Disclaimer
The copyright for this security white paper is owned by Alibaba Cloud Computing (Beijing) Co., Ltd. (Alibaba Cloud Communications). No part of this document may be copied, modified, or distributed in any form without prior written permission from Alibaba Cloud Communications.
This white paper is for reference only. Alibaba Cloud Communications makes no express or implied warranties about the information in this document. This white paper is provided as is. The information and opinions within, including URLs and other internet references, are subject to change without notice. You bear all risks associated with any changes.
This security white paper does not grant you any legal rights to the intellectual property of any products from Alibaba Cloud Communications or its affiliates.
1. Overview
Alibaba Cloud Communications provides stable, reliable, secure, and compliant communication services. We use advanced technology, a comprehensive product system, and strict personnel management to protect the confidentiality, integrity, and availability of customer and partner data. Data security and user privacy protection are our highest priorities.
This white paper describes the security framework, product features, and operational mechanisms of Alibaba Cloud Communications Short Message Service. It covers the shared responsibility model for security, security and compliance, and the security architecture. The security architecture section details nine areas: product architecture, network security, host and container security, data security, application security, business security, content moderation, account security, and security monitoring and operations.
2. Shared responsibility model for security
In accordance with relevant laws and regulations, security responsibilities for the entire business trace are shared. Alibaba Cloud Communications ensures the security of the cloud service platform. Customers are responsible for the security of their applications, data, and business activities built on our services. Partners are responsible for the security of the services and platforms they provide to Alibaba Cloud Communications.
1) Alibaba Cloud Communications security responsibilities
Alibaba Cloud Communications is responsible for the security of its cloud services and products, including application, host, network, data, and business security. We provide customers with the technical means to protect their cloud applications and data. We are also responsible for internal identity and access control, platform security monitoring to detect threats, and security operations to handle them.
Establish security management positions, create management systems, and define incident response procedures and training programs.
Ensure the physical security of data centers for the Short Message Service platform.
Ensure the security of the Alibaba Cloud Communications cloud platform hardware, software, and network. This includes patch management for operating systems and databases, network access control, Anti-DDoS, and disaster recovery.
Promptly detect and fix security vulnerabilities on the Alibaba Cloud Communications cloud platform without affecting customer business availability.
Work with independent third-party organizations to conduct security compliance audits and assessments of the communications cloud platform.
Provide customers with security audit tools.
Provide customers with data encryption methods.
2) Customer security responsibilities
When you use Short Message Service for production notifications, marketing, or building your own cloud applications, you are responsible for securing your business systems. You must use relevant security products and establish security mechanisms and processes. Your responsibilities include application security, business security, infrastructure security, data security, and account security.
Secure your application systems, hosts, networks, and data. Promptly address and fix any issues related to security alerts from Security Center.
Protect your Alibaba Cloud account. Assign independent Resource Access Management (RAM) user accounts to each member of your operations and management staff. Grant the least privilege required to complete their tasks and use group-based authorization to separate duties.
Use the ActionTrail service to record console operations and OpenAPI calls.
Ensure the security and compliance of the data and content that you exchange with the Alibaba Cloud Communications cloud platform.
3) Partner responsibilities
Alibaba Cloud Communications partners are entities that host their software and services on our platform to serve customers. Partners must follow our security management standards, comply with national laws and regulations, and protect user information.
Partners must secure the infrastructure, physical equipment, operating systems, and service products they provide. They must promptly detect and fix system security vulnerabilities without affecting customer business availability.
Partners must establish data security capabilities in accordance with applicable data protection laws and their agreements with Alibaba Cloud Communications. They must implement the necessary management and technical measures to provide adequate security for relevant data during the partnership. These measures are designed to prevent unauthorized access, use, disclosure, destruction, or loss of data. Partners must also regularly review their protection technologies and security measures to ensure they maintain an appropriate level of security.
3. Security and compliance
3.1 Compliance
Alibaba Cloud Communications complies with legal and regulatory requirements and provides services that help enterprises use cloud computing technology to accelerate their digital, network-based, and intelligent transformation. In compliance with the Cybersecurity Law, the Personal Information Protection Law, and the Data Security Law, Alibaba Cloud Communications has established security management processes and systems for its products and services to ensure compliance.
