Huawei Cloud Security White Paper

Issue 3.2
Date 2020-08-14
HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd.

Trademarks and Permissions

HUAWEI and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd. All other trademarks and trade names mentioned in this document are the property of their respective holders.

Notice

The purchased products, services and features are stipulated by the contract made between Huawei and the customer. All or part of the products, services and features described in this document may not be within the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements, information, and recommendations in this document are provided "AS IS" without warranties, guarantees or representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in the preparation of this document to ensure accuracy of the contents, but all statements, information, and recommendations in this document do not constitute a warranty of any kind, express or implied.

Huawei Technologies Co., Ltd.
Address: Huawei Industrial Base, Bantian, Longgang, Shenzhen 518129, People's Republic of China
Website: www.huawei.com

Issue 3.2 (2020-08-14)  Copyright © Huawei Technologies Co., Ltd.  i

Introduction

Recent years have seen the rapid evolution of threats to cloud security, with new threats emerging at an alarming and increasing pace. Huawei Cloud, like most Cloud Service Providers (CSPs) and cloud customers, has risen to the challenge by continuing to learn, explore, and mature, benefiting hugely from the process. In early 2017 Huawei Technologies Co., Ltd. ("Huawei") formally established its Cloud Business Unit ("Cloud BU"), raising the curtain on a new era for Huawei Cloud. Not just taking these emerging security challenges in stride, Huawei Cloud also sees in them opportunities to offer our customers secure and trustworthy cloud services through collaboration with our ecosystem partners and in accordance with our committed lines of business, furthering our objective to both safeguard and add value to our customers' business.

A comprehensive set of highly effective cloud security strategies and practices has emerged through integrating leading cloud security concepts from across the industry and established security best practices from the world's leading CSPs with Huawei's expertise from years of cybersecurity experience, including its cloud security technologies and operational practices. As a result, Huawei Cloud has implemented a multi-layered security architecture that provides defense in depth and complies with all relevant regulations. Moreover, Huawei Cloud builds security into, and continues to improve the security of, its most commonly used Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS) cloud services.

Supporting all this is Huawei Cloud BU's highly autonomous and flat organization; its highly capable research and development (R&D) and operations and maintenance (O&M) teams, which stay abreast of the latest security developments; its cloud-optimized DevOps/DevSecOps[1] methodology and workflow; and its ever-flourishing cloud security ecosystem. Huawei Cloud will, together with our ecosystem partners, continue to make our customers our top priority and deliver high-quality cloud services with value-added security functions, advanced cloud security services, and security consulting services. The goal is to not only effectively protect the interests of our tenants, helping them with their business growth, but also enhance Huawei Cloud's market competitiveness and achieve long-term, sustainable, and mutually beneficial results for Huawei Cloud, our customers, and our partners.

Huawei Cloud herein releases the Huawei Cloud Security White Paper (the "White Paper"). The White Paper shares Huawei Cloud's extensive cloud security experience with our users and the industry at large, so as to help us all better understand and learn from each other, while jointly promoting the openness and progress of both the cloud industry and the cloud security industry.

This White Paper is intended for readers across a wide variety of industries and regions:

• From our tenants, ecosystem partners, and communities to general Internet users;
• From small-, medium-, and large-sized enterprise customers to individual users;
• From the decision-making executive level and the management level to cloud service-related technical personnel such as employees with positions in IT, security, and privacy, and to personnel in other cloud service-related positions, including marketing, procurement and contracting, and compliance audit, among others.

