CN116415217A - Instant authorization system based on zero trust architecture - Google Patents
- Publication number: CN116415217A (application CN202211682894A)
- Authority: CN (China)
- Prior art keywords: identity, user, authorization, authentication, library
- Prior art date
- Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- G—PHYSICS > G06—COMPUTING OR CALCULATING; COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/30—Authentication, i.e. establishing the identity or authorisation of security principals
  - G06F21/31—User authentication
  - G06F21/32—User authentication using biometric data, e.g. fingerprints, iris scans or voiceprints
  - G06F21/44—Program or device authentication
- G—PHYSICS > G06—COMPUTING OR CALCULATING; COUNTING > G06N—COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS > G06N20/00—Machine learning
- G—PHYSICS > G06—COMPUTING OR CALCULATING; COUNTING > G06F—ELECTRIC DIGITAL DATA PROCESSING > G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements > G06F2221/2141—Access rights, e.g. capability lists, access control lists, access tables, access matrices
Landscapes
- Engineering & Computer Science (AREA)
- Theoretical Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Software Systems (AREA)
- Physics & Mathematics (AREA)
- General Engineering & Computer Science (AREA)
- General Physics & Mathematics (AREA)
- Computer Hardware Design (AREA)
- Artificial Intelligence (AREA)
- Computer Vision & Pattern Recognition (AREA)
- Data Mining & Analysis (AREA)
- Evolutionary Computation (AREA)
- Medical Informatics (AREA)
- Computing Systems (AREA)
- Mathematical Physics (AREA)
- Storage Device Security (AREA)
Abstract
The invention belongs to the technical field of authentication and authorization, and in particular relates to an instant authorization system based on a zero trust architecture. It aims to solve the problems that existing authentication and authorization modes are inflexible, offer a low level of protection and do not take dynamic risk into account. The system comprises: an identity authentication subsystem, which creates an identity library, manages identities and authenticates them; an authorization management subsystem, which establishes a rights library, executes authorization policies and manages authorization; and an intelligent identity analysis subsystem, which analyzes user behavior with machine learning to produce an intelligent analysis result. The system provides adaptive identity authentication, dynamic fine-grained authorization and intelligent identity analysis; it avoids data leakage during the instant authorization process, takes full account of the dynamic risk present in the system, offers flexible authentication and authorization modes, and meets data-level prevention and control requirements.
Description
Technical Field
The invention belongs to the technical field of authentication and authorization, and particularly relates to an instant authorization system based on a zero trust architecture.
Background
Traditional security solutions are designed around perimeter protection: anything already inside the boundary is assumed not to be a threat, so traffic inside the boundary is essentially unobstructed. With the wide adoption of cloud computing, big data, mobile office and similar technologies, the network boundary has become blurred, the concentration and fusion of data bring new challenges to data protection, and a security architecture that derives trust from network location can no longer meet future protection requirements for business systems and data. In particular, as network attacks become more complex and sophisticated, internal threats such as illegal operations and abuse of privilege are increasing. At present, security incidents such as data leakage mainly occur because: the authentication and authorization mode is inflexible and cannot follow changing business scenarios; the granularity of permission control is coarse and cannot meet data-level control requirements; and access control measures are static and do not consider the hidden danger of dynamic risk.
Disclosure of Invention
In order to solve the problems in the prior art, namely the problems that the existing system authentication and authorization mode is inflexible, the protection level is low and the dynamic risk is not considered, the invention provides an instant authorization system based on a zero trust architecture, which comprises an identity authentication subsystem, an authorization management subsystem and an intelligent identity analysis subsystem;
the identity authentication subsystem is used for creating an identity library, managing the identity and authenticating the identity;
the authorization management subsystem is used for establishing a rights library, executing authorization policies and managing authorization;
the intelligent identity analysis subsystem is used for analyzing the behavior of the user by utilizing machine learning to form an intelligent analysis result.
In some preferred embodiments, the identity authentication subsystem comprises an identity management module, an identity authentication module, an identity library, and an authentication service interface;
the identity management module is used for establishing and maintaining the identity library, managing identity attributes, and changing and revoking identities and their attributes;
the identity authentication module is used for adaptively selecting the corresponding identity authentication mode and performing identity authentication of a user, service or device;
the identity library is used for storing identities and their attributes;
the authentication service interface is used for providing an authentication interface and an identity synchronization interface to external systems, performing identity identification and token transfer, and realizing integration and linkage with the external systems.
In some preferred embodiments, the identity of a user, service or device is authenticated with the following authentication policy:
the user identity authentication policy is based on risk identification from environmental factors, and the authentication measures are adjusted according to the risk grade; the environmental factors comprise user behavior, device fingerprint, geographic location and time;
the service identity authentication policy is to verify both the identity of the service initiator and the identity of the user who made the original request, with the user identity transferred by means of a user token; the user token may be in OAuth 2.0 or JWT format;
the device identity authentication policy is that device-related information is continuously and automatically collected and aggregated into a device asset library, and the device the user is currently using is compared with the device last recorded for that user in the asset library, so that the device information is checked for consistency with the asset library.
In some preferred embodiments, the authorization management subsystem includes an authorization management module, an authorization engine module, a rights library, and an authorization service interface;
the authorization management module is used for managing the rules, policies and attribute information in the rights library and maintaining the rules, policies and attribute information related to authorization;
the authorization engine is used for synchronizing and integrating the inputs from external attribute sources, the analysis platform and the terminal management platform, providing real-time authorization judgment on authorization requests and performing real-time authorization processing;
the rights library is used for storing rules, policies and attribute information;
the authorization service interface is used for providing an external authorization interface and protocol adaptation.
In some preferred embodiments, the intelligent identity analysis subsystem comprises a management center, a data collection module, an intelligent analysis module, and an external service interface;
the management center is used for integrating the inputs of external platforms, completing the identity information and forming a full identity profile;
the data collection module is used for acquiring data from the workflow and from log information, and filtering and grouping the data;
the intelligent analysis module is used for performing multidimensional analysis and feature extraction on the data, making a comprehensive judgment, realizing intelligent identity access and management driven by data analysis, and dynamically evaluating policy, risk and attribute factors to provide dynamic authorization factors to the instant authorization system;
the external service interface is used for providing a service interface for an external system.
In some preferred embodiments, the instant authorization system has an access control flow as follows:
an administrator/user initiates a login request, and the system sends the identity information submitted by the administrator/user to a portal for authentication;
the portal sends the identity information of the administrator/user to the identity library for validity verification and judges whether the administrator/user exists; if not, the access flow is stopped;
if the administrator/user exists, the authentication policy library makes a comprehensive judgment on the attributes of the administrator/user, the resource and the environment, and obtains the authentication policy and rights of the administrator/user;
the administrator/user is authenticated according to that authentication policy and those rights, and if authentication passes, the corresponding resource is accessed according to the rights granted.
In some preferred embodiments, the instant authorization system has an authentication and authorization method as follows:
the client requests access to the service provider; the service provider is the resource to be accessed, and the client is a registered user of an identity provider requesting access to that resource;
the service provider generates an authentication request packet, stores it in a hidden field of an HTML form, and returns the form to the user; the action address of the form is the pre-configured address of the identity provider, and the form is submitted automatically to that address;
the identity provider returns an authentication page to the client and authenticates the client;
the client submits its identity information to the identity provider and requests authentication; after the identity provider has authenticated the client, it generates a user access credential, signs it with its private key and returns it to the client;
the service provider receives the client's user access credential, verifies the signature with the public key of the identity provider, and returns the requested resource to the client once verification passes.
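The exchange above in code, as an added example that is not part of the patent (the patent describes the flow in prose only): the service provider wraps its authentication request in a self-submitting HTML form whose action is the pre-configured identity provider address, the identity provider signs the user access credential with its private key after authenticating the client, and the service provider checks that signature with the identity provider's public key before releasing the resource. Ed25519 as the signature scheme, the credential fields, the audience binding (`aud`) and every name below are assumptions; the patent specifies only a private-key signature verified with the identity provider's public key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"html/template"
	"strings"
	"time"
)

// AuthRequest is the packet the service provider hides in the form field.
type AuthRequest struct {
	SP       string `json:"sp"`       // service provider identifier (assumed name)
	Resource string `json:"resource"` // resource the client originally asked for
	IssuedAt int64  `json:"iat"`
}

// Credential is the user access credential the identity provider issues; it
// proves both who the client is and which rights were granted.
type Credential struct {
	Subject   string   `json:"sub"`
	Audience  string   `json:"aud"` // the service provider this credential is for
	Rights    []string `json:"rights"`
	ExpiresAt int64    `json:"exp"`
}

// formTmpl is the self-submitting form; html/template escapes both values.
var formTmpl = template.Must(template.New("sso").Parse(
	`<form method="POST" action="{{.Action}}">` +
		`<input type="hidden" name="AuthRequest" value="{{.Req}}"></form>` +
		`<script>document.forms[0].submit()</script>`))

// BuildPostForm is the service provider step: encode the request and render
// the form whose action is the pre-configured identity provider address.
func BuildPostForm(idpURL string, req AuthRequest) (string, error) {
	raw, err := json.Marshal(req)
	if err != nil {
		return "", err
	}
	var sb strings.Builder
	err = formTmpl.Execute(&sb, map[string]string{
		"Action": idpURL, "Req": base64.RawURLEncoding.EncodeToString(raw)})
	return sb.String(), err
}

// NewIdPKeys generates the identity provider's signing key pair.
func NewIdPKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// IssueCredential is the identity provider step after it has authenticated the
// client: sign subject, audience, rights and expiry with the IdP private key.
func IssueCredential(priv ed25519.PrivateKey, c Credential) (string, error) {
	body, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	sig := ed25519.Sign(priv, body)
	return base64.RawURLEncoding.EncodeToString(body) + "." +
		base64.RawURLEncoding.EncodeToString(sig), nil
}

// VerifyCredential is the service provider step: check the signature with the
// IdP public key, then that the credential is for this SP and still valid.
func VerifyCredential(pub ed25519.PublicKey, token, sp string, now time.Time) (*Credential, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 2 {
		return nil, errors.New("malformed credential")
	}
	body, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	if !ed25519.Verify(pub, body, sig) {
		return nil, errors.New("bad signature")
	}
	var c Credential
	if err := json.Unmarshal(body, &c); err != nil {
		return nil, err
	}
	if c.Audience != sp {
		return nil, errors.New("credential issued for a different service provider")
	}
	if !now.Before(time.Unix(c.ExpiresAt, 0)) {
		return nil, errors.New("credential expired")
	}
	return &c, nil
}
```

The audience and expiry checks are what a signature alone does not give you: without the audience check, a credential issued for one service provider can be replayed to any other service provider that trusts the same identity provider, and without the expiry check a credential stays valid for as long as the identity provider's key does.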
In some preferred embodiments, the user access credentials are used to prove the identity and rights of the client.
In some preferred embodiments, the access control method of the authorization management subsystem is as follows:
the policy administration point (PAP) generates a security policy described in the XACML language, and the user requests a security token from the STS (security token service);
the STS returns a valid access credential, which contains a security token, an access key and a credential expiration time;
the policy enforcement point (PEP) intercepts the access request sent by the user, verifies the security token carried with it, and forwards the intercepted request to the policy decision point (PDP);
the PDP requests the attributes of the subject, the resource and the environment from the policy information point (PIP), makes the access control decision on the basis of the returned attributes, and returns the decision to the PEP;
if the decision is Deny, the request is logged; if it is Permit, the PEP enforces the decision: the user retrieves the key ciphertext, decrypts it with their private key to obtain the symmetric key, and decrypts the data ciphertext with that symmetric key to obtain the plaintext.
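An added example, not code from the patent, of the enforcement flow above. Token verification is abstracted behind a `TokenVerifier` callback (the STS token format is left open here); `Rule` is a simplified stand-in for an XACML rule, evaluated deny-overrides with default deny; the PIP is a callback that returns the subject, resource and environment attributes; on Permit the user's RSA private key unwraps the symmetric key (OAEP) and AES-GCM decrypts the data, and a Deny is logged instead. The attribute names, the envelope format (AES-256-GCM with RSA-OAEP key wrap) and all identifiers are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Attributes is the subject/resource/environment bag the PIP returns; Rule stands
// in for an XACML rule here: every listed attribute must match for it to apply.
type Attributes map[string]string
type Rule struct {
	Effect string // "Permit" or "Deny"
	Match  Attributes
}

// TokenVerifier validates the STS security token carried by the request and
// returns the subject it names (the token format itself is left to the STS).
type TokenVerifier func(token string) (subject string, err error)

// PDPDecide is deny-overrides with default deny: an applicable Deny wins, and a
// request that no rule applies to is denied as well.
func PDPDecide(rules []Rule, attrs Attributes) string {
	decision := "Deny"
	for _, r := range rules {
		applies := true
		for k, v := range r.Match {
			applies = applies && attrs[k] == v
		}
		if applies && r.Effect == "Deny" {
			return "Deny"
		} else if applies {
			decision = "Permit"
		}
	}
	return decision
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealEnvelope is the data owner's side: a fresh AES-256 key encrypts the data
// with GCM, and the key itself is wrapped to the user's RSA public key with OAEP.
func SealEnvelope(pub *rsa.PublicKey, plaintext []byte) (wrappedKey, nonce, dataCT []byte, err error) {
	buf := make([]byte, 44) // 32-byte AES key followed by a 12-byte GCM nonce
	if _, err = rand.Read(buf); err != nil {
		return
	}
	key, nonce := buf[:32], buf[32:]
	gcm, err := gcmFor(key)
	if err != nil {
		return
	}
	dataCT = gcm.Seal(nil, nonce, plaintext, nil)
	wrappedKey, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	return
}

// OpenEnvelope is the user's side on Permit: unwrap the symmetric key with the
// private key, then decrypt the data ciphertext with it.
func OpenEnvelope(priv *rsa.PrivateKey, wrappedKey, nonce, dataCT []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrappedKey, nil)
	if err != nil {
		return nil, err
	}
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, dataCT, nil)
}

// PEPHandle is the enforcement flow: verify the token, fetch attributes via the
// PIP, ask the PDP, log a Deny, and only on Permit release the decrypted data.
func PEPHandle(verify TokenVerifier, token string, rules []Rule, pip func(string) Attributes,
	priv *rsa.PrivateKey, wrappedKey, nonce, dataCT []byte, logf func(string)) ([]byte, error) {
	subject, err := verify(token)
	if err != nil {
		logf("reject: " + err.Error())
		return nil, err
	}
	if d := PDPDecide(rules, pip(subject)); d != "Permit" {
		logf("deny: subject=" + subject)
		return nil, errors.New("access denied")
	}
	return OpenEnvelope(priv, wrappedKey, nonce, dataCT)
}
```

Default deny matters here: when no rule applies the PDP returns Deny rather than NotApplicable, so a gap in the policy cannot become an implicit grant. GCM's authentication tag also means a modified data ciphertext fails to decrypt instead of yielding corrupted plaintext.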
In some preferred embodiments, the intelligent identity analysis subsystem comprises the following analysis methods:
the workflow obtains relevant data from all data sources;
the defined filters are applied, the data is grouped by the identified entity, and the configured features are computed and stored;
each entity attribute is analyzed on the basis of the extracted features, and a behavior summary of the specific entity is generated with the analysis model;
the feature values of the user's behavior are judged against the user profile and, combined with the behavior summary of the specific entity, user anomaly events are generated.
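The analysis method above, as an added example that is not part of the patent: constructed `user,hour,bytes` log records are filtered and grouped by entity, per-entity features (volume mean and standard deviation, hours of activity) form the behavior summary, and a new event is judged against the entity's own profile and against its peer group to generate anomaly events. The features, the thresholds and the record format are assumptions; the patent does not specify them.

```go
package main

import (
	"math"
	"strconv"
	"strings"
)

// Event is one record after filtering: the entity, the hour of day and the
// volume moved. Input lines are constructed "user,hour,bytes" records.
type Event struct {
	User  string
	Hour  int
	Bytes float64
}

// ParseEvents applies the filter: malformed or out-of-range lines are dropped.
func ParseEvents(lines []string) []Event {
	var out []Event
	for _, ln := range lines {
		f := strings.Split(strings.TrimSpace(ln), ",")
		if len(f) != 3 {
			continue
		}
		h, err1 := strconv.Atoi(f[1])
		b, err2 := strconv.ParseFloat(f[2], 64)
		if err1 != nil || err2 != nil || h < 0 || h > 23 || b < 0 {
			continue
		}
		out = append(out, Event{User: f[0], Hour: h, Bytes: b})
	}
	return out
}

// Profile is the behavior summary of one entity: volume mean and (population)
// standard deviation, and the hours at which it has been active.
type Profile struct {
	Mean, Std float64
	Hours     map[int]int
	N         int
}

// BuildProfiles groups events by entity and computes the configured features.
func BuildProfiles(evs []Event) map[string]Profile {
	groups := map[string][]Event{}
	for _, e := range evs {
		groups[e.User] = append(groups[e.User], e)
	}
	profiles := map[string]Profile{}
	for user, g := range groups {
		p := Profile{Hours: map[int]int{}, N: len(g)}
		for _, e := range g {
			p.Mean += e.Bytes
			p.Hours[e.Hour]++
		}
		p.Mean /= float64(len(g))
		for _, e := range g {
			p.Std += (e.Bytes - p.Mean) * (e.Bytes - p.Mean)
		}
		p.Std = math.Sqrt(p.Std / float64(len(g)))
		profiles[user] = p
	}
	return profiles
}

// PeerMean is the average volume of all other entities, the "similar users"
// against which a behavior is compared.
func PeerMean(profiles map[string]Profile, exclude string) float64 {
	var sum float64
	var n int
	for user, p := range profiles {
		if user != exclude {
			sum += p.Mean
			n++
		}
	}
	if n == 0 {
		return 0
	}
	return sum / float64(n)
}

// Anomaly is a generated abnormal event for the analyst to investigate.
type Anomaly struct {
	User, Reason string
	Event        Event
}

// Detect compares a new event with the entity's own baseline (z-score of the
// volume, unseen hour) and with the peer group; the thresholds are assumptions.
func Detect(profiles map[string]Profile, e Event, zLimit, peerFactor float64) []Anomaly {
	p, ok := profiles[e.User]
	if !ok {
		return []Anomaly{{e.User, "no baseline for entity", e}}
	}
	var out []Anomaly
	std := math.Max(p.Std, 1) // a flat baseline must not make every change infinite
	if math.Abs(e.Bytes-p.Mean)/std > zLimit {
		out = append(out, Anomaly{e.User, "volume deviates from own baseline", e})
	}
	if p.Hours[e.Hour] == 0 {
		out = append(out, Anomaly{e.User, "activity at an hour absent from baseline", e})
	}
	if pm := PeerMean(profiles, e.User); pm > 0 && e.Bytes > peerFactor*pm {
		out = append(out, Anomaly{e.User, "volume far above peer group", e})
	}
	return out
}
```

Two edge cases are handled deliberately: a flat baseline (zero standard deviation) is clamped so the first change does not score as infinite, and an entity with no profile at all is reported rather than silently passed, because an identity that has never been seen cannot be judged against any baseline.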
The invention has the beneficial effects that:
(1) The instant authorization system based on the zero trust architecture has adaptive identity authentication capability. Using technologies such as operating-system-level identity recognition and non-intrusive keystroke behavior recognition, the identity of the accessor is compared with that of the device in use, which improves the accuracy of identity authentication for the access subject, and an authentication and authorization policy system is built on top of an open source authentication and authorization framework. The existing multi-factor authentication methods form an authentication pool from which a suitable method is selected on demand; several methods (user name/password, dynamic password, token, fingerprint and so on) are logically combined, exposed through a unified interface in an SOA architecture, and invoked by the authentication module. An authentication mode selection policy is written against the user's context (network state, the mode selected at the last login, the resource being accessed and so on), and the authentication required in the current environment is selected adaptively.
(2) The instant authorization system based on the zero trust architecture has dynamic fine-grained authorization capability. Data-level rights management tied to the identity security level is realized with a fine-grained dynamic authorization management technology. Access control policies are defined through attribute matching, and a data access decision is made by dynamically evaluating one attribute or a set of attributes to determine whether a condition is satisfied. Rights are adjusted dynamically as the attributes of the user, the resource, the environment and so on change, so that the granted rights always stay in the most appropriate state, match the context (user, resource and environment attributes) precisely, and keep the resource secure.
(3) The instant authorization system based on the zero trust architecture has intelligent identity analysis capability. Security risk identification is performed through contextual awareness of entity behavior. For a user, file, network or other entity, behavior is recorded and analyzed continuously over the long term and compared with the behavior of similar users; a baseline summary of the entity's behavior is built, and any deviation from that baseline can be flagged as a potential anomaly and investigated further, so that the risk points that exist can be focused on quickly.
Drawings
Other features, objects and advantages of the present application will become more apparent upon reading of the detailed description of non-limiting embodiments, made with reference to the following drawings, in which:
FIG. 1 is a schematic diagram of the functional block components of an instant authorization system based on a zero trust architecture of the present invention;
FIG. 2 is a schematic diagram of the functional modules of an identity authentication subsystem of the instant authorization system based on the zero trust architecture of the present invention;
FIG. 3 is a schematic diagram of the functional block components of the authorization management subsystem of the instant authorization system based on the zero trust architecture of the present invention;
FIG. 4 is a schematic diagram of the functional block components of the intelligent identity analysis subsystem of the instant authorization system based on the zero trust architecture of the present invention;
FIG. 5 is a schematic diagram of the access control flow of the instant authorization system based on the zero trust architecture of the present invention;
FIG. 6 is a schematic diagram of an authentication and authorization method of the instant authorization system based on the zero trust architecture of the present invention;
FIG. 7 is a schematic diagram of an authorization authentication method of an identity authentication subsystem of an instant authorization system based on a zero trust architecture of the present invention;
FIG. 8 is a schematic diagram of a method of controlling rights of a rights management subsystem of an instant authorization system based on a zero trust architecture of the present invention;
FIG. 9 is a schematic diagram of an intelligent analysis method of an intelligent identity analysis subsystem of the instant authorization system based on a zero trust architecture of the present invention.
Detailed Description
The present application is described in further detail below with reference to the drawings and examples. It is to be understood that the specific embodiments described herein are merely illustrative of the invention and are not limiting of the invention. It should be noted that, for convenience of description, only the portions related to the present invention are shown in the drawings.
It should be noted that, in the case of no conflict, the embodiments and features in the embodiments may be combined with each other. The present application will be described in detail below with reference to the accompanying drawings in conjunction with embodiments.
The invention provides an instant authorization system based on a zero trust architecture. The system provides security authentication and authorization services for users, devices and the like when they access resources, and so ensures the security of resource access. Under the "zero trust" architecture the concept of "identity" is greatly expanded: it covers not only the identity of a person but also the identity of a device, of an application running on the device, of an application interface, and so on. Natural entities such as people, devices, applications and services all have to register in the zero-trust instant authorization system and obtain a digital identity. Because devices in a cloud environment cannot be fully controlled, the management and control of devices under zero trust is redefined in this scheme: devices are not required to register in advance; information about the user's device is collected and recorded while the user works, and corresponding measures are taken when the user switches away from their usual device.
The identities can be classified in a multi-dimensional manner according to organization architecture and equipment types, and a proper identity life cycle management flow is established for various identities, so that people, equipment, applications and services can correspond to a unique digital identity and are associated with a series of identity attributes, and then self-adaptive access authorization capability is provided through the information and the attributes, and rights are dynamically adjusted according to the change of the attributes, so that the access of resources is safer.
The invention discloses an instant authorization system based on a zero trust architecture, which comprises an identity authentication subsystem, an authorization management subsystem and an intelligent identity analysis subsystem;
the identity authentication subsystem is used for creating an identity library, managing the identity and authenticating the identity;
the authorization management subsystem is used for establishing a rights library, executing authorization policies and managing authorization;
the intelligent identity analysis subsystem is used for analyzing the behavior of the user by utilizing machine learning to form an intelligent analysis result.
In order to more clearly describe the instant authorization system based on the zero trust architecture of the present invention, the following details of each module in the embodiment of the present invention are described with reference to fig. 1.
The instant authorization system based on the zero trust architecture of the first embodiment of the invention comprises an identity authentication subsystem, an authorization management subsystem and an intelligent identity analysis subsystem, and the details of each part are as follows:
and the identity authentication subsystem is used for carrying out identity library creation, identity management and identity authentication. As shown in fig. 2, the functional modules of the identity authentication subsystem of the instant authorization system based on the zero trust architecture of the present invention are schematically shown, and the identity authentication subsystem includes an identity management module, an identity authentication module, an identity library and an authentication service interface:
the identity management module is used for establishing and maintaining the identity library, managing identity attributes, and changing and revoking identities and their attributes; it provides a view-based identity management function and can manage identities by attributes such as organization, department and position;
the identity authentication module is used for adaptively selecting the corresponding identity authentication mode and performing identity authentication of a user, service or device;
the identity library is used for storing identities and their attributes;
the authentication service interface is used for providing an authentication interface and an identity synchronization interface to external systems, performing identity identification and token transfer, and realizing integration and linkage with the external systems.
Identity authentication technologies: user name/password, dynamic password, face recognition, fingerprint recognition, behavioral fingerprint and so on. The multi-factor authentication technology is compatible with international standard protocols such as FIDO2.
Identity authentication of a user, service or device follows this identity authentication policy:
the user identity authentication policy is based on risk identification from environmental factors, and the authentication measures are adjusted according to the risk grade; the environmental factors comprise user behavior, device fingerprint, geographic location and time;
the service identity authentication policy is to verify both the identity of the service initiator and the identity of the user who made the original request, with the user identity transferred by means of a user token; the token format must take compatibility into account, the main formats being OAuth 2.0 tokens and JWT; a call between services must verify not only the identity of the initiating service but also the identity of the user who made the original request, that is, the user identity must be transferred, and this transfer is realized with token technology;
the device identity authentication policy is that device-related information is continuously and automatically collected and aggregated into a device asset library, and the device the user is currently using is compared with the device last recorded for that user in the asset library, so that the device information is checked for consistency with the asset library.
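An added example, written for this page rather than taken from the patent, of how the user and device policies above (and the adaptive selection of an authentication mode described under beneficial effect (1) earlier) can be implemented: the environmental factors are scored into a risk grade, the grade picks which factors from the authentication pool the user must pass, and the device fingerprint is compared with the last device recorded in the asset library, which is updated after a successful login rather than pre-registered. The weights, the thresholds, the field names and the `AccessContext`/`DeviceRecord` types are assumptions.

```go
package main

import (
	"fmt"
	"math"
	"strings"
)

// AccessContext holds the environmental factors the user authentication policy
// evaluates: behavior, device fingerprint, geographic location and time.
type AccessContext struct {
	UserID       string
	DeviceFP     string  // fingerprint reported by the endpoint agent
	Country      string  // geolocation of the source address
	Hour         int     // local hour of the request, 0-23
	KeystrokeDev float64 // distance of keystroke rhythm from the user's profile, 0..1
}

// DeviceRecord is what the device asset library holds for a user: the device
// last seen, collected during use rather than registered in advance.
type DeviceRecord struct {
	LastDeviceFP string
	HomeCountry  string
	WorkStart    int // usual working window, hours of day
	WorkEnd      int
}

// RiskScore turns the environmental factors into an additive score in 0..100.
// The weights are assumptions for illustration, not values from the patent.
func RiskScore(c AccessContext, r DeviceRecord) int {
	score := 0
	if c.DeviceFP != r.LastDeviceFP { // device differs from the last recorded one
		score += 40
	}
	if !strings.EqualFold(c.Country, r.HomeCountry) {
		score += 30
	}
	if c.Hour < r.WorkStart || c.Hour >= r.WorkEnd {
		score += 15
	}
	score += int(math.Round(40 * c.KeystrokeDev)) // behavioral fingerprint
	if score > 100 {
		score = 100
	}
	return score
}

// RiskGrade maps the score onto the grades that drive the authentication measure.
func RiskGrade(score int) string {
	switch {
	case score < 20:
		return "low"
	case score < 50:
		return "medium"
	case score < 80:
		return "high"
	default:
		return "critical"
	}
}

// SelectAuthModes picks, from the authentication pool, the factors the user
// must pass at this risk grade; nil means the login is refused outright.
func SelectAuthModes(grade string) []string {
	switch grade {
	case "low":
		return []string{"password"}
	case "medium":
		return []string{"password", "otp"}
	case "high":
		return []string{"password", "fido2"}
	default:
		return nil
	}
}

// RecordDevice updates the asset library after all selected factors passed, so
// the next comparison is against the device actually used.
func RecordDevice(r *DeviceRecord, fp string) { r.LastDeviceFP = fp }

func main() {
	rec := DeviceRecord{LastDeviceFP: "fp-laptop-01", HomeCountry: "CN", WorkStart: 8, WorkEnd: 19}
	ctx := AccessContext{UserID: "alice", DeviceFP: "fp-phone-99", Country: "CN", Hour: 10}
	s := RiskScore(ctx, rec)
	fmt.Println(s, RiskGrade(s), SelectAuthModes(RiskGrade(s)))
}
```

The order of operations is the point: the risk score is computed before any credential is checked, so the factors demanded are fixed by the context rather than by whatever the client chooses to present, and the asset library is only updated once every selected factor has passed, so an attacker on a new device cannot make that device "usual" by failing a step-up.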
And the authorization management subsystem is used for performing rights library creation, execution of authorization policies and authorization management. As shown in fig. 3, the functional modules of the authorization management subsystem of the instant authorization system based on the zero trust architecture of the present invention are schematically shown, and the authorization management subsystem includes an authorization management module, an authorization engine module, a rights library and an authorization service interface:
the authorization management module is used for managing rules, strategies and attribute information in the authority library and maintaining rules, strategies and attribute information related to authorization;
the authorization engine is used for synchronizing and integrating the inputs from external attribute sources, the analysis platform and the terminal management platform, providing real-time authorization judgment on authorization requests and performing real-time authorization processing;
the authorization engine comprises an authorization information engine and a dynamic multidimensional attribute authorization engine:
the authorization information engine is used for synchronizing and integrating the information input from external attribute sources, the analysis platform, the terminal management platform and the like;
the dynamic multidimensional attribute authorization engine is used for providing real-time authorization judgment on authorization requests and performing real-time authorization processing;
the rights library is used for storing rules, policies and attribute information;
an authorization service interface for providing an external authorization interface and protocol adaptation.
And the intelligent identity analysis subsystem is used for analyzing the behavior of the user by utilizing machine learning to form an intelligent analysis result. As shown in fig. 4, a schematic diagram is formed by functional modules of an intelligent identity analysis subsystem of the instant authorization system based on the zero trust architecture of the present invention, where the intelligent identity analysis subsystem includes a management center, a data collection module, an intelligent analysis module and an external service interface:
the management center is used for integrating the inputs of external platforms, completing the identity information and forming a full identity profile;
the data collection module is used for acquiring data from the workflow and the log information, and filtering and grouping the data;
the intelligent analysis module is used for carrying out multidimensional analysis and characteristic extraction on the data, carrying out comprehensive judgment, realizing intelligent identity access and management driven by data analysis, carrying out dynamic calculation through strategies, risks and attribute factors, and providing dynamic authorization factors for the instant authorization system;
and the external service interface is used for providing a service interface for an external system.
The intelligent identity analysis subsystem integrates the information input of external platforms, enriching and completing the identity information into a full identity profile. It has policy analysis, anomaly analysis, risk analysis, behavior analysis and similar capabilities, supports comprehensive judgment across analysis results of several dimensions, and realizes intelligent identity access and management driven by data analysis. Policy, risk, attribute and other factors are evaluated dynamically to provide dynamic authorization factors to the unified authorization management system.
The access control flow of the instant authorization system is as follows:
an administrator/user initiates a login request, and the system sends identity information submitted by the administrator/user to a portal for authentication;
the portal sends the identity information of the manager/user to the identity library for validity verification, judges whether the manager/user exists or not, and stops the access flow if the manager/user does not exist;
if the manager/user exists, the authentication policy library performs comprehensive judgment according to the attributes of the manager/user, the resource and the environment to acquire the authentication policy and authority of the manager/user;
and authenticating the administrator/user based on the authentication policy and the authority, and if the authentication is passed, performing corresponding resource access according to the granted authority.
Fig. 5 is a schematic diagram of an access control flow of the instant authorization system based on the zero trust architecture according to the present invention, which includes:
the user sends a login request and submits identity information to the portal for authentication; the portal sends the user's identity information to the identity library for validity verification and checks whether the user exists; if the user does not exist, the access flow stops and a result is returned; if the user exists, the authentication policy library makes a comprehensive judgment on the attributes of the user, the resource and the environment and decides the user's authentication policy and authority; if the user passes authentication, the resource can be accessed according to the granted authority.
As shown in fig. 6, a schematic diagram of the authentication and authorization method of the instant authorization system based on the zero trust architecture of the present invention, three roles are involved:
the service provider, i.e. the resource to be accessed;
the identity provider, which authenticates the user's identity and generates rights information;
and the client, i.e. the user accessing the resource.
In the authentication and authorization method of the instant authorization system based on the zero trust architecture of the present invention, the client is a registered user of the identity provider, that is, the client has its own user name and password there and its identity information can be confirmed; the service provider and the identity provider are each configured by their respective administrators to trust each other, and each holds the other's public key; when the client needs to access a resource provided by the service provider, the service provider authenticates the client and grants it authorization. The specific flow is as follows:
the client requests access to the service provider, for example by opening http://www.abc.com/resource in a browser; the service provider is the resource to be accessed, and the client is a registered user of the identity provider requesting access to that resource;
the service provider finds that the client has not passed authentication and has not been authorized to access the resource, so it generates an authentication request data packet, stores it in a hidden field of an HTML form and returns the form to the user; the form's action address is the pre-configured address of the identity provider, and the form is submitted to that address automatically by a JavaScript statement placed after it;
the HTML form above is submitted to the identity provider's address automatically by JavaScript;
the identity provider returns an authentication page to the client in order to authenticate it;
the client provides its own identity information to the service provider and requests that authentication pass;
after authenticating the client, the service provider generates a user access credential, signs it with a private key, packages the signed credential into a response format, places it in an HTML form and returns it to the client; the user access credential is used to prove the client's identity and authority; user name/password authentication may be used, as may other modes such as multi-factor authentication, because the identity provider holds the client's user name, password and other security authentication information;
the HTML form is submitted to the service provider automatically by JavaScript;
the service provider reads the client's user access credential from the HTML form, verifies the signature with the identity provider's public key, and once verification passes trusts the credential, confirms that the user is a legitimate user of the identity provider, and returns the requested resource to the client.
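The exchange above, as an added Go example that is not part of the patent: the identity provider authenticates the user and signs the credential, and the service provider checks it with the identity provider's public key, as the final step requires. The JSON credential layout, the Ed25519 signature, the demo user store and the extra checks a service provider needs before trusting a relayed credential (audience, binding to one outstanding request so a response cannot be replayed, expiry) are this example's assumptions; the page fixes none of them, and the HTML form relay through the browser is not simulated.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AuthnRequest is the packet the service provider puts in the hidden form field (constructed layout).
type AuthnRequest struct{ ID, Issuer string } // ID is random and accepted once; Issuer is the SP

// AccessCredential proves the client's identity and rights to the service provider.
type AccessCredential struct {
	Subject      string   `json:"sub"`
	Audience     string   `json:"aud"` // service provider it was issued for
	InResponseTo string   `json:"irt"` // request ID it answers
	Expires      int64    `json:"exp"` // Unix seconds
	Rights       []string `json:"rights"`
}

// IdentityProvider holds the signing key and a constructed user store.
type IdentityProvider struct {
	priv   ed25519.PrivateKey
	users  map[string]string   // username -> password (demo only; production stores a salted hash)
	grants map[string][]string // username -> rights
}

// Authenticate checks the password and issues a signed credential bound to the requesting SP and to this request.
func (idp *IdentityProvider) Authenticate(req AuthnRequest, user, pass string, now time.Time) (payload, sig []byte, err error) {
	if stored, ok := idp.users[user]; !ok || stored != pass {
		return nil, nil, errors.New("authentication failed")
	}
	if payload, err = json.Marshal(AccessCredential{Subject: user, Audience: req.Issuer,
		InResponseTo: req.ID, Expires: now.Add(5 * time.Minute).Unix(), Rights: idp.grants[user]}); err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(idp.priv, payload), nil
}

// ServiceProvider holds the identity provider's public key and its own outstanding requests.
type ServiceProvider struct {
	name    string
	idpPub  ed25519.PublicKey
	pending map[string]AuthnRequest // consumed when the matching response is accepted
}

// NewRequest is generated when an unauthenticated client asks for a resource.
func (sp *ServiceProvider) NewRequest() AuthnRequest {
	var id [16]byte
	if _, err := rand.Read(id[:]); err != nil {
		panic(err)
	}
	req := AuthnRequest{ID: fmt.Sprintf("%x", id), Issuer: sp.name}
	sp.pending[req.ID] = req
	return req
}

// Verify checks the signature before parsing, then audience, request binding (single use) and expiry.
func (sp *ServiceProvider) Verify(payload, sig []byte, now time.Time) (AccessCredential, error) {
	var cred AccessCredential
	if !ed25519.Verify(sp.idpPub, payload, sig) {
		return cred, errors.New("signature does not verify with the identity provider's key")
	}
	if err := json.Unmarshal(payload, &cred); err != nil {
		return cred, err
	}
	if cred.Audience != sp.name {
		return cred, errors.New("credential was issued for a different service provider")
	}
	if _, ok := sp.pending[cred.InResponseTo]; !ok {
		return cred, errors.New("unknown or already consumed request id")
	}
	delete(sp.pending, cred.InResponseTo) // a replayed response now fails the check above
	if now.Unix() >= cred.Expires {
		return cred, errors.New("credential expired")
	}
	return cred, nil
}

// NewSSODemo wires one SP and one IdP that trust each other (constructed users and rights).
func NewSSODemo() (*ServiceProvider, *IdentityProvider) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	idp := &IdentityProvider{priv: priv, users: map[string]string{"alice": "correct horse battery"},
		grants: map[string][]string{"alice": {"read:resource", "list:resource"}}}
	return &ServiceProvider{name: "www.abc.com", idpPub: pub, pending: map[string]AuthnRequest{}}, idp
}
```

Because the signature is checked before the payload is parsed and the request ID is consumed on first use, a credential captured in transit cannot be re-submitted, and one issued for www.abc.com is rejected by any other service provider that trusts the same identity provider.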
Fig. 7 is a schematic diagram of an authorization authentication method of an identity authentication subsystem of an instant authorization system based on a zero trust architecture according to the present invention, including:
An inbound identity verifier: for each protocol supported by the system there is one inbound identity verifier; the inbound identity verifiers cover SAML 2.0, OpenID Connect, OAuth 2.0 and federated identity. For example, the role of the SAML 2.0 request handler is to accept SAML requests from service providers, validate them, build the common object model understood by the authentication framework and hand the request on to it. The role of the SAML response builder is to accept the common object model from the authentication framework and build a SAML response from it. Both the request handler and the response builder are protocol-aware, while the authentication framework is not coupled to any protocol.
Authentication framework: the common object model sent from the inbound identity verifier is converted into local identity claims, which are then converted into an object model acceptable to the identity provider, and the request is sent to the identity provider.
Inbound provisioning: concerned with how user information is synchronized to the user storage center. Inbound provisioning is supported through SCIM APIs, which support HTTP basic authentication. If a provisioning API is invoked with basic authentication credentials, where to store the user is decided according to the inbound provisioning configuration of the resident service provider. The SCIM APIs also support OAuth 2.0: if a user authenticates to the SCIM API with OAuth credentials, the system loads the configuration of the service provider that owns the OAuth client ID.
User storage: each user has different attributes, such as uid, email, etc. Some attributes may be unique; typically, for example, uid and mail may be unique attributes of a user. After connecting the LDAP directory with the application, the application can authenticate users by a unique attribute in LDAP (used as the user's user name in the application). In our example it may be the uid or the mail attribute. In some cases the application may use both, so that end users can authenticate to the application with either their uid or their mail.
Local authentication: the user is authenticated with locally available credentials, which may be a user name/password or IWA (Integrated Windows Authentication). The local identity verifier is separate from the inbound identity verifier. Once the initial request is handed over from the inbound verifier to the authentication framework, the framework communicates with the service provider configuration component to find the local authentication information registered by the service provider corresponding to the current authentication request.
In local identity authentication, the multi-factor authentication means to be supported by the system mainly include:
1) Authentication based on user name/password (standard configuration);
2) Authentication based on token dynamic passwords (e.g. event- or time-based tokens);
3) Authentication based on SMS dynamic passwords (e.g. an SMS one-time code);
4) Authentication based on a digital certificate system;
5) Authentication based on biometric features.
When selecting the identity authentication mode, the following principles need to be considered:
1) Sufficient security: the authentication means should not be easy to imitate (including copying of authentication credentials and replay of the authentication procedure) or to attack;
2) Appropriate cost: security and cost are often inversely related, so systems of different value, and accounts with different rights, call for different authentication means;
3) Convenience of use: practicality comes first; if inconvenience provokes user resistance, every security measure exists in name only.
The multi-factor identity authentication module can set different identity authentication modes according to different user identities and different managed resources, so that the authentication management of the user is more flexible and safer.
The account authentication modes provided in the initial phase are as follows:
1) User name/password authentication;
2) Dynamic SMS authentication.
As shown in fig. 8, a schematic diagram of a rights control method of a rights management subsystem of an instant authorization system based on a zero trust architecture of the present invention includes:
the policy management point generates a security policy described in the XACML language, and the user requests a security token from the STS service;
the STS service returns a valid access credential, which contains a security token, an access key and a credential expiration time;
the policy enforcement point intercepts the access control request sent by the user, verifies the security token carried by the user, and forwards the intercepted access control request to the policy decision point;
the policy decision point requests the subject, resource and environment attributes from the policy information point, makes the access control decision on the basis of the returned attributes, and returns the decision result to the policy enforcement point;
if the decision result is deny, the event is logged; if the decision result is permit, the policy enforcement point executes it: the user accesses the key ciphertext, decrypts it with the private key to obtain the symmetric key, and decrypts the data ciphertext with that key to obtain the data plaintext.
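The enforcement path above (token check at the policy enforcement point, attribute collection from the policy information point, decision at the policy decision point, logging on deny), as an added Go example that is not the patent's own code. XACML rules are modelled as attribute-equality matches combined deny-overrides rather than parsed from XACML documents, a constructed token store stands in for the STS, and the example stops at the decision; the decryption of the key ciphertext that follows a permit is not shown.

```go
package main

import "time"

// Attributes is a flat bag of attribute name -> value, keyed subject.*, resource.* and env.*.
type Attributes map[string]string

// SecurityToken is the token part of the STS access credential (constructed layout).
type SecurityToken struct {
	Subject string
	Expires int64 // Unix seconds
}

// Rule is a simplified XACML-style rule: it applies when every Match entry equals the bag's value.
type Rule struct {
	Permit bool // effect: true = Permit, false = Deny
	Match  Attributes
}

func (r Rule) applies(bag Attributes) bool {
	for k, want := range r.Match {
		if bag[k] != want {
			return false
		}
	}
	return true
}

// PDP is the policy decision point; Subjects and Resources play the policy information point
// (constructed demo data) and Rules are combined deny-overrides: an applicable Deny wins,
// otherwise an applicable Permit, otherwise Deny because nothing applied.
type PDP struct {
	Rules               []Rule
	Subjects, Resources map[string]Attributes
}

// Decide merges subject, resource and environment attributes and evaluates the rules.
func (d *PDP) Decide(subject, resource string, env Attributes) bool {
	bag := Attributes{}
	for _, src := range []Attributes{d.Subjects[subject], d.Resources[resource], env} {
		for k, v := range src {
			bag[k] = v
		}
	}
	permit := false
	for _, r := range d.Rules {
		if !r.applies(bag) {
			continue
		}
		if !r.Permit {
			return false
		}
		permit = true
	}
	return permit
}

// PEP is the policy enforcement point: it validates the token, asks the PDP and logs every denial.
type PEP struct {
	PDP    *PDP
	Tokens map[string]SecurityToken // tokens the STS issued, keyed by token string (constructed)
	Log    []string
}

// Enforce returns true only for a valid, unexpired token whose subject the policy permits.
func (e *PEP) Enforce(tok, resource string, env Attributes, now time.Time) bool {
	t, ok := e.Tokens[tok]
	if !ok || now.Unix() >= t.Expires {
		e.Log = append(e.Log, "deny resource="+resource+" reason=invalid-or-expired-token")
		return false
	}
	if !e.PDP.Decide(t.Subject, resource, env) {
		e.Log = append(e.Log, "deny subject="+t.Subject+" resource="+resource+" reason=policy")
		return false
	}
	return true
}

// NewPolicyDemo wires a PDP and PEP with constructed data: finance analysts on a compliant
// device may read the finance report, but confidential data is never served over a public network.
func NewPolicyDemo() *PEP {
	pdp := &PDP{
		Subjects:  map[string]Attributes{"alice": {"subject.role": "analyst"}},
		Resources: map[string]Attributes{"/reports/q4": {"resource.classification": "confidential", "resource.owner": "finance"}},
		Rules: []Rule{
			{Permit: false, Match: Attributes{"resource.classification": "confidential", "env.network": "public"}},
			{Permit: true, Match: Attributes{"subject.role": "analyst", "resource.owner": "finance", "env.device_compliant": "true"}},
		},
	}
	return &PEP{PDP: pdp, Tokens: map[string]SecurityToken{"tok-alice": {Subject: "alice", Expires: 1700003600}}}
}
```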
As shown in fig. 9, a schematic diagram of an intelligent analysis method of an intelligent identity analysis subsystem of an instant authorization system based on a zero trust architecture of the present invention includes:
the workflow obtains relevant data from all data sources;
a defined filter is applied, the data are grouped by the identified entity, and the configured features are calculated and stored;
each entity attribute is analyzed on the basis of the extracted features, and an analysis model generates the behavior summary of the specific entity;
and the feature values of the user's behavior are judged against the user portrait and, combined with the specific entity's behavior summary, user abnormal events are generated.
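The four-step workflow above as an added Go example that is not the patent's own code: a filter drops failed logins, the remaining events are grouped per entity, per-entity features (known source addresses, a login-hour histogram, and the mean and standard deviation of transfer volume) are stored as the behaviour summary, and a new event is scored against it to produce an abnormal event. The features, the z-score threshold and the sample history are constructed for this example.

```go
package main

import (
	"fmt"
	"math"
)

// Event is one record drawn from the collected login logs (constructed layout).
type Event struct {
	Entity  string  // user or device the event is grouped under
	Hour    int     // local hour of day, 0-23
	SrcIP   string
	Bytes   float64 // volume transferred in the session
	Success bool
}

// Profile is the stored behaviour summary of one entity: the features later events are compared against.
type Profile struct {
	Count     int
	MeanBytes float64
	StdBytes  float64
	KnownIPs  map[string]bool
	HourHist  [24]int
}

// BuildProfiles applies the filter, groups the events per entity and computes the configured features.
func BuildProfiles(events []Event, filter func(Event) bool) map[string]*Profile {
	groups := map[string][]Event{}
	for _, e := range events {
		if filter(e) {
			groups[e.Entity] = append(groups[e.Entity], e)
		}
	}
	profiles := map[string]*Profile{}
	for entity, evs := range groups {
		p := &Profile{Count: len(evs), KnownIPs: map[string]bool{}}
		var sum, sumSq float64
		for _, e := range evs {
			sum += e.Bytes
			sumSq += e.Bytes * e.Bytes
			p.KnownIPs[e.SrcIP] = true
			p.HourHist[e.Hour]++
		}
		p.MeanBytes = sum / float64(len(evs))
		p.StdBytes = math.Sqrt(math.Max(sumSq/float64(len(evs))-p.MeanBytes*p.MeanBytes, 0))
		profiles[entity] = p
	}
	return profiles
}

// Anomaly is the generated abnormal-behaviour event.
type Anomaly struct {
	Entity  string
	Reasons []string
}

// Evaluate compares a new event's feature values with the entity's profile; nil means nothing deviated.
func Evaluate(profiles map[string]*Profile, e Event, zThreshold float64) *Anomaly {
	p, ok := profiles[e.Entity]
	if !ok {
		return &Anomaly{Entity: e.Entity, Reasons: []string{"no behaviour profile for entity"}}
	}
	var reasons []string
	if !p.KnownIPs[e.SrcIP] {
		reasons = append(reasons, "source IP never seen for this entity: "+e.SrcIP)
	}
	if p.HourHist[e.Hour] == 0 {
		reasons = append(reasons, fmt.Sprintf("login hour %02d outside usual pattern", e.Hour))
	}
	if p.StdBytes > 0 && math.Abs(e.Bytes-p.MeanBytes)/p.StdBytes > zThreshold {
		reasons = append(reasons, fmt.Sprintf("transfer volume z-score above %.1f", zThreshold))
	}
	if len(reasons) == 0 {
		return nil
	}
	return &Anomaly{Entity: e.Entity, Reasons: reasons}
}

// SampleHistory is constructed baseline data: office-hours logins from two office addresses plus failed night-time attempts the filter removes.
func SampleHistory() []Event {
	var evs []Event
	for day := 0; day < 10; day++ {
		evs = append(evs,
			Event{Entity: "alice", Hour: 9 + day%2, SrcIP: "10.0.1.20", Bytes: 1000 + float64(day*50), Success: true},
			Event{Entity: "alice", Hour: 14, SrcIP: "10.0.1.21", Bytes: 1200 + float64(day*30), Success: true},
			Event{Entity: "alice", Hour: 3, SrcIP: "203.0.113.7", Bytes: 50000, Success: false},
		)
	}
	return evs
}
```

Filtering before profiling matters here: if the failed attempts were left in, the 03:00 hour and the external address would become part of alice's baseline and a later successful login from that address would not be flagged.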
It should be noted that the instant authorization system based on the zero trust architecture provided in the foregoing embodiment is illustrated only in terms of the division of the above functional modules. In practical application, the above functions may be allocated to different functional modules as needed; that is, the modules of the foregoing embodiment may be further decomposed or combined, for example combined into one module or further decomposed into several sub-modules, so as to complete all or part of the functions described above. The names of the modules in the embodiments of the present invention serve only to distinguish them and are not to be regarded as improper limitations of the present invention.
The terms "first," "second," and the like, are used for distinguishing between similar objects and not for describing a particular sequential or chronological order.
The terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus/device that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus/device.
Thus far, the technical solution of the present invention has been described in connection with the preferred embodiments shown in the drawings, but it is easily understood by those skilled in the art that the scope of protection of the present invention is not limited to these specific embodiments. Equivalent modifications and substitutions for related technical features may be made by those skilled in the art without departing from the principles of the present invention, and such modifications and substitutions will be within the scope of the present invention.
Claims (10)
1. An instant authorization system based on a zero trust architecture is characterized by comprising an identity authentication subsystem, an authorization management subsystem and an intelligent identity analysis subsystem;
the identity authentication subsystem is used for creating an identity library, managing the identity and authenticating the identity;
the authorization management subsystem is used for establishing an authorization library, executing authorization policies and managing authorization;
the intelligent identity analysis subsystem is used for analyzing the behavior of the user by utilizing machine learning to form an intelligent analysis result.
2. The zero trust architecture based instant authorization system of claim 1, wherein the identity authentication subsystem comprises an identity management module, an identity authentication module, an identity library, and an authentication service interface;
the identity management module is used for establishing and maintaining an identity library, managing identity attributes, and changing and cancelling the identity attributes;
the identity authentication module is used for adaptively selecting a corresponding identity authentication mode to perform identity authentication of a user/service/equipment;
the identity library is used for storing identities and attributes;
the authentication service interface is used for providing an authentication interface and an identity synchronization interface to external systems, performing identity identification and token transfer, and realizing interfacing and linkage with external systems.
3. The zero trust architecture based instant authorization system of claim 2, wherein the user/service/device authentication is based on the following authentication policies:
the user identity authentication policy is based on risk identification from environmental factors, and authentication measures are adjusted according to the risk grade; the environmental factors comprise user behavior, device fingerprint, geographic position and time;
the service identity authentication policy verifies the identity of the service initiator and the identity of the user who initiated the original request, with the identity transferred by means of the user token; the user token comprises the OAuth 2.0 format and the JWT format;
the device identity authentication policy aggregates device-related information into a device asset library through continuous automatic data collection and aggregation, and compares the device used by the user with the device information last used in the device asset library, so as to ensure consistency between the device information and the device asset library information.
4. The zero trust architecture based instant authorization system of claim 1, wherein the authorization management subsystem comprises an authorization management module, an authorization engine module, a rights library, and an authorization service interface;
the authorization management module is used for managing the rules, policies and attribute information in the authority library and maintaining the rules, policies and attribute information related to authorization;
the authorization engine is used for interfacing with, synchronizing and integrating the input information of the external attributes, the analysis platform and the terminal management platform, providing real-time authorization judgment on authorization requests and performing real-time authorization processing;
the authority library is used for storing rules, policies and attribute information;
the authorization service interface is used for providing an external authorization interface and protocol adaptation.
5. The zero trust architecture based instant authorization system of claim 1, wherein the intelligent identity analysis subsystem comprises a management center, a data collection module, an intelligent analysis module, and an external service interface;
the management center is used for integrating the input of the external platform, perfecting the identity information and forming a complete identity portrait;
the data collection module is used for acquiring data from the workflow and the log information, and filtering and grouping the data;
the intelligent analysis module is used for performing multidimensional analysis and feature extraction on the data, making a comprehensive judgment, realizing data-analysis-driven intelligent identity access and management, and performing dynamic calculation from policy, risk and attribute factors to provide dynamic authorization factors to the instant authorization system;
the external service interface is used for providing a service interface for an external system.
6. The zero-trust-architecture-based instant authorization system of claim 1, wherein the instant authorization system has an access control flow:
an administrator/user initiates a login request, and the system sends identity information submitted by the administrator/user to a portal for authentication;
the portal sends the administrator/user's identity information to the identity library for validity verification and checks whether the administrator/user exists; if not, the access flow stops;
if the administrator/user exists, the authentication policy library makes a comprehensive judgment on the attributes of the administrator/user, the resource and the environment to obtain the administrator/user's authentication policy and authority;
and authenticating the administrator/user based on the authentication policy and the authority, and if the authentication is passed, performing corresponding resource access according to the granted authority.
7. The zero-trust-architecture-based instant authorization system of claim 6, wherein the instant authorization system is authenticated by the following method:
the client requests to access the service provider; the service provider is a resource to be accessed, and the client is a registered user of an identity provider requesting to access the resource to be accessed;
the service provider generates an authentication request data packet, stores it in a hidden field of an HTML form and returns the form to the user; the form's action address is the pre-configured address of the identity provider, and the form is submitted to the identity provider's address automatically;
the identity provider returns to the client authentication page to authenticate the client;
the client provides identity information to the service provider and requests that authentication pass; after authenticating the client, the service provider generates a user access credential, signs it with a private key and returns it to the client;
the service provider acquires the user access credentials of the client, verifies the signature through the public key of the identity provider, and returns the resource to be accessed to the client after the verification is passed.
8. The zero trust architecture based instant authorization system of claim 7, wherein the user access credentials are used to prove the identity and rights of a client.
9. The zero-trust-architecture-based instant authorization system according to claim 1, wherein the authorization management subsystem has a right control method as follows:
the policy management point generates a security policy described in the XACML language, and the user requests a security token from the STS service;
the STS service returns a valid access credential, which contains a security token, an access key and a credential expiration time;
the policy enforcement point intercepts the access control request sent by the user, verifies the security token carried by the user, and forwards the intercepted access control request to the policy decision point;
the policy decision point requests the subject, resource and environment attributes from the policy information point, makes the access control decision on the basis of the returned attributes, and returns the decision result to the policy enforcement point;
if the decision result is deny, the event is logged; if the decision result is permit, the policy enforcement point executes it: the user accesses the key ciphertext, decrypts it with the private key to obtain the symmetric key, and decrypts the data ciphertext with that key to obtain the data plaintext.
10. The zero-trust-architecture-based instant authorization system of claim 1, wherein the intelligent identity analysis subsystem comprises the following analysis methods:
the workflow obtains relevant data from all data sources;
applying a defined filter, grouping data according to the identified entity, and calculating and storing the configured characteristics;
analyzing each entity attribute based on the extracted characteristics, and generating a behavior summary of the specific entity by using an analysis model;
and the feature values of the user's behavior are judged against the user portrait and, combined with the specific entity's behavior summary, user abnormal events are generated.
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211682894.8A CN116415217A (en) | 2022-12-27 | 2022-12-27 | Instant authorization system based on zero trust architecture |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN202211682894.8A CN116415217A (en) | 2022-12-27 | 2022-12-27 | Instant authorization system based on zero trust architecture |
Publications (1)
| Publication Number | Publication Date |
|---|---|
| CN116415217A true CN116415217A (en) | 2023-07-11 |
Family
ID=87052134
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN202211682894.8A Pending CN116415217A (en) | 2022-12-27 | 2022-12-27 | Instant authorization system based on zero trust architecture |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN116415217A (en) |
Cited By (5)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN116962091A (en) * | 2023-09-21 | 2023-10-27 | 华能信息技术有限公司 | Dynamic authorization method and system for accurate access |
| CN117332391A (en) * | 2023-09-21 | 2024-01-02 | 华北电力大学 | Distribution network data asset security access method and system taking into account hierarchical authority control |
| CN116962091B (en) * | 2023-09-21 | 2024-02-27 | 华能信息技术有限公司 | Dynamic authorization method and system for accurate access |
| CN117118751A (en) * | 2023-10-23 | 2023-11-24 | 城云科技(中国)有限公司 | Expansion method and application of access control model based on OAuth2 |
| CN117118751B (en) * | 2023-10-23 | 2024-01-30 | 城云科技(中国)有限公司 | Expansion method and application of access control model based on OAuth2 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| JP6426189B2 (en) | System and method for biometric protocol standard | |
| US10911428B1 (en) | Use of metadata for computing resource access | |
| US8209394B2 (en) | Device-specific identity | |
| US7571473B1 (en) | Identity management system and method | |
| US8769642B1 (en) | Techniques for delegation of access privileges | |
| US8800003B2 (en) | Trusted device-specific authentication | |
| EP2109955B1 (en) | Provisioning of digital identity representations | |
| US20230121372A1 (en) | Secure resource authorization for external identities using remote principal objects | |
| CN103916454B (en) | Method and device for extending organizational boundaries throughout a cloud architecture | |
| Laborde et al. | A user-centric identity management framework based on the W3C verifiable credentials and the FIDO universal authentication framework | |
| US7926089B2 (en) | Router for managing trust relationships | |
| US20090293108A1 (en) | Method and System for User Management of Authentication Tokens | |
| US20130162394A1 (en) | Data repository authentication | |
| Alonso et al. | An identity framework for providing access to FIWARE OAuth 2.0-based services according to the eIDAS European regulation | |
| CN116415217A (en) | Instant authorization system based on zero trust architecture | |
| US8479006B2 (en) | Digitally signing documents using identity context information | |
| CN109196500A (en) | The certification based on unified VPN and identity to service based on cloud | |
| US12407514B2 (en) | System and method for secure access to legacy data via a single sign-on infrastructure | |
| CN108881218B (en) | Data security enhancement method and system based on cloud storage management platform | |
| US11539533B1 (en) | Access control using a circle of trust | |
| EP4546177A1 (en) | System and method for cross-platform recent user-activity based authentication | |
| US11477189B2 (en) | Primary domain and secondary domain authentication | |
| US20240333708A1 (en) | Multi-factor enabled access using randomly selected digital identity authentication factors | |
| Alsulami | Towards a Federated Identity and Access Management Across Universities | |
| Bučík | Optimisation of user digital identity gathering process |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| PB01 | Publication | ||
| SE01 | Entry into force of request for substantive examination | ||