Workload security - Well-Architected Framework - Alibaba Cloud Documentation Center

A workload in the cloud is a collection of related functions or atomic capabilities, such as servers, virtual machines (VMs), containers, networks, and databases, that support your IT business systems. The most common workload environments for enterprises are VMs and containers.

To effectively protect your VMs and containers:

Effectively identify your workloads and maintain a clear inventory of their asset fingerprints in the cloud.
Identify and manage vulnerabilities within your workloads.
Establish runtime protection mechanisms to secure your workloads.
Schedule regular security inspections to ensure your workloads remain secure and compliant.

Identify and inventory basic asset security information

Before implementing any security measures, understand your cloud assets, along with their basic and security-related information. Identifying and inventorying asset fingerprints helps you maintain up-to-date information about your assets and workloads.

Focus on the following types of asset fingerprints:

Asset fingerprint	Purpose	Security-related actions
Basic server information	Gathers server attributes such as region, network access method, and protection status to assess exposure risk and security posture.	Use basic server attributes to determine if the server has a public IP address. A directly accessible public IP address indicates a higher risk of external exposure. Check server information to determine whether it is protected by security tools. For example, verify that the Security Center Agent is installed to confirm its defensive capabilities.
Account	Tracks privileged and standard user accounts created and managed on the server.	During an incident investigation, analyze account information to determine whether new standard or privileged users were created before or after an event. This helps trace and pinpoint the attack.
Port	Tracks open ports and their associated network protocols and processes on the server.	Use this information to analyze and reduce port exposure. You can also centrally manage policies for externally exposed ports and use them for monitoring.
Process	Tracks processes created on the server.	Review process attributes such as path, start time, and launch parameters to analyze and identify malicious processes, such as backdoor implants.
Middleware	Tracks application middleware deployed on the server.	When a high-risk middleware vulnerability is announced, use this information to count the number and distribution of deployed middleware. This helps you quickly assess the impact of a vulnerability and prioritize remediation.
Scheduled task	Tracks scheduled task commands, execution accounts, and other details.	Check scheduled tasks for unauthorized commands or execution accounts to detect adversary persistence.
Startup item	Tracks startup item paths and their corresponding servers.	Analyze startup items to trace the source of an attack.

You need an automated method to collect, store, and analyze basic asset information. This automation helps you determine an incident's severity, understand the attack path, and decide on the appropriate response actions.

Best practices

To identify and inventory basic asset and security information, follow these steps:

Select a collection method and frequency for asset fingerprints. We recommend using an automated, agent-based collection method rather than network scanning.
Organize and store the collected asset fingerprints based on the seven categories outlined in the table above.
During a security incident or emergency response, review asset fingerprint updates to analyze for suspicious accounts, processes, scheduled tasks, or open high-risk ports.

Alibaba Cloud provides tools to help you quickly identify and inventory your basic asset and security information. Use Alibaba Cloud Security Center to automatically collect asset fingerprints and display them visually. The logs are stored in Simple Log Service (SLS), where you can configure alerts for monitoring and analysis, or use them for event context.

Asset vulnerability management

Vulnerabilities are one of the most common weaknesses exploited in cyberattacks. Implementing vulnerability management in the cloud effectively reduces a server's weaknesses, minimizes its risk exposure, and improves overall security.

You should create a comprehensive vulnerability management plan that includes the vulnerability detection cycle, evaluation criteria, remediation processes and responsibilities, and an emergency response plan.

We offer the following recommendations for vulnerability management:

Vulnerability management item	Recommendations
Vulnerability detection plan	Define the scope of vulnerability detection in the cloud. We recommend including operating systems, application components, container images, and code. Schedule regular scans for operating system and application vulnerabilities based on business system importance and internal requirements. Scan container images for vulnerabilities before deployment. Remediate high-risk images before deployment. Use static code scanning to check application source code for common issues. Consider hiring external experts to perform periodic penetration tests on critical business systems.
Vulnerability evaluation criteria	Refer to the Common Vulnerabilities and Exposures (CVE) documentation for a vulnerability's base score. In addition to the base score, assess the vulnerability's impact in your specific environment. Consider factors like the vulnerability's disclosure date, its exploitability, and the importance of the affected asset. Alibaba Cloud provides an assessment model that evaluates vulnerability risks in real-world environments, which can serve as a reference. For details, see Alibaba Cloud Vulnerability Scoring System.
Vulnerability remediation process	Base the decision to remediate a vulnerability on the impact of the fix and the scheduled business maintenance window.
Responsibilities for remediation	Typically, the security team is responsible for monitoring and assessing the risk, impact, and severity of vulnerabilities, and for notifying the business team to perform the remediation.
Vulnerability emergency plan	You must have an emergency plan for high-risk or 0-day vulnerabilities to enable a rapid response before official remediation guidance is available.

You must also understand the cloud shared responsibility model. Under this model, Alibaba Cloud is responsible for the security of the cloud platform and patching its vulnerabilities. You are responsible for the security in the cloud, which includes managing vulnerabilities in the workloads you build.

Best practices

For both Elastic Compute Service (ECS) instances and containerized deployments, image security is critical, especially at scale. Large-scale deployments across many member accounts present several challenges: different business units may build images arbitrarily, leading to inconsistent security baselines and increased risk. Distributing images across multiple regions and accounts is also difficult.

Alibaba Cloud recommends a golden image strategy. By building and managing images in a central, shared account, you can enforce security standards and restrict which image IDs application accounts can use. This prevents the use of non-compliant images. This strategy also uses resource sharing and automation to distribute images to all application accounts quickly and efficiently.

For image security, we recommend using Security Center to regularly scan your built images. This provides one-stop management for your application runtime environment's security.

For active workloads, Security Center provides robust vulnerability management capabilities.

Use the Security Center vulnerability management feature to automatically discover servers and assets in the cloud. Configure a vulnerability scanning task to enable automated detection.
Review the risk levels assigned to vulnerabilities in Security Center. Security Center provides a comprehensive vulnerability score and priority based on dimensions such as risk level, exploitability, and exposure time.
Use Security Center for one-click remediation of operating system vulnerabilities. Before applying a patch, review the repair notes and, to enable a rollback if needed, create a snapshot of the operating system.
For application vulnerabilities, view remediation suggestions, vulnerability details, and the scope of impact in Security Center. Security Center does not provide one-click remediation for application vulnerabilities.
For container image vulnerabilities, use Security Center to scan the images for vulnerabilities and other weaknesses.
Address emergency vulnerabilities using Security Center's self-check feature. The Alibaba Cloud security team provides intelligence on high-risk and 0-day vulnerabilities. Security Center detects whether any servers in your environment are affected. It can also integrate with a firewall's virtual patching function for rapid defense, enabling both proactive prevention and in-progress response.
Automate remediation by using Task Hub to create scheduled vulnerability-fixing tasks. You can target specific types, severity levels, or server groups. For more information, see Use the playbook feature in Security Center.

Runtime protection

Workload runtime protection provides in-progress defense for environments such as servers and containers. It works by deploying a security agent within the server or container environment, delivering threat detection, analysis, and response capabilities.

You should be aware of the following runtime threats. By understanding these attack methods, you can implement appropriate security measures to protect your workloads.

Runtime threat	Risk
Virus/Trojan	A Trojan is a program designed to infiltrate a user's server. Once disguised and implanted in a system, it typically downloads and drops other malware.
Ransomware	Ransomware is a malicious program that encrypts all critical data files on a server to demand a ransom.
Malicious modification	An upstream process attempts to move a system file. This may indicate an attacker trying to bypass detection logic by moving a system file monitored by security software.
Backdoor	This alert indicates a suspicious WebShell file, which could be a backdoor file an attacker implanted to maintain access after a successful website intrusion.
Abnormal logon	Two user logons occur on the server in a short time from distant locations, one being your usual logon location. This pattern suggests an account compromise.
Brute-force attack	An IP address successfully logs into a server after multiple failed attempts with invalid usernames.
Miner pool communication	The server is communicating with a known miner pool IP address. An attacker may have compromised your server for crypto-mining.
Internal network lateral movement	This alert indicates abnormal internal network connections. This could be an attacker moving laterally within your internal network after compromising a server.
Malicious script execution	A malicious Bash, PowerShell, Python, or other script is executing on the server.
Worm	A worm is a program that spreads from a compromised server to attack other servers. It often involves behaviors like vulnerability exploitation and brute-force attacks.
Suspicious privileged container	A suspicious privileged container starts. Privileged containers reduce the runtime security of a container, and a breach could compromise other containers and assets on the host.

Best practices

Security Center is Alibaba Cloud's native workload protection service. For more information, see What is Security Center? The Security Center Agent is installed by default when you create an ECS instance, enabling runtime protection for your workloads.

Security Center provides real-time runtime protection for workloads, including servers, containers, and other cloud products.

Enable runtime protection. To automatically deploy the Security Center Agent, select the security hardening option when you create an ECS instance. Then, activate the necessary Security Center features based on your protection needs.
Enable anti-virus scanning. Configure a scanning policy for all servers or for specific business-related servers, and set a scan schedule. For details, see Anti-virus.
Enable anti-ransomware protection. To protect your servers from ransomware attacks, configure the anti-ransomware feature. Security Center provides protection by detecting ransomware, deploying decoy directories, and backing up critical data. For details, see Anti-ransomware.
Enable host defense. To identify and block abnormal behavior on the host, configure host defense rules, such as rules against brute-force attacks or custom process alerts. For details, see Host rule management.
Enable container defense. Configure proactive container defense rules, such as prohibiting the startup of container images that have not passed a security scan or enabling container file protection. For details, see Container active defense.
Review runtime security alerts. View runtime alerts in Security Center. Alibaba Cloud Security Center categorizes alerts according to the ATT&CK framework, providing a more intuitive view of the attack path, process, and details. For details, see Security alerts.

Perform regular security inspections

Security is a dynamic, continuous, and adversarial process. Regularly inspect the security posture of your workloads by creating inspection and monitoring policies.

Create an inspection plan. Define an inspection schedule and assign responsibilities based on the importance of your business systems and their risk exposure.
Define inspection content. Your inspections should verify that the runtime protection agent is active on all assets to ensure full coverage. We recommend checking the security posture of workloads, vulnerability status, patch status, and the resolution of security events.
Automate inspections. Use automated tools to perform regular security inspections on your workloads. To help your security experts extract signal from the vast volume of security alerts, set relevant security monitoring metrics.