1 Scope
This standard specifies the security capabilities that a cloud service provider shall possess when providing cloud computing services to specific customers in a socialized manner.
This standard is applicable to the security management of cloud computing services used by government departments, and may also serve as a reference for cloud computing services used by key industries and other enterprises and institutions. It is also applicable as guidance for cloud service providers in establishing secure cloud computing platforms and providing secure cloud computing services.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the normative document (including any amendments) applies.
GB/T 9361-2011 Safety Requirements for Computation Center Field
GB/T 25069-2010 Information Security Technology - Glossary
GB 50174-2008 Code for Design of Electronic Information System Room
GB/T 31167-2014 Information Security Technology - Security Guide of Cloud Computing Services
3 Terms and Definitions
For the purposes of this document, the terms and definitions specified in GB/T 25069-2010 as well as those listed below apply.
3.1
Cloud computing
A mode of access, through the Internet, to a scalable and elastic pool of shared physical or virtual resources, which may also support self-service acquisition and management of those resources.
Note: Examples of resources include servers, operating systems, networks, software, applications and storage devices.
3.2
Cloud computing service
The capability of providing one or more kinds of resources through defined interfaces by means of cloud computing.
3.3
Cloud service provider
The provider of cloud computing service.
Note: The cloud service provider manages, operates and supports the infrastructure and software of cloud computing, and delivers cloud computing resources through the Internet.
3.4
Cloud service customer
A party that enters into a business relationship with the cloud service provider in order to use cloud computing services.
Note: In this standard the cloud service customer is referred to as the customer for short.
3.5
Cloud computing infrastructure
The infrastructure, composed of hardware resources and resource abstraction and control modules, that supports cloud computing.
Note: Hardware resources include all physical computing resources, namely servers (CPU and memory), storage modules (hard disks), network modules (routers, firewalls, switches, network links and interfaces) and other basic elements of physical computing. The resource abstraction and control modules provide software abstraction of the physical computing resources; through these modules the cloud service provider provides and manages access to the physical computing resources.
3.6
Cloud computing platform
The collection of cloud computing infrastructure and the service software running on it, provided by the cloud service provider.
3.7
Cloud computing environment
The cloud computing platform provided by the cloud service provider, together with the software and related components deployed on that platform by the customer.
3.8
Third Party Assessment Organization; 3PAO
A professional assessment organization that is independent of the interested parties of the cloud computing service.
3.9
External Information System
An information system outside the cloud computing platform.
Note: Generally, the cloud service provider neither owns nor controls an external information system, and does not directly control the application or effectiveness of its security measures.
4 Overview
4.1 Implementation Responsibilities for the Security Measures of Cloud Computing
The cloud service provider and the customer jointly guarantee the security of the cloud computing environment. In some cases the cloud service provider itself relies on other organizations to provide computing resource services, and those organizations shall also bear security responsibilities. There are therefore multiple executing bodies for the security measures of cloud computing, and the security responsibilities of each body are determined by the service mode of the cloud computing service.
There are three major service modes of cloud computing, namely Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). The cloud service provider and the customer have different scopes of control over computing resources under each service mode, and the scope of control determines the boundary of security responsibility. As shown in Figure 1, the arrows on both sides represent the scope of control of the cloud service provider and of the customer; in detail:
- In the SaaS mode, the customer is responsible only for the security of its own data and clients, while the cloud service provider shall bear all other security responsibilities.
- In the PaaS mode, security responsibility for the software platform layer is shared between the customer and the cloud service provider. The customer is responsible for the security of the applications it develops and deploys and of their runtime environment; the cloud service provider shall be responsible for all other security.