CN116567083A - Service data processing method, device, equipment and medium - Google Patents


Info

Publication number
CN116567083A
Authority
CN
China
Prior art keywords
access
service
credential
certificate
request
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202210106482.3A
Other languages
Chinese (zh)
Inventor
吴岳廷
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Tencent Technology Shenzhen Co Ltd
Original Assignee
Tencent Technology Shenzhen Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202210106482.3A
Publication of CN116567083A
Legal status: Pending

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L 63/0807 Network architectures or network communication protocols for network security for authentication of entities using tickets, e.g. Kerberos
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources
    • H04L 63/101 Access control lists [ACL]

Abstract

The disclosure provides a service data processing method, apparatus, device and medium, relates to the technical field of artificial intelligence, and can be applied to scenarios such as cloud technology, artificial intelligence, intelligent traffic and assisted driving. The method comprises: obtaining a first access credential matching a service access request when the service access request is detected to indicate access to a first preset service object, the first access credential being determined from dynamic factor data and static factor data of the terminal carrying the service management client; sending to a management server a first credential acquisition request that indicates acquisition of a second access credential and contains the first access credential; acquiring a first credential acquisition result determined by the management server from the first access credential and the access control policy list; and performing service access control based on the first credential acquisition result. In this way, service access efficiency and security are improved.

Description

Service data processing method, device, equipment and medium
Technical Field
The present disclosure relates to the field of computers, and in particular, to a method, an apparatus, a device, and a medium for processing service data.
Background
In the context of data access to a business system, access rights to the business system's data are typically controlled by static policies. However, as data volumes grow and services keep expanding, adjusting the control policy requires replacing the static access-control policy as a whole, which not only reduces service access efficiency but also leaves service access with a lower level of security.
Disclosure of Invention
The present disclosure provides a method, an apparatus, a device, and a medium for processing service data, so as to solve at least one technical problem in the prior art.
In one aspect, the present disclosure provides a service data processing method, including:
responding to a service access event by initiating a service access request through a target service process;
acquiring a first access credential matching the service access request when the service access request is detected to indicate access to a first preset service object, the first access credential being determined from dynamic factor data and static factor data of the terminal carrying the service management client;
sending to a management server a first credential acquisition request indicating acquisition of a second access credential, the first credential acquisition request comprising the first access credential;
acquiring a first credential acquisition result determined by the management server from the first access credential and an access control policy list;
and controlling the service access of the service access request based on the first credential acquisition result.
In another aspect, a service data processing method is provided, including:
acquiring a first credential acquisition request sent by a terminal and indicating acquisition of a second access credential, the first credential acquisition request comprising a first access credential matching a service access request, where the service access request is sent by a target service process in response to a service access event, the first access credential is acquired when the service access request is detected to indicate access to a first preset service object, and the first access credential is determined from dynamic factor data and static factor data of the terminal carrying the service management client;
determining a first credential acquisition result based on the first access credential in the first credential acquisition request and an access control policy list;
and sending the first credential acquisition result so that the terminal performs service access control on the service access request based on it.
In another aspect, a service data processing apparatus is provided, where the apparatus includes:
a first request sending module, configured to respond to the service access event by initiating a service access request through a target service process;
a first acquisition module, configured to acquire a first access credential matching the service access request when the service access request is detected to indicate access to a first preset service object, the first access credential being determined from dynamic factor data and static factor data of the terminal carrying the service management client;
a second request sending module, configured to send to the management server a first credential acquisition request indicating acquisition of a second access credential, the first credential acquisition request comprising the first access credential;
a second acquisition module, configured to acquire a first credential acquisition result determined by the management server from the first access credential and the access control policy list;
and a processing module, configured to control the service access of the service access request based on the first credential acquisition result.
In another aspect, a service data processing apparatus is provided, where the apparatus includes:
a first acquisition module, configured to acquire a first credential acquisition request sent by the terminal and indicating acquisition of a second access credential, the first credential acquisition request comprising a first access credential matching the service access request, where the first access credential is acquired when the service access request is detected to indicate access to a first preset service object, the service access request is sent by a target service process in response to a service access event, and the first access credential is determined from dynamic factor data and static factor data of the terminal carrying the service management client;
a result determining module, configured to determine a first credential acquisition result based on the first access credential in the first credential acquisition request and an access control policy list;
and a sending module, configured to send the first credential acquisition result so that the terminal can perform service access control on the service access request based on it.
In another aspect, an electronic device is provided, where the electronic device includes a processor and a memory, where at least one instruction or at least one program is stored, where the at least one instruction or the at least one program is loaded and executed by the processor to implement any of the methods described above.
In another aspect, a computer readable storage medium is provided, where at least one instruction or at least one program is stored, where the at least one instruction or the at least one program is loaded and executed by a processor to implement any of the methods described above.
Another aspect also provides a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer readable storage medium and executes the computer instructions to cause the computer device to perform any of the methods described above.
The service data processing method, device, equipment and medium provided by the disclosure have the following technical effects:
In the embodiments of the disclosure, a service access request is initiated through a target service process in response to a service access event; a first access credential matching the service access request is acquired when the service access request is detected to indicate access to a first preset service object, the first access credential being determined from dynamic factor data and static factor data of the terminal carrying the service management client; a first credential acquisition request, which indicates acquisition of a second access credential and comprises the first access credential, is sent to a management server; a first credential acquisition result determined by the management server from the first access credential and the access control policy list is acquired; and service access control is performed based on the first credential acquisition result. Because the first access credential combines the variable dynamic factor data with the static factor data of the terminal, and the result of acquiring the second access credential is determined from that credential together with the access control policy list, the terminal achieves real-time access control by hitting a dynamic rule item whenever the network, the terminal environment or the security state changes. The logic that handles suspected abnormal behaviour, or permits access only after verification, is applied before the sensitive resource is accessed rather than as asynchronous blocking after the fact, so processing is timely and flexible.
In addition, service access efficiency and security are improved, and the method and apparatus are applicable to scenarios such as emergency handling, temporary requirements and resource access within a specified time period.
Drawings
In order to more clearly illustrate the embodiments of the present disclosure or the technical solutions and advantages of the prior art, the following description will briefly explain the drawings required for the embodiments or the prior art description, and it is apparent that the drawings in the following description are only some embodiments of the present disclosure, and other drawings may be obtained according to the drawings without inventive effort for those skilled in the art.
Fig. 1 is an application environment schematic diagram of a service data processing method provided in an embodiment of the present disclosure;
fig. 2 is a flow chart of a service data processing method according to an embodiment of the disclosure;
fig. 3 is a schematic partial flow chart of a service data processing method according to an embodiment of the disclosure;
fig. 4 is an interface schematic diagram of a service data processing method according to an embodiment of the present disclosure;
fig. 5 is a flow chart of a service data processing method according to an embodiment of the disclosure;
fig. 6 is a timing diagram of a service data processing method according to an embodiment of the present disclosure;
fig. 7 is a block diagram of a service data processing apparatus according to an embodiment of the present disclosure;
fig. 8 is a block diagram of a service data processing apparatus according to an embodiment of the present disclosure;
Fig. 9 is a schematic hardware structure of an apparatus for implementing the method provided by the embodiment of the disclosure.
Detailed Description
In order that those skilled in the art will better understand the present disclosure, a technical solution in the embodiments of the present disclosure will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present disclosure, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art without inventive effort, based on the embodiments in this disclosure, shall fall within the scope of the present disclosure.
For the purposes of clarity, technical solutions and advantages of the present disclosure, the following further details the embodiments of the present disclosure with reference to the accompanying drawings.
In order to facilitate understanding of the technical solutions described in the embodiments of the present disclosure and the technical effects thereof, the terms involved in the embodiments of the present disclosure are briefly described:
Cloud technology is a general term for the network, information, integration, management-platform and application technologies applied under the cloud computing business model; it can form a resource pool that is used flexibly and on demand. Cloud computing technology will become an important support. The background services of technical network systems, such as video websites, picture websites and many portals, require large amounts of computing and storage resources. As the internet industry develops further, every item may in future carry its own identification mark that must be transmitted to a background system for logical processing; data of different levels are processed separately, and data from all industries need strong back-end system support, which can be realised through cloud computing.
Cloud security is a general term for the security software, hardware, users, institutions and secure cloud platforms based on cloud computing business model applications. Cloud security fuses emerging technologies and concepts such as parallel processing, grid computing and judgement of unknown virus behaviour: through abnormal-behaviour monitoring of software by a large number of network clients, it acquires the latest information on Trojan horses and malicious programs on the Internet, sends it to a server for automatic analysis and processing, and distributes the solutions for viruses and Trojan horses to each client.
The main research directions of cloud security include: 1. cloud computing security, namely how to guarantee the security of the cloud and of the various applications on it, including cloud computer system security, secure storage and isolation of user data, user access authentication, information transmission security, protection against network attacks, compliance auditing and the like; 2. cloud-based security infrastructure, which mainly studies how to build and integrate security infrastructure resources with cloud computing and optimise security protection mechanisms, using cloud computing technology to construct an ultra-large-scale platform for collecting and processing security events and information, realising the collection and correlation analysis of massive amounts of information, and improving the ability to control security events and risk across the whole network; 3. cloud security services, which mainly studies the various security services provided to users on cloud computing platforms, such as anti-virus services.
Cloud storage is a new concept extended and developed from the concept of cloud computing. A distributed cloud storage system (hereinafter simply the storage system) is a storage system that, through functions such as cluster application, grid technology and a distributed storage file system, integrates a large number of storage devices of various types (also referred to as storage nodes) in a network so that they work cooperatively through application software or application interfaces, providing data storage and service access functions to the outside.
At present, the storage method of the storage system is as follows: when creating logical volumes, each logical volume is allocated a physical storage space, which may be a disk composition of a certain storage device or of several storage devices. The client stores data on a certain logical volume, that is, the data is stored on a file system, the file system divides the data into a plurality of parts, each part is an object, the object not only contains the data but also contains additional information such as a data Identification (ID) and the like, the file system writes each object into a physical storage space of the logical volume, and the file system records storage location information of each object, so that when the client requests to access the data, the file system can enable the client to access the data according to the storage location information of each object.
The process by which the storage system allocates physical storage space for a logical volume is as follows: physical storage space is divided into stripes in advance according to the set of capacity estimates for the objects stored on the logical volume (estimates that tend to leave a large margin relative to the capacity of the objects actually stored) and the redundant array of independent disks (RAID) configuration; a logical volume can be understood as one stripe, and in this way physical storage space is allocated to the logical volume.
The Database (Database), which can be considered as an electronic filing cabinet, is a place for storing electronic files, and users can perform operations such as adding, inquiring, updating, deleting and the like on the data in the files. A "database" is a collection of data stored together in a manner that can be shared with multiple users, with as little redundancy as possible, independent of the application.
A database management system (DBMS) is a computer software system designed for managing databases, and generally provides basic functions such as storage, retrieval, security and backup. Database management systems may be classified by the database model they support, e.g. relational or XML (Extensible Markup Language); by the type of computer supported, e.g. server cluster or mobile phone; by the query language used, e.g. SQL (Structured Query Language) or XQuery; by performance emphasis, e.g. maximum scale or maximum operating speed; or by other schemes. Whatever the classification, some DBMSs span categories, for example by supporting multiple query languages simultaneously. The scheme provided by the embodiments of the disclosure relates to cloud technology and other technologies, and is described in detail through the following embodiments.
The service data processing method provided by the present disclosure may be applied to an application environment as shown in fig. 1. As shown in fig. 1, the hardware environment may include at least a terminal 10, a management server 20, a terminal 30, a business server 40, and a gateway device 50.
The terminals 10 and 30 may each be at least one of a smartphone, tablet computer, notebook computer, desktop computer, smart speaker, smart watch, vehicle-mounted terminal, smart television and the like, without being limited thereto. The terminal 10 may be a user terminal on which a service management client and a proxy component are installed: the terminal communicates with the management server 20 through the service management client, and communicates with the service server 40 through the proxy component and the gateway device 50, thereby accessing the service system and its data. There may be multiple terminals 10, which the disclosure does not specifically limit. The terminal 30 may be a management terminal, of which there may be one or more, which the disclosure likewise does not specifically limit.
The management server 20 may provide background service for processing service data for the terminal 10 and the terminal 30, and the service server 40 may provide service for the terminal 10, where the management server 20 and the service server 40 may be independent physical servers, may be a server cluster or a distributed system formed by a plurality of physical servers, or may be a cloud server for providing cloud computing service. The terminal and the server may be directly or indirectly connected through wired or wireless communication, and the disclosure is not limited herein. It should be noted that, the management server 20 and the service server 40 may be implemented as cloud servers in the cloud.
In some embodiments, the management server 20 and the business server 40 described above may also be implemented as nodes in a blockchain system. Blockchain (Blockchain) is a new application mode of computer technologies such as distributed data storage, point-to-point transmission, consensus mechanisms, encryption algorithms, and the like. The blockchain is essentially a decentralised database, and is a series of data blocks which are generated by association by using a cryptography method, and each data block contains information of a batch of network transactions and is used for verifying the validity (anti-counterfeiting) of the information and generating a next block. The blockchain may include a blockchain underlying platform, a platform product services layer, and an application services layer.
It should be noted that, in practical application, the above-mentioned service data processing method may be implemented in the terminal 10, or may be implemented in the management server, or may be implemented by at least one terminal, and at least one server and gateway device together.
Of course, the method provided by the embodiments of the present disclosure is not limited to use in the hardware environment illustrated in fig. 1, but may be used in other possible hardware environments, and the embodiments of the present disclosure are not limited thereto. The functions that can be implemented by the respective devices in the hardware environment shown in fig. 1 will be described in the following method embodiments, which will not be repeated here.
Fig. 2 is a flow chart of a service data processing method according to an embodiment of the disclosure. The present disclosure provides method operational steps as described in the examples or flowcharts, but may include more or fewer operational steps based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one way of performing the order of steps and does not represent a unique order of execution. The execution body of the service data processing method may be a service data processing device provided by the embodiment of the present disclosure, or a server integrated with the service data processing device, where the service data processing device may be implemented in a hardware or software manner. Taking the execution body as the terminal in fig. 1 as an example for explanation, as shown in fig. 2, the method may include:
S201: In response to the service access event, a service access request is initiated by the target service process.
The service access event reflects that the access subject has triggered access to the access object. By way of example only, the access subject may be the party initiating access in the network, such as a user, device or application accessing an intranet service resource; it is a digital entity formed by a single factor or a combination of factors such as user, device and application. The access object may be the party being accessed in the network, i.e. an intranet service resource, including applications, system environments (e.g. development and test environment, operation and maintenance environment, production environment), data, interfaces, functions and the like. Optionally, the access object may include the service system and data resources corresponding to the service management client, and the service access event includes, but is not limited to, triggering operations such as clicking and input.
The target service process is the running instance of the service management client. When a service access event is detected, the target service process may be invoked to initiate a service access request. The service access request indicates the service object to which access is requested, which may be a sensitive or a non-sensitive service object. For example only, sensitive service objects may include sensitive enterprise resources or data; non-sensitive service objects may include accesses to non-enterprise resources (e.g. public network sites) and accesses to common enterprise resources.
Before responding to the service access event, the method may further include logging in to the service management client, with identity authentication and login performed through a login ticket, so that secure service access in the terminal proceeds through the service management client. The login ticket (also called the big ticket) is a credential issued by the management server to the terminal after the terminal user passes identity authentication. The terminal user obtains a login ticket automatically once login completes through any of several identity authentication modes, such as QR code scanning, account and password, token, or IAM login. Each login ticket has a login validity period and a use count, and it becomes invalid automatically once the user logs out or the validity period is exceeded, after which identity authentication and login must be performed again.
S202: and under the condition that the service access request is detected to be used for indicating to access a first preset service object, acquiring a first access credential matched with the service access request.
Wherein each service access request is used for indicating that the service object to be accessed can comprise a sensitive service object and a non-sensitive service object. The first preset business object here comprises a sensitive business object, i.e. a sensitive business system or data, such as enterprise resources or data. In case it is detected that the service access request is used to indicate that access to a sensitive service object is required, i.e. it is determined that the service access request is used to indicate a first preset service object.
The first access certificate is determined according to dynamic factor data and static factor data of the terminal of the carrying service management client. The service management client is installed on the terminal device and can be used to assist in verifying whether the identity of the access object on the device is trusted and whether the device and the application accessed by the device are trusted.
The dynamic factor data is network environment data for characterizing a terminal on which the service management client is installed. The dynamic factor data may include application characteristic information, environment awareness information, terminal compliance information, and the like of the access application. The application characteristic information may include information of MD5, file version information, file description, product name, process file SHA256, root certificate, signature certificate, etc. of the executable file to which the application corresponds. The context awareness information may include dynamic factor information such as terminal network area information (e.g., egress IP information), network environment information (e.g., physical network card IP information), whether the terminal user is accessing a sensitive system, etc. The terminal compliance information can comprise at least one of virus killing information, vulnerability restoration information, security reinforcement information, data protection information, real-time protection information, heartbeat detection information and the like.
The static factor data is used to characterize the static factors of the access object, and may include information of the access subject, access application feature information, access object, and the like. The information of the access subject may include account information of the access subject, authority information of the access subject, access operation data (e.g., use time and use frequency of using the first access ticket), and the like. The access object may include a specific sensitive business system or data, etc.
The first access credential may be a special credential set for a sensitive business system or data access. Under the condition that the access subject is detected to access the sensitive business object, the management server can limit the authority and the use scene of the access subject by issuing the first access certificate. The first access certificate can be used for dynamically accessing sensitive service systems and data, so that access security is enhanced.
When the state of the terminal and the access operation data of the access subject (such as the frequency and time of accessing the sensitive service system and data) meet the dynamic access condition, the management server triggers the terminal to perform re-authentication, and the sensitive service system and data cannot be accessed until the terminal has completed it. After re-authentication is complete, the management server sends, in response to the access by the service management client, a first access credential specific to the current sensitive service system and data. The first access credential records the access subject's access rights to, and permitted access frequency for, the target system or data within a specific time window; it is stored by the terminal and carried automatically on subsequent accesses to the target service system or data, and the management server judges whether the subject's access to the target system or data is legitimate according to the first access credential sent by the terminal and the terminal's environment state. If the terminal's security state does not meet the standard, or its environment state hits a rule item in the access control policy that forbids access to the sensitive service system or data, the management server sets the first access credential as invalid and blocks the current and subsequent accesses. The management server releases access to the relevant target system or data only after judging that the access control rules are satisfied, and this holds until the terminal's network environment changes.
In practical application, the service management client may acquire an access control policy list issued by the management server and determine, based on that list, whether the access flow corresponding to the service access request requires the gateway device. If the access is to the first preset service object, namely a sensitive service object, the access flow corresponding to the service access request is determined, based on the access control policy list, to require the gateway device, and the service access request is forwarded through the proxy client to the gateway device corresponding to the service server. Before the service access request is forwarded to the service server through the gateway device, the terminal checks whether a first access credential for the sensitive system or data access is stored in its local encrypted persistent storage. If a first access credential exists, it is obtained; when no matching first access credential is found, the first access credential may be a null value.
S203: sending a first credential acquisition request, for indicating acquisition of a second access credential, to the management server, wherein the first credential acquisition request comprises the first access credential.
The second access credential may be a temporary access credential issued for each access flow that reaches an enterprise resource through the gateway device; it may be a network access ticket.
Optionally, in addition to sending the process feature information, terminal information, login user information, login credentials, traffic features, and so on of the network access being initiated, the service management client on the terminal checks whether a first access credential for the sensitive system or data access is stored in the local encrypted persistent storage. If a first access credential exists, the service management client carries it in the request sent to the management server when applying for the second access credential (the ticket).
Accesses to the same service site by the same application within the validity period of the second access credential reuse that second access credential. After hijacking the flow, the proxy client first checks whether a second access credential matching the service site accessed by the current application exists in its local cache and, if so, whether that credential is still within its validity period. If it is, the proxy client uses the cached second access credential directly without applying to the service management client for a new one; otherwise, the proxy client forwards the access flow to the gateway device only after successfully applying to the service management client for a ticket. Once the ticket has been obtained, the proxy client adds it to the ticket cache according to the ticket validity period parameter passed by the service management client, so that subsequent access flows can use it.
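As an added illustration, not code from the patent, the proxy client's ticket reuse logic described above in Python: tickets are cached per application and service site and reused only within the validity period handed over by the service management client, otherwise a new one is applied for before the flow is forwarded. The service management client and its ticket application are a constructed stub, and the site names and validity values are assumptions.

```python
from __future__ import annotations

import itertools
from dataclasses import dataclass
from typing import Optional


@dataclass
class AccessTicket:
    """Second access credential (network access ticket) bound to one application/site pair."""
    value: str
    app: str
    site: str
    expires_at: float  # derived from the validity-period parameter passed by the service management client


class TicketCache:
    """Proxy-client ticket cache keyed by (application, service site)."""

    def __init__(self) -> None:
        self._entries: dict[tuple[str, str], AccessTicket] = {}

    def lookup(self, app: str, site: str, now: float) -> Optional[AccessTicket]:
        """Return the cached ticket for this application and site if it is still valid."""
        ticket = self._entries.get((app, site))
        if ticket is None:
            return None
        if now >= ticket.expires_at:
            # An expired ticket must not be reused; drop it so a fresh one is applied for.
            del self._entries[(app, site)]
            return None
        return ticket

    def add(self, ticket: AccessTicket) -> None:
        self._entries[(ticket.app, ticket.site)] = ticket


class ServiceManagementClientStub:
    """Constructed stand-in for the service management client's ticket application.

    The real client collects process and terminal features and asks the management
    server; here the outcome is decided by a constructed set of denied sites.
    """

    def __init__(self, validity_seconds: float, deny_sites: set[str] = frozenset()) -> None:
        self.validity_seconds = validity_seconds
        self.deny_sites = set(deny_sites)
        self._seq = itertools.count(1)
        self.applications = 0  # how many times the proxy client had to apply for a ticket

    def apply_ticket(self, app: str, site: str, now: float) -> Optional[AccessTicket]:
        self.applications += 1
        if site in self.deny_sites:
            return None  # the management server judged the access illegal
        return AccessTicket(f"ticket-{next(self._seq)}", app, site, now + self.validity_seconds)


class ProxyClient:
    """Decides, for each hijacked flow, whether a cached ticket is reused or a new one applied for."""

    def __init__(self, smc: ServiceManagementClientStub) -> None:
        self.smc = smc
        self.cache = TicketCache()

    def handle_hijacked_flow(self, app: str, site: str, now: float) -> tuple[str, Optional[str]]:
        """Return ('reused' | 'applied' | 'blocked', ticket value) for the flow."""
        ticket = self.cache.lookup(app, site, now)
        if ticket is not None:
            return "reused", ticket.value   # within validity period: forward with the cached ticket
        ticket = self.smc.apply_ticket(app, site, now)
        if ticket is None:
            return "blocked", None          # application failed: do not forward to the gateway device
        self.cache.add(ticket)              # cache it for the validity period given by the client
        return "applied", ticket.value


if __name__ == "__main__":
    smc = ServiceManagementClientStub(validity_seconds=60, deny_sites={"hr.internal.example"})
    proxy = ProxyClient(smc)
    for app, site, now in [("erp.exe", "erp.internal.example", 1000),
                           ("erp.exe", "erp.internal.example", 1030),
                           ("erp.exe", "erp.internal.example", 1060),
                           ("erp.exe", "hr.internal.example", 1060)]:
        print(app, site, now, proxy.handle_hijacked_flow(app, site, now))
```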
S204: acquiring a first credential acquisition result determined by the management server based on the first access credential and the access control policy list.
The access control policy list may be a set of control policies configured in advance. Illustratively, as shown in fig. 4, the service control policy configuration interface lists several access control policies, and the policy name, policy type, hit count, whether the policy is applied, and the corresponding operations can be configured through this interface. Each access control policy has a corresponding priority: the higher the priority, the nearer the front of the access control policy list the policy is ordered, and conversely the lower the priority, the nearer the back. As further shown in fig. 4, the administrator may adjust the access control policies and their priorities, and control is then performed according to the adjusted priorities.
It should be understood that fig. 4 is merely exemplary, and specific content in the service control policy configuration interface may be adjusted according to practical situations, which is not specifically limited by the present disclosure.
Optionally, the first credential acquisition result may include: a result for indicating re-authentication of the service access event, a result for indicating adjustment of access rights to the service access event, a result for indicating that access to the service access event is legal, or a result for indicating that access to the service access event is illegal.
Optionally, when the terminal's run-time access decision is judged, based on the first access credential, to meet the requirement, the access is preliminarily determined to be legitimate. If the run-time access decision is judged not to meet the requirement, the management server is not reached, and a result indicating re-authentication, refusal, direct connection (bypassing the gateway device), or the like can be obtained according to the access control policy.
S205: controlling the service access of the service access request based on the first credential acquisition result.
In an optional implementation manner, the performing service access control based on the first credential acquisition result includes:
S301: acquiring a second access credential determined by the management server when the first credential acquisition result indicates that access for the service access event is legal;
S302: performing service access control on the service access request based on the acquired second access credential; or
S303: controlling blocking of the service access request when the first credential acquisition result indicates that access for the service access event is illegal.
Optionally, when the first credential acquisition result indicates that access for the service access event is legal, the second access credential determined by the management server is acquired, and service access control is performed on the service access request based on it. Specifically, when the access attributes of the second access credential pass authentication, the access flow corresponding to the service access request is forwarded through the proxy client to the gateway device, and the gateway device sends it on to the service server, so that service data access is achieved. When the first credential acquisition result indicates that access for the service access event is illegal, the service access request is blocked.
In an optional implementation manner, the performing service access control on the service access request based on the first credential obtaining result includes:
S304: generating a re-authentication instruction when the first credential acquisition result indicates re-authentication of the service access event.
Optionally, the re-authentication result may include a re-authentication instruction. The re-authentication instruction can be carried out by means of re-login, SMS verification, face recognition, fingerprint recognition, and the like. Specifically, a verification window requiring the user to authenticate again can be displayed on the user interface, offering verification modes such as scan-code login, token login, SMS verification, face recognition, and fingerprint recognition.
S305: in response to a triggering operation on the re-authentication instruction, sending an acquisition request, for indicating generation of a third access credential, to the management server.
Optionally, in response to a trigger operation in which the user successfully logs in through one of the login modes indicated by the re-authentication instruction, an acquisition request indicating generation of a third access credential is sent to the management server, which generates the third access credential for the terminal's current access process.
S306: performing service access control on the service access request based on the acquired third access credential.
In an optional embodiment, the performing, based on the obtained third access credential, service access control on the service access request includes:
S3061: sending a second credential acquisition request, for indicating acquisition of a second access credential, to the management server, wherein the second credential acquisition request comprises the third access credential;
S3063: acquiring a second credential acquisition result determined by the management server based on the third access credential and the access control policy list;
S3065: controlling the service access of the service access request based on the second credential acquisition result.
Optionally, the second credential acquisition result may include: a result for indicating re-authentication of the service access event, a result for indicating adjustment of access rights to the service access event, a result for indicating that access to the service access event is legal, or a result for indicating that access to the service access event is illegal.
Optionally, when the terminal's run-time access decision is judged, based on the third access credential, to meet the requirement, the access is preliminarily determined to be legitimate. If the run-time access decision is judged not to meet the requirement, the management server is not reached, and a result indicating re-authentication, refusal, direct connection (bypassing the gateway device), or the like can be obtained according to the access control policy.
In an optional implementation manner, the performing service access control on the service access request based on the first credential obtaining result includes:
S307: acquiring the adjusted target access rights when the first credential acquisition result indicates adjustment of the access rights of the service access event;
S308: acquiring a second access credential determined by the management server based on the target access rights;
S309: performing service access control on the service access request based on the acquired second access credential.
Optionally, adjusting the access rights of the service access event may include downgrading the access rights of the service access event, determining a second access credential according to the adjusted target access rights, and performing service access control with that second access credential.
In the embodiment of the disclosure, a service access request is initiated through a target service process in response to a service access event; when the service access request is detected to indicate access to a first preset service object, a first access credential matched with the service access request is acquired, the first access credential being determined according to the dynamic factor data and static factor data of the terminal carrying the service management client; a first credential acquisition request, indicating acquisition of a second access credential and comprising the first access credential, is sent to the management server; a first credential acquisition result determined by the management server based on the first access credential and the access control policy list is acquired; and service access control is performed based on that result. Because the first access credential combines the variable dynamic factor data with the static factor data of the terminal, and the credential acquisition result for obtaining the second access credential is determined from the first access credential and the access control policy list, the terminal achieves real-time access control by hitting a dynamic rule item whenever the network, terminal environment, or security state changes. The handling of suspected abnormal behaviour, and the logic that permits access only after verification, is moved ahead of the sensitive resource access rather than applied as asynchronous blocking after the fact, so the processing is timely and highly flexible.
In addition, service access efficiency and security are improved, and the method and apparatus are applicable to various scenarios such as emergency handling, temporary requirements, and resource access within a specified time period.
In an alternative embodiment, the method further comprises:
when the service access request is detected to indicate access to a second preset service object, sending the service access request to the service server.
Optionally, the service management client may acquire an access control policy list issued by the management server and determine, based on that list, whether the access flow corresponding to the service access request requires the gateway device. If a non-enterprise resource (such as a public-network site) is accessed, it is determined from the access control policy list that the access flow does not require the gateway device; the proxy client connects directly to the service server corresponding to the service access request and obtains the access information from it for its response.
In an alternative embodiment, the method further comprises:
when the service access request is detected to indicate access to a third preset service object, sending a third credential acquisition request, for indicating acquisition of a second access credential, to the management server;
acquiring a third credential acquisition result determined by the management server based on the third credential acquisition request and an access control policy list;
performing service access control on the service access request based on the third credential acquisition result.
Optionally, the service management client may acquire an access control policy list issued by the management server and determine, based on that list, whether the access flow corresponding to the service access request requires the gateway device. If the access is to an ordinary enterprise resource, it is determined based on the access control policy list that the access flow corresponding to the service access request requires the gateway device, and the service access request is forwarded through the proxy client to the gateway device corresponding to the service server.
The third credential acquisition request may include the process feature information, terminal information, login user information, login credentials, access flow characteristics, and so on collected by the service management client for the network access being initiated. The access traffic characteristics may include the target system to be accessed, the target port, the source IP, the source port, the network protocol, and the like.
Fig. 5 is a flow chart of a service data processing method according to an embodiment of the present disclosure. The present disclosure provides method operational steps as described in the examples or flowcharts, but more or fewer operational steps may be included based on conventional or non-inventive labor. The order of steps recited in the embodiments is merely one of many possible orders and does not represent the only order of execution. The execution body of the service data processing method may be a service data processing device provided by the embodiment of the present disclosure, or a server integrated with the service data processing device, where the service data processing device may be implemented in hardware or software. Taking the execution body as the management server in fig. 1 as an example, as shown in fig. 5, the method may include:
S501: acquiring a first credential acquisition request sent by a terminal for indicating acquisition of a second access credential, wherein the first credential acquisition request comprises a first access credential matched with the service access request when the service access request is detected to indicate access to a first preset service object, the service access request is sent by a target service process in response to a service access event, and the first access credential is determined according to the dynamic factor data and static factor data of the terminal carrying the service management client.
S502: determining a first credential acquisition result based on a first access credential in the first credential acquisition request;
S503: sending the first credential acquisition result so that the terminal performs service access control on the service access request based on it.
It should be noted that the specific details may be found in the foregoing embodiments and are not repeated here.
In an alternative embodiment, the method further comprises:
acquiring dynamic factor data obtained by real-time monitoring of the terminal;
rejecting the service access request when the dynamic factor data indicates that a preset access condition is not met.
Optionally, the dynamic factor data may include application characteristic information of the accessing application, environment awareness information, terminal compliance information, and the like. The preset access condition may require that the application characteristic information, the environment awareness information, and the terminal compliance information each satisfy a corresponding preset condition. These are described in detail below:
(1) Accessing application feature information of an application
When the end user accesses enterprise resources, application security detection may be performed on the application feature information, including the MD5, file version information, copyright information, file description, product name, process file SHA256, whether the file is signed, and information such as the root certificate, intermediate certificate, and signing certificate of the executable file corresponding to the application. The service management client can detect the application jointly with the management server, and a process characteristic cache is set in the service management client to speed up application detection.
(2) Terminal context awareness information
The service management client may detect terminal context awareness information, including a change in the terminal's network area (e.g., a change in the egress IP), a change in the network environment (e.g., a change in the physical network card IP), whether the terminal user is accessing a sensitive system, and so on. The management server allows the administrator to customise the sensing policy that the terminal executes, can configure several different sensing policies and apply them to different terminals, and controls the frequency and reporting rules of terminal environment sensing.
The management server supports issuing different access control rules for the service management client's environment-aware results. Several scenarios are described below:
In the first scenario, when the terminal identifies that a specially sensitive resource is about to be accessed, the user is forced to complete re-authentication, strengthening identity verification. If the re-authentication is completed successfully within the valid time period, subsequent access authentication operations are allowed; otherwise the access is interrupted automatically.
In the second scenario, the service management client recognizes that the network environment has changed and forces secondary identity verification, so that off-site login and access behaviour is sensed automatically.
In a third scenario, the management server sets network-area-related access rights for some personnel. Some resources can be accessed within the enterprise network, while access to some sensitive resources is restricted outside the enterprise network. After the service management client identifies that the terminal's network area has changed, the subset of the access control rules associated with that network area is applied automatically, so that different network areas carry different access rights. The user's access rights are adjusted automatically as the network area changes, or secondary identity verification and re-authorization are triggered.
(3) Terminal compliance information
The service management client resides on the device terminal and continuously and periodically performs virus scanning and removal, vulnerability repair, security hardening, data protection, real-time protection, heartbeat detection, and similar functions in silent mode; according to the policy formulated and issued by the management server, the client performs device security detection, control hardening, and abnormality repair. When the service management client determines, through virus scanning, real-time protection, and the like, that the device is secure, zero trust network access is allowed to proceed. If an abnormal item that can be repaired automatically is detected, the service management client repairs it automatically according to the management server's policy; if an abnormal item requiring manual repair by the user is detected, the terminal carrying the service management client prompts the user by displaying the abnormal item, its cause, and a repair suggestion, and until the user has fixed the problem the user is either forbidden to log in to perform identity authentication and zero trust access, or is subjected to privilege-downgrade processing. For example, while terminal staff are working and compliance detection finds that the terminal has a security baseline problem, privilege-downgrade processing is applied based on the policy setting and the related enhanced authentication policy is triggered, instead of disconnecting the network directly and disrupting normal business work. Through terminal compliance detection, the service management client thus ensures that the zero trust network access function is used on a secure device.
When a terminal initiates a network access request, the service management client automatically generates a run-time access decision from the terminal compliance information and the network environment result computed during the user's access request. Unlike an access control rule specified by an enterprise administrator, the run-time access decision is dynamic and real-time, with the advantages of high efficiency, strong flexibility, and low latency. If the device terminal's compliance detection result or environment perception does not meet the set requirements, access to enterprise resources is rejected or terminated; if the device terminal's compliance meets the requirement, subsequent flow authentication is performed.
In an optional embodiment, the determining the first credential acquisition result based on the first access credential in the first credential acquisition request includes:
when the service access request indicates access to target data, acquiring the access attribute information of the first access credential and the application characteristic information of the service management client corresponding to the service access request;
determining a first credential acquisition result based on the access attribute information and the application feature information.
The access attribute information may include the validity period or maximum number of uses of the access credential. The application characteristic information may include the MD5, signature information, application copyright information, and the like. The first credential acquisition result may include: a result indicating re-authentication of the service access event, a result indicating adjustment of the access rights of the service access event, a result indicating that access for the service access event is legal, or a result indicating that access for the service access event is illegal.
In an optional embodiment, the determining the first credential acquisition result based on the access attribute information and the application feature information includes:
acquiring at least one target access control policy when the access attribute information meets a first preset condition and the application characteristic information meets a second preset condition;
determining a first credential acquisition result based on the at least one target access control policy and the priority corresponding to each target access control policy.
The first preset condition may be that the first access credential satisfies an authentication condition, for example, that its usage frequency and usage time meet the authentication condition. The second preset condition may be that the application characteristic information satisfies a security detection condition.
Optionally, the management server includes the terminal's dynamic factors as a core element in the generation of access control rules, and the terminal monitors the network, security level, and environment state in real time. The matching logic of the dynamic rules is triggered automatically when a change is identified in a dynamic factor that the access control rules or the security policy are concerned with, with several cases:
(1) If exactly one dynamic rule is hit, access control is performed according to the content of that dynamic rule. Continuing with fig. 4, if the adjusted "order 9" is hit, access control is performed according to the control policy corresponding to order 9, that is, the control policy requiring verification of the access is executed.
(2) If two or more dynamic rule items are hit, the item with the higher priority automatically overrides the item with the lower priority, according to the priority of the policy or rule specified by the administrator when the policy or rule was set. When an enterprise administrator configures a policy, the management server automatically checks the policy or rule configuration and reminds the administrator to configure priorities whenever items conflict or override one another; if the administrator does not specify priorities manually, a security-preserving default algorithm ranks the rule items by priority and displays the ranking to the enterprise administrator for review and modification. Continuing with fig. 4, if the adjusted "order 6" and "order 9" are hit at the same time, access control is performed according to the control policy corresponding to order 6, that is, the control policy prohibiting access is executed.
(3) If no dynamic rule item is hit, the policy follows the general baseline access rule and no dynamic control is performed.
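An added example, not from the patent, of the management server's decision for a first credential acquisition request as described in S501 to S503 and the three cases above: the first and second preset conditions (validity period and use count of the first access credential; executable hash and signer of the application) are checked, then the hit dynamic rules are resolved by priority, with the lower "order" overriding the higher one as order 6 overrides order 9 in fig. 4. The rule set, the allowlist, and the choice of an "illegal" result when a preset condition fails are assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Callable


class Result(Enum):
    """The four possible first credential acquisition results."""
    REAUTH = "re-authenticate the service access event"
    ADJUST_RIGHTS = "adjust the access rights of the service access event"
    LEGAL = "access is legal"
    ILLEGAL = "access is illegal"


@dataclass
class FirstAccessCredential:
    """First access credential for a sensitive system; its access attribute information
    (validity period and maximum number of uses) is what the first preset condition checks."""
    subject: str
    target: str
    expires_at: float
    max_uses: int
    uses: int = 0


@dataclass
class DynamicRule:
    name: str
    order: int                          # policy priority: a lower order ranks higher
    condition: Callable[[dict], bool]   # evaluated over the terminal's dynamic factor data
    result: Result


# Constructed allowlist of (executable MD5, signer) pairs standing in for application security detection.
ALLOWLIST = {("md5-of-erp-exe-constructed", "Example Corp Code Signing")}


def first_preset_condition(cred: FirstAccessCredential, now: float) -> bool:
    """Access attribute check: still inside the validity period and below the use limit."""
    return now < cred.expires_at and cred.uses < cred.max_uses


def second_preset_condition(features: dict, allowlist: set) -> bool:
    """Application feature check: executable hash and signer must match a known-good entry."""
    return (features.get("md5"), features.get("signer")) in allowlist


def check_rule_configuration(rules: list[DynamicRule]) -> list[list[str]]:
    """Return groups of rules sharing one priority, so the administrator can be reminded to rank them."""
    by_order: dict[int, list[str]] = {}
    for rule in rules:
        by_order.setdefault(rule.order, []).append(rule.name)
    return [names for names in by_order.values() if len(names) > 1]


def first_credential_result(cred: FirstAccessCredential, features: dict, env: dict,
                            rules: list[DynamicRule], allowlist: set, now: float) -> Result:
    """Management-server decision for one first credential acquisition request."""
    # Assumption: a credential outside its validity period or use limit, or an application that
    # fails security detection, yields the 'illegal' result and the access is blocked.
    if not first_preset_condition(cred, now):
        return Result.ILLEGAL
    if not second_preset_condition(features, allowlist):
        return Result.ILLEGAL
    cred.uses += 1  # this request consumes one permitted use of the credential
    hits = [rule for rule in rules if rule.condition(env)]
    if not hits:
        return Result.LEGAL  # case (3): no dynamic rule hit, the baseline access rule applies
    # Cases (1) and (2): the highest-priority (lowest order) hit covers any lower-priority hits.
    return min(hits, key=lambda rule: rule.order).result


def constructed_rules() -> list[DynamicRule]:
    """Constructed rules modelled on the 'order 6' (prohibit) and 'order 9' (verify) items of fig. 4."""
    return [
        DynamicRule("order 6: terminal not compliant", 6,
                    lambda e: not e["compliance_ok"], Result.ILLEGAL),
        DynamicRule("order 9: network area changed", 9,
                    lambda e: e["network_area_changed"], Result.REAUTH),
        DynamicRule("order 12: sensitive access from outside the enterprise network", 12,
                    lambda e: not e["in_enterprise_network"], Result.ADJUST_RIGHTS),
    ]


if __name__ == "__main__":
    cred = FirstAccessCredential("alice", "finance-db", expires_at=2000.0, max_uses=5)
    features = {"md5": "md5-of-erp-exe-constructed", "signer": "Example Corp Code Signing"}
    env = {"compliance_ok": False, "network_area_changed": True, "in_enterprise_network": True}
    print(first_credential_result(cred, features, env, constructed_rules(), ALLOWLIST, now=1000.0))
```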
In an alternative embodiment, the target access control policy includes: a first control policy for indicating re-authentication of the service access event, a second control policy for indicating adjustment of access rights to the service access event, a third control policy for indicating that access to the service access event is legal, or a fourth control policy for indicating that access to the service access event is illegal.
According to the method, the management server acquires a first credential acquisition request sent by the terminal for indicating acquisition of a second access credential, wherein the first credential acquisition request comprises a first access credential matched with the service access request when the service access request is detected to indicate access to a first preset service object, the service access request is sent by a target service process in response to a service access event, and the first access credential is determined according to the dynamic factor data and static factor data of the terminal carrying the service management client; determines a first credential acquisition result based on the first access credential in the first credential acquisition request; and sends the first credential acquisition result so that the terminal performs service access control on the service access request based on it. Because the first access credential combines the variable dynamic factor data with the static factor data of the terminal, and the credential acquisition result for obtaining the second access credential is determined from the first access credential and the access control policy list, the terminal achieves real-time access control by hitting a dynamic rule item whenever the network, terminal environment, or security state changes. The handling of suspected abnormal behaviour, and the logic that permits access only after verification, is moved ahead of the sensitive resource access rather than applied as asynchronous blocking after the fact, so the processing is timely and highly flexible.
In addition, service access efficiency and security are improved, and the method and apparatus are applicable to various scenarios such as emergency handling, temporary requirements, and resource access within a specified time period.
Technical details of the method provided in the above embodiments are not described in detail, and reference may be made to the method provided in any of the above embodiments of the disclosure, which is not described herein.
In an alternative embodiment, the present disclosure further provides a service data processing system, where the service data processing system includes a terminal, a gateway device, and a management server, and the terminal includes a service management client and a proxy client. The business data processing system is described in detail below:
the service management client, the proxy client and the management server together form a dynamic access control environment. The service management client is mainly responsible for terminal environment sensing, dynamic compliance detection, flow authentication, application security detection and the like, the proxy client is mainly responsible for flow hijacking and flow forwarding, and the management server is mainly responsible for terminal environment sensing data automatic analysis, access control strategy generation and issuing, network access credential issuing and verification and the like. The interaction logic between the three mainly consists of the following aspects.
(a) The service management client collects terminal environment information, including network area information, egress IP, dynamic compliance detection results and information on running applications. Once a reporting condition set by the management server is triggered (for example, the elapsed time satisfies a periodic reporting condition, or a dynamic factor changes so as to satisfy a change-triggered reporting condition), the terminal environment information is sent to the management server, and the management server determines, based on historical data and the configured security policy, whether the current security environment of the terminal has changed.
(b) When the management server judges, based on the historical data and the configured security policy, that the security level of the terminal has decreased or that a change matching the dynamic access control policy has occurred, the service management client updates its local access control policy, either synchronously as part of the response to the client's report or by a command pushed directly to the terminal, or executes the corresponding processing logic to affect current and subsequent network access. For example, when the management server identifies from the environment data reported by the client that the network area of the terminal has switched from A to B, the rule in the dynamic access control policy that the sensitive service system cannot be accessed from area B is hit.
(c) After the proxy client side successfully applies the network access ticket (second access certificate) to the service management client side, a local ticket cache is constructed according to the valid period or the maximum use times of the ticket issued by the management server side, so that the defect that delay and flow waste are caused by frequent application of the ticket to the service management client side due to the fact that the same application accesses the same service system in a high-speed scene is avoided. In the case that the proxy client bill cache exists and is effective, the proxy client will not initiate flow authentication to the service management client, and directly decide the forwarding and actual proxy of the flow according to the bill cache.
(d) When the dynamic access control strategy changes or the dynamic factor of the terminal changes to trigger the change of the strategy hit rule, the service management client sends a command for designating the interruption of the access session or clearing the designated bill cache to the proxy client. The access session interruption specified by the terminal is applicable to a scene in which the current security environment and state of the terminal do not accord with the dynamic access rule and the current access needs to be interrupted immediately. Clearing the designated ticket cache is suitable for a scene that the subsequent session accessing enterprise resources via the intelligent gateway proxy needs to be reauthenticated or directly accessed, and the proxy client is required to immediately reinitiate a network access ticket application to the service management client, so that the service management client makes different access control behaviors.
The service management client and the proxy client are the key policy enforcement points for zero trust network access control. The proxy client hijacks all network access traffic initiated by the access subject on the terminal. After hijacking the traffic, it parses the destination address and compares it with the enterprise resource information identified in the zero trust access control policy. If it recognizes that the hijacked traffic must be proxied by the intelligent gateway, the proxy client initiates a traffic authentication request to the service management client and, once the service management client has authenticated it, forwards the actual network access traffic to the intelligent gateway through the physical network card, where the intelligent gateway proxies the actual service access. If the hijacked traffic has not gone through the service management client's traffic authentication, or is of a type that does not need to be proxied by the intelligent gateway, the proxy client component carries out the network access and response with the destination service site directly over the physical network card, achieving direct-connection access.
And the proxy client immediately initiates a flow authentication request to the service management client after recognizing that the hijacked flow needs to execute the flow proxy through the intelligent gateway. After receiving the flow authentication request, the service management client component firstly detects an application process of a request initiator, collects PE file information (such as a process file full path, MD5, signature information, process modification time and the like) of the request process, firstly compares the PE file information with a local encrypted cached application process characteristic cache, and if abnormality is found, terminates access. If no abnormality is found or the cache record is not matched, when the access credential is applied to the management server, the process information is cached to initiate asynchronous inspection information to the management server, wherein the asynchronous inspection information comprises the latest modification time of the process file, MD5, SHA256, copyright information, process signature information (comprising a digest algorithm, root certificate information, middle-level certificate information, signature certificate information, signer name and signature state) and the like. After the management server side executes the process inspection, the result is transmitted back to the client side to update the local application process characteristic encryption cache.
The management server policy service is the rule generation and control centre of the zero trust network access control policy. It is also responsible for checking the access ticket application requests sent by the terminal and generating tickets. The access control procedure is as follows:
After receiving the traffic authentication request of the proxy client, the service management client applies to the management server over the network for a ticket, sending the process PE file information (process file full path, MD5, signature information, process modification time and the like), operating system information, URL access information, device information, login user information, the current user login ticket and other relevant information. The management server checks whether the network ticket application request conforms to the access rights of the corresponding user and the access rules of the service system. At the same time, it identifies from the management server censoring cache whether the corresponding process is malicious, and if no information on the process exists in the cache, it initiates asynchronous inspection of the application process with the threat intelligence cloud inspection service. Once the access ticket application request sent by the terminal is found to be compliant, the management server ticket service generates a ticket corresponding to the request and responds to the service management client and the proxy client. The detailed steps may be as follows:
1) And collecting application process information in the enterprise through the client asynchronous inspection so as to form an application library.
2) After receiving a network access ticket application request from a client, the management server first checks, via the management server process censoring cache, whether the process md5 in the ticket request is a trusted md5. If so, it checks whether the process name is in the process name list of the access control policy; if not, the access request is considered to have no authority for the corresponding application to access enterprise resources, and the ticket response is refused; if it is in the list, the next step is performed.
3) The process signature information for processes of the same name is retrieved from the application library according to the process name, and the signature in the ticket application request is compared with that signature information. If they are consistent, the md5 of the process is automatically added to the trusted application md5 list; if the signatures are not consistent, the ticket response is rejected.
4) The management server initiates asynchronous censorship for data in the application library periodically, updates censorship results to the management server censorship cache, and simultaneously sends down the client to update the application process characteristic encryption cache.
The management server incorporates the dynamic factors of the terminal as a core element in the generation of the access control rules, and the terminal monitors the network, security level and environment state in real time. The matching logic of the dynamic rules is triggered automatically whenever a change is detected in a dynamic factor that the access control rules or security policies are concerned with, as follows.
(1) If one of the dynamic rules is hit, access control is performed according to the contents of the dynamic rule.
(2) If two or more dynamic rule items are hit, the items with higher priority automatically override the items with lower priority, according to the priority the administrator assigned when configuring the policy or rule. When an enterprise administrator configures the policy, the management and control end automatically checks the policy or rule configuration and, where a conflict or mutual override relation exists between items, reminds the administrator to configure priorities. If the administrator does not specify them manually, a security-preserving default algorithm ranks the rule items by priority and displays the ranking to the enterprise administrator for review and modification.
(3) If the dynamic rule term is not hit, the policy will follow the general reference access rule and no dynamic control is performed.
And when the dynamic rule is generated and the dynamic factor data is changed, the terminal automatically tries to match, and the management server side executes flexible identity authentication and authority control through the first access certificate (namely the reauthentication bill). The description is as follows:
the first access ticket (i.e., reauthentication ticket) is a special ticket set for sensitive business systems or data access. Unlike login access credentials (i.e., big ticket) and second access credentials (i.e., small ticket), the first access credentials are set specifically for dynamic access to sensitive business systems and data, enhancing access security. Next, the login ticket, the network access ticket, and the reauthentication ticket are described in order:
the login access certificate (namely, big ticket) is a certificate issued by the management server to the terminal after the terminal user passes identity authentication. The terminal user can automatically acquire a login bill after finishing login operation through a plurality of identity authentication modes of the client, and the big bill automatically fails after logging out the client or exceeding the valid period of the bill.
The second access ticket (i.e., small ticket) is a temporary access ticket issued by the zero trust function for each access flow to enterprise resources through the intelligent gateway; within the ticket's validity period, the access agent reuses one ticket for accesses to the same service site by the same application. After the proxy client hijacks traffic, it first checks whether a ticket matching the service site accessed by the current application exists in the local cache. If it exists and is within its validity period, the proxy client uses the cached ticket directly without applying to the service management client; otherwise the proxy client applies to the service management client for a ticket and, once the application succeeds, forwards the access traffic to the gateway device. After the ticket is generated, the proxy client adds it to the ticket cache according to the ticket validity parameters passed by the service management client, and subsequent access traffic is governed by it.
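The proxy-client ticket cache described above and in point (c) and (d) of the system description, as an added example that is not the patent's own code: entries are keyed by (application, service site), expire after the validity period or the maximum number of uses issued by the management server, and can be cleared for a designated site on command from the service management client. Class and method names and the sample values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class CachedTicket:
    ticket: str          # the small ticket (network access credential) itself
    expires: datetime    # maximum effective time set by the management server
    uses_left: int       # maximum use count set by the management server


class TicketCache:
    """Proxy-client side cache of small tickets, keyed by (application, service site).
    Constructed model; the real cache layout is not described in the patent."""

    def __init__(self):
        self._entries = {}

    def store(self, app, site, ticket, valid_for, max_uses, now):
        """Record a freshly issued ticket with the validity parameters passed
        by the service management client."""
        self._entries[(app, site)] = CachedTicket(ticket, now + valid_for, max_uses)

    def lookup(self, app, site, now):
        """Return a usable ticket, consuming one use, or None when the proxy
        client must re-apply to the service management client."""
        entry = self._entries.get((app, site))
        if entry is None:
            return None
        if now >= entry.expires or entry.uses_left <= 0:
            del self._entries[(app, site)]   # stale entry: drop it and re-apply
            return None
        entry.uses_left -= 1
        return entry.ticket

    def clear(self, site=None):
        """Command from the service management client: clear the designated
        ticket cache for one site, or every cached ticket when no site is given."""
        if site is None:
            self._entries.clear()
            return
        for key in [k for k in self._entries if k[1] == site]:
            del self._entries[key]
```

A cleared site forces the next access to that site back through traffic authentication, which is how the service management client makes a changed policy take effect on sessions that were being served from cache.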
The first access ticket (i.e., reauthentication ticket) is intended for the scenario in which an access subject accesses sensitive business systems and data. When the environment state of the terminal and the access behaviour of the access subject (such as the frequency and time of accessing the sensitive service system and data) match the dynamic access rule, the management server triggers the terminal to perform re-authentication, and the sensitive service system and data cannot be accessed until the terminal completes it. After re-authentication is completed, the management server responds to the client with a specific reauthentication ticket for accessing the current sensitive service system and data. The reauthentication ticket records the access rights and access frequency of the access subject for the target system or data within a specific time; it is stored by the terminal and carried on subsequent accesses to the target service system or data, and the management server judges whether the access subject's access to the target system or data is legal according to the reauthentication ticket sent by the terminal together with the environment state of the terminal. If the security state of the terminal does not meet the standard, or the environment state hits a rule item in the access control policy under which the sensitive service system or data cannot be accessed, the management server marks the reauthentication ticket invalid and blocks the current and subsequent access. Access to the related target system or data is released again only when the management server judges that the access control rule is met after the terminal environment changes.
For ease of understanding, fig. 6 is a timing diagram of a service data processing method according to an embodiment of the present disclosure. As shown in fig. 6, a process of performing dynamic trust evaluation and control for a user accessing sensitive service systems or data by a service management client, proxy client, gateway device, and management server is illustrated.
The process of performing dynamic trust evaluation and control by the service management client, proxy client, access gateway and management server for users accessing sensitive service systems or data is described in connection with the above figures.
The service system initiates access to sensitive service sites or data, and the traffic is hijacked by the full-traffic proxy client on the terminal. The proxy client component initiates traffic authentication to the service management client based on the target service system, network protocol, process ID initiating the access and other information about the traffic. The service management client judges, according to the dynamic access control policy issued by the management server, whether the traffic is to be accessed through the access gateway. If a non-enterprise resource is being accessed (such as a public network site), the proxy client is simply answered with direct-access information. If ordinary enterprise resources are being accessed, the service management client collects the process characteristic information, terminal information, login user information, login credentials and traffic characteristics (such as target system, target port, source IP, source port and network protocol) of the network access being initiated, and applies to the management server for a network access credential (ticket).
If, based on the dynamic access control policy, the access is identified as targeting sensitive enterprise resources or data, then while applying to the management server for the network access credential (ticket) with the process characteristic information, terminal information, login user information, login credentials and traffic characteristics of the network access being initiated, the terminal also checks whether its local encrypted persistent storage holds a re-authentication ticket for access to that sensitive system or data; if it does, the service management client includes the re-authentication ticket in the network access credential (ticket) application sent to the management server.
After receiving the ticket application request sent by the service management client, the management server checks whether the reauthentication ticket has expired, and decides whether to respond normally with a ticket based on the current environment and security state information reported by terminal environment awareness, the historical access information of the access subject (such as access time period and frequency) and the dynamic access control rule specified by the enterprise administrator. The main decision flow is as follows:
(1) First, the management server judges, based on the dynamic access control policy, whether the target service system or data is configured as sensitive data; if so, it goes directly to step (2); if not, it goes to step (4).
(2) The management server checks whether the reauthentication ticket is legal (whether it was issued by the management server and whether its format is correct); if it is legal and valid, step (3) is entered, and if it is not legal, step (11) is entered.
(3) The management server decides, according to the reauthentication ticket, whether to release the access based on the access rights for the current sensitive system or data in the current time period. If the access right is held in the current time period, step (4) is entered; otherwise step (11) is entered.
(4) The management server compares the application characteristic information in the ticket application request (such as md5, signature information and application copyright information) with the application censoring cache. If the application is found to be a high-risk application, step (5) is entered; otherwise step (11) is entered.
(5) The management server adds the application characteristic information in the ticket application request (such as md5, signature information and application copyright information) to the censoring queue, and according to the configured policy sends the application information in the queue to the threat intelligence cloud inspection service for process censoring. The local application censoring cache is updated according to the result returned by the service.
(6) The management server judges, based on the dynamic access control policy, whether the designated application has the authority to access the corresponding service system or data; if it does, step (7) is entered; otherwise step (11) is entered.
(7) Based on the security access policy and combining dynamic factors such as the access subject's object operation data, the terminal network, the security state and the terminal environment, the management server determines whether to release the access directly, to allow the access after adjusting the access rights, or to block the access. If the access is released, step (9) is entered; if the rights need to be adjusted, step (8) is entered; otherwise step (11) is entered.
(8) The management server adjusts the access rights that the reauthentication ticket grants for the current sensitive system or data.
(9) The management server responds to the client with the network access ticket (small ticket), at the same time specifying its maximum effective time and maximum number of uses, which the proxy client uses as the basis for its ticket cache; step (10) is then entered.
(10) The service management client controls the traffic according to the management server's response: if the management server successfully responds with the network access ticket (small ticket), the service management client forwards the ticket to the proxy client, and the proxy client forwards the traffic and the ticket to the access gateway, which performs the actual service proxying.
(11) The management server refuses to respond to the client with the network access ticket (small ticket), and states the reason for the refusal: either the client does not have access authority for the related service system (blocking), or the access requires verification first (re-authentication).
(12) If the management server fails to respond with the network access ticket (small ticket) and the stated reason is that the client does not have access authority for the related service system (blocking), the service management client directly sends a traffic blocking command to the proxy client, and the proxy client blocks the current traffic without forwarding it.
(13) If the management server fails to respond with the network access ticket (small ticket) and the stated reason is that the access requires verification first (re-authentication), the service management client directly sends a blocking command to the proxy client, and the proxy client blocks the current traffic without forwarding it; at the same time, the service management client pops up the related re-authentication interface to remind the end user to verify their identity again before accessing the sensitive service system or data.
(14) After the end user completes the re-authentication operation, the client encrypts the re-authentication ticket returned by the management server and stores it in the local persistence library.
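The management server decision flow of steps (1) to (11), as an added example that is not the patent's own code: a constructed Python model in which the re-authentication ticket is a record MACed by the management server (so "issued by the management server" and "correct format" in step (2) can be checked), the censoring cache holds a verdict per application md5, and the dynamic factors of step (7) are reduced to the terminal's network area. All names, data structures and sample values are assumptions; steps (4) and (5) follow the earlier description in which a process with no cached verdict is queued for asynchronous inspection while a high-risk verdict is blocked.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import hashlib
import hmac
import json

# Assumption: the management server keeps this key and MACs every reauthentication
# ticket it issues. Constructed value, not from the patent.
SERVER_KEY = b"constructed-demo-key"


@dataclass
class ReauthTicket:
    """Model of the first access credential (reauthentication ticket)."""
    subject: str
    target: str
    not_after: datetime      # validity period set by the administrator
    hours: tuple             # (start_hour, end_hour): time period in which access is allowed
    max_uses: int            # access frequency granted for the target
    mac: str = ""

    def body(self) -> bytes:
        return json.dumps([self.subject, self.target, self.not_after.isoformat(),
                           list(self.hours), self.max_uses]).encode()


def issue_reauth_ticket(subject, target, not_after, hours, max_uses) -> ReauthTicket:
    """Server side: the ticket the terminal stores after re-authentication (step 14)."""
    t = ReauthTicket(subject, target, not_after, hours, max_uses)
    t.mac = hmac.new(SERVER_KEY, t.body(), hashlib.sha256).hexdigest()
    return t


@dataclass
class TicketRequest:
    """Network access ticket application sent by the service management client."""
    subject: str
    target: str
    app_md5: str
    app_signer: str
    network_area: str
    now: datetime
    reauth: Optional[ReauthTicket] = None


@dataclass
class Policy:
    sensitive: set                 # targets configured as sensitive systems or data (step 1)
    censor_cache: dict             # app md5 -> "clean" | "high_risk" (step 4)
    allowed_signers: dict          # target -> signers whose apps may reach it (step 6)
    blocked_areas: dict            # target -> network areas that are blocked (step 7)
    restricted_areas: dict         # target -> areas allowed only with reduced rights (step 8)
    censor_queue: list = field(default_factory=list)   # asynchronous inspection queue (step 5)


def decide(req: TicketRequest, policy: Policy):
    """Return ("ticket", {...}) for step (9), or ("deny", "reauth" | "block") for step (11)."""
    granted_uses = None
    # (1) sensitive target: the reauthentication ticket is mandatory
    if req.target in policy.sensitive:
        t = req.reauth
        # (2) legal (issued by this server, well formed, for this subject and target) and not expired
        if t is None or t.subject != req.subject or t.target != req.target:
            return ("deny", "reauth")
        expected = hmac.new(SERVER_KEY, t.body(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, t.mac) or req.now > t.not_after:
            return ("deny", "reauth")
        # (3) does the ticket grant access in the current time period?
        start, end = t.hours
        if not (start <= req.now.hour < end):
            return ("deny", "block")
        granted_uses = t.max_uses
    # (4)/(5) application censoring cache: high-risk is blocked, unknown is queued
    verdict = policy.censor_cache.get(req.app_md5)
    if verdict == "high_risk":
        return ("deny", "block")
    if verdict is None:
        policy.censor_queue.append(req.app_md5)
    # (6) is this application allowed to access the target at all?
    if req.app_signer not in policy.allowed_signers.get(req.target, set()):
        return ("deny", "block")
    # (7)/(8) dynamic factors: block, adjust the rights, or release
    if req.network_area in policy.blocked_areas.get(req.target, set()):
        return ("deny", "block")
    if req.network_area in policy.restricted_areas.get(req.target, set()):
        granted_uses = 1 if granted_uses is None else min(granted_uses, 1)
    # (9) issue the small ticket together with the parameters the proxy client caches
    return ("ticket", {"target": req.target,
                       "max_effective": req.now + timedelta(minutes=10),
                       "max_uses": granted_uses if granted_uses is not None else 50})
```

The distinction between the two refusal reasons is what drives steps (12) and (13): a "reauth" refusal makes the service management client open the re-authentication interface, while a "block" refusal only blocks the traffic.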
When the service management client subsequently accesses the sensitive service system or data, it reads the re-authentication ticket from the local persistence library and carries it when applying to the management server for the network access ticket. The management server is responsible for checking the validity period and rights of the reauthentication ticket. If the management server judges that the re-authentication ticket is legal and within the validity period set by the administrator, the sensitive service system or data is accessed without repeating re-authentication; if the reauthentication ticket is illegal or outside its validity period, the management server requests the service management client to initiate re-authentication again, and the current access session is closed. At the same time, the management server releases access to the related sensitive system or data according to the access rights of the re-authentication ticket; if the rights of the re-authentication ticket have been reduced or adjusted, the session accesses the business system with the rights that remain valid.
It should be noted that, technical details not described in detail in the foregoing embodiments may refer to the method provided by any embodiment of the disclosure, which is not described herein.
The following are device embodiments of the present disclosure that may be used to perform method embodiments of the present disclosure. For details not disclosed in the embodiments of the apparatus of the present disclosure, please refer to the embodiments of the method of the present disclosure.
Referring to fig. 7, a block diagram of a service data processing apparatus according to an embodiment of the disclosure is shown. The device has the functions for realizing the method examples, and the functions can be realized by hardware or can be realized by corresponding software executed by hardware. The service data processing apparatus may include:
a first request sending module 710, configured to initiate a service access request through a target service process in response to a service access event;
a first obtaining module 720, configured to obtain a first access credential that matches the service access request when the service access request is detected to indicate access to a first preset service object; the first access credential is determined according to dynamic factor data and static factor data of a terminal carrying the service management client;
A second request sending module 730, configured to send a first credential obtaining request to a management server, where the first credential obtaining request is used to indicate obtaining a second access credential, and the first credential obtaining request includes the first access credential;
a second obtaining module 740, configured to obtain a first credential obtaining result determined by the management server based on the first access credential;
and the processing module 750 is configured to perform service access control on the service access request based on the first credential acquisition result.
In an alternative embodiment, the processing module is specifically configured to:
generating a re-authentication instruction under the condition that the first credential acquisition result is used for indicating to re-authenticate the service access event;
generating a third access credential in response to a triggering operation of the re-authentication instruction;
and based on the third access credential, performing service access control on the service access request.
In an alternative embodiment, the processing module further specifically includes:
sending a second credential acquisition request for indicating to acquire a second access credential to a management server, wherein the credential acquisition request comprises the third access credential;
acquiring a second credential acquisition result determined by the management server based on the third access credential and the access control policy list;
And controlling the service access of the service access request based on the second certificate acquisition result.
In an alternative embodiment, the processing module is specifically configured to:
acquiring the adjusted target access right under the condition that the first certificate acquisition result is used for indicating to adjust the access right of the service access event;
acquiring a second access credential determined by the management server based on the target access right;
and carrying out service access control on the service access request based on the acquired second access certificate.
In an alternative embodiment, the processing module is specifically configured to:
acquiring a second access credential determined by the management server under the condition that the first credential acquisition result is used for indicating that the access to the service access event is legal;
based on the acquired second access credential, performing service access control on the service access request; or, alternatively,
and controlling to block the service access request under the condition that the first certificate acquisition result is used for indicating that the access to the service access event is illegal.
Referring to fig. 8, a block diagram of a service data processing apparatus according to an embodiment of the disclosure is shown. The apparatus has the functions needed to carry out the method examples above; these functions may be implemented in hardware or by corresponding software executed by hardware. The service data processing apparatus may include:
a first obtaining module 810, configured to obtain a first credential acquisition request sent by a terminal and used to instruct acquisition of a second access credential, where the first credential acquisition request includes a first access credential matched with a service access request, the first access credential is obtained when the service access request is detected to indicate access to a first preset service object, the service access request is sent by a target service process in response to a service access event, and the first access credential is determined from dynamic factor data and static factor data of the terminal carrying the service management client;
a result determining module 820, configured to determine a first credential acquisition result based on the first access credential in the first credential acquisition request;
and a sending module 830, configured to send the first credential acquisition result, so that the terminal performs service access control on the service access request based on the first credential acquisition result.
In an alternative embodiment, the apparatus further comprises:
a second acquisition module, configured to acquire network environment data obtained by real-time monitoring of the terminal;
and a rejection processing module, configured to reject the service access request when the network environment data indicates that a preset access condition is not met.
In an alternative embodiment, the result determining module is specifically configured to:
when the service access request indicates access to target data, acquire access attribute information of the first access credential and application feature information of the service management client corresponding to the service access request;
and determine the first credential acquisition result based on the access attribute information and the application feature information.
In an alternative embodiment, the result determining module is further configured to:
acquire at least one target access control policy when the access attribute information meets a first preset condition and the application feature information meets a second preset condition;
and determine the first credential acquisition result based on the at least one target access control policy and the priority corresponding to each target access control policy.
In an alternative embodiment, the target access control policy includes: a first control policy indicating re-authentication of the service access event, a second control policy indicating adjustment of the access right of the service access event, a third control policy indicating that access by the service access event is legal, or a fourth control policy indicating that access by the service access event is illegal.
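The terminal-side flow of the processing module (re-authentication with a third credential and a second request, rights adjustment, legal and illegal results) and the server-side determination of the result determining module (the two preset conditions, priority-ordered target access control policies, rejection on network environment data), simulated end to end. This is an added example and not code from the patent or from Tencent: the HMAC binding of the credential to the factor data, the freshness window, the trusted client versions, the policy list, the attribute names and the "read-only" adjusted right are all this example's assumptions, and both sides run in one process rather than over a network.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass
from enum import Enum
from typing import Callable

# Constructed demo key shared by the service management client and the management server.
# The patent does not say how a credential is bound to the terminal's factor data; an HMAC
# over that data, the TTL and the trusted client versions are this example's assumptions.
SHARED_KEY = b"constructed-demo-key"
CREDENTIAL_TTL = 300  # seconds
TRUSTED_CLIENT_VERSIONS = {"2.4.1", "2.4.2"}

class Policy(Enum):
    """The four target access control policies named in the description."""
    REAUTH = "re-authenticate"  # first control policy
    ADJUST = "adjust-rights"    # second control policy
    LEGAL = "legal"             # third control policy
    ILLEGAL = "illegal"         # fourth control policy

def _mac(static: dict, dynamic: dict) -> str:
    msg = json.dumps({"static": static, "dynamic": dynamic}, sort_keys=True).encode()
    return hmac.new(SHARED_KEY, msg, hashlib.sha256).hexdigest()

def make_credential(static: dict, dynamic: dict) -> dict:
    """Terminal side: an access credential built from static and dynamic factor data."""
    return {"static": static, "dynamic": dynamic, "mac": _mac(static, dynamic)}

@dataclass
class Rule:
    """One entry of the access control policy list; a lower priority number wins."""
    policy: Policy
    priority: int
    match: Callable[[dict, dict], bool]  # (access attribute info, app feature info)

POLICY_LIST = [  # constructed policy list
    Rule(Policy.ILLEGAL, 0, lambda a, f: a["rooted"]),
    Rule(Policy.REAUTH, 1, lambda a, f: a["new_device"] and not a["reauth"]),
    Rule(Policy.ADJUST, 2, lambda a, f: a["off_hours"]),
    Rule(Policy.LEGAL, 9, lambda a, f: True),  # catch-all, so at least one policy matches
]

def network_condition_met(env: dict) -> bool:
    """Preset access condition on the terminal's monitored network environment (assumed)."""
    return not env.get("proxy", False) and env.get("network") == "corp"

def issue_second_credential(cred: dict, right: str) -> dict:
    """Management server: second access credential bound to the terminal and the granted right."""
    subject = cred["static"]["device_id"]
    mac = hmac.new(SHARED_KEY, f"{subject}|{right}".encode(), hashlib.sha256).hexdigest()
    return {"subject": subject, "right": right, "mac": mac}

def determine_result(cred: dict, app_features: dict, now: float, policy_list=POLICY_LIST) -> dict:
    """Management server: the credential acquisition result for one submitted credential."""
    d = cred["dynamic"]
    # First preset condition: the credential verifies and is fresh.
    valid = hmac.compare_digest(_mac(cred["static"], d), cred.get("mac", ""))
    fresh = valid and now - d["issued_at"] <= CREDENTIAL_TTL
    # Second preset condition: the service management client is a trusted, signed build.
    client_ok = app_features.get("version") in TRUSTED_CLIENT_VERSIONS and app_features.get("signed", False)
    if not (fresh and client_ok):
        return {"policy": Policy.ILLEGAL, "reason": "preset condition not met"}
    attrs = {  # access attribute information derived from the credential
        "rooted": d.get("rooted", False),
        "new_device": d.get("device_seen_before") is False,
        "off_hours": not 9 <= d["hour"] < 18,
        "reauth": d.get("reauth", False),
    }
    chosen = min((r for r in policy_list if r.match(attrs, app_features)), key=lambda r: r.priority)
    result = {"policy": chosen.policy}
    if chosen.policy is Policy.LEGAL:
        result["second_credential"] = issue_second_credential(cred, "full")
    elif chosen.policy is Policy.ADJUST:
        result["target_right"] = "read-only"  # the adjusted target access right
    return result

def terminal_access_control(cred: dict, app_features: dict, now: float, env: dict, reauthenticate=None) -> tuple:
    """Terminal side: returns ("allow", granted right) or ("block", reason)."""
    if not network_condition_met(env):  # server-side rejection on network environment data
        return ("block", "network condition not met")
    result = determine_result(cred, app_features, now)  # first credential acquisition request
    if result["policy"] is Policy.REAUTH:
        if reauthenticate is None:
            return ("block", "re-authentication unavailable")
        cred = reauthenticate()  # third access credential produced by the re-authentication instruction
        result = determine_result(cred, app_features, now)  # second credential acquisition request
        if result["policy"] is Policy.REAUTH:
            return ("block", "re-authentication failed")  # a single re-authentication round
    if result["policy"] is Policy.ADJUST:
        return ("allow", issue_second_credential(cred, result["target_right"])["right"])
    if result["policy"] is Policy.LEGAL:
        return ("allow", result["second_credential"]["right"])
    return ("block", result.get("reason", "illegal"))
```

Two design points worth noting. The server evaluates every matching policy and lets the lowest priority number win, so an ILLEGAL match (here a rooted device) overrides a LEGAL catch-all regardless of list order; and the terminal allows exactly one re-authentication round, so a policy that keeps answering "re-authenticate" cannot drive the client into a loop. A tampered or stale first credential never reaches policy matching because the first preset condition fails first.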
The apparatus provided in the above embodiment can execute the corresponding method of the disclosed embodiments and has the functional modules and beneficial effects of that method. For technical details not described in the above embodiments, refer to the methods provided by any embodiment of the disclosure.
The disclosed embodiments provide a computer device that may include a processor and a memory having stored therein at least one instruction, at least one program, code set, or instruction set that is loaded and executed by the processor to implement a method as described in any of the method embodiments described above.
The disclosed embodiments also provide a computer readable storage medium having stored therein at least one instruction, at least one program, code set, or instruction set that is loaded by a processor and that performs the method of any of the above method embodiments.
The disclosed embodiments also provide a computer program product or computer program comprising computer instructions stored in a computer readable storage medium. The processor of the computer device reads the computer instructions from the computer-readable storage medium, and the processor executes the computer instructions to cause the computer device to perform any of the methods described above for the present embodiment.
Further, fig. 9 shows a schematic hardware structure of an apparatus for implementing the method provided by the embodiments of the disclosure. The apparatus may be a computer terminal, a mobile terminal or another device, and it may also form part of, or include, an apparatus provided by the embodiments of the disclosure. As shown in fig. 9, the computer terminal 11 may include one or more processors 112 (shown as 112a, 112b, ..., 112n in the figure; the processor 112 may include, but is not limited to, a microprocessor (MCU), a programmable logic device (FPGA) or similar processing means), a memory 114 for storing data, and a transmission means 116 for communication functions. In addition, the computer terminal 11 may further include a display, an input/output interface (I/O interface), a Universal Serial Bus (USB) port (which may be one of the ports of the I/O interface), a network interface, a power supply, and/or a camera. Those skilled in the art will appreciate that the configuration shown in fig. 9 is merely illustrative and does not limit the configuration of the electronic device. For example, the computer terminal 11 may include more or fewer components than shown in fig. 9, or have a different configuration from that shown in fig. 9.
It should be noted that the one or more processors 112 and/or other data processing circuits described above may be referred to generally herein as "data processing circuits". The data processing circuit may be embodied in whole or in part in software, hardware, firmware, or any combination of these. Furthermore, the data processing circuit may be a single stand-alone processing module, or be incorporated in whole or in part into any of the other elements of the computer terminal 11 (or mobile device). As referred to in the embodiments of the disclosure, the data processing circuit acts as a processor control (e.g., selecting the variable-resistance termination path to interface with).
The memory 114 may be used to store software programs and modules of application software, such as the program instructions/data storage devices corresponding to the methods described in the embodiments of the disclosure; the processor 112 executes the software programs and modules stored in the memory 114 to perform various functional applications and data processing, i.e., to implement the service data processing method described above. The memory 114 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 114 may further include memory located remotely from the processor 112, which may be connected to the computer terminal 11 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission means 116 is used to receive or transmit data via a network. Specific examples of the network include a wireless network provided by a communication provider of the computer terminal 11. In one example, the transmission means 116 includes a network adapter (Network Interface Controller, NIC) that can connect to other network devices through a base station to communicate with the internet. In another example, the transmission means 116 may be a radio frequency (RF) module for communicating with the internet wirelessly.
The display may be, for example, a touch screen type Liquid Crystal Display (LCD) that may enable a user to interact with a user interface of the computer terminal 11 (or mobile device).
It should be noted that: the foregoing sequence of the embodiments of the present disclosure is merely for description and does not represent the advantages or disadvantages of the embodiments. And the foregoing has described certain embodiments of the present disclosure. Other embodiments are within the scope of the following claims. In some cases, the actions or steps recited in the claims can be performed in a different order than in the embodiments and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In some embodiments, multitasking and parallel processing are also possible or may be advantageous.
The various embodiments in this disclosure are described in a progressive manner; identical and similar parts of the embodiments may be referred to one another, and each embodiment is described mainly in terms of how it differs from the others. In particular, since the device and server embodiments are substantially similar to the method embodiments, their description is relatively brief, and the corresponding parts of the description of the method embodiments apply.
It will be understood by those skilled in the art that all or part of the steps for implementing the above embodiments may be implemented by hardware, or may be implemented by a program for instructing relevant hardware, where the program may be stored in a computer readable storage medium, and the storage medium may be a read-only memory, a magnetic disk or an optical disk, etc.
The foregoing description of the preferred embodiments of the disclosure is not intended to limit the disclosure; any modification, equivalent replacement, improvement or the like made within the spirit and principles of the disclosure falls within its scope.

Claims (15)

1. A method for processing service data, comprising:
responding to a service access event, and initiating a service access request through a target service process;
acquiring a first access credential matched with the service access request when the service access request is detected to indicate access to a first preset service object, the first access credential being determined according to dynamic factor data and static factor data of a terminal carrying a service management client;
sending a first credential acquisition request for indicating acquisition of a second access credential to a management server, wherein the first credential acquisition request comprises the first access credential;
acquiring a first credential acquisition result determined by the management server based on the first access credential and an access control policy list;
and performing service access control on the service access request based on the first credential acquisition result.
2. The method of claim 1, wherein the performing service access control on the service access request based on the first credential acquisition result comprises:
generating a re-authentication instruction under the condition that the first credential acquisition result is used for indicating to re-authenticate the service access event;
generating a third access credential in response to a triggering operation of the re-authentication instruction;
and based on the third access credential, performing service access control on the service access request.
3. The method of claim 2, wherein the performing service access control on the service access request based on the third access credential comprises:
sending a second credential acquisition request for indicating acquisition of the second access credential to the management server, wherein the second credential acquisition request comprises the third access credential;
acquiring a second credential acquisition result determined by the management server based on the third access credential and the access control policy list;
and performing service access control on the service access request based on the second credential acquisition result.
4. A method according to any one of claims 1-3, wherein said performing service access control on said service access request based on said first credential acquisition result comprises:
acquiring an adjusted target access right when the first credential acquisition result indicates that the access right of the service access event is to be adjusted;
acquiring a second access credential determined by the management server based on the target access right;
and performing service access control on the service access request based on the acquired second access credential.
5. A method according to any one of claims 1-3, wherein said performing service access control on said service access request based on said first credential acquisition result comprises:
acquiring a second access credential determined by the management server when the first credential acquisition result indicates that access by the service access event is legal, and performing service access control on the service access request based on the acquired second access credential;
or blocking the service access request when the first credential acquisition result indicates that access by the service access event is illegal.
6. A method for processing service data, comprising:
acquiring a first credential acquisition request sent by a terminal and used for indicating acquisition of a second access credential, wherein the first credential acquisition request comprises a first access credential matched with a service access request, the first access credential is acquired when the service access request is detected to indicate access to a first preset service object, the service access request is sent by a target service process in response to a service access event, and the first access credential is determined according to dynamic factor data and static factor data of the terminal carrying a service management client;
determining a first credential acquisition result based on the first access credential in the first credential acquisition request and an access control policy list;
and sending the first credential acquisition result, so that the terminal performs service access control on the service access request based on the first credential acquisition result.
7. The method of claim 6, wherein the method further comprises:
acquiring network environment data obtained by real-time monitoring of the terminal;
and rejecting the service access request when the network environment data indicates that a preset access condition is not met.
8. The method of claim 6, wherein the determining a first credential acquisition result based on the first access credential and the access control policy list in the first credential acquisition request comprises:
when the service access request indicates access to target data, acquiring access attribute information of the first access credential and application feature information of the service management client corresponding to the service access request;
and determining the first credential acquisition result based on the access attribute information, the application feature information and the access control policy list.
9. The method of claim 8, wherein the determining a first credential acquisition result based on the access attribute information, the application feature information, and an access control policy list comprises:
determining at least one target access control policy from the access control policy list when the access attribute information meets a first preset condition and the application feature information meets a second preset condition;
and determining the first credential acquisition result based on the at least one target access control policy and the priority corresponding to each target access control policy.
10. The method of claim 9, wherein the target access control policy comprises: a first control policy indicating re-authentication of the service access event, a second control policy indicating adjustment of the access right of the service access event, a third control policy indicating that access by the service access event is legal, or a fourth control policy indicating that access by the service access event is illegal.
11. A service data processing apparatus, the apparatus comprising:
a first request sending module, configured to respond to a service access event and initiate a service access request through a target service process;
a first acquisition module, configured to acquire a first access credential matched with the service access request when the service access request is detected to indicate access to a first preset service object, the first access credential being determined according to dynamic factor data and static factor data of a terminal carrying a service management client;
a second request sending module, configured to send a first credential acquisition request for indicating acquisition of a second access credential to a management server, wherein the first credential acquisition request comprises the first access credential;
a second acquisition module, configured to acquire a first credential acquisition result determined by the management server based on the first access credential and an access control policy list;
and a processing module, configured to perform service access control on the service access request based on the first credential acquisition result.
12. A service data processing apparatus, the apparatus comprising:
a first acquisition module, configured to acquire a first credential acquisition request sent by a terminal and used for indicating acquisition of a second access credential, wherein the first credential acquisition request comprises a first access credential matched with a service access request, the first access credential is acquired when the service access request is detected to indicate access to a first preset service object, the service access request is sent by a target service process in response to a service access event, and the first access credential is determined according to dynamic factor data and static factor data of the terminal carrying a service management client;
a result determining module, configured to determine a first credential acquisition result based on the first access credential in the first credential acquisition request and an access control policy list;
and a sending module, configured to send the first credential acquisition result, so that the terminal performs service access control on the service access request based on the first credential acquisition result.
13. An electronic device comprising a processor and a memory, wherein the memory stores at least one instruction or at least one program that is loaded and executed by the processor to implement the service data processing method of any one of claims 1-5 or the service data processing method of any one of claims 6-10.
14. A computer readable storage medium storing at least one instruction or at least one program that is loaded and executed by a processor to implement the service data processing method of any one of claims 1-5 or the service data processing method of any one of claims 6-10.
15. A computer program product comprising at least one instruction or at least one program that is loaded and executed by a processor to implement the service data processing method of any one of claims 1-5 or the service data processing method of any one of claims 6-10.
CN202210106482.3A 2022-01-28 2022-01-28 Service data processing method, device, equipment and medium Pending CN116567083A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210106482.3A CN116567083A (en) 2022-01-28 2022-01-28 Service data processing method, device, equipment and medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210106482.3A CN116567083A (en) 2022-01-28 2022-01-28 Service data processing method, device, equipment and medium

Publications (1)

Publication Number Publication Date
CN116567083A true CN116567083A (en) 2023-08-08

Family

ID=87497040

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210106482.3A Pending CN116567083A (en) 2022-01-28 2022-01-28 Service data processing method, device, equipment and medium

Country Status (1)

Country Link
CN (1) CN116567083A (en)

Similar Documents

Publication Publication Date Title
CN110213215B (en) Resource access method, device, terminal and storage medium
US20070136603A1 (en) Method and apparatus for providing secure access control for protected information
US20120311696A1 (en) Override for Policy Enforcement System
US10726141B2 (en) Dynamically constructed capability for enforcing object access order
CN111898124B (en) Process access control method and device, storage medium and electronic equipment
US11647026B2 (en) Automatically executing responsive actions based on a verification of an account lineage chain
CN113536258A (en) Terminal access control method and device, storage medium and electronic equipment
US9589130B2 (en) Application trust-listing security service
US10958670B2 (en) Processing system for providing console access to a cyber range virtual environment
US11381972B2 (en) Optimizing authentication and management of wireless devices in zero trust computing environments
US20230362263A1 (en) Automatically Executing Responsive Actions Upon Detecting an Incomplete Account Lineage Chain
CN116938590B (en) Cloud security management method and system based on virtualization technology
CN114003943A (en) Safe double-control management platform for computer room trusteeship management
CN114745145B (en) Business data access method, device and equipment and computer storage medium
US20200145420A1 (en) Processing System For Providing Console Access To A Cyber Range Virtual Environment
KR101775517B1 (en) Client for checking security of bigdata system, apparatus and method for checking security of bigdata system
KR102102932B1 (en) Hacking Defense Contest System That Evaluates Optimization of Vulnerability Patch
CN116567083A (en) Service data processing method, device, equipment and medium
US10412097B1 (en) Method and system for providing distributed authentication
CN112104625A (en) Process access control method and device
GB2583931A (en) Network vulnerability detection
CN116155565B (en) Data access control method and device
CN116961967A (en) Data processing method, device, computer readable medium and electronic equipment
CN116996238A (en) Processing method and related device for network abnormal access
CN116800454A (en) Method and system for data processing based on cloud platform

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination