero trust system
CN112765639A (en) * 2021-01-27 2021-05-07 武汉大学 Security micro-service architecture based on zero trust access strategy and implementation method

Patent Citations (11)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108322471A (en) * 2016-05-11 2018-07-24 甲骨文国际公司 Multi-tenant identity and data security management cloud service
WO2018053122A1 (en) * 2016-09-14 2018-03-22 Oracle International Corporation Single sign-on and single logout functionality for a multi-tenant identity and data security management cloud service
CN108900561A (en) * 2018-09-28 2018-11-27 北京芯盾时代科技有限公司 The method, apparatus and system of single-sign-on
CN109388937A (en) * 2018-11-05 2019-02-26 用友网络科技股份有限公司 A kind of single-point logging method and login system of multiple-factor authentication
CN110661782A (en) * 2019-08-27 2020-01-07 紫光云(南京)数字技术有限公司 Public basic service system based on single sign-on and micro-service architecture and implementation method thereof
CN112019560A (en) * 2020-09-07 2020-12-01 长沙誉联信息技术有限公司 End-to-end zero trust security gateway system
CN112165488A (en) * 2020-09-28 2021-01-01 杭州安恒信息安全技术有限公司 Risk assessment method, device and equipment and readable storage medium
CN112653673A (en) * 2020-12-08 2021-04-13 中国人寿保险股份有限公司 Multi-factor authentication method and system based on single sign-on
CN112738047A (en) * 2020-12-24 2021-04-30 贝壳技术有限公司 Access control method of service system and zero trust system
CN112765639A (en) * 2021-01-27 2021-05-07 武汉大学 Security micro-service architecture based on zero trust access strategy and implementation method
CN112597472A (en) * 2021-03-03 2021-04-02 北京视界云天科技有限公司 Single sign-on method, device and storage medium

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
张宇等: "零信任研究综述", 《信息安全研究》 *
李明: "基于可信身份认证的企业信任服务体系研究", 《信息安全研究》 *

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114024766A (en) * 2021-11-23 2022-02-08 重庆邮电大学 Zero trust identity authentication method facing edge computing node
CN114024766B (en) * 2021-11-23 2023-06-20 重庆邮电大学 Zero trust identity authentication method for edge computing node

Also Published As

Publication number Publication date
CN113542238B (en) 2023-06-16

Similar Documents

Publication Publication Date Title
US11750659B2 (en) Cybersecurity profiling and rating using active and passive external reconnaissance
US20210382949A1 (en) Systems and methods for web content inspection
US20220210200A1 (en) Ai-driven defensive cybersecurity strategy analysis and recommendation system
US20220078210A1 (en) System and method for collaborative cybersecurity defensive strategy analysis utilizing virtual network spaces
US10740411B2 (en) Determining repeat website users via browser uniqueness tracking
US11533330B2 (en) Determining risk metrics for access requests in network environments using multivariate modeling
CN109598117A (en) Right management method, device, electronic equipment and storage medium
JP5852676B2 (en) Method, computer program, and system for determining vulnerability of a computer software application to an elevation of privilege attack
US20220014561A1 (en) System and methods for automated internet-scale web application vulnerability scanning and enhanced security profiling
JP2014505960A (en) System and method for application certification
US20230269277A1 (en) Systems and methods for determining risk ratings of roles on cloud computing platform
CN113542238A (en) Risk judgment method and system based on zero trust
Hettiarachchige et al. Holistic authentication framework for virtual agents; UK banking industry
CN112306826A (en) Method and apparatus for processing information for terminal
CN114567678B (en) Resource calling method and device for cloud security service and electronic equipment
CN111598544B (en) Method and device for processing information
CN114546857A (en) Interface test case generation method and device, electronic equipment and storage medium
Ban et al. A Survey on IoT Vulnerability Discovery
Liu et al. Understanding digital forensic characteristics of smart speaker ecosystems
US10708282B2 (en) Unauthorized data access detection based on cyber security images
CN111639033A (en) Software security threat analysis method and system
Ntentos et al. Assessing architecture conformance to security-related practices in infrastructure as code based deployments
CN114765552B (en) Data processing method, medium system, storage medium and electronic equipment
CN111885006B (en) Page access and authorized access method and device
WO2023020429A1 (en) Data auditing method and apparatus, and storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant