At present, my country is in the era of big data in which the network is fully integrated to cover real life. With the gradual maturity of social networks, the rapid improvement of mobile Internet, and the rapid development of applications such as cloud computing and the Internet of Things, network big data is flowing and sharing through information. Change people’s way of life, cognitive concept and thinking mode. At the same time, the massive personal information gathered by user needs and business development has become one of the most important contents in the big data environment, and has therefore become a resource that the data industry is vying for.
In recent years, there have been many typical cases caused by personal information being violated. The public’s voice for personal information protection has grown louder. The state and industry regulatory authorities have intensively issued relevant laws to regulate the behavioral boundaries of enterprises in collecting, processing and sharing personal information. However, the reality is that , personal information is still not effectively protected. What are the characteristics of personal information protection in the era of big data? What kind of problems do security protection face? How should companies meet compliance requirements after the implementation of the Personal Information Protection Law? Recently, Anniu invited Mr. Wang Wenyu, founder and CEO of Beijing Shuanxing Technology Co., Ltd., to have an in-depth discussion on the current new requirements and measures for personal information protection.
Security Bull: In the era of big data, what changes and impacts have occurred on the protection of personal information?
In the era of paper-based office, the collection of personal information is less and the scope of flow is small, and it is generally protected by signing a non-disclosure agreement. Entering the Internet era, enterprises collect personal information on a large scale based on business development demands, and individuals accept enterprises to collect personal information in order to obtain convenient services, and the value of fragmented individual personal information has not yet been highlighted. In the era of big data, when a large amount of personal information forms integrated data, the commercial value contained in it begins to be reflected. Make market adjustments and gain economic benefits. This has also caused more and more industries and enterprises to focus on the collection, mining and utilization of personal information, and criminals have even sensed business opportunities from it, using various means to illegally steal personal information and reselling it for profit.
For a long time, enterprises have established security detection and response mechanisms and deployed corresponding security products on the internal and external networks of enterprises to prevent malicious hacker attacks such as network intrusion and database dragging, and thus protect the collected personal information from being stolen. However, in the era of big data, to release the value of data, it is necessary to break the siloed data service provision method of personal information and accelerate opening and sharing. In the face of multi-dimensional personal information and the use of personal information in different industries and different needs, enterprises have complicated business lines related to personal information, which brings new challenges to personal information protection.
Among the ten typical cases of crimes against citizens’ personal information announced by the Ministry of Public Security in 2020, 2 were caused by test engineers, 2 were on the dark web, 4 were ghosts in organizations, and 2 were insiders who legally used information. Unlawful dissemination of information. From this set of data, it can be seen that insider threats account for a large proportion of personal information violations. Excessive collection, random dissemination, and disorderly misuse of personal information make personal information originally collected for business needs change hands. , it may go to competitors, or it may flow into the hands of fraudsters. If personal information is strictly guarded to completely prevent abuse and leakage, it will fall into the other extreme of putting the cart before the horse. The framed data will be “inactivated”, and the enterprise will also fall into the bottleneck of business upgrading. Therefore, in the era of big data, only by balancing open data sharing and personal information protection can we promote the healthy development of the data industry.
On the other hand, it is precisely because too much personal information has been abused and leaked that incidents such as precision marketing, big data killing, and online fraud have had a great negative impact on citizens’ personal and property safety and social stability. In order to prevent these risks, legal means must be used to strictly regulate the collection, storage, sharing and use of personal information by enterprises. At present, my country has formed a relatively complete legal system for personal information protection, covering the Civil Code, the Criminal Law, the Law on the Protection of Minors, the E-commerce Law, the Cybersecurity Law, the Advertising Law, and the Consumer Rights Protection Law. Data Security Law and Personal Information Protection Law, etc.
