CN113596009A - Zero trust access method, system, zero trust security proxy, terminal and medium - Google Patents


Info

Publication number
CN113596009A
Authority
CN
China
Legal status
Granted
Application number
CN202110835317.7A
Other languages
Chinese (zh)
Other versions
CN113596009B (en)
Inventor
王姗姗
陆勰
张曼君
徐雷
谢泽铖
Current Assignee
China United Network Communications Group Co Ltd
Original Assignee
China United Network Communications Group Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos

Abstract

The present disclosure provides a zero trust access method, a system, a zero trust security agent, a terminal and a computer readable storage medium based on virtual mapping. The method includes: performing virtual mapping on the zero trust security proxy to obtain a first virtual security proxy and a second virtual security proxy; acquiring a user token of an access subject and an object authority of the access object that the access subject requests to access; sending the user token and the object authority to the first virtual security agent and the second virtual security agent respectively; and connecting the access subject and the access object in the first virtual security agent and the second virtual security agent respectively, based on the user token and the object authority. The embodiments of the disclosure use virtual mapping technology so that the user token and the object authority are transmitted separately through the virtual security agents, rather than the security agent itself directly connecting the access subject and the access object on the basis of the user token and the object authority, so as to at least ensure the security of the zero-trust security agent itself.

Description

Zero trust access method, system, zero trust security proxy, terminal and medium
Technical Field
The present disclosure relates to the field of computer network technologies, and in particular, to a zero trust access method, a zero trust access system, a zero trust security proxy, a terminal, and a computer-readable storage medium.
Background
The core idea of the zero trust network security architecture is to break through the limits of physical-boundary protection: no user, device, system or application inside the physical security boundary is trusted by default; instead, identity authentication is the core, and authentication and authorization form the basis of access control. Its focus is the secure delivery of applications and data services, its central concept is identity-based dynamic authority management, and its key capabilities can be summarized as: asset-based, identity-centric, secure business access, continuous trust evaluation, and dynamic access control based on least privilege.
In the zero trust network security architecture, the security agent is a necessary component for establishing a trusted channel between the access subject and the access object: it isolates the access subject from the access object, filters illegal access, and performs strong authentication.
In the current zero-trust network security architecture, the zero-trust security agent is the architecture's first line of defense, and no scheme, whether from experts, scholars or industrial research, can do without it. Each scheme assigns the security agent a different set of functions: some only authenticate, some authenticate and then provide access to mapped application resources, and so on. Most existing research, however, concentrates on the security-gateway functions and ignores the security of the security agent itself. The more functions and the more authority a single device has, the higher its risk; under the zero-trust architecture the security agent may be the model's most important line of defense, so once it is compromised the consequences are worse, and the losses more disastrous, than in the prior art. Since the original purpose of zero trust is to authenticate first and communicate second, improving the security of the security agent itself is necessary in order to achieve or strengthen the security of the model.
Disclosure of Invention
The invention provides a zero trust access method, a zero trust security proxy, a terminal and a computer readable storage medium, wherein the zero trust security proxy is subjected to virtual mapping, and two security proxies based on the virtual mapping respectively transmit a user token and an object authority so as to complete the connection between an access subject and an access object, thereby at least ensuring the security of the zero trust security proxy.
According to one aspect of the disclosure, a zero trust access method based on virtual mapping is provided, which is applied to a zero trust security proxy, and includes:
virtually mapping the zero-trust security proxy to obtain a first virtual security proxy and a second virtual security proxy;
acquiring a user token of an access subject and an object authority of an access object requested to be accessed by the access subject;
sending the user token and the object rights to the first virtual security agent and the second virtual security agent, respectively, and,
connecting the access subject and the access object based on the user token and the object authority in the first virtual security agent and the second virtual security agent, respectively.
In one embodiment, after virtually mapping the zero-trust security proxy and before acquiring the user token of the access subject and the object authority of the access object requested to be accessed by the access subject, the method further includes:
receiving an access request about an access object initiated by an access subject;
sending the access request to a zero trust security control center so that the zero trust security control center verifies the access request, and sends the access request to an identity security management center after the access request is verified to be legal, then the identity security management center authenticates the access subject based on the access request, and returns a user token of the access subject and an object authority of the access object to the zero trust security control center after the identity authentication is completed, and then the zero trust security control center sends the user token and the object authority to the zero trust security agent;
the obtaining of the user token of the access subject and the object authority of the access object requested to be accessed by the access subject includes:
acquiring the user token of the access subject and the object authority of the access object requested to be accessed by the access subject from the zero trust security control center.
In one embodiment, after obtaining a user token of an access subject and an object right of an access object requested to be accessed by the access subject, and before sending the user token and the object right to the first virtual security agent and the second virtual security agent, respectively, the method further includes:
encrypting the user token and the object authority respectively to obtain an encrypted user token and an encrypted object authority;
the sending the user token and the object right to the first virtual security agent and the second virtual security agent, respectively, includes:
sending the encrypted user token and the encrypted object authority to the first virtual security agent and the second virtual security agent respectively;
the connecting the access subject and the access object based on the user token and the object authority in the first virtual security agent and the second virtual security agent, respectively, includes:
decrypting the encrypted user token and the encrypted object permission in the first virtual security agent and the second virtual security agent respectively to obtain the user token and the object permission, and then connecting the access subject and the access object based on the user token and the object permission.
According to another aspect of the present disclosure, there is provided a zero trust security proxy comprising:
a virtual mapping module configured to perform virtual mapping on the zero-trust security proxy to obtain a first virtual security proxy and a second virtual security proxy;
an acquisition module configured to acquire a user token of an access subject and an object authority of an access object requested to be accessed by the access subject;
a sending module configured to send the user token and the object rights to the first virtual security agent and the second virtual security agent, respectively, and,
a connection module configured to connect the access subject and the access object based on the user token and the object authority in the first virtual security agent and the second virtual security agent, respectively.
In one embodiment, the zero trust security proxy further comprises:
the receiving module is arranged for receiving an access request about an access object initiated by an access subject after the virtual mapping module performs virtual mapping on the zero-trust security proxy and before the acquisition module acquires the user token and the object authority;
the sending module is further configured to send the access request to a zero-trust security control center, so that the zero-trust security control center verifies the access request, sends the access request to an identity security management center after the access request is verified to be legal, enables the identity security management center to perform identity authentication on the access subject based on the access request, returns a user token of the access subject and an object authority of the access object to the zero-trust security control center after the identity authentication is completed, and sends the user token and the object authority to the zero-trust security agent through the zero-trust security control center;
the obtaining module is specifically configured to obtain, from the zero trust control center, a user token of an access subject and an object authority of an access object requested to be accessed by the access subject.
In one embodiment, the zero trust security proxy further comprises:
the encryption module is configured to encrypt the user token and the object permission respectively to obtain an encrypted user token and an encrypted object permission after the acquisition module acquires the user token and the object permission and before the sending module sends the user token and the object permission to the first virtual security agent and the second virtual security agent respectively;
the sending module is specifically configured to send the encrypted user token and the encrypted object permission to the first virtual security agent and the second virtual security agent, respectively;
the connection module is specifically configured to decrypt the encrypted user token and the encrypted object permission in the first virtual security agent and the second virtual security agent, respectively, to obtain the user token and the object permission, and then connect the access subject and the access object based on the user token and the object permission.
According to another aspect of the disclosure, a zero trust access system based on virtual mapping is provided, which includes the zero trust security agent, the zero trust security control center and the identity security management center,
the zero trust security control center is configured to verify the access request and send the access request to an identity security management center after the access request is verified to be legal;
and the identity security management center is configured to perform identity authentication on the access subject based on the access request, and return the user token of the access subject and the object authority of the access object to the zero-trust security control center after the identity authentication is completed.
According to still another aspect of the present disclosure, there is provided a terminal device, including a memory and a processor, where the memory stores a computer program, and when the processor runs the computer program stored in the memory, the processor executes the virtual mapping-based zero-trust access method.
According to yet another aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, causes the processor to perform the virtual mapping-based zero-trust access method.
The technical scheme provided by the disclosure can comprise the following beneficial effects:
The zero trust access method based on virtual mapping provided by the disclosure virtually maps the zero trust security proxy to obtain a first virtual security proxy and a second virtual security proxy; acquires a user token of an access subject and an object authority of an access object requested to be accessed by the access subject; sends the user token and the object authority to the first virtual security agent and the second virtual security agent respectively; and connects the access subject and the access object in the first virtual security agent and the second virtual security agent respectively, based on the user token and the object authority. Because the zero trust security agent is virtually mapped into two virtual security agents, the user token and the object authority are transmitted separately through those virtual security agents, and only then is the connection between the access subject and the access object completed, the method and device at least ensure the security of the zero trust security agent itself.
Additional features and advantages of the disclosure will be set forth in the description which follows, and in part will be obvious from the description, or may be learned by the practice of the disclosure. The objectives and other advantages of the disclosure may be realized and attained by the structure particularly pointed out in the written description and claims hereof as well as the appended drawings.
Drawings
The accompanying drawings are included to provide a further understanding of the disclosed embodiments and are incorporated in and constitute a part of this specification; they illustrate embodiments of the disclosure and, together with the description, serve to explain the principles of the disclosure, not to limit it.
Fig. 1 is a schematic flowchart of a zero trust access method based on virtual mapping according to an embodiment of the present disclosure;
fig. 2 is a schematic flowchart of another zero-trust access method based on virtual mapping according to an embodiment of the present disclosure;
fig. 3 is a schematic flowchart of another virtual mapping-based zero-trust access method according to an embodiment of the present disclosure;
fig. 4 is a schematic structural diagram of a zero-trust security proxy provided in an embodiment of the present disclosure;
fig. 5 is a schematic structural diagram of a zero-trust access system based on virtual mapping according to an embodiment of the present disclosure;
fig. 6 is a schematic structural diagram of a terminal device according to an embodiment of the present disclosure.
Detailed Description
To make the objects, technical solutions and advantages of the embodiments of the present disclosure more apparent, specific embodiments of the present disclosure are described below in detail with reference to the accompanying drawings. It should be understood that the detailed description and specific examples, while indicating the present disclosure, are given by way of illustration and explanation only, not limitation.
It should be noted that the terms "first," "second," and the like in the description and claims of the present disclosure and in the above-described drawings are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order; also, the embodiments and features of the embodiments in the present disclosure may be arbitrarily combined with each other without conflict.
In which the terminology used in the embodiments of the disclosure is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. As used in the disclosed embodiments and the appended claims, the singular forms "a," "an," and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise.
In the following description, suffixes such as "module", "component" or "unit" used to denote elements are used only for convenience of explanation of the present disclosure and have no specific meaning in themselves. Thus, "module", "component" and "unit" may be used interchangeably.
To solve the above problem, refer to fig. 1, which is a schematic flowchart of a zero trust access method based on virtual mapping according to an embodiment of the present disclosure. The method is applied to a zero trust security proxy and includes steps S101 to S104.
In step S101, the zero-trust security agent is virtually mapped to obtain a first virtual security agent and a second virtual security agent.
Virtual mapping is a virtualization technique. In this embodiment the zero-trust security agent is virtually mapped into two virtual security agents, and the interfaces of the two virtual security agents are used to transmit the user token of the access subject and the object authority of the access object respectively, so as to protect the zero-trust security agent itself.
It can be understood that the zero trust security proxy is equivalent to a security gateway, and can isolate the extranet user from the intranet resource in a proxy mode, filter illegal accesses, and establish a trusted channel between the access device and the access resource.
In step S102, a user token of an access subject and an object authority of an access object requested to be accessed by the access subject are acquired.
Specifically, the zero-trust security agent obtains the user Token and the object authority of the access subject by using other interfaces (i.e. interfaces other than the first virtual security agent and the second virtual security agent) which are not subjected to virtual mapping, and the first virtual security agent and the second virtual security agent do not directly interact with external interfaces so as to ensure the security of the virtual security agent.
It can be understood that a token is an object representing the right to perform certain operations; the user token of this embodiment is the system object of the access subject (the party controlling the operation), and the object authority is the right to access the object.
In step S103, the user token and the object authority are respectively sent to the first virtual security agent and the second virtual security agent.
In step S104, the access subject and the access object are connected based on the user token and the object authority in the first virtual security agent and the second virtual security agent, respectively.
In the related art, the zero-trust security proxy directly connects the access subject and the access object once it has received the user token and the object authority, so as to complete the access between subject and object. Because the proxy's own security is not considered in this process, once the security of the zero-trust security proxy is compromised it can still connect the access subject and the access object on the basis of the user token and the object authority; the security of access to the access object can then no longer be ensured, and problems such as data leakage from the access object follow.
Compared with the related art, in this embodiment the user token and the object authority are sent to their respective virtual security agents before the zero trust security proxy connects the access subject and the access object, and each virtual security agent transmits only its own item. Because the two virtual security agents hold the user token and the authority separately, a single point of failure is avoided; the virtual security agents are then interconnected directly with the access object. This protects the zero trust security agent, further ensures the security of access to the access object, and avoids problems such as data leakage from the access object.
Referring to fig. 2, fig. 2 is a schematic flowchart of another virtual mapping-based zero-trust access method provided in an embodiment of the present disclosure. Building on the above embodiment, in this embodiment the user token and the object authority are acquired from the zero-trust control center, so as to further protect the zero-trust security proxy. Specifically, after the zero-trust security proxy is virtually mapped (S101) and before the user token of the access subject and the object authority of the access object requested by the access subject are acquired (S102), the method further includes steps S201 and S202, and step S102 is refined into step S102a.
In step S201, an access request for accessing an object, which is initiated by an access subject, is received.
Specifically, the first virtual security agent receives the access request of the access subject, and the zero trust security agent receives the access request of the access subject from the first virtual security agent, so that direct communication between the zero trust security agent and the access user is avoided, and the security is improved.
In this embodiment, after receiving the access request, the security agent has the access subject and the access right authenticated through the security control center, and proceeds only if that authentication passes. The zero trust security agent is virtually mapped, and the two virtualized security agents transmit the user token and the access-object authority respectively and are interconnected directly with the access object, so that the zero trust security agent is protected.
In step S202, the access request is sent to a zero trust security control center, so that the zero trust security control center verifies the access request, and sends the access request to an identity security management center after the access request is verified to be legitimate, and then the identity security management center performs identity authentication on the access subject based on the access request, and returns a user token of the access subject and an object authority of the access object to the zero trust security control center after the identity authentication is completed, and then the zero trust security control center sends the user token and the object authority to the zero trust security agent.
The zero-trust security control center implements continuous security monitoring, trust evaluation and dynamic updating of access control decisions over the whole access process. It may include a dynamic access control engine and a trust evaluation engine, the security components that implement the dynamic access control and continuous trust evaluation of the zero trust architecture. The dynamic access control engine is the policy decision point: it dynamically judges the authority of the access request on the basis of multiple factors. The trust evaluation engine is linked to the dynamic access control engine and provides it with a trust-level evaluation as the basis for authorization decisions. The two engines together verify the legality of the access request, and once it is verified as legal the access request is sent to the identity security management center for proxied user authentication.
In this embodiment, the identity security management center implements identity authentication, identity management and rights management: it receives the authentication request (i.e. the forwarded access request) from the zero-trust control center and, after background processing, returns the user authentication token and the object rights.
In step S102a, a user token of an access subject and an object right of the access object requested to be accessed by the access subject are obtained from the zero trust control center.
In some embodiments, to further improve the security of the zero-trust security agent, the zero-trust security control center may additionally perform dynamic authentication on the access request and return the dynamic authentication result together with the user token and the object authority to the zero-trust security agent. Only if the dynamic authentication result is true does the zero-trust security agent send the user token and the object authority to the first virtual security agent and the second virtual security agent respectively; when the dynamic authentication of the zero-trust security control center is not passed, the first and second virtual security agents never obtain the user authentication token and the object authority, and the access request is not executed.
Referring to fig. 3, fig. 3 is a virtual mapping-based zero-trust access method provided by an embodiment of the present disclosure. Building on the above embodiment, in this embodiment the user token and the object right are encrypted before being transferred, to further improve the security of the security proxy. Specifically, after the user token of the access subject and the object right of the access object requested by the access subject are obtained (step S102), and before the user token and the object right are sent to the first virtual security proxy and the second virtual security proxy respectively (step S103), step S301 is further included; step S103 is refined into step S103a, and step S104 into step S104a.
In step S301, the user token and the object right are encrypted respectively to obtain an encrypted user token and an encrypted object right;
in step S103a, sending the encrypted user token and the encrypted object right to the first virtual security agent and the second virtual security agent, respectively;
in step S104a, the encrypted user token and the encrypted object permission are decrypted in the first virtual security agent and the second virtual security agent, respectively, to obtain the user token and the object permission, and then the access subject and the access object are connected based on the user token and the object permission.
Based on the same technical concept, the embodiment of the present disclosure correspondingly provides a zero-trust security proxy, as shown in fig. 4, the zero-trust security proxy 40 includes a virtual mapping module 41, an obtaining module 42, a sending module 43, and a connecting module 44, wherein,
the virtual mapping module 41 is configured to perform virtual mapping on the zero-trust security agent, so as to obtain a virtual security agent including a first virtual security agent 411 and a second virtual security agent 412;
the obtaining module 42 is configured to obtain a user token of an access subject and an object authority of an access object requested to be accessed by the access subject;
the sending module 43, which is arranged to send the user token and the object rights to the first virtual security agent and the second virtual security agent, respectively, and,
the connection module 44 is configured to connect the access subject and the access object based on the user token and the object authority in the first virtual security agent and the second virtual security agent, respectively.
In one embodiment, the zero-trust security proxy 40 further comprises:
a receiving module configured to receive an access request for an access object initiated by an access subject, after the virtual mapping module has performed virtual mapping on the zero-trust security proxy and before the obtaining module obtains the user token and the object authority;
the sending module 43 is further configured to send the access request to a zero-trust security control center, so that the zero-trust security control center verifies the access request and, once the access request has been verified to be legitimate, sends it to an identity security management center; the identity security management center then performs identity authentication on the access subject based on the access request and, once authentication is complete, returns the user token of the access subject and the object authority of the access object to the zero-trust security control center, which in turn sends the user token and the object authority to the zero-trust security proxy;
the obtaining module 42 is specifically configured to obtain, from the zero-trust security control center, the user token of the access subject and the object authority of the access object that the access subject requests to access.
In one embodiment, the zero-trust security proxy 40 further comprises:
an encryption module configured to encrypt the user token and the object authority respectively, so as to obtain an encrypted user token and an encrypted object authority, after the obtaining module obtains the user token and the object authority and before the sending module sends them to the first virtual security agent and the second virtual security agent;
the sending module 43 is specifically configured to send the encrypted user token and the encrypted object authority to the first virtual security agent and the second virtual security agent, respectively;
the connection module 44 is specifically configured to decrypt the encrypted user token and the encrypted object authority in the first virtual security agent and the second virtual security agent, respectively, so as to recover the user token and the object authority, and then to connect the access subject and the access object based on the user token and the object authority.
Based on the same technical concept, the embodiments of the present disclosure correspondingly provide a zero-trust access system based on virtual mapping. As shown in fig. 5, the system includes the zero-trust security proxy 40, a zero-trust security control center 50 and an identity security management center 60, and an access proceeds as follows:
a. virtual security agent 1 (i.e. the first virtual security agent 411) of the zero-trust security proxy 40 receives an access request from an access subject 10 (personnel, equipment, applications or systems);
b. virtual security agent 1 passes the access request to the other interfaces of the zero-trust security proxy 40;
c. the other interfaces of the zero-trust security proxy 40 forward the access request to the zero-trust security control center 50 for verification;
d. once the access request has been verified to be legitimate, the zero-trust security control center 50 sends it to the identity security management center 60 for user authentication on behalf of the proxy;
e. after authenticating the user, the identity security management center 60 returns a user token and the object authority to the zero-trust security control center 50;
f. the other interfaces of the zero-trust security proxy 40 receive the user token and the object authority (the result of the dynamic authentication);
g. the other interfaces of the zero-trust security proxy 40 encrypt the user token and the object authority respectively and send them to virtual security agent 1 and virtual security agent 2 (i.e. the second virtual security agent 412); the access subject 10 and the access object 70 (e.g. an application or interface) are then connected in the first virtual security agent 411 and the second virtual security agent 412 based on the user token and the object authority, so that the functional data of the access object's application interface can be obtained.
The zero-trust security control center 50 is configured to verify the access request and to send it to the identity security management center 60 once it has been verified to be legitimate.
Specifically, the zero-trust security control center 50 includes a trust evaluation engine 51 and a dynamic access control engine 52, which together verify the legitimacy of the access request; in some embodiments the access request is authenticated dynamically throughout the whole access process rather than only once at the start.
The identity security management center 60 is configured to perform identity authentication on the access subject based on the access request and, once authentication is complete, to return the user token of the access subject and the object authority of the access object to the zero-trust security control center 50.
Specifically, the identity security management center 60 may include an identity authentication module 61, an identity management module 62 and a rights management module 63; the identity authentication module 61 and the rights management module 63 issue the user token and the object authority according to the user authentication result, and the identity management module 62 may store the identity information of access subjects.
In some embodiments, the system further includes a security intelligent analysis platform 80, which monitors the whole network environment and the access behaviour of access subjects, raises an early warning when an abnormality occurs, and sends the analysis result (the early warning) to the zero-trust security control center, which can then interrupt the identity authentication process or the delivery of the user token and object authority to the zero-trust security proxy. This further improves the access security of the zero-trust security proxy.
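The flow of steps a to g, written out as an added example that is not the patent's own code. It models the two virtual security agents as two interfaces of one proxy, the control center as a trust-score gate plus request validation, and the identity center as the issuer of a signed user token and an object authority. The split is the security-relevant point: the user token goes only to the subject-facing agent and the object authority only to the object-facing agent, each in its own encrypted delivery, so the connection is made only when both the subject's identity and the object's granted rights check out. Everything concrete here is assumed: the HMAC-based token format, the toy encrypt-then-MAC stand-in for a real AEAD, the trust threshold of 60, the user and rights directories, and the request fields; the patent specifies none of them.

```python
"""Added illustration (not the patent's own code) of the zero-trust access flow:
agent 1 (subject side) and agent 2 (object side) are two interfaces of one proxy;
the control center verifies the request; the identity center issues a signed user
token plus the object authority; the proxy delivers each, encrypted, to its agent.
Keys, directories, scores and thresholds are constructed for the demo."""
import hashlib
import hmac
import json
import os
import time

ISSUER_KEY = b"issuer-signing-key-demo"   # constructed: signs user tokens
PROXY_KEY = b"proxy-delivery-key-demo"    # constructed: protects token/authority delivery
TRUST_THRESHOLD = 60                      # assumed minimum trust score for a legitimate request
USERS = {"alice": ["finance"]}                     # constructed identity directory
RIGHTS = {"finance": {"payroll-api": ["read"]}}   # constructed object rights per group


def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream(key, nonce, n):
    return b"".join(_mac(key, nonce + i.to_bytes(4, "big")) for i in range((n + 31) // 32))


def encrypt(key, plaintext):
    """Toy encrypt-then-MAC (HMAC keystream in counter mode plus a tag).
    Stand-in for a real AEAD such as AES-GCM; used to keep the example stdlib-only."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + _mac(key, nonce + ct)


def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _mac(key, nonce + ct)):
        raise ValueError("delivery blob tampered")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


def identity_center(request):
    """Identity security management center: authenticate the subject and issue a
    signed user token plus the object authority for the requested object."""
    groups = USERS.get(request["subject"])
    if groups is None:
        raise PermissionError("unknown subject")
    ops = set()
    for g in groups:
        ops.update(RIGHTS.get(g, {}).get(request["object"], []))
    body = json.dumps({"sub": request["subject"], "exp": int(time.time()) + 300}).encode()
    token = body + b"." + _mac(ISSUER_KEY, body).hex().encode()
    return token, {"object": request["object"], "ops": sorted(ops)}


def control_center(request, early_warning=False):
    """Zero-trust security control center: the trust evaluation engine (score gate)
    and the dynamic access control engine (request validation) verify the request;
    an early warning from the analysis platform interrupts the flow before issuance."""
    if early_warning:
        raise PermissionError("flow interrupted by analysis platform")
    if request.get("trust_score", 0) < TRUST_THRESHOLD:
        raise PermissionError("trust score below threshold")
    if not request.get("object") or not request.get("op"):
        raise PermissionError("malformed access request")
    return identity_center(request)


def agent1_verify_token(token):
    """Subject-side virtual security agent: check token signature and expiry."""
    body, sig = token.rsplit(b".", 1)
    if not hmac.compare_digest(sig, _mac(ISSUER_KEY, body).hex().encode()):
        raise PermissionError("token signature invalid")
    claims = json.loads(body)
    if claims["exp"] < time.time():
        raise PermissionError("token expired")
    return claims["sub"]


def agent2_verify_authority(authority, request):
    """Object-side virtual security agent: connect only within the granted authority."""
    if authority["object"] != request["object"] or request["op"] not in authority["ops"]:
        raise PermissionError("object authority does not cover request")


def zero_trust_proxy(request, early_warning=False):
    """Steps a-g: obtain token and authority via the control center, encrypt each for
    its agent, decrypt and verify inside the agents, then connect or refuse."""
    try:
        token, authority = control_center(request, early_warning)
        enc_token = encrypt(PROXY_KEY, token)                          # for agent 1
        enc_auth = encrypt(PROXY_KEY, json.dumps(authority).encode())  # for agent 2
        subject = agent1_verify_token(decrypt(PROXY_KEY, enc_token))
        agent2_verify_authority(json.loads(decrypt(PROXY_KEY, enc_auth)), request)
    except PermissionError as exc:
        return {"connected": False, "reason": str(exc)}
    return {"connected": True, "subject": subject, "object": request["object"], "op": request["op"]}


GOOD = {"subject": "alice", "object": "payroll-api", "op": "read", "trust_score": 85}  # constructed

if __name__ == "__main__":
    print(zero_trust_proxy(GOOD))                          # connected
    print(zero_trust_proxy(dict(GOOD, op="write")))        # refused by agent 2
    print(zero_trust_proxy(dict(GOOD, trust_score=10)))    # refused by control center
    print(zero_trust_proxy(GOOD, early_warning=True))      # interrupted by analysis platform
```

The four calls at the bottom exercise the legitimate path and three refusal paths: an operation outside the object authority is stopped at the object-side agent without the subject-side token ever being consulted, a low trust score is stopped at the control center before any token is issued, and an early warning from the analysis platform interrupts the flow in the same place. In a real deployment the toy cipher would be replaced by an AEAD with per-agent keys, and the token would carry an audience claim binding it to agent 1.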
Based on the same technical concept, the embodiment of the present disclosure correspondingly provides a terminal device, as shown in fig. 6, where the terminal device includes a memory 101 and a processor 102, the memory 101 stores a computer program, and when the processor 102 runs the computer program stored in the memory 101, the processor 102 executes the virtual mapping-based zero-trust access method.
Based on the same technical concept, embodiments of the present disclosure correspondingly provide a computer-readable storage medium, on which a computer program is stored, and when the computer program is executed by a processor, the processor executes the virtual mapping-based zero-trust access method.
It will be understood by those of ordinary skill in the art that all or some of the steps of the methods, systems and functional modules/units in the devices disclosed above may be implemented as software, firmware, hardware, or suitable combinations thereof. In a hardware implementation, the division between functional modules/units mentioned in the above description does not necessarily correspond to the division of physical components; for example, one physical component may have multiple functions, or one function or step may be performed by several physical components in cooperation. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor or microprocessor, or as hardware, or as an integrated circuit such as an application-specific integrated circuit. Such software may be distributed on computer-readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and non-volatile, removable and non-removable media implemented in any method or technology for the storage of information such as computer-readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer.
In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
Finally, it should be noted that: the above embodiments are only used for illustrating the technical solutions of the present disclosure, and not for limiting the same; while the present disclosure has been described in detail with reference to the foregoing embodiments, those of ordinary skill in the art will understand that: the technical solutions described in the foregoing embodiments may still be modified, or some or all of the technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present disclosure.

Claims (9)

1. A zero trust access method based on virtual mapping is applied to a zero trust security proxy and is characterized by comprising the following steps:
virtually mapping the zero-trust security proxy to obtain a first virtual security proxy and a second virtual security proxy;
acquiring a user token of an access subject and an object authority of an access object requested to be accessed by the access subject;
sending the user token and the object rights to the first virtual security agent and the second virtual security agent, respectively, and,
connecting the access subject and the access object based on the user token and the object authority in the first virtual security agent and the second virtual security agent, respectively.
2. The method of claim 1, after virtually mapping the zero-trust security proxy and before obtaining a user token of an accessing subject and object rights of an accessing object requested to be accessed by the accessing subject, further comprising:
receiving an access request about an access object initiated by an access subject;
sending the access request to a zero trust security control center so that the zero trust security control center verifies the access request, and sends the access request to an identity security management center after the access request is verified to be legal, then the identity security management center authenticates the access subject based on the access request, and returns a user token of the access subject and an object authority of the access object to the zero trust security control center after the identity authentication is completed, and then the zero trust security control center sends the user token and the object authority to the zero trust security agent;
the obtaining of the user token of the access subject and the object authority of the access object requested to be accessed by the access subject includes:
acquiring, from the zero trust security control center, a user token of the access subject and the object authority of the access object requested to be accessed by the access subject.
3. The method of claim 1, after obtaining a user token of an access subject and an object right of an access object requested to be accessed by the access subject, and before sending the user token and the object right to the first virtual security agent and the second virtual security agent, respectively, further comprising:
encrypting the user token and the object authority respectively to obtain an encrypted user token and an encrypted object authority;
the sending the user token and the object right to the first virtual security agent and the second virtual security agent, respectively, includes:
sending the encrypted user token and the encrypted object authority to the first virtual security agent and the second virtual security agent respectively;
the connecting the access subject and the access object based on the user token and the object authority in the first virtual security agent and the second virtual security agent, respectively, includes:
decrypting the encrypted user token and the encrypted object permission in the first virtual security agent and the second virtual security agent respectively to obtain the user token and the object permission, and then connecting the access subject and the access object based on the user token and the object permission.
4. A zero trust security proxy, comprising:
a virtual mapping module configured to perform virtual mapping on the zero-trust security proxy to obtain a first virtual security proxy and a second virtual security proxy;
an acquisition module configured to acquire a user token of an access subject and an object authority of an access object requested to be accessed by the access subject;
a sending module configured to send the user token and the object rights to the first virtual security agent and the second virtual security agent, respectively, and,
a connection module configured to connect the access subject and the access object based on the user token and the object authority in the first virtual security agent and the second virtual security agent, respectively.
5. The zero trust security proxy of claim 4, further comprising:
the receiving module is arranged for receiving an access request about an access object initiated by an access subject after the virtual mapping module performs virtual mapping on the zero-trust security proxy and before the acquisition module acquires the user token and the object authority;
the sending module is further configured to send the access request to a zero-trust security control center, so that the zero-trust security control center verifies the access request, sends the access request to an identity security management center after the access request is verified to be legal, enables the identity security management center to perform identity authentication on the access subject based on the access request, returns a user token of the access subject and an object authority of the access object to the zero-trust security control center after the identity authentication is completed, and sends the user token and the object authority to the zero-trust security agent through the zero-trust security control center;
the obtaining module is specifically configured to obtain, from the zero trust security control center, a user token of the access subject and the object authority of the access object requested to be accessed by the access subject.
6. The zero trust security proxy of claim 4, further comprising:
the encryption module is configured to encrypt the user token and the object permission respectively to obtain an encrypted user token and an encrypted object permission after the acquisition module acquires the user token and the object permission and before the sending module sends the user token and the object permission to the first virtual security agent and the second virtual security agent respectively;
the sending module is specifically configured to send the encrypted user token and the encrypted object permission to the first virtual security agent and the second virtual security agent, respectively;
the connection module is specifically configured to decrypt the encrypted user token and the encrypted object permission in the first virtual security agent and the second virtual security agent, respectively, to obtain the user token and the object permission, and then connect the access subject and the access object based on the user token and the object permission.
7. A zero-trust access system based on virtual mapping, characterized in that it comprises the zero-trust security proxy as claimed in claims 4 and 5, a zero-trust security control center and an identity security management center, wherein:
the zero trust security control center is configured to verify the access request and send the access request to an identity security management center after the access request is verified to be legal;
and the identity security management center is configured to perform identity authentication on the access subject based on the access request, and return the user token of the access subject and the object authority of the access object to the zero-trust security control center after the identity authentication is completed.
8. A terminal device comprising a memory and a processor, the memory having a computer program stored therein, the processor executing the virtual mapping based zero trust access method according to any one of claims 1 to 3 when the processor runs the computer program stored in the memory.
9. A computer-readable storage medium, on which a computer program is stored, which, when executed by a processor, performs the virtual mapping-based zero-trust access method according to any of claims 1 to 3.
CN202110835317.7A 2021-07-23 2021-07-23 Zero trust access method, system, zero trust security proxy, terminal and medium Active CN113596009B (en)

Publications (2)

Publication Number Publication Date
CN113596009A true CN113596009A (en) 2021-11-02
CN113596009B CN113596009B (en) 2023-03-24

Family

ID=78249146

Cited By (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113987560A (en) * 2021-12-29 2022-01-28 北京交研智慧科技有限公司 Zero trust authentication method and device for data and electronic equipment
CN114615328A (en) * 2022-01-26 2022-06-10 北京美亚柏科网络安全科技有限公司 Safety access control system and method
CN114785577A (en) * 2022-04-12 2022-07-22 中国联合网络通信集团有限公司 Zero trust verification method, system and storage medium
CN115001770A (en) * 2022-05-25 2022-09-02 山东极光智能科技有限公司 Zero-trust-based service access control system and control method
CN115333755A (en) * 2022-10-17 2022-11-11 四川中电启明星信息技术有限公司 Multi-attribute identity authentication method based on continuous trust evaluation
CN115378625A (en) * 2022-04-21 2022-11-22 国家计算机网络与信息安全管理中心 Cross-network information security interaction method and system

Citations (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104731635A (en) * 2014-12-17 2015-06-24 华为技术有限公司 Virtual machine access control method and virtual machine access control system
CN108809935A (en) * 2018-04-20 2018-11-13 国网江西省电力有限公司信息通信分公司 A kind of cloud environment or the safety access control method under virtual environment and device
CN111490993A (en) * 2020-04-13 2020-08-04 江苏易安联网络技术有限公司 Application access control security system and method
CN112115484A (en) * 2020-09-27 2020-12-22 中国工商银行股份有限公司 Access control method, device, system and medium for application program
US20210014274A1 (en) * 2019-07-09 2021-01-14 Salesforce.Com, Inc. Group optimization for network communications
CN112261444A (en) * 2020-10-16 2021-01-22 成都华栖云科技有限公司 Media stream encryption method based on high-performance virtual gateway
CN112311788A (en) * 2020-10-28 2021-02-02 北京锐安科技有限公司 Access control method, device, server and medium
US20210112059A1 (en) * 2019-10-09 2021-04-15 Salesforce.Com, Inc. Application programmer interface platform with direct data center access
CN112765639A (en) * 2021-01-27 2021-05-07 武汉大学 Security micro-service architecture based on zero trust access strategy and implementation method
CN112788048A (en) * 2021-01-22 2021-05-11 新华三信息安全技术有限公司 Authentication information synchronization method and device
CN112822308A (en) * 2021-04-19 2021-05-18 德思信息科技(南京)有限公司 Method and system for high-speed safety virtual network proxy
CN112994928A (en) * 2021-02-04 2021-06-18 中国联合网络通信集团有限公司 Virtual machine management method, device and system

Also Published As

Publication number Publication date
CN113596009B (en) 2023-03-24

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant