Alibaba Cloud secures the infrastructure, while customers secure their ECS instances, including OS patches, security groups, and data encryption.
Importance of cloud security
China has introduced more than 200 laws and regulations on network and data security, including the Cybersecurity Law and the Data Security Law, imposing strict requirements on enterprise data security. As cloud computing grows, enterprises are shifting focus from how to move to the cloud to how to operate their business securely and continuously in the cloud, making security and compliance a top priority.
Cloud security uses policies, controls, and technologies to protect infrastructure, data, and applications from internal and external threats. Building a secure cloud business is a shared responsibility between Alibaba Cloud and customers. Customers must understand the risks of their cloud business and proactively implement security controls to reduce operational burdens and minimize potential asset loss from security incidents.
ECS shared security responsibility model
ECS is an IaaS offering by Alibaba Cloud. Security is a shared responsibility between Alibaba Cloud and customers, with the following boundaries:
-
Alibaba Cloud is responsible for the security "of" the cloud: Alibaba Cloud secures the underlying infrastructure and services that run ECS, including physical hardware, software services, network devices, and management control services.
-
Customers are responsible for security "in" the cloud: Customers secure their ECS instances by applying OS upgrades and patch updates, securing applications and tools, and configuring access controls. Examples include configuring network parameters based on security best practices and assigning permissions based on the principle of least privilege.
The following figure shows the ECS shared security responsibility model.
Alibaba Cloud's responsibility: secure the cloud
Alibaba Cloud secures the cloud from the bottom up across four layers:
-
Data center security: Alibaba Cloud data centers meet Class A standards of GB 50174 and T3+ standards of TIA-942.
-
Disaster recovery: Data centers use fire and smoke detectors, dual power supplies with redundant power systems, and precision air conditioners in hot standby mode for constant temperature and humidity.
-
Personnel management: Access to areas such as server rooms, power measurement zones, and storage rooms requires two-factor authentication (such as identity and fingerprint verification). Specific areas use cages for physical isolation. Strict account management, identity authentication, authorization management, separation of duties, and access management are enforced.
-
O&M audit: Security monitoring systems cover all data center areas. O&M operations on production systems require a Bastionhost. All operation records are logged on a centralized log platform.
-
-
Physical infrastructure security: Physical infrastructure covers physical servers, network devices, and storage devices. Its security relies on the data center itself, plus additional measures for the public cloud model:
-
Data destruction: Following the NIST SP 800-88 standard, Alibaba Cloud securely erases data from storage media. When a customer's cloud service ends, data assets are promptly deleted and storage media is purged multiple times.
-
Storage device asset management: Each storage component is assigned a unique hardware device identifier for precise tracking. Storage media cannot leave the data center or secure control areas unless securely erased or physically destroyed per established standards.
-
Network isolation: Production networks are isolated from non-production networks. Network ACLs prevent cloud service networks from accessing the physical network. Bastionhosts are deployed at the production network border. O&M engineers access the production network only through a Bastionhost with multi-factor authentication (domain account password and dynamic password).
-
-
Virtualization system security: Virtualization uses compute, storage, and network virtualization for multi-tenant resource isolation. Alibaba Cloud secures the hypervisor with five components: tenant isolation, security hardening, escape detection and repair, hotpatching, and data erasure.
-
Hotpatching: The virtualization platform supports hotpatching, applying patches without a system restart.
-
Data erasure: After an instance is released, data on the underlying storage media is securely erased.
-
Tenant isolation: Hardware virtualization isolates VMs on different compute nodes at the system level. Tenants cannot access each other's resources without authorization.
-
Compute isolation: The management system is isolated from customer VMs, and customer VMs are isolated from each other.
-
Network isolation: Each virtual network is isolated from other networks.
-
Storage isolation: With a compute-storage decoupled architecture, a VM can only access its allocated physical disk space.
-
-
Security hardening: The hypervisor and host OS/kernel are hardened. Virtualization software is compiled and run in a trusted execution environment for end-to-end security.
-
Escape detection and repair: Advanced VM layout algorithms prevent a malicious VM from targeting a specific physical machine. VMs cannot probe their physical host environment. Abnormal behavior is detected, and vulnerabilities are fixed with hotpatches.
-
-
Cloud service platform security: The cloud platform provides account management and service access, including management of main accounts and RAM users, multi-factor authentication for logon, fine-grained access authorization, and secure access to platform services.
Customer's responsibility: secure resources in ECS
Customers secure their ECS instances by applying OS patches, setting appropriate security group rules to prevent unauthorized access, and using data encryption.
Alibaba Cloud provides the following security management and configuration tools: