基于零信任的敏感数据动态访问控制模型研究

doi:10.3969/j.issn.1671-1122.2022.06.009

信息网络安全 ›› 2022, Vol. 22 ›› Issue (6): 86-93.doi: 10.3969/j.issn.1671-1122.2022.06.009

基于零信任的敏感数据动态访问控制模型研究

郭宝霞¹^,², 王佳慧³, 马利民¹^,², 张伟²()

1.北京信息科技大学网络文化与数字传播北京市重点实验室,北京 100101
2.北京信息科技大学计算机学院,北京100101
3.国家信息中心信息与网络安全部,北京 100045

收稿日期:2022-03-09 出版日期:2022-06-10 发布日期:2022-06-30
通讯作者: 张伟 E-mail:zhwei@bistu.edu.cn
作者简介:郭宝霞（1997—）,女,山西,硕士研究生,主要研究方向为网络安全、大数据安全|王佳慧（1983—）,女,山西,研究员,博士,主要研究方向为云计算安全、大数据安全、云取证安全|马利民（1983—）,男,山东,副教授,博士,主要研究方向为网络安全协议、信息隐藏技术、大数据安全|张伟（1980—）,男,山东,教授,博士,主要研究方向为大数据存储与安全、软硬件协同设计
基金资助:
国家重点研发计划(2020YFC1522702)

Research on Dynamic Access Control Model of Sensitive Data Based on Zero Trust

GUO Baoxia¹^,², WANG Jiahui³, MA Limin¹^,², ZHANG Wei²()

1. Beijing Key Laboratory of Internet Culture and Digital Dissemination Research, Beijing Information Science & Technology University, Beijing 100101, China
2. School of Computer, Beijing Information Science & Technology University, Beijing 100101, China
3. Department of Information and Security, the State Information Center, Beijing 100045, China

Received:2022-03-09 Online:2022-06-10 Published:2022-06-30
Contact: ZHANG Wei E-mail:zhwei@bistu.edu.cn

摘要/Abstract

摘要：

随着大数据时代的来临,敏感数据安全问题越来越引起人们的重视。现有系统对访问主体进行用户身份认证成功后大多认为其身份可信,而攻击者一旦以失陷主体为跳板入侵网络内部,就可能会窃取或破坏敏感数据。因此,亟需研究一种动态的访问权限控制机制来保护系统的敏感信息资源。文章基于零信任架构,通过分析当前被保护系统的访问主体与访问客体的特点,提出了一种信任评估算法。算法通过获取多源属性进行动态信任评估,当失陷主体发生突变行为时,能迅速降低其信任值,在认证中及时阻断失陷主体威胁。算法通过属性加密进行动态授权,降低敏感资源被过度访问的可能性。实验结果表明,该模型可以实现访问授权的动态控制,并保证系统的时间开销和内存开销均在合理范围内。

关键词: 零信任, 动态访问控制, 信任评估, 敏感数据

Abstract:

With the advent of the era of big data, the security of sensitive data has attracted increasing attention. At present, most of the existing systems consider the access subject’s identity to be trusted after successful authentication, but once the attacker uses the lost subject as a springboard to invade the network, he may steal or destroy sensitive data. Therefore, it is urgent to study a fine-grained and flexible access control mechanism to protect the sensitive information resources of the system. Based on zero trust architecture, this paper proposes a trust evaluation algorithm by analyzing the characteristics of access subject and access object of the current protected system. By acquiring multi-source attributes for dynamic trust evaluation, the algorithm can quickly reduce the trust value of the lost subject when it has abrupt behavior, and timely block the threat of the lost subject in the authentication. The system implements dynamic authorization through attribute encryption to reduce the possibility of excessive access to sensitive resources. Experimental results show that this model can realize dynamic control of access authorization, and ensure that the time and memory cost of the system are in a reasonable range.

Key words: zero trust, dynamic access control, trust assessment, sensitive data

中图分类号:

TP309

郭宝霞, 王佳慧, 马利民, 张伟. 基于零信任的敏感数据动态访问控制模型研究[J]. 信息网络安全, 2022, 22(6): 86-93.

GUO Baoxia, WANG Jiahui, MA Limin, ZHANG Wei. Research on Dynamic Access Control Model of Sensitive Data Based on Zero Trust[J]. Netinfo Security, 2022, 22(6): 86-93.

