Enterprises are turning to the cloud to drive their businesses forward, leveraging cloud capabilities to react quicker and scale faster to meet fluid business requirements.
With cloud firmly in the mainstream, and even former detractors now using the cloud as the foundation of their digital transformation initiatives, it is unsurprising that worldwide public cloud revenue has been projected to reach US$266.4 billion in 2020 by analyst firm Gartner.
Security in the digital age
As businesses migrate existing on-premises workloads to the cloud or build cloud-native services, cybersecurity is a common consideration that is often highlighted. Given the rising prevalence of security incidents globally, how can organizations that are not specialists in the field of cybersecurity ensure that their cloud deployments are properly secured and protected against skilled hackers and other bad actors?
To deliver seamless security with minimum impact to performance, a hybrid approach that blends human and machine capabilities is essential. This calls for a blended defense strategy that leverages cutting-edge capabilities to detect and mitigate new threats to security, and cloud-centric measures to proactively defend against common attack vectors.
Of course, security must be aligned with evolving compliance requirements to stay relevant and establish trust with users around the world. On this front, Alibaba Cloud has more than 70 security and compliance accreditations worldwide. The cloud powerhouse was amongst the first platforms to fulfil the additional requirements of Germany’s Cloud Computing Compliance Controls Catalog (C5). In the Asia Pacific region, it also meets and fulfils the highest level of Singapore’s Multi-Tier Cloud Security (MTCS) standard.
Securing the Alibaba Cloud
As with any cloud provider, Alibaba Cloud works hard to ensure its cloud infrastructure is properly secured. This ranges from basics such as maintaining the physical security of cloud data centers to making sure that vulnerabilities in software and hardware are patched and mitigated, respectively.
Security vulnerabilities are typically identified and rectified by Alibaba Cloud without affecting customers' service availability. This is possible because the Alibaba Cloud virtualization platform supports hotfix patching to resolve system vulnerabilities without user intervention. Below are some of the ways that Alibaba Cloud keeps its cloud secure.
• Platform security: Alibaba Cloud uses a combination of physical measures, hardware security and virtualization technology to strengthen its cloud. This extends through the various layers of the stack and begins with efforts to harden system components at the hardware level.
For instance, regular firmware scanning ensures that the hardware baseline is maintained, while GPU instance protection guards the registers of graphics processing units against unauthorized access and their firmware against tampering. Moreover, Intel TPM 2.0 is leveraged to validate the underlying software stack during the bootup process, establishing a trusted environment for powering its cloud.
• Data security: To keep data secure, Alibaba Cloud manages and controls data through its entire lifecycle with encryption at every step of the way. It does so by utilizing a comprehensive range of services and capabilities that span data encryption, data recovery, and encryption key management.
Block storage devices used by virtual machines (VMs) rely on service-managed keys and customer-managed keys for encryption; database systems such as ApsaraDB for RDS use the same approach through transparent data encryption. Before disposal of storage assets, storage media containing sensitive data are first overwritten, degaussed and physically destroyed.
• Account security: Managing identity and resource access control with the Resource Access Management (RAM) service is an important dimension in the overall cloud security architecture. In line with industry best practices, multiple independent RAM users or groups can be created to manage cloud resources on Alibaba Cloud.
Multi-factor authentication (MFA) can also be enabled for the Alibaba Cloud console, while SAML 2.0-based Single Sign-On (SSO) is offered for enterprise integration to help users securely authorize access to resources. For short-term access to trusted entities, the Alibaba Cloud Security Token Service (STS) can be used to assign permission tokens with an expiration time as required.
While Alibaba Cloud goes to great lengths to secure its cloud platform so that customers can focus on their core business, the onus is ultimately on users to utilize relevant security features as part of a shared responsibility model to protect themselves. This is similar to any typical IT deployment and includes securing accounts and data and establishing adequate application security.
Application security has become an increasingly important consideration as pervasive digitization creates larger attack surfaces for attackers to exploit. To successfully defend against a myriad of possible attacks, security must be woven into every aspect of an application.
To assist enterprises to secure their applications, Alibaba Cloud offers a Security Center as a unified security management system to identify, analyze and alert administrators of cybersecurity threats.
It leverages threat intelligence gathered by Alibaba Cloud to detect abnormal server behavior and malicious domains in real time. The Web Application Firewall (WAF) service can further filter out malicious access attempts through vectors such as SQL injection attacks and common vulnerabilities in Web server plug-ins.
A big part of application security stems from the ability to keep serving users during a distributed denial of service (DDoS) attack. On that front, Alibaba Cloud offers comprehensive load balancing services that span Layer 4 to Layer 7 of the OSI model to defend against HTTP/S Flood attacks.
For large scale events such as Alibaba’s 11.11 Global Shopping Festival, the presence of security experts supported by an active defense infrastructure powered by AI was crucial in foiling malicious attacks and ensuring that systems ran smoothly without glitches or downtime.
The tried-and-tested system saw Alibaba Cloud successfully defend against some 4.7 million attacks during last year’s 11.11. By analyzing over a quarter of a trillion behavior records, it protected the mega e-commerce event against over 1,900 DDoS attacks and a traffic volume that peaked at 223 Gbps.
Finally, Alibaba Cloud offers data loss prevention (DLP) capabilities to ensure that sensitive data is not lost or accessed by unauthorized users. Among others, this includes data masking algorithms to automatically generate masked data to conform to local regulatory requirements.