Shared Responsibilities
Customer Responsibilities: Security in ECSs
Customers are responsible for ensuring the security of ECSs, including:
- Customer content: Encrypt, back up, and transmit data, for example, enabling OBS encryption, private image encryption, and EVS encryption.
- Client-side encryption: Encrypt data locally before transmission to ensure data security during transmission. Customers are responsible for the security (confidentiality, integrity, and availability) of encryption keys.
- Server-side encryption: Encrypt data during storage and processing to ensure data security. Customers are responsible for the security (confidentiality, integrity, and availability) of encryption keys.
- Data backup: Back up data in a timely manner to prevent data loss and ensure that services can be restored at critical moments.
- Network traffic protection: Use secure transmission channels to transmit data, enable identity authentication, and check data integrity.
- Network control: Perform security configurations on VPCs, security groups, and ACLs, for example, configure security group rules based on the principle of least privilege (PoLP).
- VPC: Select an appropriate VPC to divide the network and perform security configurations, for example, specify the IP address range of the VPC, divide subnets in the VPC to further refine the IP address range, and configure routing tables in the VPC to control the network traffic direction.
- Security group: Use appropriate security groups to protect instances. For example, add inbound and outbound rules based on PoLP to protect all instances in a security group.
High-risk ports are frequent targets of malicious exploitation. You are advised not to open high-risk ports to the public network, and to use security services such as bastion hosts for remote service management.
- ACL: Select an appropriate ACL to protect the entire subnet. For example, add inbound and outbound rules based on PoLP and associate a subnet with the network ACL. In this way, all instances in the subnet are protected by the network ACL.
Table 1 shows differences between access control options. You can select one or more as needed.
- Operating system (OS): Ensure the security of the OS running on the ECS.
- Install OS updates and security patches in a timely manner.
- Configure security settings for the OS. For example, use key pairs rather than passwords to log in to ECSs to avoid security risks caused by weak passwords. If passwords are required, set strong passwords and use Host Security Service (HSS) to improve the overall security of ECSs.
- Content compliance: Ensure that the content released on Huawei Cloud ECSs is compliant.
For details, see Acceptable Use Policy and "Restrictions" in the Elastic Cloud Server Service Statement.
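The security group and OS guidance above both come down to least privilege: no high-risk port exposed to the public network, and key-pair login instead of passwords. The script below is an added example, not Huawei Cloud's own code or tooling. It assumes a simple rule representation (fields `direction`, `protocol`, `port_min`, `port_max`, `remote_cidr`) and an illustrative set of high-risk ports; the page names neither, so both are assumptions. The second check parses an `sshd_config` body and applies the OpenSSH rule that the first occurrence of a keyword wins, which is what makes an appended hardening line ineffective.

```python
"""Two least-privilege checks for an ECS: security group exposure and SSH login settings.
Added example; assumes a rule layout and a high-risk port list that the page does not define."""
import ipaddress

# Illustrative management/database ports that should not face the Internet (assumption).
HIGH_RISK_PORTS = {22: "SSH", 3389: "RDP", 3306: "MySQL", 1433: "MSSQL",
                   6379: "Redis", 27017: "MongoDB"}


def is_public_cidr(cidr):
    """True when the remote range means 'anyone': 0.0.0.0/0 or ::/0."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def find_overexposed_rules(rules):
    """Return [(rule, [(port, service), ...])] for inbound rules that open a
    high-risk port to the whole Internet. Rules with protocol 'any' and no
    port bounds are treated as covering 1-65535."""
    findings = []
    for rule in rules:
        if rule["direction"] != "ingress" or rule["protocol"] not in ("tcp", "any"):
            continue
        if not is_public_cidr(rule["remote_cidr"]):
            continue
        lo = rule.get("port_min") or 1
        hi = rule.get("port_max") or 65535
        exposed = [(p, s) for p, s in sorted(HIGH_RISK_PORTS.items()) if lo <= p <= hi]
        if exposed:
            findings.append((rule, exposed))
    return findings


def check_sshd_config(text):
    """Report deviations from key-pair-only login in an sshd_config body.
    OpenSSH keeps the FIRST value of each keyword, so later overrides are ignored;
    Match blocks are out of scope and stop the scan. Defaults mirror OpenSSH."""
    settings = {"passwordauthentication": "yes",
                "pubkeyauthentication": "yes",
                "permitrootlogin": "prohibit-password"}
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line:
            continue
        parts = line.split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key == "match":
            break                                     # conditional blocks not handled
        if key in settings and key not in seen:
            settings[key] = value
            seen.add(key)
    issues = []
    if settings["passwordauthentication"] != "no":
        issues.append("PasswordAuthentication is not 'no'; use key pairs, not passwords")
    if settings["pubkeyauthentication"] != "yes":
        issues.append("PubkeyAuthentication is not 'yes'")
    if settings["permitrootlogin"] not in ("no", "prohibit-password"):
        issues.append("PermitRootLogin allows password login for root")
    return issues


# Constructed sample data (not from any real ECS).
SAMPLE_RULES = [
    {"direction": "ingress", "protocol": "tcp", "port_min": 22, "port_max": 22, "remote_cidr": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "tcp", "port_min": 22, "port_max": 22, "remote_cidr": "10.0.1.0/24"},
    {"direction": "ingress", "protocol": "tcp", "port_min": 443, "port_max": 443, "remote_cidr": "0.0.0.0/0"},
    {"direction": "egress", "protocol": "any", "port_min": None, "port_max": None, "remote_cidr": "0.0.0.0/0"},
    {"direction": "ingress", "protocol": "any", "port_min": None, "port_max": None, "remote_cidr": "::/0"},
]

SAMPLE_SSHD = """\
# constructed sshd_config: the trailing 'no' never takes effect
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
PasswordAuthentication no
"""

HARDENED_SSHD = """\
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
"""

if __name__ == "__main__":
    for rule, exposed in find_overexposed_rules(SAMPLE_RULES):
        print("over-exposed:", rule["remote_cidr"], exposed)
    print("sample sshd issues:", check_sshd_config(SAMPLE_SSHD))
    print("hardened sshd issues:", check_sshd_config(HARDENED_SSHD))
```

Against the constructed rules, only the two rules that reach a high-risk port from 0.0.0.0/0 or ::/0 are reported; the SSH rule limited to 10.0.1.0/24 and the HTTPS rule pass. The sample `sshd_config` is flagged because its first `PasswordAuthentication` value is `yes`.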
Huawei Cloud Responsibilities: Security of ECSs
Huawei Cloud is responsible for ensuring the security of ECSs, including:
- Infrastructure: Ensure the security of infrastructure resources, such as physical servers, network devices, and storage devices.
- Infrastructure includes physical servers, network devices, and storage devices. The security of infrastructure is mainly provided by cloud data centers.
- Huawei Cloud defines and implements a complete set of physical and environmental security policies, procedures, and measures, meeting the Class-A requirements stipulated in GB 50174 Code for Design of Electronic Information System Room and T3+ requirements stipulated in TIA-942 Telecommunications Infrastructure Standard for Data Centers. In addition to proper site selection, during design, construction, and operation of data centers, physical zones must be properly divided and information system components must be properly arranged to avoid potential physical and environmental dangers (such as fire or electromagnetic leakage) and unauthorized access. Sufficient physical space, power capacity, network capacity, and refrigeration capacity must be provided for fast infrastructure expansion. In addition, Huawei Cloud O&M team enforces stringent access control, security measures, regular monitoring and auditing, and emergency response measures to ensure the physical security and environmental safety of Huawei Cloud data centers.
- IaaS services: Ensure the security of underlying compute, storage, and networking services.
- Technologies such as compute virtualization, storage virtualization, and network virtualization are used to provide ECSs.
- Technologies such as CPU isolation, memory isolation, and I/O isolation are used to isolate the virtual host OS and guest VM OS.
- The hypervisor enables the virtual host OS and guest VM OS to run with different permissions to ensure the security of platform system resources.
- ECS compliance: Ensure the compliance of ECSs.
Huawei Cloud ECS is responsible for its own compliance and provides compliance audit reports. For details about the compliance audit reports, see Compliance Center.
For details about Huawei Cloud security concepts and measures, see Huawei Cloud Security White Paper.
Reference
Huawei Cloud provides a series of security configuration and best practice suggestions to help you improve ECS security, as shown in Table 2.
| Category | Reference |
|---|---|
| Encryption | |
| Data backup | |
| Network traffic protection | |
| VPC | |
| Security Group | |
| ACL | |
| Vulnerability | |