Skip to main content

Classified Protection Evaluation Guide

This document is intended for enterprise users with compliance requirements under the Classified Protection Scheme (MLPS), introducing how to use CloudBase resources to pass the classified protection evaluation.

Overview

What is Classified Protection (MLPS)?

The Classified Protection Scheme (referred to as "Classified Protection" or "MLPS") is a fundamental national policy and system in the field of cyber security in China. According to the Cybersecurity Law of the People's Republic of China, network operators shall perform security protection obligations in accordance with the requirements of the classified protection system.

The scheme classifies the security protection levels of information systems into five levels:

LevelNameApplicable Scenarios
Level 1User Autonomous ProtectionGeneral information systems
Level 2System Audit ProtectionGeneral enterprise information systems
Level 3Security Marking ProtectionSystems involving critical information or a large volume of user data
Level 4Structured ProtectionCritical national information systems
Level 5Access Verification ProtectionNational critical information infrastructure

Most enterprise applications are required to satisfy either Level 2 or Level 3 classified protection requirements.

CloudBase Compliance and Certifications

As a Tencent Cloud public cloud product, CloudBase has achieved the following security certifications:

  • Level 3 Classified Protection (MLPS Level 3): Certified under the national Level 3 classified protection scheme.
  • Trusted Cloud Certification: Certified by the China Academy of Information and Communications Technology (CAICT).
  • ISO 27001: Certified under the international information security management system standard.
  • SOC Audit Report: Audited under third-party Service Organization Control (SOC) standards.
Important Note

While the CloudBase platform itself is certified under Level 3 classified protection, this does not mean that applications built on top of CloudBase automatically meet the classified protection requirements. You still need to configure and use CloudBase security capabilities reasonably based on your own business characteristics to satisfy the classified protection evaluation.

Mapping Classified Protection Requirements to CloudBase Capabilities

Level 2 Classified Protection Requirements Mapping

The following table details the comparison between MLPS 2.0 Level 2 requirements and CloudBase security capabilities:

Security Requirement CategoryEvaluation RequirementCorresponding CloudBase CapabilityConfiguration Recommendation
Identification & AuthenticationUsers log in must be identified and authenticatedAuthentication ServiceEnable login methods such as username/password, SMS verification code, etc.
Identification & AuthenticationIdentities must be uniqueUnique user UIDAutomatically guaranteed by the system
Access ControlResource access should be controlled based on security policiesDatabase Safety Rules, Permission ManagementConfigure fine-grained data access permissions
Access ControlAdministrative users should be granted the minimum required permissionsCloud Access Management (CAM)Use the principle of least privilege to configure sub-accounts
Security AuditSecurity audit functionality should be enabledLog ServiceEnable operational log recording
Data IntegrityVerification techniques should be adopted to ensure the integrity of important dataDatabase TransactionUse transactions to guarantee data consistency
Data Backup & RecoveryData backup and recovery functions should be providedDatabase BackupConfigure automatic backup policies

Level 3 Classified Protection Requirements Mapping

Level 3 classified protection introduces stricter requirements on top of Level 2:

Security Requirement CategoryEvaluation RequirementCorresponding CloudBase CapabilityConfiguration Recommendation
Identification & AuthenticationUse combination of two or more authentication factors (e.g., password, cryptography, biometrics)Multi-Factor Authentication (MFA)Enable two-factor authentication (MFA): SMS code + password
Identification & AuthenticationLogin failure handling functionality should be providedLogin Protection MechanismConfigure login failure lockout policies
Access ControlSet security markings for critical subjects and objectsUser Roles, Permission TagsImplement Role-Based Access Control (RBAC)
Security AuditAudit records should include event types, times, users, results, etc.Detailed Log RecordingConfigure complete audit logs
Security AuditAudit records should be protectedCloud Log Service (CLS)Deliver logs to an independent, secure log service
Intrusion PreventionBe capable of discovering potential known vulnerabilitiesDDoS Protection, Anti-CrawlerEnable gateway security protection
Data ConfidentialityUse cryptographic technologies to ensure confidentiality of important data during transmissionHTTPS/TLS EncryptionEnforce HTTPS access
Data ConfidentialityUse cryptographic technologies to ensure confidentiality of important data in storageEncrypted StorageEncrypt sensitive data before storing it
Data Backup & RecoveryOff-site data backup functionality should be providedCross-Region BackupConfigure cross-region backup policies

