Foreword
As supervision tightens, instant messaging scenarios run into many security-compliance challenges. Meeting those requirements while protecting users' privacy is a genuinely hard problem.
To give you relevant experience and reference, the event "Shengwang Developer Entrepreneurship Lecture, Phase 4: How can an entrepreneurial team ensure the security and compliance of its product business?" invited Zhao Liang, head of IM SDK R&D at Huanxin, to share "The practice and experience of security compliance in instant messaging scenarios".
Zhao Liang has more than ten years of experience in the telecommunications and Internet industry and has led the R&D of many flagship projects. He is currently in charge of instant messaging cloud SDK R&D at Huanxin. This article is a secondary arrangement of the content of his talk.
01 Trends in Security Compliance
1. Tighter privacy regulation
Over the past four or five years, security compliance has grown steadily stricter, and many countries have introduced fairly heavy regulation: the California Consumer Privacy Act (CCPA) and the US Children's Online Privacy Protection Act (COPPA), HIPAA in the insurance and healthcare field, and, most representative, the EU's General Data Protection Regulation (GDPR). In 2021 China also promulgated the Personal Information Protection Law and the Data Security Law; together with the earlier Cybersecurity Law, the coverage of security compliance is now fairly complete.
2. App/SDK supervision is getting stricter
■Figure 1
Figure 1 shows the main relevant regulations and their content in China. If you follow industry news you will see many developments in this area; for example, the app notices and announcements published by the Ministry of Industry and Information Technology (MIIT) all involve personal data privacy.
3. The basic framework of security compliance
The basic framework of security compliance can be summarized into two directions: user informed consent and the security assurance obligation. Take the GDPR as an example: it is a body of law that includes regulatory measures and penalties, and it also stipulates the user rights that must be protected; specific user rights are illustrated below.
02 Regulatory focus at home and abroad
Next, let's look at the key points of domestic and foreign supervision. In China over the past few years, they mainly include the following aspects.
1. Domestic app launch: information collection
■Figure 2
As Figure 2 shows, more and more attention is paid to the collection of user information. The national ministries and commissions jointly issued the "Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications", which lists, for 39 common app categories, the necessary personal information each may collect.
For example, for map-and-navigation apps the basic service is positioning and navigation, and the necessary personal information is location, departure point and destination. That is only a few simple items; everything else is unnecessary. You must check this when developing an app, otherwise it will not be allowed on the app stores.
Another example is the online community category, whose basic functions are blogs, forums and the like; its necessary information is close to that of instant messaging, namely the user's mobile phone number and account, plus contacts' accounts. The phone number is also specified for the ride-hailing category, together with departure point, destination, payment time and payment information. You may wonder why instant messaging needs a mobile phone number rather than just an account; what follows explains this.
2. Domestic app launch: compliance with security regulations
Beyond the constraints on what necessary information may be collected, China also has many specific constraints tied to particular industries or fields.
During app listing, the app stores have detailed review rules. If the app involves instant messaging, live streaming or user-generated public opinion, a security assessment report is required, which adds further requirements such as verifying users' real identity, i.e. that the identity of the user of the service is genuine and reliable. This answers the earlier question for instant messaging: to serve customers at all, you must be able to implement real-name registration, and in practice that is done by verifying the mobile phone number via SMS.
This also touches on user-generated public opinion: you must establish a complaint and reporting mechanism, publish the contact details and handling procedure for complaints and reports, and retain records of users' nicknames, posts, forwards, comments and so on, with a retention mechanism that supports tracing such information. So on the one hand the collection of necessary personal information is restricted; on the other, extra requirements are added in specific fields, and in finance or healthcare they are certainly higher.
According to one news report, about 3,000 non-compliant apps were recently removed from the app stores. Most of the problems were illegal collection of personal information, and a small number concerned coercion or excessive permission requests. These are the main issues domestic apps and websites run into.
3. Overseas concerns: user rights
If your target customers are overseas, you will find the focus is slightly different: besides the common security constraints, there is more concern for the rights of users.
A few examples: the right to be informed, the right of access, the right to rectification and the right to be forgotten. The right to be informed means clearly telling users what information is collected, what it is used for and how long it is kept; the right of access means users must be able to export their own data; the right to rectification means users can modify their personal information; the right to be forgotten means users have the right to close their account and delete their own data. Large overseas platforms such as Facebook support account deletion and personal data export, and these functions matter more overseas.
■Figure 3
The case in Figure 3 is interesting. The UK data protection regulator issued a notice to a Canadian data analytics company requiring it to delete all personal data relating to UK citizens, with non-compliance exposing the company to a fine of up to 20 million euros or 4% of total annual global turnover. Those figures come from the GDPR, whose maximum penalty is the higher of the two, and they are very strict.
4. Common concern: cross-border data
One concern shared at home and abroad is cross-border data transfer. In short, personal information and important data should stay inside the country. Under Chinese rules, for example, Chinese citizens' personal information and important data may not be stored on servers outside China at will; likewise, data from the EU region may not be stored outside the EU at will. Other regions, such as Southeast Asia or India, also have local regulations restricting this. We won't expand on these here; this is just an example.
If data really must be provided overseas, China requires a formal security assessment under its data export assessment measures. The EU allows cross-border transfer to regions it deems to have adequate protection (adequacy decisions), but so far China is not on that list, so EU data cannot be stored on servers in China at will.
03 How to assess and meet security compliance requirements
With an understanding of the trends and corresponding priorities, how do we assess and meet security compliance requirements? Let's first look back at the framework introduced earlier.
User informed consent includes full notification and rights protection. Full notification means providing a user privacy agreement; rights protection means users can refuse and delete, and the data collected must follow the minimization principle (the minimum necessary).
The security obligation is more complex. First, it involves risk assessment, internal system building and a secure development process. For example, from the product requirements stage, security experts must confirm whether user data is involved, how it is transmitted, how it is stored and whether it is necessary; so from requirements, through solution design, to final launch there must be a security assessment.
Second is technical support: adequate technical measures must be adopted for transmission and storage during collection. In technical terms, that means encryption in transit and encryption at rest. Laws and regulations do not stipulate specific security measures; they only require the necessary technical measures to ensure the security of user data.
Therefore, technically, you need to adopt industry-standard or higher-standard security measures. For example, use HTTPS by default; where other transport protocols such as TCP or UDP are used, they should likewise meet industry security standards (TLS over TCP, DTLS over UDP).
Of course, security assurance is also inseparable from auditing and supervision, meaning there must be a defined secure development process or security management system that satisfies the regulators' requirements.
1. How to assess security compliance requirements
So how do you assess security compliance requirements? It depends on the specific business. Requirements differ by field: as mentioned, finance and healthcare are more stringent; in some medical fields, records of patients' data or its processing must be kept for at least 5 years, a special requirement of that field. Requirements also differ by region: in Southeast Asia, for instance, Singapore has its own specific regulations as far as I know, and other countries may too.
Customers' industries also have different security requirements. Important enterprises or institutions sometimes have special requirements for databases, for example that a domestic database must be used. These are the special requirements different industries or customers may bring. Another important factor is evaluating the third parties you depend on.
When we develop products or services today we inevitably rely on one or more third parties. Whether those third parties can meet the specific requirements is particularly important; since most applications depend on several, it is quite normal for an app to be removed from the stores because of a third-party factor.
The last factor is cost: technical measures to meet security compliance requirements will certainly increase cost, so it should be considered in the plan or budget. From our own experience, after enabling encryption in transit and at rest, server cost increased by about 40% to 50%; the exact figure depends heavily on the industry and the technologies used.
2. Product architecture dimension
■Figure 4
Figure 4 shows the product architecture dimension; let me explain it briefly. Say a customer's application uses our SDK. Generally the application also has its own app server, and both the app and its server interact with our service. Our SDK has two channels to our server: one is TCP plus TLS, the other is HTTPS. Meanwhile the customer's app server may perform management-level control through the RESTful API, such as creating a chat room or group, or even banning a user.
Our service also provides webhooks: it calls back to the customer's app server, copying messages to that server, and can even call back before a message is sent. That is, certain messages, or messages matching a configured rule, are reviewed by the customer's server in advance to decide whether they are delivered. Finally, an administrator can configure these functions in the developer console and perform management tasks there, such as managing groups, dissolving chat rooms or banning users. The customer's application also interacts with its own server, whether over HTTPS or another protocol.
Seen as a whole, you can identify every transmission channel involved: the user's application to its app server, our SDK to our service, and server to server. Each of these channels must be secured in transit, whether with TLS or another mechanism.
The user's application stores data such as usernames, passwords and even tokens, and some applications cache them too. There are also points that are easy to overlook: logs are printed freely during development, and they must not leak user information or other sensitive data; in particular, a user's token or password must never be written to a log. The customer's app server and our service may also store message history, and every such node and channel must be confirmed or reviewed from a security-compliance perspective. On the developer-console side, custody of accounts with management privileges, and what happens after such an account is lost, must also be considered.
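The "never write a token or password to a log" point is easiest to enforce mechanically rather than by code review. The following is an added example, not code from Huanxin's SDK or the original article: a Python `logging.Filter` that masks secrets in the formatted message (covering `%`-style arguments too) plus a helper for structured data. The list of sensitive field names and the sample log lines are constructed for the example.

```python
import io
import logging
import re

# Field names whose values must never reach a log line. This list is an
# assumption for the example; extend it with the names your own app uses.
SENSITIVE_KEYS = {"password", "token", "access_token", "refresh_token", "authorization"}

# Catches secrets that end up inside free-text messages, e.g.
# "token=eyJ...", "password: hunter2", "Authorization: Bearer abc".
_KV_PATTERN = re.compile(
    r"(?i)\b(password|token|access_token|refresh_token|authorization)"
    r"\s*[=:]\s*(bearer\s+)?([^\s,;&\"']+)"
)


def mask(value: str) -> str:
    """Keep a 4-character prefix so an incident can still be correlated,
    hide the rest. Short values are hidden entirely."""
    return "***" if len(value) <= 4 else value[:4] + "***"


def redact_text(text: str) -> str:
    """Mask secrets embedded in a free-text log message."""
    def _sub(m: re.Match) -> str:
        prefix = m.group(2) or ""
        return f"{m.group(1)}={prefix}{mask(m.group(3))}"
    return _KV_PATTERN.sub(_sub, text)


def redact_fields(obj):
    """Recursively mask sensitive keys in structured log data (dicts/lists)."""
    if isinstance(obj, dict):
        return {
            k: (mask(str(v)) if k.lower() in SENSITIVE_KEYS else redact_fields(v))
            for k, v in obj.items()
        }
    if isinstance(obj, list):
        return [redact_fields(v) for v in obj]
    return obj


class RedactingFilter(logging.Filter):
    """Attach to every handler: it rewrites the fully formatted message
    before it is emitted, so %-style args are covered as well."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def log_and_capture(fmt: str, *args) -> str:
    """Log one line through a filtered handler and return what was emitted."""
    buf = io.StringIO()
    handler = logging.StreamHandler(buf)
    handler.addFilter(RedactingFilter())
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger = logging.getLogger("im.redact.example")
    logger.handlers = [handler]
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.info(fmt, *args)
    handler.flush()
    return buf.getvalue().strip()


if __name__ == "__main__":
    # Constructed sample log lines, as an app developer might write them.
    print(log_and_capture("login ok user=%s token=%s", "alice", "eyJhbGciOiJIUzI1NiJ9.abc"))
    print(log_and_capture("Authorization: Bearer sk-live-1234567890 from 10.0.0.5"))
    print(redact_fields({"user": "alice", "password": "hunter2",
                         "device": {"refresh_token": "r-9f8e7d"}}))
```

The filter sits on the handler rather than the logger so that third-party libraries logging through the root logger are covered too; the short kept prefix is a deliberate trade-off that lets support staff match a log line to a token without the log itself being usable as a credential.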
3. Data processing dimension
From the perspective of processing user data, a data processing flow mainly involves collection, transmission, storage, processing, erasure and destruction, provision to third parties, and protection of users' privacy rights, as shown in Figure 5.
■Figure 5
Collection must start with full notification: a privacy agreement on the website or in the application describing the purpose of collection, the scope of personal data collected, the retention period and so on. The retention period is easily overlooked. Transmission and storage are the typical processing steps, involving encryption in transit and at rest. Processing must match the purpose of collection, follow the principles of accuracy and necessity, and never operate on user data arbitrarily; every processing step must have a specific purpose. Erasure and destruction must be prompt and thorough.
Provision to third parties is also critical. We often rely on third-party content review or tools such as APM; these need careful checking to ensure they offer the same guarantees. Finally, protecting users' privacy rights means, beyond making clear that the user chooses voluntarily, ensuring the user can close or delete the account and that such requests are handled promptly.
04 Experience and advice
Above are the dimensions for assessing and meeting security compliance. Next we share our experience and suggestions; naturally, these come from the field of instant messaging.
1. What it takes to build security compliance capability
Over the past period we worked with external consulting agencies to review our processes, and the Shengwang security compliance team also helped us sort out the relevant security content. That team includes experts in technology, architecture, compliance, operations, privacy, development and other fields.
Of course, a start-up may not need to build out so much security compliance capability. A company of a certain or medium size may need some; for example, under the GDPR an organisation with more than 250 employees must keep records of its data processing.
We built a secure development process. As mentioned, the company's internal development process must involve security at the product requirements, design and acceptance stages to confirm whether user data is involved, whether it is necessary, whether the minimization principle is followed, and so on. On top of that, an annual or even semi-annual review checks for security issues and compliance gaps. That is our security compliance capability building of the past two years.
2. Current security compliance capabilities
After this work, we have a sufficient security foundation to carry out full-process encryption in transit and at rest; we can isolate resources, support multiple data centers, and meet compliance requirements in different regions at home and abroad. For privacy compliance, following the principles of minimization and openness and transparency, we meet the network security and data security requirements of different regions and can desensitize necessary user data; on the user-rights side, our APIs support exporting and deleting user data.
3. Development suggestions for instant messaging
Whether you rely on third-party capabilities or build your own, once you have a certain number of users in instant messaging or education you will certainly run into some problems. Here are some suggestions. First, if you use a third party, you will generally have registered some credentials with it (app keys and secrets); those should be held and used by your own server rather than built into the application, otherwise they leak easily.
Second, and more critical, protect the user list. Once you have a sizeable user base, if the database is dumped (拖库) or the site is attacked, users may start receiving adverts or scam messages, so the user list is critical: whether the user registered with a mobile phone number or not, the user ID should be hashed and not exposed to other users.
In addition, our server has a function for sending a notification to all users. For it we added a whitelist: once configured, only a specific server can send notifications to all users. If your business can turn on a restriction that only friends may message each other, it's best to do so, so that even if user IDs leak they can't be used to message anyone at will.
Having the server verify the legitimacy of users is also very important. A user registered directly on the third-party platform could bypass your server and send and receive messages with other users directly. It is therefore recommended that your server issue the token, and that the token be short-lived and not valid for too long, so that even if a user turns out to be a problem your server can detect and ban them in time.
If there are further security requirements, verification can even be done at the message level: for example, issue a specific key for the message so that sender and receiver verify it, or even encrypt messages end to end.
Of course, we now also support content auditing, and you can configure the corresponding rules in our console. Beyond the protections above, some internal precautions are also needed: key data such as developer certificates or internal user lists, and backups of these databases, must be protected accordingly so that a developer does not inadvertently push them to GitHub or a tech blog.
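Two of the suggestions above, hashing the user ID so a dumped user table does not expose phone numbers, and having your own server issue short-lived tokens so a ban takes effect quickly, fit together in one piece of app-server logic. The following is an added example written for this article; it is not Huanxin's SDK, REST API or token format, and the secrets, TTL and phone number are placeholders. The user ID is derived with a keyed hash (HMAC) rather than a plain SHA-256, because a plain hash of a phone number can be reversed by hashing every possible number.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Assumptions for the example: the app server holds two secrets that never
# ship in the client: ID_PEPPER for deriving IM user IDs, TOKEN_SECRET for
# signing tokens. Both are placeholders here.
ID_PEPPER = b"replace-with-a-random-32-byte-pepper"
TOKEN_SECRET = b"replace-with-a-random-32-byte-secret"


def derive_im_user_id(phone: str, pepper: bytes = ID_PEPPER) -> str:
    """Keyed hash (HMAC-SHA256) of the phone number. The IM platform, other
    users and anyone who dumps its user table see only this value. A plain
    SHA-256 would not do: phone numbers have ~10^10 candidates and can be
    hashed exhaustively, so the derivation must depend on a server-side key."""
    return hmac.new(pepper, phone.encode(), hashlib.sha256).hexdigest()[:32]


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(im_user_id: str, secret: bytes = TOKEN_SECRET, ttl: int = 300,
                now: Optional[int] = None) -> str:
    """Short-lived token minted by the app server: claims + HMAC signature."""
    now = int(time.time()) if now is None else now
    claims = {"sub": im_user_id, "iat": now, "exp": now + ttl}
    payload = _b64(json.dumps(claims, separators=(",", ":")).encode())
    sig = _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{sig}"


def verify_token(token: str, secret: bytes = TOKEN_SECRET,
                 now: Optional[int] = None) -> Optional[str]:
    """Return the IM user ID if the signature is valid and the token has not
    expired, otherwise None. The signature is checked before the claims are
    parsed, with a constant-time comparison."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 2:
        return None
    payload, sig = parts
    expected = _b64(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, sig):
        return None
    try:
        claims = json.loads(_unb64(payload))
    except (ValueError, UnicodeDecodeError):
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) <= now:
        return None
    return claims.get("sub")


def refresh_token(old_token: str, banned: set, secret: bytes = TOKEN_SECRET,
                  ttl: int = 300, now: Optional[int] = None) -> Optional[str]:
    """The client must come back to the app server before expiry; this is
    where a ban takes effect, at most one TTL after it was decided."""
    im_user_id = verify_token(old_token, secret, now)
    if im_user_id is None or im_user_id in banned:
        return None
    return issue_token(im_user_id, secret, ttl, now)


if __name__ == "__main__":
    # Constructed walk-through: register, log in, get banned, fail to refresh.
    uid = derive_im_user_id("+8613800138000")
    tok = issue_token(uid, ttl=300)
    print("verify:", verify_token(tok) == uid)
    print("refresh after ban:", refresh_token(tok, banned={uid}))
```

With a 5-minute TTL the client asks the app server for a fresh token every few minutes, and the app server, which alone knows the ban list, simply stops issuing. Whatever signing scheme the IM platform actually uses, the property that matters is the one shown here: only your server can mint a token, and a token stops working on its own without any action on the client side.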
Q&A
1. Many developers think that after integrating a third-party security audit function they can rest easy. Is that so?
Obviously not. Even current pornographic-content detection (鉴黄) is not 100% accurate. We must still take some measures, such as being able to supervise, so that a user can be dealt with or even banned once there is a record, instead of just throwing it all to a third party.
2. You mentioned that encryption increases server cost, so which encryption methods do you recommend enabling, and which would you recommend between MD5 and AES-256?
For symmetric encryption, AES-256 or higher is recommended. There is no clear answer on cost; it is related to the data block size. If our messages are relatively small, the data increase may be more noticeable; for larger messages, at file level or beyond, the data increase may be less. So there is no very clear rule, but it will definitely increase your cost.
3. If an individual requests deletion of personal data, should it be handled mainly by the app operator, or by the platform providing PaaS services?
Our PaaS platform generally provides capabilities, and we have observed that major PaaS providers face application developers rather than end users directly. We have user-level tokens and administrator-level tokens, and our current user-privacy APIs are all administrator-level, which means that when a user requests account cancellation or data deletion, it normally goes through the application owner and the application server. It should be done this way when using these third-party platforms, otherwise data deletion may be incomplete. Third-party platforms generally provide this part of the capability.
4. How should startups conduct product or technical compliance reviews?
I mentioned this in the talk. Requirements differ by industry and field. Generally, when you put an app on the Huawei or Apple app store, you choose an app category, and after choosing a specific category there are specific requirements: some require your qualifications, some require a security assessment report.
In other words, it should be determined by the industry of the application or the attributes of your business. As long as those requirements are met there generally won't be many problems. Moreover, with a basic understanding of the field and industry your app belongs to, you can get a general picture of the requirements and prepare before listing. Otherwise, being sent back to modify and relist will also affect the product launch plan.