1. Digitization has changed from optional to mandatory
Starting in 2020, the sudden appearance of a novel coronavirus has sharply accelerated the global embrace of digitalization. From epidemic prevention and control to remote work, human society has for the first time felt on a large scale the efficiency gains that digital transformation brings. Digitization has become a necessary part of modernizing the governance system and governance capabilities. On March 4, the Politburo meeting emphasized speeding up the construction of new infrastructure such as 5G networks and data centers, pressing the accelerator on China’s digital transformation. “New infrastructure” will drive high-quality economic growth, but the application of new technologies also introduces new security risks. Once a major cybersecurity incident occurs, the benefits of digitization can be wiped out. How to ensure the stable, orderly and efficient operation of digital business is a major test in the process of building “new infrastructure”.
2. Security has changed from auxiliary to fundamental
Since the Politburo meeting emphasized speeding up the construction of new infrastructure, local governments across China have announced investment plans for “new infrastructure”. To date, 31 provinces have launched investment blueprints totalling more than 40 trillion yuan. Network security is the foundation of the “new infrastructure”. In the past, network security was an auxiliary project; in the “new infrastructure” it is a basic project. The “new infrastructure” will further accelerate the integration of the cyber world and the physical world. This means that the border between the two will essentially disappear, and an attack on the network becomes equivalent to an attack on the physical world, directly affecting people’s lives, social stability and national security. For example, a network attack on 5G remote surgery may threaten a patient’s life; an attack on the Internet of Vehicles may directly cause car crashes and deaths. In the future, most security issues will be concentrated in application scenarios, so security upgrades need to be built as infrastructure. Take charging stations for new energy vehicles as an example. In the future, every charging station will be connected to the Internet. When there are flaws in the protocol, new attack methods will appear, and security issues will change rapidly. The traditional solution is to deploy security facilities at each charging station, but in the future charging stations will be spread across cities and rural areas, and such a distributed solution will not work. Only by layering and decoupling security capabilities, making them compatible with heterogeneous equipment, pooling them as resources, cataloguing them and delivering them from the cloud, and scaling security measures up or down through network scheduling, can normal operation of the system be ensured. US Federal Chief Information Officer Suzette Kent recently stated that cybersecurity must be a “high priority” and must be “embedded” into all aspects of technology. She believes that every technology project carried out from now on must be built on a foundation of network security.
3. “New infrastructure” requires a new generation of cybersecurity framework
Over the past 20 years, informatization construction at home and abroad has had an effective set of frameworks and methodology: the Enterprise Architecture (EA) methodology, which combines systems-engineering thinking with IT, crystallized in The Open Group Architecture Framework (TOGAF). It has guided and promoted large-scale, systematic and highly integrated information construction and has supported the business operations of many industries well. The network security industry has long looked forward to a framework that matches the engineering methods of information systems and can guide the construction of future network security systems. This is because the industry has always followed a security construction model of “partial rectification”, which has left network security unsystematic and seriously fragmented, with defensive capabilities badly mismatched to the assurance requirements of digital business operations. To upgrade network security to a basic project of “new infrastructure”, there must be an effective framework as a guide. Qi Anxin’s strategy department began concentrated research in 2019 and recently released a new-generation network security framework. It is a construction framework oriented to “new infrastructure” and to digital business, combining the methodology of systems engineering with the concept of “endogenous security”. From a top-level perspective, the framework helps industries build ubiquitous “immunity” into the digital environment, build a dynamic and comprehensive network security defense system, and ensure business security in all respects.
4. Ten major projects and five major tasks
The new-generation network security framework is divided along two dimensions, physical engineering and supporting tasks, into “ten major projects” and “five major tasks”. It covers almost all security requirements across the application scenarios of cyberspace and can guide different industries to produce network security architectures that fit their business characteristics.
Ten major projects
Project One: A new generation of identity security. In response to changes in identity management and usage patterns in new scenarios, an attribute-based identity management and access control system is built to manage digital identities comprehensively, laying the foundation for network security and business operations.
