CN115529157B - Enterprise application access system, method and access system based on zero trust - Google Patents


Info

Publication number
CN115529157B
Authority
CN
China
Prior art keywords
access
policy
application
enterprise application
terminal
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202210945544.XA
Other languages
Chinese (zh)
Other versions
CN115529157A (en)
Inventor
刘敬良
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Beijing Snow Technology Co ltd
Original Assignee
Beijing Snow Technology Co ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/102 Entity profiles
    • H04L 63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1416 Event detection, e.g. attack signature detection
    • H04L 63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L 9/3218 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using proof of knowledge, e.g. Fiat-Shamir, GQ, Schnorr, or non-interactive zero-knowledge proofs
    • H04L 9/3221 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication using proof of knowledge, interactive zero-knowledge proofs

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The application discloses an enterprise application access system, method and access system based on zero trust, wherein the access system comprises: the data receiving module is used for receiving a request data packet from the access terminal, wherein the request data packet comprises an access request for enterprise application and terminal user identity information corresponding to the access terminal; the identity verification engine is used for carrying out identity verification on the identity information of the terminal user in the request receiving module and determining whether the access terminal has access rights to enterprise applications or not; the policy matching engine is used for performing policy matching on the access terminal when the identity verification engine determines that the access terminal has the access right to the enterprise application, and determining the application policy of the access terminal; and the service routing module is used for sending the access request and the application policy to the enterprise application based on a preset service routing algorithm so that the enterprise application provides the access right within the application policy range for the access terminal. The pressure of the enterprise when deploying the enterprise application can be relieved.

Description

Enterprise application access system, method and access system based on zero trust
Technical Field
The application relates to the technical field of network security, in particular to an enterprise application access system, method and access system based on zero trust.
Background
At present, when a user accesses enterprise applications through terminal equipment, the traditional network architecture requires the intranet and the extranet to be distinguished, and access from inside and outside must be realized through complex policies and architecture, which places considerable pressure on the enterprise when deploying enterprise applications.
Disclosure of Invention
In view of this, the application provides an enterprise application access system, method and access system based on zero trust, which can relieve the pressure of an enterprise when deploying enterprise applications.
According to one aspect of the present application, there is provided a zero trust based enterprise application access system, the system comprising:
the system comprises a data receiving module, an identity verification engine, a strategy matching engine and a service routing module;
the data receiving module is used for receiving a request data packet from an access terminal, wherein the request data packet comprises an access request for enterprise application and terminal user identity information corresponding to the access terminal;
the identity verification engine is used for carrying out identity verification on the identity information of the terminal user in the request receiving module and determining whether the access terminal has access rights to the enterprise application or not;
the policy matching engine is used for performing policy matching on the access terminal when the identity verification engine determines that the access terminal has access rights to the enterprise application, and determining an application policy of the access terminal;
the business routing module is used for sending the access request and the application policy to the enterprise application based on a preset business routing algorithm so that the enterprise application provides the access terminal with the access right within the application policy range.
Optionally, the system further comprises:
the policy configuration platform is used for configuring authorized identity information and application access policies;
the policy synchronization module is used for storing the authorized identity information and the application access policy issued by the policy configuration platform;
the identity verification engine is specifically configured to read the authorized identity information in the policy synchronization module, and perform identity verification on the identity information of the terminal user according to the authorized identity information;
the policy matching engine is specifically configured to read the application access policy in the policy synchronization module, and perform policy matching on the access terminal according to the application access policy.
Optionally, the system comprises:
the policy configuration platform provides a visual configuration UI interface for an enterprise application manager, and the enterprise application manager inputs and/or imports the authorized identity information and the application access policy through the visual configuration UI interface.
Optionally, the system further comprises:
the policy sharing module is used for storing the latest authorized identity information and the latest application access policy issued by the policy configuration platform in real time and generating a first time stamp of the latest authorized identity information and a second time stamp of the latest application access policy;
the strategy synchronization timer is used for carrying out periodic timing according to a preset strategy synchronization period;
the policy synchronization module is further configured to read the first timestamp and the second timestamp in the policy sharing module in response to a periodic timing end signal of the policy synchronization timer, and determine whether the currently stored authorization identity information and the application access policy in the policy synchronization module are up to date according to the first timestamp and the second timestamp, and if not, read the up to date authorization identity information and the first timestamp corresponding thereto and the up to date application access policy and the second timestamp corresponding thereto in the policy sharing module.
Optionally, the system further comprises:
the safety detection engine is used for analyzing the access behavior and the position behavior of the real-time flow data received by the data receiving module;
the policy matching engine is further used for dynamically adjusting the application policy based on the real-time access behavior analysis result and the position behavior analysis result;
the business routing module is further used for sending the dynamically adjusted application strategy and the real-time traffic data to the enterprise application.
Optionally, the system comprises:
the security detection engine is further configured to identify whether a threat behavior applied to the enterprise exists in the access terminal based on the access behavior analysis result and the location behavior analysis result;
and the service routing module is further used for terminating the sending of the real-time traffic data and sending threat behavior prompt information to the access terminal when the security detection engine recognizes that the access terminal has threat behaviors to the enterprise application.
Optionally, the system comprises:
the data receiving module is further used for receiving an access recovery request from the access terminal;
the security detection engine is further configured to identify, based on the access restoration request, whether a threat behavior of the access terminal to the enterprise application has been released;
the service routing module is further configured to resume sending the real-time traffic data when the security detection engine recognizes that the threat behavior has been released.
Optionally, the system further comprises:
the log analysis module is used for collecting access logs of the enterprise application by different access terminals, analyzing the access logs, determining authorization identity adjustment information and application access policy adjustment information, and reporting the access logs, the authorization identity adjustment information and the application access policy adjustment information to the policy configuration platform.
According to another aspect of the present application, there is provided a zero-trust-based enterprise application access method, applied to the foregoing zero-trust-based enterprise application access system, the method including:
the data receiving module receives a request data packet from an access terminal, wherein the request data packet comprises an access request for enterprise application and terminal user identity information corresponding to the access terminal;
the identity verification engine performs identity verification on the identity information of the terminal user in the request receiving module, and determines whether the access terminal has access rights to the enterprise application or not;
when the identity verification engine determines that the access terminal has access rights to the enterprise application, the policy matching engine performs policy matching on the access terminal to determine an application policy of the access terminal;
and the business routing module sends the access request and the application policy to the enterprise application based on a preset business routing algorithm so that the enterprise application provides the access terminal with the access right within the application policy range.
According to yet another aspect of the present application, there is provided an enterprise application access system, including the zero trust-based enterprise application access system, an access terminal, and an enterprise application server described above; the enterprise application access system based on zero trust comprises: the system comprises a data receiving module, an identity verification engine, a strategy matching engine and a service routing module;
the data receiving module is used for receiving a request data packet from an access terminal, wherein the request data packet comprises an access request for enterprise application and terminal user identity information corresponding to the access terminal;
the identity verification engine is used for carrying out identity verification on the identity information of the terminal user in the request receiving module and determining whether the access terminal has access rights to the enterprise application or not;
the policy matching engine is used for performing policy matching on the access terminal when the identity verification engine determines that the access terminal has access rights to the enterprise application, and determining an application policy of the access terminal;
the business routing module is used for sending the access request and the application policy to the enterprise application based on a preset business routing algorithm so that the enterprise application provides the access terminal with the access right within the application policy range.
By means of the technical scheme, in the zero-trust-based enterprise application access system, enterprise application access method and enterprise application access system, the data receiving module first receives the access request of an access terminal to an enterprise application together with the terminal user identity information corresponding to the access terminal; the identity verification engine then verifies that terminal identity information to determine whether the access terminal has access rights to the enterprise application. Next, the policy matching engine performs policy matching on the terminal, and finally the service routing module sends the access request and the application policy together to the enterprise application based on a routing algorithm. The unified access system thus combines data receiving, identity verification, policy matching and service routing, so that the access problem of the terminal user when accessing the enterprise application is solved in a one-stop manner, and the pressure on the enterprise when deploying the enterprise application is relieved.
The foregoing description is only an overview of the technical solutions of the present application. In order that the technical means of the present application may be more clearly understood and implemented according to the content of the specification, and that the above-mentioned and other objects, features and advantages of the present application may be more clearly understood, the following detailed description of the present application is given.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 illustrates a schematic diagram of an enterprise application access system based on zero trust provided by an embodiment of the present application;
FIG. 2 illustrates another zero trust based enterprise application access system schematic provided by embodiments of the present application;
FIG. 3 illustrates an enterprise application access method based on zero trust provided by embodiments of the present application;
FIG. 4 illustrates an enterprise application access system provided by an embodiment of the present application.
Detailed Description
The present application will be described in detail hereinafter with reference to the accompanying drawings in conjunction with embodiments. It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other.
In this embodiment, there is provided an enterprise application access system based on zero trust, as shown in fig. 1, the system includes:
a data receiving module 101, an authentication engine 102, a policy matching engine 103 and a traffic routing module 104.
The data receiving module 101 is configured to receive a request packet from an access terminal, where the request packet includes an access request for an enterprise application and terminal user identity information corresponding to the access terminal.
Zero trust represents a new generation of network security protection concept. It is characterized by breaking default 'trust'; in popular terms it is summarized as 'continuous verification' and 'never trust'. No person, device or system inside or outside the enterprise network is trusted by default; the trust basis for access control is rebuilt on identity authentication and authorization, thereby ensuring identity trust, device trust, application trust and link trust. Based on the zero trust principle, three kinds of security of the office system can be ensured: terminal security, link security and access control security.
In this embodiment of the present application, a user initiates an access request to a target application through an access terminal, where the target application may be an enterprise application, and the data receiving module 101 in the zero-trust-based enterprise application access system of the present application receives the request packet sent by the access terminal. The access terminal may include a mobile phone, a tablet computer, a desktop computer, or the like, and the request packet includes an access request for an enterprise application and terminal user identity information. The user identity information may include the login location or login time of the user, and the terminal device may request access to the enterprise application through the internet of things, 5G, the web, and the like. When the terminal device requests access to the enterprise application, a short-lived TCP connection is established outward, the terminal user identity information carried by the terminal device (such as user attributes and device fingerprint) and the access request are sent to the access system, and after processing by the access system they are forwarded to the enterprise application, as shown in figure 2.
The authentication engine 102 is configured to perform authentication on the identity information of the terminal user in the request receiving module, and determine whether the access terminal has access rights to the enterprise application.
In the embodiment of the present application, after the authentication engine 102 obtains the request packet, authentication is first performed on the end user identity information in the request packet to identify whether the end user has the right to use the enterprise application.
Specifically, after the identity verification engine 102 obtains the user identity information received by the data receiving module 101, the identity information of the terminal user is matched according to the preset authorized identity information in the system, if the identity of the terminal user hits the authorized identity information, the terminal user can be considered to pass the identity verification, otherwise, the terminal user is refused to access.
The policy matching engine 103 is configured to perform policy matching on the access terminal when the authentication engine determines that the access terminal has access rights to the enterprise application, and determine an application policy of the access terminal.
In this embodiment of the present application, after the data receiving module 101 obtains the identity information of the terminal user, the policy matching engine 103 performs policy matching on the terminal device to determine the application policy of the terminal user for the enterprise application. For example, the application policy may include the target application functions that the terminal user is allowed to access, the target application data that the terminal user is allowed to access, and the like; after the application policy of the access terminal is determined, it is sent to the enterprise application.
The service routing module 104 is configured to send the access request and the application policy to the enterprise application based on a preset service routing algorithm, so that the enterprise application provides the access terminal with access rights within the application policy range.
In this embodiment of the present application, after the policy matching engine 103 determines the application policy, the service routing module 104 determines an optimal transmission path based on a preset service routing algorithm, and sends an access request and the application policy to the enterprise application, so that the enterprise application obtains the access rights of the corresponding end user. The access rights may be authorized in a part of the enterprise application, or may be authorized in the whole range of the enterprise application.
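The four-module flow described above (data receiving, identity verification, policy matching, service routing, with the enterprise application enforcing the policy it receives), as an added example that is not code from the patent or its assignee. The packet fields, the device-fingerprint check, the group-based policy tables, the cost-based routing algorithm and all sample data are assumptions or constructed values.

```python
"""Zero-trust access pipeline in the shape the patent describes: data receiving
module -> identity verification engine -> policy matching engine -> service
routing module, with the enterprise application enforcing the policy it is sent.

Added example, not code from the patent. Packet fields, the fingerprint check,
the policy tables, the routing algorithm and sample data are all assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class RequestPacket:
    """Request data packet: access request + terminal user identity information."""
    app: str                 # enterprise application being requested
    function: str            # application function the terminal wants to use
    user: str
    device_fingerprint: str  # part of the identity information per the description
    login_location: str


@dataclass(frozen=True)
class ApplicationPolicy:
    functions: frozenset     # target application functions the user may access
    data: frozenset          # target application data the user may access


# Authorized identity information, as the policy configuration platform would
# issue it to the policy synchronization module (constructed sample data).
AUTHORIZED_IDENTITIES = {
    ("alice", "fp-a1b2"): frozenset({"finance"}),
    ("bob", "fp-c3d4"): frozenset({"engineering"}),
}

# Application access policies keyed by (application, group) (constructed).
APPLICATION_ACCESS_POLICIES = {
    ("erp", "finance"): ApplicationPolicy(frozenset({"view_ledger", "export"}),
                                          frozenset({"ledger"})),
    ("erp", "engineering"): ApplicationPolicy(frozenset({"view_ledger"}),
                                              frozenset()),
}

# Candidate backends per application as (address, path cost, healthy); the
# "preset service routing algorithm" assumed here is lowest cost among healthy.
ROUTES = {
    "erp": [("erp-dc1:8443", 5, True), ("erp-dc2:8443", 3, False),
            ("erp-dc3:8443", 9, True)],
}


def verify_identity(pkt: RequestPacket) -> Optional[frozenset]:
    """Identity verification engine: the (user, device fingerprint) pair must
    hit the authorized identity information; returns the user's groups or None."""
    return AUTHORIZED_IDENTITIES.get((pkt.user, pkt.device_fingerprint))


def match_policy(pkt: RequestPacket, groups: frozenset) -> ApplicationPolicy:
    """Policy matching engine: union of the policies configured for the groups."""
    functions, data = set(), set()
    for group in groups:
        policy = APPLICATION_ACCESS_POLICIES.get((pkt.app, group))
        if policy is not None:
            functions |= policy.functions
            data |= policy.data
    return ApplicationPolicy(frozenset(functions), frozenset(data))


def select_route(app: str) -> Optional[str]:
    """Service routing module: lowest-cost healthy backend, or None."""
    healthy = [(cost, addr) for addr, cost, up in ROUTES.get(app, []) if up]
    return min(healthy)[1] if healthy else None


def handle_request(pkt: RequestPacket) -> dict:
    """Entry point of the access system. Returns what the service routing
    module forwards (request + policy + backend) or the rejection reason."""
    groups = verify_identity(pkt)
    if groups is None:
        return {"forwarded": False, "reason": "identity verification failed"}
    policy = match_policy(pkt, groups)
    if not policy.functions and not policy.data:
        # Verified identity but no policy for this application: nothing to grant.
        return {"forwarded": False, "reason": "no application policy"}
    backend = select_route(pkt.app)
    if backend is None:
        return {"forwarded": False, "reason": "no route to enterprise application"}
    return {"forwarded": True, "backend": backend, "request": pkt, "policy": policy}


def enterprise_app_decides(forwarded: dict) -> bool:
    """The enterprise application grants access only within the policy range
    it received alongside the request."""
    if not forwarded.get("forwarded"):
        return False
    return forwarded["request"].function in forwarded["policy"].functions
```

Note that a verified identity with a valid route is still refused by the application when the requested function lies outside the policy it was sent; the access system forwards the policy, it does not widen it.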
In an embodiment of the present application, optionally, as shown in fig. 2, the system further includes:
a policy configuration platform 105 for configuring authorized identity information and application access policies.
And the policy synchronization module 106 is configured to store the authorization identity information and the application access policy issued by the policy configuration platform.
The identity verification engine 102 is specifically configured to read the authorized identity information in the policy synchronization module, and perform identity verification on the identity information of the terminal user according to the authorized identity information.
The policy matching engine 103 is specifically configured to read the application access policy in the policy synchronization module, and perform policy matching on the access terminal according to the application access policy.
In embodiments of the present application, the policy configuration platform 105 may be made available to an enterprise administrator, who configures the authorized identity information and application access policies in the policy configuration platform 105.
Then, after the enterprise administrator has configured the authorized identity information and application access policies in the policy configuration platform 105, the policy configuration platform 105 issues them to the policy synchronization module 106. The policy configuration platform 105 supports dynamic changes to the policy configuration, and the policy synchronization module 106 may store both historical and current authorized identity information and application access policies.
Specifically, the identity verification engine 102 may also read the authorized identity information stored in the policy synchronization module 106, and then verify the identity information of the end user according to the authorized identity information.
Similarly, the policy matching engine 103 may read the access policy stored in the policy synchronization module 106, and perform policy matching on the access terminal according to the access policy.
Therefore, different authorized user identity information and access strategies can be customized individually according to different enterprise demands, and meanwhile, the authorized user identity information and the access strategies can be changed at any time according to different demands in different periods, so that the method has flexibility.
In this embodiment of the present application, optionally, the policy configuration platform 105 provides a visual configuration UI interface to an enterprise application administrator, where the enterprise application administrator inputs and/or imports the authorization identity information and the application access policy through the visual configuration UI interface.
In this embodiment, the policy configuration platform 105 may be presented to an enterprise application administrator through a visual configuration UI interface, so that the administrator can intuitively configure the authorized identity information and the application access policy in the platform through the visual interface. The configuration may be entered directly into the corresponding module of the platform, or imported as a whole, which improves configuration efficiency.
In an embodiment of the present application, optionally, the system further includes:
a policy sharing module 107, configured to store latest authorized identity information and a latest application access policy issued in real time by the policy configuration platform, and generate a first timestamp of the latest authorized identity information and a second timestamp of the latest application access policy;
a policy synchronization timer 108 for performing periodic timing according to a preset policy synchronization period;
the policy synchronization module 106 is further configured to read the first timestamp and the second timestamp in the policy sharing module in response to a periodic timing end signal of the policy synchronization timer, and determine whether the currently stored authorized identity information and the application access policy in the policy synchronization module are up to date according to the first timestamp and the second timestamp, and if not, read the up to date authorized identity information and the first timestamp corresponding thereto and the up to date application access policy and the second timestamp corresponding thereto in the policy sharing module.
In this embodiment of the present application, after the enterprise administrator configures the authorization identity information and the access policy through the policy configuration platform 105, the policy sharing module 107 may store the real-time authorization identity information and the real-time application access policy issued by the policy configuration platform 105, and mark a first timestamp on the latest authorization identity information at the current time, and mark a second timestamp on the latest application access policy at the current time.
Specifically, the policy configuration platform 105 issues the latest authorized identity information and configuration policy to the policy sharing module 107, and the policy sharing module 107 marks the stored authorized identity information and the stored configuration policy with a first timestamp and a second timestamp respectively, representing the version of the corresponding information. The policy synchronization timer 108 counts periodically, for example once every minute. Each time the policy synchronization timer 108 finishes a count, the policy synchronization module 106 reads the authorized identity information and configuration policy in the policy sharing module 107 together with their first and second timestamps. If the timestamps of the information stored in the policy synchronization module 106 are consistent with those of the information stored in the policy sharing module 107, the content stored in the policy synchronization module 106 is kept unchanged; if they are inconsistent, the information stored in the policy synchronization module 106 is replaced with the latest information, bearing the latest timestamps, from the policy sharing module 107, so that the access system manages terminal access according to the latest configuration information.
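The timestamp-driven synchronization between the policy sharing module and the policy synchronization module described above, as an added example that is not the patent's code. The storage layout, the use of a monotonically increasing issue counter as the version timestamp, and the timer being driven by an explicit call are assumptions.

```python
"""Periodic policy synchronization keyed on the first (identity) and second
(policy) timestamps, as described for modules 106, 107 and 108.

Added example, not code from the patent. The timestamp representation (an
issue counter standing in for wall-clock time) and the timer abstraction
are assumptions.
"""
from dataclasses import dataclass, field


@dataclass
class PolicySharingModule:
    """Stores the latest authorized identity information and application access
    policy issued by the policy configuration platform, each with a timestamp."""
    identities: dict = field(default_factory=dict)
    identity_ts: int = 0          # first timestamp
    policies: dict = field(default_factory=dict)
    policy_ts: int = 0            # second timestamp
    clock: int = 0                # issue counter used as the version stamp

    def _tick(self) -> int:
        self.clock += 1
        return self.clock

    def issue_identities(self, identities: dict) -> None:
        """Platform issues new authorized identity information in real time."""
        self.identities = dict(identities)
        self.identity_ts = self._tick()

    def issue_policies(self, policies: dict) -> None:
        """Platform issues a new application access policy in real time."""
        self.policies = dict(policies)
        self.policy_ts = self._tick()


@dataclass
class PolicySynchronizationModule:
    """Copy read by the identity verification and policy matching engines."""
    identities: dict = field(default_factory=dict)
    identity_ts: int = -1
    policies: dict = field(default_factory=dict)
    policy_ts: int = -1
    refreshes: int = 0            # how many timer periods replaced stored content

    def on_timer(self, sharing: PolicySharingModule) -> bool:
        """Handler for the policy synchronization timer's period-end signal.
        Compares only the two timestamps first; copies data only when they
        differ. Returns True if any stored content was replaced."""
        changed = False
        if sharing.identity_ts != self.identity_ts:
            self.identities = dict(sharing.identities)
            self.identity_ts = sharing.identity_ts
            changed = True
        if sharing.policy_ts != self.policy_ts:
            self.policies = dict(sharing.policies)
            self.policy_ts = sharing.policy_ts
            changed = True
        if changed:
            self.refreshes += 1
        return changed


def run_sync_cycles(sharing: PolicySharingModule,
                    sync: PolicySynchronizationModule,
                    periods: list) -> list:
    """Drive the timer: each entry of `periods` lists the ("identities"|"policies",
    data) issues that happen during one sync period before the timer fires.
    Returns, per period, whether the synchronization module refreshed."""
    results = []
    for issues in periods:
        for kind, data in issues:
            if kind == "identities":
                sharing.issue_identities(data)
            else:
                sharing.issue_policies(data)
        results.append(sync.on_timer(sharing))
    return results
```

Because the comparison is on version stamps rather than on the data itself, two issues within one period collapse into a single refresh that carries only the latest version, which is the behaviour the description calls for.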
In an embodiment of the present application, optionally, the system further includes: a security detection engine 109, configured to perform access behavior and location behavior analysis on the real-time traffic data received by the data receiving module;
the policy matching engine 103 is further configured to dynamically adjust the application policy based on the real-time access behavior analysis result and the location behavior analysis result;
the service routing module 104 is further configured to send the dynamically adjusted application policy and the real-time traffic data to the enterprise application.
In the above embodiment, after the policy configuration platform 105 in the access system issues the access policy to the target application, the security detection engine 109 starts to analyze the real-time traffic data received by the data receiving module 101. The real-time traffic data comprises the access behaviors and location behaviors of the terminal user, and the access behavior analysis results and location behavior analysis results of the terminal user are finally obtained.
Then, the policy matching engine 103 dynamically adjusts the application policy for the obtained real-time access behavior analysis result and the obtained location behavior analysis result.
Then, the service routing module 104 sends the dynamically adjusted application policy and the real-time traffic data to the enterprise application. Thus, even if the end user passes the initial verification and obtains the authority to access the enterprise application, if the operation beyond the authorized range occurs in the subsequent operation, the enterprise application can adjust the application strategy at any time according to the real-time condition, and the authorization to the end user can be stopped at any time.
Therefore, after the user obtains the access right to the enterprise application and enters the enterprise terminal, the access system can still verify the user identity information in real time, and adjust the access strategy at any time according to the verification result, so that the access security is improved.
In this embodiment of the present application, optionally, the security detection engine 109 is further configured to identify, based on the access behavior analysis result and the location behavior analysis result, whether the access terminal has a threat behavior for the enterprise application;
the service routing module 104 is further configured to terminate sending the real-time traffic data and send threat behavior prompt information to the access terminal when the security detection engine identifies that the access terminal has threat behaviors to the enterprise application.
In this embodiment of the present application, after the security detection engine 109 analyzes the real-time traffic data received by the data receiving module 101 and obtains the access behavior analysis result and the location behavior analysis result of the end user, it can identify from these results whether the access terminal exhibits threat behavior toward the enterprise application.
Then, when the service routing module 104 learns that the security detection engine 109 has identified threat behavior by the access terminal toward the enterprise application, it may terminate the sending of the real-time traffic data and send threat behavior prompt information to the access terminal.
Specifically, if threat behavior by the access terminal is identified, the data channel can be disconnected to protect the access security and data security of the enterprise application, which cuts off the access terminal's access to the enterprise application. To avoid a user being unable to access the application because the terminal's behavior was misidentified, the access terminal can send a complaint request to the access system after the data channel is disconnected; if the access system decides that access may be restored, the data channel is restored and the access terminal can continue to access the enterprise application.
In this embodiment of the present application, optionally, the data receiving module 101 is further configured to receive an access recovery request from the access terminal;
the security detection engine 109 is further configured to identify, based on the access recovery request, whether the threat behavior of the access terminal toward the enterprise application has been resolved;
the service routing module 104 is further configured to resume sending the real-time traffic data when the security detection engine recognizes that the threat behavior has been released.
In this embodiment, if the access system determines that access may be restored, the data receiving module 101 is further configured to receive an access recovery request from the access terminal; after that request is received, the security detection engine 109 identifies, from the access behavior and the location behavior of the end user, whether the threat behavior of the access terminal toward the enterprise application has been resolved.
The service routing module 104 then resumes the transmission of the real-time traffic data if the security detection engine 109 recognizes that the threat behavior of the access terminal toward the enterprise application has been resolved.
Therefore, if the user is notified of threat behavior while accessing the enterprise application, and the user stops that behavior and requests that access be restored, the system can choose to restore the end user's authorization according to the actual situation, so that the end user can continue to access the enterprise application. This protects the enterprise application while avoiding access termination caused by a user's mis-operation.
In an embodiment of the present application, optionally, the system further includes:
the log analysis module 110 is configured to collect access logs of the enterprise application by different access terminals, analyze the access logs, determine authorization identity adjustment information and application access policy adjustment information, and report the access logs, the authorization identity adjustment information and the application access policy adjustment information to a policy configuration platform.
In this embodiment, the policy configuration information may also be optimized automatically in real time. In a specific application scenario, while the access terminal accesses the enterprise application through the data channel, the log analysis module 110 collects the access logs generated by that access, gathers the access logs of different access terminals to the enterprise application, and reports them to the policy configuration platform 105. The policy configuration platform 105 then either adjusts the policy configuration information automatically, after learning from the access logs through a preset policy adjustment model, or lets an enterprise application administrator adjust the policy configuration information manually according to the access logs.
By applying the technical scheme of this embodiment, the access system comprises a data receiving module, an identity verification engine, a policy matching engine and a service routing module. The data receiving module receives a request data packet from the access terminal, where the data packet comprises an access request for the enterprise application and the terminal user identity information corresponding to the access terminal; the identity verification engine verifies the terminal user identity information received by the data receiving module and determines whether the access terminal has access rights to the enterprise application; the policy matching engine performs policy matching on the access terminal when the identity verification engine determines that the access terminal has access rights to the enterprise application, and determines the application policy of the access terminal; and the service routing module sends the access request and the application policy to the enterprise application based on a preset service routing algorithm, so that the enterprise application provides the access terminal with access rights within the application policy range. Through the cooperation of data receiving, identity verification, policy matching and service routing, the access system is constructed between the access terminal and the enterprise application, the end user's access to the enterprise application is solved in a one-stop manner, and the pressure on the enterprise when deploying the enterprise application is relieved.
Further, as a refinement and extension of the foregoing embodiment, to fully describe the implementation procedure of this embodiment, another enterprise application access method based on zero trust is provided, as shown in fig. 3, where the method includes:
step 201, a data receiving module receives a request data packet from an access terminal, wherein the request data packet comprises an access request for enterprise application and terminal user identity information corresponding to the access terminal;
step 202, an identity verification engine performs identity verification on the terminal user identity information received by the data receiving module, and determines whether the access terminal has access rights to the enterprise application;
step 203, when the authentication engine determines that the access terminal has access rights to the enterprise application, the policy matching engine performs policy matching on the access terminal, and determines an application policy of the access terminal;
step 204, the service routing module sends the access request and the application policy to the enterprise application based on a preset service routing algorithm, so that the enterprise application provides the access terminal with access rights within the application policy range.
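Steps 201 to 204 together with the security detection engine's threat termination and access recovery described above, as an added example that is not code from the patent; the class and method names are assumptions, and the threat rule (an operation outside the matched policy, or a location change within the session) is a constructed illustration of "access behavior and location behavior analysis".

```python
"""Request handling, threat termination and access recovery for the
zero-trust access system. Added example; names are assumptions."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class ChannelState(Enum):
    OPEN = "open"              # real-time traffic is forwarded to the application
    TERMINATED = "terminated"  # threat behavior identified, traffic stopped


@dataclass
class Session:
    application: str
    allowed_ops: frozenset      # the matched application policy
    location: str               # location behavior baseline for the session
    state: ChannelState = ChannelState.OPEN
    prompt: str = ""            # threat behavior prompt sent to the terminal


class AccessSystem:
    """Data receiving, identity verification, policy matching and service
    routing, plus the security detection engine's checks on live traffic."""

    def __init__(self, authorized: dict, policies: dict) -> None:
        self.authorized = authorized   # user_id -> {"credential": ..., "role": ...}
        self.policies = policies       # application -> {role: set of operations}
        self.sessions: dict = {}       # terminal_id -> Session

    def handle_request(self, terminal_id, user_id, credential, application,
                       location) -> Optional[Session]:
        """Steps 201-204: returns the session routed to the application, or
        None when identity verification or policy matching fails."""
        record = self.authorized.get(user_id)
        if record is None or record["credential"] != credential:
            return None                           # step 202: identity rejected
        ops = self.policies.get(application, {}).get(record["role"])
        if not ops:
            return None                           # step 203: no policy matches
        session = Session(application, frozenset(ops), location)
        self.sessions[terminal_id] = session      # step 204: traffic may flow
        return session

    def observe_traffic(self, terminal_id, operation, location) -> ChannelState:
        """Security detection engine on one real-time traffic event; the
        service routing module stops forwarding once a threat is identified."""
        s = self.sessions[terminal_id]
        if s.state is ChannelState.TERMINATED:
            return s.state                        # channel already disconnected
        if operation not in s.allowed_ops:
            s.state, s.prompt = ChannelState.TERMINATED, "operation outside authorized range"
        elif location != s.location:
            s.state, s.prompt = ChannelState.TERMINATED, "session location changed"
        return s.state

    def handle_recovery(self, terminal_id, recent_events) -> ChannelState:
        """Access recovery request: resume only if the terminal's recent
        (operation, location) behavior no longer shows the threat."""
        s = self.sessions[terminal_id]
        clean = all(op in s.allowed_ops and loc == s.location
                    for op, loc in recent_events)
        if clean:
            s.state, s.prompt = ChannelState.OPEN, ""
        return s.state


def demo() -> list:
    """Constructed scenario: a finance user reads, then attempts an export the
    policy does not allow, is cut off, and recovers after a clean request."""
    system = AccessSystem(
        authorized={"alice": {"credential": "tok-alice", "role": "finance"}},
        policies={"ledger": {"finance": {"read"}, "auditor": {"read", "export"}}},
    )
    trace = []
    trace.append(system.handle_request("t1", "alice", "wrong", "ledger", "HQ") is None)
    trace.append(system.handle_request("t1", "alice", "tok-alice", "ledger", "HQ") is not None)
    trace.append(system.observe_traffic("t1", "read", "HQ"))
    trace.append(system.observe_traffic("t1", "export", "HQ"))
    trace.append(system.handle_recovery("t1", [("export", "HQ")]))  # still a threat
    trace.append(system.handle_recovery("t1", [("read", "HQ")]))
    return trace
```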
Based on the above system shown in fig. 1 to 2, correspondingly, the embodiment of the present application further provides an access system, as shown in fig. 4, including an enterprise application access system 301 based on zero trust, an access terminal 302, and an enterprise application server 303; the zero trust based enterprise application access system comprises: a data receiving module 101, an identity verification engine 102, a policy matching engine 103, and a service routing module 104;
the data receiving module 101 is configured to receive a request data packet from an access terminal, where the request data packet includes an access request for an enterprise application and terminal user identity information corresponding to the access terminal;
the identity verification engine 102 is configured to verify the terminal user identity information received by the data receiving module, and determine whether the access terminal has access rights to the enterprise application;
the policy matching engine 103 is configured to perform policy matching on the access terminal when the identity verification engine determines that the access terminal has access rights to the enterprise application, and determine an application policy of the access terminal;
the service routing module 104 is configured to send the access request and the application policy to the enterprise application based on a preset service routing algorithm, so that the enterprise application provides the access terminal with access rights within the application policy range.
Those skilled in the art will appreciate that the drawings are merely schematic illustrations of one preferred implementation scenario, and that the modules or flows in the drawings are not necessarily required to practice the present application. Those skilled in the art will appreciate that modules in an apparatus in an implementation scenario may be distributed in an apparatus in an implementation scenario according to an implementation scenario description, or that corresponding changes may be located in one or more apparatuses different from the implementation scenario. The modules of the implementation scenario may be combined into one module, or may be further split into a plurality of sub-modules.
The foregoing application serial numbers are merely for description, and do not represent advantages or disadvantages of the implementation scenario. The foregoing disclosure is merely a few specific implementations of the present application, but the present application is not limited thereto and any variations that can be considered by a person skilled in the art shall fall within the protection scope of the present application.

Claims (7)

1. An enterprise application access system based on zero trust, the system comprising:
the system comprises a policy configuration platform, a data receiving module, a security detection engine, an identity verification engine, a policy matching engine and a service routing module;
the policy configuration platform is used for configuring authorized identity information and application access policies;
the data receiving module is used for receiving a request data packet from an access terminal, wherein the request data packet comprises an access request for enterprise application, an access recovery request and terminal user identity information corresponding to the access terminal;
the security detection engine is used for performing access behavior analysis and location behavior analysis on the real-time traffic data received by the data receiving module;
the identity verification engine is used for reading the latest authorized identity information, carrying out identity verification on the identity information of the terminal user in the data receiving module according to the latest authorized identity information, and determining whether the access terminal has access rights to the enterprise application or not;
the policy matching engine is used for reading the latest application access policy, performing policy matching on the access terminal according to the latest application access policy when the identity verification engine determines that the access terminal has access rights to the enterprise application, and dynamically adjusting the application policy of the access terminal based on a real-time access behavior analysis result and a position behavior analysis result;
the service routing module is configured to send the access request, the application policy, and the real-time traffic data to the enterprise application based on a preset service routing algorithm, so that the enterprise application provides the access terminal with access rights within the application policy range; when the access terminal has threat behaviors to the enterprise application, the service routing module terminates the sending of the real-time traffic data and sends threat behavior prompt information to the access terminal, and it resumes the sending of the real-time traffic data when the threat behaviors have been released.
2. The system of claim 1, wherein
the policy configuration platform provides a visual configuration UI interface for an enterprise application manager, and the enterprise application manager inputs and/or imports the authorized identity information and the application access policy through the visual configuration UI interface.
3. The system of claim 1, wherein the system further comprises:
the policy sharing module is used for storing the latest authorized identity information and the latest application access policy issued by the policy configuration platform in real time and generating a first time stamp of the latest authorized identity information and a second time stamp of the latest application access policy;
the policy synchronization timer is used for performing periodic timing according to a preset policy synchronization period;
and the policy synchronization module is used for responding to the periodic timing end signal of the policy synchronization timer, reading the first timestamp and the second timestamp in the policy sharing module, judging whether the currently stored authorized identity information and application access policy in the policy synchronization module are up-to-date according to the first timestamp and the second timestamp, and if not, reading the up-to-date authorized identity information and the corresponding first timestamp in the policy sharing module and the up-to-date application access policy and the corresponding second timestamp.
4. The system of claim 1, wherein
the security detection engine is further configured to identify, based on the access behavior analysis result and the location behavior analysis result, whether the access terminal has a threat behavior to the enterprise application, and identify, based on the access restoration request, whether the threat behavior of the access terminal to the enterprise application has been released.
5. The system of claim 1, wherein the system further comprises:
the log analysis module is used for collecting access logs of the enterprise application by different access terminals, analyzing the access logs, determining authorization identity adjustment information and application access policy adjustment information, and reporting the access logs, the authorization identity adjustment information and the application access policy adjustment information to the policy configuration platform.
6. A zero-trust-based enterprise application access method applied to the zero-trust-based enterprise application access system of any one of claims 1 to 5, the method comprising:
the policy configuration platform configures authorized identity information and an application access policy;
the data receiving module receives a request data packet from an access terminal, wherein the request data packet comprises an access request for enterprise application, an access recovery request and terminal user identity information corresponding to the access terminal;
the security detection engine performs access behavior analysis and location behavior analysis on the real-time traffic data received by the data receiving module;
the identity verification engine reads the latest authorized identity information, performs identity verification on the identity information of the terminal user in the data receiving module according to the latest authorized identity information, and determines whether the access terminal has access rights to the enterprise application or not;
the policy matching engine reads the latest application access policy, and when the identity verification engine determines that the access terminal has access rights to the enterprise application, the policy matching engine performs policy matching on the access terminal according to the latest application access policy, and dynamically adjusts the application policy of the access terminal based on a real-time access behavior analysis result and a position behavior analysis result;
the service routing module sends the access request, the application policy and the real-time traffic data to the enterprise application based on a preset service routing algorithm, so that the enterprise application provides the access terminal with access rights within the application policy range; when the access terminal has threat behaviors to the enterprise application, the sending of the real-time traffic data is terminated and threat behavior prompt information is sent to the access terminal, and when the threat behaviors have been released, the sending of the real-time traffic data is restored.
7. An enterprise application access system, comprising:
the zero trust based enterprise application access system, access terminal, enterprise application server of any one of claims 1 to 5; the zero trust based enterprise application access system comprises: the system comprises a policy configuration platform, a data receiving module, a security detection engine, an identity verification engine, a policy matching engine and a service routing module;
the policy configuration platform is used for configuring authorized identity information and application access policies;
the data receiving module is used for receiving a request data packet from an access terminal, wherein the request data packet comprises an access request for enterprise application, an access recovery request and terminal user identity information corresponding to the access terminal;
the security detection engine is used for performing access behavior analysis and location behavior analysis on the real-time traffic data received by the data receiving module;
the identity verification engine is used for reading the latest authorized identity information, carrying out identity verification on the identity information of the terminal user in the data receiving module according to the latest authorized identity information, and determining whether the access terminal has access rights to the enterprise application or not;
the policy matching engine is used for reading the latest application access policy, performing policy matching on the access terminal according to the latest application access policy when the identity verification engine determines that the access terminal has access rights to the enterprise application, and dynamically adjusting the application policy of the access terminal based on a real-time access behavior analysis result and a position behavior analysis result;
the service routing module is configured to send the access request, the application policy, and the real-time traffic data to the enterprise application based on a preset service routing algorithm, so that the enterprise application provides the access terminal with access rights within the application policy range; when the access terminal has threat behaviors to the enterprise application, the service routing module terminates the sending of the real-time traffic data and sends threat behavior prompt information to the access terminal, and it resumes the sending of the real-time traffic data when the threat behaviors have been released.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210945544.XA CN115529157B (en) 2022-08-08 2022-08-08 Enterprise application access system, method and access system based on zero trust


Publications (2)

Publication Number Publication Date
CN115529157A CN115529157A (en) 2022-12-27
CN115529157B true CN115529157B (en) 2023-08-01

Family

ID=84696509


Country Status (1)

Country Link
CN (1) CN115529157B (en)



Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant