Updated on 2025-07-09 GMT+08:00

Shared Responsibilities

Huawei guarantees that its commitment to cyber security will never be outweighed by the consideration of commercial interests. To cope with emerging cloud security challenges and pervasive cloud security threats and attacks, Huawei Cloud builds a comprehensive cloud service security assurance system for different regions and industries based on Huawei's unique software and hardware advantages, laws, regulations, industry standards, and security ecosystem.

Unlike traditional on-premises data centers, cloud computing separates operators from users. This approach not only enhances flexibility and control for users but also greatly reduces their operational workload. For this reason, cloud security cannot be fully ensured by one party. Cloud security requires joint efforts of Huawei Cloud and you, as shown in Figure 1.
  • Huawei Cloud: Huawei Cloud is responsible for infrastructure security, including security and compliance, regardless of cloud service categories. The infrastructure consists of physical data centers, which house compute, storage, and network resources, virtualization platforms, and cloud services Huawei Cloud provides for you. In PaaS and SaaS scenarios, Huawei Cloud is responsible for security settings, vulnerability remediation, security controls, and detecting any intrusions into the network where your services or Huawei Cloud components are deployed.
  • Customer: As our customer, your ownership of and control over your data assets will not be transferred under any cloud service category. Without your explicit authorization, Huawei Cloud will not use or monetize your data, but you are responsible for protecting your data and managing identities and access. This includes ensuring the legal compliance of your data on the cloud, using secure credentials (such as strong passwords and multi-factor authentication), and properly managing those credentials, as well as monitoring and managing content security, looking out for abnormal account behavior, and responding to it, when discovered, in a timely manner.
Figure 1 Huawei Cloud shared security responsibility model
Cloud security responsibilities are determined by control, visibility, and availability. When you migrate services to the cloud, assets, such as devices, hardware, software, media, VMs, OSs, and data, are controlled by both you and Huawei Cloud. This means that your responsibilities depend on the cloud services you select. As shown in Figure 1, customers can select different cloud service types (such as IaaS, PaaS, and SaaS services) based on their service requirements. As control over components varies across different cloud service categories, the responsibilities are shared differently.
  • In on-premises scenarios, customers have full control over assets such as hardware, software, and data, so the customer is responsible for the security of all components.
  • In IaaS scenarios, customers have control over all components except the underlying infrastructure, so they are responsible for securing those components. This includes ensuring the legal compliance of the applications, maintaining development and design security, and managing vulnerability remediation, configuration security, and security controls for related components such as middleware, databases, and operating systems.
  • In PaaS scenarios, customers are responsible for the applications they deploy, as well as the security settings and policies of the middleware, database, and network access under their control.
  • In SaaS scenarios, customers have control over their content, accounts, and permissions. They need to protect their content, and properly configure and protect their accounts and permissions in compliance with laws and regulations.

User Identity Credential

Users access cloud services with identity credentials such as IAM AK/SK pairs and tokens. If these credentials are disclosed, service security cannot be ensured. Use IAM to grant permissions according to the principle of least privilege, so that the impact of a disclosed credential is limited to what that credential was actually allowed to do.

User Function Code

User code and private dependencies are core assets. You need to ensure code reliability and security, avoid embedding sensitive information (such as account names, passwords, AK/SK pairs, or tokens) in the code, and prevent sensitive information from being written to logs, where it could leak.
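As an added example (not code from the FunctionGraph documentation or the Huawei Cloud SDKs), the following Python module shows the two practices this section asks for: the function reads its credentials from environment variables instead of embedding them, and a logging filter redacts credential values before any record reaches a handler. The `handler(event, context)` entry point mirrors the usual FunctionGraph handler convention but is an assumption here, and the variable names `SERVICE_AK`, `SERVICE_SK` and `DB_PASSWORD` are constructed for the example.

```python
import logging
import os
import re
from typing import Iterable, Mapping

# Constructed variable names. In FunctionGraph these would be supplied as
# encrypted environment variables; they are never written into the source.
REQUIRED_VARS = ("SERVICE_AK", "SERVICE_SK", "DB_PASSWORD")

# Heuristic for credential-like "key=value" / "key: value" fragments in log text.
_KV_PATTERN = re.compile(
    r"(?i)\b(ak|sk|access[_-]?key|secret[_-]?key|password|passwd|token)\b(\s*[=:]\s*)(\S+)"
)


def load_credentials(env: Mapping[str, str] = os.environ) -> dict:
    """Read secrets from the environment and fail closed if any are missing.

    There is deliberately no hard-coded default: a missing variable is a
    deployment error, not a reason to fall back to a value baked into the code.
    """
    missing = [name for name in REQUIRED_VARS if not env.get(name)]
    if missing:
        raise RuntimeError(f"missing required environment variables: {', '.join(missing)}")
    return {name: env[name] for name in REQUIRED_VARS}


def redact(text: str, secret_values: Iterable[str]) -> str:
    """Mask known secret values and credential-like key=value pairs in a string."""
    # Replace exact secret values first, longest first, so a secret that is a
    # prefix of another does not leave a fragment behind.
    for value in sorted((v for v in secret_values if v), key=len, reverse=True):
        text = text.replace(value, "***")
    # Then mask anything that still looks like a credential assignment.
    return _KV_PATTERN.sub(lambda m: f"{m.group(1)}{m.group(2)}***", text)


class RedactingFilter(logging.Filter):
    """logging.Filter that rewrites every record's message before it is emitted."""

    def __init__(self, secret_values: Iterable[str]):
        super().__init__()
        self._secrets = list(secret_values)

    def filter(self, record: logging.LogRecord) -> bool:
        # Format once, redact, and clear args so the message is not formatted again.
        record.msg = redact(record.getMessage(), self._secrets)
        record.args = ()
        return True


def build_logger(secret_values: Iterable[str], name: str = "function") -> logging.Logger:
    """Return a logger that carries the redaction filter exactly once."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    if not any(isinstance(f, RedactingFilter) for f in logger.filters):
        logger.addFilter(RedactingFilter(secret_values))
    return logger


def log_lines_after_redaction(messages: Iterable[str], secret_values: Iterable[str]) -> list:
    """Push messages through a redacting logger and return what a handler receives."""
    captured = []
    sink = logging.Handler()
    sink.emit = lambda record: captured.append(record.getMessage())
    logger = logging.getLogger(f"redaction-demo-{id(captured)}")
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addFilter(RedactingFilter(secret_values))
    logger.addHandler(sink)
    for message in messages:
        logger.info(message)
    return captured


def handler(event: dict, context=None) -> dict:
    """Assumed FunctionGraph-style entry point; `context` is unused here."""
    creds = load_credentials()
    logger = build_logger(creds.values())
    # The event is logged for troubleshooting, but only after redaction.
    logger.info("invoked with event: %s", event)
    # creds["SERVICE_AK"], creds["SERVICE_SK"] and creds["DB_PASSWORD"] would be
    # passed to the respective clients here; the response carries no credentials.
    return {"statusCode": 200, "body": "ok"}
```

Redaction is defence in depth, not a substitute for discipline about what gets logged: the filter catches accidental leaks such as a full event body or a connection string, but the primary control remains never passing credential material to a log call in the first place.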

User Function Configuration

  • Encrypted environment variables

    Sensitive information that user code needs, such as the AK/SK for accessing other cloud services or the password for accessing a database, can be passed in through encrypted environment variables. FunctionGraph encrypts these variables before storing them, so the values are not exposed in the function configuration.

    Figure 2 Encrypting environment variables
  • Function public access configuration

    Public access: By default, a function can access the public network. All tenants share this bandwidth, which leaves the function exposed to attacks from the public network. You can configure a VPC so that public-network access goes through the VPC and uses bandwidth dedicated to you.

    VPC access: To access cloud resources in a VPC, such as databases and cache services, you are advised to configure VPC access so that the traffic stays inside the VPC rather than traversing the public network, preventing sensitive information leakage.

  • Minimal permissions

    You need to configure an agency whose permissions (for accessing other Huawei Cloud services, such as ECS and OBS) are limited to the minimum the function requires, so that a leaked authorization token grants an attacker as little as possible.
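An agency policy is easiest to keep minimal if it is checked mechanically before deployment. The following Python script is an added example (not FunctionGraph or Huawei Cloud tooling) that lints a policy document for the two patterns that most often defeat least privilege: wildcard segments in `Action` and an unrestricted `Resource`. The two sample policies are constructed for the example; the JSON shape (`Version` 1.1, a `Statement` list with `Effect`, `Action` and `Resource`) is assumed to follow the IAM custom policy format, and the OBS action and resource strings are illustrative rather than copied from the page.

```python
import json

# Constructed sample: grants every OBS operation on every resource.
OVERLY_BROAD_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {"Effect": "Allow", "Action": ["obs:*:*"], "Resource": ["*"]},
    ],
})

# Constructed sample: read-only access to objects in one named input bucket.
LEAST_PRIVILEGE_POLICY = json.dumps({
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["obs:object:GetObject"],
            "Resource": ["OBS:*:*:object:example-input-bucket/*"],
        },
    ],
})


def _as_list(value) -> list:
    """IAM accepts a single string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy_json: str) -> list:
    """Return human-readable findings for every Allow statement that is broader than needed.

    Actions are 'service:resource:operation'; a '*' in any segment grants a whole
    class of operations. For Resource, wildcards in the region and domain segments
    are normal, so only a bare '*' or a missing Resource key is reported.
    """
    policy = json.loads(policy_json)
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements cannot widen access
        for action in _as_list(stmt.get("Action")):
            if action == "*" or "*" in action.split(":"):
                findings.append(f"statement {idx}: action '{action}' contains a wildcard segment")
        if "Resource" not in stmt:
            findings.append(f"statement {idx}: no Resource restriction; actions apply to all resources")
        elif "*" in _as_list(stmt.get("Resource")):
            findings.append(f"statement {idx}: resource '*' covers every resource")
    return findings


def is_least_privilege(policy_json: str) -> bool:
    """True when the linter has nothing to report."""
    return not lint_policy(policy_json)


if __name__ == "__main__":
    for name, doc in (("broad", OVERLY_BROAD_POLICY), ("minimal", LEAST_PRIVILEGE_POLICY)):
        print(name, lint_policy(doc) or "no findings")
```

Run it against the JSON view of each agency policy as part of the deployment pipeline; a non-empty finding list should block the deployment until the policy names the specific actions and the specific buckets, instances or tables the function actually touches.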