Security and Monitoring Practices — Alibaba Cloud Storage Solutions — Part 1

By Shantanu Kaushik

Cloud storage has evolved in-sync with cloud computing. Over the years, different practices and trends have set a steady pace of development for the industry and the technology that drives it. Security and access control define the two most important parameters for any technology to work correctly.

Maintaining functionality and user experience is critical. Any product that can maintain a steady delivery system can account for high data durability. This persistence of service is what sets the Alibaba Cloud Storage solutions apart. In this article, we will showcase the implementation scenarios that make your choice of cloud storage a secure one.

Integration with industry-leading tools like the Alibaba Cloud Resource Access Management (RAM) service and the latest encryption model is the key focus of this article.

Security with Storage

Access Control

Access Control List

Resource Access Control

Hotlink Protection


Server-Side Encryption

You can implement the following methods for server-side encryption:

In this method, the Customer Master Keys (CMKs) are rotated regularly to ensure better security practices and to enable regular encrypting and decrypting operations on objects. Object Storage Service uses AES-256 for encryption of objects with different data keys. The data keys are generated and managed by OSS.

  • Server-Side Encryption With CMKs Stored in the Key Management Service (KMS)

SSE-KMS enables encryption and decryption of large amounts of data using a specified CMK ID or a default key stored in KMS. This is relatively a more cost-worthy method as there is no requirement of transmitting user data to KMS through networks.

KMS is secure, can be easily managed, and uses AES-256 encryption. Alibaba Cloud KMS has high integrity, security, and availability features and offers a seamless experience. It allows you to custom-build encryption/decryption solutions to align with your business needs.

Client-Side Encryption

There are two ways to use Client-Side encryption:

  • Using CMK managed by KMS
  • Using CMK managed by yourself

CMK Managed by KMS

The basic steps included are:


  • A specified CMK ID is used to request a data key. This data key is used to encrypt the object from KMS.
  • KMS returns a random data key and an encrypted data key.
  • The data key is used to encrypt the object.
  • The encrypted object and encrypted data key are uploaded to Alibaba Cloud OSS.


  • The encrypted object is downloaded
  • The encrypted data key is included in the object’s metadata
  • CMK ID and the encrypted data key are sent to KMS
  • KMS uses the CMK to decrypt the data key and returns it to the client

Self-Managed CMK

The illustration below depicts this scenario:

Encrypt an Object

  • Generate a CMK (Symmetric or Asymmetric)
  • Generate a random data key that is unique for each upload
  • The data key is used to encrypt the object
  • CMK is used to encrypt this data key
  • The encrypted data key is included in the metadata of the object

Decrypt an Object

  • Encrypted Object is downloaded
  • Encrypted data is included with the metadata
  • CMK is determined based on object metadata
  • The data key is generated using the CMK
  • CMK is used to decrypt the data key
  • The data key is used to decrypt the object

Wrapping Up

Upcoming Articles

We will focus on Object Storage Service Sandboxing, overall monitoring, and metrics collection with Alibaba Cloud Storage Solutions.

2. Apsara File Storage NAS — What and How?

We will discuss the complete architecture and usage scenarios with the Apsara File Storage NAS solution by Alibaba Cloud.

Original Source:

Follow me to keep abreast with the latest technology news, industry insights, and developer trends.