HUAWEI CLOUD takes into consideration security requirements that tenants (HUAWEI CLOUD users) have for the cloud environment. Tenants purchase virtual machines (VMs) from HUAWEI CLOUD, deploy applications and systems on the VMs, and take on related security responsibilities. Huawei can provide necessary security technologies and services to help tenants achieve security compliance.
The shared-responsibility model is a widely used method of clearly defining the respective responsibilities of cloud service providers and tenants, especially in terms of impact on tenant benefits. Designed based on industry conventions, the following shared-responsibility model applies to Huawei cloud computing technologies and cloud services:
Services are the core of cloud products. HUAWEI CLOUD aims to provide simple and flexible core security operations and features that help tenants increase asset security. Tenants can conveniently set security configurations and complete defense reports on the UI.
The provided security features include cyber security functions for virtual private clouds (VPCs) (security groups and VPNs) as well as value-added security services (Anti-DDoS, Vulnerability Scan Service, and Web Application Firewall). In addition, third-party security products and services are available for tenants to select in the Cloud Market.
HUAWEI CLOUD provides an isolated virtual private cloud (VPC) for each tenant, completely isolating the tenant's resources and applications from those of other tenants. Tenants can define VPC access control and security zones within a private network. To connect the VPC to an existing private data center, tenants can use self-service VPN technologies to set up a secure and reliable encrypted network connection.
VPCs allow you to define and manage a logically isolated virtual network environment. This improves the security of resources in a public cloud and simplifies network deployment.
A VPC is a secure, isolated, logical network environment in which you can create virtual networks. These virtual networks provide the same network functions as those of a physical network, along with advanced network services, such as public network IP addresses and security groups.
Security Group Overview
Security groups control internal access between VMs within a VPC and external access to VMs.
A security group is a set of rules that isolate VMs, control internal access between VMs within a VPC, or control external access to VMs. The administrator can create security groups on the management console and then define access rules for each group. The access rules of a security group protect any VM added to it.
The security group feature relies on iptables, the firewall installed by default on Linux operating systems (OSs), to filter the packets entering a host OS. The filtering rules are defined based on source addresses, destination addresses, and protocols.
For each security group, you can add rules for inbound and outbound access and specify an access protocol and port range. For outbound access rules, you can specify the destination network segment or another security group that the VMs in the security group access. For inbound access rules, you can specify the source network segment or another security group whose VMs access the VMs in the security group. The following figure indicates an inbound access rule that allows the VM in security group 2 to access security group 1.
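The following example, added here and not part of Huawei's documentation or product code, models the rule semantics described above: a default-deny security group whose inbound and outbound rules match on protocol, port range, and either a remote network segment (CIDR) or a peer security group. The group names, VM addresses, and the absence of connection tracking are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    direction: str              # "inbound" or "outbound"
    protocol: str               # "tcp", "udp" or "any"
    ports: tuple                # inclusive (low, high) port range
    remote_cidr: str = None     # source (inbound) / destination (outbound) network segment
    remote_group: str = None    # ... or a peer security group name instead of a CIDR

@dataclass
class SecurityGroup:
    name: str
    rules: list = field(default_factory=list)

def rule_matches(rule, direction, protocol, port, remote_ip, remote_group):
    """True if one rule permits the packet; any failed check rejects the rule."""
    if rule.direction != direction or rule.protocol not in ("any", protocol):
        return False
    if not rule.ports[0] <= port <= rule.ports[1]:
        return False
    if rule.remote_cidr is not None and ip_address(remote_ip) not in ip_network(rule.remote_cidr):
        return False
    if rule.remote_group is not None and remote_group != rule.remote_group:
        return False
    return True

def allowed(groups, membership, direction, src_ip, dst_ip, protocol, port):
    """Default deny: the packet passes only if some rule of the local VM's group permits it."""
    local_ip, remote_ip = (dst_ip, src_ip) if direction == "inbound" else (src_ip, dst_ip)
    sg = groups[membership[local_ip]]
    remote_group = membership.get(remote_ip)     # None for addresses outside the VPC
    return any(rule_matches(r, direction, protocol, port, remote_ip, remote_group) for r in sg.rules)

# Constructed scenario: sg2 members may reach sg1 members on TCP/22; everything else is dropped.
GROUPS = {
    "sg1": SecurityGroup("sg1", [Rule("inbound", "tcp", (22, 22), remote_group="sg2")]),
    "sg2": SecurityGroup("sg2", [Rule("outbound", "any", (0, 65535), remote_cidr="0.0.0.0/0")]),
    "sg3": SecurityGroup("sg3"),
}
MEMBERSHIP = {"10.0.1.10": "sg2", "10.0.2.20": "sg1", "10.0.3.30": "sg3"}  # constructed VM IPs

def check(src_ip, dst_ip, protocol, port):
    # A packet must leave the source VM's group (outbound) and enter the destination's (inbound).
    return (allowed(GROUPS, MEMBERSHIP, "outbound", src_ip, dst_ip, protocol, port)
            and allowed(GROUPS, MEMBERSHIP, "inbound", src_ip, dst_ip, protocol, port))

if __name__ == "__main__":
    print(check("10.0.1.10", "10.0.2.20", "tcp", 22))   # sg2 -> sg1 on SSH: True
    print(check("10.0.3.30", "10.0.2.20", "tcp", 22))   # sg3 is not a permitted source: False
```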
A virtual private network (VPN) provides an encrypted communication tunnel between remote users and their VPCs. In this way, users can use VPC service resources directly through the VPN.
HUAWEI CLOUD supports IPSec VPNs, which are used for communication between enterprise headquarters and branches. IPSec VPNs establish secure communications tunnels for enterprises in different physical regions.
IPSec provides a method for building and managing a secure transmission tunnel in which transmitted data packets can be authenticated and encrypted. This protects data from being viewed or changed by unauthorized users.
Gateway-to-gateway connection is the typical IPSec networking mode, as shown in the following figure. In this network, the VPN gateway and the remote network gateway both support IPSec, and the connection between the two gateways is encrypted. The connections between a user and the remote network gateway and between a server and the VPN gateway are not encrypted.
The remote user network is connected to the virtual router in the VPC.
Data Loss Prevention
HUAWEI CLOUD uses distributed storage technology to store service data. Data can be distributed to different servers or cabinets so that it is accessible even if a server is faulty. In addition, data is fragmented in the resource pool. If a disk is faulty, the system can automatically reconstruct data by simultaneously restoring data copies in the resource pool, without requiring a hot spare disk. The load can be automatically balanced between existing nodes during capacity expansion. You do not need to adjust application configurations to benefit from the larger capacity and higher performance.
Data Leak Prevention
Zeroing out memory: When allocating memory to a user, the HUAWEI CLOUD OS first zeros out the allocated memory to ensure that malicious memory scanning tools cannot find valuable residual information during VM startup.
Disk data deletion: The HUAWEI CLOUD OS zeros out each physical bit in a released virtual volume. As a result, malicious users cannot recover data through data restoration software. The zeroing out operation is performed during off-peak hours to minimize adverse impacts on system performance.
Identity and Access Management (IAM)
You can use the identity and access management (IAM) function provided by Huawei to create users and groups, allocate cloud resources to them, and fully control API access. IAM also supports role-based access control (RBAC) and management by privilege and domain. Huawei is one of very few vendors in the industry that offer IAM.
HUAWEI CLOUD provides security technologies and products across multiple dimensions and layers, designed with potential security risks in mind, to effectively strengthen security and safeguard users' services.
HUAWEI CLOUD's Anti-DDoS service thoroughly analyzes packets and filters them through a seven-layer structure. The respective layers are: malformed packet filtering, feature-based filtering, defense against fake sources, detecting behavior from genuine sources, session-based defense, behavior analysis, and traffic shaping. This structure can identify and defend against various types of attacks, including malformed packet attacks, scanning, sniffing, flood attacks, and application-layer attacks.
Web Application Firewall
Web Application Firewall (WAF) leverages big data analysis technology to protect tenant VMs from malicious attacks and damage. WAF blocks abnormal requests in real time, detects abnormal HTTP requests, and prevents malicious network intrusions, such as web page tampering, information leaks, and Trojans.
Vulnerability Scan Service
Vulnerability Scan Service (VSS) detects vulnerabilities in cloud servers by periodically scanning web page code, and reminds users to address the detected vulnerabilities.