Compliance with security standards and regulations has been identified as one way to earn and maintain customer trust, and as an important method of defending against malicious insiders. Obtaining certification for compliance with industry security standards and regulations helps improve overall security capabilities while alleviating customer concerns about compliance and data security.
Strictly adhering to its customer-centric core values, Huawei Cloud understands the importance of customers’ personal data security, respects and protects customers’ privacy rights, and follows the privacy protection vision of “respect and protect privacy, and let people enjoy the fully connected, intelligent world”. Huawei Cloud solemnly and actively takes relevant responsibilities, considers cybersecurity and privacy protection as top priorities, and ensures that cybersecurity and privacy protection requirements are preferentially supported.
Security Compliance: To implement comprehensive and efficient security and privacy compliance governance, Huawei Cloud developed a cloud-native security governance framework – Cloud Service, Cybersecurity & Compliance Standard (3CS) – based on 16 mainstream global security standards in the industry and Huawei’s 30 years of experience in security operations management and technical accumulation.
The basic concept of the 3CS system is to divide security control domains based on the processes of each cloud service module, enabling security control requirements to be embedded into the cloud service management process, which in turn ensures that security management responsibilities are clear, measurable, and traceable.
Huawei Cloud leverages its compliance governance capabilities through the 3CS to ensure that its infrastructure and major cloud services pass evaluations and certification by independent, industry-recognized third-party security organizations.
Industry security evaluations and certifications demonstrate Huawei Cloud’s security strategies, policies, and risk management mechanisms in terms of policies, processes, organizations, technologies and other aspects, enabling customers to fully understand Huawei Cloud’s investment.
An example of this is the Cloud Security Alliance Security, Trust & Assurance Registry (CSA STAR) Gold certification, which is based on ISO/IEC 27001 and also includes the Cloud Control Matrix (CCM) and other security requirements, which cover 16 control domains. These domains include governance and risk management, data/application/infrastructure security, Identity and Access Management (IAM), data center security, change control and configuration management, business continuity management and operational resilience, human resources, and supply chain management.
Based on the shared responsibility model, Huawei Cloud continues to build and enhance its security compliance capabilities in its infrastructure (across the physical environment, network, and platform layers) to ensure the security and compliance of its services and data.
To date, it has obtained and passed the following security evaluations and certifications:
- GB 50174 Code for Design of Electronic Information System Room, Section A
- TIA 942 Telecommunications Infrastructure Standard for Data Centers, T3+ Standard
- CSA-STAR Gold
- ISO/IEC 27001 (International Organization for Standardization/International Electrotechnical Commission)
- ISO/IEC 27017
- CC EAL3+
- PCI DSS
- BSIMM
- China Graded Information Security Protection Level-3/Level-4
- China Data Center Alliance (DCA) Trusted Cloud certification, Gold Medal for Huawei Cloud O&M, Five Star Plus certification (the highest grade) for Huawei Cloud OS
- Cybersecurity Review by Cyberspace Administration of China
- ITSS Cloud Computing Service Capability Evaluation Level 1 (Enhanced Level)
- SOC 1 Type 2 / SOC 2 Type 2
- SOC 3
- ISO 27018
- ISO 20000
- ISO 22301
- MTCS Level 3 (highest level of Singapore multi-layer cloud security certification)
- ISO 29151
- ISO 27701
- BS 10012
- OSPAR
- NIST CSF
Privacy Protection: On the basis of a privacy protection system and industry best practices, the cloud service has established its own privacy protection structure, which complies with Huawei’s top priorities of cybersecurity and privacy protection as well as with privacy protection laws and regulations across countries.
There has been a huge investment in professionals and other resources to support research and application of new technologies and ensure the effective operation of the privacy protection system. The goal is to be a leader in the industry and achieve the corresponding objectives of safeguarding strict service boundaries, protecting customers’ personal data security, and helping customers implement privacy protection.
Huawei Cloud has formulated seven privacy protection principles (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality; and accountability), and adopts the industry-recognized and advanced concept of Privacy by Design (PbD) as guidance to form its own privacy protection concept based on its specific situation.
The privacy protection concept has been widely applied to various aspects of Huawei Cloud, including organization and personnel management, personal data security management on the cloud platform, and privacy services provided to customers. In addition, it uses Privacy Impact Assessment (PIA) to identify privacy risks, which are then eliminated or reduced through appropriate measures. It provides a clear privacy statement and customer feedback channels on the official website, helping customers understand the privacy protection information of its services.
The Huawei Cloud research team is committed to developing Privacy Enhancing Technologies (PETs) to accumulate privacy protection engineering technical capabilities, so as to meet different customers’ needs.