Search result: GB/T 31167-2023 (GB/T 31167-2014, older version)
Standard ID | Contents [version] | USD | Delivery | Standard title (description) | Status
GB/T 31167-2023 | English | 599 | 5 days [needs to be translated] | Information security technology - Security guidance for cloud computing services | Valid
GB/T 31167-2014 | English | 150 | 0-9 seconds, auto-delivery | Information security technology - Security guide of cloud computing services | Obsolete
Standard ID: GB/T 31167-2023 (GB/T31167-2023)
Description (translated English): Information security technology - Security guidance for cloud computing services
Sector / Industry: National Standard (Recommended)
Classification of Chinese Standard: L80
Classification of International Standard: 35.030
Word count estimation: 29,214
Date of issue: 2023-05-23
Date of implementation: 2023-12-01
Older standard (superseded by this standard): GB/T 31167-2014
Drafting organizations: Sichuan University, University of Science and Technology of China, Beijing Information Security Evaluation Center, Huawei Technologies Co., Ltd., China Electronics Standardization Institute, Beijing Tianrongxin Network Security Technology Co., Ltd., National Information Technology Security Research Center, China Cybersecurity Review Technology and Certification Center, China Mobile Communications Group Co., Ltd., Shaanxi Provincial Information Technology Engineering Research Institute, National Industrial Information Security Development Research Center, Inspur Cloud Information Technology Co., Ltd., Sangfor Technology Co., Ltd., China Information Technology Security Evaluation Center (Beijing), Hangzhou Anheng Information Technology Co., Ltd., the 30th Research Institute of China Electronics Technology Group Corporation, Huaxin Consulting Design and Research Institute Co., Ltd., China Power Great Wall Internet System Application Co., Ltd., Chengdu Shudao Yixin Technology Co., Ltd., New H3C Technology Co., Ltd.
Administrative organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Proposing organization: National Information Security Standardization Technical Committee (SAC/TC 260)
Issuing agency(ies): State Administration for Market Regulation; National Standardization Management Committee
GB/T 31167-2023: Information security technology - Security guidance for cloud computing services
ICS 35.030
CCS L80
National Standard of the People's Republic of China
Replacing GB/T 31167-2014
Information security technology - Security guidance for cloud computing services
Issued on 2023-05-23
Implemented on 2023-12-01
Issued by the State Administration for Market Regulation and the National Standardization Management Committee
Table of contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Abbreviations
5 Cloud computing service security management
5.1 Overview
5.2 Responsibilities for security management when using cloud computing services
5.3 Basic principles of cloud computing service security management
5.4 Cloud computing service life cycle security management
6 Planning preparation
6.1 Overview
6.2 Data classification
6.3 Business classification
6.4 Security capability level
6.5 Requirements analysis
6.6 Forming a decision report
7 Selecting a cloud service provider and deployment
7.1 Cloud service provider security capability requirements
7.2 Selecting a cloud service provider
7.3 Security considerations in contracts
7.4 Deployment
8 Operation supervision
8.1 Overview
8.2 Roles and responsibilities of cloud service providers and customers in operation supervision
8.3 Customer's own operation supervision
8.4 Operation supervision of cloud service providers
9 Exiting services
9.1 Exit requirements
9.2 Determining the scope of data transfer
9.3 Verifying data integrity
9.4 Securely deleting data
Appendix A (informative) Example of security responsibility division
Appendix B (informative) Cloud computing security risks
Bibliography
Foreword
This document was drafted in accordance with GB/T 1.1-2020 "Directives for standardization - Part 1: Rules for the structure and drafting of standardizing documents".
This document replaces GB/T 31167-2014 "Information security technology - Security guide of cloud computing services". Compared with GB/T 31167-2014, in addition to structural adjustments and editorial changes, the main technical changes are as follows:
--- Changed the scope of application from "government departments" to "customers" (see Chapter 1; Chapter 1 of the 2014 edition);
--- Added GB/T 32400-2015 (see Chapter 3), GB/T 36325-2018 (see 7.3.3) and GB/T 37972-2019 (see 8.1) as normative references;
--- Added and changed some terms (see Chapter 3; Chapter 3 of the 2014 edition);
--- Added the chapter "Abbreviations" (see Chapter 4);
--- Deleted "Cloud computing overview" (see Chapter 4 of the 2014 edition);
--- Added references to "cloud capability type" and "cloud service category" (full text);
--- Moved "5.2 Cloud computing security risks" of the 2014 edition into an informative appendix (see Appendix B);
--- Incorporated the content of 5.3 of the 2014 edition into "5.2.1 Roles and responsibilities", and added "cloud service security provider" as a new role in cloud computing service security management (see 5.2.1);
--- Added guidance and examples on the "division of security responsibilities" (see 5.2.2 and Appendix A);
--- Changed "review" to "assessment" to unify naming with related documents (full text);
--- Deleted "benefit assessment" (see 6.2 of the 2014 edition);
--- Changed the title and content of "6.3 Classification of government information" of the 2014 edition (see 6.2);
--- Deleted the technical content related to "sensitive information" and "public information" (see 6.3.2 and 6.3.3 of the 2014 edition);
--- Changed the title "Classification of government business" to "Business classification" to expand the scope of business (see 6.3; 6.4 of the 2014 edition);
--- Changed the conditions for key business in the business classification (see 6.3.4; 6.4.4 of the 2014 edition);
--- Deleted the content on "priority determination" (see 6.5 of the 2014 edition);
--- Changed the security protection requirements and proposed three security capability levels (see 6.4; 6.6 of the 2014 edition);
--- Changed Figure 3 of the 2014 edition, adding key business types and the advanced security capability level (see Figure 2);
--- Deleted "6.7.1 Overview" (see 6.7.1 of the 2014 edition);
--- Changed the title and content of "6.7.2 Service modes" of the 2014 edition, so that the scope of control is divided by cloud capability type rather than by service mode (see 6.5.1);
--- Changed Figure 4 of the 2014 edition, replacing service modes with cloud capability types (see Figure 3);
--- Added consideration of business system integration requirements to guide customers during migration (see 6.5.7; 6.7.8 of the 2014 edition);
--- Changed the technical content of "6.7.9 Data storage location" of the 2014 edition (see 6.5.8);
--- Changed the content of "7.1 Security capability requirements for cloud service providers": for specific requirements, refer to GB/T 31168-2023 (see 7.1; 7.1 of the 2014 edition);
--- Deleted 7.1.1 to 7.1.10 of the 2014 edition;
--- Merged the content of 7.2.2 of the 2014 edition into 7.2 (see 7.2; 7.2 of the 2014 edition);
--- Added references to relevant service level agreement documents (see 7.3.3; 7.3.3 of the 2014 edition);
--- Changed the content of "8.1 General", introducing GB/T 37972-2019 to guide the operation supervision activities of cloud service providers and operation supervisors (see 8.1; 8.1 of the 2014 edition);
--- Changed the content of "8.2.1 Overview", emphasizing that responsibility for the operation supervision of a cloud service security provider is borne by the party that introduces it (see 8.2.1; 8.2.1 of the 2014 edition);
--- Added responsibilities of customers in operation supervision (see 8.2.2; 8.2.2 of the 2014 edition);
--- Added types of major changes (see 8.4.3; 8.4.2 of the 2014 edition);
--- Added types of security events (see 8.4.4; 8.4.3 of the 2014 edition);
--- Added "Migration principles", which sets out the principles customers should require cloud service providers to follow when migrating data (see 9.2.1);
--- Changed "9.2 Determining the scope of transfer" of the 2014 edition to "9.2.2 Scope of transfer" (see 9.2.2);
--- Deleted "3) Media that have stored sensitive information shall not be used to store public information" (see 9.4 of the 2014 edition);
--- Turned the footnote to measure c) of "9.4 Securely deleting data" of the 2014 edition into a note to measure c) (see 9.4).
Please note that some of the contents of this document may be the subject of patents. The issuing agency of this document assumes no responsibility for identifying any such patents.
This document was proposed by and is under the jurisdiction of the National Information Security Standardization Technical Committee (SAC/TC 260).
This document was drafted by: Sichuan University, University of Science and Technology of China, Beijing Information Security Evaluation Center, Huawei Technologies Co., Ltd., China Electronics Standardization Institute, Beijing Tianrongxin Network Security Technology Co., Ltd., National Information Technology Security Research Center, China Cybersecurity Review Technology and Certification Center, China Mobile Communications Group Co., Ltd., Shaanxi Provincial Information Technology Engineering Research Institute, National Industrial Information Security Development Research Center, Inspur Cloud Information Technology Co., Ltd., Sangfor Technology Co., Ltd., China Information Technology Security Evaluation Center (Beijing), Hangzhou Anheng Information Technology Co., Ltd., the 30th Research Institute of China Electronics Technology Group Corporation, Huaxin Consulting Design and Research Institute Co., Ltd., China Electric Great Wall Internet System Application Co., Ltd., Chengdu Shudao Yixin Technology Co., Ltd., New H3C Technology Co., Ltd., Tencent Cloud Computing (Beijing) Co., Ltd.
The main drafters of this document: Chen Xingshu, Zhou Yachao, Wang Qixu, Min Jinghua, Yang Miaomiao, Luo Yonggang, Zhang Jianjun, Yang Jianjun, Zuo Xiaodong, Liu Haifeng, Zhang Bin, Jiang Weiqiang, Li Yuan, Yan Minrui, Wang Yan, Wang Huili, Zhang Mingming, Zhang Yong, Lu Xia, Wu Yang, Chen Xuehong, Shi Dawei, Liu Caiyun, Zhang Min, Qiu Qin, Wu Fuwei, Zhang Xiaofei, Zhao Dandan, Wang Yalu, Liu Junhe, Zhang Jiancong, Chen Jing, Wan Xiaolan, Ma Hongjun, Zhang Ge, Dong Ping, Yu Le, Yin Libo, Zhao Zhangjie, Zhu Yi, Qiu Yunxiang, Wang Yongxia.
The release history of this document and the documents it replaces is as follows:
--- first published in 2014 as GB/T 31167-2014;
--- this is the first revision.
Introduction
This document and GB/T 31168-2023 "Information security technology - Security capability requirements of cloud computing services" together constitute the basic documents on cloud computing service security. GB/T 31168-2023 describes the security capabilities that cloud service providers shall have when providing cloud computing services to customers; this document proposes the security management and technical measures that customers shall take when using cloud computing services.
This document guides customers in carrying out preliminary analysis and planning for cloud computing services, selecting an appropriate cloud service provider and deployment mode, supervising the operation of cloud computing services, and avoiding security risks when exiting cloud computing services or changing cloud service providers. It guides customers in adopting corresponding security technical and management measures throughout the life cycle of cloud computing services, so as to ensure the security of data and business and to use cloud computing services securely.
Information security technology - Security guidance for cloud computing services
1 Scope
This document puts forward the basic principles of security management for customers adopting cloud computing services, gives the security management and technical measures for each stage of the cloud computing service life cycle, and proposes the principles of cloud computing service security management and the division of related responsibilities.
This document is applicable to guiding customers in securely adopting cloud computing services.
2 Normative references
The contents of the following documents constitute essential provisions of this document through normative references in the text. For dated references, only the version corresponding to that date applies to this document; for undated references, the latest version (including all amendments) applies to this document.
GB/T 25069-2022 Information security technology - Terminology
GB/T 31168-2023 Information security technology - Security capability requirements of cloud computing services
GB/T 32400-2015 Information technology - Cloud computing - Overview and vocabulary
3 Terms and definitions
The terms and definitions defined in GB/T 25069-2022 and GB/T 32400-2015, and the following, apply to this document.
3.1
cloud computing
Mode of accessing scalable and elastic pools of shared physical or virtual resources through a network, with self-service provisioning and management of resources on demand.
Note: Examples of resources include servers, operating systems, networks, software, applications and storage devices.
[Source: ISO/IEC 17788:2014, 3.2.5]
3.2
cloud service
Capability to provide one or more resources through cloud computing (3.1) using defined interfaces.
[Source: ISO/IEC 17788:2014, 3.2.8, modified]
3.3
party
Natural person or legal person, whether incorporated or not, or a group of such persons.
[Source: GB/T 32400-2015, 3.1.6, modified]
3.4
cloud service provider
Party that provides cloud computing services.
[Source: GB/T 32400-2015, 3.2.15, modified]
......
GB/T 31167-2014
GB
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
ICS 35.040
L 80
Information security technology - Security guide of cloud computing services
Issued on: September 3, 2014
Implemented on: April 1, 2015
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Cloud computing overview
4.1 Main features of cloud computing
4.2 Service modes
4.3 Deployment modes
4.4 Advantages of cloud computing
5 Risk management of cloud computing
5.1 General
5.2 Cloud computing security risks
5.3 Main roles and responsibilities of cloud computing service security management
5.4 Basic requirements for cloud computing service security management
5.5 Life cycle of cloud computing services
6 Planning preparation
6.1 General
6.2 Benefit assessment
6.3 Classification of government information
6.4 Classification of government business
6.5 Priority determination
6.6 Security protection requirements
6.7 Demand analysis
6.8 Forming a decision report
7 Selecting service providers and deployment
7.1 Security capability requirements for cloud service providers
7.2 Determining the cloud service provider
7.3 Security considerations in contracts
7.4 Deployment
8 Operational supervision
8.1 General
8.2 Role and responsibilities of operational supervision
8.3 Customers' own operational supervision
8.4 Operational supervision of cloud service providers
9 Exiting services
9.1 Exit request
9.2 Determining the scope of data handover
9.3 Verifying the integrity of data
9.4 Safely deleting data
Bibliography
Information security technology -
Security guide of cloud computing services
1 Scope
This Standard describes the main security risks that cloud computing may face,
proposes the basic requirements for the security management of cloud
computing services by government departments and the security management
and technical requirements for each phase of the life cycle of cloud computing
services.
This Standard provides safety guidance throughout the life cycle for
government departments to adopt cloud computing services, especially
socialized cloud computing services. It is applicable for government
departments to purchase and use cloud computing services, and can also be
used for reference by key industries and other enterprises and institutions.
2 Normative references
The following referenced documents are indispensable for the application of
this document. For dated references, only the edition cited applies. For undated
references, the latest edition of the referenced document (including any
amendments) applies.
GB/T 25069-2010 Information security technology glossary
GB/T 31168-2014 Information security technology - Security capability
requirements of cloud computing services
3 Terms and definitions
For the purpose of this document, the following terms and definitions and those
defined in GB/T 25069-2010 apply.
3.1
cloud computing
A mode of accessing scalable, flexible physical or virtual shared resource pools via a network, and acquiring and managing resources on demand in a self-service manner.
4.2 Service modes
According to the types of resources provided by the cloud service provider,
cloud service modes can be divided into three main categories.
a) Software as a Service (SaaS). In SaaS mode, the cloud service provider
provides customers with applications running on the cloud computing
infrastructure. Customers do not need to purchase or develop software.
They can use the client (such as a web browser) or program interface on
different devices to access and use the applications provided by the cloud
service provider via internet, such as email system and collaborative office
system. Customers usually cannot manage or control low-level resources,
such as networks, servers, operating systems, storage, etc., that support
the operation of applications, but they may have limited configuration
management of applications.
b) Platform as a Service (PaaS). In PaaS mode, the cloud service provider
provides customers with software development and operation platforms
running on the cloud computing infrastructure, such as standard
languages and tools, data access, general interfaces, etc. Customers can
use the platform to develop and deploy their own software. Customers
usually cannot manage or control the low-level resources, such as
networks, servers, operating systems, storage, etc., required to support
the platform, but they can configure the application's operating
environment and control the applications deployed by themselves.
c) Infrastructure as a Service (IaaS). In IaaS mode, the cloud service
provider provides computing resources such as virtual machines, storage,
and networks to customers, and provides service interfaces to access the
cloud computing infrastructure. Customers can deploy or run operating
systems, middleware, databases and applications on these resources.
Customers usually cannot manage or control the cloud computing
infrastructure, but they can control the operating systems, storage, and
applications deployed by themselves, as well as partially control the
network components they use, such as host firewalls.
4.3 Deployment modes
Depending on the range of customers using the cloud computing platform, cloud computing is divided into four deployment modes: private cloud, public cloud, community cloud and hybrid cloud.
a) Private cloud. The cloud computing platform is only available to a specific
customer. The cloud computing infrastructure of the private cloud can be
owned, managed and operated by the cloud service provider, this private
cloud is called off-site private cloud (or outsourced private cloud). It can
cloud service provider, and the cloud service provider has the ability to access,
utilize or manipulate the customer data.
After migrating data and business systems to the cloud computing platform,
security relies heavily on cloud service providers and the security measures
they take. Cloud service providers usually regard the security measures and
status of cloud computing platforms as intellectual property rights and trade
secrets. In the absence of the necessary right to know, it is difficult for
customers to understand and master the implementation and operation status
of cloud service providers' security measures; it is difficult to effectively
supervise and manage these security measures; it cannot effectively supervise
the unauthorized access and use of customer data by internal personnel of
cloud service providers; it increases the risk of customer data and services.
5.2.2 Responsibilities between customers and cloud service providers are difficult to define
In the traditional mode, responsibility for information security is relatively clear, following the principle that whoever is in charge is responsible, whoever operates is responsible, and whoever uses is responsible. In the cloud computing mode, the entity that manages and operates the cloud computing platform is different from the entity responsible for data security, and there are no clear rules on how their mutual responsibilities are defined. Different service modes and deployment modes, together with the complexity of the cloud computing environment, further increase the difficulty of defining responsibilities between cloud service providers and customers.
Cloud service providers may also purchase and use services from other cloud
service providers. For example, cloud service providers that provide SaaS
services may build their services on PaaS or IaaS of other cloud service
providers, which makes the responsibility more difficult to define.
5.2.3 Jurisdiction issues are possible
In the cloud computing environment, the actual storage location of data is often not controlled by the customer, and the customer's data may be stored in an overseas data center, changing the jurisdiction over the data and business.
NOTE: Governments of some countries may require cloud service providers to provide access to these data centers in accordance with national laws, and may even require cloud service providers to hand over data held in data centers in other countries.
5.2.4 Data ownership protection is at risk
adopting cloud computing services, determine their own data and business types, determine whether it is suitable to adopt cloud computing services, determine the security capability requirements of cloud computing services according to the types of data and business, carry out demand analysis, and form a decision report according to the characteristics of cloud computing services.
5.5.3 Selecting service providers and deployment
In the selecting service providers and deployment stage, customers shall select
cloud service providers according to security requirements and security
capabilities of cloud computing services, negotiate contracts with cloud service
providers (including service level agreement, security requirements,
confidentiality requirements, etc.), complete the deployment or migration of
data and business to the cloud computing platform.
5.5.4 Operational supervision
In the operational supervision stage, customers shall guide and supervise cloud
service providers to fulfill their contractual obligations and responsibilities, guide
business system users to comply with government information system security
management policies and standards, and jointly maintain data, business and
cloud computing environment security.
5.5.5 Exiting services
When exiting cloud computing services, customers shall require cloud service
providers to fulfill relevant responsibilities and obligations, and ensure that the
data and business security in the exiting cloud computing service stage, such
as safely returning customer data and completely eliminating customer data on
the cloud computing platform.
When the cloud service provider needs to be changed, the customer shall
select a new cloud service provider according to the requirements, and focus
on the data and business security during the cloud computing service migration
process; the original cloud service provider shall also be required to fulfill
related responsibilities and obligations.
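An added illustration for the data-return step described above, not text of the standard: a Python check a customer can run on exit to verify the integrity of data handed back by the cloud service provider. It assumes the customer took a manifest of SHA-256 digests and sizes over its own export before handover and kept that manifest, together with its fingerprint, outside the provider's reach; the file names and contents below are constructed for the demonstration.

```python
"""Integrity check of customer data returned by a cloud service provider on
exit. Added illustration, not text of GB/T 31167. The customer records a
manifest (path, size, SHA-256) of its data before handover, keeps the manifest
and its fingerprint outside the provider's reach, and checks the returned copy
against it. Sample files are constructed in a temporary directory."""
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so multi-gigabyte exports need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root: Path) -> Dict[str, Dict[str, object]]:
    """Relative POSIX path -> {sha256, size} for every regular file under root."""
    manifest: Dict[str, Dict[str, object]] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            manifest[path.relative_to(root).as_posix()] = {
                "sha256": sha256_file(path),
                "size": path.stat().st_size,
            }
    return manifest


def manifest_fingerprint(manifest: Dict[str, Dict[str, object]]) -> str:
    """Digest of the canonical JSON form; record it out of band so the
    manifest cannot be swapped along with the data it protects."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def verify_returned_data(root: Path, manifest: Dict[str, Dict[str, object]]) -> Dict[str, object]:
    """Compare the returned tree with the manifest. Anything missing, altered
    or unexpected is a finding to settle with the provider before sign-off."""
    returned = build_manifest(root)
    expected_paths, returned_paths = set(manifest), set(returned)
    missing: List[str] = sorted(expected_paths - returned_paths)
    unexpected: List[str] = sorted(returned_paths - expected_paths)
    modified: List[str] = sorted(
        p for p in expected_paths & returned_paths
        if returned[p]["sha256"] != manifest[p]["sha256"]
    )
    return {
        "ok": not (missing or unexpected or modified),
        "missing": missing,
        "modified": modified,
        "unexpected": unexpected,
    }


def demo() -> Dict[str, object]:
    """Constructed scenario: one file intact, one altered, one dropped, one added."""
    with tempfile.TemporaryDirectory() as tmp:
        export = Path(tmp) / "export"
        returned = Path(tmp) / "returned"
        (export / "db").mkdir(parents=True)
        (export / "config.yaml").write_bytes(b"region: cn-north\n")
        (export / "db" / "customers.csv").write_bytes(b"id,name\n1,alice\n")
        (export / "db" / "orders.csv").write_bytes(b"id,total\n1,42\n")

        manifest = build_manifest(export)          # taken before handover
        kept_fingerprint = manifest_fingerprint(manifest)

        (returned / "db").mkdir(parents=True)
        (returned / "config.yaml").write_bytes(b"region: cn-north\n")
        (returned / "db" / "customers.csv").write_bytes(b"id,name\n1,alice\n2,bob\n")
        (returned / "README.txt").write_bytes(b"provided by CSP\n")

        # the manifest we kept must itself be unchanged before we trust it
        assert manifest_fingerprint(manifest) == kept_fingerprint
        return verify_returned_data(returned, manifest)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

On a real exit, point the two functions at the actual export and the returned tree instead of the temporary directories. A non-empty missing, modified or unexpected list is a finding to resolve with the provider before the handover is accepted, and before secure deletion on the platform is requested, because that deletion cannot be undone.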
6 Planning preparation
6.1 General
5.2 explains the security risks and new problems faced by cloud computing.
Cloud computing services are not suitable for all customers, and not all
applications are suitable for deployment to cloud computing environments.
measures are implemented by the cloud service provider.
b) In PaaS mode, the security measures of the software platform layer are
shared between the customer and the cloud service provider. The
customer is responsible for the security of the applications developed and
deployed by himself and the operating environment, and other security
measures are implemented by the cloud service provider.
c) In IaaS mode, the security measures of the virtualized computing resource
layer are shared by the customer and the cloud service provider. The
customer is responsible for the security of the operating system, operating
environment and applications deployed by himself. The cloud service
provider is responsible for the security of the virtual machine monitor and
the underlying resources.
The lower three layers in Figure 4 are the facility layer, the hardware layer and the resource abstraction and control layer. The facility layer and the hardware layer are the physical elements of the cloud computing environment. The facility layer mainly includes heating, ventilation, air conditioning, power and communications. The hardware layer includes all physical computing resources, such as servers, networks (routers, firewalls, switches, network connections and interfaces), storage components (hard disks) and other physical computing components. The resource abstraction and control layer implements software abstraction of the physical computing resources through virtualization or other software technologies, and manages access to those resources through software components for resource allocation, access control and usage monitoring. In all service modes, these three layers are under the full control of the cloud service provider, and all of their security measures are implemented by the cloud service provider.
The upper three layers in Figure 4 form the logical elements of the cloud
computing environment by the application software layer, the software platform
layer and the virtualized computing resource layer. The virtualized computing
resource layer provides customers with access to computing resources such
as virtual machines, virtual storage and virtual networks through service
interfaces. The software platform layer provides customers with compilers,
libraries, tools, middleware and other software tools and components for
application development and deployment. The application software layer
provides customers with the application software required by the business
system, and customers access these application software through clients or
program interfaces.
Customers can choose the service mode according to the characteristics of
different service modes and the security management requirements of their
own data and business systems, combined with their own technical capabilities,
pay for the resources used by the business system.
Customers shall prioritize the deployment or migration of businesses with
dynamic and periodic changes in resources to the cloud computing platform,
which may save money while meeting business performance requirements.
6.7.6 Delay
Delay is the time taken for the cloud computing environment to complete a request, including the time needed to transmit the customer's request to the cloud computing environment and to return the result, plus the processing time within the cloud computing environment. Different types of applications differ significantly in the delay they require of a cloud computing service. For example, e-mail usually tolerates short service interruptions and large network delays, whereas automation and real-time applications generally have much stricter delay requirements.
Customers shall analyze in detail the response-speed requirements of the business system, to determine the tolerance of the business itself for delay and possible remedies. Before deploying or migrating data and business to the cloud computing platform, indicator requirements such as response time and the transmission performance for large volumes of data shall be considered.
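As an added illustration of the delay analysis described above (not part of the standard), the following Python computes the response-time indicators a decision report would quote and checks them against an application's tolerance. The request samples and the tolerance figures for the two application classes the clause contrasts are constructed assumptions.

```python
"""Latency tolerance analysis for a business system under consideration for
cloud deployment. Added illustration (not text of GB/T 31167); the request
samples are constructed, not measured, and the tolerance figures are
assumptions for the two application classes the clause contrasts."""
import math
from dataclasses import dataclass
from typing import Dict, List, Sequence, Tuple


@dataclass(frozen=True)
class RequestSample:
    """One end-to-end request, split into the two components the clause names."""
    network_ms: float      # request to the cloud plus the response back
    processing_ms: float   # time spent inside the cloud environment

    @property
    def total_ms(self) -> float:
        return self.network_ms + self.processing_ms


# Constructed samples (20 requests); the tail is deliberately heavy.
SAMPLES: List[RequestSample] = [
    RequestSample(n, p) for n, p in [
        (30, 10), (32, 12), (35, 15), (40, 20), (45, 25), (50, 30), (55, 35),
        (60, 40), (65, 45), (70, 50), (75, 55), (80, 60), (85, 65), (90, 70),
        (95, 75), (100, 80), (120, 90), (150, 100), (200, 110), (400, 120),
    ]
]

# Assumed tolerances (ms) at the 95th percentile: e-mail tolerates long
# delays, a real-time control application does not.
TOLERANCE_MS: Dict[str, float] = {"email": 2000.0, "realtime_control": 100.0}


def percentile(values: Sequence[float], p: float) -> float:
    """Nearest-rank percentile: always an observed value, never interpolated,
    so one pathological request cannot be averaged away."""
    if not values:
        raise ValueError("no samples")
    data = sorted(values)
    rank = max(1, min(len(data), math.ceil(p * len(data) / 100)))
    return data[rank - 1]


def latency_profile(samples: Sequence[RequestSample]) -> Dict[str, float]:
    """The indicators a decision report would quote for response time."""
    totals = [s.total_ms for s in samples]
    return {
        "p50_ms": percentile(totals, 50),
        "p95_ms": percentile(totals, 95),
        "p99_ms": percentile(totals, 99),
        "max_ms": max(totals),
        # share of end-to-end time spent on the network path
        "network_share": sum(s.network_ms for s in samples) / sum(totals),
    }


def assess_tolerance(samples: Sequence[RequestSample], tolerance_ms: float,
                     p: float = 95) -> Tuple[bool, float, str]:
    """Does the observed p-th percentile meet the business tolerance? On a
    breach, report which component dominates so the remedy targets it."""
    observed = percentile([s.total_ms for s in samples], p)
    if observed <= tolerance_ms:
        return True, observed, "none"
    net = percentile([s.network_ms for s in samples], p)
    proc = percentile([s.processing_ms for s in samples], p)
    if net >= proc:
        remedy = "network path: region/zone placement, bandwidth, dedicated link"
    else:
        remedy = "cloud processing: instance sizing, caching, architecture"
    return False, observed, remedy


if __name__ == "__main__":
    print(latency_profile(SAMPLES))
    for app, tol in TOLERANCE_MS.items():
        print(app, assess_tolerance(SAMPLES, tol))
```

Nearest-rank percentiles are used so that every reported figure is a request time that was actually observed. The network share and the component comparison tell the customer whether a breach should be addressed on the network path or in the provider's processing, which is the decision "possible remedies" in the clause asks for.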
6.7.7 Business continuity
Whether a cloud computing service will be interrupted, and whether it can continue to be accessed, depends on many factors, including the network, the cloud computing platform and the cloud service provider.
Network dependence. Cloud computing services rely on networks such as the Internet; customers access the services through a network connection that must be continuously available. Network dependence means that every application is, in effect, a network application, and the network path from the customer to the cloud computing platform is usually more complex than the customer's internal local area network.
Platform dependence. Despite the high reliability of professional cloud computing platforms, platform failures and service interruptions cannot be completely avoided, owing to human factors (such as malicious attacks or administrator errors) and natural disasters (such as floods, typhoons and earthquakes).
Cloud service provider dependence. When using self-own systems, even if the
hardware and software provider suspends technical support, after-sales service
or business, customers may not be affected immediately and can continue to
c) Cloud computing service mode and deployment mode selection. Analyze
the security measures implementation boundaries and management
boundaries of customers and cloud service providers;
d) Risk analysis. Analyze the security threats that may be encountered after
data and business are deployed to the cloud computing environment, and
propose countermeasures;
e) Functional requirement analysis. Analyze the resource requirements in
different modes, the backup and recovery capabilities of data, the storage
location of backup data, the data transmission mode and network
bandwidth requirements, and the data interaction requirements between
the business to be deployed on the cloud computing platform and other
systems;
f) Performance requirements analysis. Mainly analyze indicators such as availability, reliability, resilience, transaction response time and throughput rate;
g) Security requirements. Determine the security capability requirements of
the cloud computing service based on the classification results of the
information and business to be deployed to the cloud computing platform;
h) Business continuity requirements. After the business system is migrated
to the cloud computing platform, the original system can operate in parallel
with the business system migrated to the cloud computing platform for a
period of time;
i) A preliminary plan of exiting cloud computing services or changing cloud
service providers;
j) A plan for security awareness, technical and management training for
relevant customer personnel;
k) Leaders and working departments responsible for adopting cloud
computing services of the organization and their responsibilities;
l) Other important issues that shall be considered in the procurement and
use of cloud computing services.
7 Selecting service providers and deployment
7.1 Security capability requirements for cloud service providers
Cloud service providers that provide cloud computing services to customers
shall have the following 10 aspects of security capabilities.
necessary information needed to properly perform their job duties;
d) When a third party requests disclosure of the information in c) or of
sensitive customer information, the request shall be refused and reported
immediately;
e) Activities or practices that violate, or may result in violations of,
agreements, regulations, procedures, policies or laws shall be reported
immediately upon discovery;
f) After the contract is completed, the cloud service provider shall return the
information and customer data in c), and specify the specific requirements
and contents of the return;
g) Define the validity period of the confidentiality agreement.
7.3.5 Information security related contents in contracts
When signing a contract with a cloud service provider, the customer shall fully
consider the security risks that the cloud computing service may face, specify
the management, technical and personnel requirements through the contract,
and require the cloud service provider to provide the customer with secure and
reliable services. The contract shall include at least the following information
security related contents.
a) The responsibility and obligations of the cloud service provider, including
but not limited to all the contents of 7.3.2. If other parties participate, the
responsibilities and obligations of other parties shall be clarified;
b) The technical and management standards that the cloud service provider
shall comply with;
c) The service level agreement, clarifying the customer's specific
performance requirements, security requirements, etc.;
d) The confidentiality clauses, including those who have access to customer
information, especially sensitive information;
e) The responsibility and obligation of the customer to protect the intellectual
property rights of the cloud service provider;
f) The conditions for the termination of the contract and the responsibilities
and obligations of the cloud service provider after the termination of the
contract;
g) If data interaction between the business system in the cloud computing
platform and other business systems of the customer is needed, the
a) the responsibilities and obligations specified in the contract and related
policies and regulations are implemented, and the technical standards are
effectively implemented;
b) the quality of service meets the contract requirements;
c) the security of customer data and businesses in the event of significant
changes;
d) respond to security incidents in a timely and effective manner.
8.2 Role and responsibilities of operational supervision
8.2.1 General
Customers shall strengthen the operational supervision of cloud service
providers and themselves in accordance with contracts, rules and regulations
and standards. Cloud service providers and third party assessment
organizations shall actively participate and cooperate. Customers and cloud
service providers shall clearly identify the person responsible for the operational
supervision and his contact information.
8.2.2 Supervision responsibilities of customers
The responsibilities of customers in operational supervision activities are as
follows.
a) supervise cloud service providers to strictly abide by the various
responsibilities and obligations specified in the contract, and consciously
abide by the rules and regulations and standards related to government
information security;
b) assist cloud service providers in handling major information security
incidents;
c) conduct annual security checks on the cloud computing platform of the
cloud service provider in accordance with the government information
system security inspection requirements;
d) under the support of cloud service providers, supervise the following
aspects.
1) service operating status;
2) performance indicators, such as resource usage;
3) special security needs;
handover of the non-generic-format files;
b) Program code. For customer-customized functions or business systems,
whether executable programs, source code and technical materials are to
be handed over is defined in the contract or other agreements; these may
include executable programs, source code, functional descriptions,
design documentation, descriptions of the development and operating
environment, maintenance manuals, user manuals, etc.;
c) Other data. According to the prior agreement and the negotiation between
the two parties, determine other data that shall be handed over, including
relevant data collected and counted during the operation of the customer's
business, such as customer behavior habit statistics and network traffic
characteristics of the cloud computing service;
d) Documentation. The various documents provided by the customer to the
cloud service provider during the use of the cloud computing service, and
relevant materials related to the customer jointly completed by the two
parties.
9.3 Verifying the integrity of data
The customer shall verify the integrity of the data returned by the cloud service
provider. In order to obtain the complete data, the customer shall take the
following measures.
a) Require the cloud service provider to return the customer data in full
according to the handover data checklist, paying special attention to
historical data and archived data;
b) Supervise the process by which the cloud service provider returns
customer data and verify the validity of the returned data. Decrypt
encrypted data and verify it; restore generic-format data with the
appropriate tools and verify it;
c) The validity and integrity of the data can be verified by the business system,
e.g. by deploying the data and business systems on a new platform for
verification.
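The checklist-driven verification in a) and b) above can be mechanised: before
exiting the service the customer records the path, size and SHA-256 of every
object it expects back, and after handover each returned object is compared
against that record. The following script is an added example written for this
page; it is not part of GB/T 31167-2023 and is not code from any cloud service
provider. The file names, contents and the altered/missing/extra objects in the
demo are constructed test data. Objects returned in encrypted form must be
decrypted before hashing, which the optional `decrypt` hook is for; the hook
name and signature are this example's own assumption.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class ChecklistEntry:
    """One line of the handover data checklist, recorded by the customer
    before exiting the service: path, size and SHA-256 of the plaintext."""
    path: str
    size: int
    sha256: str


@dataclass
class VerificationReport:
    ok: List[str] = field(default_factory=list)
    missing: List[str] = field(default_factory=list)     # on checklist, not returned
    corrupted: List[str] = field(default_factory=list)   # returned, but size/hash differ
    unexpected: List[str] = field(default_factory=list)  # returned, not on checklist

    @property
    def complete(self) -> bool:
        """True only if every checklist object came back intact."""
        return not self.missing and not self.corrupted


def build_checklist(objects: Dict[str, bytes]) -> Dict[str, ChecklistEntry]:
    """Build the handover checklist from the customer's own pre-exit copy."""
    return {
        path: ChecklistEntry(path, len(data), hashlib.sha256(data).hexdigest())
        for path, data in objects.items()
    }


def verify_handover(
    checklist: Dict[str, ChecklistEntry],
    returned: Dict[str, bytes],
    decrypt: Optional[Callable[[str, bytes], bytes]] = None,
) -> VerificationReport:
    """Compare what the provider returned against the checklist.

    `decrypt(path, ciphertext) -> plaintext` is applied before hashing when the
    provider hands data back encrypted (the checklist hashes the plaintext)."""
    report = VerificationReport()
    for path, entry in checklist.items():
        if path not in returned:
            report.missing.append(path)
            continue
        data = returned[path]
        if decrypt is not None:
            data = decrypt(path, data)
        if len(data) != entry.size or hashlib.sha256(data).hexdigest() != entry.sha256:
            report.corrupted.append(path)
        else:
            report.ok.append(path)
    # Extra objects are not a failure, but they are worth a question to the provider.
    report.unexpected = sorted(set(returned) - set(checklist))
    return report


# Constructed sample data: the customer's pre-exit copy (paths and contents invented).
CUSTOMER_COPY: Dict[str, bytes] = {
    "archive/2019/orders.csv": b"id,amount\n1,10.00\n2,25.50\n",   # archived/historical data
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'alice');\n",
    "logs/access.log": b"2023-12-01T10:00:00Z GET /login 200\n",
}

# Constructed sample handover: the archive is not returned, the SQL dump has
# lost its last row, and the provider included a file nobody asked for.
PROVIDER_RETURN: Dict[str, bytes] = {
    "db/customers.sql": b"INSERT INTO customers VALUES (1, 'alice');",
    "logs/access.log": b"2023-12-01T10:00:00Z GET /login 200\n",
    "tmp/provider_notes.txt": b"internal\n",
}


def demo() -> VerificationReport:
    """Run the verification over the constructed sample handover."""
    return verify_handover(build_checklist(CUSTOMER_COPY), PROVIDER_RETURN)


if __name__ == "__main__":
    r = demo()
    print("complete:", r.complete)
    for label, paths in (("ok", r.ok), ("missing", r.missing),
                         ("corrupted", r.corrupted), ("unexpected", r.unexpected)):
        print(f"{label}: {paths}")
```

The checklist must be produced from the customer's own copy before the exit, not
from whatever the provider supplies at handover; a manifest generated by the
provider would only confirm that the provider returned what it chose to return.
Truncated files are the common failure mode for archived and historical data,
which is why size is checked alongside the digest.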
9.4 Safely deleting data
After the customer exits the cloud computing service, the cloud service provider
shall still be required to securely process the customer data and assume
relevant responsibilities and obligations. The customer shall take the following
measures.
a) After exiting the service, the cloud service provider is required to securely
......