In addition to ensuring our own cloud platform meets regulatory compliance requirements, Alibaba Cloud Communications is dedicated to helping customers meet these requirements with lower costs, faster processes, and stronger security protection.
3.2 Certifications
The security processes of Alibaba Cloud Communications products, including Short Message Service, are recognized by authoritative international and domestic organizations. We integrate our long-term experience in combating internet security threats into our cloud platform's security protection. We incorporate numerous compliance standards into our platform's internal controls and product design. We also participate in setting standards for cloud communications and cloud platform services, contributing our best practices. Independent third parties verify how our products meet these standards. To date, Alibaba Cloud Communications has passed audits and obtained three certifications.
Scope | Certification | Description |
Global recognition | ISO/IEC 27001 | This international certification for information security management systems is a widely adopted global security standard. As a product that has passed this certification in China, Alibaba Cloud Communications products demonstrate their security responsibilities in areas such as data security, network security, communication security, and operational security. |
ISO/IEC 20000 | This is the first internationally recognized standard for IT service management. Alibaba Cloud Communications products are certified under the new ISO/IEC 20000-1:2011 standard. This means we have established and strictly follow standard service processes, which standardizes our cloud platform services, improves efficiency, and reduces overall IT risk. | |
ISO 9001 | This quality management system is an authoritative certification used to confirm that an organization has the ability to provide products that meet user requirements and applicable regulatory requirements. |
3.3 Personal information protection
Alibaba Cloud Communications is committed to protecting the personal information of every customer and user. We ensure that customers retain ownership and control over the personal information they provide to us. We actively fulfill our corporate responsibility for personal information protection as called for by regulators. We continuously improve our internal personal information management system and enhance the protection of customer and user rights. We have established a comprehensive internal data security management system and implemented core data security technologies to provide reliable protection for user personal information.
3.4 Transparency
Alibaba Cloud Communications is committed to transparency. We provide customers with information about our services through various channels. You can find information about our qualifications, service usage, and product descriptions on the official Alibaba Cloud website. Our team is available 24/7 to handle your suggestions and inquiries. We respond promptly to all reasonable customer requests. We are also exploring more ways to increase transparency, such as public mailboxes, online query APIs, and DingTalk customer service groups.
4. Security architecture
4.1 Alibaba Cloud Communications product architecture
Alibaba Cloud Communications products are built on Alibaba Cloud's computing operating system. This foundation provides highly available and stable computing, storage, and security capabilities. We rely on Alibaba Cloud security products to provide end-to-end data security protection. Our professional security team provides operations and audit capabilities, creating an efficient and secure protective barrier.
Alibaba Cloud Communications product architecture diagram:
4.2 Network security
Strict security control policies are in place between Alibaba Cloud's internal and external networks. The internal network is divided into different security domains, such as production, testing, and office, which are isolated from each other by default. Applications are isolated using VPC technology, and different VPCs cannot communicate by default. Any network connection between internal and external networks, across security domains, or across VPCs is reviewed by security engineers. They provide secure communication solutions and corresponding security groups to enforce strong controls. Whitelists protect the security of communications with upstream and downstream carriers. Communications across security domains are protected by Cloud Firewall.
Alibaba Cloud Security scans all network assets using access control list (ACL) inspections. By identifying high-risk service ports and service fingerprints, we can discover unexpected security risks on the network border and issue tickets for security administration.
4.3 Host and container security
Alibaba Cloud Security Center provides comprehensive intrusion detection and anti-intrusion capabilities. It can perform unusual logon detection, web shell detection, abnormal host behavior detection (such as abnormal process behavior and suspicious network connections), key file tamper detection, and abnormal account detection. It also provides real-time interception of mainstream ransomware, mining, and DDoS Trojan viruses. Security Center supports the detection of mainstream Windows system vulnerabilities, Linux software vulnerabilities, Web-CMS vulnerabilities, and application vulnerabilities. It also provides emergency detection and repair services for newly discovered vulnerabilities on the internet.
Alibaba Cloud hosts and containers use the self-developed Aliyun Linux 2 OS. This operating system is certified against the OS Benchmark from the Center for Internet Security (CIS). It provides complete security hardening capabilities.
Alibaba Cloud Security provides 24/7 emergency response to counter intrusions. This ensures host and container security and protects Alibaba Cloud Communications.
