The Lark Approach to Data Security

A deep dive into user protections for IT managers

Post on 20-Mar-2022

Stephanie Farrell

Table of Contents

Introduction
1. Security Team and Functions
2. Compliance and Privacy
3. Employee Security
4. App Security
4.1 Operating Environment Security
4.2 Data Security
4.3 Security Vulnerability Protection
4.4 Client Security Strategy
5. Network Security
5.1 Network Access Control
5.2 DDoS and Cyber Attack Defense
5.3 Network Transmission Encryption
6. Server Security
7. Application Security
7.1 Security Development Process
7.2 User Account Security
7.3 Vulnerabilities and Emergency Response
8. Data Security
8.1 Data Transmission
8.2 Data Storage
8.3 Data Access
8.4 Data Disposal
8.5 Data Security Detection
9. Physical Infrastructure Security
9.1 Amazon Web Service (AWS) Infrastructure Security
9.2 Akamai Infrastructure Security
10. Disaster Recovery and Service Continuity
10.1 Backup and Disaster Recovery
10.2 Service Continuity Guarantee
10.3 Emergency Drills
11. Change Management
11.1 Program Changes
11.2 Source Code Control
11.3 IT Infrastructure Change
11.4 Monitoring Changes

Introduction

Lark Technologies provides the new-generation office suite SaaS, Lark Suite, which is mobile-friendly, supports real-time collaboration, and provides single access. Lark Suite helps user entities improve work efficiency and reduce production and administrative costs, enabling them to move towards efficient, coordinated, and more secure intelligent businesses. Meanwhile, the Company has leveraged information technology and application systems to support the implementation of control activities related to the development and operation of Lark Suite.

Larksuite is the office suite, a SaaS service for enterprises created by Lark Technologies Pte. Ltd. (hereinafter referred to as “The Company”), with functions such as instant messaging, cloud documents, smart calendar, video conference, and open platform. Larksuite uses industry-leading technologies, safeguards, and security measures to ensure the protection of products and user data throughout the data lifecycle. The design, development, and operation of Larksuite meet the compliance and user privacy standards.

1. Security Team and Functions

As a SaaS service provider, The Company places the security of user services and data as its highest priority. The Company has a complete security infrastructure and a user service and data security protection system. Lark's security team consists of security management and compliance, business security, data security, emergency response, and security tool development teams. Its responsibilities include security assessment of product design, code security review, vulnerability scanning, penetration testing, threat intelligence, intrusion detection, emergency response, data security, security compliance, and more.

2. Compliance and Privacy

The Company attaches great importance to product compliance, and the Security and Compliance Department is responsible for managing compliance with the highest standards at home and abroad. Lark has a dedicated privacy team that reviews user privacy protocols, product privacy protection design, and the collection and use of user data to ensure that users' data is used and processed correctly and that its use is reasonably transparent to users.

The Company actively follows international requirements for product compliance and works with various levels of regulatory agencies to ensure that its products and services meet the requirements.

Lark has passed ISO 27001 certification, which is a set of industry-wide adopted security management system standards. It is regarded as one of the most authoritative and strictest information security system certification standards in the world. The data center, management system, R&D, and functional departments of Lark have passed this certification, which means that the Company has met the international standards of information security management and has sufficient information security risk identification and control capabilities to provide safe and reliable customer service around the world.

Lark has passed ISO 27018 certification, which is the international standard for the protection of personal information in public clouds. It guides implementation of security control systems for personally identifiable information (PII) in public clouds. Lark's ISO 27018 certification is proof that we have achieved a high standard in protecting corporate data, securing users' personal information, and preventing information leakage.

System and Organization Controls (SOC) Reports are independent third-party examination reports about the internal control of the service organization, issued by professional third-party accounting firms based on the relevant guidelines of the American Institute of Certified Public Accountants (AICPA). SOC 2, one of the report types, defines standards for managing customer data based on Trust Service Principles (security, availability, processing integrity, confidentiality, and privacy). Lark has passed the SOC 2 Type I audit and attained an appraisal report, which indicates that our systems are reliable and secure. We can securely manage customer data and protect the interests of the organization and the privacy of our customers.

The certification marks Lark's success at achieving a more standardized and normalized level of information security management, service quality management, IT service management, etc., laying a solid foundation for the improvement and perfection of the Company's overall quality system.

3. Employee Security

Lark has established security human resource management processes:

• The recruitment of new employees must be approved by the human resource (“HR”) specialist and the leaders of the department requesting the resource. The recruitment process and results are recorded in the human resource management system.
• Before a new employee is hired, the Human Resources Department must conduct a background check, subject to the laws and regulations of the country and according to the importance of the employee’s position, to ensure that the recruitment meets the Company's rules and regulations.
• Newly hired employees are required to sign the employment contract and confidentiality agreement, which describe the employee’s obligations and responsibilities on information security.
• The Legal Department reviews the legal terms enclosed in the employee confidentiality agreement and third-party confidentiality agreement at least once a year, makes updates as needed, and publishes the updated agreements through the internal knowledge platform to ensure that all employees and relevant personnel have access to the latest confidentiality agreements.
• An employee's resignation must be initiated in the human resource management system by the employee himself or herself or by the department leader, and must be approved by the Human Resources Department, the IT Department, and other functional departments before the official resignation.

Lark has established a comprehensive training and learning system. Newly hired employees are required to participate in trainings on corporate culture, rules and regulations, information security, and reward and punishment mechanisms. Meanwhile, the Company organizes the following trainings on an aperiodic basis and in multiple ways to enhance employees' professional knowledge, skills, and information security awareness:

• Information security related trainings, to enhance employees' information security skills;
• Information security activities, to promote information security awareness;
• Preparing materials on security awareness topics and delivering them to employees via emails and posters.


4. App Security

4.1 Operating Environment Security

The Lark App stringently tests its running environment, including root detection, jailbreak detection, debugging detection, injection detection, etc. The purpose of this screening is to ensure that the client runs in a safe and trusted environment and to guard against the App being hacked or infected by malware.

4.2 Data Security

Lark App uses the operating system's security mechanism to isolate the permissions between apps. Client information is encrypted for storage. Full-link communication between the client and the server is encrypted with HTTPS or WSS.

4.3 Security Vulnerability Protection

Lark has a full-time mobile security vulnerability mining team that conducts security assessment and vulnerability mining for the Android, iOS, Windows, and macOS clients, as well as vulnerability detection of the client’s third-party components (libraries, SDKs), to root out existing vulnerabilities in applications as much as possible and ensure the security of the client.

4.4 Client Security Strategy

Customer administrators can configure custom security policies through the management console and apply them to their clients. The configurable security policies include a local message storage period, client login timeout and automatic exit, and so on.

5. Network Security

5.1 Network Access Control

Lark uses Amazon Web Services (AWS) to provide infrastructure services, including server rooms, networks, servers, operating systems, etc., and to provide infrastructure security services. Based on AWS, The Company enhances its security control over server access, and all services must be operated and audited through the bastion machine.

Employees need to be authenticated to access internal resources. After confirming their identity, employees have minimal permissions by default. Acquiring new permissions needs to be approved and recorded by the relevant responsible personnel. Permissions have an expiration date, and the system automatically reclaims permissions after the expiration date. Employees' online service operations are performed through the bastion machine, and all operational logs are retained for audit use.


All employees outside the corporate network boundary need to access the company's internal resources through a VPN connection. Lark's internal audit and control department will audit the access log, search the records for violations of protocol, and handle corresponding reprimands.

5.2 DDoS and Cyber Attack Defense

Lark Service provides customers around the world with access to its network through CDN and dynamic acceleration, and with access to back-end services through AWS’s load balancing. When DDoS attacks are encountered, attack defense is carried out through a network cleaning service provided by, for example, AWS or Akamai.

5.3 Network Transmission Encryption

Lark Service traffic is transmitted via HTTPS and WSS in both internal and external networks at all times, which ensures the security of the transmission process and prevents eavesdropping and tampering.

6. Server Security

Lark uses cloud servers of AWS to serve its customers.

Amazon provides cloud server security from the physical to the virtualization layer. For details on cloud server security provided by AWS, please see the Amazon Cloud Security White Paper: https://d1.awsstatic.com/whitepapers/Security/Security_Compute_Services_Whitepaper.pdf

7. Application Security

Lark shall take appropriate measures to protect the development process.

7.1 Security Development Process

We strive to control security risks from the source of security breaches. We produce security courses and provide on-site and online training. All developers and product managers receive security training to understand the causes of security vulnerabilities and strengthen their coding knowledge. The security team communicates with the project manager at the start of the project to ensure that the security requirements and security testing are reflected in the project plan. At the same time, the security team evaluates third-party libraries and tools used by the product and identifies any vulnerabilities in them to ensure that no vulnerabilities are introduced by the supply chain. The security team works with the product team to conduct a security review of the design and coding. Before the product goes online, a penetration assessment and a security assessment of the deployment are performed to ensure the security of the service.

