CN114553540B - Zero trust-based Internet of things system, data access method, device and medium - Google Patents
- Publication number: CN114553540B; related numbers: CN202210165043.XA, CN202210165043A
- Authority: CN (China)
- Prior art keywords: access, access terminal, identity, security, terminal
- Legal status: Active
Classifications
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities (under H04L63/00)
- H04L63/0209—Architectural arrangements, e.g. perimeter networks or demilitarized zones (under H04L63/02, separating internal from external traffic, e.g. firewalls)
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources (under H04L63/00)
- H04L67/12—Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks (under H04L67/01, Protocols)
- All of the above fall under H—ELECTRICITY, H04—ELECTRIC COMMUNICATION TECHNIQUE, H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
Landscapes
- Engineering & Computer Science (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computer Security & Cryptography (AREA)
- General Engineering & Computer Science (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Medical Informatics (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
The invention discloses an internet of things system based on zero trust, a data access method, a data access device and a medium, and relates to the technical field of network security. The method comprises the following steps: in response to an access request sent by an access terminal, the security agent performs first identity verification according to the second identity information and the first identity information in the access request; when the first identity verification is passed, the security agent sends the access request to the identity authentication platform; the identity authentication platform performs second identity authentication on the access terminal according to the third identity information and the first identity information; when the second identity authentication is passed, the security gateway adds access rights to the access request and sends it to the micro isolation module; the micro isolation module grants an access function to the access terminal according to the access authority; and the access terminal accesses the server according to the access function. Through multiple rounds of identity verification, the method and system realize a complete zero trust technology deployment from the access terminal to the server and improve the security of the Internet of things system.
Description
Technical Field
The invention relates to the technical field of network security, in particular to an internet of things system based on zero trust, a data access method, a data access device and a medium.
Background
In order to ensure the security of the server and of the data resources in the internet of things, the related art generally builds a firewall to form a physical boundary defense and places the server and the data resources to be protected in an 'intranet' behind the firewall. However, with the continued rise of technologies such as cloud computing and big data, the boundary of the internet of things network architecture keeps expanding as these technologies develop, so that the traditional security boundary represented by a firewall is continually broken down and can hardly meet the security requirements of the internet of things. Therefore, how to ensure the security of the internet of things system has become a problem that urgently needs study.
Disclosure of Invention
The present application aims to solve, at least to some extent, one of the technical problems in the related art. Therefore, the application provides an Internet of things system based on zero trust, a data access method, a data access device and a medium, so that a complete zero trust technology deployment from the access terminal to the server can be realized and the security of the Internet of things system improved.
In order to achieve the above purpose, the embodiment of the invention also provides an internet of things system based on zero trust, which comprises an access subsystem, a management subsystem and a background subsystem; the access subsystem comprises an access terminal and a security agent; the security agent is configured to respond to an access request of the access terminal, perform first authentication on the access terminal, and send the access request to the management subsystem after the first authentication is passed; the management subsystem comprises an identity authentication platform and a security gateway; the identity authentication platform is used for carrying out second identity authentication on the access terminal according to the access request; the security gateway is used for adding the access authority of the access terminal to the access request when the second identity authentication is passed; sending the access request added with the access authority to the background subsystem; the background subsystem comprises a micro isolation module and a server; and the micro isolation module is used for granting an access function to the access terminal according to the access authority so that the access terminal accesses the server according to the access function.
To achieve the above objective, an embodiment of the present invention provides a data access method, which is applied to an internet of things system based on zero trust, and the method includes the following steps: the access terminal sends an access request to the security agent; according to the first identity information in the access request and the pre-stored second identity information, performing first identity verification on the access terminal through the security agent; when the first authentication passes, the security agent sends the access request to the authentication platform; according to the stored third identity information and the first identity information, performing second identity verification on the access terminal through the identity authentication platform; when the second identity verification is passed, the security gateway adds the access authority of the access terminal in the access request and sends the access request to the micro isolation module; according to the access authority, granting an access function to the access terminal through the micro isolation module; and the access terminal accesses the server according to the access function.
To achieve the above object, an embodiment of the present invention further provides an apparatus, including: at least one processor; at least one memory for storing at least one program; the at least one program, when executed by the at least one processor, causes the at least one processor to perform the steps of the method as described above.
To achieve the above object, an embodiment of the present invention also provides a computer storage medium in which a processor-executable program is stored, which when executed by the processor, implements the steps of the foregoing method.
The beneficial effects of the embodiment of the application are as follows: the Internet of things system based on zero trust, which is provided by the embodiment of the application, comprises an access subsystem, a management subsystem and a background subsystem; the access subsystem comprises an access terminal and a security agent, the management subsystem comprises an identity authentication platform and a security gateway, and the background subsystem comprises a micro isolation module and a server; the application also provides a data access method, when the access terminal needs to access the server, the access terminal sends an access request to the security agent; the security agent performs first identity verification on the access terminal according to the stored second identity information and the first identity information in the access request; when the first identity verification is passed, the security agent sends an access request to the identity authentication platform; the identity authentication platform performs second identity authentication on the access terminal according to the stored third identity information and the first identity information; when the second identity verification is passed, the security gateway adds the access authority of the access terminal in the access request and sends the access request to the micro isolation module; the micro isolation module grants an access function to the access terminal according to the access authority; the access terminal accesses the server according to the access function. 
According to the embodiment of the application, a complete zero trust technology deployment from the access terminal to the server is realized through multiple rounds of identity verification; furthermore, the management subsystem centrally manages the access requests of the access terminals, which helps to simplify the complexity of the Internet of things system and improve its security; and the management subsystem serves as a software boundary that effectively separates the access terminals from the server and can effectively protect the server from external attack, thereby improving the security of the Internet of things system.
Drawings
The accompanying drawings are included to provide a further understanding of the technical aspects of the present application and are incorporated in and constitute a part of this specification; together with the examples of the present application they illustrate its technical aspects and do not constitute a limitation of them.
Fig. 1 is a schematic diagram of an internet of things system based on zero trust provided in an embodiment of the present application;
Fig. 2 is a flowchart illustrating steps of a data access method according to an embodiment of the present disclosure;
Fig. 3 is a flowchart of steps for accessing an access terminal to an internet of things system for the first time according to an embodiment of the present application;
Fig. 4 is a schematic diagram of a data access device according to an embodiment of the present application.
Detailed Description
In order to make the objects, technical solutions and advantages of the present application more apparent, the present application will be further described in detail with reference to the accompanying drawings and examples. It should be understood that the specific embodiments described herein are for purposes of illustration only and are not intended to limit the present application.
It should be noted that although functional block diagrams are depicted as block diagrams, and logical sequences are shown in the flowchart, in some cases, the steps shown or described may be performed in a different order than the block diagrams in the system. The terms first, second and the like in the description and in the claims and in the above-described figures, are used for distinguishing between similar elements and not necessarily for describing a particular sequential or chronological order.
In the following description, suffixes such as "module", "part" or "unit" for representing elements are used only for facilitating the description of the present invention, and have no particular meaning in themselves. Thus, "module," "component," or "unit" may be used in combination.
Embodiments of the present application are further described below with reference to the accompanying drawings.
Referring to Fig. 1, Fig. 1 is a schematic diagram of an internet of things system based on zero trust provided in an embodiment of the present application, where the system 100 includes, but is not limited to, an access subsystem 110, a management subsystem 120, and a background subsystem 130; the access subsystem comprises an access terminal 111 and a security agent 112; the management subsystem includes an identity authentication platform 121 and a security gateway 122; and the background subsystem includes a micro isolation module 131 and a server 132.
In the embodiment of the application, the access terminal refers to IoT (Internet of Things) equipment in the internet of things, and also to terminal equipment that contains a software access portal of the internet of things. For example, in an internet of things system in the field of intelligent traffic management, the major IoT devices include speed meters, cameras, toll gate bays and the like installed on roads, and these IoT devices generally need to access servers in the network periodically to complete tasks such as device keep-alive, authorization management and control, and data reporting. For another example, an administrator of the internet of things system may operate a terminal device such as a personal computer (PC), a mobile phone, a smart phone, a personal digital assistant (PDA), a wearable device, a pocket PC (PPC), a tablet computer or the like, and access a server through an access portal such as a web page, an app or an applet.
In this embodiment of the present application, the security agent is configured to respond to an access request of the access terminal, perform a first authentication on the access terminal, and when the first authentication passes, forward the access request to the management subsystem. That is, the security agent corresponds to a "gatekeeper" of the access subsystem, responsible for authenticating the access terminal in response to the access request. It will be appreciated that in a relatively large internet of things system, there may be multiple security agents, with different security agents being responsible for handling access requests from access terminals in different areas.
The embodiment of the application also provides that a management subsystem is additionally arranged in the Internet of things system, which centrally manages the access requests forwarded by a plurality of access terminals and different security agents and performs identity verification and identity authorization uniformly. In this way, the various access behaviors of the scattered access terminals in the Internet of things system are managed and controlled uniformly, so the management subsystem provided by the embodiment of the application helps simplify the complexity of the Internet of things system, effectively improves its security, and realizes the deployment of 'zero trust' technology.
The management subsystem includes an identity authentication platform and a security gateway. The identity authentication platform is used for performing second identity authentication on the access terminal according to the access request; when the second identity verification is passed, the security gateway adds the access authority of the access terminal to the access request and sends the access request carrying the access authority to the background subsystem. Compared with the related art, in which the boundary between terminal and server is gradually becoming invalid, the security gateway provided by the embodiment of the application can serve as a software boundary between the server and the access terminal, effectively separating the access terminal from the server and preventing the server from being attacked from outside, so that the important data resources in the server are effectively protected.
In the embodiment of the application, the background subsystem comprises a micro isolation module and a server, wherein the micro isolation module is used for granting the access function to the access terminal according to the access authority so that the access terminal accesses the server according to the access function. That is, the micro isolation module is used as a barrier in front of the server to grant a corresponding access function to the access terminal accessing the server, and the access terminal can only access part of the data of the server according to the access function, so that other data of the server can be protected, and the security of the data of the server is improved.
In this embodiment of the present application, a server may refer to a server, or a server cluster formed by a plurality of servers, or a cloud computing service center mounted on a cloud, where the server may store important data in an internet of things system, and complete a corresponding service process according to a service request, where the service process includes, but is not limited to, data access, authorization management and control, and so on.
With reference to Fig. 1 and the foregoing, an embodiment of the present application provides an internet of things system based on zero trust. At the stage where an access terminal in the access subsystem sends an access request, the security agent performs a first identity authentication on the access terminal; while the security agent forwards the access request toward the background subsystem, the management subsystem performs a second identity verification on the access terminal and forwards the access request to the background subsystem; and when the access request reaches the background subsystem, the micro isolation module grants the access terminal a limited access function. Thus, at every node on the access terminal's path to the server, the access terminal is treated as untrusted by default and must be authenticated, and in the background subsystem, even after the access terminal has completed authentication, its access function is limited, so that a complete deployment of zero trust technology is truly realized on a traditional internet of things system. In this way, the zero trust-based internet of things system of the embodiment of the application can, to a certain extent, solve the problem in the related art that the boundary between terminal and server is invalid, realizes a complete and multidimensional zero trust technology deployment on the internet of things system, and can effectively prevent the server from being attacked, thereby improving the security of the internet of things system.
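The chain just described, as an added illustrative example that is not code from the patent: a small Python simulation in which the security agent and the identity authentication platform each verify the terminal against their own stored identity information, the security gateway attaches access rights, and the micro isolation module returns a restricted access function instead of exposing the server. All terminal ids, credentials, resource names, the digest-based credential comparison and the rights table are assumptions made for the example, not details from the patent.

```python
"""Added example, not code from the patent: a minimal simulation of the
zero-trust access chain described above. Each hop re-verifies the terminal,
the security gateway attaches access rights, and the micro isolation module
hands back a restricted access function instead of the server itself.
Terminal ids, credentials, resource names and the rights table are constructed."""
import hashlib
import hmac
from dataclasses import dataclass, field


@dataclass
class AccessRequest:
    terminal_id: str
    credential: str                   # first identity information, presented by the terminal
    resource: str                     # server resource the terminal wants
    access_rights: set = field(default_factory=set)   # filled in by the security gateway


def digest(credential: str) -> str:
    """Modules store a digest of the credential, never the credential itself (assumed form)."""
    return hashlib.sha256(credential.encode()).hexdigest()


def matches(store: dict, req: AccessRequest) -> bool:
    """Compare the presented credential against the identity information held by one module."""
    stored = store.get(req.terminal_id)
    return stored is not None and hmac.compare_digest(stored, digest(req.credential))


class SecurityAgent:
    """Gatekeeper of the access subsystem; holds the second identity information."""
    def __init__(self, second_identity: dict):
        self.second_identity = second_identity        # terminal_id -> credential digest

    def first_verification(self, req: AccessRequest) -> bool:
        return matches(self.second_identity, req)


class IdentityAuthenticationPlatform:
    """Management subsystem; holds the third identity information and checks again."""
    def __init__(self, third_identity: dict):
        self.third_identity = third_identity          # terminal_id -> credential digest

    def second_verification(self, req: AccessRequest) -> bool:
        return matches(self.third_identity, req)


class SecurityGateway:
    """Adds the terminal's access rights to the request before it leaves the management subsystem."""
    def __init__(self, rights_table: dict):
        self.rights_table = rights_table              # terminal_id -> resources it may reach

    def add_access_rights(self, req: AccessRequest) -> AccessRequest:
        req.access_rights = set(self.rights_table.get(req.terminal_id, ()))
        return req


class MicroIsolationModule:
    """Barrier in front of the server: grants a function limited to the attached rights."""
    def __init__(self, server_data: dict):
        self.server_data = server_data

    def grant_access_function(self, req: AccessRequest):
        allowed = frozenset(req.access_rights)       # snapshot: later edits to req cannot widen it

        def access(resource: str):
            if resource not in allowed:
                raise PermissionError(f"{req.terminal_id} has no right to {resource}")
            return self.server_data[resource]
        return access


def access_server(req, agent, platform, gateway, isolation):
    """Run the request through every hop; returns (status, payload or reason)."""
    if not agent.first_verification(req):
        return ("denied", "first identity verification failed")
    if not platform.second_verification(req):
        return ("denied", "second identity verification failed")
    gateway.add_access_rights(req)
    access = isolation.grant_access_function(req)
    try:
        return ("ok", access(req.resource))
    except PermissionError as exc:
        return ("denied", str(exc))


def build_system():
    """Constructed deployment: a camera registered at both hops, a PC known only to the agent."""
    agent = SecurityAgent({"cam-001": digest("cam-001-secret"), "pc-002": digest("pc-002-secret")})
    platform = IdentityAuthenticationPlatform({"cam-001": digest("cam-001-secret")})
    gateway = SecurityGateway({"cam-001": {"keepalive", "telemetry/upload"}})
    isolation = MicroIsolationModule({"keepalive": "alive", "telemetry/upload": "ack",
                                      "admin/config": "operator-only"})
    return agent, platform, gateway, isolation


def demo() -> dict:
    """Four constructed requests, one per outcome of the chain."""
    system = build_system()
    cases = {
        "allowed": AccessRequest("cam-001", "cam-001-secret", "keepalive"),
        "outside_rights": AccessRequest("cam-001", "cam-001-secret", "admin/config"),
        "wrong_credential": AccessRequest("cam-001", "guess", "keepalive"),
        "unknown_to_platform": AccessRequest("pc-002", "pc-002-secret", "keepalive"),
    }
    return {name: access_server(req, *system) for name, req in cases.items()}
```

The fourth case is the one that shows why the second verification matters: a terminal whose record exists only at the agent is still stopped by the platform, and the closure returned by the micro isolation module stops the camera from reaching admin/config even though it authenticated twice, which is the "limited access function" the description refers to.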
In some embodiments, as shown in Fig. 1, the management subsystem in the embodiment of the present application further includes a risk control decision engine 123; the risk control decision engine is used for dynamically adjusting the risk level of the access terminal according to abnormal behavior of the access terminal. It can be appreciated that when the access terminal first accesses the internet of things system, its risk level may be defined as "general", because the access terminal has not yet performed any access. Alternatively, the risk level of the access terminal may be set to a predetermined level according to information such as the identity of the access terminal. After the access terminal has accessed the Internet of things system, the risk control decision engine can monitor the various behaviors of the access terminal in the system and dynamically adjust its risk level according to abnormal behaviors. Abnormal behavior of the access terminal includes, but is not limited to, abnormal login of the terminal, incorrect password entry, abnormal consumption by the terminal and the like. For example, a user accesses the internet of things system through an access portal on the web, and the risk control decision engine observes that the user enters a wrong account password 3 times in a row; the access terminal may then have been taken over maliciously, with an attacker trying to attack the server through it, so the risk control decision engine adjusts the risk level of the access terminal from the original "general" state to the "dangerous" state.
It will be appreciated that, in order to ensure data security within the server, the risk level of the access terminal is related to its access rights to the server data. That is, the security gateway may determine the access right corresponding to the access terminal according to the risk level of the access terminal, and when the risk level changes due to the abnormal behavior of the user, the security gateway dynamically adjusts the access right corresponding to the access terminal according to the change of the risk level. For example, when the risk level changes from "general" to "dangerous", the security gateway may adjust the access authority of the access terminal from allowing access to data of a specified location in the server to not allowing access to the server, thereby improving security of the server.
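An added example (not from the patent) of the risk control decision engine and of the gateway's response to a level change: the engine counts consecutive failed logins, uses the description's figure of three as its threshold, treats an abnormal login or abnormal consumption as immediately "dangerous", and the gateway looks the level up at decision time so a change takes effect on the next request. The event names, the threshold constant, the reset on a successful login and the rights table are assumptions.

```python
"""Added example, not the patent's code: a risk control decision engine that
moves a terminal's risk level from "general" to "dangerous" on abnormal
behaviour, and a security gateway that derives access rights from the current
level whenever it is asked. Event names, the threshold of three consecutive
failed logins (the figure used in the description's example) and the rights
table are assumptions."""
from collections import defaultdict

GENERAL = "general"
DANGEROUS = "dangerous"

# Assumed rights table: a "general" terminal may read one specified location;
# a "dangerous" terminal may not reach the server at all.
RIGHTS_BY_LEVEL = {GENERAL: {"data/specified-location"}, DANGEROUS: set()}

# Behaviours the engine treats as abnormal after a single event (assumed names).
IMMEDIATE_ABNORMAL = {"abnormal_login", "abnormal_consumption"}


class RiskControlDecisionEngine:
    FAILED_LOGIN_THRESHOLD = 3

    def __init__(self):
        self.level = defaultdict(lambda: GENERAL)          # new terminals start as "general"
        self.consecutive_failures = defaultdict(int)
        self.history = []                                  # (terminal_id, old_level, new_level)

    def set_predetermined_level(self, terminal_id: str, level: str) -> None:
        """Optional: seed a level from the terminal's identity instead of the default."""
        self.level[terminal_id] = level

    def observe(self, terminal_id: str, event: str) -> str:
        """Feed one monitored behaviour; returns the terminal's (possibly updated) risk level."""
        old = self.level[terminal_id]
        new = old
        if event == "login_failed":
            self.consecutive_failures[terminal_id] += 1
            if self.consecutive_failures[terminal_id] >= self.FAILED_LOGIN_THRESHOLD:
                new = DANGEROUS
        elif event == "login_ok":
            self.consecutive_failures[terminal_id] = 0      # a success breaks the streak (assumed)
        elif event in IMMEDIATE_ABNORMAL:
            new = DANGEROUS
        if new != old:
            self.history.append((terminal_id, old, new))
            self.level[terminal_id] = new
        return self.level[terminal_id]


class SecurityGateway:
    """Looks the level up at decision time, so a level change takes effect on the next request."""

    def __init__(self, engine: RiskControlDecisionEngine):
        self.engine = engine

    def access_rights(self, terminal_id: str) -> set:
        return set(RIGHTS_BY_LEVEL[self.engine.level[terminal_id]])


def scenario() -> dict:
    """Constructed run: one web user mistypes the password three times in a row,
    another fails, succeeds, then fails twice and so never reaches the threshold."""
    engine = RiskControlDecisionEngine()
    gateway = SecurityGateway(engine)
    tid = "web-user-42"
    before = gateway.access_rights(tid)
    levels = [engine.observe(tid, "login_failed") for _ in range(3)]
    after = gateway.access_rights(tid)
    other = "web-user-7"
    for event in ("login_failed", "login_ok", "login_failed", "login_failed"):
        engine.observe(other, event)
    return {"before": before, "levels": levels, "after": after,
            "history": list(engine.history), "other_level": engine.level[other]}
```

Because the gateway consults the engine on every decision rather than caching rights, the adjustment described above (from "allowed to read a specified location" to "no access to the server") needs no extra propagation step; the second terminal in the scenario shows that only consecutive failures, not a lifetime count, trigger the change.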
In other embodiments, the access subsystem of an embodiment of the present application further includes a secure browser and a secure sandbox (not shown in Fig. 1). As described above, the access terminal in the embodiment of the present application also refers to a terminal device containing a software access portal of the internet of things, through which the access terminal may access the server via a web page, app, applet or the like. Therefore, the secure browser and the secure sandbox can be installed on the terminal device so that the user accesses the server through them, ensuring the security of the access process.
For example, the terminal device is a computer provided with a secure browser; when the user operates the computer, the user can open the login page of the internet of things system in the secure browser and thereby access the background server through it. The secure browser provides a secure access network for the access terminal, and a list of network addresses that can be accessed securely is built into the browser. Through these network addresses the user may access different network systems, including but not limited to the internet of things system of the embodiments of the present application, and the secure browser protects the user's access to these network addresses. The protection applied during access is imperceptible to the user: the secure browser itself encrypts the data it sends before passing it to the security agent, receives the data returned by the server, decrypts it, and displays the result to the user in the front-end page of the Internet of things system. In addition, when the user uses the secure browser, part of the protection can be realized on the browser page itself: for example, a watermark of the user information is displayed on the browser interface so that user information is protected from leakage; for another example, page content copying, page saving, page screen capture and similar functions are disabled for the user in the browser, so that data of the accessed Internet of things system is not leaked and the system is not threatened.
In addition to the secure browser, a secure sandbox is included in the access subsystem. In the field of network architecture, a sandbox is a virtual system program that creates a virtual operating environment in which a user can run software such as the secure browser. At the same time, the secure sandbox isolates the device data and the office environment of the access terminal from the Internet of things system, so that the data and office environment on the access terminal cannot affect the security of the Internet of things system. For example, the secure browser runs in the secure sandbox and the user accesses a cloud desktop and cloud environment in the internet of things system through it; beyond the protection provided by the secure browser described above, the secure sandbox also effectively isolates the cloud desktop and cloud environment from the local device. For example, the user may log in to the cloud desktop, access files in the cloud desktop and change or delete them; the user may also upload files from the local device to the cloud desktop and download files from the cloud environment to the cloud desktop. However, the user cannot download files from the cloud desktop to the local device, so that the cloud desktop, the cloud environment and the local device are effectively isolated, leakage of files from the cloud environment and the cloud desktop is avoided, and the security of the Internet of things system is effectively ensured.
Through the combination of one or more embodiments, the embodiment of the application provides an internet of things system based on zero trust which can, to a certain extent, solve the problem that the boundary between terminal and server in the related art is invalid, realizes a complete and multidimensional zero trust technology deployment on the internet of things system, and can effectively prevent the server from being attacked, thereby improving the security of the internet of things system.
Referring to fig. 2, fig. 2 is a flowchart illustrating steps of a data access method according to an embodiment of the present application, where the method is applied to the zero trust based internet of things system described in the foregoing, and the method includes, but is not limited to, steps S200-S270:
S200, the access terminal is accessed to the Internet of things system for the first time;
specifically, before describing a process of an access terminal accessing a server, a process of the access terminal accessing the internet of things system for the first time is first described. Referring to fig. 3, fig. 3 is a flowchart illustrating steps of accessing an access terminal to an internet of things system for the first time according to an embodiment of the present application, where the method includes, but is not limited to, steps S300-S350:
s300, the access terminal sends a registration request to the security agent;
specifically, when the access terminal first accesses the internet of things system, a registration request is first sent to the security agent, where the registration request is used to indicate to the receiver that: the current access terminal requests access to the internet of things system. The fourth identity information and the validity identification are included in the registration request.
It should be noted that, in this embodiment of the present application, identity information is used to characterize the identity of the access terminal, or of the user accessing the internet of things system through the access terminal. It may take the form of an ID of the access terminal, an account and password used by the access terminal to access the internet of things system, or face information, fingerprint information, mobile phone number or mailbox information of the user bound to the current access terminal; in short, a module in the system can perform identity verification on the identity information to determine which access terminal is requesting access to, or has accessed, the internet of things system. The prefixes of the first, second, third and fourth identity information described in the embodiments of the present application only distinguish identity information held in different storage locations or used in different steps, and do not modify the specific meaning of the identity information. It will of course be appreciated that the specific form of the identity information may differ slightly between storage locations (for example in the security agent or in the identity authentication platform), and the embodiments of the present application place no specific limitation on the form in which identity information is expressed.
The validity identifier is a related identifier that can indicate the validity of the access terminal, for example, when the access terminal is an IoT device, the validity identifier may be a factory qualification number of the IoT device.
S310, responding to a registration request, and performing first validity verification on the access terminal by the security agent according to the validity identification;
specifically, when the registration request is received, the security agent performs a first validity verification on the access terminal according to the validity identifier. The validity verification checks whether the current access terminal is a legitimate device, and may take the following form: when the Internet of things system is built, the identifiers of the supported manufacturers, that is, of the legitimate access terminals recognized by the system, are stored in modules such as the security agent and the identity authentication platform. When the security agent receives the registration request, it compares the validity identifier in the registration request with the identifiers of legitimate access terminals it has stored, and thereby confirms whether the current access terminal is legitimate.
It should be noted that in the first validity verification and the second validity verification described in the embodiments of the present application, the prefixes "first", "second" and the like only distinguish the verification performed on the access terminal by different modules of the system (the security agent and the identity authentication platform), and do not modify the specific meaning of the validity verification.
S320, when the first validity verification passes, the security agent stores the fourth identity information as the second identity information and sends the registration request to the identity authentication platform;
Specifically, when the first validity verification passes, the access terminal is a legal terminal, and the security agent stores the fourth identity information carried in the registration request; the identity information stored in the security agent is called the second identity information. The security agent then sends the registration request to the identity authentication platform.
S330, in response to the registration request, the identity authentication platform performs second validity verification on the access terminal according to the validity identifier;
Specifically, when the registration request is received, the identity authentication platform performs second validity verification on the access terminal according to its validity identifier, so as to confirm once more whether the current access terminal is legal. The second validity verification proceeds in the same way as the first validity verification in step S310 and is not described again here.
S340, when the second validity verification passes, the identity authentication platform stores the fourth identity information as the third identity information and sends response information indicating successful registration to the security agent;
Specifically, when the second validity verification passes, the access terminal is a legal terminal, and the identity authentication platform stores the fourth identity information carried in the registration request; the identity information stored in the identity authentication platform is called the third identity information. The identity authentication platform then sends the response information indicating successful registration to the security agent.
S350, the security agent sends the response information to the access terminal, so that the access terminal is successfully admitted to the Internet of Things system;
Specifically, after receiving the response information, the security agent forwards it to the access terminal, which is thereby successfully admitted to the Internet of Things system according to the response information.
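The registration flow of steps S300-S350, as an added example in Python that is not code from the patent. The security agent and the identity authentication platform each hold their own allowlist of validity identifiers and each verifies the registration request independently, so a stale or tampered allowlist in the agent cannot admit a device on its own. The class and field names, the shape of the request (a terminal ID, a credential as the fourth identity information, and a factory qualification number as the validity identifier), the salted hashing of the stored credential, and the rollback of the agent's stored identity when the platform rejects the request are all assumptions, not details the patent specifies.

```python
"""Registration flow S300-S350 (added example; not code from the patent)."""
import hashlib
import secrets

# Constructed allowlist: validity identifiers (factory qualification numbers) of the
# manufacturers agreed when the system was built, held by agent and platform alike.
LEGAL_VALIDITY_IDS = {"FQ-ACME-2021-0001", "FQ-BETA-2021-0007"}


def credential_hash(secret: str, salt: str) -> str:
    """Store only a salted hash of the credential, never the credential itself."""
    return hashlib.sha256((salt + secret).encode()).hexdigest()


class AuthPlatform:
    """Identity authentication platform: second validity verification, keeps third identity info."""

    def __init__(self, legal_ids):
        self.legal_ids = set(legal_ids)
        self.third_identity = {}  # terminal_id -> (salt, credential hash)

    def register(self, req: dict) -> dict:
        # S330: second validity verification, independent of the agent's check.
        if req["validity_id"] not in self.legal_ids:
            return {"ok": False, "stage": "platform", "reason": "validity identifier not recognised"}
        # S340: store the fourth identity information as the third identity information.
        salt = secrets.token_hex(8)
        self.third_identity[req["terminal_id"]] = (salt, credential_hash(req["secret"], salt))
        return {"ok": True, "stage": "platform", "reason": "registered"}


class SecurityAgent:
    """Security agent: first validity verification, keeps second identity info."""

    def __init__(self, legal_ids, platform: AuthPlatform):
        self.legal_ids = set(legal_ids)
        self.platform = platform
        self.second_identity = {}  # terminal_id -> (salt, credential hash)

    def register(self, req: dict) -> dict:
        # S310: first validity verification against the agent's own allowlist.
        if req["validity_id"] not in self.legal_ids:
            return {"ok": False, "stage": "agent", "reason": "validity identifier not recognised"}
        # S320: store the fourth identity information as the second identity information,
        # then forward the registration request to the platform.
        salt = secrets.token_hex(8)
        self.second_identity[req["terminal_id"]] = (salt, credential_hash(req["secret"], salt))
        resp = self.platform.register(req)
        if not resp["ok"]:
            # Assumption (not in the patent): drop identity info the platform rejected, so the
            # agent never keeps state for a terminal that was not fully registered.
            self.second_identity.pop(req["terminal_id"], None)
        # S350: forward the platform's response to the access terminal.
        return resp


def build_system(agent_ids=LEGAL_VALIDITY_IDS, platform_ids=LEGAL_VALIDITY_IDS):
    """Wire an agent to a platform; separate allowlists let the two checks diverge."""
    platform = AuthPlatform(platform_ids)
    return SecurityAgent(agent_ids, platform), platform


if __name__ == "__main__":
    agent, platform = build_system()
    print(agent.register({"terminal_id": "cam-001", "secret": "s3cret",
                          "validity_id": "FQ-ACME-2021-0001"}))
    print(agent.register({"terminal_id": "cam-002", "secret": "x",
                          "validity_id": "FQ-EVIL-0000"}))
```

The point of the third scenario in the test (an identifier present only in the agent's allowlist) is that the platform's second validity verification is what makes the agent untrusted in the zero-trust sense: a device passes only when both allowlists agree.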
Through steps S300-S350, the embodiment of the present application provides the flow by which an access terminal accesses the Internet of Things system for the first time. Step S200 has been explained above; step S210 is explained below.
S210, the access terminal sends an access request to the security agent;
Specifically, when the access terminal needs to access the background server, it sends an access request to the security agent. For example, if the access terminal needs to reach the server to perform a device keep-alive operation, it may send an access request to the security agent periodically.
S220, according to the first identity information in the access request and the second identity information prestored by the security agent, performing first identity verification on the access terminal through the security agent;
Specifically, the process by which the security agent stores the second identity information has been described with reference to fig. 3. The security agent performs first identity verification on the access terminal according to the second identity information it pre-stores and the first identity information in the received access request. As described above, each module in the Internet of Things system may verify the identity of the access terminal according to the identity information. For example, if in this step the identity information used for the first identity verification is an account and password, the first identity information and the second identity information are compared, and if the account and password in the two are the same, the first identity verification passes.
S230, when the first identity authentication is passed, the security agent sends an access request to the identity authentication platform;
Specifically, when the first identity verification in step S220 passes, the security agent forwards the access request to the identity authentication platform, which performs identity verification again.
In some embodiments, in addition to having every module that the access request passes through verify the identity of the access terminal, which improves the security of data access, security can be further improved by encrypting the data transmitted between the modules. Specifically, when the first identity verification passes, the security agent encrypts the access request and sends the encrypted access request to the identity authentication platform. Thus, even if a message between the access subsystem and the management subsystem is intercepted, the encrypted access request prevents the access terminal's information from being leaked, which protects the security of the Internet of Things system. Note that encryption alone protects only confidentiality: an intercepted request could still be modified or replayed unless messages between modules are also integrity-protected, for example with authenticated encryption, which the embodiment does not specify.
It will be appreciated that the modules of the system may apply different levels of encryption to access requests from different types of access terminals. For example, for an access terminal with higher security requirements, the access request may be encrypted with a national cryptographic algorithm (the Chinese SM series, 国密) in a hardware encryption chip; for access terminals with low security requirements, a software implementation such as the RSA algorithm (a public key algorithm) may be used to encrypt the access request.
S240, performing second identity verification on the access terminal through the identity authentication platform according to the first identity information and third identity information pre-stored by the identity authentication platform;
Specifically, the process by which the identity authentication platform stores the third identity information is clear from the description of fig. 3. When the access request is received, the identity authentication platform compares its stored third identity information with the first identity information in the access request, so as to determine the identity of the current access terminal and complete the second identity verification.
It should be noted that the prefixes "first", "second" and "third" in the first, second and third identity verification described in the embodiments only distinguish the verification performed on the access terminal by different modules of the system (the security agent and the identity authentication platform), and do not modify the meaning of the identity verification.
S250, when the second identity authentication is passed, the security gateway adds the access right of the access terminal in the access request, and sends the access request with the access right added to the micro isolation module;
Specifically, when the second identity verification passes, the security gateway determines the access right corresponding to the access terminal, adds it to the access request, and forwards the access request carrying the access right to the micro isolation module.
As mentioned above, the access right determined by the security gateway may change with the risk level determined by the risk control decision engine (rendered "wind control decision engine" elsewhere on this page, a literal translation of 风控). When the risk control decision engine determines that the risk level of the access terminal has increased, indicating that the current access terminal is high-risk, the second identity verification in its ordinary form (that is, verification that only compares identity IDs) may misjudge the identity of the access terminal. Therefore, in some embodiments, when the risk control decision engine determines that the risk level of the access terminal has increased and the second identity verification has passed, the identity authentication platform performs a third identity verification on the access terminal, which may use a stronger and more complex form than the first and second identity verification. For example, where the first and second identity verification determine the identity of the access terminal only by comparing identity IDs, the third identity verification may take the form of verification-code, fingerprint or face verification: for instance, a verification code is sent to the mobile phone bound to the access terminal, the user is prompted to enter it on a display page of the access terminal, and whether the third identity verification passes is decided by the correctness of the code, thereby establishing the specific identity of the access terminal. Then, when the third identity verification passes, the security gateway adds the access right to the access request and sends it to the micro isolation module.
Following the encryption of data transmitted between the access subsystem and the management subsystem described in step S230, if the access request sent by the security agent to the identity authentication platform is encrypted, the platform must first decrypt it and then perform the second and third identity verification. Similarly to the encryption performed by the security agent, in order to protect the whole data access path from the access terminal to the server, the security gateway may encrypt the access request after the access right has been added and send the encrypted access request to the micro isolation module.
S260, granting an access function to the access terminal through the micro isolation module according to the access authority;
Specifically, after receiving the access request, the micro isolation module decrypts it if it is encrypted and obtains the access right carried in it.
When the Internet of Things system is built, the service data in the server may be classified. Taking an intelligent-traffic Internet of Things system as an example, level-1 data may be the information of the current access terminal itself, level-2 data the information of all access terminals of the same type, and level-3 data the information of all access terminals in the same region. The correspondence between the service data of each level and the access rights of access terminals is then determined and stored in the micro isolation module. When the micro isolation module receives an access request, it looks up the access right in this correspondence, determines which service data in the server the access right of the current access terminal may reach, and grants the access terminal the access function for the service data corresponding to that access right.
For example, when the service data is classified, a unique access identifier is set for the service data of each level. The micro isolation module can grant the access function by sending the access identifier of the corresponding service data to the access terminal; when the access terminal accesses the server, only service data carrying the same identifier can be accessed and all other data cannot, which effectively protects the remaining data in the server.
S270, the access terminal accesses the server according to the access function;
Specifically, following step S260, the access terminal accesses the specified service data in the server according to the granted access function, completing this data access.
Through steps S200-S270, the embodiment of the present application provides a data access method applied to a zero-trust Internet of Things system. The method includes: when the access terminal needs to access the server, it sends an access request to the security agent; the security agent performs first identity verification on the access terminal according to its stored second identity information and the first identity information in the access request; when the first identity verification passes, the security agent encrypts the access request and sends the encrypted access request to the identity authentication platform; the identity authentication platform decrypts the access request and performs second identity verification on the access terminal according to its stored third identity information and the first identity information. If the risk control decision engine has raised the risk level because of abnormal behaviour of the access terminal, then, once the second identity verification passes, the identity authentication platform performs a more complex third identity verification on the access terminal; when the third identity verification passes, the security gateway adds the access right of the access terminal to the access request, encrypts the access request and sends it to the micro isolation module; the micro isolation module decrypts the access request, determines the accessible service data in the server from the stored correspondence between access rights and service data, and grants the access terminal the access function for that service data; finally, the access terminal accesses the corresponding service data in the server according to the access function.
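The access flow of steps S210-S270, including the risk-driven third identity verification of step S240/S250 and the data classification and access identifiers of step S260, as one added example in Python that is not code from the patent. The identity stores are pre-seeded as registration would have filled them. Everything concrete is an assumption: the 0..2 risk scale and the weight of each abnormal behaviour named in claim 1, the mapping from risk level to access right, the three data levels of the intelligent-traffic example rendered as records with one access identifier each, the verification code being returned by issue_code() instead of sent to a phone, and the security agent reporting a wrong password to the risk control decision engine. Stored credentials are compared as hashes in constant time rather than as the plain account and password the text compares.

```python
"""Access flow S210-S270 with risk-based step-up and micro-isolation
(added example; not code from the patent)."""
import hashlib
import hmac
import secrets


def credential_hash(secret: str) -> str:
    # Unsalted here to keep the example short; a deployment would salt per terminal.
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed identity stores, pre-seeded as registration would fill them:
# second identity information (security agent), third (identity authentication platform).
AGENT_STORE = {"cam-001": credential_hash("s3cret")}
PLATFORM_STORE = {"cam-001": credential_hash("s3cret")}

# Claim 1 names these abnormal behaviours; the weights and the 0..2 scale are assumptions.
RISK_WEIGHTS = {"abnormal_login": 1, "wrong_password": 1, "abnormal_consumption": 2}
# Risk level -> access right attached by the security gateway (assumed mapping).
RIGHT_FOR_LEVEL = {0: "region", 1: "same_type", 2: "self"}

# Service data classified as in the intelligent-traffic example; one access identifier
# per level (constructed records).
SERVICE_DATA = {
    "ACC-L1": {"level": 1, "data": "status of cam-001"},
    "ACC-L2": {"level": 2, "data": "status of all cameras"},
    "ACC-L3": {"level": 3, "data": "status of all terminals in district 7"},
}
# Correspondence between access rights and data levels, stored in the micro isolation module.
RIGHT_TO_LEVELS = {"self": {1}, "same_type": {1, 2}, "region": {1, 2, 3}}


class RiskEngine:
    """Risk control decision engine: the level rises as abnormal behaviour is reported."""

    def __init__(self):
        self.score = {}

    def report(self, terminal_id, behaviour):
        self.score[terminal_id] = self.score.get(terminal_id, 0) + RISK_WEIGHTS[behaviour]

    def level(self, terminal_id):
        return min(2, self.score.get(terminal_id, 0))


def verify_identity(store, terminal_id, secret):
    """Used for both the first (agent) and second (platform) identity verification."""
    stored = store.get(terminal_id)
    return stored is not None and hmac.compare_digest(stored, credential_hash(secret))


class AuthPlatform:
    """Identity authentication platform: issues and checks single-use verification codes."""

    def __init__(self):
        self.pending_codes = {}

    def issue_code(self, terminal_id):
        # Stands in for sending a code to the phone bound to the terminal.
        code = secrets.token_hex(3)
        self.pending_codes[terminal_id] = code
        return code

    def third_verify(self, terminal_id, code):
        expected = self.pending_codes.pop(terminal_id, None)  # single use
        return expected is not None and code is not None and hmac.compare_digest(expected, code)


def micro_isolation_grant(access_right):
    """S260: the access right selects the identifiers of the service data it may reach."""
    levels = RIGHT_TO_LEVELS[access_right]
    return {aid for aid, rec in SERVICE_DATA.items() if rec["level"] in levels}


def server_read(granted_ids, access_id):
    """S270: the server serves only data whose identifier was granted to the terminal."""
    return SERVICE_DATA[access_id]["data"] if access_id in granted_ids else None


def access(terminal_id, secret, risk, platform, code=None):
    """Run S220-S260 for one access request; returns (granted identifiers, reason)."""
    # S220: first identity verification by the security agent.
    if not verify_identity(AGENT_STORE, terminal_id, secret):
        risk.report(terminal_id, "wrong_password")  # assumed: the agent feeds the engine
        return set(), "first identity verification failed"
    # S240: second identity verification by the identity authentication platform.
    if not verify_identity(PLATFORM_STORE, terminal_id, secret):
        return set(), "second identity verification failed"
    # Third identity verification when the risk level has been raised.
    level = risk.level(terminal_id)
    if level > 0 and not platform.third_verify(terminal_id, code):
        return set(), "third identity verification required"
    # S250: the security gateway attaches the access right for the current risk level.
    right = RIGHT_FOR_LEVEL[level]
    # S260: the micro isolation module grants the matching access function.
    return micro_isolation_grant(right), "granted right " + right
```

Two behaviours worth noticing: after repeated wrong passwords the same correct credential no longer suffices on its own, and once it is combined with a valid code the terminal is granted only level-1 data, because the gateway narrows the access right together with the raised risk level. The server check in server_read() is what makes the access identifier an enforcement point rather than a label.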
The method of the embodiment achieves a complete zero-trust deployment from the access terminal to the server through repeated identity verification; in addition, the security of data in transit is further ensured by encrypting communication between the different modules of the system; finally, the security of the service data in the server is ensured by controlling access rights.
In summary, through the combination of one or more embodiments, the embodiments of the present application provide a zero-trust Internet of Things system and a data access method applied to it, which to a certain extent solve the problem in the related art that the boundary between terminal and server fails, and implement a complete, multidimensional zero-trust deployment on the Internet of Things system, so that attacks on the server can be effectively prevented and the security of the Internet of Things system improved.
Referring to fig. 4, fig. 4 is a schematic diagram of a data access apparatus according to an embodiment of the present application, where the apparatus 400 includes at least one processor 410, and at least one memory 420 for storing at least one program; one processor and one memory are illustrated in fig. 4.
The processor and the memory may be connected by a bus or otherwise; connection by a bus is illustrated in fig. 4.
The memory, as a non-transitory computer readable storage medium, may be used to store non-transitory software programs as well as non-transitory computer executable programs. In addition, the memory may include high-speed random access memory, and may also include non-transitory memory, such as at least one disk storage device, flash memory device, or other non-transitory solid state storage device. In some embodiments, the memory optionally includes memory remotely located relative to the processor, the remote memory being connectable to the apparatus through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The above described apparatus embodiments are merely illustrative, wherein the units illustrated as separate components may or may not be physically separate, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
The embodiment of the application also discloses a computer storage medium, wherein a program executable by a processor is stored, and the program executable by the processor is used for realizing the data access method provided by the application when being executed by the processor.
Those of ordinary skill in the art will appreciate that all or some of the steps, systems, and methods disclosed above may be implemented as software, firmware, hardware, and suitable combinations thereof. Some or all of the physical components may be implemented as software executed by a processor, such as a central processing unit, digital signal processor, or microprocessor, or as hardware, or as an integrated circuit, such as an application specific integrated circuit. Such software may be distributed on computer readable media, which may include computer storage media (or non-transitory media) and communication media (or transitory media). The term computer storage media includes both volatile and nonvolatile, removable and non-removable media implemented in any method or technology for storage of information such as computer readable instructions, data structures, program modules or other data, as known to those skilled in the art. Computer storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital Versatile Disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other medium which can be used to store the desired information and which can be accessed by a computer. Furthermore, as is well known to those of ordinary skill in the art, communication media typically embodies computer readable instructions, data structures, program modules or other data in a modulated data signal such as a carrier wave or other transport mechanism and includes any information delivery media.
While the preferred embodiments of the present application have been described in detail, the present application is not limited to the above embodiments, and various equivalent modifications and substitutions can be made by those skilled in the art without departing from the spirit of the present application, and these equivalent modifications and substitutions are intended to be included in the scope of the present application as defined in the appended claims.
Claims (9)
1. The Internet of things system based on zero trust is characterized by comprising an access subsystem, a management subsystem and a background subsystem;
the access subsystem comprises an access terminal and a security agent;
the security agent is configured to respond to an access request of the access terminal, perform first identity verification on the access terminal, and send the access request to the management subsystem after the first identity verification is passed;
the management subsystem comprises an identity authentication platform and a security gateway;
the identity authentication platform is used for carrying out second identity authentication on the access terminal according to the access request;
the security gateway is used for adding the access authority of the access terminal to the access request when the second identity authentication is passed; sending the access request added with the access authority to the background subsystem;
The background subsystem comprises a micro isolation module and a server;
the micro isolation module is used for granting an access function to the access terminal according to the access authority so that the access terminal accesses the server according to the access function;
the management subsystem further comprises a risk control (wind control) decision engine;
the risk control decision engine is used for dynamically adjusting the risk level of the access terminal according to the abnormal behavior of the access terminal;
the security gateway is further used for dynamically adjusting the access rights corresponding to the access terminal according to the risk level;
the abnormal behavior comprises abnormal login of the terminal, error password input and abnormal consumption of the terminal.
2. The zero trust based internet of things system of claim 1, wherein the access subsystem further comprises a secure browser and a secure sandbox;
the safety browser is used for providing a safety access network for the access terminal;
the security sandbox is used for isolating the equipment data of the access terminal from the office environment.
3. A data access method applied to the zero trust based internet of things system of any one of claims 1-2, the system comprising an access subsystem, a management subsystem and a background subsystem, the access subsystem comprising an access terminal, a security agent, a security browser and a security sandbox, the management subsystem comprising an identity authentication platform, a security gateway and a risk control decision engine, the background subsystem comprising a micro isolation module and a server, the method comprising:
The access terminal sends an access request to the security agent;
according to the first identity information in the access request and the second identity information prestored by the security agent, performing first identity verification on the access terminal through the security agent;
when the first identity verification passes, the security agent sends the access request to the identity authentication platform;
according to the first identity information and third identity information pre-stored by the identity authentication platform, performing second identity authentication on the access terminal through the identity authentication platform;
when the second identity verification is passed, the security gateway adds the access right of the access terminal in the access request, and sends the access request with the access right added to the micro isolation module;
according to the access authority, granting an access function to the access terminal through the micro isolation module;
and the access terminal accesses the server according to the access function.
4. A data access method according to claim 3, wherein the method further comprises:
when the first identity verification is passed, encrypting the access request by the security agent, and sending the encrypted access request to the identity authentication platform;
Decrypting, by the identity authentication platform, the access request sent by the security agent;
and when the second identity authentication is passed, the security gateway encrypts the access request added with the access authority and sends the encrypted access request to the micro isolation module.
5. A data access method according to claim 3, wherein after the step of performing second authentication on the access terminal by the authentication platform according to the first identity information and third identity information pre-stored by the authentication platform, the method further comprises:
when the risk control decision engine determines that the risk level of the access terminal is raised and the second identity verification is passed, the identity authentication platform performs third identity verification on the access terminal;
when the third identity verification is passed, the security gateway adds the access right to the access request and sends the access request to the micro isolation module;
wherein the form of the third identity verification comprises verification code verification, fingerprint verification or face verification.
6. The method for accessing data according to claim 3, further comprising the step of the access terminal initially accessing the internet of things system, the step specifically comprising:
The access terminal sends a registration request to the security agent, wherein the registration request comprises fourth identity information and a validity identifier;
responding to the registration request, and carrying out first validity verification on the access terminal by the security agent according to the validity identifier;
when the first validity verification is passed, the security agent stores the fourth identity information as the second identity information and sends the registration request to the identity authentication platform;
responding to the registration request, and carrying out second validity verification on the access terminal by the identity authentication platform according to the validity identifier;
when the second validity verification is passed, the identity authentication platform stores the fourth identity information as the third identity information and sends response information which is successfully registered to the security agent;
and the security agent sends the response information to the access terminal so that the access terminal can be successfully accessed to the Internet of things system.
7. The method according to any one of claims 3-6, wherein the granting, by the micro isolation module, an access function to the access terminal according to the access right includes:
Classifying the service data in the server, and determining the corresponding relation between the service data of different levels and the access rights;
searching corresponding service data of the access right in the server according to the corresponding relation;
the micro isolation module grants the access function of the service data to the access terminal.
8. A data access device, comprising:
at least one processor;
at least one memory for storing at least one program;
the at least one program, when executed by the at least one processor, causes the at least one processor to implement the data access method of any of claims 3-7.
9. A computer storage medium in which a processor-executable program is stored, characterized in that the processor-executable program, when executed by the processor, implements the data access method of any of claims 3-7.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210165043.XA CN114553540B (en) | 2022-02-22 | 2022-02-22 | Zero trust-based Internet of things system, data access method, device and medium |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210165043.XA CN114553540B (en) | 2022-02-22 | 2022-02-22 | Zero trust-based Internet of things system, data access method, device and medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114553540A CN114553540A (en) | 2022-05-27 |
CN114553540B true CN114553540B (en) | 2024-03-08 |
Family
ID=81677054
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210165043.XA Active CN114553540B (en) | 2022-02-22 | 2022-02-22 | Zero trust-based Internet of things system, data access method, device and medium |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114553540B (en) |
Families Citing this family (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115529157B (en) * | 2022-08-08 | 2023-08-01 | 北京雪诺科技有限公司 | Enterprise application access system, method and access system based on zero trust |
CN115150208B (en) * | 2022-09-06 | 2022-11-25 | 信联科技(南京)有限公司 | Zero-trust-based Internet of things terminal secure access method and system |
CN115865433B (en) * | 2022-11-17 | 2024-07-02 | 中国联合网络通信集团有限公司 | Service data request method, device and storage medium |
CN116244975B (en) * | 2023-05-11 | 2023-07-25 | 众芯汉创(北京)科技有限公司 | Transmission line wire state simulation system based on digital twin technology |
CN117155649B (en) * | 2023-08-31 | 2024-03-22 | 金锐软件技术(杭州)有限公司 | System and method for security protection of third party system accessing JAVA gateway |
CN118157955B (en) * | 2024-03-12 | 2024-09-20 | 广州白驹科技有限公司 | Data communication security management method and device |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108632253A (en) * | 2018-04-04 | 2018-10-09 | 平安科技(深圳)有限公司 | Client data secure access method based on mobile terminal and device |
WO2019157333A1 (en) * | 2018-02-08 | 2019-08-15 | Nussbaum Jared | Peeirs:passive evaluation of endpoint identity and risk as a surrogate authentication factor |
CN112118102A (en) * | 2020-10-21 | 2020-12-22 | 国网天津市电力公司 | A power-specific zero-trust network system |
CN112765639A (en) * | 2021-01-27 | 2021-05-07 | 武汉大学 | Security micro-service architecture based on zero trust access strategy and implementation method |
EP3866436A1 (en) * | 2020-02-14 | 2021-08-18 | Zscaler, Inc. | Cloud access security broker systems and methods for active user identification and load balancing |
CN113949573A (en) * | 2021-10-18 | 2022-01-18 | 天翼数字生活科技有限公司 | Zero-trust service access control system and method |
Family Cites Families (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US11863588B2 (en) * | 2019-08-07 | 2024-01-02 | Cisco Technology, Inc. | Dynamically tailored trust for secure application-service networking in an enterprise |
US11290464B2 (en) * | 2019-12-18 | 2022-03-29 | Voya Services Company | Systems and methods for adaptive step-up authentication |
Non-Patent Citations (2)
Title |
---|
Research on IoT terminal access security based on a zero trust architecture (基于零信任架构实现的物联网终端接入安全研究); Wang Shouyuan et al.; Designing Techniques of Posts and Telecommunications (邮电设计技术), no. 7, pp. 13-18 * |
Fine-grained access control for distributed databases based on zero trust in power IoT scenarios (电力物联网场景下基于零信任的分布式数据库细粒度访问控制); Huang Jie et al.; Journal of Information Security Research (信息安全研究), vol. 6, no. 7, pp. 535-542 * |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||