CN114448700A - Data access method, data access system, computer device and storage medium - Google Patents

Publication number: CN114448700A
Authority: CN (China)
Application number: CN202210105441.2A
Other languages: Chinese (zh)
Inventor: 李晓军
Current assignee: Hangzhou Yigeyun Technology Co ltd
Original assignee: Hangzhou Yigeyun Technology Co ltd
Legal status: Pending
Prior art keywords: user, access, service node, intranet, access service
Application filed by Hangzhou Yigeyun Technology Co ltd; priority to CN202210105441.2A; publication of CN114448700A.

Classifications

    • H04L63/0218 Distributed architectures, e.g. distributed firewalls (under H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls; H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones)
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords (under H04L63/08 Authentication of entities)
    • H04L63/105 Multiple levels of security (under H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources)
    • H04L67/10 Protocols in which an application is distributed across nodes in the network (under H04L67/00 Network arrangements or protocols for supporting network services or applications; H04L67/01 Protocols)

Abstract

The present application relates to a data access method, a data access system, a computer device, a storage medium and a computer program product. The method comprises the following steps: the user access service node receives a user access request and, if the user access request is determined to pass the first authentication, forwards it; and if the intranet application access service client determines that the user access request passes the third authentication, the intranet application access service client forwards the user access request to the intranet application through the intranet, so that the user end accesses the intranet application. With this method, the functions of the gateway are dispersed across the computing nodes of the public cloud, the nodes are strongly associated through a secure tunnel, security authentication is performed multiple times, the verification and authentication state of the user's access to the application is maintained constantly, and the data access system is more reliable.

Description

Data access method, data access system, computer device and storage medium
Technical Field
The present application relates to the field of communications technologies, and in particular, to a data access method, a data access system, a computer device, and a storage medium.
Background
A conventional VPN (Virtual Private Network) provides a secure data transmission tunnel between enterprises, or between individuals and an enterprise. For access protection of resources, the traditional approach is to divide the network into security areas, form a network boundary between them, and deploy boundary security devices at that boundary. Boundary security devices include a firewall, an IPS (Intrusion Prevention System), an anti-virus gateway ("virus wall"), a WAF (Web Application Firewall, an application-level intrusion prevention system) and the like; they protect against attacks from outside the boundary and together constitute the enterprise network security system. This conventional approach may be referred to as the boundary security concept.
With the development of cloud computing, and with the trend of business migration to the cloud and mobile office, enterprise data is no longer confined to the intranet, and network security is no longer confined to boundary security. The center of gravity of security has gradually shifted to data security; the data security of the enterprise intranet deserves full attention, and the traditional boundary-based network security architecture and solutions are difficult to adapt to modern enterprise network infrastructure.
In the related art, a zero trust mechanism protects intranet data by deploying a gateway on the intranet, breaking the default binding between trust and network location. In both the conventional VPN architecture and the current zero trust architecture, all access deployment and resource control are concentrated on the gateway, so the requirements on the gateway are high and the reliability of data access is poor.
Disclosure of Invention
In view of the above, it is desirable to provide a data access system, a data access method, a computer device, and a storage medium that can secure and stably access intranet data for a user.
In a first aspect, the present application provides a data access method. The method is applied to a data access system, the data access system comprises at least one intranet application access service client and a plurality of edge computing nodes deployed on public cloud, the edge computing nodes are connected through a secure tunnel, and the edge computing nodes comprise at least one user access service node and at least one intranet application access service node; the method comprises the following steps:
the user access service node receives a user access request, and if the user access request is determined to pass first authentication according to a first authentication strategy configured in advance, the user access request is forwarded to the intranet application access service node;
the intranet application access service node receives the user access request, and if the user access request is determined to pass through second authentication according to a second authentication strategy configured in advance, the intranet application access service node forwards the user access request to the intranet application access service client;
and the intranet application access service client receives the user access request, and if the user access request is determined to pass the third authentication according to a preset third authentication strategy, the user access request is forwarded to the intranet application through an intranet, so that the user side accesses the intranet application.
In one embodiment, the user access request comprises first user information and a target access address;
if the user access request is determined to pass the first authentication according to the pre-configured first authentication policy, forwarding the user access request to the intranet application access service node, including:
and if the user access service node determines that the first access authority corresponding to the first user information contains a target access address according to a preset corresponding relationship between the user and the access authority, determining that the user access request passes the first authentication, and forwarding the user access request to the intranet application access service node.
In one embodiment, the first user information comprises first identity characteristic information and first communication characteristic information;
if the first access authority corresponding to the first user information contains the target access address according to the preset corresponding relation between the user and the access authority, determining that the user access request passes the first authentication, including:
and if the first communication characteristic information is in a preset target area and, according to the preset corresponding relationship between the user and the access authority, the first access authority corresponding to the first identity characteristic information comprises the target access address, determining that the user access request passes the first authentication.
In one embodiment, the data access system further comprises: the system comprises a control server, an intranet application end and at least one user end; the method further comprises the following steps:
the user access service node receives a user registration request sent by the user side, and forwards the user registration request to the control server, wherein the user registration request comprises user information of a plurality of users in a preset range, and the user information comprises identity characteristic information and communication characteristic information;
the intranet application access service node receives an application registration request sent by the intranet application terminal, and forwards the application registration request to the management and control server, wherein the application registration request comprises address information of an internal application, and the address information comprises a communication address and a communication port;
the management and control server, upon receiving the user registration request and the application registration request, allocates an access authority to each user contained in the user registration request according to a preset authority setting policy, the identity characteristic information and the communication characteristic information, generates the corresponding relationship between the users and the access authorities, and sends that corresponding relationship to the user access service node, the intranet application access service node and the intranet application access service client, wherein each access authority comprises the address information of at least one intranet application, and the access authority enables the user side to access that intranet application.
In one embodiment, allocating an access authority to each user included in the user registration request according to a preset authority setting policy, the identity characteristic information and the communication characteristic information, and generating the corresponding relationship between the user and the access authority, includes:
for each user in the user registration request, the management and control server calculates the corresponding trust feature degree of the user according to the identity feature information and the communication feature information through a preset trust feature algorithm; and distributing the access authority corresponding to the trust feature degree for the user according to the trust feature degree corresponding to the user and a preset authority setting strategy to generate the corresponding relation between the user and the access authority.
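The allocation step above, as an added example that is not code from the patent or its assignee: a management and control server builds the user-to-access-authority correspondence from registration data and distributes it to the nodes. The trust feature algorithm (weighted evidence giving a degree in [0, 1]), the authority setting policy (a per-application trust threshold), the registered application addresses and the user records are all constructed assumptions, since the patent does not specify them.

```python
"""Added example, not code from the patent or its assignee: a management and
control server building the user -> access-authority correspondence from
registration data. The trust feature algorithm, the authority setting policy
and all names and addresses are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class AppAddress:
    """Address information from an application registration request."""
    host: str
    port: int


@dataclass(frozen=True)
class RegisteredUser:
    """One entry of a user registration request."""
    user_id: str
    name: str            # identity characteristic information
    organization: str    # identity characteristic information
    phone: str           # communication characteristic information
    terminal_id: str     # communication characteristic information
    terminal_org: str    # organization the terminal is registered with (constructed)
    location: str        # coarse location tag reported by the terminal (constructed)


# Constructed application registration: internal apps behind the client.
REGISTERED_APPS = {
    "wiki": AppAddress("10.0.1.20", 8080),
    "erp": AppAddress("10.0.1.10", 443),
    "hr": AppAddress("10.0.1.30", 443),
}

# Constructed authority setting policy: minimum trust feature degree per app.
AUTHORITY_POLICY = {"wiki": 0.3, "erp": 0.6, "hr": 0.9}


def trust_feature_degree(user: RegisteredUser, enterprise_org: str,
                         trusted_locations: set[str]) -> float:
    """Constructed trust feature algorithm: each matching feature adds weight."""
    score = 0.0
    if user.organization == enterprise_org:
        score += 0.4   # identity organization matches the enterprise
    if user.terminal_org == enterprise_org:
        score += 0.3   # terminal registered to the enterprise, not a personal device
    if user.location in trusted_locations:
        score += 0.2   # registered from a trusted location
    if user.phone and user.terminal_id:
        score += 0.1   # communication features are complete
    return round(score, 2)


def assign_authority(trust: float) -> frozenset[AppAddress]:
    """Map a trust degree to the set of intranet applications the user may reach."""
    return frozenset(REGISTERED_APPS[app] for app, threshold in AUTHORITY_POLICY.items()
                     if trust >= threshold)


def build_correspondence(users, enterprise_org, trusted_locations) -> dict[str, frozenset[AppAddress]]:
    """The user -> access authority table; a user who earns nothing gets an empty set (deny by default)."""
    return {u.user_id: assign_authority(trust_feature_degree(u, enterprise_org, trusted_locations))
            for u in users}


def distribute(correspondence, nodes: dict[str, dict]) -> dict[str, dict]:
    """Send the same table to every node: user access service nodes, intranet application access service node and client."""
    for node in nodes.values():
        node["correspondence"] = dict(correspondence)
    return nodes


# Constructed registration data.
USERS = [
    RegisteredUser("alice", "Alice", "acme", "+8613800000001", "imei-1", "acme", "hq"),
    RegisteredUser("bob", "Bob", "acme", "+8613800000002", "imei-2", "byod", "home"),
    RegisteredUser("eve", "Eve", "contractor", "", "", "byod", "home"),
]

if __name__ == "__main__":
    table = build_correspondence(USERS, "acme", {"hq", "branch"})
    for uid, apps in table.items():
        print(uid, sorted(f"{a.host}:{a.port}" for a in apps))
```

The point of the table being an explicit allow-list is that every node later consults the same data, so a user the control server never scored (or scored too low) resolves to an empty authority set rather than to a default grant.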
In one embodiment, the method further comprises:
and under the condition that the user access service node receiving the user access request fails, the management and control server sends the user access request received by the failed user access service node to other user access service nodes through the public cloud.
In a second aspect, the application also provides a data access system. The data access system comprises at least one intranet application access service client and a plurality of edge computing nodes deployed on public cloud, wherein the edge computing nodes are connected through a safety tunnel, and each edge computing node comprises at least one user access service node and at least one intranet application access service node; wherein:
the user access service node is used for receiving a user access request, and forwarding the user access request to the intranet application access service node if the user access request passes a first authentication according to a first authentication strategy configured in advance;
the intranet application access service node is used for receiving the user access request, and forwarding the user access request to the intranet application access service client if the user access request passes a second authentication according to a second authentication strategy configured in advance;
the intranet application access service client is used for receiving the user access request, and if the user access request is determined to pass the third authentication according to a preset third authentication strategy, the user access request is forwarded to the intranet application through an intranet, so that the user side accesses the intranet application.
In a third aspect, the present application also provides a computer device. The computer device comprises a memory storing a computer program and a processor implementing the steps of the above-described method embodiments when executing the computer program.
In a fourth aspect, the present application further provides a computer-readable storage medium. The computer-readable storage medium has stored thereon a computer program which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In a fifth aspect, the present application further provides a computer program product. The computer program product comprises a computer program which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
The invention provides a data access method, a data access system, a computer device and a storage medium. The data access system is deployed on a public cloud and comprises at least one user access service node, at least one intranet application access service node and at least one intranet application access service client, wherein the user access service node and the intranet application access service node are edge computing nodes of the public cloud. The method comprises the following steps: the user access service node receives a user access request and, if the user access request is determined to pass the first authentication, forwards it to the intranet application access service node; the intranet application access service node receives the user access request and determines, according to the pre-configured corresponding relationship between the user and the access authority, whether it passes the second authentication, and if so forwards it to the intranet application access service client; and the intranet application access service client receives the user access request and, if it passes the third authentication, forwards it to the intranet application through the intranet, so that the user side accesses the intranet application. The data access method provided by the embodiments of the invention can be applied to a data access system deployed in a public cloud: the functions of the gateway are dispersed across the computing nodes of the public cloud, the nodes are strongly associated through secure forwarding tunnels, security authentication is performed multiple times, the verification and authentication state of the user's access to the application is maintained constantly, and the data access system is safer and more reliable.
Drawings
FIG. 1 is a schematic diagram of a data access system in one embodiment;
FIG. 2 is a schematic flow chart diagram illustrating a method for data access in one embodiment;
FIG. 3 is a schematic diagram of the structure of a data access system in another embodiment;
FIG. 4 is a flow diagram illustrating the data forwarding steps in one embodiment;
FIG. 5 is a diagram illustrating an internal structure of a computer device according to an embodiment.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
The data access method provided in the embodiment of the present application may be applied to a data access system in the application environment shown in fig. 1. The data access system includes at least one intranet application access service client 500, a management and control server 400, and a plurality of edge computing nodes deployed on a public cloud, the edge computing nodes being connected by secure tunnels; the edge computing nodes include at least one user access service node 200 and at least one intranet application access service node 300, and the intranet application access service client 500 is deployed on the intranet. The public cloud may be any public cloud resource, such as Ali cloud or Tencent cloud. The user terminal 100 accesses an application (intranet application) on the intranet 600 through the data access system. The user terminal 100 may be, but is not limited to, a personal computer, notebook computer, smart phone, tablet computer, internet of things device or portable wearable device; the internet of things device may be a smart speaker, smart television, smart air conditioner, smart in-car device, and the like, and the portable wearable device may be a smart watch, smart bracelet, head-mounted device, and the like. The intranet application access service client 500 may be a server.
In this embodiment, a data access method is provided, as shown in fig. 2, including the following steps:
Step 102: the user access service node receives the user access request, and if the user access request is determined to pass the first authentication according to a first authentication policy configured in advance, the user access request is forwarded to the intranet application access service node.
The user access service node 200 is an edge computing node on a public cloud, and the data access system may include a plurality of user access service nodes 200, where the user access service nodes 200 are connected to the user terminal 100 through a first secure tunnel. The pre-configured first authentication policy may be a security authentication mode determined according to an actual application scenario, and specifically may be a mode of performing authentication according to information carried in the user access request.
Specifically, in response to the login operation of the user, the user terminal 100 obtains user name information and user password information input by the user, and when the user terminal 100 determines that the user passes the authentication according to the user name information and the user password information, the user terminal 100 displays a prompt message for successful login, where the prompt message is used to prompt the user to successfully log in the user terminal 100. In this way, in response to a data access operation of a user on the user terminal 100, the user terminal 100 may obtain a data access request corresponding to the data access operation, and the user terminal 100 may send the data access request to the user access service node 200 on the public cloud through the first secure tunnel. The data access request may be a request for a user to access an application in the intranet through the user terminal 100.
Step 104: the intranet application access service node receives the user access request, and if the user access request is determined to pass the second authentication according to a second authentication policy configured in advance, forwards the user access request to the intranet application access service client.
The second authentication policy configured in advance may be a secure authentication manner determined according to an actual application scenario, and specifically may be a manner of performing authentication according to information carried in the user access request. The preconfigured first authentication policy and the preconfigured second authentication policy may be the same policy or different policies, and may be specifically determined according to a security degree of an environment in which the edge computing node on the public cloud is located when the data access request is received.
Specifically, the user access service node 200 forwards the user access request passing the first authentication to the intranet application access service node 300 through the second secure tunnel. The specific forwarding process may be: the user access service node 200 determines, according to the target application to be accessed by the user access request, the intranet application access service node 300 and the intranet application access service client corresponding to the target application, and forwards the user access request passing the first authentication to the intranet application access service node 300 corresponding to the target application. After receiving the user access request, the intranet application access service node 300 authenticates it according to the second authentication policy configured in advance; the specific authentication process may be authentication according to information carried in the user access request. If the intranet application access service node 300 determines that the user access request passes the second authentication, it forwards the user access request to the intranet application access service client 500 through a third secure tunnel.
Step 106: the intranet application access service client receives the user access request, and if the user access request is determined to pass the third authentication according to a preset third authentication policy, forwards the user access request to the intranet application, so that the user accesses the intranet application.
The preconfigured third authentication policy may be a security authentication manner determined according to an actual application scenario, and specifically may be an authentication manner performed according to information carried in the user access request. The preconfigured first authentication policy, the preconfigured second authentication policy, and the preconfigured third authentication policy may be the same policy or different policies, and may be specifically determined according to a security degree of an environment in which the intranet application access service client 500 is located when the data access request is received.
Specifically, the intranet application access client may be a client deployed on an intranet, and communicates with the intranet application access service node 300 on the public cloud and an application on the intranet.
In the data access method, a user access service node receives a user access request and, if the user access request is determined to pass the first authentication, forwards it to an intranet application access service node; the intranet application access service node determines, according to the preset corresponding relationship between the user and the access authority, whether the user access request passes the second authentication, and if so forwards it to the intranet application access service client; and the intranet application access service client, if the user access request passes the third authentication, forwards it to the intranet application through the intranet, so that the user end accesses the intranet application. The data access method provided by this embodiment can be applied to a data access system deployed in a public cloud: the functions of the gateway are dispersed across the computing nodes of the public cloud, the nodes are strongly associated through secure forwarding tunnels, security authentication is performed multiple times, the verification and authentication state of the user's access to the application is maintained constantly, and the data access system is safer and more reliable.
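The three-hop chain of steps 102 to 106, together with the re-sending of a request to another user access service node when the first one fails (described in the disclosure above), as an added example that is not code from the patent: each hop holds its own copy of the user-to-access-authority table and applies its own authentication policy, so a request reaches the intranet application only if every hop passes it. Node names, the two policies, the trusted-location set and the address table are constructed assumptions.

```python
"""Added example, not code from the patent: the three-hop forwarding chain
(user access service node -> intranet application access service node ->
intranet application access service client), each hop authenticating again
against its own policy, plus failover to another user access service node.
Node names, policies and the address table are constructed assumptions."""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass(frozen=True)
class AccessRequest:
    user_id: str
    location: str        # communication characteristic carried in the request
    target: str          # target access address, "host:port"


TRUSTED_LOCATIONS = frozenset({"hq", "branch"})

# Constructed user -> access authority table, as distributed by the control server.
CORRESPONDENCE = {
    "alice": frozenset({"10.0.1.10:443", "10.0.1.20:8080"}),
    "bob": frozenset({"10.0.1.20:8080"}),
}


class Node:
    """An edge computing node or the intranet client; each keeps its own audit log."""

    def __init__(self, name: str, correspondence: dict, policy: Callable[..., bool]):
        self.name = name
        self.correspondence = correspondence
        self.policy = policy
        self.healthy = True
        self.audit: list[tuple[str, str, bool]] = []

    def authenticate(self, req: AccessRequest) -> bool:
        ok = self.policy(self, req)
        self.audit.append((req.user_id, req.target, ok))
        return ok


def address_policy(node: Node, req: AccessRequest) -> bool:
    """Pass only if the target address is in the user's access authority; unknown users get an empty set."""
    return req.target in node.correspondence.get(req.user_id, frozenset())


def address_and_location_policy(node: Node, req: AccessRequest) -> bool:
    """Stricter policy for the hop inside the intranet: address check plus location check."""
    return address_policy(node, req) and req.location in TRUSTED_LOCATIONS


class DataAccessSystem:
    def __init__(self, user_nodes: dict[str, Node], app_node: Node, client: Node):
        self.user_nodes = user_nodes
        self.app_node = app_node
        self.client = client

    def entry_node(self, preferred: str) -> Node | None:
        """Control-server behaviour: if the chosen user access service node has failed, use another one."""
        node = self.user_nodes[preferred]
        if node.healthy:
            return node
        return next((n for n in self.user_nodes.values() if n.healthy), None)

    def handle(self, req: AccessRequest, preferred_entry: str) -> tuple[str, str]:
        entry = self.entry_node(preferred_entry)
        if entry is None:
            return "denied", "no user access service node available"
        # Three segmented secure tunnels: every hop authenticates the request again.
        for hop in (entry, self.app_node, self.client):
            if not hop.authenticate(req):
                return "denied", hop.name
        return "forwarded", f"{entry.name}->{self.app_node.name}->{self.client.name}->{req.target}"


def build_system() -> DataAccessSystem:
    user_nodes = {name: Node(name, CORRESPONDENCE, address_policy) for name in ("uas-1", "uas-2")}
    app_node = Node("iaas-node", CORRESPONDENCE, address_policy)
    client = Node("iaas-client", CORRESPONDENCE, address_and_location_policy)
    return DataAccessSystem(user_nodes, app_node, client)


if __name__ == "__main__":
    system = build_system()
    print(system.handle(AccessRequest("alice", "hq", "10.0.1.10:443"), "uas-1"))
    print(system.handle(AccessRequest("alice", "cafe", "10.0.1.10:443"), "uas-1"))
```

Because the client applies a stricter policy than the public-cloud nodes, a request can pass the first two hops and still be refused at the third; each hop's audit log records its own decision, which is what lets an operator see where in the chain a request was stopped.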
In one embodiment, the user access request includes first user information and a target access address.
Accordingly, step 102: "if the user access request is determined to pass the first authentication according to the pre-configured first authentication policy, forwarding the user access request to the intranet application access service node", including:
and if the user access service node determines that the first access authority corresponding to the first user information contains a target access address according to a preset corresponding relation between the user and the access authority, and determines that the user access request passes the first authentication, the user access request is forwarded to the intranet application access service node.
The first user information comprises first identity characteristic information and first communication characteristic information, and the first identity characteristic information can comprise name information, gender information and organization information of the user; the first communication characteristic information may include mobile terminal information, mobile terminal identification information, and the like of the user, and the mobile terminal identification information may be mobile phone number information, and the like.
Specifically, the user access service node 200 receives a user access request sent by the user terminal 100 through the first secure tunnel. In this way, the user access service node 200 may parse the user access request to obtain the first identity characteristic information and the first communication characteristic information. The user access service node 200 obtains a first access right (a first access address set) corresponding to the first user information according to a pre-configured corresponding relationship between the user and the access right. Thus, the user access service node 200 determines whether the target access address is included in the first set of access addresses. If the target access address is included in the first set of access addresses, the user access service node 200 may determine that the user access request passes the first authentication. Under the condition that the user access request is determined to pass the first authentication, the user access service node 200 forwards the user access request to the intranet application access service node.
In one example, if the target access address is not included in the first set of access addresses, the user access service node 200 may determine that the user access request fails the first authentication. In this way, the user access service node 200 may generate the access barring prompt message, and return the access barring prompt message to the user terminal 100 through the first secure tunnel.
In one embodiment, the first user information includes first identity characteristic information and first communication characteristic information.
Correspondingly, the step "if the user access service node determines that the first access right corresponding to the first user information includes a target access address according to the pre-configured corresponding relationship between the user and the access right, and determines that the user access request passes the first authentication, then forwards the user access request to the intranet application access service node" includes:
and if the first communication characteristic information is in a preset target area and the first access authority corresponding to the first identity characteristic information comprises a target access address according to a preset corresponding relation between the user and the access authority, and the user access service node determines that the user access request passes the first authentication, forwarding the user access request to the intranet application access service node.
The first identity characteristic information may include name information, gender information, and organization information to which the user belongs; the first communication characteristic information may include mobile terminal information of the user, mobile terminal identification information, and location information of the mobile terminal.
Specifically, after receiving a user access request sent by the user terminal 100, the user access service node 200 parses the user access request to obtain the first identity characteristic information, the first communication characteristic information and the target access address corresponding to the user. The user access service node 200 may then determine whether the organization information in the first identity characteristic information is consistent with the organization information of the intranet corresponding to the intranet application at the target access address; if so, it may determine whether the organization information associated with the mobile terminal identification information is consistent with the organization information of that intranet; if so, it may determine whether the location information of the mobile terminal is in the preset target area; and if so, it may determine, according to the pre-configured correspondence between the user and the access authority, whether the first access authority includes the target access address. If the user access service node 200 determines that the first access authority corresponding to the first identity characteristic information includes the target access address, it determines that the user access request passes the first authentication and may forward the user access request to the intranet application access service node.
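The first-authentication decision just described, as an added example that is not code from the patent: the user access service node parses the request, runs the checks in the stated order (organization of the identity, organization of the terminal identifier, location inside the preset target area, then the address-set check) and returns the access barring message on any failure. Field names, the bounding-box model of the target area, the (name, organization) key of the correspondence table and all sample values are constructed assumptions.

```python
"""Added example, not code from the patent: the first-authentication decision
at the user access service node, with every non-pass branch a denial.
Field names, the target-area model and the sample values are constructed."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityFeatures:          # first identity characteristic information
    name: str
    gender: str
    organization: str


@dataclass(frozen=True)
class CommunicationFeatures:     # first communication characteristic information
    terminal_model: str
    terminal_id: str             # mobile terminal identification, e.g. phone number
    terminal_org: str            # organization the terminal identifier is registered to (constructed)
    lat: float                   # location information of the mobile terminal
    lon: float


@dataclass(frozen=True)
class UserAccessRequest:
    identity: IdentityFeatures
    comm: CommunicationFeatures
    target_address: str          # "host:port" of the intranet application


@dataclass(frozen=True)
class TargetArea:
    """Preset target area, modelled here as a latitude/longitude bounding box."""
    lat_min: float
    lat_max: float
    lon_min: float
    lon_max: float

    def contains(self, lat: float, lon: float) -> bool:
        return self.lat_min <= lat <= self.lat_max and self.lon_min <= lon <= self.lon_max


REQUIRED_FIELDS = {"name", "gender", "organization", "terminal_model", "terminal_id",
                   "terminal_org", "lat", "lon", "target_address"}


def parse_request(payload: dict) -> UserAccessRequest:
    """Parse the request received over the first secure tunnel; reject malformed payloads early."""
    missing = REQUIRED_FIELDS - payload.keys()
    if missing:
        raise ValueError(f"malformed user access request, missing {sorted(missing)}")
    identity = IdentityFeatures(payload["name"], payload["gender"], payload["organization"])
    comm = CommunicationFeatures(payload["terminal_model"], payload["terminal_id"],
                                 payload["terminal_org"], float(payload["lat"]), float(payload["lon"]))
    return UserAccessRequest(identity, comm, payload["target_address"])


def first_authentication(req: UserAccessRequest, app_org_by_address: dict,
                         correspondence: dict, area: TargetArea) -> tuple[bool, str]:
    """Return (passed, reason), checking in the order the description gives."""
    app_org = app_org_by_address.get(req.target_address)
    if app_org is None:
        return False, "unknown target address"
    if req.identity.organization != app_org:
        return False, "identity organization mismatch"
    if req.comm.terminal_org != app_org:
        return False, "terminal organization mismatch"
    if not area.contains(req.comm.lat, req.comm.lon):
        return False, "location outside target area"
    authority = correspondence.get((req.identity.name, req.identity.organization), frozenset())
    if req.target_address not in authority:
        return False, "target address not in first access authority"
    return True, "first authentication passed"


def access_barring_message(reason: str) -> dict:
    """Prompt returned to the user terminal through the first secure tunnel on failure."""
    return {"status": "access barred", "reason": reason}


# Constructed node state and a constructed request payload.
APP_ORG_BY_ADDRESS = {"10.0.1.10:443": "acme", "10.0.1.20:8080": "acme"}
CORRESPONDENCE = {("Alice", "acme"): frozenset({"10.0.1.10:443"})}
AREA = TargetArea(30.0, 30.5, 120.0, 120.5)
SAMPLE_PAYLOAD = {"name": "Alice", "gender": "F", "organization": "acme",
                  "terminal_model": "phone", "terminal_id": "+8613800000001",
                  "terminal_org": "acme", "lat": 30.25, "lon": 120.15,
                  "target_address": "10.0.1.10:443"}


def decide(payload: dict) -> tuple[bool, str]:
    """Parse, authenticate, and hand back the decision the node would act on."""
    return first_authentication(parse_request(payload), APP_ORG_BY_ADDRESS, CORRESPONDENCE, AREA)


if __name__ == "__main__":
    passed, reason = decide(SAMPLE_PAYLOAD)
    print(reason if passed else access_barring_message(reason))
```

The reason string is for the node's own log; what goes back to the terminal is the barring message, and whether it should carry the precise reason is a deployment choice, since a detailed reason tells the requester which check to satisfy next.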
In an example, the second authentication process of the second authentication policy and the third authentication process of the third authentication policy are similar to the first authentication process of the first authentication policy, and are not described herein again.
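The first authentication check described above, written out as an added example (not code from the patent). The request field layout, the representation of the preset target area as a latitude/longitude box, and the constructed lookup tables are assumptions.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass(frozen=True)
class UserAccessRequest:
    """Parsed user access request (field layout is an assumption)."""
    # first identity characteristic information
    name: str
    gender: str
    organization: str
    # first communication characteristic information
    terminal_info: str              # mobile terminal information, e.g. device model
    terminal_id: str                # mobile terminal identification information
    location: Tuple[float, float]   # (latitude, longitude) of the mobile terminal
    # target access address of the intranet application, "ip:port"
    target_address: str


# Constructed tables held by the user access service node (assumed layout).
# Intranet application address -> organization whose intranet hosts it.
APP_ORGANIZATION = {"100.1.1.2:6000": "A"}
# Mobile terminal identification -> organization the terminal is registered to.
TERMINAL_ORGANIZATION = {"term-0001": "A", "term-0002": "B"}
# Preset target area per organization as (lat_min, lat_max, lon_min, lon_max).
TARGET_AREA = {"A": (30.0, 30.5, 119.9, 120.4)}
# Correspondence between user and access right issued by the management and
# control server, keyed here by user name for brevity.
USER_ACCESS_RIGHTS = {"B": {"100.1.1.2:6000"}}


def in_target_area(location, area) -> bool:
    lat, lon = location
    lat_min, lat_max, lon_min, lon_max = area
    return lat_min <= lat <= lat_max and lon_min <= lon <= lon_max


def first_authentication(req: UserAccessRequest) -> Tuple[bool, str]:
    """Apply the first authentication policy; returns (passed, reason).

    The checks are the steps the text describes, in the same order, so a
    request is rejected at the first failing step.
    """
    # 1. organization in the identity information must match the organization
    #    of the intranet that hosts the target address
    target_org = APP_ORGANIZATION.get(req.target_address)
    if target_org is None:
        return False, "target address is not a registered intranet application"
    if req.organization != target_org:
        return False, "user organization does not match the intranet organization"
    # 2. organization the mobile terminal is registered to must match as well
    if TERMINAL_ORGANIZATION.get(req.terminal_id) != target_org:
        return False, "terminal organization does not match the intranet organization"
    # 3. the terminal must be located inside the preset target area
    area = TARGET_AREA.get(target_org)
    if area is None or not in_target_area(req.location, area):
        return False, "terminal location is outside the preset target area"
    # 4. the first access right of the user must include the target address
    if req.target_address not in USER_ACCESS_RIGHTS.get(req.name, set()):
        return False, "target address is not in the user's first access right"
    return True, "first authentication passed; forward to intranet application access service node"


def example_request(**overrides) -> UserAccessRequest:
    """Constructed request of employee B of organization A; overrides vary one field."""
    fields = dict(name="B", gender="F", organization="A", terminal_info="phone-model-x",
                  terminal_id="term-0001", location=(30.27, 120.15),
                  target_address="100.1.1.2:6000")
    fields.update(overrides)
    return UserAccessRequest(**fields)


if __name__ == "__main__":
    for label, req in [("ok", example_request()),
                       ("wrong terminal", example_request(terminal_id="term-0002")),
                       ("far away", example_request(location=(39.9, 116.4)))]:
        print(label, first_authentication(req))
```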
The data access method provided in this embodiment disperses the function items of the gateway node at the control plane instead of relying on a single gateway node, strongly associates the dispersed nodes with one another through segmented secure forwarding tunnels, and performs security authentication based on both traffic and user at each node, thereby ensuring that, after passing authentication, the user constantly remains in the verified and authenticated state for the accessed application.
In one embodiment, as shown in fig. 1, the data access system further comprises the management and control server 400, the intranet application end 600 and at least one user end 100; the intranet application end 600 includes a plurality of intranet applications. The management and control server 400 is deployed on the public cloud. Accordingly, as shown in fig. 3, the data access method further includes:
Step 202, the user access service node receives a user registration request sent by the user side, and forwards the user registration request to the management and control server.
The user registration request comprises user information of a plurality of users within a preset range, and the user information comprises identity characteristic information and communication characteristic information. The preset range may be the range of a target organization (business). The plurality of users within the preset range may be, for example, the employees of the target organization. The identity characteristic information may comprise name information, gender information and organization information to which the user belongs; the communication characteristic information may comprise mobile terminal information, mobile terminal identification information, and the like.
Specifically, the target organization may include a plurality of levels (departments), each level may include a plurality of sub-levels, each sub-level may further include a plurality of grandchild levels, and each level may include a plurality of users. For example, the target organization may include a first hierarchy including a first sub-hierarchy and a second sub-hierarchy, and a second hierarchy may include a third sub-hierarchy and a fourth sub-hierarchy. Multiple users may be included within each sub-hierarchy.
In this way, the user terminal 100 can obtain the hierarchical structure information in the target organization and the user information of each user included in each hierarchy, generate a user registration request according to the hierarchical structure information in the target organization and the user information of each user included in each hierarchy,
Step 204, the intranet application access service node receives an application registration request sent by the intranet application end, and forwards the application registration request to the management and control server.
The application registration request includes address information of the intranet application, where the address information includes a communication address and a communication port; for example, the communication address is the IP address of the intranet application, such as 100.1.1.2, and the communication port is the port number of the intranet application, such as 6000.
Specifically, the intranet application end may include a plurality of applications. The intranet application end generates an application registration request according to the IP address information and port number information of these applications and forwards it directly to the intranet application access service client, which forwards it to the corresponding intranet application access service node 300. The intranet application access service node 300 then forwards the application registration request to the management and control server.
In an example, the intranet application terminal may respond to a selection operation of the intranet application, acquire a target intranet application, acquire IP address information and port number information of the target intranet application, and generate an application registration request corresponding to the target intranet application.
Step 206, when the user registration request and the application registration request have both been received, the management and control server, according to a preset authority setting policy, allocates an access right to each user included in the user registration request based on the identity characteristic information and the communication characteristic information, generates the correspondence between users and access rights, and issues that correspondence to the user access service node, the intranet application access service node and the intranet application access service client.
The access right includes address information of at least one intranet application and enables the user terminal 100 to access that intranet application. The preset authority setting policy is an authorized access policy; in practice it may be the correspondence between the security level of a user and the intranet applications, entered by an administrator on the management and control server. The security level of a user may be calculated from the user's user information or set directly by an administrator; how the security level of a specific user is determined depends on the actual application scenario.
Specifically, the management and control server may calculate a target security level for the user and, according to the preset correspondence between the security level of the user and the intranet application, determine the target communication address information of the intranet application corresponding to that target security level. The management and control server may then allocate to the user the access right of the corresponding intranet application, so that the user may access the intranet application at the target communication address information, which may be, for example, IP address information or MAC address information.
In this way, the management and control server may issue the correspondence between the user and the access right to the multiple user access service nodes 200, the multiple intranet application access service nodes 300, and the intranet application access service client 500 corresponding to the intranet application access service nodes 300 on the public cloud.
In this embodiment, the data access method enables a user and an intranet application to simultaneously initiate a registration request to a management and control server, and a data access system is accessed in a bidirectional manner, that is, a specific user access client is deployed on the user intranet, so that the user intranet (intranet application) can directly realize reverse access with a node of the data access system, a data forwarding security tunnel can be constructed, a port number of the intranet application is prevented from being exposed in a public network, and an attack of the public network on the intranet application based on the port number is prevented.
In one embodiment, the data access method further includes:
When the user access service node 200 that received the user access request fails, the management and control server sends the user access request received by the failed user access service node 200 to other user access service nodes 200 through the public cloud.
Specifically, the management and control server may monitor each edge computing node on the public cloud by using a preset heartbeat mechanism, and determine whether the edge computing node operates normally. When the management and control server detects that the user access service node 200 that received the user access request has failed, it may take over the failed user access service node and forward the user access request received by that node to another normally operating user access service node. The specific forwarding process may be either of the following: the management and control server determines the normally running user access service node geographically closest to the failed user access service node and forwards the user access request to it; or the management and control server determines, within a certain range of the geographical position of the failed user access service node, the normally running user access service node with the most edge computing resources and forwards the user access request to it. After another normally operating user access service node receives the user access request forwarded by the management and control server, the processing of steps 102 to 106 above continues for that user access request.
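The heartbeat-based takeover just described, as an added example (not code from the patent). The node record, the heartbeat timeout, the resource measure and the search range are assumptions; the two selection rules (nearest node, or most edge resources within a range) are the ones the text gives.

```python
import math
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class EdgeNode:
    """Edge computing node record kept by the management and control server (assumed)."""
    node_id: str
    location: Tuple[float, float]   # (latitude, longitude)
    edge_resources: int             # free edge computing resources, assumed unit
    last_heartbeat: float           # time the last heartbeat was received
    fault: bool = False             # fault information reported by the node
    pending_requests: List[str] = field(default_factory=list)  # user access requests


HEARTBEAT_TIMEOUT = 15.0   # seconds without a heartbeat before a node counts as unreachable (assumed)


def haversine_km(p, q) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(math.radians, p)
    lat2, lon2 = map(math.radians, q)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))


def is_running(node: EdgeNode, now: float) -> bool:
    """Reachability (heartbeat age) and fault information together decide normal operation."""
    return not node.fault and (now - node.last_heartbeat) <= HEARTBEAT_TIMEOUT


def select_takeover_node(failed: EdgeNode, nodes: List[EdgeNode], now: float,
                         strategy: str = "nearest",
                         search_radius_km: float = 500.0) -> Optional[EdgeNode]:
    candidates = [n for n in nodes if n.node_id != failed.node_id and is_running(n, now)]
    if strategy == "nearest":
        # rule 1: the normally running node geographically closest to the failed node
        return min(candidates, key=lambda n: haversine_km(failed.location, n.location),
                   default=None)
    if strategy == "most_resources":
        # rule 2: within a range of the failed node, the node with the most edge resources
        in_range = [n for n in candidates
                    if haversine_km(failed.location, n.location) <= search_radius_km]
        return max(in_range, key=lambda n: n.edge_resources, default=None)
    raise ValueError(f"unknown strategy {strategy!r}")


def fail_over(failed: EdgeNode, nodes: List[EdgeNode], now: float,
              strategy: str = "nearest"):
    """Move the failed node's pending user access requests to the selected node.

    Returns (taking-over node id, moved requests), or (None, []) when no
    normally running node is available.
    """
    target = select_takeover_node(failed, nodes, now, strategy)
    if target is None:
        return None, []
    moved = list(failed.pending_requests)
    failed.pending_requests.clear()
    target.pending_requests.extend(moved)   # steps 102 to 106 continue on the new node
    return target.node_id, moved


def sample_nodes(now: float) -> List[EdgeNode]:
    """Constructed public-cloud edge nodes; hz and sz have lost their heartbeats."""
    return [
        EdgeNode("hz", (30.27, 120.15), 6, now - 60.0, pending_requests=["req-1", "req-2"]),
        EdgeNode("sz", (30.26, 120.12), 8, now - 40.0),   # closest to hz, but unreachable
        EdgeNode("sh", (31.23, 121.47), 4, now - 2.0),
        EdgeNode("nj", (32.06, 118.80), 9, now - 3.0),
        EdgeNode("bj", (39.90, 116.40), 20, now - 1.0),   # most resources, but out of range
    ]


if __name__ == "__main__":
    now = 1000.0
    nodes = sample_nodes(now)
    print(fail_over(nodes[0], nodes, now, "nearest"))
```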
Optionally, the management and control server monitors each edge computing node on the public cloud by using a preset heartbeat mechanism, and determines whether the edge computing node can normally operate by determining reachability information and fault information of each edge computing node.
The data access method provided in this embodiment can withstand distributed network attacks by means of its distributed nodes: when nodes on the forwarding path are attacked and brought down, users on other access nodes can still continue to access data. The layering of the forwarding plane also makes the forwarding path safer and more reliable; when a communication fault occurs in one segment, only that part of the path needs to be switched rather than the whole path.
In one embodiment, the data access method further includes:
aiming at each user in the user registration request, the management and control server calculates the corresponding trust feature degree of the user through a preset trust feature algorithm according to the identity feature information and the communication feature information; and distributing access authority corresponding to the trust feature degrees for the users according to the trust feature degrees corresponding to the users and a preset authority setting strategy to generate the corresponding relation between the users and the access authority.
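Allocation of access rights from a trust feature degree, as an added example (not code from the patent). The patent does not specify the preset trust feature algorithm, so the feature weights, the level thresholds and the manager-entered security-level table below are assumptions; the constructed registration data stands in for the user and application registration requests.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set


@dataclass(frozen=True)
class RegisteredUser:
    """User information carried in the user registration request (assumed layout)."""
    name: str
    gender: str
    organization: str      # identity characteristic information
    terminal_info: str     # communication characteristic information: device kind
    terminal_id: str       # mobile terminal identification information


# Application registration requests received: address -> owning organization (constructed).
REGISTERED_APPS = {"100.1.1.2:6000": "A", "100.1.1.3:8080": "A"}
# Terminals registered to an organization (constructed).
KNOWN_TERMINALS = {"term-0001": "A", "term-0003": "A"}
MANAGED_TERMINAL_KINDS = {"corporate-phone", "corporate-laptop"}
# Manager-entered correspondence between security level and intranet applications.
LEVEL_TO_APPS = {0: set(), 1: {"100.1.1.3:8080"}, 2: {"100.1.1.2:6000", "100.1.1.3:8080"}}


def trust_feature_degree(user: RegisteredUser) -> float:
    """Assumed trust feature algorithm: weighted sum of satisfied features, in [0, 1]."""
    score = 0.0
    if user.organization in REGISTERED_APPS.values():
        score += 0.4   # the organization has registered intranet applications
    if KNOWN_TERMINALS.get(user.terminal_id) == user.organization:
        score += 0.4   # the terminal is registered to the user's own organization
    if user.terminal_info in MANAGED_TERMINAL_KINDS:
        score += 0.2   # the terminal is a managed device
    return round(score, 2)


def security_level(degree: float) -> int:
    """Preset authority setting policy: thresholds from trust degree to level (assumed)."""
    if degree >= 0.8:
        return 2
    if degree >= 0.4:
        return 1
    return 0


def allocate_access_rights(users: Iterable[RegisteredUser]) -> Dict[str, Set[str]]:
    """Correspondence between users and access rights.

    The level table is intersected with the applications of the user's own
    organization (an assumption) so a user never receives another intranet's addresses.
    """
    correspondence = {}
    for user in users:
        level = security_level(trust_feature_degree(user))
        own_org_apps = {addr for addr, org in REGISTERED_APPS.items() if org == user.organization}
        correspondence[user.name] = LEVEL_TO_APPS[level] & own_org_apps
    return correspondence


def issue(correspondence: Dict[str, Set[str]]) -> Dict[str, Dict[str, Set[str]]]:
    """Issue an independent copy of the correspondence to each of the three node kinds."""
    return {node: {u: set(r) for u, r in correspondence.items()}
            for node in ("user_access_service_node",
                         "intranet_application_access_service_node",
                         "intranet_application_access_service_client")}


SAMPLE_USERS = [   # constructed user registration request of organization A
    RegisteredUser("B", "F", "A", "corporate-phone", "term-0001"),
    RegisteredUser("C", "M", "A", "corporate-laptop", "term-0009"),   # unregistered terminal
    RegisteredUser("D", "M", "Z", "personal-phone", "term-0002"),     # unknown organization
]

if __name__ == "__main__":
    print(issue(allocate_access_rights(SAMPLE_USERS)))
```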
As shown in fig. 4, the following describes in detail the data access method and the application process of the data access system with reference to a specific example, where the data access system includes a user side (PC, mobile phone), a user access service node, an intranet application access service node, a management and control server, and an intranet application access service client. The management and control server is connected to the user access service node, the intranet application access service node and the intranet application access service client and may communicate with them, as shown in fig. 4. The intranet also includes an intranet user application and a user intranet gateway.
Step 1, a manager imports user information of a plurality of users of an intranet through a management and control server, and the management and control server takes over a user access service node (user side access service node), an intranet application access service node, an intranet application access client and an intranet application end of a data access system.
Step 2, deploying the service nodes on each edge computing node on the public cloud computing network, wherein the service nodes comprise a user access service node and an intranet application access service node; and deploying an intranet application access service client in the user intranet.
Step 3, the user access service node provides the access service function for the user side. The implementation of the access service function may include the following. The user access service node performs security authentication on the user side (the user's mobile terminal device), which may be done with a user name and password. The management and control server calculates the trust characteristics of users and establishes the authorized access policy for intranet applications, namely the correspondence between users and access rights. A bidirectional secure forwarding tunnel 1 is created between the user side and the user access service node, a bidirectional secure forwarding tunnel 2 is created between the user access service node and the intranet application access service node, and tunnel 1 and tunnel 2 are bound bidirectionally. The user access service node receives from tunnel 1 the user traffic that has passed security authentication; when the intranet application needs to be accessed, the user traffic (user access request) sent by the user side can be forwarded directly to tunnel 2 through the binding relationship between tunnel 1 and tunnel 2.
Step 4, the intranet application access service node and the intranet application access service client are deployed as corresponding functions. Their main functions are: a. the intranet application access service client performs security access authentication with the intranet application access service; b. the port number of the intranet application is shielded: a public cloud access node can only see the intranet application access service, not the intranet application access service client registered to it, so the intranet user's application is well protected; c. a bidirectional secure forwarding tunnel 3 is established between the intranet application access service and the intranet application access service client; d. the bidirectional secure forwarding tunnel 2 and the bidirectional secure forwarding tunnel 3 are bound bidirectionally.
Optionally, the intranet application access service node 1 and the intranet application access service client 1 need corresponding functions deployed, and the intranet application access service client 1 performs the security access authentication function with the intranet application access service 1. The port number is only visible at the service end; the intranet application itself registers as a client to the intranet application access service node. Since the intranet application acts as a client, when a message is forwarded from the intranet application access service node to the intranet application, the outer layer of the message does not need to encapsulate a TCP or UDP port number, which realizes the reverse registration between the intranet application access service node and the intranet application access service client in the user intranet.
When the intranet application is accessed, the intranet application access service receives from tunnel 2 the user traffic that has passed security authentication and, through the binding relationship between tunnel 2 and tunnel 3, forwards that traffic from the user side directly to tunnel 3.
For example, the IP address of the intranet application may be 100.1.1.2 and its port number 6000. A client of the intranet application access service is deployed at the intranet application, and tunnel 3 is established with the intranet application access service at the public cloud edge; once it is established, data messages sent from the user access service via the intranet application access service can reach the intranet application. The management and control server issues organization structure A, employee B, and the IP address and port number of the intranet application to the user-side access service, and the intranet application 100.1.1.2:6000 is bound to tunnel 2. When the PC accesses the intranet application 100.1.1.2:6000, the data message is sent from the PC directly through tunnel 1 to the user-side access service, which performs the second security authentication and policy authorization and forwards the message to tunnel 2 once it passes the authorization policy. The intranet application access service, after receiving the data message from tunnel 2, performs the third security authentication and policy authorization and forwards the message to tunnel 3 once it passes. The intranet application access service client, after receiving the data message from tunnel 3, performs the fourth security authentication and policy authorization and, once the message passes, forwards it to the intranet user application through the organization's intranet.
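The layered path of the example above (tunnel 1 to tunnel 2 to tunnel 3, each hop re-authenticating against its own issued copy of the correspondence), as an added example that is not code from the patent. Tunnel identifiers, the message layout and the reduction of each hop's check to the access-right lookup are assumptions; it also shows that revoking a right at only one hop's copy stops the message there.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class DataMessage:
    """Data message travelling on the tunnels (constructed layout)."""
    user: str
    target: str                                    # intranet application "ip:port"
    tunnel: str                                    # tunnel the message is currently on
    trace: List[str] = field(default_factory=list)  # hops whose authentication passed


# Bindings between the bidirectional secure forwarding tunnels:
# tunnel 1 (PC <-> user access service) -> tunnel 2 (<-> intranet application access
# service) -> tunnel 3 (<-> intranet application access service client).
TUNNEL_BINDING = {"tunnel1": "tunnel2", "tunnel2": "tunnel3"}


class ForwardingNode:
    """One hop of the layered path, holding its own issued copy of the access rights."""

    def __init__(self, name: str, in_tunnel: str, rights: Dict[str, Set[str]]):
        self.name = name
        self.in_tunnel = in_tunnel
        self.rights = rights

    def handle(self, msg: DataMessage) -> Optional[DataMessage]:
        """Authenticate the message, then forward it on the bound tunnel; None means dropped."""
        if msg.tunnel != self.in_tunnel:
            raise ValueError(f"{self.name} only receives traffic from {self.in_tunnel}")
        # security authentication and policy authorization against this node's own copy
        if msg.target not in self.rights.get(msg.user, set()):
            return None
        msg.trace.append(self.name)
        next_tunnel = TUNNEL_BINDING.get(self.in_tunnel)
        # the last hop leaves the tunnels and enters the organization's intranet
        msg.tunnel = next_tunnel if next_tunnel is not None else "intranet"
        return msg


def build_path(node_rights, service_rights, client_rights) -> List[ForwardingNode]:
    """The three hops in order, each with the correspondence issued to it."""
    return [
        ForwardingNode("user access service node", "tunnel1", node_rights),
        ForwardingNode("intranet application access service node", "tunnel2", service_rights),
        ForwardingNode("intranet application access service client", "tunnel3", client_rights),
    ]


def deliver(msg: DataMessage, path: List[ForwardingNode]) -> Tuple[str, List[str]]:
    """Push the message along the path; returns (status, hops passed)."""
    current = msg
    for node in path:
        current = node.handle(current)
        if current is None:
            return "dropped at " + node.name, msg.trace
    return "delivered to " + current.tunnel, msg.trace


if __name__ == "__main__":
    issued = {"B": {"100.1.1.2:6000"}}          # employee B of organization A
    print(deliver(DataMessage("B", "100.1.1.2:6000", "tunnel1"), build_path(issued, issued, issued)))
```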
The data access method provided by this embodiment realizes a secure, layered intranet access mechanism based on a zero trust architecture: the key points of zero trust are realized in a layered manner, and the whole function realizes a path so that the reliability of each node is improved. On the control side, access deployment and resource control are not deployed uniformly on a single gateway; instead, user access, authentication, authorization and trust characteristic calculation are dispersed over the cloud computing network nodes of the system, removing the dependence on a single gateway node found in current systems. On the forwarding side, the forwarding tunnel used for forwarding path calculation needs no dedicated forwarding VPN access equipment; it uses the existing public cloud network resources and the dispersed functions realized by the control layer of this scheme to implement the nodes, thereby realizing layered path forwarding and increasing the stability and security of each segment of the whole forwarding path.
It should be understood that, although the steps in the flowcharts related to the embodiments described above are shown in sequence as indicated by the arrows, the steps are not necessarily performed in sequence as indicated by the arrows. The steps are not performed in the exact order shown and described, and may be performed in other orders, unless explicitly stated otherwise. Moreover, at least a part of the steps in the flowcharts related to the embodiments described above may include multiple steps or multiple stages, which are not necessarily performed at the same time, but may be performed at different times, and the execution order of the steps or stages is not necessarily sequential, but may be rotated or alternated with other steps or at least a part of the steps or stages in other steps.
Based on the same inventive concept, the embodiment of the present application further provides a data access system for implementing the above-mentioned data access method. The implementation scheme for solving the problem provided by the apparatus is similar to the implementation scheme described in the above method, so specific limitations in one or more embodiments of the data access system provided below may refer to the limitations on the data access method in the foregoing, and details are not described here.
The embodiment of the application provides a data access system, which is deployed on a public cloud, wherein the public cloud comprises a plurality of edge computing nodes, the edge computing nodes are connected through a secure tunnel, and the system comprises at least one user access service node 200, at least one intranet application access service node 300 and at least one intranet application access service client 500; wherein:
the user access service node 200 is configured to receive a user access request, and if it is determined that the user access request passes a first authentication according to a pre-configured first authentication policy, forward the user access request to the intranet application access service node 300;
the intranet application access service node 300 is configured to receive the user access request, and if it is determined that the user access request passes the second authentication according to a second authentication policy configured in advance, forward the user access request to the intranet application access service client 500;
the intranet application access service client 500 is configured to receive the user access request, and if it is determined that the user access request passes the third authentication according to a third authentication policy configured in advance, forward the user access request to the intranet application through an intranet, so that the user end 100 accesses the intranet application.
The various modules in the data access system described above may be implemented in whole or in part by software, hardware, and combinations thereof. The modules can be embedded in a hardware form or independent from a processor in the computer device, and can also be stored in a memory in the computer device in a software form, so that the processor can call and execute operations corresponding to the modules.
In one embodiment, a computer device is provided, which may be a server, the internal structure of which may be as shown in fig. 5. The computer device includes a processor, a memory, and a network interface connected by a system bus. Wherein the processor of the computer device is configured to provide computing and control capabilities. The memory of the computer device includes a non-volatile storage medium and an internal memory. The non-volatile storage medium stores an operating system, a computer program, and a database. The internal memory provides an environment for the operating system and the computer program to run on the non-volatile storage medium. The database of the computer device is used for storing data related to the access. The network interface of the computer device is used for communicating with an external terminal through a network connection. The computer program is executed by a processor to implement a data access method.
Those skilled in the art will appreciate that the architecture shown in fig. 5 is merely a block diagram of some of the structures associated with the disclosed aspects and is not intended to limit the computing devices to which the disclosed aspects apply, as particular computing devices may include more or less components than those shown, or may combine certain components, or have a different arrangement of components.
In one embodiment, a computer device is further provided, which includes a memory and a processor, the memory stores a computer program, and the processor implements the steps of the above method embodiments when executing the computer program.
In an embodiment, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
In an embodiment, a computer program product is provided, comprising a computer program which, when being executed by a processor, carries out the steps of the above-mentioned method embodiments.
It should be noted that, the user information (including but not limited to user device information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application are information and data authorized by the user or sufficiently authorized by each party.
It will be understood by those skilled in the art that all or part of the processes of the methods of the embodiments described above can be implemented by hardware instructions of a computer program, which can be stored in a non-volatile computer-readable storage medium, and when executed, can include the processes of the embodiments of the methods described above. Any reference to memory, database, or other medium used in the embodiments provided herein may include at least one of non-volatile and volatile memory. The nonvolatile Memory may include Read-Only Memory (ROM), magnetic tape, floppy disk, flash Memory, optical Memory, high-density embedded nonvolatile Memory, resistive Random Access Memory (ReRAM), Magnetic Random Access Memory (MRAM), Ferroelectric Random Access Memory (FRAM), Phase Change Memory (PCM), graphene Memory, and the like. Volatile Memory can include Random Access Memory (RAM), external cache Memory, and the like. By way of illustration and not limitation, RAM can take many forms, such as Static Random Access Memory (SRAM) or Dynamic Random Access Memory (DRAM), among others. The databases referred to in various embodiments provided herein may include at least one of relational and non-relational databases. The non-relational database may include, but is not limited to, a block chain based distributed database, and the like. The processors referred to in the embodiments provided herein may be general purpose processors, central processing units, graphics processors, digital signal processors, programmable logic devices, quantum computing based data processing logic devices, etc., without limitation.
The technical features of the above embodiments can be arbitrarily combined, and for the sake of brevity, all possible combinations of the technical features in the above embodiments are not described, but should be considered as the scope of the present specification as long as there is no contradiction between the combinations of the technical features.
The above-mentioned embodiments only express several embodiments of the present application, and the description thereof is more specific and detailed, but not construed as limiting the scope of the present application. It should be noted that, for a person skilled in the art, several variations and modifications can be made without departing from the concept of the present application, which falls within the scope of protection of the present application. Therefore, the protection scope of the present application should be subject to the appended claims.

Claims (10)

1. A data access method is applied to a data access system, the data access system comprises at least one intranet application access service client and a plurality of edge computing nodes deployed on a public cloud, the edge computing nodes are connected through a secure tunnel, and the edge computing nodes comprise at least one user access service node and at least one intranet application access service node; the method comprises the following steps:
the user access service node receives a user access request, and if the user access request is determined to pass first authentication according to a first authentication strategy configured in advance, the user access request is forwarded to the intranet application access service node;
the intranet application access service node receives the user access request, and if the user access request is determined to pass through second authentication according to a second authentication strategy configured in advance, the intranet application access service node forwards the user access request to the intranet application access service client;
and the intranet application access service client receives the user access request, and if the user access request is determined to pass the third authentication according to a preset third authentication strategy, the user access request is forwarded to the intranet application through an intranet, so that the user side accesses the intranet application.
2. The method of claim 1, wherein the user access request comprises first user information and a target access address;
if the user access request is determined to pass the first authentication according to the pre-configured first authentication policy, forwarding the user access request to the intranet application access service node, including:
and if the user access service node determines that the first access authority corresponding to the first user information contains a target access address according to a preset corresponding relationship between the user and the access authority, determining that the user access request passes the first authentication, and forwarding the user access request to the intranet application access service node.
3. The method of claim 2, wherein the first user information comprises first identity characteristic information and first communication characteristic information;
if the user access service node determines that the first access authority corresponding to the first user information includes a target access address according to a pre-configured corresponding relationship between the user and the access authority, and determines that the user access request passes the first authentication, the user access request is forwarded to the intranet application access service node, including:
and if the first communication characteristic information is in a preset target area and the user access service node determines that the first access authority corresponding to the first identity characteristic information comprises a target access address according to a preset corresponding relation between the user and the access authority, determining that the user access request passes the first authentication, and forwarding the user access request to the intranet application access service node.
4. The method of any of claims 1-3, wherein the data access system further comprises: the system comprises a control server, an intranet application end and at least one user end; the method further comprises the following steps:
the user access service node receives a user registration request sent by the user side, and forwards the user registration request to the control server, wherein the user registration request comprises user information of a plurality of users in a preset range, and the user information comprises identity characteristic information and communication characteristic information;
the intranet application access service node receives an application registration request sent by the intranet application terminal, and forwards the application registration request to the management and control server, wherein the application registration request comprises address information of an internal application, and the address information comprises a communication address and a communication port;
the management and control server sets a strategy according to a preset authority under the condition that the user registration request and the application registration request are received, allocates access authorities to each user contained in the user registration request according to the identity characteristic information and the communication characteristic information, generates corresponding relations between the users and the access authorities, and sends the corresponding relations between the users and the access authorities to the user access service node, the intranet application access service node and the intranet application access service client, wherein the access authorities comprise address information of at least one intranet application, and the access authorities enable the user side to access the intranet application.
5. The method according to claim 4, wherein allocating an access authority to each user included in the user registration request according to the identity characteristic information, the communication characteristic information and the preset authority setting policy, and generating the correspondence between users and access authorities, comprises:
for each user in the user registration request, the management and control server calculates the user's trust feature degree from the identity characteristic information and the communication characteristic information through a preset trust feature algorithm, and allocates to the user the access authority that corresponds to that trust feature degree under the preset authority setting policy, thereby generating the correspondence between the user and the access authority.
6. The method of claim 2, further comprising:
if the user access service node that received the user access request fails, the management and control server sends the user access request received by the failed user access service node to another user access service node through the public cloud.
7. A data access system, characterized by comprising at least one intranet application access service client and a plurality of edge computing nodes deployed on a public cloud, wherein the edge computing nodes are connected to one another through secure tunnels and each edge computing node comprises at least one user access service node and at least one intranet application access service node; wherein:
the user access service node is configured to receive a user access request and, if the user access request passes a first authentication according to a preconfigured first authentication policy, forward the user access request to the intranet application access service node;
the intranet application access service node is configured to receive the user access request and, if the user access request passes a second authentication according to a preconfigured second authentication policy, forward the user access request to the intranet application access service client;
the intranet application access service client is configured to receive the user access request and, if the user access request passes a third authentication according to a preconfigured third authentication policy, forward the user access request through the intranet to the intranet application, so that the user end accesses the intranet application.
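An added example (not code from the patent or its assignee) modelling claims 4, 5 and 3 in Python: the management and control server turns registered user information into a user-to-access-authority correspondence, and the user access service node applies the first authentication. The trust feature algorithm, the authority setting policy, the target area, and the sample users and intranet addresses are all constructed assumptions, since the patent only says they are preset.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample data: address information (communication address and
# port) of intranet applications registered by the intranet application end.
INTRANET_APPS = {
    "wiki": ("10.0.1.10", 80),
    "finance": ("10.0.2.20", 443),
    "admin": ("10.0.3.30", 22),
}
# Hypothetical authority-setting policy: minimum trust degree per application.
AUTHORITY_POLICY = {"wiki": 1, "finance": 2, "admin": 3}
# Preset target area checked by the user access service node (constructed).
TARGET_AREA = [ip_network("203.0.113.0/24"), ip_network("198.51.100.0/24")]


@dataclass(frozen=True)
class UserInfo:
    identity: str       # identity characteristic information (constructed)
    mfa_enrolled: bool  # treated here as part of the identity characteristics
    client_ip: str      # communication characteristic information


def in_target_area(client_ip: str) -> bool:
    return any(ip_address(client_ip) in net for net in TARGET_AREA)


def trust_degree(user: UserInfo) -> int:
    """Hypothetical trust feature algorithm; the patent leaves it preset."""
    score = 1
    if user.mfa_enrolled:
        score += 1
    if in_target_area(user.client_ip):
        score += 1
    return score


def assign_access_authorities(users):
    """Control server: build the user-to-access-authority correspondence by
    granting each user the addresses its trust degree qualifies for."""
    return {u.identity: {INTRANET_APPS[app] for app, need in AUTHORITY_POLICY.items()
                         if trust_degree(u) >= need}
            for u in users}


def first_authentication(identity, client_ip, target, authorities) -> bool:
    """User access service node: forward only if the client IP lies in the
    target area and the user's access authority includes the target address."""
    return in_target_area(client_ip) and target in authorities.get(identity, set())
```

A user whose IP is outside the target area fails regardless of authority, and an address that was never registered by the intranet application end can never appear in any authority.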
8. A computer device comprising a memory and a processor, the memory storing a computer program, characterized in that the processor, when executing the computer program, implements the steps of the method according to any of claims 1-6.
9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the steps of the method according to any one of claims 1 to 6.
10. A computer program product comprising a computer program, characterized in that the computer program realizes the steps of the method of any one of claims 1-6 when executed by a processor.
CN202210105441.2A 2022-01-28 2022-01-28 Data access method, data access system, computer device and storage medium Pending CN114448700A (en)

Publications (1)

Publication Number Publication Date
CN114448700A true CN114448700A (en) 2022-05-06

Family

ID=81369606

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN114598498A (en) * 2022-01-28 2022-06-07 杭州亿格云科技有限公司 Access method, access system, computer device, and storage medium
CN114978709A (en) * 2022-05-24 2022-08-30 成都市第三人民医院 Lightweight unified security authentication system and method for medical application
CN115514576A (en) * 2022-10-09 2022-12-23 中国南方电网有限责任公司 Access identity authentication method, device, equipment and medium for power monitoring system

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination