Requirements and Challenges

Nowadays, financial enterprises increasingly rely on Internet-based open systems. However, the ICT infrastructure of these enterprises is poor and cannot ensure high security performance. Naturally, information security risks are rising at an unexpected rate. In response, financial enterprises have to take a variety of measures, such as improving their emergency handling capabilities and optimizing their information security protection mechanisms, to minimize information risks. In recent years, frequent internal information leakages and network attacks impose more challenges than ever on financial network and information security. Table 1-1 lists customer concerns on information security from various aspects.

Table 1-1 Customer concerns on information security

One single product or system may find impossible to address the preceding information security issues. Financial enterprises need to enhance control and management on the following aspects:

• Comprehensive access and authentication mechanisms to ensure terminal use security
• Efficient terminal security management measures to prevent hidden dangers on terminals from affecting internal network security
• End-to-end data protection and isolation approaches to address new challenges raised by network convergence
• Suitable IT measures to regulate document data forwarding and management and to ensure pre-event approval and post-event auditing
• Enterprise-wide coverage of information security measures, especially operation-critical and high-risk activities

Huawei Solution

Solution Overview

Huawei's desktop security solution enhances financial enterprises' capabilities to prevent external risks and to strengthen internal information control and management. This solution is designed to help customers forge a refined information control and management system, protect information assets, and ensure service continuity.

Figure 2-1 Huawei desktop security solution for the financial industry

As shown in Figure 2-1, Huawei's solution consists of three parts: access security, terminal security, and document security.

• Terminal security

Huawei's solution efficiently tackles the top six problems in terms of terminal. They are security access control, security policy management, employee behavior management, software distribution, patch management, and asset management. In addition to license control, this solution fully combines multiple control modes, such as check, isolation, hardening, and auditing, to help financial enterprises strengthen internal terminal management and prevent high information security risks.



• Data isolation and protection

Huawei's solution enables data isolation and protection for various terminals, including PCs and tablets, which provides anti-data leakage, data auditing, and centralized data management.



• Document security

Information owners can control document property in real time (specify visitors, access modes, and time), share confidential information, and record document operation logs. With this function, enterprises can build a secure platform to ensure document security whenever necessary.

To be specifically, Huawei's desktop security solution has the following key features:

• Deploys a platform that supports multiple types of applications and provides comprehensive access control functions, ensuring a controllable terminal access process.
• Uses multi-layer filtering design and refined security audit, providing all-round security management.
• Adopts Advanced Encryption Standard (AES)-based dynamic encryption and decryption technology and performs real-time document rights control, minimizing information leakage and network attack risks.

Access Security Solution

Requirements Analysis

According to statistics, 80% of enterprise information is revealed on terminals. These information leakage cases cost enterprises a huge amount of money. Therefore, financial enterprises, forced by great information security, have to efficiently management the terminals, with a large number and high information risks, to prevent information leakage.

Terminal security management covers a wide range, including illegal access and unauthorized reading control, security policy check, real-time monitoring, terminal use control, and asset management. Arranged by significance and priority, financial enterprises group their various requirements into seven aspects:

• Terminal user management
• Use of multiple authentication modes
• Access security control and security policy management
• Employee use management
• Software distribution
• Patch management
• Asset management

Solution Overview

Huawei's access security solution:

• Provides dual-authentication: authenticating both terminals and user ID and security policies used on the terminals, thereby preventing illegal terminals from accessing the network.
• Provides refined access control by terminal user role, securing the service systems.
• Monitors and manages enterprise-wide terminals, ensuring terminal security while preventing terminals casing threats to the internal network.

Huawei's access security solution improves customers' capabilities of enhancing internal terminal security by deploying a comprehensive terminal security management system that combines data checking, isolation, hardening, and management.

The access security solution has the following compelling features:

• Comprehensive network admission control solution, ensuring internal network security

Links access and convergence layers to control the access of network devices (switches and firewalls), allowing wired and wireless access.




