
Elastic Compute Service:Infrastructure security

Last Updated: Sep 05, 2024

Infrastructure security for Elastic Compute Service (ECS) covers three layers: physical machine security, hardware security, and virtualization security. On top of these, ECS provides essential host-protection measures, including unusual logon detection, Cloud Security Scanner, and baseline configuration checks, to help you identify potential security threats promptly.

Physical machine security

Alibaba Cloud data centers are constructed in compliance with the Class A standards of GB50174 Code for Design of Electronic Information System Room and the Tier 3+ standards of TIA-942 Telecommunications Infrastructure Standard for Data Centers.

  • Data center disaster recovery includes fire and smoke detection systems, dual utility grid power supplies, redundant power systems, and precision air conditioners with hot standby redundancy to maintain consistent temperature and humidity levels.

  • Personnel management involves access control with dual-factor authentication, such as fingerprints and identity verification, for segregated areas including data center rooms, electrical measurement zones, and storage areas. Physical isolation is further enforced with caged areas, complemented by stringent account, identity, authorization management, duty segregation, and access control.

  • O&M audit: Security monitoring systems are installed across the data center. O&M operations on production systems are exclusively conducted through Bastionhost, with comprehensive logging of all activities on the log platform.

  • Storage device asset management is tracked down to the smallest storage component, each tagged with a unique hardware identifier so that any storage medium, or the device containing it, can be located precisely. Storage media may not leave the data center or secure areas unless they have undergone secure erasure or physical destruction in accordance with the applicable standards.

  • Data destruction protocols adhere to the NIST SP800-88 secure erasure standard. Upon termination of customer services, Alibaba Cloud promptly deletes data assets and follows strict procedures to perform multiple data purges on storage media, ensuring complete data destruction.

  • Network isolation is enforced between production and non-production networks. Network ACLs prevent Alibaba Cloud service networks from accessing physical networks. Bastionhost is deployed at the production network perimeter, and office network personnel can only access the production network for management operations through Bastionhost, using multi-factor authentication with domain account passwords and dynamic passwords.

Hardware security

  • Hardware security hardening includes firmware baseline scanning, protection of high-performance GPU-accelerated instances, device firmware signature verification, and BMC firmware protection.

  • Confidential computing leverages a hardware trusted execution environment, with the root of trust based on the processor chip rather than the underlying software. This ensures that encrypted data is processed exclusively within the trusted execution environment, offering robust hardware-based data protection.

  • Trusted computing on key servers employs TPM/TCM technology. TPM/TCM and vTPM/vTCM technologies measure the startup process of the foundational software stack on physical and virtual machines, establishing a system startup trust chain to safeguard against malware or rootkits at the startup or kernel level.
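The startup trust chain described above works by extending each boot-stage measurement into a TPM Platform Configuration Register (PCR), so that a tampered stage changes the final PCR value and cannot be hidden by editing the event log. The following is an added illustration, not Alibaba Cloud's own code, using a single SHA-256 PCR bank and constructed placeholder component images:

```python
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR bank, initialised to all zeros at power-on


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM 2.0 PCR extend: PCR_new = SHA-256(PCR_old || digest). Not reversible, order-sensitive."""
    return hashlib.sha256(pcr + digest).digest()


def measure_boot_chain(components):
    """Each stage measures the next one before handing over control.

    Returns the final PCR value and the event log (stage name, digest) that
    a verifier would later replay. `components` is a list of (name, image_bytes).
    """
    pcr = bytes(PCR_SIZE)
    log = []
    for name, image in components:
        digest = hashlib.sha256(image).digest()
        pcr = extend(pcr, digest)
        log.append((name, digest.hex()))
    return pcr, log


def replay_log(log):
    """Recompute the PCR from the event log alone (what a remote verifier does)."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def verify(reported_pcr: bytes, log, golden_pcr: bytes) -> bool:
    """Attestation check: the log must replay to the TPM-quoted PCR, and that PCR
    must equal the expected (golden) value for the approved software stack."""
    return replay_log(log) == reported_pcr and reported_pcr == golden_pcr


# Constructed placeholder images; real measurements hash firmware, bootloader and kernel binaries.
GOOD_CHAIN = [("firmware", b"fw-v1"), ("bootloader", b"grub-v2"), ("kernel", b"linux-6.1")]
TAMPERED_CHAIN = [("firmware", b"fw-v1"), ("bootloader", b"grub-v2"), ("kernel", b"linux-6.1+rootkit")]


def demo():
    golden_pcr, _ = measure_boot_chain(GOOD_CHAIN)
    pcr_ok, log_ok = measure_boot_chain(GOOD_CHAIN)
    pcr_bad, log_bad = measure_boot_chain(TAMPERED_CHAIN)
    clean = verify(pcr_ok, log_ok, golden_pcr)          # approved stack: passes
    tampered = verify(pcr_bad, log_bad, golden_pcr)     # modified kernel: PCR mismatch
    forged_log = verify(pcr_bad, log_ok, golden_pcr)    # clean-looking log cannot replay to the real PCR
    return clean, tampered, forged_log
```

The third case is the point of anchoring measurements in hardware: an attacker who alters the kernel can rewrite the event log, but not the PCR value the TPM reports.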

Virtualization security

Virtualization technology, a cornerstone of cloud computing, ensures multi-tenant data isolation through compute, storage, and network virtualization. Alibaba Cloud's virtualization security comprises five key components: tenant isolation, security hardening, escape detection and repair, hotpatching, and data erasure, all of which fortify the security of the Alibaba Cloud hypervisor.

  • Tenant isolation is achieved using hardware virtualization technology to systemically separate virtual machines across multiple compute nodes, preventing a tenant from accessing another tenant's system resources without authorization.

    • Compute isolation ensures separation between management systems and customer virtual machines, as well as between different customer virtual machines.

    • Network isolation is maintained for each virtual network, keeping it separate from others.

    • Storage isolation is enforced by separating compute and storage resources, allowing virtual machines access only to their allocated physical disk space.

  • Security hardening involves bolstering the security of the virtualization hypervisor and host OS/kernel, with virtualization software compiled and executed within a trusted execution environment to secure the entire chain.

  • Escape detection and repair utilize advanced virtual machine layout algorithms to prevent malicious virtual machines from targeting specific physical machines. The system detects abnormal virtual machine behavior and promptly addresses vulnerabilities through hotpatching.

  • Hotpatching technology supported by the virtualization platform allows for patching without system restarts, ensuring uninterrupted user operations.

  • Data erasure ensures that after an instance server is decommissioned, its storage medium is securely erased to protect user data.