|Industry|Cloud computing, Web services|
|Key people|Daniel Zhang (CEO)|
|Products|IaaS, PaaS, SaaS, DBaaS|
|Revenue|$2.71 billion (Q1 2023)|
Alibaba Cloud (also known as Aliyun) is a Chinese cloud computing company that provides public, private, hybrid, and multicloud solutions to enterprises, organizations, governments, and individuals. Alibaba has data centers primarily in China but also some outside of China, including North America, Europe, the Middle East, Australia, Japan, and other parts of the Asia Pacific region. The company provides more than 100 different products and services representing elastic computing, networking, content delivery, data storage, database management, security management, enterprise management, cloud communication, data analysis, media management, container and middleware management, developer support, internet of things, and artificial intelligence.
In May 2023, the company approved the spin-off of its cloud division, the Cloud Intelligence Group, "via a stock dividend distribution to shareholders, aiming to complete the public listing within the next 12 months."
This section uses public information to provide some answers to the 18 questions posed in Chapter 6 of the wiki-based guide Choosing and Implementing a Cloud-based Service for Your Laboratory. In some cases, public information could not be found, and a recommendation to further discuss the question with the cloud service provider (CSP) is made.
1. What experience do you have working with laboratory customers in our specific industry?
You must ask this question of the cloud provider yourself to gain a true understanding of how they may have worked with labs in your industry. However, here's a little background on Alibaba's connections with laboratories in general, based on publicly available information. According to Alibaba Cloud, their services have received "regular and stringent evaluations" by the China National Accreditation Service for Conformity Assessment (CNAS) and its accredited body the State Information Center Software Testing Center. CNAS is also the accreditation body responsible for the accreditation of laboratories in China. This in itself doesn't mean Alibaba has strong experience working with laboratories, but it is nonetheless encouraging—particularly if CNAS accreditation is rigorous—that Alibaba has seemingly been vetted by CNAS. As for direct experience with laboratories, Alibaba reportedly had interactions with some laboratories as part of a COVID-19 initiative in 2020. Laboratories that do or at some point have worked off Alibaba Cloud as part of their tech stack include Anbison Laboratories and BGI Genomics.
2. Can your solution readily integrate with our other systems and business processes, making it easier for our end users to perform their tasks?
Like question one, it will ultimately be up to your organization to get an answer tailored to your systems and business processes. However, this much can be said about Alibaba integrations. The company provides a Data Integration product described as "a stable, efficient, and scalable data synchronization service. It is designed to migrate and synchronize data between various heterogeneous data sources in complex network environments at a high speed and in a stable manner." This appears to be primarily for data synchronization among supported structured, semi-structured, and unstructured data stores, not data consumption. Consult their documentation on data integration for more details. Alibaba also discusses hybrid integration of your organization's backend systems, and the company leans on its Elastic Compute Service, Server Load Balancer, Express Connect, and Virtual Private Cloud to do this. The company also provides a one-page sheet explaining how it handles backend system integration. Again, your existing systems and business processes may need to be altered slightly to work with Alibaba's services, which is why you'll be asking this question.
3. What is the average total historical downtime for the service(s) we're interested in?
Little public information is made available about historic outages and downtime. You'll largely have to ask this of Alibaba and see what response they give you. Alibaba has demonstrated a desire to increase availability in multiple areas of its services, including a push to "99.995 percent availability for services deployed across multiple availability zones within a cloud region" and "99.975 percent for single instances." You may wish to consult Alibaba Cloud's lengthy whitepaper on the architecture and availability of its solutions. That said, outages have been reported in 2015, 2019, and 2022.
4. Do we receive comprehensive downtime support in the case of downtime?
Alibaba does not make this answer clear. However, the answer is likely tied to what after-sales support plan you choose. Confirm with Alibaba what downtime support they provide based on the services your organization is interested in.
5. Where are your servers located, and how is data securely transferred to and from those servers?
Alibaba has data centers primarily in China but also some outside of China, including North America, Europe, the Middle East, Australia, Japan, and other parts of the Asia Pacific region. Alibaba uses its Content Delivery Network, which "distributes user requests to the most suitable nodes, allowing the fastest possible retrieval of requested content." Alibaba addresses data transmission security in its security whitepaper on pages 133 (in regards to its cryptographic service) and 163 (in regards to the entire service), mentioning the standard trifecta of HTTPS, VPN gateways, and SSL certificates. In regards to data localization requirements, it's not clear from a superficial review how Alibaba honors those requirements; you'll have to have direct discussions with Alibaba and review their compliance materials in regards to any data localization requirements you may have. Tangentially, a 2020 report stated that Alibaba finds data localization requirements in regulatory models such as Europe's General Data Protection Regulation (GDPR) to be too stifling and has been petitioning the Chinese government to take a more light-handed approach to data localization. Despite this, China has marched ahead with its data localization requirements into 2023, causing some multinational organizations to rethink their market strategy.
6. Who will have access to our data (including subcontractors), and what credentials, certifications, and compliance training do they have?
Alibaba discusses personnel management in regards to physical data security in its security whitepaper on pages 15–18. However, it does not reference the certifications and training required for those who have permission to access your data. (Though certifications like the ACA Cloud Security Certification apparently exist.) You will have to inquire with Alibaba about these considerations when asking this question.
7. Will our sensitive and regulated data be stored on a machine dedicated to complying with the necessary regulations?
Not all Alibaba machines have the same controls on them; it will depend on the region, product, and compliance requirements of your lab. That said, verify with a representative that the machine your data will land on meets all the necessary regulations affecting your data.
8. How segregated is our cloud data from another customer's, i.e., will lapses of security of another customer's cloud affect our cloud? (It typically won't, but asking the question will hopefully prompt the provider to better explain how your data is segregated.)
It does not appear that Alibaba supports physical separation approaches to sensitive and regulated data. They cite "a higher cost structure and lower utilization resulting from less efficient use of space as well as limited redundancy options and features" in regards to physical separation practices. They argue that logical separation is a better approach "via logical access controls, permission management, network traffic routing, and encryption." They add that users needing to meet "security outcomes equivalent to physical separation" can also take advantage of a virtual private cloud "or use encryption solutions to encrypt data at-rest and in-transit."
Alibaba does, however, address the concept of tenant isolation in its security whitepaper in multiple places. Tenant isolation is enabled by default on Alibaba. This is largely accomplished with virtualization methods. Reference section 220.127.116.11 of the whitepaper for more details. Further technical details, if required, may be garnered in discussion with Alibaba.
9. Do you have documented data security policies?
Alibaba documents its security practices in several places:
Some security-related documents, like the SOC 2 report, may not be publicly available, requiring direct discussion with an Alibaba representative to obtain them.
10. How do you test your platform's security?
In its security whitepaper, Alibaba addresses penetration testing (page 27), noting they use "attack-and-defense drills ... designed to objectively test the defense and threat detection capabilities of Alibaba Cloud, enhance the core security capabilities of Alibaba Cloud, and improve the security defense system." For more on these drills, discuss the topic with Alibaba. There are other scattered pieces of information related to non-Alibaba personnel testing the platform. For example, an Alibaba user can apply for a license to conduct penetration tests for Alibaba Cloud products. Alibaba also appears to have had a Crowdsourced Security Testing program, but much of the documentation about the program seems to have gone missing from the Alibaba Cloud site. A page detailing how to register for the program also disappeared, and as such, it's not clear how active the program is today. A related set of vulnerability rewards programs, encouraging people to test Alibaba's security, may also still be available through the Alibaba Security Response Center.
11. What are your policies for security audits, intrusion detection, and intrusion reporting?
Audits: Alibaba cooperates "with independent third-party security regulation and audit agencies to audit and evaluate the security and compliance stance of Alibaba Cloud." This is demonstrated by its compliance credentials (e.g., see pages 6–10 of the company's security whitepaper or its trust center). Alibaba also provides tools to customers (e.g., Cloud Config) allowing them to run their own security audits on their own data.
Intrusion detection and reporting: Alibaba Cloud allows users to install a small app called Security Center on their virtual machines (VMs) that can handle intrusion detection in real time. Per the security whitepaper, "intrusion detection for VMs includes remote logon detection, Webshell detection and removal, anomaly detection (detection of abnormal process behaviors and abnormal network connections), and detection of changes in key files and suspicious accounts in systems and applications. Security Center can also intelligently learn application whitelists." This same app can also be used with Alibaba's Container Service. Intrusion detection services are also found within Alibaba's Cloud Firewall. In the case of Cloud Firewall, reporting is included. Reporting is presumably also a component of Security Center; confirm this with Alibaba.
12. What data logging information is kept and acted upon in relation to our data?
Logs of activities performed on the cloud platform collected through the central logging platform are imported into real-time and offline computing platforms. Logs are processed and analysed through security monitoring algorithms in each computing platform for anomaly analysis and detection.
It's not clear, however, to what extent logging information is stored and acted upon in regards to a specific customer. Discuss this topic further with an Alibaba representative.
13. How thorough are those logs and can we audit them on-demand?
Presumably, any logging related to Cloud Config, Security Center, Cloud Firewall, etc. is available to authorized users, though the fine details of this should be confirmed with Alibaba. In regards to auditing internal operation logs, Alibaba has this to say:
Although Alibaba Cloud has obtained industry-leading third-party compliance certifications, efforts must also be made to give users the confidence that their data and resources are properly protected and managed within the cloud platform. To this end, Alibaba Cloud provides the ability to make relevant internal operations transparent to the users by providing internal operation logs in selected products (such as OSS). This allows users to monitor and audit internal cloud platform operations when using Alibaba Cloud products.
14. For HIPAA-eligible data (e-PHI) we may have, will you sign a business associate agreement?
15. What happens to our data should the contract expire or be terminated?
Direct your attention to the service agreement associated with the product you use. Some service agreements for particular products are available in the Alibaba Cloud Document Center, while others may be difficult to track down. If you can't find the details of a service agreement for the product you're interested in, address this with an Alibaba representative. That said, here's an example from the Alibaba Terms of Service:
When the service period expires, the service is terminated in advance (including early termination agreed by both parties, early termination due to other reasons, etc.) or you have arrears, unless otherwise specified by laws and regulations, required by the competent department or agreed by both parties, Alibaba Cloud will only continue to store your user business data (if any) within a certain buffer period (subject to the time limit specified in the proprietary terms, product documents, service instructions, etc. applicable to the service you ordered). At the end of the buffer period, Alibaba Cloud will delete all user business data, including all cached or backup copies, and will no longer retain any of your user business data ... Once the user's business data is deleted, it cannot be recovered; You should bear the consequences and responsibilities arising from the deletion of data. You understand and agree that Alibaba Cloud has no obligation to continue to retain, export or return user business data.
16. What happens to our data should you go out of business or suffer a catastrophic event?
It's not publicly clear how Alibaba would handle your data should they go out of business; consult with an Alibaba representative about this topic. As for catastrophic events, Alibaba's Object Storage Service (OSS) is based on zone-redundant storage (ZRS). "ZRS distributes user data across three zones within the same region. Even if one zone becomes unavailable, the data is still accessible. The ZRS feature can provide data durability (designed for) of 99.9999999999% (twelve 9's) and service availability of 99.995%." It's highly unlikely that all three zones would be affected in a catastrophic event. However, if this is a concern, discuss further data redundancy with an Alibaba representative.
17. Can we use your interface to extract our data when we want, and in what format will it be?
Alibaba doesn't make it 100 percent publicly clear how data migration from Alibaba to another cloud service would work. However, they do outline several other data migration scenarios, including the scenario of migrating from Alibaba Cloud to an on-premises system. It's unclear whether or not a third-party cloud transfer service would be required or useful when moving from Alibaba Cloud to another cloud service. In the end, if there are still questions on this topic, discuss it with an Alibaba representative.
18. Are your support services native or outsourced/offshored?
It is unclear if support personnel are local to the customer or if support is outsourced to another business and country. Discuss this with an Alibaba representative.
Managed security services
Alibaba Cloud Managed Security Service is described by Alibaba as "a security technology and consulting service designed to establish, and optimize, security protection systems so that users can ensure the security of their business on the cloud." The company primarily touts managed detection and response, security assessment, and security hardening as part of its MSS. This includes:
- Managed detection and response: overall security consulting, security monitoring and inspection, incident response, and cloud application and hardware configuration
- Security assessment: online assessment and scanning of current security system, data analysis from that assessment and scanning, and reporting of data and recommendations
- Security hardening: reinforcement range confirmation, hardening plan development, and plan implementation and testing
Documentation and other media
- Alibaba Cloud architecture framework or description
- Alibaba Cloud Managed Security Service
- Alibaba Cloud shared responsibility model
- Alibaba Cloud trust center
- Wilhelm, A. (18 May 2023). "Alibaba’s cloud spinoff may serve as a good yardstick to value other major players". TechCrunch. https://techcrunch.com/2023/05/18/alibaba-cloud-spin-off-analysis/. Retrieved 28 July 2023.
- "Alibaba Cloud's Global Infrastructure". Alibaba Cloud. https://www.alibabacloud.com/global-locations. Retrieved 28 July 2023.
- "Alibaba Cloud Products & Services". Alibaba Cloud. https://www.alibabacloud.com/product. Retrieved 28 July 2023.
- Mahta, C.; Horwitz, J. (18 May 2023). "Alibaba misses revenue estimate, approves cloud unit spinoff". Reuters. https://www.reuters.com/business/retail-consumer/alibaba-fourth-quarter-revenue-rises-2-2023-05-18/. Retrieved 28 July 2023.
- "CNAS". Alibaba Cloud. https://www.alibabacloud.com/trust-center/cnas. Retrieved 28 July 2023.
- "CNAS Introduction". China National Accreditation Service for Conformity Assessment. https://www.cnas.org.cn/english/introduction/12/718683.shtml. Retrieved 28 July 2023.
- "Alibaba Cloud Offers AI, Cloud Services to Help Battle Covid-19 Globally". Alibaba Cloud. 19 March 2020. https://www.alibabacloud.com/press-room/alibaba-cloud-ai-cloud-services-to-help-battle-covid-19. Retrieved 28 July 2023.
- "Anbison Laboratories". ZoomInfo. https://www.zoominfo.com/c/anbison-laboratories-co-ltd/345850572. Retrieved 28 July 2023.
- "Unleashing the Power of Precision Medicine Using the Hybrid Cloud" (PDF). Intel. 2016. Archived from the original on 09 April 2021. https://web.archive.org/web/20210409184731/https://www.intel.com/content/dam/www/public/us/en/documents/white-papers/unleashing-power-of-precision-medicine-hybrid-cloud-paper.pdf. Retrieved 28 July 2023.
- "Data Integration: Overview". Alibaba Cloud. 10 April 2023. https://www.alibabacloud.com/help/en/dataworks/user-guide/overview-6. Retrieved 28 July 2023.
- Mah, P. (2 January 2020). "Alibaba Cloud upgrades SLA for multi-zone instances". Data Center Dynamics. https://www.datacenterdynamics.com/en/news/alibaba-cloud-upgrades-sla-multi-zone-instances/. Retrieved 28 July 2023.
- Mah, P. (26 June 2015). "Aliyun cloud suffers prolonged disruption in Hong Kong". Data Center Dynamics. https://www.datacenterdynamics.com/en/news/aliyun-cloud-suffers-prolonged-disruption-in-hong-kong/. Retrieved 28 July 2023.
- Fu, Y. (3 March 2019). "Alibaba Cloud Reports IO Hang Error in North China". EqualOcean. https://equalocean.com/news/201903031507. Retrieved 28 July 2023.
- Liao, R. (29 December 2022). "Alibaba CEO to oversee cloud arm following major server outage". TechCrunch. https://techcrunch.com/2022/12/29/alibaba-reshuffle-2022/. Retrieved 28 July 2023.
- Lu, X. (4 June 2020). "Is China Changing Its Thinking on Data Localization?". The Diplomat. https://thediplomat.com/2020/06/is-china-changing-its-thinking-on-data-localization/. Retrieved 28 July 2023.
- Cline, J. (25 October 2022). "China’s new data-transfer mandate prompting multinationals to rethink market strategy". PwC. https://www.pwc.com/us/en/tech-effect/cybersecurity/security-assessments-for-china-cross-border-data-transfers.html. Retrieved 28 July 2023.
- "Security Compliance FAQs". Alibaba Cloud. https://www.alibabacloud.com/trust-center/faq. Retrieved 28 July 2023.
- "Alibaba Cloud Security White Paper - International Edition, Version 2.1" (PDF). Alibaba Cloud. February 2021. https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/2021/Whitepaper/Alibaba%20Cloud%20Security%20Whitepaper%20-%20International%20Edition%20V2.1%20%282021%29.pdf. Retrieved 28 July 2023.
- "Apply for a penetration test license". Alibaba Cloud. 6 March 2019. https://www.alibabacloud.com/help/en/security-control/latest/apply-for-a-penetration-test-license. Retrieved 28 July 2023.
- "Alibaba Cloud Crowdsourced Security Testing" (PDF). Alibaba Cloud. 16 May 2019. http://static-aliyun-doc.oss-cn-hangzhou.aliyuncs.com/download/pdf/DNXIAN1846009_en-US_intl_190516194424_public_8c46d47183231dcdd2ff90881a425617.pdf. Retrieved 28 July 2023.
- "Crowdsourced security testing platform procedure for enterprises". Alibaba Cloud. 13 January 2020. Archived from the original on 10 April 2021. https://web.archive.org/web/20210101000000*/https://www.alibabacloud.com/help/doc-detail/28394.html. Retrieved 28 July 2023.
- "Cloud Config". Alibaba Cloud. https://www.alibabacloud.com/product/cloud-config. Retrieved 28 July 2023.
- Kaushik, S. (27 January 2021). "Alibaba Cloud Firewall: The Next-Gen Firewall as a Service". Medium. https://alibaba-cloud.medium.com/alibaba-cloud-firewall-the-next-gen-firewall-as-a-service-836f524d8392. Retrieved 28 July 2023.
- "System and Organization Controls 3 Report Report on Alibaba Cloud’s Cloud Services System" (PDF). Alibaba Cloud. 1 November 2018. https://alicloud-common.oss-ap-southeast-1.aliyuncs.com/video/Alibaba%20Cloud_%20SOC3_Report%20_EN_Final.pdf. Retrieved 28 July 2023.
- "HIPAA/HITECH". Alibaba Cloud. https://www.alibabacloud.com/trust-center/hipaa. Retrieved 28 July 2023.
- "Terms of Services". Alibaba Cloud. 20 January 2023. https://www.alibabacloud.com/help/en/advisor/latest/terms-of-service. Retrieved 28 July 2023.
- "Disaster recovery". Alibaba Cloud. 17 May 2023. https://www.alibabacloud.com/help/en/oss/support/disaster-recovery. Retrieved 28 July 2023.
- "Managed Security Service". Alibaba Cloud. https://www.alibabacloud.com/product/mss. Retrieved 28 July 2023.