Whether personal information collected by an enterprise can be effectively protected depends to a certain extent on the level of data security management and control of the enterprise. Enterprises should undertake the obligation to protect users’ personal information, abide by relevant laws and regulations on personal information protection, and abide by the red line of compliance. After the law is perfected, supervision and high pressure is not a child’s play. The “Personal Information Protection Law” provides clear penalties for illegal processing of personal information. If the circumstances are serious, the illegal income will be confiscated, and the maximum penalty is 50 million or the previous year’s turnover. 5% fine, order to suspend business or suspend business for rectification; revocation of business license or business license; directly responsible person Zhigao will be fined one million yuan, and be banned from serving as director, supervisor, or person in charge of personal information protection. Such penalties have surpassed the EU GDPR, which is known for its harshness. Business suspension and huge fines will be unbearable pain for enterprises. Taking the initiative to strengthen the protection of personal information will be the new normal for enterprises in the future.
Security Bull: The existence forms and dimensions of personal information are diversified. Which links should be protected?
The “Personal Information Protection Law” clarifies the concept and scope of personal information. Personal information refers to various information related to identified or identifiable natural persons recorded electronically or in other ways, excluding anonymized information. At the same time, it also emphasized the key protection of “personal sensitive information” in personal information, including biometric identification, religious belief, specific identity, medical and health, financial accounts, whereabouts and other information, as well as the personal information of minors under the age of fourteen.
In the Personal Information Protection Law, the rules for handling personal information are clarified. The processing of personal information refers to the operation of personal information in an automated or manual manner, including the collection, storage, use, processing, transmission, provision, disclosure, deletion, etc. of personal information. Data is the form and carrier of information. In a series of processing activities for personal information, the same data will be presented in different forms such as text, tables, pictures, audio, etc. At the same time, the location of storing and using data will also change accordingly. , the circulation spreads to different databases, terminal devices, system interfaces, supply chains and other links. It is this diversity of data locations and forms in the process of data operation that drives the protection of personal information to cover the entire life cycle of data. This “full life cycle” is not limited to the general process of data “from life to death”, but also needs to be accurate to the flow of a single data throughout its life cycle, regardless of its cross-domain flow or change of form, it needs to have Consistent tracking and protection.
Security Bull: Why do enterprises still experience misuse or even leakage of personal information after deploying layers of network security and data protection products?
The existing main methods for personal information protection include traditional security, database security, data leakage prevention (DLP), terminal encryption, UEBA and so on. Traditional security methods represented by firewalls/next-generation firewalls are mainly used to defend against external attacks, with certain data security detection and control capabilities, but lack of response and protection mechanisms for internal data flow. Database security methods mainly focus on solving the security problems of structured data, such as operation and maintenance, auditing, encryption, desensitization, etc. It is difficult to effectively protect unstructured data and its flow process. Data leakage prevention (DLP) is mainly based on boundary protection, focusing on the security monitoring or protection of outgoing personal information, and cannot guarantee the safety of personal information flow between different internal terminals, different servers, and business systems.
The terminal encryption method encrypts the data landing to the terminal, focusing on the static storage protection of unstructured data, structured data such as personal information cannot be protected, and security and business cannot be balanced in the process of data flow. UEBA can detect and protect abnormal use and security threats of internal data, but it does not guarantee the flow security of data in the entire life cycle from production to operation and maintenance, from front-end to back-end.
To sum up, the existing personal information protection methods can protect personal information to a certain extent, but there are the following shortcomings: the emphasis is on protecting structured data, and there is a gap in processing unstructured data; the main problem is that data is stored in a single domain It does not protect the flow of data between different domains; it focuses on solving the security problems of data in a single period, such as data static storage security, or monitoring data retrieval and query; it protects the storage and use of front-end data. The entire operation and maintenance process of the terminal lacks supervision.
Just because traditional methods focus on solving data security problems in a single state, in a single domain, and in a single period, and lack continuous attention to the entire data flow and processing process, layers of security products have instead formed new data security islands. The product logic cannot be connected into a consistent strategy, which leads to the disorderly flow and abuse of key data such as personal information in the complex business environment where massive data flows at high speed after the entire network and system are under heavy shackles.
