New security concepts
ICT technology is changing rapidly, and in this mobile, cloud-based world of infinite connections, technology providers need to think long and hard about how best to protect our networks. For years, security efforts have focused on setting a hard perimeter: a "great wall", basically a sophisticated firewall. However, as new technology emerges, traditional sharp boundaries are becoming increasingly blurred. It is no longer clear where the control points should be; and when we do set up controls, there are now many more ways to circumvent them. The "perimeter defense" concept is no longer effective. So Huawei will focus more deeply on the concept of "defense in depth" and combine it thoroughly with new technologies. In this approach you have to assume that at some point your firewall will be breached, so you have to consider how to identify, contain, and eradicate a given threat at every level of an ICT system.
- Defense in depth requires big data technologies, to compare current system data to known benign and malicious behaviors.
- It also requires the use of sophisticated AI to assess what processes should be allowed to continue, and what needs isolating for further examination.
- When dynamic blocks are imposed, all hardware and systems that might have been infected need to be isolated as well. Policies need to be updated in real time to prevent further spread and fully eradicate the threat.
To build these security concepts into Huawei's products and solutions, since 2012 Huawei has adopted the following three security practices into our security framework:
In the early stages of product planning, Huawei first considers all the available security technologies, relevant security standards, legal requirements, and the customer's cyber security needs. As part of the initial product specification, we include our security positioning and target security features. This allows us to determine what resources will be required in the later development phases. From product design and coding to testing, Huawei embeds strict security requirements into every product development process.
We follow fundamental security principles during the design phase, including least privilege, defense in depth, and complete mediation. Huawei has a Security Competence Center which sets security standards. This center has over 300 people and is responsible for improving the security skills of our nearly 80,000 R&D engineers. The Competence Center also coordinates with R&D teams working on new technologies to develop comprehensive security solutions. Two examples are our cloud and IoT security solutions:
Cloud: Huawei's cloud technology is predicated on effective data protection. Big data analytics dynamically assess the security status of a Huawei cloud network, identify major risks and threats, then take defensive action to mitigate and remediate. Multi-dimensional, multi-layer defenses and analytics support secure cloud operations by delivering swift identification, containment, and recovery.
IoT: The Huawei IoT security framework encompasses endpoint security, network layer security, platform and application security, and security situational awareness. In IoT endpoints (sensors and devices), chipsets incorporate Trusted Platform Module (TPM) and Trusted Execution Environment (TEE) techniques, together with secure boot and secure upgrade processes. At the network level, security is assured through mutual authentication, security zone isolation, and encryption of transmitted data. For platforms and applications, there is sandboxing, web application firewalls, DDoS defense, etc. Together, these individual measures form a deep, layered defense. Over the top runs security situational awareness: monitoring, big data analytics, and policy management. The system is constantly sensing and analyzing the network and its behavior to detect potential risks and threats.
- Independent security verification
Huawei has an independent cyber security lab, led by a dedicated Global Cyber Security Officer. This lab carries out a completely independent verification of all products before launch. No product which fails to meet security standards can be released onto the market, and faulty development processes are carefully investigated.