On December 12, 2014 CVW, the world's first large-scale conference devoted to the industry Internet, was held in Beijing and shown simultaneously on the big screen in New York's Times Square. The conference was jointly hosted by AsiaInfo Group, the Cloud Base and the Yizhuang Economic and Technological Development Zone. More than 5,000 leaders and professionals from the global IT and traditional industries who follow the development of the Internet and traditional industries attended, and explored the technological models and business innovation of "the Internet entering traditional industries", "traditional industries going online" and the industry Internet.
At the afternoon theme forum "Internet Security @ Internet", Changshi, General Manager of the Information Security Management and Operations Center of China Mobile Communications, delivered the keynote speech "Building a vault model to construct a customer information security protection system".
The following is the full text of his speech:
Changshi: I am very happy to take part in the Industry Internet Conference. When Mr. Lee told us we would be attending the Internet conference, my first feeling was: the Internet itself is not yet secure, so how do we do the industry Internet? That was my first reaction. Because I work on security, whenever a business develops my first reaction is always: is it safe or unsafe? Our colleagues who do business development look at problems more from the perspective of development; they are basically positive thinkers, optimists. I have worked on mobile phones for many years. Now that the mobile phone has done its job, wherever you go your leaders can find you. Everything has a positive side and a negative side, and I am very happy to attend the security forum of this Industry Internet Conference today. At least when we talk about this industry as a whole we talk about the positive side, the benefits of the Internet, but we also consider its disadvantages, or take its risks into account. In a sense that is progress, and in a sense it is also a change in people's thinking. So I am very happy to have this opportunity to discuss security issues with you.
The topic I chose is very small: building a vault model to construct a customer information security protection system. But through such a small topic I want to discuss with you how security should actually be done, and what you think about it. My report is divided into several parts: the overall situation, the challenges of customer information protection, and a brief introduction to the customer information protection system based on the vault model. The Party's 18th Congress clearly called for a sound information security system; at the same time, at the national level, the National Security Commission and the Central Leading Group for Cyberspace Affairs have been set up, and both are led by the top leadership. From this you can see how important information security work is. We usually like to have leaders speak on a matter. It is not what a leader's speech brings, but the level at which the leader speaks. In the Chinese pattern of behavior, when the supreme leader takes on a post in a security-related group, it shows in some sense that the matter is given great importance, and the things that receive the most attention are the most dangerous things, the ones with the greatest risk.
So this means the state attaches great importance to information security. The rapid development of the mobile Internet has brought many security challenges, because as we all know, whether it is terminal intelligence, network IP-ification or business diversification, each of these, while bringing convenience to everyone's work and life, also brings everyone a lot of risk and annoyance. Take terminal intelligence: originally we used dumb terminals, and there were not so many harassing calls and viruses. Once the terminal became intelligent, a small mobile phone became a small computer that can do many things. You can use it to pay, and in the same way viruses and the people behind them can steal money from you through it. Then network IP-ification: it is very simple. The original telecommunications network was a walled garden. Who our neighbors were, who their father was, everything was clear. After IP-ification you do not know who is in your family, you do not know who your neighbor's father is; many things are no longer clear. But our technological progress, including our management, must go through a process, which is fatal for us, of making some changes. We are still managing our systems in the original closed mode while the world has changed. In this situation there is so-called telecommunications fraud and a series of related things.
Business diversification also brings some problems. Originally it was very simple: voice and SMS. But as transmission speeds keep improving, business forms such as video, music and reading become richer and richer, faster and faster, and more and more problems may arise in the middle. Some time ago there was an exposure online: hackers went through something like an intelligent transportation system to remotely control cameras, and the whole situation of your family and your neighborhood could be seen on the Internet through the cameras. The mobile Internet brings positive benefits to people's development, but it also brings many risks. So these are the challenges we now face. Alongside these great challenges, the security of customer information also faces related challenges. With the arrival of the big data era, all kinds of information and data have become a valuable asset that various interest groups fight over and mine. The leakage of customer information has become an important area of information security; several cases are mentioned here. One is the theft of US credit card information, one is the theft of 800,000 Oracle customer records, and one is the illegal sale of customer information by an employee of one of our well-known e-commerce companies. The theft of a courier company's information is very frightening: on the Internet you can use N different names, because it does not come into contact with your real life.
But with a courier company you never use a fake name to have a parcel sent to you, so the damage that such authentic information causes you is direct, real damage. I said that it is damage, not a risk, and so incidents of customer information leakage at home and abroad are frequent. The National People's Congress has put forward the state's decision on strengthening the protection of information security. At the same time, the ministry has issued the relevant regulations on information protection. So where is the difficulty of customer information protection? The reality is relatively simple. There are two difficulties. The first is that there are too many systems and customers' sensitive information is distributed too widely: apart from the normal network, in our business systems our sensitive information is everywhere. For example in the business platforms there are our order relationships and the customer's location; our industry applications also hold our relevant information; our own applications hold friend lists and consumption records; we have Internet access records and SMS and MMS sending records; and in our communication network, whether in the telecommunication domain or the IMS domain, there is a large amount of data.
Many people receive our information: there are the front-line business staff who serve you, the back-end support staff who do processing and support, and the third-party maintenance staff; all of them have to do related work. So the work of these people is a big problem. Most people are good and a few are bad, but as long as there is one bad person in the system, any small problem multiplied by 1.3 billion is a big problem. A bad person, any small probability multiplied by N people, is a big problem. So whether it is system management or personnel, it is a big problem. We want to talk about the control model for this problem. China Mobile has always attached great importance to network information security work. We adhere to the General Secretary's words that without network security there is no national security, and we have a system of norms, supporting means and a team to ensure the overall work and its logic. Why did I just say customer information protection is only one face of security issues? I often like to say one thing: the security problem is like a ghost coming. You do not know where the ghost is. You have to do the system-related things; you have to have a system. This system is very important to you. This is China Mobile's information security plan, including our management and implementation; relying on this large framework, we do the relevant work for our various situations.
Then back to the vault mode. The vault model actually uses a concept from banking. Entering a vault is very simple: two people unlock it; one person cannot unlock it; two people must be present to enter. We call the vault model a two-person operation or multi-person mode. It mainly means that for key operations involving the company's major interests, there must be two people, or people who have the authority to control the operation, who ensure security through mutual supervision. In our business this mode works like this: when a salesperson performs an operation, if it is a high-risk operation he must be authorized by his supervisor. After authorization, the two locks open at the same time and the customer data can be compiled. If you are looking up data in bulk, such sensitive operations may need related work. Our overall control thinking is roughly this: before, during and after the operation, forming control over the whole process. Beforehand, development and going live must be reasonable; very simple. Developers will say, how easy is that? For you, secure code takes a lot of effort from developers. But once this tool is online, if nobody audits its security code or takes care of this matter, you are very likely to have security risks in the live software; only by separating development from going live. Going live means I use your things, mainly considering the safety of what is online, and it must be a constraint on the developers.
During the operation, authorization must be reasonable; afterwards, maintenance must be reasonable. You cannot say let the maintenance people do it and then lack a mechanism behind them; that brings risks. So this is the overall situation. The key principle of our vault model is focus: one is focusing on the key operations of key systems and focusing on high-value enterprises; not everything is in vault mode, there is no way to do that. Another is the key operation, and a further principle is "those who operate do not authorize, those who authorize do not operate". The objects of control are mainly high-value information, and the people controlled are mainly the front-desk staff and the maintenance staff in the background. The first element of the vault mode is the centralized mode, which is based on 4A to implement the vault model. Through the corresponding 4A system, accounts are centrally managed and logs are centrally audited. Because as things develop, operations must have a process. For key operations in the existing systems, if 4A cannot cover them, some transformation is done in the early stage, and authorization is added through this model.
The second is that both the foreground and the background can feel it: background maintenance accounts are strictly authorized, and when a sensitive account logs in, vault authorization is triggered; when front-desk staff in the front-office business access sensitive information, vault authorization is triggered, and the relevant work can be carried out only after authorization. Remote authorization can be done through text message or an approval list. The other is that various means complement each other to form a protection mechanism. We can handle sensitive information by blurring it, not displaying it, and not making this information attractive to everyone. Another is the DLP system, to control some related day-to-day activities, so as to form a whole set of systems. Through the implementation of the vault model this problem can be solved: it mainly solves the personnel problem, and also the operational problem that high-risk operations lacked approval and monitoring. We have already submitted this to form a CCSA industry standard, and it should be officially issued jointly with ISO as an international standard this year. Why did I just say I chose the vault mode, a small topic, to talk about one thing? I repeat, the question of security is always a fight with ghosts, and you have no idea where the security risks are, or what causes these risks. Frankly speaking, we all do not know; everybody is guessing. So how do we respond to this risk? Just as the Chinese regard radix Isatidis as a panacea. But for us, doing security work means first having a sense of security, and second having a set of security methodology or work norms; only after the work norms or work model are established can we work accordingly. Any harm from any security risk has its own laws and characteristics. For example, discovering security risks in business security is very simple: look at where others can get money, where people can get benefits.
If, through this thing, a hacker can get money or can get the goods, he is definitely going to cause trouble here. Why did mobile phones not have this kind of problem in the early years? The early dumb phone did nothing; it would not do mobile payments and brought no benefits, so hackers did not play with it. Now with smartphones there is a lot of convenience, but hackers can also do a lot of things on them. If we have a set of methodologies, and a group of people who always think of customers and are anxious to do this for customers, then we can protect the interests of customers and take our work to the ultimate. I chose a small model, but it reflects the way and the attitude with which we do anything. China Mobile is willing to actively join hands with the industry, in joint innovation and mutually beneficial cooperation, in customer information protection and information security work throughout the whole process, to escort customer information security in the mobile Internet era and the industry Internet era. Thank you!
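The dual-control rule the speech describes (a sensitive-field or bulk query triggers vault authorization; the second key is a different person with the authority to control the operation; those who authorize do not operate; an approval is single-use; every decision lands in a centrally kept audit log; staff who have not passed the vault see masked data) is shown below as an added Python example. It is not China Mobile's 4A system or any code from the speech; the sensitive field names, the bulk threshold of 100 rows, the five-minute approval lifetime and the role names are assumptions made for the illustration.

```python
"""Dual-control ("vault model") gate for sensitive customer-data operations.
Added illustration, not China Mobile's 4A system or code. The sensitive field
names, bulk threshold, approval lifetime and role names are assumptions."""
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional, Set, Tuple

# Assumed policy constants.
SENSITIVE_FIELDS = {"id_number", "phone", "location", "call_records", "sms_records"}
BULK_THRESHOLD = 100            # queries returning more rows than this are "bulk"
APPROVAL_TTL_SECONDS = 300      # an approval is usable for five minutes


@dataclass
class VaultRequest:
    token: str
    requester: str
    operation: str
    fields: FrozenSet[str]
    rows: int
    approved_by: Optional[str] = None
    approved_at: Optional[float] = None
    used: bool = False


class VaultGate:
    """Two keys: the requester asks, a supervisor approves, the requester executes once."""

    def __init__(self, roles: Dict[str, Set[str]]):
        self.roles = roles                       # user -> roles, e.g. {"supervisor"}
        self.pending: Dict[str, VaultRequest] = {}
        self.audit: List[Tuple[str, dict]] = []  # centrally kept log of every decision

    def _log(self, event: str, **details) -> None:
        self.audit.append((event, details))

    @staticmethod
    def is_high_risk(fields, rows: int) -> bool:
        """The vault is triggered by sensitive fields or by bulk volume."""
        return bool(set(fields) & SENSITIVE_FIELDS) or rows > BULK_THRESHOLD

    def request(self, user: str, operation: str, fields, rows: int) -> Tuple[bool, Optional[str]]:
        """Returns (allowed_now, token). Low-risk work passes; high-risk work waits for a second key."""
        fields = frozenset(fields)
        if not self.is_high_risk(fields, rows):
            self._log("allowed_without_vault", user=user, operation=operation)
            return True, None
        token = secrets.token_hex(8)
        self.pending[token] = VaultRequest(token, user, operation, fields, rows)
        self._log("vault_triggered", user=user, operation=operation, rows=rows, token=token)
        return False, token

    def approve(self, approver: str, token: str) -> bool:
        """Second key: a different person holding the supervisor role."""
        req = self.pending.get(token)
        if req is None:
            self._log("approve_rejected", reason="unknown_token", approver=approver)
            return False
        if approver == req.requester:          # the operator does not self-authorize
            self._log("approve_rejected", reason="self_approval", approver=approver, token=token)
            return False
        if "supervisor" not in self.roles.get(approver, set()):
            self._log("approve_rejected", reason="not_supervisor", approver=approver, token=token)
            return False
        req.approved_by, req.approved_at = approver, time.time()
        self._log("approved", approver=approver, token=token)
        return True

    def execute(self, user: str, token: str, now: Optional[float] = None) -> bool:
        """Both locks turn: only the requester, only once, only while the approval is fresh."""
        now = time.time() if now is None else now
        req = self.pending.get(token)
        if req is None or req.used:
            self._log("execute_rejected", reason="unknown_or_used", user=user, token=token)
            return False
        if user != req.requester:              # the approver does not operate
            self._log("execute_rejected", reason="not_requester", user=user, token=token)
            return False
        if req.approved_at is None:
            self._log("execute_rejected", reason="not_approved", user=user, token=token)
            return False
        if now - req.approved_at > APPROVAL_TTL_SECONDS:
            self._log("execute_rejected", reason="approval_expired", user=user, token=token)
            return False
        req.used = True
        self._log("executed", user=user, operation=req.operation, approved_by=req.approved_by, token=token)
        return True


def mask_record(record: dict) -> dict:
    """Display-time masking for staff who have not passed the vault: keep only the edges."""
    masked = {}
    for key, value in record.items():
        if key in SENSITIVE_FIELDS:
            s = str(value)
            masked[key] = s[:3] + "*" * (len(s) - 7) + s[-4:] if len(s) > 7 else "*" * len(s)
        else:
            masked[key] = value
    return masked
```

Usage: a clerk calls `request()`; when it returns `(False, token)` the token is handed to a supervisor (by SMS or an approval list, as the speech describes), who calls `approve()`; the clerk then calls `execute()` with the same token. The gate rejects self-approval, approval by someone without the supervisor role, execution by the approver, a second execution of the same token, and execution after the approval has expired, and every accepted or rejected step is appended to `audit` so the log can be reviewed centrally.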
(Responsible editor: Mengyishan)