DEV Community

Man yin Mandy Wong

Overview of Tencent Cloud COS Security Solution

Undoubtedly, all enterprises and individuals regard data security as a major consideration when choosing a cloud storage service.

This article describes how to use the pre-event protection, mid-event monitoring, and post-event tracing methods provided by Tencent Cloud COS to ensure the security of your data.

Pre-event protection

1. Permission isolation

After migrating to the cloud, you should keep account security and reasonable resource authorization in mind when building a comprehensive protection system. To manage cloud resources properly, authorization should avoid the following risks:

• Use of Tencent Cloud root accounts to perform routine operations.

• Excessive permissions granted to sub-accounts.

• No account permission management system and process.

• Failure to regularly audit and manage user permissions and login information.

• No access control over high-permission sub-accounts and risky operations.

Tencent Cloud CAM applies controls at both the account level and the permission level to ensure that permissions are clear, secure, and controllable.

2. Object lock

For core sensitive data like financial transactions and medical images, the object lock feature can be used to prevent uploaded files from being deleted or altered.

After this feature is configured, all data in the bucket will become read-only and cannot be overwritten or deleted during the configured validity period. This operation will take effect for all CAM users including root accounts and anonymous users.

This feature is currently in beta testing. To try it out, submit a ticket to apply.

3. Data disaster recovery

COS provides a range of data management features such as data encryption, versioning, cross-region replication, and lifecycle management.

• Data encryption secures reads and writes of sensitive files.

• Versioning and cross-region replication can be used to implement remote disaster recovery, guarantee data durability, and ensure that data can be recovered from the backup when deleted mistakenly or maliciously.

• Lifecycle rules can be used to transition and delete data to reduce storage costs.

Versioning can also protect files from being overwritten or deleted. After it is enabled, all writes to a file will create different versions of the file, and a delete marker will be added when the file is deleted. You can access data from any version and roll back data by specifying the version number, which eliminates the risks of accidental data deletion and overwriting.

Cross-region replication helps you replicate all incremental files to IDCs in other regions over a dedicated tunnel to implement remote disaster recovery. Data deleted from the primary bucket can be recovered from the backup bucket.

Mid-event monitoring

COS offers the event notification feature based on SCF.

For risky operations such as "DeleteObject", you can configure SCF functions to receive notifications by email or SMS as soon as such operations are performed. This helps you promptly detect and respond to risks.
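As an added example (not code from the original article or from Tencent Cloud), the sketch below shows an SCF Python handler that picks delete events out of a COS notification and builds one alert per deleted object. It assumes the COS trigger event layout (`Records[].cos` and `Records[].event`) and the `cos:ObjectRemove:*` event names; the `notify` hook, bucket name, APPID, keys and IP address are hypothetical or constructed.

```python
import json
from datetime import datetime, timezone

# Event-name prefix assumed for COS delete notifications delivered to SCF.
REMOVE_PREFIX = "cos:ObjectRemove:"


def extract_delete_alerts(event):
    """Return one alert dict per delete record in a COS-triggered SCF event."""
    alerts = []
    for record in event.get("Records", []):
        ev = record.get("event", {})
        name = ev.get("eventName", "")
        if not name.startswith(REMOVE_PREFIX):
            continue  # uploads and other events are not alerted on
        cos = record.get("cos", {})
        bucket = cos.get("cosBucket", {})
        when = datetime.fromtimestamp(ev.get("eventTime", 0), tz=timezone.utc)
        alerts.append({
            "bucket": f'{bucket.get("name", "?")}-{bucket.get("appid", "?")}',
            "key": cos.get("cosObject", {}).get("key", "?"),
            "source_ip": ev.get("requestParameters", {}).get("requestSourceIP", "?"),
            "time_utc": when.isoformat(),
            # With versioning on, a delete only adds a marker and can be rolled back.
            "recoverable": name.endswith("DeleteMarkerCreated"),
        })
    return alerts


def main_handler(event, context, notify=print):
    """SCF entry point; `notify` is a hypothetical hook for e-mail/SMS delivery."""
    alerts = extract_delete_alerts(event)
    for alert in alerts:
        notify(json.dumps(alert, sort_keys=True))
    return {"alerts": len(alerts)}


# Constructed sample event (not captured from a real bucket).
SAMPLE_EVENT = {"Records": [
    {"cos": {"cosObject": {"key": "/1250000000/examplebucket/reports/q1.csv"},
             "cosBucket": {"name": "examplebucket", "appid": "1250000000"}},
     "event": {"eventName": "cos:ObjectRemove:Delete", "eventTime": 1700000000,
               "requestParameters": {"requestSourceIP": "203.0.113.7"}}},
    {"cos": {"cosObject": {"key": "/1250000000/examplebucket/img/a.png"},
             "cosBucket": {"name": "examplebucket", "appid": "1250000000"}},
     "event": {"eventName": "cos:ObjectCreated:Put", "eventTime": 1700000050,
               "requestParameters": {"requestSourceIP": "203.0.113.7"}}},
]}
```

The `recoverable` flag separates deletes that only add a delete marker on a versioned bucket from permanent deletes, which are the ones to escalate first.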

Post-event tracing

COS allows you to easily monitor and audit logs in various ways.

Bucket access operations such as file deletion (DeleteObject), file overwriting (PutObjectCopy), and file permission modification (PutObjectACL) can be traced through the bucket access log feature, and risky operations such as deletion can also be traced and verified.

Bucket configuration and management operations such as bucket deletion (DeleteBucket), bucket ACL modification (PutBucketACL), and bucket policy modification (PutBucketPolicy) can be traced through CloudAudit logs, and permission configurations and modifications can also be traced and verified.

Read more at: https://www.tencentcloud.com/dynamic/blogs/sample-article/100389