Provides multiple authentication modes, including 802.1x, Portal, and MAC authentication, enabling users to send authentication requests using multiple approaches (such as U-key and Webagent) and accommodating various authentication requirements.



• Abundant security policies, learning about real-time terminal status

Quantitative security risk management



• Scores terminal compliance and monitors terminals' real-time security status.

Expandable security policies




Provides abundant security policies and what you see is what you get (WYSIWYG) policy configuration tools, supporting customization of security policies based on actual requirements.



• Powerful desktop operation and maintenance (O&M), easily remotely managing desktop terminals

Enhances all-around desktop O&M capabilities, including asset management, software distribution, patch management, and remote assistance, facilitating users' centralized O&M




Scans non-PC network devices (such as the IP printer, IP phone, IP scanner, and servers) and frees maintenance personnel from registering and maintaining these devices one by one before and after the Network Access Control (NAC) rollout.

Figure 2-2 Huawei access security solution for the financial industry

Terminal Security Solution

Requirements Analysis

As enterprises sensitive to information security, financial enterprises are highly concerned about their information security, and they require different security protection approaches for zones of different security levels.

• Terminals of different rights and terminals in different areas must be isolated to avoid confidential data leakage and prevent data in highly confidential areas from being transmitted to less confidential areas.
• Access on multiple types of terminals must be supported, and access security and terminal security must be guaranteed.
• Mobile office must be supported while preventing internal network documents and data being copied to terminals on the external network.
• Internet use must be monitored and regulated to minimize the risks of revealing information inadvertently.
• Service applications cannot be affected during network disconnection and terminal faults.
• Data must be centrally stored, operated, and maintained.

Solution Overview

Huawei's terminal security solution for the financial industry is designed based on regulation-consistence, effectiveness, full coverage, and easy-of-use. The centralized multi-layer filtering design in this solution prevents service-critical data from being stored in the local terminals and ensures that internal open information is shared within the specified range. Additionally, this solution supports mobile office and enables unified data management. The terminal security solution for the financial industry consists of three solutions: secure desktop solution, desktop cloud solution, and security auditing solution. Each of the three solutions is ideal for certain application scenarios.

• Desktop cloud solution

Ideal for an environment with a high information confidentiality level or requesting dynamic resource allocation (such as R&D area)




Preventing data from being stored in local terminals



• Secure desktop solution

Designed for an environment with a low information confidentiality level or demanding mobile office




Ensuring high mobility while preventing data from being stored in local terminals



• Security auditing solution

Auditing document exchanges, document printing, email sending, business-sensitive operations, and O&M operations, achieving integrated monitoring and O&M

The terminal security solution has the following compelling features:

• Information leakage prevention and high reliability

Uses a centralized multi-layer filtering design, based on industry-leading virtualization technologies, to manage terminals based on rights and domains, minimizing terminal security risks.




Concentrates on active prevention and supplements the prevention with monitoring and auditing. Supports mobile office and sets up independent and controllable mobile office environment, enabling mobility and convenience without compromising security.



• Centralized management

Uniformly manages devices, data, IDs, rights, access, and accounts.




Centrally manages and maintains client devices and manages information security policies.



• Refined auditing

Audits user behaviors and user data based on security policies and records business-critical operations, document exchanges, and O&M for fast fault location and accountability division.




Provides auditing reports and original logs for third-party auditing organizations.

Figure 2-3 Huawei terminal security solution for the financial industry

Document Security Solution

Requirements Analysis

According to researches, information leakage has become one of the Top 10 security threats facing enterprises, and one important cause is that documents are read, modified, and distributed without permission. Internal information leakage is mainly caused by the following employee behaviors:

• Copy documents out of the computer by using a floppy disk, a USB flash drive, or a portable hard disk.
• Send documents by email to their mailboxes via the Internet.
• Take printed materials out without authorization.
• Bring portable corporate computers to home, or bring personal computers to the office and connect them to the LAN to obtain secret documents.
• Delete documents not in a timely manner after the office computer changes hands.
• Freely share documents with irrelevant personnel.
• Assign document permissions to irrelevant personnel incorrectly and send documents to them mistakenly.

