Elastic Desktop Service Enterprise protects your data through transfer encryption, display controls, peripheral restrictions, snapshot backups, disk encryption, and secure communication protocols.
Data protection
Transfer security
Cloud computer policies control file transfers between cloud computers and local devices to minimize security risks.
EDS Enterprise encrypts all data between cloud computers and client terminals using Alibaba Cloud's proprietary Adaptive Streaming Protocol (ASP) by default. ASP supports TLS encryption via the Tongsuo cryptographic library and encrypts all in-transit data, including image, audio, video streams, and input events.
Display security
Configure anti-screen capture and watermark policies to protect cloud computer display security.
The Anti-screenshot feature helps prevent data leaks from screen captures or recordings.
Example: An architectural design firm enables the anti-screenshot rule for its cloud computers to prevent unauthorized copying of design drawings. As a result, no one can use screen capture tools on their local devices to take screenshots or record the cloud computer screen.
The Watermark feature is used for data loss prevention, serving as both a deterrent and an audit tool.
Example: An advertising company enables watermarks on its cloud computers. When an employee takes a screenshot of an internal document, the image is overlaid with an administrator-defined watermark. This effectively discourages internal file leaks and provides a crucial audit trail if a data breach occurs.
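The page presents the watermark as an audit trail, which only holds if the overlaid content identifies the session and cannot be quietly altered. The following is an added example of one way to design such content (it is not EDS Enterprise's watermark implementation and says nothing about how the service renders its overlay): the text names the user, desktop and UTC minute, and carries a truncated HMAC so an investigator holding the key can confirm a leaked screenshot's watermark is genuine. The key, field layout, and user and desktop names are assumptions made for the example.

```python
"""Attributable, tamper-evident watermark content.

Added example, not EDS Enterprise's watermark code: shows how administrator-
defined watermark text can identify a session and be verified later when a
leaked screenshot is investigated. Key, layout and names are assumptions.
"""
import base64
import hashlib
import hmac
from datetime import datetime, timezone
from typing import Dict, Optional

TAG_BYTES = 6  # 48-bit truncated MAC: short enough to overlay, hard to forge blind


def _tag(secret: bytes, body: str) -> str:
    """Base32 (no padding) of a truncated HMAC-SHA256 over the visible fields."""
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()[:TAG_BYTES]
    return base64.b32encode(mac).decode().rstrip("=")


def make_watermark(secret: bytes, user: str, desktop_id: str, when: datetime) -> str:
    """Return 'user|desktop|UTC-minute|tag'. '|' is the separator, so reject it in fields."""
    if "|" in user or "|" in desktop_id:
        raise ValueError("field may not contain '|'")
    ts = when.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%MZ")
    body = f"{user}|{desktop_id}|{ts}"
    return body + "|" + _tag(secret, body)


def verify_watermark(secret: bytes, text: str) -> Optional[Dict[str, str]]:
    """Recompute the tag; return the attributed fields, or None if altered or forged."""
    parts = text.split("|")
    if len(parts) != 4:
        return None
    user, desktop_id, ts, tag = parts
    expected = _tag(secret, f"{user}|{desktop_id}|{ts}")
    # Constant-time comparison on bytes so odd input cannot raise or leak timing.
    if not hmac.compare_digest(expected.encode(), tag.encode()):
        return None
    return {"user": user, "desktop": desktop_id, "time": ts}


def build_sample() -> str:
    """Constructed sample: a fixed key, user, desktop and timestamp for illustration."""
    key = b"constructed-demo-key"
    when = datetime(2024, 8, 19, 4, 0, tzinfo=timezone.utc)
    return make_watermark(key, "alice", "desk-01", when)


if __name__ == "__main__":
    wm = build_sample()
    print("overlay text:", wm)
    print("verified    :", verify_watermark(b"constructed-demo-key", wm))
    print("tampered    :", verify_watermark(b"constructed-demo-key", wm.replace("alice", "bob")))
```

The investigator's side is `verify_watermark`: a screenshot whose watermark verifies is attributed to the named user and desktop at that minute, while one that has been edited to shift blame fails the check. The key must stay with the administrators; anyone holding it can mint valid watermarks.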
Peripheral security
Administrators can restrict device redirection to prevent client peripherals from accessing the cloud computer environment. The following peripherals can be controlled:
- Printer: Disable printer redirection to prevent data leakage and block unauthenticated printers.
- Webcam: Disable webcam redirection to prevent unauthorized image capture and privacy leaks.
- USB device: Enable or disable all client USB devices, or control access at the device level using Vendor IDs (VID) and Product IDs (PID).
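Device-level USB control comes down to a deny-by-default decision on the VID/PID pair a client reports. The following is an added example of that decision logic as a stand-alone policy evaluator; it is not EDS Enterprise code and does not use its console or API. The two identifier formats it parses, the rule shapes (a `None` product ID meaning the whole vendor, deny rules winning over allow rules), and the sample device identifiers are all assumptions chosen for the example.

```python
"""Device-level USB redirection policy keyed on Vendor ID and Product ID.

Added example, not EDS Enterprise code: a self-contained illustration of the
allow/deny-by-VID/PID decision the page describes. Identifier formats, rule
shapes and sample devices are assumptions made for this example.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Set, Tuple

Rule = Tuple[int, Optional[int]]  # (vid, pid); pid None means every product of that vendor

# Two common ways a client reports a device: Windows hardware-ID style
# (USB\VID_046D&PID_C52B...) and lsusb style (046d:c52b). Hex, any case.
_WIN_RE = re.compile(r"VID_([0-9A-Fa-f]{4})&PID_([0-9A-Fa-f]{4})")
_LSUSB_RE = re.compile(r"^([0-9A-Fa-f]{4}):([0-9A-Fa-f]{4})$")


def parse_vid_pid(identifier: str) -> Tuple[int, int]:
    """Return (vid, pid) as integers from either identifier format."""
    s = identifier.strip()
    m = _WIN_RE.search(s) or _LSUSB_RE.match(s)
    if not m:
        raise ValueError(f"unrecognised USB identifier: {identifier!r}")
    return int(m.group(1), 16), int(m.group(2), 16)


@dataclass
class UsbRedirectionPolicy:
    """Deny-by-default: a device is redirected only if an allow rule matches and
    no deny rule matches. Deny wins, so an administrator can allow a vendor as a
    whole while carving out one product from it."""
    redirection_enabled: bool = True
    allow: Set[Rule] = field(default_factory=set)
    deny: Set[Rule] = field(default_factory=set)

    @staticmethod
    def _matches(rules: Set[Rule], vid: int, pid: int) -> bool:
        return (vid, pid) in rules or (vid, None) in rules

    def decide(self, identifier: str) -> Tuple[bool, str]:
        """Return (redirect_allowed, reason) for one client device."""
        if not self.redirection_enabled:
            return False, "usb-redirection-disabled"
        vid, pid = parse_vid_pid(identifier)
        if self._matches(self.deny, vid, pid):
            return False, f"denied {vid:04x}:{pid:04x}"
        if self._matches(self.allow, vid, pid):
            return True, f"allowed {vid:04x}:{pid:04x}"
        return False, f"not on allowlist {vid:04x}:{pid:04x}"


def evaluate_all(policy: UsbRedirectionPolicy, identifiers: Iterable[str]) -> Dict[str, Tuple[bool, str]]:
    """Evaluate every device a client enumerated; an unparseable ID is refused, not skipped."""
    out: Dict[str, Tuple[bool, str]] = {}
    for ident in identifiers:
        try:
            out[ident] = policy.decide(ident)
        except ValueError as exc:
            out[ident] = (False, str(exc))
    return out


if __name__ == "__main__":
    # Constructed sample: allow one vendor wholesale except one of its products,
    # allow a single storage device by exact VID/PID; everything else stays blocked.
    policy = UsbRedirectionPolicy(
        allow={(0x046D, None), (0x0781, 0x5583)},
        deny={(0x046D, 0x0825)},
    )
    devices = [r"USB\VID_046D&PID_C52B", "046d:0825", "0781:5583", "0781:5591", "bogus"]
    for dev, (ok, why) in evaluate_all(policy, devices).items():
        print(f"{dev:28} -> {'redirect' if ok else 'block'} ({why})")
```

The point of the deny-wins ordering is the webcam case from the list above: a vendor's keyboards and mice can be allowed in one rule while that vendor's camera stays blocked, and a device the client cannot even describe is treated as blocked rather than as unclassified.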
Data availability
Snapshot backup and restoration (administrators)
A snapshot is a point-in-time disk backup. Create a snapshot before high-risk operations such as modifying the registry or critical system files. If a failure occurs, restore the disk from the snapshot.
Manual creation: You can create a snapshot at any time based on your business needs and specify which disks to back up. If you grant local administrator permissions to end users, they can create, restore, and delete snapshots from the WUYING Terminal interface.
Automatic creation: By default, the system automatically creates a snapshot for the system disk and data disk of each cloud computer. This default snapshot is retained for only three days and is then automatically deleted. You can also configure an automatic snapshot policy to meet your requirements. The system automatically creates snapshots in the following scenarios:
Important: If you do not configure a custom snapshot policy and rely only on the default snapshot policy of Elastic Desktop Service Enterprise, the system-generated snapshots are deleted when the instance is released and cannot be recovered.
- If a cloud computer is associated with an automatic snapshot policy, the system creates snapshots at the times specified in the policy.
- Before an administrator upgrades a cloud computer or a custom image, the system creates a snapshot in case the upgrade fails. If the upgrade fails, the system rolls the changes back. If the upgrade succeeds, the system disk snapshot of the original cloud computer is deleted, but the data disk snapshot is retained.
- When you change the image of a cloud computer that uses a custom image and that custom image has already been deleted, the system creates a snapshot first and deletes it automatically after the image change succeeds.
- Before an end user upgrades a cloud computer from the client, the system creates a snapshot in case the upgrade fails. At most three such snapshots are kept per cloud computer, and each is retained for only three days before it is automatically deleted.
The schedule for automatic snapshot creation is as follows:
- If no automatic snapshot policy is associated:
  - Cloud computers in all regions created at or after 12:00 (UTC+8) on August 19, 2024: daily between 22:00 and 06:00 the next day.
  - Cloud computers in the China (Hangzhou) region created between 17:42 (UTC+8) on June 7, 2024, and 12:00 (UTC+8) on August 19, 2024: daily at 02:00.
  - All other cloud computers: daily at 01:00.
  To stop automatic snapshot creation, go to the Snapshots page, click the Snapshot Management tab, and turn off the System Snapshot switch.
- If an automatic snapshot policy is associated: snapshots are created at the times specified in the policy.
Restore point backup and restoration (end users)
End users can create restore points to back up cloud computer data before high-risk operations such as modifying critical system files. If a failure or error occurs, users can restore the cloud computer from a restore point.
Data confidentiality
Communication security
Elastic Desktop Service Enterprise cloud computers use Alibaba Cloud's proprietary Adaptive Streaming Protocol (ASP) by default. ASP supports TLS encryption via Tongsuo, encrypting all data between cloud computers and client terminals, including image, audio, video streams, clipboard data, and input events. Tongsuo (formerly BabaSSL) is an open-source cryptographic library by Alibaba that provides modern algorithms and secure communication protocols, protecting data privacy, integrity, and authenticity during transmission, use, and storage. Tongsuo holds a commercial cryptographic product certification from the Commercial Cryptography Testing Center of the State Cryptography Administration of China, supporting compliance with commercial cryptographic requirements including state-secret transformation and classified protection assessments.
Tongsuo provides:
- Technical compliance: compliant with GM/T 0028 Level 1 Security for Software Cryptographic Modules.
- Zero-Knowledge Proofs (ZKP): Bulletproofs.
- Cryptographic algorithms:
  - Chinese commercial cryptographic algorithms: SM2, SM3, SM4, ZUC, and more.
  - Mainstream international algorithms: ECDSA, RSA, AES, SHA, and more.
  - Homomorphic encryption algorithms: EC-ElGamal, Paillier, and more.
- Secure communication protocols:
  - GB/T 38636-2020 TLCP, the dual-certificate national cryptographic communication protocol.
  - RFC 8998 (TLS 1.3 with a single national cryptographic certificate).
  - The QUIC API.
  - Delegated Credentials (draft-ietf-tls-subcerts-10).
  - TLS certificate compression.