1 Scope
This standard specifies the security technology capabilities that a cloud service provider shall possess when providing cloud computing services to specific customers in a socialized manner.
This standard is applicable to the security management of cloud computing services used by government departments, and may also serve as a reference for cloud computing services used by key industries and other enterprises and institutions. It is also applicable for guiding cloud service providers in establishing secure cloud computing platforms and providing secure cloud computing services.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the normative document (including any amendments) applies.
GB/T 9361-2011 Safety Requirements for Computation Center Field
GB/T 25069-2010 Information Security Technology - Glossary
GB 50174-2008 Code for Design of Electronic Information System Room
GB/T 31167-2014 Information Security Technology - Security Guide of Cloud Computing Services
3 Terms and Definitions
For the purposes of this document, the terms and definitions specified in GB/T 25069-2010 as well as those listed below apply.
3.1
Cloud computing
Access through the Internet to an extensible, flexible pool of shared physical or virtual resources, which may also support self-service acquisition and management of those resources.
Note: examples of resources include servers, operating systems, networks, software, applications and storage devices.
3.2
Cloud computing service
The capability to provide one or more kinds of resources by means of a defined interface and cloud computing.
3.3
Cloud service provider
The provider of cloud computing service.
Note: the cloud service provider manages, operates and supports the cloud computing infrastructure and software, and delivers cloud computing resources through the Internet.
3.4
Cloud service customer
The participant that enters into a business relationship with the cloud service provider in order to use the cloud computing service.
Note: in this standard the cloud service customer is referred to as the customer for short.
3.5
Cloud computing infrastructure
The infrastructure, composed of hardware resources and resource abstraction and control modules, that supports cloud computing.
Note: hardware resources include all physical computing resources, including servers (CPU and memory), storage modules (hard disks), network modules (routers, firewalls, switches, network links and interfaces) and other basic elements of physical computing. The resource abstraction and control modules perform software abstraction of the physical computing resources; the cloud service provider provides and manages access to the physical computing resources through these modules.
3.6
Cloud computing platform
The combination of the cloud computing infrastructure and its service software provided by the cloud service provider.
3.7
Cloud computing environment
The cloud computing platform provided by the cloud service provider, together with the software and related components deployed on that platform by the customer.
3.8
Third Party Assessment Organization; 3PAO
A professional assessment organization that is independent of the interested parties of the cloud computing service.
3.9
External Information System
An information system outside the cloud computing platform.
Note: in general, the cloud service provider neither owns nor controls an external information system, and does not directly control the application or effectiveness of its security measures.
4 Overview
4.1 Implementation Responsibilities for the Security Measures of Cloud Computing
The cloud service provider and the customer jointly guarantee the security of the cloud computing environment. In some cases the cloud service provider in turn relies on other organizations to provide computing resource services, and such organizations shall also undertake security responsibilities. Thus there are multiple bodies implementing the security measures of cloud computing, and the security responsibilities of each body are determined according to the cloud computing service mode.
There are three major cloud computing service modes, namely Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). The cloud service provider and the customer have different ranges of control over the computing resources under the different service modes, and the range of control determines the boundary of security responsibility. As shown in Figure 1, the arrows on both sides represent the ranges of control of the cloud service provider and the customer; see below for details:
- Under the SaaS mode, the customer is responsible only for the security of its own data and clients, while the cloud service provider shall undertake all other security responsibilities.
- Under the PaaS mode, the security responsibilities of the software platform layer are shared between the customer and the cloud service provider. The customer is responsible for the security of the applications it develops and deploys and of their runtime environment; the cloud service provider shall be responsible for all other security aspects.
Contents of GB/T 31168-2014
Foreword
Introduction
1 Scope
2 Normative References
3 Terms and Definitions
4 Overview
4.1 Implementation Responsibilities for the Security Measures of Cloud Computing
4.2 Action Range for the Security Measures of Cloud Computing
4.3 Classification of Security Requirements
4.4 Expression Form of Security Requirements
4.5 Adjustment of Security Requirements
4.6 Security Plan
4.7 Structure of This Standard
5 Security of System Development and Supply Chain
5.1 Strategies and Codes
5.2 Resource Distribution
5.3 System Life Cycle
5.4 Procurement Process
5.5 System Documentation
5.6 Security Engineering Principle
5.7 Critical Analysis
5.8 External Information System Service and Relevant Service
5.9 Security System Framework of Developer
5.10 Development Process, Standards and Tools
5.11 Developer Configuration Management
5.12 Security Test and Assessment of Developer
5.13 Training Provided by the Developer
5.14 Tamper Resistance
5.15 Module Factuality
5.16 Unsupported System Module
5.17 Supply Chain Protection
6 Protection of System and Communication
6.1 Strategies and Codes
6.2 Boundary Protection
6.3 Transmission Security and Integrity
6.4 Network Interruption
6.5 Trusted Path
6.6 Password Usage and Management
6.7 Coordinated Computing Device
6.8 Mobile Code
6.9 Session Certification
6.10 Physical Connection of Mobile Device
6.11 Malicious Code Protection
6.12 Memory Protection
6.13 System Virtualization Security
6.14 Network Virtualization Security
6.15 Storage Virtualization Security
7 Access Control
7.1 Strategies and Codes
7.2 User Identification and Authentication
7.3 Device Identification and Authentication
7.4 Identifier Management
7.5 Authentication Certificate Management
7.6 Feedback of Authentication Certificate
7.7 Authentication of Cryptographic Module
7.8 Account Management
7.9 Implementation of Access Control
7.10 Control of Information Flow
7.11 Minimum Privilege
7.12 Unsuccessful Login Attempts
7.13 Notice on Use of System
7.14 Notice on Last Visit
7.15 Concurrent Session Control
7.16 Session Lock-in
7.17 Actions Permitted without Identification and Authentication
7.18 Security Attribute
7.19 Remote Access
7.20 Wireless Access
7.21 Use of External Information System
7.22 Information Sharing
7.23 Content Accessible to the Public
7.24 Data Excavation Protection
7.25 Medium Access and Use
7.26 Service Closure and Data Migration
8 Configuration Management
8.1 Strategies and Codes
8.2 Configuration Management Plan
8.3 Baseline Configuration
8.4 Change Control
8.5 Setting of Configuration Parameters
8.6 Minimum Functional Principle
8.7 Information System Module List
9 Maintenance
9.1 Strategies and Codes
9.2 Controlled Maintenance
9.3 Maintenance Tool
9.4 Remote Maintenance
9.5 Maintenance Personnel
9.6 Timely Maintenance
9.7 Defect Repair
9.8 Security Function Verification
9.9 Integrity of Software, Firmware and Information
10 Emergency Response and Disaster Preparation
10.1 Strategies and Codes
10.2 Event Handling Plan
10.3 Event Handling
10.4 Event Report
10.5 Event Handling Support
10.6 Security Alarm
10.7 Error Handling
10.8 Emergency Response Plan
10.9 Emergency Training
10.10 Emergency Drilling
10.11 Information System Backup
10.12 Supporting the Service Continuity Plan of the Customer
10.13 Telecommunication Service
11 Audit
11.1 Strategies and Codes
11.2 Auditable Event
11.3 Audit Record Contents
11.4 Storage Capacity of Audit Record
11.5 Response upon Audit Process Failure
11.6 Examination, Analysis and Report of Audit
11.7 Audit Treatment and Report Generation
11.8 Time Stamp
11.9 Audit Information Protection
11.10 Non-repudiation
11.11 Audit Record Retention
12 Risk Assessment and Persistent Monitoring
12.1 Strategies and Codes
12.2 Risk Assessment
12.3 Vulnerability Scanning
12.4 Persistent Monitoring
12.5 Information System Monitoring
12.6 Junk Information Monitoring
13 Security Organization and Personnel
13.1 Strategies and Codes
13.2 Security Organization
13.3 Security Resource
13.4 Security Regulations System
13.5 Post Risks and Responsibilities
13.6 Personnel Screening
13.7 Personnel Dimission
13.8 Personnel Deployment
13.9 Access Protocol
13.10 Third Party Personnel Security
13.11 Personnel Punishment
13.12 Security Training
14 Physical and Environmental Security
14.1 Strategies and Codes
14.2 Physical Facilities and Devices Site Selection
14.3 Physical and Environmental Planning
14.4 Physical Environment Access Authorization
14.5 Physical Environment Access Control
14.6 Communication Capacity Protection
14.7 Output Device Access Control
14.8 Physical Access Monitoring
14.9 Visitor Access Record
14.10 Power Device and Cable Security Assurance
14.11 Emergency Lighting Capability
14.12 Fire-fighting Capability
14.13 Temperature and Humidity Control Capabilities
14.14 Water-proof Capability
14.15 Device Transportation and Removal
Appendix A (Informative) Template for System Security Plan
Bibliography