Portfolio:Alibaba Cloud
Research
This section uses public information to provide some answers to the 18 questions posed in Chapter 5 of the wiki-based guide Choosing and Implementing a Cloud-based Service for your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.
1. What experience do you have working with laboratory customers in our specific industry?
This question must be asked of the cloud provider yourself to gain a true understanding of how they may have worked with labs in your industry. However, here's a little background on Alibaba's connections with laboratories in general, based on publicly available information. According to Alibaba Cloud, their services have received "regular and stringent evaluations" by the China National Accreditation Service for Conformity Assessment (CNAS) and its accredited body, the State Information Center Software Testing Center.[1] CNAS is the same accreditation body that is also responsible for the accreditation of laboratories in China.[2] This in itself doesn't mean Alibaba has strong experience working with laboratories, but it is nonetheless encouraging—particularly if CNAS accreditation is rigorous—that Alibaba has seemingly been vetted by CNAS. As for direct experience with laboratories, Alibaba reportedly had interactions with some laboratories as part of a COVID-19 initiative in 2020.[3] Laboratories that use or have at some point used Alibaba Cloud as part of their tech stack include Anbison Laboratories[4] and BGI Genomics.[5]
2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?
Like question one, it will ultimately be up to your organization to get an answer tailored to your systems and business processes. However, this much can be said about Alibaba integrations. The company provides a Data Integration product described as "a stable, efficient, and scalable data synchronization service. It is designed to migrate and synchronize data between a wide range of heterogeneous data stores fast and stably in complex network environments." This appears to be primarily for data synchronization among supported structured, semi-structured, and unstructured data stores, not data consumption.[6] Consult their documentation on Data Integration for more details. Alibaba also discusses hybrid integration of your organization's backend systems in its documentation, leaning on its Elastic Compute Service, Server Load Balancer, Express Connect, and Virtual Private Cloud to do this. The company also provides a one-page sheet explaining how it handles backend system integration. Again, your existing systems and business processes may need to be altered slightly to work with Alibaba's services, which is why you'll be asking this question.
3. What is the average total historical downtime for the service(s) we're interested in?
Little public information is available about historic outages and downtime; you'll largely have to ask Alibaba and see what response they give you. Alibaba has demonstrated a desire to increase availability in multiple areas of its services, including a push to "99.995 percent availability for services deployed across multiple availability zones within a cloud region" and "99.975 percent for single instances."[7] You may wish to consult Alibaba Cloud's lengthy whitepaper on the architecture and availability of its solutions. That said, outages have been reported in 2015[8] and 2019.[9]
4. Do we receive comprehensive downtime support in the case of downtime?
Alibaba does not make this answer clear. However, the answer is likely tied to the after-sales support plan you choose. Confirm with Alibaba what downtime support they provide for the services your organization is interested in.
5. Where are your servers located, and how is data securely transferred to and from those servers?
Alibaba has data centers primarily in China but also some outside of China, including North America, Europe, the Middle East, Australia, Japan, and other parts of the Asia Pacific region. Alibaba uses its Content Delivery Network, which "distributes user requests to the most suitable nodes, allowing the fastest possible retrieval of requested content."[10] Alibaba addresses data transmission security in its security whitepaper on pages 133 (in regards to its cryptographic service) and 163 (in regards to the entire service), mentioning the standard trifecta of HTTPS, VPN gateways, and SSL certificates. In regards to data localization requirements, on a superficial level it's not clear how Alibaba honors those requirements; you'll have to have direct discussions with Alibaba and review their compliance materials regarding any data localization requirements you may have. Tangentially, a 2020 report stated that Alibaba finds data localization requirements in regulatory models such as Europe's General Data Protection Regulation (GDPR) to be too stifling and has been petitioning the Chinese government to take a more light-handed approach to data localization.[11]
6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?
Alibaba discusses personnel management in regards to physical data security in its security whitepaper on pages 15–18. However, it does not reference the certifications and training required for those who have permission to access your data. (Though certifications like the ACA Cloud Security Certification apparently exist.) You will have to inquire with Alibaba about these considerations when asking this question.
