Building data security operation capabilities from the perspective of Didi security incidents

I. Introduction

On the evening of December 9, 2021, the Apache Log4j2 remote code execution vulnerability (CVE-2021-44228) shook the world. It can fairly be called an epic vulnerability, with a CVSS score of 10 out of 10, and it affected most of the world's Internet companies; Baidu, Apple and others were revealed to be affected.

Nearly a month has passed since the vulnerability was disclosed, and attacks exploiting it have emerged one after another: some spread cryptominers, some spread ransomware, some build botnets, and some are used in APT attacks to steal data. Apart from mining, all of these activities revolve around collecting data. So it has to be said: after an epic vulnerability, it is time to get back to protecting your data. This article therefore discusses data security and the data security operation system.


II. The necessity of data security construction

1. Overview

Speaking of data security, the most striking case of 2021 was none other than Didi:

[Figure: timeline of the Didi security review]


  • On July 2, the Cyberspace Administration of China launched a security review of Didi Chuxing and suspended new user registrations, citing "national data security risks, safeguarding national security and protecting the public interest";
  • On July 4, the Cyberspace Administration of China issued a notice stating that the "Didi Chuxing" app had seriously violated laws and regulations in collecting and using personal information, and ordered app stores to remove it;
  • On July 9, the Cyberspace Administration of China issued a further notice requiring the removal of 25 apps, including Didi Enterprise Edition;
  • On July 16, the Cyberspace Administration of China announced that, together with the Ministry of Public Security, the Ministry of State Security, the Ministry of Natural Resources, the Ministry of Transport, the State Administration of Taxation, the State Administration for Market Regulation and other departments, it had stationed a joint team at Didi Chuxing Technology Co., Ltd. to carry out a cybersecurity review.

At the same time, on July 5, "Yunmanman", "Wagon Gang" and "BOSS Direct Recruitment" were also placed under cybersecurity review, with new user registrations suspended for the duration. On July 10, the Cyberspace Administration of China released the "Cybersecurity Review Measures (Revised Draft for Comments)" (the measures were reviewed and approved at the 20th office meeting of the Cyberspace Administration of China in 2021 on November 16, 2021, and take effect on February 15, 2022), under which operators holding the personal information of more than 1 million users must apply to the Cybersecurity Review Office for a cybersecurity review before listing abroad.

This series of events reflects the chaos seen on domestic Internet platforms in recent years, such as data security vulnerabilities and data abuse. Data security has become the most urgent and fundamental security issue of the digital economy era, and strengthening data security governance has become a strategic necessity for safeguarding national security and national competitiveness. In recent years, the implementation or promulgation of legal frameworks for data security protection, such as the Cybersecurity Law, the Data Security Law and the Personal Information Protection Law, has provided institutional and legal support for data security protection.

With the introduction of national data security governance and related laws, the importance of data to economic development is increasingly evident. As the core and most valuable production factor of the digital economy era, data is rapidly becoming a new driving force and engine of global economic growth.

In fact, on April 9, 2020, in the "Opinions of the Central Committee of the Communist Party of China and the State Council on Building a More Complete System and Mechanism for the Market-based Allocation of Factors", "data" was written into the document as a new type of production factor, placed alongside land, labor, capital and technology.

[Figure omitted]

New ICT technologies, models and applications such as 5G, artificial intelligence, cloud computing and blockchain are all built on massive amounts of data, and data volumes are growing explosively. IDC predicts that the global datasphere will reach 175 ZB in 2025, of which China's data volume is expected to grow to 48.6 ZB, accounting for 27.8% of the global datasphere and making China the world's largest datasphere.

[Figures: IDC global and China data volume forecasts]


2. China's data security policies

As the importance of data increases, data security issues have become a security issue related to national security, social security, and citizen safety. Data security governance has gradually been elevated to the strategic level of national security governance. This can be seen from the fact that in recent years, the country has repeatedly issued relevant laws and regulations, placing data security in a prominent position.

Below are some of the data security laws and regulations that China has introduced in recent years.

  • On July 1, 2015, the National Security Law of the People's Republic of China was officially promulgated, formally bringing data security within the scope of national security;
  • On November 7, 2016, the Cybersecurity Law of the People's Republic of China was officially released, covering personal information protection, data storage and cross-border security, data (information) content security, and the security of data systems, platforms and facilities, and regulating the compliance of data and personal information handling; the law took effect on June 1, 2017;
  • On May 28, 2019, the "Data Security Management Measures (Draft for Comments)" were released, addressing the network data security problems of recent years, such as the means used to collect sensitive personal information, targeted advertising, excessive permission requests by apps and difficulty cancelling accounts;
  • On June 13, 2019, the "Measures for Security Assessment of Personal Information Transfer Abroad (Draft for Comments)" were released. They clarify the key contents of the security assessment for transferring personal information abroad and stipulate that every transfer of personal information abroad must be reported in accordance with the law to the cyberspace administration, which organizes a security assessment; they clarify the guarantees for the rights of personal information subjects, such as the right to know, in cross-border scenarios; they strengthen supervision of overseas recipients through a series of provisions; and they comprehensively specify the terms of the contract signed between network operators and recipients of personal information;
  • On December 30, 2019, the "Methods for Determining Illegal Collection and Use of Personal Information by Apps" were released, defining six categories of unlawful collection and use of personal information by mobile apps and proposing criteria for identifying them;
  • On May 28, 2020, the Civil Code of the People's Republic of China was adopted, clarifying the positioning and definition of privacy and personal information, the scope of personal information processing, the rights of data subjects and the applicable requirements, and establishing that data activities must follow the principles of lawfulness, legitimacy and necessity;
  • On March 22, 2021, the "Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications" were released, defining the scope of necessary personal information for 39 common types of apps and prohibiting operators from denying users access to an app's basic functional services because they refuse to provide unnecessary personal information, in order to effectively regulate the collection and use of personal information by apps and promote their healthy development;
  • On April 26, 2021, the "Interim Regulations on the Protection and Management of Personal Information in Mobile Internet Applications (Draft for Comments)" were released, establishing the two important principles of "informed consent" and "minimum necessity"; detailing the responsibilities and obligations of five types of entities: app developers and operators, distribution platforms, third-party service providers, terminal manufacturers and network access service providers; and proposing four regulatory requirements: complaints and reports, supervision and inspection, disposal measures and risk warnings;
  • On June 10, 2021, the Data Security Law of the People's Republic of China was officially passed, establishing the basic systems for data security management, clarifying data security protection obligations and assigning responsibility for data security protection, emphasizing security and development in equal measure, and stipulating measures to support data security and development; the law took effect on September 1, 2021;
  • On August 20, 2021, the Personal Information Protection Law of the People's Republic of China was officially passed, clarifying the rules for processing personal information, individuals' rights and obligations in personal information processing activities, and the departments responsible for personal information protection; the law took effect on November 1, 2021;
  • On November 16, 2021, the "Cybersecurity Review Measures" were officially adopted, requiring operators holding the personal information of more than 1 million users to apply to the Cybersecurity Review Office for a cybersecurity review before listing abroad; the measures take effect on February 15, 2022.

In addition to relevant laws, regulations and policies at the national level, various local provinces and cities have also issued a series of regulations and guidelines related to data security, some of which are listed below:

[Figure: list of local data security regulations and guidelines]

In addition, industries with significant data security concerns, such as finance and insurance, telecommunications and the Internet, the Internet of Vehicles and the industrial Internet, have paid increasing attention to data and data security in recent years. Departments such as the People's Bank of China, the China Banking and Insurance Regulatory Commission, the Ministry of Industry and Information Technology and the Ministry of Science and Technology have issued corresponding regulations to standardize data security management in their industries and improve data security protection capabilities, providing policy guidance for data classification and grading, management capability assessment, security protection and related work. For example:

[Figures: industry data security regulations]


In general, China's current data security legislation is based on the National Security Law, the Cybersecurity Law and the Civil Code, and each province and city issues corresponding local regulations according to local conditions. Data security and cross-border data issues are still being actively explored. Given the wide range of data applications, the regulatory authorities of each industry should perform their own duties in managing and protecting data within their industry.

3. The game between great powers around data security

In fact, data security issues are by no means unique to China, but are a common problem faced by the whole world. Governments around the world have gradually realized that data has become a major factor closely related to national security and international competitiveness, and their understanding of data security has also risen from traditional personal privacy protection to the maintenance of national security.

On May 25, 2018, the European Union officially introduced the General Data Protection Regulation, the GDPR we are all familiar with, which requires that companies' privacy protection measures be more detailed, their data protection agreements more specific, and their disclosure of privacy and data protection practices more user-friendly and detailed. On June 30, 2020, the European Data Protection Authority also released the "European Data Protection Authority Strategic Plan (2020-2024)", which aims to continue strengthening data protection in three respects, forward-looking, action-oriented and coordinated, so as to protect personal privacy rights.

Beyond Europe, the U.S. White House Office of Management and Budget (OMB) released the "Federal Data Strategy and 2020 Action Plan" on December 23, 2019, establishing basic principles such as protecting data integrity, ensuring the authenticity of data in circulation and securing data storage.

As data security rises to the national level, data competition among countries is being taken increasingly seriously. The review of Didi raises the possibility of data leakage at the national level: under U.S. law, audit working papers, user data and city data would have to be submitted in accordance with the Holding Foreign Companies Accountable Act. Some of this data, map data in particular, is core data tied to national data sovereignty and could directly affect national security, the public interest and social stability.

Today, as the contest between great powers intensifies, data is an important factor of production and a strategic resource for the country, and its increasingly frequent cross-border flow brings potential national security risks. First, intelligence data transferred overseas is more easily obtained by foreign governments. Second, China's strategic actions become easier to predict, leaving it in a passive policy position; for example, the aggregate analysis of micro-data that the United States vigorously promotes could, given access to China's financial data, yield an advantage in international financial competition. Third, China's competitive advantages in data-driven emerging technologies are gradually eroded; for example, China has the world-leading facial recognition company SenseTime, and if its data were obtained by other countries, China's competitive advantage in this field would be greatly weakened.

Some countries, the United States in particular, are currently suppressing China in the data field, excluding it from the global data security governance system, and may formulate data security review rules aimed at China, forming an "encirclement" of China in the field of data security. For example, in 2020 the United States, India, Australia and other countries jointly launched a crackdown on TikTok on data security grounds, restricting its use and development on the basis that security investigations had found violations.

According to Synergy Research Group, as of 2020 the world's 20 major cloud and Internet service companies operated 597 hyperscale data centers. The United States has far more of them than any other country, nearly 40%; China ranks second but accounts for only 10%:

[Figure: hyperscale data centers by country, Synergy Research Group]

In the information age, such an overwhelming data advantage is formidable. China is not a "data center country", but it must not be reduced to a "data satellite country". We need to fully defend data sovereignty and strengthen data security and protection.

III. Common data security threats

Data security threats affect national security, social security, citizen security, and enterprise security. They are currently a great security challenge faced by countries, enterprises, and individuals. The main security threats related to data include the following:

  • Data theft and data leakage are currently the most common problems in the field of data security. National and social problems caused by data leaks are common, such as the Snowden incident and the Huazhu incident;
  • Data encryption and extortion. Ransomware has become the biggest threat in the field of network security in recent years and will remain so for a long time to come. It is also a very serious security issue faced by state agencies, critical infrastructure industries, enterprises and others; for example, the WannaCry incident in 2017 became a security issue for the whole of global society;
  • Data deletion and destruction. "Deleting the database and running away" is a phrase we often joke about, but incidents of database deletion do in fact happen from time to time;
  • Illegal data collection, mainly companies or individual developers using apps and other programs to collect data the program does not need, such as personal privacy data.

The main avenues of data security threats are:

  • Traditional network attacks. [Phishing]: phishing for user credentials, including those for machines, domains, mailboxes, IM tools and so on, in order to log into the corresponding medium (machine, mailbox, etc.) and steal specific information. [Cyberattack]: planting malicious Trojans and using them to control the target machine and steal confidential files; attack methods include web penetration, supply chain compromise, spear phishing, APT attacks and so on. [Ransomware]: after the intrusion, the ransomware is executed and the data files on the machine are encrypted. Notably, before executing the ransomware, attackers often first steal the important files on the machine; this not only allows extortion but also destroys the attacker's operation logs on the local machine, hindering tracing.
  • Program vulnerabilities. [Configuration errors]: exposure of sensitive file directory paths, missing permission settings on sensitive files, API interface permission settings and so on. [Vulnerabilities]: arbitrary file read, authentication bypass (login without an account), privilege escalation and so on. Configuration errors or vulnerabilities are exploited to obtain relevant data, and then the absence of risk controls such as access frequency limits and abnormal login alerts is exploited to steal large amounts of data through crawlers and similar means.
  • Human factors. [Theft]: insiders directly steal sensitive data within the enterprise and leak it. [Negligence]: exposing internal system addresses, account credentials and the like on external networks such as GitHub; accidentally executing operations such as rm -rf.

Here is a list of some major data security incidents that have occurred in recent years:

  • In May 2013, Edward Joseph Snowden, a former CIA employee and contractor for the National Security Agency (NSA), leaked a large number of confidential U.S. government documents to The Guardian and the Washington Post. Their reports revealed material of public interest including the NSA's PRISM surveillance program, a large amount of material on U.S. government cyber attack operations, and surveillance of U.S. citizens that infringed their personal rights. The leak caused an uproar, and Snowden himself was wanted by the U.S. government;
  • In March 2016, Hillary Clinton's campaign chairman John Podesta fell victim to an email phishing attack. After stealing Podesta's email password, the attacker logged into the mailbox and took all of its emails, including a large number of Clinton's, which were leaked to WikiLeaks and published. The incident turned Clinton's campaign for the worse and ultimately changed the outcome of the U.S. election, and even the pattern of the entire world;
  • On May 12, 2017, the WannaCry ransomware broke out. It spread by exploiting the EternalBlue vulnerability and quickly infected more than 300,000 machines in at least 150 countries. All data files on an infected machine were encrypted and could not be decrypted unless a ransom was paid. The worm paralyzed government agencies, hospitals, gas stations, manufacturers and others, causing serious economic losses;
  • On August 28, 2018, a hacker offered the user data of hotel chains owned by Huazhu Group for sale on the dark web for 8 Bitcoin or 520 Monero (about 370,000 yuan at the time). The data covered guests of more than 10 Huazhu hotel brands, including Hanting, Xiyue, Orange and Ibis, and included Huazhu website registration information, hotel check-in identity information and room booking records: guest names, mobile phone numbers, email addresses, ID numbers, login account passwords and more;
  • On February 23, 2020, Weimob's SaaS business suddenly collapsed; the merchant mini-programs built on Weimob all went down and the business of 3 million merchants essentially stopped. Investigation found that the core business data on Weimob's servers had been maliciously deleted: "deleting the database and running away" had happened for real. The incident ultimately wiped 1 billion off Weimob's market value, and the employee who deleted the database was sentenced to 6 years in prison;
  • On April 5, 2021, the personal data of approximately 533 million users of the American social media company Facebook was leaked, including phone numbers, email addresses and other information. Russian media reported that the phone number of Facebook founder Zuckerberg was also among the leaked data.

IV. Data security and network security

In the security field, three terms are often heard: information security, network security and data security. According to the book "Data Security Architecture Design and Practice", they developed in the order information security, network security, data security.

The term "information security" is usually used when the emphasis is on the security management system; on the confidentiality, integrity and availability of information and information systems; on content compliance; on DLP (preventing deliberate internal information leakage); or on the protection of static information, such as information in storage systems or on optical discs.

The term "network security" is often used when it is necessary to emphasize network boundaries and security domains, or network intrusion prevention, or network communication systems or transmission security, or cyberspace and other scenarios.

The term "data security" is often used when it is necessary to emphasize data protection in the entire life cycle, or when data is used as productivity, or when scenarios such as data sovereignty, data subject rights, long-arm jurisdiction, and privacy protection are emphasized.

Cyberspace provides a computing environment, and data serves as the carrier of information and becomes the object of computing. Network security emphasizes the security of the computing environment (cyberspace) to ensure the security of computing objects (data). Therefore, network security is the premise of data security, and data security is a manifestation of network security. Network security covers a wider scope, while the scope of data security is more clear and targeted.

In practice, the ultimate objective of network attacks, and therefore the ultimate goal of network security, is data: data theft, exfiltration, encryption, malicious deletion and so on. The other main objective is cryptomining malware.

V. Data security construction

Data security is an extension or embodiment of network security. Data security construction and network security construction have many things in common.

The assets, or protection targets, of network security are ultimately devices, such as traditional PCs, servers and IoT devices; in the cloud era the protected assets are workloads, including virtual machines, containers and serverless cloud services.

In network security, security operations usually begin with an asset inventory, followed by risk scans of those assets to establish a security baseline, with detection items such as vulnerability scanning, port scanning and weak passwords. After that, a series of rules or machine learning models are used to monitor machines for anomalies across the cloud, network and endpoint, such as the landing of suspicious files, the execution of malicious processes, suspicious network connections and abnormal behavior.

When it comes to data security, the assets or targets protected in data security are data. Therefore, data security needs to take data assets as the core and carry out a series of security capability building.

The core questions of data security construction are: what data is there, where does the data come from, where is the data, and who is using the data. A data security operation system therefore needs to be built around these four core questions, which together also cover the data life cycle:

[Figure: the four core questions mapped onto the data life cycle]

1. What data is there?

This is similar to asset inventory in cybersecurity: you need to know what data assets your company wants to protect. If you don't even know what your data assets are, how can you protect them? Once you know what data there is, it needs to be classified and graded.

From the perspective of the data subject, the data is divided into three categories: public data, personal information, and legal person data:

  • Public data: data collected and generated by public management and service agencies in the course of performing their public management and service duties in accordance with the law, and data involving the public interest collected and generated by other organizations and individuals in providing public services. Examples are government affairs data and data involving the public interest generated in providing public services such as water, electricity, gas and heating supply, public transportation, elderly care, education, medical care, postal services and so on;
  • Personal data: Various information related to an identified or identifiable natural person recorded electronically or by other means, excluding anonymized information. Such as personal identity information, personal biometric information, personal property information, personal communication information, personal location information, personal health and physiological information, etc.;
  • Legal person data: Data collected and generated by the organization during the production, operation and internal management process, such as business data, operation and management data, system operation and safety data, etc.

According to the degree of harm that would be caused to national security, the public interest, or the legitimate rights and interests of individuals and organizations once the data is tampered with, destroyed, leaked, or illegally obtained or used, data is divided from low to high into five levels: public level (Level 1), internal level (Level 2), sensitive level (Level 3), important level (Level 4) and core level (Level 5). Important data falls in the important level (Level 4) and national core data in the core level (Level 5).

  • Public level (Level 1): public-level data has the public dissemination attribute and can be released and forwarded externally. Even so, the volume and number of categories of public data must be considered, so that too many categories or too large a quantity do not enable correlation analysis. If this level of data is tampered with, destroyed, leaked, or illegally obtained or used, it may cause slight harm to the legitimate rights and interests of individuals and organizations, but will not endanger national security or the public interest;
  • Internal level (Level 2): internal-level data is usually shared and used within the organization and related parties, and can be shared outside the organization with the authorization of the related parties. If this level of data is tampered with, destroyed, leaked, or illegally obtained or used, it may cause general harm to the legitimate rights and interests of individuals and organizations, or slight harm to the public interest, but will not endanger national security;
  • Sensitive level (Level 3): sensitive-level data can only be accessed by authorized internal departments or personnel; sharing it externally requires meeting the relevant conditions and obtaining authorization from the relevant parties. If this level of data is tampered with, destroyed, leaked, or illegally obtained or used, it may cause serious harm to the legitimate rights and interests of individuals and organizations, or general harm to the public interest, but will not endanger national security;
  • Important level (Level 4): important-level data is strictly managed according to an approved authorization list and may be shared or disseminated only within a controlled scope after strict review, approval and evaluation. If this level of data is tampered with, destroyed, leaked, or illegally obtained or used, it may cause particularly serious harm to the legitimate rights and interests of individuals and organizations, serious harm to the public interest, or minor or general harm to national security;
  • Core level (Level 5): core-level data is prohibited from being shared or disseminated externally. If this level of data is tampered with, destroyed, leaked, or illegally obtained or used, it may cause serious or particularly serious harm to national security, or particularly serious harm to the public interest.

In addition, from the perspective of dissemination, data can also be divided into public dissemination data and non-public dissemination data. Public dissemination data has the public dissemination attribute and can be publicly released and forwarded; public-level data belongs to this category. Non-public dissemination data lacks the public dissemination attribute and is either disseminated only within an authorized, limited scope or prohibited from dissemination, such as state secrets, important data, business secrets, personal information, public data subject to conditions on or prohibition of sharing, and intellectual property works without the owner's consent. Internal-level, sensitive-level, important-level and core-level data are all non-public dissemination data.
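As an added worked example (not from the original article), the five-level grading rules above can be encoded as a decision function that takes a harm assessment for each of the three protected interests and returns the level, the dissemination attribute and the sharing rule, checking the most severe rule first so that the highest applicable level wins. The `Harm` scale, the `grade` and `grade_dataset` functions, the constructed trip record and the `CORRELATION_REVIEW_FIELDS` threshold are all assumptions made for this illustration; grading a dataset by the highest level of any field it contains is also an assumption, not a rule stated on the page.

```python
from dataclasses import dataclass
from enum import IntEnum


class Harm(IntEnum):
    """Degree of harm once data is tampered with, destroyed, leaked or misused."""
    NONE = 0
    SLIGHT = 1
    GENERAL = 2
    SERIOUS = 3
    PARTICULARLY_SERIOUS = 4


@dataclass(frozen=True)
class HarmAssessment:
    """Worst-case harm to each of the three interests the grading scheme protects."""
    individual_or_org: Harm   # legitimate rights and interests of individuals and organizations
    public_interest: Harm
    national_security: Harm


LEVEL_NAMES = {1: "public", 2: "internal", 3: "sensitive", 4: "important", 5: "core"}

# External sharing rule attached to each level, as the scheme states it.
EXTERNAL_SHARING = {
    1: "may be released and forwarded publicly",
    2: "may be shared outside the organization with authorization of related parties",
    3: "may be shared externally only when conditions are met and relevant parties authorize",
    4: "may be shared only within a controlled scope after review, approval and evaluation",
    5: "external sharing or dissemination is prohibited",
}


def grade(h: HarmAssessment) -> int:
    """Return the level (1..5). Rules are checked from the highest level down so the
    most severe applicable rule decides."""
    if h.national_security >= Harm.SERIOUS or h.public_interest == Harm.PARTICULARLY_SERIOUS:
        return 5
    if (h.national_security >= Harm.SLIGHT            # minor or general harm to national security
            or h.public_interest == Harm.SERIOUS
            or h.individual_or_org == Harm.PARTICULARLY_SERIOUS):
        return 4
    if h.public_interest == Harm.GENERAL or h.individual_or_org == Harm.SERIOUS:
        return 3
    if h.public_interest == Harm.SLIGHT or h.individual_or_org == Harm.GENERAL:
        return 2
    return 1


def dissemination_attribute(level: int) -> str:
    """Only public-level data carries the public dissemination attribute."""
    return "public" if level == 1 else "non-public"


# Assumed threshold (not from the page): a public-level dataset combining more fields
# than this is flagged for review because of the correlation-analysis risk.
CORRELATION_REVIEW_FIELDS = 5


def grade_dataset(fields: dict[str, HarmAssessment]) -> dict:
    """Grade a dataset: its level is the highest level of any field it contains
    (assumed rule for aggregated records)."""
    if not fields:
        raise ValueError("a dataset must contain at least one field")
    field_levels = {name: grade(h) for name, h in fields.items()}
    level = max(field_levels.values())
    return {
        "level": level,
        "name": LEVEL_NAMES[level],
        "dissemination": dissemination_attribute(level),
        "external_sharing": EXTERNAL_SHARING[level],
        "fields": field_levels,
        "correlation_review": level == 1 and len(fields) > CORRELATION_REVIEW_FIELDS,
    }


if __name__ == "__main__":
    # Constructed sample: a ride-hailing style trip record with assumed harm assessments
    trip = {
        "city_name": HarmAssessment(Harm.NONE, Harm.NONE, Harm.NONE),
        "passenger_phone": HarmAssessment(Harm.SERIOUS, Harm.NONE, Harm.NONE),
        "pickup_gps_track": HarmAssessment(Harm.SERIOUS, Harm.GENERAL, Harm.GENERAL),
    }
    print(grade_dataset(trip))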

The basic framework of data classification and grading is as follows:

Building data security operation capabilities from the perspective of Didi security incidents


2. Where does the data come from?

You need to know where the data is collected from in order to address the following security issues:

  • Is the collection process legal and compliant? It is necessary to strictly comply with the "Data Security Law", "Regulations on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications", GDPR, etc.;
  • Are the collection terminal and collection process safe? Terminal security detection, secure keyboard to ensure input security, etc.;
  • When collecting data to the cloud, is the transmission safe? Encryption of transmission channels.

3. Where is the data?

It is necessary to know where data is stored and to secure the storage environment.

  • Data at rest: encryption, desensitization (masking), watermarking;
  • Security of the storage media: physical media, operating systems and the rest of traditional network security, to keep out ransomware, stolen passwords and the like;
  • Data backup: multiple copies, multiple data centers, etc., so that recovery after a disaster is fast.

4. Who is using data?

Security issues during data use need to be addressed:

  • User identity and permission verification
  • Security of data API interfaces
  • DLP, to prevent data leakage
  • Data access scenarios and frequency
  • Data reprocessing (derived copies and exports)
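
A content-based DLP check is the point where the classification levels above and the "who is using data" questions meet: before a record leaves through an API or export, scan it for personal information, assign it a level, and compare that level with what the destination is cleared for. The example below is added here and is not the article's own code; the mapping of each detector to a level (ID number and bank card to Sensitive, mobile number to Internal), the sample records and the "keep the last four characters" masking rule are assumptions. Check digits are validated (ISO 7064 MOD 11-2 for PRC resident ID numbers, Luhn for card numbers) so that arbitrary digit runs such as order numbers do not raise false positives.

```python
"""Content-based DLP gate for outbound records (added example, not the
article's code). Detectors validate check digits so that random digit runs
do not trigger; the level each detector maps to is an assumed policy on the
article's five-level scale."""
import re
from typing import Callable

# PRC resident ID number: ISO 7064 MOD 11-2 check digit (GB 11643-1999)
_ID_WEIGHTS = (7, 9, 10, 5, 8, 4, 2, 1, 6, 3, 7, 9, 10, 5, 8, 4, 2)
_ID_CHECK = "10X98765432"


def valid_prc_id(s: str) -> bool:
    """True when the 18-character string carries a correct check digit."""
    if len(s) != 18 or not s[:17].isdigit():
        return False
    total = sum(int(d) * w for d, w in zip(s[:17], _ID_WEIGHTS))
    return s[17].upper() == _ID_CHECK[total % 11]


def valid_luhn(s: str) -> bool:
    """Luhn check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(s)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# name -> (pattern, validator, assumed classification level)
DETECTORS: dict[str, tuple[re.Pattern, Callable[[str], bool], int]] = {
    "prc_id": (re.compile(r"\b\d{17}[\dXx]\b"), valid_prc_id, 3),
    "bank_card": (re.compile(r"\b\d{16,19}\b"), valid_luhn, 3),
    "mobile": (re.compile(r"\b1[3-9]\d{9}\b"), lambda _: True, 2),
}


def scan(text: str) -> list[tuple[str, str]]:
    """Return (detector, value) pairs for every validated hit in the text."""
    hits = []
    for name, (pattern, validate, _) in DETECTORS.items():
        for m in pattern.finditer(text):
            if validate(m.group(0)):
                hits.append((name, m.group(0)))
    return hits


def classify(text: str) -> int:
    """Highest level among the hits; 1 (public) when nothing is found."""
    return max((DETECTORS[name][2] for name, _ in scan(text)), default=1)


def redact(text: str) -> str:
    """Mask every hit, keeping the last four characters for reconciliation."""
    for _, value in scan(text):
        text = text.replace(value, "*" * (len(value) - 4) + value[-4:])
    return text


def gate(text: str, destination_level: int) -> tuple[bool, str]:
    """Release the record unchanged if the destination is cleared for its
    level; otherwise block the original and hand back a redacted copy."""
    if classify(text) <= destination_level:
        return True, text
    return False, redact(text)


# Constructed sample records; the ID and card numbers are synthetic test values.
SAMPLE_RECORDS = [
    "trip 10492 driver id 11010519491231002X phone 13800138000",  # valid ID -> level 3
    "trip 10493 driver id 110105194912310021 phone 13800138001",  # bad check digit -> only the phone
    "trip 10494 refund to card 4111111111111111",                 # Luhn-valid card -> level 3
    "trip 10495 pickup Beijing Chaoyang, fare 23.50",             # nothing personal -> level 1
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(classify(rec), gate(rec, 2))
```

Run against a destination cleared for level 2 (an internal BI export, say), the first and third records are blocked and returned masked, while the second passes because its ID number fails the check digit and only the phone number remains. In production the hit list, not just the verdict, belongs in the audit log, since that record of what was seen and where it was going is what the "operable" and "traceable" requirements later in the article are built on.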

Based on the above, a data security operation system must be established that makes data visible, controllable, operable, traceable and recoverable. Details follow in the next section.

6. Data security operation framework

This article proposes a data security operation framework based on zero trust and DataSecOps.

Let us talk about zero trust first. Zero trust is a security concept, or framework, that is already widely applied in network security, and the same concept can be applied to data security. Its core is: never trust, always verify. In the data security field, the basic principles of zero trust remain:

  • identity-based access
  • the principle of least privilege
  • dynamic policies, with continuous validation of policies and of the requests they govern

In fact, the Department of Defense (DoD) Zero Trust Reference Architecture lists data as one of the target pillars of zero trust:

[Figure: the pillars of the DoD Zero Trust Reference Architecture]

The other pillars are users (identity), devices, network and environment, applications and workloads, visibility and analytics, and automation and orchestration. Protecting data is therefore the ultimate goal of zero trust.

The zero trust framework can therefore be divided into the following stages, in sequence:

1. Zero Trust Network Access (ZTNA) is the stage most current zero trust products occupy. It provides zero-trust access to business systems and is mainly built on the SDP (Software Defined Perimeter) architecture;

2. Zero Trust Application Access (ZTAA) is where many current zero trust products also sit; it is built with micro-segmentation at its core;

3. Zero Trust Data Access (ZTDA) and Zero Trust Data Protection (ZTDP) are built specifically for data security.

[Figure: the zero trust stages, ZTNA, ZTAA and ZTDA/ZTDP]

Data access is therefore the stage after network and application access, and the corresponding framework diagrams are:

[Figure: Zero Trust 1.0 data access framework]

Zero Trust 1.0

[Figure: Zero Trust 2.0 data access framework]

Zero Trust 2.0

The components are as follows:

  • Data access proxy: all data access, whether a direct database operation or an API call, goes through the proxy instead of reaching the data store directly. Direct database access and operation permissions are denied by default; only after the proxy has verified identity, permissions and the other policy conditions is access granted and the database operation forwarded. In practice this means the database credentials live with the proxy, not with the client applications, so that bypassing the proxy is not an option.
  • Decision center: the decision center is the brain of the zero-trust system and decides which users and which applications may perform which operations on which data. It uses an identity-based control model; RBAC, ABAC and the like can be used for access control, and the control dimensions can include identity, device, network, application, behaviour and so on. Policies can also be adjusted dynamically by scenario, time window, etc.
  • Data store: data is stored separately by category and level so that each dataset is isolated from the others, in storage path, machine room and permissions alike.

Of course, a zero-trust data protection solution must be implemented together with DataSecOps. DataSecOps extends the DevSecOps idea to the data domain: security is embedded in the processes of data development, operation and storage, rather than bolted on as after-the-fact protection.

Establish a joint team in which security engineering, data engineering and the other stakeholders collaborate continuously; apply the principle of least privilege with cell-level (row- and column-level) permission control; and simplify data access while keeping security in the process, for example:

[Figure: DataSecOps collaboration and least-privilege data access]
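
The decision center and data access proxy described above, and the row- and column-level least privilege that DataSecOps asks for, fit together naturally: the decision center turns a request's attributes into a grant, and the proxy, being the only path to the store, enforces that grant on every row and every cell. The example below is added here and is not the article's or any product's code. The policy values are assumptions for illustration: a corporate network of 10.0.0.0/8, an approved off-network application named "ops-console", business hours of 08:00 to 20:00, two roles ("analyst" and "city_ops"), the level assigned to each column, and the rule that a session's device and network posture cap the level it may see in clear, with higher-level columns returned masked.

```python
"""Zero-trust data access, added example (not the article's code): a
decision center evaluates identity, device, network, application and time
attributes and returns a grant; the data access proxy is the only path to
the store and enforces that grant row by row and column by column. Policy
values (network range, hours, column levels, roles) are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

CORP_NET = ipaddress.ip_network("10.0.0.0/8")   # assumed corporate network
BUSINESS_HOURS = range(8, 20)                    # assumed ops access window

# Assumed level of each column on the article's five-level scale
COLUMN_LEVEL = {"trip_id": 2, "city": 2, "fare_cents": 2, "phone": 3, "driver_id_no": 4}

# Need-to-know columns per role; no role here is granted the level-4 column
ROLE_COLUMNS = {
    "analyst": frozenset({"trip_id", "city", "fare_cents"}),
    "city_ops": frozenset({"trip_id", "city", "fare_cents", "phone"}),
}


@dataclass(frozen=True)
class Subject:
    user: str
    role: str
    city: str            # attribute that scopes rows for city_ops
    device_trusted: bool
    src_ip: str
    app: str
    hour: int


@dataclass(frozen=True)
class Grant:
    columns: frozenset
    row_filter: Callable[[dict], bool]
    masked: frozenset    # columns above the session's clearance: returned masked


def decide(s: Subject, dataset: str) -> Optional[Grant]:
    """Decision center. None means deny, which is also the default."""
    if dataset != "trips" or s.role not in ROLE_COLUMNS:
        return None
    on_corp_net = ipaddress.ip_address(s.src_ip) in CORP_NET
    if not on_corp_net and s.app != "ops-console":
        return None                                   # off-net only via the approved app
    if s.role == "city_ops" and s.hour not in BUSINESS_HOURS:
        return None                                   # time-window policy
    # Device and network posture cap the level this session may see in clear
    clearance = 3 if (s.device_trusted and on_corp_net) else 2
    columns = ROLE_COLUMNS[s.role]
    masked = frozenset(c for c in columns if COLUMN_LEVEL[c] > clearance)
    if s.role == "city_ops":
        row_filter = lambda row: row["city"] == s.city   # row-level scoping
    else:
        row_filter = lambda row: True
    return Grant(columns, row_filter, masked)


def is_denied(s: Subject, dataset: str = "trips") -> bool:
    return decide(s, dataset) is None


def mask(value: str) -> str:
    return "*" * (len(value) - 4) + value[-4:]


def proxy_query(s: Subject, dataset: str, rows: list[dict]) -> list[dict]:
    """Data access proxy: applies the grant and never returns ungranted cells."""
    grant = decide(s, dataset)
    if grant is None:
        raise PermissionError(f"{s.user} denied on {dataset}")
    result = []
    for row in rows:
        if not grant.row_filter(row):
            continue
        result.append({
            col: (mask(str(row[col])) if col in grant.masked else row[col])
            for col in row if col in grant.columns
        })
    return result


# Constructed sample rows (synthetic values)
TRIPS = [
    {"trip_id": 1, "city": "Beijing", "fare_cents": 2350, "phone": "13800138000", "driver_id_no": "D-0001"},
    {"trip_id": 2, "city": "Shanghai", "fare_cents": 1800, "phone": "13900139000", "driver_id_no": "D-0002"},
    {"trip_id": 3, "city": "Beijing", "fare_cents": 4100, "phone": "13700137000", "driver_id_no": "D-0003"},
]

if __name__ == "__main__":
    ops = Subject("bob", "city_ops", "Beijing", False, "10.1.2.4", "ops-console", 10)
    print(proxy_query(ops, "trips", TRIPS))
```

Two points are worth noticing. A city operator on an untrusted device still gets the rows for their own city, but the phone column comes back masked, which is the "simplify access while keeping security" trade-off rather than a flat deny; and the level-4 driver ID column is never part of any grant, so the proxy drops it without a special case, because the default is deny and grants are allow-lists.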

Finally, equipment and architecture alone are not enough. A complete data security operations center with strong cyber-resilience is also needed, so that data is visible, controllable, operable, traceable and recoverable.

  • Visible: take a full inventory of data assets; make clear the categories and levels of data, the permissions each user needs, data usage records, etc.;
  • Controllable: fine-grained identity and permission control, data desensitization, encrypted storage, security monitoring of the media and network (terminals, firewalls, etc.), DLP, etc.;
  • Operable: log auditing, behavioural anomaly monitoring, etc.;
  • Traceable: add digital watermarks to data, such as data coloring and invisible or visible watermarks on images, so that a leaked copy can be traced back to where it was shared;
  • Recoverable: disaster recovery measures such as backups.
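
"Data coloring" under the traceable requirement is easiest to understand with a concrete scheme. The example below is added here and is not the article's own technique or code: before a dataset copy is handed to an external recipient, a keyed, recipient-specific bit pattern is embedded in the least significant cent of each fare, and when a copy (or a subset of it) later surfaces, scoring it against each known recipient identifies the source. The marking field, the owner's key, the recipient names and the 0.9 threshold are assumptions; the 40 trips are constructed. The key stays with the data owner, so a recipient cannot tell which rows carry the mark, and since each fare moves by at most one cent the marked copy is as useful to the recipient as the original.

```python
"""Data coloring for traceability, added example (not the article's own
code): each recipient's copy of a dataset gets a keyed, recipient-specific
mark in the least significant cent of the fare, so a leaked subset can be
traced back to the party it was shared with. The marking field, key and
recipient names are assumptions for illustration."""
import hashlib
import hmac

KEY = b"constructed-watermark-key-change-me"        # held by the data owner only
RECIPIENTS = ["partner-a", "partner-b", "partner-c"]


def _mark_bit(key: bytes, recipient: str, row_id: int) -> int:
    """Reproducible but unpredictable bit for (recipient, row): an HMAC under
    the owner's secret, so a recipient cannot forge or strip the pattern
    without knowing which rows carry it."""
    msg = f"{recipient}:{row_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()[0] & 1


def color(rows: list[dict], key: bytes, recipient: str) -> list[dict]:
    """Return a copy of rows whose fare LSB encodes the recipient's mark.
    Distortion is at most one cent per row, so aggregates are unaffected."""
    out = []
    for r in rows:
        bit = _mark_bit(key, recipient, r["trip_id"])
        marked = dict(r)
        marked["fare_cents"] = (r["fare_cents"] & ~1) | bit
        out.append(marked)
    return out


def score(rows: list[dict], key: bytes, recipient: str) -> float:
    """Fraction of rows whose fare LSB agrees with the recipient's marks:
    about 0.5 for unrelated data, 1.0 for the copy given to `recipient`."""
    if not rows:
        return 0.0
    hits = sum(
        (r["fare_cents"] & 1) == _mark_bit(key, recipient, r["trip_id"]) for r in rows
    )
    return hits / len(rows)


def trace(leaked: list[dict], key: bytes, recipients: list[str], threshold: float = 0.9):
    """Name the recipient a leaked copy (or subset of it) came from, or None
    when no candidate scores at or above the threshold."""
    best = max(recipients, key=lambda rcp: score(leaked, key, rcp))
    return best if score(leaked, key, best) >= threshold else None


# Constructed export set: 40 synthetic trips
EXPORT_ROWS = [
    {"trip_id": 1000 + i, "city": "Beijing" if i % 2 == 0 else "Shanghai", "fare_cents": 1500 + 37 * i}
    for i in range(40)
]

if __name__ == "__main__":
    shared_with_b = color(EXPORT_ROWS, KEY, "partner-b")
    leaked_subset = [r for r in shared_with_b if r["city"] == "Beijing"]
    print(trace(leaked_subset, KEY, RECIPIENTS))
```

The scoring step is what makes this usable in an incident: the leaked copy is rarely the whole export, and because every row carries an independent bit, even half of the rows (the Beijing subset in the usage above) identify the recipient with overwhelming margin over the roughly 50% agreement an unrelated party shows. The scheme does not survive a recipient who rounds fares to the nearest ten cents, which is why real deployments spread marks across several tolerant fields and combine them with access logging from the proxy.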

7. Summary

At present data security problems remain serious, and building data security operations capability is urgent. Protecting the data of the country and its citizens from infringement has become a consensus across society.

It must be pointed out that the most critical part of offense and defense in network and data security is still the contest between people, and people are always the weakest link. A zero-trust architecture can compensate for human weaknesses through the system as far as possible and raise overall security capability.

Of course, zero trust is not a panacea and cannot solve every security problem, so a highly mature data security operations center must also be built to better ensure data security.

It is worth noting that data security is currently the hottest area of the cybersecurity financing track, and more and more startups and security products take data security as their core:

[Figure: data security startups and products in the cybersecurity financing track]

We believe that as China's laws and regulations on data security are perfected, and as agencies, institutions and enterprises pay more attention to data security and invest more in it, China's data security construction is certain to get better and better.

8. Reference links

1. Escalation of data security issues: impacts, countermeasures and opportunities in key areas: http://n1.sinaimg.cn/finance/9b213f90/20210826/ShuJuAnQuanBaoGao20210823.pdf

2. Network Security Standard Practice Guide: Data Classification and Grading Guidelines: https://www.tc260.org.cn/upload/2021-09-30/1633014582064034019.pdf

3. China Cybersecurity Industry Analysis Report (2021): http://www.mogesec.com/%e4%b8%ad%e5%9b%bd%e7%bd%91%e7%bb%9c%e5%ae%89%e5%85%a8%e4%ba%a7%e4%b8%9a%e5%88%86%e6%9e%90%e6%8a%a5%e5%91%8a%ef%bc%882021%e5%b9%b4%ef%bc%89/

4. Department of Defense (DoD) Zero Trust Reference Architecture: http://www.mogesec.com/department-of-defense-dod-zero-trust-reference-architecture%ef%bc%88%e5%9b%bd%e9%98%b2%e9%83%a8%e9%9b%b6%e4%bf%a1%e4%bb%bb%e5%8f%82%e8%80%83%e6%9e%b6%e6%9e%84%ef%bc%89/

Original article by FANG; if reprinted, please indicate the source: https://cncso.com/en/building-data-security-operational-capability.html
