The Lark Approach to Data Security
A deep dive into user protections for IT managers

The Lark Approach to Data Security · 2020-04-23 · Lark uses Amazon Web Services (AWS) to provide infrastructure services, including server rooms, networks, servers, operating systems,

Table of Contents

Introduction
1. Security Team and Functions
2. Compliance and Privacy
3. Employee Security
4. App Security
  4.1 Operating Environment Security
  4.2 Data Security
  4.3 Security Vulnerability Protection
  4.4 Client Security Strategy
5. Network Security
  5.1 Network Access Control
  5.2 DDoS and Cyber Attack Defense
  5.3 Network Transmission Encryption
6. Server Security
7. Application Security
  7.1 Security Development Process
  7.2 User Account Security
  7.3 Vulnerabilities and Emergency Response
8. Data Security
  8.1 Data Transmission
  8.2 Data Storage
  8.3 Data Access
  8.4 Data Disposal
  8.5 Data Security Detection
9. Physical Infrastructure Security
  9.1 Amazon Web Service (AWS) Infrastructure Security
  9.2 Akamai Infrastructure Security
10. Disaster Recovery and Service Continuity
  10.1 Backup and Disaster Recovery
  10.2 Service Continuity Guarantee
  10.3 Emergency Drills
11. Change Management
  11.1 Program Changes
  11.2 Source Code Control
  11.3 IT Infrastructure Change
  11.4 Monitoring Changes

Introduction

Lark Technologies provides Lark Suite, a new-generation SaaS office suite that is mobile-friendly, supports real-time collaboration, and provides single access. Lark Suite helps user entities improve work efficiency and reduce production and administrative costs, enabling them to move towards efficient, coordinated, and more secure intelligent businesses. Meanwhile, the Company has leveraged information technology and application systems to support the implementation of control activities related to the development and operation of Lark Suite.

Larksuite is the office suite, a SaaS service for enterprises created by Lark Technologies Pte. Ltd. (hereinafter referred to as "The Company"), with functions such as instant messaging, cloud documents, smart calendar, video conference, and open platform. Larksuite uses industry-leading technological safeguards and security measures to ensure the protection of products and user data throughout the data lifecycle. The design, development, and operation of Larksuite meet the compliance and user privacy standards.

1. Security Team and Functions

As a SaaS service provider, The Company places the security of user services and data as its highest priority. The Company has a complete security infrastructure and a user service and data security protection system. Lark's security team consists of security management and compliance, business security, data security, emergency response, and security tool development teams. Its responsibilities include security assessment of product design, code security review, vulnerability scanning, penetration testing, threat intelligence, intrusion detection, emergency response, data security, security compliance, and more.

2. Compliance and Privacy

The Company attaches great importance to product compliance, and the Security and Compliance Department is responsible for managing compliance with the highest standards at home and abroad. Lark has a dedicated privacy team that reviews user privacy protocols, product privacy protection design, and the collection and use of user data to ensure that users' data is used and processed correctly and that users have reasonable transparency. The Company actively follows international requirements for product compliance and works with various levels of regulatory agencies to ensure that its products and services meet the requirements.

Lark has passed ISO 27001 certification, which is a set of industry-wide adopted security management system standards. It is regarded as one of the most authoritative and strictest information security system certification standards in the world. The data center, management system, R&D, and functional departments of Lark have passed this certification, which means that the Company has met the international standards of information security management and has sufficient information security risk identification and control capabilities to provide safe and reliable customer service around the world.

Lark has passed ISO 27018 certification, which is the international standard for the protection of personal information in public clouds. It guides implementation of security control systems for personally identifiable information (PII) in public clouds. Lark's ISO 27018 certification is proof that we have achieved a high standard in protecting corporate data, securing users' personal information, and preventing information leakage.

Lark has passed ISO 27701 certification, which is a privacy information management system standard with a complete closed loop of PDCA. The standard is an extension of ISO 27001 and ISO 27002, and specifies the requirements for establishing, implementing, maintaining, and continuously improving the privacy information management system. The privacy protections required to process personally identifiable information (PII) are taken into account on the basis of information security protection. Lark obtained this certification as a commitment to our long-term work in building a world-class privacy compliance system.

Lark has obtained SOC 2 Type I, SOC 2 Type II and SOC 3 service audit reports. System and Organization Controls (SOC) Reports are independent third-party examination reports about the internal control of the service organization issued by professional third-party accounting firms, based on the relevant guidelines of the American Institute of Certified Public Accountants (AICPA). SOC 2, one of the types, defines standards for managing customer data based on Trust Service Principles (security, availability, processing integrity, confidentiality, and privacy). Lark is regularly audited by third parties to verify that the products meet this standard, which indicates that our systems are reliable and secure. We can securely manage customer data, and protect the interests of the organization and the privacy of our customers.

