Elastic Desktop Service:Data security

1.1 Data transfer security

EDS Enterprise enhances file transfer security between cloud computers and on-premises devices through cloud computer policies. This feature implements controlled file transfers to mitigate potential security risks during data exchange.

1.2 Display security

EDS Enterprise enhances cloud computer content protection through cloud computer policies. The anti-screen capture and dynamic watermarking features prevent unauthorized content duplication and enable traceability, ensuring sensitive information remains secure during viewing sessions.

• You can configure the Anti-screenshot parameter to prevent data leaks due to screenshot capturing or screen recording of cloud computers.

  Example: To prevent design data leaks, the administrator of a construction company enables anti-screenshot feature for cloud computers in the company. This restricts employees from using snipping tools on local terminals to capture or record cloud computer screens.

• You can configure the Watermark parameter to prevent data leaks, and facilitate audits if a data leak does occur.

  Example: The administrator of an advertising company enables the watermarking feature. When employees take screenshots of internal files stored on cloud computers, watermarks are tiled across the images, effectively preventing data leaks. In the event of a data leak, watermarks serve as critical audit trail markers for investigation and accountability.

1.3 Peripheral security

EDS Enterprise enables administrators to enhance security by controlling peripheral device redirection for cloud computers. Through granular policy configuration, administrators can restrict specific peripheral access to cloud computers, which prevents potential security threats. Administrators can restrict access from the following peripheral devices to cloud computers:

• Printer: To enhance security and prevent potential data leaks, disable printer redirection. This measure blocks printing to external devices and prevents unauthorized printers from compromising cloud system security.

• Webcam: To mitigate security and privacy risks, disable webcam redirection. This prevents potential malware from accessing client profiles and reduces the chance of accidental data leaks through unauthorized camera access.

• USB device: EDS Enterprise provides granular USB device control, allowing administrators to enable or disable client USB devices globally or target specific devices by Vendor ID (VID) and Product ID (PID). This precise identification capability enables selective restriction of any USB device type while permitting authorized peripherals.

2.1 Use snapshots for data backup and restoration (administrators)

Snapshots provide a reliable method for backing up and restoring disk data. Before you perform high-risk operations that may compromise system stability, such as registry modifications or critical system file changes, we recommend that you create snapshots. These backups enable quick disk restoration in the event of system failures, ensuring minimal downtime and data loss. Snapshots can be manually or automatically created.

• Manual snapshots: You can create a snapshot at any specific point in time to meet your business needs. During creation, you can define the disk scope. If the local administrator permissions are granted to end users, they can create, restore, and delete snapshots through their Alibaba Cloud Workspace terminals.

• Automatic snapshots: By default, the system automatically generates snapshots for the system and data disks of each cloud computer. These snapshots are retained for three days and then automatically deleted. Additionally, you can set up an automatic snapshot policy tailored to your business requirements. The system automatically creates snapshots for cloud computers in the following scenarios:

  • For cloud computers associated with an automatic snapshot policy, snapshots are created at the times specified in the policy.

  • Snapshots are automatically generated before an administrator updates cloud computers or custom images. If the update fails, the system can roll back by using these snapshots. If the update succeeds, the system deletes the system disk snapshots but retains the data disk snapshots.

  • When changing the image for a cloud computer, a snapshot is automatically created if the image is a deleted custom image. The snapshot is deleted after the image change is complete.

  • Before an end user updates a cloud computer through an Alibaba Cloud Workspace client, the system creates a snapshot to enable automatic rollback in case of update failure. The system can create up to three snapshots for a cloud computer, each retained for a maximum of three days before being automatically deleted.

  Automatic snapshot creation times:

  • No automatic snapshot policy applied:

    • Cloud computers created on or after August 19, 2024, 12:00 (UTC+8) in all regions: 22:00 to 06:00 (UTC+8) the next day.

    • Cloud computers created between June 7, 2024, 17:42 (UTC+8) and August 19, 2024, 12:00 (UTC+8) in the China (Hangzhou) region: 02:00 daily.

    • All other cloud computers: 01:00 daily.

  • To disable automatic snapshot creation, go to the Snapshots page, navigate to the Snapshot Management tab, and then turn off the System Snapshot switch.

    Note

    This feature is in invitational preview. If you want to use the feature, submit a ticket.

  • Cloud computers associated with an automatic snapshot policy: The snapshots will be created by the system at the times specified in the policy.

2.2 Use restore points for data backup and restoration (end users)

End users can utilize restore points to safeguard and recover data on cloud computers. These restore points serve as safety checkpoints, particularly useful before end users perform high-risk operations like modifying critical system files. If a system failure or operational error occurs, end users can revert to a previously created restore point to recover their data to the saved state.

3.1 Communications security

EDS Enterprise's cloud computers utilize Alibaba Cloud's Adaptive Streaming Protocol (ASP) with TLS encryption powered by Tongsuo (formerly BabaSSL). As Alibaba's open-source cryptography library, Tongsuo delivers modern cryptographic algorithms and secure communications protocols that ensure data privacy, integrity, and authentication throughout transmission, usage, and storage. The library supports critical security features across storage, networking, key management, and privacy computing scenarios. Tongsuo holds commercial password product certification from China's State Cryptographic Authority, helping organizations comply with national cryptographic standards during technology upgrades and security evaluations.

Tongsuo cryptographic toolkit has the following features:

• Compliance: Meets the cryptographic security requirements of GM/T 0028 (Security Requirements for Cryptographic Modules).

• Zero-knowledge proofs (ZKP): Bulletproofs

• Cryptographic algorithms

  • Commercial cryptographic algorithms in China: SM2, SM3, SM4, ZUC, and others

  • Standard cryptographic algorithms: ECDSA, RSA, AES, SHA, and others

  • Homomorphic encryption algorithms: EC-ElGamal, Paillier, and others

• Secure communications protocols

  • Supports GB/T 38636-2020 TLCP standard, featuring dual-certificate national cryptographic communication protocol.

  • Supports TLS 1.3 with national cryptographic algorithms as specified in RFC 8998.

  • Supports the QUIC API.

  • Supports Delegated Credentials (RFC draft-ietf-tls-subcerts-10 implementation)

  • Supports TLS certificate compression