
Elastic Compute Service: Overview of security capabilities

Last Updated: Jan 20, 2026

Alibaba Cloud uses technical measures, such as hardware encryption, isolation, and user auditing, to provide a secure and reliable isolated computing environment. It also offers multiple levels of security protection to meet various security and performance requirements.

Overview

Alibaba Cloud provides default memory encryption, trusted computing (vTPM), and confidential computing capabilities that include Confidential VMs and enclaves.

  • Default memory encryption: Memory encryption protects memory data against physical attacks and improves data security in the cloud. You get this level of protection without modifying your operating system or applications. The general-purpose g8i and compute-optimized c8i instance families, among others, support memory encryption by default.

  • Trusted computing capability: Trusted instances use the virtual Trusted Platform Module (vTPM) at the hypervisor layer as a Root of Trust. This enables trusted boot for Elastic Compute Service (ECS) servers and verifies core components during instance startup to ensure that they have not been tampered with.

  • Confidential computing capability: This capability uses CPU hardware encryption and isolation to provide a trusted execution environment (TEE). The TEE protects data from unauthorized modification. You can also use remote attestation to verify that the cloud platform and instances are in the expected secure state.

    • Enclave security: Alibaba Cloud provides confidential computing capabilities based on Intel SGX 2.0 and Alibaba Cloud virtualization enclaves. This capability significantly reduces the Trusted Computing Base (TCB), which minimizes the potential attack surface for your services. This lets you build a more secure and trusted confidential environment. For more information, see Build an SGX confidential computing environment and Build an enclave confidential computing environment.

    • Confidential VM security: Confidential VMs allow you to run your sensitive workloads in the cloud using encrypted computing. This requires no code changes to your applications and helps protect your sensitive data. Alibaba Cloud provides Confidential VM capabilities based on Intel TDX. For more information, see Build a TDX confidential computing environment.

In addition, Alibaba Cloud deploys the self-developed Ali-PRoT (Platform Root-of-Trust) hardware security chip on ECS hosts. This provides out-of-the-box underlying hardware and firmware security without extra configuration. Its core capabilities include the following:

  • Proactive firmware measurement: Before the host starts, PRoT verifies the integrity of firmware such as BIOS and BMC. Unlike traditional passive recording methods, PRoT can proactively detect and block potential threats before the firmware executes. It only allows verified servers to start, ensuring host security at the source.

  • Runtime tamper-proofing: While the host is running, PRoT continuously monitors firmware reads and writes. It blocks unauthorized access and modifications in real time to ensure that the business environment remains trusted.

  • Hardware identity authentication: PRoT uses the unique hardware identity provided by the chip, together with the cloud platform's security control system, to securely authenticate physical servers. This prevents unauthorized devices from joining the cloud platform and raises the overall security level of the platform.
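The trusted-computing bullet above describes vTPM measured boot, where each core component is recorded into the vTPM as it starts and checked later, and the PRoT bullet describes proactive firmware measurement, where a component is verified before it is allowed to execute. The following Python example, added here and not Alibaba Cloud's own code, simulates both models over a constructed boot sequence so the difference is visible. The PCR extend rule (SHA-256 over the old PCR value concatenated with the new digest) is how real TPM PCR banks behave; the component names, image bytes, the allowlist and the `proactive_gate` function are assumptions for illustration. The signed attestation quote that carries real PCR values to a remote verifier is out of scope and omitted.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed boot sequence for a hypothetical host. Each entry is
# (PCR index, component name, component bytes). The bytes are placeholders
# standing in for firmware and boot images, not real images.
GOOD_BOOT: List[Tuple[int, str, bytes]] = [
    (0, "bios", b"bios-image-v1"),
    (0, "bmc", b"bmc-image-v1"),
    (4, "bootloader", b"bootloader-v1"),
    (4, "kernel", b"kernel-v1"),
]

PCR_SIZE = 32  # SHA-256 PCR bank: every PCR starts as 32 zero bytes


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM PCR extend: new = SHA-256(old || digest).
    The chain is order-sensitive and there is no operation that sets a
    PCR to a chosen value, which is what makes the record trustworthy."""
    return hashlib.sha256(pcr + digest).digest()


def replay_pcrs(events) -> Dict[int, bytes]:
    """Passive measured boot (vTPM style): each component is measured into
    its PCR as it runs. Nothing is blocked; a verifier later compares the
    reported PCR values with expected (golden) values."""
    pcrs: Dict[int, bytes] = {}
    for idx, _name, image in events:
        digest = hashlib.sha256(image).digest()
        pcrs[idx] = extend(pcrs.get(idx, bytes(PCR_SIZE)), digest)
    return pcrs


def mismatched_pcrs(reported, expected) -> List[int]:
    """Attestation-side check: which PCR indexes differ from the golden values."""
    return sorted(i for i in expected if reported.get(i) != expected[i])


def build_allowlist(events) -> Dict[str, set]:
    """Golden digests per component, the input to proactive verification (assumed format)."""
    allow: Dict[str, set] = {}
    for _idx, name, image in events:
        allow.setdefault(name, set()).add(hashlib.sha256(image).hexdigest())
    return allow


def proactive_gate(events, allowlist) -> Optional[str]:
    """PRoT-style proactive verification (hypothetical function): each
    component's digest is checked against the allowlist before it may run.
    Returns the name of the first component that fails, or None if the
    whole chain is permitted to start."""
    for _idx, name, image in events:
        if hashlib.sha256(image).hexdigest() not in allowlist.get(name, set()):
            return name
    return None


def tampered_boot(events, target: str, new_image: bytes):
    """Demo helper: copy of the boot sequence with one component replaced."""
    return [(i, n, new_image if n == target else img) for i, n, img in events]


if __name__ == "__main__":
    golden = replay_pcrs(GOOD_BOOT)
    allow = build_allowlist(GOOD_BOOT)
    bad = tampered_boot(GOOD_BOOT, "kernel", b"kernel-v1-with-patch")

    # Passive recording: the modified kernel still boots; only the later
    # comparison against golden values reveals that PCR 4 no longer matches.
    print("passive mismatch:", mismatched_pcrs(replay_pcrs(bad), golden))  # [4]
    # Proactive gate: the same modification is caught before the kernel runs.
    print("proactive block:", proactive_gate(bad, allow))                  # kernel
    print("clean boot block:", proactive_gate(GOOD_BOOT, allow))           # None
```

The replay also shows why PCR values are order-sensitive: measuring the same components in a different sequence produces a different PCR 4, so a verifier comparing against golden values detects reordering as well as substitution, whereas a per-component allowlist alone does not.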

Security capabilities overview diagram (image not reproduced here)

Security capability best practices