CN-122027265-A - Unified access method, equipment, medium and product for remote cloud office

CN122027265A

Abstract

A unified access method, equipment, medium and product for remote cloud office. The method comprises the steps of establishing an encryption connection channel between a terminal and a cloud access point, receiving an identity authentication request, transmitting the identity authentication request to an enterprise identity providing service for verification to obtain a main identity authentication result, acquiring equipment context data of the terminal when the identity authentication request passes, intercepting an application access request, extracting a target application identifier, constructing an authorization arbitration request according to the main identity authentication result, evaluating the authorization arbitration request based on a strategy matrix to generate an authorization arbitration result, determining a deployment position type of the target application according to the target application identifier when the authorization arbitration result represents permission of access, and creating a session-level encryption tunnel based on the deployment position type. By implementing the technical scheme provided by the application, the authorization decision can be self-adaptive to different risk scenes, and the overall safety protection level in a remote access scene is improved.

Inventors

  • Request for anonymity
  • Request for anonymity

Assignees

  • 北京联池系统科技有限公司

Dates

Publication Date
2026-05-12
Application Date
2026-02-04

Claims (10)

  1. A unified access method for remote cloud office, the method comprising: performing connectivity detection on the network environment in which a terminal is currently located, determining a target transmission protocol from a preset transmission protocol set according to the detection result, and establishing an encrypted connection channel between the terminal and a cloud access point based on the target transmission protocol; receiving an identity authentication request uploaded by the terminal through the encrypted connection channel, and forwarding the identity authentication request to a preconfigured enterprise identity provider service for verification to obtain a primary identity authentication result; acquiring device context data of the terminal when the primary identity authentication result indicates that authentication passed; intercepting an application access request initiated by the terminal, extracting a target application identifier from the application access request, and constructing an authorization arbitration request from the user identity information associated with the primary identity authentication result, the device context data and the target application identifier; evaluating the authorization arbitration request against a preset policy matrix to generate an authorization arbitration result; and, when the authorization arbitration result indicates that access is allowed, determining the deployment location type of the target application according to the target application identifier, and creating a session-level encrypted tunnel based on the deployment location type.
  2. The method of claim 1, wherein performing connectivity detection on the network environment in which the terminal is currently located, and determining the target transmission protocol from the preset transmission protocol set according to the detection result, includes: respectively constructing a corresponding detection message for each transmission protocol in the transmission protocol set, where the detection messages comprise a protocol handshake request packet and a detection sequence identifier; sending the detection message to the cloud access point, recording the sending timestamp corresponding to the detection message, and starting a preset timeout timer; continuously monitoring for a detection response message returned by the cloud access point for the detection message while the elapsed time of the timeout timer has not reached a preset timeout threshold; parsing the detection response message to obtain protocol handshake confirmation data, verifying the connection state of each transmission protocol according to the protocol handshake confirmation data, and marking each transmission protocol that received a detection response message and passed connection state verification as available; acquiring the receiving timestamp corresponding to the detection response message, and calculating the round-trip transmission delay of each transmission protocol marked as available from the sending timestamp and the receiving timestamp; and comparing the round-trip transmission delays, and selecting the transmission protocol with the minimum round-trip transmission delay from those marked as available as the target transmission protocol.
  3. The method of claim 1, wherein receiving, through the encrypted connection channel, the identity authentication request uploaded by the terminal, forwarding the identity authentication request to a preconfigured enterprise identity provider service for verification, and obtaining a primary identity authentication result, includes: parsing the identity authentication request to obtain a user identity, and extracting the identity domain information from the user identity; querying a preconfigured identity provider service mapping table according to the identity domain information, where the identity provider service mapping table records the correspondence between identity domains and enterprise identity provider services, and matching against the mapping table to obtain the target enterprise identity provider service corresponding to the identity domain information; redirecting the identity authentication request to the authentication endpoint of the target enterprise identity provider service for credential verification; and receiving the identity authentication token returned by the target enterprise identity provider service, performing signature verification and timeliness verification on the identity authentication token, and generating the primary identity authentication result according to the verification result.
  4. The method of claim 1, wherein evaluating the authorization arbitration request against the preset policy matrix to generate the authorization arbitration result comprises: separating user identity dimension data, device state dimension data, application sensitivity dimension data and request context dimension data from the authorization arbitration request; matching the user role authority boundaries in an identity policy sub-matrix of the policy matrix according to the user identity dimension data and calculating an identity dimension evaluation score, and matching the device compliance baseline requirements in a device policy sub-matrix of the policy matrix according to the device state dimension data and calculating a device dimension evaluation score; matching the application access permission level requirements in an application policy sub-matrix of the policy matrix according to the application sensitivity dimension data and calculating an application dimension evaluation score, and matching the context risk coefficient in a context policy sub-matrix of the policy matrix according to the request context dimension data and calculating a context dimension evaluation score; performing a weighted summation of the identity dimension evaluation score, the device dimension evaluation score, the application dimension evaluation score and the context dimension evaluation score according to preconfigured dimension weight coefficients to obtain a comprehensive trust evaluation score; and comparing the comprehensive trust evaluation score with a preset arbitration threshold set, and generating the authorization arbitration result according to the comparison result, where the authorization arbitration result is one of: access allowed, enhanced authentication required, or access rejected.
  5. The method of claim 4, wherein comparing the comprehensive trust evaluation score with the preset arbitration threshold set and generating the authorization arbitration result according to the comparison result comprises: performing cross-dimension association rule detection on the identity dimension evaluation score, the device dimension evaluation score, the application dimension evaluation score and the context dimension evaluation score, and identifying whether a preset abnormal combination pattern exists among the dimension evaluation scores; when an abnormal combination pattern is detected, adjusting the comprehensive trust evaluation score according to the risk amplification factor corresponding to that abnormal combination pattern; comparing the adjusted comprehensive trust evaluation score with the allowed-access threshold and the enhanced-authentication threshold in the arbitration threshold set, and generating an authorization arbitration result indicating that access is allowed when the adjusted comprehensive trust evaluation score is higher than the allowed-access threshold; generating an authorization arbitration result indicating that enhanced authentication is required when the adjusted comprehensive trust evaluation score lies between the allowed-access threshold and the enhanced-authentication threshold; and generating an authorization arbitration result indicating that access is refused when the adjusted comprehensive trust evaluation score is lower than the enhanced-authentication threshold.
  6. The method of claim 1, wherein, when the authorization arbitration result indicates that access is allowed, determining the deployment location type of the target application according to the target application identifier and creating the session-level encrypted tunnel based on the deployment location type comprises: querying an application asset registry according to the target application identifier, and acquiring the service listening port and the application access endpoint address of the target application; generating an application session identifier from the device identifier of the terminal, the user identity information and the current timestamp, and constructing a session-level tunnel routing table entry based on the application session identifier; when the deployment location type is the public-network software-as-a-service type, querying the edge access node distribution list associated with the cloud access point, selecting from that list the target edge access node with the minimum network delay to the application access endpoint address, and establishing the session-level encrypted tunnel between the target edge access node and the application access endpoint address; and when the deployment location type is the enterprise intranet application type, querying the application connector registration information associated with the target application, and establishing the session-level encrypted tunnel between the cloud access point and the intranet proxy address of the application connector.
  7. The method of claim 6, further comprising: extracting traffic statistics features, request frequency distribution features and resource access path sequence features from the session-level encrypted tunnel according to a preset sampling window period; inputting the traffic statistics features, the request frequency distribution features and the resource access path sequence features into a preset historical behaviour baseline model corresponding to the target application to perform similarity calculation, obtaining respectively a traffic statistics deviation, a request frequency deviation and an access path deviation; comparing the traffic statistics deviation, the request frequency deviation and the access path deviation each with a preset session risk threshold, and judging that abnormal session behaviour has been detected when any one of the traffic statistics deviation, the request frequency deviation or the access path deviation exceeds the session risk threshold; and, in response to detecting the abnormal session behaviour, deleting the session-level tunnel routing table entry, disconnecting the network connection of the session-level encrypted tunnel, and clearing the session state data associated with the application session identifier.
  8. An electronic device comprising a processor, a memory, a user interface and a network interface, the memory storing instructions, the user interface and the network interface each communicating with other devices, and the processor executing the instructions stored in the memory to cause the electronic device to perform the method of any one of claims 1-7.
  9. A computer-readable storage medium storing instructions which, when executed, perform the method of any one of claims 1-7.
  10. A computer program product which, when run on an electronic device, causes the electronic device to perform the method of any one of claims 1-7.
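
The identity-domain routing and token checks of claim 3, as an added Python example rather than code from the patent: the mapping table, the HMAC-SHA256 token format, the clock-skew tolerance and all endpoints and keys are constructed assumptions, and a check that the token's subject matches the authenticating user is added beyond what the claim states.

```python
import hashlib
import hmac
import json
from typing import Dict, Optional, Tuple

# Constructed identity provider mapping table: identity domain -> authentication endpoint
# and the key used to check that provider's tokens. Every value is a placeholder.
IDP_MAPPING = {
    "example.com": {"endpoint": "https://idp.example.com/auth", "key": b"placeholder-key-example-com"},
    "example.net": {"endpoint": "https://sso.example.net/login", "key": b"placeholder-key-example-net"},
}
CLOCK_SKEW = 5   # seconds of tolerance on the issuance time (assumed)

def identity_domain(user_identity: str) -> Optional[str]:
    """Extract the identity domain from an identity of the form user@domain."""
    if "@" not in user_identity:
        return None
    return user_identity.rsplit("@", 1)[1].lower()

def sign_token(payload: Dict, key: bytes) -> str:
    """Stand-in for the provider's token: canonical JSON body plus an HMAC-SHA256 tag."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return body + "." + hmac.new(key, body.encode(), hashlib.sha256).hexdigest()

def verify_token(token: str, key: bytes, expected_subject: str, now: int) -> Tuple[bool, str]:
    """Signature verification first, then timeliness, then subject binding."""
    body, sep, tag = token.rpartition(".")   # the tag is hex, so the last '.' is the separator
    if not sep:
        return False, "malformed token"
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return False, "signature mismatch"
    payload = json.loads(body)
    if "iat" not in payload or "exp" not in payload:
        return False, "missing time claims"
    if payload["iat"] > now + CLOCK_SKEW:
        return False, "token issued in the future"
    if payload["exp"] <= now:
        return False, "token expired"
    if payload.get("sub") != expected_subject:
        return False, "token subject does not match the authenticating user"
    return True, "ok"

def primary_auth_result(user_identity: str, token: str, now: int) -> Dict:
    """Route by identity domain and build the primary identity authentication result."""
    domain = identity_domain(user_identity)
    entry = IDP_MAPPING.get(domain) if domain else None
    if entry is None:
        return {"user": user_identity, "passed": False, "reason": "no identity provider for domain"}
    passed, reason = verify_token(token, entry["key"], user_identity, now)
    return {"user": user_identity, "domain": domain, "idp": entry["endpoint"], "passed": passed, "reason": reason}
```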
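
The scoring, weighted summation and threshold comparison of claims 4 and 5, as an added Python example and not the patent's own code: the sub-matrix contents, weights, thresholds and abnormal combination patterns are constructed, and "risk amplification" is modelled as scaling the comprehensive trust score down by the pattern's factor.

```python
from typing import Callable, Dict, List, Tuple

# Hypothetical sub-matrix contents: the patent names four sub-matrices but gives
# no concrete values, so everything below is constructed for illustration.
IDENTITY_POLICY = {"engineer": {"wiki", "git"}, "finance": {"erp"}}   # role -> permitted apps
DEVICE_BASELINE = ("disk_encrypted", "edr_running", "os_patched", "screen_lock")
APP_SENSITIVITY = {"wiki": 1, "git": 2, "erp": 3}                     # required access level
CONTEXT_RISK = {"corp_network": 0.0, "home": 0.2, "unknown": 0.6}     # context risk coefficient
WEIGHTS = {"identity": 0.35, "device": 0.30, "application": 0.15, "context": 0.20}
ALLOW_THRESHOLD, STEP_UP_THRESHOLD = 0.70, 0.45   # arbitration threshold set (assumed)

def dimension_scores(req: Dict) -> Dict[str, float]:
    """Score each dimension in [0, 1] against its sub-matrix (claim 4)."""
    identity = 1.0 if req["app"] in IDENTITY_POLICY.get(req["role"], set()) else 0.0
    device = sum(1 for k in DEVICE_BASELINE if req["device"].get(k)) / len(DEVICE_BASELINE)
    application = min(1.0, req["clearance"] / APP_SENSITIVITY[req["app"]])
    context = 1.0 - CONTEXT_RISK.get(req["location"], 0.6)   # unlisted locations count as unknown
    return {"identity": identity, "device": device, "application": application, "context": context}

# Abnormal combination patterns (claim 5): a predicate over the scores and the request,
# paired with a risk amplification factor that scales the aggregate trust score down.
ANOMALY_PATTERNS: List[Tuple[Callable[[Dict, Dict], bool], float]] = [
    (lambda s, r: APP_SENSITIVITY[r["app"]] >= 3 and s["context"] <= 0.5, 0.6),  # sensitive app, risky context
    (lambda s, r: s["device"] < 0.5 and r["location"] != "corp_network", 0.8),   # weak device, off-network
]

def arbitrate(req: Dict) -> Tuple[str, float]:
    """Return (decision, adjusted comprehensive trust score)."""
    scores = dimension_scores(req)
    total = sum(WEIGHTS[d] * scores[d] for d in WEIGHTS)   # weighted summation
    for pattern, factor in ANOMALY_PATTERNS:
        if pattern(scores, req):
            total *= factor                                 # cross-dimension risk amplification
    total = round(total, 3)
    if total > ALLOW_THRESHOLD:
        return "allow", total
    if total >= STEP_UP_THRESHOLD:
        return "step_up", total      # enhanced authentication required
    return "deny", total

def example() -> Dict[str, Tuple[str, float]]:
    """Constructed requests: same finance user and device, differing only in location."""
    device = {"disk_encrypted": True, "edr_running": True, "os_patched": True, "screen_lock": False}
    base = {"role": "finance", "app": "erp", "clearance": 3, "device": device}
    return {loc: arbitrate({**base, "location": loc}) for loc in ("corp_network", "home", "unknown")}
```

The "unknown" case shows the point of claim 5: the plain weighted sum (0.805) would allow access, but the sensitive-app-from-risky-context pattern pulls it into the enhanced-authentication band.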
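
The session behaviour monitoring and tear-down of claim 7, as an added Python example that is not part of the patent: the baseline model, the three deviation measures (relative byte difference, total variation distance over request-rate bins, share of unseen path bigrams), the sampling window, the risk threshold and both sample windows are constructed assumptions.

```python
from collections import Counter
from typing import Dict, List, Tuple

Event = Tuple[int, str, int]   # (second offset inside the window, resource path, bytes)
WINDOW_SECONDS = 60
SESSION_RISK_THRESHOLD = 0.5   # assumed; any single deviation above it ends the session

# Constructed historical behaviour baseline for one application (hypothetical values).
BASELINE = {
    "bytes": 120_000,                                    # typical bytes per window
    "rate_hist": {"0": 0.05, "1-2": 0.85, "3+": 0.10},   # share of seconds by request count
    "bigrams": {("/login", "/home"), ("/home", "/home"), ("/home", "/report"), ("/report", "/report")},
}

def rate_bin(n: int) -> str:
    return "0" if n == 0 else ("1-2" if n <= 2 else "3+")

def extract_features(events: List[Event]):
    """Traffic statistics, request-frequency distribution and access-path bigrams."""
    total_bytes = sum(b for _, _, b in events)
    per_second = Counter(t for t, _, _ in events)
    hist = Counter(rate_bin(per_second.get(s, 0)) for s in range(WINDOW_SECONDS))
    rate_hist = {k: v / WINDOW_SECONDS for k, v in hist.items()}
    paths = [p for _, p, _ in events]
    return total_bytes, rate_hist, list(zip(paths, paths[1:]))

def deviations(events: List[Event]) -> Dict[str, float]:
    """Distance of each feature from the baseline; larger means less similar."""
    total_bytes, rate_hist, bigrams = extract_features(events)
    traffic = abs(total_bytes - BASELINE["bytes"]) / BASELINE["bytes"]
    bins = set(rate_hist) | set(BASELINE["rate_hist"])   # total variation distance over bins
    frequency = 0.5 * sum(abs(rate_hist.get(k, 0.0) - BASELINE["rate_hist"].get(k, 0.0)) for k in bins)
    unseen = sum(1 for bg in bigrams if bg not in BASELINE["bigrams"])
    return {"traffic": traffic, "frequency": frequency, "path": unseen / len(bigrams) if bigrams else 0.0}

class TunnelState:
    """The per-session state that is torn down when an anomaly is detected."""
    def __init__(self):
        self.routing_table, self.connections, self.session_data = {}, {}, {}
    def register(self, session_id: str, endpoint: str) -> None:
        self.routing_table[session_id] = endpoint
        self.connections[session_id] = True
        self.session_data[session_id] = {"endpoint": endpoint}
    def teardown(self, session_id: str) -> None:
        self.routing_table.pop(session_id, None)   # delete the tunnel routing table entry
        self.connections.pop(session_id, None)     # disconnect the tunnel
        self.session_data.pop(session_id, None)    # clear session state data

def monitor_window(state: TunnelState, session_id: str, events: List[Event]) -> bool:
    """Evaluate one sampling window; on an anomaly, tear the session down and return True."""
    anomalous = any(v > SESSION_RISK_THRESHOLD for v in deviations(events).values())
    if anomalous:
        state.teardown(session_id)
    return anomalous

# Constructed windows: a normal browsing session and a bulk-export burst (4 requests/s).
NORMAL_WINDOW = [(0, "/login", 3000)] + [(s, "/home", 1500) for s in range(1, 30)] + [(s, "/report", 2500) for s in range(30, 60)]
BURST_WINDOW = [(0, "/login", 3000)] + [(s, "/export", 5000) for s in range(1, 60) for _ in range(4)]
```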

Description

Unified access method, equipment, medium and product for remote cloud office

Technical Field

The application relates to the technical field of network security, and in particular to a unified access method, equipment, medium and product for remote cloud office.

Background

In the field of remote office access, existing schemes mainly use virtual private network technology: the terminal device installs client software, connects to gateway equipment in the enterprise data center, and, once identity authentication completes, obtains an IP address on the enterprise internal network. This establishes a network-layer connection channel between the terminal device and the enterprise intranet, so that the terminal device can access every resource within the IP-reachable range of the intranet. However, in this prior art, access authorization is a static judgment based only on the user identity; it cannot be combined with the real-time security state of the terminal device, the sensitivity of the target application and the context in which the access request occurs, so the access control policy cannot dynamically adapt to the differing security requirements of different risk scenarios.

Disclosure of the Invention

In order to solve the above technical problems, the application provides a unified access method, equipment, medium and product for remote cloud office.
The application provides a unified access method for remote cloud office, which adopts the following technical scheme: performing connectivity detection on the network environment in which a terminal is currently located, determining a target transmission protocol from a preset transmission protocol set according to the detection result, and establishing an encrypted connection channel between the terminal and a cloud access point based on the target transmission protocol; receiving an identity authentication request uploaded by the terminal through the encrypted connection channel, and forwarding the identity authentication request to a preconfigured enterprise identity provider service for verification to obtain a primary identity authentication result; acquiring device context data of the terminal when the primary identity authentication result indicates that authentication passed; intercepting an application access request initiated by the terminal, extracting a target application identifier from the application access request, and constructing an authorization arbitration request from the user identity information associated with the primary identity authentication result, the device context data and the target application identifier; evaluating the authorization arbitration request against a preset policy matrix to generate an authorization arbitration result; and, when the authorization arbitration result indicates that access is allowed, determining the deployment location type of the target application according to the target application identifier, and creating a session-level encrypted tunnel based on the deployment location type.
By adopting this technical scheme, the problem of a single static access control policy is effectively solved: an authorization arbitration request is constructed by integrating multi-dimensional dynamic information such as the terminal device context, the user identity and the target application identifier, and real-time risk assessment is carried out against a preset policy matrix. The method and device therefore realise fine-grained dynamic access control based on real-time security state, application sensitivity and access context, allow the authorization decision to adapt to different risk scenarios, and raise the overall security protection level in remote access scenarios.

Optionally, performing connectivity detection on the network environment in which the terminal is currently located, and determining the target transmission protocol from the preset transmission protocol set according to the detection result, includes: respectively constructing a corresponding detection message for each transmission protocol in the transmission protocol set, where the detection messages comprise a protocol handshake request packet and a detection sequence identifier; sending the detection message to the cloud access point, recording the sending timestamp corresponding to the detection message, and starting a preset timeout timer; continuously monitoring for a detection response message returned by the cloud access point for the detection message while the elapsed time of the timeout timer has not reached a preset timeout threshold; parsing the detection response message to obtain protocol handshake confirmation data, verifying the connection state of each transmission protocol according to the protocol handshake confirmation