Security Compliance and Privacy Protection | Description |
ISO/IEC 27001:2013 Information security management standard | ISO/IEC 27001:2013 is the internationally recognized standard for information security management systems (ISMS). TRTC is certified to ISO/IEC 27001:2013, which reflects Tencent Cloud's commitment to security and demonstrates that a systematic, effective information security management system is in place to deliver reliable information services. |
ISO/IEC 27017:2015 Guidelines for information security controls applicable to the provision and use of cloud services | ISO/IEC 27017:2015 is a practical standard for the information security of cloud services. It specifies security controls and implementation guidance for both cloud service providers and cloud service customers, and it supplements ISO/IEC 27002 with a security specification for cloud development and operations. TRTC is certified to ISO/IEC 27017, demonstrating its information security management and protection capabilities for cloud services. |
ISO/IEC 27018:2019 Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors | ISO/IEC 27018:2019 is a code of practice for the protection of personally identifiable information (PII) in public clouds. Building on the ISO/IEC 27001 information security standard, it adds controls specific to the protection of PII processed in public clouds and strengthens the PII protection capabilities of public cloud providers. TRTC has passed ISO/IEC 27018 certification, demonstrating that it meets industry best practice in protecting customer data, intellectual property, documentation, and cloud IT systems. |
CSA STAR Certification | CSA Security, Trust, Assurance and Risk (STAR) is a global cloud security certification based on the Cloud Controls Matrix (CCM) of the Cloud Security Alliance (CSA), an international not-for-profit organization. It validates that a cloud vendor meets specific requirements in the field of cloud security. As an enhanced version of ISO/IEC 27001 for cloud providers, it makes cloud security issues visible and gives vendors an intuitive framework for assessing their security management capabilities. TRTC has received CSA STAR Certification, demonstrating its cloud service protection capabilities. |
SOC Audit | SOC reports are a series of reports on the internal controls of a service organization, issued by independent third-party accounting firms in accordance with the applicable guidelines of the American Institute of Certified Public Accountants (AICPA). As a leading cloud service provider, Tencent Cloud adopted the 2017 version of the Trust Services Criteria for its SOC audit in 2017, becoming the first provider in China to do so. The SOC report attests that TRTC has established and operates effective internal controls, and TRTC continues to undergo regular third-party audits to maintain compliance with the report's requirements. |
Cybersecurity Classified Protection Certification | Cybersecurity Classified Protection 2.0 (CCP 2.0) came into force on December 1, 2019. Compared with the previous scheme, CCP 2.0 shifts the emphasis from passive protection to active protection across the entire pre-event, mid-event, and post-event process, covering security and reliability, dynamic perception, and full auditing, and it extends to traditional information systems, basic information networks, cloud computing, mobile internet, IoT, big data, and industrial control systems. In line with CCP 2.0 and applicable regulations, the Tencent Cloud public cloud TRTC PaaS service platform has been registered and evaluated for compliance with Cybersecurity Classified Protection Level 3, so that enterprise users across industries and businesses can build CCP-compliant services on the platform. |
Security Control of Transfer Network | Description |
Encrypted transfer | To protect the confidentiality of audio/video data in transit, TRTC offers both built-in encryption and custom encryption for the transmission link. Built-in encryption is enabled globally by default for TRTC PaaS and covers the whole data path, so that data is encrypted throughout transmission. |
Resource isolation | TRTC allocates dedicated resources to each TRTC application (SdkAppId), keeping it independent of other projects and providing a secure, reliable guarantee of computational resources. After registering in the TRTC console, developers and users need only a few simple operations in the console to create TRTC applications (SdkAppId) and have the corresponding resources allocated. |
Room isolation | TRTC creates an independent, isolated channel (RoomId) for each audio, video, or message session. All rooms are logically separate: a user can join a given channel only by using a TRTC application with the same SdkAppId and the same room name. A room is created when a session starts and torn down when the session ends (when the last user leaves), so transmission isolation is enforced at room level. |
Identity verification | When a user connects to TRTC PaaS services through a TRTC application, TRTC authenticates the room-entry request with a credential derived from the SdkAppId and the application's secret key, giving developers and users a strong authentication mechanism for their end users. |
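The room-entry credential described in the row above, as an added illustration that is not TRTC's own UserSig code or format (TRTC's exact credential layout and its server-side generation libraries are documented separately; the field names, the `example-1` version tag, the SdkAppId and the key below are all constructed). It shows the pattern the row relies on: the application's secret key stays on the developer's server, which mints a signed, time-limited credential bound to one SdkAppId and one user; the service recomputes the HMAC, compares it in constant time, and rejects credentials that are forged, tampered with, issued for a different SdkAppId, or expired.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed example values. A real SdkAppId and secret key are issued in the
# TRTC console; the key must stay on your own server and never ship in a client.
SDK_APP_ID = 1400000000                                     # hypothetical SdkAppId
SECRET_KEY = b"example-secret-key-kept-on-the-server-only"  # constructed


def _payload(sdk_app_id, user_id, issued_at, expires_in):
    # Canonical, newline-separated field list. Signer and verifier must agree on
    # the exact order and format or the HMAC will not match.
    return (
        f"sdkappid:{sdk_app_id}\n"
        f"user:{user_id}\n"
        f"issued:{issued_at}\n"
        f"expire:{expires_in}\n"
    ).encode()


def _encode(token):
    # Compact JSON, URL-safe base64 so the credential can travel in a query string.
    return base64.urlsafe_b64encode(
        json.dumps(token, separators=(",", ":")).encode()
    ).decode()


def mint_credential(sdk_app_id, user_id, secret_key, expires_in=86400, now=None):
    """Server side: sign a room-entry credential for one user of one SdkAppId."""
    issued_at = int(time.time()) if now is None else now
    sig = hmac.new(secret_key, _payload(sdk_app_id, user_id, issued_at, expires_in),
                   hashlib.sha256).digest()
    token = {
        "ver": "example-1",          # hypothetical version tag, not TRTC's
        "sdkappid": sdk_app_id,
        "user": user_id,
        "issued": issued_at,
        "expire": expires_in,
        "sig": base64.b64encode(sig).decode(),
    }
    return _encode(token)


def verify_credential(credential, expected_sdk_app_id, secret_key, now=None):
    """Service side: return (True, user_id) on success, else (False, reason)."""
    now = int(time.time()) if now is None else now
    try:
        token = json.loads(base64.urlsafe_b64decode(credential))
        sdk_app_id = int(token["sdkappid"])
        user_id = str(token["user"])
        issued_at = int(token["issued"])
        expires_in = int(token["expire"])
        sig = base64.b64decode(token["sig"])
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    # A credential minted for another application must not open this app's rooms.
    if sdk_app_id != expected_sdk_app_id:
        return False, "wrong sdkappid"
    expected = hmac.new(secret_key, _payload(sdk_app_id, user_id, issued_at, expires_in),
                        hashlib.sha256).digest()
    # Constant-time comparison: never compare MACs with ==.
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if now >= issued_at + expires_in:
        return False, "expired"
    return True, user_id


def tamper_user(credential, new_user):
    """Attacker side: rewrite the user field without knowing the secret key."""
    token = json.loads(base64.urlsafe_b64decode(credential))
    token["user"] = new_user
    return _encode(token)


if __name__ == "__main__":
    cred = mint_credential(SDK_APP_ID, "alice", SECRET_KEY, expires_in=600)
    print(verify_credential(cred, SDK_APP_ID, SECRET_KEY))                         # (True, 'alice')
    print(verify_credential(tamper_user(cred, "mallory"), SDK_APP_ID, SECRET_KEY))  # (False, 'bad signature')
```

Because the signature covers the SdkAppId, the user and the validity window, a client cannot extend its own expiry or impersonate another user, and a credential leaked from one application is useless against another.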
SDK Security Support | Description |
SDK security and compliance | The reliability and security of TRTC SDKs underpin TRTC's basic capabilities. During feature iteration, TRTC assesses the reasonableness of each feature requirement with respect to compliance and privacy and evaluates its security risks, to ensure conformance with Tencent Cloud's compliance and privacy policy. During feature implementation, TRTC performs adequate and necessary quality and security tests, and carries out security checks, in particular compliance verification, wherever third-party SDKs or library files are imported or integrated. |
SDK content encryption | TRTC SDKs can encrypt all audio/video streams and messages at the data level with AES-128 symmetric keys. The encrypted data is sent to the nodes in the TRTC room over Tencent Cloud's proprietary transport protocol and is decrypted only by the receiving terminal for rendering, protecting the confidentiality of data in transit. |
Benefits of SDK security and compliance to developers | TRTC is dedicated to providing high-quality, secure, and lawful audio/video PaaS services for developers. TRTC SDKs ship with built-in encryption, helping developers and users improve data security and privacy compliance, meet their customers' security and privacy requirements as far as possible, and reduce development costs. |
Security of Computing Resources | Description |
Security management of devices in IDCs | TRTC has a complete specification for the day-to-day management of devices in its IDCs. It defines detailed management measures and service implementation standards covering physical environment security, routine inspection, exception monitoring and reporting, and power supply in the IDCs, and it meets TRTC's security compliance and baseline security requirements. |
Security of computing resources such as servers, databases, and middleware | Resources needed to run TRTC, such as CPU, memory, and disk, are scheduled and allocated according to business load. In day-to-day security operations, TRTC maintains security baselines and vulnerability management guidelines and runs in-depth threat detection to protect the basic computational resources on which its services run. |
DDoS mitigation | Because DDoS attacks can severely affect the availability of TRTC PaaS services, TRTC uses Tencent Cloud public cloud capabilities to deploy a DDoS mitigation scheme on its core services. The scheme detects and defends against network- and transport-layer DDoS attacks in real time: it continuously monitors network traffic, begins scrubbing traffic as soon as an attack is detected, and brings protection up within seconds. |
Security protection | Description |
Authentication | Before calling TRTC RESTful APIs, developers must log in to the Tencent Cloud console and create a dedicated SecretId and SecretKey pair, which uniquely identifies the calling account. |
Input verification | The TRTC server backend validates every developer request parameter and rejects invalid ones, preventing common vulnerabilities caused by malformed input. |
Transfer security | RESTful APIs support HTTPS only, so all API communication is encrypted with TLS. This protects both API credentials and the data in transit. |
API rate limit | The server enforces a limit on the API request rate, throttling requests from malicious users while continuing to serve legitimate requests. |
Emergency Response Mechanism | Description |
Business monitoring and alarming | TRTC runs a 24/7 monitoring mechanism that tracks the status of its business services and system operation. A unified set of monitoring tools provides event monitoring and automated alarming for metrics such as the running status and resource load of the system components behind the business services, including applications, middleware, computational loads, databases, and network devices. A bot notifies on-duty personnel of problems promptly, so that issues are discovered quickly and service is restored and kept available. |
Disaster recovery and redundancy | TRTC has designed redundant architectures for its core IDCs, taking into account the disaster recovery of devices as well as the infrastructure layer, computational load, and network structure under various extreme business scenarios. Tencent Cloud public cloud servers further guarantee the availability of TRTC's basic resources in unexpected situations. |
Continuity drill | To keep important business systems running continuously and efficiently and to keep improving their stability, TRTC regularly conducts emergency disaster recovery drills for the IDC network, middleware, and business systems, reviews the data from each drill, and improves its technical architecture, operational management process, and emergency plans accordingly. |
Process | Description |
Recruitment | Early in the recruitment process, TRTC assigns professional human resources specialists to verify candidates' education and work experience to ensure that they are competent. |
Onboarding | New employees must study the employee security policy to meet Tencent Cloud's requirements for security compliance awareness, and each signs a confidentiality agreement at the appropriate level. Employees in positions with access to important data must complete detailed study of the security compliance policy and pass an examination before taking part in day-to-day TRTC development. |
Employment | Employees must regularly attend security and privacy protection training and pass the required examinations. TRTC also organizes internal security- and privacy-related activities from time to time to keep raising employees' security awareness. |
Separation | Before leaving the team, employees must complete the handover defined by the separation process and have their access disabled. During the notice period TRTC audits their conduct as specified in the confidentiality agreement and reminds them of their information security and confidentiality obligations after separation. Separation is approved only once the work handover and data cleanup are complete. |