Stable and Reliable Data Migrations to the Cloud

Cloud data security depends on a secure and reliable cloud platform. Huawei Cloud has built a secure and reliable cloud platform based on Huawei's more than 30 years of experience and best practices in cloud security.

How Can We Keep Data on the Cloud Secure and Reliable?

Key Protection

Huawei Cloud uses Key Management Service (KMS) in Data Encryption Workshop (DEW) to provide secure, reliable, and easy-to-use key hosting. KMS uses HSMs to protect Customer Master Keys (CMKs), helping you create and control CMKs with ease. All CMKs are protected by root keys in HSMs to avoid key leakage.

KMS can manage keys and encrypt data for object storage, cloud disks, cloud images, cloud databases, and scalable file storage.

Data reliability

Data reliability is a key area of focus for Huawei Cloud data security management. To guarantee the stability and reliability of your data, Huawei Cloud storage services, including Elastic Volume Service (EVS), Relational Database Service (RDS), and Object Storage Service (OBS), all use varied technical means to improve data reliability.

Huawei Cloud Service Level Agreements (SLAs) also make clear service availability commitments for products and services like EVS, RDS, and OBS. If a service fails to meet its commitments, Huawei Cloud will compensate you in accordance with the SLA.

Data isolation

Virtual compute resource isolation

Huawei Cloud logically divides underlying physical compute resources, such as CPUs, memory, and I/O devices, into virtualized compute resources, such as vCPUs, virtual memory, and virtual I/O devices. The virtualization platform controls VM access to virtual compute resources, allowing each VM to access only its own compute resources, ensuring data security.

Network isolation

Huawei Cloud uses Virtual Private Clouds (VPCs) to isolate data in the cloud. A VPC uses network isolation technologies to isolate users at Layer 3. Users can fully control how to build and configure their virtual networks.

Service isolation

By default, different VPCs cannot communicate with each other. This helps keep the data of different users isolated, which greatly reduces the risk of data leaks. In addition, you can configure security groups for different types of resources in your VPC. For example, you can isolate OBS resources and RDS instances by associating them with different security groups.

Secure data destruction

When you destroy data on the cloud, Huawei Cloud will delete the specified data and all its copies accordingly. After you confirm a data deletion, Huawei Cloud first deletes the index relationship between you and the data. Then, Huawei Cloud zeroes out the storage resources involved, such as memory and block storage space. This ensures that deleted data and related information cannot be restored or leaked after the storage resources are reallocated to other users.

Huawei Cloud also implements a comprehensive storage media disposal mechanism based on industry standards to ensure data security at the end of the data center media lifecycle. In compliance with the NIST Special Publication 800-88 guideline, data on the storage media that needs to be reused is overwritten with random numbers, or deleted after encryption. Storage media that does not need to be reused is degaussed or physically destroyed.

Access control

Huawei Cloud implements strict separation of duties (SoD) management. Only authorized personnel can access the production environment during the authorization period. Huawei Cloud also manages live network change activities in a standard manner.

Huawei Cloud uses role-based access control for O&M personnel and enforces the principle of least privilege (PoLP) to ensure that O&M personnel cannot access customer data without express authorization. O&M personnel access the O&M environment using two-factor authentication, and then log in to servers via the Cloud Bastion Host (CBH). CBH withdraws the server login credentials once the O&M tasks are complete and rotates them periodically. In this manner, Huawei Cloud prevents O&M personnel from obtaining credentials for any reason other than O&M.

Huawei Cloud has established a comprehensive centralized log audit system. All O&M operations performed by internal personnel are logged. Huawei Cloud regularly monitors and audits activities in the O&M process, and generates alarms for and terminates abnormal operations in a timely manner. Any violations of O&M regulations will be punished in accordance with relevant company regulations.

Encrypted transmission

If data is transmitted between servers or between clients and servers through public communications channels, Huawei Cloud protects the data in the following ways:

Virtual Private Network (VPN)

Huawei Cloud uses VPNs to establish communications tunnels between customers' legacy data centers and VPCs. With those tunnels, customers can use cloud servers and block storage resources provided by Huawei Cloud easily and securely. Customers can also migrate applications to the cloud and provision additional web servers at any time. In this way, a hybrid cloud architecture can be built while reducing the risk of leaking mission-critical data. Currently, Huawei Cloud uses IPsec VPN together with Internet Key Exchange (IKE) to encrypt the data transmission channels and ensure security.

Application layer TLS and certificate management

Huawei Cloud supports data transmission in REST and Highway modes. Both modes support encrypted transmission using the latest version of the Transport Layer Security (TLS) protocol, and website identity authentication using X.509 certificates.

Cloud Certificate Manager (CCM) provides one-stop lifecycle management for X.509 certificates provided by Huawei Cloud and world-renowned digital certificate authorities. You can use such certificates to authenticate identities and secure data transmission for websites.

Stable and reliable transmission

Huawei Cloud not only ensures the security of data transmission on the cloud, but also provides high-performance, high-reliability, and low-latency network transmission.

Huawei Cloud uses private lines provided by different carriers to provide disaster recovery. Your data center can be connected to different access points through different carriers' private lines. These lines are backups for each other to provide improved reliability. If a private line fails, or even the entire network of a carrier fails, traffic automatically fails over to another private line provided by another carrier, to ensure service continuity.

Homomorphic encryption

Huawei Cloud uses homomorphic encryption (HE) to encrypt data so that the encrypted data can be processed directly, without the processing party ever obtaining the unencrypted source.

You can encrypt sensitive data and then send the encrypted data to the cloud for processing and subsequently decrypt the results with a secret key. This improves the usability of data while still ensuring data security.

Multi-party computation

Based on Multi-Party Computation (MPC), Huawei Cloud can perform joint processing of multi-party data across organizations or industries while protecting the security of customers' private data. In this way, a mutual trust alliance can be established between multiple parties, enabling cross-organization and cross-industry multi-party data analysis and joint learning modeling. MPC enables multi-party data convergence analysis while always maintaining privacy protection, unleashing the value of data.
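The joint computation over private inputs described above, as an added example using additive secret sharing, the simplest MPC building block. This is illustrative code written for this page, not Huawei Cloud's MPC implementation; the field modulus and the party inputs are constructed demo values.

```python
import secrets

P = (1 << 61) - 1   # prime field modulus shared by all parties (constructed demo parameter)

def share(secret, n_parties):
    """Split secret into n_parties additive shares that sum to secret mod P.
    All but the last share are uniformly random, so any n-1 shares reveal nothing."""
    shares = [secrets.randbelow(P) for _ in range(n_parties - 1)]
    shares.append((secret - sum(shares)) % P)
    return shares

def reconstruct(shares):
    """Combine shares; values above P/2 are mapped back to negative integers."""
    value = sum(shares) % P
    return value - P if value > P // 2 else value

def joint_linear(private_inputs, weights):
    """Weighted sum of every party's private input with public integer weights.
    Party i shares its input; party j receives share j of every input, applies the
    public weights locally and opens only its partial result."""
    n = len(private_inputs)
    dealt = [share(x, n) for x in private_inputs]      # dealt[i][j] goes from party i to party j
    partials = [sum(weights[i] * dealt[i][j] for i in range(n)) % P for j in range(n)]
    return reconstruct(partials)

def joint_sum(private_inputs):
    """Plain sum across parties: all weights equal to 1."""
    return joint_linear(private_inputs, [1] * len(private_inputs))
```

Each party only ever sees random-looking shares of the others' inputs and the opened partial sums; the individual inputs are never reconstructed anywhere.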