WeChat Work Security White Paper

WeChat Work Security

White Paper

WeChat Work Team Security Management Team

1
【Copyright Notice】

©2017-2018 WeChat Work. All Rights Reserved.

Copyright in this white paper is exclusively owned by Tencent Cloud. You must not
reproduce, modify, copy or distribute in any way, in whole or in part, the contents of
this document without Tencent Cloud's prior written consent.

【Trademark Notice】

and all other trademarks associated with WeChat Work services are
owned by Tencent. Trademarks of third parties referred to in this white paper are
owned by their respective proprietors.

【Service Statement】

This white paper is for reference only. WeChat Work does not give any guarantee,
express or implied, on the information of this white paper. This white paper is
provided as is. Information and opinions in this white paper, including URLs,
Internet websites and other references, may change without notice. You bear the risk
of using it.

This white paper does not grant you any legal entitlement to the intellectual property
of any Tencent product. You can copy and use the contents of this white paper for your
internal reference purposes.

2
 Version History

Time Version Description

Jun. 29, 2017 WeChat Work 1.0 Version creation

Jun. 21, 2018 WeChat Work 2.0 Version revision

Sep. 20, 2018 WeChat Work 2.1 Version revision

3
 Contents
Contents ............................................................................................................. 4
1 Preface ....................................................................................................................... 6

1.1 Glossary ..................................................................................................................... 6

2 Compliance ............................................................................................................... 6

2.1 Certifications ............................................................................................................. 7

2.2 Security Compliance ................................................................................................ 8

3 Data Security ............................................................................................................. 8

3.1 Data Generation ....................................................................................................... 8

3.2 Data Transmission ................................................................................................... 9

3.3 Data Use ................................................................................................................... 9

3.4 Data Storage ............................................................................................................. 9

3.5 Data Destruction ...................................................................................................... 9

3.6 Data Security Audit ................................................................................................. 10

4 Terminal Security ................................................................................................... 10
5 Access Control ......................................................................................................... 10
6 Operation Security ................................................................................................... 11

6.1 Personnel Security ................................................................................................... 11

6.2 Continuous Prevention Against Network Threats ................................................. 11

6.3 Emergency Response .............................................................................................. 12

7 Basic Security .......................................................................................................... 12

7.1 Physical and Basic Architecture Security ................................................................ 12

7.1.1 Infrastructure Security ............................................................................ 12
7.1.2 Access Control System ............................................................................ 13
7.1.3 Security Inspection and Audit ................................................................ 13

7.2 Server and Network Security .................................................................................. 14

4
 7.2.1 Network Communication Security ......................................................... 14
7.2.2 Defense Against DDoS Attacks .............................................................. 14
7.2.3 Network Access Security ........................................................................ 14
7.2.4 Network Isolation ....................................................................................15
7.2.5 Network Redundancy ..............................................................................15
8 Conclusion ................................................................................................................15

5
1 Preface

With the development of the Internet, office communication tools have become more
convenient and increasingly applied. However, Internet businesses are now exposed to
various risks, including attacks from underground industry, theft and abuse of sensitive
information, and harassment by malicious information. WeChat Work has built up a
strong information security system based on the security protection capabilities and
experiences accumulated by Tencent over years for its products such as WeChat and QQ.
WeChat Work has been widely recognized for its information security system since its
launch in 2016, and now serves more than 40,000 Tencent employees and millions of
enterprises.
This paper elaborates the information security capabilities of WeChat Work from the
aspects of compliance, data security, operation security and basic security, to help you
understand more about the security capabilities of WeChat Work. WeChat Work can
quickly respond to all types of Internet attacks and prevent information leakage, ensuring
the security of enterprise and user information.

1.1 Glossary

PII: Personally Identifiable Information

TGW: Tencent Gateway

BGP: Border Gateway Protocol

SaaS: Software as a Service

2 Compliance

To safeguard the security of national network and user information, WeChat Work
strictly abides by the People's Republic of China Network Security Law and related laws,
regulations and normative documents, and fulfills its main responsibilities for enterprise
network security. It has obtained the national cybersecurity classified protection
certification as well as international security certification and industry compliance
certification, established a full-functional internal security compliance system, and taken
the lead in acquiring all the international standard information security certifications,
ensuring the compliance, security and reliability of WeChat Work products and services.
Certifications received by WeChat Work include: National Cybersecurity Classified
6
Protection (Level 3), ISO/IEC 27001, ISO/IEC 27018, ISO/IEC 20000, SOC 2 Type I
Report.

