01 Huawei Cloud Stack Cloud Security Service Overview

The document provides an overview of Huawei Cloud Stack's security services, highlighting the importance of data security in cloud environments due to increasing data leakage incidents. It outlines the challenges faced in cloud security, including the need for specialized technologies and the complexity of managing security policies. The document also discusses Huawei's security solutions, compliance certifications, and a shared responsibility model for security management between Huawei and its customers.

Uploaded by

Geraldo Werneck
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
20 views54 pages

01 Huawei Cloud Stack Cloud Security Service Overview

The document provides an overview of Huawei Cloud Stack's security services, highlighting the importance of data security in cloud environments due to increasing data leakage incidents. It outlines the challenges faced in cloud security, including the need for specialized technologies and the complexity of managing security policies. The document also discusses Huawei's security solutions, compliance certifications, and a shared responsibility model for security management between Huawei and its customers.

Uploaded by

Geraldo Werneck
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 54

Huawei Cloud Stack

Cloud Security Service Overview


Foreword
⚫ In recent years, data leakage has occurred frequently, and cloud security faces severe challenges, especially in the data security and platform security fields. Countries, regions, and organizations attach importance to data security, and platforms and users are working together to build security capabilities.
⚫ Why choose a private cloud? A private cloud can help reduce costs, save time, or reduce workloads, but its greatest benefit is data asset security:
    Hackers cannot obtain data.
    Unauthorized personnel cannot obtain data.
    Cloud service providers/O&M personnel cannot obtain data.
⚫ The key is to ensure data confidentiality, integrity, and availability.

2 Huawei Confidential
Objectives
Upon completion of this course, you will understand:
 Cloud security status
 Major cloud security requirements
 Cloud security solution framework
 Cloud security solutions
 SECaaS product architecture
 Security solution product list

Contents
1. Cloud Security Requirement Analysis

2. Huawei Cloud Stack Security Solutions

3. Huawei Cloud Stack Security Deployment Cases and FAQs

Cloud Security Challenges (1)
• Cloud computing brings new challenges and changes to security. Conventional security technologies and experience cannot meet cloud security requirements; dedicated cloud security technologies and products are required.

Virtual resources
• Cloud resource pooling
• Security threats facing virtual resources

Blurred network borders
• Blurred network borders
• Difficult to detect virtual traffic
• Traditional security devices do not support virtual networks
Cloud Security Challenges (2)
Cloud-based security
• Traditional security devices do not work well in cloud environments
• Quick delivery of security capabilities
• Tenants' personalized security requirements

Escalated security threats
• APT attacks
• Zero-day vulnerabilities
• Unknown threat attacks

Complex security management
• Complex security policy deployment
• A large number of security events, a high percentage of false alarms, and time-consuming O&M
• Lack of effective analysis methods
IaaS Security Challenges
[Figure: Company A, Company B, and Company C each running traditional hardware security products in their own data centers, annotated with the questions ③ to ⑤ below]

Traditional hardware products: firewall, unified threat management, security gateway, HIDS, log audit, Anti-DDoS, IPS, data encryption, traffic audit, online behavior management, secure access gateway, antivirus gateway, WAF, others...

③ Where are the borders? (public cloud, private cloud, traditional DCs, hybrid cloud)
④ Cloud scenarios are not supported. Hypervisor security directly affects the security of all VMs (sharing & isolation).
⑤ How can security capabilities be adapted to cloud-based data centers?
EI Security Challenges
Security risks throughout the data lifecycle ②

Phase risks (collection, transmission, storage, use, sharing, destruction):
• Collection: data forgery, illegal collection
• Transmission: data tampering, channel attack
• Storage: unauthorized access
• Use: insufficient access control
• Sharing: data leakage during sharing and exchange
• Destruction: illegal data restoration
• Also listed in the figure for the storage, use, and sharing phases: data masking risk, access permission risk, API attack, lack of audit

Common risks:
• Sensitive information leakage (including personal privacy information leakage)
• Massive data leakage
• Data abuse

EI platform risks: incorrect configuration, component vulnerability, network threat, malicious code

Cloud platform risks: virtualization threat, server threat, network threat, application threat, data threat, management threat
Severe Data Security Issues
Data is aggregated on the cloud, and data leakage and abuse frequently take place.

Cloud platform users pay more attention to data security
[Chart: concerns of companies migrated to the cloud and companies not migrated to the cloud: concerns about security and audit systems; lack of cloud migration knowledge and skills; difficulties in integration with the existing IT environment; cloud migration cost exceeding the budget; lack of professional solutions; difficulties in cloud service management; system speed; poor performance; government policies; other]
[Chart: expected benefits: better compliance; higher user security; more professional cloud security personnel; letting users have maximum control over their data; better disaster recovery and isolation measures; other; unknown]
Both cloud and non-cloud users are most concerned about cloud security. Data security is of the highest concern among all security issues. "Data breach" ranks No. 1 among the top 12 cloud security issues listed by the Cloud Security Alliance (CSA).

⚫ In December 2016, a large number of accounts and data of a cloud storage company were leaked.
⚫ In March 2017, 12 GB of user information (5 billion records) on a cloud was leaked.
⚫ In June 2017, information about more than 200 million voters stored on a cloud was leaked.
⚫ In March 2018, the data of more than 50 million users was leaked from company XX and was illegally used by an analyst company.

Governments and organizations take the lead in developing data security laws and regulations.
Chinese mainland:
⚫ The Cybersecurity Law and DJCP Multi-level Protection Scheme (MLPS) 2.0 emphasize data protection and set clear requirements on personal information protection.
⚫ The National Information Security Standardization Technical Committee released the Personal Information Security Specifications.
International:
⚫ The General Data Protection Regulation (GDPR) issued by the EU is the strictest data protection law in history.
⚫ So far, nearly 90 countries/regions have enacted laws on personal information protection, which has become an international trend.
Building Data Security Capabilities
The platform and tenants jointly build multi-dimensional and in-depth data security capabilities.

[Figure: tenant data security and platform data security. Capability areas: audit, masking, access control, encryption, application security, database security, privacy protection, full-stack encryption, trusted computing. Third-party cooperation: Cloud HSM, KMS, firewall, audit... Huawei-built: encryption/masking, data discovery, classification, DLP... Platform: volume encryption, image encryption, transmission encryption, TPCM...]

Build a data security protection system to enhance data security capabilities.
In addition to traditional multi-copy storage, data disaster recovery and backup, and management technologies, cloud platform vendors enhance the following:
⚫ Encryption: confidentiality and integrity
⚫ Access control: data classification and fine-grained IAM
⚫ Masking: dynamic and static
⚫ Audit: database audit and more

Data security and enhanced trust are critical for cloud platforms.
• Peer vendors have released data security white papers.
• Build a data security maturity model based on the data lifecycle.
Cloud Controls Matrix
• The CSA Cloud Controls Matrix (CCM) is a cybersecurity control framework for cloud computing. The figure groups its control domains under governance, design & development, operations and maintenance, human resources, and supply chain management:

• Governance & Risk Management
• Audit Assurance & Compliance
• Human Resources Security
• Identity & Access Management
• Threat & Vulnerability Management
• Change Control and Configuration Management
• Cryptography, Encryption and Key Management
• Application & Interface Security
• Data Security & Information Lifecycle Management
• Datacenter Security
• Infrastructure & Virtualization Security
• Mobile Security
• Business Continuity Mgmt & Op Resilience
• Sec. Incident Mgmt, E-Disc & Cloud Forensics
• Interoperability & Portability
• Supply Chain Mgmt, Transparency & Accountability
Contents
1. Cloud Security Requirement Analysis

2. Huawei Cloud Stack Security Solutions


1. Cloud Security Solutions

2. Cloud Security Services

3. Professional Security Services

3. Huawei Cloud Stack Security Deployment Cases and FAQs

Huawei Cloud Comprehensive Security System
Authoritative certifications: 20+ Huawei-developed security services, sharing Huawei's security capabilities
Network security: 20+ years of security practices
• Huawei Cloud Security: Leader in IDC MarketScape: China Cloud Service Provider Security Capability 2020 Vendor Assessment
• Host Security Service (HSS): Leader in IDC MarketScape: China Endpoint Security Detection and Response Market 2020 Vendor Assessment
• Firewall: Challengers Quadrant in Global Network Firewall, Gartner
• Situation Awareness (SA): Leader in China Situational Awareness Solution Market, IDC

100+ global security & compliance certifications, helping 3,000+ customers quickly meet compliance requirements
Compliance & security: a large number of compliance certificates in service regions
• Compliance certification: first ISO 27799 certification (healthcare) in the world; the first PCI 3DS certification (finance); first in China to obtain the NIST CSF certification (security); first in the world to pass all five SOC 2 Type 2 audits; world's first ISO/IEC 27034 and CSA STAR V4 gold certification
• Security white papers: participated in the development of multiple industry cloud security standards and released 30+ security compliance white papers

Hundreds of billions of attacks blocked per year, high platform reliability and availability
Load security: professional security O&M team with hundreds of engineers
• Security operations: 24/7 security assurance, auto-response to 99% of security events
• Assurance platform: hundreds of billions of attacks, including tens of thousands of large DDoS attacks, are blocked in a year. Vulnerabilities all over the world can be monitored.

Adhering to data neutrality, protecting customer data throughout the lifecycle
Data security: visible, controllable, and traceable data
• Security R&D: 387 built-in competitive security features, millions of automatic code security reviews and privacy scans for cloud services per year
• One-click encryption: data security of 40+ cloud services assured by encryption
Huawei Cloud Stack Shared Security Responsibility Model
[Figure: layered responsibility model, with Huawei Cloud Stack on one side and the customer on the other]
• Application layer: customer-built application systems (customer)
• EI layer: Huawei Cloud Stack EI services, i.e. AI services and big data services (Huawei); customer-built EI services (customer)
• PaaS layer: Huawei Cloud Stack platform services (Huawei); customer-built platform services (customer)
• IaaS layer: compute, storage, database, and network services (Huawei)
• Infrastructure layer: cloud platform (Huawei); physical infrastructure (customer)
• The Huawei Cloud Stack O&M platform and Huawei Cloud Stack security O&M span all layers.

Legend
• Blue: Customer responsibility (for security of physical infrastructure and cloud service use)
• Green: Huawei responsibility (for intrinsic security of Huawei Cloud Stack and cloud services)
• Orange: Customer responsibility (customers can purchase security O&M services provided by Huawei Cloud Stack from Huawei to defend against external attacks and meet compliance requirements)
Huawei Cloud Stack Platform Security
Security Solution Capability

New 1+7 Security Architecture for Intelligent Security Operations and Systematic Security Construction

1 center: intelligent security operations (SecMaster)
• 100+ automated playbooks, 200+ types of security data, and 6 types of AI algorithms
• Automatic response to 99% of events in minutes, real-time situational awareness, and threat detection & response
• Log analysis engine and response policy management

7 lines of defense
1. Physical: physical isolation, CCTV access control
2. Identity authentication: IAM, account permissions, certificate management
3. Network: CFW, Anti-DDoS, microsegmentation, intrusion detection
4. Application: WAF, vulnerability fixing, penetration testing, hot patch
5. Server: HSS, host and container intrusion detection, system security hardening, host isolation, configuration hardening
6. Data: data security governance, database audit, backup and DR
7. O&M: O&M security, CBH for O&M audit, security O&M monitoring, change process management
Also shown across the lines of defense: cross-DC disaster recovery, systematic management, full-lifecycle security, tool-based & automated O&M, and security engineering.

Full-coverage data security
• The solution covers three key scenarios: storage, databases, and data lakes.
• Encryption, audit, classification, and data watermarking are supported for MRS, DWS, GaussDB, RDS, EVS, and OBS.

Proven security operations in the industry
• 30+ years of security experience
• Over 200 security data sources can be connected to SecMaster, and 99% of events can be automatically responded to.
• Professional services, such as security check and hardening, cloud security assessment, and compliance assessment assistant, are provided to enable full-lifecycle security engineering capabilities that cover assessment, health check, configuration, and hardening.
Huawei Cloud Stack Security Framework: Helps with Security, Compliance, Construction, and Operations Based on Its Trustworthiness, Security Capabilities, and Professional Services

Security solution
• Standardized security operations: SecMaster + management system + disaster recovery and backup
• Systematic security compliance: regulatory compliance assistance + data security
• Practical security construction: one center + seven lines of defense

Cloud security capabilities
Security technology system
• Secure communications network: access control, border isolation, network traffic audit, security zone border, web application protection, intrusion prevention, network antivirus system
• Secure compute environment: server security, container security, anti-tampering, vulnerability discovery, log audit, database audit, two-factor authentication, O&M audit, security monitoring, browsers supporting SSL-secured connections, UKey, IPsec, SM series algorithms, password security
• Security management center: security management, situational awareness, security assessment, intelligent security analysis
• Cloud platform cryptography system: cloud platform certificate issuance, key management, encryptor
• Data security construction: sensitive data identification, data classification, data masking, data watermarking, access control, data encryption, data audit, data backup, data asset management, data security governance, ...
Security operations (security management system): security analysis, equipment room environment, manual response, asset/personnel, vulnerability and risk, security incident handling, network and system, baseline check, malicious code defense, emergency response, configuration changes

Cloud platform trustworthiness: security, resilience, reliability, availability, privacy, security compliance, transparency
Trustworthy cloud (basic)
End-to-end Data Security Solution

Building an end-to-end data security solution based on the DSC service

DSC
• Identification: sensitive data distribution, data asset map, security configuration view, data egress overview
• Protection: permission policy suggestion, protection policy suggestion, data protection workflow, permission modification workflow
• Detection: abnormal behavior detection, data access audit, data risk alarm, data leakage source tracing
SecMaster

Security products and functions
• Cloud management: EIP, APIG, WAF, DEW, CBR, CCM, ROMA, data lake, production database, test database, API access audit, database audit, IAM, OBS, SFS, EVS, privacy-preserving computation, gateway, network leakage prevention, email leakage prevention
• Device and edge: CBH, HSS, office device, O&M terminal, R&D device, IoT Edge IEF, dedicated HSM, database audit, device leakage prevention

Professional services: risk evaluation, data security operations, system construction, data security evaluation
SecMaster: Safeguarding Enterprise Cloud Services with Huawei's 30+ Years of Experience

Customers: government cloud, industry, NAs, SMB

① Managed Detection Response (MDR): daily operations support | key event assurance | protection drills | security assessment | system hardening
② Operations report

Visible protection: situational awareness, large screen
Huawei experience: threat operations
• Asset management: asset counting, asset data connections, asset operation connections
• Risk prevention: baseline compliance, vulnerability management, protection policies
• Threats + intelligence: alerts and incidents reporting, attack chain tracing, threat intelligence, threat detection models, response playbooks, threat hunting analysis
Flexible integrations: workspaces; SIEM (data integrations, model building); SOAR (playbook orchestration, service integrations)

Cloud services: OBS | IAM | DNS | APIG...
Security services: HSS | WAF | CFW | DBSS...
Reuse and management of legacy DCs: asset mapping | traffic probes | service integrations...
Huawei Cloud Stack Platform Security: Meeting Regulatory Compliance Requirements

[Figure: deployment topology of platform security services across the production region and the remote DR region. Region border: egress PE, egress switch, optical splitter/TAP, traffic splitter, mirrored traffic forwarding, Anti-DDoS engine (PM), NDR engine (PM, also for the non-connection scenario). Cloud management zone (cloud platform security services): SecMaster, Anti-DDoS management, NDR management, TSC engine, PBH, IPsec VPN, two-factor authentication platform, vulnerability scan, encryptor, management service firewall, O&M firewall, air gap (government scenarios), platform KMS, WAF, platform database audit, honeypot, CSP servers. Technical support center connected with Layer 3 reachability; persistent connection scenario with independent resource deployment. Core switch, cloud service management VMs, compute resource pool with VPCs and VDC tenant VMs, DB pool, unified backup, CSP nodes, DBAS.]

Cloud platform infrastructure security (system hardening, VM isolation, and API security)
Huawei Cloud Stack Platform Security: Meeting Regulatory Compliance Requirements (Continued)

Category | Product/Service | Function Description | Remarks
Secure communications network | Management firewall | Controls access to the management plane through the border firewall. | None
Secure communications network | O&M firewall | Provides IPsec VPN and client certificate authentication capabilities, supports identity authentication of O&M terminals, and establishes secure connections with the remote TSC. | None
Secure communications network | Air gap | Network isolation can be integrated with security to meet government customers' requirements. | None
Secure region border | Anti-DDoS | Defends against DDoS attacks from the Internet, including detecting and intercepting devices and a management center. This service is recommended when there is an Internet egress in the service system. | New service
Secure region border | NDR | Checks egress traffic (including the management plane) for web attacks. Analyzes traffic, decodes traffic content, and analyzes high-risk behavior to detect possible data leakage. | New service
Secure region border | Egress switch, optical splitter, traffic splitter | Splits egress traffic and distributes it to security services for analysis and threat detection. Egress switches are deployed at the egress border for optical splitting and traffic splitting and work with Anti-DDoS and NDR for border access control and network attack blocking. | None
Secure compute environment | Cloud platform WAF | Provides application-layer protection for the cloud platform API Gateway and console. | New service
Secure compute environment | Host Security Service (HSS) | Provides security capabilities for servers on the management plane, including intrusion prevention, malicious code interception, and VM escape detection. | None
Secure compute environment | Vulnerability scanning | Identifies vulnerabilities and all assets. | None
Secure compute environment | Database audit | Uses audit logs of the management plane for tracing security issues. | New service
Secure compute environment | Key Management Service (KMS) | Provides key creation and management capabilities for the cloud platform to protect encrypted data security. | None
Secure compute environment | OS two-factor authentication | Supports two-factor authentication for logging in to the host OS on the management plane. | Supported in the new version
Secure compute environment | Honeypot | A honeypot is used to trick attackers into thinking they are hacking real servers and then capture intrusion attempts, stop further attacks, and discover unknown threats. | New product
Secure compute environment | Huawei Cloud Stack Disaster Recovery | Huawei Cloud Stack has a remote disaster recovery region to implement real-time disaster recovery switchovers. | None
Secure compute environment | Unified backup | Leverages the unified backup capability in ManageOne to back up management data centrally. | None
Secure compute environment | Basic platform security | Provides built-in platform functions, such as system hardening, VM isolation, and API security. | None
Secure management center | Cloud Bastion Host (CBH) | Provides a unified access portal for standardized management of O&M operations, including managing privileged accounts, auditing O&M operations, and intercepting invalid names of hosts and network devices. Supports MFA for login. | None
Secure management center | SecMaster | Collects and manages cloud service, network, and host logs in a centralized manner, analyzes and detects network attacks, monitors and generates alarms for security events, and responds to and handles the events. | None
Huawei Cloud Stack Basic Services and Operations/O&M Security

[Figure: operations security (VDC tenant isolation, user authentication management, process management); O&M security (administrator permissions, unified certificate and password management, operation/run logs, role permission definition, audit operation logs, project/product management); IaaS services (compute: VM security hardening, image security, server HA; storage: encrypted storage, access control and authentication, data backup; network: VPC, network ACL, security group, VPN, VPCEP); intrinsic security (cloud service authentication, HTTPS transmission encryption, API security, security log; host and virtualization security: resource isolation, image security, MAC/ARP security, DHCP security, security logs, hot patch; host with secure OS)]

① Intrinsic security capability
• The virtualization kernel provides basic security functions, such as resource isolation, image security, and MAC/ARP anti-spoofing.
• The platform provides security capabilities such as authentication, SSL encryption between access, and API call control.
② Basic service security
• Compute services: HA capabilities such as VM security hardening, image access permission control, and VHA.
• Network services: VPC network isolation, network ACLs, security groups, and secure access channels such as VPNs and VPCEPs.
• Storage services: security capabilities such as storage encryption, access authentication, and data backup.
③ O&M security
• Operations: tenant plane isolation, authentication, and processes
• O&M: role-based permissions, unified management of certificates and passwords, analysis of operations logs and audit logs
• Management: permission roles for VDCs, projects, and products, and user operation log audits
Huawei Cloud Stack Security Solution Platform Security Capability

CCE Cloud Native (Container) Security Capabilities

[Figure: build security, deployment security, and runtime security stages of the container lifecycle, numbered ① to ⑨]
• Build security: security practice guide, image signature, image repository authentication and authorization, image scan, user upload and build, IAM, security image policy, audit logs, event monitoring + source tracing
• Deployment security: authentication on the Kubernetes master node, RBAC, PSP, basic security policy management, cluster audit, data encryption, IaaS services
• Runtime security: node (app, guest OS, Docker/Kata, hardening OS, TPM/TEE), container network firewall, node firewall, storage and public storage, security services (KMS, certificate service, container security, and data encryption), border firewall, network isolation, security container, escape detection, VPC isolation
ROMA Application Integration Security Capabilities

[Figure: ROMA 2.0 architecture with security points ① to ④]
• Industry applications (enabling partners and developing industry suites): smart campus, smart city, taxation, electric power, XXX industry
• Asset and operations center (ROMA Exchange): API, application, integration, data assets, and more; registration, release, review, publish, subscription, provisioning, deployment, metering, operations...
• Common Service Core (application enablement services): Blockchain Service (BCS), mobile app enablement, IDaaS...
• Application platform (ROMA 2.0): application full lifecycle management platform; ROMA Connect (application and data integration: APIC, FDI, MQS, Link) for integration and capability openness; ROMA Factory (application factory) for development, operations, and maintenance; AOM; cluster management, SWR, TRM, PSM
• ServiceStage: application scheduling and resource management (Kubernetes): resource management and scheduling, application management, container network, container storage, IaaS access
• Cloud-edge-device infrastructure: public cloud, hybrid cloud, edge cloud, devices; certificate
Intrinsic Security Capabilities of the EI Data Platform

① One center: centralized security management (unified authentication, unified authorization, unified audit, status monitoring, operation API)
② Three-layered protection
⚫ Infrastructure security
⚫ EI platform security
⚫ Data security
③ Six phases: full-lifecycle security protection across ingestion, transmission, storage, use, share, and destruction

[Figure: data security capabilities across the six phases: classification, sensitive data discovery, sensitive data masking, data verification, transmission encryption, VPN, whitelist, storage encryption, password security, key management, data backup, sensitive data audit, access control, identity authentication, data masking, data lineage analysis, data watermarking, API protection, DLP protection, data breach detection, tenant resource isolation, data destruction and clearing. EI platform security: system hardening, vulnerability management, malicious code defense. Cloud platform security (②): border security, virtualization security, networks, hosts, applications, management.]
Contents
1. Cloud Security Requirement Analysis

2. Huawei Cloud Stack Security Solutions


1. Cloud Security Solutions
2. Cloud Security Services

3. Professional Security Services

3. Huawei Cloud Stack Security Deployment Cases and FAQs

Full-link Security of Cloud Services Based on Cloud Native Security Capabilities

[Figure: external users (PC, mobile app) and R&D and O&M users reaching a Huawei Cloud Stack region protected by Anti-DDoS, NDR, EdgeFW/CFW, Web Application Firewall (WAF), Elastic IP Address (EIP), Elastic Load Balance (ELB), Cloud Bastion Host (CBH), and CFW between VPC1 and VPC2 with network ACLs, security groups, ECS and container groups with host security and container security, Elastic Volume Service (EVS), cloud database, cloud backup, data encryption, key management, database audit, and Data Security Center (DSC); security management layer with SecMaster, vulnerability scan, accounts audit, and Cloud Eye]

Suitable for the cloud native network environment
• Traditional security services cannot be deployed in VPCs and require complex configurations. Security services, such as WAF and CFW, can interconnect with network services, such as VPC, EIP, and Direct Connect.
Suitable for the cloud native computing environment
• Traditional security services are deployed separately from other services. HSS can interconnect with computing services such as ECS, BMS, and CCE to better protect them.
Suitable for the cloud native data environment
• Security services such as DSC, DBAS, and DEW seamlessly interconnect with data services such as OBS, RDS, and MRS, providing capabilities such as data governance, data encryption, and data audit. Data security capabilities are all delivered through a single platform.
Cloud Firewall 2.0 (Cloud Firewall for HCS, CFWforHCS): All-Scenario and All-Traffic Protection

Challenges
• Threat and risk detection: zombie, Trojan, and worm attacks; unauthorized connections from the internal to the external network; inter-VPC threat penetration
• Business elasticity: support for ultra-high traffic; adapted to tenant asset and VPC changes; service reliability
• Difficult to configure and use: complex manual protection; difficult to trace unauthorized external connections; complex problem locating operations

Customer benefits
• Cloud native: security capabilities in all scenarios that are updated in real time
• On-demand purchase, installation and deployment, costing 30% less
• O&M is more efficient, and O&M OPEX is reduced by 50%.

Service architecture
[Figure: north-south traffic detection between VPC 1 and VPC 2 through BR, CFW, SLB, ELB, and a firewall cluster (FW) in front of ECS instances]

Advantage
• Intelligent defense: the intrusion prevention engine detects and blocks malicious traffic in real time based on Huawei Cloud intelligence; protection for inbound traffic and outbound traffic
• High specifications: no upper limit on key performance and scalability; automatic synchronization of tenant assets; cluster deployment achieving high reliability
• Easy-to-use application: one-click provisioning, deployment within minutes; graphical web UI, simplified asset management, O&M management, and threat source tracing
Host Security Service (HSS): Protecting Cloud Servers Against Ransomware and Other Viruses

Challenges
• Malicious programs: more than 23.07 million malicious program samples captured
• Virus infection: about 4.46 million servers infected with viruses in China
• Vulnerabilities: 13,083 vulnerabilities recorded by CNVD (China National Vulnerability Database)
• Website tampering: about 34,000 tampered websites in China
Data source: Analysis Report on China's Internet Network Security Monitoring Data in the First Half of 2021 issued by the National Computer Network Emergency Response Technical Coordination Center

Service architecture
[Figure: HSS management platform spanning Huawei Cloud Stack, Huawei Cloud, and other clouds, with unified O&M and unified management, and agents deployed on each cloud server]

Customer benefits
• Anti-virus and anti-ransomware: engines + third-party intelligence library, virus detection, and AI-based ransomware behavior detection
• Vulnerability management: detection of 100,000+ vulnerabilities and one-click vulnerability fix
• Web Tamper Protection (WTP): static + dynamic WTP
• DJCP MLPS compliance: server intrusion detection, malware detection, vulnerability management, and DJCP MLPS compliance baseline check
Web Application Firewall (WAF): The Optimal Protection for Websites and Applications

Challenges
Web security is mandatory for regulatory compliance.
Cybersecurity Law
✓ Compliance requirements
✓ PCI-DSS certification
✓ Routine checks by government cybersecurity departments for website content moderation
✓ Security compliance requirements of the specific industry

75% of cyber security attacks are targeted at web applications.
High availability risk: explosive traffic attacks (DDoS, robots, common attacks)
High security risks: sophisticated attacks (business layer access control, logic flaw attacks, application model attacks, targeted attacks)

Are the following security issues bothering you too?
➢ High-risk zero-day vulnerabilities failed to be fixed in time, and your business system was attacked.
➢ Your service bandwidth was mysteriously used up, and normal requests could not be processed.
➢ Your business system is frequently subject to IP scans.
➢ Sensitive business data was accessed and stolen by bots.
➢ A large number of APIs are released every day, too many for all potential threats to be identified before the APIs are released.

Service architecture (diagram)
Threats filtered: injection and cross-site attacks, web shell upload attacks, server vulnerability attacks, CC attacks, and data breaches (source code leakage, directory leakage, ID card and mobile phone number, bank account number); normal traffic passes through.
WAF checks: API check (JSON and XML), injection attack check, cross-site attack check, web shell check, middleware vulnerability check, web page tampering detection, sensitive data scanning, OWASP threat security check, network-layer security check, access behavior check, IP address blacklist or whitelist, geographical location check, bot mitigation, custom CC attack protection rules, custom protection rules, payload content decoding, and intelligent parsing of multi-layer encoding.

Customer benefits
• WAF is a must-have for enterprises to comply with global regulatory standards, such as DJCP in China.
• WAF helps fix security vulnerabilities in workloads and defend against high-risk zero-day vulnerabilities within as little as 2 hours.
• WAF protects workloads from abnormal traffic attacks and ensures 24/7 stable service continuity.
• WAF mitigates security risks caused by botnets, such as credential stuffing attacks, brute-force attacks, data breaches, and bonus hunting behaviors.
• WAF identifies all the APIs, scans for vulnerabilities, and reports alarms when anomalies are discovered.
• With patented technologies, Huawei Cloud WAF can give the best security for websites.
Data Security Center (DSC): Cloud Native Data Security Management Platform

Challenges
• Frequent data breaches: data breaches cost increasing amounts of money year by year, with a global average of US$4.24 million in 2021.
• Punishment from regulators: improper collecting and processing of personal data may be punished by the regulators.
• Difficulties in tracing data leaks: data leaks cannot be accurately traced.

Customer benefits
• Precise identification and classification of data on the cloud
• Minimized data security risks
• Comprehensive data protection

Service Architecture (diagram)
Data sources: OBS, RDS, DWS, ECS, DLI
Data lifecycle under unified management: data storage, data use, data exchange, destruction
Capabilities: sensitive data detection (sensitive data identification, data security levels, data classification); privacy protection (data masking, data watermarking, data encryption); data risk management (risk identification, alarms, risk handling); data tracing

Competitiveness
• Visualization: intuitive data security status, distribution, and risks
• Lifecycle: you can manage data by levels and classifications, adjust encryption methods, and control data exchanges.
• Data tracing: both structured and unstructured data can be traced.
• Open capabilities: you can call DSC APIs to use our data security functions.
Data Encryption Workshop (DEW): Guarding Cloud Data Migration with Cloud-native Encryption Capabilities

Challenges
• Higher data breach risks: privacy data leakage has become the most serious security incident in recent years. About 85% of sensitive data leakage incidents are caused by insiders.
• High data breach cost: in 2021, the global average cost of a data breach is US$4.24 million, a year-on-year increase of nearly 10%, and the largest single-year cost growth in the past seven years.
• Legal compliance: the Cybersecurity Law, DJCP MLPS L3 standards, and DJCP MLPS L4 standards all require that critical data be encrypted for protection.

Customer benefits
• Secure and controllable: Dedicated HSMs comply with the State Cryptography Administration (SCA) or FIPS 140-2 L3 standards, ensuring data security and avoiding risks.
• Dedicated HSM, Hold Your Own Key (HYOK): customer keys are stored in Dedicated HSMs. KMS enables cloud services to encrypt resources. This mode is secure and convenient.
• Secure and reliable: keys and random numbers are generated by the third-party validated HSMs. Access to keys is controlled and all operations involving keys are traceable by logs, compliant with national and international laws and regulations.
• Wide integration: KMS is integrated with a range of cloud services. KMS manages the keys of these services and encrypts local data using the SDK.

Service architecture (diagram)
Many services are interconnected with KMS: computing (ECS, IMS, EVS, VBS, CSBS), storage (OBS, SFS), and database (SQL Server, PostgreSQL, MySQL, DDS, FACS, GACS). KMS provides encryption, decryption, signature, and verification on top of an HSM cluster.

Highlights
• Storage, big data, database, IoT
• Fully controlled by customer
• 3000 TPS KMS API invoking performance per customer; the API invoking performance of a single customer is four times that of competitors.
• Hardware and software compliant with CSA requirements
• Symmetric algorithm: SM1 and SM4; asymmetric algorithm: SM2; hash algorithm: SM3
Database Audit Service (DBAS): Cloud-native Database Audit System

Scenario & Pain points
• Laws and regulations: according to the Cybersecurity Law in China, organizations should adopt technical measures for monitoring and recording network operational statuses and cybersecurity incidents, and retain network logs for at least six months.
• Risks in cloud databases: the audit module of a database affects performance during running. Logs will probably be lost if the database system is faulty.

Core functions
• Fine-grained behavior audit: record and correlate access behaviors at the application and database layers.
• Security alarms: detect database risks and report alarms based on SQL command characteristics and risk levels.
• Multi-dimensional analysis: behaviors, sessions, statements
• Fine-grained reports: session behavior report, risk distribution report, compliance report

Service architecture (diagram): user requests + hacker attacks (injection attacks and unauthorized access) enter the VPC; agents on the user-built database on ECS/BMS forward traffic to the DBSS audit instance.

Competitiveness
• Easy deployment: the database audit service is easy to use, and is deployed in out-of-path mode to avoid risks caused by O&M misoperations.
• Efficient analysis: you can import tens of thousands of data records per second, store mass data, and process hundreds of millions of data records within seconds.
• Quick recognition: you can perform correlation audits for 99%+ applications, comprehensive SQL parsing, and accurate protocol analysis.
• Compliance with a range of standards: database audit complies with DJCP level 3, and with laws in and outside China, such as the cybersecurity law and SOX.
Network Detection Response (NDR)

Scenarios
① Threat visualization: visualizes cloud asset exposure to threats and risks.
② O&M management: detects abnormal traffic on the live network to enable the O&M team to respond quickly.
③ External connection control: detects and blocks suspicious external connections, and locates and isolates compromised hosts.
④ Micro-segmentation: protects north-south services.

Service architecture (diagram): Internet; ① north-south traffic mirroring; ② NDR detection engine (Aurora) with APT attack detection, third-party detection rules, application protocol identification, network attack detection, user behavior auditing, alarm response, third-party threat intelligence, collaboration, ATT&CK backtracking, audit, and API; ⑤ attack blocking; VPC: external service A and VPC: internal service B, each with ECSs. Legend: mirrored traffic, blocking traffic, alarms/logs.

Technical advantages
① Heavy traffic: NDR supports visualized detection and protection of up to 100 Gbit/s traffic.
② Multiple scenarios: NDR protects your network against 26 types of attacks, such as zombies, mining, CC, and brute force cracking.
③ High reliability: NDR is deployed out-of-path in dual-AZ active-active mode, which has zero impact on your services.
④ Strong team: the NDR team is a professional network security team that is continuously advancing with the technology development.
Anti-DDoS Service: Scrubbing DDoS Traffic and Ensuring Network Security

Application scenario
• The Anti-DDoS Service is applicable to all industries. It is widely used in industries such as finance, government, and transportation.
• The Anti-DDoS Service monitors the service traffic from the Internet to public IP addresses to detect attack traffic in real time.
Service architecture (diagram): Internet traffic passes through the Huawei Cloud Anti-DDoS Service, which consists of the Anti-DDoS scrubbing center and the management center.

Key Technologies and Specifications
Anti-DDoS helps users mitigate the following attacks:
• Web server attacks, such as SYN flood attacks, HTTP flood attacks, connection attacks, and reflection attacks
• Game attacks, such as User Datagram Protocol (UDP) flood attacks, SYN flood attacks, Transmission Control Protocol (TCP) attacks, and fragment attacks
• HTTPS server attacks, such as SSL DoS/DDoS attacks
Cloud Secret Management Service (CSMS): Secret Lifecycle Management Within the Cloud
Cloud Secret Management Service (CSMS) is a secure, reliable, and easy-to-use secret hosting service. Users or applications can use CSMS to create, retrieve, update, and delete secrets with ease, making it easier to centrally manage secrets throughout their lifecycle.

Scenarios
• Centralized secret management: CSMS can centrally store, retrieve, and use secrets (database passwords, OS passwords, API keys) throughout their lifecycles.
• Secure secret retrieval: with CSMS, secrets are retrieved through APIs instead of being hard-coded.
• Protected secret rotation: CSMS enables multi-version secret management so that applications can call CSMS APIs or SDKs to securely update secrets.

Key technologies and specifications
• Secret encryption: secrets are encrypted by KMS before storage (secret management uses a key in KMS to encrypt data on save and to decrypt it on retrieval). Encryption keys are generated and secured by Hardware Security Modules (HSMs) that are authenticated by third parties.
• Secret access control: Identity and Access Management (IAM) ensures only authorized users can retrieve and modify secrets. CTS monitors access to secrets.
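The lifecycle described on this slide (KMS-encrypted storage, versioned rotation, IAM-controlled retrieval, CTS-style audit) modelled in a small self-contained Python example. This is an added illustration, not CSMS or Huawei SDK code: the KMS stand-in, the action names (secret:create, secret:update, secret:get) and the sample secret name are hypothetical.

```python
"""Added illustration (not Huawei code) of the CSMS lifecycle described above:
secrets are wrapped by a KMS stand-in before storage, each update adds a version,
and every call is checked against an IAM-style policy and written to a
CTS-style audit trail. Action names such as secret:get are hypothetical."""
import hashlib
import os
from typing import Dict, List, Optional


class ToyKms:
    """KMS stand-in: the master key never leaves this object. SHA-256 in counter
    mode XORed with the data is a teaching substitute for an HSM-backed cipher."""

    def __init__(self) -> None:
        self._master = os.urandom(32)

    def _keystream(self, nonce: bytes, length: int) -> bytes:
        blocks = [hashlib.sha256(self._master + nonce + i.to_bytes(4, "big")).digest()
                  for i in range((length + 31) // 32)]
        return b"".join(blocks)[:length]

    def encrypt(self, plaintext: bytes) -> bytes:
        nonce = os.urandom(16)  # fresh per call, so equal secrets differ at rest
        ks = self._keystream(nonce, len(plaintext))
        return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))

    def decrypt(self, blob: bytes) -> bytes:
        nonce, ct = blob[:16], blob[16:]
        return bytes(c ^ k for c, k in zip(ct, self._keystream(nonce, len(ct))))


class SecretStore:
    def __init__(self, kms: ToyKms, policy: Dict[str, set]) -> None:
        self.kms = kms
        self.policy = policy  # principal -> allowed actions (IAM-style)
        self.versions: Dict[str, List[bytes]] = {}  # ciphertext only, oldest first
        self.audit: list = []  # (principal, action, secret, decision), CTS-style

    def _authorize(self, principal: str, action: str, name: str) -> None:
        allowed = action in self.policy.get(principal, set())
        self.audit.append((principal, action, name, "ALLOW" if allowed else "DENY"))
        if not allowed:
            raise PermissionError(f"{principal} may not {action} {name}")

    def put(self, principal: str, name: str, value: str) -> int:
        """Create the secret or rotate it; returns the new 1-based version number."""
        action = "secret:update" if name in self.versions else "secret:create"
        self._authorize(principal, action, name)
        self.versions.setdefault(name, []).append(self.kms.encrypt(value.encode()))
        return len(self.versions[name])

    def get(self, principal: str, name: str, version: Optional[int] = None) -> str:
        """Latest version by default; older versions stay readable during cutover."""
        self._authorize(principal, "secret:get", name)
        blobs = self.versions[name]
        blob = blobs[-1] if version is None else blobs[version - 1]
        return self.kms.decrypt(blob).decode()


def demo() -> dict:
    name = "prod/db/password"  # constructed sample secret name
    store = SecretStore(ToyKms(), {"app-server": {"secret:get"},
                                   "dba": {"secret:create", "secret:update", "secret:get"}})
    store.put("dba", name, "Old-Pa55w0rd")
    latest = store.put("dba", name, "New-Pa55w0rd")  # rotation keeps version 1
    try:
        store.put("app-server", name, "evil")  # read-only principal: denied and logged
    except PermissionError:
        pass
    return {
        "latest_version": latest,
        "current": store.get("app-server", name),
        "previous": store.get("app-server", name, version=1),
        "update_denied": store.audit[2][3] == "DENY",
        "plaintext_at_rest": b"Pa55w0rd" in store.versions[name][-1],
    }
```

The application principal never sees the master key and never holds the password in its own configuration; the denied update is what an operator would expect to find in the CTS trace.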
Cloud Bastion Host (CBH): Enabling Remote O&M Anytime, Anywhere
Cloud Bastion Host (CBH) helps with fine-grained management of users, resource accounts, and access processes by establishing one-on-one mappings between administrator accounts and resource accounts. It helps establish a security management system that features pre-event planning, in-event control, and post-event audit, reducing the risks of data leakage and IT accidents caused by internal threats.
Platform Bastion Host (PBH) provides the same functions as CBH does. PBH is used for the Huawei Cloud Stack solution and deployed on the management plane.

Core functions overview
User management
✓ User management
✓ Role management
✓ MFA
✓ Access policies
Resource management
✓ Password hosting
✓ Password rules
✓ O&M authorization
✓ Application release
Access control
✓ Single sign-on
✓ Command interception
✓ Two-level authorization
✓ Service ticket management
Operation audit
✓ Real-time monitoring
✓ Operation recordings
✓ Command audit
✓ Reports and analysis

Service architecture (diagram): common users, system administrators, third-party O&M personnel, and temporary users log in with MFA to user accounts 1 to 4; access control, authorization, and permissions map each user account to resource accounts A to E on servers, databases, application release, cloud servers, and network devices; operations are recorded and audited. Pre-event planning, in-event control, post-event audit.

Competitiveness
• Support for H5 O&M using a web browser: CBH makes it possible for users to perform O&M anytime, anywhere, on any device with a mainstream browser, without installing clients or plug-ins.
• CBH gives you the ability to use a single point of entry to manage different application resources, such as databases, web applications, and client programs. It also supports OCR-based O&M audit, enabling you to convert graphical operations into text files for audit.
• Abundant permission control: you can set strict access permissions for resources such as ECSs to ensure that only authorized users can gain access.
Contents
1. Cloud Security Requirement Analysis

2. Huawei Cloud Stack Security Solutions


1. Cloud Security Solutions

2. Cloud Security Services


3. Professional Security Services

3. Huawei Cloud Stack Security Deployment Cases and FAQs

Huawei Cloud Stack 8.2.1 Professional Security Services
1 Security assistant and assessment
• DJCP MLPS assistant and assessment: DJCP MLPS assistant, DJCP level 2 assessment service, DJCP level 3 assessment service
• Cryptography test assistant and assessment: cloud platform cryptography test assistant, platform password assessment service, tenant application cryptography test assistant, tenant password assessment service
• Cloud computing service security assessment: cloud computing service security assessment assistant

2 Security operations support
• Security auxiliary operation: solution design, security configuration, security hardening guide, security service deployment, security warning, vulnerability management, policy configuration change, website security assessment, security check, key event security assurance, protection drills, asset exposure evaluation, dedicated security detection, security solutions design, attack path detection, security hardening, drills, security risk evaluation, onsite attendance assurance, 24/7 attendance monitoring

3 Security training and consulting
• Security training: security & compliance training, security regulations training
• Data security consulting: data classification consulting, data security regulations consulting

4 Security technical support subscription
• Technical support for security services: WAF, HSS, database audit, CBH, ...
• Development support for security services: development support for SecMaster

5 Cloud security planning, design, and implementation
• Cloud security software planning, design, and implementation service (software): CFW, database audit, DSC, CBH, ...
• Cloud security integration service (hardware): DJCP MLPS/cryptography hardware
Professional Security Service - Security Assurance Service

Help companies and organizations monitor security risks and events, and take effective measures in a timely manner to continuously reduce security risks.

Service items: website security assessment, security configuration, vulnerability alerting, vulnerability management, security monitoring, security service deployment, security hardening guide, key event assurance, protection drills, DDoS mitigation, security assessment, security warning, security check and hardening, emergency response, device maintenance, host security assessment, policy change

Establish a security risk control system with management, technology, and O&M features for customers.

Based on Huawei Cloud security services: WAF, HSS, VSS, CBH, DBSS, SOC, CFW
Contents
1. Cloud Security Requirement Analysis

2. Huawei Cloud Stack Security Solutions

3. Huawei Cloud Stack Security Deployment Cases and FAQs

e-Government Cloud Technical Architecture Case (1)

e-Government cloud trend
◼ Cloud service procurement: Purchase more cloud services, improve cloud service procurement policies, and implement resource sharing and service collaboration.
◼ Network integration: Unify e-Government services, improve the extranet, integrate private networks, and promote data sharing.
◼ Data sharing: Promote data resource sharing and openness between government departments and external organizations and between government departments.

Objectives
The Shanghai Municipal Government expected to use e-Government cloud to integrate service applications, software, and hardware resources of different departments to meet the government's requirements for streamlining, optimization, coordination, and sharing.

Collaboration with Huawei
The XX municipal e-Government cloud project chose Huawei's full set of cloud platform software and hardware to build an active-active e-Government cloud. This project is the largest provincial e-Government cloud project in China and Huawei has been chosen for project integration. The project involved two other cloud service providers, XX Mobile and XX Telecom, and 4 data centers. Huawei provided professional services such as application cloudification evaluation and migration consulting, cloud platform planning, design, and implementation, security integration, DR integration, and ITO consulting. Huawei also provided a full series of software and hardware infrastructure, including ManageOne, FusionSphere, network products, SDN, high-end storage, servers, cloud DR, cloud backup, eSight, OceanStor DJ, and firewalls.
The value of this project exceeds 100 million yuan, and the involved cloud services are more than 10 million yuan.
e-Government Cloud Technical Architecture Case (2)
Security architecture by layer (diagram):
• Data layer: database audit, encrypted data storage, DR and backup solution
• Application layer: WAF, web tampering protection, web security scanning
• Host layer: host security hardening, antivirus software
• Virtualization layer: virtual firewall, VPC, VDC, security group, virtual resource isolation, cloud platform hardening
• Network layer: security exchange platform, firewall, Anti-DDoS, intrusion detection, VPN, network audit, antivirus gateway
Cross-layer capabilities: vulnerability management, configuration check, log audit, bastion host, two-factor authentication
Accompanying services: DJCP MLPS certification assistance service; DJCP MLPS security and compliance evaluation and hardening; cloud security hardening; security policy deployment
Ensuring Tenant Service Data Security from Multiple Dimensions
Layered view (diagram):
• Access layer: users reach the application over HTTPS/HTTP through WAF (2); VMs sit in security groups SG1 and SG2 inside VPC1, with a vRouter and vFW1 at the VPC border, all within VDC1.
• Application layer: the application is protected by WTP (5).
• Data layer: the database is audited by DBAS (1).
• Platform layer: VMs are protected by HSS (3), with resource isolation and system hardening; SSA (4) gives the VDC administrator situation awareness.
• Storage layer: DR and backup.
Isolation: VDCs isolate tenant resources. VPC and SG isolate the service network. vFW protects VPC borders.
Security service portfolio: 1 DBAS, 2 WAF, 3 HSS, 4 SSA, 5 WTP
Q&A
1. (True or false) HSS supports virus scanning and killing. ( )

Q&A
2. (Single-answer question) Which of the following security areas does SSA
belong to? ( )
A. Application security

B. Data security

C. Host security

D. Security management

E. Cyber security

Q&A
3. (Multiple-answer question) Which of the following functions are provided by
HSS of the current version? ( )
A. Antivirus

B. Host firewall

C. Intrusion prevention

D. Baseline inspection

Summary
⚫ In this section, we have learned the overall security architecture of Huawei
Cloud Stack cloud security services, functions and application scenarios of
different security services, and use cases of Huawei Cloud Stack.

Recommendations

• Huawei ICT academy

• http://www.ictxuetang.com

• Huawei iLearning

• https://e.huawei.com/en/talent/portal/#/

Acronyms and Abbreviations
• Anti-DDoS: Anti-Distributed Denial of Service

• AOM: Application Operations Management

• APM: Application Performance Management

• AS: Auto Scaling

• AV: Antivirus

• AZ: Availability Zone

• BMS: Bare Metal Server

• CBH: Cloud Bastion Host

Acronyms and Abbreviations
• CCE: Cloud Container Engine

• CFW: Cloud Fire Wall

• CSE: Cloud Service Engine

• DBAS: Database Audit Service

• DEW: Data Encryption Workshop

• DC: Direct Connect

• ECS: Elastic Cloud Server

• EdgeFW: Edge Fire Wall

• EIP: Elastic IP Address

Acronyms and Abbreviations
• ELB: Elastic Load Balancer

• EVS: Elastic Volume Service

• HSS: Host Security Service

• IAM: Identity and Access Management

• IMS: Image Management Service

• k8s: Kubernetes

• KMS: Key Management Service

• L2BR: Layer 2 Bridge

• NAT-GW: Network Address Translation - GateWay

Acronyms and Abbreviations
• OBS: Object Storage Service

• RPO: Recovery Point Objective

• RTO: Recovery Time Objective

• SFS: Scalable File Service

• SG: Security Group

• SIS: Security Index Service

• SSA: Security Situation Awareness

• SWR: Software Repository for Container

• VBS: Volume Backup Service

Acronyms and Abbreviations
• VFW: Virtual Firewall

• VIP: Virtual IP Address

• VPC: Virtual Private Cloud

• VPC-peering: VPC Peering

• VPN: Virtual Private Network

• VSS: Vulnerability Scan Service

• WAF: Web Application Firewall

Thank You
www.huawei.com
