About the author:
Wei Tao, Vice President of Ant Basic Security, joined Ant Financial in 2019 and is responsible for the direction of Ant Basic Security. He is also an adjunct professor at Peking University. Before that, he worked at Baidu from 2015 to 2019 as chief security scientist and head of the security laboratory. From 2013 to 2015 he was a security research scientist at FireEye, leading the mobile security research team in discovering mobile vulnerabilities, identifying malware, and preventing privacy leaks.
The white paper systematically analyzes the severe challenges and development dilemmas that security system construction faces amid digital transformation and the explosion of business complexity. Combining these in depth with the new requirements for security system construction, it proposes a next-generation native security infrastructure that is integrated with, yet decoupled from, the business: the security parallel aspect system. The security parallel aspect system provides precise in-view capabilities and efficient intervention capabilities in scenarios such as emergency attack and defense, security management and deployment, and data security governance; it significantly improves the efficiency of emergency attack and defense and of security governance, offers a path to realizing native security, and provides security guarantees for the digital transformation of enterprises.
[Contents of the "Security Parallel Aspect White Paper"]
The security parallel aspect system (hereinafter "security aspect") is the next generation of native security infrastructure. It integrates security management and control with the business, while remaining decoupled from it, across all levels of the end-pipe-cloud stack, and relies on standardized interfaces to give the business accurate insight and efficient intervention capabilities. Its core advantages are strong perception coverage, fast emergency attack-and-defense response, efficient security governance, and flexible security deployment.
In the context of exploding business complexity, security aspects can effectively solve the industry pain points where traditional plug-in security systems fall short and embedded security systems entangle business and security.
The security aspect has the characteristics of "accurate perception, timely management and control, strong guarantee, and steady development". Its main principles are "layered construction, multi-layer linkage, stability and security, and fragmented adaptation": build a security space parallel to the business, integrate security capabilities into the business system layer by layer, establish guarantee mechanisms based on security aspects, and level out differences in infrastructure environments through fragmented scenario adaptation.
The security aspect supports building defense capabilities at different levels, from applications to infrastructure, to achieve security management and control at each level. It also supports interaction between multi-level security aspects to form an overall defense system with better governance, protection, and confrontation effects. Guided by these construction principles, the white paper presents three main types of security parallel aspect architectures.
In handling the log4j2 vulnerability incident that broke out in December, the security aspect performed well: the log4j2 vulnerability could be quickly repaired within hours by issuing security policies, effectively cutting off the vulnerability's attack path.
In the production environment, attackers can further be redirected in real time into active network honeypots for counterattack and tracing; in the test environment, aspect-based IAST technology can further be used to analyze the JNDI call link and detect potential attacks within a larger scope.
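The two paragraphs above describe the aspect's two roles in the log4j2 incident: a policy issued to the aspect blocks dangerous lookups without changing business code, and the aspect records the call link at the interception point for later analysis. The following is an added illustration of that pattern in Python; it is not code from the white paper or from Ant's aspect system. The `business_lookup` resolver, the `Policy` format, the deny pattern and the sample names are all constructed for the example; a real deployment would hook the resolver through the runtime's instrumentation rather than by wrapping a function.

```python
"""Added example (hypothetical, not Ant's code): an aspect-style interception
point around a name-lookup call, with a hot-swappable policy and a recorded
call link for each interception."""
import re
import traceback
from dataclasses import dataclass, field
from typing import Callable, List


# --- business code: unchanged, knows nothing about security ---------------
def business_lookup(name: str) -> str:
    # Constructed stand-in for a resource resolver (e.g. a JNDI-style lookup).
    # A real resolver would contact a directory; here it just echoes the name.
    return f"resolved:{name}"


# --- the security aspect: runs beside the business, not inside it ----------
@dataclass
class Policy:
    version: str
    deny_patterns: List[str] = field(default_factory=list)  # regexes on the name


@dataclass
class Event:
    policy_version: str
    name: str
    action: str           # "allow" or "block"
    call_link: List[str]  # function names on the stack at the interception point


class SecurityAspect:
    def __init__(self, policy: Policy):
        self.policy = policy
        self.events: List[Event] = []  # perception: every interception is recorded

    def issue_policy(self, policy: Policy) -> None:
        """Hot update: a newly issued policy takes effect on the next call,
        with no change to, or redeploy of, the business code."""
        self.policy = policy

    def _blocked(self, name: str) -> bool:
        return any(re.search(p, name, re.IGNORECASE) for p in self.policy.deny_patterns)

    def wrap(self, func: Callable[[str], str]) -> Callable[[str], str]:
        """Return a guarded version of `func`; the business keeps calling it as before."""
        def guarded(name: str) -> str:
            # Drop the last frame (this wrapper) so the link shows the business callers.
            link = [f.name for f in traceback.extract_stack()[:-1]]
            if self._blocked(name):
                self.events.append(Event(self.policy.version, name, "block", link))
                raise PermissionError(f"lookup blocked by policy {self.policy.version}: {name}")
            self.events.append(Event(self.policy.version, name, "allow", link))
            return func(name)
        return guarded


def run_demo() -> dict:
    """Walk through: baseline policy, emergency policy issued, effect observed."""
    aspect = SecurityAspect(Policy(version="baseline"))
    lookup = aspect.wrap(business_lookup)
    results = {}
    # Constructed sample name for a remote lookup to an untrusted directory.
    remote = "jndi:ldap://untrusted.example/x"
    results["before"] = lookup(remote)  # baseline has no deny rules: allowed
    # Emergency policy issued to the aspect: deny remote lookups by protocol.
    aspect.issue_policy(Policy(version="emergency-1",
                               deny_patterns=[r"jndi:(ldap|ldaps|rmi|dns):"]))
    try:
        lookup(remote)
        results["after"] = "allowed"
    except PermissionError:
        results["after"] = "blocked"
    # A local, in-container name is unaffected by the emergency policy.
    results["local"] = lookup("java:comp/env/jdbc/orders")
    results["blocked_events"] = [e for e in aspect.events if e.action == "block"]
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The point of the shape is separation: `business_lookup` is never edited, the policy arrives through `issue_policy`, and each `Event` carries the call link that the IAST-style analysis in the test environment would consume.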
In addition, security aspects are also applied to "data service customs" to achieve due diligence and compliance in the data circulation process. "Data service customs" is a data circulation management and control infrastructure independently developed by Ant. By implanting the aspect system, traditional data gateway API forwarding is upgraded into a complete full-link compliant data service model covering data declaration, customs clearance, and auditing. With the support of aspect technology, data flow control can reach field granularity, effectively supporting compliance requirements for data security and privacy protection.
After two years of exploration and practice, the security parallel aspect system has been fully implemented in Ant Group and is widely used in business scenarios such as emergency attack and defense, security governance and deployment, and data security and privacy protection, with remarkable results and outstanding performance, stability, and security.
Now Ant Group is sharing its practical experience in building a security parallel aspect system with the industry. In the future it will also share the results with the open source community as open source, and cooperate with authoritative security institutions in the information industry, such as the information security evaluation center, working hand in hand with industry peers to jointly build a more complete and intelligent security parallel aspect ecosystem, implement the core concept of native security through technological innovation, cover the last mile of native security, and work together to build a secure digital China.
Download the full version of the Ant Security Parallel Aspect White Paper: http://www.itstec.org.cn/aspect_oriented_security_white_paper.pdf
Original article by batsom; if reproduced, please credit: https://cncso.com/en/next-generation-native-security-infrastructure-html
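The "data service customs" paragraph names three stages (declaration, clearance, auditing) and a field-granularity control point. The following added example sketches that flow in Python; it is not code from the white paper or Ant's data service customs. The `Declaration` shape, the `FIELD_POLICY` mapping of purposes to permitted fields, the `DataCustoms` class and the upstream record are all constructed for illustration.

```python
"""Added example (hypothetical, not Ant's code): a data-customs style gateway
that releases only the fields a consumer declared and the policy permits,
and writes an audit record for every clearance."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class Declaration:
    consumer: str      # who is asking
    purpose: str       # declared use of the data
    fields: Set[str]   # fields the consumer claims to need


@dataclass
class AuditRecord:
    consumer: str
    purpose: str
    released: List[str]
    withheld: List[str]


# Constructed policy: per declared purpose, the fields that may leave the gateway.
# Anything not listed is withheld even if the consumer asked for it.
FIELD_POLICY: Dict[str, Set[str]] = {
    "risk-control": {"user_id", "order_amount", "device_hash"},
    "marketing": {"user_id", "order_amount"},
}

# Constructed upstream record that a plain API gateway would forward verbatim.
UPSTREAM_RECORD = {
    "user_id": "u-1001",
    "order_amount": 250,
    "device_hash": "d-ab12",
    "phone": "<constructed-phone>",
    "id_number": "<constructed-id>",
}


class DataCustoms:
    def __init__(self, policy: Dict[str, Set[str]]):
        self.policy = policy
        self.audit: List[AuditRecord] = []

    def clear(self, decl: Declaration, record: dict) -> dict:
        """Customs clearance: intersect what was declared with what the policy
        allows for that purpose, release that subset, audit the decision."""
        allowed = self.policy.get(decl.purpose)
        if allowed is None:
            # Undeclared purpose: nothing leaves, but the attempt is still audited.
            self.audit.append(AuditRecord(decl.consumer, decl.purpose, [], sorted(record)))
            raise PermissionError(f"undeclared purpose: {decl.purpose}")
        released = {k: v for k, v in record.items() if k in decl.fields and k in allowed}
        withheld = sorted(set(record) - set(released))
        self.audit.append(AuditRecord(decl.consumer, decl.purpose, sorted(released), withheld))
        return released


def run_demo() -> dict:
    customs = DataCustoms(FIELD_POLICY)
    results = {}
    # Consumer declares a permitted purpose but over-asks (phone is not allowed).
    risk = Declaration("risk-svc", "risk-control", {"user_id", "device_hash", "phone"})
    results["risk"] = customs.clear(risk, UPSTREAM_RECORD)
    # Marketing may not receive device_hash even though it asks for it.
    mkt = Declaration("mkt-svc", "marketing", {"user_id", "order_amount", "device_hash"})
    results["marketing"] = customs.clear(mkt, UPSTREAM_RECORD)
    # Undeclared purpose is refused outright.
    try:
        customs.clear(Declaration("x-svc", "analytics", {"user_id"}), UPSTREAM_RECORD)
        results["undeclared"] = "released"
    except PermissionError:
        results["undeclared"] = "refused"
    results["audit"] = customs.audit
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

Field-level control falls out of the intersection in `clear`: the consumer's declaration and the policy for the declared purpose both have to name a field before it is released, and the audit trail records what was withheld as well as what went out.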