FAQ - support.huaweicloud.com · Security Expert Service FAQ Issue 15 Date 2020-02-21 HUAWEI TECHNOLOGIES CO., LTD

Security Expert Service

FAQ

Issue 17

Date 2020-05-20

HUAWEI TECHNOLOGIES CO., LTD.

Copyright © Huawei Technologies Co., Ltd. 2020. All rights reserved.

No part of this document may be reproduced or transmitted in any form or by any means without priorwritten consent of Huawei Technologies Co., Ltd. Trademarks and Permissions

and other Huawei trademarks are trademarks of Huawei Technologies Co., Ltd.All other trademarks and trade names mentioned in this document are the property of their respectiveholders. NoticeThe purchased products, services and features are stipulated by the contract made between Huawei andthe customer. All or part of the products, services and features described in this document may not bewithin the purchase scope or the usage scope. Unless otherwise specified in the contract, all statements,information, and recommendations in this document are provided "AS IS" without warranties, guaranteesor representations of any kind, either express or implied.

The information in this document is subject to change without notice. Every effort has been made in thepreparation of this document to ensure accuracy of the contents, but all statements, information, andrecommendations in this document do not constitute a warranty of any kind, express or implied.

Issue 17 (2020-05-20) Copyright © Huawei Technologies Co., Ltd. i

Contents

1 Product Consulting..................................................................................................................11.1 Is SES Available Outside China?......................................................................................................................................... 11.2 What Institute Carry Out SES Standard Edition?......................................................................................................... 11.3 What Organization Carries Out Compliance Edition?................................................................................................ 11.4 Why Should I Use SES?......................................................................................................................................................... 11.5 Which Regions Is SES Available In?.................................................................................................................................. 11.6 Can I Use SES for Sites off HUAWEI CLOUD?............................................................................................................... 21.7 What Is the Difference Between SES and Conventional Vulnerability Scanning Services?........................... 21.8 Which Services Does SES Provide?.................................................................................................................................... 21.9 What Is the Service Scope of SES?.................................................................................................................................... 21.10 What Communication Channels Are Available for SES?......................................................................................... 71.11 How Long Is My SES Order Valid?.................................................................................................................................. 71.12 What Are Examined in My SES Order?..........................................................................................................................81.13 What Are Examined in the Assessment Report?........................................................................................................81.14 What Is the Final Deliverable of SES?............................................................................................................................81.15 What Are the Possible Statuses of an SES Order?.................................................................................................... 91.16 Can I Download an SES Report?......................................................................................................................................91.17 Can I Get Printed Check Reports from SES?................................................................................................................ 91.18 How Can a Compliance Assessment Report Be Obtained?....................................................................................91.19 Is SES a Third-party Service?.......................................................................................................................................... 101.20 Does SES Provide On-site Services?............................................................................................................................. 101.21 What Security Services Are Required for Compliance?......................................................................................... 101.22 Does SES Support Cross-Platform and Offline Services?...................................................................................... 111.23 What Are Regions and AZs?........................................................................................................................................... 11

2 Management.......................................................................................................................... 132.1 How Do I Use SES?...............................................................................................................................................................132.2 How Do I Get My Site Authenticated?.......................................................................................................................... 14

3 Charges.................................................................................................................................... 173.1 Can I Get a Refund from SES?..........................................................................................................................................17

A Change History...................................................................................................................... 18

Security Expert ServiceFAQ Contents

Issue 17 (2020-05-20) Copyright © Huawei Technologies Co., Ltd. ii

1 Product Consulting

1.1 Is SES Available Outside China?No. SES is not available to users outside China.

Currently, SES is available only in China.

1.2 What Institute Carry Out SES Standard Edition?A professional third-party institute specialized in information security assessmentis responsible for carrying out SES Standard Edition. Both credentials and expertiseare important criteria in the selection of such an institute.

After the assessment is complete, a professional health check report will beprovided. You can make improvements based on the report.

1.3 What Organization Carries Out ComplianceEdition?

A professional organization that carries out compliance edition is the authoritativeorganization with the qualification of compliance edition assessment. HUAWEICLOUD compliance team provides considerate services throughout the entireprocess.

1.4 Why Should I Use SES?SES helps you identify, prevent, and handle security threats to hosts, websites, andsystems, and ensure compliance with governmental security requirements.

1.5 Which Regions Is SES Available In?SES is an offline service. Therefore, you can purchase SES in any of the followingregions on HUAWEI CLOUD:

Security Expert ServiceFAQ 1 Product Consulting

Issue 17 (2020-05-20) Copyright © Huawei Technologies Co., Ltd. 1

Regions supported by SES:

● CN North-Beijing1

● CN North-Beijing4

● CN East-Shanghai2

● CN East-Shanghai1

1.6 Can I Use SES for Sites off HUAWEI CLOUD?Yes.

● Standard Edition and Compliance Edition provide services for sites offHUAWEI CLOUD.

● Enterprise Edition provides services only for sites on HUAWEI CLOUD.

1.7 What Is the Difference Between SES andConventional Vulnerability Scanning Services?

The biggest difference lies in the manual service by security experts. In SES,Huawei experts examine the ownership of your site and site assessment reports,and a professional third-party institute assesses your site. Thanks to its detectiondepth and broadness, SES detects more risks that common scanners cannot.

1.8 Which Services Does SES Provide?SES provides three editions:

● Standard

– Website security assessment

– Host security assessment

– Security hardening

– Security monitoring

– Emergency response

● Enterprise

● Compliance

1.9 What Is the Service Scope of SES?Security Expert Service (SES) is a comprehensive security service jointly providedby Huawei and information security authorities. It helps you identify, prevent, andhandle security threats to hosts, websites, and systems, and ensure compliancewith governmental security requirements.

SES provides three editions: Standard, Enterprise, and Compliance.



SES is valid for one year from the day of purchase. You need to buy SES again if you wantto use SES beyond the validity period.

Standard EditionStandard Edition provides five service categories: website security assessment, hostsecurity assessment, security hardening, security monitoring, and emergencyresponse. Table 1-1 lists the function of each service category. Table 1-2 lists theservice categories recommended in typical application scenarios.

Table 1-1 Standard edition description

ServiceCategory

Description Remarks

Websitesecurityassessment

Detects potential vulnerabilities, suchas SQL injections, XSS, file upload,download, and inclusion, sensitiveinformation leakage, and weakpasswords.

Provides website securityassessment reports.

Hostsecurityassessment

● Identifies security threats to hostsbased on vulnerability scan resultsand log analysis.

● Discovers risks such as incorrectconfigurations, non-compliantitems, and weak passwords usingbaseline inspection.

Provides host securityassessment reports.

Securityhardening

● Performs vulnerability scans onservers and middleware, andhardens baseline configurations.

● Analyzes security threats exposed toOSs and applications, and versionsof OS patches and applicationsystem components.

● Provides recommended fixes, fixesvulnerabilities, and installs patchesto harden components with yourpermission.

Provides security hardeningreports.



ServiceCategory

Description Remarks

Securitymonitoring

● Provides 24x7 security monitoringservices and sends alarms to usersby SMS or email once an event istriggered.

● Checks packets transmitted overHTTP/HTTPS.

● Monitors websites from six angles:webshells, tampering, broken links,open services, availability, andvulnerability.

● Supports web vulnerability scanningand real-time monitoring of domainname hijacking.

● Periodically pushes website securityassessment reports.

● Provides real-timewarning for securityissues.

● Provides quarterly reportsand an annual report andreports alarms valid inone year once a risk isdetected.

Emergencyresponse

● Remotely detects and handlesmalicious programs such as viruses,Trojan horses, and worms.

● Remotely detects and handlessuspicious files in web systems, suchas webshells, hijacking tools, andhidden links.

● Provides recommendations for quickresumption of services.

Provides emergency responsereports.

Table 1-2 Recommended service categories

Application Scenario Recommended Service Category

New services go online and arevulnerable to attacks from theInternet, such as ransomware,Trojan horse, and CC attack.

Website Security Assessment andSecurity Hardening● Performs a comprehensive health

assessment on your sites.● Hardens the hosts.

● Hackers implant malicious codesto launch webshell attacks.

● Your website cannot be accessedand you cannot locate the cause.

Security Monitoring and SecurityHardening● Performs security monitoring

24x7/365.● Hardens the website.



Application Scenario Recommended Service Category

● In response to security incidents,the major method is to reinstallthe system.

