SZ.

300379

Data Security Solution

www.tongtech.com
1 Background and Demand Analysis
CATLOG

2 System Introduction

3 Feature & Highlights

4 Successful cases
1 Analysis of New Threats & Hot Spots

“Strictest " UBER

GDPR Data Leakage

1 2

In May 2018, on the first day of the official Joseph Sullivan, Uber's former chief security
GDPR, Google and Facebook were flooded officer, is accused of signing a non-disclosure
with lawsuits accusing the two companies of agreement with hackers to pay them $100,000
forcing users to share personal data. Austrian to "keep quiet" by falsely claiming that they had
privacy activist Max Schrems is seeking $3.9 no way to steal Uber data. Sullivan has been
billion in fines for Facebook and €3.7 billion for charged with obstruction of justice for trying to
Google in the lawsuit. cover up data breaches by Uber executives.
1 Risks in Data Life Cycle
Data Transmission and Data Processing and Data Collection
Exchange Storage

User
3rd Party Data
Application Cluster Server Data Storage Cluster

Data processing and

Application System Disposal

Internal Office O&M Staff Data Sharing/ Testing/Development

Data Transmission and Data Processing Data Storage Data Disposal Data Collection
Exchange
 Clear text transmission of sensitive  Abnormal data access  Sensitive data is  Incomplete data  Collection scope violation
data  Unauthorized access to data stored in clear text disposal  Acquisition component is
 Illegal data exchange (data range,  A malicious  Drag Library  Data disposal is not secure
time, etc.)  Clear text access to sensitive poorly regulated  Collected data was not
 SQL injection attack behavior data desensitized
1 Pain Points of Data Security

How to solve the The distribution of various sensitive Is there a data leakage?
existing problems data Who leaked my data

01 02 03

04 05

The overall use of the data What is the current overall data
security risk situation
2 Solution Overview
Sensitive Data
Identification &
Platform Control
Discovery Data Security
Control Platform  UEBA user behavior analysis
Data
Classification  Data lifecycle management
 Analysis of abnormal data access
behavior
 Data sharing interface management

Log Collection
Strategy Distribution Log Collection

Strategy Distribution
Strategy Distribution

Before During After

 Data carrier  Dynamic  Bypass database audit
compliance testing desensitization of data  Data sharing interface
 Static desensitization of  Database firewall audit
data  Data leak prevention  Back analysis
 Database encryption
产品整体功能规划
3 Sensitive Data Identification & Discovery
Through regular, natural language processing, knowledge base, the column name, file attributes, data, text similarity fingerprint technology with the combination of a
variety of ways, to identify the host, database, data component sensitive data in a storage medium, such as automatic classification and grading of the sensitive data,
resources of network data management capabilities

Collection
Data collection is carried out by single thread, and
the sampled data is transmitted by message queue

Sample Analysis
Due to the large amount of full collection The message data in the queue is pulled
data, the system provides and recommends for asynchronous analysis. If the analysis
the use of sampling for collection results include sensitive data, the sample
data extracted will be desensitized.

Recognition Range Storage

Acquisition databases, hosts, big data
components, middleware, Cache the results, procedures,
Connect to the business database
through JDBC to get the full scale network element devices, Web and evidence to the appropriate
information pages storage medium
产品整体功能规划
3 Data Classification & Grading

Based on the data characteristics

Data Classification
Personal
Privacy Data （A1) User identity information
（Class A） User’s Identity Data (A2) User network identity
authentication information
（Class B） Service Content Data （B1）Service content and data
Enterprise
Sensitive Data （C1）User service usage data
（Class C）Service-oriented Data
（C2）Equipment information
（D1) Enterprise management data
（Class D）Enterprise Operations （D2）Business operation data
Management Data （D3）Network O&M data
（D4）Partner data

Split Evaluation, Overall Grading

 Level 4：Extremely Sensitive
 Level 3：Sensitive
 Level 2：More Sensitive
 Level 1：Low Sensitive
3 产品整体功能规划
Data sharing interface management
 Through the implementation of interface traffic monitoring, access authentication, logging, data encryption and other technical means of control, regular
external data interface inventory, the external data interface does not meet the requirements immediately shut down
 Sensitive data can be leaked through the external interface of the business system, so it is necessary to monitor the cases of illegal transmission of
sensitive data through the external interface of the business system and the failure of sensitivity-related control measures to meet the requirements, so as to
identify and discover the risk of sensitive data leakage
 The forms of external interface include: splitting, port mirroring, FTP file, API encapsulation, message subscription and so on

Interface Recognition
Based on traffic data or virtual network card monitoring

2
technology, the AI self-learning method is adopted to analyze
the data sharing interface, so as to help the management
personnel to automatically maintain the list of shared interface

3 Interface Grading

1
By analyzing the sensitive data content transmitted by the data
interface and combining with the data classification and
grading standards, the interface sensitivity level is defined

Interface Auditing and Analysis

Audited and analyzed the interface call behavior, and found the
violation of the interface and illegal call
3 产品整体功能规划
Data Abnormal Access Analysis

Automation of Modeling Learning

The source IP, destination IP, destination port,

account and access location in the data are
Intelligent Abnormal Access
automatically modeled to form an access link
Recognition
model between business systems.