In-Depth Analysis of CloudBase Security Capabilities

1. Authentication

CloudBase provides comprehensive authentication services, supporting multiple login methods:

Login MethodSecurity LevelApplicable ScenariosMLPS Support
Username/PasswordBasicGeneral scenariosLevel 2 / Level 3
SMS Verification CodeHighScenarios requiring mobile phone verificationLevel 2 / Level 3
Email Verification CodeHighEnterprise applicationsLevel 2 / Level 3
WeChat LoginHighMini Program, Official AccountLevel 2 / Level 3
Custom LoginFlexibleIntegration with enterprise's existing account systemsLevel 2 / Level 3

Multi-Factor Authentication (MFA) Configuration Example:

import cloudbase from '@cloudbase/js-sdk';

const app = cloudbase.init({
env: 'your-env-id'
});
const auth = app.auth();

// Step 1: Username & Password Login
await auth.signIn({
username: 'user@example.com',
password: 'your-password'
});

// Step 2: Send SMS Verification Code (Two-Factor Verification)
await auth.sendVerification({
type: 'phone',
phone: '+8613800138000'
});

// Step 3: Verify SMS Verification Code
await auth.verifyCode({
type: 'phone',
phone: '+8613800138000',
code: '123456'
});

For more authentication configurations, please refer to the Authentication Documentation.

2. Access Control

Database Safety Rules

CloudBase supports JSON-based safety rule configuration to implement fine-grained data access control:

{
"read": "auth.uid == doc.userId",
"write": "auth.uid == doc.userId",
"create": "auth.uid != null",
"update": "auth.uid == doc.userId",
"delete": "auth.uid == doc.userId && doc.status == 'draft'"
}

Safety Rule Capabilities:

CapabilityDescriptionMLPS Requirement
Identity Authenticationauth.uid identifies the current userAccess Control
Data ValidationValidates the legitimacy of request dataData Integrity
Field-Level ControlControls fields that are readable or writableLeast Privilege
Conditional JudgmentState-based access control of dataSecurity Marking

For more safety rule configurations, please refer to the Safety Rules Documentation.

Cloud Access Management (CAM)

Use Tencent Cloud CAM to implement fine-grained administrator control:

  • Root Account: Has full control over all resources.
  • Sub-Account: Allocated permissions for specific resources as needed.
  • Role: Defines a set of permission policies that can be assumed by multiple accounts.

Least Privilege Configuration Recommendations:

RoleRecommended PermissionsDescription
DeveloperCloud Function Read/Write, Database ReadDaily development and debugging
OperationsLog View, Monitoring & AlarmSystem operations
AuditorLog Read-OnlySecurity audit
AdminFull PermissionsRestricted to essential personnel only

3. Data Security

Encryption in Transit

All external services of CloudBase enforce encrypted transmission via HTTPS/TLS:

  • API Interface: Enforces HTTPS globally.
  • Static Hosting: Supports HTTPS access.
  • Cloud Function Invocation: Automatic HTTPS encryption.
  • Database Connection: Internal network encryption.

Storage Security

Security MeasureDescriptionConfiguration Method
Encrypted StorageUnderling storage encryptionSupported by default by the platform
Sensitive Data MaskingApplication-layer encryptionImplemented via business code
File Access ControlCloud Storage access controlConfigure storage safety rules

Sensitive Data Encryption Storage Example:

const crypto = require('crypto');

// Encryption function
function encrypt(text, key) {
const cipher = crypto.createCipher('aes-256-cbc', key);
let encrypted = cipher.update(text, 'utf8', 'hex');
encrypted += cipher.final('hex');
return encrypted;
}

// Store encrypted sensitive data
const db = app.database();
await db.collection('users').add({
username: 'user@example.com',
idCard: encrypt('110101199001011234', process.env.ENCRYPT_KEY), // Encrypted ID card
phone: encrypt('13800138000', process.env.ENCRYPT_KEY) // Encrypted phone number
});

4. Log Auditing

CloudBase provides complete log recording capabilities:

Log TypeContentUse Case
Access LogHTTP request recordsAccess audit
Cloud Function LogFunction execution recordsBusiness audit
Database LogData operation recordsData audit
Error LogException error recordsTroubleshooting

Log Delivery Configuration:

It is recommended to deliver logs to Tencent Cloud Log Service (CLS) to achieve:

  • Long-term log preservation (satisfying the MLPS requirement for audit log preservation).
  • Log search and analysis.
  • Alarm and notifications.
  • Log exporting and backup.

For more log configurations, please refer to the Log Service Documentation.

5. Network Security

CloudBase features built-in multi-layered network security:

Protection CapabilityDescriptionMLPS Requirement
DDoS ProtectionTencent Cloud basic DDoS protectionIntrusion Prevention
Anti-CrawlerGateway anti-crawler policiesIntrusion Prevention
Rate LimitingAPI call rate limitIntrusion Prevention
IP Black/White ListAccess source controlAccess Control

6. Data Backup and Recovery

CloudBase supports various data backup methods:

Backup MethodCycleRetention PeriodApplicable MLPS Level
Automatic BackupDaily7 daysLevel 2
Manual BackupOn-demandCustomLevel 2 / Level 3
Cross-Region BackupOn-demandCustomLevel 3

For more backup configurations, please refer to the Database Backup Documentation.


Best Practices for MLPS Compliance

Level 2 Compliance Checklist

Configuring according to the following checklist can meet the basic Level 2 requirements:

  • Identification & Authentication

    • Enable at least one login method.
    • Configure password complexity requirements.
    • Enable login failure restriction.
  • Access Control

    • Configure database safety rules.
    • Use CAM to manage administrator permissions.
    • Enforce the principle of least privilege.
  • Security Audit

    • Enable access log recording.
    • Configure log preservation policies.
  • Data Security

    • Force the use of HTTPS.
    • Configure automatic database backup.

Level 3 Compliance Checklist

Add the following configurations on top of Level 2:

  • Enhanced Identification & Authentication

    • Enable Multi-Factor Authentication (password + SMS verification code).
    • Configure session timeout policies.
    • Enable anomalous login detection.
  • Enhanced Access Control

    • Implement Role-Based Access Control (RBAC).
    • Configure approvals for sensitive operations.
    • Enable two-step operational confirmations.
  • Enhanced Security Audit

    • Deliver logs to an independent CLS.
    • Configure audit log retention for at least 180 days.
    • Set security alarm rules.
  • Enhanced Data Security

    • Encrypt sensitive data in storage.
    • Configure cross-region data backups.
    • Conduct regular data recovery drills.
  • Enhanced Network Security

    • Configure IP white lists (for management APIs).
    • Enable API rate limiting.
    • Configure Web Application Firewall (WAF).

Guidelines for Different Business Deployment Scenarios

Compliance strategies vary depending on your deployment. Below are detailed guidelines for two typical scenarios.

Scenario 1: All Services Deployed on CloudBase

If all your businesses run on CloudBase (including Cloud Functions, CloudBase Run, Database, Storage, etc.), MLPS compliance is relatively simple.

