Updated on 2025-05-22 GMT+08:00

SEC01-04 Separating Workloads

Workloads are separated at the architecture design stage: the workloads of a system are divided into smaller parts, and each part runs and is managed independently, which improves system security and maintainability.

  • Risk level

    High

  • Key strategies

An enterprise, especially a large one, usually has workloads of different types (such as those in the production, development, and test environments) or workloads belonging to different organizational units (OUs). These OUs and workloads must be isolated from one another.

    Workload separation is important in a cloud environment. From the perspective of security governance, the reasons are as follows:

    • Security: Workload separation reduces security risks. By isolating workloads in independent environments, you limit the impact that a faulty or compromised workload can have on other workloads.
    • Compliance: Some industries and regulations have strict requirements on data isolation and access control. By separating workloads, you can more easily meet compliance requirements, protect sensitive data, and ensure data privacy.
    • Manageability: Workloads are separated to facilitate system management and maintenance. Each workload has independent configuration and management requirements. Separating them can simplify the management process and reduce operation risks.
    • Flexibility: Separating workloads provides greater flexibility and scalability. Organizations can adjust and scale resources for different workloads as needed without affecting other parts.

    Huawei Cloud provides the following workload separation mechanisms:

    • Separation by VPC: Workloads are deployed in different VPCs. Each VPC is an independent network isolated from the others.
    • Separation by enterprise project: An enterprise project is a logical collection of cloud service resources. Workloads can be deployed in different enterprise projects for group-based resource management and permission control.
    • Separation by account: Deploy different workloads in different Huawei Cloud accounts. Each account has its own identity authentication, access control, and resource isolation, which gives the strictest isolation and security. Grant each account only the minimum permissions it needs, to avoid excessive permission assignment and reduce the risk of permission abuse. If cross-account access is required, use appropriate identity authentication and authorization mechanisms, such as cross-account delegation and resource sharing.
    • Combination of multiple mechanisms: Use two or more of the preceding methods together to separate workloads.
  • Related cloud services and tools
    • Virtual Private Cloud (VPC)
    • Enterprise Project Management Service (EPS)
    • Identity and Access Management (IAM)
    • Huawei Cloud Landing Zone
    • Organizations
    • Resource Governance Center (RGC)
    • Resource Access Manager (RAM)
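The following is an added example, not code from the page or from Huawei Cloud: a small audit script that encodes the three separation mechanisms above (account, enterprise project, VPC) as a hypothetical separation policy and checks a constructed workload inventory against it. The inventory, the policy rules, and the field names are assumptions for illustration; the point is that enterprise projects and VPCs are scoped within an account, so a check at a weaker boundary must also compare the account.

```python
from itertools import combinations

# Constructed sample inventory (assumption, not data from the page): one record per
# workload, naming the account, enterprise project (ep) and VPC it is deployed in.
WORKLOADS = [
    {"name": "web-prod",    "app": "shop",   "env": "prod", "ou": "retail",  "account": "acct-prod",    "ep": "ep-retail",  "vpc": "vpc-prod"},
    {"name": "db-prod",     "app": "shop",   "env": "prod", "ou": "retail",  "account": "acct-prod",    "ep": "ep-retail",  "vpc": "vpc-prod"},
    {"name": "web-dev",     "app": "shop",   "env": "dev",  "ou": "retail",  "account": "acct-prod",    "ep": "ep-retail",  "vpc": "vpc-dev"},
    {"name": "bi-test",     "app": "bi",     "env": "test", "ou": "finance", "account": "acct-nonprod", "ep": "ep-finance", "vpc": "vpc-test"},
    {"name": "hr-test",     "app": "hr",     "env": "test", "ou": "hr",      "account": "acct-nonprod", "ep": "ep-finance", "vpc": "vpc-test"},
    {"name": "report-test", "app": "report", "env": "test", "ou": "finance", "account": "acct-nonprod", "ep": "ep-finance", "vpc": "vpc-test"},
]

# Enterprise projects and VPCs live inside an account, so two workloads share
# one of them only when they also share the account.
BOUNDARY_KEY = {
    "account": lambda w: (w["account"],),
    "ep":      lambda w: (w["account"], w["ep"]),
    "vpc":     lambda w: (w["account"], w["vpc"]),
}

def required_boundary(a, b):
    """Hypothetical policy: the boundary two workloads must NOT share, or None."""
    if a["env"] != b["env"]:
        return "account"  # prod/dev/test must be in separate accounts
    if a["ou"] != b["ou"]:
        return "ep"       # different OUs: at least separate enterprise projects
    if a["app"] != b["app"]:
        return "vpc"      # different apps in one OU and env: at least separate VPCs
    return None           # tiers of one application may share a VPC

def find_violations(workloads):
    """Return (name_a, name_b, boundary) for each pair sharing a boundary it must not."""
    violations = []
    for a, b in combinations(workloads, 2):
        boundary = required_boundary(a, b)
        if boundary and BOUNDARY_KEY[boundary](a) == BOUNDARY_KEY[boundary](b):
            violations.append((a["name"], b["name"], boundary))
    return violations

if __name__ == "__main__":
    for a, b, boundary in find_violations(WORKLOADS):
        print(f"{a} and {b} share one {boundary}; policy requires separate {boundary}s")
```

Running it on the sample inventory flags the dev workload placed in the production account, the two OUs sharing one enterprise project, and the two finance applications sharing one test VPC.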