GB/T 31167-2014 English PDF (GBT31167-2014)
GB/T 31167-2014: Information security technology -- Security guide of cloud computing services
NATIONAL STANDARD OF THE PEOPLE'S REPUBLIC OF CHINA
Information security technology - Security guide of cloud computing services
ISSUED ON: SEPTEMBER 03, 2014
IMPLEMENTED ON: APRIL 01, 2015
Issued by: General Administration of Quality Supervision, Inspection and Quarantine of the People's Republic of China; Standardization Administration of the People's Republic of China
Table of Contents
Foreword
Introduction
1 Scope
2 Normative references
3 Terms and definitions
4 Cloud computing overview
4.1 Main features of cloud computing
4.2 Service modes
4.3 Deployment modes
4.4 Advantages of cloud computing
5 Risk management of cloud computing
5.1 General
5.2 Cloud computing security risks
5.3 Main roles and responsibilities of cloud computing service security management
5.4 Basic requirements for cloud computing service security management
5.5 Life cycle of cloud computing services
6 Planning preparation
6.1 General
6.2 Benefit assessment
6.3 Classification of government information
6.4 Classification of government business
6.5 Priority determination
6.6 Security protection requirements
6.7 Demand analysis
6.8 Forming a decision report
7 Selecting service providers and deployment
7.1 Security capability requirements for cloud service providers
7.2 Determining the cloud service provider
7.3 Security considerations in contracts
7.4 Deployment
8 Operational supervision
8.1 General
8.2 Role and responsibilities of operational supervision
8.3 Customers' own operational supervision
8.4 Operational supervision of cloud service providers
9 Exiting services
9.1 Exit request
9.2 Determining the scope of data handover
9.3 Verifying the integrity of data
9.4 Safely deleting data
Bibliography
Information security technology - Security guide of cloud computing services
1 Scope
This Standard describes the main security risks that cloud computing may face, and proposes the basic requirements for the security management of cloud computing services by government departments, as well as the security management and technical requirements for each phase of the life cycle of cloud computing services.
This Standard provides security guidance throughout the life cycle for government departments adopting cloud computing services, especially socialized cloud computing services. It is applicable to government departments purchasing and using cloud computing services, and may also be used for reference by key industries and other enterprises and institutions.
2 Normative references
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the referenced document (including any amendments) applies.
GB/T 25069-2010 Information security technology glossary
GB/T 31168-2014 Information security technology - Security capability requirements of cloud computing services
3 Terms and definitions
For the purpose of this document, the following terms and definitions and those defined in GB/T 25069-2010 apply.
A mode of accessing scalable, flexible physical or virtual shared resource pools via a network, and acquiring and managing resources on demand in a self-service manner.
4.2 Service modes
According to the types of resources provided by the cloud service provider, cloud service modes can be divided into three main categories:
a) Software as a Service (SaaS). In SaaS mode, the cloud service provider provides customers with applications running on the cloud computing infrastructure. Customers do not need to purchase or develop software. They can use a client (such as a web browser) or a program interface on different devices to access and use the applications provided by the cloud service provider via the Internet, such as an email system or a collaborative office system. Customers usually cannot manage or control the low-level resources that support the operation of the applications, such as networks, servers, operating systems and storage, but they may have limited configuration management of the applications.
b) Platform as a Service (PaaS). In PaaS mode, the cloud service provider provides customers with software development and operation platforms running on the cloud computing infrastructure, such as standard languages and tools, data access and general interfaces. Customers can use the platform to develop and deploy their own software. Customers usually cannot manage or control the low-level resources required to support the platform, such as networks, servers, operating systems and storage, but they can configure the application's operating environment and control the applications they deploy themselves.
c) Infrastructure as a Service (IaaS). In IaaS mode, the cloud service provider provides computing resources such as virtual machines, storage and networks to customers, and provides service interfaces to access the cloud computing infrastructure. Customers can deploy or run operating systems, middleware, databases and applications on these resources. Customers usually cannot manage or control the cloud computing infrastructure, but they can control the operating systems, storage and applications they deploy themselves, and partially control the network components they use, such as host firewalls.
