According to Gartner, cloud services are as secure as, or even more secure than, the data centers of most enterprises. Security must no longer be regarded as a major obstacle to using public cloud services. Compared to traditional data centers, by 2020 the public cloud will provide security capabilities that help enterprises reduce security events by at least 60%.
At the 2nd Data Security Summit held on June 29, Xiao Li, General Manager of Alibaba Cloud Intelligent Security Business Unit, addressed one of the most critical questions — How can we build an advanced off-premises data security system?
According to Xiao Li, off-premises data security development is a systematic project that consists of six key elements: attack scope reduction, correct configuration of product security policies, central authentication and authorization, data encryption, data breach protection, and log audit.
Xiao Li, General Manager, Alibaba Cloud Intelligent Security BU
Attack Scope Reduction
Reducing the scope of enterprise-targeted attacks is the primary method to ensure cloud data security. The extensive functional experience of Alibaba Cloud proves that reducing the attack scope is crucial for the entire security system.
You can reduce the attack scope by monitoring real-time traffic in all directions via an off-premises firewall, and safeguarding and converging the network ingress through an Intrusion Prevention System (IPS).
Correct Configuration of Product Security Policies
Security is a continuous process. Alibaba Cloud periodically reviews compliance systems to ensure persistent compliance and provide security policies and configurations that are compliant and effective.
Products and technical capabilities must ensure that all security policies are effectively implemented. Many security incidents occur when attackers exploit accidentally opened ports to steal data. Alibaba Cloud provides tools to help you check the security configurations and policies of all products, to ensure persistent security compliance and effective implementation of security policies.
Central Authentication and Authorization
Every enterprise needs a comprehensive authentication and authorization system. Traditionally, enterprises deployed all their application systems in on-premises data centers and ensured data security through simple authentication and authorization systems. However, with the development of the mobile Internet, cloud computing, and software as a service (SaaS), enterprises now deploy different application systems across IDCs, the cloud, and online storage, which requires data to flow between these deployment locations.
Therefore, enterprises face a great challenge in implementing authentication and authorization centrally. For instance, a common data security event such as failing to promptly delete the system permissions of former employees may result in a data breach.
Alibaba Cloud's advanced research in permission management enables one-click permission updates for employees who are transferred or who leave the organization. Such a proactive mechanism ensures that there is no data loss due to irregular internal permission management.
Comprehensive Data Encryption and Log Audit
The Alibaba Cloud platform is the only platform in China that supports the SGX trusted encryption environment, with end-to-end data encryption to ensure user data security. At the user layer, Alibaba Cloud Security provides Resource Access Management
The Alibaba DAMO Academy has left no stone unturned in advancing data encryption technologies. It facilitates encryption of user data across all cloud products by default, and allows users to manage AccessKey pairs. Moving forward, Alibaba Cloud endeavors to maximize the performance and stability of data encryption and minimize its cost, to free users from data security apprehensions following cloud migration.
Data Breach Prevention
Alibaba Cloud provides a complete set of capabilities related to Sensitive Data Discovery and Protection, ranging from data identification and data breach prevention to abnormal behavior detection and analysis. Users now have complete information about various security aspects, such as where specific data is stored in the cloud, who has access rights to the data, and whether the data is exposed to security threats. This raises the level of data security in the cloud and reduces the risk of data breaches.
A Data Security System Supported by Cloud-native Technology
Changes to infrastructure as a service (IaaS) cloud technologies lead to different security systems. Security capabilities developed on the basis of cloud-native technology solve many thorny problems. For example, Alibaba Cloud provides a snapshot function that allows users to restore data from a previous snapshot in the wake of a ransomware attack, without requiring any anti-attack measures or decryption of the data.
Taobao and Tmall have multiple IDCs in China. According to actual data analysis, service operations are never affected by the power failure of a single IDC. Xiao Li said, “We conduct practice tests to continuously verify the effective implementation of disaster recovery, and provide such high-security capability to help users build more robust security systems in the cloud.”