Classified Protection Evaluation Guide
This document is intended for enterprise users with compliance requirements under the Classified Protection Scheme (MLPS), introducing how to use CloudBase resources to pass the classified protection evaluation.
Overview
What is Classified Protection (MLPS)?
The Classified Protection Scheme (referred to as "Classified Protection" or "MLPS") is a fundamental national policy and system in the field of cyber security in China. According to the Cybersecurity Law of the People's Republic of China, network operators shall perform security protection obligations in accordance with the requirements of the classified protection system.
The scheme classifies the security protection levels of information systems into five levels:
| Level | Name | Applicable Scenarios |
|---|---|---|
| Level 1 | User Autonomous Protection | General information systems |
| Level 2 | System Audit Protection | General enterprise information systems |
| Level 3 | Security Marking Protection | Systems involving critical information or a large volume of user data |
| Level 4 | Structured Protection | Critical national information systems |
| Level 5 | Access Verification Protection | National critical information infrastructure |
Most enterprise applications are required to satisfy either Level 2 or Level 3 classified protection requirements.
CloudBase Compliance and Certifications
As a Tencent Cloud public cloud product, CloudBase has achieved the following security certifications:
- Level 3 Classified Protection (MLPS Level 3): Certified under the national Level 3 classified protection scheme.
- Trusted Cloud Certification: Certified by the China Academy of Information and Communications Technology (CAICT).
- ISO 27001: Certified under the international information security management system standard.
- SOC Audit Report: Audited under third-party Service Organization Control (SOC) standards.
While the CloudBase platform itself is certified under Level 3 classified protection, this does not mean that applications built on top of CloudBase automatically meet the classified protection requirements. You still need to configure and use CloudBase security capabilities reasonably based on your own business characteristics to satisfy the classified protection evaluation.
Mapping Classified Protection Requirements to CloudBase Capabilities
Level 2 Classified Protection Requirements Mapping
The following table details the comparison between MLPS 2.0 Level 2 requirements and CloudBase security capabilities:
| Security Requirement Category | Evaluation Requirement | Corresponding CloudBase Capability | Configuration Recommendation |
|---|---|---|---|
| Identification & Authentication | Users log in must be identified and authenticated | Authentication Service | Enable login methods such as username/password, SMS verification code, etc. |
| Identification & Authentication | Identities must be unique | Unique user UID | Automatically guaranteed by the system |
| Access Control | Resource access should be controlled based on security policies | Database Safety Rules, Permission Management | Configure fine-grained data access permissions |
| Access Control | Administrative users should be granted the minimum required permissions | Cloud Access Management (CAM) | Use the principle of least privilege to configure sub-accounts |
| Security Audit | Security audit functionality should be enabled | Log Service | Enable operational log recording |
| Data Integrity | Verification techniques should be adopted to ensure the integrity of important data | Database Transaction | Use transactions to guarantee data consistency |
| Data Backup & Recovery | Data backup and recovery functions should be provided | Database Backup | Configure automatic backup policies |
Level 3 Classified Protection Requirements Mapping
Level 3 classified protection introduces stricter requirements on top of Level 2:
| Security Requirement Category | Evaluation Requirement | Corresponding CloudBase Capability | Configuration Recommendation |
|---|---|---|---|
| Identification & Authentication | Use combination of two or more authentication factors (e.g., password, cryptography, biometrics) | Multi-Factor Authentication (MFA) | Enable two-factor authentication (MFA): SMS code + password |
