Monday, May 5, 2025

Trustworthy HUAWEI CLOUD Infrastructure and Services

The security of cloud services depends on both cloud service providers and customers. HUAWEI CLOUD is responsible for establishing and managing physical infrastructure and providing basic and application services. Customers are responsible for the secure configuration and management of the cloud services they purchase and use. 

High-Level, Highly Available, and Global IT Infrastructure

High-Level Data Center (DC) Equipment Room

HUAWEI CLOUD fully considers both natural and human factors when selecting sites, and ensures that each availability zone (AZ) is physically isolated and independently maintained. Our construction of equipment rooms complies with the T3 standard in the TIA 942 Telecommunications Infrastructure Standard for Data Centers.

Highly Available DC Architecture

HUAWEI CLOUD deploys multiple AZs in each region, and multiple data centres (DCs) in each AZ. DCs in each region or AZ are interconnected through high-speed optical fiber. We use data replication and all-active technologies to prevent the loss of data and ensure service continuity in AZs.

Global Infrastructure

Huawei has deployed cloud platforms for more than 270 carriers and their regions worldwide. These platforms use cloud computing solutions with the unified architecture of private cloud, public cloud, and hybrid cloud.

Comprehensive Basic Service Security Assurance

HUAWEI CLOUD has formulated 12 trustworthy design principles for cloud services.

Figure 2: 12 trustworthy design principles for HUAWEI CLOUD

HUAWEI CLOUD uses multiple technical means to apply design principles to full-stack cloud service R&D and implementation, covering the entire lifecycle from product design to product implementation. We also use multiple protection layers, including basic network protection, platform isolation, and application security.

Basic Cyber Security

HUAWEI CLOUD employs ITU E.408 security zone division principles and industry-leading cyber security practices to divide and isolate the security zones and network planes of the HUAWEI CLOUD network. In addition, we use technical means to scrub abnormal and very large volumes of DDoS traffic, detect and prevent network intrusions (using IDS/IPS), and protect web security.

Platform Isolation

HUAWEI CLOUD uses a unified virtualisation platform (UVP) to virtualise physical server resources into a group of logical resources. These resources can then be centrally managed, flexibly scheduled, and dynamically allocated. They create an environment on a single physical server in which multiple isolated virtual machines (VMs) run simultaneously. In China’s Trusted Cloud Services (TRUCS) certification, cloud hosts of the HUAWEI CLOUD platform obtained the highest level, Five Star+ Certification.

The virtual private cloud (VPC) product offered by HUAWEI CLOUD is the key to network isolation. With the VPC, tenants can control their own virtual networks, implementing Layer 2 and Layer 3 network isolation between tenants. The security group function of the VPC allows users to configure security and access rules as required, meeting tenants’ requirements for fine-grained network isolation.

Application Security

HUAWEI CLOUD services can be configured and managed through open APIs to interconnect with the existing IT management and audit systems of enterprises. These APIs are protected using multiple mechanisms and measures:

  • HUAWEI CLOUD performs identity authentication on each API request through the integrated Identity and Access Management (IAM) system. The transmission channel is encrypted using Transport Layer Security (TLS).
  • Each access request is authenticated based on a token or an access key ID/secret access key pair.
  • Multiple advanced boundary protection mechanisms, such as anti-DDoS, IPS, and web application firewall (WAF), are used to defend against various threats and attacks.
  • On the basis of advanced boundary protection, only registered APIs can be accessed by tenants, ACL rules are configured to allow only specified tenants and network segments to access the API gateway, and API traffic is controlled for highly available and continuous API-based access.
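To show how the layered API controls listed above compose on the gateway side, here is an added example (not HUAWEI CLOUD's code; the API paths, tenants, access keys, ACL entries, rate limit and the HMAC-SHA256 signing scheme are all constructed assumptions, not the platform's real formats). A request must arrive over TLS, target a registered API, carry a valid AK/SK signature within a replay window, come from a network segment allowed for that tenant, and stay under the tenant's traffic limit; each layer is checked in turn and the first failure is reported.

```python
import hmac
import hashlib
import ipaddress

# Constructed sample configuration (assumption: not Huawei Cloud's real data).
REGISTERED_APIS = {"/v1/servers", "/v1/volumes"}
# ACL: which tenants may reach the gateway, and from which network segments.
ACL = {"tenant-a": ["10.0.0.0/8"], "tenant-b": ["192.0.2.0/24"]}
# Access keys issued to tenants: AK -> (tenant, SK). Constructed values.
CREDENTIALS = {"AK-CONSTRUCTED-1": ("tenant-a", b"constructed-secret-key")}
RATE_LIMIT = 3          # requests per tenant per window (constructed value)
REPLAY_WINDOW = 300     # seconds of clock skew tolerated (assumption)

def sign(sk, method, path, timestamp):
    # HMAC-SHA256 over method, path and timestamp. The real AK/SK signing
    # scheme is not reproduced here; this is a stand-in (assumption).
    msg = f"{method}\n{path}\n{timestamp}".encode()
    return hmac.new(sk, msg, hashlib.sha256).hexdigest()

class Gateway:
    def __init__(self, now):
        self.now = now      # gateway clock, injected so the example is deterministic
        self.counts = {}    # per-tenant request counter for traffic control

    def authorize(self, req):
        """Return (allowed, reason_or_tenant) for one API request dict."""
        if not req.get("tls"):
            return False, "plaintext channel rejected"        # TLS-only transport
        if req["path"] not in REGISTERED_APIS:
            return False, "unregistered API"                  # only registered APIs
        cred = CREDENTIALS.get(req["ak"])
        if cred is None:
            return False, "unknown access key"
        tenant, sk = cred
        if abs(self.now - req["timestamp"]) > REPLAY_WINDOW:
            return False, "stale timestamp"                   # replay protection
        expected = sign(sk, req["method"], req["path"], req["timestamp"])
        if not hmac.compare_digest(expected, req["signature"]):
            return False, "bad signature"                     # AK/SK authentication
        src = ipaddress.ip_address(req["src_ip"])
        if not any(src in ipaddress.ip_network(n) for n in ACL.get(tenant, [])):
            return False, "source not in tenant ACL"          # tenant + segment ACL
        n = self.counts.get(tenant, 0) + 1
        self.counts[tenant] = n
        if n > RATE_LIMIT:
            return False, "rate limit exceeded"               # API traffic control
        return True, tenant
```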

Data Security Throughout the Entire Lifecycle

Data Creation

HUAWEI CLOUD provides services by region. Without authorisation, HUAWEI CLOUD will not move a customer’s content data across regions. Access control mechanisms of different granularities ensure that customers can access only their own data.

Data Storage

HUAWEI CLOUD provides data encryption and storage protection on the cloud by using the dedicated hardware security module (DHSM), key management system (KMS), and key pair management functions of the data encryption workshop (DEW).

DHSM is a hardware encryptor that complies with the Office of the State Commercial Cryptography Administration (OSCCA) certification or FIPS 140-2 level-3 certification. It provides up to 10,000 TPS user-exclusive encryption capabilities. KMS provides encryption features and secure key management for cloud services. Customers can use KMS to manage keys securely. KMS keys are protected by the hardware security module (HSM), which has obtained FIPS 140-2 security certification (level 2 and level 3), meeting data compliance requirements.

Data Transmission

HUAWEI CLOUD uses virtual private networks (VPNs) to establish secure encrypted communication tunnels between remote users and VPCs, seamlessly extending existing data centers to HUAWEI CLOUD and ensuring end-to-end data transmission confidentiality for tenants. Through the communication tunnels established using VPNs between traditional data centers and VPCs, customers can conveniently use HUAWEI CLOUD resources.

HUAWEI CLOUD services are exposed as standard RESTful APIs. Data transmitted over the entire network is encrypted using TLS. In addition, HUAWEI CLOUD services support authentication of the target server's identity based on X.509 certificates.

Data Backup and Restoration

HUAWEI CLOUD provides multiple redundancy and disaster recovery mechanisms to ensure high data durability and service availability.

Data Deletion and Destruction

After a user confirms data deletion, HUAWEI CLOUD securely deletes the user data and all copies of it. After a user deregisters a HUAWEI CLOUD account, the associated content data enters the retention period. During this period, the user cannot access or use cloud services. After the retention period expires, the content data is permanently deleted. When physical storage media need to be decommissioned, HUAWEI CLOUD permanently deletes the data in the storage media.
