CN114615055A - Access request processing method, data uploading method and device - Google Patents
- Publication number: CN114615055A
- Application number: CN202210234421.5A
- Authority: CN (China)
- Legal status: Granted
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
Abstract
The invention discloses an access request processing method, a data uploading method and a device, and relates to the technical field of computers. A specific implementation of the method includes: receiving environment assessment data of a terminal; determining an environment perception score of the terminal according to the environment assessment data; receiving an access request for a business system sent by the terminal; obtaining a preset access score of the business system, and determining whether the environment perception score of the terminal is greater than or equal to the preset access score of the business system, so as to obtain a comparison result; and determining, according to the comparison result, whether to allow the terminal to access the business system. This embodiment can dynamically adjust the access control permission of the terminal and improve the security protection level of the system.
Description
Technical field
The present invention relates to the field of computer technology, and in particular to an access request processing method, a data uploading method and a device.
Background
Many modern enterprises have moved to computer-based (informatized) office work, in which the daily work of employees depends on the support of a wide variety of business systems. As the number of enterprise business systems grows and the division of labor among employees becomes more complex, the security requirements on enterprise data become higher and higher, and the rapid construction of cloud computing and big data centers has also prompted more enterprises to build and manage the resources of their business systems centrally. Users access each business system through a terminal, and the permission to access a business system is usually determined only by the user's identity; this access permission is fixed, so the security protection level of the system is low.
Summary of the invention
In view of this, embodiments of the present invention provide an access request processing method and apparatus that perform an environment assessment of the terminal, so that the access control permission of the terminal can be adjusted dynamically and the security protection level of the system improved.
In a first aspect, an embodiment of the present invention provides an access request processing method, applied to a server, including:
receiving environment assessment data of a terminal;
determining an environment perception score of the terminal according to the environment assessment data;
receiving an access request for a business system sent by the terminal;
obtaining a preset access score of the business system, and determining whether the environment perception score of the terminal is greater than or equal to the preset access score of the business system, so as to obtain a comparison result;
determining, according to the comparison result, whether to allow the terminal to access the business system.
Optionally, obtaining the preset access score of the business system includes:
determining the terminal source of the terminal;
determining the preset access score of the business system for that terminal source.
Optionally, the terminal source of the terminal is office equipment:
determining the preset access score of the business system for the terminal source includes:
determining a first access score and a second access score of the business system for office equipment, the first access score being greater than the second access score;
determining, according to the comparison result, whether to allow the terminal to access the business system includes:
where the comparison result indicates that the environment perception score of the terminal is greater than or equal to the first access score, allowing the terminal to access the business system;
where the comparison result indicates that the environment perception score of the terminal lies between the second access score and the first access score, allowing the terminal to access the business system through a sandbox;
where the comparison result indicates that the environment perception score of the terminal is less than or equal to the second access score, prohibiting the terminal from accessing the business system and delivering an environment repair message to the terminal.
Optionally, the terminal source of the terminal is a personal device:
determining the preset access score of the business system for the terminal source includes:
determining a third access score of the business system for personal devices;
determining, according to the comparison result, whether to allow the terminal to access the business system includes:
where the comparison result indicates that the environment perception score of the terminal is greater than or equal to the third access score, allowing the terminal to access the business system through a sandbox;
where the comparison result indicates that the environment perception score of the terminal is less than the third access score, prohibiting the terminal from accessing the business system.
Optionally, obtaining the preset access score of the business system includes:
determining the user identity corresponding to the access request;
determining the preset access score of the business system for that user identity.
Optionally, the user identity is an employee user:
determining the preset access score of the business system for the user identity includes:
determining a fourth access score of the business system for employee users;
determining, according to the comparison result, whether to allow the terminal to access the business system includes:
where the comparison result indicates that the environment perception score of the terminal is greater than or equal to the fourth access score, allowing the terminal to access the business system;
where the comparison result indicates that the environment perception score of the terminal is less than the fourth access score, prohibiting the terminal from accessing the business system.
Optionally, the user identity is a third-party user:
determining the preset access score of the business system for the user identity includes:
determining a fifth access score of the business system for third-party users;
determining, according to the comparison result, whether to allow the terminal to access the business system includes:
where the comparison result indicates that the environment perception score of the terminal is greater than or equal to the fifth access score, allowing the terminal to access the business system through a sandbox;
where the comparison result indicates that the environment perception score of the terminal is less than the fifth access score, prohibiting the terminal from accessing the business system.
In a second aspect, an embodiment of the present invention provides a data uploading method, applied to a terminal, including:
obtaining environment assessment data of the terminal;
uploading the environment assessment data to a server.
Optionally, after uploading the environment assessment data to the server, the method further includes:
receiving an environment repair message delivered by the server;
performing environment repair processing on the terminal according to the environment repair message.
Optionally, the environment assessment data includes at least one of: hardware data, operating system data, basic security software data and application software data.
In a third aspect, an embodiment of the present invention provides an access request processing apparatus, applied to a server, including:
a data receiving module, configured to receive environment assessment data of a terminal;
a score determination module, configured to determine an environment perception score of the terminal according to the environment assessment data;
a request receiving module, configured to receive an access request for a business system sent by the terminal;
a comparison module, configured to obtain a preset access score of the business system and determine whether the environment perception score of the terminal is greater than or equal to the preset access score of the business system, so as to obtain a comparison result;
a processing module, configured to determine, according to the comparison result, whether to allow the terminal to access the business system.
In a fourth aspect, an embodiment of the present invention provides a data uploading apparatus, applied to a terminal, including:
a data acquisition module, configured to obtain environment assessment data of the terminal;
a data uploading module, configured to upload the environment assessment data to a server.
In a fifth aspect, an embodiment of the present invention provides an electronic device, including:
one or more processors;
a storage device for storing one or more programs,
which, when executed by the one or more processors, cause the one or more processors to implement the method of any of the above embodiments.
In a sixth aspect, an embodiment of the present invention provides a computer-readable medium on which a computer program is stored, the program implementing the method of any of the above embodiments when executed by a processor.
In a seventh aspect, an embodiment of the present invention provides a computer program product including a computer program, the program implementing the method of any of the above embodiments when executed by a processor.
One embodiment of the above invention has the following advantages or beneficial effects: the environment perception score of the terminal is determined according to the environment assessment data of the terminal. The environment perception score characterizes how securely the terminal can access a business system. An access score can be preset for each business system as required, thereby fixing the minimum environment perception score a terminal must have to access that business system, so that terminals with a relatively high degree of risk cannot access it. The embodiments of the present invention can therefore ensure the security of a business system while it provides services externally.
In addition, as the terminal runs, its environment assessment data changes continuously, so its environment perception score changes continuously, and ultimately its access control permission changes continuously as well. The embodiments of the present invention can therefore also adjust the access control permission of the terminal dynamically and improve the security protection level of the system.
Further effects of the above non-conventional optional features are described below in conjunction with the specific embodiments.
Description of drawings
The accompanying drawings are provided for a better understanding of the present invention and do not constitute an improper limitation of it. In the drawings:
FIG. 1 is a schematic flowchart of an access request processing method provided by a first embodiment of the present invention;
FIG. 2 is a schematic flowchart of an access request processing method provided by a second embodiment of the present invention;
FIG. 3 is a schematic flowchart of a data uploading method provided by a third embodiment of the present invention;
FIG. 4 is a schematic diagram of a system architecture in which a business system provides services externally, provided by a fourth embodiment of the present invention;
FIG. 5 is a schematic diagram of a terminal operating environment provided by a fourth embodiment of the present invention;
FIG. 6 is a schematic structural diagram of a network environment in which a business system provides services externally, provided by a fourth embodiment of the present invention;
FIG. 7 is a schematic diagram of a method for setting dynamic access permissions of a business system, provided by a fourth embodiment of the present invention;
FIG. 8 is a schematic diagram of a way of setting dynamic access permissions for office equipment, provided by a fourth embodiment of the present invention;
FIG. 9 is a schematic diagram of a way of setting dynamic access permissions for terminal sources, provided by a fourth embodiment of the present invention;
FIG. 10 is a schematic diagram of a way of setting dynamic access permissions for user identities, provided by a fourth embodiment of the present invention;
FIG. 11 is a schematic structural diagram of an access request processing apparatus provided by an embodiment of the present invention;
FIG. 12 is a schematic structural diagram of a data uploading apparatus provided by an embodiment of the present invention;
FIG. 13 is a schematic structural diagram of a computer system suitable for implementing the terminal device or server of an embodiment of the present invention.
Detailed description
Exemplary embodiments of the present invention are described below with reference to the accompanying drawings. They include various details of the embodiments to aid understanding and should be regarded as merely exemplary. Those of ordinary skill in the art will therefore recognize that various changes and modifications can be made to the embodiments described here without departing from the scope and spirit of the invention. Likewise, descriptions of well-known functions and structures are omitted from the following description for clarity and conciseness.
The acquisition, storage, use and processing of data in the technical solution of this application all comply with the relevant provisions of national laws and regulations.
FIG. 1 is a schematic flowchart of an access request processing method provided by a first embodiment of the present invention. As shown in FIG. 1, the method includes:
Step 101: receive environment assessment data of the terminal.
The environment assessment data is the data relevant to the security of the terminal's outbound access. It may include: hardware data, operating system data, basic security software data, application software data, etc. Specifically, operating system data may include the operating system version number, operating system patch status, and the like. Basic security software data may include the virus database update status, antivirus scan records, and the like.
Step 102: determine the environment perception score of the terminal according to the environment assessment data.
The environment perception score characterizes how securely the terminal can access external business systems. Its form can be set according to specific needs: it may be expressed as high, medium or low, or on a 100-point scale, a 10-point scale, and the like.
Step 103: receive an access request for a business system sent by the terminal.
Step 104: obtain the preset access score of the business system, and determine whether the environment perception score of the terminal is greater than or equal to the preset access score of the business system, so as to obtain a comparison result.
Different preset access scores can be set for each business system according to its privacy, security and other requirements, thereby fixing the minimum environment perception score a terminal must have to access that business system, so that terminals with a relatively high degree of risk cannot access it.
Step 105: determine, according to the comparison result, whether to allow the terminal to access the business system.
Where the comparison result indicates that the environment perception score of the terminal is greater than or equal to the preset access score of the business system, the terminal is allowed to access the business system. Where the comparison result indicates that the environment perception score of the terminal is less than the preset access score of the business system, the terminal is prohibited from accessing the business system.
In this embodiment of the present invention, the environment perception score of the terminal is determined according to the environment assessment data of the terminal. The environment perception score characterizes how securely the terminal's environment can access external business systems. An access score can be preset for each business system as required, thereby fixing the minimum environment perception score a terminal must have to access that business system, so that terminals with a relatively high degree of risk cannot access it. The embodiments of the present invention can therefore ensure the security of a business system while it provides services externally.
In addition, as the terminal runs, its environment assessment data changes continuously, so its environment perception score changes continuously, and ultimately its access control permission changes continuously as well. The embodiments of the present invention can therefore also adjust the access control permission of the terminal dynamically and improve the security protection level of the system.
FIG. 2 is a schematic flowchart of an access request processing method provided by a second embodiment of the present invention. As shown in FIG. 2, the method includes:
Step 201: receive environment assessment data of the terminal.
Step 202: determine the environment perception score of the terminal according to the environment assessment data.
Step 203: receive an access request for a business system sent by the terminal.
Step 204: determine the terminal source of the terminal and/or the user identity corresponding to the access request, and determine the preset access score of the business system for that terminal source and/or user identity.
Terminal sources may include: office equipment, personal devices, computers, mobile phones, etc. Office equipment is equipment belonging to the system or the company itself; a personal device is any device other than office equipment. For the same business system, different preset access scores can be set for office equipment and for personal devices, so that the terminal's permission to access the business system can be controlled more flexibly. Specifically, because office equipment comes from within the system or the company, its reliability is usually higher than that of a personal device; for the same business system, the preset access score for office equipment can therefore be lower than that for personal devices.
User identities may include: employee users, third-party users, ordinary users, administrator users, etc. Employee users are users from within the system or the company; a third-party user is any user who is not an employee user. For the same business system, different preset access scores can be set for employee users and for third-party users, so that the terminal's permission to access the business system can be controlled more flexibly. Specifically, for the same business system, the preset access score for employee users can be lower than that for third-party users.
Different preset access scores can also be set for a business system according to both the terminal source and the user identity. For example, for the same business system, several different preset access scores can be set for office equipment with employee users, office equipment with third-party users, personal devices with third-party users, personal devices with administrator users, and so on.
Step 205: determine whether the environment perception score of the terminal is greater than or equal to the preset access score of the business system, so as to obtain a comparison result.
Step 206: determine, according to the comparison result, whether to allow the terminal to access the business system.
In this embodiment of the present invention, several different preset access scores can be set for the same business system according to the terminal source of the terminal and/or the user identity corresponding to the access request, so that the terminal's permission to access the business system can be controlled flexibly for different business scenarios and needs.
In one embodiment of the present invention, the terminal source of the terminal is office equipment. Determining the preset access score of the business system for the terminal source includes: determining a first access score and a second access score of the business system for office equipment, the first access score being greater than the second access score. Determining, according to the comparison result, whether to allow the terminal to access the business system includes: where the comparison result indicates that the environment perception score of the terminal is greater than or equal to the first access score, allowing the terminal to access the business system; where the comparison result indicates that the environment perception score of the terminal lies between the second access score and the first access score, allowing the terminal to access the business system through a sandbox; and where the comparison result indicates that the environment perception score of the terminal is less than or equal to the second access score, prohibiting the terminal from accessing the business system and delivering an environment repair message to the terminal.
For a terminal whose source is office equipment, the environment perception score thus distinguishes three cases of access to the business system, better ensuring the security of the business system during external access.
In one embodiment of the present invention, the terminal source of the terminal is a personal device. Determining the preset access score of the business system for the terminal source includes: determining a third access score of the business system for personal devices. Determining, according to the comparison result, whether to allow the terminal to access the business system includes: where the comparison result indicates that the environment perception score of the terminal is greater than or equal to the third access score, allowing the terminal to access the business system through a sandbox; and where the comparison result indicates that the environment perception score of the terminal is less than the third access score, prohibiting the terminal from accessing the business system.
For a terminal whose source is a personal device, the environment perception score thus distinguishes two cases of access to the business system, better ensuring the security of the business system during external access.
In one embodiment of the present invention, the user identity is an employee user. Determining the preset access score of the business system for the user identity includes: determining a fourth access score of the business system for employee users. Determining, according to the comparison result, whether to allow the terminal to access the business system includes: where the comparison result indicates that the environment perception score of the terminal is greater than or equal to the fourth access score, allowing the terminal to access the business system; and where the comparison result indicates that the environment perception score of the terminal is less than the fourth access score, prohibiting the terminal from accessing the business system.
对于用户身份为员工用户的用户,利用业务系统针对员工用户的设置的预设访问分数,限定了员工用户访问业务系统的两种情况,从而更好地保证业务系统对外访问过程中的安全性。For a user whose user identity is an employee user, the preset access score set by the business system for the employee user is used to limit the two situations in which the employee user can access the business system, thereby better ensuring the security of the business system during external access.
在本发明的一个实施例中,所述用户身份为第三方用户:所述确定所述业务系统针对所述用户身份的预设访问分数,包括:确定所述业务系统针对第三方用户的第五访问分数;所述根据所述比对结果,确定是否允许所述终端访问所述业务系统,包括:在所述比对结果表征所述终端的环境感知得分大于或等于所述第五访问分数的情况下,允许所述终端通过沙盒访问所述业务系统;在所述比对结果表征所述终端的环境感知得分小于所述第五访问分数的情况下,禁止所述终端访问所述业务系统。In an embodiment of the present invention, the user identity is a third-party user: the determining a preset access score of the service system for the user identity includes: determining a fifth-party user identity of the service system for the third-party user access score; the determining whether to allow the terminal to access the service system according to the comparison result includes: indicating that the environment perception score of the terminal is greater than or equal to the fifth access score in the comparison result In this case, the terminal is allowed to access the service system through the sandbox; when the comparison result indicates that the environment perception score of the terminal is less than the fifth access score, the terminal is prohibited from accessing the service system .
对于用户身份为第三方用户的用户,利用业务系统针对第三方用户的设置的预设访问分数,限定了员工用户访问业务系统的两种情况,从而更好地保证业务系统对外访问过程中的安全性。For users whose user identity is a third-party user, the preset access scores set by the business system for third-party users are used to limit the two situations in which employee users can access the business system, so as to better ensure the security of the business system during external access. sex.
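The five-score decision described in the embodiments above, written out as an added example (this is not code from the patent). The class and function names, the rule in decide() for combining terminal source with user identity, and the threshold values in the usage section are constructed assumptions; the patent fixes only that the first access score is greater than the second.

```python
"""Added example (not code from the patent): an access decision driven by the
terminal's environment perception score and a business system's five preset
access scores (office device: first/second; personal device: third;
employee user: fourth; third-party user: fifth).

Assumptions: names, the combination rule in decide() and the threshold values
under __main__ are constructed for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Decision(IntEnum):
    """Ordered from least to most restrictive so outcomes can be compared."""
    ALLOW = 0        # direct access to the business system
    SANDBOX = 1      # access only through the sandbox
    DENY = 2         # access prohibited
    DENY_REPAIR = 3  # prohibited, and an environment repair message is sent


@dataclass(frozen=True)
class SystemPolicy:
    """Preset access scores of one business system."""
    first: int   # office device: direct access at or above this score
    second: int  # office device: sandbox above this, repair at or below it
    third: int   # personal device: sandbox at or above this score
    fourth: int  # employee user: direct access at or above this score
    fifth: int   # third-party user: sandbox at or above this score

    def __post_init__(self) -> None:
        # The text requires the first access score to exceed the second.
        if self.first <= self.second:
            raise ValueError("first access score must be greater than the second")


def decide_by_terminal_source(policy: SystemPolicy, source: str, score: int) -> Decision:
    """Decision from the terminal source (office or personal device)."""
    if source == "office":
        if score >= policy.first:
            return Decision.ALLOW
        if score > policy.second:      # strictly between second and first
            return Decision.SANDBOX
        return Decision.DENY_REPAIR    # at or below the second access score
    if source == "personal":
        return Decision.SANDBOX if score >= policy.third else Decision.DENY
    raise ValueError(f"unknown terminal source: {source!r}")


def decide_by_user_identity(policy: SystemPolicy, identity: str, score: int) -> Decision:
    """Decision from the user identity behind the access request."""
    if identity == "employee":
        return Decision.ALLOW if score >= policy.fourth else Decision.DENY
    if identity == "third_party":
        return Decision.SANDBOX if score >= policy.fifth else Decision.DENY
    raise ValueError(f"unknown user identity: {identity!r}")


def decide(policy: SystemPolicy, score: int,
           source: Optional[str] = None, identity: Optional[str] = None) -> Decision:
    """Combine the two dimensions ("and/or" in the text). Assumption: when both
    are known, the more restrictive outcome wins, so a third-party user on an
    office device never gets more than sandbox access."""
    outcomes = []
    if source is not None:
        outcomes.append(decide_by_terminal_source(policy, source, score))
    if identity is not None:
        outcomes.append(decide_by_user_identity(policy, identity, score))
    if not outcomes:
        raise ValueError("at least one of source or identity is required")
    return max(outcomes)


if __name__ == "__main__":
    # Constructed thresholds for one business system.
    policy = SystemPolicy(first=80, second=60, third=70, fourth=80, fifth=70)
    for source, identity, score in [("office", "employee", 85),
                                    ("office", "third_party", 75),
                                    ("office", None, 60),
                                    ("personal", "employee", 65)]:
        print(source, identity, score, "->", decide(policy, score, source, identity).name)
```

Because Decision is an IntEnum ordered by restrictiveness, combining the two dimensions is a single max(); a policy that wanted the terminal-source rule to take precedence would instead return the first outcome.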
FIG. 3 is a schematic flowchart of a data uploading method provided by a third embodiment of the present invention. As shown in FIG. 3, the method includes:
Step 301: Acquire environment assessment data of the terminal.
This method is applied to the terminal. The environment assessment data is data that affects the security of the terminal's external access. The environment assessment data may include hardware data, operating system data, basic security software data and application software data. Specifically, the operating system data may include the operating system version number, the operating system patch upgrade status and so on. The basic security software data may include the virus database update status, antivirus records and so on.
Step 302: Upload the environment assessment data to the server.
The server determines the environment perception score of the terminal according to the terminal's environment assessment data. The environment perception score characterizes how secure the environment is for accessing external business systems. An access score can be preset for each business system according to requirements, thereby limiting the minimum environment perception score of a terminal that may access that business system, so that a terminal with a relatively high degree of risk cannot access the business system. Therefore, the embodiment of the present invention can ensure the security of the business system while it provides services externally.
In addition, as the terminal runs, its environment assessment data keeps changing, so its environment perception score keeps changing, and ultimately its access control rights keep changing as well. Therefore, the embodiment of the present invention can also dynamically adjust the access control rights of the terminal and raise the system's security protection level.
After the environment assessment data is uploaded to the server, an environment repair message delivered by the server is received, and environment repair processing is performed on the terminal according to the environment repair message.
If the environment perception score of the terminal is low, there are factors in the terminal that affect the security of the terminal's access to external business systems. The server delivers an environment repair message to the terminal. The environment repair message may include: changing the user login password, upgrading the virus database, installing system patches and so on. The terminal performs environment repair according to the environment repair message to strengthen its own stability and security.
FIG. 4 is a schematic diagram of a system architecture in which a business system provides services externally, provided by a fourth embodiment of the present invention. As shown in FIG. 4, a desktop terminal acquires the terminal's environment assessment data through a security client and the like, and achieves secure access through the security client, a zero-trust security agent and the like. A mobile terminal acquires environment assessment data through a security client and achieves secure access through a security SDK, VMD and the like. In the cloud service platform, application access is received through a secure access agent, and an access control engine determines whether the terminal can access resources. A trust evaluation engine determines the trust rating of the terminal or user according to the identity authentication result sent by the security event management and control platform. The security event management and control platform receives security logs from terminals, the cloud work platform and resources, and manages vulnerability intelligence data and the like according to the security logs.
In this system, identity is the cornerstone: users and devices are given digital identities, access subjects are built from the digital identities, and least privilege is set for each access subject. All business services are hidden, all traffic passes through an encrypting proxy, and all services require mandatory authorization. Trust is evaluated based on identity, risk is determined based on environment, and anomalies are discovered based on behavior. Access control baselines are attribute-based, access is tiered by trust level, and permissions are dynamic based on risk perception.
FIG. 5 is a schematic diagram of a terminal operating environment provided by a fourth embodiment of the present invention. As shown in FIG. 5, the security client in the terminal monitors the terminal's security operation in real time and sends it in real time to the security operation and management platform on the server side as a trust evaluation indicator; the terminal provides secure operating platforms such as virtualized desktops (sandboxes, virtual machines), cloud desktops and VMI to effectively isolate sensitive data; the terminal environment security operation baseline must include information on hardware, the operating system, basic security software, application software and so on; the terminal is hardened through peripheral control, virus scanning and removal, vulnerability remediation and other means; the terminal protects data through watermarking, DLP and other tools; terminal behavior is monitored through EDR, terminal auditing and the like; and user identity is authenticated through face recognition, single sign-on and other means.
In addition, the terminal also provides a secure network browsing function, which comprehensively raises the desktop's secure access level through security features such as hardened storage of browser interaction data and cached data, process security plug-in protection, user behavior security control, unified management of access policies, unified monitoring of operational behavior, and automatic switching between multiple browser kernels.
FIG. 6 is a schematic structural diagram of a network environment in which a business system provides services externally, provided by a fourth embodiment of the present invention. As shown in FIG. 6, the PC side establishes an encrypted communication-layer tunnel through a zero-trust security gateway to secure communication between the terminal and the back-end network; the mobile terminal establishes an encrypted communication-layer tunnel and encrypts transaction messages through VMI or a security SDK to secure communication between the terminal and the back-end network; the security event management and control platform works together with the security operations big data platform to detect risks in a timely manner and take measures such as isolation; a secure access service is established for the business system with a unified access entrance, where the entrance traffic is uniformly controlled and audited; the security access control platform and the security client report log information to the security event management and control platform in real time, and the security event management and control platform coordinates with network devices for timely automatic disposal.
An embodiment of the present invention further provides a method for processing an access request. The method can dynamically set access rights for business systems. While a user or device is accessing the network and its resources, the trust level assigned to the device or user can be dynamically inferred by aggregating data from multiple data sources. The trust level changes dynamically, and real-time data processing, analysis and judgement accurately reflect the real-time permission status of the user or device. Each accessed or defined resource must define the minimum trust level required for access; when a user or device accesses a resource, the maximum trust level currently obtained is determined by dynamic analysis, and the resource may be accessed only when the maximum trust level is greater than or equal to the minimum trust level required by the resource. Privileged users, privileged devices and privileged applications of any form are prohibited; all permissions must be controlled by defining trust levels.
FIG. 7 is a schematic diagram of a method for setting dynamic access rights of a business system provided by a fourth embodiment of the present invention. As shown in FIG. 7, multiple environment risk levels of the terminal are first determined according to the terminal's environment assessment data. For example, the security level of the operating environment is determined according to sandbox environment data, the risk level of the operating system is determined according to win7 operating system data, and the user type risk level is determined according to partner company personnel data. Then the environment perception score of the terminal is determined according to the multiple environment risk levels. Finally, the business systems accessible to the terminal are determined according to the terminal's environment perception score. For example, when the environment perception score is 80, mailbox access is closed, OA access is closed, and so on.
The access request processing method provided by the embodiment of the present invention can be applied to various application scenarios with different business systems and different terminals. FIG. 8 is a schematic diagram of a method for setting dynamic access rights for office devices provided by a fourth embodiment of the present invention. As shown in FIG. 8, different business systems can be accessed according to the terminal environment perception score (which business system can be accessed in a given score interval is configurable). When the terminal environment perception score is 100, all business systems can be accessed; when the score is between 80 and 100, all business systems except OA can be accessed; when the score is between 60 and 80, only the EIP can be accessed; when the score is below 60, the terminal is not allowed to access the intranet and terminal environment repair is required.
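The FIG. 7 pipeline (assessment data to per-category risk levels to a perception score) and the FIG. 8 score intervals for office devices, as an added example that is not code from the patent. The risk rules, the deduction weights, the handling of interval boundaries (exactly 100 for "all systems", lower bounds inclusive elsewhere) and the sample terminal data are constructed assumptions; the patent only states that risk levels are derived per data category and combined into the score, and which repair actions a repair message may contain.

```python
"""Added example (not code from the patent): derive an environment perception
score from environment assessment data via per-category risk levels, map the
score to the business systems an office device may reach (FIG. 8 intervals:
100 all; 80-100 all except OA; 60-80 EIP only; below 60 no intranet access,
repair required), and build the repair message for low scores.

Assumptions: risk rules, weights, boundary handling and sample data are
constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass(frozen=True)
class AssessmentData:
    """Environment assessment data uploaded by the terminal (steps 301/302)."""
    os_name: str            # operating system version, e.g. "win7" or "win10"
    os_patched: bool        # operating system patch upgrade status
    virus_db_age_days: int  # days since the virus database was last updated
    in_sandbox: bool        # sandbox environment data
    user_type: str          # "employee" or "partner" (partner company personnel)


# Risk level per category: 0 = none, 1 = low, 2 = medium, 3 = high (constructed).
def os_risk(d: AssessmentData) -> int:
    if d.os_name.lower() == "win7":   # the text's own example of a risky OS
        return 3
    return 0 if d.os_patched else 2


def security_software_risk(d: AssessmentData) -> int:
    if d.virus_db_age_days <= 7:
        return 0
    return 1 if d.virus_db_age_days <= 30 else 3


def operating_environment_risk(d: AssessmentData) -> int:
    return 0 if d.in_sandbox else 1


def user_type_risk(d: AssessmentData) -> int:
    return 2 if d.user_type == "partner" else 0


# Points deducted per risk level in each category (constructed weights).
WEIGHTS = {"os": 10, "security_software": 10, "operating_environment": 10, "user_type": 5}


def risk_levels(d: AssessmentData) -> Dict[str, int]:
    return {
        "os": os_risk(d),
        "security_software": security_software_risk(d),
        "operating_environment": operating_environment_risk(d),
        "user_type": user_type_risk(d),
    }


def perception_score(d: AssessmentData) -> int:
    """Start from 100 and deduct the weighted risk levels, floored at 0."""
    deduction = sum(WEIGHTS[k] * lvl for k, lvl in risk_levels(d).items())
    return max(0, 100 - deduction)


ALL_SYSTEMS: Set[str] = {"OA", "mailbox", "EIP"}


def accessible_systems(score: int) -> Set[str]:
    """FIG. 8 score intervals for an office device (boundary handling assumed)."""
    if score >= 100:
        return set(ALL_SYSTEMS)
    if score >= 80:
        return ALL_SYSTEMS - {"OA"}
    if score >= 60:
        return {"EIP"}
    return set()


def repair_message(d: AssessmentData) -> List[str]:
    """Repair actions from the text's examples that apply to this terminal."""
    actions = []
    if not d.os_patched:
        actions.append("install system patches")
    if d.virus_db_age_days > 7:
        actions.append("upgrade virus database")
    return actions


def evaluate(d: AssessmentData) -> dict:
    """Server-side result: score, reachable systems, repair message if denied."""
    score = perception_score(d)
    return {
        "score": score,
        "systems": accessible_systems(score),
        "repair": repair_message(d) if score < 60 else [],
    }


if __name__ == "__main__":
    # Constructed sample terminals.
    samples = {
        "clean employee laptop": AssessmentData("win10", True, 1, True, "employee"),
        "partner laptop": AssessmentData("win10", True, 1, True, "partner"),
        "legacy OS": AssessmentData("win7", True, 1, True, "employee"),
        "neglected laptop": AssessmentData("win10", False, 40, False, "employee"),
    }
    for name, data in samples.items():
        print(f"{name}: {evaluate(data)}")
```

Keeping the per-category risk functions separate from the weights is what makes the score auditable: a denied terminal can be told which category cost it the points, which is also what the repair message needs.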
FIG. 9 is a schematic diagram of a method for setting dynamic access rights according to terminal source, provided by a fourth embodiment of the present invention. As shown in FIG. 9, a mobile office user can access the business system in different ways according to the terminal environment perception score: when the terminal is perceived as an office computer and its score meets the score at which the business system can be accessed, the business system can be accessed directly on the terminal; when the terminal is perceived as an office computer and its score is below the score for direct access to the business system but above the score at which the sandbox may be accessed, the business system can be accessed through the sandbox; and when the terminal is perceived as a personal computer and its score is above the score at which the sandbox may be accessed, the user can access the business system through the sandbox.
FIG. 10 is a schematic diagram of a method for setting dynamic access rights according to user identity, provided by a fourth embodiment of the present invention. As shown in FIG. 10, the same mobile office terminal accesses different business systems in different ways according to the user identity. In-house employees accessing through mobile office can access the business system directly on the terminal; third-party users accessing through mobile office must access the business system through the sandbox and can only access business systems in the development and test environment.
FIG. 11 is a schematic structural diagram of an apparatus for processing an access request provided by an embodiment of the present invention. The apparatus is applied to the server side. As shown in FIG. 11, the apparatus includes:
a data receiving module 1101, configured to receive environment assessment data of a terminal;
a score determination module 1102, configured to determine the environment perception score of the terminal according to the environment assessment data;
a request receiving module 1103, configured to receive an access request for a business system sent by the terminal;
a comparison module 1104, configured to acquire the preset access score of the business system and determine whether the environment perception score of the terminal is greater than or equal to the preset access score of the business system, to obtain a comparison result; and
a processing module 1105, configured to determine, according to the comparison result, whether to allow the terminal to access the business system.
Optionally, the comparison module 1104 is specifically configured to:
determine the terminal source of the terminal; and
determine the preset access score of the business system for the terminal source.
Optionally, the terminal source of the terminal is an office device:
the comparison module 1104 is specifically configured to:
determine a first access score and a second access score of the business system for office devices, where the first access score is greater than the second access score;
the processing module 1105 is specifically configured to:
when the comparison result indicates that the environment perception score of the terminal is greater than or equal to the first access score, allow the terminal to access the business system;
when the comparison result indicates that the environment perception score of the terminal is between the second access score and the first access score, allow the terminal to access the business system through a sandbox; and
when the comparison result indicates that the environment perception score of the terminal is less than or equal to the second access score, prohibit the terminal from accessing the business system and deliver an environment repair message to the terminal.
Optionally, the terminal source of the terminal is a personal device:
the comparison module 1104 is specifically configured to:
determine a third access score of the business system for personal devices;
the processing module 1105 is specifically configured to:
when the comparison result indicates that the environment perception score of the terminal is greater than or equal to the third access score, allow the terminal to access the business system through a sandbox; and
when the comparison result indicates that the environment perception score of the terminal is less than the third access score, prohibit the terminal from accessing the business system.
Optionally, the comparison module 1104 is specifically configured to:
determine the user identity corresponding to the access request; and
determine the preset access score of the business system for the user identity.
Optionally, the user identity is an employee user:
the comparison module 1104 is specifically configured to:
determine a fourth access score of the business system for employee users;
the processing module 1105 is specifically configured to:
when the comparison result indicates that the environment perception score of the terminal is greater than or equal to the fourth access score, allow the terminal to access the business system; and
when the comparison result indicates that the environment perception score of the terminal is less than the fourth access score, prohibit the terminal from accessing the business system.
Optionally, the user identity is a third-party user:
the comparison module 1104 is specifically configured to:
determine a fifth access score of the business system for third-party users;
the processing module 1105 is specifically configured to:
when the comparison result indicates that the environment perception score of the terminal is greater than or equal to the fifth access score, allow the terminal to access the business system through a sandbox; and
when the comparison result indicates that the environment perception score of the terminal is less than the fifth access score, prohibit the terminal from accessing the business system.
FIG. 12 is a schematic structural diagram of a data uploading device provided by an embodiment of the present invention. The device is applied to the server side. As shown in FIG. 12, the device includes:
a data acquisition module 1201, configured to acquire environment assessment data of a terminal; and
a data uploading module 1202, configured to upload the environment assessment data to a server.
Optionally, the device further includes:
a repair module 1203, configured to receive an environment repair message delivered by the server, and
to perform environment repair processing on the terminal according to the environment repair message.
Optionally, the environment assessment data includes at least one of the following: hardware data, operating system data, basic security software data and application software data.
An embodiment of the present invention provides an electronic device, including:
one or more processors; and
a storage device configured to store one or more programs,
where, when the one or more programs are executed by the one or more processors, the one or more processors implement the method of any of the above embodiments.
An embodiment of the present invention provides a computer program product including a computer program which, when executed by a processor, implements the method of any of the above embodiments of the present invention.
Reference is now made to FIG. 13, which shows a schematic structural diagram of a computer system 1300 suitable for implementing a terminal device of an embodiment of the present invention. The terminal device shown in FIG. 13 is only an example and should not impose any limitation on the functions and scope of use of the embodiments of the present invention.
As shown in FIG. 13, the computer system 1300 includes a central processing unit (CPU) 1301, which can perform various appropriate actions and processes according to a program stored in a read-only memory (ROM) 1302 or a program loaded from a storage section 1308 into a random access memory (RAM) 1303. The RAM 1303 also stores various programs and data required for the operation of the system 1300. The CPU 1301, the ROM 1302 and the RAM 1303 are connected to each other through a bus 1304. An input/output (I/O) interface 1305 is also connected to the bus 1304.
The following components are connected to the I/O interface 1305: an input section 1306 including a keyboard, a mouse and the like; an output section 1307 including a cathode ray tube (CRT), a liquid crystal display (LCD) and the like, as well as a speaker and the like; a storage section 1308 including a hard disk and the like; and a communication section 1309 including a network interface card such as a LAN card or a modem. The communication section 1309 performs communication processing via a network such as the Internet. A drive 1310 is also connected to the I/O interface 1305 as needed. A removable medium 1311, such as a magnetic disk, an optical disk, a magneto-optical disk or a semiconductor memory, is mounted on the drive 1310 as needed, so that a computer program read from it can be installed into the storage section 1308 as needed.
In particular, according to the disclosed embodiments of the present invention, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, the disclosed embodiments include a computer program product comprising a computer program carried on a computer-readable medium, the computer program containing program code for performing the method illustrated in the flowchart. In such an embodiment, the computer program may be downloaded and installed from a network via the communication section 1309 and/or installed from the removable medium 1311. When the computer program is executed by the central processing unit (CPU) 1301, the above functions defined in the system of the present invention are performed.
It should be noted that the computer-readable medium shown in the present invention may be a computer-readable signal medium or a computer-readable storage medium, or any combination of the two. The computer-readable storage medium may be, for example, but is not limited to, an electrical, magnetic, optical, electromagnetic, infrared or semiconductor system, apparatus or device, or any combination of the above. More specific examples of the computer-readable storage medium may include, but are not limited to: an electrical connection having one or more wires, a portable computer disk, a hard disk, a random access memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disk read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the above. In the present invention, a computer-readable storage medium may be any tangible medium that contains or stores a program that can be used by or in conjunction with an instruction execution system, apparatus or device. In the present invention, a computer-readable signal medium may include a data signal propagated in baseband or as part of a carrier wave, carrying computer-readable program code. Such a propagated data signal may take a variety of forms, including but not limited to an electromagnetic signal, an optical signal or any suitable combination of the above. A computer-readable signal medium may also be any computer-readable medium other than a computer-readable storage medium that can send, propagate or transmit a program for use by or in conjunction with an instruction execution system, apparatus or device. Program code contained on a computer-readable medium may be transmitted using any suitable medium, including but not limited to wireless, wire, optical cable, RF and so on, or any suitable combination of the above.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present invention. In this regard, each block in a flowchart or block diagram may represent a module, a program segment or a portion of code, which contains one or more executable instructions for implementing the specified logical function. It should also be noted that, in some alternative implementations, the functions noted in the blocks may occur in an order different from that noted in the figures. For example, two blocks shown in succession may in fact be executed substantially concurrently, or they may sometimes be executed in the reverse order, depending on the functionality involved. It should also be noted that each block of the block diagrams or flowcharts, and combinations of blocks in the block diagrams or flowcharts, can be implemented by a special-purpose hardware-based system that performs the specified functions or operations, or by a combination of special-purpose hardware and computer instructions.
The modules involved in the embodiments of the present invention may be implemented in software or in hardware. The described modules may also be provided in a processor and may, for example, be described as: a data receiving module, a score determination module, a request receiving module, a comparison module and a processing module. The names of these modules do not in some cases limit the modules themselves; for example, the data receiving module may also be described as "a module for receiving environment assessment data of a terminal".
作为另一方面,本发明还提供了一种计算机可读介质,该计算机可读介质可以是上述实施例中描述的设备中所包含的;也可以是单独存在,而未装配入该设备中。上述计算机可读介质承载有一个或者多个程序,当上述一个或者多个程序被一个该设备执行时,使得该设备包括:As another aspect, the present invention also provides a computer-readable medium, which may be included in the device described in the above embodiments; or may exist alone without being assembled into the device. The above-mentioned computer-readable medium carries one or more programs, and when the above-mentioned one or more programs are executed by a device, the device includes:
receive environment evaluation data of a terminal;
determine an environment perception score of the terminal according to the environment evaluation data;
receive an access request for a service system sent by the terminal;
acquire a preset access score of the service system, and determine whether the environment perception score of the terminal is greater than or equal to the preset access score of the service system, to obtain a comparison result;
determine, according to the comparison result, whether to allow the terminal to access the service system.
According to the technical solution of the embodiments of the present invention, the environment perception score of a terminal is determined from the terminal's environment evaluation data. The environment evaluation data is data related to the terminal's environment. The environment perception score characterizes how safe it is for that environment to access an external service system. An access score can be preset for each service system as required; it sets the minimum environment perception score a terminal must have to access that service system, so that a terminal with a relatively high degree of risk cannot access it. Therefore, the embodiments of the present invention can ensure the security of the service system while it provides services externally.
In addition, as the terminal runs, its environment evaluation data changes continuously, so its environment perception score also changes continuously. Therefore, the embodiments of the present invention can also dynamically adjust the terminal's access control permissions, which can raise the security protection level of the system.
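The five steps listed above, worked through as an added Python example that is not part of the patent: the assessment fields, the deduction weights and the per-system preset scores are constructed assumptions (the patent fixes no scoring formula), and the final function walks a sequence of assessments to show the dynamic re-evaluation described in the preceding paragraph.

```python
from dataclasses import dataclass

# Per-service-system preset access scores: a constructed sample policy.
PRESET_ACCESS_SCORES = {"hr-portal": 70, "finance-ledger": 90, "wiki": 40}

@dataclass(frozen=True)
class EnvironmentAssessment:
    """Environment evaluation data reported by a terminal (hypothetical fields)."""
    antivirus_active: bool
    disk_encrypted: bool
    missing_critical_patches: int
    malware_alerts: int
    untrusted_root_certs: int

def perception_score(a: EnvironmentAssessment) -> int:
    """Map assessment data to an environment perception score in 0..100.
    The deduction weights are an assumption; the patent fixes no formula."""
    score = 100
    if not a.antivirus_active:
        score -= 25
    if not a.disk_encrypted:
        score -= 15
    score -= 10 * a.missing_critical_patches
    score -= 30 * a.malware_alerts
    score -= 20 * a.untrusted_root_certs
    return max(0, min(100, score))

def process_access_request(a: EnvironmentAssessment, system: str) -> dict:
    """Score the terminal, compare against the system's preset score, decide.
    The comparison result is True iff score >= preset; unknown systems are denied."""
    preset = PRESET_ACCESS_SCORES.get(system)
    if preset is None:
        return {"system": system, "score": None, "allowed": False,
                "reason": "unknown service system"}
    score = perception_score(a)
    allowed = score >= preset
    return {"system": system, "score": score, "preset": preset, "allowed": allowed,
            "reason": "score >= preset" if allowed else "score < preset"}

def access_timeline(assessments: list, system: str) -> list:
    """Re-evaluate each fresh assessment so permission tracks the changing score."""
    return [process_access_request(a, system)["allowed"] for a in assessments]
```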
The specific embodiments described above do not limit the protection scope of the present invention. Those skilled in the art should understand that various modifications, combinations, sub-combinations and substitutions may be made depending on design requirements and other factors. Any modifications, equivalent replacements and improvements made within the spirit and principles of the present invention shall fall within the protection scope of the present invention.
Claims (15)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title | 
|---|---|---|---|
| CN202210234421.5A CN114615055B (en) | 2022-03-10 | 2022-03-10 | Access request processing method, data upload method and device | 
Publications (2)
| Publication Number | Publication Date | 
|---|---|
| CN114615055A true CN114615055A (en) | 2022-06-10 | 
| CN114615055B CN114615055B (en) | 2024-12-27 | 
Family
ID=81862249
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date | 
|---|---|---|---|
| CN202210234421.5A Active CN114615055B (en) | 2022-03-10 | 2022-03-10 | Access request processing method, data upload method and device | 
Country Status (1)
| Country | Link | 
|---|---|
| CN (1) | CN114615055B (en) | 
Cited By (1)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| CN116094803A (en) * | 2023-01-10 | 2023-05-09 | 中国联合网络通信集团有限公司 | Login method, login device and storage medium | 
Citations (7)
| Publication number | Priority date | Publication date | Assignee | Title | 
|---|---|---|---|---|
| US20190081954A1 (en) * | 2017-09-12 | 2019-03-14 | International Business Machines Corporation | Permission management | 
| CN111131235A (en) * | 2019-12-23 | 2020-05-08 | 杭州安恒信息技术股份有限公司 | Safety maintenance method, device, equipment and storage medium of business system | 
| CN111371738A (en) * | 2020-02-10 | 2020-07-03 | 深信服科技股份有限公司 | Access control method, device, equipment and readable storage medium | 
| CN111950040A (en) * | 2019-05-15 | 2020-11-17 | 北京奇安信科技有限公司 | Environment sensing method and device of terminal equipment, computer equipment and storage medium | 
| CN111953633A (en) * | 2019-05-15 | 2020-11-17 | 北京奇安信科技有限公司 | Access control method and access control device based on terminal environment | 
| CN112165461A (en) * | 2020-09-10 | 2021-01-01 | 杭州安恒信息技术股份有限公司 | Zero-trust dynamic authorization method and device and computer equipment | 
| CN114124556A (en) * | 2021-11-29 | 2022-03-01 | 深信服科技股份有限公司 | Network access control method, device, equipment and storage medium | 
Non-Patent Citations (1)
| Title | 
|---|
| 杜薇: "Research and Implementation of a PMI Access Control Model Based on Quantitative Evaluation of the Terminal Environment", China Master's Theses Full-text Database, Information Science and Technology Series (monthly), 2009, No. 12, 15 December 2009 (2009-12-15), pages 2 - 3 * | 
Also Published As
| Publication number | Publication date | 
|---|---|
| CN114615055B (en) | 2024-12-27 | 
Legal Events
| Date | Code | Title | Description | 
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | GR01 | Patent grant | |