A cloud service micro-isolation gateway construction method and device based on a zero-trust architecture
By constructing a cloud service micro-segmentation gateway based on a zero-trust architecture, the problem of traditional devices in cloud-based domain-based and permission-based micro-segmentation protection scenarios is solved, realizing the security and controllability of cloud service access and data flow, and improving the security protection capabilities of distributed cloud environments.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Patents(China)
- Current Assignee / Owner
- NO 30 INST OF CHINA ELECTRONIC TECH GRP CORP
- Filing Date
- 2025-12-19
- Publication Date
- 2026-07-14
AI Technical Summary
Traditional zero-trust security gateway devices are difficult to adapt to cloud-based domain-based, permission-based, and micro-segmentation protection scenarios. How to finely control the access boundaries and scope of distributed cloud services has become a challenge.
A cloud service micro-segmentation gateway construction method based on zero-trust architecture is adopted. Through the dynamic construction and identification registration of distributed cloud service identity context, the dynamic perception and interactive generation of distributed cloud service domain, and the dual-driven strategy generation of fast permission judgment and remote authorization collaboration, secure and controlled cloud service access and data flow are achieved.
It achieves fine-grained access control and security isolation for cloud services in distributed cloud scenarios, enhances the difficulty of defending against lateral movement intrusions, adapts to the elastic changes of cloud assets and services, and improves the construction of new digital infrastructure.
Smart Images

Figure CN121690789B_ABST
Abstract
Description
Technical Field
[0001] This invention relates to the field of cloud computing technology, and more specifically, to a method and apparatus for constructing a cloud service micro-segmentation gateway based on a zero-trust architecture. Background Technology
[0002] With the rapid development and scenario-based application of distributed cloud data centers and distributed cloud-native technologies, enterprises are extending their full-stack cloud-native capabilities to locations closer to their business needs (such as multi-cloud, hybrid cloud, near-field edge, and field edge). Distributed cloud deployment architecture centered on public cloud has become a new trend for enterprises moving to the cloud. Enterprise businesses are vertically deploying across cloud and edge, and horizontally deploying across different domains. Domain-based and hierarchical management of cloud services has become a common security management model. Faced with the complex cloud-native enterprise business application scenarios in the distributed environment of "endpoint"-"network"-"cloud", traditional zero-trust security gateway devices are difficult to adapt to the domain-based and hierarchical micro-segmentation protection scenarios in the cloud. How to finely control the access boundaries and access scope of distributed cloud services has become a challenge.
[0003] Existing technical solutions provide some cloud service management methods and private security systems, but do not cover cloud service identity identification, service domain construction, dynamic authorization, and zero-trust micro-segmentation policy management mechanisms. Summary of the Invention
[0004] The purpose of this invention is to overcome the shortcomings of the prior art and provide a method and device for constructing a cloud service micro-segmentation gateway based on a zero-trust architecture. This invention achieves secure and controlled access to cloud services and data flow, strengthens the defense against internal and external penetration and intrusion in distributed clouds, and increases the difficulty of lateral movement. It has important practical significance for improving the construction of new digital infrastructure.
[0005] The objective of this invention is achieved through the following solution:
[0006] A method for constructing a cloud service micro-segmentation gateway based on a zero-trust architecture includes:
[0007] Step 1: Dynamic Construction and Identification Registration of Distributed Cloud Service Identity Context: By deploying a cloud service micro-segmentation gateway in the cloud host operating system and linking it with the cloud service micro-segmentation protection and management system, it is used for cloud service identification and context construction and dynamic updating of cloud service context information, providing basic data support for subsequent service domain awareness and policy generation.
[0008] Step 2, Dynamic Perception and Interaction Generation of Distributed Cloud Service Domains: Based on prior knowledge and group identifiers, and by integrating the cloud service context information generated in Step 1, cloud service domain information is analyzed and generated, and the communication relationships are converted into a graphical representation for the administrator.