2.1 Certifications

National Cybersecurity Classified Protection (Level 3) is an authoritative certification of

network security levels, and the highest certification for non-bank organizations in China at
the supervision level. National Cybersecurity Classified Protection System is the basic
system for national cybersecurity protection, and the essential guarantee of protecting the
development of information technology and maintaining the national cyberspace security.
Obtaining National Cybersecurity Classified Protection (Level 3) means that WeChat Work
has a higher level of network security protection, and its capability of managing and
controlling the information security has been recognized by the Ministry of Public Security.

ISO/IEC 27001:2013 Information Security Management System Standard is the most

authoritative and strictest international certification standard that is most widely accepted
and applied in the field of information security. Acquisition of this certification through
audit by an authoritative organization shows that WeChat Work's security management
system meets the international standard, and it can provide more secure and reliable
services for enterprises and users.

ISO/IEC 27018:2014 International Certification for Personal Information Protection on

Public Cloud is the first international standard developed by ISO for the protection of
personal privacy data on public cloud, which has been widely recognized around the
world. WeChat Work has been certified through audit by an authoritative organization,
and become the first enterprise office product awarded this certificate in China.

ISO/IEC 20000-1:2011 Information Technology Service Management System Standard is

developed by ISO based on the best practice of IT service management, and has become
an international standard of organization's IT operation and service delivery management
level. ISO20000 has been widely recognized and adopted by the international community.
By receiving this certification through audit by an authoritative organization, WeChat
Work is capable of offering effective IT services to meet the needs of enterprises and users.

SOC (System and Organization Controls) Report is an auditing and assurance report on
the system and internal controls of a service organization, which is issued by an
international professional third-party accounting firm on the basis of relevant standards
of the American Institute of Certified Public Accountants (AICPA). WeChat Work has
passed the SOC 2 audit on the principles of security, confidentiality and privacy, and is
the first enterprise office product in China that has received the SOC 2 Type I Report on
privacy since the implementation of the People's Republic of China Network Security Law
and the Personal Information Security Specification. It also indicates that WeChat Work
7
applies the most stringent standards on privacy protection and data security to effectively
guarantee the security of enterprise and user data.

2.2 Security Compliance

WeChat Work does not process users' PII via a third-party service provider. Users that
entrust a third-party to submit PII to WeChat Work must make sure that such third party
complies with relevant regulations on confidentiality.
WeChat Work will not disclose users' PII to any third party without their consent unless
otherwise stipulated by law.
The service provided by WeChat Work is SaaS.
Users' PII is stored in Mainland China.
In case of any security incident, such as PII leakage, we will start an emergency plan to
prevent the escalation of such incident, and inform you of the relevant information by
means of email, letter, telephone call or notification push within 30 calendar days. If we
fail to inform you by the above means, we will issue an announcement in a reasonable
and effective way.

WeChat Work will fully comply with ISO27001 and ISO27018 in security practices.

3 Data Security

Over the years, laws and regulations on personal information protection have been
continuously promulgated, and governments, media and other social sectors pay great
attention to the personal information processing activities of Internet companies. WeChat
Work applies security measures on all critical steps (including data generation,
transmission, use, storage and destruction) of personal information processing, to ensure
legal compliance.

3.1 Data Generation

The data generated when users use WeChat Work will be classified based on the sensitivity
of data. The subsequent data processing will be strictly controlled and managed according
to the requirements of appropriate data categories.

8
3.2 Data Transmission

Servers and clients communicate using the SSL/TLS protocol, and the application layer
encrypts and verifies the in-transit data to ensure secure transfer.

3.3 Data Use

After passing the identity verification, end users will get user tickets issued by the system.
The access and use of data will be strictly controlled by the ticket management system to
prevent unauthorized and illegal access. Meanwhile, the server system module is
connected to the ticket management system, so that module-level tickets are also strictly
controlled to prevent internal unauthorized and illegal access.

WeChat Work puts stringent requirements and audit mechanism on third parties. Any
Apps listed in WeChat Work must meet relevant requirements and undergo rigorous
security testing. Third-party Apps must be authorized before they can use user or
enterprise data.

3.4 Data Storage

Based on data classification, WeChat Work encrypts important enterprise and user data,
including organization structure, text messages, files, and images. Different encryption
keys are used for different enterprises to ensure the confidentiality and security of data.
Keys are centrally managed by the key management system to ensure the security of key
transmission, making the encryption more secure. Data are stored on different physical
disks or in different data centers by category, and the storage environments of different
data are physically isolated to improve the security of important data.

