This topic introduces Multi-Level Protection Scheme (MLPS) 2.0 and describes the managed rules that are provided in the ClassifiedProtectionPreCheck compliance package template.

What is MLPS 2.0?

MLPS 2.0 stipulates the national cybersecurity standards in China. The Chinese government officially released it on May 13, 2019, and officially implemented it on December 1, 2019. 58% of the countries and regions in the world have formulated national strategies for cybersecurity. Major countries and regions have legislated for cybersecurity.

Important changes in MLPS 2.0

  • Information systems in the cloud can be evaluated.

    On the basis of MLPS 1.0, MLPS 2.0 adds specifications for cloud computing platforms, big data platforms, IoT platforms, mobile computing systems, and industrial control systems. The specifications fully consider the diversity and complexity of the business carried by current enterprise information systems.

  • Cloud tenants are independently evaluated.

    In MLPS 1.0, the level of a cloud platform on which enterprise resources are hosted determines the level of an information system that a cloud tenant builds on the platform. As cloud services become increasingly complex and flexible, cloud tenants have increased control over hosted resources. Therefore, from MLPS 2.0 on, the information systems built by cloud tenants on cloud platforms are independently evaluated.

  • Continuous security evaluation is emphasized.

    In MLPS 1.0, the compliance of a system is evaluated only once. After the evaluation is complete, there is no way to continuously monitor the system to check whether it remains compliant with the specifications. MLPS 2.0 integrates the requirement for continuous compliance into the specifications to guide and supervise enterprises so that they build information systems with sustainable security capabilities. On the basis of the policy-centered protection, detection, and response (PPDR) model, enterprises are instructed to construct a three-dimensional and in-depth defense system that is trusted, controllable, and manageable. The defense system must be built on security authentication, with access control as the core.

    Trusted: Construct a trusted execution environment for business systems based on trusted computing. To prevent users from being impersonated and to prevent viruses and intrusions, users, platforms, and applications must all be trusted. A trusted environment ensures the security and reliability of the business systems, which always run as expected without unexpected processes.

    Controllable: Control the access of subjects to objects based on access control policies, so that all access activities are controllable. Controlled access prevents both internal and external attacks and protects information systems from unauthorized operations and unauthorized resource access. This ensures that information systems are secure and controllable.

    Manageable: Construct a management platform that allows administrators to manage permissions in a centralized and hierarchical way and to grant users only the minimum permissions they need. Such a platform compensates for insufficient attention to management and also ensures that information systems are secure and controllable.

    MLPS 2.0 adopts "one center, triple protection" as the design philosophy for cybersecurity technology. One center refers to the security management center. Triple protection refers to the secure computing environment, the security zone border, and the secure communications network.

    • The security management center must implement centralized control of system management, security management, and audit management. The protection mode must be transformed from passive to active, from static to dynamic, from single-point to all-around, and from extensive to intensive.

    • Triple protection requires enterprises to use security devices and technologies to implement security measures such as identity authentication, access control, intrusion prevention, data integrity, confidentiality, and personal information protection. Triple protection enables all-around protection for cloud platforms.
The following table describes the differences between MLPS 1.0 and MLPS 2.0.

Defense approach
  MLPS 1.0: In-depth defense with attack prevention, attack response, and security audit.
  MLPS 2.0: All-around defense with active prevention, security authentication, threat detection, and comprehensive audit.

Evaluation pass criteria and frequency
  MLPS 1.0: If the evaluation points are greater than zero, the official evaluation is passed. The official evaluation for MLPS 1.0 Level 3 is required every year, and that for MLPS 1.0 Level 4 is required every six months.
  MLPS 2.0: If the evaluation points reach 75, the official evaluation is passed. Annual evaluations are required for both MLPS 2.0 Level 3 and MLPS 2.0 Level 4.

Five difficulties for information systems in the cloud to conform to MLPS 2.0

MLPS 2.0 focuses on continuous compliance supervision. Annual evaluations are required for both MLPS 2.0 Level 3 and MLPS 2.0 Level 4. Information systems in the cloud have difficulties in conforming to MLPS 2.0 because resources are hosted on the cloud. The following table describes the difficulties.
Unclear evaluation objects: Some concepts of virtualized IT infrastructure differ from those of traditional IT infrastructure, which makes complex cloud configurations difficult to evaluate.

Non-centralized resource management: If a cloud platform does not support configuration management databases (CMDBs), you must go through a cumbersome process of collecting evidence and demonstrating your information systems on the cloud to the evaluation agencies during each round of evaluation and rectification.

Less control over system data: Resources are hosted on the cloud, so if MLPS 2.0 requires management logs and compliance reports as evidence, you must obtain the security audit data from the cloud platform.

Impossible self-evaluation by writing code: In the past, all enterprises had on-premises CMDBs and could write code to monitor and evaluate configurations on their own before the official evaluation. Now that resources are hosted on the cloud, self-evaluation by writing code requires continuous configuration synchronization from the cloud, which incurs high costs.

Separated deployment of a business system: In a hybrid cloud model, a business system is deployed partly on the cloud and partly on-premises. In this case, you must perform self-evaluation, scanning, monitoring, or detection twice, which is time-consuming and leads to high labor costs.

Continuous monitoring on cloud platforms

To resolve the preceding difficulties, Alibaba Cloud provides the classified protection precheck feature in Cloud Config free of charge. This feature facilitates the self-evaluation and remediation of your business.

Cloud Config interprets the specifications of MLPS 2.0 as rules, continuously monitors resource configuration changes, evaluates resource compliance in real time, and triggers alerts for non-compliance. This allows enterprises to continuously monitor the compliance of information systems.

ClassifiedProtectionPreCheck

ecs-instances-in-vpc: If you do not specify the vpcIds parameter, the system checks whether the network type of each Elastic Compute Service (ECS) instance is set to virtual private cloud (VPC). If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which each ECS instance resides matches the specified setting. If yes, the evaluation result is compliant.

rds-instances-in-vpc: If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB RDS instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which each ApsaraDB RDS instance resides matches the specified setting. If yes, the evaluation result is compliant.

actiontrail-enabled: If at least one active trail exists in ActionTrail, the evaluation result is compliant.

rds-high-availability-category: If high-availability ApsaraDB RDS instances are used, the evaluation result is compliant.

ecs-disk-encrypted: If encryption is enabled for each ECS data disk, the evaluation result is compliant.

rds-multi-az-support: If ApsaraDB RDS instances are deployed across multiple zones, the evaluation result is compliant.

sg-public-access-check: If the inbound authorization policy of a security group is set to Allow and the port range is set to -1/-1 or the authorized IP address is set to 0.0.0.0/0, the security group exposes every port or accepts traffic from any source, and the evaluation result is non-compliant.

slb-listener-https-enabled: If ports 80 and 8080 are used by the HTTPS listeners of each Server Load Balancer (SLB) instance, the evaluation result is compliant.

rds-public-access-check: If 0.0.0.0/0 is not added to the IP whitelist of each ApsaraDB RDS instance, the evaluation result is compliant.

ecs-instance-no-public-ip: If no public IPv4 address is associated with any ECS instance, the evaluation result is compliant.

ram-user-mfa-check: If multi-factor authentication (MFA) is enabled for each RAM user, the evaluation result is compliant.

sg-risky-ports-check: If a security group allows access from 0.0.0.0/0 but ports 22 and 3389 are not open to it, the evaluation result is compliant.

oss-bucket-public-read-prohibited: If the access control list (ACL) of each Object Storage Service (OSS) bucket denies read access from the Internet, the evaluation result is compliant.

oss-bucket-public-write-prohibited: If the ACL of each OSS bucket denies read and write access from the Internet, the evaluation result is compliant.

oss-bucket-server-side-encryption-enabled: If server-side encryption is enabled for each OSS bucket, the evaluation result is compliant.

slb-no-public-ip: If no public IP address is associated with any SLB instance, the evaluation result is compliant.

rds-instance-enabled-security-ip-list: If the IP whitelist is enabled for each ApsaraDB RDS instance and the whitelist does not contain 0.0.0.0/0, the evaluation result is compliant.

cdn-domain-https-enabled: If HTTPS is enabled for each domain name accelerated by Alibaba Cloud Content Delivery Network (CDN), the evaluation result is compliant.

redis-instance-in-vpc: If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB for Redis instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which each ApsaraDB for Redis instance resides matches the specified setting. If yes, the evaluation result is compliant.

redis-public-access-check: If 0.0.0.0/0 is not added to the IP whitelist of each ApsaraDB for Redis instance, the evaluation result is compliant.

mongodb-instance-in-vpc: If you do not specify the vpcIds parameter, the system checks whether the network type of each ApsaraDB for MongoDB instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which each ApsaraDB for MongoDB instance resides matches the specified setting. If yes, the evaluation result is compliant.

mongodb-public-access-check: If 0.0.0.0/0 is not added to the IP whitelist of each ApsaraDB for MongoDB instance, the evaluation result is compliant.

polardb-dbcluster-in-vpc: If you do not specify the vpcIds parameter, the system checks whether the network type of each PolarDB instance is set to VPC. If yes, the evaluation result is compliant. If you specify the vpcIds parameter, the system checks whether the VPC in which each PolarDB instance resides matches the specified setting. If yes, the evaluation result is compliant.

oss-zrs-enabled: If zone-redundant storage (ZRS) is enabled for each OSS bucket, the evaluation result is compliant.

rds-connectionmode-safe-enabled: If the access mode of each ApsaraDB RDS for SQL Server database is set to proxy, the evaluation result is compliant.

slb-acl-public-access-check: If the access control feature is enabled for each SLB instance and 0.0.0.0/0 is not added to the IP whitelist, the evaluation result is compliant.

eip-bandwidth-limit: If the available bandwidth of each elastic IP address (EIP) is greater than or equal to the value specified by the input parameter, the evaluation result is compliant.

slb-loadbalancer-bandwidth-limit: If the available bandwidth of each SLB instance is greater than or equal to the value specified by the input parameter, the evaluation result is compliant.

polardb-public-access-check: If 0.0.0.0/0 is not added to the IP whitelist of each PolarDB instance, the evaluation result is compliant.
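To make the mechanism described under "Continuous monitoring on cloud platforms" concrete, the following added example (not Alibaba Cloud Config's own code) models four of the rules in the table above (ecs-instances-in-vpc with its optional vpcIds parameter, sg-public-access-check, rds-public-access-check and ram-user-mfa-check) as checks over resource configuration snapshots, runs a full evaluation, and then re-evaluates a single resource when its configuration changes, which is the event that should raise an alert. The resource records are constructed sample data, and the configuration field names (networkType, vpcId, inboundRules, securityIps, mfaEnabled), the ACS::Service::Type resource type names and the rule-to-type mapping are assumptions made for this example, not the service's actual schema.

```python
"""Toy evaluator modelling how a compliance package applies managed rules.

Added example, not Alibaba Cloud Config's code. Field names, resource type
names and the rule-to-type mapping are assumptions made for the example.
"""
from dataclasses import dataclass

COMPLIANT = "COMPLIANT"
NON_COMPLIANT = "NON_COMPLIANT"


@dataclass
class Resource:
    resource_type: str   # assumed ACS::Service::Type style names
    resource_id: str
    config: dict         # the resource's current configuration snapshot


def ecs_instances_in_vpc(res, params):
    """ecs-instances-in-vpc: the instance must use the VPC network type; when the
    optional vpcIds parameter is given, its VPC must also be one of those IDs."""
    if res.config.get("networkType") != "vpc":
        return NON_COMPLIANT
    vpc_ids = params.get("vpcIds")
    if vpc_ids and res.config.get("vpcId") not in vpc_ids:
        return NON_COMPLIANT
    return COMPLIANT


def sg_public_access_check(res, params):
    """sg-public-access-check: an inbound Allow rule that opens every port (-1/-1)
    or accepts any source (0.0.0.0/0) makes the security group non-compliant."""
    for rule in res.config.get("inboundRules", []):
        if rule.get("policy") != "Allow":
            continue
        if rule.get("portRange") == "-1/-1" or rule.get("sourceCidr") == "0.0.0.0/0":
            return NON_COMPLIANT
    return COMPLIANT


def rds_public_access_check(res, params):
    """rds-public-access-check: the IP whitelist must not contain 0.0.0.0/0."""
    return NON_COMPLIANT if "0.0.0.0/0" in res.config.get("securityIps", []) else COMPLIANT


def ram_user_mfa_check(res, params):
    """ram-user-mfa-check: the RAM user must have MFA enabled."""
    return COMPLIANT if res.config.get("mfaEnabled") else NON_COMPLIANT


# Rule name -> (resource type the rule applies to, check function). Assumed mapping.
RULES = {
    "ecs-instances-in-vpc": ("ACS::ECS::Instance", ecs_instances_in_vpc),
    "sg-public-access-check": ("ACS::ECS::SecurityGroup", sg_public_access_check),
    "rds-public-access-check": ("ACS::RDS::DBInstance", rds_public_access_check),
    "ram-user-mfa-check": ("ACS::RAM::User", ram_user_mfa_check),
}


def evaluate(resources, params=None):
    """Full evaluation: {(rule_name, resource_id): verdict} for every resource a
    rule applies to. params maps a rule name to its input parameters."""
    params = params or {}
    results = {}
    for rule_name, (rtype, check) in RULES.items():
        for res in resources:
            if res.resource_type == rtype:
                results[(rule_name, res.resource_id)] = check(res, params.get(rule_name, {}))
    return results


def non_compliant(results):
    """The (rule, resource) pairs that would raise alerts, in a stable order."""
    return sorted(key for key, verdict in results.items() if verdict == NON_COMPLIANT)


def on_config_change(results, changed, params=None):
    """Continuous monitoring: re-evaluate only the changed resource, update the
    stored results in place and return the rules that newly became non-compliant
    for it (the set that should trigger an alert)."""
    params = params or {}
    newly_failing = []
    for rule_name, (rtype, check) in RULES.items():
        if changed.resource_type != rtype:
            continue
        key = (rule_name, changed.resource_id)
        before = results.get(key)
        after = check(changed, params.get(rule_name, {}))
        results[key] = after
        if after == NON_COMPLIANT and before != NON_COMPLIANT:
            newly_failing.append(rule_name)
    return newly_failing


# Constructed sample inventory: one compliant and one non-compliant resource per rule.
SAMPLE_RESOURCES = [
    Resource("ACS::ECS::Instance", "i-example-1", {"networkType": "vpc", "vpcId": "vpc-a"}),
    Resource("ACS::ECS::Instance", "i-example-2", {"networkType": "classic"}),
    Resource("ACS::ECS::SecurityGroup", "sg-example-1",
             {"inboundRules": [{"policy": "Allow", "portRange": "443/443", "sourceCidr": "10.0.0.0/8"}]}),
    Resource("ACS::ECS::SecurityGroup", "sg-example-2",
             {"inboundRules": [{"policy": "Allow", "portRange": "-1/-1", "sourceCidr": "192.168.0.0/16"}]}),
    Resource("ACS::RDS::DBInstance", "rm-example-1", {"securityIps": ["10.0.0.0/8"]}),
    Resource("ACS::RDS::DBInstance", "rm-example-2", {"securityIps": ["0.0.0.0/0"]}),
    Resource("ACS::RAM::User", "alice", {"mfaEnabled": True}),
    Resource("ACS::RAM::User", "bob", {"mfaEnabled": False}),
]

if __name__ == "__main__":
    results = evaluate(SAMPLE_RESOURCES)
    for rule_name, resource_id in non_compliant(results):
        print(f"ALERT {rule_name}: {resource_id}")
    # A later change on sg-example-1 opens port 22 to the Internet; only that
    # resource is re-evaluated and a new alert is produced for it.
    changed = Resource("ACS::ECS::SecurityGroup", "sg-example-1",
                       {"inboundRules": [{"policy": "Allow", "portRange": "22/22", "sourceCidr": "0.0.0.0/0"}]})
    print("newly non-compliant:", on_config_change(results, changed))
```

The split between evaluate and on_config_change is the point of the example: the initial sweep establishes a baseline for every resource, and afterwards only the resource whose configuration changed is re-checked, so an alert is tied to the specific change that broke a rule rather than to a periodic rescan of the whole inventory.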