HUAWEI CLOUD Security Services

Foreword

• This chapter introduces HUAWEI CLOUD security services.

1 Huawei Confidential
Objectives

On completion of this course, you will understand:

• Security concerns of in-cloud users and the security ecosystem
• The HUAWEI CLOUD security service system
• Concepts, functions, and application scenarios of HUAWEI CLOUD security services
• Principles and features of HUAWEI CLOUD security services

Contents

1. Basics of HUAWEI CLOUD Security Services

2. Overview of HUAWEI CLOUD Security Services

Security Concerns of In-cloud Users

CSA Top Threats:
• Data leaks
• Advanced persistent threats (APTs)
• Lack of identity, credential, and access management
• Data loss
• Insecure interfaces and application programming interfaces (APIs)
• Insufficient due diligence
• Abuse and malicious use of cloud services
• System vulnerabilities
• Denial of Service (DoS)
• Account hijacking
• Shared technical vulnerabilities
• Malicious insiders

Enterprises' Security Concerns for Migrating to the Cloud:
Service Continuity
• Cyberattack defense
• Anti-hacking
Controllable O&M
• Security policy configuration
• Risk identification
• Law compliance and quantification
• Operations auditable and traceable
Data Confidentiality
• Data theft prevention
• Access control of unauthorized employees
• Access control of cloud service providers

HUAWEI CLOUD - From "iceberg" to "inclusive security"
• When evaluating the security level of a cloud, enterprises usually focus on cloud security services and the security features of cloud services. If cloud security is likened to an iceberg, these are its visible part. The security capabilities below the waterline are often unknown, yet they bear the security of the entire public cloud.

HUAWEI CLOUD:

Capability 1: Security Compliance

Capability 2: Best Practices and Standardization

Capability 3: Security assurance and anytime response

Security Ecosystem

[Figure: the security ecosystem, shown as stacked layers]
Solutions: Cloud Industry Solutions (Government sector solution, Video industry solution, ……) and General Security Solutions (Security Compliance, ……)
Security marketplace: vNGFW, vWAF, SSL VPN, Micro-segmentation, Mobile security, ……
Security Services: Network security, Application security, Host security, Data security, Security management, ……
Ecosystem Basis: QUALYS, gemalto, ……
HUAWEI CLOUD Security Service System
With data security as its core, HUAWEI CLOUD builds a series of security services to meet specific security needs.

Security Risks and Solutions
• Application and host security - Prevention of Unauthorized Access: brute force attacks, malicious programs, webshells, unauthorized access, SQL injection, XSS
• Database security - Prevention of Unauthorized View: automatic data discovery, dynamic masking, precise audit, comprehensive defense
• Data encryption - Prevention of Unauthorized Transfer: third-party HSMs, key management, international standard algorithms, strong compliance

Security Services
• Data Security: Data Encryption Workshop, Database Security Service
• Host Security: Host Security Service
• Application Security: Web Application Firewall, Vulnerability Scan
• Network Security: Anti-DDoS, Advanced Anti-DDoS
HUAWEI CLOUD Security Service Family - Data Security

Service name: DEW
Description: Data Encryption Workshop (DEW) is a full-stack data encryption service. It covers Key Management Service (KMS), Key Pair Service (KPS), and Dedicated HSM. With DEW
Function:
• Key and key pair management: KMS is a secure, reliable, and easy-to-use service designed to manage and protect your keys. KPS is a secure, reliable, and easy-to-use service designed to manage and protect your key pairs.
• Dedicated HSM: It provides you with Dedicated HSM instances that are certified by China State Cryptography Administration (SCA).
Application scenario: Applicable to the public sector, Internet, e-commerce, transportation, manufacturing, medical care, and more industries
• Decrypting small-size data
• Encrypting large volumes of data
• Encrypting data in OBS/EVS/IMS/SFS/RDS
• Logging in to a Linux ECS
• Obtaining the password for logging in to a Windows ECS
• Encrypting your service system using dedicated HSM

Service name: DBSS
Description: Database Security Service (DBSS) is a smart database protection service built on reverse proxy and machine learning technologies.
Function:
• Database firewall: Role-based access control and minimum permission allocation
• Sensitive data discovery and masking
• Database audit: Monitors behavior, data, and performance exceptions. Records and stores local and remote logs. Provides real-time alarms.
Application scenario: Applicable to the finance, government, education, medical care, insurance, and gaming industries.
• Sensitive data leakage prevention

HUAWEI CLOUD Security Service Family - Host Security

Service name: HSS
Description: Host Security Service (HSS) reduces intrusion risks with such functions as intrusion detection, vulnerability management, baseline inspection, and asset management to enhance overall security for hosts.
Function: Account cracking protection, check for the password complexity policy and weak passwords, malicious program detection, remote login detection, key file change detection, open port detection, software vulnerability detection, account and software information management, web directory management, process information detection, webshell detection, and configuration detection
Application scenario: Applicable to governments and public institutions, gaming, P2P, healthcare, and more industries.
• Protects host security by means of pre-event prevention, during-event defense, and post-event detection.
HUAWEI CLOUD Security Service Family - Application Security

Service name: WAF
Description: Web Application Firewall (WAF) is designed to keep web services stable and secure.
Function:
• Web application attack protection: With preset powerful reputation databases, WAF defends against OWASP Top 10 threats, and detects and blocks malicious scanners, IP addresses, and webshells.
Application scenario:
• General protection: Data leakage prevention and web tamper protection
• Promotion at e-malls
• Zero-day vulnerabilities

Service name: VSS
Description: Vulnerability Scan Service (VSS) discovers security risks in your websites and servers. It also provides common vulnerability scan, vulnerability lifecycle management, and customized scanning.
Function:
• Full scan capabilities: Scans for website, host, and middleware vulnerabilities, as well as weak passwords.
• Critical vulnerability scan: Monitors the latest network vulnerabilities in real time to provide the fastest vulnerability scan.
• Periodic risk detection: Periodically detects security threats to your assets.
• Weak password scan: Scans standard web services, OSs, and databases for weak passwords.
Application scenario: Applicable to industries with vulnerability scanning requirements, such as government, finance, education, medical care, insurance, transportation, e-commerce, and gaming.
• Latest CVE vulnerability scan in one click
• Weak password scan
HUAWEI CLOUD Security Service Family - Network Security

Service name: Anti-DDoS
Description: Anti-DDoS is a traffic scrubbing service that protects resources, such as ECSs, Elastic Load Balance (ELB) instances, and Bare Metal Servers (BMSs), from network and application layer DDoS attacks.
Function:
• Anti-DDoS
• Provides monitoring records for a single elastic IP address (EIP).
• Provides interception reports for the protected EIP.
Application scenario:
• Website browsing: Websites are prone to DDoS attacks, which can ultimately cause them to crash. The Anti-DDoS service can withstand multi-layered (layers 4 to 7) attacks, which in turn improves the browsing experience.

Service name: AAD
Description: Based on anti-DDoS scrubbing devices and a big data operation platform, Advanced Anti-DDoS (AAD) is an advanced anti-DDoS service that hides and protects users' origin servers by traffic forwarding.
Function:
• Defends against massive DDoS attacks.
• Provides the function of configuring the forward protocol.
• Adds your domain name to AAD.
• Sets alarm notifications.
• Provides traffic protection, website protection, and security statistics for AAD lines (China Telecom, China Unicom, China Mobile, and BGP lines).
• Allows users to view defense reports of AAD lines.
Application scenario: Applicable to the gaming, finance, and e-commerce industries.
Purchase and Use of HUAWEI CLOUD Security Services

• Users purchase the services they want.
• Security services can be used independently or together.
• Cloud service operation logs can be queried on the CTS console.
• Alarms are sent by SMS or email.

Contents

1. Basics of HUAWEI CLOUD Security Services

2. Overview of HUAWEI CLOUD Security Services

Data Encryption Workshop (DEW)

[Figure: Dedicated HSM on HUAWEI CLOUD. Three tiers of tenant systems call the encryption API of an HSM backed by an encryption chip: e-Invoice, e-Contract, e-Policy and EMR verification on a virtual HSM; personal privacy data, public utilities and video data systems encrypting sensitive data on a virtual HSM; liquidation, financial and payment systems encrypting on an exclusive HSM.]

• High security: Only tenants can access and operate data.
• Exclusive chip encryption: Ensures high performance and concurrent processing, without delay.
• Compliance: Supports CSCA certified algorithms and FIPS140-2 certified Level 3 HSM protection.

Database Security Service (DBSS)

[Figure: three DBSS deployments in front of RDS and user-installed databases on ECS. Database firewall: authorized users' queries, modifications and deletions pass through DBSS, while attackers' unauthorized access is blocked. Sensitive data discovery and masking: an authorized user's non-masking query returns the real value (19900808), while a normal user's masking query returns xxxxxxxx. Database audit: every user operation passes through DBSS and is written to remote log storage.]

Database firewall
• Database intrusion prevention: Blocks SQL injection attacks in real time.
• Fine-grained access control: Role-based and minimized permission.
• Learning mode: A security mode generated from self-learning that can be applied to the firewall policy.

Sensitive data discovery and masking
• Automatic sensitive data discovery: Automatically detects sensitive data based on compliance requirements and generates masking rules with one click.
• Dynamic masking: Original data is not modified and columns of sensitive data are anonymized.
• Multiple masking rules: Email masking and character string masking.

Database audit
• Activity and exception monitoring: Manages activities at the column level, and monitors behavior, login, and access exceptions.
• Real-time alarm: Real-time alarm reporting on attacks such as SQL injection.
• Audit report: Near-immediate availability of compliance audit reports.

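To make the discovery-and-masking behaviour above concrete, here is an added Python example written for this page (not DBSS code): it flags sensitive columns with constructed rules, then applies email and character-string masking to a result set for unauthorized roles while the stored rows stay untouched, exactly as the slide's 19900808 / xxxxxxxx pair illustrates. The rule patterns, role names and sample table are assumptions.

```python
import re

# Constructed discovery rules (an assumption for this example, not DBSS's rule set):
# a column is flagged as sensitive when every non-empty value matches one pattern.
DISCOVERY_RULES = {
    "email": re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "birthdate": re.compile(r"^(19|20)\d{6}$"),   # e.g. 19900808, the value on the slide
    "id_number": re.compile(r"^\d{15,18}$"),
}

def discover_sensitive_columns(rows):
    """Automatic sensitive data discovery: returns {column name: rule name}."""
    if not rows:
        return {}
    found = {}
    for col in rows[0]:
        values = [r[col] for r in rows if r.get(col)]
        for rule, pattern in DISCOVERY_RULES.items():
            if values and all(pattern.match(v) for v in values):
                found[col] = rule
                break
    return found

def mask_email(value):
    """Email masking: keep the first character of the local part and the domain."""
    local, _, domain = value.partition("@")
    return local[:1] + "***@" + domain

def mask_string(value):
    """Character string masking: same length, every character replaced by x."""
    return "x" * len(value)

MASKERS = {"email": mask_email, "birthdate": mask_string, "id_number": mask_string}

def dynamic_mask(rows, role, sensitive, authorized_roles=("dba", "auditor")):
    """Proxy-side dynamic masking of one result set: authorized roles receive the
    real values, every other role receives masked copies; the stored rows are
    never modified (masking is applied on the way out, not in the database)."""
    if role in authorized_roles:
        return [dict(r) for r in rows]
    masked = []
    for r in rows:
        copy = dict(r)
        for col, rule in sensitive.items():
            if copy.get(col):
                copy[col] = MASKERS[rule](copy[col])
        masked.append(copy)
    return masked

# Constructed sample rows standing in for an RDS query result.
SAMPLE_ROWS = [
    {"name": "Alice", "email": "alice@example.com", "birthday": "19900808"},
    {"name": "Bob", "email": "bob@example.org", "birthday": "19851201"},
]
```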
Host Security Service (HSS)

[Figure: the HSS console (unified security management) works with an HSS agent on in-cloud and on-premises servers to provide security risk management, asset management, vulnerability management, security compliance, baseline inspection, intelligent intrusion detection, and intrusion detection.]

50000+ servers run properly at the same time, reducing attacks by 90%.

Web Application Firewall (WAF)

[Figure: (1) traffic for www.XX.com from users and attackers is routed to the HUAWEI CLOUD WAF protection engine cluster (North China, East China, South China, Hong Kong); (2) legitimate traffic is sent back to source, to a web server either off HUAWEI CLOUD or in a tenant VPC on HUAWEI CLOUD, while attack traffic is blocked.]

Technology Innovation
• Three-engine architecture: semantic, regular, and AI engines improve the threat detection rate by over 30%.
• Dynamic anti-crawler: Uses an industry-leading anti-crawler algorithm based on encryption technologies to effectively prevent data leakage.
• CC attack protection: Precisely blocks CC attacks based on the IP address, cookie field, and referer.

Reliability
• Remote disaster recovery in China: Ensures that services are not interrupted.
• Real-time monitoring: 24x7 monitoring by a professional operations team.
• Privacy protection: Prevents privacy leaks.

Easy to Use
• WAF requires no component installation and maintenance.
• The WAF console is designed in a user-friendly manner.
• Security experts are available to help with routine operations.

Vulnerability Scan Service (VSS)

Major function: Online vulnerability assessment
Description: Scanning for over 30 types of vulnerabilities, including but not limited to OWASP Top 10, web injection, file inclusion, configuration error, information disclosure, and backdoor implantation vulnerabilities.

Major function: Detection of service threats
Description: Detects threats to website services, including but not limited to sensitive information, unsolicited advertisements, malicious codes, and malicious links.

Major function: Baseline compliance check
Description: In compliance with governmental security requirements, discovers non-compliant items and generates professional reports.

Major function: Vulnerability report
Description: Generation of detailed reports viewable and downloadable online.

Major function: Critical CVE vulnerability scan
Description: Security experts analyze the latest critical vulnerabilities and update rules to provide the fastest and most complete CVE vulnerability scan.

• Intelligent scanning and service analysis
• Out-of-the-box
• Easy-to-use
• Real-time monitoring and dynamic frequency adjustment
• Custom scan settings
• Multi-scenario applicability
• Collaboration with other cloud security services to build a three-dimensional security system.

Anti-DDoS
Anti-DDoS is a highly reliable and secure DDoS protection service with on-demand and scalable features, ensuring the stable running of resources such as ECS, ELB, and BMS on HUAWEI CLOUD.

Architecture
[Figure: Internet traffic enters the data center through Anti-DDoS devices; the detection center receives detection data and, on detecting an attack, diverts traffic to the scrubbing center, which returns normal traffic (traffic retrieval) to the protected IP addresses 1 and 2 and discards abnormal traffic; unprotected traffic passes through unchanged.]
Anti-DDoS devices are deployed at network ingress and egress. The detection center inspects network access traffic based on user-configured security policies. If an attack is detected, the detection center diverts traffic to the scrubbing center to cleanse abnormal traffic, and then forwards normal traffic.

Attack types supported
1. Malformed and probe packet filtering
2. Defense against network transmission-based attacks: Effectively defends against attacks such as SYN, SYN-ACK, FIN, RST, UDP, ICMP Flood, and TCP connection exhaustion.
3. Application layer threat prevention: Effectively prevents attacks such as HTTP GET/POST Flood, CC, HTTP Slow Header/POST, and HTTPS Flood.

Attack scale supported
1. Free defense for 5 Gbit/s DDoS attacks
2. Attack defense response in seconds

Remarks: HUAWEI CLOUD continuously improves service performance according to customer requirements.

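As an added illustration of the detection-then-scrubbing flow described above (example code written for this page, not Huawei's), the Python below runs a constructed traffic window through the three stages the slide names: malformed-packet filtering, a per-EIP policy check in the detection center, and scrubbing that drops flooding sources while forwarding normal traffic. The policy format, the per-source limit and all addresses are assumptions.

```python
from collections import Counter, defaultdict

# Constructed per-EIP security policy (assumed format, not Anti-DDoS's real one):
# packets of one flood class per detection window above which the EIP is diverted.
POLICY = {"203.0.113.10": {"syn": 100, "udp": 200}, "203.0.113.20": {"syn": 50, "udp": 100}}
PER_SOURCE_LIMIT = 10  # assumed: flood-class packets one source may send per window

def is_malformed(pkt):
    """Step 1 on the slide: filter malformed/probe packets before any rate analysis."""
    if pkt["proto"] == "tcp" and {"SYN", "FIN"} <= pkt["flags"]:  # impossible flag combination
        return True
    return pkt["proto"] == "udp" and pkt["len"] == 0                # empty UDP datagram

def classify(pkt):
    """Flood class the policy is keyed on: a bare SYN, a UDP datagram, or anything else."""
    if pkt["proto"] == "tcp" and pkt["flags"] == {"SYN"}:
        return "syn"
    return "udp" if pkt["proto"] == "udp" else "other"

def detect(packets, policy=POLICY):
    """Detection center: count (EIP, class) over one window and compare with the policy.
    Returns {EIP: {flood classes}} that must be diverted to the scrubbing center."""
    counts = Counter((p["dst"], classify(p)) for p in packets if not is_malformed(p))
    diverted = defaultdict(set)
    for (dst, kind), n in counts.items():
        if n > policy.get(dst, {}).get(kind, float("inf")):
            diverted[dst].add(kind)
    return dict(diverted)

def scrub(packets, diverted):
    """Scrubbing center: drop malformed packets and, for diverted EIPs, every source that
    exceeds PER_SOURCE_LIMIT in the flood class; forward the remaining (normal) traffic."""
    per_source = Counter((p["dst"], classify(p), p["src"]) for p in packets)
    forwarded, dropped = [], 0
    for p in packets:
        kind = classify(p)
        flooding = kind in diverted.get(p["dst"], ()) and per_source[(p["dst"], kind, p["src"])] > PER_SOURCE_LIMIT
        if is_malformed(p) or flooding:
            dropped += 1
        else:
            forwarded.append(p)
    return forwarded, dropped

def sample_window():
    """Constructed traffic window: a SYN flood from three sources mixed with normal traffic."""
    def syn(src, dst):
        return {"proto": "tcp", "flags": {"SYN"}, "src": src, "dst": dst}
    pkts = [syn(f"198.51.100.{i}", "203.0.113.10") for i in (1, 2, 3) for _ in range(50)]
    pkts += [syn(f"192.0.2.{i}", "203.0.113.10") for i in range(5)]  # legitimate new connections
    pkts += [{"proto": "tcp", "flags": {"ACK"}, "src": "192.0.2.9", "dst": "203.0.113.10"}] * 20
    pkts += [{"proto": "udp", "len": 64, "src": "192.0.2.8", "dst": "203.0.113.20"}] * 10
    pkts += [{"proto": "tcp", "flags": {"SYN", "FIN"}, "src": "198.51.100.9", "dst": "203.0.113.20"},
             {"proto": "udp", "len": 0, "src": "198.51.100.9", "dst": "203.0.113.20"}]
    return pkts
```

Running `scrub(sample_window(), detect(sample_window()))` forwards the 5 legitimate SYNs, the ACKs and the UDP traffic and drops the 150 flood packets plus the 2 malformed ones.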
Advanced Anti-DDoS (AAD)
AAD is a value-added service to protect Internet servers (both HUAWEI CLOUD and other hosts) against bandwidth-consuming DDoS attacks. It diverts attack traffic to high-defense IP addresses for scrubbing, keeping your businesses stable and reliable.

[Figure: client, DNS service, high-defense data center (high-defense IP address) and protected origin server. Connection to AAD is by domain name access or by IP address access.]
Before AAD: www.example.com = Origin server IP address; the client accesses the origin server IP address directly.
After AAD: www.example.com = High-defense CNAME; the client accesses the high-defense IP address, which forwards to the origin server IP address.

1. Change the DNS or service IP address.
2. Traffic is diverted to the high-defense center.
3. Service traffic is retrieved to the origin server.
Quiz

1. Which of the following security services can be used to protect websites? (Multi-choice)
A. WAF
B. VSS
C. SCM
D. Anti-DDoS

Summary

• Describes HUAWEI CLOUD security services.
• Explains the concepts, functions, application scenarios, and principles of these security services.
• Presents what users need to know before purchasing and using the services.

Recommendations

• HUAWEI CLOUD website: https://intl.huaweicloud.com/
• HUAWEI CLOUD Help Center: https://support-intl.huaweicloud.com

Thank you.
Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2020 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
Revision Record (Do Not Print this Page)

Course Code:   Product: HUAWEI Cloud   Product Version:   Course Version: V2.2
Author/ID: weihuanjie   Date: 2020.7   Reviewer/ID: wentao 00490186   New/Update: update
