Alibaba Cloud adheres to international information security standards and is committed to using international best practices.
Alibaba Cloud adheres to all the domestic information security standards of the countries and regions where our cloud services are deployed.
Alibaba Cloud adheres to industry standard practices, continually conducts self-assessment reviews, and has obtained the relevant industry certifications.
US FDA Regulations on Electronic Records and Electronic Signatures (ERES) Part 11 of Title 21 Code of Federal Regulations (CFR)
General Data Protection Regulation (GDPR)
Alibaba Cloud is GDPR ready by the effective date of May 25, 2018.
Code of Practice for Protecting Personal Data in the Cloud
Extension to ISO/IEC 27001/27002 for Privacy Information Management
Code of Practice for Personally Identifiable Information Protection
Personal Information Management System
Founding Member of EU Cloud Code of Conduct
Personal Data Protection Act in Singapore
Data Protection Trustmark in Singapore
The Personal Data (Privacy) Ordinance in Hong Kong
Security Solutions & Best Practices
Shared Security Responsibilities Model
Alibaba Cloud and its customers are jointly responsible for the security of customers' applications built on Alibaba Cloud. With security responsibilities shared between Alibaba Cloud and its customers, Alibaba Cloud provides a secure infrastructure to decrease the enterprise security burden of customers. As such, customers can configure and use cloud products in a secure manner, thus relieving much of the underlying security burden while allowing customers to focus more on their core business needs. Learn more in the Alibaba Cloud Security Whitepaper - The International Version.

Alibaba Cloud has newly published the 2020 Alibaba Cloud Security Whitepaper - The China Gateway Version, which introduces the public cloud security system of Alibaba Cloud, specifically Alibaba Cloud’s security capabilities and offerings in Mainland China. Learn more in the Alibaba Cloud Security Whitepaper - The China Gateway Version.
The International Version introduces the public cloud security system of Alibaba Cloud, specifically Alibaba Cloud’s security capabilities and offerings for regions outside of Mainland China.
The China Gateway Version introduces the public cloud security system of Alibaba Cloud, specifically Alibaba Cloud’s security capabilities and offerings in Mainland China.
Alibaba Cloud helps you thwart attacks, large or small, and defend against online or offline threats.
This report tells how cloud security offers the best way to protect your business from cyber threats.
This whitepaper looks at steps to protect your data center infrastructure.
Cryptocurrency values might depreciate, but mining is still popular.
The report provides the latest trends in Chinese cyberattacks discovered by our security team.
This whitepaper describes the benefits of using Sensitive Data Discovery and Protection (SDDP) system to manage and protect critical data.
Shared Security Responsibility
1. What's Alibaba Cloud’s responsibility for the security of the cloud environment?
Alibaba Cloud must ensure a securely managed and operated infrastructure, including but not limited to data centers deployed across regions and zones, the Alibaba backbone network, physical devices (computing, storage, and network devices), the underlying distributed cloud OS, named Apsara, and all the various cloud services and products running on top of the Apsara OS. At the same time, Alibaba Cloud is also responsible for identity and access control management as well as the monitoring and operation systems on the platform side, so as to provide customers with a highly available and highly secure cloud service platform. Consider Alibaba Cloud's computing service, Elastic Compute Service (ECS), as an example. The underlying physical, hardware, and virtualization security capabilities of ECS are provided directly by Alibaba Cloud. Once customers use services on Alibaba Cloud, they gain access to the security capabilities and guarantees of the cloud platform. For information about Alibaba Cloud’s cloud platform and product security, refer to the Alibaba Cloud Security Whitepaper.
2. What's the Customer's responsibility for Security in the Cloud?
Customers shall manage their security configurations for products on the cloud, and have the responsibility to ensure the basic security and data security of their businesses on the cloud to meet their own data security requirements. They are responsible for configuring and using various cloud products in a secure manner and for building their own cloud applications and businesses in a secure and controllable way based on the security capabilities of these cloud products. They are also responsible for fully utilizing the security features of Alibaba Cloud products and security services, as well as third-party security products provided by the security ecosystem to protect their business systems. For example, customers can use Alibaba Cloud's encryption capabilities or services to encrypt sensitive data, use KMS (Key Management Service) to manage the encryption keys, enable multi-factor authentication to protect Alibaba Cloud account authentication credentials, or use ActionTrail to record management console operations and OpenAPI call logs.
It should be noted that if the customer uses basic services on Alibaba Cloud, such as Elastic Compute Service (ECS), the relevant service instance is completely controlled by the customer, and the customer should manage the instance, perform security configuration, apply patches, and configure security group firewalls for network access control. However, if the customer uses non-basic services, such as a platform or cloud-native service, on Alibaba Cloud, then the customer's security responsibility moves up the stack accordingly: the customer no longer needs to maintain the instance, apply operating system patches, or harden the configuration. Customers only need to manage accounts and authorizations for these services and use the security functions provided by these services. For example, the MaxCompute service provides customers with access control capabilities in different dimensions. Customers only need to configure the security functions of such products appropriately according to their business needs.
1. Who owns member content (customer data)? What are the cloud provider's rights over customer's member content?
Member content (customer data) refers to the content that customers submit to or upload into the Alibaba Cloud Services under a customer's Account, specifically the content run on the Alibaba Cloud Services.
Customers retain control, maintenance and ownership of member content. Customers also determine where their content will be located, and also control the format, structure and security of their content, including whether it is masked, made anonymous or encrypted. They also determine whether they will select Alibaba Cloud services that can process, store, and host their member content and manage other access controls, such as identity access management as well as permissions and security credentials. Customers control the entire lifecycle of their content on Alibaba Cloud, and manage their content in accordance with their own specific needs, including content classification, access control, as well as retention and deletion.
Alibaba Cloud does not access or use member content without the customer’s consent. Alibaba Cloud never uses member content, or derives information from it, for marketing, advertising, or any other purpose not authorized by the customer.
2. What are the customers' controls over their member content (customer data)?
As a customer, you control your member content.
- You control the lifecycle of your member content on Alibaba Cloud, including the creation, usage, storage period and destruction of data.
- You determine where your member content will be stored, including the type of storage and geographic region of that storage.
- You choose the secured state of your member content. We offer customers strong encryption for your member content in transit and at rest, and we provide you with the option to manage your own encryption keys.
- You manage access to your member content, and access to Alibaba Cloud services and resources through users, groups, permissions, and credentials that you control.
Access to Member Content
1. Will Alibaba Cloud access customer data?
Member content (customer data) refers to the content that customers submit to or upload into the Alibaba Cloud Services under a customer's Account, specifically the content run on Alibaba Cloud Services. Alibaba Cloud does not access or use member content without a customer's consent. For example, when customers use Elastic Compute Service (ECS) or Alibaba Cloud Relational Database Service (RDS), the related service instances are completely controlled by the customer, and the customer's data is completely managed by the customer. Alibaba Cloud will not access any of the customer’s data.
Alibaba Cloud can access customer data only after obtaining customer permission in order to provide customers with Alibaba Cloud products and services, and Alibaba Cloud can only access and use this data to the extent permitted by the customer. All such access and usage is logged and audited. For example, when a customer uses the Intelligent Speech Interaction (ISI) product, the ISI product can only access the audio data provided by the customer after being authorized by the customer in order to provide services such as voice recognition, speech synthesis, and natural language understanding.
2. How does a multi-tenant cloud protect customer data (member content) against unauthorized third-party access?
Member content (customer data) refers to the content that customers submit to or upload into Alibaba Cloud Services under a customer's Account, specifically the content run on the Alibaba Cloud Services.
Firstly, Alibaba Cloud will not access or use customer data unless expressly authorized by the customer. Customers manage access to their Member content as well as Alibaba Cloud services and resources.
Secondly, Alibaba Cloud provides an advanced set of access, encryption, and logging features to help you effectively prevent unauthorized access. For example, users can log in to the cloud service console with their cloud account (the main account), or with the password of a RAM user under that cloud account, and perform operations on their cloud resources. They can also use an Alibaba Cloud AccessKey (AK) as an API credential to access resources on Alibaba Cloud through the API. A customer can also manage credentials for short-term access to resources through the Security Token Service (STS), or use multi-factor authentication (MFA) to add additional protection to the username and password. For services on the cloud, after identity authentication is completed, customers can use Alibaba Cloud's Resource Access Management (RAM) service for user identity management and resource access control.
Last, all data stored by customers on Alibaba Cloud is protected by strong tenant isolation security and control capabilities. Alibaba Cloud provides advanced data access controls to ensure strong multi-tenant isolation. For example, users can use security sandbox containers to strongly isolate memory, network, and I/O, thereby better isolating tenants from one another on a single host, and use a Virtual Private Cloud (VPC) to isolate the data link layer and build a secure network environment. They can also use security groups, an instance-level virtual firewall, to divide the security domains of each ECS instance, or use Cloud Firewall to analyze north-south and east-west network traffic. Cloud Firewall also supports visualization of network-wide traffic, such as Internet access and security group traffic, and the analysis and blocking of active outbound connection behavior. Refer to the Alibaba Cloud Security Whitepaper for more information about the security of specific data services.
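The access-control layer described above (main account, RAM users, AccessKeys, STS tokens, MFA, and RAM policies) and the later point that connected systems are protected by logical access controls rather than physical separation both come down to how a policy document is evaluated for a request. The following is an added example, not Alibaba Cloud's code or the RAM service's actual evaluator: a minimal evaluator for RAM-style policy documents that shows deny by default, explicit `Deny` taking precedence over `Allow`, and an MFA condition gating read access. The policy layout (`Version`, `Statement`, `Effect`, `Action`, `Resource`, `Condition`) and the `acs:MFAPresent` condition key follow the RAM policy model; the sample policy, the request context dictionary, the `evaluate` function and the resource string are constructed for this illustration, and only the `Bool` condition operator is implemented.

```python
"""Added example (not Alibaba Cloud code): evaluate a RAM-style policy document
against a request, illustrating deny-by-default, explicit-deny precedence and an
MFA condition. Assumed/simplified: only the Bool condition operator is supported,
and the evaluate() API, sample policy and request context are constructed here."""
from fnmatch import fnmatchcase

# Constructed sample policy for a RAM user: read-only ECS actions, but only when the
# session was authenticated with MFA; KMS key operations are explicitly denied.
SAMPLE_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["ecs:Describe*"],
            "Resource": ["*"],
            "Condition": {"Bool": {"acs:MFAPresent": "true"}},
        },
        {
            "Effect": "Deny",
            "Action": ["kms:Decrypt", "kms:Encrypt"],
            "Resource": ["*"],
        },
    ],
}

# Constructed resource identifier used in the requests below.
SAMPLE_RESOURCE = "acs:ecs:cn-hangzhou:123456789012:instance/i-constructed"


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _condition_holds(condition, context):
    """Check a Condition block against the request context.

    Only the Bool operator is implemented in this example; a missing context key
    is treated as "false", so a request without MFA fails an MFAPresent check.
    """
    for operator, pairs in condition.items():
        if operator != "Bool":
            raise ValueError(f"unsupported condition operator: {operator}")
        for key, expected in pairs.items():
            actual = str(context.get(key, "false")).lower()
            if actual != str(expected).lower():
                return False
    return True


def evaluate(policy, action, resource, context=None):
    """Return "Allow" or "Deny" for one request.

    Evaluation order: a matching explicit Deny wins immediately; otherwise any
    matching Allow grants access; if no statement matches, the default is Deny.
    """
    context = context or {}
    decision = "Deny"  # deny by default
    for stmt in policy["Statement"]:
        if not any(fnmatchcase(action, p) for p in _as_list(stmt["Action"])):
            continue
        if not any(fnmatchcase(resource, p) for p in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # explicit deny always takes precedence
        decision = "Allow"
    return decision


if __name__ == "__main__":
    mfa = {"acs:MFAPresent": "true"}
    print(evaluate(SAMPLE_POLICY, "ecs:DescribeInstances", SAMPLE_RESOURCE, mfa))  # Allow
    print(evaluate(SAMPLE_POLICY, "ecs:DescribeInstances", SAMPLE_RESOURCE))       # Deny (no MFA)
    print(evaluate(SAMPLE_POLICY, "kms:Decrypt", SAMPLE_RESOURCE, mfa))            # Deny (explicit)
    print(evaluate(SAMPLE_POLICY, "ecs:StartInstance", SAMPLE_RESOURCE, mfa))      # Deny (no match)
```

The design point to notice is that the denial of `ecs:StartInstance` comes from no statement matching at all, while the denial of `kms:Decrypt` comes from an explicit `Deny` that would win even if another statement allowed it; this is why a least-privilege policy grants narrow action patterns and why binding sensitive actions to an MFA condition adds protection beyond the password alone.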
Data Residency and Transfer
1. Where will the customer data reside?
Alibaba Cloud data centers (Regions and Zones) are built in clusters in various global regions. Customers can choose the Alibaba Cloud Region(s) or Zone(s) where their content will be located. (For a complete list of regions and zones, see https://www.alibabacloud.com/global-locations?spm=a2796.7919406.1389040.1.72d82d23x57l4m.) Customers maintain effective control over their content regardless of which Region(s) or Zone(s) they use for it. The customer should consider whether they should disclose to individuals (data subjects) the locations in which they store or process their personal data, and obtain any required consents relating to such locations from the relevant individuals if necessary. As between the customer and Alibaba Cloud, the customer has a relationship with the individuals whose personal data the customer stores on Alibaba Cloud, and therefore the customer is able to communicate directly with them about such matters.
2. Will Alibaba Cloud move my data (member content) without my permission (including transfers across national borders)?
Alibaba Cloud only stores and processes each customer's content in the Alibaba Cloud Region(s) chosen by the customer. Other than these processes, Alibaba Cloud will not move customer content without the customer's consent. If a customer chooses to store content in more than one Region, or to copy or move content between Regions, that is solely the customer's choice, and the customer will need to consider the legal requirements that apply to such operations wherever content is moved and processed.
If a customer needs to use Alibaba Cloud Services provided in other regions, Alibaba Cloud will take measures as are necessary to ensure the cross-border transfer is in compliance with applicable Data Protection Legislation. For example, Alibaba Cloud provides a GDPR Addendum that includes the Standard Contractual Clauses that are approved by European Commission Decision 2010/87/EU (or any subsequent decisions) or as referred to in Article 46 GDPR to Alibaba Cloud customers transferring content containing personal data (as defined in the GDPR) from the EU to a country outside of the European Economic Area.
Data Isolation and Separation
1. Does Alibaba Cloud, as a provider, adequately isolate customer data (member content)?
All data stored by customers on Alibaba Cloud is protected by strong tenant isolation security and control capabilities. Alibaba Cloud provides advanced data access controls. For example, users can use security sandbox containers to strongly isolate memory, network, and I/O, thereby better isolating tenants from one another on a single host, and use a Virtual Private Cloud (VPC) to isolate the data link layer and build a secure network environment. They can use security groups, an instance-level virtual firewall, to divide the security domains of each ECS instance, or use Cloud Firewall to analyze north-south and east-west network traffic. Cloud Firewall also supports visualization of network-wide traffic, such as Internet access or security group traffic, and the analysis and blocking of active outbound connection behavior. Refer to the Alibaba Cloud Security Whitepaper for more information about the security of specific data services.
2. What are the shortcomings of physical separation requirements, and why is logical separation more effective than physical separation?
Requirements for physically separated cloud offerings are primarily driven by concerns about third-party or other unauthorized access to applications, content, or data. However, for systems that are accessible over a network or the Internet, physical separation of those systems does not provide added security or control over access. Simply put, all access to connected systems is governed by logical access controls, permission management, network traffic routing, and encryption. Alibaba Cloud addresses physical separation concerns through the logical security capabilities it provides to all of its customers and the security controls it has in place to protect customer data. Physical separation also brings a higher cost structure and lower utilization resulting from less efficient use of space, as well as limited redundancy options and features compared with the geo-diversity of commercial data center regions.
Customers can leverage several different security approaches to achieve security outcomes equivalent to physical separation. For example, they can use a Virtual Private Cloud (VPC) to create the equivalent of completely separate network domains for each tenant, or use encryption solutions to encrypt data at rest and in transit. Refer to the Alibaba Cloud Security Whitepaper for more information about the security of specific data services.
EU General Data Protection Regulation (EU GDPR)
1. When does Alibaba Cloud act as a Data Controller?
When Alibaba Cloud collects personal data and determines the purposes and means of processing that personal data, it acts as a data controller. For example, Alibaba Cloud collects business contact information, such as a name, phone number, email address, or billing address, to create and store account information, such as a login account and account ID, as a data controller for account registration, administration, service access, and customer contact and support.
2. When does Alibaba Cloud act as a Data Processor?
When customers use Alibaba Cloud products or services to process personal data in their content, Alibaba Cloud acts as a data processor. Customers can use the controls available in Alibaba Cloud services, including security configuration controls, to process personal data. Under these circumstances, the customer may act as a data controller or a data processor, and Alibaba Cloud acts as a data processor or sub-processor. The GDPR Addendum to the Alibaba Cloud International Website Membership Agreement incorporates the commitments of Alibaba Cloud as a data processor. If you have more questions about GDPR, you can refer to this page: https://www.alibabacloud.com/trust-center/gdpr
3. What personal information does Alibaba Cloud collect when customers use Alibaba Cloud products and services? When is this information collected, and for what purpose?
When a customer uses Alibaba Cloud products or services to process their customer data (member content), this customer data may contain an individual’s personal information. Alibaba Cloud can access customer data only after obtaining customer permission in order to provide customers with Alibaba Cloud products and services, and Alibaba Cloud can only access and use this data to the extent permitted by the customer.