Building an E2E Cyber Security System
Security Level:
James Chu, Ph.D.
Huawei Enterprise Business Group
Agenda
1. Build an E2E Cyber Security System
2. Huawei Cyber Security Strategy
3. Huawei Cyber Security Solution
Digital Transformation vs. Cyber Security
Enabling technologies: Cloud, SDN/NFV, AI, 5G, IoT, Mobility
Digital transformation trends and the security concerns each one raises:
• Digitalization: ease of copying; ease of spreading; rights management is hard
• Mobility: break of geographical restrictions; no distance restrictions
• Big data: privacy protection; data security
• E-transaction: financial security, transaction security, business continuity
• Open & all connection: border of nations; border of departments and enterprises
Content of Cyber Security
Classification and work content:
• National cyber security: critical infrastructure security (Telecommunications, Finance, Electricity, Transportation, Oil & Gas)
• Enterprise cyber security: data leakage prevention; attack defense; anti-privilege
Measure for Cyber Security
• Elements to protect: Personnel; Environment; Information
• Measures: Management; Technology; Operation
Basic Ideas: System, Process, Hierarchy
• Whole process, full life cycle: prior to employment; during employment; termination of employment
• Defense in depth: border of internal & external network; within the department or enterprise
• Active discovery and processing: violation detection and handling
• Daily management and education for all
• Key asset/personnel management
E2E Cyber Security System
The cyber security system is made up of three sub-systems:
• Management system: Organization; Policy & specification; Asset management; Personnel management; Partner management; Physical & environmental management; Security check & audit; Security awareness; Security compliance
• Technology system: Terminal side protection; Cloud/DC side protection; Network separation and data exchange; Security technology & tools; Security products
• Operation system: IT maintenance security; Incident emergency response; Risk assessment & security hardening; Attack analysis and resistance; BCM/DR; Right/privilege management
Cyber Security Is Top Priority of Huawei
"In light of the foregoing, Huawei hereby undertakes that as a crucial company strategy, based on compliance with
the applicable laws, regulations, standards of relevant countries and regions, and by reference to the industry best
practice, it has established and will constantly optimize an end-to-end cyber security assurance system… tackling
the challenges of cyber security through partnerships with governments, customers, and partners in an open and
transparent manner. In addition, Huawei guarantees that its commitment to cyber security will never be outweighed
by the consideration of commercial interests."
– Statement on Establishing a Global Cyber Security Assurance System
"As a company, cyber security and privacy protection are our top priorities. We are committed to building trust and
high quality into every ICT infrastructure product and solution we develop."
– An open letter to all Huawei employees
Over the past 30 years, Huawei has served more than 3 billion people worldwide, supporting the stable operation of more than 1,500 carrier networks in over 170 countries and regions. We have maintained solid cyber security records worldwide and earned the trust of tens of thousands of customers.
Cyber Security Strategy Is “Built-in” to Everything We Do
Governance structure:
• CEO: Ren Zhengfei
• GSPC (Ken Hu): approve the strategy, planning, policies, roadmap, and investment; resolve conflicting strategic priorities and audit.
• GSPO (John Suffolk): lead the team to develop the security strategy; drive the implementation of cyber security assurance internally; support GR/PR and global accounts customers externally.
• GSPO Office: coordinate to formulate detailed operation; support the strategy & implementation; audit and monitor the implementation.
• Region/BG/BU CSOs: develop region/BU/BG cyber security strategy and planning, and drive the implementation; work with GSPO to identify changes to BG/BU/departmental processes to ensure the cyber security strategy and requirements are fully embedded.
Cyber security offices and CSOs across the organization:
• Business groups: Carrier Network BG Cyber Security Officer; Consumer BG Cyber Security Office; Enterprise BG Cyber Security Office
• Functional departments: PACD, LA, MKT, REGION, CHR, BP&IT, Audit
• Cyber Security and Privacy Lab; Supply Chain Cyber Security Office; Procurement Cyber Security Office; P&S / 2012 Lab Cyber Security Office
• Country CSOs: USA CSO, Canada CSO, Australia CSO, UK CSO, Germany CSO, France CSO, Netherlands CSO, …
• Independent Cyber Security Lab; Cyber Security Transparency Center
• 1500+ full-time security people
Every Part Of Huawei, And Every Person, Is Included
The twelve areas of the E2E Cyber Security Assurance System and the focus of each:
1. Strategy, Governance and Control: having an overall strategy and the accountability to make it happen
2. Standards and Processes: using the best standards and approaches to protect against threats and risks
3. Laws and Regulations: making your products and operations legally compliant in every country you operate in
4. Human Resources: getting the right people, in the right roles, with the right behaviour to limit insider issues
5. Research and Development: designing, building and testing products in a secure way that builds on the above building blocks
6. Verification (assume nothing, believe no one, check everything): many eyes, many hands, many checks; a tiered, independent approach to security verification
7. Third-Party Supplier Management: getting your suppliers to take security seriously; 70% in the box is not Huawei’s
8. Manufacturing & Logistics: manufacturing products that are secured at each step along the way, right through to delivery
9. Delivering Services Securely: ensuring installation, service and support are secured; no tampering, fully auditable
10. Issue, Defect and Vulnerability Resolution: as issues arise, solving them quickly and ensuring customers’ technology is secured
11. Traceability: root-cause analysis demands an ability to forward and reverse trace every person and every component from every supplier in every product for every customer
12. Audit: using rigorous audit mechanisms to ensure every part of Huawei conforms to the strategy
Huawei Adopts a Built-in Approach Through Clearly Defined and Specific Security Activities and Requirements Within the Product Development Process, and Checks Those Activities at DCP and TR Check Points, to Ensure Effective Implementation
Security activities are integrated into Decision Check Points (DCPs), Contract and Technical Reviews (TRs), and other reviews or check points.
Security activities by phase:
• Security Requirement: security requirements analysis; security threat analysis
• Security Design: security architecture/feature design; open source & third-party software selection
• Security Development: code security review; static code security scan
• Security Test: security test solution and cases; security test
• Security Delivery and Maintenance: security patch development (including open-source & third-party software)
Supporting activities: Configuration Management; R&D Tools; Build Management; Open-Source & Third-Party Software Management
IPD lifecycle phases and check points, in order: Concept, TR1, Plan, TR2, TR3, Development, TR4, TR4A, TR5, Qualify, TR6, Launch, GA; decision check points: Charter, CDCP, PDCP, ADCP
Reference to industry best practices: OpenSAMM (Open Software Assurance Maturity Model); BSIMM (Building Security In Maturity Model); SDL (Security Development Lifecycle); security baseline, criterion, guide etc.
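The check-point mechanism on this slide, shown as an added illustration rather than Huawei's own tooling or process code: a small Python gate that refuses to pass a TR until every security activity it requires has recorded evidence. The checkpoint and activity names come from the slide; which activity is checked at which checkpoint, the evidence record format, and the rule that unresolved critical findings block a gate are assumptions made for this example.

```python
"""Added example, not from the Huawei deck: a minimal gate that checks, at a
Technical Review (TR), whether the security activities required so far have
recorded evidence. Activity and checkpoint names come from the slide; the
activity-to-checkpoint mapping, the evidence record format and the blocking
rule for open critical findings are assumptions."""
from dataclasses import dataclass, field

# Assumed mapping: which security activities must show "done" evidence before
# each checkpoint can be passed (the slide lists activities per phase only).
REQUIRED_ACTIVITIES = {
    "TR1": ["security requirements analysis", "security threat analysis"],
    "TR2": ["security architecture/feature design",
            "open source & third-party software selection"],
    "TR4": ["code security review", "static code security scan"],
    "TR6": ["security test solution and cases", "security test"],
}


@dataclass
class Evidence:
    """One recorded security activity (assumed record format)."""
    activity: str
    status: str              # "done" or "open"
    open_critical: int = 0   # unresolved critical findings left by the activity


@dataclass
class GateResult:
    checkpoint: str
    passed: bool
    missing: list = field(default_factory=list)   # required but not done
    blocking: list = field(default_factory=list)  # done, but critical findings open


def evaluate_checkpoint(checkpoint, evidence):
    """Return a GateResult; the gate passes only when every required activity
    has 'done' evidence and none of them leaves critical findings open."""
    required = REQUIRED_ACTIVITIES.get(checkpoint)
    if required is None:
        raise ValueError(f"unknown checkpoint: {checkpoint!r}")
    latest = {e.activity: e for e in evidence}   # last record per activity wins
    missing = [a for a in required
               if a not in latest or latest[a].status != "done"]
    blocking = [a for a in required
                if a in latest and latest[a].status == "done"
                and latest[a].open_critical > 0]
    return GateResult(checkpoint, not missing and not blocking, missing, blocking)


def first_failing_checkpoint(evidence, order=("TR1", "TR2", "TR4", "TR6")):
    """Walk the checkpoints in lifecycle order and return the first one that
    would not pass with the given evidence, or None if all of them pass."""
    for cp in order:
        if not evaluate_checkpoint(cp, evidence).passed:
            return cp
    return None


if __name__ == "__main__":
    # Constructed sample evidence for a product heading into TR4: the static
    # scan was run but left two critical findings open, so TR4 must fail.
    sample = [
        Evidence("security requirements analysis", "done"),
        Evidence("security threat analysis", "done"),
        Evidence("security architecture/feature design", "done"),
        Evidence("open source & third-party software selection", "done"),
        Evidence("code security review", "done"),
        Evidence("static code security scan", "done", open_critical=2),
    ]
    for cp in ("TR1", "TR2", "TR4"):
        r = evaluate_checkpoint(cp, sample)
        print(cp, "PASS" if r.passed else "FAIL",
              "missing=%s blocking=%s" % (r.missing, r.blocking))
    print("first failing checkpoint:", first_failing_checkpoint(sample))
```

The two failure lists are kept separate on purpose: a missing activity means the phase's work was never done, while a blocking activity means it was done and surfaced findings that nobody closed, and the two call for different follow-up at the review.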
Build a Secure Supply Chain Together with Supplier Partners
Target: strict qualification; systematic prevention; rapid handling; continuous improvement
Organizations and IT platforms: PET/SQE/TQC/CEG, PQMD, ST, Procurement cyber security and privacy work team; SRM platform
• PQMD: Procurement Qualification Mgmt Dept
• PET: Procurement Engineer Technology
• SQE: Supplier Qualify Engineer
• CEG: Commodity Expert Group
• TQC: Technical & Quality Certification
• SRM: Supplier Relationship Mgmt
We have signed cyber security agreements with more than 3400 cyber security related suppliers worldwide, requiring suppliers to comply with relevant security regulations and industry security standards, and prohibiting the implantation of Trojans, backdoors, malicious code, and vicious viruses.
Requirements & processes, and methods, by supply chain stage:
• Supplier sourcing
  Requirements & processes: cyber security is a basic requirement and minimum standard
  Method: minimum requirements for suppliers
• Material sourcing
  Requirements & processes: security requirements are incorporated into the material sourcing and qualification process
  Method: material security specifications; technical quality risk assessment; security testing and qualification for new materials
• Supplier qualification
  Requirements & processes: have to pass the security assessment and sign the security agreement; no security, no business
  Method: cyber security system self-assessment; cyber security assessment; cyber security agreement signing
• Supplier daily management
  Requirements & processes: inspection of high-risk suppliers and improvement of security risk assessment
  Method: security system self-assessment; security risk level assessment; performance evaluation
• Problem handling & emergency response
  Requirements & processes: rectify security vulnerabilities and issues; version updates or patches
  Method: SCAR workflow problem closure; CERT, vulnerability warning and emergency response
• Supplier selection
  Requirements & processes: security requirements are incorporated in the supplier selection process (TQRDCESS)
  Method: application of security performance evaluation results in supplier selection
• Supplier portfolio management
  Requirements & processes: supplier security performance management process (suppliers categorized as strategic, preferred, approved, conditional, and phase-out)
  Method: supplier portfolio management
• Supplier exit
  Requirements & processes: security requirements are incorporated in the supplier exit process (TQRDCESS); suppliers with poor security performance will exit
  Method: management of the exit of suppliers with low performance
Our Supplier Security System Checklist Provides a Comprehensive Assessment on How the Supplier Performs Relating to Security Policies, Procedures and Standards
We Adopt Responsible Disclosure Processes with Vendors, CERT Organizations and Security Researchers; We Coordinate the Resolution of Product Vulnerabilities
Responsible disclosure implies that the vulnerability finder and vendor work together diligently to produce a timely resolution to reduce users’ risks associated with the vulnerability.
Process as diagrammed: the vulnerability finder or a coordinator reports the vulnerability to Huawei PSIRT; Huawei PSIRT releases a security advisory to coordinators and other vendors.
Principles: Transparency; Mitigation; Trustworthiness; Improvement
Huawei Cyber Security Transparency Center is to Serve as an Open, Transparent and Collaborative Exchange Platform with Key Stakeholders
Locations (global hub and regional hubs): Banbury, UK; Brussels, Belgium; Bonn, Germany; Dubai, UAE; Shenzhen, China; Toronto, Canada
HCSTC Brussels: Communication, Innovation and Verification
We Promote Employees’ Awareness and Competence to Avoid the Risks Due to Employees’ Inappropriate Behavior
Inputs: customer requirements; cyber security statements; BCG and cyber security policies; legal requirements in various states. These feed the Huawei Cyber Security Strategy and Values.
Integrate cyber security into HR management elements:
• Security vetting: pre-job, clean background; on-job, clean behavior; off-job, clean assets and permission
• Whistle-blowing: establish a whistle-blowing mechanism
• Security accountability: cyber security accountability system
• Security position management: identify cyber security positions, define job descriptions, and update competence & qualification criteria
• Security education & proactive learning: proactive learning motivated by job qualifications
Measures by staff group:
• Staff in security positions: pre-job security background vetting; commitment letter & NDA; on-job regular security audit; off-job security permission & asset cleanup; off-job staff security requirement publicity; commitment letter signing
• All staff (staff in common positions): background vetting; staff awareness education; BCG and commitment letter signing
Integrate cyber security into HR enabling management: HR process management; cyber security education organization; cyber security courses & case management
Huawei Capability on Cyber Security/Information Security
• Consulting service: strategy & plan; information security system construction; attack resistance
• Practice & experience: critical infrastructure security; enterprise internal security; E2E security guarantee to customers
• Security solution & products: Firewall, VPN, IPS, Anti-DDoS, CIS (Anti-APT)
Huawei Information Construction Practice
Scale: 180,000+ employees; 170+ countries/regions covered; 150+ nationalities; 1000+ global office sites
Protection results: 550,000 viruses blocked per month; 492,000 network threats blocked per month; 3,000,000 SQL injection/cross-site attacks blocked per year; 20,000 malicious sites blocked per day
Elements of the practice: Organization & Capability; Principle & Policy; Information & Process; Awareness & Culture; Technology & platform
Huawei Cyber Security Consulting
Cyber security consulting offerings:
• National cyber security strategy/whitepaper
• Government cyber security system planning & construction
• National CIRT/CERT planning & construction
• Enterprise cyber security system planning & construction
Huawei Security R&D History
Timeline years: 2002, 2004, 2006, 2008, 2010, 2012, 2013, 2015, 2017
Milestones, in the order shown on the timeline:
• 2002: VPN Encryption Card
• 2004 to 2012: Commercial Cipher Certificate; IPSec VPN High-speed Card; TSM; Entered the Enterprise Market; Security Competence Center; SRG Box; 10GE Firewall; 1T IDS; 100M Firewall; NP-based Firewall; First 40G Anti-DDoS; 100G High-end Firewall; Full-series UTM Products
• 2013: NGFW
• 2015: vNGFW; Recommended Cloud Sandbox
• 2017: Sandbox; Challenger 100M FW; Anti-DDoS; CIS
Huawei Security Products Portfolio
• Network Security: USG6000/6000E (mid-range and low-end NGFW); USG9500 (TB-level NGFW); NIP6000 (IPS & IDS); AntiDDoS1000 and AntiDDoS8000 (Anti-DDoS); FireHunter6000 (sandbox); SVN5000 (security access gateway)
• Cloud Security: USG6000V (software firewall); USG9000V
• Device Security: CE and S switch modules (security plug-in); IoT security
• Security Management: SecoManager (unified control system); CIS (big data intelligent analysis system)
• Security Services: threat signature database updates; emergency response; security consulting
Copyright©2018 Huawei Technologies Co., Ltd.
All Rights Reserved.
The information in this document may contain predictive
statements including, without limitation, statements regarding
the future financial and operating results, future product
portfolio, new technology, etc. There are a number of factors that
could cause actual results and developments to differ materially
from those expressed or implied in the predictive statements.
Therefore, such information is provided for reference purpose
only and constitutes neither an offer nor an acceptance. Huawei
may change the information at any time without notice.
Bring digital to every person, home, and organization for a fully connected, intelligent world.
Thank you.