Architecture Example

┌─────────────────────────────────────────────────────────────┐
│ User / Client │
└─────────────────────────────────────────────────────────────┘


┌─────────────────────────────────────────────────────────────┐
│ CloudBase Environment │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Static │ │ CloudBase │ │ Cloud │ │
│ │ Hosting │ │ Run │ │ Functions │ │
│ │ (Front) │ │ (Back APIs) │ │ (Biz Logic) │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
│ │ │ │ │
│ └────────────────┼────────────────┘ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ Database / Cloud Storage │ │
│ └─────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘

MLPS Compliance Advantages

AdvantageDescription
✅ Infrastructure Security Managed by PlatformNo need to worry about underlying security like OS, network devices, etc.
✅ No Extra Security Products RequiredNo need for bastion hosts, host security agents, firewalls, etc.
✅ Unified Security Management PortalAll security configurations are completed in the CloudBase Console.
✅ Simplified Categorization & FilingClear boundaries, simple asset inventory.

Checklist (Pure CloudBase Architecture)

Security Physical Environment — Handled by Tencent Cloud data centers; users do not need to concern themselves.

Security Communication Network

  • Confirm all external services use HTTPS.
  • Configure domains and routes for HTTP Access Services.
  • Enable service authentication (configure public/internal/end-user authentication as needed).

Security Area Boundary

  • Configure IP black/white lists (if needed).
  • Enable API rate limiting.
  • Configure inter-service access controls (internal links).

Security Computing Environment

  • Configure database safety rules.
  • Configure storage safety rules.
  • Enable Authentication Service.
  • Configure Multi-Factor Authentication (for Level 3).

Security Management Center

  • Deliver logs to CLS (retained for 180+ days).
  • Set monitoring alarm rules.
  • Configure CAM permissions (principle of least privilege).

Data Security

  • Configure automatic database backup.
  • Configure cross-region backup (for Level 3).
  • Encrypt sensitive data in storage.

How to Address Evaluators

Address the evaluation team with:

"Our business system is completely deployed on the Tencent Cloud Base platform. CloudBase is a Serverless PaaS platform certified under Level 3 classified protection. We do not directly manage any physical servers or virtual machines; infrastructure security is handled by Tencent Cloud. We are primarily responsible for application-layer security configurations, including authentication, access controls, database safety rules, etc."


Scenario 2: Hybrid Architecture (CloudBase + Other Cloud Resources)

If your business uses CloudBase in combination with other cloud resources (such as CVM, MySQL, Redis, etc.), you need to satisfy the MLPS requirements for all different resource types.

Common Hybrid Architecture

┌─────────────────────────────────────────────────────────────┐
│ User / Client │
└─────────────────────────────────────────────────────────────┘

┌───────────────────┼───────────────────┐
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ CloudBase │ │ Cloud Servers │ │ Cloud Database │
│ ┌───────────┐ │ │ (CVM) │ │ (MySQL) │
│ │ Run / │ │ │ │ │ │
│ │ Functions │ │ │ Traditional Back│ │ Core Biz Data │
│ │ Static │ │ │ Services │ │ │
│ └───────────┘ │ └─────────────────┘ └─────────────────┘
│ │ │ │ │
│ ▼ │ │ │
│ ┌───────────┐ │ │ │
│ │ Document │◄─┼───────────┴───────────────────┘
│ │ Database │ │
│ └───────────┘ │
└─────────────────┘

Shared Responsibility Model

In a hybrid architecture, different resources carry distinct security responsibilities:

Resource TypeInfrastructure SecurityHost SecurityApplication SecurityRequired Security Products
CloudBase Run / FunctionsTencent CloudManaged by PlatformUserNo extra purchase required
Cloud Servers (CVM)Tencent CloudUserUserBastion host, Host security
Cloud Database (MySQL)Tencent CloudTencent CloudUserDatabase audit (as needed)
Cloud Storage (COS)Tencent CloudN/AUserNo extra purchase required

Checklist (Hybrid Architecture)

CloudBase Part — Configure according to Scenario 1's checklist.