[0009] Step 3: Generation of policies driven by both permission decision-making and remote authorization collaboration: Design a policy generation process driven by both permission decision-making and remote authorization collaboration to respond to changes in cloud services and to achieve unified and centralized authorization management, forming a model of isolated protection of local security loops and overall security loops.
[0010] Furthermore, in step one, the deployment of a cloud service micro-segmentation gateway in the cloud host operating system, in conjunction with the cloud service micro-segmentation protection and management system, for cloud service identification and context construction and dynamic updating of cloud service context information, specifically includes the following sub-steps:
[0011] S11, the cloud service micro-segmentation gateway collects basic service attribute information and service runtime environment information by calling operating system interfaces and container management tools, and reports them to the backend of the cloud service micro-segmentation protection and control system.
[0012] S12, the cloud service micro-isolation protection and management system will normalize the collected and aggregated data, and extract the fixed and dynamic attributes of cloud hosts and cloud services through correlation analysis, forming the identity context of cloud hosts and cloud services, and constructing cloud service identity profile information based on the cloud service context and cloud host identity profile information based on the cloud host identity context.
[0013] S13. Based on the cloud host identity profile information and cloud service identity profile information, register resource identity with the identity management system, apply for resource identity identifier, and establish the association between cloud service context and cloud service identity identifier, and cloud host context and cloud host identity identifier.
[0014] S14. Based on changes in cloud host and cloud service data, dynamically update the dynamic attributes in the service context to maintain the association between the changed cloud service context and cloud service identity, and between the cloud host context and cloud host identity.
[0015] Furthermore, the basic service attribute information includes process service, process instance, process socket, software program, container service, container instance, container instance IP address, and container mirror; the service runtime environment information includes cloud host specifications, resource load, network card configuration, and IP address information data.
[0016] Furthermore, in step two, the process of generating a cloud service domain based on prior knowledge and annotations, and converting communication relationships into a graphical representation for the administrator, specifically includes the following sub-steps:
[0017] S21, the backend of the cloud service micro-segmentation protection and management system, queries the trusted software management system to match the application template, parses the cloud service characteristics in the application template, matches the corresponding cloud service based on the hash value of the software program and container image, and associates the relationship between the cloud host and the cloud service based on the cloud service identity context.
[0018] S22, the backend of the cloud service micro-segmentation protection and management system uses process sockets, container instance IP addresses, and cloud host IP address information to perform correlation analysis and draw a communication topology based on process service communication relationships, and associate the relationships between cloud services.
[0019] S23, through the interactive and visual operation interface of the cloud service micro-segmentation protection and management system, the cloud host resources are displayed to the administrator. After the administrator marks the cloud host asset group attributes and submits them to the backend, the backend associates the relationship between assets, cloud hosts and cloud services.
[0020] S24, the backend of the cloud service micro-segmentation protection and management system, divides security boundaries to generate service domains based on the relationships between asset groups, cloud hosts and cloud services, as well as communication topology, and registers service domain information with the identity management system.
[0021] Furthermore, in step three, the strategy generation process, which combines design permission judgment with remote authorization collaboration, is used to respond to changes in cloud services and to achieve unified centralized authorization management, forming a pattern of isolated protection for local and overall security loops. This process specifically includes the following sub-steps:
[0022] S31, the front end of the cloud service micro-segmentation protection and management system, presents the service domain and communication topology, and prompts the administrator to configure the mutual access control policies between cloud services, between cloud services and service domains, and between service domains according to the organizational relationship. It submits the mutual access control policies between cloud service identity identifiers and between cloud service domain identity identifiers to the back end.
[0023] S32, the backend of the cloud service micro-segmentation protection and management system, determines access permissions and generates cloud service access control rules based on the locally configured cloud service and inter-domain access control policies, and sends them to the cloud service micro-segmentation gateway for execution of the access control rules.
