Disclosure of Invention
In view of the foregoing, the present disclosure provides methods, apparatus, devices, media, and program products for managing security policies based on PaC.
According to a first aspect of the present disclosure, there is provided a method of managing security policies based on PaC, comprising: determining at least one business rule according to business requirement information of an application program;
generating a policy plan according to the business rule;
matching a policy agent according to the business rule and the policy plan;
testing and evaluating the policy plan according to the matched policy agent; and
after the policy plan is determined to have passed the test, performing version management on the application program and the policy plan.
According to an embodiment of the present disclosure, the method further comprises:
generating at least one policy agent according to a device type and an API document;
defining a resource scope of the policy agent to form resource scope definition code, the resource scope including a bandwidth amount, a number of users, and a response time; and
writing the resource scope definition code into a resource configuration database.
According to an embodiment of the disclosure, the generating a policy plan according to the business rule includes:
abstracting and aggregating the business rules to form a business rule set; and
generating policy plan code from the business rule set according to the PaC standard.
According to an embodiment of the present disclosure, the matching a policy agent according to the business rule and the policy plan includes:
acquiring resource scope definition code; and
matching the resource scope definition code according to the business rules and the policy plan to determine a policy agent.
According to an embodiment of the present disclosure, the performing version management on the application program and the policy plan includes:
acquiring application program identification information and at least one policy plan code corresponding to the application program; and
storing the application program identification information and the policy plan code in a code base.
A second aspect of the present disclosure provides an apparatus for managing security policies based on PaC, comprising:
a business rule determining module for determining at least one business rule according to business requirement information of an application program;
a policy plan generating module for generating a policy plan according to the business rule;
a matching module for matching a policy agent according to the business rule and the policy plan;
a test evaluation module for testing and evaluating the policy plan according to the matched policy agent; and
a version management module for performing version management on the application program and the policy plan after the policy plan is determined to have passed the test.
According to an embodiment of the present disclosure, the apparatus further comprises a policy agent generation module for generating at least one policy agent from a device type and an API document;
and a resource scope definition module for defining the resource scope of the policy agent to form resource scope definition code, wherein the resource scope comprises a bandwidth amount, a number of users, and a response time.
A third aspect of the present disclosure provides an electronic device comprising one or more processors and a memory for storing one or more programs, wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to perform the method of managing security policies based on PaC described above.
A fourth aspect of the present disclosure also provides a computer-readable storage medium having stored thereon executable instructions that, when executed by a processor, cause the processor to perform the above-described method of managing security policies based on a PaC.
A fifth aspect of the present disclosure also provides a computer program product comprising a computer program which, when executed by a processor, implements the method of managing security policies based on PaC as described above.
The method for managing security policies based on PaC provided by the embodiments of the present disclosure obtains a plurality of policy agents by adapting the APIs or automation scripts of conventional security devices, abstracts business requirements into business rules, aggregates the business rules into a policy plan, tests the policy plan code so as to raise the success rate of code execution, and places the successfully tested policy plan code under version management. Because the security policies are managed as code, they can be managed uniformly, which improves the efficiency of security operation and maintenance and business continuity and reduces the failure rate and misoperation.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a convention should be interpreted in accordance with the meaning generally understood by one of skill in the art (e.g., "a system having at least one of A, B and C" would include, but not be limited to, systems having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, and C together, etc.).
The terms appearing in the embodiments of the present disclosure will first be explained:
WAF (Web Application Firewall): a product that protects Web applications by applying a series of security policies to HTTP/HTTPS traffic. Based on an understanding of the Web application's business and logic, a WAF inspects and validates the various requests from Web application clients, ensures that the requests are secure and legitimate, and blocks illegal requests in real time, thereby protecting web sites.
IaC (Infrastructure as Code): infrastructure components are created, configured, and deployed by writing code. These infrastructure components include various types of cloud resources such as networks, compute, databases, and security control and management tools.
The combination of personnel, processes, and products that enables continuous delivery of value to the end user.
PaC (Policy as Code): policies are written as code and managed using code management methods.
On the basis of the technical problems described above, the embodiments of the disclosure provide a method for managing security policies based on PaC, which comprises: determining at least one business rule according to business requirement information of an application program; generating a policy plan according to the business rule; matching a policy agent according to the business rule and the policy plan; testing and evaluating the policy plan according to the matched policy agent; and performing version management on the application program and the policy plan after the policy plan is determined to have passed the test.
The method for managing security policies based on PaC provided by the embodiments of the present disclosure obtains a plurality of policy agents by adapting the APIs or automation scripts of conventional security devices, abstracts business requirements into business rules, aggregates the business rules into a policy plan, tests the policy plan code so as to raise the success rate of code execution, and places the successfully tested policy plan code under version management. Because the security policies are managed as code, they can be managed uniformly, which improves the efficiency of security operation and maintenance and business continuity and reduces the failure rate and misoperation.
An application scenario of the PaC-based security policy management method provided in this embodiment may be security operation and maintenance. A developer obtains the business requirements of an application program; for example, the application program needs to start HTTP and HTTPS services, that is, ports 80 and 443, needs to prohibit IP addresses with source address A from accessing port 80 of the application during 21:20:15-22:20:15 every day, and the security device is a firewall of brand B. The business requirement is abstracted into a plurality of business rules, namely: open ports 80 and 443 for application A; prohibit the IP with source address A from accessing port 80 of the application during 21:00-22:00 every day. The plurality of business rules are aggregated into policy plan code, the policy plan code is dispatched to the corresponding developed policy agent, the policy plan code is applied in the production environment after it has been tested successfully, and the application program and the policy plan are placed under version management.
The method for managing the security policy based on the PaC in the disclosed embodiment will be described in detail with reference to FIGS. 1 to 3.
Fig. 1 schematically illustrates a flow chart of a method of managing security policies based on a PaC in accordance with an embodiment of the present disclosure.
As shown in FIG. 1, the PaC-based security policy management method of this embodiment includes operations S210-S250, which may be performed by a server or other computing device.
At least one business rule is determined according to business requirement information of the application program in operation S210.
In one example, the business requirement information of the application program is first obtained. In the embodiments of the disclosure, business requirement information generally refers to the security requirements stated by business personnel, and it can usually be abstracted into a plurality of business rules. Continuing the application scenario above: the application program needs to start HTTP and HTTPS services, namely ports 80 and 443; the IP with source address A must be prohibited from accessing port 80 of the application during a specific time period (21:00-22:00); and the security device is a firewall of brand B. The business rules determined from this requirement information are: open ports 80 and 443 for application A, and prohibit the IP with source address A from accessing port 80 of the application during the specific time period every day.
In operation S220, a policy plan is generated according to the business rule.
In one example, a policy plan is generated from the business rules obtained in operation S210. The policy plan is typically declarative code, represented in JSON format.
For example, the items of the plan may be written as the following list:
    with_items:
      - http
      - deny 21:00:00-22:00:00
      - https
In operation S230, the policy agent is matched according to the business rules and the policy plan.
In an actual environment, developers develop a plurality of policy agents according to information such as device type and manufacturer API, each policy agent corresponding to a physical device of a different manufacturer. The security device of the application program is determined from the business rules to be a brand-B firewall, and the policy agent matching the policy plan is determined accordingly.
In operation S240, the policy plan is tested and evaluated according to the matched policy agent.
In one example, the policy plan obtained in operation S230 is assigned to the matched policy agent for test evaluation in this operation. Each policy agent defines its resource scope in advance; the resource scope characterizes the capabilities of the policy agent, such as capacity (bandwidth amount, number of users), speed (response time), MAC address, and so on. The resources of the policy agent are evaluated by comparing their attributes with the business rules; the resources may be, for example, firewall rules, firewall product support, the five-tuple, time, statistics ratio, and other attributes. The policy plan is then executed and its execution status confirmed, which improves the success rate of executing the policy plan.
When it is determined that the policy plan test is successful, version management is performed on the application program and the policy plan in operation S250.
In one example, the criterion for a successful test is that the policy plan takes effect on the security device, that is, the current policy plan can be executed and take effect normally. When the test is successful, the application program and the policy plan are checked into git together for version management. Different application programs correspond to one or more policy plans (policy code); the policy code and the application program are thus in a many-to-one relationship. When the policy plan test fails, that is, the current policy plan cannot be executed and take effect normally, operations S210 to S240 are re-executed: the policy plan and the policy agent are modified and the test is repeated.
The method for managing security policies based on PaC provided by the embodiments of the present disclosure abstracts business requirements into business rules, forms a policy plan from them, tests the policy plan code so as to raise the success rate of code execution, and places the successfully tested policy plan code under version management. Managing security policies as code allows them to be managed uniformly, improves the efficiency of security operation and maintenance and business continuity, and reduces the failure rate and misoperation.
Next, a policy agent generation process will be described in conjunction with fig. 2, fig. 2 schematically showing a flowchart of a policy agent generation method according to an embodiment of the present disclosure.
As shown in FIG. 2, operations S310-S330 are included.
At least one policy agent is generated from the device type and the API document in operation S310.
In one example, existing security device manufacturers each provide their own GUI, and the devices and GUIs differ. In a large infrastructure environment, multiple security devices from multiple manufacturers form a heterogeneous environment, which leads to numerous and chaotic security policies, excessive management cost, and inflexibility. In this operation, therefore, a policy agent for each heterogeneous device is first developed by adapting to the device type and the API provided by the manufacturer, or to an automation tool script (for example, a playbook written for each device). In a practical environment, a plurality of policy agents can be developed, each policy agent corresponding to a physical device of a different manufacturer.
In operation S320, a resource scope of the policy agent is defined, forming resource scope definition code. In operation S330, the resource scope definition code is written into the resource configuration database.
After the policy agents for the heterogeneous environment have been obtained, in operation S320 the resource scope of each policy agent is defined according to the capability of the policy agent so that the policy plan can operate normally; the resource scope includes parameters such as bandwidth amount, number of users, and response time, and resource scope definition code is formed. The resource scope definition code obtained in this way is then written into the resource configuration database for storage.
Fig. 3 schematically illustrates a flow chart of another method of managing security policies based on a PaC in accordance with an embodiment of the present disclosure. As shown in FIG. 3, the method mainly comprises operations S410-S470.
At least one business rule is determined according to business requirement information of the application in operation S410.
The technical scheme and principle of this operation are the same as that of operation S210 shown in fig. 1, and will not be described again here.
In operation S420, a policy plan is generated according to the business rule.
In this operation the business rules are abstracted and aggregated to form a business rule set. For universality, the policy plan code of the embodiments of the present disclosure uses JSON format and conforms to the mainstream PaC standard in the industry, and policy plan code is generated from the business rule set according to that PaC standard.
After generating the policy plan, the corresponding policy agent needs to be matched according to the policy plan for execution, specifically including operation S430 and operation S440.
In operation S430, a resource scope definition code is acquired. In operation S440, the resource scope definition codes are matched according to the business rules and the policy plan to determine a policy agent.
In one example, operations S430 and S440 are the process of matching a policy plan with a policy agent: the resource scope definition code is acquired from the resource configuration database, and a policy agent that can execute the policy plan is determined according to the device type required in the business rules.
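As an added example (not code from the disclosure), the following Python covers operations S310 to S330 and operations S430 to S440 together: two policy agents are built as adapters over constructed stand-in vendor APIs, each agent's resource scope definition code (bandwidth amount, number of users, response time) is written to an in-memory SQLite table standing in for the resource configuration database, and a plan's capacity demand is matched against the stored scope code for the required device type before the plan items are pushed through the chosen agent. The vendor API shapes, the scope values, the demand fields and the agent names are assumptions.

```python
import json
import sqlite3
from dataclasses import dataclass
from typing import Callable, Dict, List


def vendor_b_api(rule: dict) -> dict:
    """Constructed stand-in for a brand-B firewall API call."""
    return {"status": "ok", "rule_id": f"B-{rule['action']}-{rule['port']}"}


def vendor_c_api(rule: dict) -> dict:
    """Constructed stand-in for a brand-C API with a different reply shape."""
    return {"result": 0, "handle": f"c{rule['port']}"}


@dataclass
class PolicyAgent:
    """S310: one agent per device type / vendor API, exposing a uniform push()."""
    name: str
    device_type: str
    api: Callable[[dict], dict]
    ok_field: str        # where this vendor reports success
    ok_value: object     # the value that means success for this vendor

    def push(self, rule: dict) -> bool:
        """Translate a plan item into the vendor call and normalise the answer."""
        reply = self.api(rule)
        return reply.get(self.ok_field) == self.ok_value


def build_agents() -> Dict[str, PolicyAgent]:
    """Assumed adapter table: the two heterogeneous devices of this example."""
    return {
        "fw-B": PolicyAgent("fw-B", "firewall", vendor_b_api, "status", "ok"),
        "fw-C": PolicyAgent("fw-C", "firewall", vendor_c_api, "result", 0),
    }


# S320: resource scope definition code (JSON) per agent; values are constructed.
RESOURCE_SCOPE_CODE = {
    "fw-B": json.dumps({"bandwidth_mbps": 10000, "max_users": 50000, "response_time_ms": 5}),
    "fw-C": json.dumps({"bandwidth_mbps": 1000, "max_users": 2000, "response_time_ms": 20}),
}


def create_resource_db(agents: Dict[str, PolicyAgent]) -> sqlite3.Connection:
    """S330: write each agent's scope code into the resource configuration database."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE resource_scope ("
                "agent TEXT PRIMARY KEY, device_type TEXT NOT NULL, scope_code TEXT NOT NULL)")
    con.executemany(
        "INSERT INTO resource_scope VALUES (?, ?, ?)",
        [(name, agents[name].device_type, code) for name, code in RESOURCE_SCOPE_CODE.items()],
    )
    con.commit()
    return con


def match_agents(con: sqlite3.Connection, device_type: str, demand: dict) -> List[str]:
    """S430/S440: load the scope code for the required device type and keep
    the agents whose capacity covers the plan's demand."""
    rows = con.execute(
        "SELECT agent, scope_code FROM resource_scope WHERE device_type = ? ORDER BY agent",
        (device_type,)).fetchall()
    matched = []
    for name, code in rows:
        scope = json.loads(code)
        if (scope["bandwidth_mbps"] >= demand["bandwidth_mbps"]
                and scope["max_users"] >= demand["users"]
                and scope["response_time_ms"] <= demand["response_time_ms"]):
            matched.append(name)
    return matched


def deploy(agents: Dict[str, PolicyAgent], con: sqlite3.Connection,
           device_type: str, demand: dict, plan_items: List[dict]) -> dict:
    """Match, then push every plan item through the first matching agent."""
    matched = match_agents(con, device_type, demand)
    if not matched:
        return {"agent": None, "pushed": 0}
    agent = agents[matched[0]]
    pushed = sum(1 for item in plan_items if agent.push(item))
    return {"agent": agent.name, "pushed": pushed}
```

The scope comparison is deliberately per-parameter: capacity values (bandwidth, users) must be at least the demand, while response time must be at most the demand, so a plan that fits the smaller brand-C box on bandwidth can still be excluded by latency.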
In operation S450, the policy plan is evaluated according to the matched policy agent test.
The technical scheme and principle of the present operation are the same as that of operation S240 shown in fig. 1, and will not be repeated here.
When it is determined that the policy plan test is successful, version management is performed on the application and the policy plan in operation S460.
In one example, the test checks, for the example above, whether the firewall device supports the time dimension (prohibiting the IP with source address A from accessing port 80 during 21:00-22:00). When the policy plan test is successful, the plan is applied in the production environment and managed in the git code repository. Version management covers both the application program and the policy code: different application programs correspond to one or more policy codes, so the policy code and the application program are in a many-to-one relationship. The application program identification information and at least one policy plan code corresponding to the application program are acquired, and the application program identification information and the policy plan code are stored in the code base. Managing conventional physical devices uniformly through code replaces the inefficiency and uncertainty of manual management, so that security operation and maintenance no longer depend on individual skill and experience, and the manageability of conventional devices is improved by aligning with the current cloud computing PaC standard.
Fig. 4 schematically illustrates a block diagram of an apparatus for managing security policies based on PaC according to an embodiment of the disclosure.
As shown in Fig. 4, the apparatus 500 for managing security policies based on PaC of this embodiment includes a business rule determining module 510, a policy plan generating module 520, a matching module 530, a test evaluating module 540, and a version management module 550.
The business rule determining module 510 is configured to determine at least one business rule according to business requirement information of an application program. In an embodiment, the business rule determining module 510 may be configured to perform the operation S210 described above, which is not described herein.
The policy plan generation module 520 is configured to generate a policy plan according to the business rule. In an embodiment, the policy plan generating module 520 may be configured to perform the operation S220 described above, which is not described herein.
The matching module 530 is configured to match policy agents according to business rules and policy plans. In an embodiment, the matching module 530 may be configured to perform the operation S230 described above, which is not described herein.
The test evaluation module 540 is used for testing and evaluating the policy plan according to the matched policy agents. In an embodiment, the test evaluation module 540 may be used to perform the operation S240 described above, which is not described herein.
The version management module 550 is configured to perform version management on the application program and the policy plan after determining that the policy plan test is successful. In an embodiment, the version management module 550 may be configured to perform the operation S250 described above, which is not described herein.
According to an embodiment of the present disclosure, further comprising:
a policy agent generation module 560 for generating at least one policy agent based on the device type and the API document. In an embodiment, the policy agent generating module 560 may be configured to perform the operation S310 described above, which is not described herein.
Resource scope definition module 570 defines a resource scope of the policy agent, forming a resource scope definition code, the resource scope including a bandwidth amount, a number of users, and a response time. In an embodiment, the resource scope definition module 570 may be configured to perform the operation S320 described above, which is not described herein.
Any of the business rule determination module 510, the policy plan generation module 520, the matching module 530, the test evaluation module 540, the version management module 550, the policy agent generation module 560, and the resource scope definition module 570 may be combined in one module to be implemented, or any of the modules may be split into a plurality of modules, according to embodiments of the present disclosure. Or at least some of the functionality of one or more of the modules may be combined with, and implemented in, at least some of the functionality of other modules. According to embodiments of the present disclosure, at least one of business rule determination module 510, policy plan generation module 520, matching module 530, test evaluation module 540, version management module 550, policy agent generation module 560, and resource scope definition module 570 may be implemented, at least in part, as hardware circuitry, such as a Field Programmable Gate Array (FPGA), Programmable Logic Array (PLA), system-on-chip, system-on-substrate, system-on-package, Application Specific Integrated Circuit (ASIC), or as hardware or firmware in any other reasonable manner of integrating or packaging circuitry, or as any one of, or a suitable combination of, software, hardware, and firmware. Or at least one of the business rule determination module 510, the policy plan generation module 520, the matching module 530, the test evaluation module 540, the version management module 550, the policy agent generation module 560, and the resource scope definition module 570 may be at least partially implemented as a computer program module which, when executed, may perform the corresponding functions.
Fig. 5 schematically illustrates a block diagram of an electronic device adapted to implement a method of PaC-based management of security policies, in accordance with an embodiment of the present disclosure.
As shown in fig. 5, an electronic device 900 according to an embodiment of the present disclosure includes a processor 901 that can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 902 or a program loaded from a storage portion 908 into a Random Access Memory (RAM) 903. The processor 901 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. Processor 901 may also include on-board memory for caching purposes. Processor 901 may include a single processing unit or multiple processing units for performing the different actions of the method flows according to embodiments of the present disclosure.
In the RAM 903, various programs and data necessary for the operation of the electronic device 900 are stored. The processor 901, the ROM 902, and the RAM 903 are connected to each other by a bus 904. The processor 901 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 902 and/or the RAM 903. Note that the program may be stored in one or more memories other than the ROM 902 and the RAM 903. The processor 901 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in one or more memories.
According to an embodiment of the disclosure, the electronic device 900 may also include an input/output (I/O) interface 905, the input/output (I/O) interface 905 also being connected to the bus 904. The electronic device 900 may also include one or more of an input portion 906 including a keyboard, a mouse, etc., an output portion 907 including a display such as a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), etc., and a speaker, etc., a storage portion 908 including a hard disk, etc., and a communication portion 909 including a network interface card such as a LAN card, a modem, etc., connected to the I/O interface 905. The communication section 909 performs communication processing via a network such as the internet. The drive 910 is also connected to the I/O interface 905 as needed. A removable medium 911 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is installed as needed on the drive 910 so that a computer program read out therefrom is installed into the storage section 908 as needed.
The present disclosure also provides a computer-readable storage medium that may be included in the apparatus/device/system described in the above embodiments, or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example, but is not limited to, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM 902 and/or RAM 903 and/or one or more memories other than ROM 902 and RAM 903 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the methods shown in the flowcharts. The program code, when executed in a computer system, is configured to cause the computer system to implement a method of managing security policies based on PaC as provided by embodiments of the present disclosure.
The above-described functions defined in the system/apparatus of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
In one embodiment, the computer program may be based on a tangible storage medium such as an optical storage device, a magnetic storage device, or the like. In another embodiment, the computer program may also be transmitted, distributed, and downloaded and installed in the form of a signal on a network medium, via communication portion 909, and/or installed from removable medium 911. The computer program may comprise program code that is transmitted using any appropriate network medium, including but not limited to wireless, wireline, etc., or any suitable combination of the preceding.
In such an embodiment, the computer program may be downloaded and installed from the network via the communication portion 909 and/or installed from the removable medium 911. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 901. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
According to embodiments of the present disclosure, program code for the computer programs provided by embodiments of the present disclosure may be written in any combination of one or more programming languages; in particular, such computer programs may be implemented in high-level procedural and/or object-oriented programming languages, and/or assembly/machine languages. Programming languages include, but are not limited to, Java, C++, Python, C, or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of remote computing devices, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., connected via the Internet using an Internet service provider).
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined in a variety of ways, even if such combinations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined without departing from the spirit and teachings of the present disclosure. All such combinations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. These examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.