Security Bull: For enterprises, what are the current difficulties in personal information protection?
The characteristics of the era of big data determine that data can only exert its greatest value when it flows. When the data silos are broken and the business lines of enterprises are complicated, personal information may be used in specific business service processes, or may be used in the flow of different businesses. Therefore, the protection of personal information in the flow of data is the focus of personal information protection. This requires enterprises to establish a consistent data security policy to ensure that whether data is in the database, server, terminal, or when it is called, it can evaluate the security risks of the data processing process without leaving any dead ends and implement corresponding protective measures. At the same time, security protection should not be at the expense of the smooth development of the business. It should be embedded in the business execution for protection, and at the same time decoupled from the business, which is the goal of personal information protection in the era of big data.
Security Bull: With the growing demand for personal information protection, what new technical solutions have emerged?
In response to the current new situation of personal information protection, Shuanxing proposes a personal information protection scheme based on the concept of data operation security and combined with AI technology. The so-called data operation security, namely DataSecOps, aims to effectively protect the sensitive data assets in the organization without affecting the normal operation of the data business process. The security attributes are embedded in the data operation process, and the proliferation and abuse risks of sensitive data are prevented. Respond quickly. Integrate this concept to establish a data operation security platform of “integration of diagnosis and treatment”, manage and track various types and sources of personal information data and its use and change process, establish a panoramic view of data assets, and perceive the risk of illegal use and circulation of data in real time. The role and user risks are adaptive and precise dynamic protection. The core functions are as follows:
All types of AI personal information sorting: In-depth identification of various types of personal information, from the perspectives of personal information ontology characteristics, industry characteristics, compliance, etc., combined with machine learning to sort personal information, mainly including: 1) The user’s name , telephone, ID card and other basic attributes, as well as personal information closely related to the business, such as call data, location data, etc. in telecommunications operations; account information, property information, loan information, etc. in the financial industry. 2) Information in structured, semi-structured, unstructured and other multi-modal ways, or stored in the database, or transferred to office documents, or further format conversion, data analysis, etc. in the process of internal business flow . 3) The application of new network forms and new technologies, resulting in new data types, data production methods, and data processing methods.
Traceability of the entire operation cycle of the data chain: retrospectively manage the existing data flow paths and emerging data flows, and establish a mapping relationship between personal information and subjects; the blood relationship between the original circulation and deformation circulation of personal information in the flow; record personal information The version, status, location and trajectory of the information form a flow portrait of the entire life cycle of the personal information data flow, carry out a full-view risk situation awareness and compliance management and control of the flow and diffusion of personal information, and protect from the link of the data flow Personal information. To trace the flow of personal information in the enterprise mainly includes three aspects:
1) Broad flow. This is related to the complexity of business lines of enterprises. Some personal information is centrally processed and analyzed in a specific business system, and some personal information flows to different business systems in the network with different departments and different business needs. Through retrospective management of the flow of personal information distributed in a wide area, the risk situation of personal information can be perceived.
2) The flow of personal information based on the life cycle data chain. The flow of personal information is from generation, collection, storage, use, sharing to destruction. At each node of the data chain, the trajectory of personal information is captured. Personal information is used in different business processes, flows between different business servers, and flows between different domains. With the operation cycle of data and business as the traction, personal information can be traced back to protect the flow security of the entire data chain.
3) Traceability of multiple circulation paths of personal information under the new technology. In order to tap the value of data, enterprises themselves are further seeking ways to break down internal business barriers; at the same time, with the openness and sharing of data in the era of big data and 5G, the network environment is becoming more open, and there are more and more data flows. The flow path breaks through the traditional data boundary and ensures the controllability of the data.