[0024] S33, the cloud service micro-segmentation gateway, performs network traffic packet filtering, allowing, and blocking operations based on the issued access control rules through on-demand traffic interception and traffic filtering forwarding mechanisms.
[0025] S34. After configuring the mutual access authorization management policy based on cloud service identity and cloud service domain identity in the authorization management system, it is pushed to the backend of the cloud service micro-segmentation protection and control system. The backend of the cloud service micro-segmentation protection and control system dynamically determines access permissions and generates cloud service access control rules based on the locally configured mutual access control policy and the remotely configured mutual access authorization policy. It then issues the updated access control rules to the cloud service micro-segmentation gateway and repeats step S33.
[0026] Furthermore, the organizational relationship is specifically an organizational relationship of "asset group - cloud host - service domain - cloud service - container / process".
[0027] A cloud service micro-segmentation gateway construction device based on zero-trust architecture includes a processor and a memory, wherein the memory stores a computer program that, when loaded by the processor, executes the method described in any of the preceding methods.
[0028] The beneficial effects of this invention include:
[0029] This invention addresses the cross-cloud-edge collaborative deployment of cloud services in distributed cloud data centers and distributed cloud-native scenarios. It proposes a dynamic micro-segmentation control method and device for distributed cloud services based on a zero-trust architecture. The method employs a dual-driven strategy generation mechanism: dynamic construction and registration of distributed cloud service identity contexts, dynamic perception and interaction generation of distributed cloud service domains, and rapid permission judgment and remote authorization collaboration. This enables dynamic construction of cross-cloud service domain security boundaries and fine-grained access control based on cloud services. It improves the micro-service security isolation of enterprise businesses in different domains within distributed cloud scenarios. Furthermore, the adaptive application strategy, which changes with the elasticity of cloud assets and services, ensures secure and controlled access to cloud services and data flow. This strengthens the defense against internal and external penetration and intrusion in distributed clouds and increases the difficulty of lateral movement, which has significant practical implications for improving the construction of new digital infrastructure. The proposed solution can also be further extended to other similar scenarios. Attached Figure Description
[0030] To more clearly illustrate the technical solutions in the embodiments of the present invention or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.
[0031] Figure 1 This is a flowchart illustrating the distributed cloud service domain dynamic perception and generation process according to an embodiment of the present invention.
[0032] Figure 2 This is a flowchart illustrating the dynamic identification and authentication process for distributed cloud service identity in an embodiment of the present invention.
[0033] Figure 3 This is a flowchart illustrating the strategy generation process of rapid decision-making and dynamic authorization in an embodiment of the present invention. Detailed Implementation
[0034] All features disclosed in all embodiments of this specification, or steps in all methods or processes implied in the disclosure, may be combined and / or extended or replaced in any way, except for mutually exclusive features and / or steps.
[0035] The specific implementation process of this invention is as follows:
[0036] This invention addresses the cross-cloud-edge collaborative deployment of cloud services in distributed cloud data centers and distributed cloud-native scenarios. It proposes a cloud service micro-segmentation gateway construction scheme based on a zero-trust architecture. The method employs a mechanism that dynamically constructs and registers distributed cloud service identity contexts, dynamically perceives and interacts with distributed cloud service domains, and uses a dual-driven strategy generation mechanism of rapid permission judgment and remote authorization collaboration. This enables dynamic construction of cross-cloud service domain security boundaries, fine-grained access control based on cloud services, and visualized management of cloud service micro-segmentation protection. It helps users quickly understand the current business status and security situation, improves the micro-service security isolation of enterprise businesses in different domains under distributed cloud scenarios, strengthens the defense against internal and external penetration and intrusion in distributed clouds, and increases the difficulty of lateral movement. This has significant practical implications for improving the construction of new digital infrastructure.