Using machine learning technology and

established access link model combined with
real-time traffic information to complete the
Visualization of Access Relationship intelligent identification of service access link
relationship. Automatic identification of abnormal
Automatically sort out the access relationship between
data access, and output the reason for the
various business systems. Combined with the multi-
abnormal trigger system alarm.
dimensional display form, the data access relationship
is displayed. Including two dimensions of business
access relationship and network access relationship,
for users of different roles to intuitively grasp the
relevant situation.
3 产品整体功能规划
Data Lifecycle Management

Acquire Transmi Storage Usage Disposal

ssion

Clear interaction
Illegal Acquire Data Network monitoring Unauthorized access Data residual
Unauthorized use
Loopholes in the acquisition Data theft Illegal to steal Violation operation
equipment

 Comparison and analysis of  For the transmission path  Check whether sensitive  Combined with the sensitive data  Confirm the destruction
management, connection data is desensitized or identification function, sensitive process by scanning the
collection strategies to see if
relation audit. encrypted. contents for discovery;
they meet the application data identification is carried out
 For the transmission of  Analyze and audit  Through the data destruction
content. on the used data, and plaintext management process,
content management, sensitive data access
usage scenarios are discovered ensure that security
 Conduct collection equipment content audit to avoid links. Analyze the
and audited. personnel and maintenance
audit and check for sensitive data plaintext exception access personnel jointly supervise
transmission automation.  In the use of data query, analysis,
vulnerabilities, compliance, the data destruction process.
export and other links, strict
weak password
access control and intelligent
audit;
3 产品整体功能规划
Data Desensitization

Data Analysis System Development & Test Data Exchange & Sharing
To ensure the relevance of data, the Ensure the relevance of data after Selectively desensitize sensitive information,
results analyzed by data analysts on desensitization, the data after desensitization and provide masking algorithm and
the basis of desensitization data can be does not change the actual attributes of the simulation algorithm according to different
restored to real business data to meet business, can correctly pass the data validity of scenes.
the data analysis scenarios the business system.

Production DB Retrieve Data Laundry Release Testing DB

DB interface DB interface
Data Base
Discovery, Extraction, Load, Desensitization
Other interface Other interface
3 产品整体功能规划
Data Encryption

The database encryption system can block access to sensitive data through transparent encryption
technology. Through data encryption, sensitive data can be protected even in the event of physical
database files and backup files being stolen and lost.

Monitoring and Separation of Service Physical file

Early Warning powers Transparent encryption
For any non-compliant personnel Ensure that any user cannot Encryption Through sensitive data
access to encrypted sensitive data, access sensitive data without encryption, even in the case of
the system can issue a security event Transparent access to
obtaining ciphertext access through the loss of physical database files
warning, timely detection of potential applications without changing
a separate authority control, DBA, and backup files, can still protect
security risks. Provide custom business logic; Support
security administrator, and audit the security of sensitive data.
subscription sensitive event alert transparent index to ensure the
administrator authority separation
notification management, for security performance of business
mechanism. The database
managers to know who in what time, procedures.
encryption system can block its
place, with what application to do access to sensitive data through
what operations on key data transparent encryption technology

13 13
3 产品整体功能规划
Database Firewall
 Based on IP address
 Based on the time
 Based on the user
Policy Rules 

Based on the operation
Keyword based
 Based on the column
 Based on the name of the
table
Parsing SQL  Based on the number of
Operations rows

User A：Operation A Establish a whitelist of SQL statements corresponding to the

business system and the database
Block, alert, pass

User B： Operation B

User A --Block
User B --Alert
Database Firewall User C --Pass Data Base
User C： Operation C Application Server

SQL Injected Self-learning

SQL Operation User Identity SQL Whitelist
feature library model
3 Data Leak Prevention

Data Security Challenges

• Sensitive data is difficult to locate
• Sensitive data is difficult to analyze
• Leak channels are difficult to control
• Data leakage is difficult to trace
3 Data Leak Prevention

Web、
IM、
Network Mail、Library

Discover
Printer, Fax, Network Sharing,
Terminal Bluetooth, USB, DVD, U disk,
Data leakage prevention system uses
Mail Client, Browser
intelligent content identification core

Monitor
Protect

Content technology to discover, monitor and

Identification Mail Server
File Server protect sensitive data in enterprise
Storage Database Server
network, terminal, storage and

application systems

Application OA、ERP……
Web

16
3 Network DLP
Application Scenario Effect
The enterprise controls the sensitive information sent by the user terminal 1. Control the sending of sensitive information through file sharing (copy, paste,
through file sharing, instant messaging tools and FTP in the form of resource
manager, so as to prevent the leakage of enterprise sensitive information drag and drop of network sharing);
through network communication channels 2. Identify and detect the content of chat messages or files sent through IM;
3. Detect and identify sensitive contents of FTP files transmitted by resource
manager;

