Huawei Cloud Security Solution Design

The document outlines the design of Huawei Cloud's security solutions, detailing the various security services offered across different layers including access, service, and data layers. It describes the shared responsibility model between Huawei Cloud and customers, emphasizing compliance with security standards and the importance of access control mechanisms. Additionally, it covers specific security features such as DDoS protection, Web Application Firewall (WAF), and Host Security Service (HSS) to safeguard cloud environments.


Cloud Security Solution Design

Foreword
⚫ This lesson describes how the Huawei Cloud security solution is designed. You will learn what security services Huawei Cloud provides and how they work for access layer, service layer, data layer, access control, and audit and tracking security.
Objectives
⚫ Upon completion of this course, you will:
 Be able to describe Huawei Cloud security services.
 Understand the security model of Huawei Cloud.
 Understand the functions and application scenarios of each security cloud service.
Contents
1. Huawei Cloud Security Services

2. Security Model

3. Access Layer Network Security

4. Application Security

5. Access Control Security

6. Data Layer Security

7. Audit, Tracking, and Incident Response

Huawei Cloud Security Services
⚫ Overview of the services, from the Internet down to the data layer:
 Access layer network security: Anti-DDoS, Advanced Anti-DDoS (AAD)
 Service layer security: Web Application Firewall (WAF) and Host Security Service (HSS), protecting Bare Metal Servers (BMS) and Elastic Cloud Servers (ECS)
 Data layer security: Cloud Certificate Manager (CCM), Data Encryption Workshop (DEW), and Database Security Service (DBSS), protecting Relational Database Service (RDS), Elastic Volume Service (EVS), Object Storage Service (OBS), and Scalable File Service (SFS)
 Access control security: Cloud Bastion Host (CBH) for O&M personnel and Identity and Access Management (IAM) for users
 Audit and tracking: Cloud Trace Service (CTS), SecMaster, and others
Systematic Security Design
⚫ Compliance standards
⚫ Network and application security
⚫ Access control
⚫ Data security
⚫ Audit and tracking
⚫ Physical infrastructure security
⚫ Incident response
Huawei Cloud Shared Responsibility Model
⚫ Huawei Cloud and customers share the responsibilities for the cloud environment. Specifically, Huawei Cloud is responsible for providing secure cloud services, and tenants are responsible for using the cloud services securely.
⚫ Customer responsibilities (security in the cloud):
 Data security: tenant data, client-side data encryption and data integrity authentication, server-side encryption (file system/data), and network traffic protection (encryption/integrity/identity).
 Custom configurations and tenant IAM.
 Application security: tenant applications.
 Platform security: tenant platform services.
⚫ Huawei Cloud responsibilities (security of the cloud):
 Application security: Huawei Cloud applications.
 Platform security: Huawei Cloud platform services (virtual networks, gateways, advanced protection, platforms, applications, data, identity management, key management, etc.) and Huawei Cloud IAM.
 Infrastructure security: infrastructure services (compute, storage, database, and network) and physical infrastructure (regions, AZs, and edge locations).
Security Compliance and Certification
⚫ ISO 27001, ISO 20000, ISO 27018, DJCP (MLPS)
⚫ SOC audit, PCI DSS, CAS-STAR Gold, Trusted Cloud Service
⚫ Cybersecurity Review by the Cyberspace Administration of China (CAC), International Common Criteria EAL3+ Certification
For more information, visit https://www.huaweicloud.com/intl/en-us/securecenter/compliance.html.
VPC Access Control: Security Group
⚫ A security group is a collection of access control rules for ECSs that have the same security requirements and are mutually trusted.
⚫ Security groups are stateful.
⚫ A default security group allows all outbound traffic, allows mutual access between the ECSs in the group, and denies all inbound traffic.
⚫ Both Allow and Deny rules are supported. A rule with a deny action overrides another with an allow action if the two rules have the same priority.
⚫ The source of a security group rule can be a single IP address, an IP address range, or a security group.
VPC Access Control: Security Group
⚫ Example of a three-tier layout:
 Website security group: port 80, source: 0.0.0.0/0
 Application security group: port 8080, source: website security group
 Database security group: port 3306, source: application security group
⚫ Use different security groups for different application layers.
⚫ Allow only specific protocols, ports, and sources.
⚫ Limit the number of security group rules.
VPC Access Control: Network ACL
⚫ A network ACL is an optional layer of security for your subnets. After you associate one or more subnets with a network ACL, you can control traffic in and out of the subnets.
⚫ There is no default network ACL.
⚫ A subnet can only be associated with one network ACL, but a network ACL can be associated with multiple subnets.
⚫ A network ACL is not used until it is associated with a subnet.
⚫ A network ACL is stateful.
⚫ Network ACL rules have priorities.
⚫ Default network ACL rules deny all inbound and outbound traffic.
(Diagram: a VPC router with Subnet 1 and Subnet 2, each associated with its own network ACL; the ECSs inside each subnet are additionally protected by security groups.)
Differences Between Security Groups and Network ACLs
⚫ Protection object
 Security group: ECSs
 Network ACL: Subnets
⚫ Action
 Security group: Allow rules are supported. Deny rules are supported in certain regions.
 Network ACL: Both Allow and Deny rules are supported.
⚫ Priority
 Security group: If there are conflicting rules, the first security group associated will take precedence over those associated later, then the rule with the highest priority in that security group will be applied first.
 Network ACL: If there are conflicting rules, only the rule with the highest priority takes effect.
⚫ Operation
 Security group: By default, a security group must be selected during ECS creation and the security group will be automatically applied to the ECS.
 Network ACL: You cannot select a network ACL when creating a subnet. You must create a network ACL, associate subnets with the network ACL, add inbound and outbound rules, and enable the network ACL. Then, the network ACL is applied to the associated subnets and ECSs in the subnets.
⚫ Packet filtering
 Security group: Only packet filtering based on 3-tuple (protocol, port, and peer IP address) is supported.
 Network ACL: Only packet filtering based on 5-tuple (protocol, source port, destination port, source IP address, and destination IP address) is supported.
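The two filtering layers above, modelled as an added example (not Huawei Cloud code): a network ACL on the subnet with 5-tuple rules where only the highest-priority match counts, and a security group on the ECS with 3-tuple rules where Deny beats Allow at equal priority and a source may be a CIDR or another group. The three-tier layout is the one from the slides; the priority numbering (1 = highest) and the sample addresses are assumptions.

```python
"""Model of VPC access control as described on the slides: network ACL
(subnet, 5-tuple, highest priority wins, default deny) in front of a
security group (ECS, 3-tuple, Deny overrides Allow at equal priority).
Added example; rule fields and priority numbering are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_group: Optional[str] = None  # security group of the sender, if known


@dataclass
class Rule:
    action: str                  # "allow" or "deny"
    protocol: str = "any"
    port: Optional[int] = None   # destination port; None = all ports
    source: str = "0.0.0.0/0"    # IP, CIDR, or security group name
    src_port: Optional[int] = None   # network ACL only
    dest: str = "0.0.0.0/0"      # destination CIDR, network ACL only
    priority: int = 100          # 1 is the highest priority (assumption)


def ip_in(cidr, ip):
    return ip_address(ip) in ip_network(cidr, strict=False)


def source_matches(source, pkt):
    """A source is either an address/CIDR or the name of a security group."""
    try:
        return ip_in(source, pkt.src_ip)
    except ValueError:
        return source == pkt.src_group


def rule_matches(rule, pkt, five_tuple):
    if rule.protocol not in ("any", pkt.protocol):
        return False
    if rule.port is not None and rule.port != pkt.dst_port:
        return False
    if not source_matches(rule.source, pkt):
        return False
    if five_tuple:  # network ACLs also match source port and destination IP
        if rule.src_port is not None and rule.src_port != pkt.src_port:
            return False
        if not ip_in(rule.dest, pkt.dst_ip):
            return False
    return True


def network_acl_decision(rules, pkt):
    """Only the matching rule with the highest priority takes effect;
    with no match the default rules deny."""
    hits = sorted((r for r in rules if rule_matches(r, pkt, True)),
                  key=lambda r: r.priority)
    return hits[0].action if hits else "deny"


def security_group_decision(rules, pkt):
    """Deny overrides Allow when both match at the same priority;
    otherwise the highest-priority match wins; no match means deny."""
    hits = [r for r in rules if rule_matches(r, pkt, False)]
    if not hits:
        return "deny"
    top = min(r.priority for r in hits)
    best = [r for r in hits if r.priority == top]
    return "deny" if any(r.action == "deny" for r in best) else "allow"


def inbound_decision(acl, sg, pkt):
    """Traffic reaches an ECS only if the subnet's network ACL and the
    ECS's security group both allow it."""
    if network_acl_decision(acl, pkt) == "deny":
        return "deny"
    return security_group_decision(sg, pkt)


# Three-tier layout from the slides: web <- Internet, app <- web SG, db <- app SG.
WEB_SG = [Rule("allow", "tcp", 80, "0.0.0.0/0")]
APP_SG = [Rule("allow", "tcp", 8080, "website-sg")]
DB_SG = [Rule("allow", "tcp", 3306, "application-sg")]
# Subnet ACL for the front-end subnet: block one constructed abusive range first.
FRONT_ACL = [
    Rule("deny", "tcp", 80, "198.51.100.0/24", priority=1),
    Rule("allow", "tcp", 80, "0.0.0.0/0", priority=10),
]
# Deny beats Allow at equal priority: SSH from 10.0.0.0/8 except 10.0.5.0/24.
SSH_SG = [
    Rule("allow", "tcp", 22, "10.0.0.0/8", priority=50),
    Rule("deny", "tcp", 22, "10.0.5.0/24", priority=50),
]
```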
Common Network Attacks: DDoS
⚫ DoS (Denial of Service) attacks are also called flood attacks. They are intended to exhaust the network or system resources on the target computer, causing service interruption or suspension. Consequently, legitimate users fail to access network services. When an attacker controls multiple compromised computers to launch attacks on the targeted server, this is called a Distributed Denial of Service (DDoS) attack.
⚫ DDoS attack types (network-layer, transport-layer, session-layer, and application-layer attacks):
 Network layer attack: Occupies the network bandwidth with volumetric traffic, causing your service to be unable to respond to legitimate access requests. Example: NTP flood attack.
 Transport layer attack: Occupies the connection resources of the server, resulting in denial of services. Examples: SYN flood attack, ACK flood attack, ICMP flood attack.
 Session layer attack: Occupies SSL session resources of the server, resulting in denial of services. Example: SSL slow connection attack.
 Application layer attack: Occupies the application processing resources of the server and consumes its processing performance, resulting in denial of services. Examples: HTTP GET flood attack and HTTP POST flood attack.
DDoS Protection Suggestions
⚫ Huawei Cloud:
 Blackhole policy: If a server (cloud host) is attacked by traffic beyond the protection capability, external network access to the server (cloud host) is blocked.
 The Cloud Native Anti-DDoS Basic Edition (Anti-DDoS) of Huawei Cloud provides users with 2 Gbit/s defense against DDoS attacks for free. Its maximum defense capacity is 5 Gbit/s.
 The network is provided by multiple carriers.
⚫ Customers:
 Minimize the attack surface.
 Use detection flexibly to distinguish attack behaviors from normal behaviors.
 Use Huawei Cloud anti-DDoS services to protect workloads.
 Implement detailed attack response plans.
 Report attack cases to the network monitoring department for evidence collection.
How Does Anti-DDoS Provide Protection?
⚫ Anti-DDoS monitors the service traffic from the Internet to public IP addresses to detect attack traffic in real time. It scrubs attack traffic based on preset defense policies without interrupting service running.
(Diagram: Internet traffic enters the data center; the detection center receives detection data from the Anti-DDoS detection point; on an attack, traffic is diverted to the traffic scrubbing center, abnormal traffic is dropped, and legitimate traffic is injected back to the servers; unprotected traffic passes directly to the servers.)
Advantages:
⚫ Real-time monitoring
⚫ High-quality bandwidth
⚫ Comprehensive and accurate IP address blacklist library
⚫ Per-packet detection and response in seconds
⚫ Enabled automatically
⚫ Free of charge
What Is AAD?
⚫ The Advanced Anti-DDoS (AAD) service uses high-defense IP addresses to proxy services for origin servers. All public network traffic is diverted to the high-defense IP addresses, and therefore user services on origin servers are protected against DDoS attacks.
⚫ AAD center architecture: users connect to the AAD center through multiple ISPs. The AAD nodes in the center perform Layer-4 scrubbing and Layer-7 scrubbing. The DNS service resolves www.xx.com to the high-defense address VIP 1 instead of the origin address IP 1. ① After scrubbing, traffic is routed to the web servers: load balancing in front of the cloud servers, which are the protected origin servers.
Anti-DDoS Layers
⚫ Use the various Huawei Cloud anti-DDoS services.
⚫ Use Huawei Cloud hosting services, Domain Name Service (DNS), Content Delivery Network (CDN), and Object Storage Service (OBS), as the first layer of defense.
⚫ Push the attack pressure layer by layer, best to CDN.
⚫ Deploy a typical sandwich-style WAF structure (ELB, WAF server, ELB, web server). Use security groups to protect nodes.
⚫ Protect expensive resources (RDS) using inexpensive resources (ECSs).
(Diagram: region cn-east-3, one VPC, AZ 1; only a single AZ is displayed. A subnet for external access holds an ELB and auto-scaled WAF servers, a front-end subnet holds an ELB and auto-scaled web servers, followed by an application subnet and a data subnet with the primary database.)
What Is WAF?
⚫ Web Application Firewall (WAF) examines website service traffic to identify malicious requests and unknown threats accurately and intelligently. It protects origin servers from attacks and intrusions and secures mission-critical data, keeping your website stable and secure.
WAF Application Scenarios
⚫ Standard protection:
 Data breaches: WAF prevents critical website data from being leaked due to injection attacks.
 Web shell detection: To maintain website credibility, WAF prevents web pages from being tampered with by web shells.
⚫ Protection for online promotions:
 CC attack protection: To ensure website availability, WAF blocks a large number of malicious requests.
⚫ Zero-day vulnerabilities:
 WAF updates the preset protection rules instantly after disclosure of new vulnerabilities to ensure service security and stability.
Note: To prevent security incidents, WAF should be deployed before services are put into use.
How WAF Works
• For WAF to work correctly, you need to connect your website to WAF on the WAF console. After that, all website access requests go to WAF first. Then, WAF inspects the traffic, filters out attacks, and routes only normal traffic to the origin server, keeping the origin server secure, stable, and available.
• The process of forwarding traffic from WAF to origin servers is called back-to-source. WAF uses back-to-source IP addresses to send client requests to the origin server. When a website is connected to WAF, the destination IP addresses seen by the client are the IP addresses of WAF, so that the origin server IP address is invisible to the client.
(Diagram: ① Website traffic from common users and attackers is routed to Huawei Cloud WAF; web attack traffic is blocked by the WAF engine cluster in the tenant VPC. ② Normal traffic is routed to the web servers, whether they are on Huawei Cloud or outside Huawei Cloud.)
How WAF and AAD Work Together
⚫ WAF and AAD defend against different types of attacks. AAD mainly defends against DDoS attacks (such as NTP flood and SYN flood attacks), while WAF mainly defends against web application attacks (such as SQL injection, cross-site scripting attacks, and web shells).
⚫ AAD + WAF build two layers of protection. If you configure AAD and WAF for a website, website traffic goes to AAD first. AAD scrubs incoming traffic and forwards clean traffic to WAF. WAF blocks attacks and forwards only the normal traffic to the origin server. In this way, two layers of protection are implemented for your website.
Traffic path: Browser/App → AAD → WAF → Origin server
What Is HSS?
⚫ Host Security Service (HSS) is designed to protect server workloads in hybrid clouds and multi-cloud data centers. It integrates server security, container security, and Web Tamper Protection (WTP) functions.
HSS Functions and Features (1)
1. Detects vulnerabilities in real time to identify risks.
2. Checks all the passwords, policies, and configurations to meet DJCP Multi-level Protection Scheme (MLPS) requirements.
3. Detects intrusions and reports alarms in real time.
HSS Functions and Features (2)
4. Automatically checks images and repositories for vulnerabilities, malicious files, and risks.
5. Detects web page tampering (dynamic and static web pages) and automatically performs remote backup.
Note: You are advised to store static data on OBS.
How HSS Works
• Console: a visualized management platform, where you can apply configurations in a centralized manner and view the status and scan results of servers in a region. The console delivers configurations and schedules scans.
• HSS cloud protection center: 1. Uses AI, machine learning, and in-depth algorithms to analyze security risks on servers. 2. Integrates multiple antivirus engines to scan for and remove malicious programs on servers.
• Agent: 1. Scans all servers at 00:00 daily. 2. Monitors server security. 3. Reports server information (including non-compliant configurations, insecure configurations, intrusion traces, software list, port list, and process list) to the cloud protection center.
• HSS can be deployed on Huawei Cloud, hybrid clouds, other public clouds, private clouds, and data centers; the agent runs on both on-cloud and off-cloud servers.
What Is IAM?
⚫ Huawei Cloud Identity and Access Management (IAM) provides permissions management to help you securely control access to your cloud services and resources.
⚫ Typical question: After purchasing resources on Huawei Cloud, how can I grant permissions to team members to manage these resources?
⚫ Basic functions:
 Identity authentication
 Access management
⚫ Refined permissions management
⚫ Huawei Cloud service authorization
⚫ Identity federation with third-party identity providers
Identity Credentials
⚫ The account name and password cannot be shared within the team. Then how can team members obtain their own credentials to access resources?
• After an IAM user is created and an identity credential is issued, other users can log in as the IAM user and manage Huawei Cloud resources.
Flow: 1. The account creates an IAM user. 2. IAM issues an identity credential. 3. The IAM user accesses a Huawei Cloud service. 4. The service has IAM verify the identity credential. 5. If the verification is successful, the IAM user can access the cloud service.
Identity Authentication
⚫ Password authentication:
 Open the Huawei Cloud console login page.
 Use the Huawei Cloud account name, IAM username, and password to log in.
⚫ Key authentication:
 Each IAM user can create two pairs of access keys.
 The AK contains 20 characters, and the SK contains 40 characters.
 The AK/SK is used only for API access.
Permissions Management
• An IAM user group is a collection of IAM users.
• An IAM user can belong to different IAM user groups.
• User groups make it easier to manage permissions for users.
• Example: a development group (John, Peter, Jim) and a test group (John, Betty, Lucy), each with its own IAM policy attached; John belongs to both groups.
• Best practices for permissions assignment: Principle of least privilege (PoLP)
IAM Policy
• IAM permissions are defined in JSON documents.
• Documents can be embedded into policies for repeated use.
Example IAM policy:
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": [
        "iam:*:get*",
        "iam:*:list*",
        "iam:*:check*"
      ],
      "Effect": "Allow"
    }
  ]
}
⚫ System-defined policies
 Maintained by Huawei Cloud
⚫ Custom policies
 Maintained by users
Review:
 Principal: Whom the permissions are granted to.
 Action: A list of granted actions.
 Resource: The resources the permissions apply to.
 Condition: Additional conditions for authorization.
 Effect: Specific permissions that are allowed or denied.
IAM Permissions Authentication Process
⚫ Access request → Filter policy → Is there a Deny? Yes → Final decision: Deny. No → Is there an Allow? Yes → Final decision: Allow. No → Final decision: Deny.
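The authentication process above, implemented as an added example over the Version 1.1 policy JSON shown on the IAM Policy slide (this is not IAM's own evaluator). It assumes glob-style matching of Action patterns such as "iam:*:get*" against a requested action, and the custom OBS policies and action names below are constructed.

```python
"""IAM-style authorization: filter the statements whose Action matches the
request; any Deny wins, otherwise an Allow grants, otherwise deny by default.
Added example; wildcard matching with fnmatch and the sample action strings
are assumptions, not Huawei Cloud's evaluation code."""
import json
from fnmatch import fnmatchcase

# System-defined read-only policy as printed on the slide.
READ_ONLY_POLICY = json.loads("""
{
  "Version": "1.1",
  "Statement": [
    {
      "Action": ["iam:*:get*", "iam:*:list*", "iam:*:check*"],
      "Effect": "Allow"
    }
  ]
}
""")

# Constructed custom policies: broad OBS access, with deletion explicitly denied.
OBS_ADMIN_POLICY = {
    "Version": "1.1",
    "Statement": [{"Action": ["obs:*:*"], "Effect": "Allow"}],
}
NO_DELETE_POLICY = {
    "Version": "1.1",
    "Statement": [
        {"Action": ["obs:bucket:delete*", "obs:object:delete*"], "Effect": "Deny"}
    ],
}


def action_matches(pattern, action):
    """Glob-style match of a policy Action entry against the requested action."""
    return fnmatchcase(action, pattern)


def matching_effects(policies, action):
    """Filter policy: the Effect of every statement that covers the action."""
    effects = []
    for policy in policies:
        for stmt in policy["Statement"]:
            actions = stmt["Action"]
            if isinstance(actions, str):
                actions = [actions]
            if any(action_matches(p, action) for p in actions):
                effects.append(stmt["Effect"])
    return effects


def authorize(policies, action):
    """Is there a Deny? -> Deny. Else, is there an Allow? -> Allow. Else Deny."""
    effects = matching_effects(policies, action)
    if "Deny" in effects:
        return "Deny"
    if "Allow" in effects:
        return "Allow"
    return "Deny"


def explain(policies, action):
    """One line per request, handy when reviewing a user group's policies."""
    return f"{action}: {authorize(policies, action)} (matched {matching_effects(policies, action)})"
```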
IAM Agency
⚫ Agencies do not have static credentials.
⚫ Agencies inherit permissions from the attached policies.
⚫ Agencies enable you to delegate permissions to:
 Huawei Cloud services
 Other Huawei Cloud accounts
 Third-party identity providers
(Diagram: Delegating access to other Huawei Cloud accounts: the current account authorizes an IAM agency with an IAM policy, and other accounts use the agency to access the resource. Delegating access to Huawei Cloud services: the current account authorizes an IAM agency with an IAM policy that a cloud service such as Graph Engine Service (GES) uses.)
Associating an Agency with an ECS
⚫ Scenario: How do I enable Python applications running on an ECS to access data in OBS?
⚫ Available solutions:
 Create an IAM user and grant OBS access permissions to the user. Store the AK/SK of the user on the ECS.
 Create an agency and grant OBS access permissions to the agency. Associate the agency with the ECS.
Creating an Agency
⚫ Step 1: Grant the agency permissions to call APIs to access OBS.
⚫ Step 2: Associate the agency with an ECS so that applications on the ECS have the permissions granted to the agency.
IAM Agency Scenario
(Diagram: In Huawei Cloud account A, IAM user A-1 belongs to an IAM group that does not have permission to access OBS. An IAM policy that allows the cloud account to access OBS is attached to an IAM agency (1). IAM user A-1 switches to the agency role (2) and accesses OBS (3). IAM user B-1 in Huawei Cloud account B likewise switches to the agency role (4) and accesses OBS (5).)
Identity Federation
⚫ IAM supports identity providers (IdPs) that are compatible with Security Assertion Markup Language 2.0 (SAML 2.0) and OpenID Connect (OIDC). You can use an IdP to enable the identities in your enterprise system to log in to Huawei Cloud using single sign-on (SSO).
⚫ Benefit: simplifying account management.
Identity Federation Through Agency
(Diagram of the flow between a self-built data center and a Huawei Cloud region: the website server requests credentials from the identity proxy server; the identity proxy server verifies identity and permissions against the LDAP/AD server; a temporary access key is created through the agency in IAM; IAM returns a temporary AK/SK + token to the identity proxy server, which passes the temporary AK/SK + token to the website server; the website server then accesses the various Huawei Cloud services hosted in the region, such as OBS, an SMN topic, and CSMS in DEW.)
IAM Security Best Practices
⚫ Note: The permissions of the account are not managed by IAM.
 Do not use the account for routine tasks.
 Do not create an access key for the account.
⚫ Enable login protection for all accounts for two-factor authentication by SMS, email, or virtual MFA device.
⚫ Create an IAM user and assign the administrator permissions to the user.
⚫ Enable operation protection for sensitive operations.
⚫ Set a complex password policy.
⚫ Specify the password validity period.
Precautions
⚫ IAM controls the access only to Huawei Cloud services. It does not manage server logins, database access, or application credentials.
Solutions for Secure Server Logins
What Is CBH?
⚫ Cloud Bastion Host (CBH) can monitor the usage of the CBH system, monitor O&M activities of each managed resource, and identify suspicious O&M actions in real time. This protects resources and data from being accessed without authorization or damaged by external or internal users. CBH reports alarms to customers, who can then more easily handle or audit O&M issues in a timely, centralized manner.
(Diagram: employees at the headquarters, employees at branch offices, third-party O&M personnel, and temporary O&M personnel all pass through CBH, which applies access control and operation audit, before reaching servers, network devices, cloud servers, databases, and applications.)
CBH Application Scenario 1: Asset Management
⚫ You can manage the admin user and system users created by the admin user, enabling role-based permissions control.
⚫ You can log in to a CBH system and then manage all assets without additional logins.

CBH Application Scenario 2: O&M Audit
⚫ You can monitor O&M behavior in real time to detect violations, send alerts, and block malicious commands in a timely manner.
⚫ O&M behavior can be monitored, logged, queried, and audited with ease.

CBH Application Scenario 3: Security and Compliance
⚫ CBH meets the requirements stated in the Cybersecurity Law and the DJCP (or MLPS) standard.
⚫ CBH supports mainstream protocol types and audits fine-grained operations.
Data Encryption Process
⚫ Envelope encryption: data is encrypted with a data encryption key (DEK), and the DEK is encrypted with a customer master key (CMK), giving the encrypted data plus the encrypted key.
• There are data encryption keys (DEKs) and customer master keys (CMKs). A CMK is a key used to encrypt the DEK.
• The ciphertext and DEKs are stored together for easier management.
• The impact of losing DEKs is controllable.
⚫ Open question: How can we store a CMK securely?
DEW: Static Data Security
⚫ Key management (Key Management Service (KMS), Dedicated Hardware Security Module (Dedicated HSM), and Key Pair Service (KPS)):
 CMKs can only be used in Data Encryption Workshop (DEW), ensuring data security.
 You can generate, encrypt, and decrypt DEKs.
⚫ Secret management (Cloud Secret Management Service (CSMS)):
 Centralized storage of database and server passwords
 Seamless access with IAM agencies
Using KMS to Encrypt and Decrypt a Large Amount of Data
⚫ Process: ① Apply for a DEK. ② Return the DEK and CMK. ③ Encrypt data. ④ Securely store the keys after encryption (ciphertext + encrypted DEK).
• CMKs can only be used in DEW.
• DEW allows you to:
 Create a DEK.
 Encrypt a DEK.
 Decrypt a DEK.
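Envelope encryption as described on the two slides above (Data Encryption Process and Using KMS), as an added example rather than DEW or KMS code: a key service holds the CMK and hands out a DEK together with the DEK wrapped under the CMK, the application stores ciphertext and wrapped DEK side by side, and decryption asks the key service to unwrap. Because the example uses only the standard library, the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag standing in for an AEAD such as AES-GCM; the KeyService class is this example's stand-in for KMS.

```python
"""Envelope encryption: data under a DEK, the DEK under a CMK that never
leaves the key service; ciphertext and wrapped DEK are stored together.
Added example. The seal/unseal primitive is an HMAC-based stand-in for a
real AEAD cipher so the code runs with the standard library only."""
import hashlib
import hmac
import os
from dataclasses import dataclass

NONCE_LEN, TAG_LEN = 16, 32


def subkeys(key):
    """Derive separate encryption and MAC keys from one 32-byte key."""
    return (hashlib.sha256(b"enc" + key).digest(),
            hashlib.sha256(b"mac" + key).digest())


def keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode (stand-in for a block cipher stream)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Return nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(enc_key, nonce, len(plaintext))
    body = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Verify the tag before decrypting; raise on modification or wrong key."""
    enc_key, mac_key = subkeys(key)
    nonce, body, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(a ^ b for a, b in zip(body, keystream(enc_key, nonce, len(body))))


class KeyService:
    """Stand-in for KMS in DEW: the CMK is created here and never leaves."""

    def __init__(self):
        self._cmk = os.urandom(32)

    def create_data_key(self):
        """Steps 1-2 on the slide: a fresh DEK plus the DEK wrapped under the CMK."""
        dek = os.urandom(32)
        return dek, seal(self._cmk, dek)

    def decrypt_data_key(self, wrapped_dek):
        return unseal(self._cmk, wrapped_dek)


@dataclass
class Envelope:
    ciphertext: bytes
    wrapped_dek: bytes  # stored together with the ciphertext, per the slide


def encrypt_envelope(kms, data):
    """Steps 3-4: encrypt with the DEK, keep only the wrapped DEK."""
    dek, wrapped = kms.create_data_key()
    return Envelope(seal(dek, data), wrapped)


def decrypt_envelope(kms, env):
    dek = kms.decrypt_data_key(env.wrapped_dek)
    return unseal(dek, env.ciphertext)


def roundtrip_ok(data):
    kms = KeyService()
    return decrypt_envelope(kms, encrypt_envelope(kms, data)) == data


def tamper_detected(data):
    """Flipping one ciphertext bit must be rejected, not silently decrypted."""
    kms = KeyService()
    env = encrypt_envelope(kms, data)
    damaged = bytearray(env.ciphertext)
    damaged[NONCE_LEN] ^= 0x01
    try:
        decrypt_envelope(kms, Envelope(bytes(damaged), env.wrapped_dek))
    except ValueError:
        return True
    return False


def wrong_cmk_detected(data):
    """A wrapped DEK cannot be unwrapped by a key service with another CMK."""
    env = encrypt_envelope(KeyService(), data)
    try:
        decrypt_envelope(KeyService(), env)
    except ValueError:
        return True
    return False
```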
Using CSMS to Build a Keyless Architecture
(Diagram: authorized through an IAM agency, the application obtains the database password from CSMS in DEW and accesses Relational Database Service (RDS) using that password; Cloud Eye, Object Storage Service (OBS), and Log Tank Service (LTS) are accessed using AKs/SKs obtained through the agency.)
 The entire system does not record any secrets.
 IAM agencies are used as the authorization core.
 IAM can also be used for access control.
Dynamic Data Security: CCM
⚫ Cloud Certificate Manager (CCM) is a cloud service that provides one-stop lifecycle management of digital certificates. CCM includes the SSL Certificate Manager (SCM) and Private Certificate Authority (PCA) services.
(Diagram: CCM, through SCM and PCA, provides certificates for the website server, WAF, ELB, and DNS; browsers and mobile phones connect over HTTPS.)
SSL Certificate Types
⚫ Domain Validated (DV)
 Security level: Minor
 Application scenario: Testing websites of individuals or enterprises
 Validation requirement: The CA verifies the domain name ownership only.
 Supported CA: DigiCert, GeoTrust, TrustAsia, vTrus
 Review duration: Several hours
⚫ Organization Validated (OV)
 Security level: High
 Application scenario: Service websites of education agencies, government departments, Internet companies, applications of small and medium-sized enterprises, and e-commerce platforms. For example, Apple Store and WeChat applet.
 Validation requirement: The CA follows a standard process to validate the organization identity and the domain name ownership.
 Supported CA: DigiCert, GeoTrust, GlobalSign, CFCA, TrustAsia, vTrus
 Review duration: 3 to 5 working days
⚫ Extended Validated (EV)
 Security level: Highest
 Application scenario: Websites of large enterprises, institutions, and organizations with strict security requirements. For example, financial institutions, insurance agencies, and banks.
 Validation requirement: The CA follows a strict process to validate the organization identity and the domain name ownership.
 Supported CA: DigiCert, GeoTrust, GlobalSign, CFCA, TrustAsia
 Review duration: 7 to 10 working days
What Is DBSS?
⚫ Database Security Service (DBSS) is an intelligent database security service. Based on the machine learning and big data analytics technologies, it can audit your databases, detect SQL injection attacks, and identify high-risk operations.
 To use DBSS, you need to install an agent in the protected database.
 DBSS audits databases in out-of-path mode.
 The DBSS instance and the protected database with the agent installed must be in the same VPC.
 DBSS can audit RDS databases and user-built databases on Huawei Cloud and some non-Huawei Cloud databases.
 When an agent is running, it consumes no more than 5% of your CPU resources and no more than 300 MB of memory.
(Diagram of the database audit architecture: user requests go from the application server to a user-built database or RDS; the agent sends audit logs to the DBSS instance, which stores them and can forward them to remote log storage.)
DBSS Functions
⚫ Anomaly monitoring
⚫ Audits
⚫ Real-time alarms
⚫ Logs
What Is CTS?
⚫ Cloud Trace Service (CTS) records requests and results of operations (API calls) on cloud service resources for you to query, audit, and backtrack operations.
(Diagram: resource operations, such as creating an ECS, are performed on ECS, VPC, and EVS; these services report traces to CTS; you view traces in CTS, and CTS transfers traces to OBS and LTS, where they can also be viewed.)
CTS Application Scenarios (1)
• Traces generated by CTS record resource changes and their results. Track the resource usage using these records.
• Each trace records details about an operation to help you identify which specific user and IP address performed which operation. Traces also let you perform security and user behavior pattern analysis as well as configure notifications for key operations.
CTS Application Scenarios (2)
• In case of faults, view CTS traces to figure out the cause and quickly rectify the fault. For example, quickly determine that deleting a system volume during configuration led to failed ECS capacity expansion.
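The fault scenario above (a failed ECS capacity expansion traced back to a deleted system volume, and to the user and IP address that deleted it), worked as an added example over constructed trace records rather than real CTS output. The records use a subset of CTS trace fields; the "attached_to" field that links a volume to its ECS and all sample values are this example's assumptions.

```python
"""Root-cause lookup over CTS-style traces: for each failed operation, list
the destructive operations on the same resource (or on a volume attached to
it) in the preceding window, with the user and source IP that performed them.
Added example; trace records are constructed, field names are assumptions."""
from datetime import datetime, timedelta

# Constructed sample traces, oldest first.
TRACES = [
    {"time": "2024-05-06T09:58:10Z", "trace_name": "createServer", "resource_type": "ecs",
     "resource_id": "ecs-0a1", "user": "ops-admin", "source_ip": "10.0.0.5",
     "trace_status": "normal"},
    {"time": "2024-05-06T10:01:12Z", "trace_name": "deleteVolume", "resource_type": "evs",
     "resource_id": "vol-data-12", "user": "dev-ann", "source_ip": "10.0.0.8",
     "trace_status": "normal", "attached_to": "ecs-9ff"},   # volume of another ECS
    {"time": "2024-05-06T10:02:41Z", "trace_name": "deleteVolume", "resource_type": "evs",
     "resource_id": "vol-sys-77", "user": "dev-jim", "source_ip": "203.0.113.9",
     "trace_status": "normal", "attached_to": "ecs-0a1"},   # system volume of ecs-0a1
    {"time": "2024-05-06T10:05:03Z", "trace_name": "resizeServer", "resource_type": "ecs",
     "resource_id": "ecs-0a1", "user": "ops-admin", "source_ip": "10.0.0.5",
     "trace_status": "error"},
]

# Operation name prefixes treated as destructive (assumption for this example).
DESTRUCTIVE_PREFIXES = ("delete", "detach", "reset")


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def touches(trace, resource_id):
    """A trace touches an ECS if it acts on it or on a volume attached to it."""
    return trace["resource_id"] == resource_id or trace.get("attached_to") == resource_id


def failed_traces(traces):
    return [t for t in traces if t["trace_status"] == "error"]


def suspects_for(traces, failure, window=timedelta(minutes=30)):
    """Destructive operations on the failed resource shortly before the
    failure, most recent first."""
    deadline = parse_time(failure["time"])
    hits = [t for t in traces
            if t is not failure
            and t["trace_name"].lower().startswith(DESTRUCTIVE_PREFIXES)
            and touches(t, failure["resource_id"])
            and deadline - window <= parse_time(t["time"]) < deadline]
    return sorted(hits, key=lambda t: t["time"], reverse=True)


def root_cause_report(traces):
    """Pair every failed operation with the destructive operations preceding it."""
    return [(f, suspects_for(traces, f)) for f in failed_traces(traces)]


def format_report(traces):
    lines = []
    for failure, suspects in root_cause_report(traces):
        lines.append(f"{failure['time']} {failure['trace_name']} on "
                     f"{failure['resource_id']} failed")
        for s in suspects:
            lines.append(f"  preceded by {s['trace_name']} on {s['resource_id']} "
                         f"by {s['user']} from {s['source_ip']} at {s['time']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(TRACES))
```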
What Is SecMaster?
⚫ SecMaster is a next-generation cloud native security operations platform that enables integrated and automatic security operations, including cloud asset, security situation, security information, and security incident management, security orchestration, and automatic response, making it easier to identify security risks, and detect and automatically handle incidents when they happen.
SecMaster Functions and Advantages (1)
1. Log collection and asset management: codeless, zero blind spots, and centralized management
 Preset access to security data of other security services.
 Automatic cloud asset inventory and cloud service configuration checks to leave no assets unprotected and no settings insecure.
2. Security governance: quick security and compliance checks
 Huawei Cloud provides global security and compliance experience as a service to help meet security and compliance requirements for your cloud services.
 You can generate a report in a few clicks, which helps you quickly comply with cloud service security and privacy protection regulations.
SecMaster Functions and Advantages (2)
3. Situational awareness: comprehensive situation with one screen
 SecMaster provides a visual, centralized platform that enables you to learn of risks and incidents on the cloud in a timely manner.
 Large Screen provides powerful pre-, during-, and post-incident security management so that you can obtain a comprehensive view all in one place.
4. Threat operations: global analysis of threats across the cloud
 Based on the hundreds of millions of threat intelligence records collected by Huawei Cloud every day, SecMaster performs correlation analysis to precisely locate security threats, eliminate false alarms, and identify potential sophisticated threats, keeping operations secure.
 SecMaster provides a variety of threat detection models and security response playbooks to automatically analyze and handle alarms reported for detected threats.
SecMaster Functions and Advantages (3)
5. Security orchestration: automatic handling throughout the process
 SecMaster has built-in playbooks to enable automatic responses to more than 99% of security incidents within minutes.
 You can flexibly orchestrate security response playbooks with convenient drag-and-drop controls to support your changing service requirements. You can also flexibly extend and define security operations objects and interactive pages.
Summary
⚫ Huawei Cloud Security Services
⚫ Security Model
⚫ Functions of Security Cloud Services
⚫ Application Scenarios of Security Cloud Services

Quiz
1. (Multiple-choice question) Huawei Cloud provides a wide range of security services, such as
HSS and WAF to help defend against risks and threats on websites, servers, and web
applications. Which of the following are functions of HSS?

A. Asset management

B. Multi-vulnerability detection

C. CC attack protection

D. Web tamper protection

Acronyms and Abbreviations
⚫ IAM: Identity and Access Management
⚫ DDoS attack: Distributed denial-of-service attack
⚫ DBSS: Database Security Service
⚫ DEW: Data Encryption Workshop
⚫ HSS: Host Security Service
⚫ WAF: Web Application Firewall
⚫ CTS: Cloud Trace Service
⚫ CBH: Cloud Bastion Host
Thank You.
Copyright © 2024 Huawei Technologies Co., Ltd. All Rights Reserved.
The information in this document may contain predictive statements including,
without limitation, statements regarding the future financial and operating results,
future product portfolio, new technology, etc. There are a number of factors that
could cause actual results and developments to differ materially from those
expressed or implied in the predictive statements. Therefore, such information is
provided for reference purpose only and constitutes neither an offer nor an
acceptance. Huawei may change the information at any time without notice.
