Shared Security Responsibilities
1.1 What's Alibaba Cloud’s responsibility for the security of the cloud environment?
Alibaba Cloud must ensure a securely managed and operated infrastructure, including (but not limited to) data centers deployed across regions and zones; Alibaba backbone networks; physical devices, including computing, storage, and network devices; Apsara, the underlying distributed cloud OS that runs on Alibaba Cloud; and all of the various cloud services and products running on top of Apsara OS. Alibaba Cloud is also responsible for identity and access control management, as well as the monitoring and operation systems on the platform side, to provide customers with a highly available and highly secure cloud service platform. Consider Alibaba Cloud's computing service, Elastic Compute Service (ECS), as an example. The underlying physical, hardware, and virtualization security capabilities of ECS are provided directly by Alibaba Cloud. For information about Alibaba Cloud’s cloud platform and product security, please refer to the Alibaba Cloud Security Whitepaper.
1.2 What's the customer's responsibility for security on the cloud?
Customers shall manage their security configurations for products on the cloud and have the responsibility to ensure the basic security and data security of their businesses on the cloud to meet their data security requirements. They are responsible for configuring and using various cloud products securely and for building cloud applications and businesses in a secure and controllable way based on the security capabilities of these cloud products. They are also responsible for fully utilizing the security features of Alibaba Cloud products and security services, as well as third-party security products provided by the security ecosystem to protect their business systems. For example, customers can use Alibaba Cloud's encryption capabilities or services to encrypt sensitive data, use Key Management Service (KMS) to manage the encryption keys, enable multi-factor authentication to protect Alibaba Cloud account authentication credentials, or use ActionTrail to record management console operations and OpenAPI call logs.
Note: If a customer uses basic services on Alibaba Cloud, such as Elastic Compute Service (ECS), the relevant service instance is completely controlled by the customer, and the customer should manage the instance, perform security hardening, apply security patches, and configure security groups for network access control. However, if the customer uses more advanced services on Alibaba Cloud, such as a platform or cloud-native service, the customer's security responsibility moves up accordingly. The customer no longer needs to focus on how to maintain the instance, apply security patches, or harden the configuration. Customers only need to manage accounts and authorizations for these services and use the security functions provided by these services. For example, the MaxCompute service provides customers with access control capabilities in different dimensions. Customers only need to configure security functions according to business needs.
2.1 Who owns member content (customer data)? What are the cloud provider's rights over the customer's member content?
Member content (customer data) refers to the content that customers submit or upload onto the Alibaba Cloud Services under a customer's account, specifically the content running on the Alibaba Cloud Services.
Customers retain control, maintenance, and ownership of member content. Customers also determine where their content will be located and control the format, structure, and security of their content, including whether it is masked, made anonymous, or encrypted. They also determine whether they will select Alibaba Cloud services that can process, store, and host their member content and manage other access controls, such as identity management, authorization management, and security credentials management. Customers control the entire lifecycle of their content on Alibaba Cloud and manage their content according to their specific needs, including content classification, access control, retention, and deletion.
Alibaba Cloud does not access or use member content without the customer’s consent. Alibaba Cloud never uses customer member content or derives information from it for marketing, advertising, or any other unauthorized purposes.
2.2 What are the customers' controls over their member content (customer data)?
As a customer, you control your member content. You control the lifecycle of your member content on Alibaba Cloud, including the creation, usage, storage period, and destruction of data. You determine where your member content will be stored, including the type of storage and the geographic region. You choose the secured state of your member content. We offer customers strong encryption for member content in transit and at rest, and we provide you with the option to manage your own encryption keys. You manage access to your member content, and access to Alibaba Cloud services and resources through users, groups, permissions, and credentials that you control.
Access to Member Content
3.1 Will Alibaba Cloud access member content (customer data)?
Member content (customer data) refers to the content that customers submit or upload onto the Alibaba Cloud Services under a customer's account, specifically the content running on Alibaba Cloud Services. Alibaba Cloud does not access or use member content without a customer's consent. For example, when customers use Elastic Compute Service (ECS) or Alibaba Cloud Relational Database Service (RDS), the related service instances are completely controlled by the customer, and the customer's data is completely managed by the customer. Alibaba Cloud will not access any of the customer’s data.
Alibaba Cloud can access customer data only after obtaining customer permission. Alibaba Cloud can only access and use this data to the extent permitted by the customer. All such access and usage is logged and audited. For example, when a customer uses the Intelligent Speech Interaction (ISI) product, the product can access the audio data provided by the customer only after obtaining authorization from the customer, in order to provide services such as voice recognition, speech synthesis, and natural language understanding.
3.2 How does a multi-tenant cloud protect against unauthorized third-party access to customer data (member content)?
Member content (customer data) refers to the content that customers submit or upload onto Alibaba Cloud Services under a customer's account, specifically the content running on the Alibaba Cloud Services.
Firstly, Alibaba Cloud will not access or use customer data unless expressly authorized by the customer. Customers manage access to their member content as well as Alibaba Cloud services and resources.
