Updated on 2024-01-02 GMT+08:00

Security Best Practices

Security is a shared responsibility between Huawei Cloud and you. Huawei Cloud is responsible for the security of cloud services to provide a secure cloud. As a tenant, you should properly use the security capabilities provided by cloud services to protect data, and securely use the cloud. For details, see Shared Responsibilities.

This section provides actionable guidance for enhancing the overall security of using DRS for data migration. You can continuously evaluate the security status of your DRS tasks and enhance their overall security defense. By doing this, only the minimum permissions required for business are assigned, and data is protected from both leakage and tampering in transmission.

Make security configurations from the following dimensions to meet your business needs.

Using Fine-Grained Authorization to Control the Usage Scope of DRS Resources

  1. Set only the minimum permissions for IAM users with different roles to prevent data leakage or misoperations caused by excessive permissions.

    To better isolate and manage permissions, you are advised to configure an independent IAM administrator and grant them the permission to manage IAM policies. The IAM administrator can create different user groups based on your service requirements. User groups correspond to different data access scenarios. By adding users to user groups and binding IAM policies to user groups, the IAM administrator can grant different data access permissions to employees in different departments based on the principle of least privilege.

  2. Fine-grained authorization is recommended for fine-grained control of user permissions.

    Fine-grained policies define permissions by APIs. You are advised to create a custom policy based on your DRS operation permissions.

Using Secure and Reliable Networks and Encrypted Transmission Protocols

  1. You are advised to use a secure network, such as a VPN, for data synchronization.

    Do not use an EIP network if possible. Instead, use a secure network, such as a VPN, for data transmission. Configure firewalls, security groups, and ACL rules to reduce the attack surface and improve the network security for data synchronization.

  2. The certificate+SSL connection mode is recommended.

    The certificate+SSL mode is a secure connection mode. It protects the integrity and confidentiality of data during transmission, but slightly affects the read and write performance of the database. In certain scenarios that are sensitive to synchronization performance, you need to balance performance and security.

Using Network Access Control to Isolate the Network for Data Synchronization

Firewalls, Access Control List (ACL) rules, and security groups are used for network access control to effectively control the network range for DRS to access databases and isolate the network for data synchronization from other networks, ensuring DRS task security.

Configuring Independent Database Migration Users and Assigning the Minimum Permissions

If you migrate data as user root or other service users, permission control may become disordered and permissions may be leaked. When creating a DRS task, you are advised to create independent migration accounts for the source and destination databases and grant them the minimum permissions by referring to the user guide, to reduce the risk of account and permission leaks.

Creating HA Tasks to Improve Service Availability

DRS provides cross-AZ HA. If the instance in the primary AZ becomes faulty, services can be switched over to the instance in the standby AZ to continue data replication.

Properly Using Authentication Credentials to Prevent Data Leaks

When you use code or API Explorer to call APIs, you need to obtain a token using the account password or AK/SK information. Comply with secure coding rules, manage authentication credentials properly, and do not hardcode authentication information in plaintext.
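
A check that can run in code review or CI to catch the plaintext hardcoding described above, as an added example (not Huawei Cloud code). The credential word list and the sample snippet, including `make_client` and the `HW_AK`/`HW_SK` variable names, are assumptions constructed for illustration.

```python
import ast
import re

# Assumption: credential-bearing names contain one of these words (split on "_").
SECRET_WORDS = {"ak", "sk", "password", "passwd", "pwd", "secret", "token"}

# Constructed sample of API-calling code; all values are placeholders.
SAMPLE = '''\
import os
ak = "EXAMPLEAK0000000000"
sk = os.environ["HW_SK"]
task_name = "drs-sync-01"
body = {"auth": {"identity": {"password": {"user": {"name": "migrator", "password": "Example-Pass-1"}}}}}
client = make_client(ak=os.getenv("HW_AK"), sk="EXAMPLESK0000000000")
'''

def _is_secret_name(name):
    # Word-wise match so "task_name" or "mask" do not trip on "sk"/"ak".
    return bool(SECRET_WORDS & set(re.split(r"[_\W]+", name.lower())))

def _is_literal(node):
    # Only non-empty string constants count; env or vault lookups are calls/subscripts.
    return isinstance(node, ast.Constant) and isinstance(node.value, str) and node.value != ""

def find_hardcoded_credentials(source):
    """Return sorted (line, name) pairs where a credential name is bound to a string literal."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        pairs = []
        if isinstance(node, ast.Assign):            # ak = "..." / self.sk = "..."
            for target in node.targets:
                if isinstance(target, ast.Name):
                    pairs.append((target.id, node.value))
                elif isinstance(target, ast.Attribute):
                    pairs.append((target.attr, node.value))
        elif isinstance(node, ast.Call):            # make_client(sk="...")
            pairs += [(kw.arg, kw.value) for kw in node.keywords if kw.arg]
        elif isinstance(node, ast.Dict):            # {"password": "..."} in a request body
            pairs += [(k.value, v) for k, v in zip(node.keys, node.values)
                      if isinstance(k, ast.Constant) and isinstance(k.value, str)]
        for name, value in pairs:
            if _is_secret_name(name) and _is_literal(value):
                findings.add((value.lineno, name))
    return sorted(findings)

if __name__ == "__main__":
    for line, name in find_hardcoded_credentials(SAMPLE):
        print(f"line {line}: '{name}' is set from a plaintext literal")
```

The check reports the name and line only, never the literal value, so its own output does not leak the credential into build logs.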