Two way combination of business and technology to build a bank data security management system

2022-06-24 14:28:00 InfoQ

Analysys (Yi Guan) analysis:
Data has become an important factor of production, and the data-driven digital transformation of the banking industry is an important trend in financial development. Banks use data applications to improve business efficiency in many scenarios across the front, middle and back office. However, whether because of legal and regulatory requirements or because of the actual losses caused by security vulnerabilities, data security is something the banking industry must pay attention to. Analysys summarizes the three major challenges currently facing banking data security and proposes countermeasures for them. It expects that in the future, beyond building the data security system, the full-life-cycle security management technology system and the enterprise-level data security protection system, data security will pay more attention to applying cutting-edge technologies to cope with increasingly diverse data security attacks, ultimately helping to maximize the value of data.

The necessity of bank data security

As the digital economy era accelerates, banks use data not only to reflect operating results and to support management decisions through after-the-fact statistics, but increasingly for wealth management, user marketing, intelligent risk control, business efficiency and customer experience. Data has become a driving force for the reform of commercial banks and an important source of core competitiveness. Correspondingly, data security has become the core of bank security.
Banks hold large amounts of internal customer data and transaction data, as well as external data. Given the significance of data for banks and its inherent properties (it is intangible, replicable, unlimited in supply and demand, and has a low marginal cost), banks need to focus on data security while releasing the potential value of data, and must balance data security against data-enabled services.
In terms of laws and regulations, the Network Security Law, the Data Security Law and the Personal Information Protection Law set out legal provisions for data security protection and lawful use, while standards and specifications such as the Technical Specifications for Personal Financial Information Protection, the Financial Data Security Classification Guide and the Financial Data Security Data Lifecycle Security Specification put forward clear requirements for data security protection in the financial industry.
Overall, as data-intensive institutions, banks need to balance data security and value creation: while promoting data circulation and its rational, lawful development and use, they must ensure data security through policy, technology and other means.

The dilemma of data security

The construction of the data security management system needs to be improved
In recent years, incidents of employees leaking customer privacy data and sensitive enterprise information have occurred again and again, which shows that banks still have shortcomings in managing authority and responsibility and in promoting a data security culture. Meanwhile, banks' data security policies are generally drafted by the security department, which often does not understand how data is used in specific business lines, so the resulting policies may be ill-suited when applied across the bank as a whole.
Although the banking industry's digital transformation is relatively mature compared with many industries, its data security management organizational structure and policy framework are still incomplete.
It is difficult to manage the data security technology system
The acceleration of banks' digital transformation has brought explosive growth in data volume and more complex data structure types. This makes data integration and data standardization harder and constrains data security management, and even the construction of the data governance system. From the perspective of data circulation and value creation, the data life cycle contains many security management stages, and every one of them, from acquisition compliance and quality assessment through to destruction verification and evaluation, carries security risk.
In addition, most bank technology architectures today are still built by combining and stacking components, without unified operation and maintenance management or coordinated response measures, so it is hard for them to work as a whole. The data security systems are accordingly scattered across this architecture, which on the one hand raises the bank's technology procurement and sensitive-data monitoring costs, and on the other increases the risk of data leakage.
It is difficult for data security to match the speed of business development
As for data itself, confidentiality and availability are often hard to balance: confidentiality means data security, while availability often means greater benefit. Data security and business development are therefore in tension to some extent.
Meanwhile, many banks invest more of their technology resources in business development, meeting customer needs through rapid iteration of business systems and realizing the value of data and technology. But how to integrate the data security system into the existing complex business systems, how to make the two fit together, and how to keep pace with business system iteration remain unsolved problems.

