CN114553540A - Zero-trust-based Internet of things system, data access method, device and medium - Google Patents

Zero-trust-based Internet of things system, data access method, device and medium

Info

Publication number: CN114553540A
Application number: CN202210165043.XA
Authority: CN (China)
Prior art keywords: access, access terminal, identity, security, request
Legal status: Granted; currently Active (as listed by Google Patents, not a legal conclusion)
Other languages: Chinese (zh)
Other versions: CN114553540B (en)
Inventors: 郭倜颖, 刘伟超
Current assignee: Ping An Technology Shenzhen Co Ltd
Original assignee: Ping An Technology Shenzhen Co Ltd
Application filed by Ping An Technology Shenzhen Co Ltd; priority to CN202210165043.XA
Publication of CN114553540A; application granted; publication of CN114553540B

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209 Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks


Abstract

The invention discloses a zero-trust-based Internet of things system, a data access method, a device and a medium, which relate to the technical field of network security. The method comprises the following steps: in response to an access request sent by the access terminal, the security agent performs a first identity verification according to its stored second identity information and the first identity information in the access request; when the first identity verification passes, the security agent sends the access request to the identity authentication platform; the identity authentication platform performs a second identity verification on the access terminal according to its stored third identity information and the first identity information; when the second identity verification passes, the security gateway adds the access authority to the access request and sends the access request to the micro-isolation module; the micro-isolation module grants an access function to the access terminal according to the access authority; and the access terminal accesses the server according to the access function. Through multiple rounds of identity verification, complete zero-trust deployment from the access terminal to the server is achieved, and the security of the Internet of things system is improved.

Description

Zero-trust-based Internet of things system, data access method, device and medium
Technical Field
The invention relates to the technical field of network security, in particular to a zero-trust-based Internet of things system, a data access method, a device and a medium.
Background
In the related art, servers and data resources in the internet of things are generally protected by building a firewall to form a physical boundary defense, with the servers and data resources to be protected placed in an intranet behind the firewall. However, with the continuing rise of technologies such as cloud computing and big data, the boundary of the internet of things network architecture keeps expanding as those technologies develop, so the traditional security boundary represented by the firewall is continually broken down and can no longer meet the security requirements of the internet of things. How to ensure the security of an internet of things system has therefore become an urgent research problem.
Disclosure of Invention
The present application aims to solve, at least to some extent, one of the technical problems in the related art. To this end, a zero-trust-based Internet of things system, a data access method, a data access device and a data access medium are provided, which can realize complete zero-trust deployment from the access terminal to the server and improve the security of the Internet of things system.
In order to achieve the above object, an embodiment of the present invention further provides a zero trust based internet of things system, where the system includes an access subsystem, a management subsystem, and a background subsystem; the access subsystem comprises an access terminal and a security agent; the security agent is used for responding to an access request of the access terminal, performing first identity verification on the access terminal, and sending the access request to the management subsystem after the first identity verification is passed; the management subsystem comprises an identity authentication platform and a security gateway; the identity authentication platform is used for carrying out second identity authentication on the access terminal according to the access request; the security gateway is used for adding the access authority of the access terminal in the access request when the second identity authentication is passed; sending the access request added with the access authority to the background subsystem; the background subsystem comprises a micro-isolation module and a server; and the micro-isolation module is used for granting an access function to the access terminal according to the access authority so that the access terminal accesses the server according to the access function.
In order to achieve the above object, an embodiment of the present invention provides a data access method, which is applied to the zero trust based internet of things system as described above, and the method includes the following steps: the access terminal sends an access request to the security agent; according to first identity information in the access request and second pre-stored identity information, performing first identity verification on the access terminal through the security agent; when the first identity verification is passed, the security agent sends the access request to the identity authentication platform; performing second identity verification on the access terminal through the identity authentication platform according to the stored third identity information and the first identity information; when the second identity authentication is passed, the security gateway adds the access authority of the access terminal in the access request and sends the access request to the micro-isolation module; according to the access authority, an access function is granted to the access terminal through the micro-isolation module; and the access terminal accesses the server according to the access function.
In order to achieve the above object, an embodiment of the present invention further provides an apparatus, where the apparatus includes: at least one processor; and at least one memory for storing at least one program; when the at least one program is executed by the at least one processor, it causes the at least one processor to carry out the steps of the method as described above.
To achieve the above object, an embodiment of the present invention further provides a computer storage medium, in which a program executable by a processor is stored, and the program executable by the processor realizes the steps of the foregoing method when being executed by the processor.
The beneficial effects of the embodiment of the application are as follows: the zero-trust-based Internet of things system comprises an access subsystem, a management subsystem and a background subsystem; the access subsystem comprises an access terminal and a security agent, the management subsystem comprises an identity authentication platform and a security gateway, and the background subsystem comprises a micro-isolation module and a server. When the access terminal needs to access the server, it sends an access request to the security agent; the security agent performs a first identity verification on the access terminal according to the stored second identity information and the first identity information in the access request; when the first identity verification passes, the security agent sends the access request to the identity authentication platform; the identity authentication platform performs a second identity verification on the access terminal according to the stored third identity information and the first identity information in the access request; when the second identity verification passes, the security gateway adds the access authority of the access terminal to the access request and sends the access request to the micro-isolation module; the micro-isolation module grants an access function to the access terminal according to the access authority; and the access terminal accesses the server according to the access function.
The embodiment of the application achieves complete zero-trust deployment from the access terminal to the server through multiple rounds of identity verification. Moreover, the management subsystem centrally manages the access requests of the access terminals, which helps reduce the complexity of the Internet of things system and improve its security; and the management subsystem serves as a software boundary that effectively separates the access terminal from the server, so that the server is protected from external attack and the security of the Internet of things system is improved.
Drawings
The accompanying drawings are included to provide a further understanding of the claimed subject matter and are incorporated in and constitute a part of this specification, illustrate embodiments of the subject matter and together with the description serve to explain the principles of the subject matter and not to limit the subject matter.
FIG. 1 is a schematic diagram of a zero trust based internet of things system provided by an embodiment of the present application;
FIG. 2 is a flowchart illustrating steps of a data access method according to an embodiment of the present application;
FIG. 3 is a flowchart illustrating steps of an access terminal initially accessing an internet of things system according to an embodiment of the present application;
FIG. 4 is a schematic diagram of a data access device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the present application and are not intended to limit the present application.
It should be noted that although functional block divisions are provided in the system drawings and logical orders are shown in the flowcharts, in some cases, the steps shown and described may be performed in different orders than the block divisions in the systems or in the flowcharts. The terms first, second and the like in the description and in the claims, and the drawings described above, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
In the following description, suffixes such as "module", "part" or "unit" used to denote elements are used only to facilitate the explanation of the present invention and have no special meaning in themselves. Thus, "module", "component" and "unit" may be used interchangeably.
The embodiments of the present application will be further explained with reference to the drawings.
Referring to FIG. 1, FIG. 1 is a schematic diagram of a zero trust based internet of things system provided by an embodiment of the present application, where the system 100 includes, but is not limited to, an access subsystem 110, a management subsystem 120 and a background subsystem 130; the access subsystem comprises an access terminal 111 and a security agent 112; the management subsystem comprises an identity authentication platform 121 and a security gateway 122; and the background subsystem comprises a micro-isolation module 131 and a server 132.
In the embodiment of the present application, the access terminal refers both to an IoT (Internet of Things) device in the Internet of Things and to a terminal device that includes a software access portal of the Internet of Things. For example, in an internet of things system in the field of intelligent traffic management, the main IoT devices include speed meters, cameras, toll gates and the like deployed on the road, and these IoT devices generally need to access a server in the network periodically to complete operations such as keep-alive, authorization control and data reporting. As another example, an administrator of the internet of things system may operate a terminal device such as a Personal Computer (PC), a mobile phone, a smart phone, a Personal Digital Assistant (PDA), a wearable device, a pocket PC (PPC) or a tablet PC, and access the server through an access portal such as a web page, an app or an applet.
In the embodiment of the application, the security agent is configured to perform a first identity verification on the access terminal in response to an access request of the access terminal, and to forward the access request to the management subsystem after the first identity verification passes. That is, the security agent acts as the "gatekeeper" of the access subsystem and is responsible for verifying the identity of the access terminal according to the access request. It is understood that a relatively large internet of things system may have a plurality of security agents, with different security agents responsible for processing the access requests of access terminals in different areas.
The embodiment of the application additionally provides a management subsystem in the internet of things system, which centrally manages the access requests forwarded by different security agents from a plurality of access terminals and performs identity authentication and authorization in a unified manner. The various access behaviours of the distributed access terminals in the Internet of things system are thus uniformly controlled, so the management subsystem provided by the embodiment of the application not only helps reduce the complexity of the Internet of things system but also effectively improves its security, and helps realize "zero trust" deployment.
The management subsystem comprises an identity authentication platform and a security gateway. The identity authentication platform performs a second identity verification on the access terminal according to the access request; when the second identity verification passes, the security gateway adds the access authority of the access terminal to the access request and sends the access request with the added access authority to the background subsystem. In contrast to the related art, where the boundary between the terminal and the server gradually fails, the security gateway provided by the embodiment of the application can serve as a software boundary between the server and the access terminal, effectively separating the access terminal from the server and preventing the server from being attacked from outside, so that the security of the important data resources in the server is effectively protected.
In the embodiment of the application, the background subsystem comprises a micro-isolation module and a server, where the micro-isolation module grants an access function to the access terminal according to the access authority so that the access terminal can access the server according to that access function. That is to say, the micro-isolation module serves as a "barrier" in front of the server that grants a corresponding access function to each access terminal accessing the server; the access terminal can access only part of the server's data according to that access function, so the other data of the server is protected and the security of the server's data is improved.
In this embodiment of the application, a server may refer to a single server, a server cluster composed of a plurality of servers, or a cloud computing service center hosted in a cloud, where the server may store important data of the internet of things system and complete a corresponding service process according to a service request, the service process including, but not limited to, data access, authorization control and the like.
With reference to FIG. 1 and the above, an embodiment of the present application provides a zero trust based internet of things system in which, at the stage where an access terminal in the access subsystem sends an access request, the security agent performs a first identity verification on the access terminal; while the access request sent by the security agent travels to the background subsystem, the management subsystem performs a second identity verification on the access terminal and forwards the access request to the background subsystem; and when the access request reaches the background subsystem, the micro-isolation module grants a limited access function to the access terminal. Therefore, in the embodiment of the application, at each node on the path from the access terminal to the server the access terminal is treated as untrusted by default and must be verified, and even after the access terminal has completed verification, its access function within the background subsystem is limited, so that complete deployment of zero-trust technology on a traditional internet of things system is achieved. The zero-trust-based internet of things system of the embodiment can therefore, to a certain extent, solve the problem in the related art of the failing boundary between terminal and server; complete and multidimensional zero-trust deployment is realized on the internet of things system, the server is effectively protected from attack, and the security of the internet of things system is improved.
In some embodiments, as shown in FIG. 1, the management subsystem further includes a risk control decision engine 123, which dynamically adjusts the risk level of the access terminal according to the abnormal behaviour of the access terminal. It can be understood that when the access terminal first accesses the internet of things system, its risk level may be set to "general" because it has not yet performed any access action. Alternatively, the risk level of the access terminal may be set to a preset level based on information such as the identification of the access terminal. After the access terminal has accessed the internet of things system, the risk control decision engine can monitor its various behaviours in the system and dynamically adjust its risk level according to any abnormal behaviour. Abnormal behaviour of the access terminal includes, but is not limited to, abnormal login of the terminal, incorrect password input, abnormal consumption by the terminal, and the like. For example, a user accesses the internet of things system through a web access portal and the risk control decision engine observes that the user enters an incorrect account password 3 times in a row; this indicates that the access terminal may have been taken over and that an attacker is attempting to attack the server through it, so the risk control decision engine adjusts the risk level of the access terminal from the original "general" to "dangerous".
It will be appreciated that, in order to secure the data within the server, the risk level of the access terminal is tied to its access rights to the server data. That is, the security gateway may determine the access right corresponding to the access terminal according to its risk level, and when the risk level changes because of the user's abnormal behaviour, the security gateway dynamically adjusts the corresponding access right according to that change. For example, when the risk level changes from "general" to "dangerous", the security gateway may adjust the access authority of the access terminal from allowing access to data at a specified position in the server to disallowing access to the server, thereby improving the security of the server.
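An added Python model (not the patent's own code) of the risk control decision engine 123 (the "wind control" engine of FIG. 1) and of the security gateway deriving access authority from the risk level, replayed over a constructed behaviour log. The log format, the reset of the failure streak on a successful login, the sticky "dangerous" level and the direct escalation for the other abnormal behaviours are assumptions; the 3-failure threshold and the two authority outcomes follow the description above.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

GENERAL = "general"
DANGEROUS = "dangerous"
# The page's example: 3 consecutive wrong passwords move the terminal to "dangerous".
MAX_CONSECUTIVE_PASSWORD_FAILURES = 3

# Access authority the gateway attaches for each risk level ("general" allows data at a
# specified position, "dangerous" disallows access). The path string is an assumption.
AUTHORITY_BY_RISK_LEVEL = {
    GENERAL: "read:/data/specified",
    DANGEROUS: "deny",
}

# Constructed behaviour log in an assumed key=value format, not the patent's.
SAMPLE_BEHAVIOUR_LOG = """\
2024-03-01T09:00:01 terminal=web-user-7 event=password_error
2024-03-01T09:00:05 terminal=web-user-7 event=password_error
2024-03-01T09:00:09 terminal=cam-17 event=login_ok
2024-03-01T09:00:12 terminal=web-user-7 event=password_error
2024-03-01T09:00:20 terminal=web-user-7 event=login_ok
"""

LOG_LINE = re.compile(r"^(?P<ts>\S+) terminal=(?P<terminal>\S+) event=(?P<event>\S+)$")


@dataclass
class TerminalState:
    risk_level: str = GENERAL          # initial level before any access action, per the page
    consecutive_password_failures: int = 0


class RiskControlDecisionEngine:
    """Tracks a per-terminal risk level and raises it on abnormal behaviour."""

    def __init__(self) -> None:
        self.terminals: dict[str, TerminalState] = {}

    def state(self, terminal_id: str) -> TerminalState:
        return self.terminals.setdefault(terminal_id, TerminalState())

    def observe(self, terminal_id: str, event: str) -> str:
        st = self.state(terminal_id)
        if event == "password_error":
            st.consecutive_password_failures += 1
            if st.consecutive_password_failures >= MAX_CONSECUTIVE_PASSWORD_FAILURES:
                st.risk_level = DANGEROUS
        elif event == "login_ok":
            # Assumption: a successful login ends the failure streak. The level stays
            # "dangerous" once raised, since the page gives no automatic recovery rule.
            st.consecutive_password_failures = 0
        elif event in ("abnormal_login", "abnormal_consumption"):
            # Assumption: the other abnormal behaviours named on the page escalate directly.
            st.risk_level = DANGEROUS
        return st.risk_level


class SecurityGateway:
    """Adds the access authority derived from the current risk level to a request."""

    def __init__(self, engine: RiskControlDecisionEngine) -> None:
        self.engine = engine

    def add_access_authority(self, request: dict) -> dict:
        level = self.engine.state(request["terminal"]).risk_level
        return {**request, "risk_level": level,
                "access_authority": AUTHORITY_BY_RISK_LEVEL[level]}


def replay_log(engine: RiskControlDecisionEngine, log_text: str) -> list[tuple[str, str]]:
    """Feed each log line to the engine; return (terminal, risk level after the event)."""
    trace = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole replay
        trace.append((m["terminal"], engine.observe(m["terminal"], m["event"])))
    return trace


def demo() -> dict:
    """Replay the constructed log, then ask the gateway what each terminal may access."""
    engine = RiskControlDecisionEngine()
    gateway = SecurityGateway(engine)
    trace = replay_log(engine, SAMPLE_BEHAVIOUR_LOG)
    return {
        "trace": trace,
        "web_user": gateway.add_access_authority({"terminal": "web-user-7", "resource": "/data/specified"}),
        "camera": gateway.add_access_authority({"terminal": "cam-17", "resource": "/data/specified"}),
    }


if __name__ == "__main__":
    print(demo())
```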
In other embodiments, the access subsystem further includes a secure browser and a secure sandbox (not shown in FIG. 1). As mentioned above, the access terminal in the embodiment also refers to a terminal device that includes a software access portal of the internet of things, and such an access terminal may access the server through a web page, an app, an applet and the like. The secure browser and the secure sandbox can therefore be installed on the terminal device, so that the user accesses the server through them and the security of the access process is ensured.
For example, the terminal device is a computer on which a secure browser is installed; when operating the computer, the user can open the login page of the internet of things system in the secure browser and thereby access the background server through it. The secure browser provides a secure access network for the access terminal, with a built-in list of network addresses that can be accessed securely. Through these network addresses the user can access different network systems, including but not limited to the internet of things system of the present embodiment, and the secure browser protects the process of accessing them. This protection is transparent to the user: the secure browser automatically encrypts the data it sends and transmits the encrypted data to the security agent, and it likewise receives the data returned by the server, decrypts it and displays it to the user in the front-end page of the Internet of things system. In addition, when the user uses the secure browser, some protective functions can be implemented on the browser page itself: for example, a watermark with the user's information is shown on the browser interface so that the user information is not lost; and, for example, the user is prevented from copying page content, saving the page or taking screenshots in the browser, so that data of the accessed Internet of things system is not leaked and does not become a security threat to the system.
In addition to the secure browser, the access subsystem includes a secure sandbox. In the field of network architecture, a sandbox is a virtual system program that creates a virtual operating environment, and the user can run software such as the secure browser inside the secure sandbox. At the same time, the secure sandbox isolates the device data and office environment of the access terminal from the Internet of things system, so that the access data and office environment in the access terminal cannot affect the security of the Internet of things system. For example, the secure browser runs in the secure sandbox and the user accesses a cloud desktop and cloud environment in the internet of things system through it; besides the protection provided by the secure browser described above, the secure sandbox effectively isolates the cloud desktop and cloud environment from the local device. For example, the user can log in to the cloud desktop, access files in it, and change or delete those files; the user can also upload files from the local device to the cloud desktop and download files from the cloud environment to the cloud desktop. However, the user cannot download files from the cloud desktop to the local device, so the cloud desktop, the cloud environment and the local device are effectively isolated, leakage of files in the cloud environment and cloud desktop is avoided, and the security of the internet of things system is effectively guaranteed.
Through the combination of one or more of the above embodiments, the embodiment of the application provides a zero-trust-based internet of things system that can, to a certain extent, solve the problem in the related art of the failing boundary between terminal and server; complete and multidimensional zero-trust deployment is realized on the internet of things system, the server is effectively protected from attack, and the security of the internet of things system is thereby improved.
Referring to FIG. 2, FIG. 2 is a flowchart illustrating steps of a data access method provided by an embodiment of the present application, where the method is applied to the zero trust based internet of things system described above and includes, but is not limited to, steps S200 to S270:
S200, the access terminal accesses the Internet of things system for the first time;
Specifically, before describing the process by which the access terminal accesses the server, the process by which the access terminal first accesses the internet of things system is set forth. Referring to FIG. 3, FIG. 3 is a flowchart illustrating steps of an access terminal initially accessing an internet of things system according to an embodiment of the present application, where the process includes, but is not limited to, steps S300 to S350:
S300, the access terminal sends a registration request to the security agent;
Specifically, when the access terminal first accesses the internet of things system, it sends a registration request to the security agent; the registration request indicates to the receiving party that the current access terminal requests access to the Internet of things system. The registration request includes fourth identity information and a validity identifier.
It should be noted that, in the embodiment of the present application, the identity information represents the identity of the access terminal or of the user accessing the internet of things system through the access terminal, and may take the form of an identity ID of the access terminal, the account and password used by the access terminal to access the internet of things system, or the face information, fingerprint information, mobile phone number, mailbox address and the like of the user bound to the current access terminal. In the first, second, third and fourth identity information described in the embodiments of the present application, the prefixes "first", "second" and so on only distinguish identity information in different storage locations or different steps and do not modify the specific meaning of the identity information. It is of course understood that the specific form of the identity information may differ slightly between storage locations (for example in the security agent and in the identity authentication platform), and the specific form of expression of the identity information is not particularly limited in the embodiments of the present application.
The validity identifier is an identifier that can indicate the validity of the access terminal; for example, when the access terminal is an IoT device, the validity identifier may be the factory qualification number of the IoT device.
S310, in response to the registration request, the security agent performs a first validity verification on the access terminal according to the validity identifier;
Specifically, when it receives a registration request, the security agent performs a first validity verification on the access terminal according to the validity identifier. The validity verification checks whether the current access terminal is a valid device, and one specific form of the check is: when the internet of things system is built, the relevant identifiers of the supported manufacturers, that is, of the valid access terminals approved by the system, are stored in modules such as the security agent and the identity authentication platform. When the security agent receives the registration request, it compares the validity identifier in the registration request with the stored identifiers of valid access terminals to confirm whether the current access terminal is valid.
It should be noted that, in the first validity verification and the second validity verification described in the embodiments of the present application, the prefixes "first" and "second" only distinguish the verification processes performed on the access terminal by different modules of the system (the security agent and the identity authentication platform) and do not modify the specific meaning of the validity verification.
S320, when the first validity verification is passed, the security agent stores the fourth identity information as second identity information and sends the registration request to an identity verification platform;
specifically, when the first validity verification passes, which indicates that the access terminal is a valid terminal, the security proxy stores the fourth identity information in the access request, and the identity information stored in the security proxy is called as second identity information. The security agent then sends a registration request to the authentication platform.
S330, responding to the registration request, and performing second validity verification on the access terminal by the identity authentication platform according to the validity identification;
specifically, when receiving the registration request, the identity authentication platform performs a second validity verification on the access terminal according to the validity identifier of the access terminal, thereby confirming whether the current access terminal is valid again. The process of the second validity verification is similar to the process of the first validity verification in step S310, and is not described herein again.
S340, when the second validity verification is passed, the identity verification platform stores the fourth identity information as third identity information and sends response information of successful registration to the security agent;
specifically, when the second validity verification passes, which indicates that the access terminal is a valid terminal, the identity verification platform stores the fourth identity information in the access request, and the identity information stored in the security agent is referred to as third identity information. Then, the identity authentication platform sends response information of successful registration to the security agent.
S350, the security agent sends the response information to the access terminal so that the access terminal can be successfully accessed into the Internet of things system;
specifically, after receiving the response information, the security agent forwards the response information to the access terminal, so that the access terminal can successfully access the internet of things system according to the response information.
Through steps S300 to S350, the embodiment of the present application provides a process flow of the access terminal initially accessing the internet of things system, and after the step S200 is already described, a description of step S210 is started.
S210, the access terminal sends an access request to the security agent;
Specifically, when the access terminal needs to access the background server, it sends an access request to the security agent. For example, if the access terminal needs to access the server for device keep-alive, it may send an access request to the security agent periodically.
S220, performing first identity verification on the access terminal through the security agent according to the first identity information in the access request and the second identity information pre-stored in the security agent;
Specifically, the method steps of fig. 3 have already described how the security agent stores the second identity information; the security agent performs first identity verification on the access terminal according to the second identity information it has pre-stored and the first identity information in the received access request. As noted above, each module in the internet of things system may perform identity verification on the access terminal according to the identity information. For example, in this step, if the identity information used for the first identity verification is an account and password, the first identity information and the second identity information are compared, and if the account and password in the two are the same, the first identity verification passes.
S230, when the first identity verification is passed, the security agent sends the access request to an identity authentication platform;
Specifically, when the first identity verification in step S220 passes, the security agent forwards the access request to the identity authentication platform, which performs identity verification again.
In some embodiments, in addition to performing identity verification in each module that the access terminal passes through in order to improve the security of data access, security can be further improved by encrypting the data transmission between the modules. Specifically, when the first identity verification passes, the security agent encrypts the access request and sends the encrypted access request to the identity authentication platform. Thus, even if a communication message between the access subsystem and the management subsystem is illegally intercepted, the encrypted access request prevents the information of the access terminal from being leaked, and the security of the internet of things system is ensured.
It will be appreciated that different levels of encryption may be employed by the various modules in the system for different types of access requests from access terminals. For example, for an access terminal with a higher security requirement, the access request may be encrypted with a cryptographic algorithm running on a hardware encryption chip; for an access terminal with a lower security requirement, the access request may be encrypted with a software implementation such as the RSA public-key algorithm.
S240, performing second identity verification on the access terminal through the identity authentication platform according to the first identity information and third identity information prestored in the identity authentication platform;
Specifically, the process by which the identity authentication platform stores the third identity information has already been explained with reference to fig. 3. When the identity authentication platform receives the access request, it compares the third identity information it has stored with the first identity information in the access request, thereby determining the identity of the current access terminal and completing the second identity verification.
It should be noted that, in the first identity verification, second identity verification and third identity verification described in the embodiments of the present application, prefixes such as "first" and "second" are used only to distinguish the identity verification processes that different modules of the system (the security agent and the identity authentication platform) perform on the access terminal, and do not modify the specific meaning of the identity verification.
S250, when the second identity authentication is passed, the security gateway adds the access authority of the access terminal in the access request, and sends the access request added with the access authority to the micro-isolation module;
Specifically, when the second identity verification passes, the security gateway determines the access authority corresponding to the access terminal, adds the access authority of the access terminal to the access request, and forwards the access request carrying the access authority to the micro-isolation module.
As mentioned above, the access authority determined by the security gateway may change as the risk level determined by the wind control decision engine changes. When the wind control decision engine determines that the risk level of the access terminal has increased, indicating that the current access terminal carries a higher risk, the second identity verification in its ordinary form (that is, merely comparing identity IDs) may misjudge the identity of the access terminal. Therefore, in some embodiments, when the wind control decision engine determines that the risk level of the access terminal has increased and the second identity verification passes, the identity authentication platform performs a third identity verification on the access terminal, and the third identity verification may use a more advanced and complex method than the first and second identity verifications. For example, where the first and second identity verifications determine the identity of the access terminal only by comparing identity IDs, the third identity verification may include verification code authentication, fingerprint authentication or face authentication: for instance, a verification code is sent to the mobile phone bound to the access terminal, the user is prompted to enter the verification code on a display page of the access terminal, and whether the third identity verification passes is decided by the correctness of the entered code, thereby establishing the specific identity of the access terminal. Then, when the third identity verification passes, the security gateway adds the access authority to the access request and sends the access request to the micro-isolation module.
As mentioned in step S230, data transmission between the access subsystem and the management subsystem may be encrypted. If the access request sent by the security agent to the identity authentication platform is encrypted, the identity authentication platform must first decrypt it and only then perform the second identity verification and the third identity verification. Similarly to the encryption performed by the security agent, in order to protect the whole data access process from the access terminal to the server, the security gateway may encrypt the access request to which the access authority has been added and send the encrypted access request to the micro-isolation module.
S260, according to the access authority, an access function is granted to the access terminal through the micro-isolation module;
Specifically, after receiving the access request, the micro-isolation module decrypts it if it is in encrypted form, so as to obtain the access authority in the access request.
When the internet of things system is constructed, the various service data in the server may first be classified into levels. Taking an intelligent transportation internet of things system as an example, level 1 data may be the information of the current access terminal, level 2 data the information of all access terminals of the same type, and level 3 data the information of all access terminals in the same region. The correspondence between service data of different levels and the access authorities of access terminals is then determined and stored in the micro-isolation module. After receiving the access request, the micro-isolation module looks up the access authority in this correspondence, determines which service data in the server the access authority of the current access terminal may reach, and grants the access terminal the access function for the service data corresponding to that access authority.
For example, when the service data is classified, a unique access identifier is set for the service data of each level. The micro-isolation module grants the access function to the access terminal by sending it the access identifier corresponding to the service data; when the access terminal then accesses the server, it can only access the service data carrying the same identifier and cannot access other data, so that the other data in the server is effectively protected.
S270, the access terminal accesses the server according to the access function;
Specifically, following step S260, the access terminal accesses the specified service data in the server according to the granted access function, completing this data access.
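As an added illustration (not code from the patent), the following Python model walks through both the registration flow of steps S300 to S350 and the access flow of steps S210 to S270 above, including the risk-triggered third verification and the micro-isolation lookup. The approved manufacturer identifiers, terminal names, credential stores, risk policy and data-level tables are all constructed assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed validity identifiers of approved manufacturers, stored in both the
# security agent and the identity authentication platform when the system is built.
APPROVED_VALIDITY_IDS = {"MFR-A-2022", "MFR-B-2022"}
# Constructed micro-isolation tables: level 1 is the terminal's own data, level 2 all
# terminals of the same type, level 3 the same region; each level has a unique access id.
AUTHORITY_TO_LEVELS = {"basic": {1}, "fleet": {1, 2}, "regional": {1, 2, 3}}
LEVEL_ACCESS_IDS = {1: "ACC-L1", 2: "ACC-L2", 3: "ACC-L3"}
# Constructed baseline access authority per terminal, before any risk-driven adjustment.
BASE_AUTHORITY = {"cam-001": "regional", "sensor-007": "fleet"}


def _digest(credential):
    # Each module stores only a hash of the credential (assumption; the patent leaves open
    # the storage form of the identity information).
    return hashlib.sha256(credential.encode()).hexdigest()


class IdentityStore:
    """Shared by the security agent and the identity authentication platform: each keeps
    its own copy of the identity information captured at registration."""
    def __init__(self):
        self.stored = {}  # terminal id -> credential digest (second / third identity info)

    def validity_check(self, validity_id):
        # First / second validity verification against the approved manufacturer ids.
        return validity_id in APPROVED_VALIDITY_IDS

    def remember(self, terminal_id, credential):
        self.stored[terminal_id] = _digest(credential)

    def verify(self, terminal_id, credential):
        # First / second identity verification: request identity info vs. the stored copy.
        expected = self.stored.get(terminal_id)
        return expected is not None and hmac.compare_digest(expected, _digest(credential))


class IdentityPlatform(IdentityStore):
    """Identity authentication platform; also runs the third (step-up) verification."""
    def __init__(self):
        super().__init__()
        self.pending_codes = {}

    def send_verification_code(self, terminal_id):
        # Stands in for sending a one-time code to the phone bound to the terminal.
        code = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending_codes[terminal_id] = code
        return code

    def third_verification(self, terminal_id, submitted):
        expected = self.pending_codes.pop(terminal_id, None)  # single use
        return expected is not None and hmac.compare_digest(expected, str(submitted))


class WindControlEngine:
    """Risk control decision engine: each reported abnormal behaviour raises the level."""
    def __init__(self):
        self.events = {}  # terminal id -> abnormal behaviours seen so far

    def report_abnormal(self, terminal_id, behaviour):
        self.events.setdefault(terminal_id, []).append(behaviour)

    def risk_level(self, terminal_id):
        return len(self.events.get(terminal_id, []))


def gateway_access_authority(engine, terminal_id):
    """Security gateway (constructed policy): raised risk collapses to own-device data."""
    return "basic" if engine.risk_level(terminal_id) > 0 else BASE_AUTHORITY.get(terminal_id, "basic")


def micro_isolation_grant(authority):
    """Micro-isolation module: look up the levels for the authority and hand out their ids."""
    return {LEVEL_ACCESS_IDS[lvl] for lvl in AUTHORITY_TO_LEVELS.get(authority, set())}


def register(agent, platform, terminal_id, credential, validity_id):
    """Steps S300-S350: two validity checks, then each module stores the identity info."""
    if not agent.validity_check(validity_id):
        return False
    agent.remember(terminal_id, credential)     # becomes the second identity information
    if not platform.validity_check(validity_id):
        return False
    platform.remember(terminal_id, credential)  # becomes the third identity information
    return True


def access(agent, platform, engine, terminal_id, credential, code=None):
    """Steps S210-S270: returns the stage reached and the access identifiers granted."""
    denied = lambda stage: {"granted": False, "stage": stage, "access_ids": set()}
    if not agent.verify(terminal_id, credential):          # first identity verification
        engine.report_abnormal(terminal_id, "password error")
        return denied("first_identity_verification")
    if not platform.verify(terminal_id, credential):       # second identity verification
        return denied("second_identity_verification")
    if engine.risk_level(terminal_id) > 0:                 # step-up only at raised risk
        if code is None:
            platform.send_verification_code(terminal_id)
            return denied("verification_code_required")
        if not platform.third_verification(terminal_id, code):
            return denied("third_identity_verification")
    authority = gateway_access_authority(engine, terminal_id)  # gateway adds the authority
    return {"granted": True, "stage": "micro_isolation", "authority": authority,
            "access_ids": micro_isolation_grant(authority)}
```

A terminal from an unapproved manufacturer is never stored and so fails the first identity verification later; a wrong password raises the risk level, after which the same terminal is pushed through the verification-code step and then only receives the level 1 access identifier.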
Through steps S200 to S270, an embodiment of the present application provides a data access method applied to a zero-trust-based internet of things system, the method comprising: when the access terminal needs to access the server, the access terminal sends an access request to the security agent; the security agent performs first identity verification on the access terminal according to the second identity information it has stored and the first identity information in the access request; when the first identity verification passes, the security agent encrypts the access request and sends the encrypted access request to the identity authentication platform; the identity authentication platform decrypts the access request and performs second identity verification on the access terminal according to the third identity information it has stored and the first identity information. If the wind control decision engine has raised the risk level according to abnormal behaviour of the access terminal, then, when the second identity verification passes, the identity authentication platform may perform a more complex third identity verification on the access terminal; when the third identity verification passes, the security gateway adds the access authority of the access terminal to the access request, encrypts the access request and sends the encrypted access request to the micro-isolation module; the micro-isolation module decrypts the access request, determines the accessible service data in the server according to the access authority and the stored correspondence, and grants the access function for the accessible service data to the access terminal; finally, the access terminal accesses the corresponding service data in the server according to the access function.
The method of the embodiment of the application realizes complete zero trust technology deployment from the access terminal to the server through multiple times of identity verification; moreover, the data security in the communication process is further ensured by encrypting the communication process among different modules in the system; and finally, the security of the service data in the server is ensured by controlling the access authority.
In summary, through the combination of one or more embodiments, the embodiment of the application provides a zero trust-based internet of things system and a data access method applied to the system, so that the problem of boundary failure between a terminal and a server in the related art is solved to a certain extent, complete and multidimensional zero trust technology deployment is realized on the internet of things system, the server can be effectively prevented from being attacked, and the security of the internet of things system is improved.
Referring to fig. 4, fig. 4 is a schematic diagram of a data access apparatus provided in an embodiment of the present application, where the apparatus 400 includes at least one processor 410 and at least one memory 420 for storing at least one program; in fig. 4, a processor and a memory are taken as an example.
The processor and memory may be connected by a bus or other means, such as by a bus in FIG. 4.
The memory, which is a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. Further, the memory may include high speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory located remotely from the processor, and these remote memories may be connected to the device over a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The above-described embodiments of the apparatus are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may also be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment.
The embodiment of the application also discloses a computer storage medium, wherein a program executable by a processor is stored, and the program executable by the processor is used for realizing the data access method provided by the application when being executed by the processor.
One of ordinary skill in the art will appreciate that all or some of the steps, systems, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as is well known to those of ordinary skill in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, Digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. In addition, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media as known to those skilled in the art.
While the preferred embodiments of the present invention have been described, the present invention is not limited to the above embodiments, and those skilled in the art can make various equivalent modifications or substitutions without departing from the spirit of the present invention, and such equivalent modifications or substitutions are included in the scope of the present invention defined by the claims.

Claims (10)

1. The zero-trust-based Internet of things system is characterized by comprising an access subsystem, a management subsystem and a background subsystem;
the access subsystem comprises an access terminal and a security agent;
the security agent is used for responding to an access request of the access terminal, performing first identity verification on the access terminal, and sending the access request to the management subsystem after the first identity verification is passed;
the management subsystem comprises an identity authentication platform and a security gateway;
the identity authentication platform is used for carrying out second identity authentication on the access terminal according to the access request;
the security gateway is used for adding the access authority of the access terminal in the access request when the second identity authentication is passed; sending the access request added with the access authority to the background subsystem;
the background subsystem comprises a micro-isolation module and a server;
and the micro-isolation module is used for granting an access function to the access terminal according to the access authority so that the access terminal accesses the server according to the access function.
2. The zero trust based internet of things system of claim 1, wherein the management subsystem further comprises a wind control decision engine;
the wind control decision engine is used for dynamically adjusting the risk level of the access terminal according to the abnormal behavior of the access terminal;
the security gateway is further used for dynamically adjusting the access authority corresponding to the access terminal according to the risk level;
the abnormal behaviors comprise abnormal login of the terminal, error of input passwords and abnormal consumption of the terminal.
3. The zero trust based internet of things system of any one of claims 1-2, wherein the access subsystem further comprises a secure browser and a secure sandbox;
the secure browser is used for providing a secure access network for the access terminal;
and the safety sandbox is used for isolating the equipment data of the access terminal from the office environment.
4. A data access method applied to the zero trust based internet of things system of any one of claims 1 to 3, the system comprising an access subsystem, a management subsystem and a background subsystem, wherein the access subsystem comprises an access terminal, a security agent, a security browser and a security sandbox, the management subsystem comprises an identity authentication platform, a security gateway and a wind control decision engine, and the background subsystem comprises a micro-isolation module and a server, the method comprising:
the access terminal sends an access request to the security agent;
according to first identity information in the access request and second identity information prestored in the security agent, performing first identity verification on the access terminal through the security agent;
when the first identity verification is passed, the security agent sends the access request to the identity authentication platform;
performing second identity verification on the access terminal through the identity authentication platform according to the first identity information and third identity information prestored in the identity authentication platform;
when the second identity authentication is passed, the security gateway adds the access authority of the access terminal in the access request, and sends the access request added with the access authority to the micro-isolation module;
according to the access authority, an access function is granted to the access terminal through the micro-isolation module;
and the access terminal accesses the server according to the access function.
5. The data access method of claim 4, further comprising:
when the first identity verification is passed, the security agent encrypts the access request and sends the encrypted access request to the identity authentication platform;
decrypting, by the authentication platform, the access request sent by the security agent;
and when the second identity authentication is passed, the security gateway encrypts the access request added with the access authority and sends the encrypted access request to the micro-isolation module.
6. The data access method according to claim 4, wherein after the step of performing a second identity verification on the access terminal by the identity authentication platform according to the first identity information and third identity information pre-stored by the identity authentication platform, the method further comprises:
when the wind control decision engine determines that the risk level of the access terminal is improved and the second identity authentication passes, the identity authentication platform performs third identity authentication on the access terminal;
when the third identity authentication passes, the security gateway adds the access authority in the access request and sends the access request to the micro-isolation module;
wherein the third identity authentication mode comprises authentication code authentication, fingerprint authentication or face authentication.
7. The data access method according to claim 4, further comprising a step of initially accessing, by the access terminal, the internet of things system, the step specifically comprising:
the access terminal sends a registration request to the security agent, wherein the registration request comprises fourth identity information and a legal identifier;
responding to the registration request, and the security proxy performs first validity verification on the access terminal according to the validity identification;
when the first validity verification passes, the security agent stores the fourth identity information as the second identity information and sends the registration request to the identity verification platform;
responding to the registration request, and performing second validity verification on the access terminal by the identity authentication platform according to the validity identification;
when the second validity verification passes, the identity verification platform stores the fourth identity information as the third identity information and sends response information of successful registration to the security agent;
and the security agent sends the response information to the access terminal so that the access terminal can successfully access the Internet of things system.
8. The data access method according to any one of claims 4-7, wherein the granting of the access function to the access terminal through the micro-isolation module according to the access right comprises:
grading service data in the server, and determining corresponding relations between the service data of different grades and access rights;
searching the service data corresponding to the access authority in the server according to the corresponding relation;
the micro-isolation module grants the access function of the service data to the access terminal.
9. A data access device, comprising:
at least one processor;
at least one memory for storing at least one program;
wherein the at least one program, when executed by the at least one processor, causes the at least one processor to implement the data access method of any one of claims 4-8.
10. A computer storage medium in which a processor-executable program is stored, the processor-executable program, when executed by a processor, implementing the data access method of any one of claims 4 to 8.
CN202210165043.XA 2022-02-22 2022-02-22 Zero trust-based Internet of things system, data access method, device and medium Active CN114553540B (en)

Publications (2)

Publication Number Publication Date
CN114553540A true CN114553540A (en) 2022-05-27
CN114553540B CN114553540B (en) 2024-03-08

Family

ID=81677054

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210165043.XA Active CN114553540B (en) 2022-02-22 2022-02-22 Zero trust-based Internet of things system, data access method, device and medium

Country Status (1)

Country Link
CN (1) CN114553540B (en)

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115150208A (en) * 2022-09-06 2022-10-04 信联科技(南京)有限公司 Zero-trust-based Internet of things terminal secure access method and system
CN115529157A (en) * 2022-08-08 2022-12-27 北京雪诺科技有限公司 Zero trust based enterprise application access system, method and access system
CN115865433A (en) * 2022-11-17 2023-03-28 中国联合网络通信集团有限公司 Service data request method, device and storage medium
CN116244975A (en) * 2023-05-11 2023-06-09 众芯汉创(北京)科技有限公司 Transmission line wire state simulation system based on digital twin technology
CN117155649A (en) * 2023-08-31 2023-12-01 金锐软件技术(杭州)有限公司 System and method for security protection of third party system accessing JAVA gateway

Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108632253A (en) * 2018-04-04 2018-10-09 平安科技(深圳)有限公司 Client data secure access method based on mobile terminal and device
WO2019157333A1 (en) * 2018-02-08 2019-08-15 Nussbaum Jared Peeirs:passive evaluation of endpoint identity and risk as a surrogate authentication factor
CN112118102A (en) * 2020-10-21 2020-12-22 国网天津市电力公司 Dedicated zero trust network system of electric power
US20210044623A1 (en) * 2019-08-07 2021-02-11 Cisco Technology, Inc. Dynamically tailored trust for secure application-service networking in an enterprise
CN112765639A (en) * 2021-01-27 2021-05-07 武汉大学 Security micro-service architecture based on zero trust access strategy and implementation method
US20210194883A1 (en) * 2019-12-18 2021-06-24 Voya Services Company Systems and methods for adaptive step-up authentication
EP3866436A1 (en) * 2020-02-14 2021-08-18 Zscaler, Inc. Cloud access security broker systems and methods for active user identification and load balancing
CN113949573A (en) * 2021-10-18 2022-01-18 天翼数字生活科技有限公司 Zero-trust service access control system and method

Patent Citations (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2019157333A1 (en) * 2018-02-08 2019-08-15 Nussbaum Jared Peeirs:passive evaluation of endpoint identity and risk as a surrogate authentication factor
CN108632253A (en) * 2018-04-04 2018-10-09 平安科技(深圳)有限公司 Client data secure access method based on mobile terminal and device
US20210044623A1 (en) * 2019-08-07 2021-02-11 Cisco Technology, Inc. Dynamically tailored trust for secure application-service networking in an enterprise
US20210194883A1 (en) * 2019-12-18 2021-06-24 Voya Services Company Systems and methods for adaptive step-up authentication
EP3866436A1 (en) * 2020-02-14 2021-08-18 Zscaler, Inc. Cloud access security broker systems and methods for active user identification and load balancing
CN112118102A (en) * 2020-10-21 2020-12-22 国网天津市电力公司 Dedicated zero trust network system of electric power
CN112765639A (en) * 2021-01-27 2021-05-07 武汉大学 Security micro-service architecture based on zero trust access strategy and implementation method
CN113949573A (en) * 2021-10-18 2022-01-18 天翼数字生活科技有限公司 Zero-trust service access control system and method

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
王首媛等: "基于零信任架构实现的物联网终端接入安全研究", 《邮电设计技术》, no. 07, pages 13 - 18 *
黄杰等: "电力物联网场景下基于零信任的分布式数据库细粒度访问控制", 《信息安全研究》, vol. 6, no. 7, pages 535 - 542 *

Cited By (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115529157A (en) * 2022-08-08 2022-12-27 北京雪诺科技有限公司 Zero trust based enterprise application access system, method and access system
CN115150208A (en) * 2022-09-06 2022-10-04 信联科技(南京)有限公司 Zero-trust-based Internet of things terminal secure access method and system
CN115865433A (en) * 2022-11-17 2023-03-28 中国联合网络通信集团有限公司 Service data request method, device and storage medium
CN116244975A (en) * 2023-05-11 2023-06-09 众芯汉创(北京)科技有限公司 Transmission line wire state simulation system based on digital twin technology
CN116244975B (en) * 2023-05-11 2023-07-25 众芯汉创(北京)科技有限公司 Transmission line wire state simulation system based on digital twin technology
CN117155649A (en) * 2023-08-31 2023-12-01 金锐软件技术(杭州)有限公司 System and method for security protection of third party system accessing JAVA gateway
CN117155649B (en) * 2023-08-31 2024-03-22 金锐软件技术(杭州)有限公司 System and method for security protection of third party system accessing JAVA gateway

Also Published As

Publication number Publication date
CN114553540B (en) 2024-03-08

Similar Documents

Publication number Title
US11134058B1 (en) Network traffic inspection
US10958662B1 (en) Access proxy platform
US11075955B2 (en) Methods and systems for use in authorizing access to a networked resource
JP6965921B2 (en) Network function virtualization system and verification method
CN112422532B (en) Service communication method, system and device and electronic equipment
CN114553540B (en) Zero trust-based Internet of things system, data access method, device and medium
US11457040B1 (en) Reverse TCP/IP stack
US20190356661A1 (en) Proxy manager using replica authentication information
US20220394026A1 (en) Network identity protection method and device, and electronic equipment and storage medium
CN115001870B (en) Information security protection system, method and storage medium
US9635017B2 (en) Computer network security management system and method
CN110855709A (en) Access control method, device, equipment and medium for security access gateway
CN113542214B (en) Access control method, device, equipment and machine-readable storage medium
CN112311769B (en) Method, system, electronic device and medium for security authentication
CN106899561A (en) A kind of TNC authority control methods and system based on ACL
CN113614720A (en) Device and method for dynamically configuring access control of trusted application program
CN116319024A (en) Access control method and device of zero trust system and zero trust system
CN117155716B (en) Access verification method and device, storage medium and electronic equipment
CN108900595B (en) Method, device and equipment for accessing data of cloud storage server and computing medium
CN112291204B (en) Access request processing method and device and readable storage medium
US20220191041A1 (en) Authenticated elevated access request
CN117768236A (en) Safety control and data desensitization platform and method based on API gateway
US11336667B2 (en) Single point secured mechanism to disable and enable the access to all user associated entities
CN116996305A (en) Multi-level security authentication method, system, equipment, storage medium and entry gateway
CN114978544A (en) Access authentication method, device, system, electronic equipment and medium

Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant