In the hosted cluster architecture of Container Compute Service (ACS), security compliance must follow the principle of shared responsibility. ACS is responsible for ensuring the security of the infrastructure resources on which clusters are deployed and the security of control plane components. This topic describes the shared responsibility model of ACS.
Terms
The following terms are frequently used in this topic:
Platform: refers to the ACS console.
Customer: refers to the customers of ACS.
Principles for allocating security responsibilities
As a serverless platform, ACS fully hosts resources. Alibaba Cloud and customers must be aware of the boundary between their own security responsibilities. The following principles are used to allocate responsibilities.
1. Responsibilities of Alibaba Cloud
Alibaba Cloud bears the responsibility of ensuring the security and reliability of the serverless platform, guaranteeing infrastructure security, providing secure data storage and processing services, and protecting the confidentiality of customer data. Alibaba Cloud must ensure the compliance of infrastructure, management, and security practices, protect the applications of customers against attacks, and guarantee the privacy and integrity of customer data.
2. Responsibilities of customers
Customers bear the responsibility of ensuring the security of serverless applications, including application data security, access control, code security, and code auditing. In addition, customers must take effective authentication and authorization measures to ensure that only authorized individuals or teams can access the applications. The principles include:
Customers are responsible for security risks posed by themselves: Customers are liable for business interruptions caused by the deployment of pods with potential security risks or excessive authorization.
Customers are responsible for the container privileges that they have applied for: By default, the platform forbids features that may severely compromise the stability and security of containers, such as the privileged mode and capabilities. However, customers can apply to use these features. If stability or security issues occur due to the use of these privileged features, such as horizontal attacks targeting other pods in the cluster, customers are liable for the consequences.
3. Responsibilities for ensuring the security of co-managed resources
Some resources on the platform, such as pod security groups created by customers, cannot be managed and used solely by customers. Ideally, these resources would be fully hosted on Alibaba Cloud. However, customers may want to manage or control these resources for certain reasons. In this case, the following principles apply.
Each party is liable for the risks that it poses. If a customer creates pods that have potential risks or uses an image that has been injected with malware, the customer is liable for any failures arising therefrom. Alibaba Cloud guarantees that all pods managed by ACS do not have potential risks and will not affect the businesses of customers.
Both parties must follow the least privilege principle. If a customer exposes an excessive amount of resources to public access, the customer is liable for any consequences or attacks arising therefrom. Alibaba Cloud guarantees that the security groups of all pods in ACS are not excessively exposed to public access and no container escape risk exists in the application pods of customers.
Security is a comprehensive and layered system that requires Alibaba Cloud and customers to each bear their own responsibilities and to work closely together. Alibaba Cloud bears the responsibility of ensuring infrastructure security and compliance. Customers bear the responsibility of ensuring application and data security. For shared responsibilities, Alibaba Cloud proactively takes actions to mitigate potential risks and provides serverless services with enhanced security.
Understand the shared responsibility model
You must understand the shared responsibility model and the responsibility boundary between Alibaba Cloud and customers before you design and deploy your business systems. Alibaba Cloud not only hosts the infrastructure of ACS clusters but also guarantees the security of the runtime environment and relevant components. The following figure shows the responsibilities of Alibaba Cloud and customers in the serverless architecture of ACS clusters.
1. Responsibilities of Alibaba Cloud
On the control plane side, Alibaba Cloud enhances the security of control plane components in ACS clusters based on common security standards such as CIS Kubernetes Benchmarks and guarantees the security of the lifecycle of cloud-native applications based on Security system overview. The following table describes the security responsibilities of Alibaba Cloud in detail.
Security item | Description |
Infrastructure security | |
Security of elastic computing resource pools | |
Security of control plane components and hosted components | Handles cluster authentication, certificate management, and Secret management, and assesses ports exposed to external access, VPC isolation, and security group configurations. |
Security of non-hosted components and charts in the marketplace | Standardizes the key configurations to ensure security. |
2. Responsibilities of customers
On the data plane side, the security O&M engineers of customers must ensure the security of applications deployed on the cloud and are responsible for the security configuration and updates of cloud resources. The following table describes the security responsibilities of customers in detail.
Security item | Description |
Application security | |
O&M security | Manage the network configuration and storage configuration of the business cloud and the business observability configuration. |
Business component security | Strictly limit the business logic of operators and webhooks so that they do not compromise the security of other applications. |
Security of non-hosted components and charts in the marketplace | |