Solutions to data security problems

Formulate a standardized data security system
Banks need to comprehensively identify the deficiencies and blind spots in their data security management, establish a sound data security organization and management mechanism, clarify security rights and responsibilities, implement financial compliance requirements, and formulate a standardized data security system. The following points need attention in implementation:
First, for each stage of data lifecycle security management, define the data security responsibilities of departments at every level, such as data collection, management, application and system R&D.
Second, under the data security classification standard and following principles such as "need to know" and "minimum authorization", carry out data classification and grading, data asset management and unified identity management.
Third, invest in training data security technical staff, make full use of technology in data transmission, storage, processing, exchange and other stages, and regularly monitor data security through technical means such as situational awareness.
Fourth, raise data security awareness among all bank employees to avoid data security problems caused by employees' non-compliant operations.
Improve the full-life-cycle security management technology system
From the perspective of data lifecycle security management technology, identity authentication, data encryption, data desensitization, data watermarking, API security and other technologies run through the entire data life cycle. In addition, each stage has its own targeted technologies to ensure data security.
In the current market, for the main technical areas above, Analysys groups the major vendors into classification and grading, log management, encryption, data desensitization, identity authentication and access management, database security, backup and recovery, data leakage prevention, privacy computing, and data security (operations) centers, among others.
Build an enterprise level data security protection system
To combine business scenarios with data security technologies, data security management can be driven by business scenarios: build an enterprise-level data security protection system so that business innovation and data security construction proceed together. Data security lifecycle management involves six stages and dozens of technologies. If every stage and every technology is combined and integrated with the business separately, first, resources are wasted, for example through repeated access to an external database; second, management may become confused, increasing security risk; third, data security development will struggle to keep up with business innovation. Therefore, to maximize the effect of technology-enabled business and to ensure data security at every level of data asset management, banks need to build the enterprise-level data security protection system from a business perspective and carry data security protection through the entire business life cycle.

Future development trend

Respond to increasingly diverse attack paths through technical means
Beyond institutional measures such as personnel management and culture building, banks will pay more attention to countering increasingly diverse hacker attacks through technical means. In addition to attacks against traditional distributed architectures, weaknesses in cryptographic algorithms and in smart contract logic are also major entry points for attacks. APIs, for example, make program calls convenient, but that same characteristic has gradually made them a main target of malicious attackers. API authorization and authentication mechanisms are already relatively mature, but access control after authorization is still relatively weak.
Make good use of innovative technologies to achieve data security applications
Both to deal with these data security attacks and to keep pace with business innovation, the data security field needs corresponding technological innovation and application, including dynamic data desensitization, situational awareness, privacy computing and other technologies. Take privacy computing as an example. At present it is applied mainly in scenarios such as bank intelligent risk control and intelligent marketing. Based on cryptographic theory such as secure protocols, and combined with technologies such as artificial intelligence, it allows multi-party data to be used compliantly without the data leaving its domain, maximizing the potential value of data in specific scenarios while keeping the data "available but not visible" throughout the process. Previously, Everbright Bank launched an enterprise-level secure multi-party computation platform, effectively improving joint marketing to high-net-worth customers; ICBC provides a data foundation for expanding inclusive financial services through its federated learning platform; and China Merchants Bank has taken the lead in working with several leading privacy computing vendors to explore cross-platform interconnection of privacy computing.
The ultimate significance of data security is to maximize the value of data
From the perspective of the banking industry's big data system, the seemingly contradictory relationship between data security and business value creation is in fact dialectically unified. First, both arise from banks' digital transformation. Second, the two are integrated with each other in specific scenarios. Third, data security technologies can enable business; for example, privacy computing can release the value that data should have while ensuring data security. Fourth, the value of data comes from information asymmetry; only by securing matters such as data ownership can its value be kept from vanishing through zero-cost or low-cost propagation. In short, data security achieved through security policy and security technology will become an important part of the data governance system, working with other layers such as the business application of data to maximize the value of data.

Statement:
The third-party data and other information cited by Analysys in this article come from public sources, and Analysys assumes no responsibility for them. In any case, this article is for reference only and does not serve as any basis. The copyright of this article belongs to the publisher. Without authorization from Analysys, it is strictly prohibited to reprint, quote or in any way use any content published by Analysys. Any authorized media, website or individual must quote the original text and indicate the source when using it, and analytical viewpoints must follow the official content of Analysys without any deletion, addition, splicing, extrapolation or distortion. Analysys assumes no responsibility for disputes arising from improper use and reserves the right to pursue the liability of the relevant parties.
Copyright notice
This article was created by [InfoQ]. Please include the original link when reprinting. Thank you.
https://yzsam.com/2022/175/202206241246212982.html