4.3 Deployment modes
Depending on the range of customers using the cloud computing platform, cloud computing is divided into four deployment modes: private cloud, public cloud, community cloud and hybrid cloud.
a) Private cloud. The cloud computing platform is only available to a specific customer. The cloud computing infrastructure of the private cloud can be owned, managed and operated by the cloud service provider; such a private cloud is called an off-site private cloud (or outsourced private cloud). It can
cloud service provider, and the cloud service provider has the ability to access, utilize or manipulate the customer data.
After migrating data and business systems to the cloud computing platform, security relies heavily on cloud service providers and the security measures they take. Cloud service providers usually regard the security measures and security status of their cloud computing platforms as intellectual property and trade secrets. Without the necessary right to know, it is difficult for customers to understand the implementation and operating status of the cloud service provider's security measures, difficult to effectively supervise and manage these measures, and impossible to effectively supervise unauthorized access to and use of customer data by the cloud service provider's internal personnel; this increases the risk to customer data and services.
5.2.2 Responsibility between customers and cloud service providers is difficult to define
In the traditional mode, responsibility for information security is relatively clear, following the principles that whoever is in charge is responsible and whoever operates is responsible. In the cloud computing model, the entities that manage and operate the cloud computing platform differ from the entities responsible for data security, and there are no clear rules on how their mutual responsibilities are defined. Different service modes and deployment modes, and the complexity of the cloud computing environment, further increase the difficulty of defining the responsibilities between cloud service providers and customers.
Cloud service providers may also purchase and use services from other cloud service providers. For example, cloud service providers that provide SaaS services may build their services on PaaS or IaaS of other cloud service providers, which makes the responsibility more difficult to define.
5.2.3 Jurisdiction issues are possible
In the cloud computing environment, the actual storage location of data is often not controlled by the customer, and the customer's data may be stored in an overseas data center, changing the jurisdiction over the data and business.
NOTE: Governments in some countries may require cloud service providers to provide access to these data centers in accordance with national laws, and may even require cloud service providers to hand over data held in data centers in other countries.
5.2.4 Data ownership protection is at risk
adopting cloud computing services, determine their own data and business types, determine whether it is suitable to adopt cloud computing services, determine the security capability requirements of cloud computing services according to the types of data and business, and carry out demand analysis and form a decision report according to the characteristics of cloud computing services.
5.5.3 Selecting service providers and deployment
In the selecting service providers and deployment stage, customers shall select cloud service providers according to the security requirements and the security capabilities of the cloud computing services, negotiate contracts with cloud service providers (including service level agreements, security requirements, confidentiality requirements, etc.), and complete the deployment or migration of data and business to the cloud computing platform.
5.5.4 Operational supervision
In the operational supervision stage, customers shall guide and supervise cloud service providers to fulfill their contractual obligations and responsibilities, guide business system users to comply with government information system security management policies and standards, and jointly maintain data, business and cloud computing environment security.
5.5.5 Exiting services
When exiting cloud computing services, customers shall require cloud service providers to fulfill their relevant responsibilities and obligations, and ensure data and business security during the exit stage, for example by having customer data safely returned and completely eliminated from the cloud computing platform.
When the cloud service provider needs to be changed, the customer shall select a new cloud service provider according to the requirements, and focus on the data and business security during the cloud computing service migration process; the original cloud service provider shall also be required to fulfill related responsibilities and obligations.
6 Planning preparation
5.2 explains the security risks and new problems faced by cloud computing. Cloud computing services are not suitable for all customers, and not all applications are suitable for deployment to cloud computing environments.
measures are implemented by the cloud service provider.
b) In PaaS mode, the security measures of the software platform layer are shared between the customer and the cloud service provider. The customer is responsible for the security of the applications developed and deployed by the customer and of their operating environment; other security measures are implemented by the cloud service provider.
c) In IaaS mode, the security measures of the virtualized computing resource layer are shared by the customer and the cloud service provider. The customer is responsible for the security of the operating system, operating environment and applications deployed by the customer. The cloud service provider is responsible for the security of the virtual machine monitor and the underlying resources.
