IDaaS CIAM secures external user identity management through layered network controls: multi-zone deployment with independent Virtual Private Cloud (VPC) isolation at the infrastructure level, Distributed Denial of Service (DDoS) and Web Application Firewall (WAF) protection at the perimeter, host-level security on every service node, and Transport Layer Security (TLS)-encrypted transmission for all data in transit. This topic covers the network security architecture, protection mechanisms, access controls, and compliance certifications for IDaaS CIAM.
## Network security architecture

### Deployment architecture

IDaaS CIAM uses Alibaba Cloud's multi-zone deployment to achieve high availability and disaster recovery:

- ALB/CLB multi-zone load balancing: Traffic is distributed across multiple zones using Application Load Balancer (ALB) or Classic Load Balancer (CLB), with backend microservices running on Elastic Compute Service (ECS) instances in separate zones.
- Independent VPC isolation: IDaaS CIAM runs in a dedicated VPC on Alibaba Cloud, using tunnel technology for data-link layer isolation.
### Active-active disaster recovery

IDaaS CIAM provides active-active disaster recovery for catastrophic events:

- Core components, including Distributed Relational Database Service (DRDS) and Relational Database Service (RDS), run high-availability configurations with primary and secondary instances distributed across different zones, supporting minute-level failover.
## Network security protection

### Host security

All IDaaS CIAM services run on Alibaba Cloud ECS and integrate with Security Center for host-level protection:
| Capability | What it does |
|---|---|
| Intrusion detection | Monitors abnormal login behavior and malicious process execution in real time. |
| Vulnerability scanning | Scans operating system and application vulnerabilities on a regular schedule and provides remediation recommendations. |
| Virus protection | Runs a built-in antivirus engine to prevent malware propagation. |
### Data transmission security

#### Encryption protocols

All communication between clients and servers uses strong encryption:

- TLS 1.2 and above: Every connection negotiates TLS 1.2 or later to encrypt data in transit; older protocol versions are not accepted.
- HTTPS: All API requests and user access go through HTTPS, with no plaintext transmission.
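As an added illustration (not code from IDaaS CIAM or Alibaba Cloud), the Python below shows what "TLS 1.2 and above, no plaintext" looks like from a client that integrates with the service, together with a small check over constructed handshake log lines that flags any connection negotiated below TLS 1.2. The log line format, the example hostnames and the client-side minimum-version setting are assumptions; the service's own server configuration is not published on this page.

```python
import re
import ssl

# Protocol versions that satisfy "TLS 1.2 and above".
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}


def build_client_context() -> ssl.SSLContext:
    """Client TLS context that refuses TLS 1.0/1.1 and verifies the server certificate.

    Assumption: this is how a client talking to IDaaS CIAM should be configured;
    the service's own server-side settings are not on this page.
    """
    ctx = ssl.create_default_context()  # CERT_REQUIRED + hostname checking by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def enforce_https(url: str) -> str:
    """Fail closed on plaintext endpoints instead of silently rewriting them."""
    if not url.lower().startswith("https://"):
        raise ValueError(f"plaintext transport not allowed: {url}")
    return url


# Constructed sample handshake log (not real IDaaS output); proto= is the negotiated version.
SAMPLE_HANDSHAKE_LOG = """\
2024-05-01T10:00:01Z client=203.0.113.10 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 sni=login.example.com
2024-05-01T10:00:02Z client=203.0.113.11 proto=TLSv1.1 cipher=ECDHE-RSA-AES128-SHA sni=login.example.com
2024-05-01T10:00:03Z client=198.51.100.7 proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 sni=api.example.com
2024-05-01T10:00:04Z client=198.51.100.8 proto=TLSv1 cipher=AES128-SHA sni=api.example.com
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) proto=(?P<proto>\S+) cipher=(?P<cipher>\S+)")


def find_downlevel_handshakes(log_text: str) -> list:
    """Return the parsed fields of every handshake negotiated below TLS 1.2."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("proto") not in ALLOWED_PROTOCOLS:
            findings.append(m.groupdict())
    return findings


if __name__ == "__main__":
    ctx = build_client_context()
    print("minimum TLS version:", ctx.minimum_version.name)
    for finding in find_downlevel_handshakes(SAMPLE_HANDSHAKE_LOG):
        print("down-level handshake:", finding)
```

The log check is the useful half for operations: a gateway that claims "TLS 1.2 and above" should produce zero findings, so any hit is either a misconfigured listener or a client that deserves a closer look.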
### IP access control

IDaaS CIAM supports flexible IP-based access policies:

- Whitelist and blacklist: Restrict or deny access from specific IP address ranges by configuring whitelists or blacklists.
- Anomaly detection: The system monitors access behavior in real time. When anomalous activity is detected, it automatically triggers secondary authentication or account lockout.
## Identity authentication and authorization

### Multi-factor authentication (MFA)

IDaaS CIAM supports Multi-Factor Authentication (MFA) driven by dynamic environmental factors. When any signal indicates abnormal behavior, the system initiates secondary authentication to confirm the user's identity before granting access.
| Signal | Trigger condition | Response |
|---|---|---|
| IP address | Access from an unrecognized IP range | Secondary authentication required |
| Login location | Geographic location differs from typical pattern | Secondary authentication required |
| Device | Login from an unrecognized device | Secondary authentication required |
| Access time | Login outside normal usage hours | Secondary authentication required |
These are among the core parameters monitored; additional environmental factors may also trigger secondary authentication.
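The IP access control section and the signal table above describe one decision pipeline: static allow/deny lists first, then risk signals that either step up to secondary authentication or, after repeated failures, lock the account. The Python below is an added example of that pipeline, not IDaaS CIAM's own logic. The baseline fields, the CIDR ranges, the lockout threshold and the rule "any single deviating signal triggers step-up" are assumptions chosen to match the table; how the product actually learns a user's baseline is not on this page.

```python
import ipaddress
from dataclasses import dataclass, field


def _in_any(ip: str, cidrs) -> bool:
    """True if ip falls inside any of the CIDR ranges (IPv4 or IPv6)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


@dataclass
class IpPolicy:
    """Static allow/deny lists, evaluated before any risk signal is considered."""
    allow: list = field(default_factory=list)  # empty allow list means "no restriction"
    deny: list = field(default_factory=list)

    def decision(self, ip: str) -> str:
        if _in_any(ip, self.deny):
            return "deny"
        if self.allow and not _in_any(ip, self.allow):
            return "deny"
        return "allow"


@dataclass
class UserBaseline:
    """What 'normal' looks like for one user (assumed to be learned from past logins)."""
    known_networks: list
    known_locations: set
    known_devices: set
    active_hours: range  # local hours in which logins are usual, e.g. range(8, 20)


@dataclass
class LoginContext:
    ip: str
    location: str
    device_id: str
    hour: int


def risk_signals(ctx: LoginContext, base: UserBaseline) -> list:
    """Return the names of the table's signals that deviate from the baseline."""
    signals = []
    if not _in_any(ctx.ip, base.known_networks):
        signals.append("ip")
    if ctx.location not in base.known_locations:
        signals.append("location")
    if ctx.device_id not in base.known_devices:
        signals.append("device")
    if ctx.hour not in base.active_hours:
        signals.append("time")
    return signals


class LockoutTracker:
    """Counts failed secondary-authentication attempts and locks after a threshold."""

    def __init__(self, threshold: int = 5):
        self.threshold = threshold
        self.failures = {}

    def record_failure(self, user: str) -> bool:
        self.failures[user] = self.failures.get(user, 0) + 1
        return self.is_locked(user)

    def is_locked(self, user: str) -> bool:
        return self.failures.get(user, 0) >= self.threshold


def evaluate_login(user, ctx, policy, base, lockouts) -> tuple:
    """Return (decision, signals) where decision is 'deny', 'step_up' or 'allow'."""
    if lockouts.is_locked(user) or policy.decision(ctx.ip) == "deny":
        return ("deny", [])
    signals = risk_signals(ctx, base)
    if signals:
        return ("step_up", signals)
    return ("allow", [])


# Constructed sample policy and baseline (documentation ranges, not real addresses).
POLICY = IpPolicy(deny=["192.0.2.0/24"])
BASELINE = UserBaseline(known_networks=["203.0.113.0/24"], known_locations={"Hangzhou"},
                        known_devices={"dev-a1"}, active_hours=range(8, 20))

if __name__ == "__main__":
    tracker = LockoutTracker(threshold=3)
    for ctx in (LoginContext("203.0.113.5", "Hangzhou", "dev-a1", 10),
                LoginContext("198.51.100.9", "Hangzhou", "dev-a1", 10),
                LoginContext("203.0.113.5", "Berlin", "dev-zz", 3),
                LoginContext("192.0.2.7", "Hangzhou", "dev-a1", 10)):
        print(ctx.ip, evaluate_login("alice", ctx, POLICY, BASELINE, tracker))
```

The ordering matters: a denied IP range never reaches the risk engine, so a blacklisted source cannot "earn" a step-up prompt, and a locked account is refused before any signal is recomputed.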
### API access authorization

IDaaS CIAM enforces two levels of API authorization to prevent unauthorized access:
| Level | Security level | Controls |
|---|---|---|
| Application type | Higher | Which APIs an application can call (for example, login, registration, and sending verification codes) |
| User type | Lower | Which self-service actions users can take (for example, changing phone numbers, changing email addresses, and deregistering accounts) |
API scopes define custom permission ranges for each application, preventing cross-application unauthorized access.
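The two levels in the table compose naturally into a single authorization check: the application's granted scopes gate which APIs it may call at all, and user-type actions additionally require that the caller is acting on their own account. The Python below is an added example of such a check that also writes the per-call audit record the "Data privacy protection" section describes. It is not IDaaS CIAM's code; the scope names, the application registry and the audit record layout are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Constructed scope catalogue; the real IDaaS CIAM scope names are not on this page.
APPLICATION_APIS = {"auth:login", "auth:register", "auth:send_code"}
USER_SELF_SERVICE = {"user:change_phone", "user:change_email", "user:deregister"}


class Authorizer:
    """Two-level check: application scope first, then user self-service ownership."""

    def __init__(self, app_registry: dict):
        self.app_registry = app_registry  # app_id -> set of scopes granted to that application
        self.audit_log = []               # JSON lines; stand-in for a persisted audit trail

    def _audit(self, **entry):
        entry["ts"] = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(json.dumps(entry, sort_keys=True))

    def authorize(self, app_id: str, action: str, actor_user=None, target_user=None) -> bool:
        granted = self.app_registry.get(app_id, set())
        if action in APPLICATION_APIS:
            # Level 1 (application type): may this application call the API at all?
            allowed = action in granted
            reason = "app_scope" if allowed else "app_scope_missing"
        elif action in USER_SELF_SERVICE:
            # Level 2 (user type): the application needs the scope AND the user
            # may only act on their own account.
            if action not in granted:
                allowed, reason = False, "app_scope_missing"
            elif actor_user is None or actor_user != target_user:
                allowed, reason = False, "not_account_owner"
            else:
                allowed, reason = True, "self_service"
        else:
            allowed, reason = False, "unknown_action"  # fail closed on anything unlisted
        self._audit(app=app_id, action=action, actor=actor_user,
                    target=target_user, allowed=allowed, reason=reason)
        return allowed

    def denied_entries(self) -> list:
        """Audit entries for denied calls, as dicts, for reviewers and alerting."""
        return [e for e in map(json.loads, self.audit_log) if not e["allowed"]]


# Constructed registry: a web app with broad scopes and a kiosk app limited to login.
REGISTRY = {
    "app-web": {"auth:login", "auth:register", "auth:send_code", "user:change_phone"},
    "app-kiosk": {"auth:login"},
}

if __name__ == "__main__":
    az = Authorizer(REGISTRY)
    az.authorize("app-kiosk", "auth:register")
    az.authorize("app-web", "user:change_phone", actor_user="u1", target_user="u2")
    for line in az.audit_log:
        print(line)
```

Both allowed and denied calls are logged, because the denied ones are what an investigator needs when checking whether an application tried to reach beyond its scope or a user tried to act on someone else's account.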
## Security compliance

### Compliance certifications

IDaaS CIAM holds the following security certifications:
| Certification | Scope |
|---|---|
| Classified Protection Level 3 | China's Classified Protection of Cybersecurity 2.0, Level 3, issued by the Ministry of Public Security |
| ISO 27001 | Information security management system |
| ISO 27018 | Protection of personally identifiable information in public cloud environments |
| PCI DSS | Payment Card Industry Data Security Standard for sensitive payment data |
To request certification documentation or verify compliance status, contact the IDaaS product team.

### Data privacy protection

IDaaS CIAM includes built-in mechanisms to help meet the requirements of the Personal Information Protection Law and the Data Security Law:

- AES-256 encryption: All sensitive data is encrypted at rest using the AES-256 algorithm.
- Audit log: Operation logs for all users and administrators are recorded, providing full transparency and traceability for data processing activities.

To learn more about IDaaS CIAM's network security capabilities or to obtain a private deployment solution, contact the IDaaS product team.