Kingsoft Cloud Security White Paper

Last updated: 2020-12-11 14:26:01

Introduction

Founded in 2012, Beijing Kingsoft Cloud Network Technology Co., Ltd. (hereinafter referred to as “Kingsoft Cloud”) is a subsidiary of Kingsoft and an industry-leading cloud computing service provider in China. Kingsoft Cloud provides highly stable and secure cloud services for users and enterprises with its leading server technologies in the cloud computing industry.

Relying on Kingsoft’s vast experience of over 20 years, Kingsoft Cloud has put cloud security first since its establishment, and has continuously increased investment in the research and development (R&D) of cloud security technologies. Kingsoft Cloud has successively launched a series of cloud security services such as Kingsoft Cloud Advanced Defense (KAD), Kingsoft Cloud Host Security (KHS), Kingsoft Cloud Security Inspector (KSI), and Web Application Firewall (WAF) to meet the needs of Kingsoft Cloud users. This whitepaper describes how Kingsoft Cloud ensures cloud security from the aspects of the shared security responsibility model, security compliance, infrastructure security, security services, data security, security organization, operations and maintenance (O&M) security, and cloud security engineering capabilities.

Shared security responsibility model

Kingsoft Cloud provides a comprehensive system to ensure cloud computing infrastructure security and user business security. Kingsoft Cloud provides comprehensive protection from the physical level to the application level. Meanwhile, users are expected to work closely with Kingsoft Cloud to protect the security of their business on the cloud. Kingsoft Cloud adopts a shared security responsibility model to ensure user business security together with its customers. Kingsoft Cloud ensures the security of its cloud computing infrastructure by using various technologies and management methods. For example, Kingsoft Cloud ensures the physical, network, virtualization architecture, data, and console security by means of Security Development Lifecycle (SDL), vulnerability scanning, monitoring, and auditing. Meanwhile, users ensure the deployment and O&M security of their business by using Kingsoft Cloud security products and services.

Security compliance

To provide users with highly stable and secure services and superior security experience, Kingsoft Cloud attaches strategic significance to cloud security compliance. Kingsoft Cloud has established a dedicated compliance and risk control team to actively benchmark performance against China’s and global standards.

Kingsoft Cloud has received multiple compliance certifications in China and globally, including the ISO 9001, ISO 20000, and ISO 27001 management system certifications and the Class 3 certification for the classified protection of cybersecurity (December 2015); the trusted cloud service security certification (September 2016); the C-STAR certification issued by the Cloud Security Alliance (CSA) (October 2016); the Enhanced cloud computing service capability certification, the highest level of the certification (December 2016); the first CSA STAR Tech IaaS and PaaS certification in China (December 2017); the System and Organization Controls (SOC) audit of the American Institute of Certified Public Accountants (AICPA) (December 2018); the Payment Card Industry Data Security Standard (PCI DSS) certification (June 2019); the Capability Maturity Model Integration (CMMI) certification (September 2019); the ISO 27018 certification (October 2019); the ISO 27017 certification and CSA STAR Gold certification (August 2020).

Since the European Union (EU) issued the General Data Protection Regulation (GDPR) on May 25, 2018, Kingsoft Cloud has incorporated GDPR in security compliance. Kingsoft Cloud is committed to protecting the personal data and privacy of every customer. Kingsoft Cloud only collects and uses customers’ personal data within the necessary and limited business scope while employing various security measures to guarantee the confidentiality, integrity, and accuracy of such personal data.

ISO 9001, ISO 20000, and ISO 27001 management system certifications

The ISO 9001, ISO 20000, and ISO 27001 management system certifications demonstrate that Kingsoft Cloud has achieved standardized information security management, quality management, and information technology service management. This achievement lays a solid foundation for the enhancement of Kingsoft Cloud’s management system. ISO 27001 is a management system standard widely applied in the field of information security worldwide. ISO 27001 can effectively help protect information resources and realize the healthy, orderly, and sustainable development of informatization. Kingsoft Cloud’s information security management system covers cloud computing services such as cloud hosts, cloud storage, networks, and databases. Kingsoft Cloud uses comprehensive and systematic methods to manage information security risks and ensure the continuity of the company’s business.

ISO 27017 and ISO 27018 certifications

ISO 27017 extends the security requirements for cloud computing enterprises and customers of cloud computing services. ISO 27017 demarcates the security and reliability roles and responsibilities of both providers and users of cloud services. ISO 27018 is the first international code of conduct that focuses on the protection of personal information on the cloud. ISO 27018 provides implementation guidelines for the ISO 27002 management system applicable to personally identifiable information (PII) on public clouds. The ISO 27018 certification demonstrates that Kingsoft Cloud has taken internationally recognized PII security control measures on its public cloud, allowing customers to control the storage and use of their data, and ensuring their data privacy and security.

Classified protection of cybersecurity

The evaluation authority authorized by the Ministry of Public Security conducts an annual evaluation of Kingsoft Cloud’s service platform system according to the GB/T 22240-2008 Information Security Technology - Classification Guide for Classified Protection of Information System Security, GB/T 22239-2019 Information Security Technology - Baseline for Classified Protection of Cybersecurity, and GB/T 28448-2019 Information Security Technology - Evaluation Requirement for Classified Protection of Cybersecurity. Kingsoft Cloud received the Class 3 certification for the classified protection of cybersecurity, indicating that Kingsoft Cloud meets the Class 3 security, technical, and management requirements for the classified protection of cybersecurity.

Trusted cloud service assessment

The trusted cloud service assessment system is an authoritative assessment system for cloud computing services in China. The system evaluates the business security of cloud services provided by cloud service providers from the perspective of users. Many of the services of Kingsoft Cloud have passed the trusted cloud service assessment, including Kingsoft Cloud Elastic Compute (KEC), Kingsoft Cloud Relational Database Service (KRDS), Kingsoft Cloud Standard Storage Service (KS3), Server Load Balancing (SLB), Content Delivery Network (CDN), GPU Elastic Compute, data protection for cloud service users, and public cloud services in the hybrid cloud solution. This means that the metrics about user information disclosure, such as data storage persistence, data privacy, failure recovery capability, and service availability, stipulated by Kingsoft Cloud in its Service Level Agreement (SLA) meet the requirements of trusted cloud service assessment, and that information disclosure is transparent to users. The trusted cloud service certification improves the confidence of users in choosing the secure and reliable cloud services provided by Kingsoft Cloud.

C-STAR cloud security assessment 

C-STAR is a globally recognized security certification for cloud service providers. The C-STAR certification demonstrates that Kingsoft Cloud’s security management level and technical capabilities are recognized by international authorities. The C-STAR cloud security assessment adheres to strict management and control requirements. This assessment adopts an advanced maturity evaluation model to assess the security of all control domains, including application and interface security, audit assurance and compliance, business continuity management and operational resilience, change control and configuration management, data security and information lifecycle management, encryption and key management, governance and risk management, identity and access management, infrastructure and virtualization security, security incident management, supply chain management, and threat and vulnerability management. Kingsoft Cloud adopts sound management and control mechanisms in these control domains to ensure the security compliance and sustainability of its business.

ITSS cloud computing service capability assessment

The ITSS cloud computing service capability assessment is a pilot program of the Information Technology Service Sub-association of the Chinese Electronics Standardization Association (ITSS Sub-association for short), conducted in accordance with Chinese standards such as the Information Technology - Cloud Computing - General Operational Requirements of Cloud Services. Kingsoft Cloud was among the first recipients of the Enhanced cloud computing service capability certification, which is the highest level of the certification. The certification demonstrates Kingsoft Cloud’s superior service capabilities over other cloud service providers in terms of staff, processes, technologies, and resources.

CSA STAR

CSA developed a Cloud Controls Matrix (CCM) for cloud services, including IaaS, PaaS, and SaaS services, based on ISO 27001. CCM divides cloud security into 16 control domains, such as application and interface security, and audit assurance and compliance. CSA added a maturity assessment model to develop a targeted STAR security assessment. Certified companies are awarded Gold, Silver, or Bronze certification according to their cloud security levels. Kingsoft Cloud received the CSA STAR Gold certification issued by the British Standards Institution (BSI) on August 19, 2020. The certification demonstrates that Kingsoft Cloud meets the requirements of international advanced cloud security for its security capabilities and security services for customers.

