From concept to large-scale practice, uncover the “landing password” of Tencent’s zero trust IOA security scheme


With the continuous deepening of enterprise digital transformation, remote office and mobile office have gradually become the mainstream office forms. However, in the complex and changeable security environment, how to deal with the potential security risks from inside and outside has also become a compulsory topic for enterprises.

Sun fangting, senior strategic product director of Tencent security, said at the annual family banquet of TGO Kunpeng conference in Hangzhou on January 23,Zero trust represents a new generation of network security protection concept. Security defense based on zero trust principle can establish a solid security defense line in complex situations

From concept to large-scale practice, uncover the

Zero trust security“Continuous authentication and never trust”At the same time, it integrates the elements of identity equipment, equipment security, application security and link security to ensure the security of business system access. As the basis for the construction of Tencent’s office workplace, Tencent it has independently designed and developed, combined with its many years of practical experience in network security management, and formed Tencent’s IOA zero trust security management system. During the epidemic prevention and control period at the beginning of last year, Tencent IOA integrated IT services and terminal security, and successfully provided security for the cross-border and cross city remote office scenarios of 60000 employees and 100000 terminals.

Based on Tencent’s best practices, the commercialization of Tencent’s IOA zero trust security scheme focuses on building the enterprise’s next-generation security system around four elements: trusted identity, trusted terminal, trusted application and trusted link. In addition, sun fangting also shared four typical application scenarios: telecommuting, operation and maintenance, multi cloud access and global business acceleration, creating a closed-loop of borderless dynamic access control based on trusted identity for users, while sparing no effort to escort Enterprise Cloud business security.

The following is the full text of sun fangting’s speech:

In the past two years, the concept of zero trust security has become more and more popular in the field of information security. As a leading information security enterprise in China, Tencent security began to deploy zero trust security solutions within the group in 2016 and has accumulated a lot of successful experience.

The topics discussed in this paper include three aspects: first, the development and concept of zero trust security. I mainly want to talk about why zero trust security is adopted and what is the value brought by zero trust security? Second, Tencent’s practice in zero trust security. Tencent has developed and implemented the zero trust strategy since 2016, and has accumulated a lot of experience in zero trust solutions. Third, the zero trust security scheme of Tencent IOA has been commercialized. At present, the scheme has been successfully deployed in some large industry customers.

There are three key background factors why zero trust security is becoming more and more popular:

first,The diversified office environment leads to the increasingly blurred security boundary of enterprises.With the development of traditional information technology, users build their own data center and use tower defense for security defense, which can basically ensure security. Now, with the development of enterprise business, many business deployment forms have changed greatly. The key business data of users may be distributed in private cloud, public cloud or traditional data center. Various deployment forms lead to the failure of centralized data management. In this case, data security management is facing great challenges. From the perspective of terminal use scenarios, there are also great changes. Especially during the epidemic in 2020, telecommuting has become the mainstream office mode. However, in remote access, how to determine the identity of access users and the security of terminals and environment has also become a challenge for enterprises.

secondly,The rise of virtual currency has made black production more rampant.Since 2015, crypto blackmail attacks have become more and more frequent. The main reason is the development and popularity of bitcoin.

Since 2017, crypto extortion has shown a large-scale outbreak trend, including the iconic wannacry extortion virus. Since then, more and more hacker gangs have invested in encryption blackmail attacks. In December 2020, Foxconn’s factory in Brazil was attacked by hackers and extorted US $34 million; Advantech in the domestic chip industry was blackmailed 750 bitcoins by hackers. Illegal hackers have a faster way to realize and are difficult to track, so they are more unscrupulous in this regard.

Third,There are more and more devices in the enterprise, and various intelligent access devices such as IOT and byod cannot be managed effectively.With the vigorous development of the Internet of things, more and more Internet of things devices are connected to the network. These connected IOT device operating systems have a large number of security vulnerabilities and neglect of management, which brings huge risks to the security operation and maintenance of enterprises. In 2017, a casino in the United States was invaded, and illegal hackers invaded a well-known casino in the United States through the intelligent temperature control system in the water tank. Hackers use Internet of things devices to build giant botnets and launch large-scale DDoS attacks.

Overall, the security challenges we face are as follows:

First, the digital transformation of enterprises promotes the application needs of new technologies. The use of these new technologies poses new challenges to the traditional network security technology and management mode.

Second, in the process of digital transformation, great changes have taken place in the business architecture and network environment of enterprises.

Third, the separation of safety management products and technologies leads to the continuous increase of operation and maintenance management costs.

Fourth, the lack of cloud management and control in business brings new risks and challenges to enterprise security.

So, what is zero trust?

