Ya Xin Xuan Xiao Lotus: How to create a unified centralized standard convenient information security management model

December 12, the world's first large-scale conference to explore the industry Internet, 2014 CVW. The industry Internet conference was held in Beijing and was synchronized through the big screen of New York Times Square. The conference was made by the Asia Letter Group, the cloud base and the Chuang-Zhuang economic and Technological Development zone jointly hosted more than 5,000 global it and traditional industry leaders and elites who are concerned about the development of Internet and traditional industries, and explored the evolution of "Internet access to traditional industries", "traditional industry internet" and the technological model and business innovation of industrial Internet.

In the afternoon of the "Internet Security @ Internet" Theme Forum, the Director of the Asia-letters group Xuan Xiao Lotus brought "to create a unified, centralized, standard, convenient information security management model" keynote speech.

The following is the full text of his speech:

Xuan Xiao Lotus: just Liu Zi Thousand said very good, we mention these questions actually refer to very clearly, the industry internet is nothing more than more enterprises open to the outside world, more cooperation with each other, more new business model, more small micro come in can do a lot of things. In this process, security is an unavoidable problem. As Asiainfo, we focus on some good practices and experiences in the information management model. Just now, the Ministry of Public Security three Dr Wang mentioned identity management, including broadband access certification, Including us going to 10086.cn, ya-letter is to help users to provide a better service, access control also helps users to provide a better experience, today I mainly from these aspects to introduce the industry in the Internet process, standing in the perspective of the letter of Asia we think the better mode is what it looks like.

Recently, if we pay attention to safety and often watch TV can see a lot of things, the most typical is to expose the three operators virtual fake business problems. May be because to the end of the dash business, this is very simple thing, but this is a violation to help users do order, you did not order, he ordered you, but the reservation immediately after the refund, but the cost has been received. Not just operators, including their illegal inquiries, we can buy online, go fishing can buy their own phone records or customer information, including the bank's home address can be bought, there are internal and external cooperation and internal and external violations of the theft of such things, but the whole driver is very simple. At present there is the dominance of value interests, which specifically refers to black production. DNS, for example, tells us about DNS in the operator, most of which have something in it. But this may be scaring me, I think it may be true. He did the other thing, including using 34 minutes to invade some of the more important systems of operators. They rarely go directly to work, unless they have an interest.

Just said such as domain name this piece, they do black production time is very simple, he will put some of your original traffic to their ads above, according to their own ads to collect money. At present, we do the industrial Internet, put more enterprises on the Internet, the value of the interest is very CHU need to consider how to circumvent this information. The other is the new technology and business, new directions, including the virtual environment mentioned just now, there is no control between the virtual machine, where large data is also faced with this problem. Like large data, we feel that the Internet is useful for the business, analysis of the faster, more accurate information. But the bigger problem is the security centralization of your information, which can rely on database control and firewall control. Different business systems are separated, not now, the entire company is in a piece, followed by files. And the file is no way to control, file all the protection control can only rely on the operating system account, operating system account developers, maintenance personnel everyone has, like this new technology for our internal maintenance brings more problems.

I think that in the process of Internet, there may be a lot of factors and considerations for security threats to be prevented. Let's see what we do in this situation. We can actually review our entire security process. I take the four stage is to take the operator, operators in the 04, 05 in the Buy equipment stage, buy a firewall, buy IDs, then sell anti-virus. Then 08 years or so operators start the security domain, 09 began here to do a unified project, including the Changshi Minister mentioned the Treasury model, which itself is in the unified control, the visit to concentrate, do a very good product. This is unified, and now we consider how to make it feel safe? Improve efficiency. Here are some quantitative metrics or data analysis, and here's a list of things to do. These stages can be considered as a kind of control mode which can be considered as a unified, centralized, standard and convenient information security, which I think big enterprises can consider. We also need to consider these several issues, the first is the management of people. In fact, China Mobile has been in the security of the organization did not, until the Changshi minister led, within two or three years to establish their own safety room security, it is a difficult job. In other enterprises may be said to mention the very fierce, but really to the safety of the few people, there are organizations, how the staff, and then how to deal with the process.

What is unified, centralized, standard, convenient control mode? I'll just give you a list. The entire industry from the Internet, nothing more than four levels. The first is human protection, where the outermost layer of its internal and external personnel access, as well as their own access control. And then to the inside is actually some platform layer, and then to the back of the data layer, and then to the back of the cloud protection. From the industrial chain of the Internet into four layers, then four levels below the words we can consider a few points. The first is unified access management, which puts our operational control, including the blurring of sensitive data this can be considered in the unified protection management, as well as unified identity management. In terms of security, we can consider centralized security management, including its full network of monitoring, compliance management and intelligent analysis, analysis of a number of security incidents, this is the entire larger map, from the technology, including identity, authentication, protection of data security, cloud desktop protection and so on. In terms of management, there are several aspects of strategy, operation and compliance.

This is the summary of the letter, the operator in the carrier this piece of thought the better model. This model can help us solve a lot of problems, the first can circumvent our strip construction, rely on a system to consider its certification, through this can provide a unified protection standards and requirements. In addition, centralized management and analysis can be achieved, and the problem is considered for the whole network. Then the 1th, I this focus on four points, the 1th is for the business and operational personnel, we consider security support, you can consider the account authority authentication, which consider several aspects. I have probably listed here, what benefits can it bring us? The first one is that we can make our work more efficient. The original time may be all access to a machine or database, or a landing. Now basically say, as long as you have permission, you enter the first door, the back point can go, soon. In the internal security monitoring, can achieve the security management centralization, visualization, these aspects, as well as the security management system, into the system of these aspects, there are about more than 10 factors to consider.

For operational personnel, the main background of operation is particularly easy to get things done. In recent years, whether operators or operators, in the internal operation to sell customer information, behind secretly change their accounts, these things emerge. File import download time, also have control, not casually put the customer information can be taken away, this can be considered for internal operational control of some means. The last point is big data, big data this piece does not have the good solution, aimed at this piece he proposed the encryption, the DRP these several ways, but this concentrates in the big environment to be difficult to fall to the ground. We now believe in the combination of their own experience, explore the new solution approach, the original operating system to circumvent the model for everyone to provide a better control mechanism. The basics are internal and business, so we're working with AWS to provide new solutions. This solution puts some of our product capabilities including account number, authority, authentication and our gateway on the AWS Cloud, this can be replicated, in any industry, IDC or cloud companies can push this model, through which we can face to the small and medium-sized enterprises to provide them with a unified, similar to operators of management services.

This is not introduced, this is the general product of the letter, we have on our table in the white paper have, you can go to see. Finally said a word, the Asian letter itself is in the big platform as well as the service aspect, will do better, we do are similar operators, like the operator this relatively big software platform, as well as the corresponding delivery service.

(Responsible editor: Mengyishan)