CN116980167A - Zero-trust access control policy processing method, device, medium and program product - Google Patents


Info

Publication number: CN116980167A
Authority: CN (China)
Prior art keywords: policy rule, rule item, policy, item, strategy
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202310084812.8A
Other languages: Chinese (zh)
Inventor: 吴岳廷
Current Assignee: Tencent Technology Shenzhen Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Tencent Technology Shenzhen Co Ltd
Application filed by Tencent Technology Shenzhen Co Ltd
Priority to CN202310084812.8A
Publication of CN116980167A

Classifications

    • H: Electricity
    • H04: Electric communication technique
    • H04L: Transmission of digital information, e.g. telegraphic communication
    • H04L 63/00: Network architectures or network communication protocols for network security
    • H04L 63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L 63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L 63/1433: Vulnerability analysis
    • H04L 63/1441: Countermeasures against malicious traffic
    • H04L 63/20: Network architectures or network communication protocols for network security for managing network security; network security policies in general
    • H04L 63/205: Network architectures or network communication protocols for network security for managing network security; network security policies in general involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved


Abstract

The application provides a zero-trust access control policy processing method, device, medium and program product. The method comprises: receiving a new-version zero-trust access control policy issued by a server; acquiring first characteristic information of a first traffic authentication request; if the first characteristic information successfully matches a first policy rule item of the dynamically adjustable type in the new-version zero-trust access control policy, not executing the disposal action corresponding to that policy rule item but collecting audit data; and reporting the audit data to the server so that the server can adjust the first policy rule item. The adjusted first policy rule item is tested in the same way until it is no longer adjusted, and the first associated policy rule item in the current-version zero-trust access control policy is then updated to the finally adjusted first policy rule item, so that the user access experience is not affected.

Description

Zero-trust access control policy processing method, device, medium and program product
Technical Field
Embodiments of the present application relate to the technical field of network security, and in particular to a zero-trust access control policy processing method, device, medium and program product.
Background
A zero-trust access control policy controls a user's access authority to intranet resources such as service sites. It is mainly used to verify the credibility of the user, the credibility of the application from which the user accesses and the credibility of the terminal from which the user accesses, and to confirm whether the user has the authority to access a given intranet resource, among other checks. The granularity of a zero-trust access control policy is the user: different zero-trust access control policies can be formulated for different users.
To keep intranet resource access secure, an administrator often updates the version of the zero-trust access control policy. In the related art, the server issues the new-version zero-trust access control policy to the terminal device; the terminal device updates the current-version policy to the new version, performs intranet resource access according to the new version, and reports audit data to the server so that the administrator can judge whether the new-version policy is reasonable. If it is not, the administrator adjusts the new-version policy and issues the adjusted policy to the terminal device through the server; the terminal device updates to the adjusted policy, performs resource access according to it, and again reports audit data for the administrator to judge, and so on, until the administrator considers that the new-version zero-trust access control policy no longer needs adjustment.
However, the new-version zero-trust access control policy may include unreasonable policy rule items. For example, in some scenarios a certain user should be allowed to access a certain intranet resource through a certain application, but the handling action of the matched policy rule item is to refuse that user access to that intranet resource through that application in that scenario. In summary, the policy handling approach described above may affect the user access experience.
Disclosure of Invention
The application provides a zero-trust access control policy processing method, device, medium and program product, so that the user access experience is not affected.
In a first aspect, an embodiment of the present application provides a method for processing a zero-trust access control policy. The method is applied to a terminal device and includes: receiving a new-version zero-trust access control policy issued by a server; acquiring first characteristic information of a first traffic authentication request; if the first characteristic information successfully matches a first policy rule item of the dynamically adjustable type in the new-version zero-trust access control policy, not executing the disposal action corresponding to the first policy rule item, and collecting audit data; reporting the audit data to the server so that the server determines an evaluation index of the first policy rule item based on the audit data and, when the evaluation index meets the corresponding preset condition, responds to a confirmation operation on the first policy rule item by generating a policy update instruction, or, when the evaluation index does not meet the corresponding preset condition, responds to an adjustment operation on the first policy rule item by generating a second policy rule item; receiving the policy update instruction issued by the server and, based on it, updating the first associated policy rule item of the first policy rule item in the current-version zero-trust access control policy to the first policy rule item; or receiving the second policy rule item issued by the server, updating the first policy rule item to the second policy rule item, acquiring second characteristic information of a second traffic authentication request, taking the second characteristic information as the new first characteristic information and the second policy rule item as the new first policy rule item, and continuing to perform the step of, when the first characteristic information successfully matches a first policy rule item of the dynamically adjustable type in the new-version zero-trust access control policy, not executing the disposal action corresponding to the first policy rule item and collecting audit data, until the first policy rule item is no longer adjusted.
In a second aspect, an embodiment of the present application provides a method for processing a zero-trust access control policy. The method is applied to a server and includes: issuing a new-version zero-trust access control policy to the terminal device; receiving audit data reported by the terminal device, the audit data being collected by the terminal device when the first characteristic information of a first traffic authentication request successfully matches a first policy rule item of the dynamically adjustable type in the new-version zero-trust access control policy; determining an evaluation index of the first policy rule item based on the audit data; when the evaluation index meets the corresponding preset condition, responding to a confirmation operation on the first policy rule item by generating a policy update instruction and issuing it to the terminal device, the policy update instruction indicating that the first associated policy rule item of the first policy rule item in the current-version zero-trust access control policy is to be updated to the first policy rule item; or, when the evaluation index does not meet the corresponding preset condition, responding to an adjustment operation on the first policy rule item by generating a second policy rule item and issuing it to the terminal device.
In a third aspect, an embodiment of the present application provides a zero-trust access control policy processing apparatus comprising a transceiver module and a processing module. The transceiver module is used to receive a new-version zero-trust access control policy issued by the server and to acquire first characteristic information of a first traffic authentication request. The processing module is used, if the first characteristic information successfully matches a first policy rule item of the dynamically adjustable type in the new-version zero-trust access control policy, to not execute the disposal action corresponding to the first policy rule item and to collect audit data. The transceiver module is further used to report the audit data to the server so that the server determines an evaluation index of the first policy rule item based on the audit data and, when the evaluation index meets the corresponding preset condition, responds to a confirmation operation on the first policy rule item by generating a policy update instruction, or, when the evaluation index does not meet the corresponding preset condition, responds to an adjustment operation on the first policy rule item by generating a second policy rule item. The transceiver module is further used to receive the policy update instruction issued by the server, and the processing module is further used to update, based on the policy update instruction, the first associated policy rule item of the first policy rule item in the current-version zero-trust access control policy to the first policy rule item; or the transceiver module is further used to receive the second policy rule item issued by the server, the processing module is further used to update the first policy rule item to the second policy rule item, the transceiver module is further used to acquire second characteristic information of a second traffic authentication request, and the processing module is further used to take the second characteristic information as the new first characteristic information and the second policy rule item as the new first policy rule item and to continue performing the step of not executing the disposal action and collecting audit data when the first characteristic information successfully matches a first policy rule item of the dynamically adjustable type in the new-version zero-trust access control policy, until the first policy rule item is no longer adjusted.
In a fourth aspect, an embodiment of the present application provides a zero-trust access control policy processing apparatus comprising a transceiver module and a processing module. The transceiver module is used to issue a new-version zero-trust access control policy to the terminal device and to receive audit data reported by the terminal device, the audit data being collected by the terminal device when the first characteristic information of a first traffic authentication request successfully matches a first policy rule item of the dynamically adjustable type in the new-version zero-trust access control policy. The processing module is used to determine an evaluation index of the first policy rule item based on the audit data and, when the evaluation index meets the corresponding preset condition, to respond to a confirmation operation on the first policy rule item by generating a policy update instruction; the transceiver module is further used to issue the policy update instruction to the terminal device, the policy update instruction indicating that the first associated policy rule item of the first policy rule item in the current-version zero-trust access control policy is to be updated to the first policy rule item. Or, the processing module is further used, when the evaluation index does not meet the corresponding preset condition, to respond to an adjustment operation on the first policy rule item by generating a second policy rule item, and the transceiver module is further used to issue the second policy rule item to the terminal device.
In a fifth aspect, an embodiment of the present application provides an electronic device, including: a processor and a memory for storing a computer program, the processor being for invoking and running the computer program stored in the memory for performing the method as in the first aspect, the second aspect or various implementations thereof.
In a sixth aspect, embodiments of the present application provide a computer readable storage medium storing a computer program for causing a computer to perform a method as in the first aspect, the second aspect or implementations thereof.
In a seventh aspect, embodiments of the present application provide a computer program product comprising computer program instructions for causing a computer to perform the method as in the first aspect, the second aspect or implementations thereof.
In an eighth aspect, embodiments of the present application provide a computer program that causes a computer to perform the method as in the first aspect, the second aspect or various implementations thereof.
With the technical scheme provided by the embodiments of the present application, an idle running mode can be adopted for policy rule items of the dynamically adjustable type: the terminal device matches such a policy rule item against the characteristic information of traffic authentication requests and collects audit data, but does not execute the disposal action corresponding to the policy rule item. The terminal device reports the audit data to the server, and the server determines the evaluation index of the policy rule item from the audit data. When the evaluation index does not meet the corresponding preset condition, the administrator can adjust the policy rule item and issue it to the terminal device again; the terminal device keeps running it in idle mode and reporting audit data, and the administrator keeps adjusting it until its evaluation index reaches the standard, that is, until the policy rule item is no longer adjusted. The terminal device then updates the associated policy rule item in the current-version zero-trust access control policy to the finally adjusted policy rule item. In other words, a policy rule item of the dynamically adjustable type does not take effect immediately; it is tested and adjusted by the terminal device and the server, and takes effect only after it has been adjusted to be qualified.
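The idle-running loop just described, as an added example that is not part of the patent: a Python model in which the terminal engine enforces the current-version policy, shadow-matches a dynamically adjustable rule item of the new version, reports audit records, and the server computes an evaluation index. The rule fields, the glob matching, the evaluation metric (share of shadow hits that would block access the current version allows), the 10 % threshold and all sample rules and requests are constructed assumptions; the patent does not specify them.

```python
from dataclasses import dataclass, replace
from enum import Enum
from fnmatch import fnmatch
from typing import NamedTuple

class Action(Enum):
    DIRECT_ACCESS = "direct_access"
    BLOCK_ACCESS = "block_access"
    SECONDARY_AUTH = "secondary_authentication"

@dataclass(frozen=True)
class TrafficAuthRequest:  # characteristic information of one traffic authentication request
    user: str
    dest: str      # destination IP address or domain name
    app_name: str  # application the request came from

@dataclass(frozen=True)
class PolicyRuleItem:
    rule_id: str
    action: Action
    dynamic: bool = False             # True = dynamically adjustable type (idle running)
    users: frozenset = frozenset()    # empty = any user
    dest_pattern: str = "*"           # glob over the destination IP/domain (assumed)
    apps: frozenset = frozenset()     # empty = any application
    associated_rule_id: str = ""      # current-version item this one will replace

    def matches(self, req: TrafficAuthRequest) -> bool:
        return ((not self.users or req.user in self.users)
                and fnmatch(req.dest, self.dest_pattern)
                and (not self.apps or req.app_name in self.apps))

class AuditRecord(NamedTuple):
    rule_id: str
    request: TrafficAuthRequest
    shadow_action: Action   # what the dynamic item would have done
    applied_action: Action  # what the current-version policy actually did

class TerminalPolicyEngine:
    def __init__(self, current_policy, new_policy):
        self.current, self.new, self.audit = list(current_policy), list(new_policy), []

    def handle(self, req: TrafficAuthRequest) -> Action:
        new_hit = next((r for r in self.new if r.matches(req)), None)
        if new_hit is not None and not new_hit.dynamic:  # static items take effect at once
            return new_hit.action
        cur_hit = next((r for r in self.current if r.matches(req)), None)
        applied = cur_hit.action if cur_hit else Action.BLOCK_ACCESS  # default deny (assumed)
        if new_hit is not None:  # dynamic item hit: no disposal action, only audit data
            self.audit.append(AuditRecord(new_hit.rule_id, req, new_hit.action, applied))
        return applied

    def report_audit(self):
        data, self.audit = self.audit, []
        return data

    def receive_adjusted_rule(self, second_rule):  # second item replaces the first, still idle
        self.new = [second_rule if r.rule_id == second_rule.rule_id else r for r in self.new]

    def receive_update_instruction(self, rule_id):
        # Promote the no-longer-adjusted item into the current version in place of its
        # associated item: from now on it is enforced instead of audited.
        rule = next(r for r in self.new if r.rule_id == rule_id)
        self.new.remove(rule)
        promoted = replace(rule, dynamic=False)
        ids = [r.rule_id for r in self.current]
        if rule.associated_rule_id in ids:
            self.current[ids.index(rule.associated_rule_id)] = promoted
        else:
            self.current.append(promoted)

THRESHOLD = 0.1  # preset condition (assumed): at most 10 % of hits may break current access

def evaluation_index(audit) -> float:
    # Server side, assumed metric: share of audited hits where the dynamic item would
    # block a request that the current version lets through.
    if not audit:
        return 0.0
    broken = sum(1 for a in audit if a.shadow_action is Action.BLOCK_ACCESS
                 and a.applied_action is not Action.BLOCK_ACCESS)
    return broken / len(audit)

def run_rollout():
    # Constructed walk-through: idle run, evaluate, adjust, idle run again, confirm, enforce.
    rd, browser = frozenset({"alice", "bob", "carol"}), frozenset({"browser"})
    cur_browser = PolicyRuleItem("cur-1", Action.DIRECT_ACCESS, False, rd, "*.git.internal", browser)
    cur_any = PolicyRuleItem("cur-2", Action.DIRECT_ACCESS, False, rd, "*.git.internal")
    new_dyn = PolicyRuleItem("new-1", Action.BLOCK_ACCESS, True, rd, "*.git.internal", browser,
                             associated_rule_id="cur-1")
    engine = TerminalPolicyEngine([cur_browser, cur_any], [new_dyn])
    reqs = [TrafficAuthRequest("alice", "code.git.internal", "browser"),
            TrafficAuthRequest("bob", "code.git.internal", "git"),
            TrafficAuthRequest("carol", "review.git.internal", "browser")]
    round1 = [engine.handle(r) for r in reqs]        # still the current-version actions
    idx1 = evaluation_index(engine.report_audit())   # every browser hit would break access
    engine.receive_adjusted_rule(replace(new_dyn, action=Action.SECONDARY_AUTH))
    round2 = [engine.handle(r) for r in reqs]
    idx2 = evaluation_index(engine.report_audit())   # nothing breaks any more: qualifies
    if idx2 <= THRESHOLD:
        engine.receive_update_instruction("new-1")
    final = [engine.handle(r) for r in reqs]         # promoted item now enforced
    return round1, idx1, round2, idx2, final
```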
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings required for the description of the embodiments are briefly described below. It is apparent that the drawings described below are only some embodiments of the present application, and that a person skilled in the art may obtain other drawings from them without inventive effort.
FIG. 1 is a schematic diagram of a zero-trust access process;
FIGS. 2A to 2D are schematic diagrams of a policy configuration page according to an embodiment of the present application;
FIG. 3 is an interaction flow chart of a zero-trust access control policy processing method according to an embodiment of the present application;
FIG. 4 is a schematic diagram illustrating the control range of policy rule items according to an embodiment of the present application;
FIG. 5 is a schematic diagram illustrating the control range of policy rule items according to another embodiment of the present application;
FIG. 6 is a schematic diagram illustrating the control range of policy rule items according to another embodiment of the present application;
FIG. 7 is a schematic diagram of a zero-trust access control policy processing apparatus 700 according to an embodiment of the present application;
FIG. 8 is a schematic diagram of a zero-trust access control policy processing apparatus 800 according to an embodiment of the present application;
FIG. 9 is a schematic block diagram of an electronic device according to an embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and completely with reference to the accompanying drawings, in which it is apparent that the embodiments described are only some embodiments of the present application, but not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present application and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or server that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed or inherent to such process, method, article, or apparatus, but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Before describing the technical scheme of the application, the relevant background knowledge is explained below:
1. Intranet: also known as a local area network. In terms of scope, an intranet is a small part of a network; the simplest intranet is two computers connected by a network cable. An intranet is generally used in a specific environment, such as a school campus network or an enterprise network.
2. Intranet resources: sites, applications, systems (development and test environments, operation and maintenance environments, production environments, etc.), data, interfaces and so on within an intranet.
3. External network: also known as the Internet, which is global in scope.
4. Persistence library: data persistence is the collective term for converting a data structure or object model in memory into a relational model, Extensible Markup Language (XML), JavaScript Object Notation (JSON), a binary stream, etc., and for converting such a storage model back into a data model in memory. A persistence library is a storage medium, stored in a disk file or data file local to the device, that holds the relational model, XML, JSON, binary stream, etc. converted from the in-memory data structure or object model; it can be implemented with an encrypted file, an embedded database, and so on.
5. Direct access: in the zero-trust network access architecture, when a terminal initiates a network access request to an intranet resource through an application, the access proxy on the terminal hijacks the traffic and then initiates the network access to the intranet resource (such as a target site) itself, that is, by direct connection, and returns the network response of the intranet resource to the application. This access mode is called direct access.
6. Proxy access: in the zero-trust network access architecture, when a terminal initiates a network access request to an intranet resource through an application, the access proxy on the terminal hijacks the traffic and forwards it to the zero-trust gateway, which accesses the intranet resource; the zero-trust gateway then sends the network response of the intranet resource to the access proxy, and the access proxy forwards it to the application. This access mode is called proxy access.
7. Zero-trust access control policy: used to control a user's access authority to intranet resources such as service sites; it mainly verifies the credibility of the user, of the application from which the user accesses and of the terminal from which the user accesses, and confirms whether the user has the authority to access the intranet resource, among other checks.
8. Zero-trust access procedure:
FIG. 1 is a schematic diagram of a zero-trust access process. As shown in FIG. 1, the security service client acts as the provider of the zero-trust network security service: it provides a unified portal through which a user's network requests reach intranet resources via the access proxy and the zero-trust gateway, and it performs authentication for that portal. Only network requests that pass authentication are forwarded by the access proxy to the zero-trust gateway, and access to the actual service system is proxied through the zero-trust gateway.
Specifically, the functions of the security service client, the access proxy, the zero-trust gateway and the server are as follows:
Security service client: a security agent installed on the terminal device. According to the zero-trust access control policy it verifies whether the user is trusted, whether the terminal is trusted, whether the application is trusted, and so on; it submits unknown application processes to the server for process review; and after the user has successfully accessed a resource, the terminal device reports audit data to the server.
Access proxy: hijacks the access request, that is, the access traffic, through the TUN/TAP virtual network card. After the access request is authenticated by the security service client, the traffic is forwarded to the zero-trust gateway; if authentication is not passed, direct connection is used or the connection is interrupted.
Zero-trust gateway: the entrance to intranet applications and data resources; it verifies, authorizes and forwards each session request that accesses an intranet resource.
Server: performs security scheduling of access traffic through a zero-trust policy control engine and authorizes at the granularity of person, device, software and application. It may include a policy center, a ticket center and a review service, as well as an identity verification module, a device trust module and an application detection module. The identity verification module verifies the user's identity, the device trust module verifies device hardware information and the device security state, and the application detection module detects whether an application process is safe, for example whether it has a vulnerability or carries a virus or Trojan. The review service may periodically initiate an application process review to the application detection service so that it checks whether the process is trusted, and when a malicious process is identified, notifies the security service client to perform an asynchronous blocking operation. The ticket center provides intranet resource access tickets to the access proxy and, when it receives an access request forwarded by the zero-trust gateway, verifies the intranet resource access ticket carried in the request.
As shown in fig. 1, the specific procedure of the zero trust access procedure includes:
s1: the user initiates an access request for intranet resources through the application.
S2: the access agent hijacking the access request flow and initiating a flow authentication request to the security service client, namely applying for the ticket of the current access request to the security service client.
Alternatively, the access agent may hijack the access request traffic through the TUN/TAP virtual network card. If the access agent determines that the current access request is of an agent access type according to the zero-trust access control strategy, the access agent requests an intranet resource access ticket; if the access agent determines that the current access request is of the direct access type according to the zero-trust access control strategy, the access agent hives the access request flow and directly accesses the intranet resources through the physical network card.
Optionally, the traffic authentication request includes at least one of, but is not limited to: a source internet protocol (Internet Protocol, IP) or domain name, a source port, a destination IP or domain name, a destination port, and a corresponding Process Identity (PID) are applied. This information is also referred to as characteristic information of the traffic authentication request.
S3: and the security service client acquires the characteristic information of the corresponding process through the PID sent by the access agent.
The characteristic information of the process comprises: MD5 of the process, process path, latest modification time of the process, copyright information, signature information, etc.
S4: the security service client sends the characteristic information of the process to the server so that the server detects whether the process is a trusted process.
The server may periodically initiate an application process review to the application detection service to detect the trustworthiness of the process, i.e. to detect whether the process is secure, including, for example, at least one of: whether the process has a vulnerability or not, and whether the process has a vulnerability or not. If the service virus Trojan horse and the like detect that the process is not a trusted process, namely a malicious process, the security service client is notified to execute the asynchronous blocking operation.
S5: the security service client sends a source IP address or domain name, a source port, a destination IP or domain name and a destination port to the server, and applies for the bill to the server, namely realizes the bill replacement.
Optionally, before S5, the security service client may match the feature information of the flow authentication request with the zero trust access control policy, so as to determine whether the user has access rights to access the intranet resource to be accessed, determine whether the intranet resource to be accessed belongs to the intranet resource, and so on. And if the user is judged to have the access authority terminal for accessing the intranet resource to be accessed and the intranet resource to be accessed belongs to the intranet resource, the security service client executes S5.
S6: if the security service client side applies the bill successfully and the process is a trusted process, the security service client side sends the bill, the maximum using times of the bill and the valid time of the bill to the access agency as a response.
S7: the access proxy initiates a hypertext transfer security protocol (Hyper Text Transfer Protocol over Secure Socket Layer, HTTPS) request to the zero-trust gateway.
Wherein the ticket is carried in the Authorization header field of the HTTPS request.
S8: after receiving the HTTPS request, the zero trust gateway parses the ticket from the header field and sends the ticket to the server so that the server can verify the ticket.
S9: if the server verifies the ticket successfully, the connection between the zero trust gateway and the access agent is successfully established. If the server fails to verify the ticket, the connection between the zero trust gateway and the access agent fails to be established.
S10: after a connection is successfully established between the zero-trust gateway and the access proxy, the access proxy sends the access request to the zero-trust gateway.
S11: the zero trust gateway verifies the access request, and if the verification is successful, the access request is forwarded to the corresponding service server.
S12: the service server sends an access response to the zero trust gateway.
S13: the zero trust gateway sends an access response to the access agent.
S14: the access agent sends an access response to the application.
Optionally, if the user accesses the intranet resource successfully, the terminal device may report the information of the current access request as audit data to the server.
Optionally, the audit data may include at least one of, but is not limited to: characteristic information of the flow authentication request, control information of the access request (including parameter details when the security service client side and the server execute bill requests and respond), access request forwarding context information (including the size of a downlink data packet, the duration time of the access request forwarding and the like) of the access proxy and the zero trust gateway, and the like.
9. The static zero trust access control policy, static access policy for short: the policy rule items included in the static zero trust access control policy are all static policy rule items, where a static policy rule item comprises: information of the access subject, i.e. the user, information of the intranet resource to be accessed, information of the application through which the access is made, information of the terminal from which the access is made, a handling action, etc. The information of the user may include individual information of the user, such as the name and the department to which the user belongs, and may further include associated information of the user, such as the associated roles and the organizational structure to which the user belongs. The information of the intranet resource to be accessed may include: the IP address or domain name of the site, etc. The information of the application may include: the application name, etc. The information of the terminal may include: its compliance detection level, etc. If the characteristic information of the traffic authentication request hits a certain policy rule item, the terminal device performs control according to the corresponding handling action in that policy rule item. The handling action may include: security alerting, secondary authentication, direct access, password change, blocking access, etc.
Typically, static access policies change infrequently. A static access policy controls access to the business systems, functions, data, etc. of the intranet through a single static global policy. The server generates the global single static access policy and issues it to specific terminals based on a virtual group or a device identifier; when the policy changes, the server notifies the security service client to pull the updated static access policy, or actively pushes the updated static access policy to the security service client.
10. The dynamic zero trust access control policy, dynamic access policy for short: the policy rule items it comprises are dynamic policy rule items, where a dynamic policy rule item comprises: information of the access subject, i.e. the user, information of the intranet resource to be accessed, information of the application through which the access is made, information of the terminal from which the access is made, dynamic factors, a handling action, etc. The dynamic factors may include: access time, the network location where the resource to be accessed is located, the security baseline, the environmental state, etc.
11. Static and dynamic combined zero trust access control policy: first, the access rights of a user to intranet resources can be divided into static access rights and dynamic access rights. The static access rights are an access right policy closely bound to the user, while the dynamic access rights focus on the intranet resource control rules of the security protection layer: based on the security protection policy formulated by the administrator, different handling actions are executed on an access session to an intranet resource according to dynamic factors such as the terminal's environmental state, security baseline and access time.
12. For the dynamic policy part of the dynamic zero trust access control policy or of the static and dynamic combined zero trust access control policy, an administrator can configure it through a policy configuration page, where the administrator formulates the dynamic access control policy by combining the three elements of user, application and resource, and controls it in real time based on dynamic factors such as the access time, the network location where the resource to be accessed is located, the security baseline and the environmental state.
Fig. 2A to fig. 2D are schematic diagrams of a policy configuration page according to an embodiment of the present application.
As shown in fig. 2A, an administrator may configure a specified terminal system, i.e. the operating system of the terminal device, such as operating system 1, on the policy configuration page. Policy enforcement conditions may also be configured on the policy configuration page: the specified applications are application group 1 and application group 2, and the specified network locations are network location group 1 and network location group 2.
As shown in fig. 2B, the user-associated policies may include: identity security policies, access security policies and terminal security policies. For any policy rule item in the access security policy, its configuration page is shown in fig. 2C, where the administrator may configure the following information, but is not limited thereto: policy name, policy description, whether the policy is enabled, policy validity period, etc., as well as the users and applications to which the policy applies. The administrator may form various combinations of dynamic factors, issue different security access policies for a particular role, organizational unit or particular user, and is provided with the functions of saving and importing condition templates, as shown in fig. 2D.
13. Control range of a static policy rule item: it is formed by the user, the terminal, the application and the resource to be accessed. In other words, if two static policy rule items relate to the same user, the same terminal, the same application and the same resource to be accessed, the control ranges of the two static policy rule items may be considered the same. Further, in the embodiment of the present application, the purpose of determining the control range of a policy rule item is to perform coverage, merging, etc. of policy rule items, which is generally done for one terminal device; considering that there is generally a one-to-one correspondence between a user and the terminal device, the control range of a static policy rule item may on this basis be formed by the application and the resource to be accessed alone. In other words, if two static policy rule items refer to the same application and the same resource to be accessed, the control ranges of the two static policy rule items may be considered the same.
14. Control range of a dynamic policy rule item: it is formed by the user, the terminal, the application, the resource to be accessed and the dynamic factors, of which there may be one or more. In other words, if two dynamic policy rule items refer to the same user, the same terminal, the same application, the same resource to be accessed and the same dynamic factors, the control ranges of the two dynamic policy rule items are considered the same. Further, in the embodiment of the present application, the purpose of determining the control range of a policy rule item is to perform coverage, merging, etc. of policy rule items, which is generally done for one terminal device; considering that there is generally a one-to-one correspondence between a user and the terminal device, the control range of a dynamic policy rule item may on this basis be formed by the application, the resource to be accessed and the dynamic factors alone. In other words, if two dynamic policy rule items refer to the same application, the same resource to be accessed and the same dynamic factors, the control ranges of the two dynamic policy rule items may be considered the same.
15. Policy rule items of the enforcement type: policy rule items that take effect immediately after the server issues the zero trust access control policy to the terminal device, i.e. policy rule items that can cover their associated policy rule items in the current version of the zero trust access control policy installed on the terminal device.
For example, when troubleshooting an intranet failure, the server needs to issue a policy rule item to the specified terminal device to recover the user's rights, and that policy rule item is marked as the enforcement type. As another example, in some emergency scenarios, the server needs to issue a policy rule item to the specified terminal device that adjusts, opens or reclaims user rights, and that policy rule item may be marked as the enforcement type.
The configuration parameters of a policy rule item of the enforcement type may include the effective time of the policy rule item, where the effective time may be a set period of time or may be permanent; that is, the policy rule item of the enforcement type may be valid for the set period of time or permanently. A policy rule item of the enforcement type that is valid for a set period of time is applicable to emergency scenarios. A policy rule item of the enforcement type that is permanently valid may be applied to scenarios where deterministic adjustments are made to the user's access rights.
If the traffic authentication request is successfully matched with one of the policy rule items, the terminal device may first detect whether the policy rule item is configured with an effective time. If the policy rule item is configured with an effective time and the effective time is a set period of time, the terminal device needs to detect whether the policy rule item has expired; if it has expired, the terminal device may automatically delete the corresponding rule item, or may modify the handling action of the rule item to block access. If the policy rule item is still valid, the terminal device may perform the handling action corresponding to the policy rule item. If the policy rule item is configured with an effective time and the effective time is permanent, the terminal device may perform the handling action corresponding to the policy rule item.
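The effective-time check described above, written out as an added example that is not part of the application or of any Tencent code. The field names (`handling_action`, `valid_until`) and the ISO 8601 timestamps are assumptions; the page only states that an enforcement-type rule item may be valid for a set period or permanently, and that an expired item is either deleted or has its handling action changed to block access.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Tuple

# Added example, not the application's own code. Field names are assumptions.
@dataclass
class EnforcedRuleItem:
    name: str
    handling_action: str              # e.g. "allow", "block", "secondary_auth"
    valid_until: Optional[str] = None # ISO 8601 end of the set period; None = permanent


def resolve_enforced_rule(rule: EnforcedRuleItem, now_iso: str,
                          expired_mode: str = "delete") -> Tuple[str, Optional[EnforcedRuleItem]]:
    """Effective-time check for a matched enforcement-type rule item.

    Returns (decision, rule):
      * permanent, or set period still running -> (handling action, rule)
      * expired and expired_mode == "delete"  -> ("deleted", None): the terminal
        device drops the rule item
      * expired and expired_mode == "block"   -> ("block", rule): the rule item's
        handling action is rewritten to block access
    """
    if rule.valid_until is None:                       # permanent: always execute
        return rule.handling_action, rule
    now = datetime.fromisoformat(now_iso)
    if now <= datetime.fromisoformat(rule.valid_until):
        return rule.handling_action, rule              # set period, still valid
    if expired_mode == "delete":
        return "deleted", None
    if expired_mode == "block":
        rule.handling_action = "block"
        return "block", rule
    raise ValueError("expired_mode must be 'delete' or 'block'")


def prune_expired(policy: List[EnforcedRuleItem], now_iso: str,
                  expired_mode: str = "delete") -> List[EnforcedRuleItem]:
    """Apply the same check to every rule item of a policy, as a terminal device
    would when it periodically cleans up items whose set period has passed."""
    kept = []
    for rule in policy:
        _, survivor = resolve_enforced_rule(rule, now_iso, expired_mode)
        if survivor is not None:
            kept.append(survivor)
    return kept
```

Whether an expired item is deleted or turned into a blocking item is a deployment choice; the blocking variant keeps an audit trail of what was once allowed and fails closed, the deletion variant leaves the matching to whatever lower-priority item remains.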
16. Policy rule items of the dynamically adjustable type: policy rule items that do not take effect immediately after the server issues the zero trust access control policy to the terminal device. Policy rule items of the dynamically adjustable type are usually those whose access control effect the policy developer cannot fully evaluate, or whose access control effect may differ to some extent from the expected effect, which may affect the user access experience.
17. Associated policy rule item of a certain policy rule item: a policy rule item whose control range overlaps, partially or completely, with the control range of that policy rule item.
18. The evaluation index of a policy rule item may be the traffic volume, access frequency, etc. of the resource accesses made through the policy rule item.
After introducing the related knowledge of the technical solution of the present application, the technical problems to be solved and the inventive concept of the technical solution of the present application will be described below:
As described above, in the related art, the new version of the zero trust access control policy may include some unreasonable policy rule items. For example, in some scenarios a certain user should be allowed to access a certain intranet resource through a certain application, but the handling action of the matched policy rule item does not allow the user to access the intranet resource through the application in that scenario. In summary, the policy handling approach described above may affect the user access experience.
In order to solve this technical problem, the present application proposes that an idle running mode (a dry run) can be adopted for policy rule items of the dynamically adjustable type, i.e. the terminal device matches the characteristic information of the traffic authentication request against such a policy rule item and collects audit data, but does not execute the handling action corresponding to the policy rule item. The terminal device reports the audit data to the server, and the server determines the evaluation index of the policy rule item based on the audit data; when the evaluation index does not meet the corresponding preset condition, the administrator can adjust the policy rule item and issue it to the terminal device again, the terminal device still adopts the idle running mode and reports audit data, and the administrator keeps adjusting the policy rule item until its evaluation index reaches the standard, i.e. until the policy rule item no longer needs adjustment; the terminal device then updates the associated policy rule item of that policy rule item in the current version of the zero trust access control policy to the finally adjusted policy rule item. In other words, a policy rule item of the dynamically adjustable type does not take effect immediately, but is tested and adjusted by the terminal device and the server and takes effect once it has been adjusted to be qualified.
The technical scheme of the application will be described in detail as follows:
Fig. 3 is an interaction flow chart of a processing method of a zero trust access control policy according to an embodiment of the present application. As shown in fig. 3, the method is applied to a terminal device and a server, where the terminal device may be, but is not limited to, a smart phone, a tablet computer, a notebook computer, a desktop computer, a smart speaker, a smart watch, etc. The server may be an independent physical server, a server cluster or a distributed system formed by a plurality of physical servers, or may be a cloud server providing basic cloud computing services such as a cloud service, a cloud database, cloud computing, a cloud function, cloud storage, a network service, cloud communication, a middleware service, a domain name service, a security service, a content delivery network (Content Delivery Network, CDN), big data and an artificial intelligence platform, but is not limited thereto. As shown in fig. 3, the method may include:
S310: the server issues a new version zero trust access control policy to the terminal device;
Optionally, the server may simultaneously issue one or more new version zero trust access control policies to the terminal device. It will be appreciated that the new version zero trust access control policy is relative to the current version of the zero trust access control policy on the terminal device, i.e. relative to the version currently used by the terminal device.
Alternatively, the new version of the zero trust access control policy may be configured for the server by an administrator through a policy configuration page of a management device. The management device may be a smart phone, a tablet computer, a notebook computer, a desktop computer, etc.
Optionally, the new version zero trust access control policy may be a static or a dynamic zero trust access control policy, or may be a static and dynamic combined zero trust access control policy. The new version zero trust access control policy may comprise a plurality of policy rule items, each of which may be a static policy rule item or a dynamic policy rule item.
For example, a static policy rule item is as follows: when the domain name of the intranet resource accessed by the user Zhang San is ABC.com, the port is 8791, the application used is the A browser, and the compliance detection level of the terminal used by the user Zhang San is low, access is allowed.
For example, a dynamic policy rule item is as follows: when the domain name of the intranet resource accessed by the user Zhang San is ABC.com, the port is 8791, the application used is the A browser, the compliance detection level of the terminal used by the user Zhang San is low, the network location is the enterprise extranet, and the access time is working hours on a working day, access is allowed.
S320: the terminal equipment acquires first characteristic information of a first flow authentication request;
the terminal device may obtain a current access request for accessing the intranet resource to be accessed, as in the zero-trust access procedure shown in fig. 1. The access proxy on the terminal device hives the access request, namely the access flow, through the TUN/TAP virtual network card, and is responsible for forwarding the flow authentication request to the zero trust gateway after authenticating the access request through the security service client, that is, the flow authentication request is used for requesting the zero trust gateway to authenticate the access request. In order to distinguish a flow authentication request currently acquired by the terminal device from flow authentication requests acquired at other times, the flow authentication request currently acquired by the terminal device is referred to as a first flow authentication request.
Alternatively, the characteristic information of the first traffic authentication request may be information carried by the first traffic authentication request.
Optionally, the first traffic authentication request includes at least one of, but is not limited to: source IP or domain name, source port, destination IP or domain name, destination port, application of the corresponding PID. Where the source IP refers to the IP of the device that originated the current access request. The source domain name refers to the domain name of the application that originated the current access request. A source port refers to a port of a device that initiated a current access request. The destination IP refers to an IP of an intranet resource to be accessed, and may be, for example, an IP of a certain site. The destination domain name may be a domain name of an intranet resource to be accessed, for example, may be a domain name of an enterprise business system. The destination port may be a port to be accessed to an intranet resource, for example, may be a port of a site. The application-corresponding PID refers to the PID corresponding to the application from which the access request originates.
S330: if the first characteristic information is successfully matched with a first policy rule item of a dynamically adjustable type in the new version zero-trust access control policy, the terminal equipment does not execute a disposal action corresponding to the first policy rule item and collects audit data;
Optionally, the new version zero trust access control policy itself may include policy rule items of the dynamically adjustable type and/or policy rule items of the enforcement type. When configuring the new version zero trust access control policy, the administrator may mark the type of each policy rule item, or may mark only the policy rule items of the enforcement type and treat unmarked policy rule items as the dynamically adjustable type by default. Alternatively, the administrator may mark only the policy rule items of the dynamically adjustable type and treat unmarked policy rule items as the enforcement type by default.
In one implementation, the policy rule item of the dynamically adjustable type according to the embodiment of the present application may be a policy rule item of the dynamically adjustable type included in the new version zero trust access control policy itself.
In another implementation, the policy rule items of the dynamically adjustable type according to the embodiment of the present application include both the policy rule items of the dynamically adjustable type included in the new version zero trust access control policy itself and policy rule items of the dynamically adjustable type derived from policy rule items of the enforcement type.
The dynamically adjustable type of policy rule items derived based on the enforcement type of policy rule items will be described below:
Assume that a policy rule item of the enforcement type in the new version zero trust access control policy is referred to as the fourth policy rule item, and that its associated policy rule item in the current version zero trust access control policy is referred to as the second association policy rule item. The control ranges of the fourth policy rule item and the second association policy rule item may partially overlap, as shown in fig. 4, in which case the terminal device may determine the policy rule item corresponding to the remaining part of the control range of the second association policy rule item, excluding the intersection, as a policy rule item of the dynamically adjustable type. Here Vh represents the control range of the second association policy rule item and Vs represents the control range of the fourth policy rule item.
For example, assume that the fourth policy rule item is as follows: when the domain name of the intranet resource accessed by the user Zhang San is ABC.com, the port is 8791, the application used is the A browser, the compliance detection level of the terminal used by the user Zhang San is low, the network location is the enterprise extranet, and the access time is 08:00-20:00 every day, access is allowed. And the second association policy rule item is as follows: when the domain name of the intranet resource accessed by the user Zhang San is ABC.com, the port is 8791, the application used is the A browser, the compliance detection level of the terminal used by the user Zhang San is low, the network location is the enterprise extranet, and the access time is 10:00-24:00 every day, access is allowed. Then the policy rule item corresponding to the remaining part of the control range of the second association policy rule item, excluding the intersection, is as follows: when the domain name of the intranet resource accessed by the user Zhang San is ABC.com, the port is 8791, the application used is the A browser, the compliance detection level of the terminal used by the user Zhang San is low, the network location is the enterprise extranet, and the access time is 20:00-24:00 every day, access is allowed; the terminal device determines the type of this policy rule item as the dynamically adjustable type.
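The derivation above (Vh minus Vs on the access-time axis), carried out as an added example that is not part of the application or of any Tencent code. The rule-item fields are assumptions, the only dynamic factor modelled is a daily access-time window in minutes since midnight, and the other elements of the control range (application, resource, network location, compliance level) must coincide before the time windows are compared; the general interval difference handles the page's one-sided case as well as a window that is split in two or fully covered.

```python
from dataclasses import dataclass, replace
from typing import List, Tuple

# Added example, not the application's own code. Field names are assumptions.
@dataclass
class DynamicRuleItem:
    application: str
    resource: str                   # e.g. "ABC.com:8791"
    network_location: str
    compliance_level: str
    time_window: Tuple[int, int]    # [start, end) in minutes since midnight
    handling_action: str
    rule_type: str = "enforcement"  # or "dynamically_adjustable"


def hhmm(text: str) -> int:
    """'20:00' -> 1200 minutes; '24:00' -> 1440 marks the end of the day."""
    hours, minutes = text.split(":")
    return int(hours) * 60 + int(minutes)


def same_static_scope(a: DynamicRuleItem, b: DynamicRuleItem) -> bool:
    """Application, resource and the non-time dynamic factors must coincide
    before the two control ranges can be compared on the time axis."""
    return (a.application, a.resource, a.network_location, a.compliance_level) == \
           (b.application, b.resource, b.network_location, b.compliance_level)


def interval_difference(vh: Tuple[int, int], vs: Tuple[int, int]) -> List[Tuple[int, int]]:
    """Vh minus Vs on one axis: zero, one or two remaining pieces."""
    (h0, h1), (s0, s1) = vh, vs
    if s1 <= h0 or s0 >= h1:        # no intersection: Vh is untouched
        return [vh]
    pieces = []
    if s0 > h0:
        pieces.append((h0, s0))     # part of Vh before Vs starts
    if s1 < h1:
        pieces.append((s1, h1))     # part of Vh after Vs ends
    return pieces                   # empty when Vs fully covers Vh


def derive_adjustable_items(fourth: DynamicRuleItem,
                            second_assoc: DynamicRuleItem) -> List[DynamicRuleItem]:
    """Given the enforcement-type fourth rule item (Vs) and its second association
    rule item in the current version (Vh), return rule items covering Vh \\ Vs,
    typed dynamically adjustable as the page describes."""
    if not same_static_scope(fourth, second_assoc):
        return []                   # control ranges do not overlap at all
    return [replace(second_assoc, time_window=window, rule_type="dynamically_adjustable")
            for window in interval_difference(second_assoc.time_window, fourth.time_window)]
```

With the page's two rule items, `derive_adjustable_items` returns a single item whose window is 20:00 to 24:00; the derived item inherits the handling action of the second association rule item, which is the part of the old control range the new enforcement item leaves unaddressed.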
Optionally, in addition to the plurality of policy rule items, the new version zero trust access control policy may further include the priority of each of these policy rule items. After the terminal device acquires the first characteristic information, it needs to match the first characteristic information against each policy rule item in the new version zero trust access control policy. If the first characteristic information is successfully matched with only one policy rule item and that item is of the dynamically adjustable type, that policy rule item is the first policy rule item. If the first characteristic information is successfully matched with a plurality of policy rule items at the same time and the policy rule item with the highest priority among them is of the dynamically adjustable type, that policy rule item is the first policy rule item.
In the embodiment of the present application, if the first characteristic information is successfully matched with the first policy rule item of the dynamically adjustable type in the new version zero trust access control policy, the terminal device does not execute the handling action corresponding to the first policy rule item, i.e. it idles (dry-runs) the item, but the terminal device does collect audit data.
Optionally, the audit data may include at least one of, but is not limited to: characteristic information of the flow authentication request, control information of the access request (including parameter details when the security service client side and the server execute bill requests and respond), access request forwarding context information (including the size of a downlink data packet, the duration time of the access request forwarding and the like) of the access proxy and the zero trust gateway, and the like.
S340: the terminal equipment reports audit data to a server;
S350: the server determines an evaluation index of the first policy rule item based on the audit data;
optionally, the server may input audit data reported by the terminal device and audit data reported by other terminal devices when the first policy rule item is adopted into the neural network model together, so as to obtain an evaluation index of the first policy rule item, where the evaluation index may be a flow rate, an access frequency, and the like of resource access through the policy rule item.
Optionally, the neural network model may be obtained through training a large amount of audit data and actual evaluation indexes corresponding to the audit data, where the actual evaluation indexes corresponding to the audit data are used as labels. The training mode referred to herein is a supervised training mode.
S360A to S380A are next performed, or S360B to S380B are performed.
S360A: the server responds to the confirmation operation of the first strategy rule item when the evaluation index meets the corresponding preset condition so as to generate a strategy updating instruction;
optionally, the administrator may determine whether the evaluation index meets a preset condition, if the evaluation index meets the preset condition, the administrator may click a "confirm" button on the management device, and the server may generate a policy update instruction based on the confirm operation, where the policy update instruction is used to instruct to update the first association policy rule item of the first policy rule item in the current version of zero-trust access control policy to the first policy rule item.
For example, assuming that the evaluation index calculated by the server is a resource access flow rate of 30, the preset condition corresponding to the evaluation index is that the resource access flow rate needs to be greater than the expected index 20, at this time, since the resource access flow rate is greater than the expected index, the administrator may click a "confirm" button on the management device, and the server may generate a policy update instruction based on the confirm operation.
S370A: the server issues a strategy updating instruction to the terminal equipment;
S380A: the terminal equipment updates a first association policy rule item of a first policy rule item in the current version zero-trust access control policy to a first policy rule item based on a policy update instruction;
It should be understood that the technical solution formed by S330, S340, S350 and S360A to S380A indicates that the first policy rule item does not need to be adjusted; in this case the terminal device may update the first association policy rule item to the first policy rule item, i.e. the first policy rule item may take effect immediately.
Alternatively, in this case, the terminal device may mark the first policy rule item as the enforcement type, or the server may mark the type of the first policy rule item as the enforcement type in response to a type marking operation and issue the type to the terminal device.
S360B: the server responds to the adjustment operation of the first strategy rule item when the evaluation index does not meet the corresponding preset condition, so as to generate a second strategy rule item;
Optionally, the administrator may determine whether the evaluation index meets the preset condition; if the evaluation index does not meet the preset condition, the administrator may click an "adjust" button on the management device, and the server may generate the second policy rule item based on the adjustment operation.
For example, assuming that the evaluation index calculated by the server is that the resource access flow is 10, the preset condition corresponding to the evaluation index is that the resource access flow needs to be greater than the expected index 20, at this time, since the resource access flow is smaller than the expected index, the administrator may click on an "adjust" button on the management device, and the server may generate the second policy rule item.
S370B: the server transmits a second policy rule item to the terminal equipment;
S380B: the terminal device updates the first policy rule item to the second policy rule item, acquires second characteristic information of a second traffic authentication request, takes the second characteristic information as the new first characteristic information and the second policy rule item as the new first policy rule item, and continues to execute S330.
The terminal device may again obtain an access request. The access proxy on the terminal device hijacks the access request, i.e. the access traffic, through the TUN/TAP virtual network card, and is responsible for forwarding a second traffic authentication request to the zero trust gateway after the access request has been authenticated by the security service client; that is, the second traffic authentication request is used to request the zero trust gateway to authenticate the access request.
Alternatively, the characteristic information of the second traffic authentication request may be information carried by the second traffic authentication request.
Optionally, the second traffic authentication request includes at least one of the following, but is not limited to: source IP or domain name, source port, destination IP or domain name, destination port, and the application corresponding to the source PID.
It should be understood that the technical solution formed by S330, S340, S350 and S360B to S380B covers the case in which the first policy rule item needs to be adjusted. In this case the first policy rule item may be adjusted repeatedly until the evaluation index of the adjusted policy rule item meets the preset condition; the server then issues the finally adjusted policy rule item to the terminal device, and the terminal device updates the first association policy rule item to the finally adjusted policy rule item, that is, the finally adjusted policy rule item takes effect immediately.
The application provides that a dry-run (empty-run) mode can be adopted for policy rule items of the dynamically adjustable type, with audit data being collected. The terminal device reports the audit data to the server, and the server determines the evaluation index of the policy rule item from the audit data. When the evaluation index does not meet the corresponding preset condition, the administrator can adjust the policy rule item and issue it to the terminal device again; the terminal device still dry-runs the adjusted item and reports audit data, and the administrator keeps adjusting until the evaluation index of the policy rule item reaches the standard, i.e. the item is no longer adjusted. The terminal device then updates the associated policy rule item in the current version zero-trust access control policy to the finally adjusted policy rule item. Because dynamically adjustable policy rule items are dry-run and their handling actions are not executed, the user's access experience is not affected.
In addition, the server can issue several new versions of the zero-trust access control policy at the same time; the terminal device dry-runs the dynamically adjustable policy rule items in each of them, reports their audit data to the server, and those dry-run policy rule items are adjusted on the basis of the audit data.
Optionally, while the terminal device does not execute the handling action corresponding to the first policy rule item and collects audit data, if the first feature information is also successfully matched with a third policy rule item in the current version zero-trust access control policy, the terminal device executes the handling action corresponding to the third policy rule item. In other words, the matching of the first feature information against the first policy rule item and the execution of the handling action corresponding to the third policy rule item are processed asynchronously: the terminal device matches the first feature information against the new version zero-trust access control policy and the current version zero-trust access control policy at the same time; a successful match with the first policy rule item in the new version is dry-run, and a successful match with the third policy rule item in the current version causes the terminal device to execute the handling action corresponding to the third policy rule item.
In the embodiment of the application, the matching of the first feature information against the first policy rule item and the execution of the handling action corresponding to the third policy rule item are processed asynchronously, so the user's normal access is not blocked and the user experience can be improved.
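The dual matching described above, dry-running a dynamically adjustable rule of the new version while the current version still decides the handling action, as an added example that is not code from the patent. The rule fields, action names, first-match ordering and the sample traffic-authentication requests are constructed assumptions.

```python
"""Dry-run matching of a new-version zero-trust policy beside the enforced
current version (added example; rule fields and samples are constructed)."""
from dataclasses import dataclass
from typing import Optional

DYNAMIC = "dynamically_adjustable"   # dry-run only: collect audit data, take no action
ENFORCE = "enforcement"              # takes effect on the terminal immediately


@dataclass(frozen=True)
class Rule:
    rule_id: str
    rule_type: str                   # DYNAMIC or ENFORCE
    action: str                      # handling action: "allow", "block", ...
    dst: Optional[str] = None        # destination IP or domain name; None = any
    dst_port: Optional[int] = None   # destination port; None = any
    app: Optional[str] = None        # application owning the source PID; None = any

    def matches(self, feature: dict) -> bool:
        """Feature information is what the traffic authentication request carries."""
        return ((self.dst is None or self.dst == feature["dst"])
                and (self.dst_port is None or self.dst_port == feature["dst_port"])
                and (self.app is None or self.app == feature["app"]))


def first_hit(rules, feature):
    """First-match semantics (an assumption; the text fixes no ordering)."""
    for rule in rules:
        if rule.matches(feature):
            return rule
    return None


def evaluate(feature, new_policy, current_policy, audit_log):
    """Return the handling action the terminal actually executes.

    The two versions are matched independently (the asynchronous mode):
    - an ENFORCE hit in the new version is executed at once, since such a rule
      has already replaced its association rule in the current version;
    - a DYNAMIC hit in the new version only appends an audit record;
    - otherwise the current-version hit (the 'third policy rule item') decides.
    """
    new_hit = first_hit(new_policy, feature)
    if new_hit is not None and new_hit.rule_type == ENFORCE:
        return new_hit.action
    if new_hit is not None:
        audit_log.append({"rule_id": new_hit.rule_id,
                          "would_do": new_hit.action,
                          "feature": dict(feature)})
    cur_hit = first_hit(current_policy, feature)
    # Default-deny when no rule of the current version covers the request.
    return cur_hit.action if cur_hit is not None else "block"


def hit_statistics(audit_log):
    """Per-rule counts of what the dry-run rules would have done; the server
    turns figures like these into the evaluation index compared with the
    expected value (e.g. how much access flow a rule would have blocked)."""
    stats = {}
    for entry in audit_log:
        per_rule = stats.setdefault(entry["rule_id"], {})
        per_rule[entry["would_do"]] = per_rule.get(entry["would_do"], 0) + 1
    return stats


# Constructed sample policies: the new version tightens wiki access on port
# 8443 as a dry-run rule and blocks a legacy host as an enforcement rule.
NEW_POLICY = [
    Rule("N1", DYNAMIC, "block", dst="wiki.intranet.example", dst_port=8443),
    Rule("N2", ENFORCE, "block", dst="legacy.intranet.example"),
]
CURRENT_POLICY = [
    Rule("C1", ENFORCE, "allow", dst="wiki.intranet.example"),
    Rule("C2", ENFORCE, "allow", dst="legacy.intranet.example"),
]

# Constructed sample feature information of four traffic authentication requests.
REQUESTS = [
    {"src_ip": "10.0.0.5", "src_port": 51000, "dst": "wiki.intranet.example",
     "dst_port": 8443, "app": "browser-a"},
    {"src_ip": "10.0.0.5", "src_port": 51001, "dst": "legacy.intranet.example",
     "dst_port": 80, "app": "browser-a"},
    {"src_ip": "10.0.0.6", "src_port": 51002, "dst": "wiki.intranet.example",
     "dst_port": 80, "app": "browser-a"},
    {"src_ip": "10.0.0.6", "src_port": 51003, "dst": "files.intranet.example",
     "dst_port": 445, "app": "explorer"},
]


def run_demo():
    """Evaluate the sample requests; returns (executed actions, audit log)."""
    audit_log = []
    actions = [evaluate(f, NEW_POLICY, CURRENT_POLICY, audit_log) for f in REQUESTS]
    return actions, audit_log
```

Only the first request produces an audit record (rule N1 would have blocked it), while the user is still allowed through by the current version's C1.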
Assuming that any policy rule item of the enforcement type in the new version zero-trust access control policy is referred to as a fourth policy rule item and its association policy rule item in the current version zero-trust access control policy is referred to as a second association policy rule item, the terminal device may update the second association policy rule item to the fourth policy rule item; in other words, the fourth policy rule item takes effect immediately and the second association policy rule item becomes invalid immediately.
It should be understood that the control ranges of the fourth policy rule item and the second association policy rule item may fall into the following three cases:
In the first case, as shown in fig. 4, the control range of the second association policy rule item and the control range of the fourth policy rule item partially overlap, where Vh represents the control range of the second association policy rule item and Vs represents the control range of the fourth policy rule item.
In the second case, as shown in fig. 5, the control range of the second association policy rule item is greater than the control range of the fourth policy rule item.
In the third case, as shown in fig. 6, the control range of the second association policy rule item is smaller than the control range of the fourth policy rule item.
For the first case, the fourth policy rule item takes effect immediately and the second association policy rule item is invalidated immediately. However, the policy rule item corresponding to the remaining part of the control range of the second association policy rule item, i.e. the part outside its overlap with the fourth policy rule item, may be converted into a dynamically adjustable type, that is, that policy rule item does not fail immediately.
For the second case, the scenario may be that the policy developer or the administrator tightens the authority of the user to the intranet resource to be accessed, so that the control range of the fourth policy rule item is smaller than the control range of the second association policy rule item, and in order to conform to the scenario, the terminal device may make the fourth policy rule item immediately effective and make the second association policy rule item immediately ineffective.
For the third case, the scenario may be that the policy developer or the administrator intentionally expands the authority of the user to the intranet resource to be accessed, so that the control range of the fourth policy rule item is greater than the control range of the second association policy rule item, and in order to conform to the scenario, the terminal device may make the fourth policy rule item immediately effective, and make the second association policy rule item immediately ineffective.
In the embodiment of the application, a policy rule item of the enforcement type in the new version zero-trust access control policy can take effect on the terminal device immediately; this mode is better suited to emergency scenarios, so the user experience can be improved.
As described above, if the terminal device accesses the intranet resource to be accessed successfully, the terminal device may report audit data to the server, where the audit data may include at least one of the following, but is not limited to this: feature information of the traffic authentication request, control information of the access request (including parameter details of the ticket requests and responses exchanged between the security service client and the server), and access request forwarding context information of the access proxy and the zero-trust gateway (including the size of the downlink data packets, the duration of the access request forwarding, and the like). In the embodiment of the application, the terminal device can record the intranet resource access history, which can serve as basic data: the terminal device can determine the abnormal policy rule items in the new version zero-trust access control policy and the current version zero-trust access control policy based on the intranet resource access history, and report an indication message indicating that the abnormal policy rule item is abnormal to the server.
Optionally, there may be multiple intranet resource access history records, where each record describes the access of a certain user to a certain intranet resource and may include: the access frequency of the user to the intranet resource, the information of the intranet resource, the correspondence between the application from which the access originates and the intranet resource, the zero-trust access control version used, the details of the access control executed by the policy, and the like, but is not limited to these. Further, in the dynamic access policy control scenario, the intranet resource access history record may further include: access time, network location of the resource to be accessed, security baseline, environmental status, and other dynamic factors.
In other words, each intranet resource access history record may include: coverage of used policy rule items, access frequency of a user to a certain intranet resource, used zero-trust access control version, specific used policy rule items and the like.
For example, a certain intranet resource access history record is as follows: when the user Zhang San accesses the intranet resource whose domain name is ABC.com on port 8791 using the A browser, and the compliance detection level of the terminal used by Zhang San is low, the handling action executed is release (allow) access; the matched policy versions are V1, V2 and V3, the specifically matched policy rule items are L1 in version V1, L2 in version V2 and L3 in version V3, and the number of times Zhang San has accessed this intranet resource is 20.
Alternatively, the intranet resource access history record may be stored in a persistent repository of the terminal device, but is not limited thereto.
Optionally, in order to save the storage overhead of the terminal device, the persistence library may keep only the intranet resource access history records within M days of the current time and for at most N different policy versions, where M controls the longest time a user's intranet resource access record is stored in the persistence library and N controls the maximum number of policy versions kept in an intranet resource access record; M and N are two parameters issued by the server to the terminal device. In other words, the terminal device automatically deletes intranet resource access history records older than M days, and if the number of policy versions in a record exceeds N, the terminal device automatically deletes the earliest policy version.
Optionally, in order to save the storage overhead of the terminal device, the terminal device may further combine multiple intranet resource access history records; one possible combining manner, to which the method is not limited, is as follows: the terminal device combines records with the same coverage of the used policy rule items. For example, in the static access policy control scenario, the terminal device may combine records with the same user, application and intranet resource to be accessed, and the number of resource accesses in the combined record is increased correspondingly. In the dynamic access policy control scenario, the terminal device may combine records with the same user, application, intranet resource to be accessed and dynamic factors, and the number of resource accesses in the combined record is increased correspondingly.
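The persistence-library behaviour described in the two paragraphs above (combining records with identical coverage, and pruning by the server-issued M and N) as an added example, not code from the patent. Record fields, the sample history modelled on the Zhang San example, and the rule and version identifiers are constructed; the unused-rule check at the end relates the retained records to the "not hit within a preset duration" abnormality discussed below.

```python
"""Terminal-side access-history store: merge records with the same coverage,
prune by M days / N versions (added example; fields and samples constructed)."""
from dataclasses import dataclass
from datetime import date


@dataclass
class AccessRecord:
    user: str
    app: str
    resource: str                 # intranet resource, e.g. "domain:port"
    versions: dict                # policy version -> matched rule item, {"V1": "L1"}
    action: str                   # handling action that was executed
    last_access: date
    count: int = 1                # number of accesses
    dynamic_factors: tuple = ()   # e.g. (("compliance_level", "low"),); empty in static mode


def coverage_key(rec):
    """Records with the same coverage of the used policy rule items are merged:
    user, application and resource, plus the dynamic factors when present."""
    return (rec.user, rec.app, rec.resource, rec.dynamic_factors)


def merge_records(records):
    """Combine records with identical coverage: access counts add up and the
    matched versions are unioned. The input records are left unmodified."""
    merged = {}
    for r in records:
        key = coverage_key(r)
        if key in merged:
            m = merged[key]
            m.count += r.count
            m.versions.update(r.versions)
            m.last_access = max(m.last_access, r.last_access)
        else:
            merged[key] = AccessRecord(r.user, r.app, r.resource, dict(r.versions),
                                       r.action, r.last_access, r.count,
                                       r.dynamic_factors)
    return list(merged.values())


def version_number(version):
    """'V12' -> 12, so that versions sort numerically rather than lexically."""
    return int(version.lstrip("V"))


def prune(records, today, max_days, max_versions):
    """Drop records older than M=max_days and, per record, keep only the
    N=max_versions most recent policy versions (earliest deleted first)."""
    kept = []
    for r in records:
        if (today - r.last_access).days > max_days:
            continue
        if len(r.versions) > max_versions:
            newest = sorted(r.versions, key=version_number)[-max_versions:]
            r.versions = {v: r.versions[v] for v in newest}
        kept.append(r)
    return kept


def rules_not_hit(records, rule_ids):
    """Rule items no retained record ever matched: candidates for the
    'not hit within the preset duration' abnormality reported to the server."""
    hit = {rule for r in records for rule in r.versions.values()}
    return [rid for rid in rule_ids if rid not in hit]


# Constructed sample history, modelled on the Zhang San example in the text.
TODAY = date(2024, 3, 31)
HISTORY = [
    AccessRecord("zhang_san", "browser-a", "ABC.com:8791", {"V1": "L1", "V2": "L2"},
                 "allow", date(2024, 3, 30)),
    AccessRecord("zhang_san", "browser-a", "ABC.com:8791", {"V3": "L3"},
                 "allow", date(2024, 3, 29), count=19),
    AccessRecord("li_si", "browser-a", "ABC.com:8791", {"V1": "L1"},
                 "allow", date(2024, 1, 1)),               # stale: 90 days old
    AccessRecord("zhang_san", "browser-a", "ABC.com:8791", {"V1": "L1"},
                 "allow", date(2024, 3, 28),
                 dynamic_factors=(("compliance_level", "low"),)),
]


def run_demo(max_days=30, max_versions=2):
    """Merge, prune with M=max_days / N=max_versions, then list unused rules."""
    retained = prune(merge_records(HISTORY), TODAY, max_days, max_versions)
    return retained, rules_not_hit(retained, ["L1", "L2", "L3", "L4"])
```

With M=30 and N=2 the two Zhang San records without dynamic factors merge into one record of 20 accesses keeping only V2 and V3, the stale Li Si record is dropped, and the record carrying a dynamic factor stays separate because its coverage differs.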
Alternatively, the abnormal policy rule item may be any of the following, but is not limited to these: a policy rule item not hit by the terminal device within a preset duration, a plurality of overlapping policy rule items, a policy rule item whose number of blocked accesses reaches a preset number, and a policy rule item whose corresponding access right does not conform to the historical access right obtained from the intranet resource access history records.
Optionally, if the abnormal policy rule item is a policy rule item not hit by the terminal device within a preset duration, then after reporting an indication message indicating that the abnormal policy rule item is abnormal to the server, the terminal device receives a first deletion instruction issued by the server and deletes the abnormal policy rule item based on the first deletion instruction.
Optionally, the preset duration may be issued to the terminal device by the server, or negotiated between the terminal device and the server, and so on. The preset duration may be, but is not limited to, one week, one month, one year, etc.
Optionally, the first deletion instruction is an instruction generated by the server in response to a deletion operation for the exception policy rule item. The first deletion instruction is used for indicating deletion of the abnormal policy rule item.
Optionally, if the abnormal policy rule item is a plurality of overlapping policy rule items, then after reporting an indication message indicating that the abnormal policy rule item is abnormal to the server, the terminal device receives a merging instruction issued by the server and merges the abnormal policy rule items based on the merging instruction.
Optionally, the plurality of overlapping policy rule items includes any of the following, but is not limited to these: a plurality of policy rule items with the same coverage but different handling actions, and a plurality of policy rule items with the same handling action whose coverage ranges overlap.
For example, if two policy rule items have the same coverage, but one handling action is direct access and the other handling action is blocking access, indicating that the two policy rule items are conflicting two policy rule items, then the server may generate a merge instruction in response to a merge operation on the two policy rule items and issue the merge instruction to the terminal device, where the terminal device merges the two policy rule items, such as only retaining the policy rule item for which the handling action is direct access.
For example, if of two policy rule items one specifies an access time of 8:00 to 20:00 with the handling action of direct access and the other specifies an access time of any time with the handling action of direct access, the former is encompassed by the latter; the server may generate a merging instruction in response to a merging operation on the two policy rule items and issue it to the terminal device, and the terminal device merges the two policy rule items, for example into a policy rule item specifying an access time of any time with the handling action of direct access.
Optionally, if the abnormal policy rule item is a policy rule item whose number of blocked accesses reaches a preset number, then after reporting an indication message indicating that the abnormal policy rule item is abnormal to the server, the terminal device either receives an optimized policy rule item issued by the server and updates the abnormal policy rule item to the optimized policy rule item, or receives a second deletion instruction issued by the server and deletes the abnormal policy rule item based on the second deletion instruction.
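The set-based view that underlies both the three control-range cases of figs. 4 to 6 (an enforcement rule replacing its association rule) and the overlapping-rule abnormality just described, as an added example that is not code from the patent. A control range is modelled as the set of (user, resource, hour-of-day) combinations a rule governs; users, resources and rule identifiers are constructed, and the classification goes slightly beyond the text by also naming equal and disjoint ranges.

```python
"""Control ranges of policy rule items as sets of covered access atoms
(added example; the coverage model and all identifiers are constructed)."""
from dataclasses import dataclass
from itertools import combinations, product

DYNAMIC = "dynamically_adjustable"
ENFORCE = "enforcement"
ANY_HOUR = range(24)


def coverage(users, resources, hours=ANY_HOUR):
    """Control range as a frozenset of (user, resource, hour) atoms."""
    return frozenset(product(users, resources, hours))


@dataclass(frozen=True)
class Rule:
    rule_id: str
    rule_type: str           # DYNAMIC or ENFORCE
    action: str              # handling action: "allow", "block", "secondary_auth"
    cover: frozenset         # control range


def compare_ranges(vh, vs):
    """Classify Vh (second association rule, current version) against
    Vs (fourth policy rule item, enforcement type in the new version)."""
    if vh == vs:
        return "equal"
    if vs < vh:
        return "vh_larger"        # fig. 5: authority tightened
    if vh < vs:
        return "vs_larger"        # fig. 6: authority expanded
    if vh & vs:
        return "partial_overlap"  # fig. 4
    return "disjoint"


def apply_enforcement(old, new):
    """The new enforcement rule takes effect and the association rule is
    invalidated. For a partial overlap, the part of the old range outside the
    new one survives as a dynamically adjustable rule instead of failing at once."""
    active = [new]
    if compare_ranges(old.cover, new.cover) == "partial_overlap":
        active.append(Rule(old.rule_id + "-rest", DYNAMIC, old.action,
                           old.cover - new.cover))
    return active


def find_overlaps(rules):
    """Abnormal overlapping rule items: identical coverage with different
    handling actions (conflict), containment with the same action (redundant)."""
    findings = []
    for a, b in combinations(rules, 2):
        if a.cover == b.cover and a.action != b.action:
            findings.append(("conflict", a.rule_id, b.rule_id))
        elif a.action == b.action and (a.cover <= b.cover or b.cover <= a.cover):
            findings.append(("redundant", a.rule_id, b.rule_id))
    return findings


def merge_redundant(a, b):
    """Merge two same-action rules where one encompasses the other by keeping
    the broader one (the 'any time' rule in the text's example)."""
    if a.action != b.action or not (a.cover <= b.cover or b.cover <= a.cover):
        raise ValueError("rule items are not redundant")
    return a if b.cover <= a.cover else b


# Constructed sample: one user, one resource, different time windows/actions.
WIKI = ("wiki.intranet.example:8443",)
R_DAY = Rule("R1", ENFORCE, "allow", coverage(("zhang_san",), WIKI, range(8, 20)))
R_ANY = Rule("R2", ENFORCE, "allow", coverage(("zhang_san",), WIKI))
R_BLK = Rule("R3", ENFORCE, "block", coverage(("zhang_san",), WIKI))
```

Running `find_overlaps([R_DAY, R_ANY, R_BLK])` flags R1/R2 as redundant and R2/R3 as conflicting; a conflict is resolved by the administrator's merging instruction, which this model only detects.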
It should be appreciated that if a policy rule item blocks access too many times, it may affect the user's normal access. Based on this, for such policy rule items, an administrator may optimize them, e.g., may optimize the control scope or handling actions of the policy rule items, etc. Or, the administrator can directly perform a deletion operation on such policy rule items, and the server responds to the deletion operation to generate a second deletion instruction; the second delete instruction is for deleting such policy rule items.
Optionally, if the abnormal policy rule item is a policy rule item whose corresponding access right does not conform to the historical access right obtained from the intranet resource access history, then after reporting an indication message indicating that the abnormal policy rule item is abnormal to the server, the terminal device may receive a permission change instruction issued by the server and change the access right corresponding to the abnormal policy rule item based on the permission change instruction.
For example, when the access right of a certain policy rule item is the highest access right, but it is determined based on the intranet resource access history that the terminal device does not have an access record of a corresponding resource based on the policy rule item, the terminal device may report an indication message to the server, where the indication message may carry advice data of permission degradation or cancellation, the administrator may modify the permission of the policy rule item based on the indication message, the server generates a permission modification instruction in response to the permission modification operation, and issues the permission modification instruction to the terminal device, and the terminal device modifies the access right corresponding to the abnormal policy rule item based on the permission modification instruction.
Optionally, if the abnormal policy rule item is a policy rule item whose corresponding access right does not conform to the historical access right obtained from the intranet resource access history, the terminal device may also change the access right corresponding to the abnormal policy rule item automatically, without reporting an indication message. For example, the terminal device may tighten the access right automatically when the policy rule item is hit, such as raising the handling action from direct access to access after secondary authentication.
In the embodiment of the application, the terminal device can record the intranet resource access history and determine the abnormal policy rule items in the new version zero-trust access control policy and the current version zero-trust access control policy based on it, and reports an indication message indicating that an abnormal policy rule item is abnormal to the server. Based on the indication message, the server can issue a deletion instruction, a merging instruction, an optimized policy rule item, a permission change instruction or the like for the abnormal policy rule item to the terminal device, so that the terminal device can clear useless policy rule items by deleting, merging, optimizing or changing the permissions of the abnormal policy rule items. This avoids policy rule bloat, reduces the number of policy rule items and the time the terminal spends executing the policy, improves terminal performance, keeps the policy usable and accurate, and improves the efficiency of matching feature information against policy rule items, thereby ensuring the access efficiency of users.
The preferred embodiments of the present application have been described in detail above with reference to the accompanying drawings, but the present application is not limited to the specific details of the above embodiments, and various simple modifications can be made to the technical solution of the present application within the scope of the technical concept of the present application, and all the simple modifications belong to the protection scope of the present application. For example, the specific features described in the above embodiments may be combined in any suitable manner, and in order to avoid unnecessary repetition, various possible combinations are not described further. As another example, any combination of the various embodiments of the present application may be made without departing from the spirit of the present application, which should also be regarded as the disclosure of the present application.
It should be further understood that, in the various method embodiments of the present application, the sequence numbers of the foregoing processes do not mean the order of execution, and the order of execution of the processes should be determined by the functions and internal logic of the processes, and should not constitute any limitation on the implementation process of the embodiments of the present application.
The method provided by the embodiment of the application is described above, and the device provided by the embodiment of the application is described below.
Fig. 7 is a schematic diagram of a processing apparatus 700 of a zero-trust access control policy according to an embodiment of the present application, as shown in fig. 7, the apparatus 700 includes: a transceiver module 710 and a processing module 720;
the transceiver module 710 is configured to receive a new version of the zero trust access control policy issued by the server;
the transceiver module 710 is further configured to obtain first feature information of the first traffic authentication request;
the processing module 720 is configured to, if the first feature information is successfully matched with a first policy rule item of a dynamically adjustable type in the new version zero-trust access control policy, not execute a disposition action corresponding to the first policy rule item, and collect audit data;
the transceiver module 710 is further configured to report audit data to the server, so that the server determines an evaluation index of the first policy rule item based on the audit data, and respond to a confirmation operation of the first policy rule item when the evaluation index meets a corresponding preset condition, so as to generate a policy update instruction; or, in response to an adjustment operation of the first policy rule item when the evaluation index does not satisfy the corresponding preset condition, generating a second policy rule item;
the transceiver module 710 is further configured to receive a policy update instruction issued by the server, and the processing module 720 is further configured to update a first association policy rule item of the first policy rule item in the current version zero-trust access control policy to the first policy rule item based on the policy update instruction; or, the transceiver module 710 is further configured to receive a second policy rule item issued by the server, the processing module 720 is further configured to update the first policy rule item to the second policy rule item, the transceiver module 710 is further configured to obtain second feature information of the second traffic authentication request, and the processing module 720 is further configured to take the second feature information as the new first feature information and the second policy rule item as the new first policy rule item, and to continue, if the first feature information is successfully matched with the dynamically adjustable first policy rule item in the new version zero-trust access control policy, not executing the handling action corresponding to the first policy rule item and collecting audit data, until the first policy rule item is no longer adjusted.
Optionally, the transceiver module 710 is further configured to obtain an intranet resource access history of the terminal device; the processing module 720 is further configured to determine, based on the intranet resource access history, a new version zero trust access control policy and an abnormal policy rule item in the current version zero trust access control policy; the transceiver module 710 is further configured to report an indication message to the server, where the indication message indicates that the abnormal policy rule item is abnormal.
Optionally, the abnormal policy rule item is a policy rule item missed by the terminal device within a preset duration; after the transceiver module 710 reports an indication message for indicating that the abnormal policy rule item has an abnormality to the server, the transceiver module 710 is further configured to receive a first deletion instruction issued by the server; the processing module 720 is configured to delete the abnormal policy rule item based on the first deletion instruction.
Optionally, the abnormal policy rule item is a plurality of policy rule items that overlap; after the transceiver module 710 reports an indication message for indicating that the abnormal policy rule item is abnormal to the server, the transceiver module 710 is further configured to receive a merging instruction issued by the server; the processing module 720 is further configured to merge the exception policy rule items based on the merge instruction.
Optionally, the abnormal policy rule item is a policy rule item that blocks access times to reach a preset number of times; after the transceiver module 710 reports an indication message for indicating that the abnormal policy rule item has an abnormality to the server, the transceiver module 710 is further configured to receive an optimization policy rule item issued by the server, and the processing module 720 is further configured to update the abnormal policy rule item to the optimization policy rule item; or, the transceiver module 710 is further configured to receive a second deletion instruction issued by the server; the processing module 720 is further configured to delete the exception policy rule item based on the second delete instruction.
Optionally, the abnormal policy rule item is a policy rule item with a corresponding access right not conforming to a history access right obtained based on an intranet resource access history; after the transceiver module 710 reports an indication message for indicating that the abnormal policy rule item is abnormal to the server, the transceiver module 710 is further configured to receive an authority modification instruction issued by the server; the processing module 720 is further configured to change the access rights corresponding to the abnormal policy rule item based on the rights change instruction.
Optionally, the processing module 720 is further configured to: while not executing the handling action corresponding to the first policy rule item and collecting audit data, execute the handling action corresponding to a third policy rule item if the first feature information is successfully matched with the third policy rule item in the current version zero-trust access control policy.
Optionally, the processing module 720 is further configured to: determining a second association policy rule item of the fourth policy rule item in the current version zero-trust access control policy; the fourth policy rule item is a policy rule item of any enforcement type in the new version zero trust access control policy; and updating the second association policy rule item to a fourth policy rule item.
Optionally, the processing module 720 is further configured to: determining a control range of a fourth policy rule item and a control range of a second association policy rule item of the fourth policy rule item in the current version of zero-trust access control policy; the fourth policy rule item is a policy rule item of any enforcement type in the new version zero trust access control policy; and if the control range of the fourth policy rule item and the control range of the second association policy rule item have partial intersection, determining the policy rule items corresponding to the rest parts except the partial intersection in the control range of the second association policy rule item as the policy rule items of the dynamically adjustable type.
It should be understood that apparatus embodiments and method embodiments may correspond with each other and that similar descriptions may refer to the method embodiments. To avoid repetition, no further description is provided here. Specifically, the apparatus 700 shown in fig. 7 may execute the method embodiment corresponding to the terminal device in fig. 3, and the foregoing and other operations and/or functions of each module in the apparatus 700 are respectively for implementing the corresponding flow in each method corresponding to the terminal device in fig. 3, which is not described herein for brevity.
The apparatus 700 of the embodiment of the present application is described above in terms of functional modules in conjunction with the accompanying drawings. It should be understood that the functional module may be implemented in hardware, or may be implemented by instructions in software, or may be implemented by a combination of hardware and software modules. Specifically, each step of the method embodiment in the embodiment of the present application may be implemented by an integrated logic circuit of hardware in a processor and/or an instruction in a software form, and the steps of the method disclosed in connection with the embodiment of the present application may be directly implemented as a hardware decoding processor or implemented by a combination of hardware and software modules in the decoding processor. Alternatively, the software modules may be located in a well-established storage medium in the art such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, and the like. The storage medium is located in a memory, and the processor reads information in the memory, and in combination with hardware, performs the steps in the above method embodiments.
Fig. 8 is a schematic diagram of a processing apparatus 800 of a zero-trust access control policy according to an embodiment of the present application, as shown in fig. 8, the apparatus 800 includes: a transceiver module 810 and a processing module 820;
The transceiver module 810 is configured to issue a new version of the zero trust access control policy to the terminal device;
the transceiver module 810 is further configured to receive audit data reported by the terminal device; the audit data are collected by the terminal equipment when the first characteristic information of the first flow authentication request is successfully matched with a first policy rule item of a dynamically adjustable type in the new version zero trust access control policy;
the processing module 820 is configured to determine an evaluation index of the first policy rule item based on the audit data;
the processing module 820 is further configured to generate a policy update instruction in response to a confirmation operation on the first policy rule item when the evaluation index meets the corresponding preset condition; the transceiver module 810 is further configured to issue the policy update instruction to the terminal device; the policy update instruction is used to indicate that a first association policy rule item of the first policy rule item in the current version zero-trust access control policy is updated to the first policy rule item; or,
the processing module 820 is further configured to generate a second policy rule item in response to an adjustment operation on the first policy rule item when the evaluation index does not meet the corresponding preset condition; the transceiver module 810 is further configured to issue the second policy rule item to the terminal device.
Optionally, the transceiver module 810 is further configured to receive an indication message that is reported by the terminal device and is used to indicate that the abnormal policy rule item is abnormal; the abnormal policy rule item is an abnormal policy rule item in a new version zero-trust access control policy and a current version zero-trust access control policy which are determined by the terminal equipment based on the intranet resource access history record.
Optionally, the abnormal policy rule item is a policy rule item that has not been hit on the terminal device within a preset duration; after the transceiver module 810 receives the indication message reported by the terminal device indicating that the abnormal policy rule item is abnormal, the transceiver module 810 is further configured to issue a first deletion instruction to the terminal device; the first deletion instruction indicates that the abnormal policy rule item is to be deleted.
Optionally, the abnormal policy rule item is a plurality of policy rule items that overlap; after the transceiver module 810 receives the indication message reported by the terminal device indicating that the abnormal policy rule item is abnormal, the transceiver module 810 is further configured to issue a merging instruction to the terminal device; the merging instruction indicates that the abnormal policy rule items are to be merged.
Optionally, the abnormal policy rule item is a policy rule item whose number of blocked accesses has reached a preset number; after the transceiver module 810 receives the indication message reported by the terminal device indicating that the abnormal policy rule item is abnormal, the transceiver module 810 is further configured to issue an optimized policy rule item to the terminal device, or to issue a second deletion instruction to the terminal device; the second deletion instruction indicates that the abnormal policy rule item is to be deleted.
Optionally, the abnormal policy rule item is a policy rule item whose corresponding access right does not conform to the historical access right obtained from the intranet resource access history; after the transceiver module 810 receives the indication message reported by the terminal device indicating that the abnormal policy rule item is abnormal, the transceiver module 810 is further configured to issue a permission change instruction to the terminal device; the permission change instruction indicates that the access right corresponding to the abnormal policy rule item is to be changed.
It should be understood that apparatus embodiments and method embodiments may correspond with each other and that similar descriptions may refer to the method embodiments. To avoid repetition, no further description is provided here. Specifically, the apparatus 800 shown in fig. 8 may execute the method embodiment corresponding to the server in fig. 3, and the foregoing and other operations and/or functions of each module in the apparatus 800 are respectively for implementing the corresponding flow in each method corresponding to the server in fig. 3, which is not described herein for brevity.
The apparatus 800 of the embodiment of the present application is described above in terms of functional modules in conjunction with the accompanying drawings. It should be understood that the functional module may be implemented in hardware, or may be implemented by instructions in software, or may be implemented by a combination of hardware and software modules. Specifically, each step of the method embodiment in the embodiment of the present application may be implemented by an integrated logic circuit of hardware in a processor and/or an instruction in a software form, and the steps of the method disclosed in connection with the embodiment of the present application may be directly implemented as a hardware decoding processor or implemented by a combination of hardware and software modules in the decoding processor. Alternatively, the software modules may be located in a well-established storage medium in the art such as random access memory, flash memory, read-only memory, programmable read-only memory, electrically erasable programmable memory, registers, and the like. The storage medium is located in a memory, and the processor reads information in the memory, and in combination with hardware, performs the steps in the above method embodiments.
Fig. 9 is a schematic block diagram of an electronic device provided by an embodiment of the present application. The electronic device may be the above-described terminal device or a server.
As shown in fig. 9, the electronic device may include:
a memory 910 and a processor 920, the memory 910 being configured to store a computer program and to transfer the program code to the processor 920. In other words, the processor 920 may call and run a computer program from the memory 910 to implement the method in the embodiment of the present application.
For example, the processor 920 may be configured to perform the above-described method embodiments according to instructions in the computer program.
In some embodiments of the application, the processor 920 may include, but is not limited to:
a general purpose processor, digital signal processor (Digital Signal Processor, DSP), application specific integrated circuit (Application Specific Integrated Circuit, ASIC), field programmable gate array (Field Programmable Gate Array, FPGA) or other programmable logic device, discrete gate or transistor logic device, discrete hardware components, or the like.
In some embodiments of the application, the memory 910 includes, but is not limited to:
volatile memory and/or nonvolatile memory. The nonvolatile memory may be a Read-Only Memory (ROM), a Programmable ROM (PROM), an Erasable PROM (EPROM), an Electrically Erasable EPROM (EEPROM), or a flash memory. The volatile memory may be Random Access Memory (RAM), which acts as an external cache. By way of example, and not limitation, many forms of RAM are available, such as Static RAM (SRAM), Dynamic RAM (DRAM), Synchronous DRAM (SDRAM), Double Data Rate SDRAM (DDR SDRAM), Enhanced SDRAM (ESDRAM), Synchronous Link DRAM (SLDRAM), and Direct Rambus RAM (DR RAM).
In some embodiments of the application, the computer program may be partitioned into one or more modules that are stored in the memory 910 and executed by the processor 920 to perform the methods provided by the present application. The one or more modules may be a series of computer program instruction segments capable of performing the specified functions, which are used to describe the execution of the computer program in the electronic device.
As shown in fig. 9, the electronic device may further include:
a transceiver 930, the transceiver 930 being connectable to the processor 920 or the memory 910.
The processor 920 may control the transceiver 930 to communicate with other devices, and in particular, may send information or data to other devices or receive information or data sent by other devices. Transceiver 930 may include a transmitter and a receiver. Transceiver 930 may further include antennas, the number of which may be one or more.
It will be appreciated that the various components in the electronic device are connected by a bus system that includes, in addition to a data bus, a power bus, a control bus, and a status signal bus.
The present application also provides a computer storage medium having stored thereon a computer program which, when executed by a computer, enables the computer to perform the method of the above-described method embodiments. Alternatively, embodiments of the present application also provide a computer program product comprising instructions which, when executed by a computer, cause the computer to perform the method of the method embodiments described above.
When implemented in software, the above may be implemented in whole or in part in the form of a computer program product. The computer program product includes one or more computer instructions. When the computer instructions are loaded and executed on a computer, the flows or functions according to the embodiments of the application are produced in whole or in part. The computer may be a general purpose computer, a special purpose computer, a computer network, or other programmable apparatus. The computer instructions may be stored in a computer-readable storage medium or transmitted from one computer-readable storage medium to another computer-readable storage medium; for example, the computer instructions may be transmitted from one website, computer, server, or data center to another website, computer, server, or data center by wired (e.g., coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (e.g., infrared, radio, microwave) means. The computer readable storage medium may be any available medium that can be accessed by a computer, or a data storage device such as a server or data center that integrates one or more available media. The available medium may be a magnetic medium (e.g., a floppy disk, a hard disk, a magnetic tape), an optical medium (e.g., a digital video disc (DVD)), or a semiconductor medium (e.g., a Solid State Disk (SSD)), or the like.
Those of ordinary skill in the art will appreciate that the various illustrative modules and algorithm steps described in connection with the embodiments disclosed herein may be implemented as electronic hardware, or combinations of computer software and electronic hardware. Whether such functionality is implemented as hardware or software depends upon the particular application and design constraints imposed on the solution. Skilled artisans may implement the described functionality in varying ways for each particular application, but such implementation decisions should not be interpreted as causing a departure from the scope of the present application.
In the several embodiments provided by the present application, it should be understood that the disclosed systems, devices, and methods may be implemented in other manners. For example, the apparatus embodiments described above are merely illustrative, and for example, the division of the modules is merely a logical function division, and there may be additional divisions when actually implemented, for example, multiple modules or components may be combined or integrated into another system, or some features may be omitted or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be an indirect coupling or communication connection via some interfaces, devices or modules, which may be in electrical, mechanical, or other forms.
The modules illustrated as separate components may or may not be physically separate, and components shown as modules may or may not be physical modules, i.e., may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment. For example, functional modules in various embodiments of the present application may be integrated into one processing module, or each module may exist alone physically, or two or more modules may be integrated into one module.
The above is only a specific embodiment of the present application, but the protection scope of the present application is not limited thereto, and any person skilled in the art can easily think about changes or substitutions within the technical scope of the present application, and the changes and substitutions are intended to be covered by the protection scope of the present application. Therefore, the protection scope of the present application shall be subject to the protection scope of the claims.

Claims (20)

1. A method for processing a zero-trust access control policy, wherein the method is applied to a terminal device, the method comprising:
receiving a new version zero-trust access control policy issued by a server;
acquiring first characteristic information of a first traffic authentication request;
if the first characteristic information is successfully matched with a first policy rule item of a dynamically adjustable type in the new version zero-trust access control policy, not executing a disposal action corresponding to the first policy rule item, and collecting audit data;
reporting the audit data to the server, so that the server determines an evaluation index of the first policy rule item based on the audit data, and responding to a confirmation operation of the first policy rule item when the evaluation index meets a corresponding preset condition, so as to generate a policy update instruction; or, in response to an adjustment operation on the first policy rule item when the evaluation index does not meet the corresponding preset condition, generating a second policy rule item;
receiving the policy update instruction issued by the server, and updating a first association policy rule item of the first policy rule item in the current version zero-trust access control policy to the first policy rule item based on the policy update instruction; or, receiving the second policy rule item issued by the server, updating the first policy rule item to the second policy rule item, acquiring second characteristic information of a second traffic authentication request, taking the second characteristic information as the new first characteristic information and the second policy rule item as the new first policy rule item, and continuing to execute the step of, if the first characteristic information is successfully matched with the first policy rule item of the dynamically adjustable type in the new version zero-trust access control policy, not executing the disposal action corresponding to the first policy rule item and collecting audit data, until the first policy rule item is no longer adjusted.
2. The method as recited in claim 1, further comprising:
acquiring an intranet resource access history of the terminal equipment;
determining abnormal policy rule items in the new version zero-trust access control policy and the current version zero-trust access control policy based on the intranet resource access history record;
and reporting, to the server, an indication message indicating that the abnormal policy rule item is abnormal.
3. The method according to claim 2, wherein the abnormal policy rule item is a policy rule item that has not been hit on the terminal device within a preset duration;
after reporting the indication message for indicating that the abnormal policy rule item has an abnormality to the server, the method further includes:
receiving a first deleting instruction issued by the server;
and deleting the abnormal policy rule item based on the first deleting instruction.
4. The method of claim 2, wherein the abnormal policy rule item is a plurality of policy rule items that overlap;
after reporting the indication message for indicating that the abnormal policy rule item has an abnormality to the server, the method further includes:
receiving a merging instruction issued by the server;
and merging the abnormal policy rule items based on the merging instruction.
5. The method according to claim 2, wherein the abnormal policy rule item is a policy rule item whose number of blocked accesses has reached a preset number;
after reporting the indication message for indicating that the abnormal policy rule item has an abnormality to the server, the method further includes:
receiving an optimized policy rule item issued by the server, and
updating the abnormal policy rule item to the optimized policy rule item; or,
receiving a second deleting instruction issued by the server;
and deleting the abnormal policy rule item based on the second deleting instruction.
6. The method according to claim 2, wherein the abnormal policy rule item is a policy rule item whose corresponding access right does not conform to the historical access right obtained based on the intranet resource access history;
after reporting the indication message for indicating that the abnormal policy rule item has an abnormality to the server, the method further includes:
receiving an authority changing instruction issued by the server;
and changing the access right corresponding to the abnormal policy rule item based on the right changing instruction.
7. The method of any one of claims 1-6, further comprising:
and, while not executing the disposal action corresponding to the first policy rule item and collecting audit data, executing the disposal action corresponding to a third policy rule item if the first characteristic information is successfully matched with the third policy rule item in the current version zero-trust access control policy.
8. The method of any one of claims 1-6, further comprising:
determining a second association policy rule item of a fourth policy rule item in the current version zero-trust access control policy; the fourth policy rule item is a policy rule item of any enforcement type in the new version of the zero trust access control policy;
and updating the second association policy rule item to the fourth policy rule item.
9. The method of any one of claims 1-6, further comprising:
determining a control range of a fourth policy rule item and a control range of a second association policy rule item of the fourth policy rule item in the current version of zero-trust access control policy; the fourth policy rule item is a policy rule item of any enforcement type in the new version of the zero trust access control policy;
and if a partial intersection exists between the control range of the fourth policy rule item and the control range of the second association policy rule item, determining the policy rule items corresponding to the remaining parts, other than the partial intersection, of the control range of the second association policy rule item as policy rule items of the dynamically adjustable type.
10. A method for processing a zero-trust access control policy, the method being applied to a server, the method comprising:
issuing a new version zero-trust access control policy to a terminal device;
receiving audit data reported by the terminal device; the audit data is collected by the terminal device when first characteristic information of a first traffic authentication request is successfully matched with a first policy rule item of a dynamically adjustable type in the new version zero-trust access control policy;
determining an evaluation index of the first policy rule item based on the audit data;
responding to a confirmation operation on the first policy rule item when the evaluation index meets a corresponding preset condition, so as to generate a policy update instruction, and issuing the policy update instruction to the terminal device; the policy update instruction is used for indicating that a first association policy rule item of the first policy rule item in the current version zero-trust access control policy is updated to the first policy rule item; or,
responding to an adjustment operation on the first policy rule item when the evaluation index does not meet the corresponding preset condition, so as to generate a second policy rule item, and issuing the second policy rule item to the terminal device.
11. The method as recited in claim 10, further comprising:
receiving an indication message reported by the terminal device indicating that an abnormal policy rule item is abnormal;
the abnormal policy rule item is an abnormal policy rule item in the new version zero-trust access control policy and the current version zero-trust access control policy, which are determined by the terminal equipment based on an intranet resource access history.
12. The method of claim 11, wherein the abnormal policy rule item is a policy rule item that has not been hit on the terminal device within a preset duration;
after receiving the indication message reported by the terminal equipment and used for indicating that the abnormal policy rule item is abnormal, the method further comprises the following steps:
issuing a first deleting instruction to the terminal equipment;
the first deleting instruction is used for indicating to delete the abnormal policy rule item.
13. The method of claim 11, wherein the abnormal policy rule item is a plurality of policy rule items that overlap;
after receiving the indication message reported by the terminal device and used for indicating that the abnormal policy rule item is abnormal, the method further comprises the following steps:
issuing a merging instruction to the terminal equipment;
the merging instruction is used for indicating to merge the abnormal policy rule items.
14. The method according to claim 11, wherein the abnormal policy rule item is a policy rule item whose number of blocked accesses has reached a preset number;
after receiving the indication message reported by the terminal equipment and used for indicating that the abnormal policy rule item is abnormal, the method further comprises the following steps:
issuing an optimized policy rule item to the terminal device; or,
issuing a second deleting instruction to the terminal device; the second deleting instruction is used for indicating to delete the abnormal policy rule item.
15. The method of claim 11, wherein the abnormal policy rule item is a policy rule item that corresponds to an access right that is not in compliance with a historical access right obtained based on the intranet resource access history;
after receiving the indication message reported by the terminal equipment and used for indicating that the abnormal policy rule item is abnormal, the method further comprises the following steps:
issuing a permission change instruction to the terminal device;
the permission change instruction is used for indicating to change the access right corresponding to the abnormal policy rule item.
16. A processing apparatus for a zero trust access control policy, comprising: a transceiver module and a processing module;
the transceiver module is configured to receive a new version zero-trust access control policy issued by a server;
the transceiver module is further configured to acquire first characteristic information of a first traffic authentication request;
the processing module is configured to, if the first characteristic information is successfully matched with a first policy rule item of a dynamically adjustable type in the new version zero-trust access control policy, not execute the disposal action corresponding to the first policy rule item and collect audit data;
the transceiver module is further configured to report the audit data to the server, so that the server determines an evaluation index of the first policy rule item based on the audit data, and responds to a confirmation operation on the first policy rule item when the evaluation index meets a corresponding preset condition, so as to generate a policy update instruction; or, in response to an adjustment operation on the first policy rule item when the evaluation index does not meet the corresponding preset condition, generates a second policy rule item;
the transceiver module is further configured to receive the policy update instruction issued by the server, and the processing module is further configured to update a first association policy rule item of the first policy rule item in the current version zero-trust access control policy to the first policy rule item based on the policy update instruction; or, the transceiver module is further configured to receive the second policy rule item issued by the server, the processing module is further configured to update the first policy rule item to the second policy rule item, the transceiver module is further configured to acquire second characteristic information of a second traffic authentication request, and the processing module is further configured to take the second characteristic information as the new first characteristic information and the second policy rule item as the new first policy rule item, and to continue executing the step of, if the first characteristic information is successfully matched with the first policy rule item of the dynamically adjustable type in the new version zero-trust access control policy, not executing the disposal action corresponding to the first policy rule item and collecting audit data, until the first policy rule item is no longer adjusted.
17. A processing apparatus for a zero trust access control policy, comprising: a transceiver module and a processing module;
the transceiver module is configured to issue a new version zero-trust access control policy to a terminal device;
the transceiver module is further configured to receive audit data reported by the terminal device; the audit data is collected by the terminal device when first characteristic information of a first traffic authentication request is successfully matched with a first policy rule item of a dynamically adjustable type in the new version zero-trust access control policy;
the processing module is configured to determine an evaluation index of the first policy rule item based on the audit data;
the processing module is further configured to respond to a confirmation operation on the first policy rule item when the evaluation index meets a corresponding preset condition, so as to generate a policy update instruction; the transceiver module is further configured to issue the policy update instruction to the terminal device; the policy update instruction is used for indicating that a first association policy rule item of the first policy rule item in the current version zero-trust access control policy is updated to the first policy rule item; or,
the processing module is further configured to respond to an adjustment operation on the first policy rule item when the evaluation index does not meet the corresponding preset condition, so as to generate a second policy rule item; the transceiver module is further configured to issue the second policy rule item to the terminal device.
18. An electronic device, comprising:
a processor and a memory for storing a computer program, the processor being for invoking and running the computer program stored in the memory to perform the method of any of claims 1 to 15.
19. A computer readable storage medium storing a computer program for causing a computer to perform the method of any one of claims 1 to 15.
20. A computer program product comprising computer programs/instructions which, when executed by a processor, implement the method of any one of claims 1 to 15.
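The audit-only ("dynamically adjustable") rollout of the apparatus description above and of claims 1 to 10, together with the control-range split of claim 9 and the missed-rule and block-count checks of claims 3 and 5, as an added Python illustration that is not code from the patent or its assignee; the port-interval control range, the evaluation index formula, the thresholds and all rule ids are constructed assumptions.

```python
"""Shadow ("dynamically adjustable") rule rollout modelled on CN116980167A.
Added illustration, not code from the patent or its assignee; the control
range is an inclusive destination-port interval (constructed simplification)."""
from collections import Counter
from dataclasses import dataclass


@dataclass
class Rule:
    rule_id: str
    lo: int               # control range: destination ports lo..hi inclusive
    hi: int
    action: str           # "block" or "allow"
    enforce: bool = True  # False = dynamically adjustable (audit only)
    linked: str = ""      # id of the associated rule in the current policy

    def covers(self, port):
        return self.lo <= port <= self.hi


class Terminal:
    """Terminal side: enforces the current version, only audits the new one."""

    def __init__(self, current, new):
        self.current = {r.rule_id: r for r in current}
        self.new = {r.rule_id: r for r in new}
        self.audit = []           # (new_rule_id, port, shadow_action, real_action)
        self.hits = Counter()     # rule_id -> matches, for the missed-rule check
        self.blocked = Counter()  # rule_id -> blocked accesses, for claim 5

    def authenticate(self, port):
        """Traffic authentication; returns the enforced decision (default allow)."""
        decision = "allow"
        for r in self.current.values():       # claim 7: current version enforced
            if r.covers(port):
                self.hits[r.rule_id] += 1
                decision = r.action
                if decision == "block":
                    self.blocked[r.rule_id] += 1
                break
        for r in self.new.values():           # claim 1: shadow rules audited only
            if not r.enforce and r.covers(port):
                self.hits[r.rule_id] += 1
                self.audit.append((r.rule_id, port, r.action, decision))
        return decision

    def split_on_partial_overlap(self, new_rule):
        """Claim 9: the part of the associated current rule's range that the new
        enforced rule does not cover becomes a dynamically adjustable rule."""
        old = self.current[new_rule.linked]
        overlaps = new_rule.lo <= old.hi and old.lo <= new_rule.hi
        contains = new_rule.lo <= old.lo and old.hi <= new_rule.hi
        if not overlaps or contains:
            return []
        parts = []
        if old.lo < new_rule.lo:
            parts.append(Rule(old.rule_id + "-lo", old.lo, new_rule.lo - 1,
                              old.action, False, old.rule_id))
        if old.hi > new_rule.hi:
            parts.append(Rule(old.rule_id + "-hi", new_rule.hi + 1, old.hi,
                              old.action, False, old.rule_id))
        for p in parts:
            self.new[p.rule_id] = p
        return parts

    def apply_update(self, rule_id):
        """Policy update instruction: the associated current rule is replaced."""
        r = self.new[rule_id]
        self.current.pop(r.linked, None)
        self.current[rule_id] = Rule(r.rule_id, r.lo, r.hi, r.action, True, r.linked)

    def abnormal_rules(self, max_blocks):
        """Claims 3 and 5: never-hit rules and rules whose block count reached
        the preset number are reported to the server as abnormal."""
        missed = [rid for rid in self.current if self.hits[rid] == 0]
        noisy = [rid for rid, n in self.blocked.items() if n >= max_blocks]
        return missed, noisy


def evaluation_index(audit, rule_id):
    """Server side (claim 10): fraction of shadow hits whose action differs from
    what the current policy actually did (constructed metric)."""
    rows = [a for a in audit if a[0] == rule_id]
    return None if not rows else sum(a[2] != a[3] for a in rows) / len(rows)


def server_decision(audit, rule_id, max_change=0.2):
    """Confirm when the index meets the preset condition, else request an
    adjusted second rule from the administrator."""
    idx = evaluation_index(audit, rule_id)
    if idx is None:
        return "no-data"
    return "confirm" if idx <= max_change else "adjust"
```

A high index means the shadow rule would have reversed many decisions the current policy made, which is the signal that warrants an adjusted second rule rather than a confirmation.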
CN202310084812.8A 2023-01-13 2023-01-13 Zero-trust access control policy processing method, device, medium and program product Pending CN116980167A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310084812.8A CN116980167A (en) 2023-01-13 2023-01-13 Zero-trust access control policy processing method, device, medium and program product

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310084812.8A CN116980167A (en) 2023-01-13 2023-01-13 Zero-trust access control policy processing method, device, medium and program product

Publications (1)

Publication Number Publication Date
CN116980167A true CN116980167A (en) 2023-10-31

Family

ID=88483785

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310084812.8A Pending CN116980167A (en) 2023-01-13 2023-01-13 Zero-trust access control policy processing method, device, medium and program product

Country Status (1)

Country Link
CN (1) CN116980167A (en)


Legal Events

Date Code Title Description
PB01 Publication