Shulou(Shulou.com)11/24 Report--

On September 8,2023 Bund Conference Network Security Sub-Forum was held in Shanghai. The forum was jointly sponsored by Ant Group and Information Security Research magazine, with the theme of "Opening Native Security Paradigm and Protecting Cyberspace Security." At the meeting, Ant Group and School of Cyberspace Security of Zhejiang University launched a leading network security achievement "Native Security Paradigm Framework v1.0". This is the integration of technical ideas and method systems to explore the origin of network security, mainly including two security paradigms,"OVTP traceability paradigm" and "NbSP zero-crossing paradigm," and a major technological innovation,"security parallel section."

"Modern digital enterprises have become evolving and evolving digital organisms whose architectural complexity is exploding and are increasing digital risks within the enterprise. Network security, the origin or to return to the question of whether access is legal. We hope to provide guidance for enterprise security architecture design through the native security paradigm framework, so that native security can move from macro requirements to practical implementation." Engaged in important network security work for many years, Wei Tao, vice president and chief technical security officer of Ant Group, has profound insights into the new situation of network security and the nature of security work.

(Photo: Wei Tao, Vice President and Chief Technical Security Officer of Ant Group, delivered a keynote speech)

Facing the new challenges of network security, Ant Group has explored the native security paradigm since 2019, and through iterative upgrading and practical verification, it has been continuously improved and condensed into "Native Security Paradigm Framework v1.0." It mainly includes two security paradigms and one technological innovation. The two security paradigms include the Operator-Voucher-Traceable Paradigm (OVTP) and the Non-bypassable Security Paradigm (NbSP). A major technological innovation is mainly the "safety parallel section technology" system, which is a method system innovated from two safety paradigms. The two complement each other, so that the concept of native safety can be implemented.

(Figure: Native Security Paradigm Framework v1.0)

The two security paradigms propose innovative solutions to the network security access problem under the original security idea. Simply put, OVTP is to ensure that network access sensitive operations can be traced back and judged, such as customer service personnel call customer information when relying on service tickets, do not produce unauthorized vulnerabilities; and NbSP is similar to airport security, attackers will not pass through various vulnerabilities to form hidden channels (such as sewers or ventilation pipes) bypass security points.

The "security parallel section" initiated by ants can provide an efficient method system and basic platform for modern digital organizations to realize OVTP traceability paradigm and NbSP zero-crossing paradigm, and realize leapfrog improvement of network security governance effect and efficiency. For example, during the Double Twelve Promotion Period in 2021, aiming at log4j2 vulnerability attack, Ant Group's security parallel section system realized hour-level total station hemostasis, the safety emergency manpower was reduced from 6000 person-days in fastjson emergency to 30 person-days, the efficiency was improved by 100 times, hemostasis and reinforcement were carried out, and the business 0 disturbed and resolved the crisis.

On the forum, guests from Qianxin, Ping An Group, Zhijiang Laboratory, Beijing Stone Refining Network, Beijing Zhiqi 'an Technology, Certik Company and other units also shared industry practices and latest research around "opening native security paradigm and protecting cyberspace security."

Wu Yunkun, vice director of China Electronics Science and Technology Commission and president of Qianxin Group, believes that modern enterprise network security is endogenous security based on business. Such security protection system has three key elements: first, construct endogenous security system from paying attention to business; Second, starting from paying attention to "people," the security mechanism is built into the whole chain of data; Third, starting from paying attention to operation, construct actual combat safety operation system. These capabilities helped Qianxin "Zero Accidents" complete the network security guarantee for the 2022 Beijing Winter Olympics, Wu Yunkun said.

(Photo: Wu Yunkun, Vice Director of China Electronic Science and Technology Commission and President of Qianxin Group, delivered a keynote speech)

Chen Jian, Chief Information Security Director of Ping An Group, shared the typical practice of native security DevSecOps: code is security, security is regarded as a core element in the process of writing code, so as to ensure that the developed software application has high credibility and defensiveness in terms of security; On-line is security. Before the application goes online, it must ensure that the application has high security and reliability, so as to reduce the cost of later fixing vulnerabilities and problems; Operations is security, which is seen as an ongoing requirement during software systems and business operations to ensure that a high level of security is maintained during the operational phase and that the risk of attack is degraded.

Bai Xiaoyong, founder and CEO of Beijing Stone Refining Network, introduced that based on the security parallel section technology, the stone refining network reconstructs the security rules on the section of data flow, realizing the technical decoupling and capability integration of security and business. "Transformation-free application landing native data security, compatibility, fast delivery, good protection, cost savings," Bai Xiaoyong said.

Jin Bo, deputy director of the Third Research Institute of the Ministry of Public Security, Tan Jianfeng, member of the 13th CPPCC National Committee and honorary president of Shanghai City Information Security Industry Association, expressed ardent expectations for network security governance initiated by the original security paradigm.

The core idea of the native security paradigm is to integrate security capabilities into the capillaries of the business, and this idea is also reshaping modern enterprise security governance. Participants at the forum agreed that the native security paradigm, a high-efficiency security practice, strongly depends on paradigm cognition and the evolution of security infrastructure, requiring more enterprises and institutions to participate in technology co-construction and application exploration to jointly create a high-security cyberspace.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.