The certification marks Lark's success at achieving a more standardized and normalized level of information security management, service quality management, IT service management, etc., laying a solid foundation for the improvement and perfection of the Company's overall quality system.

3. Employee Security

Lark has established security human resource management processes:

  • The recruitment of new employees must be approved by the human resource ("HR") specialist and the leaders of the department requesting the resource. The recruitment process and results are recorded in the human resource management system;
  • Before a new employee is hired, the Human Resources Department must conduct a background check, subject to the laws and regulations of the country and according to the importance of the employee's position, to ensure that the recruitment meets the Company's rules and regulations;
  • Newly hired employees are required to sign the employment contract and confidentiality agreement, which describe the employee's obligations and responsibilities on information security;
  • The Legal Department reviews the legal terms enclosed in the employee confidentiality agreement and third-party confidentiality agreement at least once a year and makes updates as needed, and publishes the updated agreements through the internal knowledge platform to ensure that all employees and relevant personnel have access to the latest confidentiality agreements;
  • An employee's resignation is required to be initiated by the employee himself or herself or by the department leader in the human resource management system, and to be approved by the Human Resources Department, the IT Department and other functional departments before the official resignation.

Lark has established a comprehensive training and learning system. Newly hired employees are required to participate in trainings on corporate culture, rules and regulations, information security, and reward and punishment mechanisms. Meanwhile, the Company organizes the following trainings on an aperiodic basis and in multiple ways to enhance employees' professional knowledge, skills, and information security awareness:

  • Information security related trainings, to enhance employees' information security skills;
  • Information security activities, to promote information security awareness;
  • Preparing materials on security awareness topics and delivering them to employees via emails and posters.

4. App Security

4.1 Operating Environment Security

Lark App will stringently test the running environment, including root detection, jailbreak detection, debugging detection, injection detection, etc. The purpose of screening is to ensure that the client runs in a safe and trusted environment, in case the App is hacked or infected by malware.

4.2 Data Security

Lark App uses the operating system's security mechanism to isolate permissions between apps. Client information is encrypted for storage. Full-link communication between the client and the server is encrypted with HTTPS or WSS.

4.3 Security Vulnerability Protection

Lark has a full-time mobile security vulnerability mining team that conducts security assessment and vulnerability mining for the Android, iOS, Windows, and macOS clients, as well as vulnerability detection of the client's third-party components (libraries, SDKs), to root out existing vulnerabilities in applications as much as possible and ensure the security of the client.

4.4 Client Security Strategy

Customer administrators can configure custom security policies through the management console and apply them to their clients.

5. Network Security

5.1 Network Access Control

Lark uses Amazon Web Services (AWS) to provide infrastructure services, including server rooms, networks, servers, operating systems, etc., and to provide infrastructure security services. Based on AWS, The Company enhances its security control in server access, and all services must be operated and audited through the bastion machine.

Employees need to be authenticated to access internal resources. After confirming their identity, employees have minimal permissions by default. New permission acquisition needs to be approved and recorded by the relevant responsible personnel. Permissions have an expiration date, and the system automatically reclaims permissions after the expiration date. Employees' online service operations are performed through the bastion machine, and all operational logs are retained for audit use. All employees outside the corporate network boundary need to access the company's internal resources through a VPN connection. Lark's internal audit and control department will audit the access log, search the records for violations of protocol, and handle the corresponding reprimands.

5.2 DDoS and Cyber Attack Defense

Lark Service provides customers around the world with access to its network through CDN and dynamic acceleration, and access to back-end services through AWS's load balancing. When encountering DDoS attacks, attack defense is carried out through a network cleaning service from providers such as AWS and Akamai.

5.3 Network Transmission Encryption

Lark Service is transmitted via HTTPS and WSS in both internal and external networks at all times, which ensures the security of the transmission process and prevents eavesdropping and tampering.

6. Server Security

Lark uses AWS cloud servers to serve its customers. Amazon provides cloud server security from the physical to the virtualization layer. For details on cloud server security provided by AWS, please see the Amazon Cloud Security White Paper: https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf

7. Application Security

Lark shall take appropriate measures to protect the development process.

7.1 Security Development Process

We strive to control security risks from the source of security breaches. We produce security courses, and provide on-site and online training. All developers and product managers will receive security training to understand the causes of security vulnerabilities and strengthen coding knowledge. The security team communicates with the project manager at the start of the project to ensure the security requirements and security testing are reflected in the project plan. At the same time, the security team will evaluate third-party libraries and tools used by the product and exploit any vulnerabilities to ensure that there are no vulnerabilities introduced by the supply chain. The security team works with the product team to conduct a security review of the design and coding. Before the product goes online, a penetration assessment and a security assessment of the deployment are performed to ensure the security of the service.

