Security and Monitoring Practices — Alibaba Cloud Storage Solutions — Part 1

Security with Storage

Access Control

Access Control List

Resource Access Control

Hotlink Protection

Encryption

Server-Side Encryption

  • Server-Side Encryption With CMKs Stored in the Key Management Service (KMS)

Client-Side Encryption

  • Using a CMK managed by KMS
  • Using a CMK that you manage yourself

CMK Managed by KMS

  • A data key is requested from KMS by specifying a CMK ID; this data key will be used to encrypt the object.
  • KMS returns a random data key and an encrypted copy of that data key.
  • The data key is used to encrypt the object.
  • The encrypted object and the encrypted data key are uploaded to Alibaba Cloud OSS.
  • The encrypted object is downloaded.
  • The encrypted data key is included in the object's metadata.
  • The CMK ID and the encrypted data key are sent to KMS.
  • KMS uses the CMK to decrypt the data key and returns it to the client.

Self-Managed CMK

  • Generate a CMK (symmetric or asymmetric).
  • Generate a random data key that is unique for each upload.
  • The data key is used to encrypt the object.
  • The CMK is used to encrypt this data key.
  • The encrypted data key is included in the metadata of the object.
  • The encrypted object is downloaded.
  • The encrypted data key is included with the metadata.
  • The CMK is determined based on the object metadata.
  • The data key is generated using the CMK.
  • The CMK is used to decrypt the data key.
  • The data key is used to decrypt the object.
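Both client-side flows above, KMS-managed and self-managed CMK, have the same envelope-encryption shape: one fresh data key per upload, the object encrypted under the data key, the data key encrypted under the CMK, and the CMK ID plus the encrypted data key carried in the object's metadata so the download side can find the right CMK. The Go program below is an added example written for this page; it is not code from the article or from the Alibaba Cloud OSS SDK. It implements the self-managed-CMK flow end to end with AES-256-GCM from the standard library, keeping the CMKs in a plain map that stands in for the client's key store, and it notes where a KMS-managed CMK would differ. The metadata key names, the CMK ID "cmk-demo", the sample plaintext and the map-based key store are all constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// Metadata key names are constructed for this example, not the OSS SDKs' own.
const metaCMKID, metaWrappedKey = "cmk-id", "wrapped-data-key"

// aeadSeal encrypts with AES-256-GCM and returns nonce || ciphertext.
func aeadSeal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// aeadOpen reverses aeadSeal; any change to nonce, ciphertext or aad fails.
func aeadOpen(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, fmt.Errorf("sealed data shorter than nonce")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Encrypt is the upload side: a fresh data key per object, the object sealed
// under it, the data key wrapped under the CMK, and CMK ID plus wrapped key
// returned as the object metadata to upload alongside the body. cmks holds
// self-managed CMKs by ID; with a KMS-managed CMK the wrap and unwrap of the
// data key become KMS requests carrying the CMK ID, and nothing else changes.
func Encrypt(cmks map[string][]byte, cmkID string, plaintext []byte) ([]byte, map[string]string, error) {
	dataKey := make([]byte, 32) // AES-256 data key, never reused across uploads
	if _, err := rand.Read(dataKey); err != nil {
		return nil, nil, err
	}
	// The CMK ID is additional authenticated data, binding the body to its metadata.
	body, err := aeadSeal(dataKey, plaintext, []byte(cmkID))
	if err != nil {
		return nil, nil, err
	}
	wrapped, err := aeadSeal(cmks[cmkID], dataKey, nil) // unknown ID: nil key, rejected
	if err != nil {
		return nil, nil, fmt.Errorf("wrapping data key under CMK %q: %w", cmkID, err)
	}
	meta := map[string]string{
		metaCMKID:      cmkID,
		metaWrappedKey: base64.StdEncoding.EncodeToString(wrapped),
	}
	return body, meta, nil
}

// Decrypt is the download side: the CMK is determined from the metadata, the
// data key is unwrapped with it, and the body is decrypted with the data key.
func Decrypt(cmks map[string][]byte, body []byte, meta map[string]string) ([]byte, error) {
	cmkID := meta[metaCMKID]
	wrapped, err := base64.StdEncoding.DecodeString(meta[metaWrappedKey])
	if err != nil {
		return nil, err
	}
	dataKey, err := aeadOpen(cmks[cmkID], wrapped, nil)
	if err != nil {
		return nil, fmt.Errorf("unwrapping data key with CMK %q: %w", cmkID, err)
	}
	return aeadOpen(dataKey, body, []byte(cmkID))
}

func main() {
	cmk := make([]byte, 32) // constructed CMK; a real one stays in KMS or an HSM
	rand.Read(cmk)          // crypto/rand.Read does not fail on supported platforms
	cmks := map[string][]byte{"cmk-demo": cmk} // constructed CMK ID
	body, meta, err := Encrypt(cmks, "cmk-demo", []byte("quarterly report"))
	if err != nil {
		panic(err)
	}
	plain, err := Decrypt(cmks, body, meta)
	fmt.Printf("%s %v\n", plain, err)
}
```

Two properties of the flow are worth checking in practice and are what this example is built to show: the wrapped data key in the metadata differs on every upload of the same plaintext, because the data key is generated fresh each time, and any mismatch between the metadata and the stored CMK (a rewritten CMK ID, a truncated wrapped key, a modified ciphertext) fails authentication instead of yielding garbage. Passing the CMK ID as GCM additional authenticated data is the example's own choice; it ties the body to the metadata record it was uploaded with.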

Wrapping Up

Upcoming Articles

Alibaba Cloud