This topic describes the security responsibilities that Elastic Compute Service (ECS) and customers should assume.
Cloud security
With the rapid development of the Internet, China has perfected and introduced more than two hundred laws and regulations that are related to cybersecurity and data security in the past few decades, including the Cybersecurity Law of the People's Republic of China (recognized as the basic law on cybersecurity of China) and the Data Security Law of the People's Republic of China (recognized as the basic law on data security of China), to impose strict requirements and standards on the business security and data security of enterprises. As customers embrace cloud computing applications, they shift their focus from how to migrate to the cloud to how to continuously and securely operate business in the cloud to protect the security of both their business and user information. In this context, cloud security and compliance are receiving more attention from enterprises.
To maintain good cloud security posture, a set of policies, control means, and technical means are collectively used to safeguard cloud infrastructure, data storage, data access, and applications and protect cloud-based business from security threats. Cloud security and compliance are shared responsibilities between Alibaba Cloud and customers. As an Alibaba Cloud customer, you must familiarize yourself with the risks that are associated with your cloud-based business. You must also engineer and put in place comprehensive safeguards to relieve operational burdens and prevent asset loss that is caused by security events.
Shared security responsibility model of ECS
ECS is an IaaS offering of Alibaba Cloud. The security of ECS is a shared responsibility between Alibaba Cloud and customers. The shared security responsibility model describes ECS security as security of the cloud and security in the cloud:
Security of the cloud: Alibaba Cloud is responsible for security of the cloud. Alibaba Cloud shall protect the infrastructure that runs ECS and provide you with services and resources that you can securely use, such as physical hardware that host ECS instances, software services, network devices, and management services.
Security in the cloud: You are responsible for security in ECS. Specifically, you shall duly manage guest OSs (including updates and security patches), protect applications or tools that run in ECS, and monitor and safeguard the flow of information into and out of ECS. You shall securely configure and access ECS and the services that are hosted on ECS instances, such as performing network configurations in compliance with security rules and managing ECS permissions based on the principle of least privilege.
The following figure shows the shared security responsibility model of ECS.
Alibaba Cloud responsibility for security of the cloud
Alibaba Cloud provides the following four layers of protection to strengthen security of the cloud:
Data center security: Alibaba Cloud data centers are constructed in compliance with the Class A standards of GB50174 Code for Design of Electronic Information System Room and the Tier 3+ standards of TIA-942 Telecommunications Infrastructure Standard for Data Centers.
Disaster recovery of data centers: Alibaba Cloud data centers are installed with fire sensors, smoke sensors, and precise air-conditioning systems in hot-standby mode that maintain constant temperature and humidity. The data centers are powered by public power utilities that are backed up by a redundant power system.
Personnel management: Dual-factor authentication, such as fingerprint and identity verification, is used to access machine rooms, measurement areas, and storage rooms. Specific areas are physically isolated by using iron cages. Strict account management, identity authentication, authorization management, separation of duties, and access control are implemented.
O&M audit: Security monitoring systems are put in place in various areas of data centers. Production systems can be operated and maintained only by using bastion hosts. All operation records are logged and stored in a log platform.
Physical infrastructure security: Physical infrastructure includes physical servers, network devices, and storage devices. The security of physical infrastructure depends on the security of data centers in the cloud and adds an additional layer of security to services in the public cloud. The following measures are taken to protect Alibaba Cloud physical infrastructure:
Data destruction: Alibaba Cloud develops a mechanism based on the standards of NIST Special Publication 800-88, Guidelines for Media Sanitization to securely erase data from storage media. The mechanism allows Alibaba Cloud to delete data assets at the earliest opportunity and completely destroy data by sanitizing the data from storage media multiple times when Alibaba Cloud terminates services for customers.
Storage asset management: Alibaba Cloud provides fine-grained, storage component-level management of storage assets and allocates unique hardware identification information to facilitate the search for storage media or small devices in which storage media reside. Storage media that are not securely sanitized or physically destroyed based on specific requirements cannot leave data centers or security control areas.
Network isolation: Alibaba Cloud isolates production networks from non-production networks and uses network access control lists (ACLs) to block access from cloud service networks to physical networks. Bastion hosts are deployed at the edges of production networks, and O&M personnel from office networks can access the production networks only by performing a multi-factor authentication step with domain accounts and dynamic passwords on the bastion hosts.
Virtualized system security: Virtualization is a pillar technology in cloud computing that allows you to create virtual representations of computing, storage, and network resources to isolate tenants in cloud computing environments. Alibaba Cloud provides virtualization security techniques, including tenant isolation, security hardening, escape detection and fix, live patching, and data erasure, to secure the virtualization layer.
