Workload security
Protect cloud workloads — VMs and containers — by inventorying assets, managing vulnerabilities, enabling runtime defense, and scheduling regular inspections.
A cloud workload is a set of capabilities — servers, virtual machines (VMs), containers, networks, or databases — that support your IT systems. VMs and containers are the most common workload environments.
To effectively protect your VMs and containers:
- Identify workloads and maintain an inventory of asset fingerprints.
- Identify and manage vulnerabilities.
- Establish runtime protection.
- Schedule regular security inspections.
Identify and inventory basic asset security information
Before implementing security measures, inventory your cloud assets and their security-related attributes. Asset fingerprints keep this information current.
Focus on the following types of asset fingerprints:
| Asset fingerprint | Purpose | Security-related actions |
| --- | --- | --- |
| Basic server information | Collects server attributes (region, network access, protection status) to assess exposure risk. | |
| Account | Tracks privileged and standard accounts on the server. | During incident investigation, check whether new accounts were created before or after an event to trace the attack. |
| Port | Tracks open ports and their associated network protocols and processes on the server. | Analyze and reduce port exposure. Centrally manage policies for externally exposed ports and use them for monitoring. |
| Process | Tracks processes created on the server. | Review process path, start time, and launch parameters to identify malicious processes such as backdoor implants. |
| Middleware | Tracks application middleware deployed on the server. | When a high-risk middleware vulnerability is disclosed, use this data to count affected deployments and prioritize remediation. |
| Scheduled task | Tracks scheduled task commands and execution accounts. | Check for unauthorized commands or execution accounts to detect adversary persistence. |
| Startup item | Tracks startup item paths and their corresponding servers. | Analyze startup items to trace the source of an attack. |
Automate asset information collection and analysis. This helps you determine incident severity, understand attack paths, and decide response actions.
Best practices
To inventory asset and security information:
- Select a collection method and frequency. Use agent-based collection rather than network scanning.
- Organize and store the collected asset fingerprints based on the seven categories outlined in the table above.
- During a security incident or emergency response, review asset fingerprint updates for suspicious accounts, processes, scheduled tasks, or open high-risk ports.
Use Alibaba Cloud Security Center to automatically collect asset fingerprints and display them visually. Logs are stored in Simple Log Service (SLS), where you can configure alerts or use them for event context.
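The incident-time review described above can be reduced to a diff between a known-good fingerprint snapshot and the current one. The following is an added example, not Security Center code or its data format: the snapshot layout, the `HIGH_RISK_PORTS` list, the `review` function, and the sample values are all assumptions constructed for illustration.

```python
from datetime import datetime

# Assumed policy list of ports treated as high risk when newly exposed.
HIGH_RISK_PORTS = {22, 23, 445, 3389, 6379}

# Constructed snapshots for one server: last known-good vs. during the incident.
BASELINE = {
    "accounts": {"root": "2023-01-10T08:00:00", "deploy": "2023-02-01T09:30:00"},
    "ports": {(443, "tcp", "nginx")},
    "tasks": {("/usr/local/bin/backup.sh", "deploy")},
}
CURRENT = {
    "accounts": {**BASELINE["accounts"], "svc_tmp": "2024-05-03T02:14:00"},
    "ports": BASELINE["ports"] | {(6379, "tcp", "redis-server")},
    "tasks": BASELINE["tasks"] | {("/tmp/.x/run.sh", "root")},
}


def review(baseline, current, incident_time, window_hours=24):
    """Return (category, item, detail, priority) for everything new since baseline."""
    t0 = datetime.fromisoformat(incident_time)
    findings = []
    # New accounts: report whether creation was before or after the event,
    # and prioritise those created within the window around it.
    for name, created in current["accounts"].items():
        if name in baseline["accounts"]:
            continue
        hours = (datetime.fromisoformat(created) - t0).total_seconds() / 3600
        when = "before" if hours < 0 else "after"
        findings.append(("account", name, f"created {when} event",
                         abs(hours) <= window_hours))
    # Newly opened ports: prioritise those on the high-risk list.
    for port, proto, proc in sorted(current["ports"] - baseline["ports"]):
        findings.append(("port", f"{port}/{proto}", proc, port in HIGH_RISK_PORTS))
    # New scheduled tasks: prioritise those running as a privileged account.
    for cmd, user in sorted(current["tasks"] - baseline["tasks"]):
        findings.append(("task", cmd, f"runs as {user}", user == "root"))
    return findings


if __name__ == "__main__":
    for finding in review(BASELINE, CURRENT, "2024-05-03T03:00:00"):
        print(finding)
```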
Asset vulnerability management
Vulnerabilities are among the most exploited weaknesses in cyberattacks. Cloud vulnerability management reduces risk exposure and improves security posture.
Create a vulnerability management plan covering detection cycles, evaluation criteria, remediation responsibilities, and emergency response.
Recommendations for vulnerability management:
| Vulnerability management item | Recommendations |
| --- | --- |
| Vulnerability detection plan | |
| Vulnerability evaluation criteria | |
| Vulnerability remediation process | Base the decision to remediate a vulnerability on the impact of the fix and the scheduled business maintenance window. |
| Responsibilities for remediation | Typically, the security team is responsible for monitoring and assessing the risk, impact, and severity of vulnerabilities, and for notifying the business team to perform the remediation. |
| Vulnerability emergency plan | You must have an emergency plan for high-risk or 0-day vulnerabilities to enable a rapid response before official remediation guidance is available. |
Under the shared responsibility model, Alibaba Cloud is responsible for the security of the cloud platform and patching its vulnerabilities. You are responsible for security in the cloud, including managing vulnerabilities in your workloads.
Best practices
For ECS instances and containerized deployments, image security is critical at scale. Without governance, business units may build images arbitrarily, creating inconsistent security baselines.
Adopt a golden image strategy: build and manage images in a central shared account, enforce security standards, and restrict which image IDs application accounts can use. Use resource sharing and automation to distribute images across regions and accounts.
Use Security Center to regularly scan your images for one-stop runtime environment security management.
For active workloads, Security Center provides robust vulnerability management capabilities.
- Use Security Center vulnerability management to discover cloud assets automatically. Configure a scanning task for automated detection.
- Review risk levels. Security Center scores and prioritizes vulnerabilities based on risk level, exploitability, and exposure time.
- Use one-click remediation for OS vulnerabilities. Review repair notes and create a snapshot before patching to enable rollback.
- For application vulnerabilities, view remediation suggestions, details, and impact scope in Security Center. One-click remediation is not available for application vulnerabilities.
- For container image vulnerabilities, use Security Center to scan the images for vulnerabilities and other weaknesses.
- Address emergency vulnerabilities using Security Center's self-check feature. The Alibaba Cloud security team provides intelligence on high-risk and 0-day vulnerabilities. Security Center detects affected servers and can integrate with firewall virtual patching for rapid defense.
- Automate remediation by using Task Hub to create scheduled vulnerability-fixing tasks. You can target specific types, severity levels, or server groups. For more information, see Task hub in Security Center.
Runtime protection
Runtime protection deploys a security agent in your server or container environment to provide threat detection, analysis, and response.
Understand these runtime threats to implement appropriate defenses:
| Runtime threat | Risk |
| --- | --- |
| Virus/Trojan | A Trojan is a program designed to infiltrate a user's server. Once disguised and implanted in a system, it typically downloads and drops other malware. |
| Ransomware | Ransomware is a malicious program that encrypts all critical data files on a server to demand a ransom. |
| Malicious modification | An upstream process attempts to move a system file. This may indicate an attacker trying to bypass detection logic by moving a system file monitored by security software. |
| Backdoor | This alert indicates a suspicious WebShell file, which could be a backdoor file an attacker implanted to maintain access after a successful website intrusion. |
| Abnormal logon | Two user logons occur on the server in a short time from distant locations, one being your usual logon location. This pattern suggests an account compromise. |
| Brute-force attack | An IP address successfully logs into a server after multiple failed attempts with invalid usernames. |
| Miner pool communication | The server is communicating with a known miner pool IP address. An attacker may have compromised your server for crypto-mining. |
| Internal network lateral movement | This alert indicates abnormal internal network connections. This could be an attacker moving laterally within your internal network after compromising a server. |
| Malicious script execution | A malicious Bash, PowerShell, Python, or other script is executing on the server. |
| Worm | A worm is a program that spreads from a compromised server to attack other servers. It often involves behaviors like vulnerability exploitation and brute-force attacks. |
| Suspicious privileged container | A suspicious privileged container starts. Privileged containers reduce the runtime security of a container, and a breach could compromise other containers and assets on the host. |
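The brute-force condition in the table (a successful logon from an IP address after multiple failures against invalid usernames) can be expressed as a small detection over SSH authentication logs. This is an added example, not Security Center's detection logic: it assumes OpenSSH-style password authentication messages with ISO timestamps, and the threshold, time window, function name, and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in OpenSSH sshd message style (ISO timestamps, documentation IPs).
SAMPLE_LOG = """\
2024-05-03T02:10:01 web01 sshd[811]: Failed password for invalid user admin from 203.0.113.7 port 40001 ssh2
2024-05-03T02:10:05 web01 sshd[812]: Failed password for invalid user test from 203.0.113.7 port 40002 ssh2
2024-05-03T02:10:09 web01 sshd[813]: Failed password for invalid user oracle from 203.0.113.7 port 40003 ssh2
2024-05-03T02:10:30 web01 sshd[814]: Accepted password for root from 203.0.113.7 port 40004 ssh2
2024-05-03T09:00:02 web01 sshd[901]: Failed password for deploy from 198.51.100.20 port 51000 ssh2
2024-05-03T09:00:15 web01 sshd[902]: Accepted password for deploy from 198.51.100.20 port 51001 ssh2
"""

LINE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def detect_bruteforce_success(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return (ip, user, timestamp, failures) for each successful logon preceded by
    at least `threshold` invalid-username failures from the same IP within `window`."""
    failures = defaultdict(list)  # source IP -> times of invalid-username failures
    alerts = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        ts, ip = datetime.fromisoformat(m["ts"]), m["ip"]
        if m["result"] == "Failed":
            if m["invalid"]:  # count only attempts against nonexistent users
                failures[ip].append(ts)
            continue
        recent = [t for t in failures[ip] if ts - t <= window]
        if len(recent) >= threshold:
            alerts.append((ip, m["user"], m["ts"], len(recent)))
        failures[ip].clear()  # a success starts a new observation period
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(SAMPLE_LOG):
        print(alert)
```

The second source address in the sample mistypes a password for a valid account once and then logs on, so it raises no alert.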
Best practices
Security Center is Alibaba Cloud's native workload protection service (see What is Security Center?). The Security Center Agent is installed by default when you create an ECS instance.
Security Center provides real-time protection for servers, containers, and other cloud products:
- Enable runtime protection. Select the security hardening option when creating an ECS instance to auto-deploy the Security Center Agent. Then activate features based on your protection needs.
- Enable anti-virus scanning. Configure a scanning policy for all or specific servers and set a schedule. For more information, see Anti-virus.
- Enable anti-ransomware protection. Configure anti-ransomware to detect threats, deploy decoy directories, and back up critical data. For more information, see Anti-ransomware.
- Enable host defense. Configure rules to block abnormal host behavior, such as brute-force attacks or suspicious processes. For more information, see Host rule management.
- Enable container defense. Block unscanned images from starting and enable container file protection. For more information, see Container active defense.
- Review runtime security alerts. Security Center categorizes alerts by the ATT&CK framework for intuitive attack path visibility. For more information, see Security alerts.
Perform regular security inspections
Security is continuous and adversarial. Regularly inspect your workload security posture through defined policies.
- Create an inspection plan. Define a schedule and assign responsibilities based on system importance and risk exposure.
- Define inspection content. Verify agent coverage on all assets. Check workload security posture, vulnerability status, patch status, and security event resolution.
- Automate inspections. Use automated tools for regular checks. Set monitoring metrics to help security teams extract signal from alert volumes.