Note:

1. DevOps is an end-to-end engineering process and tool chain practice spanning R&D to O&M. It was created by high-tech industry practitioners, as opposed to theorists, and matured along with the development of Web 2.0 and cloud services. Cloud services and other online features entail continuous integration and continuous deployment (CI/CD), which DevOps supports, as opposed to the traditional waterfall process and Security Development Lifecycle (SDL), which are no longer suited to these demands. Security must be seamlessly embedded into and highly automated throughout the entire engineering process. As a result, a new security lifecycle management process called DevSecOps came into being. Huawei's study of DevSecOps practices at world-leading CSPs and major online service companies at home and abroad shows that these companies are adopting DevOps/DevSecOps processes and tool chain practices company-wide at an accelerating rate. The positive outcomes of that adoption also indicate that the security risks traditional IT security personnel intuitively associate with it have not materialized in practice. With security seamlessly embedded into DevOps, DevSecOps does not weaken security; rather, it effectively elevates security through a high degree of automation.

Contents

Introduction
1 Cloud Security Strategy
2 Shared Responsibility Model
  2.1 Huawei Cloud's Security Responsibilities
  2.2 Tenants' Security Responsibilities
3 Security Compliance and Privacy Protection
  3.1 Security Compliance
  3.2 Privacy Protection
4 Security Organization and Personnel
  4.1 Security Organization
  4.2 Security and Privacy Protection Personnel
  4.3 Internal Audit Personnel
  4.4 Human Resource Management
    4.4.1 Security Awareness Education
    4.4.2 Security Competency
    4.4.3 Key Position Management
  4.5 Security Violation Accountability
5 Infrastructure Security
  5.1 Physical and Environmental Security
    5.1.1 Physical Security
    5.1.2 Environmental Safety
  5.2 Network Security
    5.2.1 Security Zone Planning and Isolation
    5.2.2 Service Plane Planning and Isolation
    5.2.3 Advanced Perimeter Protection
  5.3 Platform Security
    5.3.1 CPU Isolation
    5.3.2 Memory Isolation
    5.3.3 I/O Isolation
  5.4 API Security
  5.5 Data Security
    5.5.1 Access Isolation
    5.5.2 Transport Security
    5.5.3 Storage Security
    5.5.4 Data Deletion & Destruction
6 Tenant Services and Security
  6.1 Compute Services
    6.1.1 ECS
    6.1.2 IMS
    6.1.3 AS
    6.1.4 DeH
    6.1.5 BMS
  6.2 Network Services
    6.2.1 VPC
    6.2.2 ELB
    6.2.3 DNS
  6.3 Storage Services
    6.3.1 EVS
    6.3.2 CBR
    6.3.3 CDN
    6.3.4 OBS
    6.3.5 DES
  6.4 Database Services
    6.4.1 RDS
    6.4.2 DDS
    6.4.3 DCS
  6.5 Data Analytics Services
    6.5.1 MRS
  6.6 Application Services
    6.6.1 SMN
    6.6.2 DMS
    6.6.3 Workspace
  6.7 Management Services
    6.7.1 CES
    6.7.2 CTS
    6.7.3 EPS
    6.7.4 TMS
    6.7.5 RTS
  6.8 Security Services
    6.8.1 IAM
    6.8.2 DEW
    6.8.3 Anti-DDoS
    6.8.4 HSS
    6.8.5 CGS
    6.8.6 Cloud WAF
    6.8.7 DBSS
7 Engineering Security
  7.1 DevOps and DevSecOps Processes
    7.1.1 Dual Path Mechanism
  7.2 Security Design
  7.3 Secure Coding and Security Testing
  7.4 Third-Party Software Security Management
  7.5 Configuration and Change Management
  7.6 Pre-Release Security Approval
8 Operational Security
  8.1 O&M Account Security Administration
    8.1.1 Account Authentication
    8.1.2 Permissions Management
    8.1.3 Access Security
  8.2 Vulnerability Management
    8.2.1 Vulnerability Identification
    8.2.2 Vulnerability Response & Resolution
    8.2.3 Vulnerability Disclosure
  8.3 Security Logging & Event Management
    8.3.1 Log Management and Auditing
    8.3.2 Rapid Detection and Impact Scoping
    8.3.3 Rapid Isolation and Recovery
  8.4 Disaster Recovery and Business Continuity
    8.4.1 High Availability of Infrastructure
    8.4.2 DR Among AZs
    8.4.3 Business Continuity Plan and Testing
9 Security Ecosystem

