Data Security Construction at Qunar: Practices and Experience
This article describes Qunar's comprehensive data security framework, covering data classification, warehouse access control, permission compliance, encryption, leakage detection, and the supporting institutional policies that together enable a small security team to protect large‑scale business data.
1. Introduction
Information security is now a widely recognized discipline, yet many people still picture it through movies and hacker myths. In the early internet era, security practitioners were hard to distinguish from elite programmers; as the internet matured, security grew from a niche pursuit into a critical corporate function. More recently, geopolitical competition has made information security a strategic priority, which prompted Qunar to share its experience in building a security program.
2. Overview of Security Construction
Modern attackers are organized, profit-driven groups that target valuable data. For a medium-sized company like Qunar, protecting data is in practice the whole of the security problem, so data-centric controls form the core of the protection strategy.
3. Technical Aspects of Data Security
3.1 Data Classification
Qunar classifies data by business value rather than type, assigning higher security standards to data whose loss would cause significant financial damage. Interviews with data owners across business units helped define a tiered classification scheme, focusing resources on the most critical data warehouses.
3.2 Data Warehouse Control
Access rights to code repositories (GitLab, SVN), project-management platforms (Jira, Redmine), and data stores and processing platforms (MySQL, PostgreSQL, MongoDB, HDFS, HBase, Hive, Spark) are tightly audited. Automated scans and manual reviews flag unreasonable permissions, and abnormal downloads or SQL executions trigger alerts and automated remediation.
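The article does not show what "abnormal SQL execution" looks like as a rule, so here is an added example (not Qunar's code) of the kind of check an audit pipeline can run over database audit records. The table names, tier ceilings and the pipe-delimited log format are all assumptions constructed for the example; the idea is to combine the classification from section 3.1 with two signals, a read of a classified table without any WHERE or LIMIT clause, and a result set larger than the tier's ceiling.

```python
import re
from collections import Counter
from dataclasses import dataclass

# Tier assignments for classified tables (assumed names; tier 1 = most sensitive).
SENSITIVE_TABLES = {
    "users.identity": 1,
    "orders.payment_card": 1,
    "orders.booking": 2,
}

# Rows a single statement may return from a tier before it counts as a bulk export (assumed ceilings).
ROW_CEILINGS = {1: 1_000, 2: 50_000}

# Constructed audit records, not real Qunar logs. Fields: epoch|user|client_ip|rows_returned|sql
SAMPLE_AUDIT_LOG = """\
1700000001|alice|10.2.3.4|1|SELECT name FROM users.identity WHERE id = 42
1700000002|bob|10.2.3.9|250000|SELECT * FROM orders.booking
1700000003|mallory|10.9.9.9|20000|SELECT card_no, cvv FROM orders.payment_card
1700000004|alice|10.2.3.4|3|SELECT id FROM orders.booking WHERE uid = 7 LIMIT 10
1700000005|carol|10.2.5.1|500|SELECT * FROM analytics.daily_stats
"""

# Tables named after FROM or JOIN as schema.table; deliberately simple, not a full SQL parser.
TABLE_RE = re.compile(r"\b(?:FROM|JOIN)\s+([A-Za-z_]\w*\.[A-Za-z_]\w*)", re.IGNORECASE)


@dataclass(frozen=True)
class Alert:
    user: str
    client_ip: str
    kind: str        # "unbounded_read" or "bulk_export"
    detail: str
    sql: str


def referenced_tables(sql: str) -> set[str]:
    return set(TABLE_RE.findall(sql))


def is_unbounded(sql: str) -> bool:
    """A read with neither a WHERE clause nor a LIMIT touches the whole table."""
    upper = sql.upper()
    return "WHERE" not in upper and "LIMIT" not in upper


def analyse_audit_log(log_text: str) -> list[Alert]:
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, user, ip, rows, sql = line.split("|", 4)
        sensitive = [t for t in referenced_tables(sql) if t in SENSITIVE_TABLES]
        if not sensitive:
            continue  # unclassified data: outside this rule's scope
        tier = min(SENSITIVE_TABLES[t] for t in sensitive)  # strictest tier wins
        rows = int(rows)
        if is_unbounded(sql):
            alerts.append(Alert(user, ip, "unbounded_read",
                                f"tier-{tier} table(s) {sorted(sensitive)} read without WHERE/LIMIT", sql))
        if rows > ROW_CEILINGS[tier]:
            alerts.append(Alert(user, ip, "bulk_export",
                                f"{rows} rows returned, tier-{tier} ceiling is {ROW_CEILINGS[tier]}", sql))
    return alerts


def offenders(alerts: list[Alert]) -> Counter:
    """Alerts per user, the first figure an on-call engineer would triage."""
    return Counter(a.user for a in alerts)


if __name__ == "__main__":
    for a in analyse_audit_log(SAMPLE_AUDIT_LOG):
        print(f"[{a.kind}] {a.user}@{a.client_ip}: {a.detail}")
```

On the constructed log, alice's and carol's statements pass (bounded reads, or unclassified data) while bob and mallory each raise both an unbounded-read and a bulk-export alert. The regex-based table extraction is the weak point of a real deployment; an audit log that already records the accessed objects, or a proper SQL parser, should replace it.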
3.3 Data Permission Compliance
Beyond warehouse-level controls, Qunar enforces permission policies at the platform, host, and user levels. Zero-trust principles guided the design of a unified permission-management service, and a lightweight network-level gatekeeper adds a second line of defence against privilege abuse.
3.4 Sensitive Data Encryption
Critical data is encrypted both at rest and in transit. The encryption service is provisioned to carry the full business load with spare capacity, and decryption requests require approval from senior technical leaders. Continuous monitoring compares the decryption volume each approval authorized with the volume actually performed, so that overruns and unapproved decryption stand out.
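The requested-versus-actual comparison is the part worth making concrete. The following is an added example, not Qunar's implementation: approval tickets (standing in for the senior-leader sign-off) carry a requester, an approved record count and a validity window, and the decryption service's events are reconciled against them. The ticket format, the event fields and the 10% overrun tolerance are assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Approval:
    """One approved decryption request (the ticket a senior technical leader signed off)."""
    ticket: str
    requester: str
    approved_records: int
    valid_from: int     # epoch seconds
    valid_until: int


# Constructed approvals, not Qunar data.
APPROVALS = {
    "TCK-101": Approval("TCK-101", "alice", 5_000, 1_700_000_000, 1_700_086_400),
    "TCK-102": Approval("TCK-102", "bob", 200, 1_700_000_000, 1_700_003_600),
}

# Constructed decryption-service events. Fields: epoch|ticket|caller|records_decrypted
DECRYPT_EVENTS = """\
1700001000|TCK-101|alice|2000
1700002000|TCK-101|alice|2500
1700002500|TCK-102|bob|150
1700004000|TCK-102|bob|100
1700005000|TCK-102|bob|300
1700006000||dave|40
1700007000|TCK-999|erin|10
"""

# Tolerate a small overrun for retries before alerting (assumed policy value).
OVERRUN_TOLERANCE = 0.10


def reconcile(approvals: dict, events_text: str):
    """Return (alerts, records_used_per_ticket). Each alert is (kind, caller, ticket, detail)."""
    used = defaultdict(int)
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ts, ticket, caller, n = line.split("|")
        ts, n = int(ts), int(n)
        if not ticket:
            alerts.append(("no_ticket", caller, "", f"{n} records decrypted without approval"))
            continue
        appr = approvals.get(ticket)
        if appr is None:
            alerts.append(("unknown_ticket", caller, ticket, f"{n} records decrypted"))
            continue
        if caller != appr.requester:
            alerts.append(("wrong_caller", caller, ticket, f"ticket belongs to {appr.requester}"))
        if not appr.valid_from <= ts <= appr.valid_until:
            alerts.append(("outside_window", caller, ticket,
                           f"used at {ts}, window ends {appr.valid_until}"))
        before = used[ticket]
        used[ticket] = before + n          # out-of-window use still counts: the data was decrypted
        ceiling = appr.approved_records * (1 + OVERRUN_TOLERANCE)
        # Fire once, at the event that first pushes cumulative usage over the ceiling.
        if used[ticket] > ceiling >= before:
            alerts.append(("overrun", caller, ticket,
                           f"{used[ticket]} decrypted vs {appr.approved_records} approved"))
    return alerts, dict(used)


if __name__ == "__main__":
    found, totals = reconcile(APPROVALS, DECRYPT_EVENTS)
    for kind, caller, ticket, detail in found:
        print(f"[{kind}] {caller} {ticket or '-'}: {detail}")
    print(totals)
```

On the constructed events, alice stays within her 5,000-record approval; bob's ticket is used twice after its window closed and crosses its ceiling on the second use; dave decrypts with no ticket at all and erin cites a ticket that was never approved. Counting usage even for out-of-window events matters: the question the monitor answers is how much plaintext left the service, not how much was properly requested.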
3.5 Data Leakage Detection
Qunar operates both external (via a Security Response Center and collaborations with white‑hat communities) and internal leakage‑detection systems. Automated scanners periodically probe code hosting sites and vulnerability databases, feeding findings into a semi‑automatic analysis platform for rapid remediation.
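As an added illustration of what a scanner that "probes code hosting sites" checks for once it has pulled a candidate file, the example below (not Qunar's scanner) looks for three leak indicators in file contents: hostnames under an assumed internal DNS suffix, AWS access key IDs by their well-known fixed shape, and credential-looking assignments whose value is long and high-entropy rather than a placeholder or template variable. The internal domain, the entropy threshold and the sample files are all constructed assumptions; only the AWS key ID shape (and the key in the sample, which is the documented AWS example value) is real.

```python
import math
import re
from collections import Counter

# Assumed internal DNS suffix; anything under it appearing in public code is a leak indicator.
INTERNAL_HOST_RE = re.compile(r"\b[\w.-]+\.corp\.example\.internal\b")
# AWS access key IDs have a fixed, well-known shape.
AWS_KEY_ID_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# key = value / key: "value" assignments whose key name suggests a credential.
CREDENTIAL_ASSIGN_RE = re.compile(
    r"(?i)\b[\w-]*(password|passwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?([^'\"\s]+)"
)
PLACEHOLDERS = {"changeme", "null", "none", "<redacted>", "xxx"}
MIN_SECRET_LEN = 12
MIN_ENTROPY_BITS = 3.5   # assumed threshold; tune against your own false-positive rate


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking secrets score high, words and placeholders low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def looks_like_secret(value: str) -> bool:
    if value.startswith("${") or value.lower() in PLACEHOLDERS:
        return False  # templated or placeholder value, not a real credential
    return len(value) >= MIN_SECRET_LEN and shannon_entropy(value) >= MIN_ENTROPY_BITS


def scan_text(path: str, text: str) -> list[tuple]:
    """Findings as (path, line_no, kind, evidence). For credentials the evidence is the key name only,
    so the finding itself never copies the secret into an alert channel."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for m in INTERNAL_HOST_RE.finditer(line):
            findings.append((path, line_no, "internal_hostname", m.group(0)))
        for m in AWS_KEY_ID_RE.finditer(line):
            findings.append((path, line_no, "aws_access_key_id", m.group(0)))
        for m in CREDENTIAL_ASSIGN_RE.finditer(line):
            if looks_like_secret(m.group(2)):
                findings.append((path, line_no, "hardcoded_credential", m.group(1).lower()))
    return findings


# Constructed "leaked" file contents, not real material.
SAMPLE_FILES = {
    "deploy/config.env": """\
# constructed deployment config
db_host = mysql-01.corp.example.internal
db_password = "s3cR3t!Kp9#mZq2vLx7"
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
api_key = ${API_KEY}
token = changeme
""",
    "README.md": "Run `make test` and open http://localhost:8080/\n",
}


def scan_files(files: dict) -> list[tuple]:
    out = []
    for path, text in files.items():
        out.extend(scan_text(path, text))
    return out


if __name__ == "__main__":
    for path, line_no, kind, evidence in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no} {kind} {evidence}")
```

The constructed config yields three findings (the internal hostname, the hard-coded database password, and the AWS key ID) while the templated `api_key` and the `changeme` placeholder are correctly ignored. Findings like these are what would feed the semi-automatic analysis platform the article mentions; the triage step there still has to confirm that a hit is live, since entropy alone cannot tell a real secret from a test fixture.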
4. Institutional Aspects of Data Security
Technical measures are reinforced by a three‑layer governance model: policies, standards, and detailed rules. Comprehensive security‑awareness training, role‑specific curricula, and regular examinations ensure that over 90% of staff develop a baseline security mindset. The governance framework promotes consistent data‑security practices across the organization.
5. Conclusion
Qunar's experience shows that solid data‑security foundations—classification, access control, encryption, detection, and strong governance—enable a small security team to protect large‑scale business data. While advanced topics like zero‑trust, threat‑intelligence, and AI‑driven security are future directions, mastering the basics is essential for any organization.
Qunar Tech Salon
Qunar Tech Salon is a learning and exchange platform for Qunar engineers and industry peers. We share cutting-edge technology trends and topics, providing a free platform for mid-to-senior technical professionals to exchange and learn.