Shared responsibility model

更新时间:
复制 MD 格式

In the hosted cluster architecture of Container Compute Service (ACS), security compliance must follow the principle of shared responsibility. ACS secures the cluster infrastructure and control plane components. Learn about the shared responsibility model for ACS.

Terms

This topic uses the following terms:

  • Platform: the ACS console.

  • Customer: a customer of ACS.

Security responsibility principles

ACS is a serverless platform that fully hosts resources. The following principles define the security boundary between Alibaba Cloud and customers.

1. Responsibilities of Alibaba Cloud

Alibaba Cloud ensures the security and reliability of the serverless platform, including infrastructure security, secure data storage and processing, and customer data confidentiality. Alibaba Cloud maintains compliance of infrastructure, management, and security practices, protects customer applications from attacks, and guarantees data privacy and integrity.

2. Customer responsibilities

Customers ensure the security of their serverless applications, including data security, access control, code security, and code auditing. Customers must implement authentication and authorization to restrict access to authorized individuals or teams. Key principles:

  • Customer-initiated risks: Customers are liable for business interruptions caused by deploying pods with potential security risks or excessive authorization.

  • Requested container privileges: The platform disables features that may compromise container stability and security, such as privileged mode and capabilities. Customers can request these features, but are liable for any resulting issues, such as lateral attacks on other pods in the cluster.

3. Co-managed resource security

Some platform resources, such as pod security groups created by customers, are co-managed by Alibaba Cloud and customers. Ideally these resources are fully hosted on Alibaba Cloud, but customers may want to manage them. The following principles apply:

  • Each party owns its risks. If a customer deploys risky pods or uses malware-injected images, the customer is liable for resulting failures. Alibaba Cloud guarantees that all ACS-managed pods do not have potential risks and do not affect customer workloads.

  • Both parties follow the least privilege principle. If a customer over-exposes resources to public access, the customer is liable for any resulting attacks. Alibaba Cloud ensures that ACS pod security groups are not over-exposed and that no container escape risk exists in customer pods.

Security requires both Alibaba Cloud and customers to fulfill their responsibilities. Alibaba Cloud ensures infrastructure security and compliance. Customers ensure application and data security. For shared responsibilities, Alibaba Cloud proactively mitigates risks and provides serverless services with enhanced security.

Responsibility model overview

Understand the responsibility boundary between Alibaba Cloud and customers before you design and deploy your systems. Alibaba Cloud hosts ACS cluster infrastructure and secures the runtime environment and components. The following diagram illustrates the responsibilities of each party in the ACS serverless architecture.

image

1. Responsibilities of Alibaba Cloud

On the control plane side, Alibaba Cloud enhances the security of control plane components in ACS clusters based on common security standards such as CIS Kubernetes Benchmarks and guarantees the security of the lifecycle of cloud-native applications based on Security system overview. The following table describes Alibaba Cloud security responsibilities.

Security item

Description

Infrastructure security

  • Kubernetes continuous updates and CVE vulnerability patching.

  • Kubernetes access control, network isolation (such as VPCs or inter-VPC tunnels), and storage isolation.

Security of elastic computing resource pools

  • Sandbox technology for container OSs.

  • Vulnerability advisories and patches for node OSs.

Security of control plane components and hosted components

Cluster authentication, certificate management, Secret management, port exposure assessment, VPC isolation, and security group configuration.

Security of non-hosted components and charts in the marketplace

Standardizes key configurations for security.

2. Customers

On the data plane side, the security O&M engineers of customers must ensure the security of applications deployed on the cloud and are responsible for the security configuration and updates of cloud resources. The following table describes customer security responsibilities.

Security item

Description

Application security

  • Ensure the security of application artifact supply chains and runtimes.

  • Encrypt sensitive data, including data in transit and data at rest, and use disk encryption.

  • Follow the least privilege principle when granting permissions and assigning roles.

  • Use Cloud Security application-level protection services to identify and mitigate risks promptly.

  • Apply the least privilege principle when creating containers. Avoid requesting excessive privileges.

O&M security

Manage network, storage, and observability configurations for business workloads.

Business component security

Strictly limit operator and webhook business logic to prevent compromising the security of other applications.

Security of non-hosted components and charts in the marketplace

  • Install patches recommended by Alibaba Cloud in notices promptly.

  • Follow security best practices when configuring parameters to prevent improper settings or authorization exploitable by attackers.