
Elastic Compute Service:Overview of security capabilities

Last Updated:May 11, 2024

Alibaba Cloud uses technical controls such as hardware encryption, isolation, and user audit capabilities to provide secure, reliable, and isolated computing environments, with protection at several layers to meet differing security and performance requirements.

Introduction

Alibaba Cloud provides host memory encryption, virtual Trusted Platform Module (vTPM) based trusted computing capabilities, and confidential computing capabilities (Confidential VM and Enclave).

  • Host memory encryption: protects data in memory against physical attacks on the host (for example, cold-boot or memory-bus probing attacks) and raises the baseline security of data in the cloud. The encryption is transparent to the guest, so it adds a layer of protection without any change to operating systems or applications. Only the g8i general-purpose instance family supports memory encryption. Note that host memory encryption defends against physical access to DRAM, not against a compromised hypervisor; isolation from the host is what the confidential computing capabilities below provide.

  • Trusted computing capabilities: trusted instances use a virtual TPM (vTPM) as the root of trust for measurement, forming part of the instance's trusted computing base (TCB). During boot, the critical components of the boot chain are measured into the vTPM's Platform Configuration Registers (PCRs). This gives the instance a tamper-evident, trusted boot: a modified component produces a different measurement, which can be checked against the expected values.

  • Confidential computing capabilities: use the CPU's hardware encryption and isolation features to create trusted execution environments (TEEs) in which data in use is protected from disclosure and tampering, including by the host. Remote attestation lets you verify the cloud platform and the security status of an instance before entrusting it with sensitive data.

    • Enclave: Alibaba Cloud provides confidential computing based on Intel Software Guard Extensions (SGX) 2.0 and Alibaba Cloud Enclave. Both reduce the TCB to the code inside the enclave and the hardware that isolates it, which minimizes the attack surface and blast radius and lets you build more secure and trusted confidential environments. For more information, see Build an SGX confidential computing environment and Build a confidential computing environment by using Enclave.

    • Confidential VM: runs an entire virtual machine in isolated memory that is encrypted with a key the hypervisor cannot read, so sensitive workloads are protected from the host without changes to application code. Alibaba Cloud builds the Confidential VM capability on Intel Trust Domain Extensions (TDX) and AMD Secure Encrypted Virtualization (SEV). For more information, see Build a TDX confidential computing environment.
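The check behind the trusted computing bullet above (and the "verify the security status of an instance" step of remote attestation) is the same in both cases: a verifier replays the boot event log through the TPM extend operation to obtain the expected PCR values, then compares them with the values the vTPM actually reports, either read locally on the instance or carried in a TPM quote. The following Python is an added example for this page, not Alibaba Cloud's code; the event log, the component images it measures and the "reported" PCR values are constructed for illustration, and the sysfs path is the standard Linux location rather than anything specific to ECS.

```python
"""Replay a measured-boot event log and check it against reported vTPM PCRs.

Added example, not Alibaba Cloud code. A real verifier would take the TCG
event log (/sys/kernel/security/tpm0/binary_bios_measurements on Linux)
and the PCR values or TPM quote from the instance; here the log, the
component images and the reported values are all constructed.
"""
import hashlib
from typing import Dict, List, Tuple

DIGEST_LEN = 32                                     # SHA-256 PCR bank
SYSFS_PCR_DIR = "/sys/class/tpm/tpm0/pcr-sha256"    # Linux >= 5.12: one file per PCR


def measure(component: bytes) -> bytes:
    """Digest of a boot component as the firmware records it in the event log."""
    return hashlib.sha256(component).digest()


def initial_pcr(index: int) -> bytes:
    """Reset value of a PCR: PCRs 17-22 (DRTM) start at all ones, the rest at zero."""
    return b"\xff" * DIGEST_LEN if 17 <= index <= 22 else bytes(DIGEST_LEN)


def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM2_PCR_Extend on a SHA-256 bank: PCR_new = SHA-256(PCR_old || digest).

    Extend is one-way and order-sensitive, so a PCR value commits to the whole
    sequence of measurements and cannot be rolled back to hide a component.
    """
    if len(pcr) != DIGEST_LEN or len(digest) != DIGEST_LEN:
        raise ValueError("PCR and digest must both be 32 bytes for the SHA-256 bank")
    return hashlib.sha256(pcr + digest).digest()


# Event log entry: (PCR index, TCG event type, component digest), in boot order.
Event = Tuple[int, str, bytes]


def replay(events: List[Event]) -> Dict[int, bytes]:
    """Recompute the expected PCR values by replaying the event log in order."""
    pcrs: Dict[int, bytes] = {}
    for index, _event_type, digest in events:
        pcrs[index] = extend(pcrs.get(index, initial_pcr(index)), digest)
    return pcrs


def verify(reported: Dict[int, bytes], expected: Dict[int, bytes]) -> List[int]:
    """Return the PCR indices whose reported value differs from the replayed one.

    A PCR present on only one side is a mismatch too: dropping a log entry
    must not let an attacker hide a component from the check.
    """
    return sorted(i for i in set(reported) | set(expected)
                  if reported.get(i) != expected.get(i))


def read_sysfs_pcrs(indices, bank_dir: str = SYSFS_PCR_DIR) -> Dict[int, bytes]:
    """Read live PCRs from the guest's vTPM via sysfs (Linux guest with /dev/tpm0)."""
    result: Dict[int, bytes] = {}
    for i in indices:
        with open(f"{bank_dir}/{i}") as f:
            result[i] = bytes.fromhex(f.read().strip())
    return result


# Constructed golden event log for a trusted instance (strings stand in for images).
GOLDEN_LOG: List[Event] = [
    (0, "EV_S_CRTM_VERSION", measure(b"constructed firmware v1.0")),
    (4, "EV_EFI_BOOT_SERVICES_APPLICATION", measure(b"constructed bootloader shimx64.efi")),
    (7, "EV_EFI_VARIABLE_DRIVER_CONFIG", measure(b"constructed SecureBoot=1 policy")),
    (9, "EV_IPL", measure(b"constructed kernel vmlinuz-6.x")),
]

# Constructed log of an instance whose bootloader was replaced (PCR 4 changes).
TAMPERED_LOG: List[Event] = [
    e if e[0] != 4 else (4, e[1], measure(b"constructed bootloader shimx64.efi (modified)"))
    for e in GOLDEN_LOG
]


def check_instance(reported: Dict[int, bytes]) -> List[int]:
    """Compare an instance's reported PCRs with the golden replay; [] means clean."""
    return verify(reported, replay(GOLDEN_LOG))


if __name__ == "__main__":
    print("clean instance mismatches:   ", check_instance(replay(GOLDEN_LOG)))
    print("tampered instance mismatches:", check_instance(replay(TAMPERED_LOG)))
    # On a trusted instance, compare the live vTPM values instead:
    # print(check_instance(read_sysfs_pcrs([0, 4, 7, 9])))
```

For remote attestation the reported values come from a TPM quote signed by the vTPM's attestation key rather than from sysfs; the replay-and-compare logic is unchanged, but the verifier must also validate the quote's signature and nonce before trusting the PCR values it contains.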

Security capabilities

[Figure: overview of ECS security capabilities]

Best practices for security capabilities