From May 29th to June 1st, 2023, the National Information Security Standardization Technical Committee (hereinafter referred to as "Xinan Standardization Committee") will hold the first "Standards Week" in 2023 in Kunming, Yunnan. The event gathered the country's top cyber security standards experts, scholars and industry leaders to discuss cutting-edge issues and best practices in the field of cyber security standards to provide a solid security guarantee for the digital economy.
At the "Network Security Standards Escorting the High-Quality Development of the Digital Economy" summit forum, Dong Zhiqiang, vice president of Tencent Security and head of Yunding Lab, delivered a keynote speech on "High Security Level Architecture of Cloud Platform", sharing with the participants Tencent's security in the cloud platform Innovative practices and technical achievements in the security field, as well as practical experience and work suggestions in participating in standard formulation.
Dong Zhiqiang believes that the security risks brought by security threats such as data leakage and supply chain are becoming more and more prominent, which has become a constraint factor for enterprises to carry out digital operations. The digital transformation of enterprises requires a high-level security architecture to protect the business, especially for critical infrastructure, whose safe and stable operation is related to the national economy, the people's livelihood, public interests, and national security, and a higher-level security architecture is urgently needed to provide support.
Based on years of experience in cloud platform security construction, Dong Zhiqiang systematically shared the practice of Tencent Cloud Platform's high-level security architecture, with a view to providing reference for large enterprises, especially the "Guanji" platform. Dong Zhiqiang also proposed in his speech that the security work at the cloud platform architecture level should be promoted in the form of standard formulation to promote the formation of industry consensus and coordinated development.
Dong Zhiqiang said that enterprise security is facing endless new security threats. Digital transformation requires a high-level security architecture to protect the business. Cloud-native IT infrastructure triggers underlying trustworthy requirements. Product service-oriented default security requirements that users can perceive. Intelligence triggers the need for the integration of security, data, intelligence, and architecture to realize a business immune system. Tencent Security builds high-level security of the cloud platform through the following aspects:
1. Data center security: ensure data center security from the aspects of data center, physical network, hardware, host, and tenant;
2. Server hardware security: Build a trusted hardware system from aspects such as firmware security audit and penetration testing, hardware/firmware security design, firmware refresh protection, server component optimization and tailoring;
3. Cloud default security framework: guarantee the default security of the cloud platform from the aspects of base security reinforcement, base security capabilities, anti-intrusion, etc., from security design, multi-tenant isolation, identity authentication, access control, application security, security configuration, auditing, data security and other aspects to ensure the default security of cloud products;
4. Responsibility sharing model: Multi-party linkage, each performing its duties, cooperate with each other to build a high-level security system, thereby forming a security community and working together to resist high-threat level confrontation.
5. Digital security immunity and value model: comprehensively consider from 7 dimensions of border security, endpoint security, application development security, security operation and governance, data security governance, and business risk governance to form a systematic capability model that will serve the future of the enterprise Escort the development of digital intelligence innovation.
Dong Zhiqiang mentioned that Tencent Security has been actively participating in the formulation of network security standards and sharing Tencent Security's experience and methods with the industry. Since 2016, Tencent Cloud has actively participated in the construction of national standards for cloud computing security, including but not limited to national standards and research topics such as key information infrastructure security, national standard research on big data business risk control, and cloud computing service security. The GB/T 31167-2023 was officially released on May 23 not long ago.
In view of the security characteristics and security risks of cloud computing platforms, Dong Zhiqiang suggested that relevant standards for cloud service security should be formulated at the national standard level to ensure the security of cloud platforms at the architectural level. At the management level, promote standards such as the responsibility-sharing model; at the technical level, promote standards such as cloud-native security and hardware trusted security; and at the data level, promote standards such as anonymization. At the same time, he also called on the upstream and downstream of the industry to work together to better escort the digital development of the industry based on the standards of joint construction.
At the event site, relevant leaders of the Central Cyberspace Affairs Commission and the National Security Standardization Committee inspected the exhibition "Application Cases of Cloud Computing Security Series Standards Supporting National Cloud Service Security Evaluation" jointly implemented by Tencent Cloud, Sichuan University, and National Information Technology Security Research Center. The case won the first prize of the National Network Security National Standard Excellent Practice Case last year.
Established in April 2002, the "Certificate Security Standardization Committee" is the highest standard and most authoritative official organization in the field of information security standardization technology in China. It has 6 working groups and 1 special working group. Since 2016, "Conference Week" activities have been held twice a year. The "Conference Week" activity refers to its innovative and beneficial exploration of the organization model of China's network security standardization work by drawing on the international standardization work model and experience, and has built a highly authoritative and influential network security standardization work exchange, discussion, communication platform.