3.5 Data Destruction

According to Tencent's security management system, WeChat Work performs data

deletion, hardware degaussing and physical destruction on storage media and devices
with storage media that are retired and discarded or taken away from IDCs, using the
strict logical deletion and physical erasure methods, so as to ensure the security and
reliability of the destruction process. All data destroyed will not be recovered illegally.

9
3.6 Data Security Audit

With malicious device detection and unauthorized ticket detection, WeChat Work can
detect abnormal actions and send alarms, so that suspicious login and unauthorized
access to data can be traced.

4 Terminal Security

WeChat Work provides terminal security protection capabilities, such as identification of

terminal device type, login protection, and malicious device identification. A variety of
methods including shelling, obfuscation and signature verification are used to prevent
programs from being decompiled and tampered. WeChat Work also provides such
detection capabilities as simulator and malicious device fingerprinting.

For terminal data encryption, keys are stored in memory to avoid risks incurred when
keys are stored locally, thus greatly improving the security of encryption processes.

5 Access Control

WeChat Work provides such security capabilities as role-based access control, account
protection, multi-factor identity verification and SSO for businesses. Access control uses
ticket technology for user access permission control to prevent unauthorized and illegal
access. Meanwhile, the server system module is connected to the ticket management
system, so that module-level tickets are also strictly controlled to prevent internal
unauthorized and illegal access.

Keys are centrally managed by a key management system, which ensures the security and
confidentiality of key transmission.

10
6 Operation Security

6.1 Personnel Security

We conduct legal background check on our employees before they join in WeChat Work,
to ensure that all employees meet our code of conduct, business ethics and information
security requirements.

The employees are required to sign confidentiality agreements upon entry. Tencent always
lays emphasis on customer information and user data protection. Leaking customer
information and user data is one of the behaviors that Tencent explicitly prohibits, which
is underlined in induction training.

Permission control is automatically implemented by the centralized operation

management portal in case of personnel changes in the WeChat Work operation
management team. New users are automatically granted default basic permissions.
Permissions of those who are transferred to other posts are automatically modified. And
permissions of those who leave the company are automatically disabled. Employees can
apply for temporary or fixed permissions in the unified operation portal. When such
application is approved after multi-level review, new permissions will be automatically
granted. Temporary permissions are automatically reclaimed after expiration.

WeChat Work provides information security training to employees from time to time to
ensure they follow prescribed security policies.

6.2 Continuous Prevention Against Network Threats

Based on its experience in security protection for WeChat's 100 million users, WeChat
Work security team provides 7*24 security monitoring to continuously fight against
network threats. The team conducts regular attack and defense drills, and engages third-
party security companies for security assessment and testing. Meanwhile, the team invites
Tencent experts in various security fields to make special discussions and research, and
scan and test possible security vulnerabilities to implement active prevention.

Tencent's professional security teams include Keen Security Lab, Xuanwu Lab, Zhanlu Lab,
Anti-Virus Lab, Anti-Fraud Lab, Mobile Security Lab, and Yunding Lab. The teams bring
together top domestic "white-hat" security experts and researchers in the security field to
provide solid backing for WeChat Work security.

11
6.3 Emergency Response

WeChat Work has established a complete emergency response procedure with detailed
segregation of duties and contacts information, and conducts regular drills in strict
accordance with requirements to ensure the timeliness and feasibility of disaster recovery
plans.

Also, WeChat Work Security Response Center has worked out the disposal procedure and
standard for unexpected security incidents in conjunction with Tencent Security Response
Center (TSRC). The disposal procedure includes forecasting, reporting, processing,
recovering and completion stages. WeChat Work tries its best to guarantee the security of
user information and data.

7 Basic

7.1 Physical and Basic Architecture Security

As an enterprise communication service provider, WeChat Work strives to provide a

secure, stable, sustainable and reliable physical architecture for every customer. WeChat
Work has established a comprehensive security management system based on relevant
international standards and regulatory requirements for IDCs. At the same time, WeChat
Work conducts strict supervision and audit on the system from policy to process
management and makes continuous improvements to ensure the physical and
environmental security of IDCs.

7.1.1 Infrastructure Security

Security of electric power, air-conditioning, fire-fighting and electrostatic protection

facilities is the most basic requirement of WeChat Work IDCs, and also one of the most
important aspects to ensure availability.

