Sensitive data access control security vendor "Zhongtu Shiren" raises tens of millions of RMB in Pre-A funding led by Linear Capital | Linear News

线性资本线性资本·September 16, 2022·1·0

The goal is to securely link every digital identity to business and digital assets.

The goal is to securely link every digital identity to business operations and digital assets.

36Kr has learned that Zhongtu Shiren (众图识人), a security vendor focused on sensitive data access control, recently completed a Pre-A round of funding worth tens of millions of RMB. According to sources, this round was led by Linear Capital, with Chixing Venture Capital participating, and Hangxing Capital serving as financial advisor.

Founded in November 2018, Zhongtu Shiren currently focuses on sensitive data access control, with the goal of securely linking every digital identity to business operations and digital assets. When asked why they chose this direction, the founding team explained that with data security incidents becoming increasingly frequent and relevant laws, regulations, and industry supervision policies being introduced one after another, enterprise business personnel are gradually paying more attention to addressing compliance and leakage issues in data access during business processes.

Taking banking scenarios as a specific example, customers' sensitive information may be leaked by employees during business operations rather than through deliberate hacker attacks. In Zhongtu Shiren's view, such problems must be solved through security measures that penetrate deeply into business operations. "Traditional security products typically operate on the IT architecture side, such as networks and databases. They can't go deep into the business itself," the founding team told 36Kr. Zhongtu Shiren's approach, by contrast, couples sensitive data security with business operations, minimizing data access permissions within business processes to reduce the possibility of data leakage.

Specifically, Zhongtu Shiren provides large organizations that need to process massive amounts of sensitive data with a lightweight, convenient dynamic policy management platform. The platform enables relevant departments responsible for sensitive data management and security compliance — including business units, risk control departments, and security departments — to make simple configurations based on business logic and their respective needs, simultaneously satisfying both business and security requirements.

Going further, Zhongtu Shiren explained that this product can provide financial industry users with scenario-based sensitive data access permission templates, and its platform's dynamic policy engine autonomously matches access control policies for mid-platform data. In terms of implementation, the company stated that it started with domestic top-tier banks, taking inventory of core internal systems with high volumes of sensitive information (i.e., core business systems accessible to employees) by mapping out business systems and business logic. It then matches data with permissions according to the specific circumstances of various business segments.

The main processes involved include customer business process mapping and asset surveying. First, in the customer business mapping phase, Zhongtu Shiren collaborates with top-tier banks to reorganize their business logic based on accumulated experience, forming access permission templates. In the asset surveying phase, it identifies interfaces through scanning and then discovers sensitive data within them. Once data assets are clearly mapped, relevant access control permissions are matched.

On the business side, the company stated that based on its low-code development platform, the platform can reduce current business transformation costs to 1/10 during adaptation with business applications, compressing deployment cycles from several months to within one week, thereby improving business operations management efficiency. Regarding data processing methods such as data permission approval and desensitization needed to complete the security loop, the company noted that due to top-tier financial clients' requirements for high concurrency and low latency, other products on the market lack the capability to enter production-side business environments in such scenarios. Therefore, Zhongtu Shiren is currently developing such products in-house to create a closed-loop effect with its platform.

In summary, the Zhongtu Shiren team aims to address the following pain points in privacy data access permission management for users:

  1. Traditional cybersecurity and business development are often in conflict, with security constraining and limiting business development in multiple aspects. But under the premise of digital transformation, business and security need to form a "native relationship." Achieving this "native" state — satisfying both security compliance requirements and business unit production needs — has become a new topic. In other words, data protection methods and approaches also need to evolve accordingly.

  2. Business developers are unfamiliar with policies and regulations, making it difficult to effectively implement access control requirements for applications and data as stipulated by laws and regulations such as the Data Security Law, Personal Information Protection Law, Personal Financial Information Protection Technical Specification, and Financial Data Security — Data Security Classification Guide;

  3. Already-deployed business systems carry high transformation costs, requiring substantial "person-day" expenses for system redevelopment and upgrading relevant data processing modules to ensure compliance in management when application systems call mid-platform data, impacting business uptime and operational efficiency;

In terms of deployment, the company stated that this product is currently deployed at large financial enterprises, supporting data access control for over 100 million daily transactions. In other product lines, Zhongtu Shiren also offers products including IAM on a unified platform satisfying hybrid cloud architectures spanning online and offline environments, and terminal authentication for replacing AD domains in domestic innovation (xinchuang) environments. Additionally, the company is planning to expand into industries such as telecommunications operators and public security.

On the team side, the company's core management members come from enterprises including Oracle, PingCAP, OSCGC, and Ant Group, with years of product and engineering experience in data management, large-scale data processing, and transaction processing.