Tracing network security back to its origin: Native Security Paradigm Framework v1.0 officially released at the Bund Conference

On September 8, the 2023 Bund Conference Cyber Security Sub-Forum was held in Shanghai. The forum was jointly hosted by Ant Group and Information Security Research magazine, with the theme "Opening the Native Security Paradigm and Protecting Cyberspace Security". At the meeting, Ant Group and the School of Cyberspace Security of Zhejiang University released a leading cybersecurity achievement, the "Native Security Paradigm Framework v1.0". The framework integrates technical ideas and a system of methods that explore the origin of network security. It mainly comprises two major security paradigms, the "OVTP traceability paradigm" and the "NbSP zero-crossing paradigm", and one major technological innovation, the "security parallel aspect".

 

"Modern digital enterprises have become digital beings that are constantly evolving. The complexity of their architecture will explode, increasing the digital risks within the enterprise. The origin of network security still comes back to the question of whether the access is legal. We hope that the native security paradigm framework will provide guidance for the design of enterprise security architecture, allowing native security to move from macro requirements to implementable practice." Having been engaged in important network security work for many years, Wei Tao, Vice President and Chief Technology Security Officer of Ant Group, has profound insights into the new situation of network security and the nature of security work.

(Picture: Wei Tao, Vice President and Chief Technology and Security Officer of Ant Group, delivered a keynote speech)

Facing new challenges in network security, Ant Group has been exploring the native security paradigm since 2019 and has continuously improved it through iterative upgrades and practical verification, condensing the results into the "Native Security Paradigm Framework v1.0". The framework mainly comprises two major security paradigms and one major technological innovation. The two security paradigms are the "OVTP traceability paradigm" (Operator-Voucher-Traceable Paradigm, or OVTP) and the "NbSP zero-crossing paradigm" (Non-bypassable Security Paradigm, or NbSP). The technological innovation is the "security parallel aspect" technology system, an innovative system of methods built on the two security paradigms. The paradigms and the technology complement each other and allow the native security concept to be put into practice.

(Figure: Native Security Paradigm Framework v1.0)

The two major security paradigms propose innovative solutions to network security access issues based on native security thinking. Put simply, OVTP ensures that sensitive network access operations can be traced and judged, for example against the service work order that customer service personnel rely on when retrieving customer information, so that they do not create unauthorized-access vulnerabilities. NbSP is similar to airport security checks: attackers must not be able to exploit various vulnerabilities to open hidden passages (such as sewers or ventilation pipes) that bypass the security checkpoints.

Ant's pioneering "security parallel aspect" provides an efficient system of methods and a basic platform for modern digital organizations to implement the OVTP traceability paradigm and the NbSP zero-crossing paradigm, achieving a leap-forward improvement in the effectiveness and efficiency of network security governance. For example, during the Double Twelve Promotion period in 2021, in response to log4j2 vulnerability attacks, Ant Group's security parallel aspect system achieved hour-level, site-wide hemostasis (stopping the bleeding). The security emergency manpower was reduced from 6,000 person-days during the fastjson emergency response to 30 person-days, and efficiency improved a hundred times. The two-pronged approach of hemostasis and reinforcement resolved the crisis with zero business interruption.

At the forum, guests from Qi'anxin, Ping An Group, Zhijiang Laboratory, Beijing Lianshi Network, Beijing Zhiqian Technology, CertiK and other organizations also shared industry practices and the latest research around "opening the native security paradigm and protecting cyberspace security".

Wu Yunkun, deputy director of the China Electronics Science and Technology Commission and president of Qi'anxin Group, believes that modern enterprise network security is endogenous security based on business. Such a security protection system has three key elements: first, starting from a focus on business, build an endogenous security system; second, starting from a focus on "people", build security mechanisms into the entire data chain; third, starting from a focus on operations, build a practical security operation system. These capabilities helped Qi'anxin complete the network security guarantee for the 2022 Beijing Winter Olympics with "zero incidents," Wu Yunkun said.

(Picture: Wu Yunkun, deputy director of China Electronics Science and Technology Commission and president of Qi'anxin Group, delivered a keynote speech)

Chen Jian, Chief Information Security Director of Ping An Group, shared DevSecOps as a typical native security practice. Code is security: security is regarded as a core element in the process of writing code, to ensure that the developed software applications are highly dependable in terms of security, reliability and defensibility. Going online is security: before the application goes online, it is necessary to ensure that it has a high degree of security and reliability, to reduce the cost of fixing vulnerabilities and problems later. Operation is security: in the process of running software systems and business operations, treat security as an ongoing need, ensure a high level of security during the operational phase, and reduce the risk of attacks.

Bai Xiaoyong, founder and CEO of Beijing Lianshi Network, explained that, based on security parallel aspect technology, Lianshi Network reconstructs security rules from the perspective of data flow, achieving technical decoupling and capability integration of security and business. "The native data of the application that does not need to be modified is secure, has multiple compatibility, fast delivery, good protection, and saves costs," Bai Xiaoyong said.

Jin Bo, deputy director of the Third Research Institute of the Ministry of Public Security, and Tan Jianfeng, member of the 13th National Committee of the Chinese People's Political Consultative Conference and honorary president of the Shanghai Information Security Industry Association, expressed their high expectations for network security governance initiated by the native security paradigm.

The core idea of the native security paradigm is to integrate security capabilities into the capillaries of the business. This idea is also reshaping modern enterprise security governance. Forum participants agreed that the native security paradigm, a high-efficiency security practice, relies strongly on paradigm cognition and the evolution of security infrastructure. It requires more enterprises and institutions to take part in building the technology together and exploring its applications, in order to jointly create a cyberspace with a high level of security.

 

Origin blog.csdn.net/FL63Zv9Zou86950w/article/details/132780298