7.2 User Account Security

The user's access to the Lark system is authenticated using a password plus a dynamic verification code, which effectively avoids account leakage caused by password loss. For logins initiated on unrecognized devices, the risk control strategy increases the difficulty of a user's login verification. At the same time, the account system can defend against abnormal and brute-force login attempts. The risk control system provides protection against malicious registration and credential enumeration attacks, among other protection functions.

7.3 Vulnerabilities and Emergency Response

The Security team receives and reviews vulnerabilities reported from the outside and assesses their harm and urgency in order to fix them.

The Company uses a routine scanning service to scan its services and operating systems and repairs any vulnerability that is detected.

The Company's security team works in close cooperation and regular communication with the top third-party evaluation companies and the White Hat Community, and occasionally invites outside companies and white hats to conduct penetration testing on services, with rewards for discovering as many security vulnerabilities as possible.

The Company's security team operates a 24/7 emergency response strategy. When a security incident occurs, the security team will quickly classify the event according to the security emergency plan and initiate an emergency response process to prevent the security incident from expanding.

8. Data Security

The Company has a complete data life cycle management process with a technical guarantee for each stage of the data life cycle, including generation, storage, usage, transmission, sharing, and destruction.

8.1 Data Transmission

The Company provides users with data transmission channels that support secure encryption protocols. Data transmission such as message pull, identity authentication, and operation instructions is encrypted through HTTPS and a 2048-bit RSA key. Message push uses the WSS protocol to protect the transmitted data through encryption. The cloud documents service is encrypted in transmission using the symmetric encryption algorithm AES256.

8.2 Data Storage

The Company uses the key mechanism to support the encrypted storage of data.

Lark has developed a comprehensive data classification and management method and has strictly classified the user information collected by the Lark Suite. Lark has encrypted sensitive data stored in systems, which can effectively protect user information.

The KMS service is responsible for the lifecycle management of keys and sensitive configuration information, including generation, storage, distribution, use, update, deletion, and more. The master key used for data encryption of Lark users and other sensitive information of the Lark service (such as database accounts, passwords, etc.) is stored in the KMS system, which is maintained by Lark itself, and access must be performed through the KMS interface. When the key is initialized, the KMS system uses Shamir's Secret Sharing protocol to generate 5 key components, which are distributed to management roles in different functions. The master key of the KMS system can be restored only when more than 3 key components are provided. The KMS master key will be periodically updated to improve the security of the KMS.

8.3 Data Access

User data access is strictly isolated through permissions. Users cannot access each other's accounts without authorization. Access to data must be done through explicit approval by the data owner, such as sharing.

The Company's employees' access to user data is strictly limited and audited, and employees do not have access to any user data by default. Special access requirements are subject to explicit authorization by the user and a strict internal approval process to obtain temporary access rights, and these permissions are reclaimed immediately after the operation is completed. The login log, operation log, server security baseline file changes, and access permission change log of all servers in Lark's online environment are recorded; real-time auditing of illegal access and risky operations is performed through automatic detection, and alarms are generated. Lark keeps detailed log records of activities on the data, and different operator roles are distinguished and granted different permissions accordingly. Operations require approval and auditing.

The Company and Lark will not disclose a user's information publicly unless The Company or Lark has the user's consent. However, in the event that a user's data is required in accordance with laws and regulations, mandatory administrative enforcement, or judicial requirements, The Company or Lark may disclose a user's personal information to regulatory, law enforcement, or legal authorities in accordance with the type of personal data required and the manner in which disclosure is required. When we receive a disclosure request, as permitted by laws and regulations, we will require the issuance of legal documents corresponding to the applicable code. We will only provide data that law enforcement agencies have legal rights to obtain for specific investigation purposes. Subject to laws and regulations, the documents we disclose are protected by encryption measures.

8.4 Data Disposal

When terminating service to a user, a Lark administrator will delete the user account information and will permanently delete the user's data in compliance with local laws and regulations. Unmounted disks need to be degaussed and destroyed to ensure there is no remaining information on the drive.

Resigned employees of the user entity can apply to the tenant administrator for account withdrawal. After the tenant administrator confirms that the group ownership, schedules, Docs, and other data within the resigned employee's account have been transferred, he or she contacts the Company through the Lark customer service function. The Company de-identifies the data and Docs of the requested account based on the tenant administrator's application.

When the Company signs a service agreement with the user entity, it states that when the service is terminated, the corresponding data will be disposed of according to the user entity's requirements.