Live patching: The virtualization platform supports the live patching technique that allows you to apply security patches to running systems without the need to reboot or interrupt runtime.
Data erasure: After instances are released, data is completely erased from the storage media that are associated with the instances. This is a critical step towards data security.
Tenant isolation: Hardware-based virtualization technology provides operating-system-level isolation to isolate each virtual machine from other virtual machines that run on the same hardware. A tenant who has access to the guest OS of a virtual machine cannot breach this layer of isolation to access another virtual machine that the tenant does not have access.
Compute isolation: Your virtual machines are isolated from the management system and the virtual machines of other customers.
Network isolation: Each virtual network is isolated from other networks.
Storage isolation: Compute-storage isolation ensures that each virtual machine can access only the physical disks that you make available to it.
Security hardening: Virtualization management programs and host OSs or kernels are security-hardened. Virtualization software must be compiled and run in a trusted execution environment to protect the entire link.
Escape detection and fix: Advanced virtual machine layout algorithms are used to prevent malicious users from running virtual machines on specific physical machines and virtual machines from detecting the physical host environments in which the virtual machines run. Suspicious behaviors of virtual machines are probed, and vulnerabilities are hotfixed.
Cloud platform security: The cloud platform provides cloud-based account management services, including the management of Alibaba Cloud accounts and RAM users and multi-factor authentication for logons. The cloud platform also provides access control services, including fine-grained access authorization and secure access.
Customer responsibility for security in ECS
You are responsible for security in ECS and shall secure what you put in or connect to ECS. You shall duly install OS update patches on ECS instances, configure appropriate security group rules to block unauthorized access to ECS instances, and encrypt data on ECS to increase data security.
Alibaba Cloud provides a series of security management and configuration tools that help you perform security configurations based on your requirements for increased business security.
Alibaba Cloud service | Description | References |
OS security | ||
Trusted computing | Trusted Platform Modules (TPMs) or Trusted Cryptography Modules (TCMs) serve as trusted computing bases (TCBs) on the underlying physical servers that host trusted instances to ensure the tamper-protected, trusted boot of the instances. In addition, you can use virtual TPM (vTPM) to measure the critical components of the boot chain for instances. | |
Confidential computing | Confidential computing capabilities can work with CPU hardware encryption and isolation capabilities to create trusted execution environments in which data is secure against tampering. You can also use security features such as remote attestation to verify cloud platforms and check the security status of instances. | |
Security Center | Security Center provides multiple features such as cloud asset management, baseline check, proactive defense, security hardening, configuration assessment, and security status visualization. Security Center uses massive cloud logs, analysis models, and superior computing power to monitor the security status of assets in the cloud in a comprehensive manner. Security Center can efficiently detect and prevent risks, such as viruses, attacks, encryption ransomware, vulnerability exploits, AccessKey pair leaks, and mining. Security Center is an end-to-end, automated system for security operations that protects workloads on hosts, containers, and virtual machines deployed in hybrid clouds and helps meet regulatory compliance requirements. | |
ECS identity and access security | ||
SSH key pairs | An SSH key pair consists of a public key and a private key that you can use to authenticate to ECS instances when you connect to the instances. You can use SSH key pairs to log on only to Linux instances. If you configure a public key on a Linux ECS instance, you can run an SSH command or use a connection tool on an on-premises device or another instance to log on to the Linux instance with the corresponding private key, instead of a password. This way, you can log on to and manage a large number of Linux instances at the same time by using a key pair. | |
Session Manager | Session Manager is a Cloud Assistant feature that allows you to securely connect to ECS instances from Session Manager Client without the need to provide passwords or open ports for inbound access. During communication with Cloud Assistant, Session Manager Client uses the Web Socket Secure (WSS) protocol to establish persistent WebSocket connections that are SSL-encrypted to ensure end-to-end data security. | |
Security groups | A security group acts as a virtual firewall for ECS instances to control inbound and outbound traffic. Security groups provide Stateful Packet Inspection (SPI) and packet filtering capabilities. You can use security groups to define security domains in the cloud. | |
Resource Access Management (RAM) | RAM is a service provided by Alibaba Cloud that allows you to manage user identities and resource access permissions. You can create and manage RAM users and user groups and control their access to cloud resources by managing permissions. | |
Network security | ||
