Security Parallel: Next Generation Native Security Infrastructure

about the author:

Wei Tao, Vice President of Ant Basic Security, joined Ant Financial in 2019 and is responsible for the direction of Ant Basic Security. He is also an adjunct professor at Peking University. Before that, he worked at Baidu from 2015 to 2019 as chief security scientist and head of the security laboratory. From 2013 to 2015 he worked at FireEye as a security research scientist, leading the mobile security research team in discovering mobile vulnerabilities, identifying malware and preventing privacy leaks.

The white paper systematically analyzes the severe challenges and development dilemmas faced by security system construction in the context of digital transformation and exploding business complexity. Combining these with the new requirements for building security systems, it proposes a next-generation native security infrastructure that is integrated with, yet decoupled from, the business: the security parallel aspect system. The security parallel aspect system provides precise in-view (observability) capabilities and efficient intervention capabilities in emergency attack and defense, security management and deployment, data security governance and other scenarios. It significantly improves the efficiency of emergency attack and defense and of security governance, offers a path toward realizing native security, and provides security guarantees for the digital transformation of enterprises.

[Contents of "Security Parallel Section White Paper"]


The security parallel aspect system (hereinafter the security aspect) is the next generation of native security infrastructure. It integrates security management and control with the business while keeping the two decoupled, at every layer from endpoint to pipeline to cloud, and relies on standardized interfaces to give the business precise insight and efficient intervention capabilities. Its core advantages are broad perception coverage, fast emergency attack and defense response, efficient security governance and flexible security deployment.


In the context of exploding business complexity, the security aspect effectively addresses the industry pain points where traditional plug-in (bolt-on) security systems fall short and embedded security systems entangle business and security code.


The security aspect is characterized by accurate perception, timely management and control, strong guarantees and steady development. Its main principles are layered construction, multi-layer linkage, stability and security, and fragmented adaptation: build a security space parallel to the business, integrate security capabilities into the business system layer by layer, establish various guarantee mechanisms on top of the security aspect, and level out differences in infrastructure environments through adaptation to fragmented scenarios.


The security aspect supports building defense capabilities at different levels, from applications to infrastructure, so that security management and control is achieved at each level. It also supports interaction between security aspects at multiple levels to form an overall defense system, achieving better security governance, protection and confrontation. Guided by these construction principles, the white paper presents three main types of architecture for security parallel aspects.


During the handling of the log4j2 vulnerability incident that broke out in December, the security aspect performed well: the log4j2 vulnerability could be repaired within hours by issuing security policies, effectively cutting off the vulnerability's attack path.


In the production environment, attackers can further be diverted in real time into active network honeypots for counterattack and attribution; in the test environment, aspect-based IAST technology can further be used to analyze the JNDI call chain and detect potential attacks over a wider scope.
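As an added illustration of the two mechanisms described above (a pushed security policy that blocks the JNDI lookup path, and the call chain captured at the hook point that an IAST analysis would consume), the following Java sketch is not from the white paper or from Ant's system. It assumes a hypothetical aspect hook, installed by a Java agent or AOP framework that is not shown here, wrapping `javax.naming.InitialContext.lookup` and calling `guardedLookup`; the policy values and the remote host are constructed.

```java
import java.util.Arrays;
import java.util.List;
import java.util.Set;
import java.util.function.Function;
import java.util.stream.Collectors;

/** Policy evaluated at a hypothetical aspect hook around javax.naming.InitialContext.lookup. */
public final class JndiLookupAspect {
    public enum Decision { ALLOW, DENY }

    // Constructed policy, as an aspect platform would push it to every running instance:
    // only the in-process "java:" namespace is allowed; remote naming protocols
    // (ldap, ldaps, rmi, dns, iiop) and any unknown scheme are denied (fail closed).
    private static final Set<String> ALLOWED_SCHEMES = Set.of("java");

    public static Decision evaluate(String name) {
        if (name == null || name.isBlank()) return Decision.DENY;
        int colon = name.indexOf(':');
        if (colon < 0) return Decision.ALLOW;          // relative name, resolved in the local context
        String scheme = name.substring(0, colon).trim().toLowerCase();
        return ALLOWED_SCHEMES.contains(scheme) ? Decision.ALLOW : Decision.DENY;
    }

    /** Call chain captured at the hook: the raw material for IAST-style analysis (first frames only). */
    public static List<String> callChain(int depth) {
        return Arrays.stream(Thread.currentThread().getStackTrace())
                .skip(2)                                // drop getStackTrace and callChain itself
                .limit(depth)
                .map(f -> f.getClassName() + "." + f.getMethodName())
                .collect(Collectors.toList());
    }

    /** Hook body: record name, decision and call chain, then block or delegate to the original lookup. */
    public static Object guardedLookup(String name, Function<String, Object> originalLookup) {
        Decision decision = evaluate(name);
        System.out.printf("jndi.lookup name=%s decision=%s chain=%s%n", name, decision, callChain(3));
        if (decision == Decision.DENY) {
            throw new SecurityException("JNDI lookup blocked by security policy: " + name);
        }
        return originalLookup.apply(name);
    }

    public static void main(String[] args) {
        guardedLookup("java:comp/env/jdbc/appDb", n -> "datasource-stub");   // allowed, delegated
        try {
            guardedLookup("ldap://203.0.113.5:1389/x", n -> null);           // constructed remote name, denied
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        }
    }
}
```

The logged `chain` field is what the test-environment IAST analysis would correlate across requests; in production the same hook is where the policy decision is enforced.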


In addition, the security aspect is also applied to the "data service customs" to achieve due diligence and compliance in the data circulation process. "Data Service Customs" is a data circulation management and control infrastructure independently developed by Ant. By implanting the aspect system, traditional data gateway API forwarding is upgraded into a complete full-chain compliant data service model covering data declaration, customs clearance and auditing. With the support of aspect technology, data flow control can reach field granularity, effectively supporting compliance requirements for data security and privacy protection.


After two years of exploration and practice, the security parallel aspect system has been fully implemented in Ant Group and is widely used in business scenarios such as emergency attack and defense, security governance and deployment, and data security and privacy protection, with remarkable results and outstanding performance, stability and security.


Now, Ant Group will share its practical experience in building the security parallel aspect system with the industry. In the future it will also release the results to the open source community, and, together with authoritative security institutions such as the Information Industry Information Security Evaluation Center (信息产业信息安全测评中心) and colleagues across the industry, jointly build a more complete and intelligent security parallel aspect ecosystem, implement the core concept of native security through technological innovation, cover the last mile of native security, and move forward together toward building a safe digital China!

Download the full version of the Ant Security Parallel Aspect White Paper: http://www.itstec.org.cn/aspect_oriented_security_white_paper.pdf

Original article by batsom, if reproduced, please credit: https://www.cncso.com/en/next-generation-native-security-infrastructure.html
