
Research On Key Technologies And System Of Privileged Access Security For Converging Data Platform

Posted on: 2021-03-31
Degree: Master
Type: Thesis
Country: China
Candidate: K Feng
Full Text: PDF
GTID: 2428330611499763
Subject: Computer technology

Abstract/Summary:
With the advent of the big data era, converging data platforms such as data lakes are being deployed. These platforms are the infrastructure for centrally storing and analyzing big data. However, internal threats are the most serious security problem hindering the development of these platforms. Privileged accounts are the key to accessing the platform, yet platform administrators are not clear about the distribution and usage of privileged accounts. The same privileged account passwords are shared by different users and applications, which makes it difficult to trace the root cause of security incidents. Privileged accounts therefore need to be centrally managed. For application-to-platform access, hard-coded credentials are the root cause of privileged account password leakage. Existing solutions either carry large adaptation costs or risk causing system crashes, so they are difficult to fit to the actual security needs of enterprises. For human-to-machine access by RDP or VNC, video playback is often used for privileged behavior auditing, which is costly and inefficient; a more intelligent auditing solution is urgently needed.

To ensure the security of privileged accounts, this paper studies the safe storage and safe use of privileged accounts. Based on a hierarchical encryption mechanism and a secret sharing algorithm, this paper designs a password vault that ensures highly secure password storage, realizes centralized management of privileged account passwords, and makes the distribution and usage of privileged account passwords clear. For human-to-machine access, based on proxy technology and access control technology, this paper designs a human-to-machine privileged account management system architecture that separates users from privileged account passwords. For human-to-machine access by SSH or telnet, by setting privileged behavior control strategies and parsing the user's privileged operation commands, illegal user privileged behaviors can be intercepted in real time. Experimental results show that the core functions of the architecture work normally, the performance overhead is within a reasonable range, and it is more secure than the direct connection method.

For application-to-database access, based on application access authentication, replacement of hard-coded credentials, and security hardening measures, this paper designs a machine-to-machine privileged account management system architecture, which solves the problem of hard-coded credentials without modifying source code or configuration files. The experimental results show that the core functions work normally, the introduced time overhead is small, and the adaptation cost is lower and the security higher than that of other architectures.

For human-to-machine access by RDP or VNC, this paper designs an intelligent auditing system architecture for user privileged behavior that can automatically identify illegal user privileged behavior. The architecture first collects the bitmaps corresponding to user operations; this paper then improves an existing scene text reading algorithm to extract the text in the user operation images and compares that text with a privileged behavior audit database, in which every keyword corresponds to a specific user privileged behavior. Whether to allow the user operation is determined according to the user authority policy preset by the platform administrators. This paper takes a real-scenario case of privileged users stealing confidential data as an example to show the complete functions of the architecture; the case proves that the designed architecture can be used to prevent platform data leakage. This paper gives the overall performance data of the privileged behavior auditing architecture and the accuracy rate of user behavior recognition. Experimental results show that the time overhead of our behavior auditing architecture is within a reasonable range.
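An added example (not the thesis's own code) of the SSH-side control strategy described above: each command line forwarded through the proxy is split into its simple commands and every one of them is checked against a per-role policy before it reaches the platform, so a forbidden command chained behind `;`, `&&` or a pipe is still caught. The POLICY table, the role names and the functions are constructed for this illustration; a real deployment would load the rules from the platform's strategy store.

```python
import os
import shlex

# Constructed role policy (assumption for this example): allow-listed command names
# plus forbidden (command, argument) pairs per role.
POLICY = {
    "dba":     {"allow": {"ls", "cat", "grep", "psql", "systemctl"},
                "deny_args": {("systemctl", "stop"), ("systemctl", "disable")}},
    "auditor": {"allow": {"ls", "cat", "grep"}, "deny_args": set()},
}
SEPARATORS = {";", "&&", "||", "|", "&"}   # tokens that start a new simple command


def split_simple_commands(line):
    """Break one shell line into its simple commands (argv lists).

    Uses shlex with punctuation_chars so ';', '&&', '||' and '|' come out as their
    own tokens even without surrounding spaces. Raises ValueError on unbalanced
    quotes, which the caller treats as a deny. Requires Python 3.8+."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    cmds, cur = [], []
    for tok in lexer:
        if tok in SEPARATORS:
            if cur:
                cmds.append(cur)
            cur = []
        else:
            cur.append(tok)
    if cur:
        cmds.append(cur)
    return cmds


def check_command(role, line):
    """Return (allowed, reason) for a user's command line under the role's policy."""
    rules = POLICY.get(role)
    if rules is None:
        return False, f"unknown role {role!r}"
    if "`" in line or "$(" in line:            # substitution would hide a command from the parser
        return False, "command substitution is not permitted"
    try:
        cmds = split_simple_commands(line)
    except ValueError as exc:
        return False, f"unparsable command line: {exc}"
    if not cmds:
        return False, "empty command line"
    for argv in cmds:
        if argv[0] == "sudo":                  # judge the real command, not the sudo wrapper
            argv = argv[1:] or ["sudo"]
        name = os.path.basename(argv[0])       # /bin/cat and cat are the same command
        if name not in rules["allow"]:
            return False, f"command {name!r} is not permitted for role {role!r}"
        for arg in argv[1:]:
            if (name, arg) in rules["deny_args"]:
                return False, f"'{name} {arg}' is forbidden for role {role!r}"
    return True, "ok"
```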
Keywords/Search Tags: privileged access security, privileged account management, password leakage, hard-coded credential, privileged behavior audit