7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?
Not all Alibaba machines have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data.
8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)
It does not appear that Alibaba supports physical separation approaches to sensitive and regulated data. They cite "a higher cost structure and lower utilization resulting from less efficient use of space as well as limited redundancy options and features" in regards to physical separation practices. They argue that logical separation is a better approach "via logical access controls, permission management, network traffic routing, and encryption." They add that users needing to meet "security outcomes equivalent to physical separation" can also take advantage of a virtual private cloud "or use encryption solutions to encrypt data at-rest and in-transit."[12]
Alibaba does, however, address the concept of tenant isolation in its security whitepaper in multiple places. Tenant isolation is enabled by default on Alibaba. This is largely accomplished with virtualization methods. Reference section 5.1.3.1 of the whitepaper for more details. Further technical details, if required, may be garnered in discussion with Alibaba.
9. Do you have documented data security policies?
Alibaba documents its security practices in several places:
Some security-related documents, like the SOC 2 report, may not be publicly available, requiring direct discussion with an Alibaba representative to obtain them.
10. How do you test your platform's security?
In its security whitepaper, Alibaba addresses penetration testing (page 27), noting they use "attack-and-defense drills ... designed to objectively test the defense and threat detection capabilities of Alibaba Cloud, enhance the core security capabilities of Alibaba Cloud, and improve the security defense system."[13] For more on these drills, discuss the topic with Alibaba. There are other scattered pieces of information related to non-Alibaba personnel testing the platform. For example, an Alibaba user can apply for a license to conduct penetration tests for Alibaba Cloud products.[14] Alibaba also appears to have had a Crowdsourced Security Testing program[15], but much of the documentation about the program seems to have gone missing from the Alibaba Cloud site. A page detailing how to register for the program still exists[16], but it's not clear how active the program is today. A related set of vulnerability rewards programs, encouraging people to test Alibaba's security, may also still be available through the Alibaba Security Response Center.
11. What are your policies for security audits, intrusion detection, and intrusion reporting?
Audits: Alibaba cooperates "with independent third-party security regulation and audit agencies to audit and evaluate the security and compliance stance of Alibaba Cloud."[13] This is demonstrated by its compliance credentials (e.g., see pages 6–10 of the company's security whitepaper or its trust center). Alibaba also provides tools to customers (e.g., Cloud Config) allowing them to run their own security audits on their own data.[13][17]
Intrusion detection and reporting: Alibaba Cloud allows users to install a small app called Security Center on their virtual machines (VMs) that can handle intrusion detection in real time. Per the security whitepaper, "intrusion detection for VMs includes remote logon detection, Webshell detection and removal, anomaly detection (detection of abnormal process behaviors and abnormal network connections), and detection of changes in key files and suspicious accounts in systems and applications. Security Center can also intelligently learn application whitelists." This same app can also be used with Alibaba's Container Service. Intrusion detection services are also found within Alibaba's Cloud Firewall.[13] In the case of Cloud Firewall, reporting is included.[18] Reporting is presumably also a component of Security Center; confirm this with Alibaba.
12. What data logging information is kept and acted upon in relation to our data?
Mentions of a "central logging platform" are made in both the company's security whitepaper and its SOC 3 report. The SOC 3 report in particular says this[19]:
Logs of activities performed on the cloud platform collected through the central logging platform are imported into real-time and offline computing platforms. Logs are processed and analysed through security monitoring algorithms in each computing platform for anomaly analysis and detection.
It's not clear, however, to what extent logging information is stored and acted upon in regards to a specific customer. Discuss this topic further with an Alibaba representative.
