| Downloads | Citations | Reads |
| --- | --- | --- |
| 715 | 21 | 559 |
Abstract: Zero-trust security architecture re-evaluates and re-examines the traditional perimeter-based network security architecture: every access must be authenticated and authorized by combining information resources and judgement mechanisms from multiple sources. However, because a zero-trust system is built around a control-center architecture, the core components and database of a single zero-trust system are vulnerable to attack. To address this, the endogenous security system is introduced into the zero-trust security architecture, and the system components are made heterogeneous through the dynamic heterogeneous redundancy (DHR) mechanism, so that the zero-trust security architecture obtains an endogenous security gain. Security analysis and dynamic analysis show that the proposed system architecture is universal and can realize network service, reliability assurance and security defense in an integrated way.
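As an added illustration of the DHR mechanism the abstract describes (this is not code from the paper or its authors), the Python below models a zero-trust policy decision point whose verdict is produced by several functionally equivalent but differently implemented executors, arbitrated by strict majority vote: an executor whose output deviates from the consensus is evicted and a spare is scheduled in its place, and the arbiter fails closed when no strict majority exists. The policy implementations, entitlement data, request fields, executor names and the tampered executor used to show detection are all constructed assumptions.

```python
"""Toy DHR-protected zero-trust policy decision point (added example, not the paper's code)."""
import random
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class AccessRequest:
    subject: str
    resource: str
    mfa_passed: bool
    device_trust: int  # constructed device posture score, 0..100


# Constructed entitlement data; in a real deployment the "multiple sources"
# named in the abstract (identity, device posture, logs) would feed this.
ENTITLEMENTS: Dict[str, Tuple[str, ...]] = {"alice": ("payroll",), "bob": ("wiki",)}
MIN_TRUST = 70

Policy = Callable[[AccessRequest], str]


def policy_rule_table(req: AccessRequest) -> str:
    """Executor A: explicit rule table."""
    if not req.mfa_passed or req.device_trust < MIN_TRUST:
        return "DENY"
    return "ALLOW" if req.resource in ENTITLEMENTS.get(req.subject, ()) else "DENY"


def policy_scored(req: AccessRequest) -> str:
    """Executor B: integer risk score; 400 + 6*trust >= 820 is equivalent to trust >= 70 with MFA."""
    score = (400 if req.mfa_passed else 0) + 6 * req.device_trust
    entitled = req.resource in ENTITLEMENTS.get(req.subject, ())
    return "ALLOW" if entitled and score >= 820 else "DENY"


def policy_predicates(req: AccessRequest) -> str:
    """Executor C: conjunction of predicates, equivalent to A and B."""
    checks = (
        req.mfa_passed,
        req.device_trust >= MIN_TRUST,
        req.subject in ENTITLEMENTS and req.resource in ENTITLEMENTS[req.subject],
    )
    return "ALLOW" if all(checks) else "DENY"


def tampered_executor(backdoor_subject: str) -> Policy:
    """Constructed model of a compromised executor that grants one hard-coded subject.
    It exists only so the arbiter's detection and eviction can be demonstrated."""
    def decide(req: AccessRequest) -> str:
        return "ALLOW" if req.subject == backdoor_subject else policy_rule_table(req)
    return decide


class DHRPolicyDecisionPoint:
    """Majority-voting arbiter over heterogeneous executors with dynamic replacement."""

    def __init__(self, active: List[Tuple[str, Policy]], spares: List[Tuple[str, Policy]], seed: int = 0):
        self.active = list(active)
        self.spares = list(spares)
        self.rng = random.Random(seed)  # seeded so the demo is reproducible
        self.evicted: List[str] = []

    def decide(self, req: AccessRequest) -> Tuple[str, List[str]]:
        votes = {name: fn(req) for name, fn in self.active}
        verdict, count = Counter(votes.values()).most_common(1)[0]
        if 2 * count <= len(votes):  # no strict majority: fail closed
            verdict = "DENY"
        outliers = sorted(n for n, v in votes.items() if v != verdict)
        for name in outliers:  # deviating executors are evicted and replaced
            self._rotate(name)
        return verdict, outliers

    def _rotate(self, name: str) -> None:
        self.active = [(n, f) for n, f in self.active if n != name]
        self.evicted.append(name)
        if self.spares:  # dynamic scheduling: pull a random clean spare into service
            self.active.append(self.spares.pop(self.rng.randrange(len(self.spares))))


def run_demo():
    pdp = DHRPolicyDecisionPoint(
        active=[("A-rule-table", policy_rule_table),
                ("B-scored", policy_scored),
                ("C-tampered", tampered_executor("mallory"))],
        spares=[("D-predicates", policy_predicates)],
    )
    legit = AccessRequest("alice", "payroll", True, 90)
    backdoor = AccessRequest("mallory", "payroll", False, 10)
    r1 = pdp.decide(legit)     # all three agree: ("ALLOW", [])
    r2 = pdp.decide(backdoor)  # tampered executor outvoted and evicted: ("DENY", ["C-tampered"])
    r3 = pdp.decide(backdoor)  # pool is clean again: ("DENY", [])
    return r1, r2, r3, [n for n, _ in pdp.active], pdp.evicted


if __name__ == "__main__":
    for item in run_demo():
        print(item)
```

The security gain comes from the executors being implemented differently (a rule table, a numeric score, a predicate conjunction) while producing identical outputs on every input: a defect or tampering in one implementation changes its vote but not the arbiter's verdict, and the disagreement itself is the detection signal that triggers replacement.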
Basic information:
DOI: 10.13705/j.issn.1671-6841.2022085
CLC number: TP393.08
Citation:
[1] GUO J L, XU M Y, YUAN H Y, et al. Zero-trust model with endogenous security introduced [J]. 2022, 54(06): 51-58. DOI: 10.13705/j.issn.1671-6841.2022085.
Funding:
State Grid Corporation of China headquarters science and technology project (5108-202224046A-1-1-ZN)