图/表 10

图1

图2

图3

图4

图5

表1

图6

图7

图8

图9

参考文献 15

[1]	JOHN K. Build Security into Your Network's DNA: The Zero Trust Network Architecture[EB/OL]. (2010-11-05) [2022-03-17]. http://www.virtualstarmedia.com/downloads/Forrester_zero_trust_DNA.pdf.
[2]	WARD R, BEYER B. Beyondcorp: A New Approach to Enterprise Security[J]. Login the Magazine of USENIX&Sage, 2014, 39(6): 6-11.
[3]	Software Defined Perimeter Working Group. SDP Specification 1.0[EB/OL]. (2014-04-30) [2022-03-17]. https://downloads.cloudsecurityalliance.org/initiatives/sdp/SDP_Specification_1.0.pdf.
[4]	GAEHTGENS F, MACDONALD N. Use a CARTA Strategic Approach to Embrace Digital Business Opportunities in an Era of Advanced Threats[R]. Stamford: Gartner, G00332400, 2017.
[5]	ROSE S, BORCHERT O, MITCHELL S, et al. Zero Trust Architecture[R]. Gaithersburg: National Institute of Standards and Technology Special Publication, NIST.SP.800-207-draft2, 2020.
[6]	Tencent Security. Zero Trust Solution White Paper[EB/OL]. (2020-05-29) [2022-03-17]. https://cloud.tencent.com/developer/article/1636407.
	腾讯安全. 零信任解决方案白皮书[EB/OL]. (2020-05-29) [2022-03-17]. https://cloud.tencent.com/developer/article/1636407.
[7]	LIU Yuan, SUN Chen, ZHANG Yanling. A Zero Trust Network Research Based on Overlay Technology[J]. Netinfo Security, 2020, 20(10): 83-91.
	刘远, 孙晨, 张嫣玲. 基于Overlay技术的零信任网络研究[J]. 信息网络安全, 2020, 20(10): 83-91.
[8]	SONG Yufei, ZHOU Wenhui, LIU Jiandong, et al. Research on Satellite Internet Security Protection Based on Zero Trust[J]. Space-Integrated-Ground Information Networks, 2021, 2(3): 15-23.
	宋宇飞, 周文辉, 刘建东, 等. 基于零信任的卫星互联网安全防护研究[J]. 天地一体化信息网络, 2021, 2(3):15-23.
[9]	WU Kehe, CHENG Rui, JIANG Xiaochen, et al. Security Protection Scheme of Power IoT Based on SDP[J]. Netinfo Security, 2022, 22(2): 32-38.
	吴克河, 程瑞, 姜啸晨, 等. 基于SDP的电力物联网安全防护方案[J]. 信息网络安全, 2022, 22(2):32-38.
[10]	LIU Tao, MA Yue, JIANG Hefang, et al. Research on Grid Security Protection Architecture Based on Zero Trust[J]. Electric Power Information and Communication Technology, 2021, 19(7): 25-32.
	刘涛, 马越, 姜和芳, 等. 基于零信任的电网安全防护架构研究[J]. 电力信息与通信技术, 2021, 19(7):25-32.
[11]	HUANG Lanying, XIONG Zenggang, YE Conghuan. A Trust-Role Access Control Model for Cloud Computing[J]. Journal of Hubei Engineering University, 2016, 36(6): 57-61.
	黄兰英, 熊曾刚, 叶从欢. 一种面向云计算的信任-角色访问控制模型[J]. 湖北工程学院学报, 2016, 36(6):57-61.
[12]	YU Bo, TAI Xianqing, MA Zhijie. Study on Attribute and Trust-Based RBAC Model in Cloud Computing[J]. Computer Engineering and Applications, 2020, 56(9): 84-92.
	余波, 台宪青, 马治杰. 云计算环境下基于属性和信任的RBAC模型研究[J]. 计算机工程与应用, 2020, 56(9):84-92.
[13]	LI Xin. Access Control Strategy Based on Trust under Cloud Computing Platform[C]// IEEE. 2018 International Conference on Virtual Reality and Intelligent Systems (ICVRIS). New York:IEEE, 2018: 327-330.
[14]	ZHAO Zhiyuan, SUN Lei. Attribute-Based Access Control with Dynamic Trust in a Hybrid Cloud Computing Environment[C]// IEEE. Proceedings of the 2017 International Conference on Cryptography, Security and Privacy. New York: IEEE, 2017: 112-118.
[15]	WU Yunkun, JIANG Bo, PAN Ruixuan, et al. A SDN Access Control Mechanism Based on Zero Trust[J]. Netinfo Security, 2020, 20(8): 37-46.
	吴云坤, 姜博, 潘瑞萱, 等. 一种基于零信任的SDN网络访问控制方法[J]. 信息网络安全, 2020, 20(8): 37-46.

能力点	测试用例	测试结果
环境感知	终端受控设备管理	通过
	环境评分	通过
	IP管理	通过
动态访问控制	基于信任值的动态访问控制	通过
	基于操作系统及版本的控制	通过
	不同用户的动态访问控制	通过

基于零信任的敏感数据动态访问控制模型研究

Research on Dynamic Access Control Model of Sensitive Data Based on Zero Trust

RichHTML

PDF (PC)

可视化

摘要/Abstract

引用本文

使用本文

图/表 10

参考文献 15

相关文章 8

编辑推荐

Metrics

本文评价

[1]	吴云坤, 姜博, 潘瑞萱, 刘玉岭. 一种基于零信任的SDN网络访问控制方法[J]. 信息网络安全, 2020, 20(8): 37-46.
[2]	刘远, 孙晨, 张嫣玲. 基于Overlay技术的零信任网络研究[J]. 信息网络安全, 2020, 20(10): 83-91.
[3]	訾然, 刘嘉. 基于精益信任的风险信任体系构建研究[J]. 信息网络安全, 2019, 19(10): 32-41.
[4]	李建, 管卫利, 刘吉强, 吴杏. 基于信任评估的网络访问模型[J]. 信息网络安全, 2015, 15(10): 14-23.
[5]	郭飞, 张华, 高飞. SaaS模式下基于用户行为的动态访问控制模型研究与实现[J]. 信息网络安全, 2014, 14(12): 71-75.
[6]	金海;虞明城. 从源到端做好个人客户信息整体防护[J]. , 2012, 12(12): 0-0.
[7]	黄建文;田宏强;裴健. 运营商用户数据安全防护体系的探索与实践[J]. , 2012, 12(12): 0-0.
[8]	何立宝;黄刘生;杨威;罗永龙. 基于可信计算的P2P信任模型[J]. , 2009, 9(7): 0-0.