| Identification & Authentication | Login failure handling functionality should be provided | Login Protection Mechanism | Configure login failure lockout policies |
| Access Control | Set security markings for critical subjects and objects | User Roles, Permission Tags | Implement Role-Based Access Control (RBAC) |
| Security Audit | Audit records should include event types, times, users, results, etc. | Detailed Log Recording | Configure complete audit logs |
| Security Audit | Audit records should be protected | Cloud Log Service (CLS) | Deliver logs to an independent, secure log service |
| Intrusion Prevention | Be capable of discovering potential known vulnerabilities | DDoS Protection, Anti-Crawler | Enable gateway security protection |
| Data Confidentiality | Use cryptographic technologies to ensure confidentiality of important data during transmission | HTTPS/TLS Encryption | Enforce HTTPS access |
| Data Confidentiality | Use cryptographic technologies to ensure confidentiality of important data in storage | Encrypted Storage | Encrypt sensitive data before storing it |
| Data Backup & Recovery | Off-site data backup functionality should be provided | Cross-Region Backup | Configure cross-region backup policies |
In-Depth Analysis of CloudBase Security Capabilities
1. Authentication
CloudBase provides comprehensive authentication services, supporting multiple login methods:
| Login Method | Security Level | Applicable Scenarios | MLPS Support |
|---|---|---|---|
| Username/Password | Basic | General scenarios | Level 2 / Level 3 |
| SMS Verification Code | High | Scenarios requiring mobile phone verification | Level 2 / Level 3 |
| Email Verification Code | High | Enterprise applications | Level 2 / Level 3 |
| WeChat Login | High | Mini Program, Official Account | Level 2 / Level 3 |
| Custom Login | Flexible | Integration with enterprise's existing account systems | Level 2 / Level 3 |
Multi-Factor Authentication (MFA) Configuration Example:
import cloudbase from '@cloudbase/js-sdk';
const app = cloudbase.init({
env: 'your-env-id'
});
const auth = app.auth();
// Step 1: Username & Password Login
await auth.signIn({
username: 'user@example.com',
password: 'your-password'
});
// Step 2: Send SMS Verification Code (Two-Factor Verification)
await auth.sendVerification({
type: 'phone',
phone: '+8613800138000'
});
// Step 3: Verify SMS Verification Code
await auth.verifyCode({
type: 'phone',
phone: '+8613800138000',
code: '123456'
});
For more authentication configurations, please refer to the Authentication Documentation.
2. Access Control
Database Safety Rules
CloudBase supports JSON-based safety rule configuration to implement fine-grained data access control:
{
"read": "auth.uid == doc.userId",
"write": "auth.uid == doc.userId",
"create": "auth.uid != null",
"update": "auth.uid == doc.userId",
"delete": "auth.uid == doc.userId && doc.status == 'draft'"
}
Safety Rule Capabilities:
| Capability | Description | MLPS Requirement |
|---|---|---|
| Identity Authentication | auth.uid identifies the current user | Access Control |
| Data Validation | Validates the legitimacy of request data | Data Integrity |
| Field-Level Control | Controls fields that are readable or writable | Least Privilege |
| Conditional Judgment | State-based access control of data | Security Marking |
For more safety rule configurations, please refer to the Safety Rules Documentation.
Cloud Access Management (CAM)
Use Tencent Cloud CAM to implement fine-grained administrator control:
- Root Account: Has full control over all resources.
- Sub-Account: Allocated permissions for specific resources as needed.
- Role: Defines a set of permission policies that can be assumed by multiple accounts.
Least Privilege Configuration Recommendations:
| Role | Recommended Permissions | Description |
|---|---|---|
| Developer | Cloud Function Read/Write, Database Read | Daily development and debugging |
| Operations | Log View, Monitoring & Alarm | System operations |
| Auditor | Log Read-Only | Security audit |
| Admin | Full Permissions | Restricted to essential personnel only |
3. Data Security
Encryption in Transit
All external services of CloudBase enforce encrypted transmission via HTTPS/TLS:
- API Interface: Enforces HTTPS globally.
- Static Hosting: Supports HTTPS access.
- Cloud Function Invocation: Automatic HTTPS encryption.
- Database Connection: Internal network encryption.
Storage Security
| Security Measure | Description | Configuration Method |
|---|---|---|
| Encrypted Storage | Underling storage encryption | Supported by default by the platform |
| Sensitive Data Masking | Application-layer encryption | Implemented via business code |
| File Access Control | Cloud Storage access control | Configure storage safety rules |
Sensitive Data Encryption Storage Example:
const crypto = require('crypto');
// Encryption function
function encrypt(text, key) {
const cipher = crypto.createCipher('aes-256-cbc', key);
let encrypted = cipher.update(text, 'utf8', 'hex');
encrypted += cipher.final('hex');
return encrypted;
}
// Store encrypted sensitive data
const db = app.database();
await db.collection('users').add({
username: 'user@example.com',
idCard: encrypt('110101199001011234', process.env.ENCRYPT_KEY), // Encrypted ID card
phone: encrypt('13800138000', process.env.ENCRYPT_KEY) // Encrypted phone number
});
4. Log Auditing
CloudBase provides complete log recording capabilities:
| Log Type | Content | Use Case |
|---|---|---|
| Access Log | HTTP request records | Access audit |
| Cloud Function Log | Function execution records | Business audit |
| Database Log | Data operation records | Data audit |
| Error Log | Exception error records | Troubleshooting |
Log Delivery Configuration:
It is recommended to deliver logs to Tencent Cloud Log Service (CLS) to achieve:
- Long-term log preservation (satisfying the MLPS requirement for audit log preservation).
- Log search and analysis.
- Alarm and notifications.
- Log exporting and backup.
For more log configurations, please refer to the Log Service Documentation.
5. Network Security
CloudBase features built-in multi-layered network security:
| Protection Capability | Description | MLPS Requirement |
|---|---|---|
| DDoS Protection | Tencent Cloud basic DDoS protection | Intrusion Prevention |
| Anti-Crawler | Gateway anti-crawler policies | Intrusion Prevention |
| Rate Limiting | API call rate limit | Intrusion Prevention |
| IP Black/White List | Access source control | Access Control |
6. Data Backup and Recovery
CloudBase supports various data backup methods:
| Backup Method | Cycle | Retention Period | Applicable MLPS Level |
|---|---|---|---|
| Automatic Backup | Daily | 7 days | Level 2 |
| Manual Backup | On-demand | Custom | Level 2 / Level 3 |
| Cross-Region Backup | On-demand | Custom | Level 3 |
For more backup configurations, please refer to the Database Backup Documentation.
Best Practices for MLPS Compliance
Level 2 Compliance Checklist
Configuring according to the following checklist can meet the basic Level 2 requirements:
-
Identification & Authentication
- Enable at least one login method.
- Configure password complexity requirements.
- Enable login failure restriction.
-
Access Control
- Configure database safety rules.
- Use CAM to manage administrator permissions.
- Enforce the principle of least privilege.
-
Security Audit
- Enable access log recording.
- Configure log preservation policies.
-
Data Security
- Force the use of HTTPS.
- Configure automatic database backup.
Level 3 Compliance Checklist
Add the following configurations on top of Level 2:
-
Enhanced Identification & Authentication
- Enable Multi-Factor Authentication (password + SMS verification code).
- Configure session timeout policies.
- Enable anomalous login detection.
-
Enhanced Access Control
- Implement Role-Based Access Control (RBAC).
- Configure approvals for sensitive operations.
- Enable two-step operational confirmations.
-
Enhanced Security Audit
- Deliver logs to an independent CLS.
- Configure audit log retention for at least 180 days.
- Set security alarm rules.
-
Enhanced Data Security
- Encrypt sensitive data in storage.
- Configure cross-region data backups.
- Conduct regular data recovery drills.
-
Enhanced Network Security
- Configure IP white lists (for management APIs).
- Enable API rate limiting.
- Configure Web Application Firewall (WAF).
Guidelines for Different Business Deployment Scenarios
Compliance strategies vary depending on your deployment. Below are detailed guidelines for two typical scenarios.
Scenario 1: All Services Deployed on CloudBase
If all your businesses run on CloudBase (including Cloud Functions, CloudBase Run, Database, Storage, etc.), MLPS compliance is relatively simple.
Architecture Example
┌─────────────────────────────────────────────────────────────┐
│ User / Client │
└─────────────────────────────────────────────────────────────┘
│
▼
┌─────────────────────────────────────────────────────────────┐
│ CloudBase Environment │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Static │ │ CloudBase │ │ Cloud │ │
│ │ Hosting │ │ Run │ │ Functions │ │
│ │ (Front) │ │ (Back APIs) │ │ (Biz Logic) │ │
│ └─────────────┘ └─────────────┘ └─────────────┘ │
│ │ │ │ │
│ └────────────────┼────────────────┘ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────┐ │
│ │ Database / Cloud Storage │ │
│ └─────────────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
MLPS Compliance Advantages
| Advantage | Description |
|---|---|
| ✅ Infrastructure Security Managed by Platform | No need to worry about underlying security like OS, network devices, etc. |
| ✅ No Extra Security Products Required | No need for bastion hosts, host security agents, firewalls, etc. |
| ✅ Unified Security Management Portal | All security configurations are completed in the CloudBase Console. |
| ✅ Simplified Categorization & Filing | Clear boundaries, simple asset inventory. |
Checklist (Pure CloudBase Architecture)
Security Physical Environment — Handled by Tencent Cloud data centers; users do not need to concern themselves.
Security Communication Network
- Confirm all external services use HTTPS.
- Configure domains and routes for HTTP Access Services.
- Enable service authentication (configure public/internal/end-user authentication as needed).
Security Area Boundary
- Configure IP black/white lists (if needed).
- Enable API rate limiting.
- Configure inter-service access controls (internal links).
Security Computing Environment
- Configure database safety rules.
- Configure storage safety rules.
- Enable Authentication Service.
- Configure Multi-Factor Authentication (for Level 3).
Security Management Center
- Deliver logs to CLS (retained for 180+ days).
- Set monitoring alarm rules.
- Configure CAM permissions (principle of least privilege).
Data Security
- Configure automatic database backup.
- Configure cross-region backup (for Level 3).
- Encrypt sensitive data in storage.
How to Address Evaluators
Address the evaluation team with:
"Our business system is completely deployed on the Tencent Cloud Base platform. CloudBase is a Serverless PaaS platform certified under Level 3 classified protection. We do not directly manage any physical servers or virtual machines; infrastructure security is handled by Tencent Cloud. We are primarily responsible for application-layer security configurations, including authentication, access controls, database safety rules, etc."
Scenario 2: Hybrid Architecture (CloudBase + Other Cloud Resources)
If your business uses CloudBase in combination with other cloud resources (such as CVM, MySQL, Redis, etc.), you need to satisfy the MLPS requirements for all different resource types.
Common Hybrid Architecture
┌─────────────────────────────────────────────────────────────┐
│ User / Client │
└─────────────────────────────────────────────────────────────┘
│
┌───────────────────┼───────────────────┐
▼ ▼ ▼
┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐
│ CloudBase │ │ Cloud Servers │ │ Cloud Database │
│ ┌───────────┐ │ │ (CVM) │ │ (MySQL) │
│ │ Run / │ │ │ │ │ │
│ │ Functions │ │ │ Traditional Back│ │ Core Biz Data │
│ │ Static │ │ │ Services │ │ │
│ └───────────┘ │ └─────────────────┘ └─────────────────┘
│ │ │ │ │
│ ▼ │ │ │
│ ┌───────────┐ │ │ │
│ │ Document │◄─┼───────────┴───────────────────┘
│ │ Database │ │
│ └───────────┘ │
└─────────────────┘
Shared Responsibility Model
In a hybrid architecture, different resources carry distinct security responsibilities:
| Resource Type | Infrastructure Security | Host Security | Application Security | Required Security Products |
|---|---|---|---|---|
| CloudBase Run / Functions | Tencent Cloud | Managed by Platform | User | No extra purchase required |
| Cloud Servers (CVM) | Tencent Cloud | User | User | Bastion host, Host security |
| Cloud Database (MySQL) | Tencent Cloud | Tencent Cloud | User | Database audit (as needed) |
| Cloud Storage (COS) | Tencent Cloud | N/A | User | No extra purchase required |
Checklist (Hybrid Architecture)
CloudBase Part — Configure according to Scenario 1's checklist.
Cloud Server (CVM) Part
- Purchase and configure a bastion host.
- Install host security agents (e.g., Cloud Workload Protection).
- Configure security group rules.
- Conduct regular vulnerability scanning and remediations.
- Configure OS security baselines.
- Enable login auditing.
Cloud Database Part
- Configure database access white lists.
- Enable SSL-encrypted connections.
- Configure automatic backup policies.
- Enable database audit as needed.
- Configure account permissions (least privilege).
Interconnection Security
- Configure VPC network isolation.
- Use private networks (VPC) for connections between CloudBase, CVM, and databases.
- Configure a unified API gateway (if needed).
Key Considerations
-
Misconception: Using CloudBase means a bastion host is not needed.
- Correct: Only pure CloudBase architectures do not need it. If CVM is involved, a bastion host is still required for CVMs.
-
Misconception: CloudBase's Level 3 certification can cover the entire system.
- Correct: CloudBase's certification only covers the CloudBase portion; other resources must independently meet their respective requirements.
-
Misconception: Data is secure as long as it resides in the same VPC.
- Correct: Fine-grained access control rules must still be configured.
Recommended Security Products
For a hybrid architecture, it is recommended to configure the following security products:
| Security Need | Recommended Product | Applicability | Mandatory (Level 3 MLPS)? |
|---|---|---|---|
| O&M Audit | Bastion Host | CVM / Lighthouse | ✅ Mandatory |
| Host Security | Cloud Workload Protection | CVM / Lighthouse | ✅ Mandatory |
| Vulnerability Scan | Vulnerability Scan Service | CVM / Lighthouse | ✅ Mandatory |
| Database Audit | Database Audit | Cloud Database | As needed (recommended) |
| Web Protection | WAF | External Web Services | As needed (recommended) |
| DDoS Protection | Anti-DDoS | External Services | Point of entry |
| Log Audit | Log Service (CLS) | All Resources | ✅ Mandatory |
How to Address Evaluators
Address the evaluation team with:
"Our system adopts a hybrid architecture. Some services run on CloudBase (Serverless PaaS), while other parts run on cloud servers. For the CloudBase part, infrastructure security is handled by the platform, and we primarily configure application-layer security. For the cloud server part, we have configured a bastion host for O&M audit and host security agents for host protection, and conduct regular vulnerability scans. The two parts communicate via a private network with corresponding access control policies."
Scenario Comparison & Recommendations
| Decision Factor | Pure CloudBase Architecture | Hybrid Architecture |
|---|---|---|
| Compliance Complexity | ⭐ Low | ⭐⭐⭐ High |
| Required Security Products | Basically none | Bastion host, Host security, etc. |
| O&M Complexity | ⭐ Low | ⭐⭐⭐ High |
| Assessment Prep Workload | ⭐ Small | ⭐⭐⭐ Large |
| Ideal Scenarios | New projects, small/medium systems | Legacy migration, highly complex setups |
Recommendations:
- For new projects, prioritize a pure CloudBase architecture to significantly lower MLPS compliance costs and complexity.
- For legacy migration, migrate workloads to CloudBase progressively to reduce the number of CVMs that you need to maintain manually.
- If specific requirements dictate the use of CVMs (e.g., custom software, GPU computing), plan according to the hybrid architecture.
Preparation Recommendations for Classified Protection Evaluation
Pre-Assessment Preparation
-
Inventory System Assets
- List all used CloudBase services.
- Identify where sensitive data is stored.
- Draw system architecture and data flow diagrams.
-
Complete Security Configurations
- Complete configurations according to the checklist.
- Retain configuration screenshots as evidence.
-
Prepare Documentations
- Security management policy documents.
- Incident response plans.
- Data backup and recovery strategies.