Cloud Server (CVM) Part

  • Purchase and configure a bastion host.
  • Install host security agents (e.g., Cloud Workload Protection).
  • Configure security group rules.
  • Conduct regular vulnerability scanning and remediations.
  • Configure OS security baselines.
  • Enable login auditing.

Cloud Database Part

  • Configure database access white lists.
  • Enable SSL-encrypted connections.
  • Configure automatic backup policies.
  • Enable database audit as needed.
  • Configure account permissions (least privilege).

Interconnection Security

  • Configure VPC network isolation.
  • Use private networks (VPC) for connections between CloudBase, CVM, and databases.
  • Configure a unified API gateway (if needed).

Key Considerations

Common Misconceptions in Hybrid Architectures
  1. Misconception: Using CloudBase means a bastion host is not needed.

    • Correct: Only pure CloudBase architectures do not need it. If CVM is involved, a bastion host is still required for CVMs.
  2. Misconception: CloudBase's Level 3 certification can cover the entire system.

    • Correct: CloudBase's certification only covers the CloudBase portion; other resources must independently meet their respective requirements.
  3. Misconception: Data is secure as long as it resides in the same VPC.

    • Correct: Fine-grained access control rules must still be configured.

For a hybrid architecture, it is recommended to configure the following security products:

Security NeedRecommended ProductApplicabilityMandatory (Level 3 MLPS)?
O&M AuditBastion HostCVM / Lighthouse✅ Mandatory
Host SecurityCloud Workload ProtectionCVM / Lighthouse✅ Mandatory
Vulnerability ScanVulnerability Scan ServiceCVM / Lighthouse✅ Mandatory
Database AuditDatabase AuditCloud DatabaseAs needed (recommended)
Web ProtectionWAFExternal Web ServicesAs needed (recommended)
DDoS ProtectionAnti-DDoSExternal ServicesPoint of entry
Log AuditLog Service (CLS)All Resources✅ Mandatory

How to Address Evaluators

Address the evaluation team with:

"Our system adopts a hybrid architecture. Some services run on CloudBase (Serverless PaaS), while other parts run on cloud servers. For the CloudBase part, infrastructure security is handled by the platform, and we primarily configure application-layer security. For the cloud server part, we have configured a bastion host for O&M audit and host security agents for host protection, and conduct regular vulnerability scans. The two parts communicate via a private network with corresponding access control policies."


Scenario Comparison & Recommendations

Decision FactorPure CloudBase ArchitectureHybrid Architecture
Compliance Complexity⭐ Low⭐⭐⭐ High
Required Security ProductsBasically noneBastion host, Host security, etc.
O&M Complexity⭐ Low⭐⭐⭐ High
Assessment Prep Workload⭐ Small⭐⭐⭐ Large
Ideal ScenariosNew projects, small/medium systemsLegacy migration, highly complex setups

Recommendations:

  • For new projects, prioritize a pure CloudBase architecture to significantly lower MLPS compliance costs and complexity.
  • For legacy migration, migrate workloads to CloudBase progressively to reduce the number of CVMs that you need to maintain manually.
  • If specific requirements dictate the use of CVMs (e.g., custom software, GPU computing), plan according to the hybrid architecture.

Preparation Recommendations for Classified Protection Evaluation

Pre-Assessment Preparation

  1. Inventory System Assets

    • List all used CloudBase services.
    • Identify where sensitive data is stored.
    • Draw system architecture and data flow diagrams.
  2. Complete Security Configurations

    • Complete configurations according to the checklist.
    • Retain configuration screenshots as evidence.
  3. Prepare Documentations

    • Security management policy documents.
    • Incident response plans.
    • Data backup and recovery strategies.

Coordination Points During Assessment

StageCoordination PointCloudBase Support
Technical AssessmentShow security configurationsConsole screenshots, config exports
Log AuditProvide audit logsCLS exports
Vulnerability ScanCooperate with scanningProvide test environments
Penetration TestingCooperate with security testsProvide test accounts


FAQ

Do I still need a bastion host after using CloudBase Run?