Project Two: Reconstructing enterprise-level network defense in depth. In response to the larger number of network egress points and the more complex management challenges brought by new technologies, standardized, modular network security protection clusters are adopted and adapted to each network node’s access mode, building a multi-level network defense-in-depth system.
Project Three: Security of digital terminals and the access environment. In response to the risks of diverse terminal types, access and control, and data security in the digital age, an integrated terminal security technology stack is built across the terminal and its access environment, forming a digital terminal security management system covering multiple scenarios.
Project Four: Cloud-oriented data center security protection. In response to the complex application scenarios of cloud data centers, security capabilities are deeply integrated into the multi-level network layers and components of the cloud data center, meeting both traditional data center security and cloud computing security requirements.
Project Five: Data security protection for big data applications. In response to the security challenges of data concentration, circulation and application scenarios, and on the basis of data security governance, the data life cycle is combined with data application scenarios to strictly control data circulation and use, strengthen behavior monitoring and auditing, and ensure data security.
Project Six: A global situational awareness system oriented to real-world operations. In response to the current situation in which presentation is emphasized, analysis is insufficient and practical support is lacking, it provides comprehensive real-time security monitoring covering all information assets, continuous verification of the effectiveness of security defense mechanisms, dynamic analysis of security threats and timely disposal.
Project Seven: System security for assets, vulnerabilities, configurations and patches. In response to the weakest link in the current security systems of most organizations, IT asset, configuration, vulnerability, patch and other data are aggregated, the certainty of vulnerability remediation is improved, and timely, accurate and sustainable system security protection is realized.
Project Eight: Security protection of the industrial production network. In response to the long-standing lack of security protection in enterprises’ industrial production networks, multi-level security measures are built for the internal industrial control network, the boundary between the industrial control and IT networks, data collection and operations and maintenance, and the group headquarters data center, strengthening defense in depth and giving full visibility into the security posture of the industrial production network.
Project Nine: Insider threat prevention and control system. In response to the serious business losses that insiders can cause, insider threat protection capability is improved through technical means such as operational monitoring, access control and behavior analysis, combined with management measures such as management controls and awareness training.
Project Ten: Cryptography special project. In response to the legal requirements and business needs related to cryptography, the cryptographic system is planned and designed on the concept of “endogenous security”, so that cryptography is closely integrated with information systems, data and business applications.
Five major tasks
Task One: Building real-world security operations capability. The periodic security inspection and assessment model cannot meet the requirements of business security assurance. The security team, security operation processes, security operation support platforms and security tools should be comprehensively covered, continuously evaluated and optimized, and security operation maturity continuously raised, to achieve lasting protection of the information system.
Task Two: Application security capability support. Security has long been absent from the application system construction process; security and information construction are generally separated, systems go online with problems, and subsequent rectification is difficult. Adopting the development and operations integration (DevOps) model, security capabilities are continuously integrated with information systems so that security attributes become endogenous to them, agility is maintained while compliance is met, and the information system gains natural immunity.
Task Three: Security personnel capability support. The capability of people determines the capability to build and operate the security system. Design corporate network security teams, define positions and capability requirements, carry out capability training, build network security ranges for practical exercises, improve personnel’s practical skills, and form an organizational security team.
Task Four: IoT security capability support. The characteristics of IoT device fragmentation, network heterogeneity and ubiquitous deployment introduce many security risks. Combined with the “device-edge-cloud” architecture of the Internet of Things, build an IoT security support system with flexibility, adaptability and edge-cloud collaboration capability.
Task Five: Business security capability support. Digital business has grown sharply, and business risks caused by malicious operations and mis-operations have risen significantly. Aggregate business and behavioral data and use big data analysis technology to protect customer privacy and transaction security, strengthen fraud prevention, combat pornographic and politically sensitive content, and ensure business operations.