Navigating Through China's Cybersecurity Legislation
Doing business in China is a vital part of many companies' strategy. If your company already has a presence there, you probably know that Alibaba Cloud is the country's most widely used cloud-based server hosting platform, with more than a million paying customers. If you're currently outside China and looking for server capacity within the country, then it certainly makes sense to consider using Alibaba Cloud. But for any company with servers that are based in Mainland China, you need to abide by the rules. Thankfully, Alibaba Cloud's technology and services can help smooth the process.
A New Era in IT Regulation
In June 2017, the Cybersecurity Law of the People's Republic of China (the Cybersecurity Law) came into force. For the first time, it sets out clear rules on how companies must handle their users' and customers' information, and the penalties for failing to do so correctly. This new law in China, combined with the GDPR in Europe, could well mark the start of a new era of IT regulation and compliance, one that improves safety and security for consumers, businesses and governments.
Organizations that contravene China's Cybersecurity Law face fines of up to RMB 1 million (around USD $150,000), and individuals can be fined too, albeit not as heavily. Companies also face having income confiscated if that income is deemed to have been illegally obtained. In addition, the violator's website can be shut down or its entire business operation suspended.
Compliance with the Cybersecurity Law is an important aspect of IT management, and it is now vital to bear it in mind when designing systems and planning where they will be located. Breaching the law, even inadvertently, can be costly both financially and in terms of reputation.
We are continually being told about the benefits of moving systems to the cloud rather than hosting them in-house or on-premises. Cloud hosting often works out cheaper in the long run, especially when you take account of factors such as hardware depreciation costs and support staff, as well as capacity planning. There are no hardware depreciation costs because it's not your hardware. So when it needs replacing or upgrading, the cloud company simply gets on with the job and you shouldn't even notice it happening. And if you need some extra CPU power you can pay for it when you need it, and even remove it when you don't.
But what about legal compliance? Can cloud hosting, rather than in-house hosting, improve your ability to comply with the new Cybersecurity Law? Almost certainly, because its built-in features take care of many of the complexities behind the scenes, leaving you free to concentrate on the capabilities of whatever you need to develop or install on your cloud-based servers.
Preventing Viruses and Network Attacks
The Cybersecurity Law sets out some key obligations for companies, both foreign and local, operating in China, so let's run through those obligations and examine how hosting your services on Alibaba Cloud can help to ensure compliance.
Firstly, the Cybersecurity Law states that you need to "adopt technological measures to prevent computer viruses, network attacks, network intrusions and other actions endangering cybersecurity." This is sound advice and common-sense security, of course, whether running in the cloud or not. But Alibaba Cloud makes it easy to implement without you having to research, source, install and maintain products that may not otherwise have been tested against your particular hardware configurations.
Anti-DDoS Basic is included free of charge with all Alibaba Cloud ECS instances. Once enabled, it mitigates DDoS attacks by routing unusually heavy traffic from any single IP address away from the targeted destination before it ever reaches your servers, so your instances carry on running. This all happens automatically and in real time, with no action required on the administrator's part. It is available through the Alibaba Cloud Management Console, protects against attacks such as SYN flood and ICMP flood, and admins receive regular notifications to keep up to date with incidents and status.
Because Anti-DDoS also checks the User-Agent and Referer header fields, it also helps defend against so-called slow attacks, where hackers attempt to steal large amounts of information from a system or to probe its internals, but deliberately stagger their access (sometimes over many weeks) in the hope of avoiding detection.
To help guard against network intrusions, Alibaba Cloud instances can be secured with a Web Application Firewall (WAF) quickly and easily, at minimal cost. Again, this can be implemented through the Management Console and helps protect servers from known attacks. For example, hackers frequently use tools that automatically attempt to access servers and websites via a battery of pre-written exploits that is widely shared among the criminal community. Alibaba Cloud WAF contains signatures for these attacks and can detect them in real time. It can also spot many other hacker techniques, such as someone trying to submit unauthorized data via a web form or attempting SQL injection.
