"Xiaohongshu's security is closely tied to the evolution of its business types and development stages, from content security to technical security and network security. Different from the traditional security construction ideas centred on preventing hacker intrusion, ensuring data security and managing access control are the key points that Xiaohongshu pays great attention to, and preventing redline data leakage is the ultimate goal. At present, with the implementation of policies and regulations on data security, data security has become an area of great concern, and in order to achieve our core goal of protecting redline data from leakage while ensuring employee work efficiency and experience, we have deliberately discarded traditional cloud desktops, sandboxes and other "heavy" tools. On this basis, we jointly created and implemented a zero-trust data security system, integrated it into the internal security office system, replaced the security software, and realized all-round control such as least-privilege access and data classification and grading, circulation and distribution, so as to effectively protect redline data without affecting employee efficiency and experience."
- Xiaohongshu security team
Customer quotes
Ten years ago, Xiaohongshu was founded in Shanghai. Users record their lives through short videos, live broadcasts and other formats, share their lifestyles, and form a community built on interaction around shared interests. On this basis, the Xiaohongshu platform has developed a healthy interplay between content and commerce and has grown into a unique "grass-planting economy". After 10 years of development, Xiaohongshu has laid out three major business segments: content community, commercialization, and e-commerce transactions. Its user base is growing rapidly: by the end of 2022, the Xiaohongshu community had over 69 million sharers, 20 million monthly active sharers, an average of 3 million notes published per day, and more than 170,000 brands.
Behind the rapid expansion of the user base and the rapid growth of the enterprise, security challenges have quietly arrived. In addition to the content moderation security that is part of the company's DNA, the construction of enterprise information security has become indispensable. Therefore, technical security, network security, data security and other areas have to keep pace with the speed of development.
Data security is the bottom line
With the development and expansion of its business, Xiaohongshu has now set up offices in Beijing, Shanghai, Wuhan, Guangzhou and other cities, and remote work across multiple locations has become the norm. The expansion of the organizational structure, the diversification of office endpoints, and the demanding requirements for network security and compliance have all driven the motivation for security innovation within Xiaohongshu.
From the business's own perspective, data security is the top priority. This comes not only from the strict enforcement of domestic and foreign data security laws, regulations and other policies, but even more from a sense of responsibility toward all users and employees. Compared with the direct threat that hacker attacks pose to data security, the biggest risk of data leakage lurks in the internal office network: once the internal office network is compromised, or information is leaked by employees, the losses and risks to the enterprise are immeasurable.
Xiaohongshu's Internet genes make it very forward-looking and innovative in infrastructure and office security construction, and it has "grown on a cloud-native architecture" since its birth. Flexible office scenarios and a good office experience for employees are both necessary conditions for security construction. Building on Xiaohongshu's solid foundation in data analysis and security risk control, how to protect core data while remaining efficient and flexible in a hybrid work environment became a key goal for the security team.
"Unlike traditional companies, which may use cloud desktops and sandboxes, we think this approach is somewhat heavy to deploy, affects office efficiency, and gives employees a poor experience," the Xiaohongshu security team said. "We have researched some of the mainstream DLP (Data Leakage Prevention) products on the market, and the feedback from employees was not satisfactory. In addition, no matter how strict the outbound data policy is, as long as the data remains on the endpoint it can still be bypassed by various means and cannot be effectively monitored or intercepted."
As a result, an innovative idea emerged within the team. Zero trust is one of the concepts that has kept heating up in security circles in recent years and is spreading widely, and the Xiaohongshu security team believed that a data leakage prevention solution combined with the cutting-edge concept of zero trust might make up for the shortcomings of traditional DLP solutions. Against this background, the team carried out multi-faceted research on the vendors in the market:
Facing challenges
1. Multiple identity roles and diverse access users make access control permissions hard to manage
In addition to internal employees, there are a large number of partners who need access to intranet applications. The division of access rights between different organizations and people needs to be updated in real time, which takes a lot of effort.
2. Multi-terminal solutions such as cloud desktops and sandboxes cannot cover all scenarios
In addition to common PC devices running Windows and macOS, there are also a large number of mobile devices running iOS and Android that need to connect to the office network.
3. Security product fragmentation
In order to solve different security problems, multiple sets of products need to be deployed. Different products have different management platforms, so O&M personnel need to adapt to the design logic and operating habits of each product and frequently switch between their consoles, resulting in high learning costs and high maintenance pressure. In addition, there is no linkage between the individual products.
4. Traditional security products have low openness
In terms of OpenAPI and custom analysis capabilities, they cannot flexibly match Xiaohongshu's business, resulting in 1+1 < 2. In addition, the traditional standardized delivery model of security products cannot match Xiaohongshu's business in some niche scenarios, and the response to co-creation and customization needs is slow or cannot be met at all.
5. Installing multiple agents on an endpoint consumes a lot of resources, resulting in a poor office experience for employees
Traditional office security solutions require the installation of multiple agents such as VPN, EPP, EDR, DLP and UEM, which occupy a large amount of device resources and affect the office experience of employees.
6. Remote work in hybrid work scenarios increases the data exposure surface
With the rapid development of Xiaohongshu, flexible office scenarios can be seen everywhere. In hybrid office scenarios, the security level of each access point is inconsistent, giving attackers easy targets.
7. Data security laws and regulations have been released, and it is difficult to control the sensitive data of enterprises
With the issuance of laws and regulations such as the "Personal Information Protection Law", enterprises' sensitive data faces regulatory pressure, but today sensitive data is widely distributed, obtained in various ways, and its outbound channels are difficult to control, which brings challenges to enterprises.
Co-create zero trust data security
All-in-one integration of the "internal secure office system".
After researching and testing the products of a number of related vendors, the Xiaohongshu security team finally chose Yige Cloud as its partner to create a zero-trust data security solution. The security team said: "We have a lot of ideas that need to be co-created and implemented, and we need a partner that is highly adaptable and flexible. Many vendors are unable to provide flexible and diverse deployment models and delivery components, which would consume a lot of internal R&D resources. After a comprehensive evaluation of technology and service support, we believe that Yige Cloud's current technology and products are relatively leading in China and suit Xiaohongshu's situation."
In the eyes of the security team, a partner's technical competence is certainly paramount, but they also expected the other side to offer genuine cooperation and co-creation. Therefore, Xiaohongshu and Yige Cloud co-created an integrated zero trust data security solution based on SASE:
1. Combining BeyondCorp and SASE capabilities
Xiaohongshu investigated the zero trust solution represented by Google's BeyondCorp early on, and its agentless access method did deliver an excellent user experience. Security teams can implement various risk control capabilities on the gateway, but BeyondCorp also has major drawbacks:
Limited protocol compatibility: only Layer 7 traffic is supported
HTTP(S) services must be exposed to the outside world, creating a large attack surface
Lack of endpoint security management and control means, so endpoint security issues are not covered
Achieving high availability requires a significant investment of time, effort and cost
Xiaohongshu has been following the new zero trust trend of recent years, the SASE architecture, which naturally makes up for the above shortcomings: distributed POP points give the system inherent high availability, and the client supplements security management and control capabilities. However, using SASE directly also has drawbacks: it cannot take advantage of Xiaohongshu's own business gateway, so the risk control capabilities Xiaohongshu has accumulated on the gateway would have to be given up, disconnecting it from the enterprise's internal data management.
After comprehensively investigating the various solutions, Xiaohongshu proposed an innovative idea based on the characteristics of its own network architecture: combining BeyondCorp and SASE capabilities to satisfy the security needs of endpoints, networks and identities.
Endpoint - DLP, antivirus, zero trust access and other functions are all in one, with linkage between endpoint security and access control policies
Network - Transform the office network into an unprivileged network; global POP access points are highly available
Identity - The client is bound to the identity and matched against the requesting identity at the gateway to address identity theft
2. The gateway is linked with the client
In earlier risk control solutions that relied on gateways, the gateway could not obtain endpoint security information. Xiaohongshu innovatively linked the gateway with the client: gateway risk control can identify in real time whether a request carries client information and check the client status, ensuring the endpoint is trustworthy. At the same time, various security compliance policies can be enforced on the endpoint. For access requests from devices without the client installed, gateway risk control can redirect the user to the client page, achieving full client coverage at low cost.
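The gateway-side decision described above (client attestation bound to the SSO identity, posture check, redirect when no client is present), as an added illustration that is not Yige Cloud's or Xiaohongshu's code. The header names, the HMAC-based binding scheme, the posture fields and the client page URL are all assumptions made for the example.

```python
"""Gateway check linking a client-attested device to the requesting identity.

Constructed example: the client attaches a signed attestation to each request;
the gateway verifies it, matches its user against the SSO identity, and checks
endpoint posture. Header names and the signing scheme are assumptions.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass

BINDING_KEY = b"constructed-demo-key"   # shared with the client at enrollment (assumed)
MAX_AGE = 300                           # seconds an attestation stays fresh (assumed)
CLIENT_PAGE = "https://security.example.internal/install-client"  # placeholder URL


@dataclass
class Decision:
    action: str   # "allow", "deny" or "redirect"
    reason: str


def make_attestation(user: str, device_id: str, posture: dict, ts: int) -> str:
    """What the client attaches to a request: JSON claims plus an HMAC tag."""
    body = json.dumps({"user": user, "device": device_id,
                       "posture": posture, "ts": ts}, sort_keys=True)
    tag = hmac.new(BINDING_KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def evaluate(headers: dict, now: int) -> Decision:
    """Gateway risk-control decision for one request (assumed header names)."""
    user = headers.get("X-Auth-User")           # identity set by upstream SSO
    if not user:
        return Decision("deny", "no authenticated identity")
    att = headers.get("X-Client-Attestation")   # absent when client not installed
    if not att:
        return Decision("redirect", CLIENT_PAGE)  # low-cost path to full coverage
    body, _, tag = att.rpartition(".")
    expected = hmac.new(BINDING_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return Decision("deny", "attestation signature invalid")
    claims = json.loads(body)
    if now - claims["ts"] > MAX_AGE:
        return Decision("deny", "attestation stale")
    if claims["user"] != user:
        # A stolen session used from another person's enrolled client fails here.
        return Decision("deny", "client bound to a different identity")
    p = claims["posture"]
    if not (p.get("disk_encrypted") and p.get("av_running") and not p.get("dlp_alert")):
        return Decision("deny", "endpoint posture fails policy")
    return Decision("allow", f"{user} on trusted device {claims['device']}")
```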
3. Real-time risk control and anomaly analysis
Xiaohongshu has invested continuously in risk control infrastructure for many years and has established a comprehensive data security and risk control system. This zero trust access system feeds Layer 4, Layer 7 and client logs into the risk control system, achieving seamless integration with it. The security information collected by the client adds more dimensions of data to the risk control system, enabling more accurate and complete anomaly analysis.
4. Redline data does not land
Xiaohongshu starts from data security lifecycle management and uses "no landing" to keep redline data from leaking. Internally, Xiaohongshu strictly enforces data classification and grading, API security, desensitization, permission management and other measures, taking data marking and API marking as the starting point of data leakage prevention management. For internal production data, data control is shifted left: documents generated by business systems are converted, and file-based distribution is replaced.
Compared to traditional sandbox isolation and file encryption solutions, this approach is not only more secure, but also has a better user experience for employees.
5. Multi-level disaster recovery mechanism
The entire access control system sits in series in the access path, and any failure would affect the normal work of all employees, so system stability is Xiaohongshu's top consideration. For this reason, Xiaohongshu and Yige Cloud innovatively created a multi-level disaster recovery solution.
By default, traffic passes through Xiaohongshu's self-built private POP nodes, ensuring that traffic and data stay in a network environment it controls. When a local POP node fails, the system automatically switches to Yige Cloud's public cloud POP node. This disaster recovery solution already guarantees ultra-high availability, but Xiaohongshu did not stop there: it also implemented a WireGuard layer on top, downgrading to VPN mode when the zero trust protection mode fails, achieving even higher availability.
6. Self-developed client
Xiaohongshu presents its own branded office security platform to employees to increase their acceptance of security software, while also integrating commonly used office functions into the client. Based on the Yige Cloud client-side SDK, Xiaohongshu has created a client UI in its own style, coupled with a convenient office experience, to "plant grass" with employees.
(Screenshot: internal security office system platform client.)
Within a year, Xiaohongshu completed 100% endpoint client deployment and transitioned smoothly overall to a zero trust office security architecture. At the same time as intranet access was switched over, the enterprise implemented hierarchical classification of sensitive data to control the outbound channels of different departments and employees in a fine-grained way. This ensures access security, meets the requirements of least privilege and no landing of sensitive data, and establishes all-round, multi-dimensional full-lifecycle data protection.
Since its implementation, the results have been remarkable: the proportion of network access devices under control rose from 0% to 100%, and redline data landing scenarios were reduced by 80%.
Efficiency first, multiple values
It is worth mentioning that the value this lightweight, stable, simple and efficient integrated "internal secure office system" brings to Xiaohongshu has already become apparent. In internal surveys, the system also received an NPS (net promoter score) of up to 70%:
1. Capability integration and more refined management
The integrated design approach, namely integrated management of platform functions, dramatically reduces the complexity of building, operating and scaling the endpoint security system. Management and control are more refined, permissions can be sorted out automatically, and O&M is easier. Endpoints, identities, behaviors and data receive refined access control throughout the life cycle, ensuring that the endpoint meets the relevant internal and external access requirements for legal, compliant and trusted access.
2. Security capabilities empower each other
It not only realizes data exchange between the different modules of the product platform itself, but also seamlessly connects to existing security capabilities. The zero trust platform connects to the existing risk control system and dynamically adjusts access control policies in real time according to the employee's network environment, identity, device ownership (company device or BYOD), device security, access time and other dimensions.
3. Global data security control
The system realizes data-centric security protection based on classification and grading, providing Xiaohongshu's data assets with proactive defense beforehand, real-time monitoring during events, tracking and tracing afterwards, and situational awareness throughout the process: all-round, multi-dimensional protection based on the full data life cycle.
In the next phase of deployment, the Xiaohongshu security team said, it will add more security features on this basis, such as EDR, to ensure the security of the internal office network. Yige Cloud will also continue to work with Xiaohongshu to explore the development of functions in the field of office security.
We believe that the hot spots in security may keep changing, but only by being self-driven can one keep a direction, keep pace with the times, continue to innovate, and maintain an upward capacity for self-renewal. We also look forward to more innovative iterations from Xiaohongshu in the future.