"Four-dimensional integration": a new posture for bank data security | Dunjian

Text|Gong Lei

With the official implementation of the Data Security Law and the Personal Information Protection Law, data security and personal information protection have become a focus of supervision by the central bank and the China Banking and Insurance Regulatory Commission.

According to authoritative figures, in the first half of 2022 alone 24 financial institutions were penalised for data security and personal information protection issues, with cumulative fines exceeding 47 million yuan, making this one of the hardest-hit areas for regulatory penalties. Most of these incidents stem from bank staff who, taking advantage of their position, violate professional ethics and the law by selling customer information for personal gain.

01 Pain points in the industry: What difficulties need to be overcome for bank data security?

Banking is a typical data-intensive industry: asset digitisation and link digitisation are relatively mature, and data is the foundation of the industry's development. Making effective use of data and realising its value has become one of the core competencies of banking institutions. Under strong supervision, ensuring data security is the bottom line for business development, yet the industry still faces several data security challenges.

1. The key construction direction is not clear

Classification and grading are generally the foundation and premise of data security construction, but many banks then face the hard question of "what to do after classification and grading". The fields involved in data security are complex, so where should one start? How to carry out data security construction systematically has become a focus for many banks.

2. Conflict between compliance and business requirements

Regulations such as the People's Bank of China's "Financial Data Security: Data Lifecycle Security Specification" and "Financial Data Security: Data Security Assessment Specification (Draft for Comment)" set out clear and somewhat "strict" requirements for protecting data at different levels, for example: "export of level 3 and above data should use encryption, desensitisation and other technical means to prevent data leakage, unless otherwise stipulated by the state and industry authorities." In actual business, however, specific business staff often need to use level 3 or higher data in plain text, which creates a conflict between security compliance and business. How to balance the two, and whether there are good technical means to resolve it, is a problem banks urgently need to solve.

3. The cost of security compliance is high and the cycle is long

Meeting regulatory requirements inevitably involves transforming the corresponding systems. Take the audit log requirement: the regulator clearly states that "the operation log should at least include a clear subject, object, operation time, specific operation type, operation result, etc.", but many application systems keep incomplete logs, especially for the accessed "object": the specific mobile phone numbers or ID numbers that were viewed are not recorded. In addition, data desensitisation requirements differ from system to system, and a great deal of customised development is needed to achieve compliance. The cost and duration of such transformation are unbearable for many banks, not to mention the uncontrollable factors introduced by the many non-bank system suppliers involved.

4. It is difficult to continuously develop data security management

Managing data security is usually a troublesome proposition, because the department responsible for it is often the security or data management team rather than the business department that actually uses the data. Data permissions, however, are formulated according to business needs, which means the managers have only a limited understanding of the business: it is difficult for security staff to judge whether a business system's permission settings are reasonable, yet they are still held responsible for security management. As a result, data security operation management lacks support and a starting point, and is difficult to sustain.

02 "Four-dimensional integration": the way to break through for banking data security

Before discussing how to carry out data security construction, note that the security framework of the "Financial Data Security: Data Lifecycle Security Specification" makes "data use security" the top priority of full-lifecycle protection. The problem then simplifies: the core of data security is solving the problem of data use security.

(1) Solution approach

To solve the problem of data use security, the core is to capture detailed information on the "access subject", the "access object" and the "access behaviour", and then analyse data security risks in combination with specific business scenarios.

The overall idea is to be people-centred, to focus on business scenarios, to take data classification and grading as the foundation, and to use user and entity behaviour analysis (UEBA) built on a zero-trust framework and artificial intelligence models as the lever, so as to build a security monitoring system covering the whole process of application system data use.

"People-centred": in the process of using and accessing system data, people are the main actors. By collecting "dynamic" behavioural information and environmental information together with relatively "static" information such as personnel permissions, organisational structure and job department, a subject portrait of each person is built to identify personnel risk.

"Around business scenarios": by mining the behavioural features of insiders across different object dimensions such as accounts, permissions, access behaviour and data operations, abnormal data use and access risks are identified and located precisely.

"Based on data classification and grading": during data access and use, sensitivity identification and classification and grading rules determine how important and how sensitive the data currently being accessed is, so that protection can be targeted.

"User and entity behaviour analysis as the lever": behaviour analysis built on a zero-trust framework and artificial intelligence models efficiently identifies behavioural risks in data use, raises alerts in real time, and where necessary links with the relevant business systems to block and intercept risky behaviour.

(2) Overall framework of the solution

The data use security protection system is built in layers following a "four-dimensional integration" defence-in-depth approach, that is, capability building at four levels: data collection, asset sorting, security analysis and security operations. Together they cover the data use process of important systems to achieve comprehensive protection:

1. Data collection layer

Responsible for collecting user behaviour data and loading enrichment data. It collects user behaviour data and connects to data on personnel organisational structure, account permissions, employment status and so on.

2. Asset sorting layer

The data preprocessing layer further processes the user behaviour data collected by the data collection layer, identifying the sensitive data, API interfaces, user accounts and other information it contains, tagging sensitive data with its classification and grade, and associating the various enrichment data. After this layer, each user behaviour record carries rich fields and context.
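The two layers above, together with the audit log requirement quoted earlier (subject, object, time, operation type, result), can be illustrated with a small enrichment step. The following is an added example and not code from the 觅踪 platform or from this article: it takes constructed gateway-captured events, pulls sensitive values (ID numbers, bank card numbers, mobile numbers, with illustrative classification levels) out of the request and response, joins the subject to a made-up organisation directory, and reports which required audit fields are still missing. All accounts, departments, levels and sample values are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed organisation directory, standing in for the HR / IAM feed the collection
# layer would connect to. Every account, department and role here is made up.
ORG_DIRECTORY = {
    "zhang.san": {"department": "retail-credit", "role": "credit-approver", "status": "active"},
    "li.si": {"department": "customer-service", "role": "agent", "status": "resigned"},
}

# Sensitive-data patterns and the classification level each maps to (illustrative
# stand-ins for the bank's own classification and grading rules). Order matters: the
# longer, more specific patterns run first so that one value is reported only once.
SENSITIVE_PATTERNS = {
    "id_card": (re.compile(r"\b\d{17}[\dXx]\b"), 4),
    "bank_card": (re.compile(r"\b\d{16,19}\b"), 4),
    "mobile": (re.compile(r"\b1[3-9]\d{9}\b"), 3),
}

REQUIRED_FIELDS = ("subject", "objects", "operation_time", "operation_type", "result")


@dataclass
class AuditRecord:
    subject: str
    department: str
    role: str
    employment_status: str
    operation_time: str
    operation_type: str
    result: str
    objects: list = field(default_factory=list)  # (data_type, level, value) per hit
    max_level: int = 0


def find_sensitive(text):
    """Return (data_type, level, value) for every sensitive value found in text.

    Each pattern's hits are blanked out before the next pattern runs, so an
    18-digit ID number is not additionally reported as a bank card number.
    """
    hits, remaining = [], text
    for data_type, (pattern, level) in SENSITIVE_PATTERNS.items():
        for match in pattern.finditer(remaining):
            hits.append((data_type, level, match.group(0)))
        remaining = pattern.sub(lambda m: " " * len(m.group(0)), remaining)
    return hits


def classify_operation(method, path):
    """Map a gateway-observed request to the operation type the audit log must carry."""
    if "/export" in path:
        return "export"
    return {"GET": "query", "POST": "modify", "DELETE": "delete"}.get(method, "other")


def to_audit_record(event):
    """Turn one raw gateway event into an audit record carrying subject, object, time,
    operation type and result, with the subject enriched from the org directory."""
    person = ORG_DIRECTORY.get(
        event["user"], {"department": "unknown", "role": "unknown", "status": "unknown"}
    )
    objects = find_sensitive(event.get("request", "") + " " + event.get("response", ""))
    return AuditRecord(
        subject=event["user"],
        department=person["department"],
        role=person["role"],
        employment_status=person["status"],
        operation_time=event["time"],
        operation_type=classify_operation(event["method"], event["path"]),
        result="success" if event["status"] == 200 else "failure",
        objects=objects,
        max_level=max((level for _, level, _ in objects), default=0),
    )


def missing_fields(record):
    """Required fields this record does not carry; an empty 'objects' list is exactly
    the 'accessed object not recorded' gap the text describes."""
    return [name for name in REQUIRED_FIELDS if not getattr(record, name)]


# Constructed gateway events: a query whose response body carried customer data, and
# a rejected export attempt by a resigned account.
SAMPLE_EVENTS = [
    {"user": "zhang.san", "time": "2023-02-20T09:15:02", "method": "GET",
     "path": "/credit/approved/query", "status": 200, "request": "name=Wang*",
     "response": '{"mobile":"13800138000","id_card":"11010119900101123X"}'},
    {"user": "li.si", "time": "2023-02-20T09:16:40", "method": "GET",
     "path": "/customer/export", "status": 403, "request": "ids=1001,1002",
     "response": ""},
]

if __name__ == "__main__":
    for event in SAMPLE_EVENTS:
        record = to_audit_record(event)
        print(record, "missing:", missing_fields(record))
```

Because the object is taken from the request and response bodies seen at the gateway, the record is complete even when the application's own log never wrote down which phone or ID number was viewed; the second event shows a record that would still fail the completeness check because nothing sensitive was returned.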

3. Security analysis and protection layer

The security analysis and protection layer analyses the user behaviour data output by the preprocessing layer in real time and, according to the system configuration, protects the connected applications in real time.

Based on pre-set configuration and on the risks found by the real-time decision analysis engine, the protection engine protects applications in real time through the gateway and the JS soft probe, downgrading or blocking the risky behaviour of particular users.

4. Security operations layer

The security operations layer is responsible for maintaining the system itself, configuring security models, tracing security incidents and handling risks, producing weekly security operations reports, and so on.

03 Implementation practice: what results does it bring to banks?

When implementing a data use security control platform, business research, technical research and data research are all indispensable; only after understanding the business pain points in depth can a product be designed that truly fits business needs, letting business departments use the data and realise its value.

For example, a commercial bank introduced the 觅踪 data use security control platform and achieved monitoring and auditing of data use behaviour, together with unified identification of sensitive data in dynamic use and fine-grained dynamic masking of it.

Scenario 1: during monitoring and auditing of a credit approval system, a credit approver was found to be periodically querying, at high frequency, the information of rejected applicants on the "approved" query page, deviating from the normal behaviour baseline; all of the related searches used fuzzy matching. Investigation found that this person had long been leaking the information of rejected customers to a micro-loan company.

Scenario 2: an employee first exported "customer number + name", two days later exported "customer number + mobile number", and a few days later exported "customer number + ID card number", each time for the same batch of customer numbers. By joining on the customer number, the three key identity elements were reassembled, causing a data leak.
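Both scenarios can be expressed as simple detectors over behaviour records. The following is an added example, not code from the 觅踪 platform or from the article: the first function flags a user whose daily query count on a page is far above the page's baseline (taken here as the median daily count across all users) and whose searches are mostly fuzzy matches; the second flags a user whose exports within a window share customer numbers and whose combined columns cover name, mobile number and ID card number. The logs, user names, thresholds and the choice of median as baseline are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import date
from statistics import median

THREE_ELEMENTS = {"name", "mobile", "id_card"}


def build_query_log():
    """Constructed query log: (user, day, page, fuzzy_match). Two approvers run a
    handful of exact-match queries a day; a third runs twenty fuzzy searches a day."""
    log = []
    for day in range(1, 8):
        d = date(2023, 2, day)
        for peer in ("approver_a", "approver_b"):
            log += [(peer, d, "/credit/approved/query", False)] * 3
        log += [("approver_x", d, "/credit/approved/query", True)] * 20
    return log


def detect_high_frequency_queries(log, ratio=5.0, fuzzy_threshold=0.8):
    """Scenario 1: flag (user, day, page) whose query count is at least `ratio` times
    the page's baseline (median daily count over all users) and whose searches are
    mostly fuzzy matches."""
    daily = defaultdict(lambda: [0, 0])  # (user, day, page) -> [queries, fuzzy queries]
    for user, day, page, fuzzy in log:
        daily[(user, day, page)][0] += 1
        daily[(user, day, page)][1] += int(fuzzy)
    per_page = defaultdict(list)
    for (_, _, page), (count, _) in daily.items():
        per_page[page].append(count)
    baseline = {page: median(counts) for page, counts in per_page.items()}
    alerts = []
    for (user, day, page), (count, fuzzy_count) in sorted(daily.items()):
        fuzzy_ratio = fuzzy_count / count
        if count >= ratio * baseline[page] and fuzzy_ratio >= fuzzy_threshold:
            alerts.append((user, day.isoformat(), page, count, round(fuzzy_ratio, 2)))
    return alerts


# Constructed export log: (user, day, exported columns, customer numbers in the export).
EXPORT_LOG = [
    ("clerk_y", date(2023, 2, 1), {"customer_no", "name"}, {1001, 1002, 1003}),
    ("clerk_y", date(2023, 2, 3), {"customer_no", "mobile"}, {1001, 1002, 1003}),
    ("clerk_y", date(2023, 2, 6), {"customer_no", "id_card"}, {1001, 1002, 1004}),
    ("clerk_z", date(2023, 2, 2), {"customer_no", "name"}, {2001}),
    ("clerk_z", date(2023, 2, 4), {"customer_no", "mobile"}, {3001}),
]


def detect_split_exports(log, window_days=14, min_overlap=2):
    """Scenario 2: flag a user whose exports within `window_days` share at least
    `min_overlap` customer numbers and whose combined columns cover all three key
    identity elements, i.e. the pieces could be joined back together on the number."""
    by_user = defaultdict(list)
    for user, day, columns, ids in log:
        by_user[user].append((day, columns, ids))
    alerts = []
    for user, exports in by_user.items():
        exports.sort(key=lambda e: e[0])
        for i, (day_i, cols_i, ids_i) in enumerate(exports):
            shared_ids, cols = set(ids_i), set(cols_i)
            for day_j, cols_j, ids_j in exports[i + 1:]:
                if (day_j - day_i).days > window_days:
                    break
                overlap = shared_ids & ids_j
                if len(overlap) >= min_overlap:
                    shared_ids, cols = overlap, cols | cols_j
            if THREE_ELEMENTS <= cols:
                alerts.append((user, day_i.isoformat(), sorted(shared_ids)))
                break
    return alerts


if __name__ == "__main__":
    for alert in detect_high_frequency_queries(build_query_log()):
        print("high-frequency fuzzy queries:", alert)
    for alert in detect_split_exports(EXPORT_LOG):
        print("split export of the three identity elements:", alert)
```

The export detector deliberately keeps only the customer numbers common to all linked exports, so the alert names the records whose three elements were actually reassembled rather than every number that appeared in any of the files.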

Scenario 3: dynamic masking. In the customer information system, the mobile number is masked for users in department a with role b; on one particular page, both the mobile number and the ID card number are masked for users in department c with role d.

04 Core value: which key problems does it solve?

1. Unified, comprehensive collection of application system audit logs

The bank's application systems vary widely in maturity, and their log collection is incomplete, non-compliant and inconsistent in standards. It is hard to audit the operated object and the accessed content, especially the access to and use of sensitive data. Retrofitting audit log collection system by system is hugely costly and involves many external suppliers, so it is hard to put into practice.

觅踪 can collect fine-grained application logs, achieving unified, complete and compliant audit log collection without secondary development of the business systems.

2. Comprehensive monitoring of data use behaviour

The bank's current application systems have no security analysis capability for data use behaviour and cannot cope with risks such as account theft and sharing, operations from unusual environments, privileged accounts, operations beyond one's permissions, data tampering and data leakage.

By introducing the 觅踪 platform, comprehensive dynamic risk monitoring of every connected system is achieved; combining data type, security level, personnel role, operation type and environment gives finer-grained permission control that adapts flexibly to data use risks in many complex scenarios.

3. Unified, real-time security control mechanism

Most of the bank's current application systems have no security control capability and no unified masking, so exposed sensitive data cannot be protected effectively.

By introducing the 觅踪 platform, unified masking and watermarking, together with alerting and control for different security risks, are achieved with real-time response, minimising losses and controlling risk.
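Scenario 3 above and the unified masking described here both come down to a policy that decides, per user and per page, which fields leave the application in masked form. The following is an added example and not the 觅踪 platform's own implementation: a rule list keyed on system, optional page, department and role; a partial-masking function; and a "downgraded" switch standing in for the protection engine's decision to reduce a flagged user's view. Rule contents, department and role names and the sample record are assumptions for the example.

```python
# Constructed masking policy. Each rule names the department and role it applies to,
# optionally a single page, and the fields to mask; names are made up for the example.
MASKING_POLICY = [
    {"system": "customer-info", "page": None,
     "department": "a", "role": "b", "fields": {"mobile"}},
    {"system": "customer-info", "page": "/customer/detail",
     "department": "c", "role": "d", "fields": {"mobile", "id_card"}},
]

# Fields masked for everyone once the analysis engine has downgraded the user.
SENSITIVE_FIELDS = {"mobile", "id_card"}


def mask_value(field_name, value):
    """Partial masking that keeps enough of the value to remain usable on screen."""
    if field_name == "mobile" and len(value) == 11:
        return value[:3] + "****" + value[-4:]
    if field_name == "id_card" and len(value) == 18:
        return value[:6] + "********" + value[-4:]
    return "*" * len(value)


def fields_to_mask(policy, system, page, department, role, downgraded=False):
    """Union of the fields every matching rule asks to mask. A rule with page=None
    applies to the whole system; a downgraded user gets every sensitive field masked."""
    if downgraded:
        return set(SENSITIVE_FIELDS)
    fields = set()
    for rule in policy:
        if rule["system"] != system:
            continue
        if rule["page"] is not None and rule["page"] != page:
            continue
        if rule["department"] != department or rule["role"] != role:
            continue
        fields |= rule["fields"]
    return fields


def apply_masking(policy, system, page, user, record, downgraded=False):
    """Return a copy of the record with the policy's fields masked for this user."""
    fields = fields_to_mask(policy, system, page, user["department"], user["role"], downgraded)
    return {key: mask_value(key, value) if key in fields else value
            for key, value in record.items()}


# Constructed customer record as the application would return it unmasked.
RECORD = {"customer_no": "1001", "name": "Wang Wu",
          "mobile": "13800138000", "id_card": "11010119900101123X"}

if __name__ == "__main__":
    print(apply_masking(MASKING_POLICY, "customer-info", "/customer/list",
                        {"department": "a", "role": "b"}, RECORD))
    print(apply_masking(MASKING_POLICY, "customer-info", "/customer/detail",
                        {"department": "c", "role": "d"}, RECORD))
```

Rules are additive: when several match, the user sees the union of their masked fields, which is the safe direction for a conflict between a system-wide rule and a page-specific one.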

4. Dynamic permission sorting

The bank has many systems and a complex workforce, so permission management is becoming ever harder. Sorting out permissions requires in-depth interviews with several business departments, and it is very difficult to work out which accounts and permissions in each system are used, which are not, which can be revoked and which cannot.

The 觅踪 platform can sort permissions from the perspective of actual business use: for example, by ranking the pages each account uses least, finding pages that have not been used at all in the last six months, and ranking the pages each department uses least. Permissions to very low-frequency pages can then be revoked, achieving least privilege.

5. Sensitive data flow / dynamic sorting

The bank's current data asset sorting and classification and grading work is largely a static process, which reveals the categories, types and volume of sensitive data in the bank's static data assets.

觅踪 goes a step further and sorts the dynamic flow of sensitive data: on the basis of classification and grading, it identifies which sensitive data is used at high frequency, which is used most widely and exposed most broadly, which departments access the most types and the largest volumes of sensitive data, which sensitive data is accessed only at low frequency, and whether that access can be narrowed, achieving dynamic sorting of sensitive data.
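Both the permission sorting in point 4 and the sensitive data flow sorting in point 5 are aggregations over the same enriched access log. The following is an added example, not the 觅踪 platform's code: it computes, per account, the granted pages opened at most a couple of times in the last six months (revocation candidates), then tallies which sensitive types each department receives and ranks the types bank-wide. The permission grants, the log, the 180-day window and the "at most two hits" threshold are assumptions made for the example.

```python
from collections import Counter, defaultdict
from datetime import date, timedelta

# Constructed permission grants: account -> pages the account may open.
PERMISSIONS = {
    "u1": {"/credit/query", "/credit/export", "/customer/batch"},
    "u2": {"/credit/query", "/report/monthly"},
}

# Constructed access log: (account, department, day, page, sensitive types returned).
ACCESS_LOG = [
    ("u1", "credit", date(2023, 2, 1), "/credit/query", {"mobile"}),
    ("u1", "credit", date(2023, 2, 2), "/credit/query", {"mobile", "id_card"}),
    ("u1", "credit", date(2023, 2, 3), "/credit/query", set()),
    ("u1", "credit", date(2023, 1, 10), "/credit/export", {"id_card"}),
    ("u1", "credit", date(2022, 5, 1), "/customer/batch", {"mobile"}),  # outside window
    ("u2", "service", date(2023, 2, 5), "/credit/query", {"mobile"}),
    ("u2", "service", date(2023, 2, 6), "/credit/query", {"mobile"}),
    ("u2", "service", date(2023, 2, 7), "/credit/query", {"mobile"}),
]


def low_frequency_pages(grants, log, as_of, days=180, max_hits=2):
    """Per account: granted pages opened at most `max_hits` times in the last `days`
    days (never-opened pages included). These are the revocation candidates."""
    cutoff = as_of - timedelta(days=days)
    hits = Counter((acct, page) for acct, _, day, page, _ in log if day > cutoff)
    return {acct: sorted(p for p in pages if hits[(acct, p)] <= max_hits)
            for acct, pages in grants.items()}


def sensitive_flow_by_department(log):
    """Department -> {sensitive type: number of accesses that returned it}."""
    flow = defaultdict(Counter)
    for _, dept, _, _, types in log:
        for data_type in types:
            flow[dept][data_type] += 1
    return {dept: dict(counter) for dept, counter in flow.items()}


def sensitive_type_ranking(log):
    """Sensitive types ordered by how often they are accessed across the bank."""
    counter = Counter(t for *_, types in log for t in types)
    return counter.most_common()


if __name__ == "__main__":
    print("revocation candidates:", low_frequency_pages(PERMISSIONS, ACCESS_LOG, date(2023, 2, 20)))
    print("flow by department:", sensitive_flow_by_department(ACCESS_LOG))
    print("type ranking:", sensitive_type_ranking(ACCESS_LOG))
```

Pages that are granted but absent from the log entirely show up as candidates because the counter returns zero for them, which is exactly the "not used in the last six months" case the text describes.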

Source: blog.csdn.net/jidunkeji/article/details/129196109