Elastic Compute Service (ECS) instance, ApsaraDB for RDS MySQL database, Server Load Balancer, with Elastic IP and security group is the most common scenario for most applications hosted on the web. Although the system is functioning well, this type of deployment is deficient in terms of cyber security. This is especially true for servers used in production scenarios.
This article will focus on ECS and its security hardening requirements, which are easy to follow.
Reduce External Exposure of Alibaba Cloud Resources
As part of the design of your offering, you should have controls in place to ensure an ECS can only access their data and resources they are authorized to access. What controls can you put in place? What assurances can you offer to your ECS instance that their data can't be accessed by another ECS? This all bubbles down to the least privilege principle: the less you expose the offering to external world, the more secure design can be achieved.
In Alibaba Cloud this can be achieved through security group and network segregation of your offering.
Security group plays important role here, to segregate traffic,
Network segregation: After creating a VPC, the next logical construct is the vSwitch. vSwitch in Alibaba cloud are sub-networks within a VPC and are analogous to the subnets. One can add one or more subnets in each availability zone; however, each subnet must reside exclusively within one AZ and cannot span AZs. Here is one example how the production env is segregated in two AZ operating on different vSwitch and one staging environment which is on complete different vSwitch
Secure Bastion Hosts
A bastion host is a server whose purpose is to provide access to a private network from an external network, such as the Internet.
Some security points to be considered:
Hardening ECS OS Images
By default ECS provisioned OS images are open to world, it's security posture is not much as it's required for the production environment . This choice is left to end-user to take this responsibility of the OS hardening which is provisioned in the Alibaba ECS. The requirement should be approved by the hardening process or by leveraging an approved custom images.
The end user can benefit from the CIS benchmarking of the OS hardening process. Once the ECS OS is process by CIS benchmarking tool, the end user will be presented with the action to be taken off.
Vulnerability and Penetration Testing of ECS Instance
Before starting this activity, you need to request for permission from Alibaba to your root account. Once you permission is granted, then only you can start the Vulnerability Testing(VT) and Penetration Testing (PT) activity. Otherwise any suspected traffic spikes will be block by Alibaba Cloud Security Intelligence.
VT and PT is must perform activity of your production service, this ensure compliance and security governance of your managed resource.
Vulnerability management process ensure all the critical patch applied on the timely manner and all the required asset particularly ECS are covered.
Continuous Penetration testing process ensure, application exposed on Alibaba cloud service, are safe from black hat hackers and a continuous effort is gone to achieve the web security.
There are many resources in the Alibaba cloud which needs to be monitored performing any manual scrubbing on the logs are error prone tasks so take help of monitoring solution.
Some of the list of events which can be actively monitors for Alibaba ECS Linux Instances
Monitored from syslog events:
Monitored from system processes:
Monitored from the system:
Monitored from the file system:
For other fundamental resources , like SLB , OSS, RDS, and their security hardening requirements, please go to 11 Security Recommendations for Production Instances on Alibaba Cloud.
In this article, we will address these concerns by discussing the top 5 security considerations you should look out for in a cloud provider. The Alibaba Cloud Security team has also written a detailed security whitepaper, covering all your security concerns of deploying on Alibaba Cloud.
1. Security Architecture of Cloud Provider
The security features of Alibaba Cloud are built on top of an 11-layer security architecture dubbed the "Security Compass". The Alibaba Cloud Security Compass consists of four layers oriented at cloud platform and seven layers oriented at cloud users.
2. Security Features of Cloud Products
Obviously, one of the main considerations when it comes to ensuring security on the cloud is to make sure the products that you use are robust. This means that even without any additional security products and services, the cloud product of your choice must be able to withstand a variety of cyber-attacks.
Alibaba Cloud Elastic Compute Service (ECS) instances can achieve this by employing features such as tenant isolation. Tenant isolation is achieved by providing isolation between the virtual machine management (VMM) system and the customer's VM, and isolation between customer's VMs. On Alibaba Cloud, ECS instances that are assigned to different users are isolated, providing the needed security barriers among tenants.
3. Security Services Offered by Cloud Provider
Despite having all these security features, your IT infrastructure is still not completely immune to cyber-attacks. If you want to keep your data and applications secure, you should definitely consider investing in cyber security products offered by your cloud provider.
4. Security Compliance and Credentials
For users to operate freely across the globe, cloud providers need to adhere to domestic and international information security standards, as well as industry requirements. Cloud providers should integrate compliance requirements and standards into internal control frameworks, and implement such standards by design in their cloud platform and products.
5. Shared Security Responsibility Model
Alibaba Cloud and its customers are jointly responsible for the security of customers' applications built on Alibaba Cloud. On Alibaba Cloud, customers are responsible only for the security of applications built on top of or connected to the cloud. Alibaba Cloud, on the other hand, is responsible for the security of the underlying cloud service platform and infrastructure.
Security should be a first priority when deploying an Ubuntu 16.04 server on Alibaba Cloud. While Linux is considered secure out of the box, there is a lot more you can do to achieve adequate level of security on your system.
Alibaba Cloud offers Ubuntu 16.04 as one of the operating systems when deploying Elastic Compute Service (ECS) instances. This Ubuntu version is stable and ideal for running mission critical applications like web servers, email servers and database servers.
In this guide, we will quickly go over the Alibaba Cloud ECS instance security checklist to show you how to safeguard your Ubuntu 16.04 server.
In this document, you will get some useful information on the Operating system security hardening and Security deployment for application service software including web and database applications.
This topic describes how to manage security group rules. After you add security group rules, you can query, modify, restore, export, import, and delete them.
Uses IPsec VPN to securely connect your on premise network with Alibaba Cloud while maintaining a strong security posture mitigating the most advanced threats. Mitigate attacks targeting your VPC while gaining unprecedented visibility and control over your network traffic with Check Point's advanced threat prevention security. Simplify compliance and audits by consolidating logging and reporting across on-premise and cloud environments with Check Point SmartEvents.
Alibaba Cloud offers easy-to-use high-performance virtual machines with data transfer plan starting from $2.50 a month now.
Alibaba Clouder - July 19, 2019
Alibaba Clouder - July 18, 2019
Alibaba Clouder - July 10, 2020
Alibaba Clouder - February 14, 2020
Alibaba Clouder - April 26, 2019
Alibaba Developer - March 5, 2020
More Posts by Alibaba Clouder