● Attackers still repeatedly intrudeafter the system is reinstalled.

● The existing vulnerabilities ofservers cannot be detected.

Emergency Response, Host SecurityAssessment, and Security Hardening● Identifies the cause and rectifies the

fault as recommended to prevent anyloss.

● Performs an assessment on your hoststo check for any issue.

● Hardens the hosts.

Your server's CPU resources havebeen used up.

Host Security AssessmentPerforms an assessment on your hosts tocheck for any issue.

Enterprise EditionHuawei's security expert team provides a package of security services, includingsecurity consulting, security assessment, security hardening, security inspection,emergency response, and hosting. Table 1-3 lists the service scope and applicationscenarios.



Table 1-3 Enterprise edition description

Service Scope Application Scenario Description

● Security consulting:Provides a cloudsecurity system thatbest fits your cloudservices. Securityexperts offer onlinesupport (such aseSpace, QQ, andWeChat) on businessdays.

● Security assessment:Assesses the systemsecurity of your servers.

● Security hardening:Performs comprehensivebaseline hardening forservers and guide youto carry out webapplication hardening.

● Security inspection:Performs regularinspection on yourservers.

● Emergency response:Quickly handles hackerattacks to help youresume services.

● Hosting: Analyzes theprotection effect ofsecurity products, andoptimizes configurationsof these products basedon the analysis result.

● Enterprise services areexposed to various attacks.

● Lack of skilled securityoperations personnel

● Want to have 24x7 securitymonitoring withoutestablishing a SecurityOperations Center (SOC).

● The uncertainty of thesecurity solution leads tocost increase. Outsourcingcan significantly lower theexpenditure on securityoperations.

● The in-house security teamcannot quickly response toemerging threats along withrapid service development.

Providesprofessional SESreports.

Compliance EditionHuawei's security expert team develops corrective measures for your system, helpsselect and deploy security services that best fit your system, optimizes thenetwork, hosts, databases, and security management regulations to help youachieve MLPS certification. The qualified and authoritative evaluation agenciesprovide you with professional evaluations.

The basic version and advanced version are available. Table 1-4 describes theservice content and typical application scenarios.



Table 1-4 Compliance edition description

Version Description Application Scenario

Basic ● HUAWEI CLOUDsecurity experts provideremote support.

● Providesrecommendations onrectification.

● The system to beevaluated has amaximum of 10 servers.

● Evaluation fromaccredited evaluationagencies

This version applies togovernment agencies andfinancial institutions in thefollowing scenarios:● Accepted evaluation before.● Skilled security personnel

present● Know how to achieve MLPS

certification.● Common portal website

Advanced ● HUAWEI CLOUDsecurity experts provideon-site support.

● Assists in system ratingand registration, gapanalysis, planning anddesign, rectification,evaluation, and securityassurance.

● Evaluation fromaccredited evaluationagencies

This version applies togovernment agencies andfinancial institutions in thefollowing scenarios:● Accept evaluation for the

first time.● Lack of skilled security

personnel● Does not know how to

achieve MLPS certification.● Important information

systems● Want to improve the overall

security of an informationsystem.

1.10 What Communication Channels Are Available forSES?

SES provides the following communication channels:

Online: Submit a consultation service ticket.

Offline: Dial the 400 service hotline or send an email to [email protected] toconsult security experts.

1.11 How Long Is My SES Order Valid?An SES order is valid for one year from the day of purchase. You need to purchaseSES again if you require SES before the validity period expires.



1.12 What Are Examined in My SES Order?Review the test scope of the service order and the ownership of the applicationscope.

After you submit an SES order, a Huawei expert will contact you about your testscope and your ownership of the test scope.

1.13 What Are Examined in the Assessment Report?Check whether the assessment report meets the service delivery standards.

Huawei experts check the coverage of your test scope in the report submitted by athird-party organization. In addition, they check whether the tests performed bythe organization have met the delivery standards of SES.

1.14 What Is the Final Deliverable of SES?The final deliverable is a professional report that has been examined by Huaweisecurity experts. See Table 1-5.

