Updated on 2025-05-07 GMT+08:00

Security Design Principles

Huawei Cloud has summarized the following ten security design principles based on its security practices and successful projects. You can follow these principles to design effective cloud security solutions.

  • Zero Trust Principle

    Follow the "Never Trust, Always Verify" concept and assume that no user, program, or device is trustworthy by default, whether it is an internal user, an external user, or a network device. Components in a system must be explicitly verified before any communication to reduce attack risk. Zero Trust transforms the existing static (black-and-white) trust model, based on one-time authentication and default authorization, into a dynamic trust model based on continuous risk evaluation and adaptive authorization. Zero Trust does not derive trust from network location. It focuses on protecting resources, not CIDR blocks. Compared with traditional security concepts, Zero Trust shifts the focus of network defense from static network-based boundaries to users, devices, and resources. All resources (such as people, objects, devices, applications, networks, data, and supply chains) require continuous identity authentication and trust evaluation, and dynamic security policies must be applied globally. Zero Trust reduces the attack surface and ensures system security through dynamic and continuous risk evaluation.

  • Principle of Least Privilege

    Assign users and applications only the minimum permissions they need to do their tasks, using fine-grained authorization. This limits access and reduces the risk of attacks: if credentials or applications are compromised, attackers do not gain broader access. If user or application tasks change, update their permissions promptly so that the tasks can still be completed without accumulating unneeded rights.

  • Defense in Depth

    Do not rely on a single security layer. Use multiple layers of security instead, so that if one layer fails, the rest still provide protection. Think of it as a castle with a moat, walls, and gates working together for defense. Establish a defense-in-depth mechanism that covers the entire technology stack and apply multiple types of security controls at every layer, including network edges, VPCs, cloud storage, ECSs, operating systems, application configurations, and code.

  • Balance Between Security and Cost

    Defense in depth is recommended, but a more comprehensive security protection solution may cost too much. To balance security and cost, design a cost-effective protection solution based on the compliance requirements of the service systems (such as classified information security protection) and on the classification of the sensitive data they handle. Focus on the protections that are actually necessary instead of applying all-round, high-level security protection everywhere.

  • Cloud Native Security

    Use cloud native security services. Cloud service providers provide plenty of cloud native security services, such as Web Application Firewall (WAF), Anti-DDoS, Cloud Firewall (CFW), and Data Encryption Workshop (DEW). These services are deeply integrated with the cloud platform, and have excellent performance, elasticity, and convenience. Cloud service providers are experienced in managing security operations and consistently improve cloud-native security features. For details about the cloud native security services provided by Huawei Cloud, see Cloud Native Security Service.

  • Attacker Perspective

    Evaluate service system security by thinking like an attacker, identify vulnerabilities, and enhance defenses. In this way, you can reduce attack risks, strengthen protection, and increase the costs of attacks.

  • Continuous Security Operations

    Security depends less (30%) on technology and more (70%) on operations. Continuously improve security management processes, conduct regular security operations, and monitor and assess cloud environment compliance to maintain long-term system stability and safety.

  • Barrel Principle

    Security operates like a system where every part matters. A single weak point lowers overall protection.

  • Separation of People and Data

    Use tools and management systems to limit user access to data, minimizing human errors like accidental deletions or changes when handling sensitive information.

  • DevSecOps

    Integrate security throughout the entire software development lifecycle, including requirement analysis, design, development, testing, deployment, maintenance, and operations, to maintain system safety and reliability. To achieve this, DevSecOps is recommended. It integrates security checks into DevOps automation, enabling faster vulnerability detection and fixes while boosting software development speed and quality.
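The Zero Trust principle above says that trust is evaluated per request from identity, device and behaviour signals, never from network location. The following Python program is an added example of that evaluation loop; it is not Huawei Cloud code, and the request fields, risk weights, thresholds and resource names are all constructed for illustration.

```python
"""Per-request trust evaluation in the Zero Trust style.

Added example, not Huawei Cloud code. The request fields, risk weights,
thresholds and resource names are all constructed for illustration.
"""
from dataclasses import dataclass, replace

# Constructed: resources that warrant a stricter allow threshold.
SENSITIVE_RESOURCES = {"payroll-db", "customer-pii-bucket"}


@dataclass(frozen=True)
class AccessRequest:
    """One access attempt. Evaluated on every request, not once per session."""
    principal: str
    authenticated: bool     # identity token presented and valid
    mfa_verified: bool      # strong second factor completed recently
    device_compliant: bool  # device posture check passed (patched, encrypted, managed)
    source_network: str     # "corp" or "internet"; kept for audit, never used for trust
    resource: str
    action: str             # "read" or "write"
    anomaly_score: float    # 0.0 (normal) .. 1.0 (highly unusual), from behaviour analytics


def risk_score(req: AccessRequest) -> float:
    """Dynamic risk in [0, 1]: every signal that cannot be verified raises the score.
    Network location deliberately contributes nothing."""
    if not req.authenticated:
        return 1.0
    score = 0.0
    if not req.mfa_verified:
        score += 0.35
    if not req.device_compliant:
        score += 0.35
    score += 0.3 * req.anomaly_score
    if req.resource in SENSITIVE_RESOURCES and req.action != "read":
        score += 0.1
    return min(score, 1.0)


def decide(req: AccessRequest) -> str:
    """Adaptive decision: 'allow', 'step_up' (re-verify identity or device
    before proceeding) or 'deny'. Sensitive resources get a lower allow limit."""
    if not req.authenticated:
        return "deny"
    score = risk_score(req)
    allow_limit = 0.3 if req.resource in SENSITIVE_RESOURCES else 0.5
    if score <= allow_limit:
        return "allow"
    if score <= 0.75:
        return "step_up"
    return "deny"


def network_is_ignored(req: AccessRequest) -> bool:
    """True when the same request gets the same decision from either network."""
    return (decide(replace(req, source_network="corp"))
            == decide(replace(req, source_network="internet")))


if __name__ == "__main__":
    # Constructed requests: a perimeter model would allow the first (it is
    # "inside") and block the second (it is "outside"); Zero Trust does the reverse.
    inside_unverified = AccessRequest("alice", True, False, False, "corp", "wiki", "read", 0.0)
    outside_verified = AccessRequest("bob", True, True, True, "internet",
                                     "customer-pii-bucket", "read", 0.1)
    for req in (inside_unverified, outside_verified):
        print(req.principal, req.source_network, round(risk_score(req), 2), decide(req))
```

The two constructed requests show the shift the principle describes: an unverified session on the corporate network is sent to step-up verification, while a verified user and compliant device on the internet is allowed to read even a sensitive resource.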
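The Principle of Least Privilege above also asks for permissions to be updated as tasks change. A practical way to do that is to compare what a principal was granted with what it actually used. The following Python program is an added example of that review, not Huawei Cloud code: the "service:resource:action" grant syntax, the access-log format and all principal and resource names are constructed, and real IAM policies use their own syntax.

```python
"""Right-sizing a principal's permissions from what it actually used.

Added example, not Huawei Cloud code. The "service:resource:action" grant
syntax, the access-log format and all names are constructed; real IAM
policies have their own syntax, but the review logic is the same.
"""
from fnmatch import fnmatchcase
from typing import NamedTuple

# Constructed: what the reporting job was granted when it was first set up.
GRANTED_ACTIONS = [
    "storage:object:*",        # wildcard: read, write, delete any object
    "storage:bucket:list",
    "compute:instance:*",      # never needed by this job
    "iam:user:delete",         # dangerous and never needed
]

# Constructed access log: timestamp, principal, action, resource, result.
ACCESS_LOG = """\
2025-05-01T09:12:03Z svc-report storage:object:get reports/2025-04.csv ALLOW
2025-05-01T09:12:04Z svc-report storage:object:put reports/2025-04-summary.csv ALLOW
2025-05-01T09:15:00Z svc-report storage:bucket:list reports ALLOW
2025-05-01T09:20:00Z svc-report storage:object:get reports/2025-03.csv ALLOW
2025-05-02T01:00:00Z svc-report analytics:job:submit nightly-rollup DENY
2025-05-02T01:00:00Z svc-backup compute:instance:snapshot vm-17 ALLOW
"""


class Record(NamedTuple):
    ts: str
    principal: str
    action: str
    resource: str
    result: str


def parse_access_log(text: str) -> list[Record]:
    return [Record(*line.split()) for line in text.splitlines() if line.strip()]


def actions_used_by(records: list[Record], principal: str) -> set[str]:
    """Actions the principal actually exercised (allowed calls only)."""
    return {r.action for r in records if r.principal == principal and r.result == "ALLOW"}


def denied_attempts_by(records: list[Record], principal: str) -> set[str]:
    """Denied calls: either misuse or a task change that needs a new, specific grant."""
    return {r.action for r in records if r.principal == principal and r.result == "DENY"}


def covered(action: str, grants: list[str]) -> bool:
    """A grant covers an action if the action matches the grant's wildcard pattern."""
    return any(fnmatchcase(action, g) for g in grants)


def unexercised_grants(grants: list[str], used: set[str]) -> list[str]:
    """Grants that no used action matched: candidates for removal."""
    return [g for g in grants if not any(fnmatchcase(a, g) for a in used)]


def wildcard_grants_to_narrow(grants: list[str], used: set[str]) -> dict[str, list[str]]:
    """Wildcard grants that were used, with the exact actions that should replace them."""
    return {
        g: sorted(a for a in used if fnmatchcase(a, g))
        for g in grants
        if "*" in g and any(fnmatchcase(a, g) for a in used)
    }


def least_privilege_policy(grants: list[str], used: set[str]) -> list[str]:
    """The replacement grant list: exact actions that were both used and entitled."""
    return sorted(a for a in used if covered(a, grants))


if __name__ == "__main__":
    records = parse_access_log(ACCESS_LOG)
    used = actions_used_by(records, "svc-report")
    print("remove:", unexercised_grants(GRANTED_ACTIONS, used))
    print("narrow:", wildcard_grants_to_narrow(GRANTED_ACTIONS, used))
    print("new policy:", least_privilege_policy(GRANTED_ACTIONS, used))
    print("review denied:", denied_attempts_by(records, "svc-report"))
```

Run against the constructed log, the review removes the two grants the job never used, narrows the object wildcard to the two object actions it actually called, and separately lists the denied analytics call so a reviewer can decide whether the job's task has legitimately changed.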
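The DevSecOps principle above calls for security checks inside the DevOps automation. The following Python program is an added example of one such check, a merge gate that fails a change containing hardcoded credentials; it is not Huawei Cloud code and not a real scanner, and the two detection rules, the entropy threshold and the three constructed source files are for illustration only.

```python
"""A merge gate that fails the build on hardcoded credentials.

Added example, not Huawei Cloud code and not a real scanner. The rules,
thresholds and the constructed source files are for illustration.
"""
import math
import re
from collections import Counter

# Rule 1: a secret-looking variable name assigned a string literal.
SECRET_ASSIGNMENT = re.compile(
    r'(?i)(password|passwd|secret|token|api[_-]?key)\w*\s*=\s*["\']([^"\']+)["\']'
)
# Rule 2: any long literal drawn from the characters typical of keys and base64.
LONG_LITERAL = re.compile(r'["\']([A-Za-z0-9+/=_\-]{20,})["\']')
ENTROPY_THRESHOLD = 3.5  # bits per character; constructed tuning value


def shannon_entropy(s: str) -> float:
    """Bits per character; random keys score high, prose and identifiers score low."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_source(path: str, text: str) -> list[dict]:
    """Return one finding per suspicious line in one file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = SECRET_ASSIGNMENT.search(line)
        if m:
            findings.append({"file": path, "line": lineno,
                             "rule": "secret-assignment", "name": m.group(1)})
            continue  # do not report the same line twice
        for lit in LONG_LITERAL.finditer(line):
            if shannon_entropy(lit.group(1)) >= ENTROPY_THRESHOLD:
                findings.append({"file": path, "line": lineno, "rule": "high-entropy-literal"})
    return findings


def merge_gate(files: dict[str, str]) -> tuple[bool, list[dict]]:
    """True means the change may merge; the findings go to the CI log either way."""
    findings = [f for path, text in files.items() for f in scan_source(path, text)]
    return (not findings, findings)


# Constructed source files as they might appear in a pull request.
CHANGED_FILES = {
    "app/config.py": (
        "import requests\n"
        'API_KEY = "sk_live_a8F3kLq9ZxP2mN7vB4cD"\n'     # constructed, not a real key
        'DB_PASSWORD = "hunter2"\n'
    ),
    "app/client.py": (
        'HEADERS = {"X-Auth": "ZmFrZS1iYXNlNjQtdG9rZW4tZm9yLWV4YW1wbGU="}\n'  # constructed
    ),
    "app/settings.py": (                                  # the corrected pattern
        "import os\n"
        'API_KEY = os.environ["API_KEY"]\n'
        'DB_PASSWORD = os.environ["DB_PASSWORD"]\n'
        'GREETING = "hello"\n'
    ),
}

if __name__ == "__main__":
    ok, findings = merge_gate(CHANGED_FILES)
    for f in findings:
        print(f"{f['file']}:{f['line']}: {f['rule']}")
    raise SystemExit(0 if ok else 1)
```

The gate exits non-zero for the first two constructed files and passes the third, where the secrets are injected from the environment at deploy time; wiring the exit code into the pipeline is what turns the check into the automated, early detection the principle describes.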