By Syed Jawad Imam Jafri, Cyber Security and Privacy Officer (CSPO), Huawei South Africa – As a CSP (Cloud Service Platform), Huawei Cloud’s security responsibilities include ensuring the security of our IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS (Software as a Service) services, as well as the physical environments of the Huawei Cloud data centers on which our IaaS, PaaS, and SaaS services operate.

Huawei Cloud is responsible for not only the security functions and performance of our infrastructure, cloud services, and technologies, but also the overall cloud O&M security and, in an even broader sense, the security compliance of our infrastructure and services.

  • Since Huawei assumes the dual role of both a cloud technology manufacturer and a CSP, Huawei Cloud’s security responsibilities start from meeting our cloud security quality baseline requirements throughout the entire R&D (Research and Design) and O&M (Operation and Maintenance) lifecycles. On one hand, Huawei Cloud works to ensure the secure development, configuration, and deployment of our cloud products in order to operate our cloud infrastructure and services. On the other hand, as a CSP, Huawei Cloud is responsible for the O&M security of our cloud services, for instance, rapid security incident detection, isolation, and response in order to ensure fast recovery for our cloud services. At the same time, Huawei Cloud adopts a vulnerability management mechanism befitting cloud services to not only ensure prompt response to cloud service vulnerabilities but also support rapid release and continuous deployment of tenant-facing services. To support CSP O&M lifecycle management and avoid impact to tenant services, Huawei Cloud implements measures that not only continuously improve cloud products’ default security settings, but also front-load security patching to the development phase and simplify security patch deployment. Additionally, Huawei Cloud’s security responsibilities are also reflected in developing highly competitive value-added cloud security services for our tenants.
  • Of all aspects of O&M security, Huawei Cloud attaches the highest priority to infrastructure security and privacy protection. As a CSP, Huawei Cloud takes its responsibility to ensure our infrastructure security and the security of our IaaS, PaaS, and SaaS cloud services extremely seriously. Infrastructure consists primarily of the physical environment supporting cloud services, in-house-developed software and hardware, and the systems and facilities for the O&M of computing, storage, network, database, platform, application, IAM (Identity and Access Management), and advanced security services. In addition, for third-party security technologies or services with which Huawei Cloud supports in-depth integration, Huawei Cloud is responsible for the O&M security of those technologies and services when they operate within Huawei Cloud.
  • Huawei Cloud is responsible for supporting the secure configuration and version upkeep of our IaaS, PaaS, and SaaS cloud services.
  • With regard to tenant data, Huawei Cloud is responsible for providing comprehensive data protection functions to achieve confidentiality, integrity, availability, durability, authentication, authorization, and non-repudiation while also being responsible for the security of related functions. However, Huawei Cloud is merely the trustee of tenant data whereas a tenant retains sole ownership of its data and controls its data usage. Huawei Cloud prohibits any O&M personnel from accessing tenant data without proper authorization. For example, only at a tenant’s formal request and with access authorization by Huawei Cloud upper management in charge of security may certain O&M personnel access the tenant’s data for the purpose of providing technical support and troubleshooting service to that tenant.
  • Huawei Cloud pays close attention to changes in internal and industry security compliance requirements and is responsible for ensuring regulatory and industry compliance as required for Huawei Cloud services. Huawei Cloud shares our compliance practices with our tenants and conducts internal and independent evaluations on our compliance posture for security standards specific to the industries that Huawei Cloud serves, with evaluation results kept reasonably transparent to our tenants.
  • Huawei Cloud engages and relies on our business partners to provide tenants with cloud security consulting services and assist tenants in not only the security configuration of their virtual networks and virtual systems (including virtual hosts and guest virtual machines) as well as system- and DB-level security patch management, but also the configurations of virtual firewalls, API gateways, security incident response, disaster recovery, and advanced security services such as anti-DoS/DDoS (Distributed Denial of Service) protection.

Tenants of Huawei Cloud are responsible for security inside the IaaS, PaaS, and SaaS cloud services to which they subscribe, particularly the secure and effective management of the tenant-customized configurations of cloud services. This includes but is not limited to the security configurations to protect and securely operate virtual networks, virtual hosts and guest VMs (Virtual Machine), virtual firewalls, API gateways and advanced security services, all types of cloud services, tenant data, and identity and key management.

  • Tenant-specific security responsibilities are ultimately based on the Huawei Cloud services that a tenant subscribes to, with the tenant’s responsibilities tied to the specific default or customized security configurations that the tenant chooses to implement. With regard to each Huawei Cloud service, the tenant is solely responsible for the security configurations of all tenant-managed cloud service resources, whereas Huawei Cloud is only responsible for providing tenants with all the cloud resources, functional capabilities, and performance capabilities required for the execution of specific security tasks by the tenant.
  • The tenant is responsible for the security configurations that the tenant deems necessary inside any services that the tenant subscribes to, such as the security policy configurations of tenant-managed virtual firewalls, gateways, and advanced security services; the security configurations and management tasks (for example, software version and security patch management) for the tenant’s virtual networks, virtual hosts, and guest VMs; and the security configurations of platform-level services such as container security management and Big Data analytics. The tenant is also responsible for the security management of any application software, service or utility that it deploys and operates on Huawei Cloud.
  • When configuring cloud services, the tenant is responsible for conducting adequate pre-production testing of security configurations in order to prevent adverse effects on their applications and to minimize business impact. For the security of the majority of cloud services, the tenant needs to configure only accounts and grant them the necessary permissions to access resources, and to properly manage account credentials. A small number of cloud services require executing other tasks in order to achieve the desired security outcomes. Taking the database service as an example, while Huawei Cloud ensures the overall security of the service, the tenant must set up user accounts and access control rules. In addition, because monitoring and management services as well as advanced security services boast numerous security configurations, tenants may seek technical support and professional service from Huawei Cloud and our partners to ensure optimal security.
  • The tenant always owns and has full control of its data no matter which Huawei Cloud service it subscribes to. The tenant is responsible for the security configurations that are necessary to ensure its data confidentiality, integrity, and availability, as well as identity authentication and authorization for data access. Because Identity and Access Management (IAM) and Key Management Service (KMS) are the most critical link to tenant data security, the tenant is responsible for properly managing its own service accounts, passwords, and keys, and for adhering to industry best security practices for password and key creation, reset, and renewal when using IAM and KMS. The tenant is also responsible for setting up individual user accounts and multi-factor authentication (MFA), using secure data transfer protocols as per industry standards for communication with Huawei Cloud resources, and enabling account activity logging for monitoring and audit purposes.
  • The tenant is solely responsible for the regulatory and industry security compliance of any application and service that the tenant deploys and operates on Huawei Cloud that is not part of Huawei Cloud’s service offerings. Accordingly, the tenant is responsible for the evaluation of its compliance with security standards specific to the industry or industries that it serves.