4.4 Data security
The security of your data in the cloud is your lifeline. It is also the most important measure of our cloud security capabilities. In July 2015, Alibaba Cloud launched the "Data Protection Initiative" for Chinese cloud service providers. Our data security capabilities help you prevent data breaches and meet compliance requirements such as the Personal Information Protection Law and the Classified Protection 2.0 scheme. Alibaba Cloud Communications has strict requirements for managing the entire lifecycle of customer data and uses advanced technology to ensure its security.
1) Data ingestion security
Data ingestion security means identifying, classifying, and grading data at its source. This ensures that subsequent data protection is targeted and effective. Proper data classification and grading improve the accuracy and efficiency of security protection. The first step is to discover and detect sensitive information, such as personally identifiable information (PII). The second step is to classify and grade the data based on your scenarios, compliance needs, and security requirements. This helps you understand your data assets and apply targeted protection.
After you grant authorization, Alibaba Cloud's Sensitive Data Discovery and Protection (SDDP) can automatically scan and discover data at various levels, such as new instances, databases, tables, columns, and Object Storage Service buckets and objects. Using keywords, rules, and machine learning model algorithms, SDDP accurately identifies sensitive data in your cloud environment. Based on the identification results, SDDP can classify data by business content and grade it by sensitivity. This allows subsequent protection mechanisms to be applied to your data in the cloud.
2) Data transmission security
Data transmission security is ensured by encrypting the data transmission link. Encryption in transit means that cloud products use the SSL/TLS protocol to secure data access, including reading and uploading data.
Alibaba Cloud's gateway products also provide link encryption. The VPN Gateway service can securely connect your on-premises data center to an Alibaba Cloud VPC through an encrypted channel. Alibaba Cloud Certificate Service can issue SSL certificates from well-known third-party certification authorities (CAs). This helps you implement HTTPS for your website, making it trustworthy and protecting it from hijacking, tampering, and eavesdropping.
3) Data storage security
Data storage security is primarily ensured through encryption at rest. Alibaba Cloud provides server-side encryption for cloud products and uses Key Management Service (KMS) for unified key management. Our storage encryption uses 256 bit Advanced Encryption Standard (AES-256) keys, meeting the encryption requirements for sensitive data.
4) Data processing security
Data processing security focuses on effective isolation and protection of data while it is in use. You can achieve isolation using an encrypted computing environment. You can also use access control and other isolation measures within each product. Data masking, based on data classification and grading, can also prevent unauthorized users from accessing sensitive information, thereby meeting data isolation requirements.
5) Data destruction security
When Alibaba Cloud stops providing services to a customer, we promptly delete the customer's data assets or return them as required by the relevant agreement. Our data destruction technology meets industry standards. All purge operations are fully recorded to ensure that customer data cannot be accessed without authorization.
4.5 Application security
Alibaba Cloud Communications products, like all Alibaba Cloud products, use the internal cloud product security lifecycle platform for risk management. This platform provides security capabilities such as vulnerability operations, architecture review, code audit, penetration testing, and security solutions. It ensures security at every stage, including architecture review, development, testing, and emergency response. The platform coordinates various security teams to empower cloud products with robust security.
4.6 Business security
1) Service request
Verifying a user's identity protects the rights of the registered person or legal entity. It also meets regulatory requirements for identifying users of Short Message Service.
When you apply for a service, Alibaba Cloud Communications performs real-name registration before the service is provided. For high-risk scenarios and features, we conduct a secondary security review of the business. All real-name registrations require legitimate and compliant written proof. For key industries, such as government agencies and public institutions, we also conduct personal follow-up visits to prevent information misuse or impersonation.
2) Operational standards
Alibaba Cloud Communications has a complete product technology system and a strong operational foundation. We rely on a strict permission management mechanism and years of security operations experience. We provide users of Short Message Service with comprehensive support, including content moderation and assistance with regulatory investigations.
Following an intelligent and fine-grained management approach, Alibaba Cloud Communications has an independent Management Center. All operations that affect the production environment are subject to strict access control and monitoring. Each operations node is staffed with professionals who have different skills, ensuring the least privilege and information isolation. From their first day, every operations employee enters a comprehensive training system for information security and business skills. Their operational quality is periodically reviewed to ensure continuous improvement in security awareness and operational capabilities.
