CN114465827A - Data confidential information protection system based on zero trust network - Google Patents


Info

Publication number
CN114465827A
Authority
CN
China
Prior art keywords
configuration
confidential information
module
information
service
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN202210375221.1A
Other languages
Chinese (zh)
Other versions
CN114465827B (en)
Inventor
李彪
张超
徐建平
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nanjing Hurricane Engine Information Technology Co ltd
Original Assignee
Nanjing Zhirenyun Information Technology Co ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nanjing Zhirenyun Information Technology Co ltd
Priority to CN202210375221.1A
Publication of CN114465827A
Application granted
Publication of CN114465827B
Legal status: Active (current)
Anticipated expiration

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/22 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks comprising specially adapted graphical user interfaces [GUI]
    • H04L41/28 Restricting access to network management systems or functions, e.g. using authorisation function to access network configuration
    • H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L69/16 Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
    • H04L69/163 In-band adaptation of TCP data exchange; In-band control procedures
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data
    • G06F16/24 Querying
    • G06F16/245 Query processing
    • G06F16/2455 Query execution
    • G06F16/24552 Database cache management
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60 Protecting data
    • G06F21/602 Providing cryptographic facilities or services
    • G06F21/62 Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218 Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • G06F21/6245 Protecting personal data, e.g. for financial or medical purposes

Abstract

The invention discloses a data confidential information protection system based on a zero trust network, belonging to the technical field of communication. The system comprises a control plane module, a confidential information storage module, a configuration center, a configuration agent, a sidecar main module and an external system. The control plane module performs add, delete, modify and query operations on confidential information, verifies the operator's authority information, stores configuration information in the configuration center and sends a configuration update signal to the configuration center; the confidential information storage module stores the confidential information; the configuration center receives and stores the configuration update signal; the configuration agent retrieves the update signal and the actual configuration from the configuration center, applies the configuration and at the same time communicates with the sidecar main module; the sidecar main module manages and verifies the confidential information; and the external system receives calls from the micro-service, which initiates viewing requests for confidential information content.

Description

Data confidential information protection system based on zero trust network
Technical Field
The invention relates to the technical field of communication, in particular to a data confidential information protection system based on a zero trust network.
Background
In a zero trust network, sensitive information belonging to a micro-service, in particular the passwords, keys and tokens used to authenticate to external systems, is usually stored in configuration files or environment variables. On the one hand, these locations are insecure and easily obtained by attackers; the information is usually passed between systems in plaintext, so a weakness at any single link can cause leakage, and protection is difficult. On the other hand, ordinary development or operations personnel can reach the database, so incidents such as malicious database deletion readily occur. Some solutions have recognised this problem and store such sensitive information in a confidential storage component, but the information also requires a very efficient management system that controls which services and personnel may view which items. Moreover, when services integrate with this information, a corresponding SDK generally has to be imported and developed for each different confidential storage component, which adds a large amount of boilerplate code unrelated to the actual business logic to the project. Existing schemes find it difficult to perform fine-grained, near-real-time control over the information and its permissions: after the data or the permission configuration is changed, the service cannot effectively and promptly obtain the changed data or apply the changed permissions.
On top of this, certain scenarios carry further security risks. One is that no zero trust protection is applied to the communication loop, so a man-in-the-middle attack or an illegal client stealing confidential information is possible; the other is that the confidential information still resides in the service's memory, so the operator or maintainer of the service may still intercept its actual content.
Disclosure of Invention
The invention aims to provide a data confidential information protection system based on a zero trust network, so as to solve the problems described in the background section.
To solve these technical problems, the invention provides the following technical scheme:
the data confidential information protection system based on the zero trust network comprises a control plane module, a confidential information storage module, a configuration center, a configuration agent, a sidecar main module and an external system;
the control plane module performs add, delete, modify and query operations on confidential information, verifies owner information, stores configuration information in the configuration center and sends a configuration update signal to the configuration center; the confidential information storage module stores confidential information; the configuration center receives and stores the configuration update signal; the configuration agent retrieves the update signal and the actual configuration from the configuration center, applies the configuration and at the same time communicates with the sidecar main module; the sidecar main module manages and verifies confidential information; the external system receives micro-service calls, and the micro-service can also communicate with the sidecar main module to initiate a viewing request for confidential information content.
According to the technical scheme, the control plane module comprises a visual interface and a security module;
the control plane module workflow includes:
for confidential information that a service needs to use, the administrator uses the service identification number as the storage path prefix and persists the confidential information in the confidential information storage module through the visual interface of the control plane module;
for a service that needs confidential information configured, the administrator creates the corresponding configuration information and configuration update signal with the service identification number as primary key, where the configuration information comprises the access address of the confidential information storage module used by the service, blacklist and whitelist control information for the confidential information, and cache configuration information;
the control plane module sends the configuration information and the configuration update signal to the configuration center;
and the administrator performs add, delete, modify and query operations on the configuration information and the confidential information through the visual interface, where these operations require 2FA as a second verification and the security module as a third verification.
The control plane module authenticates every operation and allows the corresponding behaviour only when the administrator user holds the corresponding permission points for adding, deleting, modifying and querying confidential information.
According to the technical scheme, the sidecar main module comprises a sidecar proxy module, a sidecar cache module and a sidecar confidential information management module;
the sidecar proxy module communicates with the configuration agent over mTLS, pulls the configuration information for its service from the configuration center through the configuration agent, obtains configuration update signals from the configuration agent by long polling, and applies the configuration;
the sidecar proxy module also communicates with the confidential information storage module over mTLS; when the service initiates a call to an external system or a request to view confidential information content, the request is always sent to the sidecar proxy module, which on receipt checks whether the service has the authority to request that information and, if so, issues an information acquisition request to the confidential information storage module and performs the corresponding operation;
the sidecar cache module encrypts the acquired confidential information and caches it in memory, and this caching behaviour can be regulated dynamically through the configuration of the control plane module;
the sidecar confidential information management module reports to the control plane module the metrics on acquisitions from the confidential information storage module and on the local cache;
the control plane module queries these metrics and displays them visually.
According to the above technical solution, the sidecar proxy module operates as follows:
after the sidecar proxy module starts, it uses mTLS communication to pull the configuration information for its service from the configuration agent and obtains configuration update signals from the configuration agent by long polling;
the configuration agent maintains a long-lived connection to the configuration center, forwards configuration acquisition requests to it, and at the same time listens for service configuration update signals from it;
the sidecar proxy module parses and applies the configuration; when it receives a configuration update signal, it first obtains the last update time of the configuration and compares it with the existing local configuration, and only if the obtained last update time is later than that of the local configuration does it pull, parse and apply the new configuration;
the sidecar proxy module further performs the following steps:
S4-1, the service initiates a request to the external system that requires the service's confidential information and attaches the external system authentication information stored in its environment variable, that is, the key under which the confidential information is stored, then proceeds to step S4-2; if the key under which the confidential information is stored is not attached, proceed to step S4-5;
S4-2, after the sidecar proxy module receives the service's confidential information viewing request, it first checks, against the service's configuration information, whether the service has query authority for that confidential information;
S4-3, if the check fails, an error is reported and a log is recorded; if the check passes, the cache is first checked for the confidential information the service queried; if present, the cached confidential information is returned directly to the service; if not, an attempt is made to acquire it from the confidential information storage module;
S4-4, if the confidential information cannot be obtained from the confidential information storage module, an error is reported and a log is recorded; if it can, the confidential information is encrypted and cached in local memory and returned to the service;
S4-5, the sidecar proxy module receives the service's confidential information viewing request, acquires the authorization information it carries, uses that authorization information as the key under which the confidential information is stored, and proceeds through steps S4-2 to S4-4 to obtain the real access address and authorization information of the external system from the confidential information content;
the sidecar is a form of middleware mainly responsible for governing traffic between services. Its main function is to supplement the service at run time, and combined with zero trust it greatly strengthens the security of the system. It mainly covers three aspects of security: data transfer security, data storage security and data visibility security. First, each sidecar and each core component applies to a CA for a certificate as its identity, and all mutual communication uses mTLS bidirectional authentication, which greatly increases the difficulty of stealing data in transit and improves data transfer security. Confidential information is kept in the confidential storage component in encrypted form, so that even if a data disk is stolen the data cannot be decrypted, improving data storage security. The sidecar separates authority and filters data between services and data, effectively preventing a service from acquiring data beyond its authorization, and so improves data visibility security.
S4-6, the sidecar handshakes with the external system using the SPA first-packet authentication mode, forwards the service's access request to the external system and attaches the real authorization information.
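The request path of steps S4-2 to S4-5 as an added worked example in Go (not code from the patent): the sidecar proxy decides authorization from the service's configured allow and deny lists before it looks in its cache, falls back to the confidential information storage module on a miss, and records every denial or store failure. The storage module is stood in for by a constructed in-memory map, the alias map that turns a placeholder credential into a storage path is a hypothetical rendering of S4-5, and the cache is a plain map so the flow stays visible (encryption of cached entries is a separate concern).

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// ServiceConfig is the per-service configuration the sidecar pulls from the
// configuration center: store address plus allow/deny lists of secret paths.
type ServiceConfig struct {
	ServiceID string
	StoreAddr string
	Allow     []string          // path prefixes the service may read
	Deny      []string          // path prefixes never readable; deny wins over allow
	Aliases   map[string]string // hypothetical: placeholder credential -> secret path (S4-5)
}

// SecretStore stands in for the confidential information storage module.
type SecretStore interface {
	Fetch(path string) (string, error)
}

// memStore is a constructed in-memory store for the example.
type memStore map[string]string

func (m memStore) Fetch(path string) (string, error) {
	v, ok := m[path]
	if !ok {
		return "", fmt.Errorf("secret %q not found in store", path)
	}
	return v, nil
}

// Sidecar is the proxy module sitting next to one service.
type Sidecar struct {
	cfg   ServiceConfig
	store SecretStore
	cache map[string]string // plaintext for brevity; the real module encrypts entries
	audit []string          // what S4-3/S4-4 would write to the log
}

func NewSidecar(cfg ServiceConfig, store SecretStore) *Sidecar {
	return &Sidecar{cfg: cfg, store: store, cache: map[string]string{}}
}

// resolve maps what the service attached to a storage path: the path itself
// (S4-1) or a placeholder credential the sidecar translates (S4-5).
func (s *Sidecar) resolve(ref string) string {
	if p, ok := s.cfg.Aliases[ref]; ok {
		return p
	}
	return ref
}

// authorized is the S4-2 check, decided from configuration alone: the path must
// sit under the service's own prefix, match no deny entry and match an allow entry.
func authorized(cfg ServiceConfig, path string) bool {
	if !strings.HasPrefix(path, cfg.ServiceID+"/") {
		return false
	}
	for _, d := range cfg.Deny {
		if strings.HasPrefix(path, d) {
			return false
		}
	}
	for _, a := range cfg.Allow {
		if strings.HasPrefix(path, a) {
			return true
		}
	}
	return false
}

// View handles one confidential-information viewing request (S4-2 to S4-4);
// refresh corresponds to the page's refresh_cache parameter.
func (s *Sidecar) View(ref string, refresh bool) (string, error) {
	path := s.resolve(ref)
	if !authorized(s.cfg, path) {
		// Deny before touching the cache, so a value cached earlier cannot leak
		// after a configuration update has revoked the permission.
		s.audit = append(s.audit, fmt.Sprintf("deny service=%s path=%s", s.cfg.ServiceID, path))
		return "", errors.New("forbidden")
	}
	if !refresh {
		if v, ok := s.cache[path]; ok {
			return v, nil
		}
	}
	v, err := s.store.Fetch(path)
	if err != nil {
		s.audit = append(s.audit, fmt.Sprintf("error service=%s store=%s err=%v", s.cfg.ServiceID, s.cfg.StoreAddr, err))
		return "", err
	}
	s.cache[path] = v
	return v, nil
}

func (s *Sidecar) Audit() []string { return s.audit }
```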
According to the technical scheme, the SPA first-packet authentication mode comprises the following steps:
acquiring the general SPA initial packet field format;
the service initiates a TCP connection request to the sidecar main module, and after the TCP three-way handshake the connection is established; the sidecar main module sends a handshake packet to the service, and the service computes a digest of its configured account password using the encryption seed carried in the handshake packet;
the service constructs an auth authentication packet and sends it towards the database, where the account password sent by the service is taken from an environment variable and was written at deployment time;
the sidecar main module receives the authentication packet, obtains the account password sent by the service and from it obtains the real database connection information;
the sidecar main module then performs handshake authentication with the client in SPA mode using the database connection information; after authentication passes, it receives the handshake-success OK packet sent by the client and forwards that OK packet to the service.
According to the above technical solution, the sidecar cache module operates as follows:
when the sidecar cache module starts it randomly generates a 32-bit encryption key and, from the cache configuration, sets whether the cache is enabled, the cache expiry time and the cache memory upper limit, which default to an expiry time of 5 minutes and a memory upper limit of 1 MB;
when confidential information that missed the cache is obtained, or the forced-refresh parameter refresh_cache is attached when obtaining it, the confidential information is stored in the cache under a key formed by concatenating the key of the confidential information with its version (key + version), so the cache supports caching different versions of the same confidential information;
when the confidential information content is cached, it is encrypted with the AES algorithm under the generated 32-bit encryption key and then stored in memory;
when the cache is full and data needs to be stored in it, an LFU (Least Frequently Used) eviction strategy evicts the key with the lowest usage frequency in the current cache;
if the service specifies the refresh_cache parameter when acquiring confidential information, the confidential information is fetched from the confidential information storage module and the cache content is updated.
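The cache module above as an added worked example in Go (not the patent's own code): an AES-GCM encrypted in-memory cache keyed by key+version, with a random key generated at start, an expiry time, a memory upper limit and LFU eviction. It assumes the "32-bit" key on the page means 32 bytes (AES-256), and the expiry time and limit are passed in by the caller rather than read from the configuration center.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"time"
)

// entry: AES-GCM nonce||ciphertext||tag, its expiry, and a read counter for LFU.
type entry struct {
	sealed  []byte
	expires time.Time
	hits    int
}

// SecretCache is the sidecar's encrypted in-memory cache. The AES key lives only
// in this process and is regenerated on every start.
type SecretCache struct {
	aead    cipher.AEAD
	entries map[string]*entry
	ttl     time.Duration
	maxMem  int // upper bound on sealed bytes held
	used    int
}

// NewSecretCache mirrors the module's start-up: fresh random key, then TTL and
// memory limit from the cache configuration (page defaults: 5 min, 1 MB).
func NewSecretCache(ttl time.Duration, maxMem int) (*SecretCache, error) {
	key := make([]byte, 32) // assumed: the page's "32-bit" key read as 32 bytes (AES-256)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &SecretCache{aead: aead, entries: map[string]*entry{}, ttl: ttl, maxMem: maxMem}, nil
}

// cacheKey is the page's key+version concatenation, so versions can coexist.
func cacheKey(name, version string) string { return name + "+" + version }

// Put seals a secret under a fresh nonce, evicting LFU entries to fit the limit.
func (c *SecretCache) Put(name, version string, plaintext []byte) error {
	k := cacheKey(name, version)
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err // never encrypt under a nonce we could not generate
	}
	// Key bound as associated data: a ciphertext moved under another key won't open.
	sealed := c.aead.Seal(nonce, nonce, plaintext, []byte(k))
	if len(sealed) > c.maxMem {
		return errors.New("secret larger than cache memory limit")
	}
	c.remove(k) // a refresh_cache re-put replaces the old ciphertext
	for c.used+len(sealed) > c.maxMem {
		c.evictLFU()
	}
	c.entries[k] = &entry{sealed: sealed, expires: time.Now().Add(c.ttl)}
	c.used += len(sealed)
	return nil
}

// Get returns the decrypted secret if it is present, unexpired and untampered.
func (c *SecretCache) Get(name, version string) ([]byte, bool) {
	k := cacheKey(name, version)
	e, ok := c.entries[k]
	if !ok {
		return nil, false
	}
	if !time.Now().Before(e.expires) {
		c.remove(k)
		return nil, false
	}
	e.hits++
	ns := c.aead.NonceSize()
	pt, err := c.aead.Open(nil, e.sealed[:ns], e.sealed[ns:], []byte(k))
	if err != nil {
		c.remove(k) // corrupted in memory: drop it rather than serve garbage
		return nil, false
	}
	return pt, true
}

// evictLFU drops the entry with the fewest reads (ties broken arbitrarily).
func (c *SecretCache) evictLFU() {
	victim, fewest := "", -1
	for k, e := range c.entries {
		if fewest < 0 || e.hits < fewest {
			victim, fewest = k, e.hits
		}
	}
	c.remove(victim)
}

func (c *SecretCache) remove(k string) {
	if e, ok := c.entries[k]; ok {
		c.used -= len(e.sealed)
		delete(c.entries, k)
	}
}
```

A refresh_cache request maps to calling Put again with the freshly fetched value; the oversize check and the eviction loop together guarantee the memory limit is never exceeded.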
According to the above technical solution, the sidecar confidential information management module operates as follows:
the sidecar confidential information management module records metrics each time the service acquires confidential information;
every 5 seconds it pushes the collected metrics to VictoriaMetrics; for each confidential storage key the service uses, the metrics comprise the number of acquisitions, the cache memory occupied, the number of cache hits, and the number of key changes (additions or evictions) in the cache;
the control plane module can query the metrics reported by the sidecar confidential information management module, aggregate them and display the telemetry in the visual interface.
According to the technical scheme, the security module comprises an input device security authentication submodule and an operation time security authentication submodule;
the input device security authentication submodule acquires the daily movement trajectory of the input device used to operate the visual interface and performs intelligent authentication of the administrator operating that input device; the operation time security authentication submodule acquires the operation times at which the administrator adds, deletes, modifies and queries configuration information and confidential information through the visual interface and intelligently authenticates the operating administrator;
the outputs of the input device security authentication submodule and the operation time security authentication submodule are connected to the system's error reporting port, and a log is recorded whenever an error is reported.
According to the above technical solution, the input device security authentication submodule operates as follows:
H groups of input device movement area trajectories are extracted from historical data, and the H groups are divided into a training set and a test set in a 9:1 ratio;
a movement area trajectory graph is constructed from the training set data of the input device movement area trajectories in the historical data;
the movement area trajectory graph contains all movement trajectory points in the training set, and the minimum distance between any movement trajectory point and the edge of the graph does not exceed L, where L is a first safety difference threshold;
the test set data are obtained and substituted into the movement area trajectory graph; for each group of data, the number of movement trajectory points falling outside the graph and the average of the minimum distances between all such outside points and the edge of the graph are obtained and recorded as
Figure 412396DEST_PATH_IMAGE001
where
Figure 396446DEST_PATH_IMAGE002
is the number of movement trajectory points falling outside the movement area trajectory graph in the i-th group of data;
Figure 769658DEST_PATH_IMAGE003
is the average of the minimum distances between all movement trajectory points outside the movement area trajectory graph and its edge in the i-th group of data;
the predicted output result is calculated according to the formula:
Figure 633709DEST_PATH_IMAGE004
where
Figure 182502DEST_PATH_IMAGE005
represents the predicted output result; y represents the number of test set data groups;
Figure 349172DEST_PATH_IMAGE006
respectively represent, for each of the y groups of data, the number of movement trajectory points falling outside the movement area trajectory graph;
Figure 85047DEST_PATH_IMAGE007
respectively represent, for each of the y groups of data, the average of the minimum distances between all movement trajectory points outside the movement area trajectory graph and its edge;
the movement trajectory points of the current operation are obtained and compared with the movement area trajectory graph to obtain the number of movement trajectory points falling outside it
Figure 877423DEST_PATH_IMAGE008
and the average of the minimum distances between all movement trajectory points outside the movement area trajectory graph and its edge
Figure 280722DEST_PATH_IMAGE009
a safety detection value is constructed:
Figure 618294DEST_PATH_IMAGE010
where
Figure 841465DEST_PATH_IMAGE011
represents the safety detection value;
Figure 906373DEST_PATH_IMAGE012
Figure 898600DEST_PATH_IMAGE013
respectively represent detection coefficient values;
a preset safety threshold is obtained; if the safety detection value exceeds the safety threshold, an error is reported and a log is recorded.
In this system the usual input device is a mouse. Because each person's behavioural habits and arm length differ, the area covered by their mouse movements differs too. By analysing many historical records, the movement area of the administrator's input device is mapped out; if in any single operation the trajectory deviates greatly, or no trajectory target can be obtained, this indicates that the administrator is not operating in person, probably because the input device has been replaced, the data channel has been hijacked, or another input device has been attached externally. An alarm is raised immediately and the logs are collected for subsequent examination and analysis.
According to the above technical solution, the operation time security authentication submodule operates as follows:
the operation time of each add, delete, modify and query operation that the administrator performs on configuration information and confidential information through the visual interface is acquired;
for any one operation, s groups of data are selected as the training set, and the (s+1)-th is taken as the next prediction result;
the following formula is established:
Figure 672652DEST_PATH_IMAGE014
where
Figure 383119DEST_PATH_IMAGE015
represents the predicted operation time of the next occurrence of that operation;
Figure 251718DEST_PATH_IMAGE016
is the predicted intercept;
Figure 629609DEST_PATH_IMAGE017
is the predicted slope;
Figure 308983DEST_PATH_IMAGE018
is the number of periods ahead for which the new trend is predicted; in the case of s+1,
Figure 506747DEST_PATH_IMAGE018
= 1; s is the number of historical data periods;
Figure 179036DEST_PATH_IMAGE019
Figure 145855DEST_PATH_IMAGE020
where
Figure 996131DEST_PATH_IMAGE021
represents the moving average over u groups of data;
Figure 415611DEST_PATH_IMAGE022
represents the second (double) moving average over u groups of data; u represents the number of data groups included in the moving window;
the operation time of the current operation is obtained and recorded as
Figure 891592DEST_PATH_IMAGE023
a second safety difference threshold is constructed, and if
Figure 712917DEST_PATH_IMAGE024
exceeds the second safety difference threshold, an error is reported and a log is recorded.
Compared with the prior art, the invention has the following beneficial effects:
it can solve the problem of confidential information being stolen or abused while an application program acquires sensitive information such as database information, sensitive environment variable information, secret keys and tokens (collectively referred to as confidential information), avoiding the system security problems caused by the misuse or theft of confidential information and effectively protecting the system;
the system stores the service's sensitive information, particularly the passwords and secret keys used for identity authentication, in encrypted form in the confidential storage module, so the information is not exposed in environment variables and configuration files, increasing the information security of the service;
by connecting different services through the sidecar module, the system further improves security, improves system performance and lowers the barrier to use for service developers;
the invention provides a visual platform and an API (application programming interface) for administrators and management programs to manage information content and information authority, with fine-grained control over both, which greatly increases the usability of the system and effectively prevents personnel or systems without authority from acquiring confidential information;
communication among the system's components uses mTLS zero trust communication, improving the security of information in transit and preventing information from being intercepted or forged during transmission;
the system adds an encrypted in-memory cache for confidential information in the sidecar, which keeps the data secure, speeds up responses and also keeps the system available while the confidential storage module is briefly down;
when proxying service access to an external system, the system uses the SPA first-packet authentication technique to reduce the proxy's resource consumption, which optimises resource usage well in the case of large data packets.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a schematic diagram of the overall architecture of a data secret information protection system based on a zero trust network of the present invention;
FIG. 2 is a schematic diagram of the overall architecture of an embodiment of a data secret information protection system based on a zero trust network according to the present invention;
FIG. 3 is a schematic diagram of the mysql first-packet authentication principle (partial architecture) of an embodiment of the data secret information protection system based on a zero trust network according to the present invention;
FIG. 4 is a schematic diagram of the SPA first-packet authentication format (partial) of an embodiment of the data secret information protection system based on the zero trust network.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1-4, in the present embodiment:
The scenario is the protection of information such as passwords when a service accesses an external mysql system; it mainly describes the case where the mysql access information is protected as confidential information.
mysql serves as the persistent data store of the service, and its security determines the security of the entire service. In practice there have been many incidents of developers deleting a database by mistake, of operations staff logging in directly with the connection information to modify database content, and the like.
With the system introduced, the deployment module writes the database access information into the confidential information storage module through the control plane module and writes the corresponding environment variables into the service configuration. The service accesses data through the database connection information in its environment variables; the actual request is sent to the sidecar main module, which obtains the real database connection information from the confidential information storage module according to the connection information passed in, sends the authentication information to the mysql server using SPA first-packet authentication, and proxies the request directly to the mysql server in a high-performance, low-consumption mode without parsing mysql protocol packets. With this procedure the service can access mysql normally but can never obtain the true mysql connection information, and the mysql it can access is restricted to the one in the deployed configuration; it cannot access any other mysql.
The specific implementation comprises the following steps:
the administrator deploys and configures the mysql information, the service's secret storage access configuration and the service's environment variables;
at deployment the administrator randomly generates a mysql account, password and database name, and calls the mysql instance to create the service's database and add the account;
the control plane module is accessed over mTLS to write the mysql access information into the confidential information storage module, and the service's access rights to that confidential information are configured;
the control plane module first checks whether the request token has the right to write configuration and to write confidential information, and only then performs the subsequent actions. The fields of the service's confidential information access rights configuration include, but are not limited to, those in Table 1, which lists the key fields.
[Table 1: image not reproduced]
The data format of the custom configuration item is as shown in table 2:
[Table 2: image not reproduced]
The control plane module receives the configuration request and first checks the configuration for validity. If it is valid, it looks up by the service's unique identification number whether the service already has a confidential information access configuration: if so, that configuration is replaced by the incoming one; if not, a new configuration record is added. The configuration is then persisted in the control plane module's storage database.
After the configuration is stored successfully, the control plane module sends the configuration information to the configuration center module, which is currently a high-performance redis cluster. At the same time it sends the service's unique identification number to the redis stream carrying configuration update signals, whose key is watch_config:msp:service_rule; any message sent to this stream indicates that the corresponding service has a configuration update.
The control plane module secret information management interface fields are shown in table 3:
[Table 3: image not reproduced]
When the stored secret information is mysql connection information, as in this example, the data of Table 3 has a nested structure, as shown in Table 4:
[Table 4: image not reproduced]
The control plane module stores the information in the secret storage module; the storage key of the data is the service's unique identifier, a slash, and mysql_ followed by the database identifier:
for example 00635a8917ad7902c4f03332746546f4/mysql_DB1;
00635a8917ad7902c4f03332746546f4 is the unique identifier of the service and DB1 is the identifier of the database; the deployment module writes this identifier into the environment variables of the service;
and the database identifier (DB1) under which the confidential information is stored is written into the service's environment variables as the mysql account, password and database name, while the sidecar's access address (127.0.0.1:3306) is set as the mysql access address in the service's environment variables.
When the service is deployed, a sidecar container is injected at start-up; it starts and stops together with the service.
The service information is sent to the container cloud, which is responsible for starting and scheduling the service container and the sidecar container. This is not the focus of the system and is a fairly standard process, so it is not described in detail.
The service initiates an access request to mysql using the mysql access information obtained from its environment variables; because the mysql access address in the environment variables is the sidecar's address, the request is actually sent to the sidecar main module;
the service acquires mysql access information through environment variables:
MYSQL_HOST: 127.0.0.1
MYSQL_PORT: 3306
MYSQL_USERNAME: DB1
MYSQL_PASSWORD: DB1
MYSQL_DB_NAME: DB1
the service assembles the mysql connection string from the above information and connects:
"DB1:DB1@127.0.0.1:3306/DB1"
the Sidecar master module firstly checks whether the service is configured with the use authority of the confidential storage module according to the mysql access identification DB1, and determines whether the service has the access authority of the data corresponding to the DB1 through the black-and-white list field in the table 1. And after the service authority is confirmed, the confidential information corresponding to the mysql _ DB1 is obtained. The sidecar will get the actual mysql connection information shown in table 3 to establish a connection to the actual mysql store.
The sidecar main module adopts an SPA first packet authentication mode to proxy mysql traffic:
The main flow is shown in FIG. 3 (mysql first-packet authentication principle) and the general SPA first-packet field format in FIG. 4 (SPA first-packet verification format). Because of the connection characteristics of mysql, the flow keeps the idea of first-packet authentication but adapts it to the mysql protocol; the specific flow is as follows:
the service initiates a tcp connection request to the sidecar proxy, and the tcp connection is established after the tcp three-way handshake. The sidecar proxy sends a handshake packet to the service containing the mysql capabilities, the encryption seed and so on. The service computes a digest of its mysql login password with the encryption seed from the handshake packet, constructs an auth authentication packet and sends it to the db; the account password the service sends is taken from its environment variables and is the database label written at deployment, for example DB1:DB1@127.0.0.1/DB1.
The sidecar main module receives the authentication packet and obtains the account password sent by the service, in this case DB1, and with it obtains the real database connection information; one possible configuration is shown in Table 5:
[Table 5: image not reproduced]
The sidecar proxy then performs the SPA-mode handshake authentication with the mysql server using this information. After authentication passes, the sidecar receives the handshake-success OK packet from the mysql server and forwards it to the service. From the service's point of view it connected directly to mysql with DB1 as username and password; all the parsing and forwarding done by the sidecar is transparent to it. In reality DB1 is only a label, and even if an attacker acquires it, it poses no threat to the mysql database, because the real connection and authentication information remains secret.
After the connection is established, the sidecar forwards the traffic at the tcp layer-3 level as unparsed packets, which substantially reduces the sidecar's resource consumption.
The above steps are the main flow of the service access mysql. In addition, the following steps are involved in this case:
Sidecar dynamically sensing service configuration changes:
The configuration administrator or the management system defines the confidential configuration information of the service through the control plane module, the information format is shown in table 1, and the confidential configuration information includes a service unique identification number, an engine unique identifier of the confidential storage module, a key white list allowing the service to be acquired, or a key black list not allowing the service to be accessed (only one of the two is defined), and the customized configuration includes a cache configuration: cache expiration time, cache memory occupancy limits, and the namespace where the keys that the service is allowed to access are located.
When the confidential information of a service is stored at deployment, a namespace named with the service's unique identifier is created for each service, and the namespace the service is allowed to access is set to its unique identifier when the configuration is issued. Each service can only access data under its own namespace.
The control plane module will send configuration and configuration update signals to the configuration center redis cluster, and the configuration center module will record the service configuration and push the configuration update signals to the signal queue.
Each sidecar will first get configuration details once after it is started and record them in local memory. The sidecar will then establish a long poll with the configuration agent module, polling for configuration change signals. The configuration agent module monitors a configuration update signal queue of the configuration center, and when data is added to the queue, the configuration agent takes out the corresponding data. The data in the signal queue is the unique identification number of the service, and when the configuration agent acquires the service identification number representing the configuration update of the service, the configuration agent notifies the corresponding sidecar through long polling.
After the sidecar receives a configuration change signal, it requests the configuration's last update time from the configuration center, and if that time is later than the update time of the configuration held in local memory, it requests the full configuration. In this way the sidecar senses configuration changes at millisecond level.
Caching and telemetering confidential information:
Each time the sidecar obtains confidential information it encrypts it and adds it to the local cache. Before actually requesting confidential information it checks whether the information is already in the local cache; if so, the cached copy is used directly and no request is sent to the confidential storage module. Accessing mysql in this example is a high-frequency operation, and caching reduces both the latency of each response and the load on the confidential storage module. It also improves availability when the confidential storage module occasionally crashes: the confidential information can still be obtained from the cache until the cache entry expires. Entries are evicted when they expire or when the cache's memory occupancy reaches its upper limit, in which case some existing entries are deleted.
The sidecar records each time the service acquires confidential information and pushes these metrics to VictoriaMetrics in push mode for storage, where the platform can query and display them.
The service can directly obtain confidential information it needs to use:
Some information of a service may, for security reasons, not be storable in clear text in local or external storage components, such as certain meta-information used to control the service, which typically requires encrypted, tamper-resistant storage.
Such information can therefore be stored securely in the confidential storage component and obtained securely by the service through the sidecar: the service simply sends an http request to the sidecar, and may specify the following additional parameters when obtaining confidential information, as shown in Table 6:
[Table 6: image not reproduced]
it is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (10)

1. The data confidential information protection system based on the zero trust network is characterized in that: the system comprises a control plane module, a confidential information storage module, a configuration center, a configuration agent, a sidecar main module and an external system;
the control plane module is used for performing addition, deletion, modification and check operations on confidential information, verifying authority information of an operator, storing configuration information into the configuration center, and sending a configuration updating signal to the configuration center; the confidential information storage module is used for storing confidential information; the configuration center is used for receiving and storing a configuration updating signal; the configuration agent is used for calling the updating signal and the actual configuration from the configuration center, applying the configuration and simultaneously communicating with the sidecar main module; the sidecar main module is used for realizing management and verification of confidential information; the external system is used for receiving the micro-service call, and meanwhile, the micro-service can communicate with the sidecar main module to initiate a viewing request for confidential information content.
2. The zero trust network based data secret information protection system of claim 1, wherein: the control plane module comprises a visual interface and a safety module;
the control plane module workflow includes:
aiming at confidential information needed to be used by the service, the administrator takes the service identification number as a storage path prefix, and the confidential information is persistently stored in a confidential information storage module through the visual interface operation of the control plane module;
aiming at a service needing to configure confidential information, an administrator creates corresponding configuration information and a configuration updating signal by taking a service identification number as a main key, wherein the configuration information comprises an access address of a confidential information storage module used by the service, black and white list control information of the confidential information and cache configuration information;
the control plane module sends the configuration information and the configuration updating signal to a configuration center;
and the administrator performs addition, deletion, modification and check operations on the configuration information and the confidential information through a visual interface, wherein the addition, deletion, modification and check operations of the configuration information and the confidential information require 2FA secondary verification and security module triple verification.
3. The zero trust network based data secret information protection system of claim 1, wherein: the sidecar main module comprises a sidecar proxy module, a sidecar cache module and a sidecar confidential information management module;
the sidecar agent module is used for communicating with the configuration agent in an mtls mode, pulling configuration information corresponding to the service from the configuration center through the configuration agent, acquiring a configuration updating signal from the configuration agent through a long polling mode and applying configuration;
the sidecar agent module is also used for communicating with the confidential information storage module in an mtls mode, when the service initiates calling to an external system or initiates a request for checking the content of confidential information, the request is uniformly sent to the sidecar agent module, the sidecar agent module checks whether the service has the authority for requesting the information after receiving the request, and if the authority exists, the sidecar agent module initiates an information acquisition request to the confidential information storage module and executes corresponding operation;
the sidecar cache module is used for encrypting the acquired confidential information and caching the encrypted confidential information in a memory, and the caching behavior can be dynamically regulated and controlled by the configuration of the control plane module;
the sidecar confidential information management module is used for reporting the index information acquired by the confidential information storage module and the locally cached index information to the control plane module;
the control plane module queries the index information acquired by the confidential information storage module and the locally cached index information and displays the index information in a visual mode.
4. The zero trust network based data secret information protection system of claim 3, wherein: the sidecar agent module comprises:
after the sidecar agent module is started, an mtls communication mode is adopted, configuration information corresponding to the service is pulled from the configuration agent, and a configuration updating signal is obtained from the configuration agent through a long polling mode;
the configuration agent maintains long connection with the configuration center, forwards the configuration acquisition request to the configuration center, and simultaneously monitors a service configuration updating signal from the configuration center;
the sidecar agent module parses and applies the configuration; if it receives a configuration update signal, it first obtains the last update time of the configuration and compares it with the existing local configuration, and if the obtained last update time is later than that of the local configuration, it pulls the new configuration and parses and applies it;
the sidecar agent module further comprises:
S4-1, the service initiates a service confidential information viewing request to the external system and attaches the external system authentication information stored in its environment variable, namely the key under which the confidential information is stored; if that key is attached, the flow enters step S4-2, and if the key under which the confidential information is stored is not attached, the flow proceeds to step S4-5;
S4-2, after the sidecar agent module receives the service confidential information viewing request, it first checks, according to the configuration information of the service, whether the service has the right to query the confidential information;
S4-3, if the verification fails, an error is reported and a log is recorded; if the verification passes, it first checks whether the cache holds the confidential information queried by the service; if so, the confidential information in the cache is returned directly to the service; if not, it tries to acquire the confidential information from the confidential information storage module;
S4-4, if the confidential information cannot be obtained from the confidential information storage module, an error is reported and a log is recorded; if it can be obtained, the confidential information is encrypted and cached in local memory and returned to the service;
S4-5, the sidecar agent module receives the service confidential information viewing request, acquires the authorization information, takes the authorization information as the key under which the confidential information is stored, and enters steps S4-2 to S4-4 to obtain the real access address and authorization information of the external system from the confidential information content;
and S4-6, handshaking with the external system by adopting an SPA first packet authentication mode, forwarding the service access request to the external system and attaching real authorization information.
5. The zero trust network based data secret information protection system of claim 4, wherein: the SPA first packet verification mode comprises the following steps:
acquiring a general SPA initial packet field format;
the service initiates a tcp connection request to the sidecar main module and the tcp connection is established after the tcp three-way handshake; the sidecar main module sends a handshake packet to the service, and the service computes a digest of the acquired account password with the encryption seed in the handshake packet;
constructing an auth authentication packet and sending it to the db, wherein the account password sent by the service is acquired from the environment variable and is the database label written at deployment;
the sidecar main module receives the authentication packet and then obtains an account password sent by the service, and obtains real database connection information;
the sidecar main module performs handshake authentication with the client in an SPA mode according to the database connection information, receives a handshake success OK packet sent by the client after the authentication passes, and sends the handshake success OK packet to the service.
6. The zero trust network based data secret information protection system of claim 3, wherein: the sidecar cache module comprises:
randomly generating a 32-bit encryption key when the sidecar cache module is started, setting whether to enable the cache, the cache expiration time and the cache memory upper limit according to the cache configuration, with the cache expiration time set to 5 minutes and the cache memory upper limit set to 1MB by default;
when confidential information that missed the cache is obtained, or the forced-refresh parameter refresh_cache is attached to the request, the confidential information is stored in the cache under the concatenation key+version of the confidential information, so that the cache supports caching different versions of the same confidential information;
when confidential information content is cached, it is encrypted with the aes algorithm under the generated 32-bit encryption key and then stored in memory;
after the cache is full, if data needs to be stored in the cache, an LFU (least frequently used) eviction strategy is adopted to evict the key with the lowest use frequency in the current cache;
if the service specifies the refresh_cache parameter when acquiring the confidential information, the confidential information is acquired from the confidential information storage module and the cache content is updated.
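As an added example (not the patent's own code), a Go implementation of the sidecar cache of claim 6 and of the caching behaviour described under "Caching and telemetering confidential information": a per-process random key, AES-GCM encryption of every cached value, cache keys of the form key+version, expiry, a memory limit with least-frequently-used eviction, and a read path that honours refresh_cache and falls back to a still-valid cached copy when the storage module is unreachable. It assumes the claim's "32-bit" key means a 32-byte (AES-256) key, since AES only accepts 16, 24 or 32-byte keys, takes the 5-minute and 1 MB defaults as caller-supplied parameters, and uses a store callback in place of the confidential information storage module.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"time"
)

// entry is one cached secret: AES-GCM ciphertext plus what expiry and LFU eviction need.
type entry struct {
	nonce, ciphertext []byte
	expires           time.Time
	hits              int
}

// SecretCache is the sidecar's in-memory cache. Its AES key is generated at start-up and never
// leaves the process, so the map only ever holds ciphertext; claim 6's defaults (5 min, 1 MB) are passed in.
type SecretCache struct {
	aead        cipher.AEAD
	ttl         time.Duration
	limit, used int // memory upper limit and current usage, in ciphertext bytes
	items       map[string]*entry
}

// NewSecretCache draws a fresh random 32-byte key (AES-256) for this process.
func NewSecretCache(ttl time.Duration, limit int) (*SecretCache, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)  // cannot fail for a 32-byte key
	aead, _ := cipher.NewGCM(block) // cannot fail for a 128-bit block cipher
	return &SecretCache{aead: aead, ttl: ttl, limit: limit, items: map[string]*entry{}}, nil
}

// drop removes one entry and releases its accounted memory.
func (c *SecretCache) drop(ck string) {
	if e, ok := c.items[ck]; ok {
		c.used -= len(e.ciphertext)
		delete(c.items, ck)
	}
}

// Put encrypts one secret under the cache key key+version (so versions of one secret cache
// separately) and evicts least-frequently-used entries until it fits; a value larger than
// the whole limit is simply not cached.
func (c *SecretCache) Put(key, version string, plaintext []byte) error {
	ck := key + ":" + version
	c.drop(ck)
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	// ck is bound as additional data, so a ciphertext moved under another key will not open.
	e := &entry{nonce: nonce, ciphertext: c.aead.Seal(nil, nonce, plaintext, []byte(ck)), expires: time.Now().Add(c.ttl)}
	if len(e.ciphertext) > c.limit {
		return nil
	}
	for c.used+len(e.ciphertext) > c.limit { // LFU: evict the entry with the fewest hits (ties arbitrary)
		victim, least := "", -1
		for k, v := range c.items {
			if least < 0 || v.hits < least {
				victim, least = k, v.hits
			}
		}
		c.drop(victim)
	}
	c.items[ck] = e
	c.used += len(e.ciphertext)
	return nil
}

// Fetch is the sidecar read path: serve the cached copy unless refresh_cache was requested or
// the entry is missing, expired or will not decrypt; otherwise ask the confidential storage
// module (store) and re-cache. If the store is unreachable, a still-valid copy keeps the service up.
func (c *SecretCache) Fetch(key, version string, refreshCache bool, store func(key, version string) ([]byte, error)) ([]byte, error) {
	ck := key + ":" + version
	var cached []byte
	if e, ok := c.items[ck]; ok {
		pt, err := c.aead.Open(nil, e.nonce, e.ciphertext, []byte(ck))
		if err != nil || time.Now().After(e.expires) {
			c.drop(ck) // expired, or corrupted/tampered in memory: never serve it
		} else {
			e.hits++
			cached = pt
		}
	}
	if cached != nil && !refreshCache {
		return cached, nil
	}
	pt, err := store(key, version)
	if err != nil && cached != nil {
		return cached, nil // store outage: keep serving the valid cached copy
	} else if err != nil {
		return nil, err
	}
	return pt, c.Put(key, version, pt)
}
```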
7. The zero trust network based data secret information protection system of claim 3, wherein: the sidecar confidential information management module includes:
the sidecar confidential information management module records indexes each time the service acquires confidential information;
the sidecar confidential information management module reports the collected index information to VictoriaMetrics every 5 seconds in push mode, wherein the index information comprises: the number of times the service acquires each secret storage key, the size of memory occupied by the cache, the number of cache hits and the number of times keys in the cache change;
the control plane module can inquire the index information reported by the sidecar confidential information management module and display the telemetering information in a visual interface mode through aggregation.
8. The zero trust network based data secret information protection system of claim 2, wherein: the safety module comprises an input device safety authentication sub-module and an operation time safety authentication sub-module;
the input equipment safety certification submodule is used for acquiring a daily movement track of input equipment for controlling a visual interface and carrying out intelligent certification on an administrator for controlling the input equipment; the operation time security authentication submodule is used for acquiring operation time for an administrator to add, delete, modify and check configuration information and confidential information through a visual interface and intelligently authenticating the administrator who operates;
the output ends of the input equipment safety authentication submodule and the operation time safety authentication submodule are connected to an error reporting port of the system, and logs are recorded when error reporting is generated.
9. The zero trust network based data secret information protection system of claim 8, wherein: the input device safety authentication sub-module comprises:
extracting moving area tracks of H groups of input equipment from historical data, and dividing the H groups of data into a training set and a testing set in a 9:1 mode;
constructing a moving area track graph according to training set data of a moving area track of input equipment in historical data;
the moving area track graph comprises all moving track points in a training set, and the minimum distance between any moving track point and the edge of the moving area track graph does not exceed L, wherein L is a first safety difference value threshold;
obtaining test set data, substituting the test set data into the moving area track graph, obtaining the number of moving track points appearing outside the moving area track graph and the average value of the minimum distances between all the moving track points outside the moving area track graph and the edge of the moving area track graph in each group of data, and recording them as [symbols: image not reproduced],
wherein [symbol: image not reproduced] is the number of moving track points appearing outside the moving area track graph in the ith group of data, and [symbol: image not reproduced] is the average value of the minimum distances between all the moving track points outside the moving area track graph and the edge of the moving area track graph in the ith group of data;
calculating a predicted output result according to the formula [formula: image not reproduced],
wherein [symbol: image not reproduced] represents the predicted output result; y represents the number of data groups in the test set; [symbols: image not reproduced] respectively represent, for each of the y groups of data, the number of moving track points appearing outside the moving area track graph; and [symbols: image not reproduced] respectively represent, for each of the y groups of data, the average value of the minimum distances between all the moving track points outside the moving area track graph and the edge of the moving area track graph;
obtaining the moving track points of the current operation, and comparing the moving track points with the moving area track graph to obtain the number of the moving track points appearing outside the moving area track graph
Figure 219136DEST_PATH_IMAGE008
And an average value of minimum distances between all the movement locus points outside the movement region locus diagram and the edge of the movement region locus diagram
Figure 129454DEST_PATH_IMAGE009
Constructing a safety detection value:
Figure 899964DEST_PATH_IMAGE010
wherein the content of the first and second substances,
Figure 854014DEST_PATH_IMAGE011
representing a safety detection value;
Figure 709974DEST_PATH_IMAGE012
Figure 423983DEST_PATH_IMAGE013
respectively represent the detection coefficient values;
and acquiring a set safety threshold, generating an error report if the safety detection value exceeds the safety threshold, and recording a log.
10. The zero trust network based data secret information protection system of claim 8, wherein: the operation time safety authentication sub-module comprises:
acquiring the operation time of each operation of adding, deleting, modifying and checking the configuration information and the confidential information by an administrator through a visual interface;
for any one operation, selecting s groups of data as a training set and taking the (s+1)-th group as the next prediction target;
the formula is established as follows:
Figure 783421DEST_PATH_IMAGE014
wherein
Figure 173951DEST_PATH_IMAGE015
represents the predicted operation time for the next time of any one operation;
Figure 251628DEST_PATH_IMAGE016
is a predicted intercept;
Figure 503749DEST_PATH_IMAGE017
is a predicted slope;
Figure 107906DEST_PATH_IMAGE018
is the number of periods to forecast ahead of the trend; s is the number of historical data periods;
Figure 544703DEST_PATH_IMAGE019
Figure 985043DEST_PATH_IMAGE020
wherein
Figure 165488DEST_PATH_IMAGE021
represents a moving average of the u groups of data;
Figure 358572DEST_PATH_IMAGE022
represents the second (double) moving average over u groups of data; u represents the number of data groups in the moving window;
obtaining the operation time under the current operation, and recording as
Figure 966271DEST_PATH_IMAGE023
constructing a second safety difference threshold; if
Figure 893907DEST_PATH_IMAGE024
exceeds the second safety difference threshold, generating an error report and recording a log.
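As an added worked example (not code from the patent), the operation-time check of this claim implemented with the standard double-moving-average forecast. The claim's own formulas are images that did not survive extraction, so the intercept, slope and forecast expressions below are the textbook ones that the claim's named quantities (moving average over u groups, second moving average, predicted intercept and slope, periods ahead) correspond to; the administrator timings and the threshold are constructed sample values.

```python
from dataclasses import dataclass

def moving_average(series, u):
    """First moving average M over the most recent u observations."""
    if u < 2 or len(series) < u:
        raise ValueError("need u >= 2 and at least u observations")
    return sum(series[-u:]) / u

def second_moving_average(series, u):
    """Second moving average M2: the mean of the last u first moving averages."""
    if len(series) < 2 * u - 1:
        raise ValueError("need at least 2u-1 observations")
    firsts = [sum(series[i - u:i]) / u for i in range(u, len(series) + 1)]
    return sum(firsts[-u:]) / u

def forecast_operation_time(history, u, periods_ahead=1):
    """Double-moving-average forecast (assumed form of the claim's formula):
    intercept a = 2*M - M2, slope b = 2*(M - M2)/(u-1), forecast = a + b*T."""
    m1 = moving_average(history, u)
    m2 = second_moving_average(history, u)
    intercept = 2 * m1 - m2
    slope = 2.0 / (u - 1) * (m1 - m2)
    return intercept + slope * periods_ahead

@dataclass
class TimeCheck:
    predicted: float
    observed: float
    deviation: float
    alert: bool  # True -> generate error report and record a log entry

def check_operation_time(history, observed, u, second_threshold):
    """Forecast the (s+1)-th operation time from s historical timings and flag
    the observed time if it differs from the forecast by more than the
    second safety difference threshold."""
    predicted = forecast_operation_time(history, u)
    deviation = abs(observed - predicted)
    return TimeCheck(predicted, observed, deviation, deviation > second_threshold)

# Constructed sample: seconds an administrator spent on the last seven
# "modify configuration" operations in the visual interface (s = 7).
HISTORY = [30.0, 32.0, 34.0, 36.0, 38.0, 40.0, 42.0]

if __name__ == "__main__":
    for observed in (44.5, 120.0):
        r = check_operation_time(HISTORY, observed, u=3, second_threshold=5.0)
        status = "ERROR REPORT" if r.alert else "ok"
        print(f"{status}: observed {r.observed}s, predicted {r.predicted:.1f}s, "
              f"deviation {r.deviation:.1f}s")
```

With the linear sample history the forecast for the eighth operation is exactly 44.0 s, so 44.5 s passes while 120.0 s trips the threshold and would be written to the log.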
CN202210375221.1A 2022-04-11 2022-04-11 Data confidential information protection system based on zero trust network Active CN114465827B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210375221.1A CN114465827B (en) 2022-04-11 2022-04-11 Data confidential information protection system based on zero trust network

Publications (2)

Publication Number Publication Date
CN114465827A true CN114465827A (en) 2022-05-10
CN114465827B CN114465827B (en) 2022-06-24

Family

ID=81418274

Country Status (1)

Country Link
CN (1) CN114465827B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116069264A (en) * 2023-03-13 2023-05-05 南京飓风引擎信息技术有限公司 Application program data information storage control system

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20200084281A1 (en) * 2018-09-12 2020-03-12 Pivotal Software, Inc. Secure binding workflow
US10623390B1 (en) * 2017-08-24 2020-04-14 Pivotal Software, Inc. Sidecar-backed services for cloud computing platform
US20200133789A1 (en) * 2018-10-25 2020-04-30 EMC IP Holding Company LLC Application consistent snapshots as a sidecar of a containerized application
US10764244B1 (en) * 2019-06-12 2020-09-01 Cisco Technology, Inc. Systems and methods providing a multi-cloud microservices gateway using a sidecar proxy

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right
Effective date of registration: 20230324
Address after: 1202-059, Floor 12, Building 5, Yunmi City, No. 19, Ningshuang Road, Yuhuatai District, Nanjing City, Jiangsu Province, 210000
Patentee after: Nanjing hurricane engine information technology Co.,Ltd.
Address before: 210000 1202-053, floor 12, building 5, yunmi City, No. 19, ningshuang Road, Yuhuatai District, Nanjing, Jiangsu Province
Patentee before: Nanjing zhirenyun Information Technology Co.,Ltd.