Data security refers to the comprehensive protection of users’ data and information assets through security measures spanning many aspects such as confidentiality, integrity, availability, durability, non-repudiation, authentication, and authorization. Huawei Cloud attaches great importance to the security of users’ data and information assets, and its security strategy and policy include a strong focus on data protection. Huawei Cloud will continue to embrace industry-leading standards for data security lifecycle management and adopt best-of-breed security technologies, practices, and processes across a variety of aspects, including identity authentication, privilege management, access control, data isolation, transmission, storage, deletion, and physical destruction of storage media. In short, Huawei Cloud will always strive toward the most practical and effective data protection possible in order to best safeguard the privacy, ownership, and control of our tenants’ data against data breaches and impacts on their business.
Access Isolation
- Identity Authentication and Access Control: The access control capabilities of Huawei Cloud are facilitated through its Identity and Access Management (IAM) service. The IAM service is a security management service optimized for enterprise tenants. Through the IAM service, tenants can manage users and security credentials (such as access keys) in a centralized manner and control users’ administrative privileges and cloud resource access permissions.
The IAM service allows tenant administrators to manage user accounts (such as employee, system, and application accounts) and their privileges to access resources within the corresponding tenant space. If an enterprise tenant requires resource access by multiple users for collaborative purposes, the IAM service can be used to prevent users from sharing account and password information and to assign permissions to users based on the principle of least privilege. In addition, the IAM service supports security policy configuration for login authentication, passwords, and access control lists (ACLs) to ensure user account and access security. In summary, the IAM service helps mitigate the security risks associated with enterprise tenant information.
- Data Isolation: Huawei Cloud facilitates data isolation in the cloud through the Virtual Private Cloud (VPC) service, which supports in-depth segregation of different tenants’ networks and prevents unauthorized data access across tenant networks. The VPC service allows a tenant to achieve layer 2 and layer 3 network segregation, ensuring full control of its own virtual network. On the one hand, a tenant’s VPC can be connected to the tenant’s traditional enterprise data center using the VPN or Direct Connect service, so that the tenant’s applications and data residing in its internal network can be seamlessly migrated to the tenant’s VPC. On the other hand, the security group function of the VPC can be used to configure network security and access rules according to the tenant’s specific requirements for finer-grained network segregation.
Transport Security
Data is transmitted between clients and servers, between servers of the Huawei Cloud as well as between Huawei Cloud and tenant internal networks via common information channels. Therefore, it is particularly important to protect data in transit.
- VPN: The Virtual Private Network (VPN) service is used to establish a secure, encrypted communication channel that complies with industry standards between a remote user and a tenant VPC, so that a tenant’s existing traditional data center seamlessly extends to Huawei Cloud while ensuring end-to-end data confidentiality. With a VPN-based communication channel established between the traditional data center and the VPC, a tenant can use Huawei Cloud resources such as cloud servers and block storage as needed. Applications can be migrated to the cloud, additional web servers can be launched, and the compute capacity within a tenant space can be expanded so as to establish an enterprise hybrid cloud architecture and also lower the risk of unauthorized dissemination of a tenant’s core business data.
Currently, Huawei Cloud uses IPsec VPN together with Internet Key Exchange (IKE) to encrypt data in transit and ensure transport security.
- Application-Layer Security: TLS and Certificate Management: Huawei Cloud supports data transmission in REST and Highway modes. In REST mode, a service is published as a RESTful service and the initiating party uses an HTTP client to call the RESTful API directly for data transmission. In Highway mode, a communication channel is established using a high-performance Huawei-proprietary protocol, which is best suited for scenarios requiring especially high performance. Both REST and Highway modes support TLS 1.2 for encryption of data in transit and X.509 certificate-based identity authentication of destination websites.
The SSL Certificate Management service is a one-stop X.509 certificate lifecycle management service provided to our tenants by Huawei Cloud together with world-renowned public certificate authorities (CAs). It ensures the identity authentication of destination websites and secure data transmission.
Storage Security
- Key Protection and Management: The Key Management Service (KMS) is a secure, reliable, and easy-to-use key escrow service that facilitates centralized key management so that users can achieve better key security. The KMS employs Hardware Security Module (HSM) technology for key generation and management, preventing the disclosure of plaintext keys outside the HSM and ensuring key security. The KMS enforces access control on all crypto key-related operations, with logging enabled to provide an audit trail of all crypto key usage, which meets audit and compliance requirements. Huawei Cloud’s in-house-developed KMS already supports integration with the following Huawei Cloud services:
- Elastic Volume Service (EVS)
- Object Storage Service (OBS)
- Volume Backup Service (VBS)
- Image Management Service (IMS)
In addition, Huawei Cloud has also introduced FIPS 140-2 validated third-party HSMs in order to meet tenants’ security audit and compliance requirements.
An HSM is a hardware device that provides cryptographic capability and securely generates, stores, manages, and uses crypto keys. To protect tenants’ crypto keys and mitigate the risk of crypto key leakage to the public, Huawei Cloud provides a cloud HSM service using different HSM vendors in different specifications (such as industry-standard encryption algorithms and country-specific encryption algorithms) and cipher suite strengths, which allows tenants to select the options suitable for their real-world requirements.
- Data Confidentiality and Reliability Assurance: Huawei Cloud offers data protection functions and recommendations for each cloud storage service.
Data Deletion & Destruction
Huawei Cloud protects tenant data against unauthorized disclosure during and after data deletion.
- Memory erasure: Before the cloud operating system reallocates memory space to new users, Huawei Cloud performs a zero-fill data wipe procedure on the memory space to be reallocated. This procedure ensures that malware detection software cannot detect valuable information in the memory of a newly initiated VM and prevents the data leakage that would otherwise result from the restoration of deleted data from physical memory.
- Secure (logical) data deletion: Huawei Cloud offers a one-click feature for the logical deletion of discarded data, which gives tenants the flexibility to delete data (for example, data stored in cloud storage services such as RDS) from the management console with a single click whenever needed.
- Hard disk data deletion: Huawei Cloud performs a zero-fill data wipe procedure on virtual volumes of both deleted accounts and disabled accounts, ensuring that deleted data cannot be restored and preventing data leakage that would otherwise result from malicious tenants retrieving valuable data on the hard disk using data restoration software.
- Encryption-based data leakage prevention: Huawei Cloud advises tenants to encrypt their high-value data prior to uploading it to Huawei Cloud, as well as to configure encryption for data in transit and data in storage. When data in the cloud needs to be discarded, the tenant may simply perform the “secure delete” operation on the data-encrypting key(s) in order to prevent data leakage. Moreover, before physical disks and memory are reassigned, Huawei Cloud performs a routine zero-fill data wipe operation.
- Physical disk destruction: When a physical disk needs to be decommissioned, Huawei Cloud permanently deletes the data present on the disk by means of physical disk degaussing and/or shredding as needed to ensure user privacy and avoid unauthorized data access. In addition, Huawei Cloud adheres to industry-standard practices and keeps a complete data deletion activity log for chain-of-custody and audit purposes.
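The “secure delete” of a data-encrypting key described above, together with the KMS-escrowed key pattern from the Storage Security section, is illustrated by the following added example in Go; it is not Huawei Cloud’s code and assumes a hypothetical in-memory KeyStore standing in for the KMS. Each object is encrypted under its own AES-256-GCM data-encrypting key (DEK), and once that DEK is shredded no copy of the ciphertext, including backups, can be decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyStore is a hypothetical stand-in for the KMS (key id -> DEK); in a real
// deployment the plaintext DEK never leaves the HSM boundary.
type KeyStore map[string][]byte

// Record is what the storage service keeps: the ciphertext plus its DEK id.
type Record struct {
	KeyID      string
	Ciphertext []byte // nonce || AES-256-GCM(plaintext)
}
func gcm(key []byte) cipher.AEAD {
	b, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	g, _ := cipher.NewGCM(b)
	return g
}
// Encrypt creates a fresh 256-bit DEK under id and encrypts pt with it.
func (ks KeyStore) Encrypt(id string, pt []byte) *Record {
	dek := make([]byte, 32)
	rand.Read(dek) // crypto/rand.Read does not fail in current Go
	ks[id] = dek
	g := gcm(dek)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return &Record{KeyID: id, Ciphertext: g.Seal(nonce, nonce, pt, nil)}
}
// Decrypt fails once the DEK is gone, however many ciphertext copies survive.
func (ks KeyStore) Decrypt(r *Record) ([]byte, error) {
	dek, ok := ks[r.KeyID]
	if !ok {
		return nil, errors.New("DEK destroyed: data is unrecoverable")
	}
	g := gcm(dek)
	n := g.NonceSize()
	return g.Open(nil, r.Ciphertext[:n], r.Ciphertext[n:], nil)
}
// Shred is the "secure delete" of the DEK: overwrite it in place, then drop it.
func (ks KeyStore) Shred(id string) {
	for i := range ks[id] {
		ks[id][i] = 0
	}
	delete(ks, id)
}
```

A production KMS would keep the DEK inside the HSM and hand out only a wrapped copy, but the property demonstrated is the same: destroying the key is what makes the data unrecoverable, regardless of how many disk or backup copies of the ciphertext remain.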
By Jawad Jafri, Cyber Security and Privacy Officer (CSPO), Huawei South Africa