Data confidential information protection system based on zero-trust network

An information protection and confidentiality technology, applied in the field of communications, that addresses theft of confidential information by illegal clients, the difficulty of protecting secrets spread across configuration files and environment variables, and malicious deletion of databases by staff with direct access to credentials; it aims to prevent interception or forgery of confidential information and so improve data and information security.

Active Publication Date: 2022-05-10
南京智人云信息技术有限公司

AI Technical Summary

Problems solved by technology

On the one hand, these locations (configuration files and environment variables) are insecure and easy for attackers to obtain, and the information usually circulates between systems in plain text; a weakness in any single link can leak it, so protection is difficult.
On the other hand, ordinary development or operations personnel can read this information, which makes incidents such as malicious deletion of a database possible.
Some solutions have recognised this problem and started to store the sensitive information in secret storage components, but that information still needs an effective management system to control which services and which personnel may view which items.
Moreover, to read the information a service usually has to integrate the SDK of each secret storage component, which adds a large amount of template code unrelated to the actual business logic to the project.
Existing solutions also struggle to control this information and its permissions at fine granularity in near real time: when data or permissions are changed, the service cannot promptly obtain the changed data or apply the changed permissions.
[0003] On this basis, security risks remain in some scenarios. One is that no zero-trust protection is applied to the communication loop, which may allow man-in-the-middle attacks or theft of confidential information by illegal clients. The other is that the confidential information is still present in the service's memory, so the operator or maintainer of the service may still be able to intercept its actual content.


Embodiment Construction

[0091] The following describes the technical solutions in the embodiments of the present invention clearly and completely with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments that persons of ordinary skill in the art obtain from these embodiments without creative effort fall within the protection scope of the present invention.

[0092] Referring to Figures 1 to 4, in this example:

[0093] The construction scenario is the protection of passwords and similar information when a service accesses an external MySQL system; the description mainly covers the case where the MySQL access credentials are the confidential information being protected.

[0094] MySQL is used as the persistent data storage facility for the service, so its security determines the security of the entire service. In real li...

Abstract

The invention discloses a data confidential information protection system based on a zero-trust network, belonging to the technical field of communication. The system comprises a control plane module, a confidential information storage module, a configuration center, a configuration agent, a sidecar main module and an external system. The control plane module adds, deletes, modifies and queries confidential information, verifies the authority of operators, stores configuration information in the configuration center, and sends a configuration update signal to the configuration center. The confidential information storage module stores the confidential information. The configuration center receives and stores the configuration update signal. The configuration agent pulls the update signal and the actual configuration from the configuration center, applies the configuration, and communicates with the sidecar main module. The sidecar main module manages and verifies the confidential information. The external system receives the microservice call, for which a verification request is raised against the confidential information content.
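The architecture summarised in the abstract, and the MySQL credential scenario of the embodiment, as an added illustrative model in Python. This is not the patent's code and not the applicant's implementation: the secret store, the configuration center and its push mechanism, the stand-in database, the client identities (a per-service HMAC key standing in for zero-trust client authentication such as mTLS), the 30-second freshness window, the policy format and the two sample rows are all assumptions made for this example. What it demonstrates is the property the page claims: the service signs a request to its local sidecar, the sidecar checks identity, freshness, replay and policy, uses the credential against the database and returns rows, so the password never enters the service's memory, and a policy change pushed from the configuration center takes effect on the next call without a restart.

```python
import hashlib
import hmac
import secrets
import sqlite3
import time
from functools import partial

SECRET_STORE = {}   # stand-in for the confidential-information storage module: name -> credential

def sign(key, service_id, secret_name, sql, ts, nonce):
    """MAC binding a client identity to exactly what it asks the sidecar to do
    (assumed stand-in for zero-trust client authentication, e.g. mTLS, on the loop)."""
    msg = f"{service_id}|{secret_name}|{sql}|{ts}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def make_request(service_id, key, sql, secret_name="mysql/orders"):
    """What a microservice sends: it holds only its own identity key, never the DB password."""
    ts, nonce = time.time(), secrets.token_hex(8)
    return (service_id, secret_name, sql, ts, nonce, sign(key, service_id, secret_name, sql, ts, nonce))

class ConfigCenter:
    """Holds the access policy and pushes an update signal to subscribed agents."""
    def __init__(self):
        self.policy, self._agents = {}, []   # policy: service_id -> allowed secret names

    def subscribe(self, agent):
        self._agents.append(agent)
        agent.on_update(self.policy)

    def set_policy(self, service_id, allowed):
        self.policy[service_id] = set(allowed)
        for agent in self._agents:           # applies on the agent's next call, no restart
            agent.on_update(self.policy)

class FakeMySQL:
    """Stand-in for the external database: checks user/password, then runs SQL on SQLite."""
    def __init__(self, user, password):
        self._creds = (user, password)
        self._db = sqlite3.connect(":memory:")
        self._db.execute("CREATE TABLE orders(id INTEGER, total REAL)")
        self._db.executemany("INSERT INTO orders VALUES(?, ?)", [(1, 9.5), (2, 20.0)])  # constructed rows

    def execute(self, user, password, sql):
        if (user, password) != self._creds:
            raise PermissionError("database login failed")
        return self._db.execute(sql).fetchall()

class Sidecar:
    """Config agent plus sidecar main module: the only component that ever holds the DB password."""
    WINDOW = 30   # seconds of clock skew tolerated on a request (assumed value)

    def __init__(self, config_center, backend, client_keys):
        self._backend, self._client_keys = backend, client_keys   # client_keys: service_id -> HMAC key
        self._policy, self._seen = {}, set()                      # _seen: (service_id, nonce) already used
        config_center.subscribe(self)

    def on_update(self, policy):
        self._policy = {k: set(v) for k, v in policy.items()}

    def query(self, service_id, secret_name, sql, ts, nonce, mac):
        key = self._client_keys.get(service_id, b"")              # unknown client -> no valid MAC
        if abs(time.time() - ts) > self.WINDOW:
            raise PermissionError("stale request")
        if (service_id, nonce) in self._seen:
            raise PermissionError("replayed request")
        if not hmac.compare_digest(sign(key, service_id, secret_name, sql, ts, nonce), mac):
            raise PermissionError("bad signature")
        self._seen.add((service_id, nonce))                       # authenticated: burn the nonce
        if secret_name not in self._policy.get(service_id, set()):
            raise PermissionError(f"{service_id} may not use {secret_name}")
        cred = SECRET_STORE[secret_name]                          # used here, never returned to the caller
        return self._backend.execute(cred["user"], cred["password"], sql)

def attempt(sidecar, req):
    """Deliver a request; return the rows, or the refusal reason as a string."""
    try:
        return sidecar.query(*req)
    except PermissionError as exc:
        return f"denied: {exc}"

def run_demo():
    """Wire the components together and exercise each control; returns the outcomes."""
    SECRET_STORE["mysql/orders"] = {"user": "orders_app", "password": secrets.token_urlsafe(16)}
    backend = FakeMySQL("orders_app", SECRET_STORE["mysql/orders"]["password"])
    center = ConfigCenter()
    keys = {"billing": secrets.token_bytes(32), "reports": secrets.token_bytes(32)}
    sidecar = Sidecar(center, backend, keys)
    center.set_policy("billing", ["mysql/orders"])                # reports is granted nothing
    billing = partial(make_request, "billing", keys["billing"])
    out = {"authorized": attempt(sidecar, billing("SELECT SUM(total) FROM orders"))[0][0]}
    out["not_in_policy"] = attempt(sidecar, make_request("reports", keys["reports"], "SELECT 1"))
    req = billing("SELECT COUNT(*) FROM orders")
    out["first_use"], out["replay"] = attempt(sidecar, req)[0][0], attempt(sidecar, req)
    fresh = billing("SELECT COUNT(*) FROM orders")
    out["tampered"] = attempt(sidecar, fresh[:2] + ("DELETE FROM orders",) + fresh[3:])  # SQL swapped after signing
    center.set_policy("billing", [])                              # revoke; takes effect immediately
    out["after_revoke"] = attempt(sidecar, billing("SELECT SUM(total) FROM orders"))
    return out
```

Calling `run_demo()` returns one entry per control: the authorised service gets its sum, the service outside the policy is refused, a replayed or tampered request fails before the credential is touched, and the revocation pushed from the configuration center is enforced on the very next call. In a real deployment the HMAC keys would be replaced by workload identities (mTLS certificates or platform-issued tokens) and the sidecar would hold a live connection pool rather than re-authenticating per query, but the division of responsibility is the same.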

Description

Technical field [0001] The invention relates to the field of communication technology, in particular to a data confidential information protection system based on a zero-trust network. Background technique [0002] In a zero-trust network, sensitive information belonging to microservices, especially the passwords, secret keys and tokens used to authenticate to external systems, is usually stored in configuration files or environment variables. On the one hand, these locations are insecure and easy for attackers to obtain, and the information usually circulates between systems in plain text; insecurity in any link may cause leakage, making protection difficult. On the other hand, ordinary development or operations personnel can access it, which makes incidents such as malicious deletion of the database easy. Some solutions have recognised this problem and started to store this sensitive information in secret storage components, but this information also requires ...

Application Information

IPC(8): H04L9/40, H04L41/22, H04L41/28, H04L69/163, G06F21/62, G06F21/60, G06F16/2455
CPC: H04L63/0428, H04L69/163, H04L63/0884, H04L41/22, H04L41/28, G06F21/602, G06F16/24552, G06F21/6245
Inventor 李彪张超徐建平
Owner 南京智人云信息技术有限公司