Tencent Music Entertainment Group (TME), the pioneer of online music services in China, faced challenges with efficient asset management and unified access authentication as their IT infrastructure expanded. By deploying JumpServer, an open-source bastion host, TME successfully built a flexible, secure, and controllable operations audit system, enhancing the user experience for over 800 million monthly active users.
About the Customer: Tencent Music Entertainment Group (TME)
Listed in December 2018, TME is the leading online music entertainment platform in China. It provides services centered around online music and social entertainment, boasting a massive user base with over 800 million total monthly active users. TME is dedicated to using technology to create infinite possibilities for music, allowing users to engage in creation, appreciation, sharing, and interaction.
The Challenge: Scaling Security with Growth
With the continuous growth of the Chinese online music market and TME’s rapid expansion, the company faced increasing demands on its IT infrastructure. TME’s IT security team identified several pain points with their previous operations security solution:
• Poor User Experience: The legacy system only provided a CLI (Command Line Interface), making operations and connection management difficult.
• Limited Scalability: As asset scales expanded, the old system struggled to meet requirements for openness and extendibility.
• Complex Asset Environment: TME needed a solution capable of managing diverse assets beyond Linux servers, including databases, container clouds, and application systems.
Goal: To build a unified access authentication and security audit system that ensures data controllability while enabling efficient maintenance.
The Solution: Why JumpServer?
After rigorous research and verification, TME selected JumpServer as their next-generation bastion host. Key factors driving this decision included:
1. Superior Operational Experience
Unlike the legacy CLI-only system, JumpServer offers a modern Web-based interface tailored to user habits, alongside support for traditional protocol client direct connections. The intuitive view layout and rich data display significantly improved operational efficiency.
2. Comprehensive Asset Support
JumpServer goes beyond standard Linux server management. It supports a wide range of asset types, including Databases, Kubernetes (Container Clouds), and Web Applications. Features like SQL-level auditing meet the specific needs of DBAs and general IT staff.
3. Open and Integrated Architecture
Recognizing that traditional hardware-software bundled products can be restrictive, TME valued JumpServer's "Open Source Software + Professional Service" model. This approach provided a solid foundation for building a self-controllable integrated solution.
Implementation Highlights: Building a Collaborative O&M System
Granular Permission Management
To ensure security, TME implemented a strict account segregation strategy within JumpServer.
• Server Assets: Divided into "Privileged Users," "Read-Only Users," "App Users," and "High-Privilege Users."
• Database Assets: Divided into "Program Accounts" and "Personal Accounts." Administrators pre-configure authorization rules, utilizing JumpServer’s work order system for temporary privilege escalation when necessary.
Enterprise Ecosystem Integration
TME leveraged JumpServer’s API and open architecture to integrate seamlessly with their internal systems:
• Unified Authentication (SSO): Integrated with TME’s self-developed auth system via OAuth 2.0, ensuring compliance and simplifying login.
• CMDB Synchronization: Automated data synchronization for hosts, network devices, and cloud services by linking JumpServer APIs with the internal Configuration Management Database (CMDB).
• Automated Workflows: Connected with the internal ticket system to automate asset authorization, reducing cross-department communication costs.
• Custom Login Logic: Implemented a unique "Pin + Token" unified login method to mitigate risks at the source.
The Results
The deployment of JumpServer has delivered significant benefits to TME’s IT security operations:
• Enhanced User Experience: The dual mode of "Web Access + Native Client" allows administrators to manage assets easily while letting ordinary users stick to familiar native clients.
• Full Data Hosting & Auditing: By combining JumpServer with application virtualization, TME achieved centralized management and comprehensive auditing for critical operations across various software systems.
• Agile Support & Co-Creation: JumpServer’s monthly iteration cycle and responsive customer success team have allowed TME to continuously explore and refine their security solutions.
Future Outlook
TME is currently planning to upgrade its deployment architecture from a cloud host cluster to a Kubernetes cluster deployment. This move aims to prepare for future asset scale expansion, ensuring an even more stable and efficient operating environment.