This topic describes the security responsibilities that Elastic Compute Service (ECS) and customers should assume.
Cloud security
With the rapid development of the Internet, China has introduced and refined more than two hundred laws and regulations related to cybersecurity and data security over the past few decades, including the Cybersecurity Law of the People's Republic of China (recognized as the basic law on cybersecurity of China) and the Data Security Law of the People's Republic of China (recognized as the basic law on data security of China), which impose strict requirements and standards on the business security and data security of enterprises. As customers adopt cloud computing, their focus shifts from how to migrate to the cloud to how to continuously and securely operate their business in the cloud and protect both their business and user information. In this context, cloud security and compliance are receiving more attention from enterprises.
To maintain good cloud security posture, a set of policies, control means, and technical means are collectively used to safeguard cloud infrastructure, data storage, data access, and applications and protect cloud-based business from security threats. Cloud security and compliance are shared responsibilities between Alibaba Cloud and customers. As an Alibaba Cloud customer, you must familiarize yourself with the risks that are associated with your cloud-based business. You must also engineer and put in place comprehensive safeguards to relieve operational burdens and prevent asset loss that is caused by security events.
Shared security responsibility model of ECS
ECS is an IaaS offering of Alibaba Cloud. The security of ECS is a shared responsibility between Alibaba Cloud and customers. The shared security responsibility model describes ECS security as security of the cloud and security in the cloud:
Security of the cloud: Alibaba Cloud is responsible for security of the cloud. Alibaba Cloud shall protect the infrastructure that runs ECS and provide you with services and resources that you can securely use, such as the physical hardware that hosts ECS instances, software services, network devices, and management services.
Security in the cloud: You are responsible for security in ECS. Specifically, you shall duly manage guest OSs (including updates and security patches), protect applications or tools that run in ECS, and monitor and safeguard the flow of information into and out of ECS. You shall securely configure and access ECS and the services that are hosted on ECS instances, such as performing network configurations in compliance with security rules and managing ECS permissions based on the principle of least privilege.
The following figure shows the shared security responsibility model of ECS.
Alibaba Cloud responsibility for security of the cloud
Alibaba Cloud provides the following four layers of protection to strengthen security of the cloud:
Data center security: Alibaba Cloud data centers are constructed in compliance with the Class A standards of GB50174 Code for Design of Electronic Information System Room and the Tier 3+ standards of TIA-942 Telecommunications Infrastructure Standard for Data Centers.
Disaster recovery of data centers: Alibaba Cloud data centers are installed with fire sensors, smoke sensors, and precise air-conditioning systems in hot-standby mode that maintain constant temperature and humidity. The data centers are powered by public power utilities that are backed up by a redundant power system.
Personnel management: Dual-factor authentication, such as fingerprint and identity verification, is used to access machine rooms, measurement areas, and storage rooms. Specific areas are physically isolated by using iron cages. Strict account management, identity authentication, authorization management, separation of duties, and access control are implemented.
O&M audit: Security monitoring systems are put in place in various areas of data centers. Production systems can be operated and maintained only by using bastion hosts. All operation records are logged and stored in a log platform.
Physical infrastructure security: Physical infrastructure includes physical servers, network devices, and storage devices. Physical infrastructure security builds on data center security and adds another layer of protection for services in the public cloud. The following measures are taken to protect Alibaba Cloud physical infrastructure:
Data destruction: Alibaba Cloud has developed a mechanism based on NIST Special Publication 800-88, Guidelines for Media Sanitization, to securely erase data from storage media. The mechanism allows Alibaba Cloud to delete data assets at the earliest opportunity and, when Alibaba Cloud terminates services for customers, to completely destroy data by sanitizing the storage media multiple times.
Storage asset management: Alibaba Cloud provides fine-grained, storage component-level management of storage assets and allocates unique hardware identification information to facilitate the search for storage media or small devices in which storage media reside. Storage media that are not securely sanitized or physically destroyed based on specific requirements cannot leave data centers or security control areas.
Network isolation: Alibaba Cloud isolates production networks from non-production networks and uses network access control lists (ACLs) to block access from cloud service networks to physical networks. Bastion hosts are deployed at the edges of production networks, and O&M personnel from office networks can access the production networks only by performing a multi-factor authentication step with domain accounts and dynamic passwords on the bastion hosts.
Virtualized system security: Virtualization is a pillar technology in cloud computing that allows you to create virtual representations of computing, storage, and network resources to isolate tenants in cloud computing environments. Alibaba Cloud provides virtualization security techniques, including tenant isolation, security hardening, escape detection and fix, live patching, and data erasure, to secure the virtualization layer.
Live patching: The virtualization platform supports live patching, which allows security patches to be applied to running systems without a reboot or an interruption of runtime.
Data erasure: After instances are released, data is completely erased from the storage media that are associated with the instances. This is a critical step towards data security.
Tenant isolation: Hardware-based virtualization technology provides operating-system-level isolation that separates each virtual machine from the other virtual machines that run on the same hardware. A tenant who has access to the guest OS of a virtual machine cannot breach this layer of isolation to access another virtual machine to which the tenant does not have access.
Compute isolation: Your virtual machines are isolated from the management system and the virtual machines of other customers.
Network isolation: Each virtual network is isolated from other networks.
Storage isolation: Compute-storage isolation ensures that each virtual machine can access only the physical disks that you make available to it.
Security hardening: Virtualization management programs and host OSs or kernels are security-hardened. Virtualization software must be compiled and run in a trusted execution environment to protect the entire chain.
Escape detection and fix: Advanced virtual machine placement algorithms are used to prevent malicious users from running virtual machines on specific physical machines and to prevent virtual machines from detecting the physical host environments in which they run. Suspicious behaviors of virtual machines are probed, and vulnerabilities are hotfixed.
Cloud platform security: The cloud platform provides cloud-based account management services, including the management of Alibaba Cloud accounts and RAM users and multi-factor authentication for logons. The cloud platform also provides access control services, including fine-grained access authorization and secure access.
Customer responsibility for security in ECS
You are responsible for security in ECS and shall secure what you put in or connect to ECS. You shall duly install OS update patches on ECS instances, configure appropriate security group rules to block unauthorized access to ECS instances, and encrypt data on ECS to increase data security.
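The security group configuration mentioned above is one of the customer-side responsibilities that is easiest to check mechanically. The following added example (not part of this topic or of any Alibaba Cloud tool) audits a constructed list of ingress rules, in a shape modeled on the Permission entries returned by DescribeSecurityGroupAttribute (field names are assumed here), flags rules that expose SSH or RDP to 0.0.0.0/0, and shows the corrected rule with the source restricted to a management CIDR.

```python
import ipaddress

# Constructed sample rules in the shape of ECS security group permissions.
# The field names (Direction, Policy, IpProtocol, PortRange, SourceCidrIp)
# are an assumption for this example; "-1/-1" denotes all ports.
SAMPLE_RULES = [
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "22/22", "SourceCidrIp": "0.0.0.0/0", "Priority": 1},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "3389/3389", "SourceCidrIp": "10.0.0.0/8", "Priority": 1},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "SourceCidrIp": "0.0.0.0/0", "Priority": 100},
    {"Direction": "ingress", "Policy": "Accept", "IpProtocol": "TCP",
     "PortRange": "443/443", "SourceCidrIp": "0.0.0.0/0", "Priority": 1},
    {"Direction": "egress", "Policy": "Accept", "IpProtocol": "ALL",
     "PortRange": "-1/-1", "DestCidrIp": "0.0.0.0/0", "Priority": 1},
]

# Ports that should never be reachable from the whole Internet.
MANAGEMENT_PORTS = {22, 3389}

def port_range(rule):
    """Return (low, high) for a PortRange string; "-1/-1" means all ports."""
    lo, hi = (int(p) for p in rule["PortRange"].split("/"))
    return (1, 65535) if lo == -1 else (lo, hi)

def is_wide_open(cidr):
    """True for an any-address source such as 0.0.0.0/0 or ::/0."""
    if not cidr:  # egress rules or group-based sources carry no SourceCidrIp
        return False
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def audit_ingress(rules):
    """Return the accept rules that expose a management port to any source."""
    findings = []
    for r in rules:
        if r.get("Direction") != "ingress" or r.get("Policy") != "Accept":
            continue
        if r["IpProtocol"].upper() not in ("TCP", "ALL"):
            continue  # SSH and RDP are TCP; ICMP/UDP rules are out of scope here
        if not is_wide_open(r.get("SourceCidrIp", "")):
            continue
        lo, hi = port_range(r)
        exposed = sorted(p for p in MANAGEMENT_PORTS if lo <= p <= hi)
        if exposed:
            findings.append({"PortRange": r["PortRange"],
                             "IpProtocol": r["IpProtocol"],
                             "exposed_ports": exposed})
    return findings

def restrict_source(rule, allowed_cidr):
    """Corrected rule: same ports, but only the given management CIDR may connect."""
    return {**rule, "SourceCidrIp": str(ipaddress.ip_network(allowed_cidr))}
```

Running audit_ingress on the sample flags the SSH rule and the all-ports rule but not the HTTPS rule or the RDP rule scoped to 10.0.0.0/8; restrict_source produces the replacement rule that clears the finding.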
Alibaba Cloud provides a series of security management and configuration tools that help you perform security configurations based on your requirements for increased business security. For more information, see the following topics: