
Alibaba Cloud: Difference between revisions

No edit summary
m (10 revisions imported: Importing my work from LIMSwiki, using the same CC license)
 
(6 intermediate revisions by the same user not shown)
Line 21: Line 21:
| products        = [[Infrastructure as a service|IaaS]], [[Platform as a service|PaaS]], [[Software as a service|SaaS]], [[Database as a service|DBaaS]]
| products        = [[Infrastructure as a service|IaaS]], [[Platform as a service|PaaS]], [[Software as a service|SaaS]], [[Database as a service|DBaaS]]
| services        =  
| services        =  
| revenue          = $6.6 billion (2020)<ref name="SunAsJack20">{{cite web |url=https://asia.nikkei.com/Business/China-tech/As-Jack-Ma-era-ends-Alibaba-sets-high-goal-for-cloud-business |title=As Jack Ma era ends, Alibaba sets high goal for cloud business |author=Sun, N. |work=Nikkei Asia |date=30 September 2020 |accessdate=25 April 2021}}</ref>
| revenue          = $2.71 billion (Q1 2023)<ref name="WulhelmAlibaba23">{{cite web |url=https://techcrunch.com/2023/05/18/alibaba-cloud-spin-off-analysis/ |title=Alibaba’s cloud spinoff may serve as a good yardstick to value other major players |author=Wulhelm, A. |work=Tech Crunch |date=18 May 2023 |accessdate=28 July 2023}}</ref>
| operating_income =  
| operating_income =  
| net_income      =  
| net_income      =  
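Review bot: The new `revenue` value replaces an annual figure ($6.6 billion for 2020) with a single quarter ($2.71 billion for Q1 2023), so the infobox field is no longer comparable with its previous value. Either give the most recent full-year figure or keep the period label prominent and consistent with how other infoboxes use this field. The new citation also writes the work as "Tech Crunch", while the LiaoAlibabaCEO22 reference added later in this revision uses "TechCrunch"; settle on one spelling, and check the author surname against the article byline while you are there.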
Line 37: Line 37:
}}
}}


'''Alibaba Cloud''' ( also known as '''Aliyun''') is a Chinese [[cloud computing]] company that provides public, private, hybrid and multicloud solutions to enterprises, organizations, governments, and individuals. Alibaba has data centers primarily in China but also some outside of China, including North America, Europe, the Middle East, Australia, Japan, and other parts of the Asia Pacific region.<ref name="AlibabaGlobal">{{cite web |url=https://www.alibabacloud.com/global-locations |title=Alibaba Cloud's Global Infrastructure |publisher=Alibaba Cloud |accessdate=25 April 2021}}</ref> The company provides more than 100 different products and services representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, cloud communication, [[data analysis]], media management, container and [[middleware]] management, developer support, [[internet of things]], and [[artificial intelligence]].<ref name="AlibabaCloudProducts">{{cite web |url=https://www.alibabacloud.com/product |title=Alibaba Cloud Products & Services |publisher=Alibaba Cloud |accessdate=25 April 2021}}</ref>
'''Alibaba Cloud''' ( also known as '''Aliyun''') is a Chinese [[cloud computing]] company that provides public, private, hybrid, and multicloud solutions to enterprises, organizations, governments, and individuals. Alibaba has data centers primarily in China but also some outside of China, including North America, Europe, the Middle East, Australia, Japan, and other parts of the Asia Pacific region.<ref name="AlibabaGlobal">{{cite web |url=https://www.alibabacloud.com/global-locations |title=Alibaba Cloud's Global Infrastructure |publisher=Alibaba Cloud |accessdate=28 July 2023}}</ref> The company provides more than 100 different products and services representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, cloud communication, [[data analysis]], media management, container and [[middleware]] management, developer support, [[internet of things]], and [[artificial intelligence]].<ref name="AlibabaCloudProducts">{{cite web |url=https://www.alibabacloud.com/product |title=Alibaba Cloud Products & Services |publisher=Alibaba Cloud |accessdate=28 July 2023}}</ref>
 
In May 2023, the company approved the spin off its cloud division, the Cloud Intelligence Group, "via a stock dividend distribution to shareholders, aiming to complete the public listing within the next 12 months."<ref name="WulhelmAlibaba23" /><ref name="MehtaAlibaba23">{{cite web |url=https://www.reuters.com/business/retail-consumer/alibaba-fourth-quarter-revenue-rises-2-2023-05-18/ |title=Alibaba misses revenue estimate, approves cloud unit spinoff |author=Mahta, C.; Horwitz, J. |work=Reuters |date=18 May 2023 |accessdate=28 July 2023}}</ref>


==Provider research==
==Provider research==
This section uses public information to provide some answers to the 18 questions posed in Chapter 5 of the wiki-based guide ''[[LII:Choosing and Implementing a Cloud-based Service for your Laboratory|Choosing and Implementing a Cloud-based Service for your Laboratory]]''. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.
This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide ''[[LII:Choosing and Implementing a Cloud-based Service for Your Laboratory|Choosing and Implementing a Cloud-based Service for Your Laboratory]]''. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.




1. '''What experience do you have working with laboratory customers in our specific industry?'''
1. '''What experience do you have working with laboratory customers in our specific industry?'''


This question must be asked of the cloud provider yourself to gain a true understanding of how they may have worked with [[Laboratory|labs]] in your industry. However, here's a little background on Alibaba's connections with laboratories in general, based off publicly available information. According to Alibaba Cloud, their services have received "regular and stringent evaluations" by the China National Accreditation Service for Conformity Assessment (CNAS) and its accredited body the State Information Center Software Testing Center.<ref name="AlibabaCNAS">{{cite web |url=https://www.alibabacloud.com/trust-center/cnas |title=CNAS |publisher=Alibaba Cloud |accessdate=25 April 2021}}</ref> CNAS is known to be the same accreditation body that is also responsible for the accreditation of laboratories in China.<ref name="CNSASIntro">{{cite web |url=https://www.cnas.org.cn/english/introduction/12/718683.shtml |title=CNAS Introduction |publisher=China National Accreditation Service for Conformity Assessment |accessdate=25 April 2021}}</ref> This in itself doesn't mean Alibaba has strong experience working with laboratories, but it is nonetheless encouraging—particularly if CNAS accreditation is rigorous—that Alibaba has been seemingly been vetted by CNAS. 
As for direct experience with laboratories, Alibaba reportedly had interactions with some laboratories as part of a [[COVID-19]] initiative in 2020.<ref name="AlibabaCOVID20">{{cite web |url=https://www.alibabacloud.com/press-room/alibaba-cloud-ai-cloud-services-to-help-battle-covid-19 |title=Alibaba Cloud Offers AI, Cloud Services to Help Battle Covid-19 Globally |publisher=Alibaba Cloud |date=19 March 2020 |accessdate=25 April 2021}}</ref> Laboratories that do or at some point have worked off Alibaba Cloud as part of their tech stack include Anbison Laboratories<ref name="ZoomInfoAnbison">{{cite web |url=https://www.zoominfo.com/c/anbison-laboratories-co-ltd/345850572 |title=Anbison Laboratories |work=ZoomInfo |accessdate=25 April 2021}}</ref> and BGI Genomics<ref name="IntelUnleash16">{{cite web |url=https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unleashing-power-of-precision-medicine-hybrid-cloud-paper.pdf |format=PDF |title=Unleashing the Power of Precision Medicine Using the Hybrid Cloud |publisher=Intel |date=2016 |accessdate=25 April 2021}}</ref>.
This question must be asked of the cloud provider yourself to gain a true understanding of how they may have worked with [[Laboratory|labs]] in your industry. However, here's a little background on Alibaba's connections with laboratories in general, based off publicly available information. According to Alibaba Cloud, their services have received "regular and stringent evaluations" by the China National Accreditation Service for Conformity Assessment (CNAS) and its accredited body the State Information Center Software Testing Center.<ref name="AlibabaCNAS">{{cite web |url=https://www.alibabacloud.com/trust-center/cnas |title=CNAS |publisher=Alibaba Cloud |accessdate=28 July 2023}}</ref> CNAS is known to be the same accreditation body that is also responsible for the accreditation of laboratories in China.<ref name="CNSASIntro">{{cite web |url=https://www.cnas.org.cn/english/introduction/12/718683.shtml |title=CNAS Introduction |publisher=China National Accreditation Service for Conformity Assessment |accessdate=28 July 2023}}</ref> This in itself doesn't mean Alibaba has strong experience working with laboratories, but it is nonetheless encouraging—particularly if CNAS accreditation is rigorous—that Alibaba has been seemingly been vetted by CNAS. 
As for direct experience with laboratories, Alibaba reportedly had interactions with some laboratories as part of a [[COVID-19]] initiative in 2020.<ref name="AlibabaCOVID20">{{cite web |url=https://www.alibabacloud.com/press-room/alibaba-cloud-ai-cloud-services-to-help-battle-covid-19 |title=Alibaba Cloud Offers AI, Cloud Services to Help Battle Covid-19 Globally |publisher=Alibaba Cloud |date=19 March 2020 |accessdate=28 July 2023}}</ref> Laboratories that do or at some point have worked off Alibaba Cloud as part of their tech stack include Anbison Laboratories<ref name="ZoomInfoAnbison">{{cite web |url=https://www.zoominfo.com/c/anbison-laboratories-co-ltd/345850572 |title=Anbison Laboratories |work=ZoomInfo |accessdate=28 July 2023}}</ref> and BGI Genomics<ref name="IntelUnleash16">{{cite web |url=https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unleashing-power-of-precision-medicine-hybrid-cloud-paper.pdf |archiveurl=https://web.archive.org/web/20210409184731/https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unleashing-power-of-precision-medicine-hybrid-cloud-paper.pdf |format=PDF |title=Unleashing the Power of Precision Medicine Using the Hybrid Cloud |publisher=Intel |date=2016 |archivedate=09 April 2021 |accessdate=28 July 2023}}</ref>.




2. '''Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?'''
2. '''Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?'''


Like question one, it will ultimately be up to your organization to get an answer tailored to your systems and business processes. However, this much can be said about Alibaba integrations. The company provides a Data Integration product described as "a stable, efficient, and scalable data synchronization service. It is designed to migrate and synchronize data between a wide range of heterogeneous data stores fast and stably in complex network environments." This appears to be primarily for data synchronization among supported structured, semi-structured, and unstructured data stores, not data consumption.<ref name="AlibabaDataInt21">{{cite web |url=https://www.alibabacloud.com/help/doc-detail/137663.htm?spm=a3c0i.11348557.6020378220.1.60adb272D4vsN7 |title=Data Integration: Overview |publisher=Alibaba Cloud |date=21 January 2021 |accessdate=25 April 2021}}</ref> Consult their documentation on [https://www.alibabacloud.com/help/doc-detail/137663.htm?spm=a3c0i.11348557.6020378220.1.60adb272D4vsN7 Data Integration] for more details. Alibaba also discusses hybrid integration of your organization's backend systems [https://www.alibabacloud.com/solutions/hybrid/backend-integration here], and the company leans on its Elastic Compute Service, Server Load Balancer, Express Connect, and Virtual Private Cloud to do this. The company also provides a one-page sheet explaining how it handles [http://alicloud-common.oss-ap-southeast-1.aliyuncs.com/Hybrid_Cloud_Solution/One%20Pager%20-%20Hybrid%20Cloud%20Backend%20System%20Integration.pdf?spm=a3c0i.9133035.7801883710.7.4a3d3441icYWXn&file=One%20Pager%20-%20Hybrid%20Cloud%20Backend%20System%20Integration.pdf backend system integration]. Again, your existing systems and business processes may need to be altered slightly to work with Alibaba's services, which is why you'll be asking this question.
Like question one, it will ultimately be up to your organization to get an answer tailored to your systems and business processes. However, this much can be said about Alibaba integrations. The company provides a Data Integration product described as "a stable, efficient, and scalable data synchronization service. It is designed to migrate and synchronize data between various heterogeneous data sources in complex network environments at a high speed and in a stable manner." This appears to be primarily for data synchronization among supported structured, semi-structured, and unstructured data stores, not data consumption.<ref name="AlibabaDataInt21">{{cite web |url=https://www.alibabacloud.com/help/en/dataworks/user-guide/overview-6 |title=Data Integration: Overview |publisher=Alibaba Cloud |date=10 April 2023 |accessdate=28 July 2023}}</ref> Consult their documentation on [https://www.alibabacloud.com/help/en/dataworks/user-guide/overview-6 data integration] for more details. Alibaba also discusses hybrid integration of your organization's backend systems [https://www.alibabacloud.com/solutions/hybrid/backend-integration here], and the company leans on its Elastic Compute Service, Server Load Balancer, Express Connect, and Virtual Private Cloud to do this. The company also provides a one-page sheet explaining how it handles [http://alicloud-common.oss-ap-southeast-1.aliyuncs.com/Hybrid_Cloud_Solution/One%20Pager%20-%20Hybrid%20Cloud%20Backend%20System%20Integration.pdf?spm=a3c0i.9133035.7801883710.7.4a3d3441icYWXn&file=One%20Pager%20-%20Hybrid%20Cloud%20Backend%20System%20Integration.pdf backend system integration]. Again, your existing systems and business processes may need to be altered slightly to work with Alibaba's services, which is why you'll be asking this question.




3. '''What is the average total historical downtime for the service(s) we're interested in?'''
3. '''What is the average total historical downtime for the service(s) we're interested in?'''


Little public information is made available about historic outages and downtime. You'll largely have to ask this of Alibaba and see what response they give you. Alibaba has demonstrated a desire to increase availability and make increases in availability in multiple areas of its services, including a push to "99.995 percent availability for services deployed across multiple availability zones within a cloud region" and "99.975 percent for single instances."<ref name="MahAlibabaUpg20">{{cite web |url=https://www.datacenterdynamics.com/en/news/alibaba-cloud-upgrades-sla-multi-zone-instances/ |title=Alibaba Cloud upgrades SLA for multi-zone instances |author=Mah, P. |work=Data Center Dynamics |date=02 January 2020 |accessdate=25 April 2021}}</ref> You may wish to consult Alibaba Cloud's [https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20solution%20High%20availability%20solution%2020210322-updated.pdf lengthy whitepaper] on the architecture and availability of its solutions. That said, outages have been reported in 2015<ref name="MahAliyun15">{{cite web |url=https://www.datacenterdynamics.com/en/news/aliyun-cloud-suffers-prolonged-disruption-in-hong-kong/ |title=Aliyun cloud suffers prolonged disruption in Hong Kong |author=Mah, P. |work=Data Center Dynamics |date=26 June 2015 |accessdate=25 April 2021}}</ref> and 2019.<ref name="FuAlibaba19">{{cite web |url=https://equalocean.com/news/201903031507 |title=Alibaba Cloud Reports IO Hang Error in North China |author=Fu, Y. |work=EqualOcean |date=03 March 2019 |accessdate=25 April 2021}}</ref>
Little public information is made available about historic outages and downtime. You'll largely have to ask this of Alibaba and see what response they give you. Alibaba has demonstrated a desire to increase availability and make increases in availability in multiple areas of its services, including a push to "99.995 percent availability for services deployed across multiple availability zones within a cloud region" and "99.975 percent for single instances."<ref name="MahAlibabaUpg20">{{cite web |url=https://www.datacenterdynamics.com/en/news/alibaba-cloud-upgrades-sla-multi-zone-instances/ |title=Alibaba Cloud upgrades SLA for multi-zone instances |author=Mah, P. |work=Data Center Dynamics |date=02 January 2020 |accessdate=28 July 2023}}</ref> You may wish to consult Alibaba Cloud's [https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20solution%20High%20availability%20solution%2020210322-updated.pdf lengthy whitepaper] on the architecture and availability of its solutions. That said, outages have been reported in 2015<ref name="MahAliyun15">{{cite web |url=https://www.datacenterdynamics.com/en/news/aliyun-cloud-suffers-prolonged-disruption-in-hong-kong/ |title=Aliyun cloud suffers prolonged disruption in Hong Kong |author=Mah, P. |work=Data Center Dynamics |date=26 June 2015 |accessdate=28 July 2023}}</ref>, 2019<ref name="FuAlibaba19">{{cite web |url=https://equalocean.com/news/201903031507 |title=Alibaba Cloud Reports IO Hang Error in North China |author=Fu, Y. |work=EqualOcean |date=03 March 2019 |accessdate=28 July 2023}}</ref>, and 2022.<ref name="LiaoAlibabaCEO22">{{cite web |url=https://techcrunch.com/2022/12/29/alibaba-reshuffle-2022/ |title=Alibaba CEO to oversee cloud arm following major server outage |author=Liao, R. |work=TechCrunch |date=29 December 2022 |accessdate=28 July 2023}}</ref>




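Review bot: The added spin-off paragraph reads "approved the spin off its cloud division", which is missing "of", and its reference is named MehtaAlibaba23 while the author field says "Mahta, C.", so one of the two spellings is wrong. Since the intro and question 1 paragraphs are being touched anyway, the carried-over "( also known as" (stray space) and "has been seemingly been vetted" (doubled "been") could be fixed in the same edit.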
Line 65: Line 67:
5. '''Where are your servers located, and how is data securely transferred to and from those servers?'''
5. '''Where are your servers located, and how is data securely transferred to and from those servers?'''


Alibaba has [https://www.alibabacloud.com/global-locations data centers] primarily in China but also some outside of China, including North America, Europe, the Middle East, Australia, Japan, and other parts of the Asia Pacific region. Alibaba uses its Content Delivery Network, which "distributes user requests to the most suitable nodes, allowing the fastest possible retrieval of requested content."<ref name="AlibabaGlobal" /> Alibaba addresses data transmission security in its [https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf security whitepaper] on pages 133 (in regards to its cryptographic service) and 163 (in regards to the entire service), mentioning the standard trifecta of HTTPS, VPN gateways, and SSL certificates. In regards to data localization requirements, it's not clear how Alibaba honors those requirements on a superficial level; you'll have to have direct discussions with the Alibaba and review their compliance materials in regards to any data localization requirements you may have. Tangentially, a 2020 report stated that Alibaba finds data localization requirements in regulatory models such as Europe's [[General Data Protection Regulation]] (GDPR) to be too stifling and has been petitioning the Chinese government to take a more light-handed approach to data localization.<ref name="LuIsChina20">{{cite web |url=https://thediplomat.com/2020/06/is-china-changing-its-thinking-on-data-localization/ |title=Is China Changing Its Thinking on Data Localization? |author=Lu, X. |work=The Diplomat |date=04 June 2020 |accessdate=25 April 2021}}</ref>
Alibaba has [https://www.alibabacloud.com/global-locations data centers] primarily in China but also some outside of China, including North America, Europe, the Middle East, Australia, Japan, and other parts of the Asia Pacific region. Alibaba uses its Content Delivery Network, which "distributes user requests to the most suitable nodes, allowing the fastest possible retrieval of requested content."<ref name="AlibabaGlobal" /> Alibaba addresses data transmission security in its [https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf security whitepaper] on pages 133 (in regards to its cryptographic service) and 163 (in regards to the entire service), mentioning the standard trifecta of HTTPS, VPN gateways, and SSL certificates. In regards to data localization requirements, it's not clear how Alibaba honors those requirements on a superficial level; you'll have to have direct discussions with the Alibaba and review their compliance materials in regards to any data localization requirements you may have. Tangentially, a 2020 report stated that Alibaba finds data localization requirements in regulatory models such as Europe's [[General Data Protection Regulation]] (GDPR) to be too stifling and has been petitioning the Chinese government to take a more light-handed approach to data localization.<ref name="LuIsChina20">{{cite web |url=https://thediplomat.com/2020/06/is-china-changing-its-thinking-on-data-localization/ |title=Is China Changing Its Thinking on Data Localization? |author=Lu, X. 
|work=The Diplomat |date=04 June 2020 |accessdate=28 July 2023}}</ref> Despite this, China has marched ahead with its data localization requirements into 2023, causing some multinational organization to rethink their market strategy.<ref name="ClineChina22">{{cite web |url=https://www.pwc.com/us/en/tech-effect/cybersecurity/security-assessments-for-china-cross-border-data-transfers.html |title=China’s new data-transfer mandate prompting multinationals to rethink market strategy |author=Cline, J. |publisher=PwC |date=25 October 2022 |accessdate=28 July 2023}}</ref>




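Review bot: The added closing sentence says China "has marched ahead with its data localization requirements into 2023", but the only source cited for it (ClineChina22) is dated 25 October 2022, so the "into 2023" part is unsupported as written; cite a 2023 source or reword to what the PwC piece covers. In the same sentence "some multinational organization" should be plural, and the unchanged text just before it still reads "discussions with the Alibaba".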
Line 80: Line 82:
8. '''How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)'''
8. '''How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)'''


It does not appear that Alibaba supports physical separation approaches to sensitive and regulated data. They cite "a higher cost structure and lower utilization resulting from less efficient use of space as well as limited redundancy options and features" in regards to physical separation practices. They argue that logical separation is a better approach "via logical access controls, permission management, network traffic routing, and encryption." They add that uses needing to meet "security outcomes equivalent to physical separation" can also take advantage of a virtual private cloud "or use [[encryption]] solutions to encrypt data at-rest and in-transit."<ref name="AlibabaTrustFAQ">{{cite web |url=https://www.alibabacloud.com/trust-center/faq |title=Security Compliance FAQs |publisher=Alibaba Cloud |accessdate=25 April 2021}}</ref>
It does not appear that Alibaba supports physical separation approaches to sensitive and regulated data. They cite "a higher cost structure and lower utilization resulting from less efficient use of space as well as limited redundancy options and features" in regards to physical separation practices. They argue that logical separation is a better approach "via logical access controls, permission management, network traffic routing, and encryption." They add that uses needing to meet "security outcomes equivalent to physical separation" can also take advantage of a virtual private cloud "or use [[encryption]] solutions to encrypt data at-rest and in-transit."<ref name="AlibabaTrustFAQ">{{cite web |url=https://www.alibabacloud.com/trust-center/faq |title=Security Compliance FAQs |publisher=Alibaba Cloud |accessdate=28 July 2023}}</ref>


Alibaba does, however, address the concept of tenant isolation in its [https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf security whitepaper] in multiple places. Tenant isolation is enabled by default on Alibaba. This is largely accomplished with [[virtualization]] methods. Reference section 5.1.3.1 of the whitepaper for more details. Further technical details, if required, may be garnered in discussion with Alibaba.
Alibaba does, however, address the concept of tenant isolation in its [https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf security whitepaper] in multiple places. Tenant isolation is enabled by default on Alibaba. This is largely accomplished with [[virtualization]] methods. Reference section 5.1.3.1 of the whitepaper for more details. Further technical details, if required, may be garnered in discussion with Alibaba.
Line 98: Line 100:
10. '''How do you test your platform's security?'''
10. '''How do you test your platform's security?'''


In its [https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf security whitepaper], Alibaba addresses penetration testing (page 27), noting they use "attack-and-defense drills ... designed to objectively test the defense and threat detection capabilities of Alibaba Cloud, enhance the core security capabilities of Alibaba Cloud, and improve the security defense system."<ref name="AlibabaSecurityWhite21">{{cite web |url=https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf |format=PDF |title=Alibaba Cloud Security White Paper - International Edition, Version 2.1 |publisher=Alibaba Cloud |date=February 2021 |accessdate=25 April 2021}}</ref> For more on these drills, discuss the topic with Alibaba. There are other scattered pieces of information related to non-Alibaba personnel testing the platform. For example, an Alibaba user can apply for a license to conduct penetration tests for Alibaba Cloud products.<ref name="AlibabaApply19">{{cite web |url=https://www.alibabacloud.com/help/doc-detail/84443.htm |title=Apply for a penetration test license |publisher=Alibaba Cloud |date=07 March 2019 |accessdate=25 April 2021}}</ref> Alibaba also appears to have had a Crowdsourced Security Testing program<ref name="AlibabaCrowd19">{{cite web |url=http://static-aliyun-doc.oss-cn-hangzhou.aliyuncs.com/download/pdf/DNXIAN1846009_en-US_intl_190516194424_public_8c46d47183231dcdd2ff90881a425617.pdf |format=PDF |title=Alibaba Cloud Crowdsourced Security Testing |publisher=Alibaba Cloud |date=16 May 2019 |accessdate=25 April 2021}}</ref>, but much of the documentation about the program seems to have gone missing from the Alibaba Cloud site. 
A page detailing how to register for the program still exists<ref name="AlibabaCrowd20">{{cite web |url=https://www.alibabacloud.com/help/doc-detail/28394.html |title=Crowdsourced security testing platform procedure for enterprises |publisher=Alibaba Cloud |date=13 January 2020 |accessdate=25 April 2021}}</ref>, but it's not clear how active the program is today. A related set of vulnerability rewards programs, encouraging people to test Alibaba's security, may also still be available through the [https://security.alibaba.com/ Alibaba Security Response Center].
In its [https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf security whitepaper], Alibaba addresses penetration testing (page 27), noting they use "attack-and-defense drills ... designed to objectively test the defense and threat detection capabilities of Alibaba Cloud, enhance the core security capabilities of Alibaba Cloud, and improve the security defense system."<ref name="AlibabaSecurityWhite21">{{cite web |url=https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf |format=PDF |title=Alibaba Cloud Security White Paper - International Edition, Version 2.1 |publisher=Alibaba Cloud |date=February 2021 |accessdate=28 July 2023}}</ref> For more on these drills, discuss the topic with Alibaba. There are other scattered pieces of information related to non-Alibaba personnel testing the platform. For example, an Alibaba user can apply for a license to conduct penetration tests for Alibaba Cloud products.<ref name="AlibabaApply19">{{cite web |url=https://www.alibabacloud.com/help/en/security-control/latest/apply-for-a-penetration-test-license |title=Apply for a penetration test license |publisher=Alibaba Cloud |date=06 March 2019 |accessdate=28 July 2023}}</ref> Alibaba also appears to have had a Crowdsourced Security Testing program<ref name="AlibabaCrowd19">{{cite web |url=http://static-aliyun-doc.oss-cn-hangzhou.aliyuncs.com/download/pdf/DNXIAN1846009_en-US_intl_190516194424_public_8c46d47183231dcdd2ff90881a425617.pdf |format=PDF |title=Alibaba Cloud Crowdsourced Security Testing |publisher=Alibaba Cloud |date=16 May 2019 |accessdate=28 July 2023}}</ref>, but much of the documentation about the program seems to have gone missing from the Alibaba Cloud site. 
A page detailing how to register for the program also disappeared<ref name="AlibabaCrowd20">{{cite web |url=https://www.alibabacloud.com/help/doc-detail/28394.html |archiveurl=https://web.archive.org/web/20210101000000*/https://www.alibabacloud.com/help/doc-detail/28394.html |title=Crowdsourced security testing platform procedure for enterprises |publisher=Alibaba Cloud |date=13 January 2020 |archivedate=10 April 2021 |accessdate=28 July 2023}}</ref>, and as such, it's not clear how active the program is today. A related set of vulnerability rewards programs, encouraging people to test Alibaba's security, may also still be available through the [https://security.alibaba.com/ Alibaba Security Response Center].




11. '''What are your policies for security audits, intrusion detection, and intrusion reporting?'''
11. '''What are your policies for security audits, intrusion detection, and intrusion reporting?'''


''Audits'': Alibaba cooperates "with independent third-party security regulation and audit agencies to audit and evaluate the security and compliance stance of Alibaba Cloud."<ref name="AlibabaSecurityWhite21" /> This is demonstrated by its compliance credentials (e.g., see pages 6–10 of the company's [https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf security whitepaper] or its [https://www.alibabacloud.com/trust-center trust center]). Alibaba also provides tools to customers (e.g., Cloud Config) allowing them to run their own security audits on their own data.<ref name="AlibabaSecurityWhite21" /><ref name="AlibabaCloudConfig">{{cite web |url=https://www.alibabacloud.com/product/cloud-config |title=Cloud Config |publisher=Alibaba Cloud |accessdate=25 April 2021}}</ref>
''Audits'': Alibaba cooperates "with independent third-party security regulation and audit agencies to audit and evaluate the security and compliance stance of Alibaba Cloud."<ref name="AlibabaSecurityWhite21" /> This is demonstrated by its compliance credentials (e.g., see pages 6–10 of the company's [https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf security whitepaper] or its [https://www.alibabacloud.com/trust-center trust center]). Alibaba also provides tools to customers (e.g., Cloud Config) allowing them to run their own security audits on their own data.<ref name="AlibabaSecurityWhite21" /><ref name="AlibabaCloudConfig">{{cite web |url=https://www.alibabacloud.com/product/cloud-config |title=Cloud Config |publisher=Alibaba Cloud |accessdate=28 July 2023}}</ref>


''Intrusion detection and reporting'': Alibaba Cloud allows users to install a small app called Security Center on their virtual machines (VMs) that can handle intrusion detection in real time. Per the security whitepaper, "intrusion detection for VMs includes remote logon detection, Webshell detection and removal, anomaly detection (detection of abnormal process behaviors and abnormal network connections), and detection of changes in key files and suspicious accounts in systems and applications. Security Center can also intelligently learn application whitelists." This same app can also be used with Alibaba's Container Service. Intrusion detection services are also found within Alibaba's Cloud Firewall.<ref name="AlibabaSecurityWhite21" /> In the case of Cloud Firewall, reporting is included.<ref name="KaushikAlibaba20">{{cite web |url=https://alibaba-cloud.medium.com/alibaba-cloud-firewall-the-next-gen-firewall-as-a-service-836f524d8392 |title=Alibaba Cloud Firewall: The Next-Gen Firewall as a Service |author=Kaushik, S. |work=Medium |date=27 January 2021 |accessdate=25 April 2021}}</ref> Reporting is presumably also a component of Security Center; confirm this with Alibaba.
''Intrusion detection and reporting'': Alibaba Cloud allows users to install a small app called Security Center on their virtual machines (VMs) that can handle intrusion detection in real time. Per the security whitepaper, "intrusion detection for VMs includes remote logon detection, Webshell detection and removal, anomaly detection (detection of abnormal process behaviors and abnormal network connections), and detection of changes in key files and suspicious accounts in systems and applications. Security Center can also intelligently learn application whitelists." This same app can also be used with Alibaba's Container Service. Intrusion detection services are also found within Alibaba's Cloud Firewall.<ref name="AlibabaSecurityWhite21" /> In the case of Cloud Firewall, reporting is included.<ref name="KaushikAlibaba20">{{cite web |url=https://alibaba-cloud.medium.com/alibaba-cloud-firewall-the-next-gen-firewall-as-a-service-836f524d8392 |title=Alibaba Cloud Firewall: The Next-Gen Firewall as a Service |author=Kaushik, S. |work=Medium |date=27 January 2021 |accessdate=28 July 2023}}</ref> Reporting is presumably also a component of Security Center; confirm this with Alibaba.




12. '''What data logging information is kept and acted upon in relation to our data?'''
12. '''What data logging information is kept and acted upon in relation to our data?'''


Mentions of a "central logging platform" are made in both the company's [https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf security whitepaper] and its [https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/video/Alibaba%20Cloud_%20SOC3_Report%20_EN_Final.pdf SOC 3 report]. The SOC 3 report in particular says this<ref name="AlibabaSystemAnd18">{{cite web |url=https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/video/Alibaba%20Cloud_%20SOC3_Report%20_EN_Final.pdf |format=PDF |title=System and Organization Controls 3 Report Report on Alibaba Cloud’s Cloud Services System |publisher=Alibaba Cloud |date=01 November 2018 |accessdate=25 April 2021}}</ref>:
Mentions of a "central logging platform" are made in both the company's [https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf security whitepaper] and its [https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/video/Alibaba%20Cloud_%20SOC3_Report%20_EN_Final.pdf SOC 3 report]. The SOC 3 report in particular says this<ref name="AlibabaSystemAnd18">{{cite web |url=https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/video/Alibaba%20Cloud_%20SOC3_Report%20_EN_Final.pdf |format=PDF |title=System and Organization Controls 3 Report Report on Alibaba Cloud’s Cloud Services System |publisher=Alibaba Cloud |date=01 November 2018 |accessdate=28 July 2023}}</ref>:


<blockquote>Logs of activities performed on the cloud platform collected through the central logging platform are imported into real-time and offline computing platforms. Logs are processed and analysed through security monitoring algorithms in each computing platform for anomaly analysis and detection.</blockquote>
<blockquote>Logs of activities performed on the cloud platform collected through the central logging platform are imported into real-time and offline computing platforms. Logs are processed and analysed through security monitoring algorithms in each computing platform for anomaly analysis and detection.</blockquote>
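Review bot: The archiveurl in the AlibabaCrowd20 citation at the top of this hunk points at a Wayback Machine wildcard listing (web/20210101000000*/...) rather than a single capture, while archivedate states 10 April 2021. Replace it with the URL of the specific snapshot so the archived copy a reader lands on matches the stated date. Separately, the citations edited in this hunk only had accessdate moved to 28 July 2023; the SOC 3 report cited is still the 01 November 2018 edition, so confirm it is still the current report before re-dating the access.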
Line 126: Line 128:
14. '''For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?'''
14. '''For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?'''


Yes, Alibaba will sign a business associate agreement.<ref name="AlibabaHIPAA">{{cite web |url=https://www.alibabacloud.com/trust-center/hipaa |title=HIPAA/HITECH |publisher=Alibaba Cloud |accessdate=25 April 2021}}</ref> Consult their [https://files.alicdn.com/tpsservice/ed492ff176c48b0a0beda7728c19c0d7.pdf?spm=a3c0i.148033.7266455040.1.f6c753e7QUUR4K&file=ed492ff176c48b0a0beda7728c19c0d7.pdf HIPAA whitepaper] for more details on their approach to [[HIPAA]] compliance.
Yes, Alibaba will sign a business associate agreement.<ref name="AlibabaHIPAA">{{cite web |url=https://www.alibabacloud.com/trust-center/hipaa |title=HIPAA/HITECH |publisher=Alibaba Cloud |accessdate=28 July 2023}}</ref> Consult their [https://files.alicdn.com/tpsservice/ed492ff176c48b0a0beda7728c19c0d7.pdf?spm=a3c0i.148033.7266455040.1.f6c753e7QUUR4K&file=ed492ff176c48b0a0beda7728c19c0d7.pdf HIPAA whitepaper] for more details on their approach to [[HIPAA]] compliance.




15. '''What happens to our data should the contract expire or be terminated?'''
15. '''What happens to our data should the contract expire or be terminated?'''


Direct your attention to the service agreement associated with the product you use. Some service agreements for particular products are available in the Alibaba Cloud Document Center, while others may be difficult to track down. If you can't find the details of a service agreement for the product you're interested in, address this with an Alibaba representative. That said, here's an example from the service agreement for Alibaba's Machine Translation product<ref name="AlibabaMachine19">{{cite web |url=https://www.alibabacloud.com/help/doc-detail/96400.htm |title=Machine Translation > Service Agreement |publisher=Alibaba Cloud |date=15 May 2019 |accessdate=25 April 2021}}</ref>
Direct your attention to the service agreement associated with the product you use. Some service agreements for particular products are available in the Alibaba Cloud Document Center, while others may be difficult to track down. If you can't find the details of a service agreement for the product you're interested in, address this with an Alibaba representative. That said, here's an example from the Alibaba Terms of Service<ref name="AlibabaMachine19">{{cite web |url=https://www.alibabacloud.com/help/en/advisor/latest/terms-of-service |title=Terms of Services |publisher=Alibaba Cloud |date=20 January 2023 |accessdate=28 July 2023}}</ref>


<blockquote>When the service period expires, the service is terminated in advance (including early termination after the Parties have so agreed, early termination due to other reasons, etc.) or when you are in arrears, except as otherwise expressly required by applicable laws and regulations, required by a competent authority or agreed to by the Parties, Alibaba Cloud will only continue to store your user business data (if any) within a certain buffer period (subject to the time limit stated in the special terms, product documentation, and service descriptions applicable to the service that you ordered). Upon expiration of the buffer period, Alibaba Cloud will delete all user business data, including all cached or backup copies, and will not retain any of your user business data ... Once the user business data is deleted, it cannot be recovered; you shall assume the consequences and responsibilities resulting from the deletion of such data. You understand and agree that Alibaba Cloud has no obligation to continue to retain, export, or return the user business data.</blockquote>
<blockquote>When the service period expires, the service is terminated in advance (including early termination agreed by both parties, early termination due to other reasons, etc.) or you have arrears, unless otherwise specified by laws and regulations, required by the competent department or agreed by both parties, Alibaba Cloud will only continue to store your user business data (if any) within a certain buffer period (subject to the time limit specified in the proprietary terms, product documents, service instructions, etc. applicable to the service you ordered). At the end of the buffer period, Alibaba Cloud will delete all user business data, including all cached or backup copies, and will no longer retain any of your user business data ... Once the user's business data is deleted, it cannot be recovered; You should bear the consequences and responsibilities arising from the deletion of data. You understand and agree that Alibaba Cloud has no obligation to continue to retain, export or return user business data.</blockquote>




16. '''What happens to our data should you go out of business or suffer a catastrophic event?'''
16. '''What happens to our data should you go out of business or suffer a catastrophic event?'''


It's not publicly clear how Alibaba would handle your data should they go out of business; consult with an Alibaba representative about this topic. As for catastrophic events, Alibaba's Object Storage Service (OSS) is based on zone-redundant storage (ZRS). "ZRS distributes user data across three zones within the same region. Even if one zone becomes unavailable, the data is still accessible. The ZRS feature can provide data durability (designed for) of 99.9999999999% (twelve 9's) and service availability of 99.995%."<ref name="AlibabaDisaster20">{{cite web |url=https://www.alibabacloud.com/help/doc-detail/172497.htm?spm=a2c63.p38356.879954.7.1d2b458bXokz2K |title=Disaster recovery |publisher=Alibaba Cloud |date=17 September 2020 |accessdate=25 April 2021}}</ref> It's highly unlikely that all three zones would be affected in an catastrophic event. However, if this is a concern, discuss further data redundancy with an Alibaba representative.  
It's not publicly clear how Alibaba would handle your data should they go out of business; consult with an Alibaba representative about this topic. As for catastrophic events, Alibaba's Object Storage Service (OSS) is based on zone-redundant storage (ZRS). "ZRS distributes user data across three zones within the same region. Even if one zone becomes unavailable, the data is still accessible. The ZRS feature can provide data durability (designed for) of 99.9999999999% (twelve 9's) and service availability of 99.995%."<ref name="AlibabaDisaster20">{{cite web |url=https://www.alibabacloud.com/help/en/oss/support/disaster-recovery |title=Disaster recovery |publisher=Alibaba Cloud |date=17 May 2023 |accessdate=28 July 2023}}</ref> It's highly unlikely that all three zones would be affected in an catastrophic event. However, if this is a concern, discuss further data redundancy with an Alibaba representative.  




17. '''Can we use your interface to extract our data when we want, and in what format will it be?'''
17. '''Can we use your interface to extract our data when we want, and in what format will it be?'''


Alibaba doesn't make it 100 percent publicly clear how data migration from Alibaba to another cloud service would work. However, they do outline [https://www.alibabacloud.com/help/doc-detail/125233.htm?spm=a2c65.11461447.0.0.795e3458wkZ4BB several other data migration scenarios], including the scenario of [https://www.alibabacloud.com/blog/trouble-free-cloud-migration-4-migrate-data-from-alibaba-cloud-to-on-premises-systems_594528 migrating from Alibaba Cloud to an on-premises system]. It's unclear whether or not a third-party cloud transfer service (e.g., [https://www.cloudsfer.com/supported-systems/alibaba-cloud/ Cloudsfer]) would be required or useful when moving from Alibaba Cloud to another cloud service. In the end, if there are still questions on this topic, discuss it with an Alibaba representative.
Alibaba doesn't make it 100 percent publicly clear how data migration from Alibaba to another cloud service would work. However, they do outline [https://www.alibabacloud.com/help/en/dts/user-guide/overview-of-data-migration-scenarios several other data migration scenarios], including the scenario of [https://www.alibabacloud.com/blog/trouble-free-cloud-migration-4-migrate-data-from-alibaba-cloud-to-on-premises-systems_594528 migrating from Alibaba Cloud to an on-premises system]. It's unclear whether or not a third-party cloud transfer service would be required or useful when moving from Alibaba Cloud to another cloud service. In the end, if there are still questions on this topic, discuss it with an Alibaba representative.




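Review bot: The citation in the answer to question 15 now points to the Terms of Service (dated 20 January 2023) but keeps ref name="AlibabaMachine19", which described the Machine Translation service agreement it replaced. Rename the ref to match the new source and update any other uses of that name. The sentence introducing the blockquote also still ends without a colon, and "an catastrophic event" in the answer to question 16 is carried over uncorrected on the new side.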
Line 149: Line 151:


It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with an Alibaba representative.
It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with an Alibaba representative.
==Managed security services==
Alibaba Cloud Managed Security Service is described by Alibaba as "a security technology and consulting service designed to establish, and optimize, security protection systems so that users can ensure the security of their business on the cloud."<ref name="AlibabaMSS">{{cite web |url=https://www.alibabacloud.com/product/mss |title=Managed Security Service |publisher=Alibaba Cloud |accessdate=28 July 2023}}</ref> The company primarily touts managed detection and response, security assessment, and security hardening as part of its MSS. This includes<ref name="AlibabaMSS" />:
* '''Managed detection and response''': overall security consulting, security monitoring and inspection, incident response, and cloud application and hardware configuration
* '''Security assessment''': online assessment and scanning of current security system, data analysis from that assessment and scanning, and reporting of data and recommendations
* '''Security hardening''': reinforcement range confirmation, hardening plan development, and plan implementation and testing


==Additional information==
==Additional information==
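Review bot: The new "==Managed security services==" heading appears to start on the line immediately after the answer to question 18, with no blank line between them, unlike the spacing before "==Additional information==". Add the blank line. The section's only source is the vendor's own product page (AlibabaMSS), so keep the three bullets worded as what Alibaba says the service includes, as the opening sentence already does.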
Line 159: Line 169:
===External links===
===External links===
* [https://www.alibabacloud.com/architecture/index Alibaba Cloud architecture framework or description]
* [https://www.alibabacloud.com/architecture/index Alibaba Cloud architecture framework or description]
* [https://www.alibabacloud.com/product/mss Alibaba Cloud Managed Security Service]
* [https://www.alibabacloud.com/solutions/security Alibaba Cloud shared responsibility model]
* [https://www.alibabacloud.com/solutions/security Alibaba Cloud shared responsibility model]
* [https://www.alibabacloud.com/trust-center Alibaba Cloud trust center]
* [https://www.alibabacloud.com/trust-center Alibaba Cloud trust center]
Line 164: Line 175:
==References==
==References==
{{Reflist|colwidth=30em}}
{{Reflist|colwidth=30em}}
<!---Place all category tags here-->
[[Category:Cloud computing services]]
[[Category:Managed security services]]

Latest revision as of 14:37, 19 June 2024


Alibaba Cloud (also known as Aliyun) is a Chinese cloud computing company that provides public, private, hybrid, and multicloud solutions to enterprises, organizations, governments, and individuals. Alibaba has data centers primarily in China but also some outside of China, including North America, Europe, the Middle East, Australia, Japan, and other parts of the Asia Pacific region.[1] The company provides more than 100 different products and services representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, cloud communication, data analysis, media management, container and middleware management, developer support, internet of things, and artificial intelligence.[2]

In May 2023, the company approved the spin-off of its cloud division, the Cloud Intelligence Group, "via a stock dividend distribution to shareholders, aiming to complete the public listing within the next 12 months."[3][4]

Provider research

This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide Choosing and Implementing a Cloud-based Service for Your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.


1. What experience do you have working with laboratory customers in our specific industry?

You must ask the cloud provider this question yourself to gain a true understanding of how they may have worked with labs in your industry. However, here's a little background on Alibaba's connections with laboratories in general, based on publicly available information. According to Alibaba Cloud, their services have received "regular and stringent evaluations" by the China National Accreditation Service for Conformity Assessment (CNAS) and its accredited body the State Information Center Software Testing Center.[5] CNAS is known to be the same accreditation body that is also responsible for the accreditation of laboratories in China.[6] This in itself doesn't mean Alibaba has strong experience working with laboratories, but it is nonetheless encouraging—particularly if CNAS accreditation is rigorous—that Alibaba has seemingly been vetted by CNAS. As for direct experience with laboratories, Alibaba reportedly had interactions with some laboratories as part of a COVID-19 initiative in 2020.[7] Laboratories that do or at some point have worked off Alibaba Cloud as part of their tech stack include Anbison Laboratories[8] and BGI Genomics[9].


2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?

Like question one, it will ultimately be up to your organization to get an answer tailored to your systems and business processes. However, this much can be said about Alibaba integrations. The company provides a Data Integration product described as "a stable, efficient, and scalable data synchronization service. It is designed to migrate and synchronize data between various heterogeneous data sources in complex network environments at a high speed and in a stable manner." This appears to be primarily for data synchronization among supported structured, semi-structured, and unstructured data stores, not data consumption.[10] Consult their documentation on data integration for more details. Alibaba also discusses hybrid integration of your organization's backend systems here, and the company leans on its Elastic Compute Service, Server Load Balancer, Express Connect, and Virtual Private Cloud to do this. The company also provides a one-page sheet explaining how it handles backend system integration. Again, your existing systems and business processes may need to be altered slightly to work with Alibaba's services, which is why you'll be asking this question.


3. What is the average total historical downtime for the service(s) we're interested in?

Little public information is made available about historic outages and downtime. You'll largely have to ask this of Alibaba and see what response they give you. Alibaba has demonstrated a desire to increase availability in multiple areas of its services, including a push to "99.995 percent availability for services deployed across multiple availability zones within a cloud region" and "99.975 percent for single instances."[11] You may wish to consult Alibaba Cloud's lengthy whitepaper on the architecture and availability of its solutions. That said, outages have been reported in 2015[12], 2019[13], and 2022.[14]


4. Do we receive comprehensive downtime support in the case of downtime?

Alibaba does not make this answer clear. However, the answer is likely tied to what after-sales support plan you choose. Confirm with Alibaba what downtime support they provide based on the services your organization is interested in.


5. Where are your servers located, and how is data securely transferred to and from those servers?

Alibaba has data centers primarily in China but also some outside of China, including North America, Europe, the Middle East, Australia, Japan, and other parts of the Asia Pacific region. Alibaba uses its Content Delivery Network, which "distributes user requests to the most suitable nodes, allowing the fastest possible retrieval of requested content."[1] Alibaba addresses data transmission security in its security whitepaper on pages 133 (in regards to its cryptographic service) and 163 (in regards to the entire service), mentioning the standard trifecta of HTTPS, VPN gateways, and SSL certificates. In regards to data localization requirements, it's not clear how Alibaba honors those requirements on a superficial level; you'll have to have direct discussions with Alibaba and review their compliance materials in regards to any data localization requirements you may have. Tangentially, a 2020 report stated that Alibaba finds data localization requirements in regulatory models such as Europe's General Data Protection Regulation (GDPR) to be too stifling and has been petitioning the Chinese government to take a more light-handed approach to data localization.[15] Despite this, China has marched ahead with its data localization requirements into 2023, causing some multinational organizations to rethink their market strategy.[16]


6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?

Alibaba discusses personnel management in regards to physical data security in its security whitepaper on pages 15–18. However, it does not reference the certifications and training required for those who have permission to access your data. (Though certifications like the ACA Cloud Security Certification apparently exist.) You will have to inquire with Alibaba about these considerations when asking this question.


7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?

Not all Alibaba machines have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data.


8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)

It does not appear that Alibaba supports physical separation approaches to sensitive and regulated data. They cite "a higher cost structure and lower utilization resulting from less efficient use of space as well as limited redundancy options and features" in regards to physical separation practices. They argue that logical separation is a better approach "via logical access controls, permission management, network traffic routing, and encryption." They add that uses needing to meet "security outcomes equivalent to physical separation" can also take advantage of a virtual private cloud "or use encryption solutions to encrypt data at-rest and in-transit."[17]

Alibaba does, however, address the concept of tenant isolation in its security whitepaper in multiple places. Tenant isolation is enabled by default on Alibaba. This is largely accomplished with virtualization methods. Reference section 5.1.3.1 of the whitepaper for more details. Further technical details, if required, may be garnered in discussion with Alibaba.


9. Do you have documented data security policies?

Alibaba documents its security practices in several places:

Some security-related documents, like the SOC 2 report, may not be publicly available, requiring direct discussion with an Alibaba representative to obtain them.


10. How do you test your platform's security?

In its security whitepaper, Alibaba addresses penetration testing (page 27), noting they use "attack-and-defense drills ... designed to objectively test the defense and threat detection capabilities of Alibaba Cloud, enhance the core security capabilities of Alibaba Cloud, and improve the security defense system."[18] For more on these drills, discuss the topic with Alibaba. There are other scattered pieces of information related to non-Alibaba personnel testing the platform. For example, an Alibaba user can apply for a license to conduct penetration tests for Alibaba Cloud products.[19] Alibaba also appears to have had a Crowdsourced Security Testing program[20], but much of the documentation about the program seems to have gone missing from the Alibaba Cloud site. A page detailing how to register for the program also disappeared[21], and as such, it's not clear how active the program is today. A related set of vulnerability rewards programs, encouraging people to test Alibaba's security, may also still be available through the Alibaba Security Response Center.


11. What are your policies for security audits, intrusion detection, and intrusion reporting?

Audits: Alibaba cooperates "with independent third-party security regulation and audit agencies to audit and evaluate the security and compliance stance of Alibaba Cloud."[18] This is demonstrated by its compliance credentials (e.g., see pages 6–10 of the company's security whitepaper or its trust center). Alibaba also provides tools to customers (e.g., Cloud Config) allowing them to run their own security audits on their own data.[18][22]

Intrusion detection and reporting: Alibaba Cloud allows users to install a small app called Security Center on their virtual machines (VMs) that can handle intrusion detection in real time. Per the security whitepaper, "intrusion detection for VMs includes remote logon detection, Webshell detection and removal, anomaly detection (detection of abnormal process behaviors and abnormal network connections), and detection of changes in key files and suspicious accounts in systems and applications. Security Center can also intelligently learn application whitelists." This same app can also be used with Alibaba's Container Service. Intrusion detection services are also found within Alibaba's Cloud Firewall.[18] In the case of Cloud Firewall, reporting is included.[23] Reporting is presumably also a component of Security Center; confirm this with Alibaba.


12. What data logging information is kept and acted upon in relation to our data?

Mentions of a "central logging platform" are made in both the company's security whitepaper and its SOC 3 report. The SOC 3 report in particular says this[24]:

Logs of activities performed on the cloud platform collected through the central logging platform are imported into real-time and offline computing platforms. Logs are processed and analysed through security monitoring algorithms in each computing platform for anomaly analysis and detection.

It's not clear, however, to what extent logging information is stored and acted upon in regards to a specific customer. Discuss this topic further with an Alibaba representative.


13. How thorough are those logs and can we audit them on-demand?

Presumably, any logging related to Cloud Config, Security Center, Cloud Firewall, etc. is available to authorized users, though the fine details of this should be confirmed with Alibaba. In regards to auditing internal operation logs, Alibaba has this to say[18]:

Although Alibaba Cloud has obtained industry-leading third-party compliance certifications, efforts must also be made to give users the confidence that their data and resources are properly protected and managed within the cloud platform. To this end, Alibaba Cloud provides the ability to make relevant internal operations transparent to the users by providing internal operation logs in selected products (such as OSS). This allows users to monitor and audit internal cloud platform operations when using Alibaba Cloud products.


14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?

Yes, Alibaba will sign a business associate agreement.[25] Consult their HIPAA whitepaper for more details on their approach to HIPAA compliance.


15. What happens to our data should the contract expire or be terminated?

Direct your attention to the service agreement associated with the product you use. Some service agreements for particular products are available in the Alibaba Cloud Document Center, while others may be difficult to track down. If you can't find the details of a service agreement for the product you're interested in, address this with an Alibaba representative. That said, here's an example from the Alibaba Terms of Service[26]

When the service period expires, the service is terminated in advance (including early termination agreed by both parties, early termination due to other reasons, etc.) or you have arrears, unless otherwise specified by laws and regulations, required by the competent department or agreed by both parties, Alibaba Cloud will only continue to store your user business data (if any) within a certain buffer period (subject to the time limit specified in the proprietary terms, product documents, service instructions, etc. applicable to the service you ordered). At the end of the buffer period, Alibaba Cloud will delete all user business data, including all cached or backup copies, and will no longer retain any of your user business data ... Once the user's business data is deleted, it cannot be recovered; You should bear the consequences and responsibilities arising from the deletion of data. You understand and agree that Alibaba Cloud has no obligation to continue to retain, export or return user business data.


16. What happens to our data should you go out of business or suffer a catastrophic event?

It's not publicly clear how Alibaba would handle your data should they go out of business; consult with an Alibaba representative about this topic. As for catastrophic events, Alibaba's Object Storage Service (OSS) is based on zone-redundant storage (ZRS). "ZRS distributes user data across three zones within the same region. Even if one zone becomes unavailable, the data is still accessible. The ZRS feature can provide data durability (designed for) of 99.9999999999% (twelve 9's) and service availability of 99.995%."[27] It's highly unlikely that all three zones would be affected in a catastrophic event. However, if this is a concern, discuss further data redundancy with an Alibaba representative.


17. Can we use your interface to extract our data when we want, and in what format will it be?

Alibaba doesn't make it 100 percent publicly clear how data migration from Alibaba to another cloud service would work. However, they do outline several other data migration scenarios, including the scenario of migrating from Alibaba Cloud to an on-premises system. It's unclear whether or not a third-party cloud transfer service would be required or useful when moving from Alibaba Cloud to another cloud service. In the end, if there are still questions on this topic, discuss it with an Alibaba representative.


18. Are your support services native or outsourced/offshored?

It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with an Alibaba representative.

Managed security services

Alibaba Cloud Managed Security Service is described by Alibaba as "a security technology and consulting service designed to establish, and optimize, security protection systems so that users can ensure the security of their business on the cloud."[28] The company primarily touts managed detection and response, security assessment, and security hardening as part of its MSS. This includes[28]:

  • Managed detection and response: overall security consulting, security monitoring and inspection, incident response, and cloud application and hardware configuration
  • Security assessment: online assessment and scanning of current security system, data analysis from that assessment and scanning, and reporting of data and recommendations
  • Security hardening: reinforcement range confirmation, hardening plan development, and plan implementation and testing


References

  1. "Alibaba Cloud's Global Infrastructure". Alibaba Cloud. https://www.alibabacloud.com/global-locations. Retrieved 28 July 2023.
  2. "Alibaba Cloud Products & Services". Alibaba Cloud. https://www.alibabacloud.com/product. Retrieved 28 July 2023. 
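  3. Wulhelm, A. (18 May 2023). "Alibaba’s cloud spinoff may serve as a good yardstick to value other major players". Tech Crunch. https://techcrunch.com/2023/05/18/alibaba-cloud-spin-off-analysis/. Retrieved 28 July 2023.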
  4. Mahta, C.; Horwitz, J. (18 May 2023). "Alibaba misses revenue estimate, approves cloud unit spinoff". Reuters. https://www.reuters.com/business/retail-consumer/alibaba-fourth-quarter-revenue-rises-2-2023-05-18/. Retrieved 28 July 2023. 
  5. "CNAS". Alibaba Cloud. https://www.alibabacloud.com/trust-center/cnas. Retrieved 28 July 2023. 
  6. "CNAS Introduction". China National Accreditation Service for Conformity Assessment. https://www.cnas.org.cn/english/introduction/12/718683.shtml. Retrieved 28 July 2023. 
  7. "Alibaba Cloud Offers AI, Cloud Services to Help Battle Covid-19 Globally". Alibaba Cloud. 19 March 2020. https://www.alibabacloud.com/press-room/alibaba-cloud-ai-cloud-services-to-help-battle-covid-19. Retrieved 28 July 2023. 
  8. "Anbison Laboratories". ZoomInfo. https://www.zoominfo.com/c/anbison-laboratories-co-ltd/345850572. Retrieved 28 July 2023. 
  9. "Unleashing the Power of Precision Medicine Using the Hybrid Cloud" (PDF). Intel. 2016. Archived from the original on 09 April 2021. https://web.archive.org/web/20210409184731/https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unleashing-power-of-precision-medicine-hybrid-cloud-paper.pdf. Retrieved 28 July 2023. 
  10. "Data Integration: Overview". Alibaba Cloud. 10 April 2023. https://www.alibabacloud.com/help/en/dataworks/user-guide/overview-6. Retrieved 28 July 2023. 
  11. Mah, P. (2 January 2020). "Alibaba Cloud upgrades SLA for multi-zone instances". Data Center Dynamics. https://www.datacenterdynamics.com/en/news/alibaba-cloud-upgrades-sla-multi-zone-instances/. Retrieved 28 July 2023. 
  12. Mah, P. (26 June 2015). "Aliyun cloud suffers prolonged disruption in Hong Kong". Data Center Dynamics. https://www.datacenterdynamics.com/en/news/aliyun-cloud-suffers-prolonged-disruption-in-hong-kong/. Retrieved 28 July 2023. 
  13. Fu, Y. (3 March 2019). "Alibaba Cloud Reports IO Hang Error in North China". EqualOcean. https://equalocean.com/news/201903031507. Retrieved 28 July 2023. 
  14. Liao, R. (29 December 2022). "Alibaba CEO to oversee cloud arm following major server outage". TechCrunch. https://techcrunch.com/2022/12/29/alibaba-reshuffle-2022/. Retrieved 28 July 2023. 
  15. Lu, X. (4 June 2020). "Is China Changing Its Thinking on Data Localization?". The Diplomat. https://thediplomat.com/2020/06/is-china-changing-its-thinking-on-data-localization/. Retrieved 28 July 2023. 
  16. Cline, J. (25 October 2022). "China’s new data-transfer mandate prompting multinationals to rethink market strategy". PwC. https://www.pwc.com/us/en/tech-effect/cybersecurity/security-assessments-for-china-cross-border-data-transfers.html. Retrieved 28 July 2023. 
  17. "Security Compliance FAQs". Alibaba Cloud. https://www.alibabacloud.com/trust-center/faq. Retrieved 28 July 2023. 
  18. "Alibaba Cloud Security White Paper - International Edition, Version 2.1" (PDF). Alibaba Cloud. February 2021. https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf. Retrieved 28 July 2023.
  19. "Apply for a penetration test license". Alibaba Cloud. 6 March 2019. https://www.alibabacloud.com/help/en/security-control/latest/apply-for-a-penetration-test-license. Retrieved 28 July 2023. 
  20. "Alibaba Cloud Crowdsourced Security Testing" (PDF). Alibaba Cloud. 16 May 2019. http://static-aliyun-doc.oss-cn-hangzhou.aliyuncs.com/download/pdf/DNXIAN1846009_en-US_intl_190516194424_public_8c46d47183231dcdd2ff90881a425617.pdf. Retrieved 28 July 2023. 
  21. "Crowdsourced security testing platform procedure for enterprises". Alibaba Cloud. 13 January 2020. Archived from the original on 10 April 2021. https://web.archive.org/web/20210101000000*/https://www.alibabacloud.com/help/doc-detail/28394.html. Retrieved 28 July 2023. 
  22. "Cloud Config". Alibaba Cloud. https://www.alibabacloud.com/product/cloud-config. Retrieved 28 July 2023. 
  23. Kaushik, S. (27 January 2021). "Alibaba Cloud Firewall: The Next-Gen Firewall as a Service". Medium. https://alibaba-cloud.medium.com/alibaba-cloud-firewall-the-next-gen-firewall-as-a-service-836f524d8392. Retrieved 28 July 2023. 
  24. "System and Organization Controls 3 Report Report on Alibaba Cloud’s Cloud Services System" (PDF). Alibaba Cloud. 1 November 2018. https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/video/Alibaba%20Cloud_%20SOC3_Report%20_EN_Final.pdf. Retrieved 28 July 2023. 
  25. "HIPAA/HITECH". Alibaba Cloud. https://www.alibabacloud.com/trust-center/hipaa. Retrieved 28 July 2023. 
  26. "Terms of Services". Alibaba Cloud. 20 January 2023. https://www.alibabacloud.com/help/en/advisor/latest/terms-of-service. Retrieved 28 July 2023. 
  27. "Disaster recovery". Alibaba Cloud. 17 May 2023. https://www.alibabacloud.com/help/en/oss/support/disaster-recovery. Retrieved 28 July 2023. 
  28. "Managed Security Service". Alibaba Cloud. https://www.alibabacloud.com/product/mss. Retrieved 28 July 2023.