CSA STAR Tech IaaS and PaaS enhanced certification for security

The CSA STAR Tech certification is a security capability certification launched by CSA for cloud computing services. The assessment is in accordance with the Cloud Computing Security Technology Requirements (CSTR) issued by CSA. As a security product standard jointly drafted by CSA and major cloud service providers, CSA STAR Tech specifies the security requirements for IaaS, PaaS, and SaaS products, and serves as the most authoritative unified security capability certification standard for cloud computing products. The CSA STAR Tech certification marks the further development of Kingsoft Cloud’s security capabilities.

SOC reports

The System and Organization Controls (SOC) reports are a series of assurance reports related to the internal control of service organizations. The reports are issued by a professional third-party accounting firm in accordance with the related standards of AICPA. Kingsoft Cloud passed the SOC1 and SOC2 audits of AICPA, demonstrating that Kingsoft Cloud is recognized by third-party audit institutions on its internal controls and the security, availability, and confidentiality of its cloud service system. The SOC reports also provide valuable information for Kingsoft Cloud users, enabling them to assess the risks related to Kingsoft Cloud.

PCI DSS certification

PCI DSS is a globally unified benchmark for the technical and operational requirements for the protection of account data, which enhances the data security of cardholders. Kingsoft Cloud passed the compliance assessment conducted by atsec in accordance with PCI DSS. The certification demonstrates that Kingsoft Cloud has comprehensive and multi-level security planning and building capabilities in security management, security O&M, development lifecycle security, data security, and security vulnerability management. Kingsoft Cloud ensures the environmental security of basic cloud services. Kingsoft Cloud also provides security protection and data security services for cloud tenants to help them meet the requirements of PCI DSS.

CMMI certification

CMMI is an evaluation and certification system developed by the Software Engineering Institute (SEI) of Carnegie Mellon University in the United States. Kingsoft Cloud passed the CMMI Level 3 assessment, indicating that Kingsoft Cloud has attained international standards in process organization, R&D, project management, and solution delivery.

Infrastructure security

To provide users with secure cloud services, Kingsoft Cloud has continuously invested in security technologies and services to improve infrastructure security, such as physical, network, application, and authentication security. Kingsoft Cloud ensures the security of its cloud service infrastructure through various systems, processes, and technical expertise.

Physical and environmental security

The physical and environmental security of an Internet data center (IDC) directly affects service availability. Kingsoft Cloud has established comprehensive standards and regulations on access control, preventive inspection, and troubleshooting to ensure the physical and environmental security of its IDCs.

Access to each IDC is strictly controlled. The personnel that may access an IDC of Kingsoft Cloud are classified into four categories: Kingsoft Cloud’s O&M personnel, outsourcing O&M personnel, manufacturers’ maintenance personnel, and visitors. Each category is subject to a rigorous access and approval process. Onsite O&M personnel record the persons who enter an IDC and keep records for half a year for auditing purposes. In addition, Kingsoft Cloud adheres to strict security management requirements for the core cabinets in each IDC, including requirements for safely using the core cabinets and processes of opening and closing the cabinets. Operations related to the core cabinets are recorded in detail, and these records are kept for more than half a year.

To ensure the stable operation of an IDC, Kingsoft Cloud conducts routine inspections on the IDC, including environment inspection and server inspection. When a failure occurs, O&M personnel strictly follow the emergency response process to report the failure within the specified time to authorized personnel and recover from the failure. O&M personnel strictly follow all applicable regulations to ensure the stability and security of an IDC. Moreover, Kingsoft Cloud established a series of standards on equipment management, such as standards for servers arriving at an IDC and standards for receiving or delivering IDC equipment.

Network security

In the infrastructure of Kingsoft Cloud, business networks and IDC networks are strictly isolated. Kingsoft Cloud also rigorously maintains the isolation between IDC networks and tenant networks by enforcing access control policies on network boundaries. This achieves complete isolation between overlay networks and underlay networks.

