AgentBay is a next-generation cloud-native operating environment designed for developing, testing, and running applications and artificial intelligence (AI) agents. It provides a secure and highly isolated sandbox environment that allows users to execute code tasks under controlled conditions. Its architecture is built on the enterprise-grade security design of Alibaba Cloud Workspace cloud desktops and cloud applications, and it inherits their mature security mechanisms and mitigation capabilities.
As technology evolves rapidly, the core challenge for enterprises and developers is to drive innovation while ensuring system security. Legacy environments pose security risks in typical scenarios such as executing code generated by a large language model (LLM), integrating third-party dependencies, and reviewing code from external contributors. These risks can lead to sensitive data leakage or service interruptions. AgentBay addresses these challenges by building a secure-by-default execution environment, so that innovative activities occur within isolated boundaries and cannot affect the underlying infrastructure or other workloads.
Its security framework follows zero trust, defense in depth, and secure-by-design principles. It establishes a comprehensive, multilayered technical and data security mechanism across four key dimensions: access security, management security, guest environment security, and agent security.
Shared responsibility model
Cloud security is a shared responsibility between the cloud service provider and the customer. Clearly defining the boundaries of this responsibility is fundamental to building trust and ensuring effective security. AgentBay follows the standard Alibaba Cloud shared responsibility model. This model specifies that Alibaba Cloud is responsible for the security of the cloud platform itself, while the customer is responsible for the security of their business systems on the cloud.

Alibaba Cloud platform responsibilities
Alibaba Cloud and AgentBay work together to secure the underlying infrastructure that the AgentBay service relies on. This includes the security of physical data centers, hardware, network facilities, and the virtualization layer.
As the platform provider, AgentBay's core responsibility is to provide a secure and isolated runtime environment. The platform uses sandbox technology to ensure that the behavior of agents executing code is strictly confined within specified boundaries. This prevents security threats to the underlying infrastructure or other tenants.
Customer responsibilities
Customers are fully responsible for the security of the configurations, data, and AI agents they run in or against the AgentBay environment. AgentBay is a sandboxed tool runtime: the AI agent itself, the component that decides which tools to call and with what input, typically runs outside the sandbox under the customer's control. AgentBay therefore makes no security guarantees about the logic or behavior of those external agents; the customer is the responsible party for them.
Customer responsibilities include but are not limited to the following:
1. AI agent and application security
Agent behavior and logic: Manage the core logic and behavioral patterns of the agent. Ensure that the agent's autonomous actions, such as invoking APIs or accessing files, comply with your enterprise's security policies and compliance requirements.
Prompt attack prevention: Review and filter the prompts provided to the agent, and treat anything the agent reads inside the sandbox (tool output, fetched web pages, file contents) as untrusted input that can carry injected instructions. Build your own defenses against threats specific to large language models, such as prompt injection and tool-based attacks. The sandbox confines what injected code can damage; it does not detect or block the injection itself.
Prohibit sandbox abuse: Do not use the cloud sandbox to build or operate fictitious user account systems for prohibited activities such as fake-order generation ("brushing") or ranking manipulation.
2. Identity and access management
Permission management: Follow the principle of least privilege. Configure appropriate access policies for users and services that access AgentBay.
Authentication information protection: Manage and protect user credentials and authentication material such as API keys. Rotate API keys regularly. Do not hard-code keys in source code; load them from environment variables populated by a secrets manager or a dedicated key management service, and keep them out of version control and logs.
Temporary address protection: AgentBay issues temporary links, such as cloud desktop access endpoints, temporary file download links, and getLink URLs. Treat these links as bearer credentials: anyone who obtains one can use it until it expires. Do not distribute them to unauthorized parties or expose them publicly (for example in logs, tickets, or chat), to reduce the risk of resource leakage.
3. Data and network security
Data protection: Manage the classification, backup, and recovery of data within the sandbox. Configure and use data protection policies such as encryption, watermarking, and data loss prevention (DLP).
Network configuration: Configure security group rules and domain name access policies to control the outbound traffic of the sandbox.
4. Configuration and cost management
Policy configuration: Configure policies appropriately, such as the maximum session duration and the auto-release timeout for stopped sessions. Setting these values too high may incur additional costs if session management misbehaves, while setting them too low may impact service availability.
Cost control: Set a reasonable maximum spending limit for your API key to avoid incurring higher costs in case of abnormal usage.
Security compliance statement
Alibaba Cloud's security mechanisms are recognized by authoritative organizations worldwide. Based on its long-term experience in dealing with Internet security threats, Alibaba Cloud has deeply integrated these mitigation capabilities into its cloud platform's security framework. It has also incorporated multiple compliance standards into the platform's internal controls, management processes, and product design. Alibaba Cloud actively participates in developing standards for cloud computing services, contributes its practical experience, and uses industry standards for cloud desktop computing to validate its compliance through independent third-party assessments.
To date, Alibaba Cloud has passed certifications and audits from dozens of authoritative organizations globally. The following table lists the compliance qualifications currently held by Alibaba Cloud.
| Category | Qualification | Description |
| --- | --- | --- |
| Global recognition | ISO 27001 | ISO 27001 is the international standard for information security management systems and the most widely adopted security standard worldwide. As a certified cloud service provider, Alibaba Cloud demonstrates that it fulfills its security responsibilities in areas such as data security, network security, communications security, and operational security. |
| | ISO 27017 | ISO 27017 provides guidelines for information security controls applicable to the use of cloud services. It adds implementation guidance for the ISO/IEC 27002 controls, along with additional controls and guidance specific to cloud services. |
| | ISO 27018 | ISO 27018 is an international standard for the protection of personal data in the cloud. It provides a code of practice for processors of personally identifiable information (PII) in public clouds and is a widely accepted benchmark for cloud PII protection. |
| | CSA STAR | CSA STAR was jointly launched by the British Standards Institution (BSI) and the Cloud Security Alliance (CSA), an international authority on cloud security. Alibaba Cloud holds the CSA STAR Gold certification for cloud security. |
| | ISO 9001 | The ISO 9001 quality management system certification confirms that an organization can consistently provide products that meet customer requirements and applicable regulatory requirements. |
| | ISO 20000 | ISO 20000 is the first internationally recognized standard for IT service management. Alibaba Cloud holds the ISO/IEC 20000-1:2011 certification, which means that it has established standard service processes and implements cloud platform service standardization to improve efficiency and reduce overall IT risk. |
| | ISO 22301 | The ISO 22301 business continuity management system is the internationally recognized standard for assessing whether an enterprise's service continuity capabilities meet its social responsibilities and customer commitments. Alibaba Cloud has passed the latest ISO 22301 certification for business continuity. |
| | SOC 1/2/3 | Service Organization Controls (SOC) reports, defined by the American Institute of Certified Public Accountants (AICPA), provide a standardized framework through which service providers disclose compliance and operational information about their internal controls to customers. |
| China's authoritative certifications | Cybersecurity review for cloud services by the Cyberspace Administration of China (CAC) | The Alibaba Gov Cloud platform was among the first in China to pass the enhanced level of the CAC's cybersecurity review for cloud computing. |
| | Classified Protection of Cybersecurity 2.0 (Ministry of Public Security) | Alibaba Cloud is a demonstration unit for Classified Protection of Cybersecurity 2.0. Alibaba Finance Cloud has passed the Level 4 assessment, and Alibaba Gov Cloud has passed the Classified Protection 2.0 national standard assessment. |
| | Cloud computing service capability assessment (Ministry of Industry and Information Technology, MIIT) | Alibaba Cloud (both public cloud and Apsara Stack) was among the first cloud service providers in China to pass the Level 1 (highest level) assessment for cloud computing service capabilities by the MIIT. |
| | Cloud computing service certification | Multiple Alibaba Cloud products and services, including ECS, OSS, ApsaraDB, and content delivery, were among the first to receive the Trusted Cloud Services certification in China. This certification covers aspects such as data destructibility, data portability, data privacy, and the right to be informed about data. |
| | Big data service certification | Alibaba Cloud's big data products were among the first to pass the highest-level assessment for general specifications of big data systems. They were also the first to receive the CNAS national laboratory certification for cloud products (DataWorks). Multiple products have achieved the industry's highest large-scale cluster capabilities. |
| | Security service capability certification | Alibaba Cloud's security products have obtained sales licenses from the Ministry of Public Security for their comprehensive cloud security defense capabilities. |
| | Security technology support | Alibaba Cloud has received several national honors for its contributions to network security. The company has been named a Network Security Emergency Service Support Partner by the National Computer Network Emergency Response Technical Team/Coordination Center of China (CNCERT) and a Technical Group Member of the China National Vulnerability Database (CNVD). Alibaba Cloud also serves as a Technical Support Partner for CNCERT and has been recognized as an Excellent Technical Support Partner for multiple years. In addition, the company is a Technical Support Partner for network security during major national events. |
| Industry and regional recognition | C5 | Alibaba Cloud adheres to the C5 standard, demonstrating its commitment to the highest level of compliance in controls and security for cloud computing. This standard serves as a benchmark not only in the German market but increasingly for institutions across Europe. Customers in Germany can use the C5 audit to meet strict local requirements and run secure workloads on Alibaba Cloud. C5 is aimed at professional cloud service providers, their auditors, and their customers. It defines 17 control domains in which cloud providers must comply with or meet defined minimum standards. It is a necessary assessment for working with the German public sector and is increasingly adopted by the private sector. |
| | MTCS | Certification International, a Singaporean certification body, has awarded Alibaba Cloud the Multi-Tier Cloud Security (MTCS) Level 3 (T3) certification, the highest security rating in Singapore. MTCS is a cloud security standard initiated by the Infocomm Development Authority (IDA) of Singapore and launched by SPRING Singapore. |
| | NESA/ISR | The National Electronic Security Authority (NESA) is the government body in the United Arab Emirates (UAE) responsible for critical information infrastructure and strengthening national cybersecurity. Alibaba Cloud follows the information security guidelines established by this authority and has completed a P1-level third-party compliance audit. The Information Security Regulation (ISR) is established by the Dubai government. It is similar to ISO 27001, covering several information security domains and adding local requirements specific to the Dubai government. Alibaba Cloud has completed a compliance audit by a qualified third party confirming that it adheres to the regulations and specific requirements of the ISR. |
| | PCI DSS | The Payment Card Industry Data Security Standard (PCI DSS) is the data security standard of the payment card industry. It assesses the ability to protect payment card data such as card numbers and CVV2 codes, covering security requirements for the transmission and storage of account numbers and sensitive authentication data. |
| | SEC Rule 17a | Alibaba Cloud has completed a compliance assessment of Object Storage Service (OSS) against SEC Rule 17a-4(f) and FINRA Rule 4511 for broker-dealer record retention. This assessment enables Alibaba Cloud to support the compliance needs of international financial industry customers. These rules have been widely adopted in jurisdictions outside the United States as a benchmark for the compliance capabilities of financial data storage solutions. |
| | TRUSTe | The Alibaba Cloud International Website (www.alibabacloud.com) has passed the TRUSTe Enterprise Privacy Certification, which attests to Alibaba Cloud's compliance in collecting, using, managing, and destroying personal information. |
| | HIPAA | Alibaba Cloud supports a Business Associate Addendum (BAA) to meet customer needs for compliance with the U.S. Health Insurance Portability and Accountability Act (HIPAA) and to protect the privacy and security of protected health information. |
| | MPAA | Alibaba Cloud complies with the best practice guidelines of the Motion Picture Association of America (MPAA). |
| | PDPA | Alibaba Cloud has passed a third-party assessment confirming compliance with Singapore's personal data protection requirements. |
| | Trusted Cloud Member | Alibaba Cloud is a member of Trusted Cloud, an initiative promoted by the German Federal Ministry for Economic Affairs and Energy, and is certified by Trusted Cloud. |
| | Founding member of the EU Cloud Code of Conduct | As a founding member and general assembly member of the EU Cloud Code of Conduct, Alibaba Cloud actively participates in developing a code of conduct for EU cloud services under GDPR Article 40. The company cooperates with EU data protection authorities so that their expectations and future guidance on GDPR are considered while drafting the code. Alibaba Cloud is committed to maintaining a high standard of data protection across the Alibaba Cloud ecosystem and to contributing to the healthy development of the technology industry. It supports increasing transparency in the cloud computing industry and helping cloud customers understand how cloud service providers address data protection. |
Regulatory compliance
Alibaba Cloud actively fulfills its legal and regulatory obligations and implements relevant policies. It helps enterprises accelerate their digital, networked, and intelligent transformation using cloud computing technologies. In accordance with the requirements of the Cybersecurity Law, Alibaba Cloud has established security management processes and systems for cloud services within the enterprise, ensuring that compliance requirements are met in a systematic way.
In accordance with the "Measures for Security Assessment of Cloud Computing Services" jointly issued by the Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Industry and Information Technology, and the Ministry of Finance, the Alibaba Gov Cloud platform was among the first in China to pass the enhanced level of the cloud service review in 2016. This allows Alibaba Cloud to provide secure and controllable cloud computing services to party and government agencies and operators of critical information infrastructure.
Alibaba Cloud adheres to the Classified Protection of Cybersecurity scheme, continuously enhancing the proactive defense, dynamic defense, overall prevention and control, and precise protection capabilities of its cloud services. After the official release of the Classified Protection 2.0 series of standards in May 2019, Alibaba Cloud became the first cloud service provider in China to pass the official standard assessment.
In addition to ensuring that its own cloud platform meets regulatory compliance requirements, Alibaba Cloud is committed to helping users meet these requirements with lower costs, faster methods, and higher security protection capabilities. Alibaba Cloud has launched a series of compliance solutions. For example, the Alibaba Cloud Classified Protection Compliance solution provides comprehensive capabilities in security protection, data auditing, data backup, data encryption, and security management as required by the classified protection scheme. It also provides one-stop, full-process compliance solutions by selecting and partnering with high-quality consulting and assessment agencies across the country. This greatly reduces the investment required by user organizations and helps them pass classified protection assessments quickly and easily.
Personal information protection
Alibaba Cloud has long been committed to protecting the personal information of every customer, ensuring that customers have ownership and control over all personal information provided to Alibaba Cloud. At the same time, Alibaba Cloud actively responds to the call from national regulatory authorities for enterprises to take responsibility for personal information protection. Alibaba Cloud continuously improves its internal personal information management and protection systems. Alibaba Cloud has a professional personal information protection team that continuously optimizes its Privacy Policy and user rights protection. Alibaba Cloud has established an overall internal data security management system and implemented core data security protection technologies to provide secure and reliable protection for users' personal information throughout its lifecycle.
Alibaba Cloud has demonstrated its personal information protection and data security capabilities through certifications from numerous authoritative organizations. For more information, see ISO 27017, PCI DSS, and Trusted Cloud service data protection certifications. Alibaba Cloud will continue to build its overall personal information protection management system. In addition to focusing on the personal information protection capabilities of the cloud platform itself when Alibaba Cloud acts as a data controller, it will further invest in building personal information protection capabilities in its products and services when it acts as a data processor.
You can view the Alibaba Cloud Privacy Policy and all its historical versions on the official Alibaba Cloud website. For more information, see Legal Statement and Privacy Policy. If you have any privacy-related questions, you can submit feedback through the Alibaba Cloud ticket system, online customer service, or phone customer service.
Transparency
Alibaba Cloud continuously enhances service transparency through various channels to disclose information related to its cloud services to customers.
Customers can submit requests for qualification documents, explanatory reports, and other materials through the Alibaba Cloud ticket system. Alibaba Cloud will respond to reasonable customer requests promptly. At the same time, Alibaba Cloud is actively exploring new mechanisms to enhance transparency. This includes proactively communicating internal operational dynamics to specific customers, reducing their concerns about the "black box" nature of internal processes. Compared to static information displays, this dynamic information sharing model will be the long-term direction for Alibaba Cloud to improve service transparency.
Access security
The first line of defense in the AgentBay security framework is to ensure that all access is authenticated, authorized, and encrypted end-to-end. AgentBay builds a robust access layer security by combining multiple layers of protocol, gateway, and network protection.
User access security
Multi-factor authentication
AgentBay supports multi-factor authentication methods such as the Alibaba Cloud app, text message verification, and email verification. This further enhances the security level of user authentication and mitigates the risks caused by single-password leaks.
Credential security
Secure credential design
AgentBay uses security designs such as short validity periods, token encryption, permission minimization, and revocability to minimize the security impact of credential leakage.
Secure credential delivery
AgentBay delivers access credentials over TLS-encrypted channels, so they cannot be read by a network eavesdropper in transit.
Client-side credential protection
Credentials are stored on the client in encrypted form, so a credential copied out of storage by a malicious process is not directly usable for logon. Combined with the short validity period and revocability described above, this limits the window in which a stolen credential has any value.
Communication security: SM algorithm support
Adaptive Streaming Protocol (ASP) is an end-to-cloud integrated protocol that provides users with an ultra-low latency and ultra-high-definition real-time interactive experience. The ASP protocol supports TLS encrypted transmission based on Tongsuo.
Tongsuo (formerly BabaSSL) is an open source, fundamental cryptography library developed by Alibaba that provides modern cryptographic algorithms and secure communication protocols. It offers underlying cryptographic capabilities for numerous business scenarios, such as storage, networking, key management, and privacy-preserving computation. It ensures the confidentiality, integrity, and authenticity of data during transmission, use, and storage, providing protection for privacy and security throughout the data lifecycle.
Tongsuo has received a commercial cryptography product certification from the Commercial Cryptography Testing Center of the State Cryptography Administration. This helps users meet Chinese compliance requirements for commercial cryptography more rigorously during processes such as SM algorithm upgrades, SM algorithm application security assessments, and classified protection compliance. Tongsuo provides the following main features:
Technical compliance capabilities
Complies with the "Level 1 Security for Software Cryptographic Modules" qualification of GM/T 0028 "Security Requirements for Cryptographic Modules".
Zero-Knowledge Proof (ZKP)
Bulletproofs
Cryptographic algorithms
Chinese commercial cryptography algorithms: SM2, SM3, SM4, ZUC, and more.
Mainstream international algorithms: ECDSA, RSA, AES, SHA, and more.
Homomorphic encryption algorithms: EC-ElGamal, Paillier, and more.
Secure communication protocols
Supports the GB/T 38636-2020 TLCP standard, which is a dual-certificate SM algorithm communication protocol.
Supports RFC 8998, which defines TLS 1.3 cipher suites (SM4-GCM and SM4-CCM with SM3), the SM2 signature scheme, and the curveSM2 key-exchange group, using a single SM certificate rather than TLCP's dual-certificate model.
Supports QUIC API.
Supports the Delegated Credentials feature, based on draft-ietf-tls-subcerts-10.
Supports TLS certificate compression.
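The two protocol profiles listed above negotiate differently on the wire: TLCP uses its own protocol version and cipher suite identifiers, while RFC 8998 rides on a normal TLS 1.3 handshake and is recognizable only by its cipher suite and key-share group. The following script is an added example, not AgentBay or Tongsuo code: it parses a captured ServerHello and reports whether the negotiated parameters are an RFC 8998 TLS 1.3 SM suite, a TLCP (GB/T 38636-2020) suite, or neither. This is the check a practitioner runs on a packet capture to confirm that an "SM algorithm" deployment actually negotiated SM rather than silently falling back. The cipher suite, version, and group identifiers are those published in RFC 8998 and GB/T 38636-2020; the sample records are constructed test vectors with an all-zero random, not traffic from AgentBay.

```python
import struct

# RFC 8998 identifiers: TLS 1.3 cipher suites and the curveSM2 named group.
RFC8998_SUITES = {0x00C6: "TLS_SM4_GCM_SM3", 0x00C7: "TLS_SM4_CCM_SM3"}
CURVE_SM2 = 0x0029
TLS13 = 0x0304
# GB/T 38636-2020 (TLCP): protocol version 0x0101 and its SM cipher suites.
TLCP_VERSION = 0x0101
TLCP_SUITES = {0xE011: "ECDHE_SM4_CBC_SM3", 0xE013: "ECC_SM4_CBC_SM3",
               0xE051: "ECDHE_SM4_GCM_SM3", 0xE053: "ECC_SM4_GCM_SM3"}
EXT_SUPPORTED_VERSIONS, EXT_KEY_SHARE = 0x002B, 0x0033


def parse_server_hello(record: bytes) -> dict:
    """Parse one handshake record carrying a ServerHello (TLS 1.2/1.3 framing,
    which TLCP shares). Fails closed on malformed input instead of guessing."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a handshake record")
    rec_version, rec_len = struct.unpack(">HH", record[1:5])
    body = record[5:5 + rec_len]
    if len(body) != rec_len or body[0] != 0x02:
        raise ValueError("truncated record or not a ServerHello")
    hs_len = int.from_bytes(body[1:4], "big")
    sh = body[4:4 + hs_len]
    if len(sh) != hs_len or hs_len < 38:
        raise ValueError("truncated ServerHello")
    legacy_version = struct.unpack(">H", sh[0:2])[0]
    pos = 2 + 32                                   # skip the 32-byte random
    pos += 1 + sh[pos]                             # legacy_session_id_echo
    if pos + 3 > len(sh):
        raise ValueError("truncated ServerHello")
    cipher_suite = struct.unpack(">H", sh[pos:pos + 2])[0]
    pos += 3                                       # cipher suite + compression method
    params = {"record_version": rec_version, "legacy_version": legacy_version,
              "selected_version": legacy_version, "cipher_suite": cipher_suite,
              "key_share_group": None}
    if pos < len(sh):                              # extensions are optional before 1.3
        if len(sh) - pos < 2:
            raise ValueError("truncated extensions length")
        ext_len = struct.unpack(">H", sh[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        if end != len(sh):
            raise ValueError("extensions length mismatch")
        while pos < end:
            etype, elen = struct.unpack(">HH", sh[pos:pos + 4])
            edata = sh[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if len(edata) != elen or pos > end:
                raise ValueError("truncated extension")
            if etype == EXT_SUPPORTED_VERSIONS and elen == 2:
                params["selected_version"] = struct.unpack(">H", edata)[0]
            elif etype == EXT_KEY_SHARE and elen >= 4:
                params["key_share_group"] = struct.unpack(">H", edata[:2])[0]
    return params


def classify(p: dict) -> str:
    """Name the negotiated SM profile, or flag why the handshake is not SM-compliant."""
    cs = p["cipher_suite"]
    if p["selected_version"] == TLS13 and cs in RFC8998_SUITES:
        # RFC 8998 requires curveSM2 for the key exchange when these suites are used.
        if p["key_share_group"] not in (None, CURVE_SM2):
            return f"MISMATCH: {RFC8998_SUITES[cs]} with non-SM2 key_share group {p['key_share_group']:#06x}"
        return f"RFC 8998 TLS 1.3 ({RFC8998_SUITES[cs]})"
    if p["record_version"] == TLCP_VERSION and cs in TLCP_SUITES:
        return f"TLCP GB/T 38636-2020 ({TLCP_SUITES[cs]})"
    return "non-SM"


def build_server_hello(version: int, cipher_suite: int, extensions: bytes = b"",
                       record_version: int = 0x0303) -> bytes:
    """Constructed test vector: a ServerHello with an all-zero random and empty session id."""
    sh = struct.pack(">H", version) + bytes(32) + b"\x00" + struct.pack(">H", cipher_suite) + b"\x00"
    if extensions:
        sh += struct.pack(">H", len(extensions)) + extensions
    hs = b"\x02" + len(sh).to_bytes(3, "big") + sh
    return b"\x16" + struct.pack(">HH", record_version, len(hs)) + hs


def _ext(etype: int, data: bytes) -> bytes:
    return struct.pack(">HH", etype, len(data)) + data


def _key_share(group: int) -> bytes:
    # 65-byte uncompressed point placeholder; only the group id matters here.
    return _ext(EXT_KEY_SHARE, struct.pack(">HH", group, 65) + b"\x04" + bytes(64))


SM_TLS13 = build_server_hello(0x0303, 0x00C6, _ext(EXT_SUPPORTED_VERSIONS, b"\x03\x04") + _key_share(CURVE_SM2))
SM_TLCP = build_server_hello(TLCP_VERSION, 0xE013, record_version=TLCP_VERSION)
NON_SM = build_server_hello(0x0303, 0x1301, _ext(EXT_SUPPORTED_VERSIONS, b"\x03\x04") + _key_share(0x001D))
BAD_GROUP = build_server_hello(0x0303, 0x00C6, _ext(EXT_SUPPORTED_VERSIONS, b"\x03\x04") + _key_share(0x001D))

if __name__ == "__main__":
    for name, rec in (("SM_TLS13", SM_TLS13), ("SM_TLCP", SM_TLCP), ("NON_SM", NON_SM), ("BAD_GROUP", BAD_GROUP)):
        print(name, "->", classify(parse_server_hello(rec)))
```

Feed it the first server-to-client handshake record from a capture of your own endpoint. A result of "non-SM" on a deployment that is supposed to be SM-only usually means the client offered no SM suites and the server fell back; "MISMATCH" means the suite is right but the key exchange is not on curveSM2, which RFC 8998 forbids.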
Gateway security
AgentBay's network architecture places a unified secure access gateway and a stream gateway in front of the VPC in which sandboxes run. These gateways are the only trusted traffic entry points; sandbox VPC addresses are never exposed directly to the public network.
Secure access gateway and stream gateway: All access traffic must first pass through the secure access gateway and stream gateway. They isolate the sandbox VPC from the public network and are the key barrier against direct external attacks.
Web Application Firewall (WAF): WAF is deployed at the network edge to effectively identify and block common web attacks, such as SQL injection and cross-site scripting (XSS). This provides additional application-layer protection for APIs and services.
Environment security
The core value of AgentBay lies in the strongly isolated execution environment it provides for user code. AgentBay achieves isolation at the kernel, storage, and network levels through hardware virtualization, VPC networking, and fine-grained security group policies.
Kernel-level security assurance
AgentBay builds its sandbox environment on mature, enterprise-grade hardware virtualization. Each sandbox instance runs in its own virtual machine with an independent guest operating system kernel. Code executed within the sandbox that exploits a kernel-level vulnerability therefore compromises at most that guest kernel; reaching the host or another tenant's environment would additionally require breaking the hypervisor boundary, which is exactly what this architecture is designed to prevent. The result is strong isolation between sandboxes and between each sandbox and the underlying infrastructure.
AgentBay's Windows and Linux sandbox environments use Alibaba Cloud Workspace's proprietary component disk mechanism. This mechanism separates core runtime components from user data, ensuring the integrity of system components through hardware-level isolation. This design effectively prevents system anomalies caused by misoperations, software compatibility conflicts, or malware. It also supports quick restarts to restore the system to a normal state, ensuring continuous and stable service operation.
Storage-level security assurance
Each sandbox has a completely independent and isolated file system. This ensures that different sandboxes cannot access each other's file systems, effectively preventing cross-session data leakage. Combined with data-at-rest encryption and in-transit encryption mechanisms, this approach provides deep security protection at the storage layer.
Network-level security assurance
While providing public bandwidth to meet users' network access needs, AgentBay employs multiple security mechanisms to prevent attacks from both external and internal sources. It also supports fine-grained control over users' network access scope through security group policies and domain name control policies, meeting the network behavior management needs of enterprise office use cases.
Sandbox network isolation (isolated by default)
Sandboxes run within a security group that is automatically created with the workspace. Sandbox instances are not assigned public IP addresses and expose no ports to the public network. By default, the security group admits only ASP protocol traffic from the stream gateway and blocks all other inbound traffic, so attacks from the public network cannot reach the sandbox instances. This configuration is the sandbox's default security baseline and cannot be modified.
According to the default security group policy, different sandboxes are isolated from each other by default, and network communication between them is prohibited. This prevents malicious users from launching lateral movement from their own sandboxes and prevents risks from spreading through the internal network from a compromised sandbox. Administrators can configure rules for inter-sandbox access within the same workspace to enable internal network connectivity as needed. In this case, they should use the principle of least privilege and access control policies to strengthen network border protection and reduce potential security risks.
Security group control policies
The AgentBay console provides administrators with security group control policies to manage the network access permissions of sandboxes within an organization. This policy consists of a set of custom security group rules defined by the administrator. The rule structure is similar to that of Elastic Compute Service (ECS) security group rules. It supports configuring the direction (inbound or outbound), action (allow or deny), priority, protocol type, port range, authorization object (IP address or CIDR block), and rule description. By combining rules with different scopes and priorities, administrators can achieve fine-grained, whitelist-based network access control.
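Whitelist-based control with priorities has one classic failure mode: a broad allow that outranks the deny it was supposed to be bounded by. The following Python is an added example, not AgentBay or ECS code. It evaluates a flow against a rule set with exactly the fields listed above and includes a lint that finds deny rules shadowed by a broader, higher-priority allow. The evaluation order is an assumption modelled on ECS security groups (priority 1 is the highest and 100 the lowest; on a tie, deny beats allow; with no match the group default applies); confirm the exact semantics in the AgentBay console before relying on them. The rule sets and the 203.0.113.0/24 and 198.51.100.0/24 addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class SGRule:
    """One security group rule, with the fields the console exposes."""
    direction: str      # "in" or "out"
    action: str         # "allow" or "deny"
    priority: int       # assumed ECS-style: 1 is the highest priority, 100 the lowest
    protocol: str       # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str           # authorization object (IP address or CIDR block)
    description: str = ""

    def covers_ports(self, protocol: str, port: int) -> bool:
        if self.protocol not in (protocol, "all"):
            return False
        return self.protocol == "icmp" or self.port_from <= port <= self.port_to


def evaluate(rules, direction, protocol, port, remote_ip, default="deny"):
    """Decide one flow. Assumed semantics: among matching rules the smallest
    priority number wins; on a tie, deny beats allow; no match -> group default."""
    addr = ip_address(remote_ip)
    matches = [r for r in rules
               if r.direction == direction
               and r.covers_ports(protocol, port)
               and addr in ip_network(r.cidr, strict=False)]
    if not matches:
        return default, None
    best = min(matches, key=lambda r: (r.priority, 0 if r.action == "deny" else 1))
    return best.action, best


def shadowed_denies(rules):
    """Lint: deny rules that a broader allow with a stronger priority (smaller
    number) completely covers, so the deny can never take effect."""
    out = []
    for d in (r for r in rules if r.action == "deny"):
        for a in (r for r in rules if r.action == "allow" and r.direction == d.direction):
            if a.priority >= d.priority:
                continue                      # the deny wins or ties; not shadowed
            if a.protocol not in (d.protocol, "all"):
                continue                      # allow does not cover the deny's protocol
            if a.protocol != "icmp" and not (a.port_from <= d.port_from and d.port_to <= a.port_to):
                continue                      # allow does not cover the whole port range
            if ip_network(a.cidr, strict=False).supernet_of(ip_network(d.cidr, strict=False)):
                out.append(d)
                break
    return out


# Constructed policies. Intended shape: allow one destination, deny everything else.
WHITELIST = [
    SGRule("out", "allow", 1, "tcp", 443, 443, "203.0.113.0/24", "package mirror over HTTPS"),
    SGRule("out", "deny", 100, "all", 1, 65535, "0.0.0.0/0", "explicit default deny"),
]
# Misconfiguration: the broad allow outranks the deny that was meant to block a range.
SHADOWED = [
    SGRule("out", "allow", 1, "all", 1, 65535, "0.0.0.0/0", "too broad"),
    SGRule("out", "deny", 50, "tcp", 1, 65535, "198.51.100.0/24", "never reached"),
]

if __name__ == "__main__":
    print(evaluate(WHITELIST, "out", "tcp", 443, "203.0.113.10")[0])   # allow
    print(evaluate(WHITELIST, "out", "tcp", 80, "203.0.113.10")[0])    # deny
    for r in shadowed_denies(SHADOWED):
        print("shadowed deny:", r.description)
```

Run the lint over an exported rule set before applying it; a deny that the lint reports is dead configuration that gives a false sense of containment. Note also that the policy in this example only hardens egress: the inbound baseline described above (only ASP from the stream gateway) is fixed by the platform and is not something these rules can weaken.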
Domain name control policies
The AgentBay console provides network access control policies based on domain name granularity. It supports fine-grained management of network access permissions for sandboxes within an organization using DNS rules. Compared to security group policies, domain name control policies simplify rule configuration complexity significantly. You can control access to specific web sites and services by simply configuring domain names and access permissions (allow or deny). The policies support the wildcard character (*).
The rules for setting domain name controls are as follows:
You can set up to 300 rules. For multiple rules, the higher the rule is in the list, the higher its priority. You can adjust the order of the rules in the console.
If no rules are set, access to all domain names is allowed by default. To allow access to only a few specific domains, add a rule that denies access to "*" with the lowest priority.
This feature is currently only supported for sandboxes with a Windows operating system.
To ensure you can use AgentBay normally, AgentBay reserves the following domain names: *.gws.aliyun, *.aliyun.com, *.alicdn.com, *.aliyunpds.com, *.aliyuncds.com, and *.aliyuncs.com. Sandboxes are always allowed to access these domain names. These domain names are not constrained by DNS rules. Even if you set a policy to deny access to these domain names, the rule will not take effect in actual business operations.
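The rules above (ordered list, first match wins, at most 300 rules, reserved domains always reachable, unmatched domains allowed) are easy to get subtly wrong, most often by forgetting the trailing deny-* or by writing a deny that a reserved domain silently overrides. The following Python is an added example, not AgentBay code: an evaluator that reproduces those rules plus a lint for the mistakes that matter. The wildcard semantics are an assumption (shell-style, "*" may span dots, and "*.example.com" does not match the bare "example.com"); check them against the console's actual behaviour. The sample policy is constructed.

```python
import fnmatch

MAX_RULES = 300

# Reserved domains from the text: always reachable, never constrained by rules.
RESERVED = ("*.gws.aliyun", "*.aliyun.com", "*.alicdn.com",
            "*.aliyunpds.com", "*.aliyuncds.com", "*.aliyuncs.com")


def _norm(name: str) -> str:
    return name.strip().lower().rstrip(".")


def matches(pattern: str, host: str) -> bool:
    """Assumed wildcard semantics: shell-style, '*' spans any characters including
    dots, so '*.example.com' matches 'a.b.example.com' but not 'example.com'."""
    return fnmatch.fnmatchcase(_norm(host), _norm(pattern))


def decide(rules, host):
    """rules: ordered (pattern, action) pairs, action in {'allow', 'deny'}; the rule
    nearest the top of the list wins. Returns (action, reason)."""
    if len(rules) > MAX_RULES:
        raise ValueError(f"at most {MAX_RULES} rules are allowed")
    if any(matches(p, host) for p in RESERVED):
        return "allow", "reserved"            # DNS rules never apply to these
    for pattern, action in rules:
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action {action!r} for {pattern!r}")
        if matches(pattern, host):
            return action, pattern
    return "allow", "default"                 # no matching rule: access is allowed


def lint(rules):
    """Policy checks a reviewer would run before shipping an allowlist."""
    findings = []
    if rules and not any(p == "*" and a == "deny" for p, a in rules):
        findings.append("no trailing deny-* rule: unmatched domains are allowed")
    for pattern, action in rules:
        if action == "deny" and pattern != "*" and any(matches(pattern, r.replace("*", "x")) for r in RESERVED):
            findings.append(f"deny {pattern!r} does not apply to the reserved domains it covers")
    for i, (pattern, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if earlier == "*" or matches(earlier, pattern.replace("*", "x")):
                findings.append(f"rule {pattern!r} is shadowed by earlier {earlier!r}")
                break
    return findings


# Constructed sample: a development sandbox that may only reach a code host and PyPI.
ALLOWLIST = [
    ("*.github.com", "allow"),
    ("pypi.org", "allow"),
    ("files.pythonhosted.org", "allow"),
    ("*", "deny"),                            # lowest priority: blocks everything else
]

if __name__ == "__main__":
    for host in ("api.github.com", "github.com", "evil.example", "oss-cn-hangzhou.aliyuncs.com"):
        print(host, "->", decide(ALLOWLIST, host))
    print(lint([("*.github.com", "allow")]))
```

Two things this makes visible that the console does not: "github.com" itself is denied by the sample policy because "*.github.com" only matches subdomains, and a deny rule for any of the reserved domains is accepted but never enforced, so the lint flags it rather than letting it give a false sense of coverage.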
Direct connection via VPC
The platform supports tools that invoke sandbox resources directly within a VPC, so the entire tool-calling chain stays inside the VPC and is never exposed to the public network. This keeps the content of user tool calls off the public Internet.
Management security
The AgentBay management platform is built on a strict environment isolation architecture. It implements fine-grained isolation policies and access control mechanisms to ensure the security of management operations and the controllability of the resource lifecycle. Sandbox sessions are ephemeral by design. After a session times out or is proactively terminated, its runtime environment is automatically reclaimed and destroyed. This mechanism not only releases computing resources but also ensures that data in memory and temporary storage is completely purged. This effectively prevents user data residue and leakage, enhancing overall security.
Isolation policies
The management platform is designed to achieve tenant isolation, resource isolation, and session isolation. This means that the management operations and resource views of different tenants are completely independent. Even within the same tenant, different sessions are isolated from each other, ensuring security in multitasking scenarios.
Tenant isolation provides an isolated cloud space for the management operations of each tenant.
Resource isolation provides an isolated runtime environment for each resource accessed through the sandbox, such as browsers, sandboxes, cloud phones, and code environments. This prevents multiple users from accessing the same resource.
Session isolation isolates each session task executed in the sandbox. After a session is invoked, it is automatically destroyed after a timeout to prevent the risk of user data leakage from memory and disk.
Authentication system
API key and token management: When providing services externally, the platform supports the dynamic creation and deletion of temporary API keys and tokens. This ensures that programmatic access is secure and controllable.
Security Center
The Security Center integrated with AgentBay is a unified security management platform that provides real-time security threat identification, analysis, and alerts. It has core security capabilities such as anti-ransomware, anti-virus, tamper-proofing, and compliance checks. It supports an automated security operations loop for threat detection, response, and source tracing. It comprehensively protects cloud assets and on-premises hosts and meets regulatory compliance requirements. This platform provides support for basic security scenarios such as operating system vulnerability detection, host virus detection, and trojan scans.
Combined with Alibaba Cloud's SASE capabilities, AgentBay further enhances user application and data security. It provides multiple advanced mitigation features, including data loss prevention (DLP), such as sensitive content identification, network outbound behavior auditing, high-risk application behavior auditing, email outbound behavior auditing, and auditing of peripheral device and abnormal file distribution behavior. It also supports endpoint detection and response (EDR), which covers risk software management, internal firewall, disk backup and file protection, security alerts, and virus and trojan scans. In addition, it provides network access control based on domain name blacklists and whitelists and categorization, along with application-layer control capabilities, including pirated software scanning and application blacklist and whitelist management. For more information, see the best practice topics.
Agent security
For any enterprise, data and the AI agents that operate on it are critical assets. AgentBay treats data and agent security as core design principles and provides protection mechanisms throughout the lifecycle. For the agent services that AgentBay provides, the platform can moderate the content of the AI agent's interactions.
Content Moderation (Green Web) integration
The interaction content between the agent and the user, including input prompts and model-generated results, can be connected in real time to the Alibaba Cloud Content Moderation (Green Web) service. This service identifies and automatically blocks illegal content such as pornography, politically sensitive content, and advertisements, and retains evidence of the risks so that the interaction process remains secure and compliant.
Session memory isolation
The platform supports memory isolation between multiple sessions within a single tenant. The context and history of one agent session will not be leaked to another session, effectively ensuring user privacy in multitasking scenarios.