Coordination Points During Assessment
| Stage | Coordination Point | CloudBase Support |
|---|---|---|
| Technical Assessment | Show security configurations | Console screenshots, config exports |
| Log Audit | Provide audit logs | CLS exports |
| Vulnerability Scan | Cooperate with scanning | Provide test environments |
| Penetration Testing | Cooperate with security tests | Provide test accounts |
Related Resources
- Tencent Cloud Classified Protection Solution
- Tencent Cloud DDoS Protection
- Authentication Service
- Safety Rules Configuration
- Log Service
- Database Backup
FAQ
Do I still need a bastion host after using CloudBase Run?
In most cases, no. CloudBase Run adopts a Serverless container architecture, which is fundamentally different from traditional CVMs:
| Feature | Traditional CVM | CloudBase Run |
|---|---|---|
| Server Management | Self-managed by user | Managed by platform |
| SSH Login | Required | No SSH login required |
| O&M Approach | Bastion host / jump host | WebShell + Log Service |
| MLPS Requirement | O&M audit required | Built-in audit capability |
Why a bastion host is not needed:
- Serverless Architecture: CloudBase Run is a Serverless container service. Users do not need to manage underlying servers, eliminating traditional SSH login scenarios.
- WebShell Alternative: CloudBase Run provides a WebShell feature to enter containers directly from the console for debugging. All operations are traceable.
- Log Auditing: All operational and access logs are recorded automatically, satisfying audit requirements.
- Access Isolation: Manage who can access WebShell via CAM to realize O&M control.
Key points for MLPS evaluation:
During the assessment, if the evaluator asks about O&M auditing, you can state:
- CloudBase Run is Serverless and does not provide traditional SSH access.
- O&M operations are conducted via Console WebShell, which maintains complete audit logs.
- Access permissions are managed centrally by Tencent Cloud CAM, supporting fine-grained controls.
If your system uses CVMs/Lighthouses alongside CloudBase Run, those traditional servers still require bastion hosts for O&M auditing. Bastion host requirements apply only to traditional servers requiring SSH logins.
Do I still need host security products when using CloudBase?
No. Host security products (such as Cloud Workload Protection) are primarily used to protect the OS layer of traditional servers (CVMs). CloudBase's Serverless architecture is fundamentally different:
| Security Focus | Traditional Servers | CloudBase |
|---|---|---|
| OS Security | User's responsibility | Managed by platform |
| System Patching | Self-managed | Automatic platform updates |
| Intrusion Detection | Host security agent required | Built-in platform protection |
| Antivirus Protection | Antivirus software required | Container isolation |
CloudBase Safety Mechanisms:
- Container Isolation: Each service runs in an isolated container.
- Secure Base Images: Platform-provided base images are security-hardened.
- Automatic Updates: Underlying runtime is maintained by the platform, automatically patching vulnerabilities.
- Network Isolation: Inter-service network isolation by default.
Do I still need to configure firewalls/security groups for CloudBase?
In most cases, no. CloudBase's network security model is different from traditional IaaS:
| Feature | Traditional CVM | CloudBase |
|---|---|---|
| Inbound Traffic Control | Security group rules | HTTP Access + Authentication |
| Outbound Traffic Control | Security group rules | Allowed to public by default |
| Inter-Service Communication | VPC + Security Groups | Internal Links (auto-configured) |
| Port Management | Manual port exposure | Unified HTTP/HTTPS ports |
CloudBase Network Security Capabilities:
- HTTP Access Service: Unified entrance supporting custom domains and path routing.
- Service Authentication: Public, internal-only, and end-user authentication modes.
- IP Black/White List: Limit access sources at the gateway.
- Rate Limiting: Built-in API rate limiting to prevent malicious requests.
How does CloudBase satisfy "vulnerability scanning" requirements?
MLPS requires regular vulnerability scanning. CloudBase handles this at different layers:
Platform Layer (Responsibility of Tencent Cloud):
- Underlying infrastructure vulnerability scanning.
- Container runtime security updates.
- Platform component hardening.
Application Layer (Your Responsibility):
- Code security auditing.
- Dependency package vulnerability checks.
- API security testing.
Recommended Compliance Operations:
- Code Level: Use code analysis tools (such as SonarQube) to check code.
