
Li Bin, General Manager of Tencent Cloud Security: Challenges and Practices of Data Security and Privacy Protection in the New Era丨WISE2021 Enterprise Service Ecosystem Summit

Author: 36Kr

On September 2, 2021, the 36Kr "WISE2021 Enterprise Service Ecosystem Summit" was held at the JW Marriott Hotel Shanghai New Development Asia Pacific. At the summit, dozens of enterprise service industry leaders and representatives of investment institutions focused on the "new wave of enterprise services" to jointly look for new drivers of growth for Chinese enterprises, as well as the future trends and challenges of China's enterprise service market.

At present, China's economy has entered a critical period of transformation: the established development model of Chinese enterprises is changing, and cost reduction and efficiency improvement are becoming the common choice of almost all enterprises. Enterprise services have thus become a hot new track in China's commercial market, with international giants, technology companies and new entrants in enterprise services all aiming at the enterprise market in an attempt to find a second growth curve there.

At the WISE2021 Enterprise Service Ecosystem Summit, Li Bin, General Manager of Tencent Cloud Security, shared Tencent's exploration, thinking and practice in cloud data security and enterprise data security under the theme "Challenges and Practices of Data Security and Privacy Protection in the New Era". Li Bin said that in today's enterprise services, data has become a core element of productivity. Against the background of the Internet of Everything and the integration of the digital and the real, we face a series of new challenges brought by new environments, new technologies and new services, and the protection of data security has become a key proposition in the development of enterprises.


Li Bin, General Manager of Tencent Cloud Security

The following is the transcript of the guest speech, compiled by 36Kr editors:

Li Bin: Hello, guests! I am Li Bin from Tencent Cloud Security, and today I bring you our exploration, thinking and practice in cloud data security and enterprise data security.

Originally my topic today was "Facing the Challenges of Data Security in the New Era", but that did not end up as the main title, because the concept of a new era has been mentioned repeatedly over the past ten or twenty years; it can be said that we are in a new era every day. However, over the last five years, and especially the last two or three, everyone has gradually become clearer about the concept of the new era, especially the new wave, and its impact on us has become more and more keenly felt. In recent years, the Party and the state have been advocating a concept, captured in a well-known phrase, "We are in a major change not seen in a hundred years", which first appeared in 2018; its role is not only that of a propaganda slogan but that of the opening preface to the new era ahead.

Over the past two years, everyone has developed many deep feelings about the new era, so I will summarize the new era and new environment we are currently in into three sentences to explain why we are in a new era today:

First, today we are in a new environment, which has several factors. On the one hand, the development of science and technology and of the economy has brought major changes in the game of the entire international situation, and changes in the international situation have a very large and subtle impact on our economy, our science and technology and our daily life. Second, the outstanding event since last year, the global epidemic, has brought many new changes to our modes of production and life and indeed to every aspect of work and life. Third, there have been changes at home and abroad in laws and regulations across the whole economy and finance, especially in the field of informatization, and the overall regulation of security, data and information management by laws and regulations is becoming increasingly strict. All of these have some impact on the operation of our businesses, our lives and our production.

Second, the earlier characteristic of the new era is the impact of new technologies. From five or six years ago, cloud computing and big data began to enter the vision of our production and life, and in recent years blockchain, artificial intelligence, IoT and 5G have slowly become part of our entire financial activities. While new technologies bring convenience to business production, they also bring new challenges.

Third, due to the new environment and new technologies, our industry has also undergone many new changes. To sum up, the new industrial changes come down to two phrases. One is the Internet of Everything, including the industrial Internet; the industrial Internet is a new product of this trend. The other is the integration of the digital and the real: the past decade was more the stage of the consumer Internet, with the entire economy biased towards the virtual economy, the pure digital economy and the online economy. That era is basically being replaced, and the future includes some new and more popular concepts, such as the metaverse, digital twins and digital-real integration; 5G and IoT will have a big impact on our entire production and life. In the future, the integration of the digital and the real will further become the main mode of production and life overall.

Whether it is a new environment, a new technology or a new industry, the topics we talk about are SaaS, cloud computing and enterprise services, and one core proposition cannot be bypassed in any way: data.

Today, data has become the core element of productivity, and the protection of data security has also become a core proposition that restricts or stimulates the development of enterprises. How do we do a good job of data security, so that data can deliver greater value in life? In today's era we face some challenges on the technical, environmental and business sides, and today I will summarize these challenges into three aspects:

First, there is a significant external challenge to enterprise data security. Every year we track the attack situation in the field of information security and network security around the world, including which threat actors pose a threat to our corporate data or national security; we analyze what means or tools they use to attack and what the main targets of the attacks are; and, in response to these problems, we look at which laws, regulations and standards around the world give us guidance and set norms.


Speech PPT

As shown in the figure, two key data points can be found. This chart was refreshed in 2020 from a report from the United States: there are now about 40 hacking organizations with nation-state-level attack capabilities in the world, and more than 40 nation-state-level hacker attacks. Further down are anarchist hackers, commercial espionage and organized crime; the typical domestic embodiment, the "wool-pulling" black and gray industries, is also the mainstream of commercial data attacks. In terms of the overall trend of exploitation or attack targets, enterprise data has over the years gradually become the core target of their attacks.

According to the information we collect, in 2018 nearly 3 billion records were leaked worldwide; in 2019 the figure was about 5 billion; and by 2020 the annual global data leakage had reached more than 10 billion records. Under such a trend, data security, the business data of our enterprises, the personal privacy of users and so on have become very important aspects in which a company may potentially suffer significant risks.

Secondly, in response, governments around the world have recognized the grim situation in this regard. In China in particular, since last year a series of laws and regulations has been issued on data security, users' personal information and related information system security: from the Cybersecurity Law in previous years, to the issuance of the Cryptography Law in 2019, to the Data Security Law and the Personal Information Protection Law in the last two months. Basically, today the laws and regulations on security across the entire field of cyberspace have been essentially perfected; these laws all take effect and are implemented between the end of this year and the beginning of next year, and the subsequent supervision of cyberspace security and data security is in a very strict state. In addition to the domestic situation, laws have also been issued abroad: the European General Data Protection Regulation (GDPR), corresponding laws in the United States, and a series of laws issued in Southeast Asia last year and this year. So legal compliance in the field of data security will become another important constraint and driving force.

Here is a brief introduction to the requirements of several core laws issued in recent years. The Data Security Law, issued in June this year, mainly defines enterprises' responsibility for data security: data security follows the use of the data that enterprises own, and for data leakage or loss, or sharing and loss by the enterprise itself, the enterprise must also bear certain legal responsibilities; this is its main definition. The Personal Information Protection Law, which was just released this month, mainly defines the responsibility of enterprises to protect users' personal information, privacy and sensitive data. In addition, there are two important laws related to enterprise services. The first is the Cryptography Law, issued at the end of 2018, which mainly defines the status of domestic cryptography; because cryptography is the core technology in the entire data security protection stack, from last year the country basically began, in the two fields of government affairs and finance, to strongly promote the application of localized cryptography, which will also have a relatively large impact on the future operation of enterprises. Finally, if they develop to a certain scale, large enterprise service or SaaS service providers may be affected by the Critical Infrastructure Protection Regulations, which define certain responsibilities in terms of business availability and security.

Finally, the age of new technologies: the evolutionary challenges brought by new technologies and new architectures. We saw earlier that in today's era we have mentioned many new technologies, such as 5G, IoT, the Internet of Things, artificial intelligence, and the most basic core, cloud computing and big data. In the process of introducing these new technologies, our industry actually faces very big challenges; for example, cloud computing and big data bring several core challenges:

1. They pose a challenge to the management mechanisms of the enterprise. In a traditional IT architecture, ownership of IT assets is consistent with the business units, and physical control and the cost model are consistent too. Today's adoption of a subscription model, a tenant model such as PaaS or SaaS, produces a vague separation of permissions. Under today's SaaS and PaaS, ownership of all our physical assets and information assets may belong to the cloud service provider or service provider, while data ownership sits on the user side, and the user holds mainly the rights of use and management; this produces a change towards a more complex management model and process.

2. Today the amount of data involved is getting larger and larger and computing power is getting higher and higher; the increase in computing power itself and in data volume poses a very big challenge for protecting our data security. Previously, the amount of data was very small, only one or two databases, perhaps GB-level data, for which full encryption could be done without much impact on performance. Now we may be facing hundreds of terabytes or even petabytes of data, and if security mechanisms are applied, the efficiency of enterprise data and production is greatly constrained and the protection mechanism cannot be applied; if the data is not protected, a variety of internal and external risks will have a very large impact. This is the challenge and constraint that the increase in computing power and in data volume itself brings to enterprises carrying out data security protection.

3. The evolution of new technologies such as cloud computing, the Internet of Things and edge computing rapidly improves the business, but new technology brings new risk surfaces, and these risk surfaces pose some challenges to the thinking of traditional technical architectures. Finally, changes in the computing environment can also bring us new problems. Here are our thoughts and explorations on these issues. In today's new era, the entire enterprise faces five areas of risk in data security protection:

Risks from the outside, such as hacking attacks: in the past two years there have been more and more cases, such as ransomware and the use of enterprise resources for mining, so there are more and more potential attacks, causing very large economic losses to enterprises;

Compliance and governance risks that enterprises themselves face in using and managing data: if the enterprise holds this data today but does not manage it well, it will bring very large compliance and governance constraints and risks;

Many enterprises, especially in the process of using or building SaaS services, face data exchange and sharing. When your data is transferred to a third party whose management specifications and infrastructure may be inconsistent with yours, you face the risk of a potential third party. For example, in a well-known case from previous years, Facebook faced billions of dollars in fines for violating the GDPR in Europe; the main reason was that it handed over a large amount of data to a third-party analysis agency for analysis and processing but did not fulfil the corresponding responsibility for protection. When data is exchanged between enterprises and third parties, attention must also be paid to this risk;

Risks within the enterprise, including fraud and abuse of data by insiders, internal risks caused by negligence of permission control personnel in security awareness, and ransomware attacks on large enterprises that paralyse the production of the entire enterprise, which are numerous;

The underlying infrastructure service providers, which pose some potential derivative risks.

Enterprises face such large internal and external security risks, and in fact there are some very big difficulties in managing them. Here we list the whole life cycle of data in the enterprise's production process: from the generation or acquisition of enterprise data, through the intermediate links including storage, use and transmission of data, to the use of data, and on to data archiving, decommissioning and destruction, six key links in all. The infrastructure involved in each link is different, and at the same time each faces complex protection mechanisms; storage security involves access control, data security and backup security, and these are more difficult for business personnel to understand. With such a long chain involving so many complex mechanisms there are core difficulties; enterprise data security processing faces four core difficulties:

1. How do I know where the data is and where it goes? This is the hierarchical governance strategy for data identification, discovery and classification;

2. After knowing where the data is, how do we protect it effectively? Effective data protection measures in general, such as access control and encryption, are the core issue. However, due to the technical constraints mentioned above, encryption technology is very difficult to use today and its efficiency is relatively low, so how to manage such security mechanisms is the second technical challenge, including the management of keys and the appropriate encryption or data security processing in the different production business links;

3. In the process, the data keeps flowing; how do you know what problems occur in which parts of the data, and whether these behaviours are reasonable or illegal?

4. Monitoring and analysis of data access events during the whole process.

In view of these difficulties, we provide users with some solutions, and we have also accumulated some experience. This chart focuses on data flow, and on the data security issues that the development and operation process brings. At the end of 2019, we found a very important leak point in the entire enterprise data security management process: our developers often embed very important sensitive credentials, such as database access accounts, in code; using cloud-mode development, this is casually transmitted to the cloud, and even data access credentials are passed out. This is a very important risk surface. We built monitoring tools, automatically linked with GitHub officially, detecting leakage events at minute level and alerting users, and finally arrived at a figure: in the whole of last year, just for the potential risk caused by developers on Tencent Cloud leaking keys during development and testing, we finally recovered potential losses for users of 450 million, from nearly a thousand such leaks.

In the whole process of enterprise data security control, beyond the developer's environment, including personnel in direct contact and the office network environment, and including the risk surface of online hacker attacks, the risk of leakage is greater, so we have developed a set of data security control practices. At the earliest stage, it is necessary to establish a division of labour among the organizations in the entire system, including clear responsibilities for our security team, the application and development team and the compliance audit team, and to work together to build organizational security. We first clarify the identification and classification of data, identifying clearly through tools and methods what data the enterprise has, how important it is, in which application systems it exists and what its scope of diffusion is. On this basis, the governance strategy is formulated, including control of the sensitive data of the relevant business, the governance strategy and finally the corresponding technical controls: where transmission is allowed, where to encrypt, where to decrypt, where to desensitize, and the control of information identification. In the process, certain security mechanisms and basic measures are accumulated, and the settled infrastructure provides coverage of the capabilities above it.

In the process we also have some core accumulations, including the matrix of data security capabilities accumulated on Tencent Cloud: virtual isolation of data based on VPC and network isolation, sound isolation of data and user identities with CAM at the core, and, at the very core, our cloud data security middle platform.

Because the entire data security life cycle process mentioned earlier involves a lot of facilities, for example a SaaS business system on the cloud may involve data acquisition services, data analysis and big data services, and finally storage. With so many applications, how do we simplify the deployment of our security mechanisms to achieve the most effective and cost-effective protection? We have established the Tencent Cloud security data middle platform; here is a complete diagram of the entire middle platform. Its main core is the underlying security capabilities: data encryption, key hosting, data desensitization, sensitive data identification and other core capabilities, exposed upwards as PaaS or SaaS service capabilities, so that our users can enable data security controls with one click and use them as needed. These are some of our personal insights and sharing on the exploration and practice of data security and privacy protection in the new era. Thank you.
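As an added illustration, not code from the speech or from Tencent Cloud, the following Python sketch shows in one place three of the capabilities the talk keeps returning to: identifying sensitive data and assigning it a governance tier (the first of the four difficulties), desensitizing it before it is handed to a third party (the second difficulty and the middle-platform capabilities), and raising an alert when a credential is found embedded in code that developers push (the key-leak monitoring described alongside GitHub). The regex rules, tier names, sample files and masking formats are assumptions made for the example; the "AKIA" prefix is the publicly documented form of an AWS access key id, and nothing is fetched from a code host.

```python
"""Constructed example: sensitive-data identification, credential-leak alerting
and desensitization (masking) over a snapshot of files.

Rules are illustrative regexes; a production scanner adds entropy checks,
allow-lists and provider-specific verification of candidate keys.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Rule tuple: (name, pattern, category, sensitivity level 1..3). Assumed rules:
# "AKIA" is the documented prefix of AWS access key ids; the rest are simplified.
RULES = [
    ("password_literal",
     re.compile(r'(?i)\b(?:db_)?(?:password|passwd|pwd)\s*[:=]\s*["\']([^"\']{6,})["\']'),
     "credential", 3),
    ("aws_access_key_id", re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "credential", 3),
    ("cn_id_number", re.compile(r"(?<!\d)\d{17}[\dXx](?!\d)"), "pii", 3),
    ("cn_mobile", re.compile(r"(?<!\d)1[3-9]\d{9}(?!\d)"), "pii", 2),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"), "pii", 1),
]

# Assumed governance tiers keyed by the highest sensitivity level found.
TIERS = {0: "public", 1: "internal", 2: "confidential", 3: "restricted"}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    rule: str
    category: str
    level: int
    value: str


def scan_text(path: str, text: str) -> List[Finding]:
    """Discovery: locate every sensitive value in a file, line by line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pattern, category, level in RULES:
            for m in pattern.finditer(line):
                findings.append(Finding(path, lineno, name, category, level, m.group(0)))
    return findings


def classify(findings: List[Finding]) -> str:
    """Classification: map the highest level found in an asset to a tier."""
    return TIERS[max((f.level for f in findings), default=0)]


def credential_alerts(files: Dict[str, str]) -> List[str]:
    """Flow monitoring: one alert line per credential found in pushed files.
    Stands in for a hook on repository push events; no network access here."""
    return [
        f"{f.path}:{f.line} {f.rule} level={f.level}"
        for path, text in files.items()
        for f in scan_text(path, text)
        if f.category == "credential"
    ]


def mask_value(rule: str, value: str) -> str:
    """Protection: partial masking for PII, full redaction for anything else."""
    if rule == "email":
        local, _, domain = value.partition("@")
        return local[0] + "***@" + domain
    if rule == "cn_mobile":
        return value[:3] + "****" + value[-4:]
    if rule == "cn_id_number":
        return value[:6] + "*" * 8 + value[-4:]
    return "<REDACTED>"


def _mask_match(rule: str, m) -> str:
    whole = m.group(0)
    if m.re.groups:  # keep the key name, redact only the captured secret
        return whole.replace(m.group(1), "<REDACTED>")
    return mask_value(rule, whole)


def desensitize(text: str) -> str:
    """Return a copy of text that is safe to hand to a third party or analytics job."""
    for name, pattern, _, _ in RULES:
        text = pattern.sub(lambda m, n=name: _mask_match(n, m), text)
    return text


# Constructed sample snapshot; the AWS key is AWS's own documented example value.
SAMPLE_FILES = {
    "app/settings.py": 'DB_HOST = "db.internal.example"\nDB_PASSWORD = "s3cretPa55"\n',
    "deploy/.env": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
    "export/customers.csv": (
        "name,mobile,email,id\n"
        "Zhang San,13800138000,zhang.san@example.com,11010119900307123X\n"
    ),
}

if __name__ == "__main__":
    for alert in credential_alerts(SAMPLE_FILES):
        print("ALERT", alert)
    for path, text in SAMPLE_FILES.items():
        print(path, "->", classify(scan_text(path, text)))
    print(desensitize(SAMPLE_FILES["export/customers.csv"]))
```

Credentials are always fully redacted rather than partially masked, since even a prefix of a key narrows a guess; PII keeps enough structure (area code, mail domain) for analytics on the shared copy while the original stays inside the enterprise boundary.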