In most cases, no. CloudBase Run adopts a Serverless container architecture, which is fundamentally different from traditional CVMs:

FeatureTraditional CVMCloudBase Run
Server ManagementSelf-managed by userManaged by platform
SSH LoginRequiredNo SSH login required
O&M ApproachBastion host / jump hostWebShell + Log Service
MLPS RequirementO&M audit requiredBuilt-in audit capability

Why a bastion host is not needed:

  1. Serverless Architecture: CloudBase Run is a Serverless container service. Users do not need to manage underlying servers, eliminating traditional SSH login scenarios.
  2. WebShell Alternative: CloudBase Run provides a WebShell feature to enter containers directly from the console for debugging. All operations are traceable.
  3. Log Auditing: All operational and access logs are recorded automatically, satisfying audit requirements.
  4. Access Isolation: Manage who can access WebShell via CAM to realize O&M control.

Key points for MLPS evaluation:

During the assessment, if the evaluator asks about O&M auditing, you can state:

  • CloudBase Run is Serverless and does not provide traditional SSH access.
  • O&M operations are conducted via Console WebShell, which maintains complete audit logs.
  • Access permissions are managed centrally by Tencent Cloud CAM, supporting fine-grained controls.
Special Case

If your system uses CVMs/Lighthouses alongside CloudBase Run, those traditional servers still require bastion hosts for O&M auditing. Bastion host requirements apply only to traditional servers requiring SSH logins.

Do I still need host security products when using CloudBase?

No. Host security products (such as Cloud Workload Protection) are primarily used to protect the OS layer of traditional servers (CVMs). CloudBase's Serverless architecture is fundamentally different:

Security FocusTraditional ServersCloudBase
OS SecurityUser's responsibilityManaged by platform
System PatchingSelf-managedAutomatic platform updates
Intrusion DetectionHost security agent requiredBuilt-in platform protection
Antivirus ProtectionAntivirus software requiredContainer isolation

CloudBase Safety Mechanisms:

  1. Container Isolation: Each service runs in an isolated container.
  2. Secure Base Images: Platform-provided base images are security-hardened.
  3. Automatic Updates: Underlying runtime is maintained by the platform, automatically patching vulnerabilities.
  4. Network Isolation: Inter-service network isolation by default.

Do I still need to configure firewalls/security groups for CloudBase?

In most cases, no. CloudBase's network security model is different from traditional IaaS:

FeatureTraditional CVMCloudBase
Inbound Traffic ControlSecurity group rulesHTTP Access + Authentication
Outbound Traffic ControlSecurity group rulesAllowed to public by default
Inter-Service CommunicationVPC + Security GroupsInternal Links (auto-configured)
Port ManagementManual port exposureUnified HTTP/HTTPS ports

CloudBase Network Security Capabilities:

  • HTTP Access Service: Unified entrance supporting custom domains and path routing.
  • Service Authentication: Public, internal-only, and end-user authentication modes.
  • IP Black/White List: Limit access sources at the gateway.
  • Rate Limiting: Built-in API rate limiting to prevent malicious requests.

How does CloudBase satisfy "vulnerability scanning" requirements?

MLPS requires regular vulnerability scanning. CloudBase handles this at different layers:

Platform Layer (Responsibility of Tencent Cloud):

  • Underlying infrastructure vulnerability scanning.
  • Container runtime security updates.
  • Platform component hardening.

Application Layer (Your Responsibility):

  • Code security auditing.
  • Dependency package vulnerability checks.
  • API security testing.