In traditional security defense, we will assume that all users connected to the intranet are secure. In this case, as long as you do a good job in border protection and access, you will be credible after you come in. Zero trust security does not trust any traffic by default, authenticates the user’s identity before all access, and dynamically authorizes according to the terminal’s use environment.

From the perspective of most security events, hackers usually infiltrate from the intranet client we think is safe, and then make horizontal translation to gradually control the key nodes in the internal network, and finally achieve the purpose of attack.

So,Zero trust is a completely different security concept。 It assumes that all access devices in the network may have been invaded, which is untrusted by default. When users access our important business systems and data through the terminal, they need to authenticate and authorize the identity of the access user, evaluate the security of the terminal and the security of the environment, and ensure the security compliance from person to device and from application to link through layers of protection, so as to allow the access request to reach the back-end application. At the same time, the user’s access behavior is continuously analyzed to find and block abnormal behavior in time.

Simple understanding,Zero trust security integrates identity device, device security, application security and link security to ensure the security of business system access through real-time behavior and environment assessment。 The core idea of zero trust is “continuous authentication and never trust”.

According to the report of Gartner zero trust network market guide, the mainstream zero trust solutions have two modes:

Service based zero trust network access and terminal based zero trust network access.

The service-based zero trust network access does not need to install the client on the terminal, realizes the business access to the back end through the web, and authenticates and authorizes the user’s identity in the process of access. This is also the main implementation of Google’s beyond Corp.

Zero trust network access based on the terminal needs to install the client on the terminal, which supports richer application modes, including applications based on B / s and C / S architecture. This is also the deployment mode adopted by Tencent. This method not only supports richer applications, but also enables more accurate evaluation and monitoring of the security status of the terminal.

From concept to large-scale practice, uncover the

Tencent developed and deployed the IOA zero trust security system in 2016, and gradually switched all systems, including OA, knowledge sharing, remote operation and maintenance, development and other systems to the zero trust access mode. During the epidemic in 2020, since all employees cannot return to the workplace and need to work remotely, we realized capacity expansion in one week, supporting the needs of daily office, operation and maintenance operation and development of the whole company.

From concept to large-scale practice, uncover the

The commercialization of Tencent’s IOA zero trust security scheme mainly focuses on the following four elements:

First,Identity trust。 In addition to the user name and password, the user identity is strongly authenticated through multi factor authentication. At the same time, the user’s login environment is dynamically analyzed. When the risk level of user login status, location and equipment is low, the user login mode will be simplified and one click login will be realized.

Second,Terminal trust。 Through virus protection, system vulnerability detection and reinforcement, terminal access, compliance detection and other measures to ensure the safety and credibility of the terminal.

Third, the application is trusted. When accessing some key sensitive applications, users are restricted from using compliant applications to effectively intercept hackers’ attacks through hidden channels or applications.

Fourth,Link trust。 Through Tencent’s self-developed NGN technology, the user’s access experience is improved while ensuring link encryption and security. At the same time, the problem of frequent tunnel reconstruction of traditional VPN tunnel technology when network switching or poor network communication quality is avoided.

In addition, in order to support more access scenarios, we provide not only terminal based zero trust access mode, but also service-based zero trust access mode.

From concept to large-scale practice, uncover the

At present, the typical application scenarios of zero trust security are as follows:

The first scenario isTelecommuting, borderless Office。 It is to solve the problem that customers need to work outside the company and remotely access internal applications during the epidemic. Borderless means no difference. When accessing applications inside and outside the company, the security intensity is the same.

The second scenario isRemote operation and maintenance。 In the zero trust security scenario, users need to authenticate their identity before remote operation and maintenance. Through prior authorization, in-process control and post audit of operation and maintenance operations, the security risks and challenges brought by remote operation and maintenance to enterprise IT management can be effectively solved.

The third scenario isSupport for cloudy。 Whether the business is in the cloud or in its own data center, it can be fully supported. At the same time, it integrates with other security and application optimization acceleration schemes on Tencent cloud to enhance the security protection of zero trust access, and solve the optimization and acceleration of overseas branch site access.

The biggest feature of Tencent cloud’s zero trust security solution is derived from Tencent’s internal practice. This is the biggest difference from other domestic products and programs. Meanwhile, Tencent zero trust security solutions continue to integrate and accelerate its own security advantages and capabilities, and establish a complete zero trust ecosystem with the industry to jointly promote the landing and development of zero trust security in China.

Recommended Today

Integrating fluent in native projects

summary It’s easy and comfortable to use fluent to develop apps from scratch, but for some mature products, it’s unrealistic to completely abandon the historical precipitation of the original app and turn to fluent. Therefore, flutter is used to unify the Android and IOS technology stack, take it as the expansion capability of existing native […]