
Well-Architected Framework: Shared Security Responsibility Model

Last Updated: Sep 25, 2023

For customer workloads on Alibaba Cloud, security and compliance are a shared responsibility between Alibaba Cloud and the customer. Alibaba Cloud is responsible for the security of the cloud platform itself and for providing security services and capabilities to cloud customers. Customers are responsible for the security of the application systems they build on Alibaba Cloud services.

The security responsibility model is illustrated in the following figure:

[Figure: shared security responsibility model]

Alibaba Cloud is responsible for the physical and hardware security of the infrastructure, which includes data centers deployed across regions and multiple availability zones as well as computing, storage, and network devices. It is also responsible for the security of the virtualization layer and the cloud services layer running on the Feitian distributed cloud operating system. On the platform side, Alibaba Cloud takes responsibility for identity management, access control, monitoring, and operations in order to provide customers with highly available and secure cloud service platforms.

Customers are responsible for configuring and using cloud services securely, and for building their own secure workloads on top of the security capabilities that these cloud products provide. Alibaba Cloud draws on the attack and defense expertise that Alibaba Group has accumulated over years to provide customers with cloud-native security services that protect their workloads and businesses.