Privileged Access Management (PAM): Zero Trust Privilege
Text | Centrify; Translation | 秦隴紀, DataSimp (數據簡化) © 2019-01-26 (Sat)
Contents
B Privileged Access Management (PAM): Zero Trust Privilege
1. Zero Trust Privilege
2. The Six Tenets of Zero Trust Privilege
3. Conclusion
References
1. Zero Trust Privilege

What is Zero Trust Privilege?

Zero Trust Privilege redefines legacy Privileged Access Management (PAM) for the modern enterprise IT threatscape. Organizations must discard the old "trust but verify" model, which relied on a well-defined network perimeter. Zero Trust mandates a "never trust, always verify, enforce least privilege" approach to privileged access, whether the request comes from inside or outside the network.

Zero Trust Privilege grants least-privilege access only after verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least-privilege access, organizations shrink the attack surface, improve audit and compliance visibility, and reduce risk, complexity and cost for the modern hybrid enterprise. [6]

FIGURE: The Zero Trust Privilege Approach
Legacy PAM Is Not Enough for the Expanded Threatscape

Legacy PAM has been around for decades and was designed when all privileged access was confined to systems and resources inside the corporate network. The typical environment was a group of system administrators sharing a "root" account that they checked out of a password vault to reach a server, a database or a network device. Legacy PAM served its purpose.

Today's environment is different. Privileged access covers not only on-premises infrastructure, databases and network devices but also cloud environments. It includes big data projects, it must be automated for DevOps, and it now has to cover the hundreds of containers or microservices that replace what used to be a single server.

On top of this, we now live in a world of Advanced Persistent Threats (APTs), which pose a growing and changing risk to organizations' financial assets, intellectual property and reputations. Expanding access and obtaining credentials is an essential part of most APT campaigns, and privileged credentials are the crown jewels. Forrester (see The Forrester Wave: Privileged Identity Management, Q3 2016) stated that "80% of security breaches involve privileged credentials."

FIGURE: The Shift from Legacy Privileged Access Management to Cloud-Ready Zero Trust Privilege

Cloud-ready Zero Trust Privilege is designed to handle requesters that are not only humans but also machines, services and APIs. Shared accounts will still exist, but for greater assurance, best practice now recommends individual identities rather than shared accounts, so that least privilege can be applied and every action attributed to a person. All controls must be dynamic and risk-aware, which calls for modern machine learning and user behavior analytics. PAM must also integrate and interoperate with a much broader ecosystem: IaaS providers such as AWS and Azure, DevOps CI/CD pipeline tooling such as HashiCorp's products and Ansible, and container platforms such as Docker, Kubernetes and CoreOS.
2. The Six Tenets of Zero Trust Privilege

A Zero Trust Privilege approach lets enterprises grant least-privilege access based on verifying who is requesting access, the context of the request, and the risk of the access environment. By implementing least-privilege access, Zero Trust Privilege minimizes the attack surface, improves audit and compliance visibility, and reduces risk, complexity and cost for the modern hybrid enterprise. Zero Trust Privilege is built on six tenets, covered in detail below.
2.1 Verify Who

Today, identities include not just people but workloads, services and machines. Properly verifying who means leveraging enterprise directory identities, eliminating local accounts, and reducing the overall number of accounts and passwords, all of which reduce the attack surface. Many large organizations have standardized on Microsoft's Active Directory, but Zero Trust Privilege does not require standardizing on any particular directory; different populations of identities can live in different directories. What matters is that each user's identity is established through an HR-vetted enterprise directory identity, so that it is disabled automatically when the person's employment ends. The last thing you want is a database administrator (DBA) who has left the company but still holds privileged access.

A best practice for privileged access is to give each administrator a separate, unique account for administrative work. Microsoft recommends "Alternate Admin Accounts" (commonly called "dash-a" accounts because of the "-A" suffix appended to the username). The alternate account is associated with the administrator but kept separate from their everyday end-user identity, which is typically a well-known account with an email address. If the public email account is compromised, the alternate admin account is not exposed with it.

To verify who, we must also apply multi-factor authentication (MFA) everywhere: at login, at password checkout, at privilege elevation, any time a new request is made. With privileged access we must know with certainty who is on the other end before granting it. MFA is a must-have; passwords alone are not good enough (let's face it, "admin" is still a common password). The good news is that MFA is far easier than it used to be, when you had to wait for a new six-digit code to appear and type it in. Now users simply approve a push notification on their phone and/or touch their FIDO security key.

When implementing MFA, it is critical to enforce at least NIST Authenticator Assurance Level 2 (AAL2, as defined in NIST SP 800-63B) for administrative functions. This means a dual challenge: something you know plus something you have, for example a password combined with a push notification to your phone or a one-time password (OTP) generated by your phone. For the most critical assets it is recommended to go further, to AAL3 where possible: a password combined with a hardware-based cryptographic authenticator such as a smart card or FIDO security key. Google has reported that it has not had a single successful phishing attack on employee accounts since it rolled out FIDO security keys to all of its staff.
2.2 Contextualize the Request

First, why have a "request and approve" access process at all? A database administrator (DBA) should not hold standing rights to every database, only to the ones they need to work on that day. That way, if the DBA's credentials are compromised, the attack surface is limited. For each request it is important to know why somebody, or something, is performing a privileged activity. To do this we must understand the context behind the access request, and review and approve the request on the basis of that context.

Least privilege means providing only the level of privilege needed to perform a specific task, and only for the time needed to perform it. To enforce least privilege, the party granting access must understand the context in order to make an appropriate access decision.

Recording request context typically means associating the request with a specific trouble or change ticket and a stated reason, together with what is being requested and for how long. Once the request is contextualized it must be routed for approval; this workflow can be as simple or as complex as you want, but two properties matter regardless of complexity: the approver must be someone other than the requester, and the grant should expire on its own at the end of the requested period rather than depend on someone remembering to revoke it. For larger companies, doing this well usually means integrating the PAM solution with an enterprise-grade IT Service Management (ITSM) platform such as ServiceNow or an Identity Governance and Administration (IGA) platform such as SailPoint.
2.3 Secure Admin Environment

When accessing privileged resources, it is critical that the connection neither gives malware a path onto the server nor introduces an infection during the session. Access must therefore come only from a clean source. Zero Trust Privilege means preventing direct access from user workstations that also browse the Internet and read email, because such workstations are too easily infected. Access should be granted only through approved privileged admin consoles. This can be achieved in several ways, including web-based access to sensitive systems via an administrative jump box, for example the Centrify Zero Trust Privilege Services with its Connectors.

Modern cloud jump boxes with distributed connectors are a good way to build a secure admin environment for a distributed organization. In the past you only had to secure access from inside your network. A properly designed Zero Trust Privilege admin environment not only lets remote staff reach resources around the clock, it also suits outsourced IT or outsourced development users, because it removes the need for a Virtual Private Network (VPN) and handles all transport security between the secure client and the distributed connectors.

Distributed jump hosts, or "connectors", serve two purposes: load balancing within one network, and support for multiple separate private networks. The connectors are deployed where the resources live (a DMZ, an IaaS tenant, a private network) and maintain private, mutually authenticated connections back to the service. These secure connections allow web-based SSH or RDP that works from any location. For outsourced, third-party users they support federated inbound authentication, meaning authentication can rely on the partner's own directory of authorized employees, which provides much higher identity assurance. The corollary that is easy to overlook: the target systems themselves must accept SSH and RDP connections only from the connectors. If a workstation can still reach a server's SSH port directly, the jump box is optional rather than enforced.
2.4 Grant Least Privilege

Least privilege as a concept is more common than you might realize. Think of physical access control in your office: different categories of staff have different access rights, and to enter certain areas you must request access and be approved. This is well established in physical security, and the same logic applies to logical security when granting granular, role-based access to privileged resources.

A second objective of least privilege is to limit lateral movement across the network. This is the primary way attackers reach sensitive data: they start in one place and move laterally until they find what they are looking for. If we zone off what a compromised identity can reach, we stop lateral movement. Just as nobody should carry a single key or badge that opens everything, you really do not want to use the root account on a server: it grants far too much and attributes nothing to the actual user, whom we will call "Bob". Instead, Bob should log in to the target system with his alternate admin account, whose standing entitlements let him do only what he routinely needs, say restarting a particular set of servers. If he needs to change a configuration or reach a different target system, he must request access for a specified period through something like ServiceNow and may be asked for multi-factor authentication (MFA). Once the work is done, Bob's entitlements fall back to just what he needs.
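The request-and-approve flow of 2.2, the clean-source rule of 2.3 and Bob's just-in-time elevation in 2.4 all come down to one access decision. The Python below is an added example of that decision written for this edit; it is not Centrify's or ServiceNow's code. It assumes an alternate admin naming convention of `<user>-a`, a hypothetical ticket format (an INC or CHG prefix followed by seven digits), a constructed set of approved jump-host names, a four-hour cap on grant duration, and that the `mfa_verified` flag comes from a separate MFA verifier. The scenario in `demo()` (Bob, the hosts and the ticket numbers) is constructed for the example.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

TICKET_RE = re.compile(r"^(INC|CHG)\d{7}$")          # hypothetical ITSM ticket format (assumption)
SHARED_ACCOUNTS = {"root", "administrator", "admin"}   # shared accounts give no attribution to a person
MAX_GRANT = timedelta(hours=4)                         # cap on a just-in-time grant (assumption)


@dataclass
class AccessRequest:
    requester: str              # alternate admin ("-a") account from the HR-vetted directory
    target: str                 # system or zone the grant would apply to
    role: str                   # least-privilege role requested, e.g. "change-config"
    ticket: str                 # ITSM ticket recording why the work is happening
    reason: str
    duration: timedelta
    approved_by: Optional[str] = None


class PrivilegeBroker:
    """One access decision built from who (identity), context (ticket, approval, time window)
    and environment (source host, MFA), with standing roles kept to the routine minimum."""

    def __init__(self, approved_consoles: Set[str], standing_roles: Dict[Tuple[str, str], Set[str]]):
        self.approved_consoles = approved_consoles      # jump hosts: the only clean sources
        self.standing_roles = standing_roles            # (identity, target) -> roles held permanently
        self.grants: List[Tuple[AccessRequest, datetime]] = []   # approved requests with expiry

    def request(self, req: AccessRequest, now: datetime) -> Tuple[AccessRequest, datetime]:
        """Contextualize and approve a request; each check is something an approver would look for."""
        if not req.requester.endswith("-a"):
            raise ValueError("privileged requests must come from an alternate admin (-a) account")
        if not TICKET_RE.match(req.ticket):
            raise ValueError("request must reference a valid ITSM ticket")
        if not req.reason.strip():
            raise ValueError("request must state a reason")
        if not timedelta(0) < req.duration <= MAX_GRANT:
            raise ValueError(f"duration must be positive and at most {MAX_GRANT}")
        if not req.approved_by or req.approved_by == req.requester:
            raise ValueError("request needs an approver other than the requester")
        grant = (req, now + req.duration)   # expires on its own; no revocation step to forget
        self.grants.append(grant)
        return grant

    def authorize(self, identity: str, source_host: str, target: str, role: str,
                  mfa_verified: bool, now: datetime) -> Tuple[bool, str]:
        """Decide one privileged action; the reason string is what the audit log should record."""
        if identity in SHARED_ACCOUNTS:
            return False, "shared account: no attribution to a person"
        if source_host not in self.approved_consoles:
            return False, f"source {source_host} is not an approved admin console"
        if not mfa_verified:
            return False, "MFA required at privilege elevation"
        if role in self.standing_roles.get((identity, target), set()):
            return True, "standing least-privilege role"
        for req, expires_at in self.grants:
            if (req.requester, req.target, req.role) == (identity, target, role) and now < expires_at:
                return True, f"JIT grant under {req.ticket}, expires {expires_at.isoformat()}"
        return False, "no standing role and no active grant: request access first"


def demo() -> Dict[str, bool]:
    """Constructed walk-through of Bob's day; returns the outcome of each check."""
    now = datetime(2019, 1, 26, 10, 0, tzinfo=timezone.utc)
    broker = PrivilegeBroker({"jump-dmz-01"}, {("bob-a", "web-tier"): {"restart-service"}})
    ok = {}
    ok["standing_restart"] = broker.authorize("bob-a", "jump-dmz-01", "web-tier", "restart-service", True, now)[0]
    ok["config_without_grant"] = broker.authorize("bob-a", "jump-dmz-01", "web-tier", "change-config", True, now)[0]
    try:
        broker.request(AccessRequest("bob-a", "db-prod-07", "change-config", "CHG0031337",
                                     "apply listener patch", timedelta(hours=2), approved_by="bob-a"), now)
        ok["self_approval_rejected"] = False
    except ValueError:
        ok["self_approval_rejected"] = True
    broker.request(AccessRequest("bob-a", "db-prod-07", "change-config", "CHG0031337",
                                 "apply listener patch", timedelta(hours=2), approved_by="alice-a"), now)
    later, much_later = now + timedelta(minutes=30), now + timedelta(hours=3)
    ok["grant_active"] = broker.authorize("bob-a", "jump-dmz-01", "db-prod-07", "change-config", True, later)[0]
    ok["grant_expired"] = broker.authorize("bob-a", "jump-dmz-01", "db-prod-07", "change-config", True, much_later)[0]
    ok["from_workstation"] = broker.authorize("bob-a", "laptop-bob", "db-prod-07", "change-config", True, later)[0]
    ok["without_mfa"] = broker.authorize("bob-a", "jump-dmz-01", "db-prod-07", "change-config", False, later)[0]
    ok["as_root"] = broker.authorize("root", "jump-dmz-01", "db-prod-07", "change-config", True, later)[0]
    return ok


if __name__ == "__main__":
    for check, allowed in demo().items():
        print(f"{check:24s} {'ALLOW' if allowed else 'DENY'}")
```

The order of the checks in `authorize` is deliberate: identity and source are rejected before any entitlement is consulted, so a shared account or a direct connection from a workstation never gets as far as the grant table, and the denial reason names the tenet that was violated.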
2.5 Audit Everything

For privileged sessions, best practice is of course to audit everything. With a documented record of every action performed, audit logs can be used not only in forensic analysis to pinpoint exactly what happened, but also to attribute each action to a specific user. Because these sessions are so critical, it is also best practice, for your most critical assets or in highly regulated industries, to keep a video recording of the session that can be reviewed or used as evidence. Several regulations, including PCI DSS for payment card data, specifically require that all actions taken by individuals with administrative privileges be logged.

Monitoring and session recording can be done with a gateway-based technique, a host-based technique, or both. Gateway-based recording sees only traffic that passes through the gateway, so a connection that reaches the target directly is invisible to it. Host-based recording ensures sessions cannot bypass the recorder, and it can also capture process launches and file system changes, which is highly desirable for your most critical resources.

If you have a security department, a good practice is to feed this audit data into your existing Security Information and Event Management (SIEM) system or Cloud Access Security Broker (CASB) service for automated mining, so that risky activity can be identified and alerts raised.
2.6 Adaptive Control

Zero Trust Privilege controls need to adapt to the risk context. Gartner promotes CARTA (Continuous Adaptive Risk and Trust Assessment), and it is absolutely required for privileged access as well. Zero Trust Privilege means that even when a user has entered the correct credentials, if the request comes from a potentially risky location, stronger verification is required before access is permitted. Modern machine learning algorithms are now used to analyze a privileged user's behavior, identify "anomalous" or "non-normal" (and therefore risky) activity, and alert or notify security.

Adaptive control means not only notifying of risky activity in real time but also responding actively: cutting off the session, adding extra monitoring, or flagging the session for forensic follow-up.

Machine learning lets companies sift through millions of events continuously, looking for the needle in the haystack in a way manual forensics could never achieve. Even more valuable is running the analytics inline and in real time, so that truly adaptive preventive controls can be enforced rather than only after-the-fact detective controls. Inline enforcement does raise the cost of a false positive from an analyst's time to a blocked administrator, which is why a step-up MFA challenge, rather than outright denial, is the usual first response to a medium-risk signal, with termination reserved for the strongest ones.
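The detection-and-response loop of 2.5 and 2.6 (audit data mined for anomalies, then step-up MFA or session termination) is shown end to end in the added Python below. It is example code written for this edit, not Centrify's analytics, and it stands in for the machine-learning model the text describes with a hand-written behavioural baseline and fixed rule weights so that the decision logic is visible. The event lines, the baseline for `bob-a`, the rule weights, the sensitive-path list and the two thresholds are all constructed for the example; a real deployment would learn the baseline from history and tune the weights.

```python
import json
from datetime import datetime
from typing import Dict, List, Tuple

# Constructed behavioural baseline for one privileged identity. In a real deployment this is
# learned from history by user behaviour analytics rather than written by hand.
BASELINE = {
    "bob-a": {"countries": {"US"}, "hours": range(7, 20), "targets": {"web-tier", "db-prod-07"}},
}

# Constructed privileged-session events in the JSON-lines shape a SIEM connector might forward.
SAMPLE_EVENTS = """\
{"ts":"2019-01-26T14:05:00Z","user":"bob-a","src_country":"US","target":"web-tier","event":"cmd","cmd":"systemctl restart nginx"}
{"ts":"2019-01-26T14:06:00Z","user":"bob-a","src_country":"US","target":"db-prod-07","event":"cmd","cmd":"sudo -i"}
{"ts":"2019-01-27T03:12:00Z","user":"bob-a","src_country":"DE","target":"db-prod-07","event":"session_start"}
{"ts":"2019-01-27T03:13:00Z","user":"bob-a","src_country":"DE","target":"db-prod-07","event":"cmd","cmd":"cat /etc/shadow"}
"""

ROOT_SHELL = ("sudo -i", "sudo -s", "sudo su", "su -")                     # interactive root shell: attribution is lost
CREDENTIAL_PATHS = ("/etc/shadow", "authorized_keys", ".aws/credentials")  # reads of credential material (constructed list)

STEP_UP_AT, TERMINATE_AT = 25, 60   # constructed thresholds


def score_event(event: Dict, baseline: Dict) -> Tuple[int, List[str]]:
    """Sum rule weights for everything about the event that deviates from the identity's baseline."""
    score, reasons = 0, []
    ts = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    if event["src_country"] not in baseline["countries"]:
        score += 40
        reasons.append(f"new country {event['src_country']}")
    if ts.hour not in baseline["hours"]:
        score += 20
        reasons.append(f"off-hours ({ts.hour:02d}:00 UTC)")
    if event["target"] not in baseline["targets"]:
        score += 15
        reasons.append(f"first access to {event['target']}")
    cmd = event.get("cmd", "")
    if any(cmd.startswith(p) for p in ROOT_SHELL):
        score += 25
        reasons.append("interactive root shell")
    if any(p in cmd for p in CREDENTIAL_PATHS):
        score += 30
        reasons.append("reads credential material")
    return score, reasons


def decide(score: int) -> str:
    """Map a risk score to the adaptive response: allow, demand step-up MFA, or terminate and flag for forensics."""
    if score >= TERMINATE_AT:
        return "terminate_and_flag"
    if score >= STEP_UP_AT:
        return "step_up_mfa"
    return "allow"


def process(lines: str, baselines: Dict = BASELINE) -> List[Dict]:
    """Run the inline check over JSON-lines events. An identity with no baseline yet cannot be
    scored, so it gets a step-up challenge rather than a silent allow."""
    out = []
    for line in lines.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        baseline = baselines.get(ev["user"])
        if baseline is None:
            out.append({"ts": ev["ts"], "user": ev["user"], "score": STEP_UP_AT,
                        "decision": "step_up_mfa", "reasons": ["no behavioural baseline yet"]})
            continue
        score, reasons = score_event(ev, baseline)
        out.append({"ts": ev["ts"], "user": ev["user"], "score": score,
                    "decision": decide(score), "reasons": reasons})
    return out


if __name__ == "__main__":
    for r in process(SAMPLE_EVENTS):
        print(r["ts"], r["user"], r["score"], r["decision"], "; ".join(r["reasons"]))
```

Run against the sample, Bob's routine restart is allowed, his interactive root shell in working hours triggers a step-up challenge, and the off-hours session from an unseen country is terminated and flagged before the `/etc/shadow` read is even scored. The reasons list is what should travel with the alert into the SIEM, since a bare score tells the responder nothing.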
3. Conclusion

To deliver Zero Trust, today's Privileged Access Management (PAM) solutions cannot rely on simply vaulting away shared accounts. They must cover in detail both Privileged Account and Session Management and Privilege Elevation and Delegation Management. But clearly that is not enough. To sufficiently verify who (or what) a requester is, today's cloud-ready PAM must also include privileged identity and access management, multi-factor authentication, and privilege threat analytics.

Legacy PAM did a great job of serving yesterday's threatscape, but in the modern enterprise IT world, to protect yourself, your company, your customers and your investors, a Zero Trust Privilege approach should be applied.

© 2019 Centrify Corporation. All Rights Reserved.
Chinese Academy of Sciences "Zero Trust" AI anti-corruption system shut down for being too effective (Sciences220)
秦隴紀 2010-2019 © 科學Sciences
Summary: The Chinese Academy of Sciences' "Zero Trust" AI anti-corruption system was shut down for being too effective. Author: 秦隴紀. Sources: South China Morning Post / 知識簡化 / DataSimp community (non-commercial licence) / 秦隴紀 WeChat groups and public account; references are cited with their sources.