Kingsoft Cloud provides virtual private clouds (VPCs) isolated based on VXLANs. A VPC is a logically isolated network environment dedicated to a customer and over which the customer has complete control. Access to a VPC can be controlled by setting up ACLs for different subnets and setting up security groups for different servers. The configuration can be refined all the way to protocols and ports. VPCs provide stable and reliable network connections to customers’ data centers. They can meet the requirements on network security in all respects and on all levels.

API and application security

Kingsoft Cloud has a dedicated professional security test team that regularly conducts security tests on all Kingsoft Cloud’s services. First, they conduct white-box security tests on all Kingsoft Cloud APIs and applications to identify service vulnerabilities. Then, they conduct black-box penetration tests from the perspective of attackers to simulate external attacks and discover the security vulnerabilities of Kingsoft Cloud. These two methods are combined to ensure the security of Kingsoft Cloud’s service APIs and application systems. In addition, Kingsoft Cloud has built a security emergency response center and recruited skilled security testing engineers to jointly maintain the security of Kingsoft Cloud.

Access control

Kingsoft Cloud has established strict authentication and authorization mechanisms to ensure information security for Kingsoft Cloud and its users. Kingsoft Cloud also has a dedicated audit team to review authentication and authorization mechanisms and ensure successful implementation of security policies.

Authentication mechanism

Every employee of Kingsoft Cloud is assigned a unique employee account for accessing Kingsoft Cloud’s network. Moreover, Kingsoft Cloud imposes strict complexity requirements on employees’ passwords and requires employees to change their passwords regularly. All employees are also required to use two-factor authentication to access an IDC or other internal systems. This ensures the security and auditability of Kingsoft Cloud’s internal information. When an employee resigns, the system reclaims the employee’s privileges and prohibits the former employee from accessing Kingsoft Cloud’s network.

Authorization mechanism

As an important component of access control, authorization directly affects the data and business security of Kingsoft Cloud and its users. Kingsoft Cloud allocates and reclaims employee accounts based on employees’ work responsibilities by following the principle of least privilege. Authorization is controlled based on employees’ posts and titles. For example, only specific employees are authorized to access core systems such as core networks, hosts, and storage, and the authorization is conducted in strict accordance with the principles of least privilege and separation of duties. Unauthorized employees are prohibited from accessing these systems. External users can only access the resources they have applied for, and the resources of different users are strictly isolated. All employees of Kingsoft Cloud are prohibited from accessing user resources without the users’ authorization. Kingsoft Cloud has a complete application and approval process for authorizing access to confidential data. Kingsoft Cloud regularly audits the process to ensure that the authorization is reasonable and accurate.

Access control audit

To ensure the security of customers’ accounts and reduce the threat of brute-force attacks, Kingsoft Cloud has built an internal access log audit system based on big data analytics. The system can automatically identify cracked accounts to protect the interests of Kingsoft Cloud customers. To ensure the infrastructure security, Kingsoft Cloud uses bastion hosts to conduct two-factor authentication and audits on all access to IDCs. In addition, Kingsoft Cloud requires all subsystems to keep the operation logs for at least six months, as part of compliance with audit requirements.

User-oriented security services

Kingsoft Cloud Advanced Defense for EIP

Kingsoft Cloud Advanced Defense for EIP provides elastic IP addresses (EIPs) that are protected against ultra-high bandwidth distributed denial of service (DDoS) attacks. Users can associate the EIPs with Kingsoft Cloud SLB or KEC instances, eliminating the complexity involved in changing IP addresses for these instances in case of DDoS attacks. Kingsoft Cloud Advanced Defense for EIP features real-time defense, low latency, high reliability, and strong protection.

Web Application Firewall

Web Application Firewall (WAF) protects users’ websites against common web threats defined by the Open Web Application Security Project (OWASP). WAF regularly updates 0day patches to help users update vulnerability patches in a timely manner and protect their websites. WAF also provides precise access control and protection against malicious CC attacks and advanced web attacks. WAF uses precise access control policies to easily distinguish between trusted and malicious traffic and allows users to conveniently block all access requests from a designated region.

Kingsoft Cloud Host Security

Kingsoft Cloud Host Security (KHS) is a security service jointly developed by Kingsoft Cloud and Safedog to protect servers and websites. Through the collaboration between the KHS agent and the KHS service, security data can be synchronized in real time to support features such as login permission detection, backdoor attack detection, patch update, brute-force attack prevention, and website threat detection.

