The joint case of SF Technology x Tencent Security iOA won the Cloud Security Alliance CSA 2022 Security Innovation Award

In recent years, with the accelerated innovation and application of technologies such as cloud computing, big data, and the Internet of Things, digital transformation has begun to sweep across all industries. Demands such as telecommuting, business collaboration, and branch interconnection have emerged, and more complex and diverse advanced cyber attacks have followed. In this context, the traditional perimeter-based approach to network security struggles to resist the endless stream of threats and attacks, and the zero-trust model, based on the concept of "borderless security", has gradually become a focus of attention for enterprises.

On April 13, the 6th Cloud Security Alliance Greater China Conference (CSA GCR Congress) was successfully held in Shanghai. At the meeting, the "Intranet Zero Trust Construction" case jointly created by Tencent Security iOA and SF Technology was unanimously recognized by the judges and experts, and successfully won the CSA 2022 Security Innovation Award.

SF Technology has always paid close attention to traditional network security, and has a relatively complete defense plan built on security products, which it has already deployed. However, in the area of "office access security construction", the lack of systematic best-practice guidelines and mature supporting products has left pain points that could not be solved. These pain points are concentrated in the following three business scenarios:

  • Remote office access: In the past, employees established a tunnel to the company network through a VPN for remote access. However, with the wave of borderless office work driven by the epidemic, employee demand for telecommuting has surged. The problems that "the performance pressure on the VPN and the exposed business surface keep increasing" and that "VPN has many vulnerabilities and lacks security considerations at the architectural level" have brought huge challenges to the IT team.
  • Branch access: As the consumer Internet continues to deepen, the logistics industry has entered fierce competition, and "service sinking" has become a very important strategy for SF Express's business side. As a result, SF Express has more and more service outlets, and branch expansion is getting faster and faster. These changes in business requirements have also brought huge challenges to the IT team. The first is operation and maintenance support: the IPsec-based branch network is too heavy to support flexible changes at branches, and SSL VPN has problems such as a performance ceiling, unstable access for continuous office work, and a poor experience. The second is security: access has switch adaptation problems, so some branch devices have historically lacked secure access verification. At the same time, branch access involves a large number of business scenarios that need to interact with sensitive systems on the intranet, making branches a link in the company's security architecture that needs to be improved.
  • Intranet access in the workplace: As a leading company in the logistics industry, SF has always treated the confrontation with internal and external threats as an important project. In recent years, with the trends of "increased openness of digital business" and "borderless and light-constrained office", the intranet has gradually become flatter, and intranet assets face access from more and more "unknown devices". From the perspective of "result-oriented data security assurance", the risk exposure of SF's intranet assets urgently needs to be contained.

In detail, the main attack-protection problems SF Technology faces are: large exposure to the Internet; frequent attacks; failure to respond quickly to 0day/1day attacks; and attack methods such as social-engineering phishing, malicious files, and covert channels that are diverse and difficult to detect. This requires building a more advanced defense system that can respond efficiently.

Based on this, SF Technology has increased its investment in security construction and adopted the Tencent iOA zero trust solution, opening up an approach to compound security construction for the industry. From the perspective of overall planning, SF Technology focuses on a fine-grained management and control system for data security and identity, on classified and hierarchical management of business, and on management across different networks. On the basis of compliance, it achieves a balance between security and efficiency.

Through the construction of the zero-trust solution, with features such as integrated office security and easy-to-use security management, the two parties have renewed the traditional island-style approach to building terminal security and access security. This brings enterprise IT management and application to a new level, and achieves security risk convergence, intelligent security linkage, and multi-scenario security.

In terms of security risk convergence, the iOA zero trust solution innovatively proposes a "three-tier minimal authorization architecture" while avoiding the security risks of traditional VPN products in the wild:

The first layer (isolation of attack requests): Through the "zero intrusion SPA technology", the "0 port exposure" of the entire network access infrastructure has been successfully implemented, and the convergence of the network exposure surface and the attack surface has been realized.

The second layer (on-demand minimization of authorization): Through the "identity-based whole network access behavior mapping" technology, the real access needs of users across the whole network are collected. On this basis, the capabilities of "RBAC intelligent optimization" and "automatic recycling of zombie permissions" break the impossible triangle of "operation and maintenance efficiency, user experience, and authorization fineness" in permission operation scenarios.

The third layer ("adaptive" & "scenario-based" dynamic access isolation control): Through the deep integration of "access" and "security" capabilities, the access control platform gains more powerful "security status awareness" and more flexible "security risk control capabilities". This gives SF Technology the ability to implement "precise access risk prevention and control" and to apply "adaptive" & "scenario-based" isolation policies, so that security policy operations no longer face the dilemma of being "too strict" or "too loose". It resolves the conflict between security and business: business is the starting point, and security serves the business.

In terms of intelligent security linkage, the iOA zero-trust solution integrates office security. One client provides functions that previously required multiple clients, and modules such as anti-virus, management and control, zero-trust access, and access can be intelligently linked. This breaks the traditional isolated mode of building terminal security and maximizes the benefits of security construction.

In terms of multi-scenario security, the iOA zero trust solution supports multiple deployment modes such as private cloud, public cloud, and hybrid cloud, which adapts well to the business needs of SF Express, and it has withstood the load test of horizontal expansion and home office during the epidemic. In terms of security, ease of use, and stability, it can improve the quality and efficiency of enterprise security construction.

In the future, SF Security will continue to refine its own technology, enrich practical experience, provide support and reference for the implementation of zero trust in various industries, and help the healthy development of the "new normal" of hybrid office.

Origin blog.csdn.net/qcloud_security/article/details/130148492