3.2. How does a multi-tenant cloud protect against unauthorized third-party access to customer data (Member content)?
Member content (customer data) refers to the content that customers submit or upload onto Alibaba Cloud Services under a customer's account, specifically the content running on the Alibaba Cloud Services.
Firstly, Alibaba Cloud will not access or use customer data unless expressly authorized by the customer. Customers manage access to their Member content as well as Alibaba Cloud services and resources.
Secondly, Alibaba Cloud provides an advanced set of access, encryption, and logging features to help customers effectively prevent unauthorized access. For example, users can log in to the cloud service console with their cloud account (that is, their main account) or with the password of a Resource Access Management (RAM) user under that cloud account, and then perform operations on their cloud resources. They can also call cloud service APIs with Alibaba Cloud Access Key (AK) credentials to access resources on Alibaba Cloud. A customer can also manage credentials for short-term access to resources through the Security Token Service (STS), or use multi-factor authentication (MFA) to add protection on top of the username and password. For services on the cloud, after identity authentication is completed, customers can use Alibaba Cloud's Resource Access Management (RAM) service for user identity management and resource access control.
All data stored by customers on Alibaba Cloud is protected by strong tenant isolation and security control capabilities. Alibaba Cloud provides advanced data access controls to ensure strong multi-tenant isolation. For example, users can use security sandbox containers to strongly isolate resources such as memory, network, and I/O, thereby better isolating tenants that share a single host. They can use a Virtual Private Cloud (VPC) to isolate at the data link layer and build a secure network environment. They can also use security groups, which are instance-level virtual firewalls, to divide ECS instances into security domains, or use cloud firewalls to analyze north-south and east-west network traffic. Users can also visualize network-wide traffic, such as Internet access and security group traffic, and analyze and block active outreach behavior. Refer to the Alibaba Cloud Security Whitepaper for more information about the security of specific data services.