Huawei Multilayer Ransomware Protection Solution for Cloud Scenario (C-MRP) - Executive Summary

Sponsor: Huawei Technologies, Co. Ltd

Abstract

Huawei Technologies commissioned Tolly to validate the Huawei Multilayer Ransomware Protection Solution for Cloud Scenario, or C-MRP. The main focus of the project was to assess how the solution coordinates cloud security and storage to prevent intrusion, limit ransomware spread, stop data leakage, and protect cloud data from tampering through automated detection, response, backup protection, and recovery mechanisms.  


The report presents C-MRP as a multilayer anti-ransomware architecture aligned with the NIST Identify, Protect, Detect, Respond, and Recover framework. In the tested cloud deployment, Huawei combined SecMaster, Cloud Firewall, Web Application Firewall, Host Security Service, Network Detection and Response, Database Protection, Data Security Center, EVS, Cloud Server Backup Service, and a data security appliance with OceanStor Dorado production storage, OceanProtect backup storage, OceanStor Pacific storage, and BCManager-controlled AirGap replication in an isolation zone. As shown in the solution overview diagram on page 2 and the topology on page 5, the design links security controls with storage actions so that detected threats can trigger secure snapshots, incremental backups, anti-tamper controls, and AirGap disconnection to isolate recovery copies.  


Tolly states that the solution was tested in 20 typical scenarios spanning intrusion prevention, spread prevention, leakage prevention, and tampering prevention, and that Huawei C-MRP passed all of them. In intrusion prevention, the solution successfully detected and blocked 100% of simulated attacks, including vulnerability exploitation, brute-force cracking, database penetration, malware delivery, and common web attacks such as SQL injection, XSS, and command or code injection. Spread-prevention testing verified east-west access policy enforcement, east-west virus blocking, ransomware isolation and killing, and horizontal host connection detection to contain lateral movement inside the cloud.  


Leakage-prevention testing validated data classification using built-in templates, database watermarking for traceability, risky database operation auditing, and sensitive information leakage prevention for web applications. Tampering-prevention testing then verified low-, medium-, and high-risk event handling on single hosts and multi-host ransomware linkage detection. Associated playbooks automatically created snapshots, launched incremental backups, applied anti-tamper protections, and, for multi-host high-risk events, disconnected the AirGap link. The report says recovery point objectives were within minutes and that backup copies could not be tampered with, positioning C-MRP as a tightly integrated ransomware defense framework for cloud environments.  


See Tolly Report #225119 for more details.