Comprehensive and unified security policies
The centralized management of computing resources makes it easier to deploy perimeter protection. Comprehensive security management measures, such as security policies, unified data management, security patch management, and security incident management, can be applied to all computing resources from one place. In addition, professional security expert teams can protect resources and data on behalf of users.
Low costs of security measures
Because security measures cover all computing resources shared among many users, the security cost borne by each individual user is low.
On-demand security protection services
Based on fast and elastic resource allocation, security is offered to users as services. Users can use the services on demand. In addition, this approach improves computing resource utilization of the cloud computing system.
Enhanced protection capability
In a data center, network traffic is classified into two types:
One is the traffic between external users of a data center and internal servers. Such traffic is called north-south or vertical traffic.
The other is the traffic exchanged between internal servers in the data center, also called east-west or horizontal traffic. East-west traffic includes traffic between VMs in the same subnet of the same tenant, traffic between different subnets of the same tenant, and traffic between different tenants.
The traditional security protection solution based on fixed physical boundaries only protects north-south traffic: a perimeter firewall inspects packets that cross the boundary, and east-west traffic never does, so the perimeter cannot see it, let alone filter it. Once an attacker compromises one VM, lateral movement to other VMs is invisible to the perimeter. SDN-based or host-based security protection measures (for example, security groups or microsegmentation policies enforced on the virtual switch or inside each VM) can effectively cope with the security issues of east-west traffic, thereby improving the security protection capability of the entire data center.
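The following is an added example, not code from the original page or from any vendor's product. It makes the north-south/east-west distinction concrete: a small flow classifier that uses a constructed VM inventory to sort flows into the three east-west categories listed above, and a default-deny host-based policy that is evaluated for exactly the flows a perimeter firewall would never inspect. All IP addresses, tenant names, subnets and rules are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed inventory (hypothetical): VM IP -> (tenant, subnet CIDR).
# In a real deployment this would come from the cloud platform's VPC/ECS metadata.
VM_INVENTORY = {
    "10.1.1.10": ("tenant-a", "10.1.1.0/24"),  # tenant-a web tier
    "10.1.1.11": ("tenant-a", "10.1.1.0/24"),  # tenant-a web tier
    "10.1.2.20": ("tenant-a", "10.1.2.0/24"),  # tenant-a db tier
    "10.2.1.30": ("tenant-b", "10.2.1.0/24"),  # another tenant
}

# Sanity check: every VM must actually sit inside its declared subnet.
for _ip, (_tenant, _cidr) in VM_INVENTORY.items():
    assert ipaddress.ip_address(_ip) in ipaddress.ip_network(_cidr), _ip

# Constructed host-based (microsegmentation) allow list, default deny.
# Each rule: (src_subnet, dst_subnet, proto, dport). Tenant isolation is
# enforced before these rules and cannot be overridden by them.
EAST_WEST_RULES = [
    ("10.1.1.0/24", "10.1.1.0/24", "tcp", 443),   # web peers talk HTTPS
    ("10.1.1.0/24", "10.1.2.0/24", "tcp", 3306),  # web -> db only on MySQL
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def classify(flow: Flow) -> str:
    """Classify a flow as north-south or one of the three east-west kinds."""
    src = VM_INVENTORY.get(flow.src)
    dst = VM_INVENTORY.get(flow.dst)
    if src is None or dst is None:
        # One endpoint is outside the data center: crosses the perimeter.
        return "north-south"
    if src[0] != dst[0]:
        return "east-west/cross-tenant"
    if src[1] != dst[1]:
        return "east-west/cross-subnet"
    return "east-west/same-subnet"


def perimeter_sees(flow: Flow) -> bool:
    """A fixed-boundary firewall only ever inspects north-south traffic."""
    return classify(flow) == "north-south"


def host_policy_decision(flow: Flow) -> str:
    """Decision of the host/SDN policy for a flow (default deny)."""
    kind = classify(flow)
    if kind == "north-south":
        return "defer-to-perimeter"
    if kind == "east-west/cross-tenant":
        return "deny"  # tenants are never allowed to reach each other directly
    src_subnet = VM_INVENTORY[flow.src][1]
    dst_subnet = VM_INVENTORY[flow.dst][1]
    for s, d, p, port in EAST_WEST_RULES:
        if (s, d, p, port) == (src_subnet, dst_subnet, flow.proto, flow.dport):
            return "allow"
    return "deny"


def audit(flows):
    """Return (class, perimeter_visible, decision) per flow plus the count of
    flows the perimeter firewall would never have inspected."""
    rows = [(classify(f), perimeter_sees(f), host_policy_decision(f)) for f in flows]
    blind_spots = sum(1 for _, seen, _ in rows if not seen)
    return rows, blind_spots


if __name__ == "__main__":
    # Constructed sample flows, including a lateral-movement attempt on SMB.
    sample = [
        Flow("203.0.113.5", "10.1.1.10", 443),   # internet client -> web
        Flow("10.1.1.10", "10.1.1.11", 443),     # web peer traffic
        Flow("10.1.1.10", "10.1.2.20", 3306),    # web -> db, allowed
        Flow("10.1.1.10", "10.1.2.20", 22),      # web -> db SSH, not allowed
        Flow("10.1.1.10", "10.2.1.30", 445),     # cross-tenant SMB, isolated
    ]
    rows, blind = audit(sample)
    for f, (kind, seen, decision) in zip(sample, rows):
        print(f"{f.src:>13} -> {f.dst:<10} {f.proto}/{f.dport:<5} {kind:<24} "
              f"perimeter={'yes' if seen else 'no ':<3} host={decision}")
    print(f"flows invisible to the perimeter firewall: {blind} of {len(sample)}")
```

The point the output makes is that four of the five flows, including the cross-tenant SMB attempt, are invisible to the perimeter; only the host-based or SDN policy can decide them, and it does so with an explicit allow list and tenant isolation that no rule can relax.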
Shared responsibility and varied duties
The security responsibilities for applications deployed in a cloud data center are shared between the platform and its tenants. The platform ensures the security of the cloud service platform itself, while tenants are responsible for the security of the application systems they deploy on it.
The cloud platform is responsible for the security of physical infrastructure, cloud OSs, and cloud service products, and provides customers with technical measures to protect cloud applications and data.
The security assurance of the cloud platform includes hardware, software, and network security, such as system and database patch management, vulnerability fixing, network access control, and disaster recovery. It also includes third-party supervision and audit organizations' evaluation of the compliance of the cloud platform. The technical measures provided for tenants include Identity and Access Management (IAM), basic services (built-in security functions), security services, security audit methods, and industry security solutions provided by third-party security vendors.
Tenants are responsible for building their own cloud application systems on the cloud infrastructure and services, and for protecting those systems by properly using the security functions of cloud products, security services, and third-party security products. For example, tenants can use IAM for user identity management, logs for operation auditing, and Elastic Cloud Server (ECS) and Virtual Private Cloud (VPC) for VM management and network security configuration to ensure O&M security. For managed services such as the cloud database (RDS), Big Data services, and microservices, tenants do not need to handle instance maintenance, patch upgrades, or configuration hardening of the underlying OSs and databases. They only need to manage the accounts and authorization for these services and use the security functions the services provide; misconfigured authorization on a managed service remains the tenant's responsibility, not the platform's.