We often talk about the impressive computing power needed to support a large-scale e-commerce event such as Alibaba's annual Double 11 Shopping Festival (Singles' Day). What is less visible is the challenge of protecting data at that scale, not only for the customers but also for the organization itself.
The man responsible for ensuring the security of Double 11 is Wu Hanqing, Chief Security Researcher at Alibaba Cloud, who is better known as "Brother Dao". In this article, Brother Dao will talk about Alibaba Cloud's various security measures to ensure the success of the Double 11 Shopping Festival.
About the Speaker
Wu Hanqing, also known as "Brother Dao", is a Chief Security Researcher at Alibaba Cloud. He has been involved in security technologies since 2000 and has been active in China's security community ever since. Wu joined Alibaba in 2005, becoming one of the early contributors to Alibaba security. He designed the application security systems of Alibaba.com, Taobao, Alipay, and Alibaba Cloud. From 2012 to 2014, Wu acted as a partner of Anquanbao and started his own business, committed to providing better cloud security products and services. He returned to Alibaba in 2014, becoming the lead of Alibaba Cloud Security. He wrote a book titled "Web Security Lessons by a White Hat Hacker", and opened his personal WeChat account / public Zhihu account called "Brother Dao's News".
Could you briefly introduce Alibaba Cloud Security to the readers?
Alibaba Cloud Security is a product and service designed to ensure user security. Apart from basic defense and security services against attacks, it also offers full-stack security solutions. Currently, Alibaba Cloud Security has 10+ security products, involving various aspects of network security, server security, application security, and business security. The Alibaba Cloud Security business is growing very fast. It now protects more than 37% of websites in China, defending the Chinese Internet against 50% of daily DDoS attacks. It verifies the feasibility of SaaS in the security sector in the true sense.
Which industry segment does Alibaba Cloud Security focus on?
Alibaba Cloud targets large, medium-sized and small enterprises in various sectors. It is an infrastructure, and I hope cloud computing can become a public service like electricity, water and coal supplies. Power plants do not differentiate their customers by industry when supplying power, and cloud computing should be the same. Alibaba Cloud Security targets all industries, no matter the size of the customer. However, different customers may have different service needs and standards, which is understandable, just like power supplies which also divide into residential electricity and industrial electricity. The service standards vary, but the products are the same.
We know that Alibaba Cloud protects the Alibaba Group ecosystem, but who will protect it in return?
Alibaba Cloud Security technology is also used to protect Alibaba Cloud. All our technologies are tested and matured internally at Alibaba before they are made available to our customers as products. So our products place special importance on practical effects. With regard to Alibaba Cloud's own security systems, we pay high attention to the confrontation ideology of "red army-blue army" and will invite white hats throughout the industry to conduct security tests on products. In this process, we will rely on the "visibility" ability of Situation Awareness to perceive each attack attempt, and ultimately limit the overall number of security events and loopholes. All these functions, such as precognition intelligence and situation awareness, are available as products and services within the Alibaba Cloud Security product ecosystem.
What is the difficulty in protecting on-cloud customers?
Cloud computing is a large-scale computing activity. Any transaction will become complicated and hard to handle once it becomes sizable. But this also opens an opportunity for innovation. A typical situation in large-scale computing scenarios is "small probability events becoming normal". For example, a regular website may not experience a single DDoS attack all year round. But in Alibaba Cloud, we have to defend against thousands of DDoS attacks every day. With such an attack magnitude, it is impractical to rely on handling this problem manually. This forces us to make technical innovations. As a result, we achieved fully automated protection against DDoS attacks with no human intervention needed at all. The whole process, from detection and response to defense, can be completed within one second for any DDoS attack.
Can you describe what situation awareness is?
Situation awareness is different from the traditional SIEM in two critical aspects. Currently, many security manufacturers have started to tap into situation awareness, but most of them just change the name of SIEM. This is a misunderstanding of situation awareness.
The earliest application covering situation awareness in the security sector was proposed after I officially launched the Alibaba Cloud Security Situation Awareness product at the Alibaba Security Summit in July 2015. In April 2016, President Xi made a speech and clearly pointed out the priority on the situation awareness of network security. The visibility empowered by situation awareness constitutes the foundation of the entire security field.
Situation awareness has two important features which differentiate it from other security products. The first is being based on raw data and maintaining full respect for the original data. Currently Alibaba Cloud Security analyzes more than 500T of incremental data every day and the data stock amounts to more than 100P. This allows us to get firsthand information by analyzing the raw data, instead of obtaining second-hand materials from third-party security devices. The most valuable information all rests in the raw data. When our algorithms are updated, we can still calculate the new values based on the old raw data.
Can you explain how full-chain monitoring and warning are achieved?
We collect data from sensors in various dimensions, including networks, servers, databases, and Layer-4 and Layer-7 data, as well as operation logs and system logs. Alibaba Cloud Security is deployed throughout the chain, including not only the full-network scanner, but also the traffic analysis and data analysis at the application layer, as well as server agents. Thanks to these, we can observe different phenomena from different perspectives. At the same time, Alibaba Cloud also provides APIs in various dimensions. Through RAM authorization, we can call some data provided by the cloud computing itself, and make a comprehensive diagnosis by integrating all the data.
What new cutting edge technology is Alibaba Cloud Security currently working on?
We hope to bring the powerful computing capability of Alibaba Cloud to full play in our security field. We know that the liberation of computing capabilities has generated a huge opportunity for deep learning and AI.
For example, we are researching methods to replace security experts with computers to perform all manual work, including all evaluation of results analysis, strategy maintenance and responses. All these jobs requiring advanced thinking and experience can be automatically completed by the machine, while they used to need experts to perform the tasks manually. We think it is feasible to let machines handle the tasks, and in some cases, the machines can do a better job than humans.
This is a huge project on which we are stepping up our effort. We would like to call this upcoming AI project "Cloud Security Junior" and I hope it will be a star employee among us.
How do we safeguard an event such as the Double 11 Shopping Festival?
Similar to O&M, security is actually one part of support services. Despite anticipating all possible outcomes, well-performed security measures are usually not perceivable. Just like how we protected the G20 summit, the Double 11 shopping carnivals over the past several years have been smooth thanks to the support of Alibaba Cloud Security. The challenge of Double 11 shopping carnivals comes from massive amounts of access requests, posing a demanding requirement for many solutions in such scenarios.
For example, during the Double 11 shopping carnival, we need to conduct centralized statistics and analysis on the traffic per second to domestic and overseas zones for security checks and responses. This indicates a very big challenge for analyzing several TBs of traffic across regions, requiring high stability and real-timeliness. If the checking capability is disabled for just one minute, it is likely to introduce a significant stress on the back-end servers, leading to an overall failure of the Double 11 performance.
What's more, we applied the WAF technology for the first time during the last Double 11 shopping carnival, and will continue to use it this year. That is to say, every request during Double 11 will go through the WAF security check, which requires strong detection capability and an elastic technical architecture. WAF supports dispatching more than 1 million policies at the same time, which has never been experienced at other security facilities.
Last but not least, the customers may be able to perceive our presence in that we adopted a "lossless traffic-limiting" technology during the Double 11 shopping carnival. Since nobody can predict the peak traffic of Double 11, and there may never be enough back-end servers, we adopt a "queuing mechanism" for requests that exceed the system load for security control. This mechanism will not drop your connection, but it makes you wait until it is your request's turn for system processing. This is similar to queuing up to buy an iPhone at an Apple store. People don't rush up in a crowd, but rather wait in line.
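The queuing mechanism described in this answer trades loss for latency: instead of refusing requests above the back end's capacity, it holds them in FIFO order and serves them as capacity frees up. The simulation below is an added illustration, not Alibaba Cloud's code; the traffic profile, the per-tick capacity, and the `Request` record are constructed assumptions. It runs the same spike through a drop-on-overload limiter and through a lossless queue, and reports what a defender would watch in each case: how many requests were refused, the longest wait any request endured, and the deepest backlog the queue reached.

```python
"""Drop-on-overload vs. lossless queuing admission control (constructed simulation)."""
from collections import deque
from dataclasses import dataclass
from typing import List, Optional

# Constructed traffic profile: requests arriving per tick (think "per second")
# during a short flash-sale spike. These numbers are made up for illustration.
SPIKE_ARRIVALS = [2, 7, 5, 1, 0, 0]
BACKEND_CAPACITY = 3  # assumed number of requests the back end can process per tick


@dataclass
class Request:
    rid: int
    arrived: int                  # tick at which the request arrived
    served: Optional[int] = None  # tick at which it was processed, if ever


def _expand(arrivals: List[int]) -> List[List[Request]]:
    """Turn per-tick counts into Request objects with sequential ids."""
    batches, rid = [], 0
    for tick, count in enumerate(arrivals):
        batch = [Request(rid + i, tick) for i in range(count)]
        rid += count
        batches.append(batch)
    return batches


def drop_excess(arrivals: List[int], capacity: int) -> dict:
    """Conventional rate limiting: anything above capacity in a tick is refused
    (in practice an HTTP 503 or a reset connection). No waiting, but real loss."""
    served, dropped = [], []
    for tick, batch in enumerate(_expand(arrivals)):
        for i, req in enumerate(batch):
            if i < capacity:
                req.served = tick
                served.append(req)
            else:
                dropped.append(req)
    return {"served": len(served), "dropped": len(dropped),
            "max_wait": 0, "peak_backlog": 0}


def queue_excess(arrivals: List[int], capacity: int) -> dict:
    """Lossless traffic limiting: excess requests wait in FIFO order and are
    served when capacity frees up. Nothing is dropped; the cost is latency,
    so the longest wait and the deepest backlog are the numbers to monitor."""
    batches = _expand(arrivals)
    waiting: deque = deque()
    served: List[Request] = []
    peak_backlog = 0
    tick = 0
    # Keep ticking past the last arrival until the queue has drained.
    while tick < len(batches) or waiting:
        if tick < len(batches):
            waiting.extend(batches[tick])
        for _ in range(min(capacity, len(waiting))):
            req = waiting.popleft()
            req.served = tick
            served.append(req)
        peak_backlog = max(peak_backlog, len(waiting))
        tick += 1
    max_wait = max((r.served - r.arrived for r in served), default=0)
    return {"served": len(served), "dropped": 0,
            "max_wait": max_wait, "peak_backlog": peak_backlog}


if __name__ == "__main__":
    print("drop-on-overload:", drop_excess(SPIKE_ARRIVALS, BACKEND_CAPACITY))
    print("lossless queue:  ", queue_excess(SPIKE_ARRIVALS, BACKEND_CAPACITY))
```

With the constructed spike, the dropping limiter refuses 6 of 15 requests, while the queue serves all 15 at the price of a two-tick wait for the requests caught behind the peak and a backlog that briefly reaches 6. In a real deployment those two figures (maximum wait and peak backlog) are what tell operators whether the queue is absorbing the spike or silently turning into a timeout problem for users.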
What contingency plans do you have for emergencies?
We have a professional emergency response team ready to handle all critical situations, including loopholes in products, security incidents on the cloud, problems reported by external sources, and some severe cases reported by our customers. We will collect all the information extensively beforehand, designate personnel on duty during the process to motivate all competent teams to respond, and organize postmortem observation and replays of the effect.
We often face some major security vulnerabilities with cloud computing that may influence hundreds of thousands of users. We can observe how some advanced threats sprawl and spread, or "security epidemics" as we call them internally. In fact, if we can stop the spread an hour earlier, we may save tens of thousands of users from suffering loss. So, our emergency response team is racing against hackers. All the emergency responses have a precondition: we need to observe the problems. This is where situation awareness' capability comes into play. So, the "visibility" capability of situation awareness is our core competency.
During the Double 11 shopping carnival, we have a dedicated support team to design dozens of pre-plans for various security emergencies. They started rehearsals of these pre-plans as early as several months before "Double 11" to ensure these plans are effective. They are on duty around the clock throughout the entire "Double 11" carnival.
Could you explain how Alibaba Cloud eradicates threats during the Double 11 Shopping Festival?
For example, during the Double 11 shopping festival, some mobile manufacturers will launch large promotions (for example, flash sales). Many scalpers usually exploit these promotions to purchase and stockpile goods, leading to market order disturbances. Therefore, we will get an overall situation perspective through threat intelligence and some black market analysis. This task is done by our dedicated intelligence teams and data analysis teams. During the Double 11 shopping festival, collected information will be applied on WAF to intercept these behaviors in critical processes. Meanwhile, the attackers often change their attack sources and tools and confront our policies. So, we must observe the effectiveness of our policies in real time. This task is done by our support teams and data analysis teams.
Can you recall any emergencies experienced during the previous editions of Double 11?
During last year's Double 11, many scalpers tried to snap up the flash sales products. However, through threat intelligence, we managed to analyze the rough distribution of scalpers nationwide, and the tools and resources they used. Before the Double 11 shopping carnival, we made quick launches of policies to block the tools and resources of the scalpers on primary websites with high traffic, ensuring normal business services. Our risk control strategies have met very frequent confrontations. It is common that an algorithm has to be updated once every half an hour.
We heard that live broadcasting has been added to this year's Double 11 Shopping Festival. Does Alibaba Cloud offer additional service support for this feature?
The live broadcasting business faces two major security issues: one is the live broadcasting interruptions by DDoS attacks, which may render all previous marketing efforts moot. Therefore we need to prepare anti-DDoS plans and exclude network quality vibrations. The other issue is that bullet screens in some live videos may contain some illegal and illicit information and cause negative social influences. So, live videos' UGC content needs to be checked. Alibaba Cloud Security's AliGreenNet was created to provide these checking and blocking services.
Apart from the Alibaba Group ecosystem, who else is responsible for making the Double 11 Shopping Carnival possible?
Alibaba is a large ecosystem. Throughout the Double 11 shopping festival, apart from Tmall and Alipay under Alibaba, the express delivery industry and ISVs that provide support for e-commerce also need to handle the direct traffic growth stress.
Our Aliexpress is an international C2C service and the biggest e-commerce platform in Russia. An Aliexpress promo activity even resulted in Russian Post being unable to handle the surging demand on delivery services. Similar issues also happen in China, which is also why Alibaba Group launched the Cainiao logistics service. We hope to optimize the global logistics system.
Businesses on Taobao and Tmall may need to handle dozens of times more orders during the Double 11 shopping carnival, which brings heavy pressure on their ISVs (such as CRM systems, stock management systems, and commenting systems). Jushita provided by Alibaba aims to relocate these ISVs on Alibaba Cloud to provide more powerful security protection. In fact, 90% of orders during the Alibaba Double 11 shopping festival will flow to these ISVs.
This year, Alibaba Cloud Security will work with Jushita to provide integrated security support for these e-commerce ISVs so as to ensure the smooth Double 11 shopping festival.
Double 11 is just around the corner. Do you have any messages to our readers?
Double 11 is a miracle not only for China but also for the world. Behind every Double 11 transaction lies large-scale computing resources and verification as well as several big data applications and security technologies. This is not only a business success but also a great technological feat. For all the shopaholics out there, I do wish you an enjoyable Double 11, but I also want you to take a moment to marvel at this technological miracle.