Security Parallel: Next Generation Native Security Infrastructure

About the author:

Wei Tao, Vice President of Ant Basic Security, joined Ant Financial in 2019 and is responsible for the direction of Ant Basic Security. He is also an adjunct professor at Peking University. Prior to that, he worked at Baidu from 2015 to 2019, serving as chief security scientist and head of the security laboratory. From 2013 to 2015, he worked at FireEye as a security research scientist, leading the mobile security research team to discover mobile vulnerabilities, identify malware and prevent privacy leaks.

The whitepaper systematically analyzes the severe challenges and development dilemmas that security system construction faces amid digital transformation and exploding business complexity. Building on an in-depth look at the new requirements for security system construction, it proposes a next-generation native security infrastructure that is both integrated with and decoupled from the business: the security parallel aspect system. The security parallel aspect system provides accurate visibility and efficient intervention capabilities in emergency attack and defense, security governance and deployment, data security governance and other scenarios. It significantly improves the effectiveness of emergency attack and defense and of security governance, and provides a path toward native security and security assurance for the digital transformation of enterprises.

[Contents of the "Security Parallel Aspect White Paper"]

The security parallel aspect system (hereinafter referred to as the security aspect) is the next generation of native security infrastructure. It integrates security management and control with the business, while keeping the two decoupled, through all levels of end-pipe-cloud, and relies on standardized interfaces to provide businesses with accurate insight and efficient intervention capabilities. Its core advantages are strong perception coverage, fast emergency attack and defense response, efficient security governance, and flexible security deployment.

In the context of exploding business complexity, security aspects can effectively solve two industry pain points: traditional plug-in security systems are not up to the task, and embedded security systems leave business and security logic intertwined.

The security aspect has the characteristics of "accurate perception, timely management and control, strong guarantee, and steady development". Its main principles are "layered construction, multi-layer linkage, stability and security, and fragmented adaptation": build a security space parallel to the business, integrate security capabilities into the business system in layers, establish various guarantee mechanisms based on security aspects, and level the differences between infrastructure environments through fragmented scenario adaptation.

The security aspect supports building defense capabilities at different levels, from applications to infrastructure, to achieve security management and control at each level. It also supports interaction between security aspects at multiple levels, forming an overall defense system that achieves better security governance, protection, and confrontation effects. Under the guidance of these construction principles, the white paper shows three main types of architecture for security parallel aspects.

In handling the log4j2 vulnerability incident that broke out in December, the security aspect performed well: the log4j2 vulnerability could be quickly repaired within hours by issuing security policies, effectively cutting off the vulnerability's attack path.

In the production environment, attackers can additionally be redirected in real time into active network honeypots to counterattack and trace their origins. In the test environment, aspect-based IAST technology can additionally be used to analyze the JNDI call link and detect potential attacks within a larger scope.

In addition, security aspects are applied to "Data Service Customs" to achieve due diligence and compliance in the data circulation process. "Data Service Customs" is a data circulation management and control infrastructure independently developed by Ant. By implanting the aspect system, traditional data gateway API forwarding is upgraded to a complete full-link compliant data service model, covering data declaration, customs clearance and auditing. With the support of aspect technology, data flow control can reach field granularity, effectively supporting compliance requirements for data security and privacy protection.

After two years of exploration and practice, the security parallel aspect system has been fully implemented in Ant Group and is widely used in business scenarios such as emergency attack and defense, security governance and deployment, and data security and privacy protection, with remarkable results and outstanding performance, stability and security.

Now, Ant Group will share its practical experience of building the security parallel aspect system with the industry, and in the future will also share the results with the open source community in the form of open source. Side by side with authoritative security organizations such as the Information Industry Information Security Evaluation Center and with other industry colleagues, we will work together to build a more complete and intelligent security parallel aspect ecosystem, implement the core concept of native security through technological innovation, cover the last kilometer of native security, and move forward together to build a safe digital China!

Download the full version of the Ant Security Parallel Aspect White Paper: http://www.itstec.org.cn/aspect_oriented_security_white_paper.pdf

Original article by batsom, if reproduced, please credit: https://www.cncso.com/en/next-generation-native-security-infrastructure.html
