Elastic Compute Service:Data security

Last Updated: Aug 19, 2024

Data security means protecting digital data from unauthorized access, unauthorized use, tampering, and loss throughout the data lifecycle. In the cloud, data security is the lifeline of user business and the most visible measure of overall cloud security. As cyber threats continue to evolve and spread around the world, data protection becomes critical. Alibaba Cloud has the responsibility and obligation to secure user data. This topic describes how user data on Elastic Compute Service (ECS) instances is protected in terms of data integrity, confidentiality, and availability.

Ensure data integrity

Data integrity means using techniques such as checksum verification to confirm that data is accurate and consistent, and to prevent data from being accidentally or maliciously tampered with during transmission and storage.

To ensure the integrity of data in transit and at rest, ECS uses triplicate storage to achieve a data reliability goal of 99.9999999% (nine 9s), a secure data erasure mechanism to ensure that deleted data is completely erased, and cyclic redundancy checks (CRC) to protect data end to end.

  • Triplicate storage

    • Feature description: Data that is read from or written to a cloud disk is replicated into three chunk copies that are stored on different data nodes in a storage cluster based on a specific policy. The triplicate storage feature achieves a data reliability goal of 99.9999999% (nine 9s) on ECS instances and ensures data stability during read and write operations. For more information, see Triplicate storage.

    • Configuration method: By default, this feature is supported by cloud disks.

  • Data erasure mechanism

    • Feature description: Data deleted from the distributed block storage system is completely erased and can no longer be accessed or restored. This ensures the integrity of data.

      • At the underlying layer of cloud disks, the storage system appends data to existing files by using sequential writes, which takes full advantage of the high bandwidth and low latency of sequential writes to physical disks. When you delete a logical space from a cloud disk after data has been appended at the underlying layer, the delete operation is recorded as metadata, and the storage system returns only zeros for all subsequent reads from that logical space. Similarly, when you overwrite data in a logical space of a cloud disk, the storage system does not immediately overwrite the data in the corresponding physical space. Instead, it updates the mapping between the logical space and the physical space, so the overwritten data is no longer readable. Data fragments left behind by delete or overwrite operations are then forcibly and permanently erased from the underlying physical disks.

      • When you release an Elastic Block Storage (EBS) device (cloud disk), the storage system immediately destroys the metadata of the device to ensure that the disk data is no longer accessible. At the same time, the physical storage space of the disk is recycled. The physical storage space must be cleared before it is re-assigned. Before data is written to a new cloud disk, the system returns only zeros for all read requests.

    • Configuration method: By default, this feature is supported by cloud disks.

  • CRC

    • Feature description: By default, cloud disks perform end-to-end CRC on data during transmission and storage. The check is applied in the following scenarios to ensure that disk data is intact and not corrupted in transit or at rest:

      • Full-link CRC is performed on all data that is read and written.

      • The block storage system periodically performs CRC, redundancy, and consistency checks on data in persistent media.

    • Configuration method: By default, this feature is supported by cloud disks.
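As an added illustration of the triplicate storage and CRC mechanisms described above (example code written for this page, not ECS's storage implementation), the following Python model stores each chunk on three in-memory "nodes" with a CRC32, serves reads only from a replica whose CRC verifies, and runs a periodic scrub that repairs corrupt replicas from an intact copy; all chunk data is constructed.

```python
import zlib

# Simplified model of triplicate storage with end-to-end CRC (added example,
# not ECS's implementation). Three replicas of every chunk, each carrying a
# CRC32; reads verify the CRC, and a scrub pass repairs damaged replicas.
REPLICAS = 3

class TriplicateStore:
    def __init__(self):
        # node index -> {chunk_id: (crc32, data)}, kept in memory for the demo
        self.nodes = [{} for _ in range(REPLICAS)]

    def write(self, chunk_id, data: bytes):
        """Write the chunk and its CRC to all three replicas."""
        crc = zlib.crc32(data)
        for node in self.nodes:
            node[chunk_id] = (crc, data)

    def read(self, chunk_id) -> bytes:
        """Return the first replica whose stored CRC matches its data."""
        for node in self.nodes:
            entry = node.get(chunk_id)
            if entry and zlib.crc32(entry[1]) == entry[0]:
                return entry[1]
        raise IOError(f"chunk {chunk_id}: no intact replica")

    def scrub(self):
        """Periodic consistency check: verify every chunk on every node and
        rewrite any missing, CRC-failing, or divergent replica. Returns the
        number of replicas repaired."""
        repaired = 0
        for chunk_id in set().union(*self.nodes):
            good = self.read(chunk_id)  # raises if all three copies are bad
            for node in self.nodes:
                entry = node.get(chunk_id)
                if entry is None or zlib.crc32(entry[1]) != entry[0] or entry[1] != good:
                    node[chunk_id] = (zlib.crc32(good), good)
                    repaired += 1
        return repaired

    def corrupt(self, node_index, chunk_id, flip_byte=0):
        """Simulate silent media corruption on one replica (demo helper)."""
        crc, data = self.nodes[node_index][chunk_id]
        mutated = bytearray(data)
        mutated[flip_byte] ^= 0xFF
        self.nodes[node_index][chunk_id] = (crc, bytes(mutated))
```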

Ensure data confidentiality during data storage, transmission, and computing

Data confidentiality ensures that data can be accessed only by authorized individuals or systems, preventing unauthorized access and disclosure. It is achieved by using encryption: encrypted data cannot be read even if it is intercepted in transit or accessed without authorization at rest.

ECS provides security capabilities and solutions across the end-to-end process of data storage, transmission, and runtime to ensure data confidentiality in three aspects: confidentiality of data storage, confidentiality of network data transmission, and confidentiality of the computing environment in which data is processed.

Confidentiality of data storage

  • Disk encryption

    • Feature description: When you create a system disk or data disks together with an ECS instance, or when you separately create a data disk, you can enable encryption for the cloud disk. After the cloud disk is created, data from the operating system of the ECS instance to which the disk is attached is automatically encrypted when it is written to the disk and automatically decrypted when it is read. Encryption is transparent to the operating system, and you do not need to build or maintain key management infrastructure. Disk encryption protects the privacy and autonomy of data and provides a secure boundary for business data.

    • Configuration method: For more information, see Overview of cloud disk encryption.

    Important

    Enterprises with high security compliance requirements may require all Resource Access Management (RAM) users in their Alibaba Cloud accounts to encrypt data to ensure confidentiality. ECS allows you to configure custom policies that permit RAM users to create only encrypted disks. For more information, see the Custom policy that grants a RAM user the permissions to create only encrypted disks section of the "Custom policies for ECS" topic.

  • Snapshot encryption

    Snapshot encryption encrypts snapshots to back up data stored on encrypted cloud disks, including system disks and data disks. If a cloud disk is encrypted, its snapshots inherit the encryption attribute of the cloud disk, which allows the snapshot data to remain encrypted during storage or transmission. The snapshot data remains encrypted even if the snapshots are copied to another region or used to restore the cloud disk.

  • Image encryption

    Image encryption uses encryption algorithms to encrypt images and protect data stored in images from unauthorized access and disclosure. The image data cannot be read or decrypted even if an unauthorized user attempts to access the data. This secures the data stored in images. You can create an encrypted image from an ECS instance equipped with an encrypted system disk or from an encrypted snapshot. You can use the Copy Image feature to copy a non-encrypted image to an encrypted image.

Confidentiality of network data transmission

ECS provides the following capabilities for the confidentiality of data in transit: access to instance metadata in security hardening mode, secure access by using a VPN gateway, and access to ECS resources by using HTTPS.

  • Access instance metadata in security hardening mode

    • Feature description: In normal mode, Metadata Service can be accessed to view instance metadata without authentication. If the instance metadata contains sensitive information, it may be eavesdropped on or leaked over transmission links. If an application on the ECS instance has a Server-Side Request Forgery (SSRF) vulnerability, attackers can use it to read Metadata Service and obtain Security Token Service (STS) tokens, which leads to risks similar to an AccessKey leak. Compared with normal mode, security hardening mode provides better protection against SSRF attacks by requiring token-based authentication for access to instance metadata.

    • Configuration method: We recommend that you select security hardening mode to access Metadata Service and obtain metadata. For more information, see Obtain instance metadata.

  • Secure access by using a VPN gateway

    • Feature description: A VPN gateway allows you to establish encrypted tunnels that connect on-premises enterprise data centers, office networks, and Internet clients to Alibaba Cloud virtual private clouds (VPCs) in a secure and reliable manner. The VPN gateway provides two connection methods: IP Security (IPsec) VPN and Secure Sockets Layer (SSL) VPN. For IPsec-VPN, the gateway uses Internet Key Exchange (IKE) to negotiate keys and IPsec to encrypt transmitted data.

      • IPsec-VPN connection: Each data packet is encrypted by IPsec before the data packet is transmitted over an IPsec-VPN connection. IPsec is a collection of protocols used for data encryption and data authentication to ensure data integrity.

      • SSL-VPN connection: An SSL client certificate is installed on the client to establish an SSL-VPN connection between the client and the VPN gateway. SSL encrypts the traffic transmitted over the connection, authenticates the endpoints, and ensures data integrity.

      For more information, see What is VPN Gateway?

    • Configuration method: By default, this feature is supported.

  • Access ECS resources by using HTTPS

    Important

    Alibaba Cloud provides the acs:SecureTransport condition key. A policy that references this key restricts access to ECS resources to HTTPS, protecting the confidentiality of transmitted data. We recommend that you configure a custom policy that references the condition key and attach it to RAM users so that they can access ECS resources only over HTTPS. For more information, see Custom policies for ECS.
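As an added illustration of the security hardening mode for instance metadata described above (example code written for this page, not Alibaba Cloud's metadata service implementation), the following Python model issues short-lived tokens only in response to a PUT request that carries a TTL header, and serves metadata only to callers that present an unexpired token; the endpoint path and header names are assumed from Alibaba Cloud's metadata documentation (normalized to lowercase here), and the metadata values are constructed.

```python
import secrets
import time

# Simplified model of the metadata service's security hardening mode (added
# example, not ECS's implementation). Endpoint path and header names are
# assumed from Alibaba Cloud's metadata documentation.
TOKEN_PATH = "/latest/api/token"
TTL_HEADER = "x-aliyun-ecs-metadata-token-ttl-seconds"
TOKEN_HEADER = "x-aliyun-ecs-metadata-token"
MAX_TTL_SECONDS = 21600

class HardenedMetadataService:
    def __init__(self, metadata, clock=time.time):
        self.metadata = metadata      # path -> value (constructed sample data)
        self.clock = clock            # injectable clock so expiry can be tested
        self.tokens = {}              # token -> expiry timestamp

    def handle(self, method, path, headers):
        """Return (status, body) for one request, mimicking the hardened mode."""
        headers = {k.lower(): v for k, v in headers.items()}
        if path == TOKEN_PATH:
            # A token is issued only for PUT with an explicit TTL header; a plain
            # GET with default headers, the usual SSRF shape, receives nothing.
            if method != "PUT" or TTL_HEADER not in headers:
                return 400, ""
            try:
                ttl = int(headers[TTL_HEADER])
            except ValueError:
                return 400, ""
            if not 1 <= ttl <= MAX_TTL_SECONDS:
                return 400, ""
            token = secrets.token_urlsafe(32)
            self.tokens[token] = self.clock() + ttl
            return 200, token
        # Every metadata read must carry a valid, unexpired token.
        token = headers.get(TOKEN_HEADER)
        expiry = self.tokens.get(token)
        if expiry is None or expiry <= self.clock():
            self.tokens.pop(token, None)  # drop expired tokens eagerly
            return 401, ""
        if path not in self.metadata:
            return 404, ""
        return 200, self.metadata[path]
```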
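The following added example (not from the original page or Alibaba Cloud's own documentation) shows a RAM custom policy in Alibaba Cloud policy syntax that allows ECS actions only when the acs:SecureTransport condition key is true, together with a simplified evaluator for that Bool condition; the evaluator is an illustrative model of how the condition gates the Allow statement, not the RAM policy engine, and its wildcard handling is limited to trailing `*`.

```python
# Added example: RAM custom policy that grants ECS access only over HTTPS,
# plus a simplified evaluator for its Bool condition. The policy follows
# Alibaba Cloud RAM policy syntax; the evaluator is an illustrative model,
# not the RAM engine (it supports only trailing-wildcard matching and Bool).
HTTPS_ONLY_POLICY = {
    "Version": "1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "ecs:*",
            "Resource": "*",
            "Condition": {"Bool": {"acs:SecureTransport": "true"}},
        }
    ],
}

def _matches(pattern, value):
    """Trailing wildcard: 'ecs:*' matches every action of the ecs service."""
    if pattern.endswith("*"):
        return value.startswith(pattern[:-1])
    return pattern == value

def _condition_holds(condition, context):
    """Evaluate the Bool operator only; a missing context key fails the check."""
    for key, expected in condition.get("Bool", {}).items():
        actual = context.get(key)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True

def _as_list(value):
    return value if isinstance(value, list) else [value]

def evaluate(policy, action, resource, context):
    """Explicit Deny wins; a matching Allow grants; otherwise implicit Deny.
    context carries request attributes such as acs:SecureTransport."""
    decision = "Deny"
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt["Action"])):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt["Resource"])):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision
```

A request made over plain HTTP carries acs:SecureTransport as "false", so the Allow statement does not match and the request falls through to the implicit Deny.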

Confidentiality of the computing environment for data runtime

  • Feature description: In addition to the confidentiality of data storage and transmission, the confidentiality of the computing environment for data runtime is important. Compute- and security-optimized ECS instances use technical methods, such as hardware encryption, isolation, and user audit capabilities, to provide secure, reliable, and isolated computing environments and different layers of protection to meet various security and performance requirements. The instance types of compute- and security-optimized ECS instances cover host memory encryption, trusted computing, and confidential computing. For more information, see Overview of security capabilities.

  • Configuration methods: For more information, see Trusted computing capabilities, Confidential computing capabilities, and Best practices for security capabilities.

Ensure data availability by using backup and restoration solutions

  • Feature description: Data availability ensures that data remains in a complete, consistent, and accurate state throughout the data lifecycle. Data availability is ensured by data backup and restoration capabilities. ECS provides various security capabilities for data backup and restoration to meet data availability requirements, including snapshot-based backup and restoration, image-based backup and restoration, data restoration for data disk partitions, and multi-zone deployment architecture for data disaster recovery and restoration.

  • Configuration methods: For more information, see Disaster recovery solutions.