All Products
Search
Document Center

Elastic Compute Service:Overview of security capabilities

Last Updated:Nov 15, 2023

Alibaba Cloud focuses on using technical means, such as hardware encryption, isolation, and user audit capabilities, to provide secure, reliable, isolated computing environments and provide different layers of protection to meet various security and performance requirements.

Introduction

Alibaba Cloud provides host memory encryption, virtual Trusted Platform Module (vTPM) based trusted computing capabilities, and confidential computing capabilities (Confidential VM and Enclave).

  • Host memory encryption: can protect memory data against physical attacks and increase cloud-based data security. It adds an additional layer of security without the need to modify operating systems or applications. For now, only the general-purpose g8i instance family supports memory encryption by default.

  • Trusted computing capabilities: Trusted Platform Modules (TPMs) or Trusted Cryptography Modules (TCMs) serve as trusted computing bases (TCBs) on the underlying physical servers that host trusted instances to ensure the tamper-protected, trusted boot of the instances. In addition, vTPM can be used to measure the critical components of the boot chain for instances.

  • Confidential computing capabilities: can work with CPU hardware encryption and isolation capabilities to create trusted execution environments (TEEs) where data is secure against tampering. You can also use security features such as remote attestation to verify cloud platforms and check the security of instances.

    • Enclave: Alibaba Cloud provides confidential computing capabilities based on Intel Software Guard Extensions (SGX) 2.0 and Alibaba Cloud Enclave. These capabilities help reduce TCBs, minimize attack surface and blast radius, and allow you to set up more secure, trusted confidential environments. For more information, see Build an SGX confidential computing environment and Build a confidential computing environment by using Enclave.

    • Confidential VM: allows you to run sensitive workloads in the cloud in an encrypted manner to protect your sensitive data without the need to modify application code. Alibaba Cloud provides the Confidential VM capability on top of Intel Trust Domain Extensions (TDX) and AMD Secure Encrypted Virtualization (SEV). For more information, see Build a TDX confidential computing environment.

Security capabilities

image

Best practices for security capabilities