CN115865606A - Distributed network construction method under zero trust - Google Patents
- Publication number: CN115865606A
- Application number: CN202211556084.8A
- Authority: CN (China)
- Prior art keywords: trust, client, message, center, agent
- Prior art date
- Legal status: Pending (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Landscapes
- Computer And Data Communications (AREA)
Abstract
The invention relates to a method for constructing a distributed network under a zero-trust framework, comprising the following steps: step 1, a newly joining client establishes a connection with the broker (the "agent center"); step 2, the client sends a subscription message to the broker to subscribe to a topic; step 3, the client publishes messages on the topic subscribed in step 2. The invention can substantially improve the security of the distributed system.
Description
Technical Field
The invention belongs to the technical field of information communication and relates to a method for constructing a distributed network, in particular to a method for constructing a distributed network under zero trust.
Background
Information technology changes by the day, open sharing has become the mainstream of the era, and the emergence of open computing environments such as cloud computing and distributed computing marks the gradual development of information systems from single-domain, closed systems to cross-domain, cooperative ones. The complexity of network information resources in a big-data environment makes information resources and private data harder to protect; traditional access control models cannot protect private information or secure the exchange of confidential data in a complex network environment, and a fine-grained, highly flexible access control model is urgently needed. Attribute-based access control (ABAC) arose to meet this need. ABAC adapts to complex network environments in a fine-grained way and, because it describes users and resources with attributes, has sufficient advantages in flexibility and extensibility, and can secure anonymous access in a large-scale distributed environment.
Because the traditional network security model cannot meet the requirements of intranet security, the zero-trust network security model was produced. Every subject accessing the network, including the person initiating the access, the device initiating the access, and the application being accessed, is by default untrusted at each access, and dynamic access trust must be built through continuous identity verification and access authorization. This is the core idea of the zero-trust network security model, and its essence is to perform access control centered on the identity of the accessing subject.
The combination of zero-trust networks and dynamic access control is a current research hotspot in Internet of Things security and a new direction of development. Existing distributed network security protection faces potential hazards such as access by illegal terminals, exploitation of legitimate terminals, and unauthorized access by malicious terminals, because the "terminal (device) - application (behavior) - user (role)" chain is insufficiently authenticated, terminal network access behavior is insufficiently monitored, and terminal access control lacks granularity and dynamic adaptability.
A search found no published patent documents that are the same as or similar to the invention.
Disclosure of Invention
The invention aims to overcome the defects of the prior art and provides a method for constructing a distributed network under zero trust that is reasonably designed, highly flexible, secure and reliable, and can substantially improve the security of a distributed system.
The invention solves the practical problem by adopting the following technical scheme:
A method for constructing a distributed network under a zero-trust framework comprises the following steps:
step 1, a newly joining client establishes a connection with the broker;
step 2, the client sends a subscription message to the broker to subscribe to a topic;
step 3, the client publishes messages on the topic subscribed in step 2.
Further, the specific steps of step 1 include:
(1) The new client applies for authentication to the authentication center of the trust evaluation module, and the authentication center checks whether the client is already on its blacklist or whitelist: (a) if the client is on the blacklist, it refuses to issue a certificate; (b) if the client is on the whitelist, it issues a certificate carrying the subject attributes and an initial trust value; (c) if the client is on neither list, it likewise issues a certificate carrying the subject attributes, but without an initial trust value;
(2) The new client sends a connection request to the broker with the certificate attached; the Policy Enforcement Point (PEP) intercepts the request and first hands the client information to the trust evaluation center of the trust evaluation module, which calculates the client's current trust value;
(3) Once the client's trust value is known, the PEP decides according to a trust threshold whether the connection request is allowed; if the threshold is met, it forwards the connection request to the broker and at the same time updates the list held by the authentication center;
(4) After the broker has established the connection with the client, it returns a connection confirmation; the PEP intercepts this message, trust evaluation is performed again, this time on both the client and the broker, and the connection confirmation is then forwarded.
Further, the specific steps of step 2 include:
(1) The client sends a subscription message to the broker; the PEP intercepts it and first passes it to the trust evaluation center, which evaluates the current trust of the client; if the trust level is below the trust threshold required for subscribing to the topic, the request is refused outright and the blacklist is updated;
(2) The PEP passes the client's current trust value to the policy decision point (PDP) in the access control module, where the trust level takes part in the authorization process as an important subject attribute; the PDP searches the policy administration point (PAP) for an access control policy satisfied by the attribute information and the client's trust value; if the request is denied, a denial message is returned to the client, and if it is allowed, the subscription message is forwarded to the broker;
(3) The broker receives the subscription request and returns a subscription success/failure message to the client; the PEP intercepts it and hands it to the trust evaluation center, which evaluates the trust of both the broker and the client and updates the trust list.
Further, the specific steps of step 3 include:
(1) The client publishes a message on a topic to the broker; the PEP intercepts it and first hands it to the trust evaluation center, which evaluates the current trust of the client; if the trust value is too low, the publication is refused outright and the blacklist is updated;
(2) The PEP passes the client's current trust value to the PDP, which searches the PAP for an access control policy satisfied by the attribute information and the client's trust value; if publication is denied, a denial message is returned to the client, and if it is allowed, the published message is forwarded to the broker;
(3) The broker receives the client's published message, queries the latest trust list from the trust evaluation center, and forwards the topic message to the subscribing clients according to their trust values; if a subscribing client's trust value does not reach the trust threshold required to receive the message, the broker sends that client a message rejection notice informing it that the message on the topic was not delivered and giving the reason;
(4) The broker returns a publication success/failure message to the publishing client; the PEP intercepts it and hands it to the trust evaluation center, which evaluates the trust of both the broker and the client and updates the trust list.
The advantages and beneficial effects of the invention are:
1. The invention provides a method for constructing a distributed network under a zero-trust framework whose system comprises clients, a broker, an access control module and a trust evaluation module. The clients and the broker are the basic components of the publish/subscribe pattern: clients are the publishers and subscribers of messages, and the broker accepts client requests and manages message subscription and publication. The invention adds the access control module and the trust evaluation module to the framework of the conventional publish/subscribe pattern and, by exploiting the fine granularity and high flexibility of the ABAC model combined with dynamic, continuous trust evaluation, substantially improves the security of the distributed system.
2. The invention combines the ABAC access control model with continuous trust evaluation and provides a method for constructing a distributed network based on the publish/subscribe pattern under a zero-trust framework. The fine granularity and high flexibility of the ABAC model meet the security requirements of dynamic access in a distributed network and fill the security gap in existing distributed Internet of Things systems, and the method is feasible in practice.
Drawings
FIG. 1 is a block diagram of the process flow of step 1 of the invention, in which a newly joining client establishes a connection with the broker;
FIG. 2 is a block diagram of the process flow of step 2 of the invention, in which a client sends a subscription message to the broker to subscribe to a topic;
FIG. 3 is a block diagram of the process flow of message publication by a client in the invention;
FIG. 4 is a block diagram of the authorization of user behavior by the ABAC model;
FIG. 5 is a block diagram of the trust evaluation center (TEC) in the trust evaluation module performing a trust evaluation of a user.
Detailed Description
Embodiments of the invention are described in further detail below with reference to the accompanying drawings.
A method for constructing a distributed network under a zero-trust framework, as shown in FIG. 1 to FIG. 3, comprises the following steps:
Step 1, a newly joining client establishes a connection with the broker;
The specific steps of step 1 include:
(1) The new client applies for authentication to the authentication center of the trust evaluation module, and the authentication center checks whether the client is already on its blacklist or whitelist: (a) if the client is on the blacklist, it refuses to issue a certificate; (b) if the client is on the whitelist, it issues a certificate carrying the subject attributes and an initial trust value; (c) if the client is on neither list, it likewise issues a certificate carrying the subject attributes, but without an initial trust value;
(2) The new client sends a connection request to the broker with the certificate attached; the Policy Enforcement Point (PEP) intercepts the request and first hands the client information to the trust evaluation center of the trust evaluation module, which calculates the client's current trust value;
The trust evaluation center can be linked with the policy decision point (PDP) and the policy information point (PIP) in the access control module; it collects the interaction records of users and quantifies them into a comprehensive trust value;
(3) Once the client's trust value is known, the PEP decides according to a trust threshold whether the connection request is allowed; if the threshold is met, it forwards the connection request to the broker and at the same time updates the list held by the authentication center.
(4) After the broker has established the connection with the client, it returns a connection confirmation; the PEP intercepts this message and trust evaluation is performed again, this time on both the client and the broker (which generally has a higher trust value), after which the connection confirmation is forwarded.
Treating the broker as one of the objects of trust evaluation effectively avoids the security hazards an untrusted broker would introduce and substantially improves the security of the distributed system.
In this embodiment, a newly joining client must establish a connection with the broker; before doing so it must apply for authentication from the authentication center, and only after obtaining a certificate can it submit a connection request. The request is intercepted by the PEP and handed to the trust evaluation center, which evaluates the trust of the new client, after which the request is forwarded to the broker to establish the connection. The broker returns a success/failure message, which the PEP forwards after performing trust evaluation again on both the broker and the client.
Step 2, the client sends a subscription message to the broker to subscribe to a topic;
Before it can receive messages, the client must subscribe to a topic; the subscription message is sent by the client to the broker.
The specific steps of step 2 include:
(1) The client sends a subscription message to the broker; the PEP intercepts it and first passes it to the trust evaluation center, which evaluates the current trust of the client; if the trust level is below the trust threshold required for subscribing to the topic, the request is refused outright and the blacklist is updated. No subsequent authorization process is needed in that case, which reduces the overhead of access control;
(2) The PEP passes the client's current trust value to the policy decision point (PDP) in the access control module, where the trust level takes part in the authorization process as an important subject attribute; the PDP searches the policy administration point (PAP) for an access control policy satisfied by the attribute information and the client's trust value, returns a denial message to the client if the request is denied, and forwards the subscription message to the broker if it is allowed.
Because in the invention there is no process in which a client subject directly applies to access a resource object, the access control process is adapted: access control policies are formulated and enforced on the basis of topics. Topics are organized as a tree, access control policies are created according to the topic tree, an administrator assigns to each topic the access permissions that match it, and the authorization process follows the permissions, constraints and policies under the topic;
(3) The broker receives the subscription request and returns a subscription success/failure message to the client; the PEP intercepts it and hands it to the trust evaluation center, which evaluates the trust of both the broker and the client and updates the trust list.
In this embodiment, unsubscribing follows the same process as subscribing and is therefore not described separately.
In this embodiment, a client must subscribe to a topic before it can receive messages. The subscription message is sent by the client to the broker and intercepted by the PEP (policy enforcement point), which first hands it to the trust evaluation center to evaluate the current trust of the client and then passes the client's current trust value to the PDP; the PDP searches the policy administration point for an access control policy satisfied by the attribute information and the client's trust value. The broker receives the subscription request and returns a subscription success/failure message to the client, which the PEP intercepts and forwards to the trust evaluation center so that trust evaluation is performed on the broker and the client and the trust list is updated.
Step 3, the client publishes messages on the topic subscribed in step 2.
The specific steps of step 3 include:
(1) The client publishes a message on a topic to the broker; the PEP (policy enforcement point) intercepts it and hands it to the trust evaluation center, which evaluates the current trust of the client; if the trust value is too low, the publication is refused outright and the blacklist is updated;
(2) The PEP passes the client's current trust value to the PDP, which searches the PAP for an access control policy satisfied by the attribute information and the client's trust value; if publication is denied, a denial message is returned to the client, and if it is allowed, the published message is forwarded to the broker.
Because of the dynamic nature of the distributed system, every subscription or publication of a message must be authorized: once an action has completed, the user's current permission is invalidated, and the next instance of the same action (for example publishing again on the same topic) must be authorized anew;
(3) The broker receives the client's published message, queries the latest trust list from the trust evaluation center, and forwards the topic message to the subscribing clients according to their trust values; if a subscribing client's trust value does not reach the trust threshold required to receive the message, the broker sends that client a message rejection notice informing it that the message on the topic was not delivered and giving the reason;
(4) The broker returns a publication success/failure message to the publishing client; the PEP intercepts it and hands it to the trust evaluation center, which evaluates the trust of both the broker and the client and updates the trust list.
In this embodiment, a client can publish messages on a topic. In the conventional publish/subscribe pattern, once the broker receives a message published by a client it sends it directly to the clients subscribed to that topic according to the subscription list, which does not conform to the zero-trust idea. In the present model, restrictions are added to message publication: not only must the client pass trust evaluation and an access control decision in order to publish, but when the broker forwards the message it must also obtain the trust value of each subscribing client and forward the message only to those clients that meet the trust requirement.
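The three steps above as one runnable walk-through, added here as an illustration; it is not code from the patent or from any implementation of it. It assumes a single broker scored under the name "broker", a flat policy table standing in for the PAP, fixed thresholds, and a simple additive trust update (a reward on every confirmed interaction, a penalty on every refused request, and blacklisting once the value falls below a floor); none of those values come from the patent. The client names, topics and policy table are constructed for the illustration.

```python
DEFAULT_TRUST = 0.5       # assumed: a client on neither list starts here (step 1(1), case c)
CONNECT_THRESHOLD = 0.3   # assumed: minimum trust for the PEP to forward a connection (step 1(3))
BLACKLIST_BELOW = 0.2     # assumed: the TEC blacklists an entity whose trust falls below this

class TrustModule:
    """Trust evaluation module: CAC (lists, certificates) plus TEC (trust list)."""
    def __init__(self, whitelist):
        self.whitelist, self.blacklist, self.trust = dict(whitelist), set(), {}   # whitelist: id -> initial trust
    def issue(self, client_id, attributes):            # CAC, step 1(1)
        if client_id in self.blacklist:
            return None                                # case a: no certificate
        return {"id": client_id, "attrs": attributes, "init": self.whitelist.get(client_id)}  # cases b/c
    def evaluate(self, entity, cert=None, outcome=0.0):   # TEC; outcome is the assumed additive effect
        if entity not in self.trust:
            self.trust[entity] = DEFAULT_TRUST if cert is None or cert["init"] is None else cert["init"]
        self.trust[entity] = round(min(1.0, max(0.0, self.trust[entity] + outcome)), 3)
        if self.trust[entity] < BLACKLIST_BELOW:
            self.blacklist.add(entity)                 # list update fed back to the CAC
        return self.trust[entity]

class PolicyDecisionPoint:
    """PDP over a flat PAP table: topic -> action -> (minimum trust, required attributes)."""
    def __init__(self, policies):
        self.policies = policies
    def threshold(self, topic, action):
        return self.policies[topic][action][0]
    def decide(self, topic, action, attributes, trust):
        min_trust, required = self.policies[topic][action]
        return trust >= min_trust and all(attributes.get(k) == v for k, v in required.items())

class Broker:
    """Broker: subscriptions and trust-gated fan-out (step 3(3))."""
    def __init__(self, tm, pdp):
        self.tm, self.pdp, self.subs = tm, pdp, {}
    def subscribe(self, client_id, topic):
        self.subs.setdefault(topic, set()).add(client_id)
        return True
    def publish(self, topic, payload):
        delivered, rejected, need = [], [], self.pdp.threshold(topic, "receive")
        for sub in sorted(self.subs.get(topic, ())):
            trust = self.tm.trust[sub]                 # latest trust list from the TEC
            if trust >= need:
                delivered.append((sub, payload))
            else:                                      # withheld, and the subscriber is told why
                rejected.append((sub, f"trust {trust:.2f} below receive threshold {need}"))
        return delivered, rejected

class PolicyEnforcementPoint:
    """PEP: intercepts every request; re-scores client and broker on every broker reply."""
    def __init__(self, tm, pdp, broker):
        self.tm, self.pdp, self.broker, self.certs = tm, pdp, broker, {}
    def connect(self, client_id, attributes):
        cert = self.tm.issue(client_id, attributes)
        if cert is None:
            return "denied: blacklisted"
        if self.tm.evaluate(client_id, cert) < CONNECT_THRESHOLD:
            return "denied: trust below connect threshold"
        self.certs[client_id] = cert                   # forwarded; the broker accepts and confirms
        return "connected" if self._confirm(client_id, True) else "failed"
    def request(self, client_id, topic, action, payload=None):
        cert = self.certs.get(client_id)               # every subscribe/publish is authorised afresh
        if cert is None:
            return "denied: not connected"
        trust = self.tm.evaluate(client_id)
        if trust < self.pdp.threshold(topic, action):  # step (1): refused before the PDP runs
            self.tm.evaluate(client_id, outcome=-0.3)   # assumed penalty; repeats lead to the blacklist
            return "denied: trust too low"
        if not self.pdp.decide(topic, action, cert["attrs"], trust):
            return "denied: policy"                    # step (2): no satisfied policy at the PAP
        result = (self.broker.subscribe(client_id, topic) if action == "subscribe"
                  else self.broker.publish(topic, payload))
        return self._confirm(client_id, result)        # steps (3)/(4): broker reply re-scored
    def _confirm(self, client_id, result):
        delta = 0.05 if result is not False else -0.1  # assumed reward / penalty
        self.tm.evaluate(client_id, outcome=delta)
        self.tm.evaluate("broker", outcome=delta)      # the broker is scored as well
        return result

def build_system():
    tm = TrustModule(whitelist={"sensor-1": 0.9})
    tm.trust["broker"] = 0.9                           # the broker usually starts with higher trust
    pdp = PolicyDecisionPoint({                        # constructed PAP table
        "plant/temp": {"subscribe": (0.4, {}), "publish": (0.6, {"role": "sensor"}), "receive": (0.5, {})},
        "plant/alarm": {"subscribe": (0.8, {}), "publish": (0.8, {"role": "sensor"}), "receive": (0.8, {})},
    })
    return tm, PolicyEnforcementPoint(tm, pdp, Broker(tm, pdp))

def demo():
    tm, pep = build_system()
    out = {"sensor": pep.connect("sensor-1", {"role": "sensor"})}
    out["dash"] = pep.connect("dash-1", {"role": "dashboard"})
    out["dash_sub"] = pep.request("dash-1", "plant/temp", "subscribe")
    out["dash_pub"] = pep.request("dash-1", "plant/temp", "publish", "t=21")   # wrong role: PDP denies
    out["pub1"] = pep.request("sensor-1", "plant/temp", "publish", "t=21")     # delivered to dash-1
    out["alarm_sub"] = pep.request("dash-1", "plant/alarm", "subscribe")       # trust too low: penalised
    out["pub2"] = pep.request("sensor-1", "plant/temp", "publish", "t=22")     # withheld from dash-1
    pep.request("dash-1", "plant/alarm", "subscribe")                          # second refusal: blacklisted
    out["dash_reconnect"] = pep.connect("dash-1", {"role": "dashboard"})
    return out
```

Running demo() plays the scenario through: the dashboard client can subscribe to plant/temp but is denied publishing there by the role attribute; once its trust has been driven down by a refused subscription, the broker withholds the next plant/temp message from it and returns the reason; a second refusal pushes it below the floor, so its next connection attempt is refused by the authentication center before the PEP is ever involved. The broker's own score moves with every confirmed exchange, as the trust evaluation in steps 1(4), 2(3) and 3(4) requires.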
In this embodiment, the system further comprises an access control module that dynamically authorizes user behavior.
The access control module works as follows:
The access control part of the invention adopts and improves the attribute-based access control (ABAC) model. ABAC is an access control method that matches access rights to protected resources according to specified attributes of subjects and objects, environmental conditions, and a set of policies expressed over those attributes and conditions. Because in the invention there is no process in which a client subject directly applies to access a resource object, the ABAC model is adapted so that access control policies are formulated and enforced on the basis of topics. Topics are organized as a tree, access control policies are created according to the topic tree, an administrator assigns to each topic the access permissions that match it, and the authorization process follows the permissions, constraints and policies under the topic.
The eXtensible Access Control Markup Language (XACML) is an OASIS specification that expresses access control policies for information access in XML; it supports complex, fine-grained, rule-based access control policy languages and can be used to implement the ABAC authorization model. The model consists of five main parts: a) Policy Enforcement Point (PEP): the system entity that performs access control by issuing decision requests and enforcing authorization decisions; b) Policy Decision Point (PDP): the entity that makes access control decisions according to the access control policies and other attribute information; c) Policy Administration Point (PAP): the entity in the system that creates and maintains security policies; d) Policy Information Point (PIP): the entity that obtains attribute information about subjects, environment and resources; if attributes are missing from a request issued by the PEP, it finds them and feeds them back to the PDP for the decision; e) Context Handler: converts an external request into an XACML request and an XACML response into an external response, and obtains the attributes needed for the XACML request and response from an attribute service.
The block diagram of the access control model is shown in FIG. 4; it is not the subject of the invention's research and is not described in detail.
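The topic-tree adaptation of ABAC described above, written out as an added example; it is not the patent's code and not an XACML implementation. Policies are attached to nodes of the topic tree in a PAP, the PDP walks from the requested topic up to the root and applies the nearest policy that covers the action, rules within a policy combine deny-overrides, and a PIP supplies subject and environment attributes the request did not carry (trust arrives with the request, as the PEP provides it). The topics, attributes, rules and the convention that the P EP treats NotApplicable as a deny are all constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Set

@dataclass
class Rule:
    effect: str                       # "Permit" or "Deny"
    applies: Callable[[dict], bool]   # target + condition, evaluated over the attribute context

@dataclass
class Policy:
    node: str          # topic-tree node it hangs off; "" is the root, "plant/line1" covers its subtree
    actions: Set[str]  # subscribe / publish / receive
    rules: List[Rule]

class PolicyAdministrationPoint:
    """PAP: the administrator attaches one policy to each topic node that needs one."""
    def __init__(self, policies: List[Policy]):
        self.by_node: Dict[str, Policy] = {p.node: p for p in policies}
    def lookup(self, topic: str, action: str):
        parts = topic.split("/")
        for depth in range(len(parts), -1, -1):          # leaf, parent, ..., root
            policy = self.by_node.get("/".join(parts[:depth]))
            if policy is not None and action in policy.actions:
                return policy                            # nearest policy covering the action wins
        return None

class PolicyInformationPoint:
    """PIP: subject and environment attributes the PEP's request did not carry."""
    def __init__(self, subjects: Dict[str, dict], environment: dict):
        self.subjects, self.environment = subjects, environment
    def enrich(self, ctx: dict) -> dict:
        # PIP-sourced values are authoritative over anything asserted in the request
        return {**ctx, **self.subjects.get(ctx["subject"], {}), **self.environment}

class PolicyDecisionPoint:
    """PDP: resolves the policy for topic/action and combines its rules deny-overrides."""
    def __init__(self, pap: PolicyAdministrationPoint, pip: PolicyInformationPoint):
        self.pap, self.pip = pap, pip
    def decide(self, subject: str, topic: str, action: str, attributes: dict) -> str:
        ctx = self.pip.enrich({"subject": subject, "topic": topic, "action": action, **attributes})
        policy = self.pap.lookup(topic, action)
        if policy is None:
            return "NotApplicable"
        effects = {r.effect for r in policy.rules if r.applies(ctx)}
        if "Deny" in effects:
            return "Deny"
        return "Permit" if "Permit" in effects else "NotApplicable"

def pep_allows(decision: str) -> bool:
    """The PEP forwards only on an explicit Permit; Deny and NotApplicable both block."""
    return decision == "Permit"

def build_pdp() -> PolicyDecisionPoint:
    pap = PolicyAdministrationPoint([                    # constructed policies
        Policy("", {"subscribe", "publish", "receive"},  # root: every action needs a floor of trust
               [Rule("Permit", lambda c: c["trust"] >= 0.3)]),
        Policy("plant/line1", {"publish"}, [            # publishing anywhere under plant/line1
            Rule("Permit", lambda c: c.get("role") == "sensor" and c["trust"] >= 0.6),
            Rule("Deny", lambda c: c.get("firmware_outdated", False)),
            Rule("Deny", lambda c: c["hour"] in c["maintenance_hours"]),
        ]),
        Policy("plant/line1/alarm", {"subscribe", "receive"},
               [Rule("Permit", lambda c: c.get("department") == "safety" and c["trust"] >= 0.8)]),
    ])
    pip = PolicyInformationPoint(                        # constructed attribute stores
        subjects={"sensor-1": {"firmware_outdated": False}, "sensor-2": {"firmware_outdated": True},
                  "dash-1": {"department": "safety"}, "dash-2": {"department": "ops"}},
        environment={"hour": 14, "maintenance_hours": (2, 3)})
    return PolicyDecisionPoint(pap, pip)

def demo() -> Dict[str, str]:
    pdp = build_pdp()
    sensor, dash = {"role": "sensor", "trust": 0.7}, {"role": "dashboard", "trust": 0.9}
    return {
        "sensor1_publish": pdp.decide("sensor-1", "plant/line1/temp", "publish", sensor),   # Permit
        "sensor2_publish": pdp.decide("sensor-2", "plant/line1/temp", "publish", sensor),   # Deny (firmware)
        "dash1_alarm": pdp.decide("dash-1", "plant/line1/alarm", "subscribe", dash),        # Permit
        "dash2_alarm": pdp.decide("dash-2", "plant/line1/alarm", "subscribe", dash),        # NotApplicable
        "dash2_temp": pdp.decide("dash-2", "plant/line1/temp", "subscribe", dash),          # Permit (root)
        "dash2_lowtrust": pdp.decide("dash-2", "plant/line1/temp", "subscribe",
                                     {"role": "dashboard", "trust": 0.2}),                 # NotApplicable
    }
```

Two details matter for security here. The PIP merge puts its own values last, so a client cannot override an attribute the system holds about it (sensor-2 is denied on its stored firmware flag even though its request looks identical to sensor-1's). And NotApplicable is a deny at the PEP: dash-2 is not explicitly refused the alarm topic, it simply matches no rule, which must not be confused with permission.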
In this embodiment, the system further comprises a trust evaluation module that performs continuous trust evaluation of user behavior.
The trust evaluation module is described as follows:
The trust evaluation module is divided into a Certification Authority Center (CAC) and a Trust Evaluation Center (TEC) and is responsible for managing the trust system in the network; the basic framework of the TEC is shown in FIG. 5. The CAC stores the client blacklist and whitelist and is responsible for issuing certificates. The TEC is responsible for evaluating trust between any peer entities in the network system; it is linked with the CAC, the policy decision point (PDP) and other modules of the model, collects the history of access interactions between entities and quantifies it into a comprehensive trust value, computing direct trust, indirect trust and recommendation trust using the similarity of peer entities, a penalty mechanism, trust decay and the like. The result is fed back to the PDP in the access control module for the next operation, where trust takes part in the authorization process as an important subject attribute.
Generally, access control policies do not change often, but the trust level of a subject changes dynamically: repeated abnormal behavior causes a subject's trust level to drop sharply and can even place it on the blacklist. This reduces the overhead of access control to a certain extent, because some actions of users whose trust level is unqualified can be rejected directly without the subsequent authorization process. Since the topic tree is hierarchical, a trust level system suits the model well: subscribing, publishing, receiving and other actions under different topics correspond to different trust thresholds, which is easy to implement.
In addition, the broker is also one of the objects of trust evaluation, which effectively avoids the security hazards an untrusted broker would introduce and substantially improves the security of the distributed system.
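One way the TEC's scoring could be realized, added as an example; the patent names the ingredients (direct, indirect and recommendation trust, peer similarity, a penalty mechanism, trust decay) but gives no formulas, so everything below is an assumption. Direct trust is a time-decayed, failure-penalized success ratio over the evaluator's own interaction records; recommendation trust (the indirect component) is the average of other peers' direct trust in the target, weighted by how closely each peer's past judgements agree with the evaluator's; the composite value is mapped to a level whose lowest band is the blacklist. The half-life, penalty weight, mixing weight, level bands and the interaction log are constructed for the illustration, and the broker is scored like any other entity.

```python
from typing import Dict, List, Optional, Tuple

HALF_LIFE = 10.0   # assumed: an interaction's weight halves every 10 time units (trust decay)
PENALTY = 2.0      # assumed: one failure weighs as much as two successes (penalty mechanism)
ALPHA = 0.6        # assumed: share of direct trust in the composite value
LEVELS = [(0.2, "blacklist"), (0.4, "low"), (0.7, "medium"), (1.01, "high")]   # assumed bands

History = Dict[Tuple[str, str], List[Tuple[float, bool]]]   # (evaluator, target) -> [(time, ok)]

def direct_trust(records: List[Tuple[float, bool]], now: float) -> float:
    """Decayed success ratio over the evaluator's own records; 0.5 prior with no history."""
    pos = neg = 0.0
    for t, ok in records:
        weight = 0.5 ** ((now - t) / HALF_LIFE)
        if ok:
            pos += weight
        else:
            neg += PENALTY * weight
    return 0.5 if pos + neg == 0 else pos / (pos + neg)

def direct_vector(evaluator: str, history: History, now: float) -> Dict[str, float]:
    """Every direct-trust value one evaluator holds, keyed by target."""
    return {tgt: direct_trust(recs, now) for (ev, tgt), recs in history.items() if ev == evaluator}

def similarity(mine: Dict[str, float], theirs: Dict[str, float]) -> float:
    """1 minus the mean disagreement over targets both have scored; 0 when they share none."""
    common = set(mine) & set(theirs)
    if not common:
        return 0.0
    return 1.0 - sum(abs(mine[k] - theirs[k]) for k in common) / len(common)

def recommendation_trust(evaluator: str, target: str, history: History, now: float) -> Optional[float]:
    """Other peers' direct trust in the target, weighted by their agreement with the evaluator.
    None when no other peer holds a record about the target."""
    mine = direct_vector(evaluator, history, now)
    num = den = 0.0
    for peer in sorted({ev for ev, _ in history} - {evaluator, target}):
        theirs = direct_vector(peer, history, now)
        if target in theirs:
            w = similarity(mine, theirs)
            num, den = num + w * theirs[target], den + w
    return None if den == 0 else num / den

def composite_trust(evaluator: str, target: str, history: History, now: float) -> float:
    direct = direct_trust(history.get((evaluator, target), []), now)
    rec = recommendation_trust(evaluator, target, history, now)
    return direct if rec is None else ALPHA * direct + (1 - ALPHA) * rec

def trust_level(value: float) -> str:
    return next(name for bound, name in LEVELS if value < bound)

HISTORY: History = {   # constructed interaction log; True = the interaction completed normally
    ("broker", "dash-1"):   [(0, True), (15, False), (18, False), (19, False)],
    ("broker", "sensor-1"): [(2, True), (10, True), (19, True)],
    ("sensor-1", "dash-1"): [(12, True), (16, False), (19, False)],
    ("sensor-1", "broker"): [(1, True), (19, True)],
    ("dash-2", "dash-1"):   [(17, True), (19, True)],   # dash-2 alone still vouches for dash-1
    ("dash-2", "broker"):   [(3, True), (18, True)],
}

def demo(now: float = 20.0) -> Dict[str, Tuple[float, str]]:
    """The broker scoring two clients, and a client scoring the broker (it is evaluated too)."""
    out = {}
    for evaluator, target in [("broker", "dash-1"), ("broker", "sensor-1"), ("sensor-1", "broker")]:
        value = composite_trust(evaluator, target, HISTORY, now)
        out[target] = (round(value, 3), trust_level(value))
    return out
```

In the constructed log, dash-1's three recent failures (weighted twice as heavily as its one old success, which has also decayed) collapse the broker's direct trust in it, and the only peer still vouching for it, dash-2, disagrees so strongly with the broker's other judgements that its recommendation carries almost no weight; the composite lands in the blacklist band. sensor-1 and the broker, with clean histories, stay in the high band. Similarity weighting is what keeps one colluding or naive recommender from rescuing a misbehaving client.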
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and so forth) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
Claims (4)
1. A method for constructing a distributed network under a zero-trust framework, characterized in that the method comprises the following steps:
step 1, a newly joining client establishes a connection with the broker;
step 2, the client sends a subscription message to the broker to subscribe to a topic;
step 3, the client publishes messages on the topic subscribed in step 2.
2. The method for constructing a distributed network under a zero-trust framework according to claim 1, characterized in that the specific steps of step 1 comprise:
(1) The new client applies for authentication to the authentication center of the trust evaluation module, and the authentication center checks whether the client is already on its blacklist or whitelist: (a) if the client is on the blacklist, it refuses to issue a certificate; (b) if the client is on the whitelist, it issues a certificate carrying the subject attributes and an initial trust value; (c) if the client is on neither list, it likewise issues a certificate carrying the subject attributes, but without an initial trust value;
(2) The new client sends a connection request to the broker with the certificate attached; the Policy Enforcement Point (PEP) intercepts the request and first hands the client information to the trust evaluation center of the trust evaluation module, which calculates the client's current trust value;
(3) Once the client's trust value is known, the PEP decides according to a trust threshold whether the connection request is allowed; if the threshold is met, it forwards the connection request to the broker and at the same time updates the list held by the authentication center;
(4) After the broker has established the connection with the client, it returns a connection confirmation; the PEP intercepts this message, trust evaluation is performed again, this time on both the client and the broker, and the connection confirmation is then forwarded.
3. The method for constructing a distributed network under a zero-trust framework according to claim 1, characterized in that the specific steps of step 2 comprise:
(1) The client sends a subscription message to the broker; the PEP (policy enforcement point) intercepts it and first hands it to the trust evaluation center, which evaluates the current trust of the client; if the trust level is below the trust threshold required for subscribing to the topic, the request is refused outright and the blacklist is updated;
(2) The PEP passes the client's current trust value to the policy decision point (PDP) in the access control module, where the trust level takes part in the authorization process as an important subject attribute; the PDP searches the policy administration point (PAP) for an access control policy satisfied by the attribute information and the client's trust value; if the request is denied, a denial message is returned to the client, and if it is allowed, the subscription message is forwarded to the broker;
(3) The broker receives the subscription request and returns a subscription success/failure message to the client; the PEP intercepts it and hands it to the trust evaluation center, which evaluates the trust of both the broker and the client and updates the trust list.
4. The method for constructing the distributed network under the zero trust framework according to claim 1, wherein: the specific steps of the step 3 comprise:
(1) The client publishes a message to the agent center on a topic; the PEP intercepts the message and first hands it to the trust evaluation center to evaluate the current client's trust; if the trust value is too low, the current publication is refused directly and the blacklist is updated;
(2) The PEP provides the client's current trust value to the PDP, and the PDP looks up a matching access control policy at the PAP according to each item of attribute information and the client's trust value; if publication is refused, a refusal message is returned to the client, and if it is allowed, the published message is forwarded to the agent center;
(3) The agent center receives the client's published message, queries the latest trust list from the trust evaluation center, and forwards the topic message to the subscribing clients according to their trust values; if a subscribing client's trust value does not reach the trust threshold required for receiving the message, a message rejection notice is sent to that client, informing it that the message on this topic was not delivered and attaching the reason;
(4) The agent center feeds back publication success/failure information to the publishing client; the PEP intercepts it and passes it to the trust evaluation center, which performs trust evaluation on the agent center and the client and updates the trust list.
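The subscribe and publish flows of claims 3 and 4 can be simulated end to end with a small model of the four components (trust evaluation center, PEP, PDP/PAP, agent center). The code below is an added illustration written for this page, not code from the patent or its applicant; the trust values, the scoring rule used by the trust center, the topic threshold, the role-based policies and all client names are constructed assumptions. It shows the property the claims rely on: trust is re-evaluated after every interaction, so a subscriber admitted at subscription time can later be refused delivery when its trust has dropped below the topic threshold, and the publishing client's own trust and attributes are checked by the PEP and the PDP before the agent center ever sees the message.

```python
from dataclasses import dataclass, field

# --- Trust evaluation module (constructed scoring rule, not the patent's) ---
@dataclass
class TrustCenter:
    trust: dict                       # subject -> current trust value in [0, 1]
    blacklist: set = field(default_factory=set)

    def current(self, subject):
        return self.trust.get(subject, 0.0)

    def evaluate(self, subject, outcome):
        """Re-evaluate a subject after an interaction: 'ok' raises, anything else lowers trust."""
        delta = 0.05 if outcome == "ok" else -0.2
        self.trust[subject] = round(max(0.0, min(1.0, self.current(subject) + delta)), 2)
        return self.trust[subject]

# --- Access control module: PAP stores policies, PDP evaluates them ---
@dataclass
class PAP:
    policies: dict   # (topic, action) -> {"roles": set, "min_trust": float}

class PDP:
    def __init__(self, pap):
        self.pap = pap

    def permit(self, attrs, action, topic):
        rule = self.pap.policies.get((topic, action))
        if rule is None:
            return False                       # default deny: no matching policy
        return attrs["role"] in rule["roles"] and attrs["trust"] >= rule["min_trust"]

# --- Agent center (the message broker) ---
class Broker:
    def __init__(self, tc, thresholds):
        self.tc, self.thresholds, self.subs = tc, thresholds, {}

    def subscribe(self, client, topic):
        self.subs.setdefault(topic, set()).add(client)
        return True

    def publish(self, topic, payload):
        """Forward using the latest trust list; subscribers below the topic threshold get a notice."""
        delivered, notices = [], []
        for c in sorted(self.subs.get(topic, ())):
            if self.tc.current(c) >= self.thresholds[topic]:
                delivered.append((c, payload))
            else:
                notices.append((c, f"not delivered on {topic}: trust below threshold"))
        return delivered, notices

# --- Policy enforcement point between the clients and the agent center ---
class PEP:
    def __init__(self, tc, pdp, broker):
        self.tc, self.pdp, self.broker = tc, pdp, broker

    def _gate(self, client, topic):
        # step (1): trust evaluation first; too little trust -> refuse and update blacklist
        t = self.tc.current(client)
        if client in self.tc.blacklist or t < self.broker.thresholds[topic]:
            self.tc.blacklist.add(client)
            return None
        return t

    def subscribe(self, client, attrs, topic):
        t = self._gate(client, topic)
        if t is None:
            return "refused: trust"
        # step (2): PDP decision with the trust value as a subject attribute
        if not self.pdp.permit({**attrs, "trust": t}, "subscribe", topic):
            return "rejected: policy"
        # step (3): agent center replies; PEP re-evaluates both parties, list is updated
        ok = self.broker.subscribe(client, topic)
        self.tc.evaluate(client, "ok" if ok else "fail")
        self.tc.evaluate("broker", "ok")
        return "subscribed"

    def publish(self, client, attrs, topic, payload):
        t = self._gate(client, topic)
        if t is None:
            return "refused: trust", [], []
        if not self.pdp.permit({**attrs, "trust": t}, "publish", topic):
            return "rejected: policy", [], []
        delivered, notices = self.broker.publish(topic, payload)
        # step (4): publish result intercepted; both agent center and client re-evaluated
        self.tc.evaluate(client, "ok")
        self.tc.evaluate("broker", "ok")
        return "published", delivered, notices

def run_scenario():
    """Constructed run: a sensor publishes on 'telemetry' while subscriber trust changes."""
    tc = TrustCenter({"alice": 0.8, "carol": 0.65, "mallory": 0.2,
                      "eve": 0.9, "dave": 0.7, "broker": 0.9})
    pap = PAP({("telemetry", "subscribe"): {"roles": {"analyst", "operator"}, "min_trust": 0.6},
               ("telemetry", "publish"): {"roles": {"sensor"}, "min_trust": 0.6}})
    pep = PEP(tc, PDP(pap), Broker(tc, {"telemetry": 0.6}))
    r = {}
    r["alice"] = pep.subscribe("alice", {"role": "analyst"}, "telemetry")
    r["carol"] = pep.subscribe("carol", {"role": "operator"}, "telemetry")
    r["mallory"] = pep.subscribe("mallory", {"role": "analyst"}, "telemetry")  # trust too low
    r["eve"] = pep.subscribe("eve", {"role": "guest"}, "telemetry")           # no policy match
    tc.evaluate("carol", "fail")   # a later failed interaction drops carol below the threshold
    r["publish"] = pep.publish("dave", {"role": "sensor"}, "telemetry", "temp=21.5")
    r["blacklist"] = sorted(tc.blacklist)
    return r
```

In `run_scenario()`, mallory is refused at the PEP's trust gate and blacklisted before any policy lookup, eve passes the trust gate but is rejected by the PDP because no policy grants the `guest` role a subscription, and carol, admitted as a subscriber at 0.65, is later skipped by the agent center with a rejection notice once her trust has fallen to 0.5. The default-deny in `PDP.permit` when no policy matches is a design choice worth keeping in any real enforcement point, as is treating the blacklist as a list with an expiry or review path rather than a permanent sink.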
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202211556084.8A CN115865606A (en) | 2022-12-06 | 2022-12-06 | Distributed network construction method under zero trust |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115865606A true CN115865606A (en) | 2023-03-28 |
Family
ID=85670239
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202211556084.8A Pending CN115865606A (en) | 2022-12-06 | 2022-12-06 | Distributed network construction method under zero trust |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115865606A (en) |
Citations (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10958662B1 (en) * | 2019-01-24 | 2021-03-23 | Fyde, Inc. | Access proxy platform |
CN112653679A (en) * | 2020-12-14 | 2021-04-13 | 北京指掌易科技有限公司 | Dynamic identity authentication method, device, server and storage medium |
CN113051602A (en) * | 2021-01-22 | 2021-06-29 | 东南大学 | Database fine-grained access control method based on zero trust architecture |
CN114070600A (en) * | 2021-11-11 | 2022-02-18 | 上海电气集团数字科技有限公司 | Industrial Internet field identity access control method based on zero trust model |
WO2022177876A1 (en) * | 2021-02-16 | 2022-08-25 | Bastionzero, Inc. | Zero trust authentication |
- 2022-12-06 CN CN202211556084.8A patent/CN115865606A/en active Pending
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN113507462B (en) | Zero-trust data monitoring and early warning method, device, system and storage medium | |
CN107093228B (en) | Authorization method, device and system applied to electronic lock | |
CN112073400B (en) | Access control method, system, device and computing equipment | |
CN113010911B (en) | Data access control method, device and computer readable storage medium | |
CN112765639B (en) | Security micro-service architecture based on zero trust access strategy and implementation method | |
US9081982B2 (en) | Authorized data access based on the rights of a user and a location | |
CN114553540B (en) | Zero trust-based Internet of things system, data access method, device and medium | |
CN106685955B (en) | Radius-based video monitoring platform security authentication method | |
JP4904939B2 (en) | Group participation management method, system and program | |
US8516602B2 (en) | Methods, apparatuses, and computer program products for providing distributed access rights management using access rights filters | |
CN118041667A (en) | Block chain-based attribute access control system and method for Internet of things in edge computing environment | |
US9467448B2 (en) | Consigning authentication method | |
CN115664693A (en) | Resource access system, method, electronic device, and storage medium | |
US8726335B2 (en) | Consigning authentication method | |
CN108199866B (en) | Social network system with strong privacy protection | |
CN116260656B (en) | Main body trusted authentication method and system in zero trust network based on blockchain | |
CN111405005B (en) | Operation control method and system of block chain and controllable network terminal equipment | |
CN116049860B (en) | Access control method, device, computer equipment and storage medium | |
CN115296866B (en) | Access method and device for edge node | |
KR20100060130A (en) | System for protecting private information and method thereof | |
CN114826790B (en) | Block chain monitoring method, device, equipment and storage medium | |
CN115865606A (en) | Distributed network construction method under zero trust | |
CN115022008A (en) | Access risk assessment method, device, equipment and medium | |
CN116204893A (en) | Access control method, access condition configuration method, device, equipment and medium | |
Zhang et al. | Decentralized authorization and authentication based on consortium blockchain |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||