- Dependency Level: Regularly update dependencies and use tools like
npm audit. - API Level: Perform API security testing focusing on authentication and input validation.
- Configuration Level: Review database safety rules and storage access configurations.
Explain to the evaluator that CloudBase is a Serverless PaaS platform where underlying infrastructure security is managed by Tencent Cloud. Users focus on application-layer security and can provide code audit, dependency scan, and API test reports as supporting evidence.
How do I implement "network partitioning" in CloudBase?
Traditional MLPS requires physical or logical partitioning of network areas (such as DMZ, core zone, etc.). CloudBase achieves this via logical isolation:
| Isolation Dimension | Implementation | Description |
|---|---|---|
| Environment | Multi-environment | Development, testing, and production environments are completely isolated. |
| Service | Container Isolation | Each service runs in an independent container, isolated by default. |
| Data | Database Permissions | Control data access via JSON safety rules. |
| Access | Service Authentication | Support public, internal, and authenticated access modes. |
Recommended Environment Planning:
┌─────────────────────────────────────────────────────┐
│ CloudBase Environments │
├─────────────────────────────────────────────────────┤
│ Production Environment (env-prod) │
│ ├── Front-End Services (Public Access) │
│ ├── API Services (End-User Auth) │
│ ├── Internal Services (Internal Only) │
│ └── Databases (Safety Rule Controls) │
├─────────────────────────────────────────────────────┤
│ Testing Environment (env-test) ← Completely Isolated│
├───────────────────────────────── ────────────────────┤
│ Development Environment (env-dev) ← Completely Isolated│
└─────────────────────────────────────────────────────┘
How long are Cloud Functions/CloudBase Run logs kept? Can they meet MLPS requirements?
MLPS requires audit logs to be retained for at least 180 days (Level 3). CloudBase default retention:
| Log Type | Default Retention | Extension Plan |
|---|---|---|
| Cloud Function Logs | 7 days | Deliver to CLS |
| CloudBase Run Logs | 7 days | Deliver to CLS |
| Database Op Logs | 7 days | Deliver to CLS |
| Access Logs | 7 days | Deliver to CLS |
Configuration to Satisfy MLPS Requirements:
- Enable Log Delivery: Deliver logs to Tencent Cloud Log Service (CLS)
- Configure Retention: Set log retention to 180+ days in CLS
- Log Backup: Export CLS logs to COS for long-term secure archiving
Does CloudBase support MFA? How do I satisfy Level 3 MLPS MFA requirements?
Yes. CloudBase supports combining multiple authentication factors to satisfy Level 3 requirements:
| Authentication Factor | Type | CloudBase Support |
|---|---|---|
| Password | Knowledge Factor | ✅ Username & password login |
| SMS Verification Code | Possession Factor | ✅ SMS code login/verification |
| Email Verification Code | Possession Factor | ✅ Email code login/verification |
| WeChat Authorization | Possession Factor | ✅ WeChat scan / Mini Program auth |
| Custom Authentication | Extensible | ✅ Integration with enterprise systems |
MFA Implementation Scenarios:
- Scenario A: Password + SMS Verification Code
- Scenario B: Password + Email Verification Code
- Scenario C: WeChat Auth + SMS Verification Code (Two-factor verification for sensitive operations)
CloudBase is Level 3 Certified, is my app automatically compliant?
No. CloudBase's certification means the platform's security capabilities have reached Level 3. Your application's compliance depends on how you configure and use these features. You must configure authentication, access rules, log audits, and data backups reasonably according to your needs.
How do I choose between Level 2 and Level 3 Classified Protection?
- Level 2: Suitable for general enterprise applications not involving large quantities of sensitive personal data.
- Level 3: Mandatory for systems involving massive user data, financial transactions, health/medical records, and other highly sensitive information.
It is recommended to consult a professional MLPS evaluation agency based on your business nature and regulator requirements.
How do I obtain CloudBase's MLPS certification materials?
Obtain them through the following steps:
- Log in to the Tencent Cloud Console.
- Access the "Compliance Qualification" page.
- Download the relevant certificates and reports.