Microservices Engine (MSE) - Security Protection Module Released to Simplify Security Configurations and Improve Data Protection Capabilities
Apr 11 2025
Target customers: customers who have high requirements for security capabilities but lack understanding of the Nacos security system.

Features released:

Security threshold display: allows users to understand the security status in real time.
The security protection module of MSE Nacos instances displays the security thresholds to help you quickly understand the current security configuration status. You can view the status of security features on the Basic Information page of a Nacos instance. The system highlights the security features that have not been enabled and provides redirect URLs so that you can quickly understand and configure features such as authentication, transmission encryption, and storage encryption. This reduces learning and operation time.
In most cases, the zero trust security best practices for MSE Nacos instances include:
● Authentication between the client and the console: authentication based on the Alibaba Cloud Resource Access Management (RAM) system.
● Storage security: configuration encryption based on Alibaba Cloud Key Management Service (KMS).
● Transmission security: transmission security based on Transport Layer Security (TLS).
Without the security threshold display, users need to spend time learning Nacos security practices, and because they often lack the relevant security knowledge, it is difficult for them to understand the current security situation. The security threshold feature allows you to view the status of security features on the homepage of an instance, which improves your understanding and management of security features.

Authentication module: allows you to intuitively configure custom policies.
MSE Nacos authentication includes console authentication and client authentication. The authentication feature is developed based on the Alibaba Cloud RAM system, which is highly flexible and supports multiple custom policies. However, users often encounter the following issues during the configuration process:
● Custom policies are poorly readable and difficult to configure.
● The applicable scope and limits of the authentication capability are difficult to understand.
● Registration authentication and configuration authentication are easily confused.
To resolve these pain points, the authentication module allows users to configure custom policies in a GUI:
● Graphical configuration: supports the configuration and export of graphical policies for console authentication and client authentication.
● Authorization granularity selection: supports authorization at the instance, namespace, group, service, or configuration granularity.
● Flexible permission configuration: allows you to grant read/write or read-only permissions on the resources in a resource list. Name prefix and suffix matching are supported for services and configurations.

Simulated client authentication: allows you to perform seamless traffic authentication drills.
After client authentication is enabled, the Nacos server intercepts traffic from all clients that do not meet the authentication requirements. Enabling formal authentication directly therefore carries the following risks:
● Business interruptions: unauthorized business clients fail authentication because their authentication configuration is missing or invalid, which may cause business interruptions and service unavailability.
● High troubleshooting costs: users need to manually identify the clients for which authentication is not configured. The process is burdensome and time-consuming, which increases O&M workloads.
The simulated authentication feature allows users to simulate authentication in advance without affecting existing services, and to comprehensively detect and collect statistics on the authentication configurations of all clients. Clients that do not pass authentication are recorded, but their traffic is not intercepted. An efficient security precheck enables seamless business changes and substantially reduces configuration risks.
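The authorization behaviour described above (granularity from instance down to a single service or configuration, read-only versus read/write access, name prefix and suffix matching) and the simulated-authentication drill (record clients that would fail, but do not intercept their traffic) can be modelled in a few lines. The following is an added Python illustration, not MSE Nacos or Alibaba Cloud code: the Resource, Rule and AuthServer types, the policy fields, and the sample client names and configuration names are assumptions constructed for the example, and real RAM policies are expressed differently.

```python
"""Illustrative model of scoped authorization plus a simulated (audit-only) mode.
Constructed example; not MSE Nacos code. Policy fields and names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Resource:
    """A Nacos-style resource, from coarse (instance) to fine (one service/config)."""
    instance: str
    namespace: str
    group: str
    name: str          # service name or configuration data ID
    kind: str          # "service" or "config"


@dataclass(frozen=True)
class Rule:
    """One policy statement. "*" at a level means 'any' (coarser granularity)."""
    instance: str
    namespace: str = "*"
    group: str = "*"
    kind: str = "*"
    name_prefix: str = ""      # "" matches every name
    name_suffix: str = ""
    access: str = "read"       # "read" (read-only) or "readwrite"


def _level_matches(pattern: str, value: str) -> bool:
    return pattern == "*" or pattern == value


def rule_allows(rule: Rule, res: Resource, action: str) -> bool:
    """True if this rule grants `action` ("read"/"write") on `res`."""
    scoped = (_level_matches(rule.instance, res.instance)
              and _level_matches(rule.namespace, res.namespace)
              and _level_matches(rule.group, res.group)
              and _level_matches(rule.kind, res.kind))
    if not scoped:
        return False
    # Prefix/suffix matching on the service or configuration name.
    if not (res.name.startswith(rule.name_prefix) and res.name.endswith(rule.name_suffix)):
        return False
    # Read-only rules never grant writes.
    return action == "read" or rule.access == "readwrite"


@dataclass
class AuthServer:
    """enforce=True blocks unauthorized traffic; enforce=False only records it."""
    policies: Dict[str, List[Rule]]                    # client identity -> rules
    enforce: bool = True
    violations: List[Tuple[str, Resource, str]] = field(default_factory=list)

    def authorize(self, client: str, res: Resource, action: str) -> bool:
        if any(rule_allows(r, res, action) for r in self.policies.get(client, [])):
            return True
        self.violations.append((client, res, action))
        # Simulated mode: the failure is recorded but traffic is let through.
        return not self.enforce

    def unconfigured_clients(self) -> List[str]:
        """Clients that would be intercepted once enforcement is switched on."""
        return sorted({c for c, _, _ in self.violations})


# Constructed sample policy: order-svc may read/write configs named order-* in prod.
SAMPLE_POLICIES = {
    "order-svc": [Rule(instance="mse-demo", namespace="prod", group="DEFAULT_GROUP",
                       kind="config", name_prefix="order-", access="readwrite")],
}
ORDER_CFG = Resource("mse-demo", "prod", "DEFAULT_GROUP", "order-db.yaml", "config")
PAY_CFG = Resource("mse-demo", "prod", "DEFAULT_GROUP", "pay-db.yaml", "config")


def run_drill() -> List[str]:
    """Replay constructed traffic in simulated mode; nothing is blocked, but the
    clients that would fail under enforcement are returned for remediation."""
    sim = AuthServer(policies=SAMPLE_POLICIES, enforce=False)
    sim.authorize("order-svc", ORDER_CFG, "write")   # allowed
    sim.authorize("order-svc", PAY_CFG, "read")      # prefix mismatch, recorded
    sim.authorize("legacy-svc", ORDER_CFG, "read")   # no policy at all, recorded
    return sim.unconfigured_clients()


if __name__ == "__main__":
    print("clients needing authentication configuration:", run_drill())
```

Running the drill first and fixing every client it lists, then switching `enforce` on, is the workflow the simulated authentication feature is meant to support; the same `authorize` call blocks those clients once enforcement is enabled.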
Help Document
https://www.alibabacloud.com/help/mse/user-guide/safety-protection-1