Table 1-5 SES deliverables

Edition Service Category Deliverable

Standard Website securityassessment

Website securityassessment reports

Host security assessment Host security assessmentreports

Security hardening Security hardeningreports

Security monitoring ● Real-time warning forsecurity issues

● Quarterly reports andan annual report;warnings valid withinone year

Emergency response Emergency responsereports

Enterprise - Professional SES reports

Compliance - Evaluation reports, gapanalysis reports, orrectification schemes



1.15 What Are the Possible Statuses of an SES Order?The value can be one of the following:

● SubmittedAfter you purchase Standard Edition and pay for an order, the order statusbecomes Submitted.

● Processing– After you pay for your Enterprise Edition or Compliance Edition order, the

order status becomes Processing.– After you pay for your Standard Edition order and apply for delivery, and

Huawei experts approve the project, the order status becomesProcessing.

● Service cancellationAfter HUAWEI CLOUD terminates SES, the system changes the service orderstatus to Service cancellation.

● Pending acceptanceAfter the assessment report is approved by Huawei security experts, thesystem updates the status of your SES order to Pending acceptance.

● CompletedAfter the security expert service is complete, the system changes the serviceorder status to Completed.

● The service order list displays all service orders under your name. The precedingservice order status description is the SES status description.

● You can view the handling progress in the Operation Log area on the service orderdetails page. For details, see Viewing an SES Order.

1.16 Can I Download an SES Report?When the service process is completed, you will receive an SMS message. You canlog in to the management console and download and view the SES report on theMy Services page. For details, see Downloading the SES Report.

1.17 Can I Get Printed Check Reports from SES?SES provides printed reports, with a seal of the third-party institute.

If you need printed reports, send your requirement to [email protected].

1.18 How Can a Compliance Assessment Report BeObtained?

A compliance assessment report for the compliance service on HUAWEI CLOUD isissued by a third-party assessment organization. Customer privacy is involved in



https://support.huaweicloud.com/en-us/usermanual-ses/ses_01_0021.html


such a report. Therefore, after the assessment is complete, the third-partyassessment organization will send a paper report to you according to the addressfilled during the purchase.

● If compliance assessment is to be performed on the system deployed on HUAWEICLOUD, only the compliance certification of the HUAWEI CLOUD platform needs to beprovided to the assessment organization for the physical environment part.

● To download the compliance certificate of the HUAWEI CLOUD platform, go to TrustCenter > Security Compliance.

● To obtain the compliance assessment report, contact your customer manager or submita service ticket.

1.19 Is SES a Third-party Service?Yes. The third-party service providers are as follows:

● Standard Edition: Provided by an authoritative third-party institute.

● Enterprise Edition: Provided by Huawei and qualified third-party institutes.

● Compliance Edition: HUAWEI CLOUD provides consulting and assists inrectification. Accredited evaluation agencies provide evaluation.

1.20 Does SES Provide On-site Services?Some SES editions provide on-site services. For details, see Table 1-6.

Table 1-6 Technical support provided by SES

Edition Remote Support On-site Support

Standard Supported Not supported

Enterprise Supported Please call the servicehotline.

Compliance The basic version issupported.

The advanced versionrequiring no more than 5persons/day issupported.

1.21 What Security Services Are Required forCompliance?

HUAWEI CLOUD provides different recommended security configurations for usersbased on different system levels. You can also dial the 400 service hotline orsubmit a service ticket for consultation.



https://www.huaweicloud.com/en-us/securecenter/safetycompliance.html

https://www.huaweicloud.com/en-us/securecenter/safetycompliance.html

1.22 Does SES Support Cross-Platform and OfflineServices?

Yes. You can use your SES product for other platforms or offline services.

Security Expert Service (SES) is an all-round security service provided jointly byHuawei and third-party information security assessment agencies. It helps youprevent, monitor, and discover security risks of hosts, sites, and systems, andtimely repair the attacked system to reduce your loss based on given solutions andauthoritative reports. In addition, SES provides one-stop security regulationcompliance service.

1.23 What Are Regions and AZs?

Concept

A region and availability zone (AZ) identify the location of a data center. You cancreate resources in a specific region and AZ.

● Regions are divided from the dimensions of geographical location andnetwork latency. Public services, such as Elastic Cloud Server (ECS), ElasticVolume Service (EVS), Object Storage Service (OBS), Virtual Private Cloud(VPC), Elastic IP (EIP), and Image Management Service (IMS), are sharedwithin the same region. Regions are classified as universal regions anddedicated regions. A universal region provides universal cloud services forcommon tenants. A dedicated region provides services of the same type onlyor for specific tenants.