Deployment

• Office • Application System

Network DLP Network DLP

Terminal

Terminal Intranet Firewall Firewall Intranet

Terminal
Unified Management
Platform
3 Terminal DLP
Application Scenario Effect
The enterprise controls the peripheral port of the user terminal to prevent the user 1. Scan and monitor the files or contents transmitted through terminal
from leaking sensitive information through the peripheral port
peripheral ports (U disk, mobile hard disk, mobile phone storage, SD card,
Bluetooth, print), record, alarm or block them;
2. Support to open/close ports/peripherals (CD-ROM port, USB peripheral
port, image device port, infrared port, Bluetooth port, IEEE1394 port, PCMCIA
port, MTP protocol interface, wired network card, wireless network card, serial

Deployment (parallel) port, RS232, printing interface and file sharing).When off, all ports
and peripherals cannot be used;

DLP Proxy Desktop

Unified Management
PC
Platform

DLP Proxy Virtual

Desktop

Firewall Intranet

DLP Proxy Laptop

3 Mail DLP

Application Scenario Effect

The enterprise controls the sensitive information sent by the user terminal 1. Scan and monitor emails sent through Outlook, Fox mail and other email
through the mail client to ensure the security of the enterprise mail data
clients;
2. Conducted content detection and identification based on sensitive data of
mail envelope, body, subject and attachment;
3. Record, alert, block and other response operations according to the strategy
for sensitive information detected;
Deployment

Unified Management Email DLP

Platform
Terminal

Terminal Intranet Firewall

Terminal

Email Server
3 Product Safety Design

Sampling and collection of the scanned equipment to reduce

the impact on the performance of the collected database.
For the data conforming to the characteristics of sensitive
data, the system will only store and desensitize the data for The system adopts an asynchronous flow analysis design
the purpose of data sample to ensure that no more database resources are occupied
and only one connection is used.

Avoid business peak period, continue to scan the system

in business trough period. Avoid the risk of data scanning
consuming the performance of the scanned business
system database

The operation of the platform can be controlled or

audited in various ways, such as instruction channel,
database audit system and database log, to analyze
The system uses the account, and the scanned system only
whether the platform has illegal or abnormal behavior
provides the account with permission to read, reducing the
operation.
sensitivity of the system
3 Product Highlight

Mass Data Accurate Analysis Professional Team with Rich Experience

The "streaming processing" method is adopted to 01 03 The product has rich practical experience in landing, and
quickly complete the offline analysis of massive data. the team constantly optimizes the functions according to
Combined with semantic analysis, rule set, similarity, the actual effect of landing and user feedback, thus forming
AI and other technical means, the sensitive data can a good product iteration
be identified to the maximum extent under the
premise of ensuring the accuracy of rules

02 04 “Without Human Intervention” Design Mode

Integrate with Existing Security Product
The product adopts the modular architecture design of
Based on the "no human intervention" design mode,
micro-services, which can be quickly combined with other
combined with the AI self-learning way to actively map
security products to share existing data and related
capabilities. To avoid the waste of resources caused by the data access link relationship, interface call

repeated construction, and at the same time to form a relationship and other white lists, to minimize the
good complementary capacity with the existing system. workload of human.
4 Cases- China Mobile
Data Security Platform
Focusing on the entire life cycle of data collection, storage, transmission, sharing, use, and destruction, from threat defense, risk
management and control, data tracking and traceability, data sharing and exchange, to create a digital and intelligent data security
ecosystem. Help customers plan security systems , Comprehensively improve enterprise security defense and risk perception capabilities.
Data external sharing Handling and tracking
Sensitive data identification
interface management data security issues
Handling and tracking data security issues
Scan IP:
Semantic distribution of sensitive data

Scan Location: Number of data security issues

Conclusion: Web portal data sharing interface

Access to 18 sensitive systems such as centralized performance Automatically identify 246 external data sharing interfaces, Defined 34 data security policies, analyzed 3,048 data
management, home broadband system, online log retention, and and analyze 1431 abnormal interface calling problems security issues, and handled 2,899 issues
SS7(Signaling System Number 7)

Deployed in China Mobile Guizhou, Fujian, Shandong, Heilongjiang, Jiangsu, Guangxi, Shaanxi, Sichuan, Henan, Inner Mongolia,
Ningxia, Chongqing, No.1 share in China Mobile data security products.

5F, Block A, Beijing International Building, No. 18 ZhongGuanCun South Street, Haidian District, Beijing, 100086, China
SZ.300379

Thank You

China Leading Infrastructure Software Vendor

www.tongtech.com