Services to Secure Your Applications
Alibaba offers an industry-leading suite of security solutions through its Alibaba Cloud platform. These solutions offer features an enterprise needs to provide a solid base for all their web and mobile applications to directly serve their customers, and enhance partner relationships.
Alibaba Cloud, as one of the largest international public cloud computing companies, has a strong focus on providing security services as part of its offerings, and has the largest market share within China.
The security services offered range from basic SSH key management to advanced DDoS protection and mobile application scanning. All of these services are available to be subscribed to and used via Alibaba Cloud’s administration console, via a single global account.
Host (Server-based) Security
The first security service to be aware of is key pair management for SSH. Linux ECS instances use these key pairs to authenticate administrators in place of passwords. A single key pair can be bound to each Linux instance when it is built and deployed. Alibaba Cloud supports the standard SSH key types, such as RSA (note that SHA-2 is a family of hash functions, not a key format). A full list of supported key types and additional information is available in the documentation.
Server Guard is another host-level security service, and is unusual among the large cloud providers. It continuously monitors any Elastic Compute Service (ECS) instance for known vulnerabilities, reports what it finds, and can act on those findings. Vulnerability management is crucial inside typical enterprise IT environments, so this service is a definite plus, and it is free of charge for all ECS instances.
Network and Website Security
When it comes to network security, the most basic building blocks are security groups. A security group controls which sources may reach which ports on each instance (and which destinations the instance may reach). Alibaba Cloud's security groups are stateful: if an inbound request is permitted, the reply packets for that connection are allowed back out without a separate outbound rule. Not all cloud providers offer stateful filtering at this level.
Any service provider or enterprise with public-facing services on the modern Internet is acutely aware of the risk of DDoS attacks, and may even have contractual and regulatory requirements to keep anti-DDoS protection in place. Alibaba Cloud offers two levels of DDoS protection. The basic level is free, but only mitigates attacks at the network and transport layers (primarily ICMP, TCP and UDP floods). The Pro tier adds protection against more advanced techniques and more protocols, including application-layer (Layer 7) attacks such as HTTP floods.
The Web Application Firewall (WAF) service inspects HTTP(S) traffic in front of a website to safeguard its data and improve its security and availability. The WAF can identify and block SQL injection, cross-site scripting (XSS) and other common web attacks before they reach the application and cause a breach. It filters known attack patterns; it is a layer of defence in front of the site, not a substitute for fixing the underlying vulnerabilities in the application.
Sample Scenario: Customer Information Site for a Bank
In many countries, regulated financial institutions are required to have DDoS protection and routine security scanning set up as part of any service they offer over the Internet. With Alibaba Cloud security services, this is all included in the platform, with no third-party products required.
Security for the site would be deployed in stages:
1) Create SSH keys that will be used for authentication
2) Purchase an SSL/TLS certificate for the site's domain
3) Create the ECS instances required to run the site and install the SSL certificate
4) Enable anti-DDoS protection service
5) Enable the Web Application Firewall
6) Update the security group to allow incoming HTTPS (TCP 443) from the Internet, while keeping SSH restricted to administrator addresses
7) Publish the customer information site to the world.
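Step 6 is where the stateful security-group model described earlier does its work, and it is also the step most often got wrong. The script below is an added example, not code from the original article and not Alibaba Cloud's own tooling: it models how the inbound rules of a security group are evaluated and audits them against the scenario's intent (HTTPS open to the world, SSH only from an administrator network, nothing else exposed). The rule dictionaries borrow the field names of the ECS DescribeSecurityGroupAttribute response (Direction, IpProtocol, PortRange, SourceCidrIp, Policy, Priority), but every value is constructed, and the evaluation model (priority 1 highest, Drop wins a tie, unmatched inbound traffic dropped) is an assumption stated in the comments rather than something the article specifies.

```python
"""Model and audit the inbound rules of an ECS security group for the
bank customer-information site (added example, not Alibaba Cloud code).

Assumptions (not from the article): rule dicts use the field names of the
ECS DescribeSecurityGroupAttribute response (Direction, IpProtocol,
PortRange, SourceCidrIp, Policy, Priority); Priority 1 is the highest and
100 the lowest; when two matching rules tie on priority a Drop wins over an
Accept; inbound traffic matching no rule is dropped. Because the group is
stateful, no return-traffic rule is needed for replies to allowed requests.
"""
import ipaddress

ADMIN_CIDR = "203.0.113.0/24"   # constructed: the bank's administrator network

# Constructed sample ruleset: the values are made up for illustration.
WORLD_SSH = {   # the mistake an auditor should catch: SSH open to everyone
    "Direction": "ingress", "IpProtocol": "tcp", "PortRange": "22/22",
    "SourceCidrIp": "0.0.0.0/0", "Policy": "accept", "Priority": 50,
}
RULES = [
    {"Direction": "ingress", "IpProtocol": "tcp", "PortRange": "443/443",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "accept", "Priority": 1},
    {"Direction": "ingress", "IpProtocol": "tcp", "PortRange": "22/22",
     "SourceCidrIp": ADMIN_CIDR, "Policy": "accept", "Priority": 1},
    {"Direction": "ingress", "IpProtocol": "tcp", "PortRange": "80/80",
     "SourceCidrIp": "0.0.0.0/0", "Policy": "drop", "Priority": 1},
    WORLD_SSH,
]
# The hardened ruleset simply omits the world-open SSH rule.
HARDENED_RULES = [r for r in RULES if r is not WORLD_SSH]


def parse_port_range(spec):
    """'443/443' -> (443, 443); '-1/-1' (the API's 'all ports') -> (0, 65535)."""
    lo, hi = (int(x) for x in spec.split("/"))
    return (0, 65535) if lo < 0 else (lo, hi)


def rule_matches(rule, proto, port, src_ip):
    """True if an inbound packet (proto, dst port, source IP) hits this rule."""
    if rule["Direction"].lower() != "ingress":
        return False
    rule_proto = rule["IpProtocol"].lower()
    if rule_proto not in ("all", proto.lower()):
        return False
    lo, hi = parse_port_range(rule["PortRange"])
    if not lo <= port <= hi:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(
        rule["SourceCidrIp"], strict=False)


def evaluate(rules, proto, port, src_ip):
    """Return 'accept' or 'drop' for one inbound packet under the model above."""
    hits = [r for r in rules if rule_matches(r, proto, port, src_ip)]
    if not hits:
        return "drop"                       # default deny for inbound
    best = min(r["Priority"] for r in hits)
    tied = [r for r in hits if r["Priority"] == best]
    if any(r["Policy"].lower() == "drop" for r in tied):
        return "drop"                       # drop wins a priority tie
    return "accept"


def audit(rules, admin_cidr, outside_ip="198.51.100.7"):
    """Check the scenario's intent: HTTPS public, SSH admin-only, nothing
    else accepted from the whole Internet. Returns a list of findings."""
    findings = []
    admin_ip = str(next(ipaddress.ip_network(admin_cidr).hosts()))
    if evaluate(rules, "tcp", 443, outside_ip) != "accept":
        findings.append("HTTPS (443) is not reachable from the Internet")
    if evaluate(rules, "tcp", 22, outside_ip) == "accept":
        findings.append("SSH (22) is reachable from outside " + admin_cidr)
    if evaluate(rules, "tcp", 22, admin_ip) != "accept":
        findings.append("SSH (22) is not reachable from " + admin_cidr)
    for r in rules:
        world = ipaddress.ip_network(r["SourceCidrIp"], strict=False).prefixlen == 0
        if (r["Direction"].lower() == "ingress" and r["Policy"].lower() == "accept"
                and world and parse_port_range(r["PortRange"]) != (443, 443)):
            findings.append("accept rule open to the world on " + r["PortRange"])
    return findings


if __name__ == "__main__":
    for name, rules in (("as deployed", RULES), ("hardened", HARDENED_RULES)):
        print(name, "->", audit(rules, ADMIN_CIDR) or ["no findings"])
```

Run stand-alone, the script reports two findings for the deployed ruleset (SSH reachable from the Internet, and the world-open rule on 22/22 that causes it) and none for the hardened one. The evaluation order matters: the world-open SSH rule sits at priority 50, so it is only reached by sources the priority-1 admin rule does not cover, which is exactly how such a rule hides in a group that looks correct when tested from the admin network.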
Mobile Application Service
Many companies are still on the learning curve of building secure and stable mobile applications, and they need and want third-party validation that their application is as secure as possible.
Alibaba Cloud offers a mobile security service for scanning and hardening Android applications. The service includes both static and dynamic analysis (DEX inspection, Java execution tracing and so on), and can apply a protective layer around code it flags as suspicious to make exploitation harder.
For any enterprise serious about the security of its application, running this scan before publishing to the Android marketplaces popular around the world (such as Google Play, MyApp and 1Mobile) is essential.
Vince Power is a Solution Architect who has a focus on cloud adoption and technology implementations using open source-based technologies. He has extensive experience with core computing and networking (IaaS), identity and access management (IAM), application platforms (PaaS), and continuous delivery.