● An AZ contains one or more physical data centers. Each AZ has independentcooling, fire extinguishing, moisture-proof, and electricity facilities. Within anAZ, computing, network, storage, and other resources are logically dividedinto multiple clusters. AZs within a region are interconnected using high-speed optical fibers to allow you to build cross-AZ high-availability systems.

Figure 1-1 shows the relationship between the regions and AZs.

Figure 1-1 Region and AZ



HUAWEI CLOUD provides services in many regions around the world. You canselect a region and AZ as needed.

How to Select a Region?When selecting a region, consider the following factors:

● LocationYou are advised to select a region close to you or your target users. Thisreduces network latency and improves access rate. However, Chinesemainland regions provide basically the same infrastructure, BGP networkquality, as well as operations and configurations on resources. Therefore, ifyou or your target users are in the Chinese mainland, you do not need toconsider the network latency differences when selecting a region.– If you or your target users are in the Asia Pacific region, except the

Chinese mainland, select the AP-Hong Kong, AP-Bangkok, or AP-Singapore region.

– If you or your target users are in Africa, select the AF-Johannesburgregion.

– If you or your target users are in Europe, select the EU-Paris region.● Resource price

Resource prices may vary in different regions. For details, see Product PricingDetails.

How to Select an AZ?When determining whether to deploy resources in the same AZ, consider yourapplications' requirements on disaster recovery (DR) and network latency.

● For high DR capability, deploy resources in different AZs in the same region.● For low network latency, deploy resources in the same AZ.

Regions and EndpointsBefore using an API to call resources, specify its region and endpoint. For moredetails, see Regions and Endpoints.



https://www.huaweicloud.com/en-us/pricing.html

https://www.huaweicloud.com/en-us/pricing.html

https://developer.huaweicloud.com/en-us/endpoint

2 Management

2.1 How Do I Use SES?The service process of SES is as follows:

1. Buy SES.– Choose the service edition that best fits you.– Specify the number of sites and user information only.

2. Apply to deliver service specified in the order.You can apply for delivery and provide project information within one yearfrom the day of purchasing Standard Edition.

After you provide project information, SES will verify the ownership of your site andreview your credentials. For details, see Providing Project Information.

3. Use SES.– Standard Edition

After you provide project information and Huawei security expertsapprove the information, a third-party agency of information security willcarry out SES on your sites defined in the order.

– Enterprise EditionAfter you pay for your order, Huawei's security expert team will carry outsecurity consulting, security assessment, security hardening, securityinspection, emergency response, and hosting for enterprises.

– Compliance EditionAfter you pay for your order, Huawei's security expert team will developcorrective measures for your system according to governmental securityrequirements, guide you to select and deploy security services that bestfit your system, optimize the network, hosts, databases, and securitymanagement regulations, and select qualified and authoritativeevaluation agencies to provide professional evaluations for you.

4. Confirm acceptance.

Security Expert ServiceFAQ 2 Management



– Standard EditionThe third-party institute submits assessment reports to Huawei securityexperts who will examine the reports. The service is completed when thereports are approved.

– Enterprise EditionThe service is completed after Huawei's security expert team uploads theassessment reports.

– Compliance EditionThe service is completed after the evaluation agency uploads theevaluation reports.

2.2 How Do I Get My Site Authenticated?After you apply for delivery and provide Standard Edition order information, SESwill authenticate the ownership of your sites.

Website security assessment is used an example here. Perform the following stepsto authenticate your site:

Step 1 Log in to the management console.

Step 2 Access the page for applying for the delivery.

Figure 2-1 Accessing the page for applying for a delivery

Step 3 On the displayed Apply to Deliver page, add information about Project Nameand Site, as shown in Figure 2-2. Table 2-1 provides the parameter description.



https://console.huaweicloud.com/?locale=en-us

Figure 2-2 Apply to Deliver

Table 2-1 Parameters required

Parameter Description Example Value

Service Type Type of SES purchased Website SecurityCheck

Project Name Customizable name of a project● Enter a maximum of 32 characters.● Only the following characters are

allowed: uppercase letters, lowercaseletters, digits, underscores (_), andhyphens (-).

test

Site Site in which SES is required http(s)://www.example.com

Description Any supplementary information -

Step 4 On the right of the row where the site is located, click Authenticate toauthenticate the site ownership.

