How to Secure Cloud Operations: Practical Strategies for Public Cloud Environments
This article reviews a decade of cloud security experience and outlines the key challenges of operations security in public cloud environments, offering concrete solutions such as VPC isolation, encrypted VPNs, RAM policies, Linux key‑based login, Windows RDP port changes, privileged‑account management, and ActionTrail auditing.
After a ten‑year career in cloud security, the author emphasizes that operations security is the cornerstone of enterprise protection, distinct from merely "secure operations".
In public cloud settings, users fall into two groups: those who launch services directly on the cloud, typically new internet companies, and those migrating existing on‑premises IT environments to the cloud. Migration shifts operations from private networks to the public internet, introducing new security concerns.
While public cloud infrastructure generally surpasses private IDC in power, networking, hardware reliability, and professional security teams, it also brings fresh risks:
Operations traffic can be hijacked because management interfaces are accessed over the internet.
Exposure of management interfaces (SSH, RDP, etc.) increases the attack surface.
Shared super‑admin accounts lead to credential leakage and privilege abuse.
Lack of comprehensive operation logs makes incident investigation difficult.
To mitigate these risks, the following measures are recommended:
1. Use VPC Network Segmentation
Create an isolated virtual private cloud, define three subnets (internet-facing, intranet, and security management), and enforce security-group rules so that only the security-management subnet can reach the SSH/RDP ports of the instances.
2. Build Encrypted Operations Channels
Deploy VPN devices (L2TP/IPsec) from Alibaba Cloud Marketplace, using site-to-site VPN for fixed offices or dial-up (remote-access) VPN for mobile staff. Enable two-factor authentication and digital certificates for added security.
3. Apply RAM (Resource Access Management) Best Practices
Separate the root account from daily operation accounts, enable MFA for both, organize users into groups with least‑privilege policies, enforce strong password rules, rotate credentials regularly, and avoid creating access keys for the root account.
4. Enforce Linux Key‑Based Login
Generate an RSA key pair with ssh-keygen -t rsa, copy the public key to ~/.ssh/authorized_keys on the server, and edit sshd_config to enable PubkeyAuthentication yes and disable password authentication.
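The sshd_config part of this step, as an added example that is not from the original article: a POSIX shell helper that idempotently sets the key-only login directives (replacing the first existing or commented-out occurrence, dropping later duplicates, appending when absent) and a check function to confirm the result. The function names, the inclusion of ChallengeResponseAuthentication and PermitRootLogin, and the file path are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. sshd uses the first value it
# finds for each keyword, so a stray earlier "PasswordAuthentication yes"
# would silently win; this helper rewrites the first match and removes the rest.
set -e

# set_directive FILE KEY VALUE: make exactly one "KEY VALUE" line exist in FILE.
set_directive() {
    file=$1 key=$2 value=$3
    tmp=$(mktemp)
    if grep -Eq "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|$)" "$file"; then
        # First matching line (active or commented) becomes the desired value;
        # any later duplicates are dropped so they cannot override it.
        awk -v k="$key" -v v="$value" '
            $0 ~ ("^[[:space:]]*#?[[:space:]]*" k "([[:space:]]|$)") {
                if (!done) { print k " " v; done = 1 }
                next
            }
            { print }
        ' "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s %s\n' "$key" "$value" >> "$tmp"
    fi
    cat "$tmp" > "$file"
    rm -f "$tmp"
}

# harden_sshd_config FILE: apply the step-4 settings (assumed directive set).
harden_sshd_config() {
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" PasswordAuthentication no
    # PAM keyboard-interactive can still prompt for a password; close that path too.
    set_directive "$1" ChallengeResponseAuthentication no
    set_directive "$1" PermitRootLogin prohibit-password
}

# check_sshd_config FILE: succeed only if every required directive is set as expected.
check_sshd_config() {
    for pair in "PubkeyAuthentication yes" "PasswordAuthentication no" \
                "ChallengeResponseAuthentication no"; do
        grep -Eqx "[[:space:]]*$pair[[:space:]]*" "$1" || return 1
    done
    return 0
}

# Typical use (assumed path): harden_sshd_config /etc/ssh/sshd_config
```

Validate the edited file with `sshd -t -f FILE` and keep an existing session open while restarting sshd, so a mistake does not lock you out.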
5. Change Default Windows RDP Port (3389)
Modify the registry value PortNumber under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp (or the equivalent path for newer Windows versions) to a non-standard port, then adjust firewall rules accordingly.
6. Install Cloud Shield (Anqi) Client
Deploy the security client to block password‑cracking attempts and detect anomalous logins.
7. Centralize Privileged Account Management
Use a bastion host or privileged‑access management solution from Alibaba Cloud Marketplace to unify account control, record all operations, and provide audit trails.
8. Enable ActionTrail Auditing
Turn on ActionTrail to capture all resource‑level actions, store logs in OSS, and facilitate security analysis, change tracking, and compliance audits.
These recommendations form a basic framework for securing cloud operations; deeper solutions can be obtained from Alibaba Cloud’s security solution team.
Efficient Ops
This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.