Alibaba Cloud Object Storage Service (OSS) provides a range of security features, including server-side encryption, client-side encryption, hotlink protection based on Referer whitelists, fine-grained access control, log auditing, and retention policies based on Write Once Read Many (WORM). OSS provides complete security protection for your data stored in Alibaba Cloud to meet your security and compliance requirements for enterprise data.

OSS is the only cloud service in China that has been audited and accredited by Cohasset Associates and meets specific requirements for electronic data storage. OSS buckets configured with retention policies can be used for business that is subject to regulations such as SEC Rule 17a-4(f), CFTC Rule 1.31(c)-(d), and FINRA Rule 4511(c). In addition, OSS is certified against the following standards:
  • ISO 9001, ISO 20000, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 29151, and ISO 27701
  • BS10012
  • CSA STAR
  • PCI DSS
  • C5
  • MTCS
  • GxP
  • TPN
  • Trusted cloud service authentication
  • SOC 1, SOC 2, and SOC 3
This topic describes the following security capabilities of OSS:
  • Access control: OSS provides access control lists (ACLs), Resource Access Management (RAM) and bucket policies, and hotlink protection based on Referer whitelists to control and manage access to your OSS resources.
  • Data encryption: OSS provides server-side encryption, client-side encryption, and encrypted transmission based on SSL or TLS to protect data from potential security risks on the cloud.
  • Monitoring and audit: OSS allows you to store and query access logs to meet your requirements for monitoring and auditing enterprise data.
  • Disaster recovery: OSS provides disaster recovery through zone-redundant storage (ZRS) and cross-region replication (CRR), for data centers in the same region or across multiple regions.
  • Data retention compliance: OSS supports the WORM mechanism, which prevents users from accidentally deleting or tampering with your data. This mechanism is applicable to business that is subject to the regulations of the U.S. Securities and Exchange Commission (SEC) and the Financial Industry Regulatory Authority, Inc. (FINRA).
  • Other features: OSS provides versioning to prevent data from being accidentally deleted or overwritten. If one of your buckets is attacked or used to distribute illegal content, OSS automatically moves the bucket to the sandbox to prevent your other buckets from being affected.