7.2 User Account Security

The user's access to the Lark system is authenticated using a password plus a dynamic verification code, which effectively avoids account leakage caused by password loss. For logins initiated on unrecognized devices, the risk control strategy increases the difficulty of a user's login verification. At the same time, the account system can defend against abnormal and brute-force login attempts. The risk control system has anti-malicious-registration, anti-credential-enumeration, and other protection functions.

7.3 Vulnerabilities and Emergency Response

The Security team receives and reviews vulnerabilities reported from the outside and assesses their harm and urgency in order to fix them. The Company uses a routine scanning service to scan its services and operating systems and repairs any vulnerability that is detected. The Company's security team works in close cooperation and regular communication with the top third-party evaluation companies and the White Hat Community, and occasionally invites outside companies and white hats to conduct penetration testing on services, with rewards for discovering as many security vulnerabilities as possible.

The Company's security team operates a 24/7 emergency response strategy. When a security incident occurs, the security team will quickly classify the event according to the security emergency plan and initiate an emergency response process to prevent the security incident from expanding.

8. Data Security

The Company has a complete data life cycle management process with a technical guarantee for each stage of the data life cycle, including generation, storage, usage, transmission, sharing, and destruction.

8.1 Data Transmission

The Company provides users with data transmission channels that support secure encryption protocols. Data transmissions such as message pull, identity authentication, and operation instructions are encrypted through HTTPS and a 2048-bit RSA key. Message push uses the WSS protocol to protect the transmitted data through encryption. The cloud documents service is encrypted and transmitted, utilizing the symmetric encryption algorithm AES256.

8.2 Data Storage

The Company uses the key mechanism to support the encrypted storage of data. Lark has developed a comprehensive data classification and management method, and has strictly classified the user information collected by the Lark Suite. Lark has encrypted sensitive data stored in systems, which can effectively protect user information.

The KMS service is responsible for the lifecycle management of keys and sensitive configuration information, including generation, storage, distribution, use, update, deletion, and more. The master key used for data encryption of Lark users and other sensitive information of the Lark service (such as database accounts, passwords, etc.) is stored in the KMS system, which is maintained by Lark itself, and access must be performed through the KMS interface. When the key is initialized, the KMS system uses the Shamir's Secret Sharing protocol to generate 5 key components, and the components are distributed to different management roles. Only when more than 3 key components are provided can the master key of the KMS system be restored. The KMS master key will be periodically updated to improve the security of the KMS.

8.3 Data Access

User data access is strictly isolated through permissions. Users cannot access each other's accounts without authorization. Access to data must be done through explicit approval by the data owner, such as sharing.

The Company's employees' access to user data is strictly limited and audited, and employees do not have access to any user data by default. Special access requirements are subject to explicit authorization by the user and a strict internal approval process to obtain temporary access rights, and permissions are immediately reclaimed after the operation is completed.

The login log, operation log, server security baseline file changes, and access permission change log of all servers in Lark's online environment are recorded; real-time auditing of illegal access and risk operations is performed through automatic detection, and alarms are generated. Lark has detailed log records of the activities on the data, and different operator roles are distinguished, with different permissions granted accordingly. Operations require approval and auditing.

The Company and Lark will not disclose a user's information publicly unless The Company or Lark has the user's consent. However, in the event that a user's data is required in accordance with laws and regulations, mandatory administrative enforcement, or judicial requirements, The Company or Lark may disclose a user's personal information to regulatory, law enforcement, or legal authorities in accordance with the type of personal data required and the manner in which disclosure is required. When we receive a disclosure request, as laws and regulations approve it, we will require that the legal documents corresponding to the code be issued. We will only provide data that law enforcement agencies have legal rights to obtain for specific investigation purposes. Subject to laws and regulations, the documents we disclose are protected by encryption measures.

8.4 Data Disposal

When terminating service to a user, a Lark administrator will delete the user account information and will permanently delete the user's data in compliance with local laws and regulations. Unmounted disks need to be degaussed and destroyed to ensure there is no remaining information on the drive.

The resigned employees of the user entity can initiate the application for account withdrawal to the tenant administrator. After the tenant administrator confirms that the group owner, schedules, Docs, and other data within the resigned employee's account have been transferred, he or she contacts the Company through the Lark customer service function. The Company de-identifies the data and Docs of the requested account based on the tenant administrator's application. When the Company signs a service agreement with the user entity, it states that when the service is terminated, the corresponding data will be disposed of according to the user entity's requirements.

