CN114745145A - Business data access method, device and equipment and computer storage medium - Google Patents


Publication number: CN114745145A
Authority: CN (China)
Prior art keywords: service, application, access, verification, certificate
Legal status: Granted (the legal status shown is an assumption and not a legal conclusion)
Application number: CN202110017660.0A
Other languages: Chinese (zh)
Other versions: CN114745145B (en)
Inventor: 吴岳廷
Current assignee: Tencent Technology Shenzhen Co Ltd
Original assignee: Tencent Technology Shenzhen Co Ltd
Priority: CN202110017660.0A
Events: application filed by Tencent Technology Shenzhen Co Ltd; publication of CN114745145A; application granted; publication of CN114745145B; current legal status: Active


Classifications (CPC)

    • H ELECTRICITY > H04 ELECTRIC COMMUNICATION TECHNIQUE > H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION > H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0884 Network architectures or network communication protocols for network security for authentication of entities by delegation of authentication, e.g. a proxy authenticates an entity to be authenticated on behalf of this entity vis-à-vis an authentication entity
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/145 Countermeasures against malicious traffic, the attack involving the propagation of malware through the network, e.g. viruses, trojans or worms
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general

Landscapes: Engineering & Computer Science; Computer Security & Cryptography; Computer Hardware Design; Computing Systems; General Engineering & Computer Science; Computer Networks & Wireless Communication; Signal Processing; Health & Medical Sciences; General Health & Medical Sciences; Virology; Storage Device Security

Abstract

The application discloses a service data access method, apparatus, device and computer storage medium in the technical field of security. When a service access request of a service application is intercepted, a security management client first performs a local security check; when the check passes, a target verification credential is allocated to the service access request, so that service access can proceed quickly on the basis of that credential. At the same time, the security management client requests a security management server to perform a deep security check on the service application. If, while the service access flow is being executed, the security management server indicates that the service application is a malicious application, the service access flow is blocked, preventing the malicious application from reaching protected service resources. The response speed of service access is thus improved while its security is ensured.

Description

Business data access method, device and equipment and computer storage medium
Technical Field
The application relates to computer technology, in particular to security technology, and provides a service data access method, a service data access apparatus, service data access equipment and a computer storage medium.
Background
In a big-data environment, network security threats are more complex than ever: the concentration of data concentrates both targets and risks, and data has become the primary target of attack. The traditional network security architecture is perimeter-based, with the intranet trusted by default; once the perimeter is breached by illegitimate means, the intranet can easily be penetrated and data leaked.
As data resources are opened up for interconnection and sharing, physical boundaries disappear, and a stricter and novel security protection technology, zero trust, has been proposed. Zero trust follows the principle of 'never trust, always verify': its strategy is to trust no person, device or application by default, to abandon the old perimeter-protection mindset, to treat systems inside and outside the boundary with equal distrust, and to grant authorization for access only after verification.
However, when security requirements are high, a zero-trust implementation needs highly unified management of authorization and access control, and every network access must be authenticated by the backend, so dependence on the network is high. Where network quality is unstable or the network is weak, verification and authorization easily time out or fail, network access fails frequently, usability is poor and network latency is high; and once the number of system users reaches a certain magnitude, high-concurrency authorization and access-control processing places a heavy demand on the processing capacity of the backend.
How to balance security and system performance is therefore an urgent problem to be solved.
Disclosure of Invention
Embodiments of the present application provide a service data access method, apparatus and device and a computer storage medium, which improve the response speed of service access while ensuring its security.
In one aspect, a service data access method is provided, applied in a terminal device, comprising:
when a service access request of a service application is intercepted, performing a local security check on the service access request according to a preset zero-trust access policy;
sending a deep security check request for the service application to a security management server;
when the local security check passes, determining, according to the target reachable area that the service access request indicates the service application requests to access, a matching target verification credential from a locally cached credential set, and executing a service access flow for the target reachable area according to the target verification credential;
and, during execution of the service access flow, if a deep security check result returned by the security management server in response to the deep security check request is received and the service application is determined from that result to be a malicious application, blocking the service access flow.
In one aspect, a service data access method is provided, applied in a security management server, comprising:
receiving a deep security check request for a service application sent by a security management client, the request being triggered when the security management client intercepts a service access request of the service application;
performing a deep security check according to the application feature information carried in the deep security check request;
during the security check, if a credential verification request carrying a target verification credential is received from an intelligent gateway, verifying the target verification credential; the credential verification request is triggered by the intelligent gateway on the basis of the target verification credential sent to it by the security management client, that credential being the one the security management client allocated, after local verification, to an intercepted service access request in which the service application requests access to a target reachable area;
returning the verification result for the target verification credential to the intelligent gateway, so that the intelligent gateway executes the service access flow for the target reachable area according to that result;
and, when the service application is determined to be a malicious application, returning to the security management client a deep security check result indicating that the service application is malicious, so that the security management client blocks the service access flow according to that result.
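As an added example that is not part of the patent, the following Python simulation wires the two method aspects above together: a terminal-side security management client that intercepts a request, performs the local check against a zero-trust access policy (application name, MD5 and signer against the trusted-application list, target against the reachable areas), takes a matching credential from a locally cached set and blocks the flow when the deep check reports a malicious application; a security management server that issues single-use credentials, verifies them for the gateway and runs the deep check; and an intelligent gateway that forwards to the service backend only after server-side verification. Every name here (`SecurityManagementClient`, `build_system`, the sample applications and areas, the hash denylist standing in for the server's analysis) is an assumption made for the illustration, not the project's code.

```python
import hashlib
import secrets
from dataclasses import dataclass

# Constructed sample data (not from the patent): the zero-trust access policy of
# one login user is the set of trusted applications times the reachable areas.
APP_BINARIES = {"office": b"office-binary-v1", "wechat": b"wechat-binary-v1"}
TRUSTED_APPS = {name: (hashlib.md5(data).hexdigest(), "Example Corp")
                for name, data in APP_BINARIES.items()}   # name -> (MD5, signer)
REACHABLE_AREAS = {"mail.intranet.example", "wiki.intranet.example"}


@dataclass
class AccessRequest:
    """Feature information of the requesting application plus its target area."""
    app_name: str
    app_md5: str
    app_signer: str
    target_area: str


class SecurityManagementServer:
    """Issues credentials, verifies them for the gateway and runs the deep check."""

    def __init__(self, malicious_md5s=()):
        self.issued = {}                      # credential -> (app, area), single use
        self.malicious_md5s = set(malicious_md5s)

    def issue_credentials(self, app, area, count):
        creds = [secrets.token_hex(16) for _ in range(count)]
        for c in creds:
            self.issued[c] = (app, area)
        return creds

    def verify_credential(self, cred, area):
        # pop(): a credential authorises exactly one request, so a replay fails
        entry = self.issued.pop(cred, None)
        return entry is not None and entry[1] == area

    def deep_check(self, req):
        # Stand-in for the server-side analysis of the reported feature info;
        # a constructed denylist of binary hashes plays that role here.
        return "malicious" if req.app_md5 in self.malicious_md5s else "clean"


class IntelligentGateway:
    """Forwards to the service backend only after the server verifies the credential."""

    def __init__(self, server, backend):
        self.server, self.backend = server, backend

    def forward(self, cred, area):
        if not self.server.verify_credential(cred, area):
            return None
        return self.backend(area)


class SecurityManagementClient:
    """Terminal side: local check, cached-credential lookup, blocking on a malicious verdict."""

    def __init__(self, server, gateway):
        self.server, self.gateway = server, gateway
        self.cache = {}                       # (app, area) -> list of cached credentials
        self.blocked = set()

    def precache(self, count=3):
        for app in TRUSTED_APPS:
            for area in REACHABLE_AREAS:
                self.cache[(app, area)] = self.server.issue_credentials(app, area, count)

    def local_check(self, req):
        if req.app_name in self.blocked:
            return False
        expected = TRUSTED_APPS.get(req.app_name)
        return (expected == (req.app_md5, req.app_signer)
                and req.target_area in REACHABLE_AREAS)

    def on_intercept(self, req):
        """Return (service response or None, deep check result or None)."""
        if not self.local_check(req):
            return None, None
        creds = self.cache.get((req.app_name, req.target_area), [])
        if not creds:
            return None, None             # cache exhausted; a real client would refill
        cred = creds.pop()
        # The deep check is asynchronous in the design; it is awaited inline here so
        # that the blocking decision during the access flow is deterministic.
        verdict = self.server.deep_check(req)
        if verdict == "malicious":
            self.blocked.add(req.app_name)
            return None, verdict
        return self.gateway.forward(cred, req.target_area), verdict


def build_system(malicious_md5s=()):
    """Wire up server, gateway and client around a constructed service backend."""
    server = SecurityManagementServer(malicious_md5s)
    gateway = IntelligentGateway(server, lambda area: f"data from {area}")
    client = SecurityManagementClient(server, gateway)
    client.precache()
    return server, gateway, client
```

The server keeps the authorization state of every issued credential and removes it on first verification, so a credential presented twice at the gateway is refused the second time; the client refuses further requests from an application once the deep check has flagged it.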
In one aspect, a service data access apparatus is provided, applied in a terminal device, comprising:
a local check unit, configured to perform a local security check on a service access request of a service application according to a preset zero-trust access policy when the service access request is intercepted;
a transceiver unit, configured to send a deep security check request for the service application to a security management server;
a matching unit, configured, when the local security check passes, to determine a matching target verification credential from a locally cached credential set according to the target reachable area that the service access request indicates the service application requests to access, and to execute a service access flow for the target reachable area according to the target verification credential;
and a blocking unit, configured to block the service access flow if, during its execution, a deep security check result returned by the security management server in response to the deep security check request is received and the service application is determined from that result to be a malicious application.
In one aspect, a service data access apparatus is provided, applied in a security management server, comprising:
a transceiver unit, configured to receive a deep security check request for a service application sent by a security management client, the request being triggered when the security management client intercepts a service access request of the service application;
a deep check unit, configured to perform a deep security check according to the application feature information carried in the deep security check request;
a credential verification unit, configured to verify a target verification credential if, during the security check, a credential verification request carrying the target verification credential is received from an intelligent gateway; the credential verification request is triggered by the intelligent gateway on the basis of the target verification credential sent to it by the security management client, that credential being the one the security management client allocated, after local verification, to an intercepted service access request in which the service application requests access to a target reachable area;
the transceiver unit being further configured to return the verification result for the target verification credential to the intelligent gateway, so that the intelligent gateway executes a service access flow for the target reachable area according to that result, and, when the service application is determined to be a malicious application, to return to the security management client a deep security check result indicating that the service application is malicious, so that the security management client blocks the service access flow according to that result.
In one aspect, a computer device is provided, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the steps of any of the above methods when executing the computer program.
In one aspect, a computer storage medium is provided having computer program instructions stored thereon that, when executed by a processor, implement the steps of any of the above-described methods.
In one aspect, a computer program product or computer program is provided that includes computer instructions stored in a computer-readable storage medium. The computer instructions are read by a processor of a computer device from a computer-readable storage medium, and the computer instructions are executed by the processor to cause the computer device to perform the steps of any of the methods described above.
In the embodiments of the application, when a service access request of a service application is intercepted, a security management client first performs a local security check; when the check passes, a target verification credential is allocated to the service access request, so that service access can proceed quickly on the basis of that credential. At the same time, the security management client requests a security management server to perform a deep security check on the service application, and if, while the service access flow is being executed, the security management server indicates that the service application is a malicious application, the service access flow is blocked, preventing the malicious application from reaching protected service resources. The response speed of service access is thus improved while its security is ensured.
Drawings
To describe the embodiments of the present application or the prior art more clearly, the drawings needed in that description are briefly introduced below. The drawings described below are only embodiments of the present application; those skilled in the art can obtain other drawings from them without creative effort.
Fig. 1 is a schematic diagram of the architecture of a zero-trust access security service provided in an embodiment of the present application;
Fig. 2 is a schematic structural diagram of a security management system according to an embodiment of the present application;
Fig. 3 is a flowchart of the process of making a zero-trust access policy according to an embodiment of the present application;
Fig. 4 is a schematic diagram of the interface through which a management user configures a zero-trust access policy according to an embodiment of the present application;
Fig. 5 is a schematic diagram of the detailed information of a trusted application provided in an embodiment of the present application;
Fig. 6 is a schematic interface diagram of a management user configuring a service system according to an embodiment of the present application;
Fig. 7 is a schematic interface diagram of a management user configuring a service system according to an embodiment of the present application;
Figs. 8a to 8c are schematic diagrams of the interfaces shown when a user uses a security management client according to an embodiment of the present application;
Fig. 9 is a schematic flowchart of a service access method according to an embodiment of the present application;
Fig. 10 is another schematic flowchart of a service access method according to an embodiment of the present application;
Fig. 11 is a schematic diagram of a security management server issuing a verification credential to a security management client according to an embodiment of the present application;
Fig. 12 is a schematic structural diagram of a ticket encryption cache according to an embodiment of the present application;
Fig. 13 is a schematic flowchart of a security management component performing a local security check according to an embodiment of the present application;
Fig. 14 is a schematic diagram of the path by which access from an untrusted device is blocked according to an embodiment of the present application;
Fig. 15 is a schematic diagram of the construction process of a local risk process library according to an embodiment of the present application;
Fig. 16 is a schematic structural diagram of a service access apparatus according to an embodiment of the present application;
Fig. 17 is a schematic structural diagram of another service access apparatus according to an embodiment of the present application;
Fig. 18 is a schematic structural diagram of a computer device according to an embodiment of the present application.
Detailed Description
To make the objects, technical solutions and advantages of the present application clearer, the technical solutions in its embodiments are described clearly and completely below with reference to the accompanying drawings. The described embodiments are only some of the embodiments of the present application, not all of them; all other embodiments that a person skilled in the art can derive from them without creative effort fall within the protection scope of the present application. The embodiments, and the features of the embodiments, may be combined with each other arbitrarily where they do not conflict. Also, although the flow diagrams show a logical order, in some cases the steps shown or described may be performed in a different order.
The method of the embodiments may be based on cloud technology: a validity check is performed on the verification credential matched to a service access request, and when it passes, the service response result for that request is obtained through the intelligent gateway from the service server corresponding to the service application; furthermore, a remote deep security check is performed on the service application running on the user terminal, and when the deep security check result indicates that the service application is a malicious process, the user terminal is instructed to block the service access of that application. The method and apparatus therefore belong to the field of cloud security within cloud technology.
Cloud technology is a hosting technology that unifies resources such as hardware, software and networks within a wide area network or local area network to provide computation, storage, processing and sharing of data.
Cloud technology is the general name for the network, information, integration, management-platform and application technologies applied in a cloud computing business model; it can form a resource pool that is used on demand, flexibly and conveniently, and cloud computing will become an important support. The background services of a technical network system, such as video websites, picture websites and other web portals, require large amounts of computing and storage resources. As the internet industry develops, each item may carry its own identification mark that has to be transmitted to a background system for logical processing, data at different levels are processed separately, and the data of the various industries need strong backend support, which can only be provided through cloud computing.
Cloud security is the general name for the security software, hardware, users, organizations and security cloud platforms applied on the basis of a cloud computing business model. It integrates emerging technologies and concepts such as parallel processing, grid computing and the judgement of unknown virus behaviour: a large number of networked clients monitor abnormal software behaviour in the network, obtain the latest information on trojans and malicious programs on the internet and send it to the server for automatic analysis and processing, after which the virus and trojan solution is distributed to each client.
Specifically, the main research directions of cloud security include:
1. cloud computing security, which studies how to guarantee the security of the cloud and of the applications on it, including the security of the cloud computer system, secure storage and isolation of user data, user access authentication, secure information transmission, protection against network attacks, compliance auditing and the like;
2. cloud-based security infrastructure, which studies how to use cloud computing to build and integrate security infrastructure resources and optimize security protection mechanisms, including constructing a very large-scale platform for collecting and processing security events and information through cloud computing, collecting and correlating massive amounts of information, and improving the capability to handle and control security events and risks across the whole network;
3. cloud security services, which study the various security services, such as anti-virus services, provided to users on the basis of a cloud computing platform.
For ease of understanding the technical solutions of the embodiments, some key terms used in them are explained first:
Trusted application: an application carrier, trusted by the management end of the service application client, through which the user terminal can access the internal service system. It may be any application that can be installed on the user terminal, including operating-system applications and applications the user installs, such as Outlook, WeChat or Office. The application feature information of a trusted application includes its application name, the Message Digest Algorithm 5 (MD5) value of the application and its signature information. For example, a trusted application may be a social client, an office client, a retrieval client (e.g. a browser), a multimedia client (e.g. a video client), an entertainment client (e.g. a game client), an educational client, a live-streaming client, a news client or a shopping client (e.g. an e-commerce client).
Reachable area: the list of internal sites configured by the enterprise that a user may access through the zero-trust network; according to the zero-trust access policy configured for the user, the internal sites in that list which the user is allowed to access form the user's reachable area.
Login credential: after the user successfully logs in to the security management client (for example, the iOA client), the corresponding security management server (for example, the iOA server) assigns the user an encrypted string representing the user's login authorization information, including user information and an authorization validity period; it is stored in encrypted form in the security management client.
Verification credential: also called a network request voucher or ticket; authorization information issued by the security management server for a single service access request and used to identify the authorization state of that network request. When a service access request is intercepted, the security management client or the security management server issues a verification credential for it; the network access proxy carries the credential when initiating access to the intelligent gateway, and the intelligent gateway forwards the service access request to the corresponding service server only after the security management server has verified the credential.
Zero-trust access policy: consists of the trusted applications a user may use and the reachable areas the user may access; within the scope of the user's zero-trust access policy, the user can access any reachable area through any trusted application. The granularity of the zero-trust access policy is the login user, and different zero-trust policies may be made for different login users.
Intelligent gateway: also called the zero-trust gateway; deployed at the entrance to enterprise applications and data resources, it verifies and forwards every service access request for enterprise resources.
Access proxy component: a terminal agent deployed in the controlled terminal device that initiates secure access. It initiates the trusted identity verification of the access subject; once the identity is verified as trusted, an encrypted access connection can be established with the access gateway. The access proxy is also the policy enforcement point of access control.
Access subject: the party in the network that initiates access, i.e. the people, devices and applications accessing intranet service resources.
Access object: the party in the network that is accessed, i.e. the enterprise intranet's service resources, data, development and test environments, operation and maintenance environments and the like.
Zero-trust access security service: as shown in Fig. 1, the security management system provided in the embodiments is a zero-trust network security service provider. It consists of a security management client (comprising a security management component and an access proxy component), a security management server and an intelligent gateway. The access proxy component on the user terminal and the intelligent gateway provide a unified entry through which an access subject requests an object's resources over the network; the security management component and the security management server provide authentication for that entry, only service access requests that pass authentication are forwarded by the access proxy component to the intelligent gateway, and the intelligent gateway proxies access to the actual service system.
Service addressing: in the distributed cascade deployment mode, different services are deployed on different servers; the process by which the client's service modules look up the connection address of the server hosting the background service they need is service addressing.
As interconnection and sharing of data resources are open, zero trust technology is increasingly applied.
At present, when a zero trust network is used for service access, the problem of ticket acquisition overtime or failure easily occurs in the scene of weak network every time when the network quality is unstable, so that the problem of frequent failure of network access occurs, the usability is poor, and the network delay is high.
When the security requirement is high, a zero-trust implementation needs highly unified management of authorization and access control: each service access request must synchronously apply to a server over the network for a verification certificate, and before the service application actually accesses the service site it must wait synchronously for the server to generate and return that certificate. The scheme is therefore heavily dependent on the network. When network quality is unstable or the network is weak, verification and authorization easily time out or fail, network access fails frequently, usability is poor and network latency is high; and once the number of system users reaches a certain magnitude, high-concurrency authorization and access control processing also places a heavy load on the processing capacity of the backend.
To reduce the dependence on network performance, the application for the verification certificate can be pushed down into the user terminal: a batch of verification certificates is cached in the user terminal in advance, and the user terminal then performs the security verification and issues the verification certificate itself, so that the certificate is issued rapidly and network access in a weak-network environment is improved. For security, it is still necessary for the server to perform a more comprehensive security check on the service application in the user terminal: the user terminal asynchronously reports the feature information of the service application, and if an abnormality is found the server performs a deep security check and, where necessary, notifies the user terminal to block the service access, so that data security is ensured.
In view of this, the embodiments of the present application provide a service data access method. When a service access request of a service application is intercepted, on the one hand the security management client performs a local security check and, when the check passes, distributes a target check certificate for the service access request, so that rapid service access can be realized according to that certificate; on the other hand, the security management client also requests the security management server to perform a deep security check on the service application, and if, while the service access flow is being executed, an indication is received from the security management server that the service application is a malicious application, the service access flow is blocked so that the malicious application cannot access the protected service resources. The response speed of service access is thereby improved while its security is still ensured.
In addition, in this method a plurality of verification certificates for each service access combination are pre-cached locally, and after the local check of the service application that triggered the service access request passes, a corresponding verification certificate is distributed to the service application. This avoids the blocked network access, high latency and instability caused by having to apply to the server for a verification certificate on every service access request, so network access latency is reduced while its stability is improved.
In the embodiment of the application, the security management server may pre-issue the check credentials for the user according to the zero-trust network access policy configured for each user or according to the user's network access behavior, for example by issuing check credentials for each service access combination covered by the user's zero-trust network access policy, or for a plurality of service access combinations that the user uses frequently, so that the check credentials are cached at the security management client and the access speed during service access is increased.
After introducing the design concept of the embodiment of the present application, some brief descriptions of application scenarios to which the technical solution can be applied are provided below. It should be noted that these scenarios only illustrate the embodiment of the present application and do not limit it; in a specific implementation, the technical solution provided by the embodiment can be flexibly applied according to actual needs.
The scheme provided by the embodiment of the application can be applied to a zero-trust network access scenario. Fig. 2 is a schematic architecture diagram of a security management system provided by the embodiment of the application; the scenario may include a plurality of user terminals 10, such as user terminals 10-1 to 10-n shown in fig. 2, and further includes a terminal management server 20, an intelligent gateway 30, a service server 40 and a cloud search-and-kill server 50.
The user terminal 10 may be an intelligent terminal with a service data access function, such as a smart phone, a tablet computer, a notebook computer, a desktop computer, a wearable device, a smart home device or a head-mounted device. Each user terminal 10 may be a terminal device controlled by a user group, for example a terminal device used by each employee in an enterprise, or a terminal device used by a member of a certain group or organization.
As shown in fig. 2, each user terminal 10 may be installed with a business application 102 and a security management client 101. Business applications 102 may include trusted applications and may also include untrusted applications.
The terminal management server 20 may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, a middleware service, a domain name service, a security service, a CDN, and a big data and artificial intelligence platform, but is not limited thereto.
The intelligent gateway 30 may be any gateway capable of implementing service access request authentication and request forwarding, and in a possible implementation manner, the terminal management server 20 and the intelligent gateway 30 may be implemented by the same device, for example, may be deployed in the same server, and of course, may also be deployed in different devices, which is not limited in this embodiment of the present application.
The service server 40 is the access object requested by the service access request, for example an internal site of an enterprise. The service data and other contents on the service server 40 are protected access objects, and access is allowed only when authorization verification passes.
The cloud search-and-kill server 50 is configured to implement a cloud search-and-kill function, that is, to detect whether the application process of a business application is safe, for example whether it contains a vulnerability or a virus or trojan, and to return a result stating whether the application process is a malicious process. For example, it may be a threat intelligence cloud lookup service or a TAV antivirus engine.
In a specific application, a user may install the security management client 101 on a user terminal in advance. The security management client 101 may include a security management component (also referred to as a security management client) and an access agent component (also referred to as an access agent client). The security management component is a security agent (Agent) installed on the terminal device; it interfaces with the security management server 20 and is responsible for the security check functions, for example verifying the trusted identity of the user on the user terminal, verifying whether the user terminal is trusted and whether a service application is trusted, and submitting unknown processes to the server for process checking. The access agent component may hijack the device traffic through a virtual network card (e.g., a TUN/TAP virtual network card) to obtain the service access request, and interfaces with the intelligent gateway 30 to implement functions such as forwarding the service access request. After the authentication by the security management component passes, the access agent component is responsible for forwarding the service access request to the intelligent gateway; if the service access request does not pass the authentication, the request is either connected directly (bypassing the gateway) or the connection is interrupted.
When a user logs in to the user's account on the security management client 101, the security management component may obtain from the security management server 20 the zero-trust access policy configured by an administrator for that user. When the user then initiates a network access with the service application 102 on the user terminal 10, the access agent component may intercept the service access request triggered by the network access and request the security management component to perform a security check on it.
On the one hand, the security management component judges whether the service application initiating the access and the accessed site conform to the zero-trust access policy. If not, the security management component returns a direct-connection result to the access agent component, which then forwards the service access request directly to the target service site. If the zero-trust policy is met, the security management component collects the feature information of the service application and judges whether the service application is a risk process; if so, a rejection response is sent to the access agent component, and if not, the security management component obtains a verification certificate from the locally cached certificate list and returns it to the access agent component.
The access agent component first initiates a request carrying the check certificate to the intelligent gateway 30. After receiving this request, the intelligent gateway 30 has the check certificate verified by the security management server 20. If the verification succeeds, the intelligent gateway 30 establishes a connection with the access agent component, the access agent component then sends the original service access request to the intelligent gateway 30, and the intelligent gateway 30 forwards it to the corresponding service server, proxying the actual network access of the application. If the check certificate fails verification, the connection between the access agent component and the intelligent gateway 30 is broken.
On the other hand, the security management component may also collect more detailed feature information of the service application and asynchronously initiate a deep security check at the security management server 20. The security management server 20 may perform the security check on the service application itself, or may initiate a check request to the cloud search-and-kill server 50 for a deep security check of the service application. When the security management server 20 or the cloud search-and-kill server 50 determines that the application process of the service application is a malicious process, the security management server 20 notifies the security management component to perform a blocking operation on the existing access link.
Of course, the method provided in the embodiment of the present application is not limited to be used in the application scenario shown in fig. 2, and may also be used in other possible application scenarios, and the embodiment of the present application is not limited. The functions that can be implemented by each device in the application scenario shown in fig. 2 will be described in the following method embodiments, and will not be described in detail herein.
In the embodiment of the present application, before performing service access based on the zero trust access policy, a zero trust access policy needs to be made for each user, so a process of making the zero trust access policy is described below. Fig. 3 is a flow chart illustrating a process of making a zero trust access policy.
Step 301: the security management server issues a relaxed (open) zero-trust access policy to the security management client.
In the embodiment of the present application, when the zero-trust access policy is initially set there is no basis for the policy settings. For example, an enterprise may include different departments, and the applications or resources used by different departments may differ, so the enterprise administrator may not know which trusted applications or reachable areas should be configured for which users. Therefore, the administrative user can relax the policy, that is, set the trusted application set of each user to any application and the reachable area set to any area, so that the user can access any area with any application.
The management user is a user having a management authority in a user group, for example, an enterprise administrator in an enterprise, and a user terminal where a security management client that logs in a management user account is located is a management user terminal. As shown in fig. 4, an interface diagram for configuring a zero-trust access policy for an administration user is shown, where the interface may be an interface of a security management client logged in to an account of the administration user at runtime. In this interface, the administrative user may select a user that needs to configure the policy, for example, may select to configure "all network accounts" in the account tree in the interface shown in fig. 4, which means to configure the policy for all users in a user group (e.g., an enterprise), or may select to configure the policy for a certain user or a certain user group, which means that the administrative user may select an account of the user or the group that needs to configure.
A zero-trust access policy has user-application-service-site granularity, so after a user is selected, the application and service site of that user need to be configured. As shown in fig. 4, this specifically includes "trusted application configuration" and "service system configuration": the trusted application configuration configures the trusted applications corresponding to the user, and the service system configuration configures the service sites corresponding to the user, that is, the user's reachable area, the accessible internal site area. After the trusted applications and service sites are configured, the user can access any configured service site through any configured trusted application.
Specifically, when the administrative user performs the trusted application configuration, a configuration preset by the system may be selected, or the configuration may be edited by the administrative user, as shown in fig. 4. Since the administrative user does not know which applications should be configured for which users during the initial configuration, the administrative user may relax the policy; to facilitate this initial configuration, an application group of "any application" is provided as a trusted application set, and the administrative user may select it so that the user may use any application to access the reachable area. Different application groups can be set for different operating systems, so that even the same user can be given different trusted application sets for different operating systems, and the user has different zero-trust access policies when logging in to the security management client from devices with different operating systems.
Fig. 5 is a schematic diagram illustrating the details of a trusted application. When the administrative user configures a trusted application for a user, the administrative user may check the detail information of the application to decide whether to configure it as a trusted application. As shown in fig. 5, the detail information may include the process name, application name, signature information, version information, check result, process MD5, and Secure Hash Algorithm (SHA) 256 value of the application.
Specifically, when the administrative user performs the service system configuration, a configuration preset by the system may be selected, or the configuration may be edited by the administrative user, as shown in fig. 4. Since the administrative user does not know which service systems should be configured for which users during the initial configuration, the administrative user may relax the policy; to facilitate this initial configuration, a service system group of "all urls" is provided as a reachable area set, and the administrative user may select it so that the user may use the application to access any reachable area.
After releasing the policy, the service access conditions of all users in the enterprise can be collected, and then configuration can be performed according to the historical service access conditions when application or service system configuration is performed subsequently. For example, when a zero-trust access right is configured for a certain user or group, an application with a high historical access frequency of the user or the enterprise may be displayed on a configuration page for the management user to check, and the selected application is the trusted application configured for the user or group.
As shown in fig. 6 and 7, a schematic diagram of an interface for configuring a business system for an administrative user. As shown in fig. 6 and fig. 7, in the edit page accessible to the business system, the administrative user may select a representation type of the business system, such as an Internet Protocol Address (IP Address) or a domain name, fig. 6 is an example of the edit page taking the IP Address as an example, and fig. 7 is an example of the edit page taking the domain name as an example.
As shown in fig. 6, when selecting the IP address type, the administrative user may edit the contents such as the specified IP address or IP segment accessible by the user and the specific port accessed, and as shown in fig. 7, when selecting the domain name type, the administrative user may edit the contents such as the domain name accessible by the user and the specific port accessed.
Step 302: the security management client collects network access acquisition information of the user terminal.
When the user uses the system, the user needs to install a security management client on the user terminal and log in to the user's own account in order to enable zero-trust office work through the security management client. Fig. 8a to 8c are schematic diagrams of the interfaces a user sees when using the security management client.
Because the zero-trust access policy is based on the user identity, the user needs to log in to the user's own account in the security management client. When the user is not logged in, the interface is as shown in fig. 8a, where "XXXX" is the name of the security management client; only the offline functions of the security management client are available, items such as "account not logged in" and "trusted software not configured" are displayed to prompt the user, and the login page shown in fig. 8a is presented, where the user can choose to log in by scanning a code or with an account and password. After the user successfully logs in to the security management client, the security management server issues a login certificate for the user; it represents the user's login authorization and includes the user information and the authorization validity period. The security management client encrypts and stores the login certificate on the client side, and the login certificate can be used in subsequent identity verification.
After the user successfully logs in the security management client, the 'account is not logged in' on the interface is changed into 'account is logged in', and since the security management server can issue a zero trust access policy to the user based on the identity of the user after the user logs in, the trusted software of the user is also configured, so that the 'trusted software unconfigured' on the interface is also changed into 'trusted software configured'.
For example, when a zero-trust office is opened, the user can log in the security management client to realize a zero-trust office function, and the user can operate the "office security real-time protection" to enter the detail page of the office security real-time protection shown in fig. 8b, and in the page, the user can know the item categories of specific protection, such as the "real-time protection policy", the "antivirus protection engine", and the "security reinforcement policy", and can view the detailed items corresponding to each category, such as the detailed items corresponding to the "real-time protection policy" shown in fig. 8b, including protection in the aspect of "application entry protection" and protection in the aspect of "system bottom layer protection". In addition, the user may further operate "the trusted software has been configured", and then enter the details page of the trusted application as shown in fig. 8c, in which the user may know the trusted application corresponding to the user, as shown in fig. 8c, when the administrative user releases the policy, the trusted application of the user is any application.
When a user accesses an internal site by specifically using an application on a user terminal, the security management client may collect network access collection information of the user, where the network access collection information includes application-related information such as an application path initiating a network access, version information of an application execution file, MD5 of the application execution file, signature information and certificate chain information of the application execution file, and a destination URL of access.
Step 303: and the security management client reports the collected network access acquisition information to the security management server.
Step 304: the security management server generates policy assistance information based on network access acquisition information of each user.
After receiving the network access acquisition information sent by the security management client, the security management server can analyze the network access acquisition information, and further generate policy auxiliary information for assisting a management user in formulating a management policy according to the analyzed content.
Specifically, during use a user may frequently access an internal site with the same applications, so the reported network access acquisition information may contain repeated content; the security management server may therefore perform cache deduplication to reduce its processing burden. Then the security management server checks the certificate chain information of the execution file, for example judging whether it contains blacklisted certificate information, and sends the feature information of the application execution file reported by the security management client to the cloud search-and-kill server to check whether the file is a malicious process. Finally, auxiliary policy information is generated from the certificate check result and the application check result of the cloud search-and-kill server, so that the enterprise administrator can formulate a zero-trust access policy that fits the characteristics of the enterprise based on this auxiliary policy information.
Step 305: the administrative user pulls the policy assistance information from the security management server.
Step 306: and the management user formulates a zero trust access strategy according to the strategy auxiliary information.
The auxiliary policy information may include a common secure application name and application feature information, an accessed enterprise internal site, a mapping relationship between an application and an accessed internal site, and the like, so that when a management user edits a zero-trust access policy for a certain user or group, the management user may select from the common application and internal site in the site network access information base to form a corresponding zero-trust access policy.
In the embodiment of the application, after the zero trust access policy of each user is configured, service access can be performed according to the zero trust access policy of each user. Fig. 9 is a schematic flow chart of a service access method provided in the embodiment of the present application.
Step 901: and the safety management client intercepts and captures a service access request of the service application.
Step 902: and the security management client performs local security verification on the service access request according to a preset zero trust access strategy.
Step 903: and when the local security check is passed, the security management client determines a matched target check certificate from the certificate set cached locally according to the target reachable area requested to be accessed by the service application indicated by the service access request.
Step 904: and the safety management client initiates a service access process to the intelligent gateway.
Specifically, the security management client initiates a service access process for the target reachable area to the intelligent gateway according to the target verification certificate.
Step 905: and the intelligent gateway initiates a certificate verification request carrying a target verification certificate to the security management server.
Step 906: the security management server verifies the target verification certificate.
Step 907: and the safety management server returns a verification result to the intelligent gateway.
Step 908: and the intelligent gateway executes a service access process aiming at the target reachable area according to the verification result.
Step 909: and the safety management client sends a deep safety check request of the service application to the safety management server.
Step 910: the security management server carries out a deep security check according to the application feature information carried by the deep security check request.
Step 911: and the safety management server returns a deep safety check result to the safety management client.
Step 912: and when the safety management client determines that the service application is a malicious application according to the deep safety check result, blocking a service access flow.
In the above flows, the process of steps 902 to 908 is a local check fast access flow, that is, after the local check is successful, a check certificate is sent fast to realize the fast access of the service application, and the process of steps 909 to 912 is an asynchronous submission flow, wherein the process of steps 902 to 908 and the process of steps 909 to 912 may be performed asynchronously and concurrently, and when the process of steps 909 to 912 determines that the service application is a malicious application, the process of steps 902 to 908 is immediately interrupted.
Therefore, in the embodiment of the application, when a service access request of a service application is intercepted, on one hand, local security verification is performed through the security management client, and when the security verification passes, a target verification certificate is distributed for the service access request, so that rapid service access can be realized according to the target verification certificate, on the other hand, the security management client can also request the security management server to perform deep security verification on the service application, and in the process of executing the service access flow, once an indication that the service application is indicated to be malicious by the security management server is received, the service access flow is blocked, so that the malicious application is prevented from accessing protected service resources, and further, the response speed of the service access is improved, and meanwhile, the security of the service access can be ensured.
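The two concurrent flows described above (steps 902 to 908 as the fast path over a cached credential, steps 909 to 912 as the asynchronous deep check that can block the link) can be modelled as follows. This is an added example, not code from the patent; the server, gateway verification, policy entries, MD5 values and the "malicious" decision rule are all constructed stand-ins.

```python
"""Fast local-check access path with an asynchronous deep check (Fig. 9 flow).

Added example modelled on the description; it is not code from the patent.
Server, gateway, policy and ticket values are all constructed stand-ins.
"""
import secrets
import threading
from dataclasses import dataclass, field


class SecurityManagementServer:
    """Constructed stand-in: issues/verifies tickets and runs the deep check."""

    def __init__(self, malicious_md5s):
        self.issued = set()               # (app, url, ticket) still valid
        self.malicious = set(malicious_md5s)

    def issue_tickets(self, app, url, n):
        tickets = [secrets.token_hex(8) for _ in range(n)]
        self.issued.update((app, url, t) for t in tickets)
        return tickets

    def verify_ticket(self, app, url, ticket):
        # Steps 905-907: one-time use, the ticket is consumed on verification,
        # so a replayed ticket is rejected.
        try:
            self.issued.remove((app, url, ticket))
        except KeyError:
            return False
        return True

    def deep_check(self, features):
        # Step 910: stand-in for the certificate-chain check and the cloud
        # search-and-kill lookup; here a constructed MD5 blocklist decides.
        return "malicious" if features["md5"] in self.malicious else "clean"


@dataclass
class AccessSession:
    app: str
    url: str
    ticket: str = ""
    connected: bool = False
    blocked: threading.Event = field(default_factory=threading.Event)
    deep_check_done: threading.Event = field(default_factory=threading.Event)
    forwarded: list = field(default_factory=list)


class SecurityManagementClient:
    def __init__(self, server, policy, ticket_cache):
        self.server = server
        self.policy = set(policy)          # {(trusted_app, reachable_area)}
        self.cache = ticket_cache          # {(app, url): [ticket, ...]}

    def local_check(self, app, url):
        # Step 902: does the (application, site) pair match the zero-trust policy?
        return (app, url) in self.policy

    def take_ticket(self, app, url):
        # Step 903: matching target check credential from the local cache.
        bucket = self.cache.get((app, url))
        return bucket.pop() if bucket else None

    def _deep_check(self, session, features):
        # Steps 909-912 run concurrently with the access flow.
        if self.server.deep_check(features) == "malicious":
            session.blocked.set()          # blocks the existing access link
        session.deep_check_done.set()

    def handle_request(self, app, features, url):
        # Step 901: intercepted request. Outside the policy -> direct connection
        # (no gateway, no ticket), as the Fig. 2 description states.
        if not self.local_check(app, url):
            return "direct", None
        ticket = self.take_ticket(app, url)
        if ticket is None:
            return "no-cached-ticket", None  # would need a synchronous server request
        session = AccessSession(app, url, ticket)
        threading.Thread(target=self._deep_check, args=(session, features)).start()
        # Steps 904-908: the gateway has the server verify the ticket before connecting.
        session.connected = self.server.verify_ticket(app, url, ticket)
        return ("connected" if session.connected else "ticket-rejected"), session

    def forward(self, session, payload):
        # Every forward on the link first checks whether the deep check blocked it.
        if not session.connected:
            return "not-connected"
        if session.blocked.is_set():
            return "blocked"
        session.forwarded.append(payload)
        return "forwarded"


def demo():
    """Constructed run: a clean and a malicious application under the same policy."""
    site = "https://wiki.internal.example"
    server = SecurityManagementServer(malicious_md5s={"deadbeef" * 4})
    policy = [("app1", site), ("app2", site)]
    cache = {combo: server.issue_tickets(*combo, 3) for combo in policy}
    client = SecurityManagementClient(server, policy, cache)
    out = {}
    status, s1 = client.handle_request("app1", {"md5": "00" * 16}, site)
    s1.deep_check_done.wait()
    out["clean"] = (status, client.forward(s1, "GET /"))
    status, s2 = client.handle_request("app2", {"md5": "deadbeef" * 4}, site)
    s2.deep_check_done.wait()
    out["malicious"] = (status, client.forward(s2, "GET /"))
    out["off_policy"] = client.handle_request("browser", {"md5": "11" * 16}, "https://public.example")
    out["replay"] = server.verify_ticket("app1", site, s1.ticket)
    out["left_in_cache"] = len(cache[("app1", site)])
    return out
```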
Fig. 10 is another schematic flow chart of the service access method provided in the embodiment of the present application.
Step 1001: and the safety management server issues a verification certificate of at least one service access combination to the safety management component.
In the embodiment of the application, the principle of zero-trust technology is "never trust, always verify", so a verification certificate must be used whenever verification is performed in a specific service access process. Generally, each time a service access event occurs the security management client requests the required verification credential from the security management server, but when the system concurrency is large the processing pressure on the security management server is high. To reduce the burden on the security management server, it may therefore issue the verification credentials to the security management client in advance.
As shown in fig. 10, the security management client may specifically include a security management component and an access agent component. The security management component interacts with the security management server to implement the security management related functions, for example verifying the trusted identity of the user on the device, verifying whether the device is trusted and whether an application is trusted, and submitting unknown processes to the server for checking; the access agent component interacts with the intelligent gateway to implement the request forwarding related functions.
Specifically, the security management server may determine, according to a zero trust access policy or a historical service access condition, a service access combination for which a check credential needs to be issued.
The zero-trust access policy refers to a mapping relationship that is specified by an enterprise administrator and allows a trusted application used by a user to access a specific service site (reachable area), and is an example of the zero-trust access policy as shown below.
[Figure BDA0002887551120000131: example zero-trust access policy listing, not reproduced in the text.]
In the above example, each "accessiblearea" node is a reachable region, and each "trustedapp" node is a trusted application.
In the embodiment of the application, a service access combination can be determined according to the reachable area and the trusted application of the zero trust access policy, one service access combination comprises one trusted application and one reachable area, the security management server respectively generates at least one verification certificate for the determined service access combination and issues the verification certificate to the security management client, and a batch of verification certificates which accord with the reachable area and the trusted application are issued to the client in advance to serve as an initial version of the verification certificate encryption cache.
For example, for a user a, a trusted application set in a zero-trust access policy of the user a includes an application 1 and an application 2, and a reachable area set includes a reachable area 1 and a reachable area 2, so that 4 service access combinations can be formed, that is, the application 1-reachable area 1, the application 1-reachable area 2, the application 2-reachable area 1, and the application 2-reachable area 2, and the security management server can distribute a plurality of tickets for each combination and issue the tickets to a security management client that the user a logs in.
In the embodiment of the present application, after the relaxed policy of the embodiment shown in fig. 3 has been in use, frequency information on each user in the enterprise accessing internal sites with applications, including the mapping between applications and the sites they access and the frequency with which each process accesses a site, may be collected and ranked. The security management server may then issue verification credentials for the service access combinations with higher frequency, for example issuing the verification credentials for the sites and applications ranked highest by frequency (for example, the top 500) to the security management client in advance.
The frequency information may include frequency information of a single user, frequency information of a group in which the user is located, or frequency information of an enterprise in which the user is located.
During actual application, a batch of verification certificates which accord with the reachable region and the trusted application can be issued to the client in advance according to the reachable region and the trusted application in the zero-trust access strategy and serve as initial versions of the verification certificate encryption cache, and in the subsequent use process, the verification certificates of corresponding sites and applications can be issued in batch according to the frequency information of the sites accessed by the users in the enterprise by using the applications.
Fig. 11 is a schematic diagram illustrating that the security management server issues the verification certificate to the security management client, where the ticket is the verification certificate. The security management server includes a ticket center for implementing the function related to the verification credential, and after the ticket center generates the verification credential, the security management server may respond to multiple sets of "application-URL-device" information to the security management clients of different devices, where each ticket is a credential required by a user to access a specific URL using a specific application, as shown in fig. 11, each ticket corresponds to a combination of application-URLs, and a device is a device where the security management client logged in a user account is located.
Step 1002: the security management component encrypts and caches the verification credential.
In the embodiment of the application, the security management component can update the verification credentials issued by the security management server into the credential set it caches. In addition, to protect the verification credentials, the security management client may encrypt the cached verification credentials.
Specifically, when the security management client constructs the ticket cache, the trusted application and the access site url together form the unique key; one verification credential corresponds to one cache entry, and a cache entry consists of a key and a value. The key of a cache entry comprises the trusted application and the access site url, where the trusted application may be stored as an application name together with detailed feature information of the application, such as the md5 and signature information of its executable file and its latest modification time; the verification credential issued by the security management server is the value corresponding to that key in the cache.
Fig. 12 is a schematic structural diagram of the ticket encryption cache, illustrated with one trusted application: access application 1 is a trusted application, and for each access site in the reachable area set, that is, the access sites url1 to urln shown in fig. 12, a service access combination can be constructed. Each service access combination can correspond to multiple verification credentials: the combination of access application 1 accessing site url1 can correspond to verification credentials A1 to An, the combination of access application 1 accessing site url2 can correspond to verification credentials B1 to Bn, and so on.
Step 1003: the access proxy component intercepts the service access request.
Specifically, when the user accesses a service through an application on the user terminal, the access proxy component intercepts the corresponding service access request. The access proxy component can hijack the traffic on the user terminal through a TUN/TAP virtual network card and thereby intercept the service access request triggered on the user terminal.
Step 1004: the access proxy component initiates an authentication request to the security management component.
In the embodiment of the present application, following the zero trust idea, verification is required for every service access, so the access proxy component needs to apply to the security management component for the verification credential required for verification. The access proxy component therefore initiates an authentication request to the security management component, which may carry information such as the source IP or domain name, source port, destination IP or domain name, destination port and process (PID) of the application corresponding to the service access request.
Step 1005: the security management component sends a deep security check request for the service application to the security management server.
Specifically, the security management component can learn from the process PID carried in the authentication request which application is performing the service access, and can then acquire application feature information corresponding to that application, such as its MD5, process path, latest modification time, copyright information and signature information. The security management component first looks up the application feature information in the device cache; when it is absent from the cache or incomplete, the security management component obtains the corresponding application feature information from the absolute path of the service application.
The security management component then sends the collected application feature information, together with the source IP or domain name, source port, destination IP or domain name and destination port of the service access request passed on by the access proxy component, the local signature verification result, the signature information of the process executable file, the login credential and the device information, to the security management server as an asynchronous submission request. The certificate chain details may include the digest algorithm, root certificate name, root certificate serial number, root certificate expiration time, intermediate certificate name, intermediate certificate serial number, intermediate certificate expiration time, signing certificate name, signing certificate serial number, signing certificate expiration time, signature state, signer name, timestamp and signature verification error information.
Generally speaking, when the security management component has no cached verification credential, it needs to request one from the security management server, so it sends the above information to the security management server to apply for the verification credential. The security management server then detects whether the service application is a high-risk application. If it is, the server refuses to respond with a ticket; if it is not, the service application is either a trusted application or an unknown application, and the server determines whether the current device is a trusted device. When it detects that the device is trusted and the service application has the right to access the target reachable area, the security management server responds to the security management component with the verification credential normally. Trusted-device verification checks whether the device meets the control conditions, such as whether it passes virus scanning and whether it satisfies the configuration conditions set by the administrator.
When the security management component has cached verification credentials, it can perform local security verification and, when that passes, match the target verification credential for the service access request, so that the credential is issued rapidly. To keep issuing fast, however, the security management component usually performs local verification only on application feature information that can be acquired quickly, for example the process MD5, process path and hash; acquiring the detailed certificate chain information is more time-consuming and would slow down issuing, and the local risk process library stored by the security management component may not be the latest version. Therefore, to ensure the security of service access and fully verify whether the process is malicious, the security management component still asynchronously initiates a deep security verification request for the application to the security management server, requesting it to perform a deep security check.
Step 1006: when the local security check passes, the security management component sends the target verification credential matching the service access request to the access proxy component.
In the embodiment of the application, after receiving the authentication request, the security management component performs a local security check on the service access request to determine whether to respond to it with a verification credential. As described above, the local security verification can be performed on the feature information of the service application that can be obtained quickly, which reduces the time the local security verification takes and allows the verification credential to be issued quickly.
Fig. 13 is a schematic flow chart illustrating local security verification performed by the security management component.
S10061: the security management component verifies whether the business access request complies with a zero trust access policy.
Specifically, the security management component needs to verify whether the service application and the visited service site involved in the service access request conform to the zero-trust access policy, that is, verify whether the service application is a trusted application located in the trusted application set, and verify whether the service site requested to be visited is a reachable area in the reachable area set.
S10062: if the verification result of S10061 is yes, the security management component verifies whether the risk degree of the business application is greater than or equal to a preset risk threshold.
When the service application is a trusted application in the trusted application set and the service site requesting access is a reachable area in the reachable area set, the service access request conforms to the zero trust access policy and must be executed according to the service access flow of the zero trust scenario; the risk degree of the service application is then evaluated further, that is, it is determined whether the risk degree of the service application is greater than or equal to a preset risk threshold.
Specifically, the security management component may determine the risk degree of the business application based on a local risk process library it maintains; the construction of the local risk process library is described in detail later. The security management component filters the collected application feature information against the feature information of the risk processes in the local risk process library to determine whether the process information passes filtering: if it passes, the risk degree of the business application is low and the verification credential can be returned; if it does not pass, the risk degree of the business application is high and the verification credential cannot be returned. Equivalently, the security management component can determine from the local risk process library whether the business application is a malicious application.
S10063: if the check result of S10061 is no, the security management component sends direct connection indication information to the access proxy component.
If the service application is not the trusted application in the trusted application set or the service site requested to be accessed is not the reachable area in the reachable area set, the service access request is not in accordance with the zero trust access policy, the access request is executed in a direct connection mode, namely the security management component sends direct connection indication information to the access proxy component, and according to the direct connection indication information, the access proxy component sends the service access request to the target site accessed by the service access request so as to realize direct connection.
S10064: if the verification result of S10062 is no, the security management component matches the target verification credential.
If the security management component determines that the application feature information of the business application passes filtering, or that the business application is not in the local risk process library, the risk degree of the business application is below the preset risk threshold, and the security management component can respond to the access proxy component with the verification credential.
Specifically, the security management component may match the target verification credential for the current service access request from the locally cached credential set according to the ticket cache structure shown in fig. 12, that is, the target reachable area that the service application requests to access in the service access request is used as the key for matching, yielding the corresponding target verification credential. At the same time, that ticket is deleted from the ticket cache structure so that it cannot be reused.
S10065: if the check result of S10062 is yes, the security management component sends a credential rejection response to the access proxy component.
If the security management component determines that the application feature information of the business application does not pass filtering, or that the business application is in the local risk process library, the risk degree of the business application is greater than or equal to the preset risk threshold, that is, the business application is a malicious application or its process is a risk process. The security management component then sends a credential rejection response to the access proxy component, refusing to respond with the verification credential; on receiving the credential rejection response, the access proxy component can act accordingly, for example by interrupting the service access of the business application.
S10066: the security management component sends the target verification credential to the access proxy component.
After the target verification certificate is obtained, the security management component may send the target verification certificate to the access proxy component, so that the access proxy component executes a service access process for the target reachable area according to the target verification certificate.
Specifically, the security management component may send the target verification credential to the access proxy component by way of local process communication.
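The local security check of steps S10061 to S10065 as an added example; it is not code from the patent, and the data classes, the `cannot_pass_filter` feature comparison and the cache layout (a dict from (application features, site) to a list of unused credentials) are assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class AppFeatures:
    """Quickly obtainable feature information of the service application."""
    name: str   # application name, compared against the trusted application set
    md5: str    # md5 of the process executable
    path: str   # absolute process path


@dataclass
class AccessRequest:
    app: AppFeatures
    url: str    # target reachable area (site) the application wants to access


@dataclass
class ZeroTrustPolicy:
    trusted_apps: set      # trusted application set (application names)
    reachable_areas: set   # reachable area set (site urls)


@dataclass
class RiskLibrary:
    """Local risk process library: feature values of known risk processes."""
    md5s: set = field(default_factory=set)
    paths: set = field(default_factory=set)

    def cannot_pass_filter(self, app: AppFeatures) -> bool:
        # Any collected feature matching a risk process entry means the
        # application fails filtering, i.e. its risk degree is high.
        return app.md5 in self.md5s or app.path in self.paths


def local_security_check(req, policy, risk_lib, cache):
    """Mirror S10061-S10065 of Fig. 13.

    cache maps (AppFeatures, url) -> list of unused verification credentials.
    Returns one of:
      ("direct", None)        S10063: outside the policy, proxy connects directly
      ("reject", reason)      S10065: credential rejection response
      ("ticket", credential)  S10064/S10066: matched target credential
      ("miss", None)          no cached credential; apply to the server instead
    """
    # S10061: trusted application AND reachable area?
    if (req.app.name not in policy.trusted_apps
            or req.url not in policy.reachable_areas):
        return ("direct", None)
    # S10062: risk degree against the local risk process library.
    if risk_lib.cannot_pass_filter(req.app):
        return ("reject", "application matched the local risk process library")
    # S10064: match the target credential and remove it so it cannot be reused.
    tickets = cache.get((req.app, req.url))
    if not tickets:
        return ("miss", None)
    return ("ticket", tickets.pop(0))
```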
Step 1007: the access proxy component sends a connection establishment request carrying the target verification credential to the intelligent gateway.
The access proxy component initiates a connection establishment request to the intelligent gateway in order to establish a Hypertext Transfer Protocol over Secure Socket Layer (HTTPS) channel between itself and the intelligent gateway.
Specifically, the target verification credential may be carried in an Authorization (Authorization) header field in the connection establishment request.
Step 1008: the intelligent gateway initiates a credential verification request to the security management server.
Specifically, after receiving the connection establishment request, the intelligent gateway parses the target verification credential from the header field and sends a credential verification request carrying it to the ticket center of the security management server, requesting the ticket center to verify the target verification credential. Since the ticket center issued the target verification credential to the security management component, it can compare the credential carried in the credential verification request against the credential it issued to determine whether the target verification credential is correct.
Step 1009: the security management server returns the verification result to the intelligent gateway.
When verification of the credential is complete, the security management server returns the verification result to the intelligent gateway. If verification succeeded, the returned result indicates that the target verification credential passed; if it failed, the returned result indicates that the target verification credential did not pass.
Step 1010: the intelligent gateway returns a connection establishment success response to the access proxy component.
As shown in fig. 10, when the security management server indicates that the verification is passed, the intelligent gateway returns a connection establishment success response to the access proxy component to establish a connection with the access proxy component successfully.
If the security management server indicates that verification failed, the connection between the access proxy component and the intelligent gateway is interrupted; for traffic of applications accessing specific sites outside the zero trust access policy, the access proxy component directly initiates a network access request to the target service server to achieve a direct connection.
Step 1011: the access proxy component sends a service access request to the intelligent gateway.
Specifically, after the access proxy component establishes connection with the intelligent gateway, the access proxy component may send the service access request to the intelligent gateway by using a connection channel with the intelligent gateway.
Step 1012: the intelligent gateway forwards the service access request to the target service server.
The intelligent gateway forwards the service access request to the target service server corresponding to the target reachable area.
Step 1013: the target service server returns the service response result to the intelligent gateway.
Step 1014: the intelligent gateway returns the service response result to the access proxy component.
Step 1015: the access proxy component returns a service response result to the service application.
Step 1016: the security management server returns the deep security check result to the security management component.
In the embodiment of the application, after the security management component receives the authentication request, it runs two processes: one is the process of steps 1006 to 1015 above, the other is the process of step 1005, and the two can run in parallel. Thus, while steps 1006 to 1015 are executed, the security management server performs the deep security check on the service application in the background at the same time.
Specifically, after receiving the deep security check request carrying the application feature information from the security management component, the security management server periodically initiates file submission requests to a cloud scanning server such as the threat intelligence cloud lookup service security or tav, and once the submission result is returned, the security management server returns a deep security check result to the security management component according to it. For example, when the submission result indicates that the service application is a malicious application, the security management server notifies the security management component of a deep security check result stating that the service application is malicious; when the submission result indicates that the service application is of another type, the security management server notifies the security management component of a deep security check result stating that type.
As shown in fig. 10, the security management server includes a policy center, a ticket center and a submission service: the policy center implements the functions related to the zero trust access policy, the ticket center implements the functions related to verification credentials, and the submission service interacts with the cloud scanning server to submit the process file of the business application. The security management server schedules the service flow through the policy control engine and authorizes at user-device-software-application granularity. The security management server may further comprise an identity authentication module, an application detection module and a device trust module: the identity authentication module authenticates the user's identity, the device trust module verifies the hardware information and security state of the device, and the application detection module detects whether the application process is safe, whether it has vulnerabilities, whether it carries viruses or trojans, and so on. The security management server can periodically submit files to cloud scanning servers such as the threat intelligence cloud lookup service security or tav, and if a malicious process is identified, it notifies the client to execute an asynchronous blocking operation.
Step 1016: and when the safety management component determines the service application according to the deep safety check result, the service access flow of the service application is blocked.
Specifically, when the security management component determines from the deep security check result that the service application is a malicious application, it blocks the service access flow of the service application; that is, during steps 1006 to 1015 above, as soon as the security management component determines that the service application is malicious, the service access flow of the service application is interrupted immediately. Alternatively, when the security management component determines from the deep security check result that the service application is of a certain type, it adds the information of the service application to the application library of that type.
In the embodiment of the application, if the deep security check result indicates that the service application is a malicious application, the security management component may delete the verification credentials associated with the service application from the credential set, and/or add the service application to the application blacklist, marking the process as malicious in the ticket encryption cache so that later credential applications by that service application no longer match the cache.
For example, the ticket encryption cache holds verification credentials for process e accessing 4 sites, namely site 1, site 2, site 3 and site 4. When the security management server detects that process e, which initiated network access, is a malicious process, it pushes this to the security management component, which automatically deletes the cached verification credentials of all sites accessed by process e (site 1, site 2, site 3 and site 4) and at the same time marks process e as a malicious process in the cache. In any subsequent verification credential application on the client, if process e applies for a verification credential again, feature matching of process e against the ticket encryption cache shows that the applying process is malicious, and the security management component directly refuses the ticket response.
As shown in fig. 14, a schematic diagram of a path for blocking access by an untrusted device is shown, where a cross mark indicates a blocking path, including a path (1) between a security management component and a security management server, a path (2) between the security management component and an access proxy component, and a path (3) between the access proxy component and an intelligent gateway, and an appropriate path may be selected according to actual circumstances.
(1) The access proxy must comply with the access control policy before access to the business system can be initiated; otherwise the verification credential response can be refused, for example business access can be blocked at paths (1) and (2) in fig. 14.
(2) The management end can actively initiate a zero trust access service interruption command at the device level, that is, block all service access of a certain device.
(3) When the device security compliance check fails, a device-level interruption of the zero trust access service can be initiated automatically, blocking all business access of the high-risk device.
(4) When asynchronous submission identifies a process anomaly, a blocking task can be initiated automatically to block the business access of the risk process.
Next, a process of constructing the local risk process library is described, and as shown in fig. 15, a schematic flow diagram of the construction of the local risk process library is shown.
ring0 and ring3 are the driver layer and the application layer of the operating system respectively. When an application is started, a process must be created for it, so process creation can be monitored through a process creation Application Program Interface (API) at the ring0 layer, for example with PsSetCreateProcessNotifyRoutine.
When a new process is created, the ring3 layer learns its creation information, such as the PID and process name. The security management client can then compute the absolute path (procpath) of the process and the latest modification time (updatetime) of its executable file from the PID; from the absolute path (procpath) it can obtain the version number (filever), the description information (filedc), the size (filesize) and the copyright information (copyright) of the process executable file; and in parallel, also from the absolute path (procpath), it can compute the md5 of the process, the signer name (sign_issuer) in the digital signature of the executable file and the local signature verification result (sign_check_rst), thereby obtaining the application feature information shown in fig. 15.
The local signature verification result is one of: digital signature verification passed (SIGN_CHECK_PASS), digital signature verification failed (SIGN_CHECK_FAILED), digital signature verification timed out (SIGN_CHECK_TIMEOUT), and process has no digital signature (PROC_NO_SIGN_INFO).
By default the process is regarded as an unknown application, and the security management client adds the service application to the local unknown application library.
Meanwhile, the security management client asynchronously sends the application feature information to the security management server for submission. The security management server checks the security of the process file by pushing the application feature information to the cloud scanning server; if it is identified as a malicious process, the cloud scanning server responds to the security management server, which then pushes the list of malicious processes to the security management client. On receiving the list, the security management client stores the feature information of the malicious processes in the risk process library and deletes it from the unknown application library.
In the embodiment of the application, the security management component monitors the zero trust access policy of the current user, and when the zero trust access policy of the security management server changes, the security management component monitors the change of the zero trust access control policy and automatically adjusts the entries in the bill encryption cache.
If a trusted application or reachable area is added to the zero trust access policy, the security management component sends a credential application request to the security management server for the added trusted application or reachable area, and updates the cached credential set with the verification credentials the server returns. That is, for newly added trusted applications and url information, entries are automatically added to the ticket encryption cache by asynchronously applying to the security management server for verification credentials in batch.
If it is detected that a trusted application or reachable area has been removed from the login user's zero-trust access policy, the verification credentials associated with the removed trusted application or reachable area are deleted from the credential set. That is, for an entry deleted from the zero trust access policy, the entries of the corresponding process accessing the corresponding site are automatically cleared.
For example, the ticket encryption cache holds verification credentials for process c and process f accessing 3 sites, namely site 1, site 2 and site 3. At some moment the zero-trust access policy issued by the security management server changes: process c is removed from the trusted application set and process a and process b are added, and site 1 is deleted from the reachable area while site 4 is added. The security management component then makes the following changes:
(1) Because process c has been deleted from the zero trust access policy, the verification credential cache entries for process c accessing all current sites (site 1, site 2 and site 3) are deleted.
(2) Because site 1 has been deleted from the zero trust access policy, the security management component deletes the verification credential cache entry for process f accessing site 1.
(3) Because site 4 has been added to the zero trust access policy, the security management component asynchronously applies to the security management server for the verification credentials of process f accessing site 4, and adds the corresponding cache entry for process f accessing site 4.
(4) Because process a and process b have been added to the zero trust access policy, the security management component asynchronously applies to the security management server for the verification credentials of process a and process b accessing site 2, site 3 and site 4, and after receiving the verification credentials issued in batch by the security management server, adds them to the verification credential encryption cache.
In the embodiment of the application, verification credentials have a validity period and their number gradually decreases as the security management component consumes them. The security management component can monitor the number of verification credentials still within their validity period, and when its periodic check finds that the remaining verification credentials of a node in the verification credential cache have reached a certain threshold, an asynchronous application for verification credentials by the security management component is triggered automatically. That is, when the number of verification credentials associated with any service access combination is detected to be less than or equal to a preset number threshold, a credential application request is sent to the security management server; or when the remaining validity period of the verification credentials associated with any service access combination is detected to be less than or equal to a preset time threshold, a credential application request is sent to the security management server, and the verification credentials returned by the security management server in response are then added to the credential set.
Therefore, when the access agent component applies for the verification certificate, the local cache does not have a corresponding cache, and the problem that the security management server is blocked due to the fact that the security management server needs to apply for the verification certificate synchronously is avoided.
In the embodiment of the application, the security management component and the access agent component both carry out the caching of the check certificate, after the safety management server issues the check certificate, the safety management component maintains the bill encryption cache structure, when the agent component is accessed to apply for the check certificate and send the check certificate to the agent component, the safety management component deletes the corresponding check certificate in the bill encryption cache structure, at this time, the access agent component caches the check certificate sent by the security management component, and because the check certificate has a certain validity period, in the validity period, the access proxy component does not need to request the check certificate from the security management component when the service application corresponding to the check certificate accesses the site, when the verification certificate is close to the end time of the validity period, the access agent component can also apply for the verification certificate to the safety management component in advance, so that the automatic renewal of the verification certificate is realized.
In summary, in the embodiment of the application, check certificates are applied for in batches according to the sites the user terminal accesses, and the local check certificate encryption cache is adjusted according to the process detection results and changes in the zero trust access control policy. This solves the problems of blocked network access, high latency and instability caused by having to apply synchronously to the security management server for a network access check certificate on every network request, so that the latency of network access is reduced while its stability is improved. A site network access information base for the enterprise is formed by collecting the network access behaviour of terminal users in the enterprise; it includes common process names, process feature information, the sites accessed within the enterprise, and the mapping between processes and the sites they access. Based on this site network access information base, zero trust policy information that fits the characteristics of the enterprise is formulated.
The security management component periodically applies to the security management server for check certificates in batches, stores them encrypted on the security management client, and forms a ticket cache structure keyed by trusted application and reachable area. When the access agent component on the user terminal hijacks a service access request and applies to the security management component for a check certificate, the security management client checks the application itself and the application's permission to access the specific site, and takes the corresponding check certificate from the local cache as the new network access credential, so that automatic renewal of check certificates is realized on the user terminal. On the one hand, the latency of each check certificate application is reduced; on the other hand, check certificates can be applied for in a targeted way according to how many times each process accesses each site. This removes the wait for the security management server to check the environment and generate check certificates, as well as the high network response delay and failed check certificate applications under weak network conditions, so that the failure of a single node of the security management server does not affect normal network access, the efficiency of check certificate application is improved, and the usability of the system is enhanced.
During each network access, the security management component asynchronously reports the network access behaviour to the security management server, which automatically identifies abnormal access behaviour. Once abnormal access behaviour is identified, it is pushed to the security management component to block the service access flow, and the corresponding entries of the ticket cache structure are adjusted at the same time, so that subsequent check certificate applications are automatically affected.
Referring to fig. 16, based on the same inventive concept, an embodiment of the present application further provides a service data access apparatus 160, which is applied in a terminal device, and the apparatus includes:
the local checking unit 1601 is configured to, when a service access request of a service application is intercepted, perform local security checking on the service access request according to a preset zero trust access policy;
a transceiving unit 1602, configured to send a deep security check request of a service application to a security management server;
a matching unit 1603, configured to, when the local security check is passed, determine a matched target check certificate from the locally cached certificate set according to a target reachable area requested to be accessed by the service application indicated by the service access request, and execute a service access process for the target reachable area according to the target check certificate;
a blocking unit 1604, configured to, in the process of executing the service access flow, block the service access flow if a deep security check result returned by the security management server in response to the deep security check request is received, and it is determined that the service application is a malicious application according to the deep security check result.
Optionally, the apparatus further includes a local caching unit 1605;
the transceiving unit 1602 is further configured to receive a check certificate of at least one service access combination issued by the security management server according to the zero trust access policy or the historical service access condition; wherein one trusted application and one reachable area form a service access combination, and each service access combination is associated with at least one check certificate;
the local caching unit 1605 is configured to update the certificate set based on the check certificate issued by the security management server.
Optionally, the security management client includes a security management component and an access agent component;
the local checking unit 1601 is specifically configured to:
when the access agent component intercepts and captures a service access request, an authentication request is sent to the security management component;
determining whether the service access request conforms to a zero trust access policy or not through the security management component according to the authentication request;
when the security management component determines that the service access request conforms to the zero trust access policy, determining whether the risk degree of the service application is greater than or equal to a preset risk threshold;
optionally, the matching unit 1603 is specifically configured to:
when the safety management component determines that the risk degree of the business application is not greater than a preset risk threshold value, determining a target verification certificate matched with the business application and the target reachable area from the certificate set;
sending the target verification certificate to the access agent component through the security management component;
and executing the business access flow by the access agent component by using the target verification certificate.
Optionally, the apparatus further includes an access execution unit 1606 for:
sending a connection establishment request carrying a target verification certificate to the intelligent gateway through the access agent component;
receiving, through the access agent component, a connection establishment success response returned by the intelligent gateway; the connection establishment success response is sent by the intelligent gateway after the target check certificate has passed verification by the security management server;
sending a service access request to the intelligent gateway by using a connection channel with the intelligent gateway through the access agent component;
receiving, through the access agent component, a service response result returned by the intelligent gateway; the service response result is returned by the target service server to the intelligent gateway after the intelligent gateway forwards the service access request to the target service server corresponding to the target reachable area.
Optionally, the local checking unit 1601 is further configured to:
when the security management component determines that the service access request does not conform to the zero trust access strategy, sending direct connection indication information to the access agent component;
and sending the service access request to a target service server of a target site accessed by the service access request through the access proxy component according to the direct connection indication information.
Optionally, the blocking unit 1604 is further configured to:
deleting the check certificates associated with the service application from the certificate set; and/or
adding the service application to the application blacklist.
Optionally, the apparatus further includes a monitoring unit 1607, configured to monitor whether the zero trust access policy changes;
the local caching unit 1605 is further configured to, if it is monitored that a trusted application or a reachable area is added to the zero trust access policy, send a credential application request to the security management server according to the added trusted application or reachable area, and update a credential set according to a check credential returned by the security management server; and if the fact that the trusted application or the reachable area is removed from the zero-trust access strategy of the login user is monitored, deleting the verification certificate associated with the removed trusted application or the reachable area from the certificate set.
Optionally, the monitoring unit 1607 is further configured to send a credential application request to the security management server when it is monitored that the number of the check credentials associated with any service access combination is smaller than or equal to a preset number threshold; or when monitoring that the validity period of the check certificate associated with any service access combination is less than or equal to a preset time threshold, sending a certificate application request to the security management server;
the local caching unit 1605 is further configured to update the credential set according to the check credential returned by the security management server in response to the credential application request.
The apparatus may be configured to execute the method performed by the security management client in the embodiments shown in fig. 3 to fig. 15, and therefore, for functions and the like that can be implemented by each functional module of the apparatus, reference may be made to the description of the embodiments shown in fig. 3 to fig. 15, which is not repeated here. It should be noted that the local cache unit 1605 to the monitor unit 1607 are optional functional units, and are shown by dotted lines in fig. 16.
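The following Python model is added here as an illustration and is not code from the patent or from Tencent's client. It implements the ticket cache behaviour described above for the security management component and restated by the local caching unit 1605 and the monitoring unit 1607: batch issuance per (trusted application, reachable area) combination, consumption of one check certificate per access, refill when the remaining count or the remaining validity of a combination reaches the preset thresholds, adjustment when the zero trust policy adds or removes a combination, and deletion of an application's certificates after a malicious verdict. The issuer interface, the token format, the batch size and the thresholds are assumptions, and the at-rest encryption of the cache is left out so the example runs without dependencies.

```python
import time
from dataclasses import dataclass


@dataclass(frozen=True)
class CheckCredential:
    """One check certificate as cached on the client; the token is an opaque
    value issued by the security management server (format assumed)."""
    token: str
    app: str          # trusted application (process name)
    area: str         # reachable area / site
    expires_at: float


class FakeClock:
    """Controllable time source so expiry can be exercised deterministically."""
    def __init__(self, now: float):
        self.now = now

    def __call__(self) -> float:
        return self.now


class CredentialIssuer:
    """Stand-in for the security management server's batch issuance (interface assumed)."""
    def __init__(self, ttl: float, clock=time.time):
        self.ttl = ttl
        self.clock = clock
        self.requests = []      # (app, area, count) for every application made
        self._seq = 0

    def issue(self, combos, count):
        creds = []
        for app, area in sorted(combos):
            self.requests.append((app, area, count))
            for _ in range(count):
                self._seq += 1
                creds.append(CheckCredential(f"tkt-{self._seq}", app, area, self.clock() + self.ttl))
        return creds


class CredentialCache:
    """Ticket cache keyed by (trusted application, reachable area)."""
    def __init__(self, issuer, batch=5, min_count=2, min_ttl=60.0, clock=time.time):
        self.issuer = issuer
        self.batch = batch
        self.min_count = min_count    # preset number threshold
        self.min_ttl = min_ttl        # preset time threshold (seconds of validity left)
        self.clock = clock
        self._store = {}              # (app, area) -> [CheckCredential]

    def _refill(self, combos):
        """Apply for a batch per combination (asynchronous in the client; synchronous here)."""
        if not combos:
            return
        for cred in self.issuer.issue(combos, self.batch):
            self._store.setdefault((cred.app, cred.area), []).append(cred)

    def apply_policy(self, policy):
        """policy: {trusted app: set of reachable areas}. Added combinations trigger
        an application; removed combinations have their credentials deleted."""
        wanted = {(app, area) for app, areas in policy.items() for area in areas}
        for combo in set(self._store) - wanted:
            del self._store[combo]
        added = wanted - set(self._store)
        for combo in added:
            self._store[combo] = []
        self._refill(added)

    def take(self, app, area):
        """Consume one unexpired credential, or None when nothing usable is cached
        (the caller would then have to apply synchronously)."""
        now = self.clock()
        bucket = self._store.get((app, area))
        if bucket is None:
            return None
        bucket[:] = [c for c in bucket if c.expires_at > now]
        return bucket.pop(0) if bucket else None

    def maintain(self):
        """Periodic check: refill combinations whose count or remaining validity
        has fallen to the thresholds. Returns the set of combinations refilled."""
        now = self.clock()
        need = set()
        for combo, bucket in self._store.items():
            bucket[:] = [c for c in bucket if c.expires_at > now]
            low_count = len(bucket) <= self.min_count
            near_expiry = bool(bucket) and min(c.expires_at for c in bucket) - now <= self.min_ttl
            if low_count or near_expiry:
                need.add(combo)
        self._refill(need)
        return need

    def revoke_app(self, app):
        """Deep check found the application malicious: drop all of its credentials."""
        for combo in [c for c in self._store if c[0] == app]:
            del self._store[combo]

    def count(self, app, area):
        return len(self._store.get((app, area), []))
```

The two refill triggers are deliberately independent: a combination with plenty of certificates that are all about to expire is refilled just as one that has been drained by use, which is what keeps the access agent from ever falling back to a synchronous application.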
Referring to fig. 17, based on the same inventive concept, an embodiment of the present application provides a service data access apparatus, which is applied in a security management server, and includes:
a transceiver 1701, configured to receive a deep security check request of a service application sent by a security management client; the deep security verification request is triggered when a security management client intercepts a service access request of a service application;
a depth verification unit 1702, configured to perform depth security verification according to the application feature information carried in the depth security verification request;
a certificate checking unit 1703, configured to, if a certificate checking request carrying a target check certificate and sent by the intelligent gateway is received during the security check, check the target check certificate; the certificate checking request is triggered by the intelligent gateway based on the target check certificate sent by the security management client, and the target check certificate is sent to the intelligent gateway by the security management client when the intercepted service access request of the service application for the target reachable area passes local check;
the transceiver 1701 is configured to return a verification result of the target verification credential to the intelligent gateway, so that the intelligent gateway executes a service access process for the target reachable area according to the verification result; and when the service application is determined to be the malicious application, returning a deep security verification result that the service application is the malicious application to the security management client, so that the security management client blocks a service access flow according to the deep security verification result.
Optionally, the apparatus further comprises a credential provisioning unit 1704 configured to:
determining a service access combination for issuing a verification certificate for each user according to a zero trust access strategy or historical service access condition of each user; wherein, a trusted application and a reachable area form a service access combination;
and generating at least one verification certificate for each service access combination, and issuing the at least one verification certificate of each service access combination to each user.
The apparatus may be configured to execute the method executed by the security management server in the embodiments shown in fig. 3 to fig. 15, and therefore, for functions and the like that can be implemented by each functional module of the apparatus, reference may be made to the description of the embodiments shown in fig. 3 to fig. 15, which is not repeated here.
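As an added end-to-end illustration of the client-side units 1601 to 1606 and the server-side units 1701 to 1704 (example code, not the patent's or Tencent's implementation), the following Python script models one service access: the access agent intercepts a request, the security management component checks it locally against the zero trust policy and the process risk degree, a cached check certificate is presented to the intelligent gateway, the gateway has the security management server verify it, and a deep security check verdict of malicious blocks the flow, deletes the application's certificates and blacklists it. The HMAC-tagged certificate format, the risk scale, the feature-hash deep check and the in-process message passing are assumptions.

```python
import hashlib
import hmac
import json
import time


class SecurityManagementServer:
    """Issues and verifies check certificates and runs the deep security check."""
    def __init__(self, key: bytes, malicious_hashes=(), clock=time.time):
        self.key = key                           # assumed: server-side HMAC key
        self.malicious = set(malicious_hashes)   # assumed: deep check as a feature-hash lookup
        self.clock = clock

    def issue(self, user, app, area, ttl=600.0, count=2):
        """At least one check certificate per (user, trusted app, reachable area) combination."""
        creds = []
        for seq in range(count):
            body = {"user": user, "app": app, "area": area, "exp": self.clock() + ttl, "seq": seq}
            payload = json.dumps(body, sort_keys=True).encode()
            tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
            creds.append(payload.hex() + "." + tag)
        return creds

    def verify(self, cred, area):
        """Called by the gateway: constant-time tag check, then area and expiry."""
        try:
            payload_hex, tag = cred.split(".")
            payload = bytes.fromhex(payload_hex)
        except ValueError:
            return False
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return False
        body = json.loads(payload)
        return body["area"] == area and body["exp"] > self.clock()

    def deep_check(self, features):
        return "malicious" if features.get("sha256") in self.malicious else "clean"


class IntelligentGateway:
    def __init__(self, server, backends):
        self.server = server
        self.backends = backends       # area -> handler standing in for the target service server

    def connect(self, cred, area):
        return self.server.verify(cred, area)

    def forward(self, area, request):
        return self.backends[area](request)


class SecurityManagementClient:
    """Security management component and access agent component collapsed into one object."""
    def __init__(self, server, gateway, policy, risk, risk_threshold=70):
        self.server, self.gateway = server, gateway
        self.policy = policy           # trusted app -> set of reachable areas
        self.risk = risk               # app -> risk degree from local process detection (assumed scale)
        self.risk_threshold = risk_threshold
        self.cache = {}                # (app, area) -> [check certificate]
        self.blacklist = set()

    def preload(self, user):
        for app, areas in self.policy.items():
            for area in areas:
                self.cache[(app, area)] = self.server.issue(user, app, area)

    def access(self, app, features, area, request, direct):
        """Returns (outcome, response). `direct` sends the request straight to the site."""
        if app in self.blacklist:
            return ("blocked", None)
        deep = self.server.deep_check(features)   # sent on interception; result consumed below
        if area not in self.policy.get(app, ()):
            return ("direct", direct(request))    # not governed by the zero trust policy
        if self.risk.get(app, 0) >= self.risk_threshold:
            return ("local_check_failed", None)
        bucket = self.cache.get((app, area), [])
        if not bucket:
            return ("no_credential", None)        # would require a synchronous application
        cred = bucket.pop(0)
        if not self.gateway.connect(cred, area):
            return ("gateway_rejected", None)
        response = self.gateway.forward(area, request)
        if deep == "malicious":                   # deep result arrives mid-flow: block it
            self.block(app)
            return ("blocked", None)
        return ("ok", response)

    def block(self, app):
        for combo in [c for c in self.cache if c[0] == app]:
            del self.cache[combo]
        self.blacklist.add(app)
```

The point the model makes is that the local check and the cached certificate let the request proceed without waiting on the server, while the server remains the only party able to mint or validate a certificate: the gateway never trusts the client's word, and a certificate bound to one reachable area is rejected for another.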
Referring to fig. 18, based on the same technical concept, an embodiment of the present application further provides a computer device 180, which may include a memory 1801 and a processor 1802.
The memory 1801 is used for storing computer programs executed by the processor 1802. The memory 1801 may mainly include a program storage area and a data storage area, wherein the program storage area may store an operating system, an application program required for at least one function, and the like; the storage data area may store data created according to use of the computer device, and the like. The processor 1802 may be a Central Processing Unit (CPU), a digital processing unit, or the like. The embodiment of the present application does not limit the specific connection medium between the memory 1801 and the processor 1802. In fig. 18, the memory 1801 and the processor 1802 of the embodiment of the present application are connected by a bus 1803, the bus 1803 is represented by a thick line in fig. 18, and the connection manner between other components is merely illustrative and not limited. The bus 1803 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in FIG. 18, but that does not indicate only one bus or type of bus.
The memory 1801 may be a volatile memory, such as a random-access memory (RAM); the memory 1801 may also be a non-volatile memory such as, but not limited to, a read-only memory (ROM), a flash memory, a hard disk drive (HDD) or a solid-state drive (SSD); or the memory 1801 may be any other medium that can be used to carry or store the desired program code in the form of instructions or data structures and that can be accessed by a computer. The memory 1801 may also be a combination of the above memories.
A processor 1802, configured to execute the method executed by the security management client or the security management server in the embodiment shown in fig. 3 to fig. 15 when calling the computer program stored in the memory 1801.
In some possible embodiments, various aspects of the methods provided by the present application may also be implemented in the form of a program product including program code for causing a computer device to perform the steps of the methods according to various exemplary embodiments of the present application described above in this specification when the program product is run on the computer device, for example, the computer device may perform the methods performed by the security management client or the security management server in the embodiments shown in fig. 3 to fig. 15.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
While the preferred embodiments of the present application have been described, additional variations and modifications of these embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including the preferred embodiment and all changes and modifications that fall within the scope of the present application.
It will be apparent to those skilled in the art that various changes and modifications may be made in the present application without departing from the spirit and scope of the application. Thus, if such modifications and variations of the present application fall within the scope of the claims of the present application and their equivalents, the present application is intended to include such modifications and variations as well.

Claims (15)

1. A service data access method is applied to a terminal device, and the method comprises the following steps:
when a service access request of a service application is intercepted, performing local security verification on the service access request according to a preset zero trust access strategy;
sending a deep security verification request of the service application to a security management server;
when the local security verification passes, according to a target reachable area which is indicated by the service access request and is requested to access by the service application, determining a matched target verification certificate from a locally cached certificate set, and executing a service access process aiming at the target reachable area according to the target verification certificate;
and in the process of executing the service access flow, if a deep security check result returned by the security management server responding to the deep security check request is received and the service application is determined to be malicious application according to the deep security check result, blocking the service access flow.
2. The method of claim 1, wherein the method further comprises:
receiving a check certificate of at least one service access combination issued by the security management server according to the zero trust access policy or the historical service access condition; wherein one trusted application and one reachable area form a service access combination, and each service access combination is associated with at least one check certificate;
and updating the verification certificate issued by the security management server to the certificate set.
3. The method of claim 1, wherein a security management component and an access proxy component are installed on the terminal device, and when a service access request of a service application is intercepted, local security verification is performed on the service access request according to a preset zero trust access policy, including:
when the access agent component intercepts the service access request, an authentication request is sent to the security management component;
determining whether the service access request conforms to the zero trust access policy or not through the security management component according to the authentication request;
when the safety management component determines that the service access request conforms to the zero trust access policy, determining whether the risk degree of the service application is greater than or equal to a preset risk threshold; and when the risk degree of the business application is not greater than the preset risk threshold, the local security check passes, or when the risk degree of the business application is greater than the preset risk threshold, the local security check fails.
4. The method of claim 3, wherein when the local security check passes, determining a matching target check certificate from a locally cached certificate set according to a target reachable area requested to be accessed by the service application indicated by the service access request, and performing a service access process according to the target check certificate, comprises:
when the safety management component determines that the risk degree of the business application is not greater than the preset risk threshold value, determining a target verification certificate matched with the business application and the target reachable area from the certificate set;
sending, by the security management component, the target verification credential to the access agent component;
and executing the business access flow by using the target verification certificate through the access agent component.
5. The method of claim 4, wherein the performing, by the access proxy component, the business access flow using the target check-up credentials comprises:
sending a connection establishment request carrying the target verification certificate to an intelligent gateway through the access agent component;
receiving a connection establishment success response returned by the intelligent gateway through the access proxy component; the successful connection establishment response is sent by the intelligent gateway when the security management server passes the verification of the target verification certificate;
sending the service access request to the intelligent gateway by the access agent component by using a connection channel with the intelligent gateway;
receiving, through the access agent component, a service response result returned by the intelligent gateway; wherein the service response result is returned by the target service server to the intelligent gateway after the intelligent gateway forwards the service access request to the target service server corresponding to the target reachable area.
6. The method of claim 3, wherein after determining, by the security management component, from the authentication request, whether the business access request complies with the zero trust access policy, the method further comprises:
when the safety management component determines that the service access request does not conform to the zero trust access strategy, sending direct connection indication information to the access agent component;
and sending the service access request to a target service server of a target site accessed by the service access request through the access proxy component according to the direct connection indication information.
7. The method according to any one of claims 1 to 6, wherein if a deep security check result returned by the security management server is received and it is determined that the business application is a malicious application according to the deep security check result, the method further comprises:
deleting the check certificates associated with the service application from the certificate set; and/or
adding the service application to an application blacklist.
8. The method of any of claims 1 to 6, further comprising:
monitoring whether the zero trust access strategy is changed;
if the fact that the trusted application or the reachable area is added in the zero-trust access strategy is monitored, a certificate application request is sent to the security management server according to the added trusted application or the reachable area, and the certificate set is updated according to a check certificate returned by the security management server;
and if the fact that the trusted application or the reachable area is removed from the zero-trust access strategy of the login user is monitored, deleting the verification certificate associated with the removed trusted application or the reachable area from the certificate set.
9. The method of any of claims 1 to 6, further comprising:
when monitoring that the number of the verification certificates associated with any service access combination is smaller than or equal to a preset number threshold, sending a certificate application request to the security management server; or when monitoring that the validity period of the check certificate associated with any service access combination is less than or equal to a preset time threshold, sending a certificate application request to the security management server;
and updating the certificate set according to the check certificate returned by the security management server responding to the certificate application request.
10. A service data access method is applied to a security management server, and the method comprises the following steps:
receiving a deep security check request of a service application sent by a security management client; the deep security verification request is triggered when the security management client side intercepts a service access request of the service application;
performing deep security verification according to the application characteristic information carried by the deep security verification request;
during the security check, if a certificate checking request carrying a target check certificate and sent by an intelligent gateway is received, checking the target check certificate; wherein the certificate checking request is triggered by the intelligent gateway based on the target check certificate sent by the security management client, and the target check certificate is sent to the intelligent gateway by the security management client when the intercepted service access request of the service application for the target reachable area passes local check;
returning a verification result of the target verification certificate to the intelligent gateway so that the intelligent gateway executes a service access process aiming at the target reachable area according to the verification result;
and when the service application is determined to be the malicious application, returning a deep security verification result that the service application is the malicious application to the security management client, so that the security management client blocks the service access flow according to the deep security verification result.
11. The method of claim 10, wherein the method further comprises:
determining a service access combination for issuing a verification certificate for each user according to a zero trust access strategy or historical service access condition of each user; wherein, a trusted application and a reachable area form a service access combination;
and generating at least one verification certificate for each service access combination, and issuing the at least one verification certificate of each service access combination to each user.
12. A service data access device, which is applied in a terminal device, the device comprising:
the local verification unit is used for performing local security verification on the service access request according to a preset zero trust access strategy when the service access request of the service application is intercepted;
the receiving and sending unit is used for sending a deep security check request of the service application to a security management server;
a matching unit, configured to determine, according to a target reachable area requested to be accessed by the service application indicated by the service access request, a matched target verification credential from a locally cached credential set when local security verification passes, and execute a service access procedure for the target reachable area according to the target verification credential;
and the blocking unit is used for blocking the service access flow if a deep security check result returned by the security management server responding to the deep security check request is received and the service application is determined to be malicious application according to the deep security check result in the service access flow execution process.
13. A service data access device, wherein the device is applied in a security management server, and the device comprises:
the system comprises a receiving and sending unit, a processing unit and a processing unit, wherein the receiving and sending unit is used for receiving a deep security check request of a service application sent by a security management client; the deep security verification request is triggered when the security management client side intercepts a service access request of the service application;
the depth checking unit is used for carrying out depth safety checking according to the application characteristic information carried by the depth safety checking request;
the certificate checking unit is used for checking the target check certificate if a certificate checking request carrying the target check certificate and sent by the intelligent gateway is received during the security check; wherein the certificate checking request is triggered by the intelligent gateway based on the target check certificate sent by the security management client, and the target check certificate is sent to the intelligent gateway by the security management client when the intercepted service access request of the service application for the target reachable area passes local check;
the receiving and sending unit is used for returning the verification result of the target verification certificate to the intelligent gateway so that the intelligent gateway executes a service access process aiming at the target reachable area according to the verification result; and when the service application is determined to be the malicious application, returning a deep security verification result that the service application is the malicious application to the security management client, so that the security management client blocks the service access flow according to the deep security verification result.
14. A computer device comprising a memory, a processor, and a computer program stored in the memory and executable on the processor, wherein
the processor, when executing the computer program, performs the steps of the method of any one of claims 1 to 9 or 10 to 11.
15. A computer storage medium having computer program instructions stored thereon, wherein
the computer program instructions, when executed by a processor, perform the steps of the method of any one of claims 1 to 9 or 10 to 11.
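The three-party flow of claim 13, as an added example that is not code from the patent or from the assignee: the security management client intercepts a service access request, checks it locally, hands the target verification certificate to the intelligent gateway, which asks the security management server to verify it, while the server separately runs the deep security check on the application feature information and the client blocks the flow if the verdict is "malicious". Everything the claim does not specify is an assumption here: the certificate is an HMAC-signed token bound to device, application and target reachable area; the application feature information is the SHA-256 of the application binary; the denylist of malicious hashes, the local policy, the key and all identifiers are constructed sample data.

```python
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample data standing in for the "application feature information":
# here, the SHA-256 of the application binary. Both applications are invented.
BENIGN_APP = {"name": "erp-client", "sha256": hashlib.sha256(b"erp-client 1.0").hexdigest()}
TROJAN_APP = {"name": "erp-client", "sha256": hashlib.sha256(b"trojanized build").hexdigest()}
MALICIOUS_HASHES = {TROJAN_APP["sha256"]}   # constructed denylist held by the server


class SecurityManagementServer:
    """Issues certificates, verifies them for the gateway and runs the deep check."""

    def __init__(self, key: bytes):
        self._key = key   # assumption: an HMAC key only the server holds

    def _tag(self, payload: str) -> str:
        return hmac.new(self._key, payload.encode(), hashlib.sha256).hexdigest()

    def issue_certificate(self, device_id: str, app_name: str, area: str, ttl: int = 300) -> str:
        payload = json.dumps({"dev": device_id, "app": app_name, "area": area,
                              "exp": int(time.time()) + ttl}, sort_keys=True)
        return payload + "." + self._tag(payload)

    def verify_certificate(self, cert: str, area: str, now: Optional[float] = None) -> bool:
        """Certificate verification request from the gateway: MAC, area binding and expiry."""
        payload, sep, tag = cert.rpartition(".")
        if not sep or not hmac.compare_digest(tag, self._tag(payload)):
            return False
        claims = json.loads(payload)
        now = time.time() if now is None else now
        return claims["area"] == area and claims["exp"] > now

    def deep_check(self, app_features: dict) -> str:
        """Deep security verification on the feature information sent by the client."""
        return "malicious" if app_features["sha256"] in MALICIOUS_HASHES else "clean"


class IntelligentGateway:
    def __init__(self, server: SecurityManagementServer):
        self._server = server

    def access(self, cert: str, area: str) -> str:
        # The gateway does not judge the certificate itself; it asks the server.
        return "forwarded" if self._server.verify_certificate(cert, area) else "rejected"


class SecurityManagementClient:
    def __init__(self, server, gateway, device_id: str, allowed: dict):
        self._server, self._gateway, self._device = server, gateway, device_id
        self._allowed = allowed   # assumption: local policy {app name: set of areas}
        self.certs = {}           # (app name, area) -> certificate issued by the server

    def enrol(self, app_name: str, area: str) -> None:
        self.certs[(app_name, area)] = self._server.issue_certificate(self._device, app_name, area)

    def local_check(self, app: dict, area: str) -> bool:
        return area in self._allowed.get(app["name"], set()) and (app["name"], area) in self.certs

    def intercept(self, app: dict, area: str) -> dict:
        """Handles one intercepted service access request and reports what happened."""
        if not self.local_check(app, area):
            return {"gateway": "not contacted", "deep": None, "blocked": True}
        # In the claim the two steps below run concurrently; they are sequential here.
        gateway_result = self._gateway.access(self.certs[(app["name"], area)], area)
        deep_result = self._server.deep_check(app)
        # A malicious verdict blocks the flow even though the certificate verified.
        return {"gateway": gateway_result, "deep": deep_result,
                "blocked": deep_result == "malicious"}


def demo(app: dict, area: str = "finance-zone", tamper: bool = False) -> dict:
    server = SecurityManagementServer(b"server-only-key")   # constructed key
    gateway = IntelligentGateway(server)
    client = SecurityManagementClient(server, gateway, "laptop-42",
                                      {"erp-client": {"finance-zone"}})
    client.enrol("erp-client", area)
    if tamper:   # replace the MAC: a modified certificate must fail server verification
        payload = client.certs[("erp-client", area)].rpartition(".")[0]
        client.certs[("erp-client", area)] = payload + "." + "0" * 64
    return client.intercept(app, area)


if __name__ == "__main__":
    for label, app in (("benign", BENIGN_APP), ("trojanized", TROJAN_APP)):
        print(label, demo(app))
    print("tampered", demo(BENIGN_APP, tamper=True))
```

Two points the claim's wording hides are visible in the output of `demo()`: the trojanised build carries a certificate that verifies correctly at the gateway, so only the deep check on the application's feature information catches it; and a certificate with a forged MAC is rejected by the server before the deep check result matters at all.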
CN202110017660.0A 2021-01-07 2021-01-07 Business data access method, device and equipment and computer storage medium Active CN114745145B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202110017660.0A CN114745145B (en) 2021-01-07 2021-01-07 Business data access method, device and equipment and computer storage medium

Publications (2)

Publication Number Publication Date
CN114745145A true CN114745145A (en) 2022-07-12
CN114745145B CN114745145B (en) 2023-04-18

Family

ID=82273968

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202110017660.0A Active CN114745145B (en) 2021-01-07 2021-01-07 Business data access method, device and equipment and computer storage medium

Country Status (1)

Country Link
CN (1) CN114745145B (en)

Citations (16)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20050278775A1 (en) * 2004-06-09 2005-12-15 Ross Alan D Multifactor device authentication
CN101335626A (en) * 2008-08-06 2008-12-31 中国网通集团宽带业务应用国家工程实验室有限公司 Multi-stage authentication method and multi-stage authentication system
CN102694772A (en) * 2011-03-23 2012-09-26 腾讯科技(深圳)有限公司 Apparatus, system and method for accessing internet web pages
US20140020072A1 (en) * 2012-07-13 2014-01-16 Andrew J. Thomas Security access protection for user data stored in a cloud computing facility
US20140189808A1 (en) * 2012-12-28 2014-07-03 Lookout, Inc. Multi-factor authentication and comprehensive login system for client-server networks
CN109815656A (en) * 2018-12-11 2019-05-28 平安科技(深圳)有限公司 Login authentication method, device, equipment and computer readable storage medium
CN110213223A (en) * 2019-03-21 2019-09-06 腾讯科技(深圳)有限公司 Business management method, device, system, computer equipment and storage medium
CN111131310A (en) * 2019-12-31 2020-05-08 奇安信科技集团股份有限公司 Access control method, device, system, computer device and storage medium
CN111488598A (en) * 2020-04-09 2020-08-04 腾讯科技(深圳)有限公司 Access control method, device, computer equipment and storage medium
CN111510453A (en) * 2020-04-15 2020-08-07 深信服科技股份有限公司 Business system access method, device, system and medium
CN111898124A (en) * 2020-08-05 2020-11-06 腾讯科技(深圳)有限公司 Process access control method and device, storage medium and electronic equipment
CN111935169A (en) * 2020-08-20 2020-11-13 腾讯科技(深圳)有限公司 Business data access method, device, equipment and storage medium
CN112073400A (en) * 2020-08-28 2020-12-11 腾讯科技(深圳)有限公司 Access control method, system and device and computing equipment
CN112104625A (en) * 2020-09-03 2020-12-18 腾讯科技(深圳)有限公司 Process access control method and device
CN112153032A (en) * 2020-09-15 2020-12-29 腾讯科技(深圳)有限公司 Information processing method, device, computer readable storage medium and system
CN112149105A (en) * 2020-10-21 2020-12-29 腾讯科技(深圳)有限公司 Data processing system, method, related device and storage medium

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20220210173A1 (en) * 2020-12-31 2022-06-30 Fortinet, Inc. Contextual zero trust network access (ztna) based on dynamic security posture insights
CN115134175A (en) * 2022-09-01 2022-09-30 北京辰尧科技有限公司 Security communication method and device based on authorization strategy
CN115134175B (en) * 2022-09-01 2022-11-15 北京辰尧科技有限公司 Security communication method and device based on authorization strategy

Also Published As

Publication number Publication date
CN114745145B (en) 2023-04-18

Similar Documents

Publication Publication Date Title
US10574698B1 (en) Configuration and deployment of decoy content over a network
US10326730B2 (en) Verification of server name in a proxy device for connection requests made using domain names
US8214899B2 (en) Identifying unauthorized access to a network resource
US9055093B2 (en) Method, system and computer program product for detecting at least one of security threats and undesirable computer files
EP3264720B1 (en) Using dns communications to filter domain names
US8756697B2 (en) Systems and methods for determining vulnerability to session stealing
US20200067989A1 (en) Hostname validation and policy evasion prevention
CN112261172B (en) Service addressing access method, device, system, equipment and medium
JP5396051B2 (en) Method and system for creating and updating a database of authorized files and trusted domains
Bortolameotti et al. Decanter: Detection of anomalous outbound http traffic by passive application fingerprinting
EP3169039B1 (en) Method and system for managing security certificates in a networked application environment
US8769128B2 (en) Method for extranet security
US20120151565A1 (en) System, apparatus and method for identifying and blocking anomalous or improper use of identity information on computer networks
US8555365B2 (en) Directory authentication method for policy driven web filtering
CN112149105A (en) Data processing system, method, related device and storage medium
CN114902612A (en) Edge network based account protection service
CN111898124B (en) Process access control method and device, storage medium and electronic equipment
US10904274B2 (en) Signature pattern matching testing framework
CN114745145B (en) Business data access method, device and equipment and computer storage medium
US11784993B2 (en) Cross site request forgery (CSRF) protection for web browsers
CN115189897A (en) Access processing method and device for zero trust network, electronic equipment and storage medium
RU2601147C2 (en) System and method for detection of target attacks
US20180316697A1 (en) Method of aiding the detection of infection of a terminal by malware
CN116996238A (en) Processing method and related device for network abnormal access
CN115913583A (en) Business data access method, device and equipment and computer storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant