By Syed Jawad Imam Jafri, Cyber Security and Privacy Officer (CSPO), Huawei South Africa – Huawei Cloud considers infrastructure security to be a core component of its multi-dimensional full-stack cloud security framework. Without infrastructure security that complies with security standards and regulations, cloud service security would be built on shifting sand and entirely incapable of enabling and adding value to tenant business and safeguarding tenant security.
The security compliance aspect sets a security baseline adopted industry-wide for the evaluation of CSP (Cloud Service Provider)s infrastructure security and cloud service security. To cloud service tenants, a CSPs infrastructure has a relatively low degree of transparency and openness, which directly affects the trustworthiness of the CSP’s cloud security.
With Huawei Cloud’s regulatory compliance certifications, tenants can be more confident in moving their business to Huawei Cloud and leveraging our cloud services to grow their business. Beyond security compliance, Huawei Cloud also addresses the importance of security design and practices in the physical environment, network, platform, application (specifically application programming interface) and data aspects of Huawei Cloud’s security framework.
Since Huawei Cloud was launched in 2012, Huawei has made customer trust a top priority and continues to increase investment in this area. Compliance with security standards and regulations is an absolute necessity for gaining and maintaining baseline customer trust. It is also an important measure to defend against insider attacks. Certifications for compliance with security standards and regulations not only improve Huawei Cloud’s overall security capabilities and service level, but also help mitigate customers’ concerns regarding compliance and data security. In fact, customer trust hinges on what authoritative certifications a CSP has achieved.
Huawei Cloud will continue to ensure that its infrastructure and major cloud services pass evaluations conducted by independent, authoritative, and industry-reputable third-party security organisations as well as reviews by security certification agencies. Huawei Cloud provides on its infrastructure only those cloud services that comply with mandatory security standards and regulations. Industry security evaluations and certifications demonstrate Huawei Cloud’s security strategies, policies, and risk management mechanisms in the people/organisation, process, and technology aspects throughout the R&D and O&M lifecycle of its infrastructure and cloud services. Customers can also gain an unbiased and in-depth understanding of Huawei Cloud’s capabilities and effectiveness in user data protection and cloud service security.
One example that Huawei Cloud has achieved is the CSA STAR Gold certification, which is based on ISO/IEC 27001 and also includes the Cloud Control Matrix (CCM) security requirements, which cover 16 control domains including governance and risk management, data/application/infrastructure security, IAM (Identity and Access Management), data center security, change control and configuration management, business continuity management and operational resilience, human resources, and supply chain management, among other features.
Based on Huawei Cloud’s shared responsibility model, Huawei Cloud also proactively established and continues to enhance its security compliance capabilities in its infrastructure (across the physical environment, network, and platform layers) to ensure the security and compliance of its services in supporting the business of cloud tenants. For example, Huawei Cloud is in the process of getting certified for the Payment Card Industry Data Security Standard (PCI DSS). In the near future, Huawei Cloud customers will be able to run their applications and deploy financial payment services on Huawei Cloud’s PCI DSS-compliant infrastructure, which will help customers achieve and maintain security compliance for the transmission, storage, and processing of payment card information in Huawei Cloud.
To date, Huawei Cloud has obtained the following security evaluations and certifications:
- GB 50174 Code for Design of Electronic Information System Room, Section A
- TIA 942 Telecommunications Infrastructure Standard for Data Centers, T3+ Standard
- CSA-STAR Gold
- CSA C-STAR
- ISO/IEC 27001
- ISO/IEC 27017
- CC EAL3+
- PCI DSS
- China Graded Information Security Protection Level-3
- China Data Center Alliance (DCA) Trusted Cloud Certification, Gold Medal for Huawei Cloud O&M, Five Star Plus Certification, the highest grade, for Huawei Cloud OS
- Cybersecurity Review by Cyberspace Administration of China
- Trusted Cloud Service (Germany)
In addition, Huawei Cloud proactively seeks out and adopts industry best security practices. For example, Huawei Cloud leverages the Minimum-Security Baselines set out by the Center of Internet Security (CIS) and has integrated them into the Huawei Cloud DevSecOps process. CIS security baselines are a set of industry best practices for network and system security configurations and operations, which cover people (behavior of both end users and administration personnel), processes (network and system management) and technologies (software and hardware). This reaffirms that Huawei Cloud continues to stay aligned with the industry in complying with security standards and regulations.