[0037] More specifically, as a first aspect of the present invention, in a preferred embodiment, a method for constructing a cloud service micro-segmentation gateway based on a zero-trust architecture is provided, comprising:
[0038] Step 1: Dynamic Construction and Identifier Registration of Distributed Cloud Service Identity Context
[0039] Specifically, this step involves deploying a cloud service micro-segmentation gateway in the cloud host operating system, which works in conjunction with the cloud service micro-segmentation protection and management system to achieve automatic cloud service identification and context construction, as well as dynamic updates of cloud service context information. This maintains the uniqueness of cloud service and cloud host identities, providing fundamental support for subsequent security policy adjustments that adapt to the cloud environment. The specific sub-steps are as follows:
[0040] (1) The cloud service micro-segmentation gateway collects basic service attribute information (including process service, process instance, process socket, software program, container service, container instance, container instance IP address, container image and other information data) and service operation environment information (including cloud host specifications, resource load, network card configuration, IP address and other information data) by calling the operating system interface and container management tools, and reports it to the backend of the cloud service micro-segmentation protection and control system;
[0041] (2) The cloud service micro-isolation protection and control system normalizes the collected and summarized data, and extracts the fixed and dynamic attributes of cloud hosts and cloud services through correlation analysis, forming the identity context of cloud hosts and cloud services, and constructing cloud service identity profile information based on cloud service context and cloud host identity profile information based on cloud host identity context.
[0042] (3) Based on the cloud host identity profile information and cloud service identity profile information, register resource identity with the identity management system, apply for resource identity identifier, and establish the association between cloud service context and cloud service identity identifier, and cloud host context and cloud host identity identifier;
[0043] (4) Based on the changes in cloud host and cloud service data, dynamically update the dynamic attributes in the service context to maintain the association between the changing cloud service context and cloud service identity, and between the cloud host context and cloud host identity.
[0044] Step 2: Dynamic Perception and Interaction Generation of Distributed Cloud Service Domains
[0045] Specifically, this step of generating distributed cloud service domains is based on prior knowledge and group identifiers. It integrates the cloud service context information generated in step one to analyze and generate cloud service domain information. This transforms complex communication relationships into intuitive graphical representations for administrators, simplifying the configuration of micro-segmentation policies in large-scale cloud service environments. It provides foundational data support for policy generation and auxiliary support for micro-segmentation policy formulation. The specific sub-steps are as follows:
[0046] (1) The backend of the cloud service micro-segmentation protection and control system queries the application templates from the trusted software management system, parses the cloud service features in the application templates, matches the corresponding cloud services based on the hash values of the software program and container image, and automatically associates the cloud host-cloud service relationship based on the cloud service identity context.
[0047] (2) The backend of the cloud service micro-segmentation protection and control system uses information such as process sockets, container instance IP addresses, and cloud host IP addresses to analyze and draw the communication topology based on the communication relationship between process services, and automatically associates the cloud service-cloud service relationship.
[0048] (3) Through the interactive and visual operation interface of the cloud service micro-segmentation protection and management system, the cloud host resources are displayed to the administrator. The administrator marks the cloud host asset group attributes and submits them to the backend. The backend automatically associates the asset group-cloud host-cloud service relationship.
[0049] (4) The backend of the cloud service micro-segmentation protection and control system automatically divides the security boundary to generate service domains based on the relationship and communication topology of asset group-cloud host-cloud service, and registers the service domain information with the identity management system.
[0050] Step 3: Strategy Generation Driven by Both Rapid Permission Decision and Remote Authorization Collaboration
[0051] Specifically, this step, from the perspective of agile response to rapid changes in cloud services and unified centralized authorization management, designs a policy generation process driven by both rapid permission judgment and remote authorization collaboration. This forms a micro-isolation protection local security closed loop and an overall security closed loop model, improving security response performance. The specific sub-steps are as follows:
[0052] (1) The front end of the cloud service micro-segmentation protection and control system presents the service domain and communication topology, and prompts the administrator to configure the mutual access control policies between cloud services, between cloud services and service domains, and between service domains according to the organizational relationship of "asset group-cloud host-service domain-cloud service-container / process". The system submits the mutual access control policies between cloud service identity identifiers and cloud service domain identity identifiers to the back end.
