摘要
为了设计信息物理系统中的安全架构,遵循基于模型的系统工程(Model-Based Systems Engineering,MBSE)的方法学,提出了一种基于模型的零信任网络安全架构.网络安全架构的总体策略采用纵深防御,系统划分不同安全域并采取不同的保护措施,在此基础上,零信任(Zero Trust)对纵深防御策略进行强化,采用微网段方法实施细粒度的安全域,采用基于属性的访问控制方法实施细粒度的访问控制.将基于模型的零信任网络安全架构应用到边界安全域,开发了基于系统建模语言(System Modeling Language,SysML)的模型.基于模型的零信任网络安全架构具有流程可迭代、需求可追溯、安全域细粒度、访问控制动态性的特点.
In order to design the security architecture in cyber-physical systems,a model-based zero-trust architecture of cyber security was proposed following the methodology of Model-Based Systems Engineering(MBSE).Overall strategy of the security architecture was defense in depth,in which different security zones were divided and different protection measures were taken in security zones.Further,defense-in-depth strategy was strengthened by zero trust.Fine-grained security zone was realized by using micro-segmenta-tion,and fine-grained access control was realized by using attribute-based access control.The model-based zero-trust architecture of cy-ber security was applied to the boundary security zone,in which model based on System Modeling Language(SysML)was developed.Iterative process,traceable requirements,fine-grained security zone,and dynamic access control could be achieved in the model-based zero-trust architecture of cyber security.
作者
蒋宁
范纯龙
张睿航
尹震宇
丁国辉
JIANG Ning;FAN Chun-long;ZHANG Rui-hang;YIN Zhen-yun;DING Guo-hui(School of Computer,Shenyang Aerospace University,Shenyang 110136,China;School of Software,Shenyang Normal University,Shenyang 110034,China;Shenyang Institute of Computing Technology Co.Ltd.,Chinese Academy of Sciences,Shenyang 110168,China)
出处
《小型微型计算机系统》
CSCD
北大核心
2023年第8期1819-1826,共8页
Journal of Chinese Computer Systems
基金
辽宁省教育厅青年科技人才"育苗"项目(JYT2020112)资助
沈阳市中青年科技创新人才支持计划项目(RC200576)资助。
关键词
基于模型的系统工程
纵深防御
零信任
微网段
基于属性的访问控制
系统建模语言
model-based systems engineering
defense in depth
zero trust
micro-segmentation
attribute-based access control
system modeling language
