Best practices for detecting risks in default cloud platform and product configurations


Learn how to identify and mitigate security risks that arise from default configurations of cloud platform resources.

Review common cloud products and their usage

List and classify the cloud product resources activated for your Alibaba Cloud account, and investigate how they are used. From a security perspective, focus on whether a service uses public or private network access, shared or dedicated resources, and the type and importance of data it processes and stores. This helps you tailor risk recommendations in future security assessments to each product's actual application scenario.

Classify your cloud resources as follows:

| Resource category | Examples | Usage | Involves important data? |
|---|---|---|---|
| Network | SLB, EIP, VPC, CEN... | Private and public network access | No |
| Database and storage | RDS, OSS | Private and public network access | Yes |
| Compute | ECS, ACK | Private network access | Yes |
| Security | WAF, Cloud Firewall (CFW) | Public network access | No |

Select security assessment standards

Security assessment standards for cloud platforms and services consist of two layers: baselines and policies. A policy is a detection method used to satisfy one or more baseline items. Although detection policies differ slightly from one cloud platform to another, they can all be mapped to the same baseline, so a single baseline drives the platform-specific detection policies. This is the approach most multicloud customers take.

Recommended baseline templates include the following:

  • ISO 27001

  • Alibaba Cloud Security Best Practices

Combine the recommended baseline templates with your business requirements. For example, the finance industry can add baselines such as the Payment Card Industry Data Security Standard (PCI DSS), classified protection, and General Data Protection Regulation (GDPR). This creates a unified security assessment baseline tailored to your cloud environment.

Use tools to automatically scan for configuration risks

After you establish a security assessment baseline, use policies to check whether the necessary security controls are enabled. The detection results provide an overall security risk assessment and recommendations for your cloud platform.

  • Use the Cloud Security Posture Management feature of Security Center to check default configurations and security controls for your Alibaba Cloud account.

  • View the detection policies in the cloud platform configuration checklist. These policies cover identity and permission management, cloud product configuration best practices, and compliance.

Set a security score for cloud resources

Use a quantitative security score system to assess the overall security risk of your cloud resources. The score reflects the completeness of your security controls against the assessment baseline. In a multi-account architecture, the security score also helps you manage the secure use of cloud resources across business teams.

After you run an automated scan with the cloud platform configuration check feature in Security Center, a score is calculated based on the pass rate of your subscribed assets. You can view the details of each policy, its associated assets, and accounts. For more information, see the security score feature in Security Center.
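To make the classification and scoring steps concrete, the following added example (not Security Center's own code) evaluates a constructed resource inventory, classified as in the table above, against a constructed set of baseline policies and computes an integer pass-rate score overall and per account. The inventory, the policy set and the scoring formula are all assumptions.

```python
from dataclasses import dataclass

# Added example, not Security Center code: inventory, policies and formula are assumptions.
@dataclass(frozen=True)
class Resource:
    account: str         # Alibaba Cloud account / business team
    category: str        # network, database_storage, compute or security
    name: str
    public_access: bool  # reachable from the public network?
    important_data: bool
    encrypted: bool

# Constructed baseline: (policy id, applies-to predicate, pass predicate).
POLICIES = [
    ("db-no-public-endpoint", lambda r: r.category == "database_storage",
     lambda r: not r.public_access),
    ("important-data-encrypted", lambda r: r.important_data,
     lambda r: r.encrypted),
    ("compute-private-only", lambda r: r.category == "compute",
     lambda r: not r.public_access),
]

def evaluate(resources):
    """Return (policy id, resource, passed) for every applicable check."""
    return [(pid, r, ok(r)) for pid, applies, ok in POLICIES
            for r in resources if applies(r)]

def score(results):
    """Integer pass rate 0-100 (assumed formula); 100 when nothing applies."""
    if not results:
        return 100
    return 100 * sum(1 for _, _, ok in results if ok) // len(results)

def scores_by_account(resources):
    """Per-account scores for tracking cloud usage across business teams."""
    results = evaluate(resources)
    return {a: score([x for x in results if x[1].account == a])
            for a in sorted({r.account for r in resources})}

def failing_checks(resources):  # (policy id, resource name) pairs needing remediation
    return sorted((pid, r.name) for pid, r, ok in evaluate(resources) if not ok)

# Constructed inventory classified as in the table above.
INVENTORY = [
    Resource("team-a", "network", "slb-web", True, False, False),
    Resource("team-a", "database_storage", "rds-orders", True, True, True),
    Resource("team-a", "compute", "ecs-app-01", False, True, True),
    Resource("team-b", "database_storage", "oss-backups", True, True, False),
    Resource("team-b", "compute", "ecs-batch", False, True, True),
]
```

With this inventory the overall score is 62 while team-a scores 75 and team-b 50, which shows why a per-account breakdown is more actionable than the aggregate number alone.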

Track risks and perform regular assessments

Perform regular risk assessments of your cloud service environment. Cloud resources have shorter lifecycles than traditional Internet Data Center (IDC) resources, and each change can introduce new security risks. Follow the best practices in this topic to create a regular assessment plan. Use the security score to track the security risk level of your Alibaba Cloud services.