WeChat Work Security White Paper
【Copyright Notice】
【Trademark Notice】
and all other trademarks associated with WeChat Work services are
owned by Tencent. Trademarks of third parties referred to in this white paper are
owned by their respective proprietors.
【Service Statement】
This white paper is for reference only. WeChat Work gives no guarantee, express or
implied, regarding the information in this white paper, which is provided as is. The
information and opinions in this white paper, including URLs, Internet websites and other
references, may change without notice. You bear the risk of using it.
This white paper does not grant you any legal entitlement to the intellectual property of
any Tencent product. You may copy and use the contents of this white paper for your
internal reference purposes.
Version History
Contents
Contents ... 4
1 Preface ... 6
7.2.1 Network Communication Security ... 14
7.2.2 Defense Against DDoS Attacks ... 14
7.2.3 Network Access Security ... 14
7.2.4 Network Isolation ... 15
7.2.5 Network Redundancy ... 15
8 Conclusion ... 15
1 Preface
With the development of the Internet, office communication tools have become more
convenient and more widely adopted. At the same time, Internet businesses are exposed
to a range of risks, including attacks from the cybercrime underground, theft and abuse
of sensitive information, and harassment through malicious content. WeChat Work has
built a strong information security system on the protection capabilities and experience
that Tencent has accumulated over many years with products such as WeChat and QQ.
Since its launch in 2016, WeChat Work has been widely recognized for its information
security system, and it now serves more than 40,000 Tencent employees and millions of
enterprises.
This paper describes the information security capabilities of WeChat Work from the
perspectives of compliance, data security, operation security and basic security, so that
you can better understand them. WeChat Work can respond quickly to all types of
Internet attacks and prevent information leakage, ensuring the security of enterprise and
user information.
1.1 Glossary
2 Compliance
To safeguard national network security and user information, WeChat Work strictly
abides by the People's Republic of China Network Security Law and related laws,
regulations and normative documents, and fulfills its primary responsibilities for
enterprise network security. It has obtained the national cybersecurity classified
protection certification as well as international security certifications and industry
compliance certifications, established a fully functional internal security compliance
system, and taken the lead in acquiring the international standard information security
certifications, ensuring the compliance, security and reliability of WeChat Work products
and services. Certifications received by WeChat Work include: National Cybersecurity
Classified Protection (Level 3), ISO/IEC 27001, ISO/IEC 27018, ISO/IEC 20000 and the
SOC 2 Type I Report.
2.1 Certifications
A SOC (System and Organization Controls) Report is an audit and assurance report on
the system and internal controls of a service organization, issued by an international
professional third-party accounting firm on the basis of the relevant standards of the
American Institute of Certified Public Accountants (AICPA). WeChat Work has passed the
SOC 2 audit on the principles of security, confidentiality and privacy, and is the first
enterprise office product in China to receive a SOC 2 Type I Report on privacy since the
implementation of the People's Republic of China Network Security Law and the Personal
Information Security Specification. This shows that WeChat Work applies the most
stringent standards of privacy protection and data security to effectively guarantee the
security of enterprise and user data.
WeChat Work does not process users' PII via a third-party service provider. Users who
entrust a third party to submit PII to WeChat Work must make sure that the third party
complies with the relevant confidentiality regulations.
WeChat Work will not disclose users' PII to any third party without their consent unless
otherwise stipulated by law.
The service provided by WeChat Work is SaaS.
Users' PII is stored in Mainland China.
In case of any security incident, such as a PII leak, we will activate an emergency plan to
prevent the incident from escalating, and inform you of the relevant information by
email, letter, telephone call or push notification within 30 calendar days. If we are unable
to inform you by these means, we will issue an announcement in a reasonable and
effective way.
WeChat Work fully complies with ISO/IEC 27001 and ISO/IEC 27018 in its security practices.
3 Data Security
Over the years, laws and regulations on personal information protection have been
promulgated continuously, and governments, the media and other sectors of society pay
close attention to the personal information processing activities of Internet companies.
WeChat Work applies security measures at every critical step of personal information
processing (including data generation, transmission, use, storage and destruction) to
ensure legal compliance.
Data generated when users use WeChat Work is classified according to its sensitivity, and
all subsequent processing is strictly controlled and managed according to the
requirements of the applicable data category.
3.2 Data Transmission
Servers and clients communicate over the SSL/TLS protocol, and the application layer
additionally encrypts and verifies the in-transit data to ensure secure transfer.
After passing identity verification, end users receive user tickets issued by the system.
Access to and use of data are strictly controlled by the ticket management system to
prevent unauthorized and illegal access. The server system modules are also connected to
the ticket management system, so that module-level tickets are strictly controlled as well,
preventing unauthorized and illegal access from inside.
WeChat Work imposes stringent requirements and an audit mechanism on third parties.
Any app listed in WeChat Work must meet the relevant requirements and undergo
rigorous security testing, and third-party apps must be authorized before they can use
user or enterprise data.
Based on data classification, WeChat Work encrypts important enterprise and user data,
including organization structure, text messages, files and images. A different encryption
key is used for each enterprise to ensure the confidentiality and security of its data. Keys
are centrally managed by the key management system, which secures key transmission
and so strengthens the encryption. Data is stored on different physical disks or in
different data centers by category, and the storage environments for different data
categories are physically isolated to improve the security of important data.
3.6 Data Security Audit
Through malicious device detection and unauthorized ticket detection, WeChat Work can
detect abnormal actions and raise alarms, so that suspicious logins and unauthorized
access to data can be traced.
4 Terminal Security
For terminal data encryption, keys are held only in memory rather than persisted on local
storage, avoiding the risks of locally stored keys and greatly improving the security of the
encryption process.
5 Access Control
WeChat Work provides businesses with security capabilities such as role-based access
control, account protection, multi-factor identity verification and SSO. Access control
uses ticket technology to control user access permissions and prevent unauthorized and
illegal access. The server system modules are also connected to the ticket management
system, so that module-level tickets are strictly controlled as well, preventing
unauthorized and illegal access from inside.
Keys are centrally managed by a key management system, which ensures the security and
confidentiality of key transmission.
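The ticket-based access control described in sections 3.2 and 5, together with the unauthorized-ticket alarms of section 3.6, can be illustrated with the following added example. It is not WeChat Work's own code, and the white paper does not disclose its ticket format: the HMAC-signed ticket layout, the module names and the in-memory alarm list are assumptions made for the illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed stand-in for a signing key that, in the design described above,
# would be issued and rotated by the key management system (assumption).
TICKET_KEY = b"example-kms-managed-ticket-key"
ALARMS = []  # constructed stand-in for the security audit / alarm pipeline


def issue_ticket(principal, enterprise, modules, ttl=3600, now=None):
    """Issue a signed ticket once identity verification has already succeeded.
    'principal' may be an end user or an internal server module; 'modules' lists
    the server modules the holder may call, giving module-level scoping."""
    now = int(now if now is not None else time.time())
    body = {"sub": principal, "ent": enterprise, "mod": sorted(modules), "exp": now + ttl}
    payload = base64.urlsafe_b64encode(json.dumps(body, sort_keys=True).encode()).decode()
    sig = hmac.new(TICKET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{sig}"


def check_ticket(ticket, module, enterprise, now=None):
    """Return (ok, reason). Every refusal is also recorded as an alarm so that
    unauthorized access attempts can be traced afterwards."""
    now = int(now if now is not None else time.time())
    try:
        payload, sig = ticket.split(".", 1)
    except ValueError:
        return _deny("malformed ticket", module, enterprise)
    expected = hmac.new(TICKET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return _deny("bad signature", module, enterprise)
    body = json.loads(base64.urlsafe_b64decode(payload))
    if body["exp"] <= now:
        return _deny("expired", module, enterprise, body["sub"])
    if body["ent"] != enterprise:  # a ticket never crosses an enterprise boundary
        return _deny("enterprise mismatch", module, enterprise, body["sub"])
    if module not in body["mod"]:  # module-level scope check
        return _deny("module not permitted", module, enterprise, body["sub"])
    return True, "ok"


def _deny(reason, module, enterprise, subject="unknown"):
    ALARMS.append({"sub": subject, "mod": module, "ent": enterprise, "reason": reason})
    return False, reason
```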
6 Operation Security
We conduct a legal background check on employees before they join WeChat Work, to
ensure that all employees meet our code of conduct, business ethics and information
security requirements.
Employees are required to sign confidentiality agreements on joining. Tencent has always
emphasized the protection of customer information and user data. Leaking customer
information or user data is one of the behaviors that Tencent explicitly prohibits, and
this is underlined in induction training.
WeChat Work provides information security training to employees from time to time to
ensure they follow the prescribed security policies.
Drawing on its experience in protecting WeChat's 100 million users, the WeChat Work
security team provides 24/7 security monitoring to continuously counter network threats.
The team conducts regular attack and defense drills and engages third-party security
companies for security assessment and testing. It also invites Tencent experts from
various security fields to conduct targeted reviews and research, and to scan and test for
possible security vulnerabilities so that they can be prevented proactively.
Tencent's professional security teams include Keen Security Lab, Xuanwu Lab, Zhanlu Lab,
Anti-Virus Lab, Anti-Fraud Lab, Mobile Security Lab and Yunding Lab. These teams bring
together top domestic "white-hat" security experts and researchers to provide solid
backing for WeChat Work security.
6.3 Emergency Response
WeChat Work has established a complete emergency response procedure with a detailed
segregation of duties and contact information, and conducts regular drills in strict
accordance with its requirements to ensure that disaster recovery plans are timely and
feasible.
In addition, the WeChat Work Security Response Center has worked out a handling
procedure and standard for unexpected security incidents in conjunction with the
Tencent Security Response Center (TSRC). The handling procedure covers the forecasting,
reporting, processing, recovery and completion stages. WeChat Work does its utmost to
guarantee the security of user information and data.
7 Basic
All WeChat Work IDCs are located, constructed or leased in accordance with the relevant
international standards and local security requirements. The electric power and air
conditioning systems of each IDC are highly stable and fully redundant, ensuring
continuity of power and cooling in case of any single device failure. Each IDC is
equipped with a complete fire-fighting system, including a fixed-area fire detection
system, an automatic gas fire extinguishing system and manual fire extinguishing devices
for emergency use. All IDCs are fitted with anti-static floors, cabinets and slots, with
grounding wires installed to protect the devices from damage caused by static electricity.
In addition, WeChat Work requires all IDC administrators to take part in regular business
continuity emergency drills to ensure that the IDC infrastructure security procedures are
implemented effectively.
Based on the importance of the devices they house, WeChat Work defines three security
levels for the different areas of its IDCs: general security zone, restricted security zone
and highly restricted security zone.
Each IDC establishes a strict infrastructure and environment access control system
according to the security requirements of each zone level. WeChat Work maintains a
complete access control matrix based on the categories and access permissions of IDC
personnel, to effectively control and manage the access and operations of everyone in the
IDCs. The access control authorization system applies different security levels to different
functional areas. All visitors and staff entering or leaving an IDC must undergo an identity
check and an inspection of carried items, and their belongings must be registered. As part
of environmental control, each IDC also applies strict rules and control measures for
vehicle access: all employees' private vehicles and suppliers' trucks must be registered,
and only authorized vehicles are allowed into the area surrounding the IDC.
7.1.3 Security
The security personnel of all WeChat Work IDCs patrol the facility every day at least
every 2 hours, strictly following the inspection checklist and schedule, and sign and
record the inspection time at each checkpoint. Once any security violation is found, they
immediately start the IDC management emergency process.
All IDCs have formulated physical security emergency plans and regularly engage IDC
staff in security drills. In case of any physical security incident, the plan takes effect
immediately and guides the relevant personnel in protecting customer assets as far as
possible.
Additionally, all WeChat Work APIs provide SSL/TLS encryption, signature verification,
status monitoring and other security capabilities that guarantee the security of enterprise
communication.
WeChat Work provides efficient distributed protection capabilities. Among them, Dayu
Anti-DDoS is the most powerful BGP high-defense product in China. It features 21-line
BGP covering multiple mainstream ISPs at home and abroad and a bandwidth of 4T,
providing a fast and stable access experience.
All public network APIs of WeChat Work are handled via TGW, which offers high
reliability, strong scalability, high performance and robust anti-attack capability, thus
providing more efficient and secure network access.
7.2.4 Network Isolation
WeChat Work has formulated strict internal network isolation rules, using physical and
logical isolation to enforce access control and boundary protection between the internal
office network, the development network, the test network and the production network.
WeChat Work prevents unauthorized personnel from accessing any internal network
resource. Any employee who needs to move from the company network to the production
network for daily operations must log in to the production system through a jump server.
Tencent's network egress connects to multiple ISPs in different regions, giving WeChat
Work cross-region disaster recovery capability and effectively minimizing the impact of
any ISP public network failure on business continuity.
The basic network is built in an N*N redundancy mode, and traffic scheduling based on
route priority and route reachability at the routing level ensures that network service is
not interrupted by the failure of any single device. Computing nodes are also deployed in
an N*N redundancy mode: any failed computing node is removed automatically by the
scheduler in real time, which effectively ensures the availability of user services.
8 Conclusion
Security is at the core of WeChat Work. We always keep in mind Tencent's business
philosophy, "Users' needs are our first priority", and never stop strengthening our security
controls and information security development. In conjunction with Tencent's
professional security teams, WeChat Work is dedicated to the research and application of
Internet security technologies and attack-defense systems to protect user security.