To monitor and control these unauthorized behaviors, enterprises raise the following specific requirements to enhance document security.

• Confidential documents must be encrypted and saved in hard disks. Document information cannot be revealed even hard disks are lost or stolen.
• Rights of confidential documents, including offline reading rights, must be strictly controlled. Documents can be read only when employees with document rights open the documents on devices that are connected to internal servers.
• Employees with common document rights are not allowed to print confidential documents.
• People without document rights cannot read confidential documents in encrypted format.
• Documents must be encrypted using powerful encryption algorithms in case of document loss.
• Rights and right validity of confidential documents configured for each user must be strictly controlled.
• Document rights that have been assigned must be collected in real time to minimize loss.

Solution Overview

Huawei's document security management (DSM) system is a powerful, ease-of-use document rights management software product. DSM provides an authorized mechanism for sharing confidential information through real-time right control. DSM allows document owners to define the visitor, access mode, and access time for the documents and logs file operations. The access right is permanently attached to the document, regardless of whether the document is sent to the internal or external network (network of the cooperators and customers). The document right is permanently under control. The stable, reliable, and extensible system meets the requirements for encrypting and authorizing the documents of other application systems in enterprises. The system helps enterprises to construct a secure and controllable document security management platform.

The document security solution has the following compelling features:

• Dynamic encryption technology and document rights control for document security

Adopts industry-leading 128-bit AES encryption technology on drivers and stable document encryption and decryption operations to protect sensitive information.




Ensures that the access right is permanently attached to the document, regardless of whether the document is sent to the internal or external network (network of the cooperators and customers) and that document rights are permanently under control.




Enables document owners to dynamically change and retrieve document rights and ensures that the document right changes take effect immediately.



• Comprehensive and flexible document rights management

Manages an array of document permissions, including read, modify, copy, full control, distribute, print and validity period control.




Allows a variety of group rights-based policies and policy templates (including enterprise-based, system-based, and client-based right policies) to achieve unified document rights management.



• Support for multiple document formats for diverse service requirements
• Supports mainstream document formats, including MS Office and Adobe Reader.
• Comprehensive log auditing and user management for locating the channels in which documents are revealed.
• Supports account and department management and traces and logs file operations (create read, modify, and print) of all documents.

Figure 2-4 Huawei document security solution for the financial industry

Customer Benefits

• Minimized internal information leakage risks

Divides the intranet into various areas by referring to the service classification and the required security level and configures these areas with different security policies, thereby isolation areas from each other




Integrated, multi-layer, and all-round terminal security management, allowing the enterprise intranet to transform the defense mode from passive to active




Highly secure, reliable, flexible, and efficient document management, guaranteeing internal document security



• Ease-of-use, secure, and convenient mobile office using remote access

Secure access to enterprise intranet resources without installing any client software




Multiple types of application access, such as the Web Server security access, file sharing access, Notes, Exchange, FTP, Oracle, Telnet, SSH, RDP, and VNC




User authentication by user name and password




Mainstream authentication methods and external authentication platforms




Multiple encryption and decryption algorithms, such as 3DES and AES to deliver end-to-end remote access security



• Easy and efficient security management without security silos

Up to 160 types of log identification for devices, particularly the rapid customized identification for the logs of non-common devices




Powerful event association analysis for identification and warning for common security threats




End-to-end security consultation, solution design, and security policy formulation and implementation



• Complete O&M auditing for efficient enterprise security management and compliance with industry regulations

Uniform access portal and centralized authority control for standardized O&M




All-around internal control and auditing mechanism for passing the IT auditing




Minimized impact on core service systems due to misoperations, abusing operations, and unauthorized access




Quick fault diagnosis, improved troubleshooting efficiency, accurate responsibility identification, and post-event review



• Optimized all-round ICT security management mechanism