In addition to internal management, Alibaba Cloud Communications provides comprehensive business support. Based on our extensive operational experience and production trace management capabilities, our security operations team provides end-to-end support when you face regulatory investigations while using Short Message Service. This support includes event analysis, recommended actions, and feedback on collected materials. We are constantly working to make this process more compliant, efficient, and transparent.
3) Partner management
To provide better services and experiences, Alibaba Cloud Communications enhances its own capabilities and collaborates with leading partners in various fields. Together, we build a superior Short Message Service.
Alibaba Cloud Communications has clear management standards for partners, defining violations, penalties, and the rules and procedures for partner termination. We promptly handle partners who do not meet requirements or violate cooperation terms. For terminated partners, we ensure that their account permissions are promptly disabled and their data is cleared.
For partners who falsify qualifications, seriously violate principles of integrity, or cause significant loss or negative impact to Alibaba Cloud Communications and its customers due to breach of contract, we will impose corresponding penalties or add them to a cooperation blacklist, depending on the severity of the situation.
Alibaba Cloud Communications has corresponding security capability requirements for partners in different scenarios. We also encourage partners to apply for information security management qualifications such as ISO/IEC 27001 and ISO/IEC 27002, and we consider these qualifications as part of our partner security capability evaluation.
Alibaba Cloud Communications conducts security assessments for the admission of communication suppliers and manages their security and compliance throughout the partnership to ensure customer business security.
For personnel involved in cooperative projects, we have strict standards and requirements covering data security training and testing, security software installation and endpoint security configuration, permission requests and approvals, data transmission and use, data security audits and monitoring, and handover and data cleanup after the partnership ends. Violations of these regulations will result in penalties based on their severity. If a violation leads to an information leak at Alibaba Cloud Communications or affects customer and business system services, we will pursue legal action against the partner in accordance with our agreement and the extent of the damage.
For software suppliers, Alibaba Cloud Communications conducts security scans and tests on relevant components and software in accordance with relevant laws and regulations. Components and software with medium or high risks are prohibited from being published. If a risk event or threat is detected, we promptly initiate the emergency response process to quickly reduce the potential security risk to the business.
4) Product release and change management
When you implement new services or features for a product in a new iteration, you must conduct a security assessment of the technical implementation plan. Based on specific business features and scenarios, this assessment aims to ensure compliance, identify vulnerabilities early, reduce or eliminate business logic vulnerabilities, and effectively control business risks.
Alibaba Cloud Communications conducts security reviews for product releases and changes in the following scenarios:
When a new application is created or a new business scenario is added, we conduct online and offline security reviews of the code and business processes.
When an existing application undergoes routine iterative optimization, we conduct a security review of the code differences.
When sensitive business functions are involved, such as sensitive information, member logon management, business permission design and management, fund collection and transfer, and transaction process changes, we conduct an offline expert review.
The main security controls for product releases and changes are as follows:
Security training: Alibaba Cloud Communications development and testing personnel receive regular security awareness training on application security standards, social engineering, and other topics, and they must pass corresponding exams.
Requirements analysis stage: When requirements involve security or uncertain risks, the requirement owner initiates a risk assessment, and the security team participates in the review to identify risks and develop a security solution.
Architecture design stage: When there are major changes to the network environment, we conduct a system network architecture security review. When there are major changes to the business, we conduct an application-level security review.
Development stage: During application development, developers follow corresponding application security development standards and the security team's coding recommendations. They proactively use security products to find problems and complete a code audit before the application is published.
Testing stage: During application testing, tests are conducted according to relevant standards. Security testing is performed as required by the security department to identify and handle risks before the application is published.
Release and iteration stage: The application release is integrated with the security release platform and security detection capabilities. A corresponding review process is established. The change can be released only when it meets the security release requirements.
Online operation stage: After the application and its features are online, we deploy online security products to defend against online risks. For risks flagged by security products, the technical team confirms and fixes them.
4.7 Content moderation
Based on years of experience in risk control, a wealth of data on the cyber underground economy, and big data analytics and modeling capabilities, Alibaba Cloud Communications has developed reliable and trustworthy content moderation features. These features ensure the stable and secure operation of our platform and your business. Our content moderation product protects every part of Short Message Service. It combines our technologies in natural language processing, real-time computing, and big data behavior analysis to ensure the accuracy, comprehensiveness, and timeliness of threat detection.