To avoid possible false positives, admins can choose to have the WAF operate in reporting mode, so that notifications of suspected violations are issued but no requests are blocked. This lets the administrator build up a picture of the particular types of threats the servers are facing, and reduce the attack surface accordingly, before enabling full blocking mode.
Recording, Tracking and Monitoring
China's Cybersecurity Law now mandates the adoption of measures for recording and tracking the status of network operations, monitoring and recording cyber incidents, and preserving related log files for at least six months. Again, Alibaba Cloud has this covered.
The basic Situational Awareness feature, available as standard, notifies the admin of any abnormal behavior detected in server instances. The server log feature records information about every action that an instance takes, and about all incoming requests. These comprehensive logs are invaluable not just for investigating possible incidents of cybercrime: they can also be used to track down the causes of performance problems, generate data from which to bill customers, and inform the decision on whether a server should be resized to increase performance or reduce cost.
As with all Alibaba Cloud features, detailed advice on managing logs is available from the website or from the company's team of implementation consultants. In the case of a cyber-attack, emergency response support is normally a phone call away, helping to handle issues quickly and within the terms of legal obligations.
The Cybersecurity Law requires that companies categorize their data, in order to identify important information (credit card details, salaries, passwords, etc.) that must be backed up and encrypted with more care than less sensitive data.
Alibaba Cloud includes facilities for backup and encryption to ensure data stays safe. In addition, snapshot features mean that admins can quickly set a reference point before undertaking any maintenance, patching or testing on a server instance, and subsequently revert to that point if things don't go as planned. Developers can use the Object Storage Service to ensure that data and files (up to 48TB) are automatically encrypted upon creation or upload, and transparently decrypted when accessed.
Fixing security issues when they are discovered, and even proactively looking for possible issues, is an important part of systems management, and Article 25 of the Cybersecurity Law requires that organizations take measures to do this. Alibaba Cloud can help here. The Server Guard facility provides real-time monitoring of servers and can automatically repair certain vulnerabilities if it finds them. In addition, Alibaba Cloud operates a Vulnerability Reward Program (think Bug Bounty) to encourage security professionals to seek and responsibly disclose potential issues within its infrastructure.
The ability to confirm a user's true identity is becoming increasingly important, and the requirement to be able to do this is covered by Article 24 of the Cybersecurity Law. Alibaba Cloud has a full set of systems in place, including verification by phone, SMS and email, to ensure that the identity of anyone attempting to access an organization's servers is correctly verified.
Article 47 of the Cybersecurity Law requires that companies are able to quickly detect and act upon information published by users that is prohibited by law. Network operators need to be able to delete such information and prevent it from spreading, while also keeping secure logs and other records. A range of content security products and services, available to operators of servers on Alibaba Cloud's infrastructure, helps implement this by allowing systems and databases to be scanned for possible infringing content. The user organization can then decide what action needs to be taken in order to remain compliant.
Although not without its problems, cloud computing can bring significant advantages for organizations over running their own data centers. For the skeptics, it also works well in a hybrid situation, where perhaps an existing data center maintains its historical functionality but new services, or tentative steps into new markets and territories, are cloud-based from day one.
Whichever cloud provider is selected, it is always sensible to use one that is based in the country where the business is transacted to ensure optimal speed, connectivity and support. But it is also vital to ensure that the user organization complies with local regulations, and that means selecting a cloud supplier which can make this as low-cost and hassle-free as possible.
Understanding and Addressing Risks
Finally, there may always come a time when you need expert help building the compliance regime. The Cybersecurity Law requires "important data and personal information" collected by critical information infrastructure operators to be stored in Mainland China. Information classed as "sensitive and important" that is collected in Mainland China also needs to be stored there. Operators also need to conduct risk self-assessments and provide evidence that they have been done. Under certain conditions, they may also be inspected by the authorities (Articles 37-39).
Alibaba Cloud's security and public policy experts can help organizations understand and address the risks related to cross-border data transfer. They can provide an overall assessment of current cross-border data transfer activities, conduct surveys, provide risk analysis reports and offer actionable compliance recommendations. They can also assist on an ongoing basis with regular policy-monitoring memos and information on cross-border data transfer policies and their impact on your business, in addition to regular or ad hoc conference calls and meetings.