Step 5 Upload the file as prompted and then click Submit.

Huawei security experts will authenticate the site on a one-to-one basis.



Figure 2-3 Site authentication

● After you apply to deliver the service, a Huawei security expert will contact you withinone working day to determine your test scope and review your credentials. After yourcredentials pass review, your order will be sent to a third-party agency, which will assessyour site defined in the order. After the assessment is completed, the third-party agencysends an assessment report to the Huawei expert team which will examine the report.

● For details about how to view the progress of the service order, see Viewing an SESOrder.

----End





3 Charges

3.1 Can I Get a Refund from SES?Sorry, SES cannot be refunded.

To file a complaint or give advice, click Word Order in the upper right corner ofthe console to submit a work order. Alternatively, contact customer service.

Security Expert ServiceFAQ 3 Charges


A Change History

Released On Description

2020-04-01 This issue is the sixteenth official release.Updated some screenshots.

2020-02-21 This issue is the fifteenth official release.● Updated the service order status in What Are

the Possible Statuses of an SES Order?.● Optimized descriptions in How Do I Get My

Site Authenticated?.

2020-01-20 This issue is the fourteenth official release.Added the description about regions where youcan use SES in Which Regions Is SES AvailableIn?

2019-11-18 This issue is the thirteenth official release.● Modified Which Regions Is SES Available In?● Modified What Are the Statuses of a Service

Order?

2019-11-12 This issue is the twelfth official release.Modified How Can a Compliance AssessmentReport Be Obtained?

2019-10-30 This issue is the eleventh official release.Modified What Are the Statuses of a ServiceOrder?

2019-09-25 This issue is the tenth official release.Modified How Can a Compliance AssessmentReport Be Obtained?

Security Expert ServiceFAQ A Change History



2019-09-06 This issue is the ninth official release.● Modified How Can a Compliance Assessment

Report Be Obtained?● Added "What Security Services Are Required

for Compliance?"

2019-07-31 This issue is the eighth official release.Modified the following FAQs:● What Are Examined in the Assessment

Report?● What Are Examined in My SES Order?

2019-07-11 This issue is the seventh official release.Modified the following FAQs:● Is SES Available Outside China?● What Organization Carries Out Compliance

Edition?● Which Regions Is SES Available In?● Can I Use SES for Sites off HUAWEI CLOUD?● What Communication Channels Are

Available for SES?● How Long Is My SES Order Valid?

2019-06-28 This issue is the sixth official release.Added scenarios in How Can a ComplianceAssessment Report Be Obtained?

2019-05-10 This issue is the fifth official release.● Added the following FAQs:

– How Do I Obtain the ComplianceEvaluation Report?

– Is SES a Third-party Service?– Does SES Provide On-site Services?

● Modified the following FAQs:– What Organization Carries Out

Compliance Edition?– Can I Use SES for Sites off HUAWEI

CLOUD?– What Is the Final Deliverable of SES?




2018-06-06 This issue is the fourth official release.Modified the following FAQs:● Which Services Does SES Provide?● What Is the Final Deliverable of SES?● What Is the Service Scope of SES?● How Long Is My SES Order Valid?● What Are the Possible Statuses of an SES

Order?● How Do I Use SES?● How Do I Get My Site Authenticated?

2018-01-30 This issue is the third official release.Added the following FAQs:● How Long Is My SES Order Valid for in Pre-

order Mode?● Is SES Available Outside China?

2017-11-30 This issue is the second official release.Added the following FAQs:● What Institute Performs the Security

Checks?● Which Regions Is SES Available In?● What Items Do Preliminary Assessment and

Accurate Assessment Cover?● What Are the Possible Statuses of an SES

Order?● Can I Download a SES Check Report?● Can I Get Printed Check Reports from SES?● How Do I Get My Site Authenticated?● Can I Get a Refund from SES?

2017-09-26 This issue is the first official release.



Documents

FAQ - support.huaweicloud.com · Security Expert Service FAQ Issue 15 Date 2020-02-21 HUAWEI TECHNOLOGIES CO., LTD