1 Cloud Security Strategy

Increasingly complex cybersecurity threats and challenges are emerging at an alarming rate, as cloud services-related technologies and information and communications technologies (ICT) as a whole continue to evolve and progress. Cloud security threats in particular are becoming increasingly difficult to tackle. In fact, cybersecurity has become a multi-faceted challenge for cloud technology vendors and security companies across the globe. Only through collaboration at a global scale between vendors, service providers, and customers, as well as industry standards bodies, policy-makers, and law-makers, will we be able to effectively address these challenges and deliver positive, measurable results. Along the way, we are committed to sharing our knowledge and experience, as well as staying both pragmatic and cooperative. By joining forces, we will be able to successfully handle unforeseen cloud security risks rooted in the misuse and abuse of technologies.

As a leading provider of ICT technologies and solutions worldwide, Huawei fully understands the importance of cybersecurity and cloud security to governments and customers around the world, their deep concerns regarding these areas, and the close attention that must be paid to them by government bodies and technology companies alike.

The cloud era has brought with it an endless variety of new security challenges, pervasive threats, and persistent attacks[1]. Huawei is increasingly cognizant of these security concerns and attaches high priority, through heavy investment, to technological competency, regulatory compliance, and ecosystem growth in cyber and cloud security. Furthermore, we have adopted practical and effective measures to continue accelerating our R&D in cloud security technologies and services, not only raising the security posture of our cloud products and services but also improving our cloud security compliance and ecosystem.

We are committed to establishing mutual trust with stakeholders and helping our cloud customers manage their cloud security risks. Huawei asserts that the establishment of an open, transparent cloud security solution framework will be instrumental to sustainable progress across the entire cloud service industry, and especially to the promotion of cloud technology innovation.

Huawei Cloud upholds Mr. Ren Zhengfei's directive to "Place the company's responsibility for safeguarding our customers' cybersecurity and business above our own commercial interests." Embracing a security-first corporate culture, Huawei Cloud continues to leverage company-level security competencies and make headway in cloud security through practical measures and steadfast

efforts. Cloud security at Huawei dates back to the year 2000, when Huawei started R&D in the field of security technologies and the Huawei Security Test Lab opened for business. In the nearly 20 years since then, Huawei has spared no effort in strengthening our security capabilities, striving to enhance the R&D and O&M of our cloud services and cloud security services every step of the way, and eventually bearing fruit in the form of Huawei Cloud's full-stack, multi-layered security control environment:

• 2003: launched the industry's first firewall based on a network processor (NP) architecture.
• 2008: established a joint venture with Symantec Corporation named Huawei Symantec Technologies Co. Ltd., focusing on security product R&D.
• 2011: opened the Security Competence Center to specialize in product security capability R&D.
• 2012: ranked No. 1 in market share in mainland China's cybersecurity product market.
• 2015: launched online cloud-based security solutions and services.
• 2016: deployed cloud security capabilities and solutions worldwide; for example, Key Management Service (KMS) and Anti-DDoS Service went online in Germany and Spain.
• 2017: released a series of value-added advanced cloud security services such as the terabyte-level Anti-DDoS Service and Database Security Service (DBSS), which features a built-in database firewall.
• 2018: launched the dedicated hardware security module (DHSM).

Cybersecurity and privacy protection are Huawei's top priorities. Moving forward, Huawei Cloud hereby makes the following cybersecurity commitment: Huawei Cloud shall take data protection as our core; technological security capabilities as our foundations; compliance with applicable cybersecurity laws, regulations, and industry standards as our castle walls; and the wider security ecosystem as our moat.

Leveraging Huawei's unique software and hardware advantages, Huawei Cloud shall establish and maintain industry leadership and competitiveness with well-managed cloud security infrastructure and services to protect Huawei Cloud services across regions and industries. This commitment will serve as one of Huawei Cloud's key development strategies. Huawei Cloud not only leverages and adopts best security p