GB/T 31167-2014 Information security technology - Security guide of cloud computing services

BASIC DATA
Standard ID: GB/T 31167-2014 (GB/T31167-2014)
Description (Translated English): Information security technology. Security guide of cloud computing services
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.040
Word Count Estimation: 28,225
Date of Issue: 2014/9/3
Date of Implementation: 2015/4/1
Quoted Standards: GB/T 25069-2010; GB/T 31168-2014
Drafting Organization: Sichuan University
Administrative Organization: National Information Security Standardization Technical Committee
Regulation (derived from): People's Republic of China Announcement of Newly Approved National Standards No. 21 of 2014
Proposing Organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing Agency(ies): General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China
Summary: This Standard specifies the main security risks that cloud computing may face, proposes government safety management and technical requirements for the basic safety requirements and lifecycle management of cloud computing services cloud computing services f


GB/T 31167-2014
GB
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology -
Security guide of cloud computing services
ISSUED ON: SEPTEMBER 03, 2014
IMPLEMENTED ON: APRIL 01, 2015
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China.
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Cloud computing overview
4.1 Main features of cloud computing
4.2 Service modes
4.3 Deployment modes
4.4 Advantages of cloud computing
5 Risk management of cloud computing
5.1 General
5.2 Cloud computing security risks
5.3 Main roles and responsibilities of cloud computing service security management
5.4 Basic requirements for cloud computing service security management
5.5 Life cycle of cloud computing services
6 Planning preparation
6.1 General
6.2 Benefit assessment
6.3 Classification of government information
6.4 Classification of government business
6.5 Priority determination
6.6 Security protection requirements
6.7 Demand analysis
6.8 Forming a decision report
7 Selecting service providers and deployment
7.1 Security capability requirements for cloud service providers
7.2 Determining the cloud service provider
7.3 Security considerations in contracts
7.4 Deployment
8 Operational supervision
8.1 General
8.2 Role and responsibilities of operational supervision
8.3 Customers' own operational supervision
8.4 Operational supervision of cloud service providers
9 Exiting services
9.1 Exit request
9.2 Determining the scope of data handover
9.3 Verifying the integrity of data
9.4 Safely deleting data
Bibliography
Information security technology -
Security guide of cloud computing services
1 Scope
This Standard describes the main security risks that cloud computing may face,
proposes the basic requirements for the security management of cloud
computing services by government departments and the security management
and technical requirements for each phase of the life cycle of cloud computing
services.
This Standard provides safety guidance throughout the life cycle for
government departments to adopt cloud computing services, especially
socialized cloud computing services. It is applicable for government
departments to purchase and use cloud computing services, and can also be
used for reference by key industries and other enterprises and institutions.
2 Normative references
The following referenced documents are indispensable for the application of
this document. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any
amendments) applies.
GB/T 25069-2010 Information security technology glossary
GB/T 31168-2014 Information security technology - Security capability
requirements of cloud computing services
3 Terms and definitions
For the purpose of this document, the following terms and definitions and those
defined in GB/T 25069-2010 apply.
3.1
cloud computing
A mode of accessing scalable, flexible physical or virtual shared resource pools
via a network, in which resources are acquired and managed on demand in a self-service manner.
4.2 Service modes
According to the types of resources provided by the cloud service provider,
cloud service modes can be divided into three main categories.
a) Software as a Service (SaaS). In SaaS mode, the cloud service provider
provides customers with applications running on the cloud computing
infrastructure. Customers do not need to purchase or develop software.
They can use the client (such as a web browser) or program interface on
different devices to access and use the applications provided by the cloud
service provider via internet, such as email system and collaborative office
system. Customers usually cannot manage or control low-level resources,
such as networks, servers, operating systems, storage, etc., that support
the operation of applications, but they may have limited configuration
management of applications.
b) Platform as a Service (PaaS). In PaaS mode, the cloud service provider
provides customers with software development and operation platforms
running on the cloud computing infrastructure, such as standard
languages and tools, data access, general interfaces, etc. Customers can
use the platform to develop and deploy their own software. Customers
usually cannot manage or control the low-level resources, such as
networks, servers, operating systems, storage, etc., required to support
the platform, but they can configure the application's operating
environment and control the applications deployed by themselves.
c) Infrastructure as a Service (IaaS). In IaaS mode, the cloud service
provider provides computing resources such as virtual machines, storage,
and networks to customers, and provides service interfaces to access the
cloud computing infrastructure. Customers can deploy or run operating
systems, middleware, databases and applications on these resources.
Customers usually cannot manage or control the cloud computing
infrastructure, but they can control the operating systems, storage, and
applications deployed by themselves, as well as partially control the
network components they use, such as host firewalls.
4.3 Deployment modes
Depending on the range of customers using the cloud computing platform,
cloud computing is divided into four deployment modes: private cloud, public
cloud, community cloud and hybrid cloud.
a) Private cloud. The cloud computing platform is only available to a specific
customer. When the cloud computing infrastructure of the private cloud is
owned, managed and operated by the cloud service provider, the private
cloud is called an off-site private cloud (or outsourced private cloud). It can
cloud service provider, and the cloud service provider has the ability to access,
utilize or manipulate the customer data.
After migrating data and business systems to the cloud computing platform,
security relies heavily on cloud service providers and the security measures
they take. Cloud service providers usually regard the security measures and
status of their cloud computing platforms as intellectual property and trade
secrets. Without the necessary right to know, it is difficult for customers to
understand and master the implementation and operational status of the cloud
service providers' security measures, and difficult to supervise and manage
those measures effectively; customers also cannot effectively supervise
unauthorized access to and use of customer data by the cloud service
providers' internal personnel. All of this increases the risk to customer data and services.
5.2.2 Responsibility between customers and cloud service providers is
difficult to define
In the traditional mode, the responsibility for information security is relatively
clear according to the principles of "whoever is in charge is responsible" and
"whoever operates is responsible". In the cloud computing model, the entities
that manage and operate the cloud computing platform are different from the
entities responsible for data security, and there are no clear rules on how their
mutual responsibilities are defined. The different service modes and deployment
modes, and the complexity of the cloud computing environment, also increase
the difficulty of defining the responsibility between cloud service providers and customers.
Cloud service providers may also purchase and use services from other cloud
service providers. For example, cloud service providers that provide SaaS
services may build their services on PaaS or IaaS of other cloud service
providers, which makes the responsibility more difficult to define.
5.2.3 Jurisdiction issues are possible
In the cloud computing environment, the actual storage location of data is often
not controlled by the customer, and the customer's data may be stored in an
overseas data center, changing the jurisdiction over the data and business.
NOTE: Governments in some countries may require cloud service providers to provide access
to these data centers in accordance with national laws, and may even require cloud service
providers to hand over data held in other countries' data centers.
5.2.4 Data ownership protection is at risk
adopting cloud computing services, determine their own data and business
types, and determine whether it is suitable to adopt cloud computing services;
determine the security capability requirements of cloud computing services
according to the types of data and business; carry out demand analysis and
form a decision report according to the characteristics of cloud computing
services.
5.5.3 Selecting service providers and deployment
In the selecting service providers and deployment stage, customers shall select
cloud service providers according to security requirements and security
capabilities of cloud computing services, negotiate contracts with cloud service
providers (including service level agreement, security requirements,
confidentiality requirements, etc.), complete the deployment or migration of
data and business to the cloud computing platform.
5.5.4 Operational supervision
In the operational supervision stage, customers shall guide and supervise cloud
service providers to fulfill their contractual obligations and responsibilities, guide
business system users to comply with government information system security
management policies and standards, and jointly maintain data, business and
cloud computing environment security.
5.5.5 Exiting services
When exiting cloud computing services, customers shall require cloud service
providers to fulfill their relevant responsibilities and obligations, and ensure
data and business security during the exit stage, for example by safely
returning customer data and completely eliminating customer data from
the cloud computing platform.
When the cloud service provider needs to be changed, the customer shall
select a new cloud service provider according to the requirements, and focus
on the data and business security during the cloud computing service migration
process; the original cloud service provider shall also be required to fulfill
related responsibilities and obligations.
6 Planning preparation
6.1 General
Clause 5.2 explains the security risks and new problems faced by cloud computing.
Cloud computing services are not suitable for all customers, and not all
applications are suitable for deployment to cloud computing environments.
measures are implemented by the cloud service provider.
b) In PaaS mode, the security measures of the software platform layer are
shared between the customer and the cloud service provider. The
customer is responsible for the security of the applications developed and
deployed by himself and the operating environment, and other security
measures are implemented by the cloud service provider.
c) In IaaS mode, the security measures of the virtualized computing resource
layer are shared by the customer and the cloud service provider. The
customer is responsible for the security of the operating system, operating
environment and applications deployed by himself. The cloud service
provider is responsible for the security of the virtual machine monitor and
the underlying resources.
The lower three layers in Figure 4 consist of the facility layer, the hardware layer
and the resource abstraction control layer. The facility layer and the hardware
layer are the physical elements of the cloud computing environment. The facility
layer mainly includes heating, ventilation, air conditioning, power and
communication. The hardware layer includes all physical computing resources,
such as servers, networks (routers, firewalls, switches, network connections
and interfaces), storage components (hard disks) and other physical computing
components. The resource abstraction control layer implements software
abstraction of physical computing resources through virtualization or other
software technologies, and implements access control of resources through
software components for resource allocation, access control and usage
monitoring. In all service modes, these three layers are under the full control of
the cloud service provider, and all security measures are implemented by the
cloud service provider.
The upper three layers in Figure 4, the application software layer, the software
platform layer and the virtualized computing resource layer, form the logical
elements of the cloud computing environment. The virtualized computing
resource layer provides customers with access to computing resources such
as virtual machines, virtual storage and virtual networks through service
interfaces. The software platform layer provides customers with compilers,
libraries, tools, middleware and other software tools and components for
application development and deployment. The application software layer
provides customers with the application software required by the business
system, and customers access this application software through clients or
program interfaces.
Customers can choose the service mode according to the characteristics of
different service modes and the security management requirements of their
own data and business systems, combined with their own technical capabilities,
pay for the resources used by the business system.
Customers shall prioritize the deployment or migration of businesses with
dynamic and periodic changes in resources to the cloud computing platform,
which may save money while meeting business performance requirements.
6.7.6 Delay
Delay is the time taken by the cloud computing environment to process a
request, including the time required for the customer's request messages to
be transmitted to the cloud computing environment and for the result to be
returned, plus the processing time within the cloud computing environment.
Different types of applications differ significantly in their delay requirements for
cloud computing services. For example, e-mail usually tolerates short service
interruptions and large network delays, whereas automation and real-time
applications generally have stricter delay requirements.
Customers shall conduct a detailed analysis of the requirements for the
response speed of the business system, to determine the tolerance of the
business itself for delay and possible remedies. Before deploying or migrating
data and services to the cloud computing platform, it shall consider indicator
requirements such as response time and massive data transmission
performance.
6.7.7 Business continuity
Whether the cloud computing service will be interrupted and whether it can
continue to be accessed depends on many factors, including the network, the
cloud computing platform, and the cloud service provider.
Network dependence. Cloud computing services rely on networks such as the
Internet, and customers access services through a continuously available
network connection. Network dependence means that every application
effectively becomes a network application, and the complexity of the network
path from the customer to the cloud computing platform is usually higher than
that of the customer's internal local area network.
Platform dependence. Despite the high reliability of professional cloud
computing platforms, cloud computing platform failures and service
interruptions cannot be completely avoided due to human factors (such as
malicious attacks or administrator errors), natural disasters (such as floods,
typhoons, earthquakes, etc.).
Cloud service provider dependence. When using self-own systems, even if the
hardware and software provider suspends technical support, after-sales service
or business, customers may not be affected immediately and can continue to
c) Cloud computing service mode and deployment mode selection. Analyze
the security measures implementation boundaries and management
boundaries of customers and cloud service providers;
d) Risk analysis. Analyze the security threats that may be encountered after
data and business are deployed to the cloud computing environment, and
propose countermeasures;
e) Functional requirement analysis. Analyze the resource requirements in
different modes, the backup and recovery capabilities of data, the storage
location of backup data, the data transmission mode and network
bandwidth requirements, and the data interaction requirements between
the business to be deployed on the cloud computing platform and other
systems;
f) Performance requirements analysis. Mainly analyze indicators such as
availability, reliability, resilience, transaction response time and throughput
rate;
g) Security requirements. Determine the security capability requirements of
the cloud computing service based on the classification results of the
information and business to be deployed to the cloud computing platform;
h) Business continuity requirements. After the business system is migrated
to the cloud computing platform, the original system can operate in parallel
with the business system migrated to the cloud computing platform for a
period of time;
i) A preliminary plan of exiting cloud computing services or changing cloud
service providers;
j) A plan for security awareness, technical and management training for
relevant customer personnel;
k) Leaders and working departments responsible for adopting cloud
computing services of the organization and their responsibilities.
l) Other important issues that shall be considered in the procurement and
use of cloud computing services.
7 Selecting service providers and deployment
7.1 Security capability requirements for cloud service providers
Cloud service providers that provide cloud computing services to customers
shall have the following 10 aspects of security capabilities.
necessary information needed to properly perform their job duties;
d) When a third party requests disclosure of information in c) or sensitive
customer information, it shall not respond and shall report immediately;
e) Activities or practices that violate or may result in violations of agreements,
regulations, procedures, strategies, laws, shall be reported immediately
upon discovery;
f) After the contract is completed, the cloud service provider shall return the
information and customer data in c), and specify the specific requirements
and contents of the return;
g) Define the validity period of the confidentiality agreement.
7.3.5 Information security related contents in contracts
When signing a contract with a cloud service provider, the customer shall fully
consider the security risks that the cloud computing service may face, agree on
management, technology, personnel, etc. through the contract, and require the
cloud service provider to provide the customer with safe and reliable services.
The contract shall include at least the following information security related
contents.
a) The responsibility and obligations of the cloud service provider, including
but not limited to all the contents of 7.3.2. If other parties participate, the
responsibilities and obligations of other parties shall be clarified;
b) The technical and management standards that the cloud service provider
shall comply with;
c) The service level agreement, clarifying the customer's specific
performance requirements, security requirements, etc.;
d) The confidentiality clauses, including those who have access to customer
information, especially sensitive information;
e) The responsibility and obligation of the customer to protect the intellectual
property rights of the cloud service provider;
f) The conditions for the termination of the contract and the obligations of
the cloud service provider after the termination of the contract;
g) If data interaction between the business system in the cloud computing
platform and other business systems of the customer is needed, the
a) the responsibilities and obligations specified in the contract and related
policies and regulations are implemented, and the technical standards are
effectively implemented;
b) the quality of service meets the contract requirements;
c) the security of customer data and businesses in the event of significant
changes;
d) respond to security incidents in a timely and effective manner.
8.2 Role and responsibilities of operational supervision
8.2.1 General
Customers shall strengthen the operational supervision of cloud service
providers and themselves in accordance with contracts, rules and regulations
and standards. Cloud service providers and third party assessment
organizations shall actively participate and cooperate. Customers and cloud
service providers shall clearly identify the person responsible for the operational
supervision and his contact information.
8.2.2 Supervision responsibilities of customers
The responsibilities of customers in operational supervision activities are as
follows.
a) supervise cloud service providers to strictly abide by the various
responsibilities and obligations specified in the contract, and consciously
abide by the rules and regulations and standards related to government
information security;
b) assist cloud service providers in handling major information security
incidents;
c) conduct annual security check on the cloud computing platform of cloud
service providers in accordance with the government information system
security inspection requirements;
d) under the support of cloud service providers, supervise the following
aspects.
1) service operating status;
2) performance indicators, such as resource usage;
3) special security needs;
handover of the non-generic-format files;
b) Program code. For customer-customized functions or business systems,
whether to transfer executable programs, source code and technical
materials is defined in the contract or other agreements, which may
include: executable programs, source code, functional descriptions,
design documentation, description of the development and operation
environment, maintenance manual, user manual, etc.;
c) Other data. According to the prior agreement and the negotiation between
the two parties, determine other data that shall be handed over, including
relevant data collected and counted during the operation of the customer's
business, such as customer behavior habit statistics and network traffic
characteristics of the cloud computing service;
d) Documentation. The various documents provided by the customer to the
cloud service provider during the use of the cloud computing service, and
relevant materials related to the customer jointly completed by the two
parties.
9.3 Verifying the integrity of data
The customer shall verify the integrity of the data returned by the cloud service
provider. In order to obtain the complete data, the customer shall take the
following measures.
a) Require the cloud service provider to completely return the customer data
according to the handover data checklist, paying special attention to
historical data and archived data;
b) Supervise the process by which the cloud service provider returns
customer data and verify the validity of the returned data: decrypt and
verify encrypted data; use appropriate tools to restore generic-format data
and verify it;
c) The validity and integrity of the data can be verified by the business system,
e.g. deploy the data and business systems on a new platform for
verification.
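The verification in a) and b) above is easiest to make repeatable when the handover data checklist records, for every item the provider must return, a cryptographic digest and size. The standard does not prescribe such a format; the script below is an added example (not part of GB/T 31167-2014) that assumes a checklist of the form {relative path: (SHA-256 hex digest, size in bytes)} and checks a delivered directory tree against it, reporting items that are missing, altered, or delivered but never listed. All file names and contents in the demo are constructed.

```python
"""Verify a cloud-exit data handover against a handover data checklist.

Added example, not part of GB/T 31167-2014. Assumption: the checklist maps
each expected relative path to (sha256_hex, size_bytes). Anything listed but
absent is "missing" (compare 9.3 a), historical and archived data), anything
present whose size or digest differs is "corrupted", and anything delivered
that the checklist never mentioned is "unlisted" and deserves a second look.
"""
import hashlib
import os
import tempfile
from dataclasses import dataclass, field


@dataclass
class HandoverReport:
    verified: list = field(default_factory=list)   # present, size and digest match
    missing: list = field(default_factory=list)    # on checklist, not delivered
    corrupted: list = field(default_factory=list)  # delivered, but size/digest differ
    unlisted: list = field(default_factory=list)   # delivered, not on checklist

    @property
    def complete(self) -> bool:
        """True only when every listed item arrived intact."""
        return not self.missing and not self.corrupted


def sha256_file(path: str, chunk: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_handover(root: str, checklist: dict) -> HandoverReport:
    """Compare the files under `root` with the checklist {rel_path: (digest, size)}."""
    report = HandoverReport()
    delivered = set()
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            delivered.add(os.path.relpath(full, root).replace(os.sep, "/"))
    for rel, (want_digest, want_size) in sorted(checklist.items()):
        if rel not in delivered:
            report.missing.append(rel)
            continue
        full = os.path.join(root, rel)
        # Size alone is not enough: an edit that keeps the length passes a size check.
        if os.path.getsize(full) != want_size or sha256_file(full) != want_digest:
            report.corrupted.append(rel)
        else:
            report.verified.append(rel)
    report.unlisted = sorted(delivered - set(checklist))
    return report


def demo() -> HandoverReport:
    """Constructed sample: one intact file, one altered, one missing, one unlisted."""
    intended = {  # what the checklist says the provider owes us
        "db/export.sql": b"CREATE TABLE citizens (id INT, name TEXT);\n",
        "archive/2013.csv": b"id,name\n1,alice\n",
        "logs/access.log": b"2014-09-03 portal GET /index 200\n",
    }
    checklist = {rel: (hashlib.sha256(data).hexdigest(), len(data))
                 for rel, data in intended.items()}
    delivered = {  # what actually came back: same length edit, one file gone, one extra
        "db/export.sql": intended["db/export.sql"],
        "archive/2013.csv": b"id,name\n1,ALICE\n",
        "extra/notes.txt": b"left behind by the provider\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in delivered.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)
        return verify_handover(root, checklist)


if __name__ == "__main__":
    r = demo()
    print("complete:", r.complete)
    for label in ("verified", "missing", "corrupted", "unlisted"):
        print(f"{label}: {getattr(r, label)}")
```

Keep the checklist on the customer side (agreed at contract time or exported before the exit request, not generated from the returned copy), otherwise the comparison only proves that the files match themselves. For encrypted archives, decrypt to a working directory first and run the check on the plaintext, which is what b) asks for.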
9.4 Safely deleting data
After the customer exits the cloud computing service, the cloud service provider
shall still be required to securely process the customer data and assume
relevant responsibilities and obligations. The customer shall take the following
measures.
a) After exiting the service, the cloud service provider is required to securely
...