Apart from the users in user entities' tenants, Lark Suite is also available to personal users. When an individual user needs to withdraw his or her account, he or she should contact the Company through the Lark customer service function, and the Company will provide a Lark Suite installation package with account withdrawal functionality. After the installation, the user can apply for account withdrawal in the software, and Lark Suite accordingly de-identifies the data and Docs of the requested account in backend databases.

8.5 Data Security Detection

The login behavior, operational behavior, server security baseline file changes, access rights changes, and data access behaviors of all servers in the Lark online environment are recorded. The security team monitors and analyzes abnormal behaviors by establishing user behavior profiles and unusual behavior models, and automatically detects various anomalous data access actions such as illegal access to data, malicious data crawling, abnormal login, privilege escalation, etc. Security devices can automatically alert on and block anomalous behavior.

9. Physical Infrastructure Security

Lark serves customers in different regions of the world through Amazon Web Service and Akamai.

9.1 Amazon Web Service (AWS) Infrastructure Security

As one of the cloud service providers of Lark, AWS provides services such as cloud servers. AWS itself operates, manages, and controls all of its hardware and software facilities from the physical layer to the virtualization layer. As the world's leading cloud service provider, Amazon has the industry's top security capabilities to provide users with infrastructure security. For details on the protection of cloud service infrastructure provided by AWS, please refer to the AWS Security White Paper: https://d0.awsstatic.com/whitepapers/Security/AWS_Security_Whitepaper.pdf

9.2 Akamai Infrastructure Security

Akamai is the world's number one CDN service provider, providing long-term, reliable, and stable acceleration services to customers across the globe. Lark delivers accelerated access to overseas customers through Akamai. For details on Akamai's security, please see the Akamai Security White Paper: https://www.akamai.com/cn/zh/about/ourthinking/white-papers.jsp

10. Disaster Recovery and Service Continuity

10.1 Backup and Disaster Recovery

The Company has established the Data Backup and Recovery Management Policy to standardize backup strategies, backup data retention, recovery testing methods, etc. for Lark Suite. Business databases have regular snapshots and backups, and data is stored in two places with three reserves. At the same time, the Company has deployed a backup performance monitoring mechanism to ensure the integrity of data backups. The Lark team regularly performs backup data recovery testing.

10.2 Service Continuity Guarantee

The service system access layer is accessed in a high-availability mode and through a public gateway service provided by Lark. The back-end uses multi-instance access to ensure the reliability of the service. Through detailed monitoring, if a traffic burst or fault happens, the degraded operation mode will be used to ensure service availability.

Lark has developed plans that provide guidelines on emergency response and recovery measures for scenarios that may lead to business disruption. Lark conducts business impact analysis and risk assessment once a year to identify significant business processes and threats that may cause disruptions to the Company's business and resources; defines indicators such as maximum tolerable outage time, recovery time target, and minimum service level, etc.; and develops respective response strategies for disruption scenarios of different business lines.

10.3 Emergency Drills

The Company has a complete emergency drill mechanism and conducts fault drills regularly with participants such as the development team, the security team, the operation and maintenance team, etc.

11. Change Management

11.1 Program Changes

The Company has established the Change Management Regulation to define the requirements and procedures for change management, including the establishment of a change plan, change approval, change implementation, etc. Change poses a potential risk to the stability, availability, and security of online services. Lark's development strictly controls the switch to prevent the balance of the service from being affected. Online operations require an operation application and can only be performed with approval. The release needs to be tested under small traffic to ensure the stability and security of the service.

11.2 Source Code Control

Lark has developed a strict source code management process, and developers can only access and manage the code repository corresponding to their team. R&D personnel have access only to the code repository that belongs to their own group. An owner of the specific code repository must be set for each project. If R&D personnel apply for access to a code repository belonging to another team, the application should be submitted in the code repository. The code repository will automatically grant access to the applicant upon receiving approval from the applicant’s team leader and the owner of the requested code repository.

11.3 IT Infrastructure Change

Lark manages network access by deploying an Access Control List (“ACL”) on the public network boundary. If changes are required to the ACL configuration baseline and the network access control policy, the operation personnel apply through the system workflow platform. An engineer from the System Department will implement the change after evaluating the rationality of the change request. Only authorized engineers from the System Department are granted access to change the network access configurations.

11.4 Monitoring Changes

An internal audit is performed by the Lark team each year to assess the operational effectiveness of the Company’s internal control system, including the controls related to change management. The audit results are summarized in the internal audit report. If any exception is identified, the Internal Audit and Internal Control Department will inform the team in charge to take remediation measures and will track the remediation status. Segregation of incompatible responsibilities exists in the process of change management, including change development, testing, approval, migration, and monitoring.

larksuite.com