Apart from the users in user entities' tenants, Lark Suite is also available to personal users. When an individual user needs to withdraw his or her account, he or she should contact the Company, which will provide the Lark Suite installation package with account withdrawal functionality through the Lark customer service function. After the installation, the user can apply for account withdrawal in the software, and Lark Suite accordingly de-identifies the data and Docs of the requested account in backend databases.

8.5 Data Security Detection

The login behavior, operational behavior, server security baseline file changes, access rights changes, and data access behaviors of all servers in the Lark online environment are recorded. The security team monitors and analyzes abnormal behaviors by establishing user behavior portraits and unusual behavior models, and automatically detects various anomalous data access actions such as illegal access to data, malicious data crawling, abnormal login, privilege escalation, etc. Security devices can automatically alert on and block abnormal behavior.

9. Physical Infrastructure Security

Lark serves customers in different regions of the world through Amazon Web Service and Akamai.

9.1 Amazon Web Service (AWS) Infrastructure Security

As one of the cloud service providers of Lark, AWS provides services such as cloud servers. AWS itself operates, manages, and controls all of its hardware and software facilities from the physical layer to the virtualization layer. As the world's leading cloud service provider, Amazon has the industry's top security capabilities to provide users with infrastructure security. For details on the protection of cloud service infrastructure provided by AWS, please refer to the AWS Security White Paper: https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf

9.2 Akamai Infrastructure Security

Akamai is the world's number one CDN service provider, providing long-term, reliable, and stable acceleration services to customers across the globe. Lark delivers accelerated access to overseas customers through Akamai. For details on Akamai's security, please see the Akamai Security White Paper: https://www.akamai.com/cn/zh/about/ourthinking/white-papers.jsp

10. Disaster Recovery and Service Continuity

10.1 Backup and Disaster Recovery

The Company has established the Data Backup and Recovery Management Policy to standardize backup strategies, backup data retention, recovery testing methods, etc. for Lark Suite. Business databases have regular snapshots and backups, and data is stored in two places with three reserves. At the same time, the Company has deployed a backup performance monitoring mechanism to ensure the integrity of data backup. The Lark team regularly performs backup data recovery testing.

10.2 Service Continuity Guarantee

The service system access layer is accessed in a high-availability mode and through a public gateway service provided by Lark. The back-end uses multi-instance access to ensure the reliability of the service. Through detailed monitoring, if a traffic burst or fault happens, the degraded operation mode will be used to ensure service availability.

Lark has developed plans that provide guidelines on emergency response and recovery measures for scenarios that may lead to business disruption. Lark conducts business impact analysis and risk assessment once a year to identify significant business processes and threats that may cause disruptions to the Company's business and resources; defines indicators such as maximum tolerable outage time, recovery time target, and minimum service level, etc.; and develops respective response strategies for disruption scenarios of different business lines.

10.3 Emergency Drills

The Company has a complete emergency drill mechanism and conducts fault drills regularly with participants such as the development team, security team, operation and maintenance team, etc.

11. Change Management

11.1 Program Changes

The Company has established the Change Management Regulation to define the requirements and procedures for change management, including the establishment of a change plan, change approval, change implementation, etc.

Change poses a potential risk to the stability, availability, and security of online services. Lark's development strictly controls the switch to prevent the balance of the service from being affected. Online operations require an application and can only be performed with approval. The release needs to be tested under small traffic to ensure the stability and security of the service.

11.2 Source Code Control

Lark has developed a strict source code management process, and developers can only access and manage the code warehouse corresponding to their team. R&D personnel have access only to the code warehouse that belongs to their group. A specific code warehouse owner is required to be set for each project. If R&D personnel apply for access to a code warehouse belonging to another team, the application should be submitted in the code warehouse. The code warehouse will automatically grant access to the applicant upon receiving approval from the applicant's team leader and the owner of the requested code warehouse.

11.3 IT Infrastructure Change

Lark manages network access by deploying an Access Control List ("ACL") on the public network boundary. If changes are required to the ACL configuration baseline and the network access control policy, the operation personnel apply through the system workflow platform. An engineer from the System Department will implement the change after evaluating the rationality of the change request. Only authorized engineers from the System Department are granted access to change the network access configurations.

11.4 Monitoring Changes

An internal audit is performed by the Lark team each year to assess the operational effectiveness of the Company's internal control system, including the controls related to change management. The audit results are summarized in the internal audit report. If any exception is identified, the Internal Audit and Internal Control Department will inform the team in charge to take remediation measures and will track the remediation status.

Segregation of incompatible responsibilities exists in the process of change management, including change development, testing, approval, migration, and monitoring.

larksuite.com