Recommended Compliance Operations:

  1. Code Level: Use code analysis tools (such as SonarQube) to check code.
  2. Dependency Level: Regularly update dependencies and use tools like npm audit.
  3. API Level: Perform API security testing focusing on authentication and input validation.
  4. Configuration Level: Review database safety rules and storage access configurations.
MLPS Evaluation Note

Explain to the evaluator that CloudBase is a Serverless PaaS platform where underlying infrastructure security is managed by Tencent Cloud. Users focus on application-layer security and can provide code audit, dependency scan, and API test reports as supporting evidence.

How do I implement "network partitioning" in CloudBase?

Traditional MLPS requires physical or logical partitioning of network areas (such as DMZ, core zone, etc.). CloudBase achieves this via logical isolation:

Isolation DimensionImplementationDescription
EnvironmentMulti-environmentDevelopment, testing, and production environments are completely isolated.
ServiceContainer IsolationEach service runs in an independent container, isolated by default.
DataDatabase PermissionsControl data access via JSON safety rules.
AccessService AuthenticationSupport public, internal, and authenticated access modes.

Recommended Environment Planning:

┌─────────────────────────────────────────────────────┐
│ CloudBase Environments │
├─────────────────────────────────────────────────────┤
│ Production Environment (env-prod) │
│ ├── Front-End Services (Public Access) │
│ ├── API Services (End-User Auth) │
│ ├── Internal Services (Internal Only) │
│ └── Databases (Safety Rule Controls) │
├─────────────────────────────────────────────────────┤
│ Testing Environment (env-test) ← Completely Isolated│
├─────────────────────────────────────────────────────┤
│ Development Environment (env-dev) ← Completely Isolated│
└─────────────────────────────────────────────────────┘

How long are Cloud Functions/CloudBase Run logs kept? Can they meet MLPS requirements?

MLPS requires audit logs to be retained for at least 180 days (Level 3). CloudBase default retention:

Log TypeDefault RetentionExtension Plan
Cloud Function Logs7 daysDeliver to CLS
CloudBase Run Logs7 daysDeliver to CLS
Database Op Logs7 daysDeliver to CLS
Access Logs7 daysDeliver to CLS

Configuration to Satisfy MLPS Requirements:

  1. Enable Log Delivery: Deliver logs to Tencent Cloud Log Service (CLS)
  2. Configure Retention: Set log retention to 180+ days in CLS
  3. Log Backup: Export CLS logs to COS for long-term secure archiving

Does CloudBase support MFA? How do I satisfy Level 3 MLPS MFA requirements?

Yes. CloudBase supports combining multiple authentication factors to satisfy Level 3 requirements:

Authentication FactorTypeCloudBase Support
PasswordKnowledge Factor✅ Username & password login
SMS Verification CodePossession Factor✅ SMS code login/verification
Email Verification CodePossession Factor✅ Email code login/verification
WeChat AuthorizationPossession Factor✅ WeChat scan / Mini Program auth
Custom AuthenticationExtensible✅ Integration with enterprise systems

MFA Implementation Scenarios:

  • Scenario A: Password + SMS Verification Code
  • Scenario B: Password + Email Verification Code
  • Scenario C: WeChat Auth + SMS Verification Code (Two-factor verification for sensitive operations)

CloudBase is Level 3 Certified, is my app automatically compliant?

No. CloudBase's certification means the platform's security capabilities have reached Level 3. Your application's compliance depends on how you configure and use these features. You must configure authentication, access rules, log audits, and data backups reasonably according to your needs.

How do I choose between Level 2 and Level 3 Classified Protection?

  • Level 2: Suitable for general enterprise applications not involving large quantities of sensitive personal data.
  • Level 3: Mandatory for systems involving massive user data, financial transactions, health/medical records, and other highly sensitive information.

It is recommended to consult a professional MLPS evaluation agency based on your business nature and regulator requirements.

How do I obtain CloudBase's MLPS certification materials?

Obtain them through the following steps:

  1. Log in to the Tencent Cloud Console.
  2. Access the "Compliance Qualification" page.
  3. Download the relevant certificates and reports.