CN116319024A - Access control method and device of zero trust system and zero trust system - Google Patents
- Publication number: CN116319024A
- Application number: CN202310293396.2A
- Authority: CN (China)
- Prior art keywords: trusted access, access, trusted, access control, decision
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/20: Network architectures or network communication protocols for network security, for managing network security; network security policies in general
- H04L63/08: Network architectures or network communication protocols for network security, for authentication of entities
- H04L63/10: Network architectures or network communication protocols for network security, for controlling access to devices or network resources
- H04L67/14: Network arrangements or protocols for supporting network services or applications; session management
- H04L67/60: Network services; scheduling or organising the servicing of application requests, e.g. requests for application data transmissions using the analysis and optimisation of the required network resources
Abstract
The application discloses an access control method and device of a zero trust system, and the zero trust system itself. The zero trust system of the present application comprises a trusted access client, a trusted access controller, a continuous trust evaluation center, and a trusted access control gateway. The method comprises the following steps: acquiring an access request to a service system from an access subject, intercepted by the trusted access client, and acquiring the subject identity information of the access subject and whether that subject identity information is legal information; when the subject identity information of the access subject is legal information, obtaining a decision result generated by the continuous trust evaluation center; and controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the decision result. With this technical scheme, secure access by users to an enterprise's existing business system can be realized on the basis of the zero trust system without changing that business system.
Description
Technical Field
The present disclosure relates to the field of network information security technologies, and in particular, to an access control method and apparatus for a zero trust system, and a zero trust system.
Background
At present, most enterprises still adopt a traditional network partition and isolation security model: the enterprise intranet and the enterprise extranet are separated by boundary protection equipment, and the enterprise security system is built on that boundary. Under the traditional security system, intranet users have higher network authority by default, and extranet users such as off-site office staff and branch offices all need to access the enterprise intranet through a virtual private network (VPN). It cannot be denied that traditional network security architectures have played a positive role in the past, but today, when advanced network attacks are rampant and internal malicious events are frequent, traditional network security architectures require iterative upgrades.
The security verification scenario of boundary identity access control in a traditional network is mainly based on a passive, static authentication method: an identity authentication service is deployed on a fixed network boundary, the identity of a user is digitally managed in advance, and static authentication credentials and policies are configured for the user. When the user wants to cross the network boundary to access intranet resources or applications from an external network, the user authenticates according to the preset authentication policy, and once authentication succeeds, the user can access assets in the intranet at will without the credibility of the user identity ever being checked again.
Identity access control in conventional networks requires the configuration of several elements, including, for example: user identity digital configuration, such as configuring account numbers (identity documents, IDs); user authentication mode configuration, such as static password, dynamic password, token, certificate or biometric authentication factors; user access control processing configuration, such as the locations, times and terminals from which a user may access; and configuration of the user access authority model, in which user access authority is configured by binding the user identity to the asset account. Based on the elements configured above, authentication in a conventional network generally includes the following steps:
First, a user logs in to an access control gateway at the intranet network boundary using an account ID; in general, the access control gateway at the intranet network boundary is provided by a VPN.
Then, the access control gateway reads a pre-configured authentication mode and access control policy to authenticate the user identity; in general, the user identity information and the access control policy come from a 4A (Authentication, Authorization, Account, Audit; known in China as a unified security management platform solution) management platform in the intranet.
Then, after authentication succeeds, the user enters the intranet and initiates access requests to intranet resources according to the rights allocated in advance.
Finally, the intranet fully trusts the user by default and allows the user to log in to intranet resources and use them with the account ID bound in advance.
From the above analysis, in the traditional network construction scheme, remote access by users to intranet resources is realized by VPN technology. However, as the service mode keeps changing and upgrading, VPN equipment has been found to have high-risk vulnerabilities such as signature verification flaws, weak-password brute forcing and interface injection, and it suffers from poor user experience, high overall cost, complex operation and maintenance, and low efficiency in daily use. Moreover, the VPN adopts an open resource access mode, namely "connect first, then authenticate", which maximally exposes the intranet resources to an attacker and thus provides an attacker with a path for attacking them. How to solve the above risk problems without adjusting the existing enterprise network architecture, while still interfacing with the enterprise's original management platform, is a technical problem to be solved in the industry.
Disclosure of Invention
In order to overcome at least one of the above-mentioned problems, embodiments of the present application provide an access control method and apparatus for a zero-trust system, and a zero-trust system, so as to improve the security of the asset access process while changing the original business system of the enterprise as little as possible.
The embodiment of the application adopts the following technical scheme:
In a first aspect, an embodiment of the present application provides an access control method for a zero-trust system, where the zero-trust system includes a trusted access client, a trusted access controller, a continuous trust evaluation center, and a trusted access control gateway, and the method is performed by the trusted access controller and includes:
acquiring an access request to a service system from an access subject, intercepted by the trusted access client, and acquiring the subject identity information of the access subject and whether the subject identity information is legal information;
when the subject identity information of the access subject is legal information, acquiring a decision result generated by the continuous trust evaluation center;
and controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the decision result.
In a second aspect, an embodiment of the present application provides an access control device of a zero-trust system, where the zero-trust system includes a trusted access client, a trusted access controller, a continuous trust evaluation center, and a trusted access control gateway, the device is applied to the trusted access controller, and the device includes:
a first acquisition unit, used for acquiring an access request to a service system from an access subject, intercepted by the trusted access client, and for acquiring the subject identity information of the access subject and whether the subject identity information is legal information;
a second acquisition unit, used for acquiring a decision result generated by the continuous trust evaluation center when the subject identity information of the access subject is legal information;
and an access control unit, used for controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the decision result.
In a third aspect, embodiments of the present application further provide a zero trust system, including: the system comprises a trusted access client, a trusted access controller, a continuous trust evaluation center and a trusted access control gateway, wherein the trusted access controller executes an access control method of a zero trust system.
In a fourth aspect, embodiments of the present application further provide a trusted access controller, including: a processor; and a memory arranged to store computer executable instructions that, when executed, cause the processor to perform a method of access control for a zero trust system.
In a fifth aspect, embodiments of the present application also provide a computer-readable storage medium storing one or more programs that, when executed by a trusted access controller including a plurality of application programs, cause the trusted access controller to perform a method of access control of a zero trust system.
The at least one technical scheme adopted by the embodiments of the present application can achieve the following beneficial effects:
the trusted access controller of the embodiment obtains the access request to the service system from the access subject, intercepted by the trusted access client, and obtains the subject identity information of the access subject and whether it is legal information; when the subject identity information of the access subject is legal information, it obtains a decision result generated by the continuous trust evaluation center; and it can control the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the decision result.
In the embodiments of the present application, the access request is intercepted by the trusted access client, the trusted access control gateway is deployed at the enterprise's Internet exit boundary, and the service system is hidden from the outside behind the trusted access control gateway. Access requests to the service system can thus be intercepted, a decision result corresponding to each access request can be generated, and the access behavior towards the service system can be released or blocked based on that decision result, so that the access security of the service system is improved without changing the enterprise's original service system.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a flow chart of an access control method of a zero trust system according to an embodiment of the present application;
FIG. 2 is a schematic flow chart of an external network user accessing a 4A management platform in an embodiment of the present application;
FIG. 3 is a schematic flow chart of an intranet user accessing an application asset in an embodiment of the present application;
FIG. 4 is a schematic structural diagram of an access control device of a zero trust system according to an embodiment of the present application;
FIG. 5 is a schematic diagram of a zero trust system according to an embodiment of the present application;
FIG. 6 is a schematic structural diagram of a trusted access controller according to an embodiment of the present application.
Detailed Description
For the purposes, technical solutions and advantages of the present application, the technical solutions of the present application will be clearly and completely described below with reference to specific embodiments of the present application and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present application. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are within the scope of the present disclosure.
To facilitate an understanding of the following embodiments of the present application, the embodiments of the present application first introduce related technical terms.
Zero trust (Zero Trust Network, ZTN) is an approach to enterprise network security in which the component relationships, workflow planning and access policies are built around the zero trust concept. A zero trust system narrows the network defense boundary to a single resource or a smaller set of resources. Its core idea is that an enterprise should not automatically trust anyone or anything inside or outside its network, should not grant full trust to a system based on physical or network location, should verify any person or thing attempting to access the enterprise system before authorization, and should grant access to an application asset only when that access is required.
The zero trust system of the embodiments of the present application comprises a trusted access client, a trusted access controller, a continuous trust evaluation center and a trusted access control gateway. The trusted access client is a terminal device trusted by the zero trust system and is deployed to collect risk data of the access subject in real time (such as the user terminal's operating system version and vulnerability patch information, installed software versions, unauthorized and pirated software installation information, terminal virus information, terminal compliance baseline information, terminal vulnerability information, firewall information, antivirus software information, log information and the like); the continuous trust evaluation center is deployed to perform trust evaluation on the access subject and/or the access object (i.e. the business system) based on the risk data, and to generate a decision result based on the trust evaluation result; the trusted access controller is deployed to release or block the access of the access subject based on the decision result; and the trusted access control gateway is deployed in front of the business system it hides within the enterprise and dynamically adjusts the access rights of the access subject.
The embodiment of the application provides an access control method of a zero-trust system, which is executed by a trusted access controller, as shown in fig. 1, and provides a flow chart of the access control method of the zero-trust system in the embodiment of the application, wherein the method at least comprises the following steps S110 to S130:
step S110, the access request of the access subject intercepted by the trusted access client to the service system is obtained, and the subject identity information of the access subject and whether the subject identity information is legal information are obtained.
As described above, in the original network architecture of the enterprise, the user sends a login authentication request to the access control gateway, and the access control gateway controls the access right of the user according to the login authentication result.
The embodiments of the present application differ from the prior art in that the trusted access client intercepts the access request of the access subject and sends the intercepted access request to the trusted access controller, so that the trusted access controller can control the trusted access control gateway to dynamically authorize the access authority of the access subject based on the access request. Here the access subject includes a user, a device, an application, a system and the like, and the business system refers to an internal application asset of the enterprise, including, for example, an application, an interface, a function, data and the like.
Alternatively, the trusted access client may intercept only those access requests initiated by the access subject for access to and use of internal application assets, and need not intercept access requests initiated by the access subject for other assets. In a possible embodiment, the trusted access client first screens the access request initiated by the access subject, for example by analyzing the address information in the access request and checking whether it is in a list of addresses to be verified, to determine whether the access request targets an internal application asset; if so, the trusted access client intercepts the access request and sends it to the trusted access controller.
When the access subject logs in to the trusted access client, the trusted access client also collects the subject identity information of the access subject and sends the subject identity information to the trusted access controller, and the trusted access controller obtains whether the subject identity information is legal information or not through the authentication server.
Step S120, when the identity information of the access subject is legal information, obtaining a decision result generated by the continuous trust evaluation center.
When it determines that the subject identity information of the access subject is legal information, the embodiment further obtains a decision result generated by the continuous trust evaluation center. Optionally, once the access subject has logged in to the trusted access client, the trusted access client continuously collects risk data of the access subject and continuously sends the collected risk data to the continuous trust evaluation center; the continuous trust evaluation center performs trust evaluation based on the risk data, generates a decision result according to the trust evaluation result, and sends the generated decision result to the trusted access controller. The decision result is either a release decision (the access is allowed) or a non-release decision, and a non-release decision is either a blocking decision or a secondary authentication decision.
Step S130: controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the decision result.
When the trusted access controller receives the decision result of the continuous trust evaluation center, it controls, according to the specific decision content, whether the trusted access control gateway establishes the network connection between the trusted access client and the service system, so that the access authority of the access subject is dynamically authorized.
Based on the access control method of the zero trust system shown in FIG. 1, the trusted access controller of this embodiment obtains the access request to the service system from the access subject, intercepted by the trusted access client, and obtains the subject identity information of the access subject and whether it is legal information; when the subject identity information of the access subject is legal information, it obtains a decision result generated by the continuous trust evaluation center; and it can control the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the decision result. In this embodiment, the access request is intercepted by the trusted access client, the trusted access control gateway is deployed at the enterprise's Internet exit boundary, and the service system is hidden from the outside behind the trusted access control gateway, so that access requests to the service system can be intercepted, a decision result corresponding to each access request can be generated, and the access behavior towards the service system can be released or blocked based on that decision result; the access security of the service system is thereby improved without changing the enterprise's original service system.
In some embodiments of the present application, the step S110 of obtaining the identity information of the accessing subject and whether the identity information of the accessing subject is legal information includes:
sending a subject identity authentication request carrying the subject identity information of the access subject to an authentication server, so that the authentication server returns a subject identity authentication result and, when the subject identity authentication result is that the subject identity information is legal information, sends a trust evaluation request to the continuous trust evaluation center;
and acquiring whether the subject identity information is legal information according to the subject identity authentication result returned by the authentication server.
The authentication server in this embodiment is the original authentication server of the enterprise's original network architecture. When the trusted access client obtains the subject identity information of the access subject, it generates a subject identity authentication request based on that information and sends it to the authentication server. The authentication server verifies the validity of the subject identity information according to the received request, generates a subject identity authentication result and returns it to the trusted access controller. In addition, when the subject identity is legal, the authentication server also generates a trust evaluation request and sends it to the continuous trust evaluation center, so that the continuous trust evaluation center performs trust evaluation and dynamic decision-making based on that request.
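As an added illustration (not code from the patent), the following Python models the continuous trust evaluation center as described in step S120 and in the authentication flow above: risk samples arrive from the trusted access client from login onwards, but a decision result is only produced once the authentication server's trust evaluation request has arrived, and every later sample yields a new decision for the controller. The risk-data fields, rule thresholds and method names are assumptions made for this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Decision results named in the embodiment: a release decision and the two
# kinds of non-release decision.
RELEASE, SECONDARY_AUTH, BLOCK = "release", "secondary_auth", "block"


@dataclass(frozen=True)
class RiskData:
    """One risk-data sample pushed by the trusted access client.

    The field set is an assumption modelled on the risk data the description
    lists (patch state, installed software, virus, firewall, antivirus, vulns).
    """
    patch_age_days: int        # days since the last OS security patch
    antivirus_running: bool
    virus_detected: bool
    pirated_software: bool
    firewall_enabled: bool
    unpatched_vulns: int       # count of known, unpatched terminal vulnerabilities


@dataclass
class ContinuousTrustEvaluator:
    """Continuous trust evaluation center (assumed rules and thresholds)."""
    max_patch_age_days: int = 30
    max_unpatched_vulns: int = 5
    latest: Dict[str, RiskData] = field(default_factory=dict)  # subject -> newest sample
    active: Set[str] = field(default_factory=set)               # subjects under evaluation
    sent: List[Tuple[str, str]] = field(default_factory=list)   # decisions sent to controller

    def decide(self, data: RiskData) -> str:
        """Map one risk sample to a decision result."""
        # An actively compromised or non-compliant terminal is blocked outright.
        if data.virus_detected or data.pirated_software:
            return BLOCK
        # A degraded but not compromised posture triggers secondary authentication.
        degraded = (not data.antivirus_running
                    or not data.firewall_enabled
                    or data.patch_age_days > self.max_patch_age_days
                    or data.unpatched_vulns > self.max_unpatched_vulns)
        return SECONDARY_AUTH if degraded else RELEASE

    def report_risk(self, subject: str, data: RiskData) -> Optional[str]:
        """Client-side collection runs from login onwards, so samples may arrive
        before the authentication server has confirmed the identity; keep the
        newest sample and only emit a decision once evaluation is active."""
        self.latest[subject] = data
        return self._emit(subject) if subject in self.active else None

    def trust_evaluation_request(self, subject: str) -> Optional[str]:
        """Sent by the authentication server once the subject identity is legal.
        From here on every new sample yields a new decision for the controller."""
        self.active.add(subject)
        return self._emit(subject) if subject in self.latest else None

    def _emit(self, subject: str) -> str:
        decision = self.decide(self.latest[subject])
        self.sent.append((subject, decision))   # stands in for the message to the controller
        return decision


def demo_session() -> List[Tuple[str, str]]:
    """Constructed session: healthy terminal, then stale patches, then a virus."""
    ev = ContinuousTrustEvaluator()
    ev.report_risk("alice", RiskData(3, True, False, False, True, 0))   # identity unconfirmed: no decision
    ev.trust_evaluation_request("alice")                                # identity legal: RELEASE
    ev.report_risk("alice", RiskData(45, True, False, False, True, 0))  # patches stale: SECONDARY_AUTH
    ev.report_risk("alice", RiskData(45, True, True, False, True, 0))   # virus found: BLOCK
    return ev.sent


if __name__ == "__main__":
    for subject, decision in demo_session():
        print(subject, decision)
```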
The decision result in the embodiments of the present application is either a release decision or a non-release decision. When the decision result is a release decision, the trusted access control gateway is controlled to establish the network connection between the trusted access client and the service system; when the decision result is a non-release decision, the trusted access control gateway is controlled to disconnect the network connection between the trusted access client and the service system.
In some scenarios of the embodiments, the non-release decision is further divided into a secondary authentication decision and a blocking decision. When the decision result received by the trusted access controller is a secondary authentication decision, the trusted access controller sends a secondary authentication request carrying the secondary authentication decision to the trusted access client and obtains the secondary authentication result corresponding to that request; when the secondary authentication result is that the secondary authentication passes, the trusted access control gateway is controlled to establish the network connection between the trusted access client and the service system.
For example, the trusted access controller sends a secondary authentication request carrying the secondary authentication decision to the trusted access client; the trusted access client obtains the secondary authentication information corresponding to the request and sends it to the trusted access controller; the trusted access controller forwards the secondary authentication information to the authentication server; and the authentication server generates a secondary authentication result based on the secondary authentication information and returns it to the trusted access controller, which thereby obtains the secondary authentication result.
When the secondary authentication result is that the secondary authentication fails, or when the decision result received by the trusted access controller is a blocking decision, the trusted access control gateway is controlled to disconnect the network connection between the trusted access client and the service system.
In some embodiments of the present application, the method in fig. 1 further comprises:
acquiring service system information, where the service system information comprises the address information of the service system; the service system comprises a 4A management platform and the application assets that are accessed by single sign-on through the 4A management platform (the 4A management platform itself being a special internal application asset), and the corresponding address information of the service system is the address information of the 4A management platform and the address information of the corresponding application assets.
Correspondingly, step S130 of controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the decision result specifically includes:
controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the service system information and the decision result.
For example, the trusted access controller sends the service system information and the decision result to the trusted access control gateway. When the decision result is a release decision, the trusted access control gateway establishes the network connection between the trusted access client and the service system according to the address information of the service system, so as to realize dynamic access of the user to the service system. When the decision result is a blocking decision, the trusted access control gateway checks the network connection state between the service system and the trusted access client: if the state is connected, it disconnects the network connection between the service system and the trusted access client, and if the state is already disconnected, it simply keeps that connection disconnected.
In some embodiments of the present application, after the trusted access client establishes a network connection with the service system, the method of fig. 1 further includes:
detecting whether a new decision result sent by the continuous trust evaluation center is received or not;
and when a new decision result sent by the continuous trust evaluation center is received, controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the new decision result.
The continuous trust evaluation center of this embodiment continuously performs trust evaluation and dynamic decision-making, and sends each new dynamic decision to the trusted access controller as soon as it is generated, so that the trusted access controller can control the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the new dynamic decision; the access subject is thus dynamically authorized throughout the whole access process.
As described above, when the service system in the embodiments of the present application includes the application assets and the 4A management platform used for single sign-on, step S130 of controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the decision result specifically includes:
controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the 4A management platform according to the decision result;
when the trusted access control gateway has established the network connection between the trusted access client and the 4A management platform, obtaining the decision result corresponding to an asset access request, where the asset access request is an access request to a first application asset that the trusted access client initiates on the 4A management platform;
and controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the first application asset according to the decision result corresponding to the asset access request.
That is, when the access subject accesses the first application asset, the embodiment first controls, through the zero trust system, the access subject's login to the 4A management platform. When the access subject has successfully logged in to the 4A management platform, the 4A management platform presents the list of application assets within the access subject's authority, and if the access subject initiates an access request for the first application asset in that list on the 4A management platform, the decision result corresponding to that access request is obtained again, so that the trusted access controller controls the trusted access control gateway to establish the network connection between the trusted access client and the first application asset based on the decision result corresponding to the access request for the first application asset.
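The following Python is an added example, not the patent's own code, modelling how the trusted access controller applies release, blocking and secondary authentication decisions to the gateway, as described in the decision handling above and in the 4A-platform-then-asset flow just described: a repeated blocking decision against an already disconnected client just keeps the disconnected state, a new decision arriving mid-session is applied to the existing connection, and an asset request is only acted on while the client holds a 4A session. The gateway and controller classes, the callback shape used for the client and the authentication server, and the addresses are assumptions.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Set, Tuple

RELEASE, SECONDARY_AUTH, BLOCK = "release", "secondary_auth", "block"

# Assumed addresses of the 4A management platform and of one application asset
# reachable through it (the page gives no concrete addresses).
PLATFORM_ADDR = "4a.internal.example"
CRM_ADDR = "crm.internal.example"


@dataclass
class TrustedAccessGateway:
    """Trusted access control gateway: holds the (client, service address) links."""
    connections: Set[Tuple[str, str]] = field(default_factory=set)

    def establish(self, client: str, service_addr: str) -> None:
        self.connections.add((client, service_addr))

    def disconnect(self, client: str, service_addr: str) -> None:
        # A blocking decision disconnects an existing connection and otherwise
        # simply keeps the disconnected state (discard is a no-op when absent).
        self.connections.discard((client, service_addr))

    def is_connected(self, client: str, service_addr: str) -> bool:
        return (client, service_addr) in self.connections


@dataclass
class TrustedAccessController:
    """Applies decision results to the gateway; the client and authentication
    server round trips are modelled as callbacks (assumption for this example)."""
    gateway: TrustedAccessGateway
    collect_secondary_info: Callable[[str], str]        # trusted access client
    auth_server_verify: Callable[[str, str], bool]      # authentication server
    log: List[Tuple[str, str, str, bool]] = field(default_factory=list)

    def apply_decision(self, client: str, service_addr: str, decision: str) -> bool:
        """Handle one decision result, whether the initial one or a new one sent
        later by the continuous trust evaluation center. Returns whether the
        client is connected to the service afterwards."""
        if decision == RELEASE:
            self.gateway.establish(client, service_addr)
        elif decision == SECONDARY_AUTH:
            # Secondary authentication request -> client -> controller -> auth server.
            info = self.collect_secondary_info(client)
            if self.auth_server_verify(client, info):
                self.gateway.establish(client, service_addr)
            else:
                self.gateway.disconnect(client, service_addr)
        elif decision == BLOCK:
            self.gateway.disconnect(client, service_addr)
        else:
            # Fail closed on a decision the controller does not understand.
            self.gateway.disconnect(client, service_addr)
            raise ValueError(f"unknown decision result: {decision!r}")
        connected = self.gateway.is_connected(client, service_addr)
        self.log.append((client, service_addr, decision, connected))
        return connected

    def request_asset(self, client: str, asset_addr: str, decision: str) -> bool:
        """Two-stage flow: an asset access request initiated on the 4A platform
        is only acted on while the client holds a connection to the platform."""
        if not self.gateway.is_connected(client, PLATFORM_ADDR):
            self.log.append((client, asset_addr, "no-4a-session", False))
            return False
        return self.apply_decision(client, asset_addr, decision)


def demo_session() -> List[Tuple[str, str, str, bool]]:
    """Constructed walk-through of the flow for one client."""
    ctrl = TrustedAccessController(
        TrustedAccessGateway(),
        collect_secondary_info=lambda client: "otp-123456",          # constructed second factor
        auth_server_verify=lambda client, info: info == "otp-123456",
    )
    ctrl.request_asset("alice", CRM_ADDR, RELEASE)         # rejected: no 4A session yet
    ctrl.apply_decision("alice", PLATFORM_ADDR, RELEASE)   # 4A login released
    ctrl.request_asset("alice", CRM_ADDR, SECONDARY_AUTH)  # asset needs a second factor: passes
    ctrl.apply_decision("alice", CRM_ADDR, BLOCK)          # new decision later: asset disconnected
    ctrl.apply_decision("alice", CRM_ADDR, BLOCK)          # repeated block: state simply kept
    return ctrl.log


if __name__ == "__main__":
    for entry in demo_session():
        print(entry)
```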
The access control method based on the zero trust system according to the embodiment of the present application is described in detail below with reference to the access control process diagrams shown in fig. 2 and fig. 3.
In some scenarios, enterprise personnel who need to do office work, operations and maintenance, or development and testing access a business system inside the enterprise, for example a 4A management platform, from the internet through a browser, a client or other means.
As shown in fig. 2, taking an external-network user logging in to the 4A management platform as an example, the external-network user requests to log in to the trusted access client through the user terminal, for example by password plus SMS/SIM authentication or by fingerprint authentication. The trusted access client sends a login request to the trusted access controller. During the login request, risk data about the external-network user and the user terminal is collected automatically by the trusted access client and by third-party software deployed on the trusted access client, and the risk data is sent to the continuous trust evaluation center.
The trusted access controller generates a subject identity authentication request from the user identity and the user terminal identity in the login request and sends it to the authentication server. The authentication server performs identity authentication and authority authentication on the user and the user terminal according to the subject identity authentication request, generates a subject identity authentication result and returns it to the trusted access controller. In addition, when the subject identity authentication result is that the subject identity is legal, the authentication server sends a trust evaluation request to the continuous trust evaluation center.
When the continuous trust evaluation center receives the trust evaluation request, it performs trust evaluation on the access subject according to the access subject risk data sent by the trusted access client, and generates a dynamic decision according to the trust evaluation result. Optionally, the continuous trust evaluation center may further obtain security attribute information of the service system, evaluate the security level of the service system on that basis, generate a final evaluation result from the trust evaluation result of the access subject and the security level evaluation result of the service system, generate the dynamic decision from the final evaluation result, and send the dynamic decision to the trusted access controller.
The dynamic decision is one of a release decision, a blocking decision and a secondary authentication decision. The release decision is generated when the identity of the access subject is trusted, the blocking decision when it is not trusted, and the secondary authentication decision when it is suspect. The secondary authentication policy is either a single-factor authentication policy, which authenticates by one authentication mode, or a multi-factor authentication policy, which authenticates by two or more authentication modes; the authentication modes include facial recognition, dynamic passwords and the like.
The trusted access controller controls the trusted access control gateway according to the received subject identity authentication result and decision result. For example, when the subject identity authentication result is that the subject identity information is illegal, an authentication failure message is sent to the trusted access client, which notifies the user terminal of it. When the subject identity authentication result is that the subject identity information is legal, the controller on the one hand sends an authentication success message and the dynamic decision to the trusted access client, and on the other hand generates a control instruction from the dynamic decision and sends it to the trusted access control gateway. The trusted access control gateway then establishes, according to the control instruction, the network connection between the trusted access client and the trusted access control gateway and the network connection between the trusted access control gateway and the 4A management platform, which together realize the network connection between the trusted access client and the 4A management platform; the user terminal logs in to the 4A management platform over that connection.
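The controller-side logic of the fig. 2 login flow, which claims 2 to 4 restate, as an added example; this is not code from the patent or from any product implementing it. The authentication server is a constructed user-to-terminal table; the risk fields, point weights and the trusted / suspect / untrusted thresholds are assumptions of this example, since the patent names the three outcomes but gives no numeric evaluation model. The secondary authentication policy is returned as the list of authentication modes the client must pass, single-factor or multi-factor.

```python
"""Controller-side handling of the fig. 2 login flow (added example, not the patent's code)."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    RELEASE = "release"
    BLOCK = "block"
    SECONDARY_AUTH = "secondary_auth"


# Assumed score thresholds; the patent names trusted / suspect / untrusted but gives no numbers.
TRUSTED_MIN = 80        # at or above: identity trusted -> release
SINGLE_FACTOR_MIN = 65  # suspect but close to trusted: one extra authentication mode is enough
SUSPECT_MIN = 50        # at or above: identity suspect -> secondary authentication; below: block


@dataclass
class RiskData:
    """Risk data the trusted access client collects about user and terminal (constructed fields)."""
    failed_logins_24h: int
    disk_encrypted: bool
    known_terminal: bool
    unusual_location: bool


def evaluate_trust(risk: RiskData) -> int:
    """Continuous trust evaluation center: reduce risk data to a trust score in 0..100.
    The point weights are assumptions of this example, not the patent's evaluation model."""
    score = 100
    score -= 10 * min(risk.failed_logins_24h, 5)
    score -= 0 if risk.disk_encrypted else 20
    score -= 0 if risk.known_terminal else 30
    score -= 20 if risk.unusual_location else 0
    return max(score, 0)


def dynamic_decision(score: int) -> tuple[Decision, list[str]]:
    """Map the trust score to release / secondary authentication / block. For the secondary
    authentication decision the returned list is the policy: one mode (single-factor) or
    two modes (multi-factor), using the modes the patent names as examples."""
    if score >= TRUSTED_MIN:
        return Decision.RELEASE, []
    if score >= SINGLE_FACTOR_MIN:
        return Decision.SECONDARY_AUTH, ["dynamic_password"]
    if score >= SUSPECT_MIN:
        return Decision.SECONDARY_AUTH, ["facial_recognition", "dynamic_password"]
    return Decision.BLOCK, []


class Gateway:
    """Trusted access control gateway modelled as a table of (client, target) connections."""

    def __init__(self) -> None:
        self.connections: set[tuple[str, str]] = set()

    def connect(self, client: str, target: str) -> None:
        self.connections.add((client, target))

    def disconnect(self, client: str, target: str) -> None:
        self.connections.discard((client, target))

    def is_connected(self, client: str, target: str) -> bool:
        return (client, target) in self.connections


# Constructed directory for the authentication server: user -> bound terminal identity.
USERS = {"alice": "T-1"}


def authenticate_subject(user: str, terminal: str) -> bool:
    """Authentication server: the subject identity is legal only if the user exists and the
    login comes from the terminal bound to it (constructed rule)."""
    return USERS.get(user) == terminal


def handle_login(gateway: Gateway, user: str, terminal: str, risk: RiskData,
                 second_factor: dict[str, bool] | None = None,
                 target: str = "4A") -> tuple[str, Decision | None, list[str]]:
    """Trusted access controller. Returns (auth message, final decision, secondary-auth policy)
    and drives the gateway. `second_factor` is the result the client returns for a secondary
    authentication request, keyed by authentication mode; None means no result was returned."""
    if not authenticate_subject(user, terminal):
        gateway.disconnect(user, target)          # illegal identity: failure message, no decision
        return "auth_failed", None, []
    decision, policy = dynamic_decision(evaluate_trust(risk))
    if decision is Decision.SECONDARY_AUTH:
        # Non-release decision: the connection stays down until every required mode passes.
        passed = second_factor is not None and all(second_factor.get(m, False) for m in policy)
        decision = Decision.RELEASE if passed else Decision.BLOCK
    if decision is Decision.RELEASE:
        gateway.connect(user, target)             # control instruction: connect client <-> 4A
    else:
        gateway.disconnect(user, target)
    return "auth_ok", decision, policy
```

The point worth checking in any implementation of this scheme is its fail-closed shape: the gateway connection is created only on a final release decision, and a secondary authentication decision without a passing result for every required mode ends as a block, so a client that simply ignores the secondary authentication request never obtains a connection.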
It can be seen that the access control process shown in fig. 2 is particularly suited to remote-office requirements, for example enabling an enterprise's internal office staff, salespeople, partners, outsourcers, agents, third-party personnel and so on to access securely, and under dynamic access control, systems such as enterprise office automation (Office Automation, OA), mail, billing, customer relationship management (Customer Relationship Management, CRM), work orders and maintenance. On the basis of meeting the user's daily access requirements, the embodiment can reasonably address the problems of VPN access and effectively ensure the security and stability of the entire access environment.
In other scenarios, in order to cope with malicious or unintentional unauthorized access to applications and data by internal personnel (including third parties, outsourcers and employees) and with lateral movement of external threats inside the network, an enterprise manages terminal access to the intranet, dynamically authorizes access behavior through trusted access control gateways deployed between the application assets and the users, and applies security precautions such as desensitization, encryption and watermarking to sensitive data.
Taking access to a first application asset by an intranet user through the 4A management platform as shown in fig. 3 as an example: the intranet user logs in to the 4A management platform through the user terminal, and the 4A management platform presents the list of application assets within the intranet user's authority. When the intranet user initiates an asset access request for the first application asset, the 4A management platform forwards the asset access request to the continuous trust evaluation center through the trusted access controller; alternatively, the 4A management platform may send the asset access request directly to the continuous trust evaluation center. When the continuous trust evaluation center receives the asset access request, it performs trust evaluation and dynamic decision according to the currently collected risk data and sends the generated decision result to the trusted access controller.
The continuous trust evaluation center may evaluate both the access subject (intranet user information, user terminal information and the like) and the first application asset, filtering through the relevant risk evaluation models and algorithms to produce the trust evaluation result and the policy result corresponding to it. It generates a release decision when the identity of the access subject is trusted and the security level of the first application asset is low; a blocking decision when the identity of the access subject is not trusted; and a secondary authentication decision when the identity of the access subject is suspect or the security level of the first application asset is high, the secondary authentication policy again being either single-factor or multi-factor.
The trusted access controller performs the corresponding control according to the received decision result. For example, when a release decision is received, the trusted access controller sends the address information of the first application asset to the trusted access control gateway, so that the gateway establishes the network connection between itself and the first application asset on the basis of that address information, and establishes the network connection between itself and the trusted access client, thereby realizing the network connection between the trusted access client and the first application asset; the user terminal accesses the first application asset over that connection.
While the user terminal is accessing the first application asset, the continuous trust evaluation center monitors the operation behavior of the user terminal in real time, performs real-time trust evaluation on that behavior (for example sensitive instructions, or the compliance configuration of the asset), generates a new decision result from the evaluation result and sends it to the trusted access controller, which performs the corresponding dynamic control on the basis of the new decision result.
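The two-stage access of the fig. 3 flow (platform login, then a fresh decision for each application asset) together with the real-time re-evaluation of the paragraph above, as an added example; claims 6 and 7 restate the same steps. This is not the patent's code: the asset inventory, the numeric security levels, the sensitive-instruction list and the Identity enum standing in for the evaluation center's verdict on the access subject are all assumptions of this example.

```python
"""Two-stage access via the 4A management platform with continuous re-evaluation
(fig. 3 flow; restated in claims 6 and 7). Added example, not the patent's code."""
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    RELEASE = "release"
    BLOCK = "block"
    SECONDARY_AUTH = "secondary_auth"


class Identity(Enum):
    """Outcome of the evaluation center's trust evaluation of the access subject (assumed enum)."""
    TRUSTED = "trusted"
    SUSPECT = "suspect"
    UNTRUSTED = "untrusted"


# Constructed application-asset inventory: address information plus an assumed security
# level 1..3 (the patent only distinguishes a "lower" and a "high" security level).
ASSETS = {
    "wiki": {"addr": "10.0.1.10:443", "level": 1},
    "prod-db": {"addr": "10.0.2.20:3306", "level": 3},
}
HIGH_LEVEL = 3

# Constructed list of sensitive instructions watched during real-time behavior evaluation.
SENSITIVE_INSTRUCTIONS = ("DROP TABLE", "rm -rf", "chmod 777")


def asset_decision(identity: Identity, level: int) -> Decision:
    """Decision rule for an asset access request: release only for a trusted identity and a
    low-level asset; block for an untrusted identity; secondary authentication when the
    identity is suspect or the asset's security level is high."""
    if identity is Identity.UNTRUSTED:
        return Decision.BLOCK
    if identity is Identity.SUSPECT or level >= HIGH_LEVEL:
        return Decision.SECONDARY_AUTH
    return Decision.RELEASE


def behavior_decision(operation: str) -> Decision:
    """Real-time evaluation of one operation on the connected asset."""
    if any(s in operation for s in SENSITIVE_INSTRUCTIONS):
        return Decision.BLOCK
    return Decision.RELEASE


@dataclass
class Controller:
    """Trusted access controller; the two sets stand for the gateway's connection table."""
    platform_sessions: set[str] = field(default_factory=set)            # clients on the 4A platform
    asset_sessions: set[tuple[str, str]] = field(default_factory=set)   # (client, asset address)
    events: list[str] = field(default_factory=list)

    def platform_login(self, client: str, identity: Identity) -> Decision:
        """Stage 1: connection client <-> 4A platform. Secondary authentication at this stage
        works as in the fig. 2 flow and is left out here: trusted releases, anything else blocks."""
        decision = Decision.RELEASE if identity is Identity.TRUSTED else Decision.BLOCK
        if decision is Decision.RELEASE:
            self.platform_sessions.add(client)
        else:
            self.platform_sessions.discard(client)
        return decision

    def asset_request(self, client: str, asset: str, identity: Identity,
                      secondary_passed: bool = False) -> Decision:
        """Stage 2: a request for a first application asset initiated on the 4A platform is
        decided anew; on release the gateway is given the asset's address information."""
        if client not in self.platform_sessions or asset not in ASSETS:
            return Decision.BLOCK          # nothing to forward without a platform session
        decision = asset_decision(identity, ASSETS[asset]["level"])
        if decision is Decision.SECONDARY_AUTH:
            decision = Decision.RELEASE if secondary_passed else Decision.BLOCK
        key = (client, ASSETS[asset]["addr"])
        if decision is Decision.RELEASE:
            self.asset_sessions.add(key)
        else:
            self.asset_sessions.discard(key)
        return decision

    def operation(self, client: str, asset: str, op: str) -> Decision:
        """Continuous evaluation while the asset session is up: a new blocking decision
        disconnects that session immediately and leaves the client's other sessions alone."""
        key = (client, ASSETS[asset]["addr"])
        if key not in self.asset_sessions:
            return Decision.BLOCK
        decision = behavior_decision(op)
        if decision is Decision.BLOCK:
            self.asset_sessions.discard(key)
            self.events.append(f"{client} disconnected from {asset}: sensitive instruction {op!r}")
        return decision

    def connected(self, client: str, asset: str) -> bool:
        return (client, ASSETS[asset]["addr"]) in self.asset_sessions
```

Two properties are worth checking in any real implementation of this scheme: an asset request is refused unless a platform session already exists, and a blocking decision generated during the session tears down only the affected asset connection, not the client's other sessions.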
As shown in fig. 4, the embodiment of the present application further provides an access control device 400 for a zero trust system, where the zero trust system includes a trusted access client, a trusted access controller, a continuous trust evaluation center and a trusted access control gateway, the device 400 is applied to the trusted access controller, and the device 400 includes a first obtaining unit 410, a second obtaining unit 420 and an access control unit 430, where:
the first obtaining unit 410 is configured to obtain an access request, intercepted by the trusted access client, of an access subject to a service system, and to obtain the subject identity information of the access subject and whether the subject identity information is legal information;
the second obtaining unit 420 is configured to obtain a decision result generated by the continuous trust evaluation center when the subject identity information of the access subject is legal information;
and the access control unit 430 is configured to control the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the decision result.
In some embodiments of the present application, the first obtaining unit 410 is configured to send a subject identity authentication request carrying the subject identity information of the access subject to an authentication server, so that the authentication server returns a subject identity authentication result and, when that result is that the subject identity information is legal information, sends a trust evaluation request to the continuous trust evaluation center; and to obtain whether the subject identity information is legal information from the subject identity authentication result returned by the authentication server.
In some embodiments of the present application, the decision result is either a release decision or a non-release decision, and the access control unit 430 is configured to control the trusted access control gateway to establish the network connection between the trusted access client and the service system when the decision result is a release decision, and to control the trusted access control gateway to disconnect the network connection between the trusted access client and the service system when the decision result is a non-release decision.
In some embodiments of the present application, the non-release decision is either a secondary authentication decision or a blocking decision, and the access control unit 430 is specifically configured to, if the decision result is a secondary authentication decision, send a secondary authentication request carrying the secondary authentication decision to the trusted access client, obtain the secondary authentication result corresponding to that request, and control the trusted access control gateway to establish the network connection between the trusted access client and the service system when the secondary authentication result is that the secondary authentication passed; otherwise, the trusted access control gateway is controlled to disconnect the network connection between the trusted access client and the service system.
In some embodiments of the present application, the device 400 further includes a third obtaining unit;
the third obtaining unit is configured to obtain related information of the service system, where the related information of the service system includes address information;
and the access control unit 430 is specifically configured to control the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the related information of the service system and the decision result.
In some embodiments of the present application, the device 400 further includes a detection unit;
the detection unit is configured to detect whether a new decision result sent by the continuous trust evaluation center has been received;
and the access control unit 430 is further configured to, when a new decision result sent by the continuous trust evaluation center is received, control the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the new decision result.
In some embodiments of the present application, the service system includes a 4A management platform and an application asset that is accessed by single sign-on through the 4A management platform, and when the service system includes the application asset, the access control unit 430 is further configured to control the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the 4A management platform according to the decision result; when the trusted access control gateway has established the network connection between the trusted access client and the 4A management platform, to obtain a decision result corresponding to an asset access request, where the asset access request is an access request to a first application asset that the trusted access client initiates on the 4A management platform; and to control the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the first application asset according to the decision result corresponding to the asset access request.
It can be understood that the above access control device for the zero trust system can implement each step of the access control method for the zero trust system provided in the foregoing embodiment, and the relevant explanation of the access control method applies equally to the access control device, so it is not repeated here.
As shown in fig. 5, the embodiment of the present application further provides a zero trust system 500, which includes: a trusted access client 510, a trusted access controller 520, a continuous trust evaluation center 530 and a trusted access control gateway 540, where the trusted access controller performs the access control method of the zero trust system of the related embodiments described above;
the trusted access client 510 intercepts an access request of an access subject to a service system and transmits the intercepted access request to the trusted access controller 520; the trusted access client 510 also collects information about the access subject, including for example the subject identity information of the access subject and the risk data of the access subject;
the continuous trust evaluation center 530 performs continuous trust evaluation and dynamic decision according to the risk data of the access subject and/or the security attribute information of the service system, and generates decision results;
and the trusted access control gateway 540 is used to control the network connection between the trusted access client and the service system.
Fig. 6 is a schematic structural diagram of a trusted access controller according to an embodiment of the present application. Referring to fig. 6, at the hardware level the trusted access controller includes a processor and a memory, and optionally an internal bus and a network interface. The memory may include internal memory, such as random-access memory (RAM), and may further include non-volatile memory, such as at least one disk memory. Of course, the trusted access controller may also include hardware required for other services.
The processor, the network interface and the memory may be interconnected by an internal bus, which may be an ISA (Industry Standard Architecture) bus, a PCI (Peripheral Component Interconnect) bus or an EISA (Extended Industry Standard Architecture) bus, among others. The bus may be classified as an address bus, a data bus, a control bus and so on. For ease of illustration only one bidirectional arrow is shown in fig. 6, but this does not mean that there is only one bus or one type of bus.
The memory is used for storing a program. Specifically, the program may include program code, and the program code includes computer operating instructions. The memory may include internal memory and non-volatile storage and provides instructions and data to the processor.
The processor reads the corresponding computer program from the non-volatile memory into the internal memory and runs it, forming the access control device of the zero trust system at the logical level. The processor executes the program stored in the memory.
The method performed by the access control device of the zero trust system disclosed in the embodiment shown in fig. 1 of the present application may be applied to a processor or implemented by a processor. The processor may be an integrated circuit chip with signal processing capability. In implementation, the steps of the above method may be completed by integrated logic circuits of hardware in the processor or by instructions in the form of software. The processor may be a general-purpose processor, including a central processing unit (Central Processing Unit, CPU), a network processor (Network Processor, NP) and the like; or a digital signal processor (Digital Signal Processor, DSP), an application-specific integrated circuit (Application Specific Integrated Circuit, ASIC), a field-programmable gate array (Field-Programmable Gate Array, FPGA) or another programmable logic device, discrete gate or transistor logic device, or discrete hardware component. It may implement or perform the methods, steps and logic blocks disclosed in the embodiments of the present application. A general-purpose processor may be a microprocessor, or the processor may be any conventional processor. The steps of the method disclosed in connection with the embodiments of the present application may be embodied directly as being performed by a hardware decoding processor, or performed by a combination of hardware and software modules in a decoding processor. The software module may be located in a random-access memory, flash memory, read-only memory, programmable read-only memory or electrically erasable programmable memory, a register, or another storage medium well known in the art. The storage medium is located in the memory; the processor reads the information in the memory and completes the steps of the access control method of the zero trust system in combination with its hardware.
The trusted access controller may also execute the method executed by the access control device of the zero trust system in fig. 1, and implement the functions of the access control device of the zero trust system in the embodiment shown in fig. 1, which are not described herein.
Embodiments of the present application also provide a computer-readable storage medium storing one or more programs, the one or more programs including instructions, which when executed by a trusted access controller including a plurality of application programs, enable the trusted access controller to perform a method performed by an access control apparatus of a zero trust system in the embodiment shown in fig. 1.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present invention may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random-access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media include permanent and non-permanent, removable and non-removable media, and may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random-access memory (SRAM), dynamic random-access memory (DRAM), other types of random-access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transitory media), such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article or apparatus that comprises the element.
It will be appreciated by those skilled in the art that embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The foregoing is merely exemplary of the present application and is not intended to limit the present application. Various modifications and changes may be made to the present application by those skilled in the art. Any modifications, equivalent substitutions, improvements, etc. which are within the spirit and principles of the present application are intended to be included within the scope of the claims of the present application.
Claims (10)
1. An access control method for a zero trust system, the zero trust system comprising a trusted access client, a trusted access controller, a continuous trust evaluation center, and a trusted access control gateway, the method performed by the trusted access controller, the method comprising:
obtaining an access request, intercepted by the trusted access client, of an access subject to a service system, and obtaining subject identity information of the access subject and whether the subject identity information is legal information;
when the subject identity information of the access subject is legal information, obtaining a decision result generated by the continuous trust evaluation center;
and controlling the trusted access control gateway to establish or disconnect a network connection between the trusted access client and the service system according to the decision result.
2. The method of claim 1, wherein the obtaining the principal identity information of the accessing principal and whether the principal identity information is legal information comprises:
sending a subject identity authentication request carrying the subject identity information of the access subject to an authentication server, so that the authentication server returns a subject identity authentication result and sends a trust evaluation request to the continuous trust evaluation center when the subject identity authentication result is that the subject identity information is legal information;
and obtaining whether the subject identity information is legal information according to the subject identity authentication result returned by the authentication server.
3. The method of claim 1, wherein the decision result includes a release decision and a non-release decision, and the controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the decision result includes:
when the decision result is a release decision, controlling the trusted access control gateway to establish the network connection between the trusted access client and the service system;
and when the decision result is a non-release decision, controlling the trusted access control gateway to disconnect the network connection between the trusted access client and the service system.
4. The method of claim 3, wherein the non-release decision includes a secondary authentication decision and a blocking decision, and the controlling, when the decision result is a non-release decision, the trusted access control gateway to disconnect the network connection between the trusted access client and the service system includes:
if the decision result is a secondary authentication decision, sending a secondary authentication request carrying the secondary authentication decision to the trusted access client, obtaining a secondary authentication result corresponding to the secondary authentication request, and controlling the trusted access control gateway to establish the network connection between the trusted access client and the service system when the secondary authentication result is that the secondary authentication passed;
otherwise, controlling the trusted access control gateway to disconnect the network connection between the trusted access client and the service system.
5. The method of any one of claims 1-4, wherein the method further comprises:
acquiring relevant information of the service system, wherein the relevant information of the service system comprises address information;
the step of controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the decision result comprises the following steps:
and controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the related information of the service system and the decision result.
6. The method of any one of claims 1-4, wherein after the trusted access client establishes a network connection with the service system, the method further comprises:
detecting whether a new decision result sent by the continuous trust evaluation center is received or not;
and when a new decision result sent by the continuous trust evaluation center is received, controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the new decision result.
7. The method of any one of claims 1-4, wherein the service system includes a 4A management platform and an application asset accessed by single sign-on through the 4A management platform, and when the service system includes the application asset, the controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the decision result includes:
controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the 4A management platform according to the decision result;
when the trusted access control gateway has established the network connection between the trusted access client and the 4A management platform, obtaining a decision result corresponding to an asset access request, where the asset access request is an access request to a first application asset that the trusted access client initiates on the 4A management platform;
and controlling the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the first application asset according to the decision result corresponding to the asset access request.
8. An access control apparatus for a zero trust system, the zero trust system comprising a trusted access client, a trusted access controller, a continuous trust evaluation center and a trusted access control gateway, the apparatus being applied to the trusted access controller and comprising:
a first acquisition unit, configured to acquire an access request from an access subject to a service system intercepted by the trusted access client, and to acquire the subject identity information of the access subject and whether that subject identity information is legal;
a second acquisition unit, configured to acquire a decision result generated by the continuous trust evaluation center when the subject identity information of the access subject is legal; and
an access control unit, configured to control the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the decision result.
9. The apparatus of claim 8, further comprising a detection unit;
the detection unit being configured to detect whether a new decision result sent by the continuous trust evaluation center has been received; and
the access control unit being further configured, when a new decision result sent by the continuous trust evaluation center is received, to control the trusted access control gateway to establish or disconnect the network connection between the trusted access client and the service system according to the new decision result.
10. A zero trust system, comprising: a trusted access client, a trusted access controller, a continuous trust evaluation center and a trusted access control gateway, wherein the trusted access controller performs the access control method of the zero trust system according to any one of claims 1-7.
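The controller-side flow of claims 5-7 (and of the apparatus of claims 8-9), as an added Python simulation that is not part of the patent or of any product implementing it: the subject identity check, the decision fetched from the continuous trust evaluation center only when the identity is legal, enforcement at the gateway, re-enforcement when the center pushes a new decision result, and the two-stage 4A-platform-then-asset path. The component classes, the numeric trust-score threshold rule, the names `4A`, `erp`, `alice` and `mallory`, and all scores are assumptions constructed for illustration; the patent does not specify how the center computes its decision.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Set, Tuple


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"


PLATFORM_4A = "4A"  # assumed target name for the 4A management platform


@dataclass(frozen=True)
class AccessRequest:
    subject: str          # identity of the access subject (user or device)
    target: str           # service system, or an application asset behind 4A
    via_4a: bool = False  # True when initiated on the 4A platform (claim 7)


class IdentityStore:
    """Assumed stand-in for the identity source the controller consults."""
    def __init__(self, legal_subjects):
        self._legal = set(legal_subjects)

    def is_legal(self, subject: str) -> bool:
        return subject in self._legal


class TrustEvaluationCenter:
    """Continuous trust evaluation center. A session is (subject, target); the
    decision is ALLOW iff the subject's trust score meets the target's required
    score. The scoring rule is an assumption for illustration only."""
    def __init__(self, required: Dict[str, int]):
        self._required = required
        self._score: Dict[str, int] = {}
        self._sessions: Set[Tuple[str, str]] = set()
        self._listeners: List[Callable[[str, str, Decision], None]] = []

    def subscribe(self, callback: Callable[[str, str, Decision], None]) -> None:
        self._listeners.append(callback)

    def decide(self, subject: str, target: str) -> Decision:
        if self._score.get(subject, 0) >= self._required.get(target, 1):
            return Decision.ALLOW
        return Decision.DENY

    def track(self, subject: str, target: str) -> None:
        self._sessions.add((subject, target))

    def update_score(self, subject: str, score: int) -> None:
        """Re-evaluate every tracked session of this subject and push a new
        decision result to subscribers (the 'new decision result' of claim 6)."""
        self._score[subject] = score
        for s, t in sorted(self._sessions):
            if s == subject:
                for cb in self._listeners:
                    cb(s, t, self.decide(s, t))


class TrustedAccessGateway:
    """Enforcement point holding the set of open network connections."""
    def __init__(self):
        self.connections: Set[Tuple[str, str]] = set()

    def establish(self, subject: str, target: str) -> None:
        self.connections.add((subject, target))

    def disconnect(self, subject: str, target: str) -> None:
        self.connections.discard((subject, target))

    def is_connected(self, subject: str, target: str) -> bool:
        return (subject, target) in self.connections


class TrustedAccessController:
    def __init__(self, identity, tec, gateway):
        self.identity, self.tec, self.gateway = identity, tec, gateway
        self.tec.subscribe(self._on_new_decision)

    def handle_request(self, req: AccessRequest) -> Decision:
        # Identity must be legal before any decision result is requested.
        if not self.identity.is_legal(req.subject):
            return Decision.DENY
        # Claim 7: an asset request made on the 4A platform is only evaluated
        # while the subject's connection to the 4A platform is established.
        if req.via_4a and not self.gateway.is_connected(req.subject, PLATFORM_4A):
            return Decision.DENY
        decision = self.tec.decide(req.subject, req.target)
        self.tec.track(req.subject, req.target)   # keep it under evaluation
        self._enforce(req.subject, req.target, decision)
        return decision

    def _on_new_decision(self, subject: str, target: str, decision: Decision) -> None:
        # Claim 6: a new decision result re-drives the gateway for that session.
        self._enforce(subject, target, decision)

    def _enforce(self, subject: str, target: str, decision: Decision) -> None:
        if decision is Decision.ALLOW:
            self.gateway.establish(subject, target)
        else:
            self.gateway.disconnect(subject, target)


def demo() -> dict:
    """Walk through claims 5-7 with constructed data; returns the outcome of
    each stage so the behaviour can be checked."""
    identity = IdentityStore({"alice"})
    tec = TrustEvaluationCenter({PLATFORM_4A: 50, "erp": 70})  # assumed thresholds
    gw = TrustedAccessGateway()
    tac = TrustedAccessController(identity, tec, gw)
    tec.update_score("alice", 80)  # constructed initial trust score
    stages = {}
    stages["unknown_subject"] = tac.handle_request(AccessRequest("mallory", PLATFORM_4A))
    stages["asset_before_4a"] = tac.handle_request(AccessRequest("alice", "erp", via_4a=True))
    stages["4a_login"] = tac.handle_request(AccessRequest("alice", PLATFORM_4A))
    stages["asset_via_4a"] = tac.handle_request(AccessRequest("alice", "erp", via_4a=True))
    stages["after_allow"] = set(gw.connections)
    tec.update_score("alice", 60)  # trust drops: still enough for 4A, not for erp
    stages["after_drop"] = set(gw.connections)
    return stages


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Two behaviours worth checking in a real deployment follow from claims 6 and 7 respectively: a trust drop pushed by the evaluation center must tear down sessions already open at the gateway, not merely refuse the next request (the `after_drop` stage, where only the erp session is cut), and an asset request arriving via the 4A platform is only evaluated while the subject's 4A connection is still up (the `asset_before_4a` stage, denied without consulting the center).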
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310293396.2A CN116319024B (en) | 2023-03-23 | 2023-03-23 | Access control method and device of zero trust system and zero trust system |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202310293396.2A CN116319024B (en) | 2023-03-23 | 2023-03-23 | Access control method and device of zero trust system and zero trust system |
Publications (2)
Publication Number | Publication Date |
---|---|
CN116319024A true CN116319024A (en) | 2023-06-23 |
CN116319024B CN116319024B (en) | 2024-07-30 |
Family
ID=86792316
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202310293396.2A Active CN116319024B (en) | 2023-03-23 | 2023-03-23 | Access control method and device of zero trust system and zero trust system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN116319024B (en) |
Cited By (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN116707807A (en) * | 2023-08-09 | 2023-09-05 | 中电信量子科技有限公司 | Distributed zero-trust micro-isolation access control method and system |
CN116707807B (en) * | 2023-08-09 | 2023-10-31 | 中电信量子科技有限公司 | Distributed zero-trust micro-isolation access control method and system |
CN117353989A (en) * | 2023-09-25 | 2024-01-05 | 北京景安云信科技有限公司 | Access admission identity authentication system based on security trust evaluation |
CN117353989B (en) * | 2023-09-25 | 2024-05-28 | 北京景安云信科技有限公司 | Access admission identity authentication system based on security trust evaluation |
CN117729057A (en) * | 2024-02-18 | 2024-03-19 | 北京建恒信安科技有限公司 | Method for accessing zero trust based on identity security |
CN118659936A (en) * | 2024-08-21 | 2024-09-17 | 北京远鉴信息技术有限公司 | A trusted access control system, method, electronic device and storage medium |
CN118869338A (en) * | 2024-08-23 | 2024-10-29 | 国电南瑞南京控制系统有限公司 | A novel information interaction security defense method, device and system for power distribution master station system |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113949573A (en) * | 2021-10-18 | 2022-01-18 | 天翼数字生活科技有限公司 | Zero-trust service access control system and method |
CN114070600A (en) * | 2021-11-11 | 2022-02-18 | 上海电气集团数字科技有限公司 | Industrial Internet field identity access control method based on zero trust model |
CN114615328A (en) * | 2022-01-26 | 2022-06-10 | 北京美亚柏科网络安全科技有限公司 | Safety access control system and method |
CN115001870A (en) * | 2022-08-02 | 2022-09-02 | 国汽智控(北京)科技有限公司 | Information security protection system, method and storage medium |
CN115001770A (en) * | 2022-05-25 | 2022-09-02 | 山东极光智能科技有限公司 | Zero-trust-based service access control system and control method |
CN115361186A (en) * | 2022-08-11 | 2022-11-18 | 哈尔滨工业大学(威海) | A Zero Trust Network Architecture for Industrial Internet Platforms |
CN115426141A (en) * | 2022-08-19 | 2022-12-02 | 国网河南省电力公司电力科学研究院 | Cloud master station service dynamic access control method and system based on zero trust network |
Application Events
Date | Event |
---|---|
2023-03-23 | Application CN202310293396.2A filed in CN; granted as CN116319024B (status: Active) |
Also Published As
Publication number | Publication date |
---|---|
CN116319024B (en) | 2024-07-30 |
Similar Documents
Publication | Title |
---|---|
AU2019206006B2 (en) | System and method for biometric protocol standards |
US11604861B2 (en) | Systems and methods for providing real time security and access monitoring of a removable media device |
CN116319024B (en) | Access control method and device of zero trust system and zero trust system |
CN112073400B (en) | Access control method, system, device and computing equipment |
CN114598540B (en) | Access control system, method, device and storage medium |
CN114629719B (en) | Resource access control method and resource access control system |
CN110213215B (en) | Resource access method, device, terminal and storage medium |
US9769167B2 (en) | Authentication and authorization using device-based validation |
CN113536258A (en) | Terminal access control method and device, storage medium and electronic equipment |
CN114553540B (en) | Zero trust-based Internet of things system, data access method, device and medium |
US10924481B2 (en) | Processing system for providing console access to a cyber range virtual environment |
EP3687139B1 (en) | Secure provisioning and validation of access tokens in network environments |
US11663325B1 (en) | Mitigation of privilege escalation |
US10412097B1 (en) | Method and system for providing distributed authentication |
US20250190536A1 (en) | Application identification |
US12363106B2 (en) | Risk-based factor selection |
US20240297887A1 (en) | Mid-session trust assessment |
CN116975805A (en) | Data processing method, device, equipment, storage medium and product |
US20250039174A1 (en) | Using hidden fields for bot detection |
WO2025122305A1 (en) | Application identification |
CN119966703A (en) | A network access control method, system, device and medium based on zero trust |
CN116961967A (en) | Data processing method, device, computer readable medium and electronic equipment |
CN118233117A (en) | Access control method, device, electronic equipment and storage medium |
CN119728131A (en) | Security management method, device and computer readable medium |
CN120150989A (en) | A method for ensuring information exchange security in a data environment |
Legal Events
Code | Title |
---|---|
PB01 | Publication |
SE01 | Entry into force of request for substantive examination |
GR01 | Patent grant |