All WeChat Work IDCs are located, constructed or leased in accordance with relevant
international standards and local security requirements. The electric power and the air-
conditioning systems of each IDC are highly stable and fully redundant, which can ensure
power and cooling continuity of IDCs in case of any single device failure. Each IDC is
equipped with a complete fire-fighting system, including fixed-area fire detection system,
automatic gas fire extinguishing system and manual fire extinguishing devices for
emergency use. All IDCs are equipped with anti-static floor, cabinets and slots, with
12
grounding wires installed to protect the devices from damages caused by static electricity.

In addition, WeChat Work requires all IDC admins to receive emergency drills for
business continuity regularly to ensure that the IDC infrastructure security procedures are
effectively implemented.

7.1.2 Access Control System

Based on the importance of devices, WeChat Work defines three security levels for
different areas of IDCs: general security zone, restricted security zone and highly restricted
security zone.

Each IDC establishes strict infrastructure and environment access control system
according to the security requirements for zones of different levels. WeChat Work
establishes a complete security matrix of access control based on the categories and access
permissions of personnel in IDCs to effectively control and manage the access and
operation of all personnel in IDCs. The access control authorization system adopts
different security levels for different functional areas. All visitors or staff entering and
leaving IDCs are required to receive identity check and carry-on item inspection, and their
belongings must be registered. As for environmental control, each IDC also adopts strict
regulations and control measures for vehicle access. All employees' private vehicles and
suppliers' trucks must be registered, and only authorized vehicles are allowed to enter the
surrounding areas of the IDC.

7.1.3 Security

The security personnel of all WeChat Work IDCs inspect the devices every day strictly
according to the inspection list and plan at least every 2 hours, and sign and record the
inspection time at each checkpoint. Once any security violation is found, they will start the
IDC management emergency process immediately.

All IDCs have formulated physical security emergency plans, and regularly engage IDC
staff in security drills. In case of any physical security incident, the plan takes effect
immediately, and provides guidance for relevant personnel on protecting customer assets
as far as possible.

Meanwhile, WeChat Work establishes a regular security audit management system to

ensure the implementation of the above measures and requirements. WeChat Work
performs a physical security audit for field operations and management on a quarterly
basis, and outputs internal audit reports to trace and promote the improvement of weak
13
points in physical security.

7.2 Server and Network Security

7.2.1 Network Communication Security

The communication between terminal/web console and WeChat Work backend is
encrypted using the SSL/TLS security protocol.

Additionally, all WeChat Work APIs provide SSL/TLS encryption, signature verification,
status monitoring and other security capabilities, which can guarantee the security of
enterprise communication.

7.2.2 Defense Against DDoS Attacks

WeChat Work provides efficient distributed protection capabilities. Among them, Dayu
Anti-DDoS is the most powerful BGP high defense product in China. It features 21-line
BGP covering multiple mainstream ISPs at home and abroad, and a bandwidth of 4T,
providing fast and stable access experience.

7.2.3 Network Access Security

All public network APIs of WeChat Work are processed via TGW, which features high
reliability, strong expansibility, high performance and robust anti-attack capability, thus
providing more efficient and secure network access.

14
7.2.4 Network
WeChat Work has formulated strict internal network isolation rules to achieve access
control and border protection between internal office network, development network, test
network and production network via physical and logical isolations. WeChat Work
prevents unauthorized personnel from accessing any internal network resources. If any
employee needs to switch from the company network to the production network for daily
operations, he/she must log in to the production system through the jump server.

7.2.5 Network Redundancy

Tencent network egress connects with multiple ISPs in different regions to deliver the
cross-region disaster recovery capability of WeChat Work, which effectively minimizes
the impact of ISP public network failure on business continuity.

The basic network constructed using the redundancy mode of N*N and the traffic
scheduling based on route priority and route reachability at the routing level are combined
to prevent network service from being interrupted by a single point of device failure.
Computing nodes are also deployed in the redundancy mode of N*N. Any failed single
computing node will be eliminated automatically by the scheduler in real time, which
effectively ensures the usability of user business.

8 Conclusion

Security is the core of WeChat Work. We always keep in mind Tencent's business
philosophy of "Users' needs are our first priority", and never stop strengthening security
control measures and information security construction. In conjunction with Tencent's
professional security teams, WeChat Work is dedicated to the research and application of
Internet security technologies and attack-defense systems to protect user security.

15