13. How thorough are those logs and can we audit them on-demand?
Presumably, any logging related to Cloud Config, Security Center, Cloud Firewall, etc. is available to authorized users, though the fine details of this should be confirmed with Alibaba. In regards to auditing internal operation logs, Alibaba has this to say[13]:
Although Alibaba Cloud has obtained industry-leading third-party compliance certifications, efforts must also be made to give users the confidence that their data and resources are properly protected and managed within the cloud platform. To this end, Alibaba Cloud provides the ability to make relevant internal operations transparent to the users by providing internal operation logs in selected products (such as OSS). This allows users to monitor and audit internal cloud platform operations when using Alibaba Cloud products.
14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?
Yes, Alibaba will sign a business associate agreement.[20] Consult their HIPAA whitepaper for more details on their approach to HIPAA compliance.
15. What happens to our data should the contract expire or be terminated?
Direct your attention to the service agreement associated with the product you use. Some service agreements for particular products are available in the Alibaba Cloud Document Center, while others may be difficult to track down. If you can't find the details of a service agreement for the product you're interested in, address this with an Alibaba representative. That said, here's an example from the service agreement for Alibaba's Machine Translation product[21]:
When the service period expires, the service is terminated in advance (including early termination after the Parties have so agreed, early termination due to other reasons, etc.) or when you are in arrears, except as otherwise expressly required by applicable laws and regulations, required by a competent authority or agreed to by the Parties, Alibaba Cloud will only continue to store your user business data (if any) within a certain buffer period (subject to the time limit stated in the special terms, product documentation, and service descriptions applicable to the service that you ordered). Upon expiration of the buffer period, Alibaba Cloud will delete all user business data, including all cached or backup copies, and will not retain any of your user business data ... Once the user business data is deleted, it cannot be recovered; you shall assume the consequences and responsibilities resulting from the deletion of such data. You understand and agree that Alibaba Cloud has no obligation to continue to retain, export, or return the user business data.
16. What happens to our data should you go out of business or suffer a catastrophic event?
It's not publicly clear how Alibaba would handle your data should they go out of business; consult with an Alibaba representative about this topic. As for catastrophic events, Alibaba's Object Storage Service (OSS) is based on zone-redundant storage (ZRS). "ZRS distributes user data across three zones within the same region. Even if one zone becomes unavailable, the data is still accessible. The ZRS feature can provide data durability (designed for) of 99.9999999999% (twelve 9's) and service availability of 99.995%."[22] It's highly unlikely that all three zones would be affected in a catastrophic event. However, if this is a concern, discuss further data redundancy with an Alibaba representative.
17. Can we use your interface to extract our data when we want, and in what format will it be?
Alibaba doesn't make it 100 percent publicly clear how data migration from Alibaba to another cloud service would work. However, they do outline several other data migration scenarios, including the scenario of migrating from Alibaba Cloud to an on-premises system. It's unclear whether or not a third-party cloud transfer service (e.g., Cloudsfer) would be required or useful when moving from Alibaba Cloud to another cloud service. In the end, if there are still questions on this topic, discuss it with an Alibaba representative.
18. Are your support services native or outsourced/offshored?
It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with an Alibaba representative.
Documentation and other media
External links
- Alibaba Cloud trust center
- Alibaba Cloud shared responsibility model
- Alibaba Cloud architecture framework or description
References
1. "CNAS". Alibaba Cloud. https://www.alibabacloud.com/trust-center/cnas. Retrieved 09 April 2021.
2. "CNAS Introduction". China National Accreditation Service for Conformity Assessment. https://www.cnas.org.cn/english/introduction/12/718683.shtml. Retrieved 09 April 2021.
3. "Alibaba Cloud Offers AI, Cloud Services to Help Battle Covid-19 Globally". Alibaba Cloud. 19 March 2020. https://www.alibabacloud.com/press-room/alibaba-cloud-ai-cloud-services-to-help-battle-covid-19. Retrieved 09 April 2021.
4. "Anbison Laboratories". ZoomInfo. https://www.zoominfo.com/c/anbison-laboratories-co-ltd/345850572. Retrieved 09 April 2021.
