Abstract:
To further improve the network security protection of the railway cloud platform, a fine-grained access control scheme is proposed within the framework of the network security protection system for the railway cloud platform, in accordance with the baseline for classified protection of information system security. By adopting a zero trust access control policy, secure data transmission is completed through the interaction of four major components: the agent, data bus, security gateway and security module. In addition, a labeling technique is adopted to realize fine-grained mandatory access control within and across domains, effectively improving the security protection capability of the cloud platform while maintaining the existing deployment of security protection.