Information Security

From Zero to Secure: How Zhaogang Built Its Information Security Operations

This article details Zhaogang's journey from a chaotic startup environment to a mature, multi‑stage security operation, covering its background, the four‑phase security framework, traditional security domains, and practical strategies for driving security initiatives across the organization.

Efficient Ops

Preface

This article is divided into three parts:

1. Background and challenges of Zhaogang
2. Security operations
3. Security-driven initiatives

1. About Zhaogang

1.1 Development History

Zhaogang was founded at the end of 2011 in response to the national “Internet+” initiative and excess steel production capacity.

It is a full‑chain steel e‑commerce platform covering procurement, warehousing, transportation and financial services, initially a matchmaking service that later evolved into a self‑operated business.

Today the team exceeds 1,400 people, with overseas branches and an R&D center in Wuhan.

1.2 B2B Characteristics

Zhaogang is a traditional B2B internet company. Its user base is concentrated, its business volume is lower than that of consumer-facing platforms, and its core services run on an internal network.

1.3 Legacy Issues

Rapid growth left the physical data center chaotic, with unreasonable application deployment and incomplete monitoring. Security and operations have been built from scratch, moving toward standardization and automation.

2. Security Operations

The security program started from zero.

2.1 A Generic Formula for Security Operations

The process is divided into four stages:

Fire-fighting stage: address urgent problems such as external attacks, high-risk vulnerabilities, or service outages.

Construction stage: lay the foundation (network and production) and then extend to application-level security.

Optimization stage: develop custom tools and products to meet growing business needs.

External opening stage: expose security-related products to partners.

2.2 Fire‑fighting Series

In late 2015, high‑risk vulnerabilities were disclosed by a third‑party platform. The team patched them, performed comprehensive security testing, and delivered remediation guidelines for issues such as SQL injection and logic flaws.

Security training was provided to developers, many of whom lacked security fundamentals.

A security platform was built to track vulnerabilities, later expanded to include baseline construction, automated inspections, and log management for proactive alerts.

2.3 Traditional Security Architecture

Security is organized into five domains: basic security, application security, access control, operations security, and internal network security.

2.3.1 Basic Security

Includes network security, data security, system security, and physical security.

Network Security: design minimal-privilege zones, separate north-south and east-west traffic, implement wireless access control, and mitigate DDoS with ISP filtering and traffic-scrubbing devices.

Data Security: asset inventory, access control, backup (local, on-host, off-site), encryption, and storage protection.

System Security: harden databases, host access, OS, and workstations; restrict server access to operations staff and reclaim admin privileges.

Physical Security: improve site management, especially for remote branches without dedicated IT staff.
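To make the "minimal-privilege zones" and north-south/east-west separation concrete, here is an added example (not code from the article or from Zhaogang) that checks a set of firewall flow rules against a default-deny zone matrix. The zone names, the allowed matrix and the sample rules are all constructed for illustration.

```python
"""Added example: audit firewall allow-rules against a least-privilege zone
matrix. Zone names, the matrix and the sample rules are assumptions made
up for this illustration, not real Zhaogang policy."""
from dataclasses import dataclass

# Least-privilege matrix: (src_zone, dst_zone) -> allowed destination ports.
# Any pair or port not listed is implicitly denied (default-deny posture).
# "internet" is the north-south edge; every other zone is inside the DC.
ALLOWED = {
    ("internet", "dmz"): {443},
    ("dmz", "app"): {8080},
    ("app", "db"): {3306},
    ("ops", "app"): {22},
    ("ops", "db"): {22, 3306},
    ("office", "dmz"): {443},
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int
    action: str  # "allow" or "deny"

def classify(rule: Rule) -> str:
    """Tag a rule as north-south (crosses the internet edge) or east-west."""
    return "north-south" if "internet" in (rule.src, rule.dst) else "east-west"

def violations(rules):
    """Return (rule, reason) for every allow-rule the matrix does not permit."""
    bad = []
    for r in rules:
        if r.action != "allow":
            continue  # deny rules never widen exposure
        if r.src == "internet" and r.dst != "dmz":
            bad.append((r, "north-south traffic must terminate in dmz"))
        elif r.port not in ALLOWED.get((r.src, r.dst), set()):
            bad.append((r, f"{classify(r)} flow not in least-privilege matrix"))
    return bad

SAMPLE_RULES = [  # constructed sample rule set
    Rule("internet", "dmz", 443, "allow"),
    Rule("app", "db", 3306, "allow"),
    Rule("office", "db", 3306, "allow"),    # office straight to the database
    Rule("internet", "app", 8080, "allow"), # bypasses the DMZ entirely
    Rule("dmz", "db", 3306, "deny"),
]

if __name__ == "__main__":
    for r, why in violations(SAMPLE_RULES):
        print(f"{r.src}->{r.dst}:{r.port} [{classify(r)}] {why}")
```

Running it flags the two rules that break the matrix (office to db, and internet directly to app) while the explicit deny and the permitted flows pass.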

2.3.2 Application Security

Focuses on security assessment during PRD (product requirements document) review, post-deployment risk testing, and log auditing. The STRIDE model is recommended for threat analysis.

2.3.3 Operations Security

Emphasizes standardization, automation, and information-system support. Automation reduces manual work, improves incident response, and supports unified authorization using a 4A (account, authentication, authorization, audit) product.

2.3.4 Internal Network Security

Key controls include desktop security (process control, patch management, content filtering, asset management, file sharing, software audit), privilege reduction, and selective patch deployment based on business impact.

2.3.5 Authorization and Access Control

Identity management and single sign‑on are in place; access control is gradually expanded to cover resources and workflows.

3. Security‑Driven Initiatives

Beyond operations, the article discusses how to drive security strategy.

3.1 Resource Analysis

Assess available manpower, support, and resistance before launching security projects.

3.2 Fire‑fighting Phase

Maintain continuous monitoring, proactive response, and timely escalation to management.

3.3 Daily Operations Phase

Define owners, schedule tracking, enforce processes, and implement reward‑penalty mechanisms.

3.4 Construction Phase

Collaborate across operations, DBA, IT, and infrastructure to implement security measures despite limited staff.

3.5 Promotion and Implementation

Secure executive sponsorship, align security with development teams, and ensure policies are enforced from top‑down.

3.6 Balancing Security and Business

Security should serve business by preventing brand and financial loss; when security hinders user experience, a risk‑based trade‑off is required.

Tags: risk management, information security, infrastructure, security operations, B2B

Written by: Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