[0053] (2) The backend of the cloud service micro-segmentation protection and control system quickly determines access permissions and generates cloud service access control rules based on the locally configured cloud service and inter-domain access control policies, and sends them to the cloud service micro-segmentation gateway for execution of access control rules.
[0054] (3) The cloud service micro-segmentation gateway performs network traffic packet filtering, allowing, and blocking operations based on the issued access control rules through on-demand traffic interception and traffic filtering forwarding mechanisms.
[0055] (4) After configuring the mutual access authorization management policy based on cloud service identity and cloud service domain identity in the authorization management system, push it to the backend of the cloud service micro-isolation protection and control system. The backend of the cloud service micro-isolation protection and control system dynamically determines the access permissions and generates cloud service access control rules based on the locally configured mutual access control policy and the remotely configured mutual access authorization policy. It then issues the cloud service micro-isolation gateway to update the access control rules and repeats step (3).
[0056] As a second aspect of the present invention, a cloud service micro-segmentation gateway construction apparatus based on zero-trust architecture is provided, including a processor and a memory, wherein a computer program is stored in the memory, and when the computer program is loaded by the processor, the method described above is executed.
[0057] The units described in the embodiments of the present invention can be implemented in software or hardware, and the described units can also be located in a processor. The names of these units do not necessarily limit the specific unit itself.
[0058] According to one aspect of the present invention, a computer program product or computer program is provided, the computer program product or computer program including computer instructions stored in a computer-readable storage medium. A processor of a computer device reads the computer instructions from the computer-readable storage medium, and executes the computer instructions, causing the computer device to perform the methods provided in the various optional implementations described above.
[0059] In another aspect, embodiments of the present invention also provide a computer-readable medium, which may be included in the electronic device described in the above embodiments; or it may exist independently and not assembled into the electronic device. The computer-readable medium carries one or more programs, which, when executed by the electronic device, cause the electronic device to perform the methods described in the above embodiments.
Claims
1. A method for constructing a cloud service micro-segmentation gateway based on a zero-trust architecture, characterized in that, include: Step 1: Dynamic Construction and Identification Registration of Distributed Cloud Service Identity Context: By deploying a cloud service micro-segmentation gateway in the cloud host operating system and linking it with the cloud service micro-segmentation protection and management system, it is used for cloud service identification and context construction and dynamic updating of cloud service context information, providing basic data support for subsequent service domain awareness and policy generation. Specifically, it includes the following sub-steps: S11, the cloud service micro-segmentation gateway collects basic service attribute information and service runtime environment information by calling operating system interfaces and container management tools, and reports them to the backend of the cloud service micro-segmentation protection and control system. S12, the cloud service micro-isolation protection and management system will normalize the collected and aggregated data, and extract the fixed and dynamic attributes of cloud hosts and cloud services through correlation analysis, forming the identity context of cloud hosts and cloud services, and constructing cloud service identity profile information based on the cloud service context and cloud host identity profile information based on the cloud host identity context. S13. Based on the cloud host identity profile information and cloud service identity profile information, register resource identity with the identity management system, apply for resource identity identifier, and establish the association between cloud service context and cloud service identity identifier, and cloud host context and cloud host identity identifier. S14. Based on the changes in cloud host and cloud service data, dynamically update the dynamic attributes in the service context to maintain the association between the changed cloud service context and cloud service identity, and between the cloud host context and cloud host identity. Step 2, Dynamic Perception and Interaction Generation of Distributed Cloud Service Domains: Based on prior knowledge and group identifiers, and by integrating the cloud service context information generated in Step 1, cloud service domain information is analyzed and generated, and the communication relationships are converted into a graphical representation for the administrator. Step 3: Generation of policies driven by both permission decision-making and remote authorization collaboration: Design a policy generation process driven by both permission decision-making and remote authorization collaboration to respond to changes in cloud services and to achieve unified and centralized authorization management, forming a model of isolated protection of local security loops and overall security loops.
