Alibaba Security & Monitoring
Security Center Overview

In this course, we'll take a look at the services available to help you secure and monitor your Alibaba cloud environment and also help you prepare for the security element of Alibaba's ACA exam. We'll start by looking at Alibaba Security Center and the features that it offers.

Next, we look at Alibaba's anti-DDoS service, including a brief overview of how it works, and what versions are available. Finally, we cover Cloud Monitor, a service that allows you to monitor your cloud resources and internet applications.

Learning Objectives

  • Understand the basics of Alibaba Security Center and its offerings
  • Learn about the anti-DDoS service and how it works to protect your Alibaba cloud environments from attack
  • Learn how to monitor your resources and applications with Alibaba Cloud Monitor

Intended Audience

  • Cloud architects
  • Security engineers
  • Anyone looking to secure their Alibaba Cloud infrastructure
  • Anyone studying for the ACA exam


To get the most out of this course, you should have a basic understanding of Alibaba cloud and cloud security in general.


Hello and welcome to session one, Security Center overview. In this session, we will be looking at a high-level overview of some of the features provided by Alibaba Security Center to satisfy the requirements for the Alibaba ACA exam.

Security Center is a unified security management system that dynamically identifies and analyses security threats. It generates alerts when threats are detected and it lets you discover and block attacks as they happen. And it can also respond if an attack was successful. Alibaba Cloud has tools built in to Security Center that help you with automated root cause analysis, asset fingerprinting and a log analysis tool to help you determine where things went wrong.

The traditional method for dealing with security threats is a manual method. You collect logs into some type of security information and event management system that sends alerts to your operations personnel and then they configure firewall rules and add host rules that are designed to mitigate threats that have been discovered via log collection. This is potentially a process that can take hours or days to implement.

On the Alibaba cloud platform, you can fully automate this and it's one of the key advantages of moving into the cloud environment. A host and firewall can be connected to Security Center and Security Center itself can make decisions in seconds about how to adjust rules in order to prevent threats as they pop up.

Another big advantage of Security Center over a traditional architecture is that with a traditional security architecture security tools like antivirus software must be installed directly on the host machines, whereas in a cloud native architecture what you have on your virtual host machines is an agent. This is a lightweight process that sends information somewhere else, like for example the antivirus service, and your host machine itself then gets a response back from that service. This takes a lot of the load off the host machine which provides other benefits like lower resource consumption and less of a hit on network performance all for the same level of protection.

One of the core components of Security Center is the agent. This is a component of Security Center known as Server Guard. It contains two processes. One of them is Cloud Shield and the other one is the Updater Service.

For the Server Guard agent in a Linux system these processes run under the root account. And in a Windows system they run with the system account. This is not a resource intensive tool and when it's not doing any active scans it takes up less than 1% of CPU and around ten megabytes of memory. But when it is working it will not exceed 10% CPU utilisation or 80 megabytes of memory.

Security Center includes essentially four different types of feature. There is patch management, trojan scans, health checks, and hardening and attack interception.

With the first one, patch management, Security Center can detect common vulnerabilities in web customer relation management systems in Linux and Windows and warns you when a server needs to be patched. It also has a quick repair tool which you can use to automatically execute and update processes on some instances. And the zero day hot fix option which can be used to implement temporary protection against attacks that have no patch yet.

With trojan scan Security Center can detect web shell uploads and trojan process detection for rogue processes that have been installed on your ECS instances. And it can quarantine them for you.

With health checks and hardening Security Center lets you check the security configuration of your servers. It can warn you about changes in configuration and give suggestions for ways to improve or harden the security settings on your servers. It can also detect some types of backdoor attacks.

And finally, with attack interception Security Center can detect brute force attacks. For example, attempts to guess a password. And it can also audit login behaviour, checking for unusual logins which could be someone logging in from a new location or someone logging in at an unusual time of the day.

From within Security Center itself you can run a health status check that will give you a quick general overview of the health of all your ECS instances. One of Security Center's great features is the ability to fix vulnerabilities without downtime.

The traditional way to patch a vulnerability after you've detected it would be to figure out what you need to do to fix it and plan your system downtime accordingly, making a backup and then patching the software on the machine before rebooting to make sure everything is working, and then releasing it back into production where it can serve traffic. This is a lot of work, and all those steps must be done manually and can take time.

In Security Center, however, you can automate most of this. You identify the vulnerability you want to fix and then select the instance you want to fix. And from that point on the process is mostly automated. So, let's say you want to fix an instance, for example instance A. What you'll do is select that instance manually, say I want to patch this instance, and from that point on Security Center will automate the following tasks. It will take a snapshot of instance A. Create an instance B based on the snapshot. Detach the public IP from instance A and attach it to instance B. Validate and then start instance B. Fix the vulnerability on instance A and run automated checks on it.

If the checks are okay, detach the public IP from instance B and then reattach it to instance A. And then delete instance B. So, it goes through the entire cycle of fixing and validating instance A without having any downtime. The whole time instance A is being fixed instance B will be serving live traffic.

Security Center provides a rich monitoring dashboard with over twenty different panels or snap-ins that give you complete information about all security threats you face across all of your resources and in all Alibaba cloud regions. There are four editions of Security Center. Basic, Basic Anti-Virus, Advanced, and Enterprise.

The Basic Edition offers basic security enhancement services free of charge. You can use the services to detect unusual logons at your servers, DDoS attacks, main types of vulnerability detected on servers, and service configuration risks. If you select security enhancement when you purchase an elastic compute service, ECS instance, the Basic Edition of Security Center is automatically activated. And as well as the Basic Edition services the following editions use subscription billing to provide extra billed services.

The Basic Anti-Virus edition provides for alerting and antivirus. The Advanced edition provides alerting, antivirus, vulnerability detection, and fixing, and security reports. And the Enterprise edition provides alerting, antivirus, vulnerability detection, and fixing, baseline checks, asset fingerprints, and attack analysis. That concludes this session on Alibaba Security Center overview.

In the next session, I will introduce Alibaba's anti-DDoS service. I look forward to seeing you there.

About the Author

David’s IT career started in 1990, when he took on the role of Database Administrator as a favor for his boss. He redirected his career into the Client Server side of Microsoft with NT4, and then progressed to Active Directory and each subsequent version of Microsoft Client/Server Operating Systems. In 2007 he joined QA as a Technical Trainer, and has delivered training in Server systems from 2003 to 2016 and Client systems from XP onwards. Currently, David is a Principal Technical Learning Specialist (Cloud), and delivers training in Azure Cloud Computing, specializing in Infrastructure Compute and Storage. David also delivers training in Microsoft PowerShell, and is qualified in the Alibaba Cloud Space.