Adaptive and precise protection: Personal information distributed in various businesses and domains, as well as personal information flowing in the process of data operation, will cause new problems if the protection is inappropriate. For example, if the protection is weak and cannot meet the security requirements, the security of personal information cannot be guaranteed. If the protection is too strong, it may affect the continuity of the business and cause the normal business flow to be interrupted. As a result, through the feature tracking and data analysis of the entire data operation cycle, data distribution collection and flow tracing of personal information are carried out to perceive the risk situation of personal information. Based on machine learning, various events and risks are analyzed and triaged, combined with User usage scenarios, security baselines, and risk activities, from response time to response strength, form an on-demand protection response mechanism suitable for data operation and business security.
Security Bull: Will data operation security replace traditional security protection methods, and how will personal information protection technology develop in the future?
Numerous security protection methods have their place and can solve security protection problems within a certain scope or certain requirements. It is not a relationship of mutual substitution, but a development situation of ability complementation and activation empowerment. Data operation security complies with the compliance requirements of personal information protection, and is a kind of thinking and plan under the current stage of personal information protection demands. As the protection of personal information rises to the legal stage, the security measures of enterprises will enter a normalized situation. It is the future to establish a data security system centered on data operation and provide customers with full-scenario data operation security protection solutions. Target.
For example, the ability to identify and classify sensitive data assets such as personal information, the ability to label and track the entire process of sensitive data, the situational awareness report of proliferation risks, and the protection capabilities of the adaptive toolbox can be exported to the outside world, and other types of security products and application systems. To realize the sharing and organic flow of capabilities, on the one hand, the security capabilities can be expanded and extended, and on the other hand, the user’s existing systems and products can be activated, and the protective effects of these products in data operations can be replayed.
At present, the protection of personal information is gradually crossing the rough stage of “blind man touching the elephant”, and is beginning to develop towards the path of “seeing risks, seeing risks clearly, and managing risks flexibly”. Personal information protection is no longer confined to the fragmented state of product stacking and individual formation. In the integrated solution, centering on the principle of consistent security policy, using technologies such as sensorless data security sandbox and micro-isolation storage, an adaptive data usage environment can be established for enterprises without any modification of existing networks and applications. It will not affect the business process, but will also promote the rapid flow of data and safe collaboration and sharing, so that enterprise data security construction and operation can be transformed from cost expenditure to beneficial measures to reduce costs and increase efficiency.
In the future, personal information protection needs to focus on the balance between public interests and personal privacy protection. The transfer of personal privacy should be based on the necessity of safeguarding social and public interests, and the exercise of personal rights should be restricted within a reasonable limit, but it does not mean that personal information can be used indefinitely. used irregularly. Even if it is based on the needs of social and public interests, the disclosure of personal information must be within a necessary and reasonable range. If it exceeds the necessary boundaries, personal information is leaked at will, or even maliciously spread, causing damage or other adverse consequences to the information subject, the information controller and Disseminators should also bear corresponding legal responsibilities. Further, to build a secure boundary for personal information protection, in addition to the establishment and implementation of corporate protection responsibilities, it is also inseparable from the joint promotion of regulatory requirements and user awareness. Regulatory agencies should increase supervision and punishment, and provide users with convenient channels for rights protection; users should improve their awareness of personal information protection and improve their digital literacy.
Safety Cow Review
The implementation of the “Personal Information Protection Law” has put forward legal requirements for personal information processors. The Personal Information Protection Law pays more attention to the security of the use and circulation of personal information. The characteristic of the era of big data is data flow. Therefore, personal data should not be turned into “information islands” for security reasons. Instead, it is necessary to realize the whole-process management of personal information from the perspective of management and human governance. The application value of DataSecOps began to appear.
The era of big data has brought challenges and opportunities to personal information protection. Massive data promotes the use of the advantages of model training, and also provides convenience for the application of artificial intelligence technology in the field of personal information protection. Therefore, in the future, personal information protection must be a combination of human-machine security protection, so that personal information can be safely circulated.