5. "Unleashing the Power of Precision Medicine Using the Hybrid Cloud" (PDF). Intel. 2016. https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unleashing-power-of-precision-medicine-hybrid-cloud-paper.pdf. Retrieved 09 April 2021.
6. "Data Integration: Overview". Alibaba Cloud. 21 January 2021. https://www.alibabacloud.com/help/doc-detail/137663.htm?spm=a3c0i.11348557.6020378220.1.60adb272D4vsN7. Retrieved 09 April 2021.
7. Mah, P. (2 January 2020). "Alibaba Cloud upgrades SLA for multi-zone instances". Data Center Dynamics. https://www.datacenterdynamics.com/en/news/alibaba-cloud-upgrades-sla-multi-zone-instances/. Retrieved 09 April 2021.
8. Mah, P. (26 June 2015). "Aliyun cloud suffers prolonged disruption in Hong Kong". Data Center Dynamics. https://www.datacenterdynamics.com/en/news/aliyun-cloud-suffers-prolonged-disruption-in-hong-kong/. Retrieved 09 April 2021.
9. Fu, Y. (3 March 2019). "Alibaba Cloud Reports IO Hang Error in North China". EqualOcean. https://equalocean.com/news/201903031507. Retrieved 09 April 2021.
10. "Alibaba Cloud's Global Infrastructure". Alibaba Cloud. https://www.alibabacloud.com/global-locations. Retrieved 09 April 2021.
11. Lu, X. (4 June 2020). "Is China Changing Its Thinking on Data Localization?". The Diplomat. https://thediplomat.com/2020/06/is-china-changing-its-thinking-on-data-localization/. Retrieved 09 April 2021.
12. "Security Compliance FAQs". Alibaba Cloud. https://www.alibabacloud.com/trust-center/faq. Retrieved 09 April 2021.
13. "Alibaba Cloud Security White Paper - International Edition, Version 2.1" (PDF). Alibaba Cloud. February 2021. https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf. Retrieved 10 April 2021.
14. "Apply for a penetration test license". Alibaba Cloud. 7 March 2019. https://www.alibabacloud.com/help/doc-detail/84443.htm. Retrieved 10 April 2021.
15. "Alibaba Cloud Crowdsourced Security Testing" (PDF). Alibaba Cloud. 16 May 2019. http://static-aliyun-doc.oss-cn-hangzhou.aliyuncs.com/download/pdf/DNXIAN1846009_en-US_intl_190516194424_public_8c46d47183231dcdd2ff90881a425617.pdf. Retrieved 10 April 2021.
16. "Crowdsourced security testing platform procedure for enterprises". Alibaba Cloud. 13 January 2020. https://www.alibabacloud.com/help/doc-detail/28394.html. Retrieved 10 April 2021.
17. "Cloud Config". Alibaba Cloud. https://www.alibabacloud.com/product/cloud-config. Retrieved 10 April 2021.
18. Kaushik, S. (27 January 2021). "Alibaba Cloud Firewall: The Next-Gen Firewall as a Service". Medium. https://alibaba-cloud.medium.com/alibaba-cloud-firewall-the-next-gen-firewall-as-a-service-836f524d8392. Retrieved 10 April 2021.
19. "System and Organization Controls 3 Report Report on Alibaba Cloud’s Cloud Services System" (PDF). Alibaba Cloud. 1 November 2018. https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/video/Alibaba%20Cloud_%20SOC3_Report%20_EN_Final.pdf. Retrieved 10 April 2021.
20. "HIPAA/HITECH". Alibaba Cloud. https://www.alibabacloud.com/trust-center/hipaa. Retrieved 10 April 2021.
21. "Machine Translation > Service Agreement". Alibaba Cloud. 15 May 2019. https://www.alibabacloud.com/help/doc-detail/96400.htm. Retrieved 10 April 2021.
22. "Disaster recovery". Alibaba Cloud. 17 September 2020. https://www.alibabacloud.com/help/doc-detail/172497.htm?spm=a2c63.p38356.879954.7.1d2b458bXokz2K. Retrieved 10 April 2021.