[Reprint] Understanding of 4A (Unified Security Management Platform) Systems

Understanding of 4A (Unified Security Management Platform) system

 

1. 4A system needs analysis

In recent years, enterprise business systems and their users have grown very rapidly: the number of internal systems and users keeps increasing and the network keeps expanding. While applications have been extended, security management of these business systems has lagged behind and no longer meets the long-term needs of the enterprise.

Each system contains many network devices, hosts and applications, maintained by different departments. Each also has its own independent authentication, authorization and audit mechanism, maintained by that system's administrators. The result is a large number of accounts that are hard and costly to manage. When a user leaves or changes job, it is difficult to delete or disable every corresponding account cleanly. Some accounts are shared by several people, which not only invites security incidents but also makes it hard to identify who actually used the account. There is no centralized platform for resource authorization, so permissions cannot be assigned strictly by the principle of least privilege, and the burden of permission management grows with the user population. Users constantly switch between systems and must enter a username and password each time, which is inconvenient and hurts productivity. The existing log volume is too large to audit effectively. A centralized system for account, authentication, authorization and audit management is needed to solve these everyday security management problems.

2. 4A Introduction

3. 4A system management functions

4A is a unified security management platform solution. The name stands for Authentication, Account, Authorization and Audit; its Chinese name is 统一安全管理平台解决方案 (unified security management platform solution). It treats identity authentication, authorization, auditing and account management (which together provide non-repudiation and data integrity) as the four pillars of network security, and so establishes the central position of identity authentication in the overall security architecture.

The management functions of a 4A platform are centralized authentication management, centralized account management, centralized authorization management and centralized audit management:

Centralized authentication management:

According to the real needs of each application, users can be offered authentication methods of different strength: the original static password can be retained, high-strength two-factor authentication (one-time passwords, digital certificates, dynamic passwords) can be added, and newer methods such as biometrics can be integrated. Besides unifying the management of user authentication, the platform provides a single authentication portal that gives users single sign-on to enterprise information resources.

Centralized account management:

Users get unified, centralized account management across managed resources, including mainstream operating systems, network devices and application systems. The platform covers the basic account lifecycle operations on managed resources (creation, deletion and synchronization) and also lets administrators set account password policy through the platform: password strength and password lifetime.

Centralized authorization management:

Users' access rights to resources are controlled centrally. This covers access control for B/S and C/S application resources as well as control over operations on databases, hosts and network devices. Controlled resource types include B/S URLs and C/S function modules, database data and records, and the operating commands, IP addresses and ports of hosts and network devices.

Centralized audit management:

All user operation logs are recorded, managed and analysed centrally. Beyond monitoring user behaviour, the centralized audit data can be mined so that responsibility for a security incident can be established afterwards.
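The four functions just described, as an added worked model (not code from any 4A vendor or from the original article): one master account per natural person with a password policy, password-plus-TOTP authentication, role-based authorization over typed resources (commands, host:port, URLs), and an audit record for every decision, allowed or denied. The user name, the resources, the policy values and the RFC 6238 self-check are assumptions constructed for the example; the point is that account lifecycle, authentication, authorization and audit all pass through one place, so disabling a leaver's account closes everything at once and every action has a person behind it.

```python
import fnmatch
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy values are assumptions for this example; a real platform configures them.
PASSWORD_MAX_AGE = timedelta(days=90)
PASSWORD_RULE = re.compile(r"^(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[^\w\s]).{12,}$")


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret: bytes, now: datetime, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (the 'dynamic password' factor)."""
    counter = int(now.timestamp()) // step
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


@dataclass
class Account:
    user: str                       # one natural person, never a shared login
    salt: bytes
    pwd_hash: bytes
    pwd_set_at: datetime
    roles: set = field(default_factory=set)
    enabled: bool = True
    totp_secret: Optional[bytes] = None


class Platform4A:
    def __init__(self, clock=None):
        self.accounts = {}          # user -> Account (the master account directory)
        self.policy = {}            # role -> {(resource type, pattern)}
        self.audit = []             # one record per decision, always with a user
        self.clock = clock or (lambda: datetime.now(timezone.utc))

    # Account: lifecycle and password policy enforced in one place
    def create_account(self, user, password, roles=(), second_factor=False):
        if not PASSWORD_RULE.match(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        acct = Account(user, salt, hash_password(password, salt), self.clock(), set(roles))
        if second_factor:
            acct.totp_secret = os.urandom(20)
        self.accounts[user] = acct
        self._log(user, "account.create", "-", True)

    def disable_account(self, user):
        """Leaver or job change: one switch closes every downstream resource."""
        self.accounts[user].enabled = False
        self._log(user, "account.disable", "-", True)

    # Authentication: static password, plus a one-time code where enrolled
    def authenticate(self, user, password, otp=None):
        acct = self.accounts.get(user)
        ok = (acct is not None and acct.enabled
              and hmac.compare_digest(hash_password(password, acct.salt), acct.pwd_hash)
              and self.clock() - acct.pwd_set_at <= PASSWORD_MAX_AGE)
        if ok and acct.totp_secret is not None:
            ok = otp is not None and hmac.compare_digest(otp, totp(acct.totp_secret, self.clock()))
        self._log(user, "auth.login", "-", ok)
        return ok

    # Authorization: roles grant typed resources (url, cmd, host:port)
    def grant(self, role, rtype, pattern):
        self.policy.setdefault(role, set()).add((rtype, pattern))

    def authorize(self, user, rtype, resource):
        acct = self.accounts.get(user)
        allowed = acct is not None and acct.enabled and any(
            fnmatch.fnmatchcase(resource, pat)
            for role in acct.roles for t, pat in self.policy.get(role, ()) if t == rtype)
        self._log(user, f"authz.{rtype}", resource, allowed)
        return allowed

    # Audit: every decision, allowed or denied, is tied to a named person
    def _log(self, user, action, resource, ok):
        self.audit.append({"ts": self.clock().isoformat(), "user": user,
                           "action": action, "resource": resource, "ok": ok})


def demo(clock=lambda: datetime(2024, 1, 1, tzinfo=timezone.utc)):
    """Fixed clock so the run is reproducible; names and resources are made up."""
    p = Platform4A(clock)
    p.grant("dba", "cmd", "select *")
    p.grant("dba", "host", "10.0.1.*:3306")
    p.grant("ops", "url", "/ops/dashboard/*")
    p.create_account("zhangsan", "Correct-Horse-9!", roles={"dba"}, second_factor=True)
    secret = p.accounts["zhangsan"].totp_secret
    r = {"no_otp": p.authenticate("zhangsan", "Correct-Horse-9!"),
         "with_otp": p.authenticate("zhangsan", "Correct-Horse-9!", totp(secret, p.clock())),
         "select": p.authorize("zhangsan", "cmd", "select * from orders"),
         "drop": p.authorize("zhangsan", "cmd", "drop table orders"),
         "host": p.authorize("zhangsan", "host", "10.0.1.7:3306"),
         "url": p.authorize("zhangsan", "url", "/ops/dashboard/alerts")}
    p.disable_account("zhangsan")
    r["after_disable"] = p.authenticate("zhangsan", "Correct-Horse-9!", totp(secret, p.clock()))
    r["audit_entries"] = len(p.audit)
    # RFC 6238 SHA-1 test vector: secret "12345678901234567890" at t=59 -> 94287082
    r["rfc6238_vector"] = totp(b"12345678901234567890", datetime.fromtimestamp(59, timezone.utc))
    return r


if __name__ == "__main__":
    print(demo())
```

Two design points worth noting: a denied request is logged just like an allowed one, because the denied attempts are what an investigator needs most; and the password policy, the enabled flag and the second factor are checked by the platform, not by each downstream system, which is the whole reason a single disable call suffices.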

4. Value realized by a 4A system

[Wider scope of control] On top of the hosts, databases and other system resources that a traditional bastion host manages, control in all four A's is extended to application (business) resources.
[Stronger control] The enterprise gets a global view of account management, which curbs the problems caused by ad hoc account creation, zombie accounts and the like. Fine-grained, role- and menu-based authorization for application resources lets the enterprise map the relationship between resources and people clearly, detect in time people who hold rights they should not have and accounts that are shared, and perform accurate, business-scenario-based audit analysis and early warning.
[Better data security] Using the 4A vault (金库) mode, personal folders and zero-download functions, data is controlled over its whole life cycle, from access and acquisition through transmission, use and destruction, to prevent leakage.
[Higher efficiency] Automated operations and automatic password rotation cut the repetitive daily work of security operations staff and raise operational efficiency. Centralized account, authorization, authentication and audit management replaces scattered day-to-day management and raises management efficiency. "Log in once, go anywhere" raises the login efficiency of business users.
[Operational assurance] Comprehensive contingency measures: if the 4A platform fails, it switches automatically to an emergency system and opens an emergency channel so that business use and operation continue.
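The control gaps the list above names (zombie accounts, shared accounts, and rights that no longer match the person's job) expressed as detection logic over centralized audit data. This is an added example, not a 4A product's reporting code; the account inventory, the department-to-role entitlement matrix, the log line format and the log lines themselves are constructed for it. The shared-account heuristic flags one account logging in from two source addresses within a short window, which also catches a hijacked session, so each hit needs a human look rather than an automatic block.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed account inventory, as a 4A master-account directory would hold it.
ACCOUNTS = [
    {"user": "zhangsan", "dept": "dba", "roles": {"dba"},        "enabled": True},
    {"user": "lisi",     "dept": "ops", "roles": {"ops", "dba"}, "enabled": True},
    {"user": "wangwu",   "dept": "dev", "roles": {"dev"},        "enabled": True},
    {"user": "svc_old",  "dept": "ops", "roles": {"ops"},        "enabled": True},
]
# Constructed entitlement matrix: which roles each department may hold.
ENTITLED = {"dba": {"dba"}, "ops": {"ops"}, "dev": {"dev"}}

# Constructed audit lines in the format this example assumes:
# <ISO time> user=<name> src=<ip> action=<verb> result=<ok|fail>
AUDIT_LOG = """\
2024-03-01T08:00:00Z user=zhangsan src=10.0.5.21 action=login result=ok
2024-03-01T08:03:10Z user=zhangsan src=10.0.5.21 action=cmd result=ok
2024-03-01T08:05:00Z user=zhangsan src=10.0.9.77 action=login result=ok
2024-03-01T09:00:00Z user=lisi src=10.0.5.30 action=login result=ok
2024-03-01T09:30:00Z user=lisi src=10.0.5.30 action=logout result=ok
2024-03-01T14:00:00Z user=lisi src=10.0.5.31 action=login result=ok
2024-03-02T10:00:00Z user=wangwu src=10.0.7.12 action=login result=ok
2023-11-20T10:00:00Z user=svc_old src=10.0.5.40 action=login result=ok
"""
LINE = re.compile(r"^(\S+) user=(\S+) src=(\S+) action=(\S+) result=(\S+)$")


def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole report
        ts, user, src, action, result = m.groups()
        events.append({"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
                       "user": user, "src": src, "action": action, "ok": result == "ok"})
    return events


def zombie_accounts(accounts, events, now, max_idle=timedelta(days=90)):
    """Enabled accounts with no successful login inside max_idle."""
    never = datetime.min.replace(tzinfo=timezone.utc)
    last = {}
    for e in events:
        if e["action"] == "login" and e["ok"]:
            last[e["user"]] = max(last.get(e["user"], e["ts"]), e["ts"])
    return sorted(a["user"] for a in accounts
                  if a["enabled"] and now - last.get(a["user"], never) > max_idle)


def shared_accounts(events, window=timedelta(minutes=30)):
    """Same account, two different source addresses, logins within one window."""
    logins = defaultdict(list)
    for e in events:
        if e["action"] == "login" and e["ok"]:
            logins[e["user"]].append((e["ts"], e["src"]))
    flagged = set()
    for user, seq in logins.items():
        seq.sort()
        for (t1, s1), (t2, s2) in zip(seq, seq[1:]):
            if s1 != s2 and t2 - t1 <= window:
                flagged.add(user)
    return sorted(flagged)


def excess_rights(accounts, entitled):
    """Roles an account holds beyond what its department is entitled to."""
    out = {}
    for a in accounts:
        extra = a["roles"] - entitled.get(a["dept"], set())
        if extra:
            out[a["user"]] = sorted(extra)
    return out


def report(now=datetime(2024, 3, 3, tzinfo=timezone.utc)):
    events = parse(AUDIT_LOG)
    return {"zombie": zombie_accounts(ACCOUNTS, events, now),
            "shared": shared_accounts(events),
            "excess_rights": excess_rights(ACCOUNTS, ENTITLED)}


if __name__ == "__main__":
    print(report())
```

On the constructed data the report names svc_old as a zombie account (last login more than 90 days before the report date), zhangsan as a shared or hijacked account (two addresses five minutes apart), and lisi as holding a dba role that the ops department is not entitled to. These three checks are only possible because accounts, entitlements and logins sit in one directory and one audit store, which is the point of the list above.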

5. Application Examples


Reference:

https://wenku.baidu.com/view/228aaca46294dd88d0d26bad.html

https://www.venustech.com.cn/article/type/1/49.html



Origin www.cnblogs.com/jinanxiaolaohu/p/11942889.html