Security white paper


Legal disclaimer

Alibaba Cloud reminds you to carefully read and fully understand the terms and conditions of this legal disclaimer before you read or use this document. By using this document, you accept this disclaimer in its entirety.

  1. You may download this document only from the Alibaba Cloud website or other channels authorized by Alibaba Cloud, and you may use it only for your own lawful and compliant business activities. The content of this document is confidential information of Alibaba Cloud. You must strictly abide by your confidentiality obligations. Without prior written consent from Alibaba Cloud, you may not disclose any content of this document to any third party or provide it to any third party for use.

  2. Without prior written permission from Alibaba Cloud, no organization, company, or individual may excerpt, translate, or copy all or part of this document, or disseminate it in any form or by any means.

  3. The content of this document is subject to change due to product version upgrades, adjustments, or other reasons. Alibaba Cloud reserves the right to modify the content of this document without notice and to publish updated user documentation from time to time through channels authorized by Alibaba Cloud. You must monitor the version changes of user documents and download the latest version from channels authorized by Alibaba Cloud.

  4. This document is a reference guide for using Alibaba Cloud products and services. Alibaba Cloud provides this document on an "as is", "with all faults", and "as available" basis. Alibaba Cloud makes its best effort to provide corresponding descriptions and operational guidance based on existing technologies, but expressly disclaims any express or implied warranties regarding the accuracy, completeness, applicability, or reliability of the content of this document. Alibaba Cloud assumes no legal liability for any errors or financial losses incurred by any organization, company, or individual due to downloading, using, or relying on this document. In no event shall Alibaba Cloud be liable for any indirect, consequential, punitive, incidental, special, or criminal damages, including loss of profits suffered by users from using or relying on this document, even if Alibaba Cloud has been advised of the possibility of such damages.

  5. All content on the Alibaba Cloud website, including but not limited to works, products, images, archives, information, materials, website architecture, website layout, and webpage design, is the intellectual property of Alibaba Cloud and/or its affiliates in accordance with applicable laws, including but not limited to trademark rights, patent rights, copyrights, and trade secrets. Without prior written consent from Alibaba Cloud and/or its affiliates, no one may use, modify, copy, publicly disseminate, alter, distribute, issue, or publicly publish the Alibaba Cloud website, product programs, or content. In addition, without prior written consent from Alibaba Cloud, no one may use, publish, or copy the name of Alibaba Cloud for any marketing, advertising, promotional, or other purpose. This includes, but is not limited to, the use of "Alibaba Cloud", "Aliyun", "HiChina", and other brands of Alibaba Cloud and/or its affiliates, either alone or in combination, as well as their associated marks and logos, or any similar company name, trade name, trademark, product or service name, domain name, logo, or identifier that would enable a third party to identify Alibaba Cloud and/or its affiliates.

  6. If you find any errors in this document, please contact Alibaba Cloud directly.

Security overview

This document applies to IDaaS CIAM Dedicated Edition. It does not apply to the CIAM beta version or offline versions.

The security of IDaaS CIAM Dedicated Edition consists of platform security and product security. The Alibaba Cloud platform provides platform security. Before a product is released, it must pass a commercialization release process that includes product configuration, validation testing, and security testing. The product also integrates with the platform's unified health monitoring, product monitoring, and alert management systems. This integration provides real-time security risk control and ensures compliance with Alibaba Cloud data security requirements.

Product security refers to the security measures built into the product itself, including development security, feature security, data security, and high availability. This document focuses on product security.

Development and production permission isolation

IDaaS CIAM Dedicated Edition provides a development environment, a staging environment, and a production environment. Each environment consists of distinct instances. The cloud resources for each instance, such as ECS, RDS, Redis, and OSS, are physically isolated, with no permissions shared between them.

Authentication and authorization

  1. Access control

    1. Management console sign-in control

      The root account activates an IDaaS instance in the RAM console and can then directly access the IDaaS console by clicking the instance.

      To allow other users to access the IDaaS console, use the root account to create multiple RAM users and attach an IDaaS permission policy to them. This allows RAM users to access IDaaS CIAM under specific conditions. You can also configure MFA for different administrators in IDaaS CIAM to further prevent unauthorized access and protect your data and services.

      On the Select Permissions page in the RAM console, switch to the System Policy tab. Search for IDaaS and select AliyunYundunIdaasReadOnlyAccess (grants read-only access to Application Identity Service) or AliyunYundunIdaasFullAccess (grants management access to Application Identity Service).

    2. Application access control

      IDaaS CIAM issues a unique application key for each application and uses a key-based encryption mechanism to secure access. You can further prevent unauthorized access by defining the authorized user scope, setting IP address restrictions, and enabling anomaly detection.

  2. API access authorization

    IDaaS CIAM lets you control the scope of APIs that are exposed externally and shared between applications. This enables fine-grained permission control to prevent unauthorized access.

    1. Externally exposed APIs are classified as either application-type or user-type based on their security level.

    2. Application-type APIs have a higher security level. They control which IDaaS APIs an application can access, such as for sign-in, sign-up, and sending verification codes, as well as whether the application has permission to manage account information.

    3. User-type APIs have a lower security level. They primarily cover user actions such as changing a phone number or email address, or deleting an account.

    4. For API sharing between applications, IDaaS CIAM allows you to define custom API scopes and authorize them for specific applications. This prevents unauthorized access between applications.

  3. Key rotation

    IDaaS CIAM uses key encryption for security during authentication and authorization. It also provides key rotation to protect against key compromise and enhance the security of user information in tokens.

    Additionally, IDaaS issues an application key for each application and provides key rotation for it. Only systems verified with the application key can access authorized APIs.
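Key rotation as described here, as an added Python example that is not IDaaS code: a keyring in which the previous key keeps verifying tokens only for a grace window after rotation, so tokens issued under a compromised key stop being accepted at a known time. Key IDs and secrets are constructed, and HMAC-SHA256 stands in for the RSA signing the paper describes so the block runs offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Dict, Optional

# Constructed keyring: exactly one key is the current signer; retired keys
# carry a retire_at timestamp after which they no longer verify anything.
KEYRING: Dict[str, Dict] = {
    "k1": {"secret": b"old-signing-key", "sign": False, "retire_at": 1_800_000_000},
    "k2": {"secret": b"new-signing-key", "sign": True, "retire_at": None},
}


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_token(claims: dict, keyring: Dict[str, Dict] = KEYRING) -> str:
    """Sign with the key marked sign=True and record its kid in the header."""
    kid = next(k for k, v in keyring.items() if v["sign"])
    header = _b64url(json.dumps({"alg": "HS256", "kid": kid}).encode())
    payload = _b64url(json.dumps(claims).encode())
    mac = hmac.new(keyring[kid]["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(mac)}"


def verify_token(token: str, now: int, keyring: Dict[str, Dict] = KEYRING) -> Optional[dict]:
    """Look the key up by kid; reject unknown kids, retired keys and bad MACs."""
    try:
        header, payload, sig = token.split(".")
        key = keyring[json.loads(_unb64url(header))["kid"]]
    except (ValueError, KeyError):
        return None
    if key["retire_at"] is not None and now >= key["retire_at"]:
        return None
    expected = hmac.new(key["secret"], f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _unb64url(sig)):
        return None
    return json.loads(_unb64url(payload))


def rotate(new_kid: str, secret: bytes, grace_seconds: int, now: int,
           keyring: Dict[str, Dict] = KEYRING) -> None:
    """Make new_kid the signer; the old signer verifies only until now + grace_seconds."""
    for entry in keyring.values():
        if entry["sign"]:
            entry["sign"] = False
            entry["retire_at"] = now + grace_seconds
    keyring[new_kid] = {"secret": secret, "sign": True, "retire_at": None}
```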

Data security

  1. Data collection scope

    By default, IDaaS CIAM collects the following personal information:

    • Account

    • Phone number

    • Email address

    • Password

    All information is collected only with explicit user authorization. Any information collected beyond this default scope requires additional explicit authorization.

  2. Data transmission security

    All access to IDaaS services, whether over the internet or a private network, uses HTTPS to protect data in transit from interception and tampering.


  3. Data encryption algorithms

    1. IDaaS encrypts critical user information, such as phone numbers and email addresses, using AES (AES/ECB/PKCS5Padding) for storage.

    2. For passwords, the system stores salted digests (SHA-256 with SALT). This significantly improves password security. Only the user knows their password, and the original password cannot be retrieved even if the database is compromised.

    3. IDaaS issues tokens in JWT format. To ensure the security of user credentials, user information within the token is encrypted with AES. This prevents user information from being retrieved even if a token is stolen. Tokens are signed by using RSA asymmetric keys, ensuring that only IDaaS can verify their authenticity.
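The salted-digest password storage in item 2, as an added Python example that is not code from the white paper: a per-user random salt is stored beside the SHA-256 digest, and verification recomputes and compares in constant time. The 16-byte salt length and the salt || password concatenation order are assumptions, since the text states only "SHA-256 with SALT".

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Assumed parameters: the paper does not state salt size or input layout.
SALT_BYTES = 16


def make_password_record(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Return what is stored for a password: its own random salt and the
    SHA-256 digest of salt || password. The plaintext is never stored."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify_password(password: str, record: Dict[str, str]) -> bool:
    """Recompute the digest with the stored salt and compare in constant
    time so the comparison itself leaks nothing about the stored value."""
    salt = bytes.fromhex(record["salt"])
    candidate = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, bytes.fromhex(record["digest"]))


def same_password_distinct_records(password: str) -> bool:
    """Two accounts with the same password get different digests because
    each record has its own salt, so a leaked table cannot be matched
    against one precomputed digest per password."""
    first = make_password_record(password)
    second = make_password_record(password)
    return first["salt"] != second["salt"] and first["digest"] != second["digest"]
```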

  4. Sensitive data protection

    IDaaS CIAM provides data identification, data masking, and audit monitoring to help you protect your data.

    With data identification, you can automatically classify the sensitivity level of data based on predefined rules. The system includes built-in categories for account type data, user type data, and account extension type data. The security levels are ranked in descending order: account type > user type > extension type.

    With data masking, you can mask sensitive data using methods such as display masking or hash encryption. The degree of masking varies based on the data's security level.

    With audit monitoring, you can monitor operations performed on account type data by specific users or administrators.

Infrastructure security

The overall architecture of the IDaaS product is designed for high availability.

  • The system uses SLB, private network access, and a POP gateway that uses reverse authorization to connect the network.

  • All CIAM-related services are deployed on ECS instances that are distributed across different availability zones and support horizontal scaling.

  • Redis nodes are distributed across different availability zones. Redis stores only cached data. If data is lost, it is automatically reloaded from the database, so no backup is required.

  • RDS primarily stores tenant information, application information, and traffic package information. The database is backed up once a day, and multiple backup copies are retained.

  • The primary and secondary database servers are located in different availability zones. If the primary server fails, the secondary server automatically takes over.