XiaoHongShu’s Zero Trust SASE Office Security Solution: Architecture, Challenges, and Implementation
XiaoHongShu’s award‑winning Zero‑Trust SASE Office Security Solution integrates all‑in‑one DLP, anti‑virus, identity‑bound access and distributed POPs to replace fragmented agents, delivering real‑time risk control, data‑non‑landing protection, multi‑level disaster recovery, and achieving 100% device coverage, an 80% reduction in data leakage and a 70% internal NPS after one year.
At the 2023 IDC Global CSO Cybersecurity Summit (China), XiaoHongShu was honored as the sole internet company in the IDC China Top 20 Outstanding Security Projects (CSO20) for its "Zero‑Trust SASE Office Security Solution".
The company faces growing data‑security demands due to strict regulations, remote‑office expansion across multiple cities, and a cloud‑native architecture. Protecting core data while maintaining high‑efficiency office workflows became a key objective.
Traditional DLP and sandbox products were deemed too heavy and disruptive for office productivity. The article introduces the Zero‑Trust concept—identity‑centric security that continuously authenticates, assesses trust, and enforces least‑privilege access.
Technical challenges identified:
Complex access‑control due to multiple roles and diverse users.
Variety of endpoints (Windows, macOS, iOS, Android) making conventional DLP ineffective.
Fragmented security products requiring separate management consoles.
Low openness of traditional products, limiting custom integration.
Multiple agents (VPN, EDR, DLP, UEM) consuming resources and degrading user experience.
Hybrid‑office environments increasing exposure risk.
Compliance with data‑protection laws (e.g., Personal Information Protection Law) demanding fine‑grained data controls.
To address these, XiaoHongShu evaluated BeyondCorp and identified its limitations (protocol compatibility, exposure of HTTP(S) services, insufficient endpoint control, high HA cost). By integrating SASE capabilities, the team designed a hybrid solution that leverages distributed POP nodes for high availability while preserving the company’s existing gateway‑based risk controls.
Solution components:
Terminal: All‑in‑one DLP, anti‑virus, and zero‑trust access, with policies that link endpoint security to access control.
Network: Office network transformed into a non‑privileged network; global POP nodes ensure high availability.
Identity: Client devices bind to user identities; the gateway validates identity on each request, mitigating credential theft.
The gateway now collaborates with the client: it detects client‑side security information in real time, redirects unauthenticated devices to a download page, and enforces security policies directly on the endpoint.
Real‑time risk control is achieved by feeding 4/7‑layer network logs and client logs into the risk‑control engine, enabling precise anomaly detection and response.
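A sketch of the per‑request gateway decision outlined in the identity, gateway and risk‑control points above, written here as an added illustration (not XiaoHongShu's code): a token is bound to a (user, device) pair, a token replayed from another device is rejected, devices without the client are redirected to the download page, and endpoint posture plus a risk‑engine score gate the final allow. The token format, posture fields, key and risk threshold are assumptions.

```python
import hmac
import hashlib
from dataclasses import dataclass
from typing import Optional

# Constructed demo key; a real gateway would load this from a KMS/HSM.
GATEWAY_KEY = b"constructed-demo-key"


def issue_token(user: str, device_id: str) -> str:
    """Enrollment: token bound to both the user and the enrolling device."""
    mac = hmac.new(GATEWAY_KEY, f"{user}|{device_id}".encode(), hashlib.sha256).hexdigest()
    return f"{user}|{device_id}|{mac}"


@dataclass
class Posture:
    """Security state reported by the client on each request (assumed fields)."""
    agent_present: bool
    dlp_enabled: bool
    av_enabled: bool


RISK_DENY_THRESHOLD = 80  # assumed score above which the risk engine blocks


def authorize(token: str, presenting_device: str,
              posture: Optional[Posture], risk_score: int) -> str:
    """Gateway decision: 'allow', 'redirect_download' or 'deny'."""
    # No client on the device: send it to the client download page.
    if posture is None or not posture.agent_present:
        return "redirect_download"
    # Identity binding: verify the MAC, then that the token was issued to this device.
    try:
        user, bound_device, mac = token.split("|")
    except ValueError:
        return "deny"
    expected = hmac.new(GATEWAY_KEY, f"{user}|{bound_device}".encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return "deny"  # forged or tampered token
    if bound_device != presenting_device:
        return "deny"  # stolen credential replayed from a different device
    # Endpoint posture: DLP and anti-virus must be active for access.
    if not (posture.dlp_enabled and posture.av_enabled):
        return "deny"
    # Risk engine verdict from 4/7-layer and client logs (score supplied by caller).
    if risk_score >= RISK_DENY_THRESHOLD:
        return "deny"
    return "allow"
```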
To prevent “red‑line” data leakage, XiaoHongShu adopts a "data‑non‑landing" strategy: data classification, API security, masking, and permission management are applied early; file downloads are replaced with online file access, moving control left in the development lifecycle.
A multi‑level disaster‑recovery mechanism is built: traffic normally passes through private POP nodes; upon failure, it automatically switches to public‑cloud POPs, with an additional WireGuard fallback that degrades to VPN if zero‑trust protection fails.
The team also developed a self‑branded security client, integrating internal tools and a customized UI, achieving 100% device deployment and a smooth transition to the zero‑trust architecture.
Results after one year include 100% device control coverage, an 80% reduction in red‑line data landing, and a 70% Net Promoter Score for the internal security platform. The solution delivers unified management, full‑lifecycle data protection, and high‑availability security services.
The article concludes with recruitment notices for a Security Development Engineer and a Senior Network Security Engineer, outlining required experience, skills, and application contacts.
Xiaohongshu Tech REDtech
Official account of the Xiaohongshu tech team, sharing tech innovations and problem insights, advancing together.