2. The method for constructing a cloud service micro-segmentation gateway based on a zero-trust architecture according to claim 1, characterized in that, The basic service attribute information includes process service, process instance, process socket, software program, container service, container instance, container instance IP address, and container mirror; the service runtime environment information includes cloud host specifications, resource load, network card configuration, and IP address information.
3. The method for constructing a cloud service micro-segmentation gateway based on a zero-trust architecture according to claim 2, characterized in that, In step two, the process of generating a cloud service domain based on prior knowledge and annotations, and converting communication relationships into a graphical representation for the administrator, specifically includes the following sub-steps: S21, the backend of the cloud service micro-segmentation protection and management system, queries the trusted software management system to match the application template, parses the cloud service characteristics in the application template, matches the corresponding cloud service based on the hash value of the software program and container image, and associates the relationship between the cloud host and the cloud service based on the cloud service identity context. S22, the backend of the cloud service micro-segmentation protection and management system uses process sockets, container instance IP addresses, and cloud host IP address information to perform correlation analysis and draw a communication topology based on process service communication relationships, and associate the relationships between cloud services. S23, through the interactive and visual operation interface of the cloud service micro-segmentation protection and management system, the cloud host resources are displayed to the administrator. After the administrator marks the cloud host asset group attributes and submits them to the backend, the backend associates the relationship between assets, cloud hosts and cloud services. S24, the backend of the cloud service micro-segmentation protection and management system, divides security boundaries to generate service domains based on the relationships between asset groups, cloud hosts and cloud services, as well as communication topology, and registers service domain information with the identity management system.
4. The method for constructing a cloud service micro-segmentation gateway based on a zero-trust architecture according to claim 1, characterized in that, In step three, the policy generation process, which combines design permission judgment and remote authorization collaboration, is used to respond to changes in cloud services and to achieve unified centralized authorization management, forming a pattern of isolated protection for local and overall security loops. This process specifically includes the following sub-steps: S31, the front end of the cloud service micro-segmentation protection and management system, presents the service domain and communication topology, and prompts the administrator to configure the mutual access control policies between cloud services, between cloud services and service domains, and between service domains according to the organizational relationship. It submits the mutual access control policies between cloud service identity identifiers and between cloud service domain identity identifiers to the back end. S32, the backend of the cloud service micro-segmentation protection and management system, determines access permissions and generates cloud service access control rules based on the locally configured cloud service and inter-domain access control policies, and sends them to the cloud service micro-segmentation gateway for execution of the access control rules. S33, the cloud service micro-segmentation gateway, performs network traffic packet filtering, allowing, and blocking operations based on the issued access control rules through on-demand traffic interception and traffic filtering forwarding mechanisms. S34. After configuring the mutual access authorization management policy based on cloud service identity and cloud service domain identity in the authorization management system, it is pushed to the backend of the cloud service micro-segmentation protection and control system. The backend of the cloud service micro-segmentation protection and control system dynamically determines access permissions and generates cloud service access control rules based on the locally configured mutual access control policy and the remotely configured mutual access authorization policy. It then issues the updated access control rules to the cloud service micro-segmentation gateway and repeats step S33.
5. The method for constructing a cloud service micro-segmentation gateway based on a zero-trust architecture according to claim 4, characterized in that, The organizational relationship is specifically defined as "Asset Group - Cloud Host - Service Domain - Cloud Service - Container / Process".
6. A cloud service micro-segmentation gateway construction device based on zero-trust architecture, characterized in that, It includes a processor and a memory, wherein the memory stores a computer program that, when loaded by the processor, executes the method as described in any one of claims 1 to 5.