At the 2020 Financial Security Summit held on March 24, Xiao Li, vice president of Alibaba and general manager of Alibaba Cloud's security business unit, said: "In the future, the construction of financial institutions' security systems needs to change from being driven by compliance alone to the dual drive of compliance and real-world attack and defense, with equal emphasis on business development and security effectiveness, and the dual drive of cloud and cloud."
According to media reports, global economic losses caused by cybersecurity incidents in 2019 were as high as $2.5 trillion. At the same time, the "China Digital Finance Anti-Fraud Panorama Report (2019)" shows that there are currently more than 100 kinds of fraud across financial scenarios, including cash-out fraud, online lending fraud, order brushing (fake transactions), fraudulent intermediaries, telecom fraud, promotion abuse ("wool pulling"), and so on.
As financial institutions gradually move to the cloud, in the future every financial institution will be able to build a high-level security system on top of cloud security capabilities.
Xiao Li pointed out that, building on the advantages of cloud-native security, the construction of the new security system will follow six principles.
01 Native security by default
In the mobile era, iOS and Android established a good security baseline, and the bolt-on security of the PC era became a thing of the past. The cloud is doing the same at the operating-system level, building security into every cloud product: servers ship with built-in security chips for trusted computing, cloud products are designed around the principle of least privilege, and traffic scrubbing and scheduling capabilities are embedded in the platform. Such native security will effectively improve an enterprise's security capability.
02 Identity management becomes the new boundary of enterprise security
With the diversification of business and office scenarios, the traditional security perimeter is broken, and identity becomes the new boundary of enterprise security. Under a new security system centred on unified identity and access management, enterprises can manage employee account permissions from one place, control privileged accounts in real time, and so on, ensuring that the right users get access to the right assets under the right conditions and at the right time.
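As an added example (not from the summit or from any Alibaba Cloud product), the kind of identity-centred access decision this passage describes, written in Python: a request is allowed only when the user's role, the requested action, the session conditions (MFA, device health), the time window and, for privileged use, an unexpired just-in-time approval all line up. Every user, asset, policy, timestamp and threshold here is constructed.

```python
"""Identity as the new perimeter: an access decision that checks who, what,
under which conditions and when. Added example; all users, assets, policies
and time windows are constructed and do not describe any real system."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple


@dataclass(frozen=True)
class Request:
    user: str
    role: str
    asset: str
    action: str
    mfa: bool                      # did this session pass multi-factor authentication?
    device_compliant: bool         # did the endpoint pass its health check?
    at: datetime                   # when the access is attempted (UTC)
    privileged: bool = False       # is this a privileged (admin) use of the account?
    approval_expires: Optional[datetime] = None  # end of a just-in-time approval window


@dataclass(frozen=True)
class Policy:
    allowed_roles: frozenset
    allowed_actions: frozenset
    require_mfa: bool = True
    require_compliant_device: bool = True
    hours: Tuple[int, int] = (0, 24)   # permitted UTC hour window [start, end)


# constructed policies keyed by asset name
POLICIES = {
    "core-banking-db": Policy(frozenset({"dba", "sre"}), frozenset({"read", "write"}), hours=(8, 20)),
    "marketing-cms": Policy(frozenset({"marketing", "sre"}), frozenset({"read", "write"}),
                            require_compliant_device=False),
}


def decide(req: Request, policies=POLICIES) -> Tuple[bool, str]:
    """Return (allowed, reason). Each denial reason is specific so it can be logged and alerted on."""
    pol = policies.get(req.asset)
    if pol is None:
        return False, "unknown asset: default deny"
    if req.role not in pol.allowed_roles:
        return False, f"role {req.role} not permitted on {req.asset}"
    if req.action not in pol.allowed_actions:
        return False, f"action {req.action} not permitted on {req.asset}"
    if pol.require_mfa and not req.mfa:
        return False, "MFA required"
    if pol.require_compliant_device and not req.device_compliant:
        return False, "device not compliant"
    start, end = pol.hours
    if not start <= req.at.hour < end:
        return False, f"outside access window {start:02d}:00-{end:02d}:00 UTC"
    if req.privileged and (req.approval_expires is None or req.at >= req.approval_expires):
        # real-time control of privileged accounts: admin use needs a short, explicit approval
        return False, "privileged use requires an unexpired just-in-time approval"
    return True, "allowed"


def sample_time(hour: int) -> datetime:
    """Constructed timestamp on the summit date, used for the demo below."""
    return datetime(2020, 3, 24, hour, 0, tzinfo=timezone.utc)


if __name__ == "__main__":
    now = sample_time(10)
    for r in (
        Request("alice", "dba", "core-banking-db", "read", True, True, now),
        Request("alice", "dba", "core-banking-db", "read", False, True, now),
        Request("carol", "sre", "core-banking-db", "write", True, True, now, privileged=True),
        Request("carol", "sre", "core-banking-db", "write", True, True, now, privileged=True,
                approval_expires=sample_time(11)),
    ):
        print(r.user, r.asset, decide(r))
```

The design point is that the decision is a single function with default deny and a named reason for every refusal: the same reasons feed the detection side (a burst of "MFA required" or "outside access window" denials for one account is itself a signal), and privileged use is time-boxed rather than standing.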
03 Global threat detection and response
Under the new security system, data intelligence drives threat detection and response to a global level: logs from systems, networks, identity and applications are correlated, the original single-point detection and response model is replaced, threats are understood from a global perspective, and detection happens in real time. At the same time, under the new security system, the ability to defend matters more than detection alone, and enterprises need one-click containment (the ability to "stop the bleeding").
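The cross-source correlation this passage describes, as an added Python example that is not part of the summit material or of any Alibaba Cloud product: four constructed log sources (identity provider, host system log, application log, network flow records) are normalised into one event shape and joined on user and host within a time window, so that a login from a new location, a privilege escalation, a bulk export and a large outbound transfer, each unremarkable in its own log, surface together as one alert. All log lines, hostnames, addresses and thresholds are constructed.

```python
"""Global (cross-source) threat detection. Added example: identity, system,
application and network logs are normalised and joined on user/host within a
time window. All log lines, hosts, addresses and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# constructed sample lines, one format per log source
IDENTITY_LOG = [
    "2020-03-24T09:58:10Z idp login user=alice result=success src=203.0.113.7 geo=NEW",
    "2020-03-24T10:00:00Z idp login user=bob result=success src=198.51.100.4 geo=KNOWN",
]
SYSTEM_LOG = [
    "2020-03-24T10:01:30Z host=db-01 sudo: alice : COMMAND=/bin/bash",
    "2020-03-24T10:02:00Z host=web-02 sudo: bob : COMMAND=/usr/bin/systemctl",
]
APP_LOG = [
    "2020-03-24T10:03:05Z host=db-01 app=ledger user=alice action=export rows=250000",
    "2020-03-24T10:03:30Z host=web-02 app=cms user=bob action=read rows=12",
]
NETWORK_LOG = [
    "2020-03-24T10:04:40Z flow src=db-01 dst=192.0.2.55 dport=443 bytes=734003200",
    "2020-03-24T10:05:00Z flow src=web-02 dst=192.0.2.9 dport=443 bytes=40960",
]


def parse(source, line):
    """Normalise one line of any source to {ts, source, user, host, kind, ...}."""
    ts = datetime.strptime(line[:20], "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(re.findall(r"(\w+)=(\S+)", line))
    ev = {"ts": ts, "source": source, "user": kv.get("user"), "host": kv.get("host")}
    if source == "identity":
        ev.update(kind="login", new_geo=kv.get("geo") == "NEW")
    elif source == "system":
        m = re.search(r"sudo: (\S+) : COMMAND=(\S+)", line)
        ev.update(kind="sudo", user=m.group(1), command=m.group(2))
    elif source == "app":
        ev.update(kind=kv["action"], rows=int(kv.get("rows", 0)))
    elif source == "network":
        # flows carry no user; they are joined to a user later through the source host
        ev.update(kind="flow", host=kv["src"], dst=kv["dst"], bytes=int(kv["bytes"]))
    return ev


def correlate(events, window=timedelta(minutes=10), export_rows=100_000, egress_bytes=100_000_000):
    """Return one alert per (user, login) whose events complete the whole chain inside `window`."""
    events = sorted(events, key=lambda e: e["ts"])
    by_user = defaultdict(list)
    for ev in events:
        if ev["user"]:
            by_user[ev["user"]].append(ev)
    alerts = []
    for user, evs in by_user.items():
        for login in (e for e in evs if e["kind"] == "login" and e["new_geo"]):
            end = login["ts"] + window
            chain = [e for e in evs if login["ts"] <= e["ts"] <= end]
            sudo = next((e for e in chain if e["kind"] == "sudo"), None)
            export = next((e for e in chain if e["kind"] == "export" and e["rows"] >= export_rows), None)
            if not (sudo and export):
                continue
            # join the user-less flow records on the hosts this user touched inside the window
            hosts = {e["host"] for e in chain if e["host"]}
            flow = next((e for e in events if e["kind"] == "flow" and e["host"] in hosts
                         and login["ts"] <= e["ts"] <= end and e["bytes"] >= egress_bytes), None)
            if flow:
                alerts.append({"user": user, "host": flow["host"], "dst": flow["dst"],
                               "steps": ["login_new_geo", "sudo", "bulk_export", "large_egress"],
                               "start": login["ts"], "end": flow["ts"]})
    return alerts


def run_sample():
    """Parse the constructed logs from all four sources and correlate them."""
    events = ([parse("identity", l) for l in IDENTITY_LOG] + [parse("system", l) for l in SYSTEM_LOG]
              + [parse("app", l) for l in APP_LOG] + [parse("network", l) for l in NETWORK_LOG])
    return correlate(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

Run stand-alone it prints a single alert for alice on db-01; bob's activity, which looks identical at the level of any one log (a login, a sudo, an application read, an outbound flow), produces nothing because no single step crosses its threshold and the chain is never completed. The alert record carries the user, host and destination that a one-click containment action would need.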
04 Business security becomes a basic risk domain for enterprises
Increasingly, business security is a basic risk domain for enterprises rather than a niche one. In the course of digital transformation, financial enterprises may face business risks in user registration, login, marketing promotion and other stages, involving many technical risk areas, and this directly determines an enterprise's basic security level.
05 Shifting security left with DevSecOps
The key to security lies in addressing the root cause. Application vulnerabilities are generally introduced during development, and fixing them afterwards is only a reaction after the fact. The fundamental fix is to reduce the number of vulnerabilities introduced during development and so avoid potential security risks. Financial institutions have complex supply chains; by using DevSecOps to establish their own secure development process, they can address potential security risks at the root.
06 Continuous verification to raise the real level of attack and defense
The concept of continuous verification should run through every area of the enterprise security system. Security compliance is audited periodically, but security itself changes dynamically: an enterprise's hundreds of control points and its security baseline are changing constantly, and relying on compliance audits alone cannot guarantee security. Only through continuous verification can problems be found in time and fixed in time, and the effectiveness of security measures be ensured, so that the company can respond calmly to security emergencies.
In the future, all financial institutions will be on the cloud and will build their own security systems on cloud security. Alibaba Cloud also hopes to deliver its best security practices on the cloud to every cloud user.
Finally, Xiao Li said: "In the future, the enterprise security system will surely develop towards a more unified and intensive trend. We hope to deliver high-level security capabilities such as cloud global threat intelligence to every customer on the cloud, so that customers can enjoy the cloud's high-level security capabilities not only in the public cloud but also in the proprietary cloud and on premises, achieving inclusive security."