Kingsoft Cloud Security Inspector

Kingsoft Cloud Security Inspector (KSI) scans servers and web services for vulnerabilities and provides solutions for high-risk ones if detected. It covers all common types of vulnerabilities and offers comprehensive and efficient third-party PoC detection services.

Kingsoft Cloud Certificate Management

Kingsoft Cloud Certificate Management (KCM) cooperates with major digital certificate authorities and agencies around the world to issue certified digital certificates on cloud platforms to help users realize HTTPS and provide data security for their websites.

Data security

Kingsoft Cloud manages data throughout its entire lifecycle. A data security team strictly manages user data from the aspects of access control, data usage auditing, data flow monitoring, data storage encryption, data transmission security, and data security training and education.

Identity and Access Management

The Identity and Access Management (IAM) service helps users avoid potential misuse, excessive privileges, and failure to isolate resources due to the use of shared passwords. IAM reduces the information security risks and management challenges of enterprises.

Transmission protection

To ensure data security during transmission, Kingsoft Cloud transmits data over the Internet through HTTPS-encrypted channels. Core data is only transmitted on the internal network of Kingsoft Cloud after encryption. This effectively prevents data from being intercepted during transmission. In addition, KS3 uses Secure Sockets Layer (SSL) to encrypt data during transmission and ensure transmission security.

Storage protection

Kingsoft Cloud provides multiple services for storing user data, such as KS3, KRDS, Kingsoft Cloud Redis (Redis), and Kingsoft Cloud MongoDB. Each storage service is equipped with a comprehensive security solution.

KS3 provides EB-level data verification and AES-256 online banking-level encryption. KS3 uses public and private keys for signature verification and keeps multiple backups of data to ensure data security and reliability. KS3 also supports data transmission through HTTPS-encrypted channels.

KRDS is a stable, reliable, and scalable online database service. Equipped with an excellent performance monitoring system and multiple security measures, KRDS provides a professional solution for database backup, recovery, and optimization. With KRDS, enterprises can focus on application and business development.

Redis is an out-of-the-box, stable, and reliable service for online caching and key-value storage. Redis supports active/standby hot backup and provides features such as automatic failover, instance monitoring, and online scaling to ensure service reliability and stability.

Developed based on a three-node replica architecture, Kingsoft Cloud MongoDB provides features such as failover, disaster recovery migration, and online backup. Kingsoft Cloud MongoDB provides over 20 service monitoring and alarm features to help users detect various issues that may occur during the use of the service. Kingsoft Cloud MongoDB also supports database backup and recovery.

All data storage services of Kingsoft Cloud support user-level data isolation, access control, and privilege management to ensure data security with multiple measures.

Data destruction

When a user actively deletes data or the data of a user needs to be destroyed after a service expires, Kingsoft Cloud automatically clears the data from the disks and memory on the physical server so that the data cannot be recovered. In addition, before a data storage device is discarded or sent to a third party for repair or resale, Kingsoft Cloud performs a low-level disk formatting to completely delete all user data from the device so that the data cannot be recovered.

Privacy protection

Kingsoft Cloud attaches great importance to the security of user information. To ensure the security of users’ privacy data, Kingsoft Cloud has taken appropriate physical, electronic, and management measures to protect user information against unauthorized access, public disclosure, misuse, malicious modification, damage, or loss. Kingsoft Cloud adopts encryption technologies to improve the security of user information, and uses a trusted protection mechanism to prevent malicious attacks against user information. An access control system is deployed to allow only authorized personnel to access user information. In addition, Kingsoft Cloud conducts data security training to strengthen employees’ awareness of protecting user data. When users store data in Kingsoft Cloud’s services, Kingsoft Cloud isolates the data of different users. Without legal authorization, users cannot access each other’s data, and Kingsoft Cloud has no right or means to view users’ data.

Security organization

Kingsoft Cloud has always put network security first, and has established a professional security team to ensure network security. The security team plans and manages security actions according to the overall strategy of Kingsoft Cloud. This ensures that the cloud services and security services provided by Kingsoft Cloud meet security requirements to protect the interests of Kingsoft Cloud users. Moreover, the security team has organized a security committee in cooperation with multiple internal departments to promote security work from the top down. The security committee greatly improves the efficiency of cross-departmental collaboration and effectively manages security risks.

