Security and Monitoring Practices — Alibaba Cloud Storage Solutions — Part 1

Security with Storage

Alibaba Cloud storage products, including Object Storage Service (OSS), Block Storage, and Apsara File Storage NAS offer extensive security capabilities. Security features like server-side encryption, client-side encryption, log audit, fine-grained access control, and hot-link protection are offered as standards. Retention policies based on WORM and lifecycle policy management are also an added benefit that comes by default with Alibaba Cloud Storage solutions.

Access Control

Access Control List

The Object Storage Service (OSS), Block Storage, Apsara File Storage NAS, and Storage Capacity Unit (SCU) offer an access control list (ACL). You can use this feature to control access based on permissions. You can assign read/write access based on user type. You can select authorization based on public and private access lists. You have the option to define these policies based on specific needs.

Resource Access Control

Resource Access Management (RAM) is used for identification and access control. You can set policies based on user responsibilities and manage users by configuring RAM policies. RAM allows you to create and define policies that can control resources assigned to a particular user of a group.

Hotlink Protection

Object Storage Service provides hotlink protection to avoid unauthorized access to your buckets. You can easily set the HTTP/HTTPS referrer to configure the referrer whitelist to allow requests from specific domain names. Access is also provided if the HTTP/HTTPS referrer is included with the request to access the OSS resource. Hotlink protection prevents any hotlinking of data in public read and public read/write buckets.


Server-Side Encryption

Server-side encryption for uploaded data processes the data to encrypt it while the data is uploaded and decrypts it back when it’s downloaded. Server-side encryption is used to protect static data, which is recommended for high data security scenarios that may include online document collaboration or examples of deep learning.

Client-Side Encryption

Before the data is uploaded to OSS, client-side encryption is performed to encrypt objects. With client-side encryption, symmetric encryption is achieved by generating a random data key. This random data key is generated by the client and uploaded as a part of object metadata, which is stored on the Object Storage Service (OSS). Whenever an object is downloaded, the random data key is decrypted using the CMK, and the generated data key is used to decrypt the object.

  • Using CMK managed by yourself

CMK Managed by KMS

The illustration below is an example of CMK managed by KMS:

  • KMS returns a random data key and an encrypted data key.
  • The data key is used to encrypt the object.
  • The encrypted object and encrypted data key are uploaded to Alibaba Cloud OSS.
  • The encrypted data key is included in the object’s metadata
  • CMK ID and the encrypted data key are sent to KMS
  • KMS uses the CMK to decrypt the data key and returns it to the client

Self-Managed CMK

In this scenario, the CMKs have to be generated by the client. When an upload operation is executed, you need to perform the client-side encryption of the object. You need to upload an asymmetric or symmetric CMK.

  • Generate a random data key that is unique for each upload
  • The data key is used to encrypt the object
  • CMK is used to encrypt this data key
  • The encrypted data key is included in the metadata of the object
  • Encrypted data is included with the metadata
  • CMK is determined based on object metadata
  • The data key is generated using the CMK
  • CMK is used to decrypt the data key
  • The data key is used to decrypt the object

Wrapping Up

Data Security is an essential component of any service that is responsible for handling critical and sensitive data. Alibaba Cloud hosts a variety of services that enable and execute security parameters at the highest level. It is imperative to maintain data while at rest or while transmitting. It is the level of integration that makes any solution a reliable one. Alibaba Cloud’s line of products works in sync to maintain and extend the high-standards of data durability.

Upcoming Articles

1. Security and Monitoring Practices with Alibaba Cloud Storage Solutions — Part 2

Original Source:



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store