Virtual Private Cloud (VPC) | A VPC is an isolated network environment that is built on Alibaba Cloud. VPCs are logically isolated from each other. A VPC consists of logical network devices such as vRouters and vSwitches. You can connect VPCs to on-premises networks over Express Connect circuits or VPNs to create custom network environments. This way, you can easily migrate your applications to the cloud and extend the capabilities of your on-premises environment. | |
Network ACLs | Network access control lists (ACLs) can be used to implement access control on a VPC. You can create network ACL rules and associate network ACLs with vSwitches to control inbound and outbound traffic for ECS instances that are connected to the vSwitches. | |
Application security | ||
Cloud Firewall | Cloud Firewall is a cloud security solution that provides firewalls as a service. Cloud Firewall implements centralized security isolation and traffic control for your cloud assets at the Internet, VPC, and host boundaries. Cloud Firewall is the first line of defense to protect your workloads in Alibaba Cloud. You can use the Internet firewall, internal firewalls, and VPC firewalls to manage access behaviors in a fine-grained manner and build an in-depth defense system that consists of three layers: Internet traffic protection, VPC protection, and instance protection. | |
Web Application Firewall (WAF) | WAF identifies and filters out malicious traffic that is destined for websites and applications and forwards clean, scrubbed traffic to the websites and applications. This protects web servers against intrusion and ensures the security of data and services. | |
Anti-DDoS | Anti-DDoS Origin protects the public IP addresses of Alibaba Cloud assets against Layer 3 and Layer 4 volumetric attacks. When traffic exceeds the default scrubbing threshold of Anti-DDoS Origin, traffic scrubbing is automatically triggered to mitigate DDoS attacks. Anti-DDoS Origin adopts passive scrubbing as a major protection policy and active blocking as an auxiliary policy to mitigate DDoS attacks. Anti-DDoS Origin uses conventional technologies such as reverse detection, blacklists, whitelists, and packet compliance to ensure that your asset can work as expected even when an attack is ongoing. Anti-DDoS Origin deploys a DDoS attack detection and scrubbing system in bypass mode at the egress of an Alibaba Cloud data center. Anti-DDoS Origin allows you to reinforce protection against DDoS attacks at a low cost and reduces the potential risk of DDoS attacks that target your services. | |
VPN Gateway | VPN Gateway is a network connection service that securely and reliably connects on-premises data centers, office networks, and Internet clients to Alibaba Cloud VPCs by using encrypted and private tunnels. | |
Certificate Management Service | Alibaba Cloud SSL certificates are trusted credentials that are issued by well-known certificate authorities (CAs). The CAs are certified by WebTrust. You can use SSL certificates to verify the identity of your website and encrypt data in transit. Certificate Management Service is an all-in-one platform that is provided by Alibaba Cloud for certificate issuance and management. Certificate Management Service allows you to manage your SSL certificates throughout their entire lifecycles and manage private certificates and private certificate repositories. You can install and manage certificates in different scenarios. | |
Data security | ||
Snapshot service | The Alibaba Cloud snapshot service is an agentless backup service that allows you to create crash-consistent snapshots for all disk categories to back up or restore entire disks. Crash-consistent snapshots are an effective disaster recovery solution that can be used to back up data, create images, and implement disaster recovery for applications. | |
Disk encryption | You can encrypt disks to protect the privacy, autonomy, and security of data without the need to establish or maintain key management infrastructure. You can encrypt both system disks and data disks of ECS instances. | |
Key Management Service (KMS) | KMS is a security management service that is provided by Alibaba Cloud to ensure the security, integrity, and availability of keys for certificates. KMS allows you to manage keys for multiple applications and services and meet regulatory and classified protection requirements. KMS is an end-to-end platform for key management and data encryption that provides simple, reliable, secure, and standard-compliant capabilities for encrypting and protecting data. KMS helps reduce your costs of procurement, O&M, and R&D on cryptographic infrastructure and data encryption and decryption products. This way, you can focus on the development of your business. | |
Security audit | ||
ActionTrail | ActionTrail is a service that monitors and records the actions of your Alibaba Cloud account. The actions include your access to and use of cloud services by using the Alibaba Cloud Management Console, APIs, and SDKs. ActionTrail records the actions as events. You can download the events in the ActionTrail console or configure ActionTrail to deliver the events to Simple Log Service Logstores or Object Storage Service (OSS) buckets. Then, you can perform behavior analysis, security analysis, resource change tracking, and compliance auditing on the events. | |
Identity as a Service (IDaaS) | Alibaba Cloud IDaaS is a cloud-native, cost-effective, convenient, standard identity and permission management system that is suitable for enterprise users. IDaaS provides an all-in-one platform for administrators to manage organizational structures and the lifecycle and permissions of accounts, and configure functionalities such as single sign-on (SSO) for applications. IDaaS allows users to access application portals, use independent logon systems, and manage accounts. | |