O&M security

Vulnerability management

Kingsoft Cloud has a complete vulnerability management system. Kingsoft Cloud’s threat intelligence and emergency response team responds to, rates, and disposes of vulnerabilities 24/7. Vulnerabilities are usually discovered by Kingsoft Cloud in routine service scanning and penetration testing or reported by third parties. Kingsoft Cloud keeps close contact with various security communities to learn of the security vulnerabilities they discover as soon as possible.

Security incident management

Similar to the vulnerability management system, Kingsoft Cloud has also established a mature system for security incident management. Upon learning of an incident, Kingsoft Cloud traces and immediately resolves the incident in accordance with Kingsoft Cloud’s security incident handling process. If the incident is related to a user, Kingsoft Cloud notifies the user at the first opportunity. After the incident is resolved, Kingsoft Cloud employs countermeasures to prevent similar security incidents.

Business continuity management

Business continuity represents an enterprise’s ability to quickly respond to risks and automatically make adjustments that ensure the continuous operation of an enterprise’s business. Cloud service providers manage the operation of cloud services on which customers run their businesses. Therefore, business continuity is more vital to cloud service providers. Kingsoft Cloud’s business continuity system ensures the high availability, continuous operation, and disaster recovery of its cloud services with comprehensive business continuity plans, regular drills, and remote data backup and storage.

Business continuity plans

Kingsoft Cloud’s core services, such as KEC, KS3, and networking services, have mature business continuity plans to deal with causes of service interruption, including natural disasters, carrier network failures, network security incidents, hardware failures, and misuse. The plans provide a comprehensive response mechanism in terms of the recovery time objective (RTO), recovery point objective (RPO), service interruption impact, service recovery plan, service recovery process, and service backup plan. During a service interruption or failure, the business continuity plans ensure information availability and accuracy for key services within the required time frame.

Exercises and training

Each core business line of Kingsoft Cloud has a business continuity plan that is regularly updated and audited. Kingsoft Cloud also regularly exercises business continuity plans, records the exercise results, and reports the results to ensure the effective implementation of the plans. Moreover, to improve employees’ security awareness, Kingsoft Cloud regularly conducts training on security awareness and information security. After completing a series of security training, employees can obtain comprehensive security knowledge, which substantially reduces the risks of service interruption and improves the overall security level of Kingsoft Cloud.

Business security management

In addition to technical approaches, management approaches are also required to ensure the security of Kingsoft Cloud in a comprehensive and in-depth manner. Kingsoft Cloud has built a comprehensive business security management system that is continuously improved to provide a response procedure and management approach for every security issue. Kingsoft Cloud is also continuously expanding security requirements on services to manage the network environment with increasing security threats, and ensure data security for Kingsoft Cloud as well as its services and users.

Cloud security engineering capabilities

Design security

Most system security issues result from insecure design. Prior to development, Kingsoft Cloud evaluates the design of a system according to the core principles of secure design. Kingsoft Cloud analyzes system design from aspects such as attack points, access privileges, and basic privacy to avoid system development that is based on an insecure design.

Coding security

During the development of a system, Kingsoft Cloud strictly abides by a secure development-based lifecycle management process. In the development stage, security personnel provide secure coding specifications for various programming languages to avoid insecure code in the system. In the testing and auditing stage, security personnel provide security test points and manually review code to eliminate vulnerabilities before the system is put into use. In the system release stage, security personnel provide findings of the overall security assessment, and the security, R&D, and O&M departments must jointly decide whether to release the system.

Change control

Change operations are operations that cause known or potential impacts on the stability, availability, and security of online services. Kingsoft Cloud strictly controls change operations to prevent them from affecting the stability of services. Kingsoft Cloud classifies the change operations into two types: upgrades that are transparent to users and operations that are perceived by users or affect the SLA. The latter operations affect the availability, stability, and security of services. Kingsoft Cloud imposes different control procedures on these two types of change operations. Kingsoft Cloud strictly follows the canary release method to roll out changes and ensure the stability and security of services.
