Updated on 2025-04-18 GMT+08:00

HSS Security Best Practices

Security is a responsibility shared between you and Huawei Cloud. Huawei Cloud ensures the security of cloud services for a secure cloud. As a tenant, you should utilize the security capabilities provided by cloud services to protect data and use the cloud securely. For details, see Shared Responsibilities.

This section provides actionable guidance for enhancing HSS security. You can check HSS security status and improve its protection capabilities.

Consider the following aspects for your security configurations:

Managing Your Identity Authentication Information to Prevent Data Leaks

Whether you access HSS resources through the console or APIs, you must provide identity credentials, which are verified for validity. With IAM, HSS provides three identity authentication methods: username and password, access key, and temporary access key. It also provides login protection and login authentication policies to enhance identity authentication security.

  1. Using a temporary AK/SK

    When you use HSS APIs or SDKs to manage HSS resources, identity authentication is required to ensure the confidentiality, integrity, and correctness of requests. You are advised to configure an IAM agency to obtain a temporary access key, or directly configure temporary AK/SKs for your applications or cloud services. Temporary AK/SKs will expire after a short period, which reduces data leakage risks. For details, see Temporary Access Key and Obtaining Temporary Access Keys and Security Tokens of an Agency.

  2. Periodically changing a permanent AK/SK

    If you use a permanent AK/SK, change it regularly and encrypt it for storage to prevent data leakage. For details, see Access Keys.

  3. Regularly changing your username and password and avoiding weak passwords

    Regularly resetting passwords is an important measure to enhance system and application security. This practice lowers the chances of password exposure and helps you meet compliance requirements, mitigate internal risks, and boost security awareness. You are advised to configure password complexity to disallow weak passwords. For details, see Password Policy.
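
One way an application can hold the temporary AK/SK described in item 1, shown as an added example that is not Huawei Cloud or HSS SDK code: the credential stays in memory only and is renewed shortly before it expires. The `fetch` callable, the constructed `make_fake_issuer` helper, and the field names `access`, `secret`, `securitytoken`, and `expires_at` are assumptions; replace `fetch` with the call that obtains credentials from your IAM agency.

```python
import threading
from datetime import datetime, timedelta, timezone


def parse_expiry(value):
    """Parse an ISO 8601 UTC timestamp such as 2025-04-18T00:15:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


class TemporaryCredentialProvider:
    """Holds a temporary AK/SK in memory and renews it before it expires."""

    REQUIRED = {"access", "secret", "securitytoken", "expires_at"}  # assumed field names

    def __init__(self, fetch, refresh_margin=timedelta(minutes=5), now=None):
        self._fetch = fetch              # hypothetical callable returning a credential dict
        self._margin = refresh_margin    # renew this long before the stated expiry
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._lock = threading.Lock()    # one renewal at a time across threads
        self._cred = None
        self._expires_at = None

    def get(self):
        """Return a copy of the current credential, renewing it first if needed."""
        with self._lock:
            if self._cred is None or self._now() >= self._expires_at - self._margin:
                self._renew()
            return dict(self._cred)

    def _renew(self):
        cred = self._fetch()
        missing = self.REQUIRED - cred.keys()
        if missing:
            raise ValueError(f"credential response lacks fields: {sorted(missing)}")
        expires_at = parse_expiry(cred["expires_at"])
        if expires_at <= self._now():
            raise ValueError("issuer returned a credential that is already expired")
        self._cred, self._expires_at = cred, expires_at


def make_fake_issuer(clock, lifetime=timedelta(minutes=15)):
    """Constructed stand-in for the agency call; counts how often it is invoked."""
    calls = {"n": 0}

    def fetch():
        calls["n"] += 1
        expiry = (clock() + lifetime).isoformat().replace("+00:00", "Z")
        return {"access": f"EXAMPLE-AK-{calls['n']}", "secret": "EXAMPLE-SK",
                "securitytoken": "EXAMPLE-TOKEN", "expires_at": expiry}

    return fetch, calls
```

Pass the `access`, `secret`, and `securitytoken` values returned by `get()` to your request signer on each call instead of writing them to disk or configuration files.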

Enhancing Permissions Management and Improving Access Control

To assign different permissions for accessing HSS resources to the employees in your company, you can use IAM for fine-grained permissions management. IAM provides identity authentication, permissions management, and access control, helping you efficiently manage access to your HSS resources. For details, see HSS Permissions Management.

Using CTS to Record HSS Operations

Cloud Trace Service (CTS) is a professional log audit service for Huawei Cloud security solutions. It enables you to collect, store, and query resource operation records (traces). You can use these traces to perform security analysis, track resource changes, audit compliance, backtrack problems, and locate faults.

CTS records operations on HSS resources. The records include the operation requests sent by users from the management console or via open APIs, and the results of each request. For details, see Operations Recorded by CTS. You can query, audit, and backtrack the operations. For details, see Viewing CTS Traces in the Trace List.

Using Cloud Eye to Monitor the Servers Protected by HSS

Cloud Eye provides multi-dimensional monitoring for your resources on the cloud. It allows you to view the resource usage and service running status, and respond to exceptions in a timely manner to ensure smooth running of services.

HSS uses Cloud Eye to perform monitoring over resources and operations, helping you monitor server security and receive alarms and notifications in real time. You can check the numbers of unprotected servers, unsafe servers, and the servers where the agent is offline or not installed in real time.

For details about HSS metrics and how to create alarm rules, see Monitoring.

Using the Latest SDKs for Better Experience and Security

Use the latest HSS SDKs to better protect your data. For details, see HSS SDK.

Enabling HSS Self-Protection

HSS self-protection protects Windows servers from the malicious programs that may uninstall the agent, tamper with HSS files, or stop HSS processes. It also protects Linux servers from the malicious programs that may stop HSS processes or uninstall the agent. For details, see How Do I Enable or Disable HSS Self-Protection?