Community Blog Security and Monitoring Practices – Alibaba Cloud Storage Solutions – Part 1

Security and Monitoring Practices – Alibaba Cloud Storage Solutions – Part 1

In this article, we will describe how you can implement a secure cloud storage solution using the Alibaba Cloud Resource Access Management (RAM) service.

By Shantanu Kaushik

Cloud storage has evolved in-sync with cloud computing. Over the years, different practices and trends have set a steady pace of development for the industry and the technology that drives it. Security and access control define the two most important parameters for any technology to work correctly.

Maintaining functionality and user experience is critical. Any product that can maintain a steady delivery system can account for high data durability. This persistence of service is what sets the Alibaba Cloud Storage solutions apart. In this article, we will showcase the implementation scenarios that make your choice of cloud storage a secure one.

Integration with industry-leading tools like the Alibaba Cloud Resource Access Management (RAM) service and the latest encryption model is the key focus of this article.

Security with Storage

Alibaba Cloud storage products, including Object Storage Service (OSS), Block Storage, and Apsara File Storage NAS offer extensive security capabilities. Security features like server-side encryption, client-side encryption, log audit, fine-grained access control, and hot-link protection are offered as standards. Retention policies based on WORM and lifecycle policy management are also an added benefit that comes by default with Alibaba Cloud Storage solutions.

Access Control

Access Control List

The Object Storage Service (OSS), Block Storage, Apsara File Storage NAS, and Storage Capacity Unit (SCU) offer an access control list (ACL). You can use this feature to control access based on permissions. You can assign read/write access based on user type. You can select authorization based on public and private access lists. You have the option to define these policies based on specific needs.

Resource Access Control

Resource Access Management (RAM) is used for identification and access control. You can set policies based on user responsibilities and manage users by configuring RAM policies. RAM allows you to create and define policies that can control resources assigned to a particular user of a group.

Hotlink Protection

Object Storage Service provides hotlink protection to avoid unauthorized access to your buckets. You can easily set the HTTP/HTTPS referrer to configure the referrer whitelist to allow requests from specific domain names. Access is also provided if the HTTP/HTTPS referrer is included with the request to access the OSS resource. Hotlink protection prevents any hotlinking of data in public read and public read/write buckets.


Server-Side Encryption

Server-side encryption for uploaded data processes the data to encrypt it while the data is uploaded and decrypts it back when it's downloaded. Server-side encryption is used to protect static data, which is recommended for high data security scenarios that may include online document collaboration or examples of deep learning.

You can implement the following methods for server-side encryption:

In this method, the Customer Master Keys (CMKs) are rotated regularly to ensure better security practices and to enable regular encrypting and decrypting operations on objects. Object Storage Service uses AES-256 for encryption of objects with different data keys. The data keys are generated and managed by OSS.

  • Server-Side Encryption With CMKs Stored in the Key Management Service (KMS)

SSE-KMS enables encryption and decryption of large amounts of data using a specified CMK ID or a default key stored in KMS. This is relatively a more cost-worthy method as there is no requirement of transmitting user data to KMS through networks.

KMS is secure, can be easily managed, and uses AES-256 encryption. Alibaba Cloud KMS has high integrity, security, and availability features and offers a seamless experience. It allows you to custom-build encryption/decryption solutions to align with your business needs.

Client-Side Encryption

Before the data is uploaded to OSS, client-side encryption is performed to encrypt objects. With client-side encryption, symmetric encryption is achieved by generating a random data key. This random data key is generated by the client and uploaded as a part of object metadata, which is stored on the Object Storage Service (OSS). Whenever an object is downloaded, the random data key is decrypted using the CMK, and the generated data key is used to decrypt the object.

There are two ways to use Client-Side encryption:

  • Using CMK managed by KMS
  • Using CMK managed by yourself

CMK Managed by KMS

The illustration below is an example of CMK managed by KMS:


The basic steps included are:


  • A specified CMK ID is used to request a data key. This data key is used to encrypt the object from KMS.
  • KMS returns a random data key and an encrypted data key.
  • The data key is used to encrypt the object.
  • The encrypted object and encrypted data key are uploaded to Alibaba Cloud OSS.


  • The encrypted object is downloaded
  • The encrypted data key is included in the object's metadata
  • CMK ID and the encrypted data key are sent to KMS
  • KMS uses the CMK to decrypt the data key and returns it to the client

Self-Managed CMK

In this scenario, the CMKs have to be generated by the client. When an upload operation is executed, you need to perform the client-side encryption of the object. You need to upload an asymmetric or symmetric CMK.

The illustration below depicts this scenario:


Encrypt an Object

  • Generate a CMK (Symmetric or Asymmetric)
  • Generate a random data key that is unique for each upload
  • The data key is used to encrypt the object
  • CMK is used to encrypt this data key
  • The encrypted data key is included in the metadata of the object

Decrypt an Object

  • Encrypted Object is downloaded
  • Encrypted data is included with the metadata
  • CMK is determined based on object metadata
  • The data key is generated using the CMK
  • CMK is used to decrypt the data key
  • The data key is used to decrypt the object

Wrapping Up

Data Security is an essential component of any service that is responsible for handling critical and sensitive data. Alibaba Cloud hosts a variety of services that enable and execute security parameters at the highest level. It is imperative to maintain data while at rest or while transmitting. It is the level of integration that makes any solution a reliable one. Alibaba Cloud's line of products works in sync to maintain and extend the high-standards of data durability.

Upcoming Articles

1.  Security and Monitoring Practices with Alibaba Cloud Storage Solutions – Part 2

We will focus on Object Storage Service Sandboxing, overall monitoring, and metrics collection with Alibaba Cloud Storage Solutions.

2.  Apsara File Storage NAS – What and How?

We will discuss the complete architecture and usage scenarios with the Apsara File Storage NAS solution by Alibaba Cloud.

0 0 0
Share on

Alibaba Clouder

2,605 posts | 747 followers

You may also like