Secondly, Alibaba Cloud provides an advanced set of access, encryption, and logging features to help you effectively prevent unauthorized access. For example, users can log in to the cloud service console with the password of their cloud account (that is, their main account) or of a Resource Access Management (RAM) user under the cloud account, and perform operations on their cloud resources. They can also call cloud service APIs with an Alibaba Cloud Access Key (AK) as the credential to access resources on Alibaba Cloud. A customer can also manage credentials for short-term access to resources through the Security Token Service (STS) or use multi-factor authentication (MFA) to add additional protection to the username and password. For services on the cloud, after identity authentication is completed, customers can use Alibaba Cloud's Resource Access Management (RAM) service for user identity management and resource access control.
All data stored by customers on Alibaba Cloud is protected by strong tenant isolation security and control capabilities. Alibaba Cloud provides advanced data access controls to ensure strong multi-tenant isolation. For example, users can use security sandbox containers to strongly isolate resources such as memory, network, and IO, thereby better isolating tenants that share a single host. They can use a Virtual Private Cloud (VPC) to isolate the data link layer and build a secure network environment. They can also use security groups, which are instance-level virtual firewalls, to divide the security domains of each ECS instance, or use cloud firewalls to analyze north-south and east-west network traffic. Users can also visualize network-wide traffic, such as Internet access and security group traffic, and analyze and block active outbound connections. Refer to the Alibaba Cloud Security Whitepaper for more information about the security of specific data services.
Data Residency and Cross-Border Transfer
4.1 Where will the customer data reside?
Alibaba Cloud data centers (Regions and Zones) are built in clusters in various global regions. Customers can choose the Alibaba Cloud Region(s) or Zone(s) where their content will be located. (For a complete list of regions and zones, please visit https://www.alibabacloud.com/global-locations).
Customers can maintain effective control over their content, regardless of which Region(s) or Zone(s) they use for their content. The customer should consider whether they should disclose to individuals (data subjects) the locations where they store or process their personal data and obtain consent relating to such locations from the relevant individuals if necessary.
4.2 Will Alibaba Cloud move my data (member content) without my permission (including cross-border transmission)?
Alibaba Cloud only stores and processes each customer's content in the Alibaba Cloud Region(s) chosen by the customer. Alibaba Cloud will not move customer content without the customer's consent. If a customer chooses to store content in more than one Region or copy or move content between Regions, that is solely the customer's choice. The customer will need to consider the legal requirements that apply to such operations, wherever content is moved and processed.
If a customer needs to use Alibaba Cloud Services provided in other Regions, Alibaba Cloud will take the necessary measures to ensure the cross-border transfer is in compliance with the applicable Data Protection Legislation. For example, Alibaba Cloud provides a GDPR Addendum that includes the Standard Contractual Clauses that are approved by the European Commission Decision 2010/87/EU (or any subsequent decisions) or as referred to in Article 46 GDPR to Alibaba Cloud customers transferring content containing personal data (as defined in the GDPR) from the EU to a country outside of the European Economic Area.
Data Isolation and Separation
5.1 Does Alibaba Cloud as a provider adequately isolate customer data (member content)?
All data stored by customers on Alibaba Cloud is protected by strong tenant isolation security and control capabilities. Alibaba Cloud provides advanced data access controls. For example, users can use security sandbox containers to strongly isolate resources such as memory, network, and IO, thereby better isolating tenants that share a single host, and use a Virtual Private Cloud (VPC) to isolate the data link layer and build a secure network environment. They can use security groups, which are instance-level virtual firewalls, to divide the security domains of each ECS instance, or use cloud firewalls to analyze north-south and east-west network traffic. Users can also visualize network-wide traffic, such as Internet access or security group traffic, and analyze and block active outbound connections. Please refer to the Alibaba Cloud Security Whitepaper for more information about the security of specific data services.
5.2 What are the shortcomings of physical separation requirements? Why is logical separation more effective than physical separation?
Requirements for physically separated cloud offerings are primarily driven by concerns about third-party or other unauthorized access to applications, content, or data. However, for systems that are accessible over a network or the Internet, physical separation of those systems does not provide added security or control over access. Simply put, all access controls for connected systems are managed via logical access controls, permission management, network traffic routing, and encryption. Alibaba Cloud addresses any physical separation concerns through the logical security capabilities we provide to all of our customers and the security controls we have in place to protect customer data. Disadvantages of physical separation also include a higher cost structure and lower utilization resulting from less efficient use of space, as well as limited redundancy options and features compared with the geo-diversity of commercial data center regions.
Customers can leverage several different security approaches to achieve security outcomes equivalent to physical separation. For example, they can use a Virtual Private Cloud (VPC) to create the equivalent of completely separate network domains for each tenant or use encryption solutions to encrypt data at rest and in transit. Please refer to the Alibaba Cloud Security Whitepaper for more information about the security of specific data services.
Still have questions?
For requests related to security compliance and privacy, please contact the Trust Center.