CN114254301A - PaC-based security policy management method and device - Google Patents


Info

Publication number
CN114254301A
Authority
CN
China
Prior art keywords
plan
strategy
policy
agent
code
Legal status
Pending
Application number
CN202111575937.8A
Other languages
Chinese (zh)
Inventor
于涛
Current Assignee
CCB Finetech Co Ltd
Original Assignee
CCB Finetech Co Ltd

Classifications

    • G06F21/45 Structures or tools for the administration of authentication (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30 Authentication, i.e. establishing the identity or authorisation of security principals)
    • G06F8/30 Creation or generation of source code (G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F8/00 Arrangements for software engineering)

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Software Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Hardware Design (AREA)
  • Stored Programmes (AREA)

Abstract

The disclosure provides a PaC-based security policy management method, which can be applied to the technical field of cloud computing. The method comprises the following steps: determining at least one business rule according to the business requirement information of an application program; generating a policy plan according to the business rule; matching a policy agent according to the business rule and the policy plan; test-evaluating the policy plan with the matched policy agent; and when the policy plan is determined to have been tested successfully, carrying out version management on the application program and the policy plan. The present disclosure also provides a PaC-based security policy management apparatus, an electronic device, a storage medium, and a program product.

Description

PaC-based security policy management method and device
Technical Field
The present disclosure relates to the field of cloud computing technologies, more particularly to security operations and maintenance technologies, and specifically to a method, an apparatus, a device, a medium, and a program product for managing a security policy based on PaC.
Background
With the advent of the information era and the adoption of cloud computing technology in various fields, traditional security operations and maintenance are also entering a new era of automation and coding. Existing firewall, WAF, IDS and similar devices or software all provide a large, complex Graphical User Interface (GUI), which improves ease of use and is friendly to security administrators.
However, different manufacturers and different devices provide different GUIs. In heterogeneous environments in particular, where security devices from multiple manufacturers coexist, the complexity of management and of operations and maintenance grows with the number of devices and the degree of heterogeneity.
In addition, because the security policy and the application program are separated in the traditional approach, a dedicated security device manages the security policy and the application program applies to the security device for access permission to be opened. When the application program is changed and iterated, the security access policy originally created for it is often overlooked and cannot be changed synchronously, which results in false interception. Moreover, the traditional security policy is managed manually, is not easy to version or reproduce, and increases the probability of manual operation failure.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a method, apparatus, device, medium, and program product for managing security policies based on PaC.
According to a first aspect of the present disclosure, there is provided a method for managing security policies based on PaC, comprising: determining at least one business rule according to the business requirement information of the application program;
generating a policy plan according to the business rule;
matching a policy agent according to the business rule and the policy plan;
test-evaluating the policy plan with the matched policy agent; and
when the policy plan is determined to have been tested successfully, carrying out version management on the application program and the policy plan.
According to an embodiment of the present disclosure, the method further comprises:
generating at least one policy agent based on the device type and the API document;
defining a resource range of the policy agent, and forming a resource range definition code, wherein the resource range comprises a bandwidth amount, a user number and a response time; and
writing the resource range definition code into a resource configuration database.
According to an embodiment of the present disclosure, the generating a policy plan according to the business rule includes:
abstracting and aggregating the business rules to form a business rule set; and
generating policy plan code from the business rule set according to the PaC standard.
According to an embodiment of the present disclosure, said matching a policy agent according to said business rule and said policy plan comprises:
acquiring a resource range definition code; and
matching the resource range definition code against the business rule and the policy plan to determine a policy agent.
According to an embodiment of the present disclosure, the version managing the application program and the policy plan includes:
acquiring application program identification information and acquiring at least one policy plan code corresponding to the application program; and
storing the application program identification information and the policy plan code into a code library.
A second aspect of the present disclosure provides an apparatus for managing security policies based on PaC, comprising:
a business rule determining module, used for determining at least one business rule according to the business requirement information of the application program;
a policy plan generating module, used for generating a policy plan according to the business rule;
a matching module, used for matching a policy agent according to the business rule and the policy plan;
a test evaluation module, used for test-evaluating the policy plan with the matched policy agent; and
a version management module, used for managing the versions of the application program and the policy plan after the policy plan is determined to have been tested successfully.
According to an embodiment of the present disclosure, the apparatus further comprises a policy agent generation module, used for generating at least one policy agent according to a device type and an API document; and
a resource range defining module, used for defining the resource range of the policy agent and forming a resource range definition code, wherein the resource range comprises the bandwidth amount, the user number and the response time.
A third aspect of the present disclosure provides an electronic device, comprising: one or more processors; a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the above-described method for managing security policies based on PaC.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described method of managing security policies based on PaC.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the above-described method of managing security policies based on PaC.
According to the method for managing security policies based on PaC provided by the embodiment of the disclosure, a plurality of policy agents are obtained by adaptive development against the APIs or automation scripts of traditional security devices; business requirements are abstracted into business rules, and the plurality of business rules form a policy plan; the policy plan code is tested, which improves the success rate of code execution, and the policy plan code that has been tested successfully is placed under version management. By managing security policies as code, the system can manage them uniformly, improve the efficiency of security operations and maintenance and business continuity, and reduce the failure rate and misoperation.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
Fig. 1 schematically illustrates a flow diagram of a method of managing security policies based on PaC in accordance with an embodiment of the present disclosure;
Fig. 2 schematically illustrates a flow diagram of a policy agent generation method according to an embodiment of the present disclosure;
Fig. 3 schematically illustrates a flow diagram of another method for managing security policies based on PaC in accordance with an embodiment of the present disclosure;
Fig. 4 schematically illustrates a block diagram of an apparatus for managing security policies based on PaC in accordance with an embodiment of the present disclosure; and
Fig. 5 schematically illustrates a block diagram of an electronic device adapted to implement a method of managing security policies based on PaC in accordance with an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
The terms appearing in the embodiments of the present disclosure are explained first:
WAF (Web Application Firewall): a web application firewall is a product that protects web applications by executing a series of security policies aimed at HTTP/HTTPS. Based on a deep understanding of the web application's business and logic, the WAF inspects and verifies the content of requests from web application clients, ensures that requests are secure and legitimate, and blocks illegal requests in real time, thereby effectively protecting websites.
IaC (Infrastructure as Code): infrastructure is code; infrastructure components are created, configured, and deployed by writing code. These infrastructure components include various types of cloud resources, such as networks, computing, databases, security control and management tools, and the like.
DevOps: the combination of personnel, processes, and products that provides continuous delivery of value to the end user.
PaC (Policy as Code): policy is code; policies are written as code and managed in the same way as code.
Based on the above technical problem, an embodiment of the present disclosure provides a method for managing a security policy based on PaC, where the method includes: determining at least one business rule according to the business requirement information of the application program; generating a policy plan according to the business rule; matching a policy agent according to the business rule and the policy plan; test-evaluating the policy plan with the matched policy agent; and when the policy plan is determined to have been tested successfully, carrying out version management on the application program and the policy plan.
According to the method for managing security policies based on PaC provided by the embodiment of the disclosure, a plurality of policy agents are obtained by adaptive development against the APIs or automation scripts of traditional security devices; business requirements are abstracted into business rules, and the plurality of business rules form a policy plan; the policy plan code is tested, which improves the success rate of code execution, and the policy plan code that has been tested successfully is placed under version management. By managing security policies as code, the system can manage them uniformly, improve the efficiency of security operations and maintenance and business continuity, and reduce the failure rate and misoperation.
An application scenario of the method for managing security policies based on PaC provided by this embodiment may be a security operations and maintenance scenario. A developer acquires the business requirement of an application program, for example: application A needs to enable the http and https services, that is, ports 80 and 443; IPs with source address a must be prohibited from accessing port 80 of the application at 21:20:15-22:20:15 each day; and the security device is a firewall of a certain manufacturer's brand B. This business requirement is abstracted into a number of business rules, namely: open ports 80 and 443 to application A; during 21:00-22:00, IPs with source address a are prohibited from accessing port 80 of the application. The plurality of business rules is aggregated into policy plan code, the policy plan code is distributed to the corresponding developed policy agent, the policy plan code is implemented in the production environment after it has executed successfully, and the application program and the policy plan are incorporated into version management.
A method of managing a security policy based on PaC of the disclosed embodiment will be described in detail below with reference to fig. 1 to 3.
Fig. 1 schematically illustrates a flow diagram of a method of managing security policies based on PaC in accordance with an embodiment of the present disclosure.
As shown in fig. 1, the method for managing security policies based on PaC of this embodiment includes operations S210 to S250, and the method may be performed by a server or other computing device.
In operation S210, at least one business rule is determined according to the business requirement information of the application program.
In one example, business requirement information of an application program is first obtained. The business requirement information of the embodiment of the present disclosure generally refers to the security requirements of business personnel, and generally the business requirement information of an application program can be abstracted into a plurality of business rules. In combination with the application scenario described above, for example: an application needs to open the http and https services, i.e. ports 80 and 443; IPs with source address a must be prohibited from accessing port 80 of the application during a certain period of time (21:00-22:00); and the security device is a firewall of a certain manufacturer's brand B. The business rules are determined according to this business requirement information: open ports 80 and 443 for application A; IPs with source address a are prohibited from accessing port 80 of the application every day during the specified time period.
In operation S220, a policy plan is generated according to the business rule.
In one example, a policy plan is generated according to the business rules obtained in operation S210. The policy plan is usually declarative code and is expressed in JSON format.
For example, it may be:
```yaml
with_items:
  - http
  - deny 21:00:00-22:00:00
  - https
```
In operation S230, a policy agent is matched according to the business rules and the policy plan.
In an actual environment, a developer develops a plurality of policy agents according to information such as device types and manufacturer APIs, and each policy agent corresponds to the physical device of a different manufacturer. The security device of the application program is determined from the business rules to be a firewall of a certain manufacturer's brand B, and the policy agent matching the policy plan is then determined.
In operation S240, the policy plan is test-evaluated with the matched policy agent.
In one example, this operation requires the policy plan obtained in operation S230 to be allocated to the matched policy agent for test evaluation. Each policy agent defines a resource range in advance, where the resource range characterizes the capabilities of the policy agent, such as capacity (bandwidth amount, user amount), speed (response time), MAC address, and the like. The resources of the policy agent are evaluated by comparing the attributes of the resources with the business rules; the resources may also be attributes such as firewall rules, the conditions supported by the firewall product, the quintuple, time, statistical proportion, and the like. The policy plan is then executed and its execution result is confirmed, which improves the success rate of executing the policy plan.
In operation S250, when it is determined that the policy plan test is successful, version management is performed on the application program and the policy plan.
In one example, after it is determined that the policy plan test is successful, where the criterion for a successful test is the policy plan on the security device, that is, the current policy plan can be executed normally and takes effect, the application program and the policy plan are brought into git together for version management. Different application programs correspond to one or more policy plans (policy codes), and the policy codes and the application program are in a many-to-one relationship. When it is determined that the policy plan test fails, that is, the current policy plan cannot be executed normally and take effect, operations S210 to S240 need to be re-executed: the policy plan and the policy agent are modified, and the test is performed again.
According to the method for managing security policies based on PaC provided by the embodiment of the disclosure, business requirements are abstracted into business rules, and the multiple business rules form the policy plan; the policy plan code that has been tested successfully is placed under version management. By managing policies as code, security policies can be managed uniformly, so that the efficiency of security operations and maintenance and business continuity are improved, and the failure rate and misoperation are reduced.
Next, a generation process of the policy agent will be described with reference to fig. 2, and fig. 2 schematically shows a flowchart of a policy agent generation method according to an embodiment of the present disclosure.
As shown in fig. 2, operations S310 to S330 are included.
At least one policy agent is generated according to the device type and the API document in operation S310.
In one example, since existing security device manufacturers each provide their own graphical user interface (GUI), the devices differ and the GUIs differ; in a large infrastructure environment, the security devices of multiple manufacturers form a heterogeneous environment, which results in numerous and chaotic security policies, excessive management cost, and insufficient flexibility. Therefore, in this operation, a policy agent for each heterogeneous device is first developed by adaptation according to the type of the device, the API provided by the manufacturer, or an automation tool script (e.g., playbooks for different devices). In an actual environment, a plurality of policy agents can be developed, and each policy agent corresponds to the physical device of a different manufacturer.
In operation S320, a resource range of the policy agent is defined, forming a resource range definition code. In operation S330, the resource range definition code is written to the resource configuration database.
In operation S320, after the policy agents in the heterogeneous environment are obtained, in order to enable the policy plan to operate normally, the resource range of each policy agent needs to be defined according to the capability of the policy agent, where the resource range includes parameters such as bandwidth amount, user number, and response time, and a resource range definition code is formed. In operation S330, the resource range definition code obtained in the above step is written into a resource configuration database for storage.
Fig. 3 schematically illustrates a flow chart of another method for managing security policies based on PaC in accordance with an embodiment of the present disclosure. As shown in fig. 3, operations S410 to S470 are mainly included.
In operation S410, at least one business rule is determined according to the business requirement information of the application program.
The operation is the same as the technical solution and principle of operation S210 shown in fig. 1, and is not described herein again.
In operation S420, a policy plan is generated according to the business rule.
The steps from the business rules to the policy plan are as follows: first, the business rules are abstracted and aggregated to form a business rule set; then, in order to achieve generality, the policy plan code of the embodiment of the disclosure adopts JSON format and conforms to the mainstream PaC standard in the industry, and the policy plan code is generated from the business rule set according to the PaC standard.
After the policy plan is generated, the policy agent corresponding to the policy plan needs to be matched for execution, specifically including operation S430 and operation S440.
In operation S430, a resource range definition code is acquired. In operation S440, the resource range definition code is matched against the business rules and the policy plan to determine the policy agent.
In one example, operations S430 and S440 are the process of matching a policy plan with a policy agent: the resource range definition code is obtained from the resource configuration database, and the policy agent that can execute the policy plan is determined according to the device type required in the business rule.
In operation S450, the policy plan is test-evaluated with the matched policy agent.
The technical solution and principle of this operation are the same as those of operation S240 shown in Fig. 1, and are not described here again.
In operation S460, when it is determined that the policy plan test is successful, version management is performed on the application program and the policy plan.
In one example, after it is determined that the policy plan test is successful (for example, whether the firewall device in the above example supports the time dimension: 21:00-22:00, IPs with source address a are prohibited from accessing port 80), the test is performed in the formal environment, and after the test succeeds the result is managed in the git code library. Version management includes management of the application programs and the policy codes; different application programs correspond to one or more policy codes, and the policy codes and the application programs are in a many-to-one relationship. The application program identification information is acquired, at least one policy plan code corresponding to the application program is acquired, and the application program identification information and the policy plan code are saved into the code base. By using code to manage traditional physical devices uniformly, the inefficiency and uncertainty of manual management are replaced, security operations and maintenance no longer depend on personal ability and experience, and the manageability of traditional devices is improved by combining them with the current cloud computing PaC standard.
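The flow of Figs. 1 and 3 (business rules, JSON policy plan, agent matching against resource range definition codes, test evaluation, and version management) carried through in code, as an added Python example that is not part of the patent; the agent registry, the resource-range fields and the vendor and application identifiers are assumed for illustration.

```python
# Constructed model of the PaC flow of Figs. 1 and 3 (S210-S250 / S410-S460).
# Not the patent's code: agent registry, resource-range fields, vendor and
# app identifiers are assumed for illustration.
import json
from dataclasses import dataclass

# S310/S320: a policy agent wraps one vendor device; its resource range records
# capacity (bandwidth, users), speed (response time) and the rule conditions
# the device supports (quintuple, time window, ...).
@dataclass(frozen=True)
class PolicyAgent:
    name: str
    device_type: str
    vendor: str
    bandwidth_mbps: int
    max_users: int
    response_ms: int
    conditions: frozenset

# S330: resource configuration database (constructed entries).
RESOURCE_CONFIG_DB = (
    PolicyAgent("fw-vendorB-agent", "firewall", "B", 10000, 50000, 5,
                frozenset({"quintuple", "time"})),
    PolicyAgent("fw-vendorC-agent", "firewall", "C", 1000, 5000, 20,
                frozenset({"quintuple"})),
    PolicyAgent("waf-vendorB-agent", "waf", "B", 2000, 10000, 10,
                frozenset({"http", "quintuple"})),
)

# Constructed requirement for "application A" from the page's scenario: open
# 80/443, deny one source on port 80 in a time window, vendor-B firewall.
# 192.0.2.10 is a documentation address standing in for "source address a".
REQUIREMENT_A = {
    "app_id": "app-A",
    "device": {"type": "firewall", "vendor": "B"},
    "expected_users": 20000,
    "open_ports": [80, 443],
    "deny": [{"src": "192.0.2.10", "dst_port": 80,
              "window": "21:00:00-22:00:00"}],
}

def business_rules(requirement: dict) -> list:
    """S210: abstract the requirement into declarative rules, each listing the
    device conditions it needs so the test evaluation can check them."""
    rules = []
    for port in requirement["open_ports"]:
        rules.append({"action": "allow", "dst_port": port,
                      "conditions": ["quintuple"]})
    for d in requirement.get("deny", []):
        rule = {"action": "deny", "src": d["src"], "dst_port": d["dst_port"],
                "conditions": ["quintuple"]}
        if "window" in d:
            rule["window"] = d["window"]
            rule["conditions"].append("time")
        rules.append(rule)
    return rules

def policy_plan(requirement: dict, rules: list) -> str:
    """S220: aggregate the rule set into declarative JSON policy plan code."""
    plan = {"app": requirement["app_id"], "device": requirement["device"],
            "expected_users": requirement["expected_users"], "with_items": rules}
    return json.dumps(plan, sort_keys=True)

def match_agent(plan_code: str, db=RESOURCE_CONFIG_DB):
    """S230 / S430-S440: the agent whose device type and vendor match the plan."""
    dev = json.loads(plan_code)["device"]
    for agent in db:
        if agent.device_type == dev["type"] and agent.vendor == dev["vendor"]:
            return agent
    return None

def evaluate(plan_code: str, agent: PolicyAgent) -> list:
    """S240: compare the plan's capacity need and each rule's conditions with
    the agent's resource range. Empty result means the test succeeded."""
    plan = json.loads(plan_code)
    gaps = []
    if plan["expected_users"] > agent.max_users:
        gaps.append(("capacity", "users", plan["expected_users"]))
    for item in plan["with_items"]:
        for cond in item["conditions"]:
            if cond not in agent.conditions:
                gaps.append((item["action"], item["dst_port"], cond))
    return gaps

def manage_policy(requirement: dict, code_library: dict) -> dict:
    """Run S210-S250. code_library maps app id -> list of policy plan codes
    (many policy codes to one application), standing in for the git library."""
    code = policy_plan(requirement, business_rules(requirement))
    agent = match_agent(code)
    if agent is None:
        return {"status": "no_agent", "plan": code}
    gaps = evaluate(code, agent)
    if gaps:  # test failed: S210-S240 are redone with a revised plan or agent
        return {"status": "test_failed", "agent": agent.name, "gaps": gaps}
    versions = code_library.setdefault(requirement["app_id"], [])
    versions.append(code)  # S250: app id + policy plan code into the library
    return {"status": "versioned", "agent": agent.name, "version": len(versions)}
```

Re-running the same requirement against a vendor-C agent that lacks the time condition and has too little user capacity reports both gaps and leaves the code library untouched, which is the failure path that sends the plan back to S210.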
Fig. 4 schematically shows a block diagram of an apparatus for managing security policies based on PaC according to an embodiment of the present disclosure.
As shown in Fig. 4, the apparatus 500 for managing security policies based on PaC of this embodiment includes a business rule determination module 510, a policy plan generation module 520, a matching module 530, a test evaluation module 540, and a version management module 550.
The business rule determining module 510 is configured to determine at least one business rule according to the business requirement information of the application program. In an embodiment, the business rule determining module 510 may be configured to perform the operation S210 described above, which is not described herein again.
The policy plan generating module 520 is used for generating a policy plan according to the business rules. In an embodiment, the policy plan generating module 520 may be configured to perform the operation S220 described above, which is not described herein again.
The matching module 530 is used to match the policy agent according to the business rules and the policy plan. In an embodiment, the matching module 530 may be configured to perform the operation S230 described above, which is not described herein again.
The test evaluation module 540 is used to test-evaluate the policy plan with the matched policy agent. In an embodiment, the test evaluation module 540 may be configured to perform the operation S240 described above, which is not described herein again.
The version management module 550 is configured to perform version management on the application and the policy plan after determining that the policy plan test is successful. In an embodiment, the version management module 550 may be configured to perform the operation S250 described above, which is not described herein again.
According to the embodiment of the present disclosure, the apparatus further includes:
a policy agent generating module 560 for generating at least one policy agent according to the device type and the API document. In an embodiment, the policy agent generating module 560 may be configured to perform the operation S310 described above, which is not described herein again.
The resource range defining module 570 defines the resource range of the policy agent and forms a resource range definition code, where the resource range includes the bandwidth amount, the number of users, and the response time. In an embodiment, the resource range defining module 570 may be configured to perform the operation S320 described above, which is not described herein again.
According to the embodiment of the present disclosure, any of the business rule determining module 510, the policy plan generating module 520, the matching module 530, the test evaluating module 540, the version managing module 550, the policy agent generating module 560 and the resource scope defining module 570 may be combined into one module to be implemented, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to an embodiment of the present disclosure, at least one of the business rule determining module 510, the policy plan generating module 520, the matching module 530, the test evaluating module 540, the version managing module 550, the policy agent generating module 560, and the resource scope defining module 570 may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable manner of integrating or packaging a circuit, or in any one of three implementations of software, hardware, and firmware, or in any suitable combination of any of them. Alternatively, at least one of the business rule determination module 510, the policy plan generation module 520, the matching module 530, the test evaluation module 540, the version management module 550, the policy agent generation module 560, and the resource scope definition module 570 may be implemented at least in part as a computer program module that, when executed, may perform corresponding functions.
Fig. 5 schematically illustrates a block diagram of an electronic device adapted to implement a method of managing security policies based on PaC in accordance with an embodiment of the present disclosure.
As shown in fig. 5, an electronic apparatus 900 according to an embodiment of the present disclosure includes a processor 901 which can perform various appropriate actions and processes in accordance with a program stored in a Read Only Memory (ROM)902 or a program loaded from a storage portion 908 into a Random Access Memory (RAM) 903. Processor 901 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), among others. The processor 901 may also include on-board memory for caching purposes. The processor 901 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 903, various programs and data necessary for the operation of the electronic apparatus 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other through a bus 904. The processor 901 performs various operations of the method flows according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the program may also be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flows according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the electronic device 900 may also include an input/output (I/O) interface 905, which is likewise connected to the bus 904. The electronic device 900 may also include one or more of the following components connected to the I/O interface 905: an input portion 906 including a keyboard, a mouse, and the like; an output section 907 including components such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker; a storage portion 908 including a hard disk and the like; and a communication section 909 including a network interface card such as a LAN card, a modem, or the like. The communication section 909 performs communication processing via a network such as the internet. A drive 910 is also connected to the I/O interface 905 as necessary. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 910 as necessary, so that a computer program read out from it can be installed into the storage section 908 as needed.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement the method according to an embodiment of the disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 902 and/or the RAM 903 described above and/or one or more memories other than the ROM 902 and the RAM 903.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code is used for causing the computer system to realize the method for managing the security policy based on PaC provided by the embodiment of the disclosure.
The computer program performs the above-described functions defined in the system/apparatus of the embodiments of the present disclosure when executed by the processor 901. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed in the form of a signal on a network medium, and downloaded and installed through the communication section 909 and/or installed from the removable medium 911. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to: wireless, wired, etc., or any suitable combination of the foregoing.
In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 909, and/or installed from the removable medium 911. The computer program, when executed by the processor 901, performs the above-described functions defined in the system of the embodiment of the present disclosure. The systems, devices, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In accordance with embodiments of the present disclosure, program code for executing computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming language includes, but is not limited to, languages such as Java, C++, Python, the C language, or the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (10)

1. A method for managing security policies based on PaC, the method comprising:
determining at least one business rule according to the business requirement information of the application program;
generating a policy plan according to the business rule;
matching a policy agent according to the business rule and the policy plan;
testing and evaluating the policy plan according to the matched policy agent; and
when the policy plan is determined to have passed the test, performing version management on the application program and the policy plan.
2. The method of claim 1, further comprising:
generating at least one policy agent based on the device type and the API document;
defining a resource range of the policy agent, and forming a resource range definition code, wherein the resource range comprises a bandwidth amount, a user number and response time; and
writing the resource range definition code into a resource configuration database.
3. The method of claim 2, wherein generating a policy plan according to the business rules comprises:
abstracting and aggregating the business rules to form a business rule set; and
generating policy plan code from the business rule set according to the PaC standard.
4. The method of claim 2, wherein matching a policy agent according to the business rules and the policy plan comprises:
acquiring a resource range definition code; and
matching the resource range definition code against the business rules and the policy plan to determine a policy agent.
5. The method of claim 3, wherein performing version management on the application program and the policy plan comprises:
acquiring application program identification information and acquiring at least one policy plan code corresponding to the application program; and
storing the application program identification information and the policy plan code in a code library.
6. An apparatus for managing security policies based on PaC, comprising:
the business rule determining module is used for determining at least one business rule according to the business requirement information of the application program;
a policy plan generating module for generating a policy plan according to the business rule;
a matching module for matching a policy agent according to the business rule and the policy plan;
a test evaluation module for testing and evaluating the policy plan according to the matched policy agent; and
a version management module for performing version management on the application program and the policy plan after the policy plan is determined to have passed the test.
7. The apparatus of claim 6, further comprising:
a policy agent generation module for generating at least one policy agent according to the device type and the API document; and
a resource range definition module for defining the resource range of the policy agent and forming a resource range definition code, wherein the resource range comprises a bandwidth amount, a user number and a response time.
8. An electronic device, comprising:
one or more processors;
a storage device for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of any of claims 1-5.
9. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, cause the processor to perform the method of any one of claims 1 to 5.
10. A computer program product comprising a computer program which, when executed by a processor, implements a method according to any one of claims 1 to 5.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111575937.8A CN114254301A (en) 2021-12-21 2021-12-21 PaC-based security policy management method and device

Publications (1)

Publication Number Publication Date
CN114254301A true CN114254301A (en) 2022-03-29

Family

ID=80793948

Country Status (1)

Country Link
CN (1) CN114254301A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116069387A (en) * 2023-03-03 2023-05-05 北京特纳飞电子技术有限公司 Storage device adaptation method, adaptation device, storage device and readable storage medium
CN116069387B (en) * 2023-03-03 2023-08-29 北京特纳飞电子技术有限公司 Storage device adaptation method, adaptation device, storage device and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination