In June, after its third reading, China's first dedicated law on data security, the Data Security Law, was passed; it takes effect on September 1. Data is treated as a basic and strategic national resource, and data security has been officially elevated to the level of national security. The Data Security Law regulates the data processing activities of enterprises in terms of the regulatory system, data security and development, the data security system, data security protection obligations, government data security and openness, and legal liability. From now on, enterprises will have laws to follow in data disputes, and legal compliance becomes a new threshold for operating a data business.
In the face of the new requirements proposed by the Data Security Law, in this installment of Industry Security Expert Talks we invited Xie Can, senior researcher at Tencent Security Cloud Tripod Laboratory, to explain how enterprises can balance compliance requirements with business performance under the Data Security Law, and to share how Tencent Security's data security solutions are applied in practice.
Q1: What requirements does the Data Security Law impose on enterprises for data security protection?
Xie Can: Let's simply start from the definition in the Data Security Law. It means taking the necessary measures to ensure that data is effectively protected and lawfully used, and having the ability to continuously maintain a secure state. From this we interpret three key points. The first is legal compliance, which specifically includes the legality and compliance of our data collection, data use, cross-border data transfer and data security management. The second is the continuous secure state, including the security of our static data, our data flows and our data in operation. Third, in addition to data security protection, we should also have the capabilities of risk assessment, early-warning monitoring, emergency response and security review for data.
Of course, the Data Security Law actually sets different requirements for different data participants, so we need to make the corresponding division according to the specific role.
Q2: What challenges do enterprises face in meeting the requirements of the Data Security Law?
Xie Can: The first actually comes from organizational construction. We know that responding to the Data Security Law involves our enterprise management team, compliance, legal, the business teams and the security team, so it involves the division of labor and cooperation among these teams; of course, building the data security capabilities of the corresponding personnel is also a big challenge.
The second is actually the establishment of systems and processes: for example, the specifications for data acquisition in our data services, the definition of sensitive data, and the corresponding data security protection strategy. If our enterprise has not formed such a system, that is to say the enterprise itself does not know how its sensitive data is stored and transferred, or when we label data we do not consider the security dimension, then it takes some effort to set up this system.
Challenges in technical solutions come at three levels. First, current enterprise data security governance still adopts fragmented schemes and lacks integrated data security governance tools, so effect and cost have not reached a balance. Second, in some data security governance scenarios, such as data sharing under privacy computing and the risk assessment tools we use in data risk assessment, there are still no generalized solutions. Third, some of our common data security technologies have certain thresholds; for example, data encryption technology is the last thing the business team and the security team want to touch, because it has a certain complexity.
Q3: How do enterprises balance data encryption compliance requirements with performance?
Xie Can: In fact, one of the most important criteria for compliance is security. When we do security, we must strike a balance with performance. For example, as we just said, there is no universal solution in the field of privacy computing.
If we want to achieve compliance, we need to implement some data security safeguards, such as the privacy computing I just talked about. When we use this technology, it causes our business performance to decline greatly or even makes the business unavailable, and then security and compliance end up in a contradictory situation.
With the industry's common solution, after implementing encryption, our business performance, or the performance of the database, is reduced by 20% or more.
In the design of the CASB scheme, we considered this impact (the conflict between compliance and performance). Our entire architecture is a distributed one. When our business expands, our encryption nodes also expand dynamically, to minimize (control) the impact of encryption on business performance. Right now our impact on business performance is down to about 5 to 8 percent, which is a good performance indicator.
Q4: What are the common encryption schemes currently on the market?
Xie Can: Let's take the public cloud as an example. At present, major cloud vendors mainly provide data encryption solutions in the form of a key management system or a cloud encryption machine. Therefore, this requires cloud tenants to have certain technical capabilities in designing and developing cryptographic solutions; in fact, it has a relatively high technical threshold.
Q5: In view of this situation, does Tencent Security have a good solution?
Xie Can: For data encryption, we launched the Cloud Access Security Broker (CASB) solution. Users can achieve field-level encryption of sensitive data through simple configuration. At present, we are also the only cloud vendor in China that provides a data encryption solution based on native field-level encryption that is transformation-free, easy to operate and maintain, and high-performance.
Of course, we have also expanded our data security capabilities on CASB: from metadata management, to compliance-based classification and grading and sensitive data discovery, to encryption of storage, and dynamic desensitization based on user role at read time, truly providing one-stop data security.
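As an added illustration of the pattern described in Q5 (a per-field policy drives encryption of sensitive columns on write, and decryption plus role-based dynamic desensitization on read), the following Go program was written for this article; it is not Tencent's CASB code and does not describe how CASB is implemented. The "users" table, its columns, the roles and the sample row are constructed, and the data key is held in memory only to keep the example self-contained, whereas Q4 notes that in practice the key would come from a key management system.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strings"
)

// Record is one database row as column name -> value.
type Record map[string]string

// FieldPolicy stands in for a product's per-column "simple configuration":
// whether the column is stored encrypted, and which roles read it in clear.
type FieldPolicy struct {
	Encrypt  bool
	ClearFor map[string]bool // roles that see plaintext; others get a masked value
}

// Policy is a constructed example for a hypothetical "users" table.
var Policy = map[string]FieldPolicy{
	"name":    {Encrypt: false},
	"phone":   {Encrypt: true, ClearFor: map[string]bool{"auditor": true}},
	"id_card": {Encrypt: true, ClearFor: map[string]bool{"auditor": true}},
}

// FieldCipher encrypts individual field values with AES-256-GCM.
type FieldCipher struct{ aead cipher.AEAD }

// NewFieldCipher wraps a 32-byte data key; a real deployment would obtain
// the key from a KMS instead of holding it in the application.
func NewFieldCipher(key []byte) (*FieldCipher, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	aead, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	return &FieldCipher{aead: aead}, nil
}

// encryptField seals one value under a fresh random nonce. The column name is
// bound as associated data, so a ciphertext copied into another column fails
// authentication instead of decrypting.
func (c *FieldCipher) encryptField(column, plaintext string) (string, error) {
	nonce := make([]byte, c.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return "", err }
	sealed := c.aead.Seal(nil, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(append(nonce, sealed...)), nil
}

func (c *FieldCipher) decryptField(column, encoded string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil { return "", err }
	n := c.aead.NonceSize()
	if len(raw) < n { return "", fmt.Errorf("column %s: ciphertext too short", column) }
	plain, err := c.aead.Open(nil, raw[:n], raw[n:], []byte(column))
	if err != nil { return "", fmt.Errorf("column %s: %w", column, err) }
	return string(plain), nil
}

// Write is the storage-side hook: configured columns are encrypted before the
// row reaches the database; other columns pass through unchanged.
func (c *FieldCipher) Write(row Record) (Record, error) {
	stored := make(Record, len(row))
	for col, val := range row {
		if Policy[col].Encrypt {
			enc, err := c.encryptField(col, val)
			if err != nil { return nil, err }
			val = enc
		}
		stored[col] = val
	}
	return stored, nil
}

// Read is the query-side hook: encrypted columns are decrypted, then
// dynamically desensitized unless the caller's role is cleared for them.
func (c *FieldCipher) Read(stored Record, role string) (Record, error) {
	out := make(Record, len(stored))
	for col, val := range stored {
		if p := Policy[col]; p.Encrypt {
			plain, err := c.decryptField(col, val)
			if err != nil { return nil, err }
			val = plain
			if !p.ClearFor[role] { val = Mask(plain) }
		}
		out[col] = val
	}
	return out, nil
}

// Mask hides all but the last four characters (ASCII values assumed).
func Mask(v string) string {
	if len(v) <= 4 { return strings.Repeat("*", len(v)) }
	return strings.Repeat("*", len(v)-4) + v[len(v)-4:]
}

func main() {
	key := make([]byte, 32) // constructed: stands in for a key fetched from a KMS
	if _, err := rand.Read(key); err != nil { panic(err) }
	c, err := NewFieldCipher(key)
	if err != nil { panic(err) }
	row := Record{"name": "Zhang San", "phone": "13800138000", "id_card": "110101199001011234"} // constructed sample
	stored, _ := c.Write(row)
	auditor, _ := c.Read(stored, "auditor")
	operator, _ := c.Read(stored, "operator")
	fmt.Println("stored:", stored)
	fmt.Println("auditor sees:", auditor)
	fmt.Println("operator sees:", operator)
}
```

Binding the column name as GCM associated data is the one design choice worth noting: it makes the encryption-at-rest layer detect a ciphertext that has been moved between columns, which a plain encrypt-then-store approach would silently decrypt. Per-field encryption also keeps the encryption cost proportional to the number of sensitive columns rather than to the whole row, which is what makes the per-field model cheaper than encrypting entire tables.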