CN116208401A - Cloud master station access control method and device based on zero trust - Google Patents


Info

Publication number: CN116208401A
Authority: CN (China)
Prior art keywords: access, subject, dynamic, trust, access control
Legal status: Pending
Application number: CN202310136351.4A
Other languages: Chinese (zh)
Inventors: 刘芸杉, 李二霞, 亢超群, 王利, 李玉凌, 韩子龙, 朱克琪, 杜金陵, 许保平, 樊勇华, 吴殿亮, 孙智涛, 孙国齐, 周振华
Current assignee: China Online Shanghai Energy Internet Research Institute Co ltd; State Grid Shandong Electric Power Co Ltd
Original assignee: China Online Shanghai Energy Internet Research Institute Co ltd; State Grid Shandong Electric Power Co Ltd
Application filed by: China Online Shanghai Energy Internet Research Institute Co ltd, State Grid Shandong Electric Power Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L63/12 Applying verification of the received information
    • H04L63/20 Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L67/00 Network arrangements or protocols for supporting network services or applications
    • H04L67/01 Protocols
    • H04L67/10 Protocols in which an application is distributed across nodes in the network

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Storage Device Security (AREA)

Abstract

The invention discloses a cloud master station access control method and device based on zero trust. The method comprises the following steps: obtaining an access request of an access subject, the access request comprising attribute information of the access subject and its access behavior; performing dynamic trust evaluation on the access request through an established cloud master station service dynamic access control model; when the access request passes the dynamic trust evaluation, establishing a dynamic access control policy based on the access request; and controlling the access behavior of the access subject based on the dynamic access control policy.

Description

Cloud master station access control method and device based on zero trust
Technical Field
The invention relates to the technical field of power distribution automation, in particular to a cloud master station access control method and device based on zero trust.
Background
As the distribution automation system evolves toward the Internet of Things, cloud deployment of the master station and intelligent terminal applications bring new security problems and new security requirements, compounded by an increasingly severe network security situation. Taking the new-generation distribution automation security protection system as the basis and the active defense and security management and control technology of the distribution Internet of Things as the support, the robustness of the cloud master station and the intelligent distribution terminal is further reinforced, virtual resource isolation and dynamic access control technology for the cloud master station are the main breakthroughs, the network security of the distribution cloud master station and the intelligent terminals is comprehensively guaranteed, and the capability to resist internal and external malicious attacks is improved.
User identities and access forms at the distribution cloud master station vary, and interaction between business services is frequent and takes many forms, so the access process produces numerous risk points and the objects of access control are complex and changeable. Based on the zero trust concept, and on thorough research into the practical application of existing zero trust technology, access control needs to be realized with identity at its center, in combination with the architecture and application scenarios of the power distribution cloud master station, taking into account identity infrastructure, a security analysis platform, control execution components and the like. On the premise of ensuring normal and efficient service interaction between the interior of the master station and accessing users, dynamic access control prevents unauthorized user access, data leakage and abuse.
Thus, a technique is needed to enable control of cloud master access based on zero trust.
Disclosure of Invention
The technical scheme of the invention provides a cloud master access control method and device based on zero trust, which are used for solving the problem of how to control the cloud master access based on zero trust.
In order to solve the problems, the invention provides a cloud master access control method based on zero trust, which comprises the following steps:
obtaining an access request of an access subject, the access request comprising attribute information of the access subject and its access behavior;
performing dynamic trust evaluation on an access request of an access subject through an established cloud master service dynamic access control model;
when the access request passes the dynamic trust evaluation, establishing a dynamic access control strategy based on the access request;
and controlling the access behavior of the access subject based on the dynamic access control policy.
Preferably, the dynamic trust evaluation of the access request of the access subject by the cloud master service dynamic access control model includes:
judging whether the access subject is legal or not;
and judging whether the access subject has the access right of the access behavior.
Preferably, the attribute information of the access subject includes: subject properties, environment properties, and object properties.
Preferably, after controlling the access behavior of the access subject based on the dynamic access control policy, the method further includes: hiding the business resources of the cloud master station, with the access subject accessing the hidden business resources.
Preferably, the access control policy includes:
recording and tracking the identity and the identity life cycle of the access subject;
intercepting the access behavior of the access subject, and dynamically judging the access authority of the access subject;
encrypting the access data of the access behavior before the access request is acquired.
Preferably, the method further comprises establishing a continuous trust evaluation model for: continuously profiling the identity of the access subject, continuously analyzing the access behavior, continuously evaluating the evaluation result, and generating a trust library;
and the cloud master service dynamic access control model carries out dynamic trust evaluation on the access request of the access subject based on the trust library.
Preferably, a cloud master station service dynamic access control model is established through a deep learning algorithm.
Based on another aspect of the present invention, the present invention provides a cloud master access control device based on zero trust, the device comprising:
an obtaining unit, configured to obtain an access request of an access subject, where the access request includes attribute information of the access subject and its access behavior;
the trust evaluation unit is used for carrying out dynamic trust evaluation on the access request of the access subject through the established cloud master station service dynamic access control model;
the establishing unit is used for establishing a dynamic access control strategy based on the access request after the access request passes the dynamic trust evaluation;
and the control unit is used for controlling the access behavior of the access subject based on the dynamic access control strategy.
Preferably, the dynamic trust evaluation of the access request of the access subject by the cloud master service dynamic access control model includes:
judging whether the access subject is legal or not;
and judging whether the access subject has the access right of the access behavior.
Preferably, the attribute information of the access subject includes: subject properties, environment properties, and object properties.
Preferably, the method further comprises: hiding the business resources of the cloud master station, with the access subject accessing the hidden business resources.
Preferably, the access control policy includes:
recording and tracking the identity and the identity life cycle of the access subject;
intercepting the access behavior of the access subject, and dynamically judging the access authority of the access subject;
encrypting the access data of the access behavior before the access request is acquired.
Preferably, the method further comprises establishing a continuous trust evaluation model for: continuously profiling the identity of the access subject, continuously analyzing the access behavior, continuously evaluating the evaluation result, and generating a trust library;
and the cloud master service dynamic access control model carries out dynamic trust evaluation on the access request of the access subject based on the trust library.
Preferably, a cloud master station service dynamic access control model is established through a deep learning algorithm.
Based on another aspect of the present invention, the present invention provides a computer readable storage medium, where the computer readable storage medium stores a computer program, where the computer program is configured to perform the above-mentioned method for controlling access to a cloud master based on zero trust.
Based on another aspect of the present invention, the present invention provides an electronic device, which includes a processor and a memory, wherein:
the memory is used for storing instructions executable by the processor;
the processor is used for reading the executable instructions from the memory and executing them to realize the cloud master access control method based on zero trust.
The technical scheme of the invention provides a cloud master station access control method and device based on zero trust, wherein the method comprises the following steps: obtaining an access request of an access subject, the access request comprising attribute information of the access subject and its access behavior; performing dynamic trust evaluation on the access request through an established cloud master station service dynamic access control model; when the access request passes the dynamic trust evaluation, establishing a dynamic access control policy based on the access request; and controlling the access behavior of the access subject based on the dynamic access control policy. According to the technical scheme, the access request of the access subject is evaluated on its information, and the access control policy is formulated based on the subject attributes.
Drawings
Exemplary embodiments of the present invention may be more completely understood in consideration of the following drawings:
FIG. 1 is a flow chart of a cloud master access control method based on zero trust in accordance with a preferred embodiment of the present invention;
FIG. 2 is a schematic diagram of a zero trust architecture in accordance with a preferred embodiment of the present invention;
FIG. 3 is a schematic diagram of a dynamic access control model of a power distribution cloud master station service according to a preferred embodiment of the present invention;
FIG. 4 is a schematic diagram of a cloud master service dynamic access control application mode according to a preferred embodiment of the present invention;
FIG. 5 is a power distribution master station terminal access dynamic access control architecture in accordance with a preferred embodiment of the present invention;
FIG. 6 is a block diagram of a cloud master access control device based on zero trust according to a preferred embodiment of the present invention.
Detailed Description
The exemplary embodiments of the present invention will now be described with reference to the accompanying drawings, however, the present invention may be embodied in many different forms and is not limited to the examples described herein, which are provided to fully and completely disclose the present invention and fully convey the scope of the invention to those skilled in the art. The terminology used in the exemplary embodiments illustrated in the accompanying drawings is not intended to be limiting of the invention. In the drawings, like elements/components are referred to by like reference numerals.
Unless otherwise indicated, terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art. In addition, it will be understood that terms defined in commonly used dictionaries should be interpreted as having a meaning that is consistent with their meaning in the context of the relevant art and will not be interpreted in an idealized or overly formal sense.
FIG. 1 is a flowchart of a cloud master access control method based on zero trust according to a preferred embodiment of the present invention. In the face of an increasingly severe network security situation, great importance is attached to the network security protection of critical information infrastructure and the power monitoring system. To improve the security protection level of the power distribution master station in a cloud deployment mode, the boundary-blurring problems faced by the cloud master station, such as service virtualization deployment, computing resource sharing and storage space sharing, are studied; a power distribution master station resource virtualization isolation technology is formed; a service-scenario-adaptive dynamic access control technology based on the zero trust network model and a cloud master station abnormal network security state identification technology based on machine learning are adopted; a cloud master station active defense pattern is formed; and the comprehensive defense capability of the cloud master station against known and unknown attack behaviors is effectively improved.
With the construction and development of the electric power Internet of Things, the power distribution master station, once deployed in the cloud, develops toward intelligence and interconnection. Service applications such as the SCADA application and equipment state management and control of the original distribution automation master station, together with advanced applications such as intelligent perception in PMS, power supply service command and Internet of Things scenarios, are integrated and deployed on the power distribution cloud master station. Each service system loses its original, natural server-based isolation and shares hardware computing resources and data storage resources, which makes virus propagation and attack propagation easier. The question is therefore how to divide security grades among different types of power distribution services under resource sharing, formulate differentiated isolation technology, and still meet the information interaction and data reading requirements of each service application.
According to the characteristics of the cloud master station, such as diverse service applications, increased user access and frequent inter-service access, the potential safety hazards and vulnerabilities in user access and inter-service access are analyzed. Inheriting the digital certificate system of the new-generation distribution automation cascade protection system, and extending identity identification elements such as flow information and routing information, a dynamic access control strategy applicable to the cloud master station is studied using modern identity and access management technology and the software-defined perimeter technology of zero trust, following the zero trust security principle of 'never trust, always verify'. According to the access forms, exposure degree, data importance and the like of each service scenario, the differing security requirements of the cloud master station are analyzed, and, combining the access forms, access volumes and north-south and east-west traffic of different service applications, a method for identity-centered dynamic trust evaluation, access management, resource authorization and access audit is developed, yielding a zero-trust-based access control technology for the cloud deployment mode of the power distribution master station.
As the concept of zero trust is gradually accepted by the industry, zero trust has evolved from a prototype concept into a deployable network security technology architecture, and gradually into a new-generation security architecture covering scenarios such as cloud environments, big data centers and microservices, as shown in FIG. 2.
The zero trust access control strategy is derived from multiple data sources of the subject, such as identity information, authority information, environment information and trust level, and the access control policy is formed by computing over this information in real time. The zero trust architecture emphasizes that the authorization access control policy is dynamic rather than fixed in static rules: as the security state changes during resource access, the authorization policy should change with it.
Compared with traditional security schemes, which only pay attention to boundary protection and open excessive access rights to authorized users, the invention provides a finer-grained, identity-based access control approach for the user access stage. Its core concept is that all entities in the network, whether on the external or the internal network, are not trusted by default, that is, the whole network is zero trust, and every access within the network must be authenticated and authorized.
Therefore, the zero trust security model abandons the 'authorization equals trust' mode of the traditional role-based access control model when a subject accesses an application, and instead uses dynamic evaluation to continuously authenticate the purported role of the user or subject and the corresponding access behavior, judging whether the behavior is within the access rights of that role. Dynamic trust evaluation is performed on the access authentication of legal or illegal subjects and on the compliance of access behaviors, a trust chain is established, the dynamic security of service access is guaranteed, and the user's access behavior is kept secure and trustworthy at every stage.
Distribution terminals access the distribution master station mainly through communication modes such as optical fiber and wireless networks. Because existing security protection measures are relatively weak and hacking techniques keep strengthening, the widely distributed, many-point distribution automation system faces network attack risks from public or private networks, affecting the safe and reliable power supply of the distribution system to users. With the construction and development of the Internet of Things, the power distribution master station develops toward intelligence and interconnection, and the service mode, function positioning and working mode of each link become more flexible, open and efficient than in the traditional master station-communication network-terminal architecture of the power distribution monitoring system. After cloud deployment, the distribution automation master station is characterized by service virtualization, physical/storage resource sharing, centralized data processing, wide sharing, multi-party intersection and the like.
Firstly, if the virtual resource isolation measures of the cloud platform are not in place, illegal access or information leakage between different applications can result; secondly, the many systems and applications of the cloud platform raise the probability that vulnerabilities exist, and if the cloud platform cannot adequately prevent abnormal behavior, an attacker can exploit such vulnerabilities to compromise the system, causing system paralysis or loss of control; thirdly, the current security protection mechanism cannot adapt to the technical requirements of the new network architecture and cloud deployment of power distribution services, and cannot guarantee the correct issuing of distribution network control instructions or the confidentiality of core service data.
Targeting the characteristics of cloud deployment of power distribution master station services, guided by the zero trust security concept and aiming at whole-process service security, the security authentication means already used for equipment and personnel in power-related control services are consolidated; entities such as people, services and equipment are given uniform digital identity marks; applications, services, interfaces, data and the like are treated as business resources; and the exposure surface is reduced by constructing a protection surface. Based on the entity interaction relations of the service flow and the spatio-temporal attributes of service execution, a security trust boundary that adapts dynamically to the service is defined using a zero trust software-defined perimeter framework and access control technology; user access behaviors and habits of cloud master station services are recorded, analyzed, identified and classified by grade; the trust degree of users is continuously and dynamically evaluated; and access is opened minimally according to the authorization result.
The invention provides a cloud master station access control method based on zero trust, which comprises the following steps:
Step 101: obtaining an access request of an access subject, the access request comprising attribute information of the access subject and its access behavior;
preferably, the attribute information of the access subject includes: subject properties, environment properties, and object properties.
Step 102: performing dynamic trust evaluation on an access request of an access subject through an established cloud master service dynamic access control model;
preferably, the dynamic trust evaluation of the access request of the access subject by the cloud master service dynamic access control model comprises the following steps:
judging whether the access subject is legal or not;
and judging whether the access subject has the access right of the access behavior.
Preferably, a cloud master station service dynamic access control model is established through a deep learning algorithm.
The method constructs the attribute-based dynamic access control model for distribution cloud master station services. Access control between the master station and the terminal under the zero trust architecture is realized by establishing identity fingerprints for the power distribution terminal, comprising subject attributes (MAC address, operating system, port, protocol, service and manufacturer), environment attributes (online time, IP, access position and business traffic size) and object attributes (affiliated department, manager, authorization time and authorization level); managing and controlling all access requests by means of continuous active scanning, passive monitoring detection, a secure access control area and the like under the principle of 'continuous verification, never trust'; carrying out continuous trust evaluation on the various data sources; dynamically adjusting authority according to the trust degree; and finally establishing a dynamic trust relationship. The resulting access control model is shown in FIG. 3.
The invention assigns digital identities to all interacting entities in the network and, based on software-defined perimeter technology, replaces broad network access with fine-grained access based on 'identity'. Using the 'network stealth' property of this technology, all master station service resources in the cloud are hidden, so that an access subject does not know the specific position of a service and can only connect through an authorized party. Meanwhile, all access traffic is transmitted encrypted, the subject's access request is forwarded to a trusted gateway, and only traffic from authorized subjects is allowed through, so that attacks such as user credential theft and connection hijacking can be resisted. Based on deep-learning continuous trust evaluation technology, trust is built up from nothing as the key means, with real-time trust evaluation performed on each access request to judge the risk of the access context. A continuous trust evaluation model is established based on deep learning algorithms such as convolutional neural networks, recurrent neural networks and Siamese networks. Subject trust is short-lived, and the continuous trust evaluation model dynamically adjusts the identity's trust in the current context according to authentication strength, risk state and environmental factors, forming a dynamic trust relationship.
Step 103: when the access request passes the dynamic trust evaluation, establishing a dynamic access control strategy based on the access request;
step 104: and controlling the access behavior of the access subject based on the dynamic access control policy.
Preferably, after controlling the access behavior of the access subject based on the dynamic access control policy, the method further includes: hiding the business resources of the cloud master station, with the access subject accessing the hidden business resources.
Preferably, the access control policy comprises:
recording and tracking the identity and the identity life cycle of the access subject;
intercepting the access behavior of the access subject, and dynamically judging the access authority of the access subject;
encrypting the access data of the access behavior before the access request is acquired.
Preferably, the method further comprises establishing a continuous trust evaluation model for:
continuously profiling the identity of the access subject, continuously analyzing the access behavior, continuously evaluating the evaluation result and generating a trust library; the cloud master station service dynamic access control model carries out dynamic trust evaluation on access requests of access subjects based on the trust library.
The cloud master station service dynamic access control application mode based on the zero trust network is realized through an identity security management center, a security proxy center, a trust continuous evaluation center and a dynamic access control center, as shown in FIG. 4. The infrastructure mainly comprises identity management and authority management: identity management handles the identities of the various entities and the life cycle of those identities, and authority management performs fine-grained management and tracking analysis of authorization strategies. An enforcement point for the dynamic access control policy is established to form the security proxy center, which intercepts the user subject's access request, authenticates the access subject with the dynamic access control engine, dynamically judges the subject's authority, and releases the request only when authentication passes and the access authority is held. Meanwhile, all access traffic is encrypted by the cloud access security broker, which has high performance and elastic scaling capability.
A trust continuous evaluation center is constructed to realize continuous trust evaluation and, in linkage with dynamic access control, to provide trust level evaluation as the basis for authorization decisions. Continuous trust evaluation uses deep learning technology to continuously profile identities, continuously analyze access behavior and continuously evaluate trust, finally generating and maintaining a trust library that provides the decision basis for dynamic access control. In addition, trust evaluation can also receive analysis results from the cloud service provider's security platform, supplementing the scenario data required for identity analysis so that more accurate risk identification and trust evaluation can be performed. Dynamic access control and the cloud access security proxy center work together to authenticate and dynamically authorize all access requests, and form the policy decision point of the zero trust architecture control plane. Dynamic access control relies on an identity library, a rights library and a trust library: the identity library provides the identity attributes of the access subject, the rights library provides the basic rights baseline, and the trust library is continuously maintained by identity analysis through real-time multidimensional risk correlation and trust evaluation. Finally, dynamic access control decides every access request dynamically based on context attributes, trust level and security policy, as shown in FIG. 5.
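The following is an added illustration, not the patent's own code, of steps 101 to 104 above and of the policy decision point just described: an identity library holding terminal fingerprints (subject, environment and object attributes), a least-privilege rights baseline, and a trust library whose level is re-evaluated on every request and written back. The subject identifier, the constructed library entries, the rule-based trust scoring and the thresholds are assumptions standing in for the deep-learning evaluator the patent describes.

```python
from typing import Optional, Tuple
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    STEP_UP = "step_up"   # subject must re-authenticate with a stronger credential
    DENY = "deny"


@dataclass
class AccessRequest:
    subject_id: str
    subject: dict      # identity fingerprint presented: mac, os, vendor
    environment: dict  # ip, location, flow_kbps, auth_strength (0 none, 1 password, 2 cert)
    obj: dict          # resource, department, auth_level of the target business resource
    action: str        # e.g. "read_measurement" or "send_control_command"


# Constructed sample entries standing in for the identity, rights and trust libraries.
IDENTITY_LIBRARY = {
    "ftu-0042": {"mac": "02:00:00:00:00:42", "os": "rtos", "vendor": "ExampleVendor",
                 "known_ips": {"10.20.0.42"}, "location": "substation-A", "baseline_kbps": 50},
}
RIGHTS_LIBRARY = {"ftu-0042": {"read_measurement", "report_event"}}  # least-privilege baseline
TRUST_LIBRARY = {"ftu-0042": 0.8}                                     # continuously maintained

# Assumed policy parameters: trust required per object authorization level, the margin in
# which re-authentication is requested instead of denial, and the policy lifetime
# (subject trust is short-lived, so a grant expires quickly).
REQUIRED_TRUST = {"monitor": 0.5, "control": 0.85}
STEP_UP_MARGIN = 0.25
POLICY_TTL_S = 300


def is_legal_subject(req: AccessRequest) -> bool:
    """Step 102, first check: the presented fingerprint must match the registered identity."""
    registered = IDENTITY_LIBRARY.get(req.subject_id)
    if registered is None:
        return False
    return all(req.subject.get(k) == registered[k] for k in ("mac", "os", "vendor"))


def has_right(req: AccessRequest) -> bool:
    """Step 102, second check: the action must lie inside the subject's rights baseline."""
    return req.action in RIGHTS_LIBRARY.get(req.subject_id, set())


def evaluate_trust(req: AccessRequest) -> float:
    """Continuous trust evaluation: adjust the stored trust by environmental factors and
    authentication strength (rule-based stand-in for the deep-learning model, an assumption)."""
    registered = IDENTITY_LIBRARY[req.subject_id]
    env = req.environment
    trust = TRUST_LIBRARY.get(req.subject_id, 0.0)
    if env["ip"] not in registered["known_ips"]:
        trust -= 0.3                              # unfamiliar network position
    if env["location"] != registered["location"]:
        trust -= 0.2                              # unexpected access position
    if env["flow_kbps"] > 3 * registered["baseline_kbps"]:
        trust -= 0.2                              # abnormal business traffic volume
    trust += 0.05 * (env["auth_strength"] - 1)    # stronger credential raises trust
    return max(0.0, min(1.0, round(trust, 3)))


def decide(req: AccessRequest) -> Tuple[Decision, Optional[dict]]:
    """Steps 102-103: evaluate the request, then build a dynamic policy only on success."""
    if not is_legal_subject(req) or not has_right(req):
        return Decision.DENY, None
    trust = evaluate_trust(req)
    # The evaluation result is fed back into the trust library (exponential smoothing).
    old = TRUST_LIBRARY.get(req.subject_id, 0.0)
    TRUST_LIBRARY[req.subject_id] = round(0.7 * old + 0.3 * trust, 3)
    required = REQUIRED_TRUST[req.obj["auth_level"]]
    if trust >= required:
        policy = {"subject": req.subject_id, "action": req.action,
                  "resource": req.obj["resource"], "trust": trust,
                  "ttl_s": POLICY_TTL_S, "encrypt": True, "via_gateway": True}
        return Decision.ALLOW, policy
    if trust >= required - STEP_UP_MARGIN:
        return Decision.STEP_UP, None
    return Decision.DENY, None


def enforce(policy: dict, action: str, resource: str, age_s: int) -> bool:
    """Step 104: the security proxy releases only the action and resource the policy names,
    and only while the policy is still fresh."""
    return (age_s <= policy["ttl_s"] and action == policy["action"]
            and resource == policy["resource"])


def normal_request() -> AccessRequest:
    """Constructed sample: registered terminal, known IP, certificate authentication."""
    return AccessRequest(
        subject_id="ftu-0042",
        subject={"mac": "02:00:00:00:00:42", "os": "rtos", "vendor": "ExampleVendor"},
        environment={"ip": "10.20.0.42", "location": "substation-A",
                     "flow_kbps": 40, "auth_strength": 2},
        obj={"resource": "scada/measurements", "department": "distribution-ops",
             "auth_level": "monitor"},
        action="read_measurement")
```

Re-running `decide` on the same terminal from an unknown IP and location with a password-only credential drops the score into the step-up band rather than denying outright, while any action outside the rights baseline or a mismatched fingerprint is denied before trust is scored at all.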
By applying technologies such as virtual resource isolation, zero trust access control, machine learning based abnormal state identification, fast encryption and decryption, and secure local wireless operation and maintenance, a defense pattern for the distribution automation system oriented to the Internet of Things is constructed together with the distribution automation cascade protection system and trusted computing technology. From the aspects of the system body, its interactions, and its operation and maintenance, security risks to the core data of the power grid, such as illegal object access, cross-application propagation of viruses and Trojans, and illegal use of the local operation and maintenance process, are effectively prevented, and the security defense line for the new form of distribution services is firmly established.
The security risks faced by the power distribution cloud master station are analyzed in depth and a network security protection system is built: each container service access is dynamically and strictly controlled through the micro-isolation control platform, and dynamic access control of cloud master station services is built on zero trust technology, ensuring the secure admission of entities such as personnel, equipment, services and systems. This has important guiding significance for the security protection of the cloud deployment of the power distribution master station.
Fig. 6 is a block diagram of a cloud master access control device based on zero trust according to a preferred embodiment of the present invention.
As shown in fig. 6, the present invention provides a cloud master access control device based on zero trust, the device includes:
an obtaining unit 601, configured to obtain an access request of an access subject, where the access request includes: attribute information of the access subject and the access behavior; preferably, the attribute information of the access subject includes: subject attributes, environment attributes and object attributes.
A trust evaluation unit 602, configured to perform dynamic trust evaluation on the access request of the access subject through an established cloud master station service dynamic access control model;
preferably, the dynamic trust evaluation of the access request of the access subject by the cloud master station service dynamic access control model comprises:
judging whether the access subject is legal;
and judging whether the access subject has the access right for the access behavior.
Preferably, the cloud master station service dynamic access control model is established through a deep learning algorithm.
An establishing unit 603, configured to establish a dynamic access control policy based on the access request after the access request passes the dynamic trust evaluation;
preferably, the access control policy comprises:
recording and tracking the identity and the identity life cycle of the access subject;
intercepting the access behavior of the access subject, and dynamically judging the access authority of the access subject;
encrypting the access data of the access behavior before the access request is obtained.
A control unit 604, configured to control the access behavior of the access subject based on the dynamic access control policy.
Preferably, the method further comprises: hiding the business resources of the cloud master station, with the access subject accessing the hidden business resources.
Preferably, the method further comprises establishing a continuous trust evaluation model for:
continuously portraying the identity of the access subject, continuously analyzing the access behavior, continuously evaluating the evaluation results and generating a trust library;
the cloud master station service dynamic access control model then performs dynamic trust evaluation on access requests of the access subject based on the trust library.
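The decision flow laid out in the description above and in the device units just listed (identity library for subject legality, rights library for the permission baseline, trust library for the trust level, a decision over context attributes, trust level and security policy, a security proxy that releases only approved requests and keeps the business resources hidden, and a continuous evaluation that feeds every observed access behavior back into the trust library) is sketched below as an added Python example. It is not code from the patent or from the applicants: every library record, score, threshold and request is a constructed assumption, and the trust-update rules are simple illustrative arithmetic rather than the deep-learning evaluation the text describes.

```python
"""Toy zero-trust policy decision point with a continuously maintained trust
library (added example, not the patent's code; every record is constructed)."""
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed identity library: a subject is "legal" only if it exists, is
# active and presents an enrolled device.
IDENTITY_LIBRARY: Dict[str, dict] = {
    "ops-alice": {"active": True, "role": "operator", "devices": {"dev-001"}},
    "ops-bob": {"active": False, "role": "operator", "devices": {"dev-002"}},
}
# Constructed rights library: role -> object class -> baseline actions.
RIGHTS_LIBRARY: Dict[str, Dict[str, set]] = {
    "operator": {"telemetry": {"read"}, "switch-control": {"read", "write"}},
    "auditor": {"telemetry": {"read"}},
}
# Security policy (assumed): minimum trust level per object sensitivity.
MIN_TRUST = {"low": 0.3, "high": 0.7}

@dataclass
class AccessRequest:
    subject: Dict[str, str]      # subject attributes: id, device
    environment: Dict[str, str]  # environment attributes: network, ...
    obj: Dict[str, str]          # object attributes: class, sensitivity
    action: str                  # the access behaviour, e.g. "read"

class TrustLibrary:
    """Trust scores in [0, 1], updated after every observed access behaviour."""

    def __init__(self):
        self.scores: Dict[str, float] = {}

    def level(self, sid: str) -> float:
        return self.scores.get(sid, 0.8)  # assumed starting trust for new subjects

    def observe(self, sid: str, decision: str, env: Dict[str, str]) -> float:
        """One continuous-evaluation step (illustrative rules): a denial erodes
        trust sharply, external access erodes it a little, intranet restores it."""
        score = self.level(sid)
        if decision == "deny":
            score -= 0.2
        elif env.get("network") == "external":
            score -= 0.05
        else:
            score += 0.02
        self.scores[sid] = min(1.0, max(0.0, score))
        return self.scores[sid]

def is_legal_subject(subject: Dict[str, str]) -> bool:
    """Identity check against the identity library."""
    ident = IDENTITY_LIBRARY.get(subject.get("id", ""))
    return bool(ident and ident["active"] and subject.get("device") in ident["devices"])

def has_right(sid: str, obj_class: str, action: str) -> bool:
    # Rights-baseline check: does the subject's role permit this action?
    role = IDENTITY_LIBRARY[sid]["role"]
    return action in RIGHTS_LIBRARY.get(role, {}).get(obj_class, set())

def decide(req: AccessRequest, trust: TrustLibrary) -> Tuple[str, str]:
    """Policy decision: legality, then rights baseline, then trust level against
    the policy; the outcome is fed back so the next decision sees the new level."""
    sid = req.subject.get("id", "")
    if not is_legal_subject(req.subject):
        decision, reason = "deny", "subject not legal"
    elif not has_right(sid, req.obj["class"], req.action):
        decision, reason = "deny", "no right for action"
    elif trust.level(sid) < MIN_TRUST[req.obj["sensitivity"]]:
        decision, reason = "deny", "trust level below policy"
    else:
        decision, reason = "allow", "ok"
    trust.observe(sid, decision, req.environment)
    return decision, reason

def enforce(req: AccessRequest, trust: TrustLibrary) -> dict:
    """Enforcement point (security proxy): releases the request only on 'allow'.
    Every denial gets one identical response, so the hidden resource stays hidden."""
    decision, _ = decide(req, trust)
    if decision == "allow":
        return {"status": 200, "resource": req.obj["class"]}
    return {"status": 404}

def demo() -> Tuple[list, float]:
    """Constructed request sequence; returns decisions and ops-alice's final trust."""
    trust = TrustLibrary()
    alice = {"id": "ops-alice", "device": "dev-001"}
    bob = {"id": "ops-bob", "device": "dev-002"}
    lan = {"network": "intranet"}
    telemetry = {"class": "telemetry", "sensitivity": "low"}
    control = {"class": "switch-control", "sensitivity": "high"}
    requests = [
        AccessRequest(alice, lan, telemetry, "read"),    # allow, trust -> 0.82
        AccessRequest(bob, lan, telemetry, "read"),      # deny: inactive identity
        AccessRequest(alice, lan, control, "write"),     # allow: 0.82 >= 0.7, -> 0.84
        AccessRequest(alice, lan, telemetry, "delete"),  # deny: outside baseline, -> 0.64
        AccessRequest(alice, lan, control, "write"),     # deny: 0.64 < 0.7, -> 0.44
    ]
    return [decide(r, trust)[0] for r in requests], trust.level("ops-alice")
```

The point the sequence in `demo()` makes is the one the description relies on: the fifth request is identical to the third and comes from a legal subject holding the right, yet it is denied, because the trust library was updated by the behaviour observed in between. Denial reasons are returned by `decide()` for logging and evaluation, while `enforce()` deliberately collapses them into one opaque response so the proxy never confirms that a hidden resource exists.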
The invention also provides a computer readable storage medium storing a computer program for executing the zero-trust-based cloud master station access control method.
The invention also provides an electronic device comprising a processor and a memory, wherein:
the memory stores processor-executable instructions;
and the processor reads the executable instructions from the memory and executes them to realize the zero-trust-based cloud master station access control method.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein. The scheme in the embodiments of the invention can be realized in various computer languages, such as the object-oriented programming language Java or the scripting language JavaScript.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present invention have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiments and all such alterations and modifications as fall within the scope of the invention.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.
The invention has been described with reference to a few embodiments. However, as is well known to those skilled in the art, other embodiments than the above disclosed invention are equally possible within the scope of the invention, as defined by the appended patent claims.
Generally, all terms used in the claims are to be interpreted according to their ordinary meaning in the technical field, unless explicitly defined otherwise therein. All references to "a/an/the [ means, component, etc. ]" are to be interpreted openly as referring to at least one instance of said means, component, etc., unless explicitly stated otherwise. The steps of any method disclosed herein do not have to be performed in the exact order disclosed, unless explicitly stated.

Claims (16)

1. A cloud master access control method based on zero trust, the method comprising:
obtaining an access request of an access subject, the access request comprising: attribute information of the access subject and an access behavior;
performing dynamic trust evaluation on the access request of the access subject through an established cloud master station service dynamic access control model;
when the access request passes the dynamic trust evaluation, establishing a dynamic access control policy based on the access request;
and controlling the access behavior of the access subject based on the dynamic access control policy.
2. The method of claim 1, wherein the dynamic trust evaluation of the access request of the access subject by the cloud master service dynamic access control model comprises:
judging whether the access subject is legal or not;
and judging whether the access subject has the access right of the access behavior.
3. The method of claim 1, wherein the attribute information of the access subject comprises: subject attributes, environment attributes and object attributes.
4. The method of claim 1, further comprising, after said controlling the access behavior of the access subject based on said dynamic access control policy: hiding the business resources of the cloud master station, with the access subject accessing the hidden business resources.
5. The method of claim 1, wherein the access control policy comprises:
recording and tracking the identity and the identity life cycle of the access subject;
intercepting the access behavior of the access subject, and dynamically judging the access authority of the access subject;
encrypting the access data of the access behavior before the access request is obtained.
6. The method of claim 1, further comprising establishing a continuous trust evaluation model for: continuously portraying the identity of the access subject, continuously analyzing the access behavior, continuously evaluating the evaluation results, and generating a trust library;
and the cloud master station service dynamic access control model carries out dynamic trust evaluation on the access request of the access subject based on the trust library.
7. The method of claim 1, wherein the cloud master service dynamic access control model is established through a deep learning algorithm.
8. A zero trust based cloud master access control apparatus, the apparatus comprising:
an obtaining unit, configured to obtain an access request of an access subject, where the access request includes: attribute information of the access subject and an access behavior;
the trust evaluation unit is used for carrying out dynamic trust evaluation on the access request of the access subject through the established cloud master station service dynamic access control model;
an establishing unit, configured to establish a dynamic access control policy based on the access request after the access request passes the dynamic trust evaluation;
and a control unit, configured to control the access behavior of the access subject based on the dynamic access control policy.
9. The apparatus of claim 8, wherein the dynamic trust evaluation of the access request of the access subject by the cloud master station service dynamic access control model comprises:
judging whether the access subject is legal or not;
and judging whether the access subject has the access right of the access behavior.
10. The apparatus of claim 8, wherein the attribute information of the access subject comprises: subject attributes, environment attributes and object attributes.
11. The apparatus of claim 8, further comprising: hiding the business resources of the cloud master station, with the access subject accessing the hidden business resources.
12. The apparatus of claim 8, wherein the access control policy comprises:
recording and tracking the identity and the identity life cycle of the access subject;
intercepting the access behavior of the access subject, and dynamically judging the access authority of the access subject;
encrypting the access data of the access behavior before the access request is obtained.
13. The apparatus of claim 8, further comprising establishing a continuous trust evaluation model for: continuously portraying the identity of the access subject, continuously analyzing the access behavior, continuously evaluating the evaluation results, and generating a trust library;
and the cloud master station service dynamic access control model carries out dynamic trust evaluation on the access request of the access subject based on the trust library.
14. The apparatus of claim 8, wherein the cloud master service dynamic access control model is established by a deep learning algorithm.
15. A computer readable storage medium, characterized in that the computer readable storage medium stores a computer program for executing the method of any one of claims 1-7.
16. An electronic device, the electronic device comprising: a processor and a memory; wherein
the memory is used for storing the processor executable instructions;
the processor is configured to read the executable instructions from the memory and execute the instructions to implement the method of any one of claims 1-7.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310136351.4A CN116208401A (en) 2023-02-20 2023-02-20 Cloud master station access control method and device based on zero trust

Publications (1)

Publication Number Publication Date
CN116208401A true CN116208401A (en) 2023-06-02

Family

ID=86507294

Country Status (1)

Country Link
CN (1) CN116208401A (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116582373A (en) * 2023-07-14 2023-08-11 北京辰尧科技有限公司 User access control method, system and electronic equipment
CN116582373B (en) * 2023-07-14 2023-09-22 北京辰尧科技有限公司 User access control method, system and electronic equipment

Legal Events

Date Code Title Description
PB01 Publication