Alibaba Cloud Communications has accumulated tens of millions of risk profile tags and hundreds of risk libraries for various scenarios. We have also developed numerous model algorithms to identify content risks. Whether it is a signature of a few words or a template or text message of dozens of words, we use our extensive experience in combating risks and our powerful machine learning capabilities. We can accurately collect intelligence, quickly detect abnormal behavior, and efficiently identify fraud scenarios. This provides you with a stable and secure service. The main risk scenarios we cover include fraud, gambling, pornography, prohibited industries, restricted industries, vulgarity, and malicious behavior.
Four types of models are used to ensure the security of your content:
Variant restoration models: These models identify the true content expressed by fraud groups by restoring variant information or interference, such as visually similar characters, phonetically similar characters, icons, symbols, Pinyin, and foreign languages.
Semantic recognition models: These models analyze the semantics of text content to identify the true intent, scenario, and other information expressed by fraud groups.
Feature extraction models: These models analyze the elements of text content to identify the key features expressed by fraud groups.
Risk identification models: These models analyze the scenarios of text content to identify potential risks that may exist in the content expressed by fraud groups.
Content security is driven by two mechanisms: active detection and passive defense.
Passive defense is based on our own business scenarios and platform experience. It promptly identifies risks that arise when you use the platform and handles them after real-time or offline analysis of related information.
Active detection proactively collects external illegal and non-compliant risk information through our threat intelligence center. It extracts content risk features and scenarios to identify potential threats and proactively improve our response capabilities.
Passive defense and active detection complement each other. The former is a necessary measure to discover security events during business operations. The latter compensates for the lag of passive discovery and introduces a wider range of risk features and scenario definitions to improve the accuracy of risk warnings. Together, they form a comprehensive, timely, and effective security identification capability.
Content security is managed in three stages: before, during, and after a message is sent.
Before a message is sent, the threat intelligence center in our active defense system promptly incorporates security variants and related risk events. It deploys defenses against risks that may be triggered by current hot topics.
During message sending, a three-layer filtering system is used for risk control. First, the data center and risk identification module assemble real-time rules in the policy center to intercept risks. Second, the identification results are routed to the system disposal module based on risk classification and grading rules, where a manual review process provides a secondary judgment. Finally, the verification result directly triggers the penalty center to take action against the risk entity. Actions can include restricting permissions or shutting down the business. At the same time, the system identifies and intervenes in the spread of similar content.
After a message is sent, Alibaba Cloud Communications continues to perform risk clustering analysis on offline data and model results. Combined with external intelligence continuously collected by the threat intelligence center, we trace and handle any missed or potential new risks.
4.8 Account security
Alibaba Cloud Communications account management is based on the Alibaba Cloud account security system. This system provides you with various tools and features to authorize resource access in different situations. It includes the Resource Access Management (RAM) service for identity management and access control. RAM supports multi-factor authentication, strong password policies, custom API access policies, and various conditions, such as IP whitelists and secure access over SSL/TLS.
4.9 Security monitoring and operations
The main purpose of security monitoring at Alibaba Cloud Communications is to promptly detect security incidents, such as attacks on our platform's applications, hosts, and networks. When an incident is detected, it triggers an internal emergency response process to eliminate the impact immediately.
Security monitoring involves log collection, anomaly detection, alerting, and response. We collect logs from the platform's hosts, network, and applications. We use real-time and offline computing with security risk control algorithms to process and analyze these logs, enabling threat detection and monitoring. If an abnormal security event is detected, an alert is generated on our internal security monitoring platform. The on-call security lead is then notified through DingTalk, text message, phone, or email to handle the incident promptly.
The Alibaba Cloud Communications emergency response process handles vulnerabilities and risk events that are discovered through internal monitoring or reported externally. External reports come from open source third-party components, third-party threat intelligence, and our internal vulnerability system. When a security incident or vulnerability is discovered, the emergency response process is immediately triggered and handled according to standard procedures. To ensure secure production, a dedicated team conducts regular drills to verify the effectiveness of the emergency response process.