CN114465827B - Data confidential information protection system based on zero trust network - Google Patents


Info

Publication number: CN114465827B
Application number: CN202210375221.1A
Authority: CN (China)
Prior art keywords: configuration, module, information, confidential information, service
Legal status: Active (Google's status listing is an assumption, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN114465827A
Inventors: 李彪, 张超, 徐建平
Current assignee: Nanjing Hurricane Engine Information Technology Co ltd
Original assignee: Nanjing Zhirenyun Information Technology Co ltd
Events: application filed by Nanjing Zhirenyun Information Technology Co ltd; priority to CN202210375221.1A; publication of CN114465827A; application granted; publication of CN114465827B; legal status active

Classifications

    • H04L 63/0428: Network architectures or protocols for network security; confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • G06F 16/24552: Information retrieval of structured data, e.g. relational data; query processing and execution; database cache management
    • G06F 21/602: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity; protecting data; providing cryptographic facilities or services
    • G06F 21/6245: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects (G06F 21/6218); protecting personal data, e.g. for financial or medical purposes
    • H04L 41/22: Arrangements for maintenance, administration or management of data switching networks, comprising specially adapted graphical user interfaces [GUI]
    • H04L 41/28: Restricting access to network management systems or functions, e.g. using an authorisation function to access network configuration
    • H04L 63/0884: Network security; authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity on its behalf vis-à-vis an authentication entity
    • H04L 69/163: Implementation or adaptation of IP, TCP or UDP; in-band adaptation of TCP data exchange, in-band control procedures


Abstract

The invention discloses a data confidential information protection system based on a zero trust network and belongs to the technical field of communication. The system comprises a control plane module, a confidential information storage module, a configuration center, a configuration agent, a sidecar main module and an external system. The control plane module adds, deletes, modifies and queries confidential information, verifies the operator's authority information, stores configuration information in the configuration center and sends a configuration update signal to the configuration center; the confidential information storage module stores the confidential information; the configuration center receives and stores the configuration update signal; the configuration agent retrieves the update signal and the actual configuration from the configuration center, applies the configuration and at the same time communicates with the sidecar main module; the sidecar main module manages and verifies the confidential information; and the external system receives the micro-service call, the micro-service initiating a viewing request for the confidential information content.

Description

Data confidential information protection system based on zero trust network
Technical Field
The invention relates to the technical field of communication, in particular to a data confidential information protection system based on a zero trust network.
Background
In a zero trust network, the sensitive information of a micro-service, in particular the passwords, keys and tokens used to authenticate to external systems, is usually stored in configuration files or environment variables. On the one hand these locations are insecure and easy for an attacker to obtain: the information is usually passed between systems in plaintext, any insecure link can cause a leak, and protection is difficult. On the other hand, ordinary development or operations personnel can reach the database, so incidents such as malicious deletion of a database occur easily. Some solutions have recognised the problem and store such sensitive information in a confidential storage component, but that information also needs an efficient management system that governs which services and which personnel may view which information. Moreover, when a service integrates with such information, a corresponding SDK usually has to be imported for each different confidential storage component, which adds a large amount of template code unrelated to the actual business logic to the project. Existing schemes find it difficult to control information and permissions at fine granularity in near real time: after the data or the permission configuration changes, the service cannot effectively and promptly obtain the changed data or apply the changed permissions.
On this basis, some security risks remain in certain scenarios: first, no zero trust protection is added to the communication loop, so a man-in-the-middle attack or an illegal client stealing confidential information is possible; second, the confidential information still resides in the service's memory, so the operator or maintainer of the service can still intercept its actual content.
Disclosure of Invention
The invention aims to provide a data confidential information protection system based on a zero trust network, so as to solve the problems described in the background.
To solve these technical problems, the invention provides the following technical scheme:
the data confidential information protection system based on the zero trust network comprises a control plane module, a confidential information storage module, a configuration center, a configuration agent, a sidecar main module and an external system;
the control plane module is used to add, delete, modify and query confidential information, verify owner information, store configuration information in the configuration center and send a configuration update signal to the configuration center; the confidential information storage module is used to store confidential information; the configuration center is used to receive and store the configuration update signal; the configuration agent is used to retrieve the update signal and the actual configuration from the configuration center, apply the configuration and at the same time communicate with the sidecar main module; the sidecar main module is used to manage and verify confidential information; and the external system is used to receive micro-service calls, while the micro-service can communicate with the sidecar main module to initiate a viewing request for confidential information content.
According to the technical scheme, the control plane module comprises a visual interface and a security module;
the control plane module workflow includes:
for confidential information that a service needs to use, the administrator takes the service identification number as the prefix of the storage path and persists the confidential information in the confidential information storage module through the visual interface of the control plane module;
for a service that needs confidential information configured, the administrator creates the corresponding configuration information and configuration update signal with the service identification number as the primary key, the configuration information comprising the access address of the confidential information storage module used by the service, black and white list control information for the confidential information, and cache configuration information;
the control plane module sends the configuration information and the configuration update signal to the configuration center;
and the administrator adds, deletes, modifies and queries the configuration information and the confidential information through the visual interface, where each of these operations on configuration information and confidential information requires 2FA secondary verification and security module triple verification.
The control plane module authenticates every operation and allows the corresponding behaviour only when the administrator user holds the authority points for adding, deleting, modifying or querying the confidential information concerned.
According to the technical scheme, the sidecar main module comprises a sidecar agent (proxy) module, a sidecar cache module and a sidecar confidential information management module;
the sidecar agent module is used to communicate with the configuration agent over mTLS, pull the configuration information corresponding to the service from the configuration center through the configuration agent, obtain the configuration update signal from the configuration agent by long polling, and apply the configuration;
the sidecar agent module is also used to communicate with the confidential information storage module over mTLS: when the service calls an external system or requests to view confidential information content, the request is uniformly sent to the sidecar agent module, which on receipt checks whether the service has the authority to request that information and, if it does, initiates an information acquisition request to the confidential information storage module and performs the corresponding operation;
the sidecar cache module is used to encrypt the acquired confidential information and cache it in memory, the caching behaviour being dynamically regulated by the configuration from the control plane module;
the sidecar confidential information management module is used to report to the control plane module the index information obtained from the confidential information storage module and the locally cached index information;
the control plane module can query the index information obtained from the confidential information storage module and the locally cached index information and display it visually.
According to the above technical solution, the sidecar agent module operates as follows:
after the sidecar agent module starts, it pulls the configuration information corresponding to the service from the configuration agent over mTLS and obtains the configuration update signal from the configuration agent by long polling;
the configuration agent maintains a long connection with the configuration center, forwards the configuration acquisition request to the configuration center, and at the same time listens for the service configuration update signal from the configuration center;
the sidecar agent module parses and applies the configuration; if it receives a configuration update signal, it first obtains the last update time of the configuration and compares it with the existing local configuration, and if the obtained last update time is later than the last update time of the local configuration, it pulls the new configuration and parses and applies it;
the sidecar agent module further performs the following steps:
S4-1, the service sends a request to view the service's secret information to the external system, attaching the external system's authentication information stored in the environment variable, namely the key under which the secret information is stored, and then proceeds to step S4-2; if the key of the stored confidential information is not attached, it proceeds to step S4-5;
S4-2, after the sidecar agent module receives the request to view the service's confidential information, it first checks from the service's configuration information whether the service has the authority to query that confidential information;
S4-3, if the check fails, an error is reported and a log is recorded; if the check passes, the module first checks whether the cache holds the confidential information the service queried; if so, the cached confidential information is returned directly to the service; if not, it tries to obtain the secret information from the confidential information storage module;
S4-4, if the confidential information cannot be obtained from the confidential information storage module, an error is reported and a log is recorded; if it can be obtained, the confidential information is encrypted and cached in local memory and returned to the service;
S4-5, the sidecar agent module receives the request to view the service's confidential information, obtains the authorization information, takes it as the key under which the confidential information is stored, and enters steps S4-2 to S4-4 to obtain the external system's real access address and authorization information from the confidential information content;
the sidecar is a form of middleware that is mainly responsible for governing the traffic between services. Its main function is to supplement the service at run time, and combined with zero trust it greatly enhances the security of the system. It mainly covers three aspects of security: data transfer security, data storage security and data visibility security. First, each sidecar and each core component applies for a certificate from a CA center as its identity and communicates using mTLS mutual authentication, which greatly increases the difficulty of stealing data in transit and so improves transfer security. Confidential information is stored in the confidential storage component in encrypted form, so that even if a data disk is stolen the data cannot be decrypted, which improves storage security. The sidecar separates authorities and filters data between services and data, which effectively prevents a service from obtaining data beyond its authorization and improves data visibility security.
S4-6, a handshake with the external system is performed in SPA first-packet authentication mode, and the service access request is forwarded to the external system with the real authorization information attached.
According to the technical scheme, the SPA first-packet verification mode comprises the following steps:
obtaining the general SPA initial packet field format;
the service initiates a TCP connection request to the sidecar main module and the TCP connection is established after the TCP three-way handshake; the sidecar main module sends a handshake packet to the service, and the service computes a digest of the obtained account password according to the encrypted seed in the handshake packet;
an auth authentication packet is constructed and sent to the db, where the account password sent by the service is obtained from the environment variable and is the database written at deployment;
the sidecar main module receives the authentication packet, obtains the account password sent by the service, and obtains the real database connection information;
the sidecar main module performs handshake authentication with the client in SPA mode according to the database connection information, receives the handshake success OK packet sent by the client after the authentication passes, and sends the handshake success OK packet to the service.
According to the above technical solution, the sidecar cache module operates as follows:
when the sidecar cache module starts, a 32-bit encryption key is generated at random, and whether the cache is enabled, the cache expiry time and the cache memory upper limit are set according to the cache configuration, the defaults being an expiry time of 5 minutes and a memory upper limit of 1MB;
when confidential information that missed the cache is obtained, or the forced-refresh parameter refresh_cache is attached when the confidential information is obtained, the confidential information is stored in the cache under a key formed by concatenating the confidential information's key and version, so that the cache supports different versions of the same confidential information;
when confidential information content is cached, it is encrypted with the generated 32-bit encryption key using the AES encryption algorithm before being stored in memory;
when the cache is full and data needs to be stored in it, an LFU (least frequently used) eviction strategy evicts the key with the lowest use frequency from the current cache;
if the service specifies the refresh_cache parameter when obtaining confidential information, the confidential information is obtained from the confidential information storage module and the cache content is updated.
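Steps S4-2 to S4-4 above and the cache module just described, as an added Go illustration that is not the patent's own code: a whitelist check from the service's configuration (the page's black list is omitted for brevity), an AES-GCM encrypted in-memory cache keyed by key+version under a random 32-byte key drawn at start-up, expiry, a byte cap with LFU eviction, and the refresh_cache bypass. The ServiceConfig field names, the fetch callback standing in for the mTLS call to the storage module, and the sample store are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

// ServiceConfig stands in for the per-service configuration the control plane pushes (assumed names).
type ServiceConfig struct {
	Allow    map[string]bool // whitelist of secret keys this service may read
	CacheOn  bool            // cache switch, adjustable from the control plane
	TTL      time.Duration   // cache expiry (the page's default is 5 minutes)
	MaxBytes int             // cache memory cap (the page's default is 1MB)
}

type entry struct {
	nonce, ct []byte // AES-GCM nonce and ciphertext; plaintext never sits in the map
	hits      int    // use count that drives LFU eviction
	expires   time.Time
}

// Sidecar models the agent and cache sub-modules; fetch stands in for the mTLS call to the store.
type Sidecar struct {
	cfg   ServiceConfig
	fetch func(key, version string) ([]byte, error)
	aead  cipher.AEAD
	cache map[string]*entry
	used  int // cache bytes in use, one of the indexes the page reports
}

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic("crypto/rand unavailable: " + err.Error()) // no safe fallback for key material
	}
	return b
}

// NewSidecar draws a fresh random 32-byte AES key at start-up (page); NewCipher/NewGCM cannot fail for it.
func NewSidecar(cfg ServiceConfig, fetch func(string, string) ([]byte, error)) *Sidecar {
	block, _ := aes.NewCipher(randBytes(32))
	aead, _ := cipher.NewGCM(block)
	return &Sidecar{cfg: cfg, fetch: fetch, aead: aead, cache: map[string]*entry{}}
}

// GetSecret is steps S4-2 to S4-4: permission check, encrypted cache, then the store; refresh is refresh_cache.
func (s *Sidecar) GetSecret(key, version string, refresh bool) ([]byte, error) {
	if !s.cfg.Allow[key] {
		return nil, fmt.Errorf("service may not read %q", key) // caller logs and denies
	}
	ck := key + ":" + version // key+version, so versions of one secret coexist in the cache
	if e, ok := s.cache[ck]; ok && s.cfg.CacheOn && !refresh && time.Now().Before(e.expires) {
		e.hits++
		return s.aead.Open(nil, e.nonce, e.ct, []byte(ck))
	}
	pt, err := s.fetch(key, version) // cache miss, expired entry or forced refresh
	if err == nil && s.cfg.CacheOn {
		s.put(ck, pt)
	}
	return pt, err // a store failure is handed back for the caller to log (S4-4)
}

func (s *Sidecar) put(ck string, pt []byte) {
	s.evict(ck) // an expired or refreshed entry for this key+version is replaced
	nonce := randBytes(s.aead.NonceSize())
	ct := s.aead.Seal(nil, nonce, pt, []byte(ck)) // cache key bound as AAD
	size := len(nonce) + len(ct)
	for size <= s.cfg.MaxBytes && s.used+size > s.cfg.MaxBytes { // LFU: evict least-used until it fits
		victim := ""
		for k, e := range s.cache {
			if victim == "" || e.hits < s.cache[victim].hits {
				victim = k
			}
		}
		s.evict(victim)
	}
	if s.used+size <= s.cfg.MaxBytes { // an entry larger than the whole cache is served, not cached
		s.cache[ck] = &entry{nonce: nonce, ct: ct, expires: time.Now().Add(s.cfg.TTL)}
		s.used += size
	}
}

func (s *Sidecar) evict(ck string) {
	if e, ok := s.cache[ck]; ok {
		s.used -= len(e.nonce) + len(e.ct)
		delete(s.cache, ck)
	}
}

func main() {
	store := map[string][]byte{"db/password:v1": []byte("constructed-pw")} // constructed sample
	cfg := ServiceConfig{Allow: map[string]bool{"db/password": true}, CacheOn: true, TTL: 5 * time.Minute, MaxBytes: 1 << 20}
	sc := NewSidecar(cfg, func(k, v string) ([]byte, error) { return store[k+":"+v], nil }) // demo store
	sc.GetSecret("db/password", "v1", false)          // first call misses and fills the cache
	pw, _ := sc.GetSecret("db/password", "v1", false) // second call is decrypted from the cache
	_, err := sc.GetSecret("api/token", "v1", false)  // not whitelisted: denied
	fmt.Printf("%s hits=%d err=%v\n", pw, sc.cache["db/password:v1"].hits, err)
}
```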
According to the above technical solution, the sidecar confidential information management module operates as follows:
the sidecar confidential information management module records indexes each time the service obtains confidential information;
the sidecar confidential information management module reports the collected index information to VictoriaMetrics every 5 seconds in push mode, the index information comprising, for each secret storage key the service uses: the number of times it was obtained, the cache memory it occupies, the number of cache hits, and the number of times keys in the cache changed (were added or evicted);
the control plane module can query the index information reported by the sidecar confidential information management module and display the aggregated telemetry in the visual interface.
According to the technical scheme, the security module comprises an input device security authentication sub-module and an operation time security authentication sub-module;
the input device security authentication sub-module is used to obtain the daily movement track of the input device that controls the visual interface and to intelligently authenticate the administrator controlling the input device; the operation time security authentication sub-module is used to obtain the times at which an administrator adds, deletes, modifies or queries configuration information and confidential information through the visual interface and to intelligently authenticate the administrator performing the operation;
the outputs of the input device security authentication sub-module and the operation time security authentication sub-module are connected to the system's error reporting port, and a log is recorded whenever an error is reported.
According to the above technical solution, the input device security authentication sub-module operates as follows:
extracting H groups of input device movement area tracks from historical data and dividing the H groups into a training set and a test set in a 9:1 ratio;
constructing a movement area track graph from the training-set data of the input device movement area tracks in the historical data;
the movement area track graph contains all movement track points in the training set, and the minimum distance between any movement track point and the edge of the graph does not exceed L, where L is the first safety difference threshold;
obtaining the test-set data and substituting it into the movement area track graph to obtain, for each group of data, the number of movement track points falling outside the graph and the average of the minimum distances between all movement track points outside the graph and the edge of the graph, recorded as [symbol image not reproduced], where [symbol image not reproduced] denotes the number of movement track points outside the movement area track graph in the i-th group of data and [symbol image not reproduced] denotes the average of the minimum distances between all movement track points outside the graph and the edge of the graph in the i-th group of data;
calculating the predicted output result according to the formula [formula image not reproduced], where [symbol image not reproduced] represents the predicted output result; y represents the number of test-set data groups; [symbol images not reproduced] represent, for each of the y groups of data, the number of movement track points outside the movement area track graph; and [symbol images not reproduced] represent, for each of the y groups of data, the average of the minimum distances between all movement track points outside the graph and the edge of the graph;
obtaining the movement track points of the current operation and comparing them with the movement area track graph to obtain the number of movement track points outside the graph [symbol image not reproduced] and the average of the minimum distances between all movement track points outside the graph and the edge of the graph [symbol image not reproduced];
constructing a safety detection value [formula image not reproduced], where [symbol image not reproduced] represents the safety detection value and [symbol images not reproduced] represent the detection coefficient values;
and obtaining the configured safety threshold; if the safety detection value exceeds the safety threshold, an error is reported and a log is recorded.
In the system, the common input device is a mouse. Because each person has different behavioural habits and arm lengths, the areas covered by their mouse tracks differ. Multiple sets of historical data are analysed to map the movement area of the administrator's input device; once the track in any operation deviates greatly, or the track target cannot be obtained, it indicates that the administrator is not operating in person, probably because the administrator has replaced the input device or the data channel has been hijacked and another input device connected. An alarm is raised at once and a log is kept for subsequent examination and analysis.
According to the above technical solution, the operation time security authentication sub-module operates as follows:
obtaining the time of each operation in which an administrator adds, deletes, modifies or queries configuration information and confidential information through the visual interface;
for any one of these operations, selecting s groups of data as the training set and taking s+1 as the next prediction result;
establishing the formula [formula image not reproduced], where [symbol image not reproduced] represents the predicted time of the next occurrence of the operation; [symbol image not reproduced] is the predicted intercept; [symbol image not reproduced] is the predicted slope; [symbol image not reproduced] is the number of periods predicted for the new trend, which for s+1 equals 1; and s is the number of historical data periods;
[formula images not reproduced], where [symbol image not reproduced] represents the moving average over u groups of data; [symbol image not reproduced] represents the quadratic (second) moving average over u groups of data; and u is the number of data groups participating in the move;
obtaining the operation time of the current operation, recorded as [symbol image not reproduced];
constructing a second safety difference threshold; if [expression image not reproduced] exceeds the second safety difference threshold, an error is reported and a log is recorded.
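The operation-time check, as an added Go example that is not the patent's own code. Because the page's formula images are not reproduced, it assumes the standard double moving average formulation (intercept 2M - M', slope 2/(u-1) times (M - M'), forecast = intercept + slope times T with T = 1, where M and M' are the last first and second moving averages over u periods); the representation of operation times as minutes after midnight and the sample series are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"math"
)

// movingAverages returns the simple moving averages of x over windows of u periods.
func movingAverages(x []float64, u int) []float64 {
	m := make([]float64, len(x)-u+1)
	for i := range m {
		sum := 0.0
		for _, v := range x[i : i+u] {
			sum += v
		}
		m[i] = sum / float64(u)
	}
	return m
}

// ForecastNext applies the double moving average method (assumed formulation, see the
// lead-in) to s historical operation times and returns the predicted time for period
// s+1 (T = 1) together with the predicted intercept and slope.
func ForecastNext(hist []float64, u int) (pred, intercept, slope float64, err error) {
	if u < 2 || len(hist) < 2*u-1 {
		return 0, 0, 0, errors.New("need u >= 2 and at least 2u-1 historical periods")
	}
	m1 := movingAverages(hist, u) // moving average over u groups
	m2 := movingAverages(m1, u)   // quadratic (second) moving average over u groups
	last1, last2 := m1[len(m1)-1], m2[len(m2)-1]
	intercept = 2*last1 - last2
	slope = 2 / float64(u-1) * (last1 - last2)
	const T = 1 // periods ahead; the page fixes it to 1 for s+1
	return intercept + slope*T, intercept, slope, nil
}

// CheckOperationTime is the sub-module's decision: an error (to be logged) when the
// observed operation time deviates from the forecast by more than the second safety
// difference threshold. It returns whether an alarm is raised and the deviation.
func CheckOperationTime(hist []float64, u int, observed, threshold float64) (bool, float64, error) {
	pred, _, _, err := ForecastNext(hist, u)
	if err != nil {
		return false, 0, err
	}
	deviation := math.Abs(observed - pred)
	return deviation > threshold, deviation, nil
}

func main() {
	// Constructed sample: minut after midnight at which an administrator modified a
	// configuration on each of the last seven working days (an assumed representation).
	hist := []float64{540, 545, 550, 555, 560, 565, 570}
	pred, a, b, _ := ForecastNext(hist, 3)
	fmt.Printf("intercept=%.1f slope=%.1f predicted next=%.1f\n", a, b, pred)
	for _, observed := range []float64{577, 620} {
		alarm, dev, _ := CheckOperationTime(hist, 3, observed, 10)
		fmt.Printf("observed=%.0f deviation=%.1f alarm=%v\n", observed, dev, alarm)
	}
}
```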
Compared with the prior art, the invention has the following beneficial effects:
it solves the problem of confidential information being stolen or abused while an application obtains sensitive information such as database information, sensitive environment variable information, keys and tokens (collectively referred to as confidential information), avoids the system security problems caused by misuse or theft of confidential information, and effectively protects the system;
the system encrypts the service's sensitive information, in particular the passwords and keys used for identity authentication, and stores it in the confidential storage module, so that the information is no longer exposed in environment variables and configuration files, which increases the service's information security;
by connecting different services through the sidecar module, the system further improves security, improves system performance and lowers the entry threshold for service developers;
the invention provides a visual platform and an API (application programming interface) through which administrators and management programs manage information content and information authority, controls information and authority at fine granularity, greatly increases the usability of the system, and effectively prevents persons or systems without authority from obtaining confidential information;
communication among the system's components uses mTLS zero trust communication, which improves security during information transmission and prevents information from being intercepted or forged in transit;
the system adds an encrypted in-memory cache of confidential information in the sidecar, which preserves data security, speeds up responses and improves the availability of the system while the confidential storage module is briefly down;
when the proxy service accesses an external system, the system uses SPA first-packet authentication, which reduces the proxy's resource consumption and optimises resource usage well when data packets are large.
Drawings
The accompanying drawings, which are included to provide a further understanding of the invention and are incorporated in and constitute a part of this specification, illustrate embodiments of the invention and together with the description serve to explain the principles of the invention and not to limit the invention. In the drawings:
FIG. 1 is a schematic diagram of the overall architecture of a data secret information protection system based on a zero trust network according to the present invention;
FIG. 2 is a schematic diagram of the overall architecture of an embodiment of a data secret information protection system based on a zero trust network according to the present invention;
FIG. 3 is a schematic diagram of the mysql first packet authentication principle in part of an embodiment of a data secret information protection system based on a zero trust network according to the present invention;
fig. 4 is a schematic diagram of the SPA first packet authentication format in part of an embodiment of the data secret information protection system based on the zero trust network.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
Referring to fig. 1-4, in the present embodiment:
the scenario is the protection of information such as passwords when a service accesses an external mysql system; it mainly describes the case of protecting mysql access information as confidential information.
mysql serves as the data persistence storage facility of the service, and its security determines the security of the entire service. In practice, program developers have mistakenly deleted databases many times, and operations developers log in to the database directly with the data connection information and modify its content.
By introducing the system, the deployment module writes the database access information into the confidential information storage module through the control plane module and sets the corresponding environment variables in the service configuration. The service accesses the database through the connection information in its environment variables, but the actual request goes to the sidecar main module. The sidecar main module obtains the real database connection information from the confidential information storage module based on the connection information it received, sends the authentication information to the mysql server using SPA first packet authentication, and then proxies the request directly to the mysql server in a high-performance, low-consumption mode without parsing mysql protocol packets. With this procedure the service can access mysql normally but can never obtain the true mysql connection information, and the mysql it can access is restricted to the one in the deployed configuration; it cannot access any other mysql.
The specific implementation comprises the following steps:
the administrator deploys and configures the mysql information, the confidential storage authority configuration of the service and the environment variable information of the service;
the deployment randomly generates a mysql account, password and database name, and calls the mysql instance to create the service's database and add the account and password;
the control plane module is accessed in mTLS mode to write the mysql access information into the confidential information storage module, and the access authority for the confidential information is configured for the service;
the control plane module first checks whether the request token has the authority to write configuration and to write confidential information, and only then performs the subsequent actions. The confidential information access rights configuration fields of the service include, but are not limited to, those in table 1, which lists the key fields.
(Table 1 is an image in the original document and is not reproduced in this text.)
The data format of the custom configuration item is as shown in table 2:
(Table 2 is an image in the original document and is not reproduced in this text.)
the control plane module receives the configuration request and first checks the configuration's validity. If it is legal, it checks by the service's unique identification number whether the service already has a confidential information access configuration: if one exists, it is overwritten with the incoming configuration; if not, a new configuration record is added. The configuration is then persisted in the control plane module's storage database.
After the configuration is stored successfully, the control plane module sends the configuration information to the configuration center module, currently a high-performance redis cluster. At the same time it sends the service's unique identification number to the configuration update signal redis stream, whose key is watch_config:msp:service_rule; any message sent to this stream indicates that the corresponding service has a configuration update.
The control plane module secret information management interface fields are shown in table 3:
(Table 3 is an image in the original document and is not reproduced in this text.)
When the stored secret information is mysql connection information, as in this example, the data field of table 3 is a nested structure, as shown in table 4:
(Table 4 is an image in the original document and is not reproduced in this text.)
the control plane module stores the information in the secret storage module; the storage key of the data is the service unique identifier/mysql_database identifier:
for example 00635a8917ad7902c4f03332746546f4/mysql_DB1;
00635a8917ad7902c4f03332746546f4 is the unique identifier of the service and DB1 is the identifier of the database; the deployment module writes this identifier into the environment variables of the service;
the database identifier of the confidential information (DB1) is written into the service's environment variables as the mysql account, password and database name, and the mysql access address in the service's environment variables is set to the access address of the sidecar (127.0.0.1:3306).
The service is deployed; when it starts, a sidecar container is injected alongside it, and the sidecar stops when the service stops.
The service information is sent to the container cloud, which is responsible for starting and scheduling the service container and the sidecar container. This is a fairly standard process and not the focus of the system, so it is not described in detail.
The service initiates an access request to the mysql according to the access information of the mysql acquired by the environment variable, and the request is actually sent to the sidecar main module because the access address of the mysql in the environment variable is the access address of the sidecar;
the service acquires mysql access information through an environment variable:
MYSQL_HOST: 127.0.0.1
MYSQL_PORT: 3306
MYSQL_USERNAME: DB1
MYSQL_PASSWORD: DB1
MYSQL_DB_NAME: DB1
the service assembles mysql access information through the above information and connects the mysql:
"DB1:DB1@127.0.0.1:3306/DB1"
the Sidecar master module firstly checks whether the service is configured with the use authority of the confidential storage module according to the mysql access identification DB1, and determines whether the service has the access authority of the data corresponding to the DB1 through the black-and-white list field in the table 1. And after the service authority is confirmed, the confidential information corresponding to the mysql _ DB1 is obtained. The sidecar will get the actual mysql connection information shown in table 3 to establish a connection to the actual mysql store.
The sidecar main module adopts an SPA first packet authentication mode to proxy mysql flow:
the main flow is shown in fig. 3 (mysql first packet authentication principle), and the general SPA first packet field format is shown in fig. 4 (SPA first packet verification format). Given the connection characteristics of mysql, the flow still follows the idea of first packet authentication, but the first packet authentication is adapted to the mysql protocol. The specific flow is as follows:
the service initiates a tcp connection request to the sidecar proxy, and the tcp connection is established after the tcp three-way handshake. The sidecar proxy sends a handshake packet to the service containing the mysql capabilities, encryption seed and so on. The service digests its mysql login password with the encryption seed from the handshake packet, constructs an auth authentication packet and sends it toward the database (that is, to the sidecar). The account and password the service sends come from its environment variables and carry the database identifier written by the deployment, for example: DB1:DB1@127.0.0.1/DB1.
The sidecar main module receives the authentication packet, obtains the account and password sent by the service (DB1 in this case) and looks up the real database connection information; one possible configuration is shown in table 5:
(Table 5 is an image in the original document and is not reproduced in this text.)
The sidecar proxy then performs handshake authentication with the mysql server side in SPA mode using this information. After the authentication passes, the sidecar receives the handshake-success OK packet from the mysql server and forwards it to the service. From the service's point of view it has connected directly to mysql using DB1 as username and password; the sidecar's parsing and forwarding are invisible to it. In reality DB1 is only a tag: even if an attacker obtains it, there is no threat to the mysql database, because the real connection and authentication information is kept secret.
After the connection is established, the sidecar forwards the traffic directly at the tcp layer (layer-3 load forwarding) as unparsed data packets, which keeps the sidecar's resource consumption low.
The above steps are the main flow of the service access mysql. In addition, the following steps are involved in this case:
The sidecar dynamically senses service configuration changes
The configuration administrator or the management system defines the confidential configuration information of the service through the control plane module. The information format is as shown in table 1 and includes the service's unique identification number, the unique identifier of the confidential storage module's engine, either a whitelist of keys the service may acquire or a blacklist of keys it may not access (only one of the two may be defined), and custom configuration including the cache configuration: cache expiration time, cache memory occupancy limit, and the namespace in which the keys the service is allowed to access are located.
When the configuration is deployed and used for storing the confidential information of the service, a namespace of which the name is the unique identifier of the service is created for each service, and the namespace which the service is allowed to access is set as the unique identifier of the service when the configuration is issued. Each service can only access data under its own namespace.
The control plane module will send configuration and configuration update signals to the configuration center redis cluster, and the configuration center module will record the service configuration and push the configuration update signals to the signal queue.
Each sidecar will first get configuration details once it is started and record them in local memory. The sidecar will then establish a long poll with the configuration agent module, polling for configuration change signals. The configuration agent module monitors a configuration update signal queue of the configuration center, and when data is added to the queue, the configuration agent takes out the corresponding data. The data in the signal queue is the unique identification number of the service, and when the configuration agent acquires the service identification number representing the configuration update of the service, the configuration agent notifies the corresponding sidecar through long polling.
After the sidecar receives the configuration change signal, it first requests the last update time of the configuration from the configuration center; if that time is later than the update time of the configuration in local memory, it requests the full configuration. In this way the sidecar detects configuration changes with millisecond latency.
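The start-up pull, the signal delivered by the long poll and the last-update-time comparison described in this section, as an added Go example that is not part of the patent; the configuration center and signal stream are in-memory stand-ins for the redis cluster, and all type and field names are assumptions.

```go
package main

import (
	"fmt"
	"time"
)

// ServiceConfig is the per-service rule set the control plane publishes (field names assumed).
type ServiceConfig struct {
	ServiceID string
	Rules     map[string]string
	UpdatedAt time.Time // the configuration's "last update time" in the text
}

// ConfigCenter stands in for the redis cluster: one record per service plus the
// update-signal stream, which carries nothing but service identifiers.
type ConfigCenter struct {
	configs map[string]ServiceConfig
	signals []string
}

func NewConfigCenter() *ConfigCenter {
	return &ConfigCenter{configs: map[string]ServiceConfig{}}
}

// Publish is the control plane's action after a successful save: store the
// configuration, then push the service id onto the signal stream.
func (c *ConfigCenter) Publish(cfg ServiceConfig) {
	c.configs[cfg.ServiceID] = cfg
	c.signals = append(c.signals, cfg.ServiceID)
}

// Fetch is the expensive full read; LastUpdate is the cheap probe made first.
func (c *ConfigCenter) Fetch(id string) (ServiceConfig, bool) {
	cfg, ok := c.configs[id]
	return cfg, ok
}

func (c *ConfigCenter) LastUpdate(id string) (time.Time, bool) {
	cfg, ok := c.configs[id]
	return cfg.UpdatedAt, ok
}

// PopSignal is the configuration agent's read from the signal stream.
func (c *ConfigCenter) PopSignal() (string, bool) {
	if len(c.signals) == 0 {
		return "", false
	}
	id := c.signals[0]
	c.signals = c.signals[1:]
	return id, true
}

// Sidecar keeps the configuration it has applied in local memory.
type Sidecar struct {
	ServiceID string
	Local     ServiceConfig
	Pulls     int // full pulls after start-up: the cost the timestamp check saves
}

// Start is the one-time pull on sidecar start-up.
func (s *Sidecar) Start(c *ConfigCenter) error {
	cfg, ok := c.Fetch(s.ServiceID)
	if !ok {
		return fmt.Errorf("no configuration for service %s", s.ServiceID)
	}
	s.Local = cfg
	return nil
}

// OnSignal is what the long poll delivers. As the text describes, the sidecar
// first asks for the last update time and pulls the whole configuration only when
// that is strictly newer than its local copy, so a duplicate or stale signal costs
// one small read rather than a full reload.
func (s *Sidecar) OnSignal(c *ConfigCenter) (bool, error) {
	remote, ok := c.LastUpdate(s.ServiceID)
	if !ok {
		return false, fmt.Errorf("configuration for %s disappeared", s.ServiceID)
	}
	if !remote.After(s.Local.UpdatedAt) {
		return false, nil
	}
	s.Local, _ = c.Fetch(s.ServiceID)
	s.Pulls++
	return true, nil
}

// Dispatch is the configuration agent's loop body: drain the signal stream and
// notify the sidecar each service id names; ids with no sidecar on this node are
// skipped. It returns the number of sidecars notified.
func Dispatch(c *ConfigCenter, sidecars map[string]*Sidecar) (int, error) {
	notified := 0
	for {
		id, ok := c.PopSignal()
		if !ok {
			return notified, nil
		}
		sc, known := sidecars[id]
		if !known {
			continue
		}
		if _, err := sc.OnSignal(c); err != nil {
			return notified, err
		}
		notified++
	}
}
```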
Caching and telemetering confidential information:
Each time the sidecar obtains confidential information, it encrypts it and adds it to the local cache. Before actually fetching confidential information, it checks whether the information is already in the local cache; if so, it is used directly and no request is sent to the confidential storage module. Accessing mysql is a high-frequency behaviour in this example, and caching reduces both the latency of each response and the load on the confidential storage module. At the same time, if the confidential storage module crashes occasionally, the cache improves the availability of the system: confidential information can still be obtained from the cache until it expires. Cache eviction occurs when entries expire and when the cache's space occupation reaches its upper limit; in that case some existing cache entries are deleted.
The sidecar records each time the service acquires confidential information and actively pushes this data in push mode to VictoriaMetrics for storage, so that the platform can query and display it.
The service can directly obtain confidential information it needs to use
For security, some service information must not be stored in the clear in local or external storage components, for example certain control-related meta-information of the service, which typically needs to be stored encrypted and tamper-proof.
Such information can therefore be stored securely in the confidential storage component and obtained securely by the service through the sidecar: the service simply sends an http request to the sidecar, and it may specify the following additional parameters when obtaining confidential information, as shown in table 6:
(Table 6 is an image in the original document and is not reproduced in this text.)
it is noted that, herein, relational terms such as first and second, and the like may be used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Also, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
Finally, it should be noted that: although the present invention has been described in detail with reference to the foregoing embodiments, it will be apparent to those skilled in the art that changes may be made in the embodiments and/or equivalents thereof without departing from the spirit and scope of the invention. Any modification, equivalent replacement, or improvement made within the spirit and principle of the present invention should be included in the protection scope of the present invention.

Claims (6)

1. The data confidential information protection system based on the zero trust network is characterized in that: the system comprises a control plane module, a confidential information storage module, a configuration center, a configuration agent, a sidecar main module and an external system;
the control plane module is used for performing addition, deletion, modification and check operations on confidential information, verifying authority information of an operator, storing configuration information into the configuration center, and sending a configuration updating signal to the configuration center; the confidential information storage module is used for storing confidential information; the configuration center is used for receiving and storing a configuration updating signal; the configuration agent is used for calling the updating signal and the actual configuration from the configuration center, applying the configuration and communicating with the sidecar main module; the sidecar main module is used for realizing management and verification of confidential information; the external system is used for receiving micro service call, simultaneously communicating the micro service with the sidecar main module and initiating a viewing request for confidential information content;
the sidecar main module comprises a sidecar agent module, a sidecar cache module and a sidecar confidential information management module;
the sidecar agent module is used for communicating with the configuration agent in an mtls mode, pulling configuration information corresponding to the service from the configuration center through the configuration agent, acquiring a configuration updating signal from the configuration agent through a long polling mode, and applying configuration;
the sidecar agent module is also used for communicating with the confidential information storage module in an mTLS mode, when the service initiates calling to an external system or initiates a request for checking the content of confidential information, the request is uniformly sent to the sidecar agent module, the sidecar agent module checks whether the service has the authority for requesting the information after receiving the request, and if the authority exists, the sidecar agent module initiates an information acquisition request to the confidential information storage module and executes corresponding operation;
the sidecar cache module is used for encrypting the acquired confidential information and caching the encrypted confidential information in a memory, and the caching behavior is dynamically regulated and controlled by the configuration of the control plane module;
the sidecar confidential information management module is used for reporting the index information acquired by the confidential information storage module and the locally cached index information to the control plane module;
the control plane module queries the index information acquired by the confidential information storage module and the locally cached index information and displays the index information in a visual mode;
the index information includes: the service aims at the obtaining times of each secret storage key, the occupied size of a cache memory, the number of cache hits and the number of changing times of the key in the cache;
the sidecar agent module comprises:
after the sidecar agent module is started, an mtls communication mode is adopted, configuration information corresponding to the service is pulled from the configuration agent, and a configuration updating signal is obtained from the configuration agent through a long polling mode;
the configuration agent maintains long connection with the configuration center, forwards the configuration acquisition request to the configuration center, and simultaneously monitors a service configuration updating signal from the configuration center;
the sidecar agent module analyzes the configuration and applies the configuration, if the sidecar agent module receives a configuration updating signal, the last updating time of the configuration is firstly obtained and compared with the configuration existing locally, and if the obtained last updating time is larger than the last updating time of the local configuration, the new configuration is pulled and the application is analyzed;
the sidecar agent module further comprises:
S4-1, the service initiates a service secret information viewing request to the external system, attaches the external system authentication information stored in the environment variable, namely the key attached with the storage of the secret information, and then enters the step S4-2;
S4-2, after the sidecar agent module receives the service confidential information checking request, firstly checking whether the service has the inquiry authority of the confidential information according to the configuration information of the service;
S4-3, if the verification fails, reporting an error and recording a log; if the verification is passed, firstly checking whether the cache has confidential information of the service inquiry; if yes, the confidential information in the cache is directly returned to the service; if the secret information does not exist, trying to acquire the secret information from the secret information storage module;
S4-4, if the confidential information can not be obtained from the confidential information storage module, reporting an error and recording a log; if the confidential information can be acquired from the confidential information storage module, the confidential information is encrypted and cached in the local memory, and the confidential information is returned to the service;
and S4-5, handshaking with the external system by adopting an SPA first packet authentication mode, forwarding the service access request to the external system and attaching real authorization information.
2. The zero trust network based data secret information protection system of claim 1, wherein: the control plane module comprises a visual interface and a safety module;
the control plane module workflow includes:
aiming at confidential information needed to be used by the service, the administrator takes the service identification number as a prefix of a storage path, and stores the information into a confidential information storage module through the operation of a visual interface of a control plane module;
aiming at a service needing to configure confidential information, an administrator creates corresponding configuration information and a configuration updating signal by taking a service identification number as a main key, wherein the configuration information comprises an access address of a confidential information storage module used by the service, black and white list control information of the confidential information and cache configuration information;
the control plane module sends the configuration information and the configuration updating signal to a configuration center;
and the administrator performs operations of adding, deleting, modifying and checking the configuration information and the confidential information through a visual interface, wherein the operations of adding, deleting, modifying and checking the configuration information and the confidential information require 2FA secondary verification and security module triple verification.
3. The zero trust network based data secret information protection system of claim 1, wherein: the SPA first packet verification mode comprises the following steps:
acquiring a general SPA initial packet field format;
a tcp connection request sent to the sidecar main module by the service establishes tcp connection after three times of handshaking, the sidecar main module sends a handshake packet to the service, and the service abstracts the acquired account number password according to an encrypted seed in the handshake packet;
an auth authentication packet is constructed and sent to a database, at the moment, an account password sent by a service is obtained from an environment variable and is written into the database by a deployment module;
the sidecar main module receives the authentication packet and then obtains an account password sent by the service, and obtains real database connection information;
the sidecar main module performs handshake authentication with the client in an SPA mode according to the database connection information, receives a handshake success OK packet sent by the client after the sidecar main module passes the authentication, and sends the handshake success OK packet to the service.
4. The zero trust network based data secret information protection system of claim 3, wherein: the sidecar cache module comprises:
randomly generating a 32-bit encryption key when the sidecar cache module is started, setting whether to start a cache, cache expiration time and a cache memory upper limit according to cache configuration, and setting the cache expiration time to be 5 minutes and the cache memory upper limit to be 1MB by default;
when confidential information missed in the cache is obtained, or a forced-refresh parameter refresh_cache is attached when the confidential information is obtained, the confidential information is stored in the cache, and the cached key is the concatenation of the key + version of the confidential information, so that the cache supports caching different versions of the same confidential information;
when the confidential information content is cached, it is encrypted with the generated 32-bit encryption key using the aes encryption algorithm and then stored in the memory;
after the cache is full, if data needs to be stored in the cache, an LFU (least frequently used) eviction strategy is adopted to evict the key with the lowest use frequency in the current cache;
if the refresh_cache parameter is specified by the service when the confidential information is acquired, the confidential information is acquired from the confidential information storage module and the cache content is updated.
5. The zero trust network based data secret information protection system of claim 3, wherein: the sidecar confidential information management module includes:
the sidecar confidential information management module records indexes each time the service acquires confidential information;
the sidecar confidential information management module reports the acquired index information to VictoriaMetrics every 5 seconds by adopting a push mode;
the control plane module can inquire the index information reported by the sidecar confidential information management module and display the telemetering information in a visual interface mode through aggregation.
6. The zero trust network based data secret information protection system of claim 2, wherein: the safety module comprises an input device safety authentication sub-module and an operation time safety authentication sub-module;
the input equipment safety authentication submodule is used for carrying out intelligent authentication on an administrator controlling the input equipment; the operation time security authentication submodule is used for acquiring operation time for an administrator to add, delete, modify and check configuration information and confidential information through a visual interface and intelligently authenticating the administrator who operates;
the output ends of the input equipment safety authentication submodule and the operation time safety authentication submodule are connected to an error reporting port of the system, and when error reporting occurs, logs are recorded.
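The sidecar cache from the caching section of the description and claim 4, as an added Go example rather than the patent's own code: values sealed with AES-GCM under a key drawn at start-up, key+version cache keys, expiry, a memory cap and LFU eviction. Type names, the key/version separator and the use of the GCM mode (the text says only "aes") are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"io"
	"time"
)

var ErrTooLarge = errors.New("secret larger than the cache memory limit")

type entry struct {
	nonce, ciphertext []byte
	expires           time.Time
	hits              int // access count that drives LFU eviction
}

// SecretCache models the sidecar cache module: AES-GCM sealed values under a key
// drawn at start-up, expiry after ttl, ciphertext capped at maxBytes, LFU eviction.
type SecretCache struct {
	aead     cipher.AEAD
	ttl      time.Duration
	maxBytes int
	used     int
	entries  map[string]*entry
	now      func() time.Time // injectable clock so expiry is testable
}

// NewSecretCache draws a random 32-byte (AES-256) key that never leaves process
// memory. The claim's defaults would be ttl = 5 min and maxBytes = 1 MB.
func NewSecretCache(ttl time.Duration, maxBytes int) (*SecretCache, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key)  // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block) // AES block size: cannot fail
	return &SecretCache{aead: aead, ttl: ttl, maxBytes: maxBytes,
		entries: map[string]*entry{}, now: time.Now}, nil
}

// cacheKey joins key and version (separator assumed) so several versions of one
// secret can sit in the cache at once, as the claim requires.
func cacheKey(key, version string) string { return key + ":" + version }

func (c *SecretCache) remove(ck string) {
	if e, ok := c.entries[ck]; ok {
		c.used -= len(e.ciphertext)
		delete(c.entries, ck)
	}
}

// evictLFU drops the entry with the fewest hits.
func (c *SecretCache) evictLFU() {
	victim, fewest := "", -1
	for k, e := range c.entries {
		if fewest < 0 || e.hits < fewest {
			victim, fewest = k, e.hits
		}
	}
	c.remove(victim)
}

// Put seals plaintext (cache key bound as AAD) and stores it, evicting LFU
// entries until the ciphertext fits under the memory cap.
func (c *SecretCache) Put(key, version string, plaintext []byte) error {
	ck := cacheKey(key, version)
	c.remove(ck) // a refresh_cache fetch replaces the existing copy of this version
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	ct := c.aead.Seal(nil, nonce, plaintext, []byte(ck))
	if len(ct) > c.maxBytes {
		return ErrTooLarge
	}
	for c.used+len(ct) > c.maxBytes {
		c.evictLFU()
	}
	c.entries[ck] = &entry{nonce: nonce, ciphertext: ct, expires: c.now().Add(c.ttl)}
	c.used += len(ct)
	return nil
}

// Get decrypts on a hit; an expired or unopenable (tampered) entry is dropped
// and reported as a miss, so the caller falls back to the secret store.
func (c *SecretCache) Get(key, version string) ([]byte, bool) {
	ck := cacheKey(key, version)
	e, ok := c.entries[ck]
	if !ok {
		return nil, false
	}
	pt, err := c.aead.Open(nil, e.nonce, e.ciphertext, []byte(ck))
	if err != nil || !c.now().Before(e.expires) {
		c.remove(ck)
		return nil, false
	}
	e.hits++
	return pt, true
}
```

A read path that honours refresh_cache is then a miss-or-forced call to the store followed by Put; with the text's defaults the cache is created as NewSecretCache(5*time.Minute, 1<<20).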
CN202210375221.1A 2022-04-11 2022-04-11 Data confidential information protection system based on zero trust network Active CN114465827B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210375221.1A CN114465827B (en) 2022-04-11 2022-04-11 Data confidential information protection system based on zero trust network

Publications (2)

Publication Number Publication Date
CN114465827A CN114465827A (en) 2022-05-10
CN114465827B true CN114465827B (en) 2022-06-24

Family

ID=81418274

Country Status (1)

Country Link
CN (1) CN114465827B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116069264B (en) * 2023-03-13 2023-06-13 南京飓风引擎信息技术有限公司 Application program data information storage control system

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10623390B1 (en) * 2017-08-24 2020-04-14 Pivotal Software, Inc. Sidecar-backed services for cloud computing platform
US10764244B1 (en) * 2019-06-12 2020-09-01 Cisco Technology, Inc. Systems and methods providing a multi-cloud microservices gateway using a sidecar proxy

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10693968B2 (en) * 2018-09-12 2020-06-23 Pivotal Software, Inc. Secure binding workflow
US11249856B2 (en) * 2018-10-25 2022-02-15 EMC IP Holding Company LLC Application consistent snapshots as a sidecar of a containerized application

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
TR01 Transfer of patent right

Effective date of registration: 20230324

Address after: 1202-059, Floor 12, Building 5, Yunmi City, No. 19, Ningshuang Road, Yuhuatai District, Nanjing City, Jiangsu Province, 210000

Patentee after: Nanjing hurricane engine information technology Co.,Ltd.

Address before: 210000 1202-053, floor 12, building 5, yunmi City, No. 19, ningshuang Road, Yuhuatai District, Nanjing, Jiangsu Province

Patentee before: Nanjing zhirenyun Information Technology Co.,Ltd.
