Netinfo Security (信息网络安全), 2022, Vol. 22, Issue (6): 86-93. doi: 10.3969/j.issn.1671-1122.2022.06.009

• Theoretical Research •

Research on Dynamic Access Control Model of Sensitive Data Based on Zero Trust

GUO Baoxia1,2, WANG Jiahui3, MA Limin1,2, ZHANG Wei2

  1. Beijing Key Laboratory of Internet Culture and Digital Dissemination Research, Beijing Information Science & Technology University, Beijing 100101, China
  2. School of Computer, Beijing Information Science & Technology University, Beijing 100101, China
  3. Department of Information and Security, the State Information Center, Beijing 100045, China
  • Received: 2022-03-09 Online: 2022-06-10 Published: 2022-06-30
  • Contact: ZHANG Wei E-mail: zhwei@bistu.edu.cn
  • About the authors: GUO Baoxia (born 1997), female, from Shanxi, master's student; main research interests: network security and big data security | WANG Jiahui (born 1983), female, from Shanxi, researcher, Ph.D.; main research interests: cloud computing security, big data security and cloud forensics security | MA Limin (born 1983), male, from Shandong, associate professor, Ph.D.; main research interests: network security protocols, information hiding technology and big data security | ZHANG Wei (born 1980), male, from Shandong, professor, Ph.D.; main research interests: big data storage and security, and hardware-software co-design
  • Funding:
    National Key Research and Development Program of China (2020YFC1522702)

Abstract:

With the advent of the era of big data, the security of sensitive data has attracted increasing attention. Most existing systems treat an access subject's identity as trusted once user authentication succeeds, but an attacker who uses a compromised subject as a springboard into the internal network may steal or destroy sensitive data. A fine-grained and flexible access control mechanism is therefore urgently needed to protect the system's sensitive information resources. Based on the zero trust architecture, this paper proposes a trust evaluation algorithm by analyzing the characteristics of the access subjects and access objects of the protected system. By acquiring multi-source attributes for dynamic trust evaluation, the algorithm can quickly reduce the trust value of a compromised subject when its behavior changes abruptly, and block the threat from the compromised subject in time during authentication. The system implements dynamic authorization through attribute encryption to reduce the possibility of excessive access to sensitive resources. Experimental results show that the model achieves dynamic control of access authorization while keeping the system's time and memory overhead within a reasonable range.

Key words: zero trust, dynamic access control, trust assessment, sensitive data
