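Design and Implementation of a Vault Management System Based on a 4A Management and Control Platform
Published: 2017-12-27 02:12
Keywords for this article: Design and Implementation of a Vault Management System Based on a 4A Management and Control Platform. Source: Beijing Jiaotong University, 2017 master's thesis. Paper type: degree thesis
Related topics: 4A management and control platform, vault management, application scenarios, trigger modes, authorization modes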
[Abstract]: With the rapid development of enterprise support systems, the number of supporting applications and users keeps growing, networks are expanding quickly, information security problems are becoming more prominent, and higher demands are placed on integration between systems. A 4A management and control platform consolidates Account management, Authentication management, Authorization management and security Audit to provide centralized security services for the enterprise, improving the security and manageability of business support systems. However, the 4A platform lacks effective supervision of insiders' behavior while an operation is in progress, which leaves a risk that insiders' high-privilege accounts are abused. To close this gap, the vault management system borrows from bank vault management, where opening and closing the vault requires two custodians to be present and act together, and uses multi-person checks and balances to supervise and control the use of high-privilege accounts. In terms of implementation, the system makes full use of the 4A platform's existing centralized management of accounts and devices, and is built with the SSH framework together with LDAP and a PostgreSQL database. Based on an investigation and analysis of Company B's business processes, the vault management system defines five application scenarios under two trigger modes, "based on account login" and "based on specific operation", and manages insiders' behavior through each scenario's "trigger, apply, authorize" flow. To this end, the front end of the system contains a scenario trigger module and an authorization approval module. The scenario trigger module triggers scenarios automatically: when an operator's behavior matches a scenario's trigger condition, that scenario is triggered automatically and restricts the operator's behavior until the corresponding authorization is obtained. The authorization approval module lets every scenario support multiple authorization modes, so that insiders' behavior is supervised while the impact on their normal work efficiency is reduced. In addition, so that scenarios can be managed easily as the business changes, the back end contains a scenario management module, a sensitive data management module and a policy management module, which allow scenarios to be built and modified quickly; the sensitive data management and policy management modules exist to support the scenario management module. The author took part in the entire design and implementation process and completed the high-level system design, the relational database design, the detailed design and implementation of the five functional modules, and system testing. After the system went live, all functional modules ran normally, performance was stable, and the relevant requirements were basically met. As use of the vault system deepened, the volume of sensitive data queries dropped significantly, which effectively curbed abuse of privileges and reduced the risk of customer sensitive information being leaked.
[Degree-granting institution]: Beijing Jiaotong University
[Degree level]: Master's
[Year degree granted]: 2017
[Classification number]: TP311.52
Article ID: 1339809
Article link: https://www.wllwen.com/shoufeilunwen/xixikjs/1339809.html