Alibaba Cloud Risk Identification and Detection Best Practices

Updated at: 2023-09-25 06:57

Alibaba Cloud Comprehensive Risk Assessment and Identification Services

Alibaba Cloud provides enterprise customers with a cloud-based comprehensive risk assessment and identification service, which covers the following areas:

  • Asset Identification and Analysis: Identify the business and its key assets, and analyze the security attributes of the core assets. Analyze the impact on the business systems if critical assets are leaked, interrupted, damaged, or otherwise compromised.

  • Threat Identification and Analysis: Identify the threat sources facing the assessed information system through threat investigation, sampling, and other means. Analyze the capabilities and motivations of those threat sources and the attack methods they employ.

  • Vulnerability Detection and Analysis: Detect vulnerabilities in the deployment architecture, configuration, and security protection of the cloud-based workloads. Perform static analysis of the information system's design and security solutions to identify architectural vulnerabilities. Use security scanning, configuration auditing, and other methods to identify vulnerabilities in the cloud assets within the scope of the assessment. Classify vulnerabilities by area (basic environment, architecture, technology, and security management), and for each one analyze how easily it can be exploited and what the impact of successful exploitation would be.

  • Security Posture Identification and Analysis: Assess how effectively the existing security measures address risk, using questionnaires, manual inspections, and other means. Analyze how well those measures prevent threats and reduce vulnerabilities.

  • Comprehensive Risk Analysis: Combine the results above: for each risk, identify the threats the workload and its key assets face, the vulnerabilities those threats would exploit, and the types of assets affected. Describe the countermeasures taken to prevent the threats and reduce the vulnerabilities, and quantify the residual risk.
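The configuration-auditing and risk-quantification steps above can be tied together in a small script. The following is an added example, not code from the Alibaba Cloud page or any Alibaba Cloud product or API: it runs one illustrative check (an administrative port reachable from 0.0.0.0/0) over a constructed asset inventory, rates exploitability by whether the asset is actually exposed on a public IP, multiplies that by the asset's business criticality, and ranks the findings. The inventory layout, the port list, and the 1 to 3 scoring scales are all assumptions chosen for illustration.

```python
"""
Added example: configuration audit + risk quantification over a constructed
asset inventory. Not an Alibaba Cloud data format or API; the inventory,
port list and scoring scales are illustrative assumptions.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Constructed sample inventory. criticality: 1 = low, 3 = high business impact.
# ingress rules are (protocol, port, source CIDR).
ASSETS = [
    {"id": "i-web-01", "role": "web frontend", "criticality": 2, "public_ip": True,
     "ingress": [("tcp", 443, "0.0.0.0/0"), ("tcp", 22, "0.0.0.0/0")]},
    {"id": "i-db-01", "role": "order database", "criticality": 3, "public_ip": False,
     "ingress": [("tcp", 3306, "10.0.0.0/8"), ("tcp", 22, "10.0.1.0/24")]},
    {"id": "i-db-02", "role": "payment database", "criticality": 3, "public_ip": True,
     "ingress": [("tcp", 3306, "0.0.0.0/0")]},
    {"id": "i-cache-01", "role": "session cache", "criticality": 2, "public_ip": False,
     "ingress": [("tcp", 6379, "0.0.0.0/0")]},
    {"id": "i-bastion", "role": "bastion host", "criticality": 1, "public_ip": True,
     "ingress": [("tcp", 22, "203.0.113.0/24")]},
]

# Illustrative list of services that should never be exposed to the whole Internet.
ADMIN_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 6379: "Redis", 27017: "MongoDB"}


@dataclass
class Finding:
    asset_id: str
    description: str
    exploitability: int  # 1..3: how easily an attacker can reach and exploit it
    criticality: int     # 1..3: business impact if the asset is compromised

    @property
    def risk(self) -> int:
        # Simple likelihood x impact product on a 1..9 scale (assumed scale).
        return self.exploitability * self.criticality


def is_world_open(cidr: str) -> bool:
    """True when the source CIDR covers the entire address space (0.0.0.0/0 or ::/0)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit_asset(asset: dict) -> list:
    """Run the world-open-admin-port check against one asset's ingress rules."""
    findings = []
    for proto, port, cidr in asset["ingress"]:
        if port in ADMIN_PORTS and is_world_open(cidr):
            # A world-open rule on a host without a public IP is a latent
            # weakness (exploitable only after a foothold), so it rates lower.
            expl = 3 if asset["public_ip"] else 1
            findings.append(Finding(
                asset["id"],
                f"{ADMIN_PORTS[port]} ({proto}/{port}) reachable from {cidr}",
                expl,
                asset["criticality"],
            ))
    return findings


def audit(assets: list) -> list:
    """Audit every asset and return findings ordered by descending risk score."""
    findings = [f for a in assets for f in audit_asset(a)]
    return sorted(findings, key=lambda f: f.risk, reverse=True)


def risk_level(score: int) -> str:
    """Map the numeric score onto the report's qualitative levels (assumed thresholds)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


if __name__ == "__main__":
    for f in audit(ASSETS):
        print(f"{risk_level(f.risk):6} score={f.risk}  {f.asset_id}: {f.description}")
```

Running the script ranks the Internet-exposed payment database (score 9) above the web server with world-open SSH (score 6) and the internal cache whose open rule is only a latent weakness (score 2), which is the asset/vulnerability/impact chain the report is meant to present; a real assessment would pull the inventory from the cloud provider's API and use many more checks.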

Risk Assessment Principles

Critical Workload Principle: The organization's critical workloads are the core of the security risk assessment project, and the networks and systems that support those workloads are the focus of the assessment work.

Controllability Principle:

  • Service Controllability: The assessment party should first hold an assessment kick-off meeting with the user to walk through the entire assessment workflow and clarify what the user needs to provide, so that the security assessment can proceed smoothly.

  • Personnel and Information Controllability: All assessment personnel must sign confidentiality agreements to protect project information. Intermediate and final result data generated during the project must be strictly controlled and not disclosed to any organization or individual without authorization.

  • Process Controllability: Establish a project implementation team and make a named project team leader accountable, in line with the project management requirements, so that the process remains controllable.

  • Tool Controllability: The user must be notified in advance of the assessment tools the security assessors intend to use, including the tools themselves and the testing strategy, and must grant permission before the project is implemented.

Minimum Impact Principle: Risk assessment of online workloads must follow the minimum impact principle, which means keeping the business workload stable. Before running attack tests against a business workload, agree on the test scope with the user and back up the systems and data the tests will touch. Avoid running tests during peak business hours.

Confidentiality Principle: Before implementing risk assessment, the assessors should sign a written confidentiality agreement with the project managers of the assessed system.

Risk Assessment Process

The process is divided into three stages: online assessment implementation, data analysis and organization, and risk assessment report writing:

  • Online Assessment: This stage carries out the online assessment work itself: establishing the security status of the business workload through asset surveys, security baseline scanning, vulnerability scanning, penetration testing, personnel interviews, and other methods.

  • Data Analysis: This stage analyzes and organizes the data collected in the assessment stage to provide the basis for the risk assessment report.

  • Report Writing: This stage produces and revises the risk assessment report. Write the report from the results of the data analysis, including remediation recommendations for the security risks and vulnerabilities found in the business workload, then review it with the responsible person and revise it as needed.
