Ali Cloud senior security expert Huang Ruirui

The goal of this solution is to give users data security protection that runs from the underlying cloud platform up to the cloud environment they operate, identifying the modules at each layer so that users can build trusted data security protection on the cloud layer by layer, much like building a house. Besides these horizontal modules, data security on the cloud also requires vertical authentication, authorization, access control and log audit functions, which together provide a controllable and compliant data security solution on the cloud.



Cloud data protection solutions

Generally speaking, a data security protection scheme on the cloud needs to satisfy three principles: trusted, controllable and compliant. In other words, only a compliant data security solution running in a trusted and controllable cloud environment can truly give customers the highest level of data protection. At the meeting, Huang Ruirui gave a targeted technical introduction to and discussion of these three principles.

At the cloud platform level, Ali Cloud provides customers with infrastructure that is secure to a high level by default, so that customers can store data and compute on a trusted cloud platform with confidence. It is worth noting that at the cloud platform level Ali Cloud hardens and scans the security of hardware and firmware, and uses TPM 2.0 technology to provide trusted measurement and attestation of the secure computing environment at the bottom of the cloud platform. At the same time, Ali Cloud offers secure computing capabilities based on hardware security modules (HSM) and chip-level SGX.



Ali Cloud infrastructure security capabilities

At the level of cloud products, data security is mainly reflected in the trusted data encryption, backup and verification capabilities provided by the products. At the meeting, Huang Ruirui gave a targeted explanation of the encryption capability of cloud products and specially introduced Ali Cloud's full-link encryption capability to the participants. Full-link encryption, as its name implies, refers to encrypting data on the transmission links as well as on the computing and storage nodes, each providing the corresponding high-level encryption capability for its industry. Transport encryption relies on SSL/TLS and provides AES256-strength encryption protection. On computing nodes, Ali Cloud began to provide a chip-level SGX encrypted computing environment in 2017 (among cloud vendors providing SGX capability, Ali Cloud ranks first in Asia and second in the world in providing this capability). In storage encryption, Aliyun not only provides high-strength (AES256) data encryption capability, but also provides a user's own key (BYOK) function through Key Management Service (KMS). Combined with KMS key management, Ali Cloud can provide users with full-link data encryption protection.



Data full-link encryption

Generally speaking, the data encryption process is that plaintext data is run through an internationally recognized secure algorithm to obtain ciphertext. In this operation, a securely held and managed key is the necessary and sufficient condition for the encryption to protect anything. In other words, whoever controls the key also controls the encryption operation as a whole. As early as 2015, Ali Cloud launched the industry's first "Data Protection Initiative", which made clear that the ownership of user data belongs to the user and that the cloud computing platform must not use it for other purposes without authorization. The user's own key (BYOK) is therefore an important technical means for Aliyun to protect user privacy and hand further control over data to customers. Since the user's own master key is the user's resource, and every call to it needs the user's authorization (through the Ali Cloud RAM service), the user has completely independent control over, and the initiative in, the use of encrypted data. At the same time, every call to user resources is fully recorded in the log audit, which gives better transparency guarantees for the use of encrypted data in the cloud.
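The storage leg of full-link encryption and the key-control model above (customer-held AES-256 master key, every use gated by authorization and written to an audit log) can be made concrete with a small simulation. This is an added example, not Ali Cloud's KMS or RAM code: the `KMS` type, its `Authorized` allow-list standing in for a RAM policy, and the principal names are assumptions for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KMS stands in for a key service holding a customer-imported (BYOK) AES-256 master key.
// The key never leaves the service: each Encrypt/Decrypt request is checked against an
// allow-list (the RAM authorization) and appended to an audit log before any crypto runs.
type KMS struct {
	MasterKey  []byte          // 32 bytes, imported by the customer (assumed BYOK key)
	Authorized map[string]bool // principals allowed to use the key (stands in for RAM)
	Audit      []string        // one entry per request, allowed or denied
}

// gcm records the request and returns an AES-256-GCM AEAD only for an authorized principal.
func (k *KMS) gcm(principal, op string) (cipher.AEAD, error) {
	ok := k.Authorized[principal] && len(k.MasterKey) == 32
	k.Audit = append(k.Audit, fmt.Sprintf("%s %s allowed=%t", principal, op, ok))
	if !ok {
		return nil, fmt.Errorf("%s denied for %q", op, principal)
	}
	block, _ := aes.NewCipher(k.MasterKey) // key length already validated, cannot fail
	return cipher.NewGCM(block)
}

// Encrypt returns nonce||ciphertext||tag, the form written to storage.
func (k *KMS) Encrypt(principal string, plaintext []byte) ([]byte, error) {
	aead, err := k.gcm(principal, "Encrypt")
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	rand.Read(nonce) // crypto/rand is documented never to return an error since Go 1.24
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// Decrypt needs the same authorization; a tampered blob fails the GCM tag check.
func (k *KMS) Decrypt(principal string, blob []byte) ([]byte, error) {
	aead, err := k.gcm(principal, "Decrypt")
	if err != nil {
		return nil, err
	}
	if ns := aead.NonceSize(); len(blob) >= ns {
		return aead.Open(nil, blob[:ns], blob[ns:], nil)
	}
	return nil, fmt.Errorf("ciphertext too short")
}
```

A denied request still produces an audit entry, which is the transparency property the paragraph describes: the log shows who tried to use the key, not only who succeeded.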



For data security protection on the cloud, Huang Ruirui proposed three technical points for sensitive data protection: classification and grading (sensitive data identification), access control, and anti-leakage capability. On classification and grading, although today's ordinary rule engines can recognize sensitive data in rule-describable formats, artificial intelligence (AI) engines must also be used effectively to meet increasingly strict user privacy requirements and laws and regulations. Today's AI engines can be paired with rule engines: the rule engine's low false-positive rate is used to bring down the AI engine's false positives, while the AI engine adds more intelligent data identification on top of the rules. Once sensitive data is identified, cloud services should provide fine-grained access control, in particular control over sensitive attributes of the data itself based on user attributes. Finally, anti-leakage capability for sensitive data must be fully provided at the network, terminal and application levels. Overall, data security protection on the cloud should offer comprehensive protection spanning the ability to identify data, control access to it, and prevent its leakage.



Three technical points of sensitive data protection

On the premise that Ali Cloud provides trusted and controllable data protection technology, it has further obtained the major authoritative compliance certifications in China and internationally. At present, Ali Cloud has become the most fully qualified cloud service provider in the Asia-Pacific region. It is the first enterprise in the Asia-Pacific region to obtain the German C5 and ISO 27001 certifications, and the first enterprise in China to obtain MTCS Level 3 and ISO 20000 certifications, providing customers with a high level of network security assurance.



Compliance certification obtained by Ali Cloud

The security mission of Ali Cloud is to achieve the ultimate in security on the cloud, to keep providing users with ever stronger security capabilities as solid backing, and to free users to focus on their own business problems. At the data protection level in particular, users must be given the most powerful comprehensive security protection capabilities. "Our goal is that when people think about moving to the cloud, they no longer ask whether they can go to the cloud because of security, but confirm that they must go to the cloud because of security," Huang Ruirui concluded.


This article is original content of the cloud habitat community and may not be reproduced without permission.