Case: Secure Cloud Migration of Financial Customer Data
Financial customers have strict data security requirements. Based on the best practices Huawei Cloud has accumulated in its cloud security solution for financial customers, this section proposes a reference framework for migrating financial customer data to the cloud, organized around three objectives.

- Objective 1: Core sensitive data only processed within the TEE confidential perimeter
All persistent data on the cloud is encrypted by default: OBS bucket encryption, EVS volume encryption, and RDS database encryption are enforced through organization guardrails. For core sensitive data, applications add a further layer of application-level (envelope) encryption: the data is encrypted with data keys, and the data keys are protected by customer-controlled KMS master keys. IAM condition-based access control policies on those master keys ensure that a data key can be decrypted and used only inside the expected QingTian Enclave environment. Huawei Cloud KMS integrates with the QingTian Enclave attestation protocol, so that data keys, nonces, and decryption results are transmitted securely from KMS to the enclave and core sensitive data is decrypted and processed only in the TEE. The condition should pin the attested enclave image measurement rather than merely require that some enclave is present; otherwise any enclave image, including an attacker's, could obtain the key.
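The following is an added example, not code from this page or from Huawei Cloud's SDKs: a Go model of the attestation-gated key release described above. It assumes a simplified attestation document (a PCR0 measurement, the enclave's ephemeral X25519 public key, and a root signature; the field names and layout are this example's own), a KMS whose key policy pins one approved measurement, and a release path that wraps the data key to the enclave's ephemeral key so it never travels in the clear. The sample record and the image names are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Attestation stands in for a QingTian Enclave attestation document: the enclave
// image measurement (PCR0) and an ephemeral X25519 public key that KMS must wrap
// its result to, signed by the attestation root. The layout is this example's own.
type Attestation struct {
	PCR0  [32]byte
	EKPub []byte // 32-byte X25519 public key
	Sig   []byte // Ed25519 signature over PCR0||EKPub
}

// KMS holds the customer master key (never exported) and the key-policy
// condition: release only to an enclave whose PCR0 equals AllowedPCR0.
type KMS struct {
	MasterKey   []byte
	AllowedPCR0 [32]byte
	RootPub     ed25519.PublicKey // attestation root trusted by KMS
}

func randBytes(n int) []byte { b := make([]byte, n); rand.Read(b); return b }

// AES-256-GCM helpers; the nonce is prefixed to the ciphertext.
func gcm(key []byte) cipher.AEAD { blk, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(blk); return g }

func aeadSeal(key, pt, aad []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, aad)
}

func aeadOpen(key, ct, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], aad)
}

// Decrypt is the attestation-gated key release: refuse unless the attestation verifies and
// PCR0 satisfies the policy; never return the data key in the clear, wrap it to the enclave key.
func (k *KMS) Decrypt(encDataKey []byte, a Attestation) ([]byte, error) {
	if len(a.EKPub) != 32 || !ed25519.Verify(k.RootPub, append(a.PCR0[:], a.EKPub...), a.Sig) {
		return nil, errors.New("attestation invalid")
	}
	if a.PCR0 != k.AllowedPCR0 {
		return nil, errors.New("policy condition failed: PCR0 not authorised")
	}
	dataKey, err := aeadOpen(k.MasterKey, encDataKey, []byte("datakey"))
	if err != nil {
		return nil, err
	}
	enclavePub, _ := ecdh.X25519().NewPublicKey(a.EKPub) // length checked above
	kmsEK, _ := ecdh.X25519().GenerateKey(rand.Reader)
	shared, _ := kmsEK.ECDH(enclavePub)
	wrapKey := sha256.Sum256(shared)
	return append(kmsEK.PublicKey().Bytes(), aeadSeal(wrapKey[:], dataKey, nil)...), nil
}

// Scenario runs the flow end to end for an enclave built from enclaveImage and returns the
// plaintext it recovers. Any image other than the one the key policy names is refused.
func Scenario(enclaveImage string) (string, error) {
	rootPub, rootPriv, _ := ed25519.GenerateKey(rand.Reader)
	kms := &KMS{MasterKey: randBytes(32), RootPub: rootPub,
		AllowedPCR0: sha256.Sum256([]byte("approved enclave image v1"))} // constructed measurement
	// Application side: envelope encryption of one core sensitive record.
	dataKey := randBytes(32)
	encDataKey := aeadSeal(kms.MasterKey, dataKey, []byte("datakey")) // as GenerateDataKey returns it
	record := aeadSeal(dataKey, []byte("IBAN DE89370400440532013000"), nil) // constructed sample
	// Enclave side: ephemeral key pair, attestation over PCR0||EKPub, KMS call, unwrap.
	ek, _ := ecdh.X25519().GenerateKey(rand.Reader)
	att := Attestation{PCR0: sha256.Sum256([]byte(enclaveImage)), EKPub: ek.PublicKey().Bytes()}
	att.Sig = ed25519.Sign(rootPriv, append(att.PCR0[:], att.EKPub...))
	wrapped, err := kms.Decrypt(encDataKey, att)
	if err != nil {
		return "", err
	}
	kmsPub, _ := ecdh.X25519().NewPublicKey(wrapped[:32])
	shared, _ := ek.ECDH(kmsPub)
	wrapKey := sha256.Sum256(shared)
	dk, err := aeadOpen(wrapKey[:], wrapped[32:], nil)
	if err != nil {
		return "", err
	}
	pt, err := aeadOpen(dk, record, nil)
	return string(pt), err
}

func main() { fmt.Println(Scenario("approved enclave image v1")) }
```

Running Scenario with the approved image name recovers the record inside the enclave; running it with any other image name produces a genuinely signed attestation that KMS still refuses, because the policy condition is on the measurement, not on the presence of an enclave. The two checks in Decrypt are deliberately separate: a forged document fails signature verification, while a real but unapproved enclave fails the policy condition.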
- Objective 2: Data boundary guardrails built in the production environment
Network boundaries are built on VPC network configurations to block unexpected Internet inbound and outbound traffic, unexpected cross-VPC traffic, and unexpected cloud service traffic. On top of network boundary control, the following identity and access control methods build the organization's data boundary guardrails:
- Identity-oriented data boundary guardrails: Use SCPs to define the permission boundaries of all IAM identities in the organization account, so that IAM identity credentials of the organization can only use the organization's own VPC endpoints (public networks and other access paths are prohibited) and can only access cloud resources that belong to the organization account. Once these identity guardrails are in place, even if IAM identity credentials are leaked, an attacker cannot use them to initiate access from the Internet or through other VPC endpoints. This design limits the damage a leaked credential can do; it does not prevent the leak itself.
- VPC endpoint-oriented data boundary guardrails: Use VPC endpoint policies to define permission boundaries, so that cloud service API requests passing through the organization's VPC endpoints come only from IAM identities in the organization account and can only access cloud resources that belong to the organization account. This also blocks a compromised workload inside the VPC from pushing data out to a resource in another account.
- Resource-oriented data boundary guardrails: Use resource authorization policies to define permission boundaries, so that all API requests for the organization's resources come only from IAM identities in the organization account and must pass through the organization's VPC endpoints (public network access paths are prohibited).
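The following is an added example, not part of this page and not Huawei Cloud policy syntax: a Go evaluator for the three guardrails above, written to show why all three are kept even though they overlap. The condition names (PrincipalOrg, SourceVPCE, ResourceOrg), the organization name and the VPC endpoint identifiers are constructed for the example. Each constructed request is evaluated against the SCP, the VPC endpoint policy and the resource policy; the result lists which guardrails deny it.

```go
package main

import "fmt"

// Request is the request context the three guardrails evaluate. Field names are
// this example's own; they are not Huawei Cloud IAM condition keys.
type Request struct {
	PrincipalOrg string // organization the calling IAM identity belongs to
	SourceVPCE   string // VPC endpoint the request arrived through ("" = public Internet)
	ResourceOrg  string // organization that owns the target resource
}

// Perimeter is the organization's trust boundary: its identities have PrincipalOrg == Org,
// its endpoints are the keys of VPCEs, and its resources have ResourceOrg == Org.
type Perimeter struct {
	Org   string
	VPCEs map[string]bool
}

// SCP (identity guardrail): binds every identity of the organization wherever the
// credential ends up. A leaked AK/SK replayed from the Internet or from an attacker's
// endpoint fails the first check; a credential aimed at a foreign bucket fails the second.
func (p Perimeter) identityGuardrail(r Request) (string, bool) {
	if r.PrincipalOrg != p.Org {
		return "", true // not our identity: the SCP does not apply
	}
	if !p.VPCEs[r.SourceVPCE] {
		return "SCP: organization credential used outside organization VPC endpoints", false
	}
	if r.ResourceOrg != p.Org {
		return "SCP: organization credential used against a foreign resource", false
	}
	return "", true
}

// VPC endpoint policy (network guardrail): binds every request through our endpoints,
// whoever sends it, including an attacker's own identity used from a compromised VM.
func (p Perimeter) networkGuardrail(r Request) (string, bool) {
	if !p.VPCEs[r.SourceVPCE] {
		return "", true // not our endpoint: the endpoint policy does not apply
	}
	if r.PrincipalOrg != p.Org {
		return "VPC endpoint policy: foreign identity through organization endpoint", false
	}
	if r.ResourceOrg != p.Org {
		return "VPC endpoint policy: organization endpoint used to reach a foreign resource", false
	}
	return "", true
}

// Resource policy (resource guardrail): binds our resources, whoever asks and from wherever.
func (p Perimeter) resourceGuardrail(r Request) (string, bool) {
	if r.ResourceOrg != p.Org {
		return "", true // not our resource: the resource policy does not apply
	}
	if r.PrincipalOrg != p.Org {
		return "resource policy: foreign identity accessing organization resource", false
	}
	if !p.VPCEs[r.SourceVPCE] {
		return "resource policy: organization resource accessed outside organization VPC endpoints", false
	}
	return "", true
}

// Evaluate returns the denial reasons; an empty result means all three guardrails allow.
// Each guardrail blocks scenarios the others treat as out of scope, so a misconfigured
// layer does not by itself open the perimeter.
func (p Perimeter) Evaluate(r Request) []string {
	var denials []string
	guardrails := []func(Request) (string, bool){p.identityGuardrail, p.networkGuardrail, p.resourceGuardrail}
	for _, g := range guardrails {
		if reason, ok := g(r); !ok {
			denials = append(denials, reason)
		}
	}
	return denials
}

// Scenarios evaluates constructed sample traffic for organization "fin-org" with one VPC endpoint.
func Scenarios() map[string][]string {
	p := Perimeter{Org: "fin-org", VPCEs: map[string]bool{"vpce-fin-obs": true}}
	cases := map[string]Request{
		"app via own endpoint to own bucket":             {"fin-org", "vpce-fin-obs", "fin-org"},
		"leaked credential replayed from Internet":       {"fin-org", "", "fin-org"},
		"leaked credential from attacker VPCE":           {"fin-org", "vpce-attacker", "fin-org"},
		"compromised app exfiltrates to attacker bucket": {"fin-org", "vpce-fin-obs", "attacker-org"},
		"attacker identity from Internet to own bucket":  {"attacker-org", "", "fin-org"},
		"attacker identity through own endpoint":         {"attacker-org", "vpce-fin-obs", "attacker-org"},
	}
	out := map[string][]string{}
	for name, r := range cases {
		out[name] = p.Evaluate(r)
	}
	return out
}

func main() {
	for name, denials := range Scenarios() {
		fmt.Printf("%-48s -> %v\n", name, denials)
	}
}
```

Only the legitimate request passes. The leaked-credential cases are caught by both the SCP and the resource policy, the exfiltration case by both the SCP and the endpoint policy, and the cases involving a foreign identity are caught by exactly one guardrail each, which is the reason the framework keeps all three rather than relying on the SCP alone.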
- Objective 3: Secure identity access and credential leakage prevention
- A federated identity login solution is built on a standard identity federation protocol, so that employees cannot bypass the enterprise's local login system to use cloud accounts. To control tenant logins, the network locations from which SSO logins and console access are allowed are restricted, and the enterprise's local security gateway enforces the restriction. As a result, employees can access the enterprise cloud accounts only from the enterprise intranet and cannot log in to personal accounts.
- Application identity federation allows tenant applications to securely exchange external SAML and OIDC tokens for Huawei Cloud IAM tokens. All IAM users are disabled and replaced by IAM agencies, which issue temporary tokens, so there are no long-term credentials (AK/SK or login passwords) left to leak. ECS instance identity signatures and IAM agency identity tokens are retrieved only through IMDSv2, which is enforced on the instances; its session-oriented, token-based requests cannot be satisfied by the single unauthenticated GET that an SSRF flaw typically yields against the metadata service. SCPs bind the resulting IAM tokens to the identity boundary guardrails described under Objective 2, so a token exfiltrated from a VM or VPC cannot be used outside the organization's VPC endpoints.