The lower three layers in Figure 4 consist of the facility layer, the hardware layer and the resource abstraction control layer. The facility layer and the hardware layer are the physical elements of the cloud computing environment. The facility layer mainly includes heating, ventilation, air conditioning, power and communication. The hardware layer includes all physical computing resources, such as servers, networks (routers, firewalls, switches, network connections and interfaces), storage components (hard disks) and other physical computing components. The resource abstraction control layer implements software abstraction of physical computing resources through virtualization or other software technologies, and implements access control of resources through software components such as resource allocation, access control and usage monitoring. In all service modes, these three layers are under the full control of the cloud service provider, and all security measures are implemented by the cloud service provider.
The upper three layers in Figure 4, the application software layer, the software platform layer and the virtualized computing resource layer, form the logical elements of the cloud computing environment. The virtualized computing resource layer provides customers with access to computing resources such as virtual machines, virtual storage and virtual networks through service interfaces. The software platform layer provides customers with compilers, libraries, tools, middleware and other software tools and components for application development and deployment. The application software layer provides customers with the application software required by the business system, and customers access this application software through clients or program interfaces.
Customers can choose the service mode according to the characteristics of the different service modes and the security management requirements of their own data and business systems, combined with their own technical capabilities, and pay only for the resources used by the business system.
Customers shall prioritize the deployment or migration of businesses with dynamic and periodic changes in resources to the cloud computing platform, which may save money while meeting business performance requirements.
Delay is the time taken by the cloud computing environment to process a request, including the time required to transmit the customer's request message to the cloud computing environment and return the response, plus the processing time of the cloud computing environment. Different types of applications differ significantly in their delay requirements for cloud computing services. For example, e-mail usually tolerates short service interruptions and large network delays, whereas automation and real-time applications generally have stricter delay requirements.
Customers shall conduct a detailed analysis of the response speed requirements of the business system, to determine the business's own tolerance for delay and possible remedies. Before deploying or migrating data and services to the cloud computing platform, they shall consider indicator requirements such as response time and massive data transmission
6.7.7 Business continuity
Whether the cloud computing service will be interrupted and whether it can continue to be accessed depends on many factors, including the network, the cloud computing platform, and the cloud service provider.
Network dependence. Cloud computing services rely on networks such as the Internet, where customers access services through a continuously available network connection. Network dependence means that each application is a web application, and the complexity of the network from the customer to the cloud computing platform is usually higher than that of the customer's internal local area network.
Platform dependence. Despite the high reliability of professional cloud computing platforms, cloud computing platform failures and service interruptions cannot be completely avoided, owing to human factors (such as malicious attacks or administrator errors) and natural disasters (such as floods, typhoons and earthquakes).
Cloud service provider dependence. When using self-owned systems, even if the hardware or software provider suspends technical support, after-sales service or business, customers may not be affected immediately and can continue to
c) Cloud computing service mode and deployment mode selection. Analyze the security measure implementation boundaries and management boundaries of customers and cloud service providers;
d) Risk analysis. Analyze the security threats that may be encountered after data and business are deployed to the cloud computing environment, and
e) Functional requirement analysis. Analyze the resource requirements in different modes, the backup and recovery capabilities of data, the storage location of backup data, the data transmission mode and network bandwidth requirements, and the data interaction requirements between the business to be deployed on the cloud computing platform and other
f) Performance requirements analysis. Mainly analyze indicators such as availability, reliability, resilience, transaction response time and throughput rate.
g) Security requirements. Determine the security capability requirements of the cloud computing service based on the classification results of the information and business to be deployed to the cloud computing platform;
h) Business continuity requirements. After the business system is migrated to the cloud computing platform, the original system can operate in parallel with the migrated business system for a period of time;
i) A preliminary plan for exiting cloud computing services or changing cloud service providers;
j) A plan for security awareness, technical and management training for relevant customer personnel;
k) The leaders and working departments of the organization responsible for adopting cloud computing services, and their responsibilities;
l) Other important issues that shall be considered in the procurement and use of cloud computing services.
7 Selecting service providers and deployment
7.1 Security capability requirements for cloud service providers
Cloud service providers that provide cloud computing services to customers shall have the following 10 aspects of security capabilities:
necessary information needed to properly perform their job duties;
d) When a third party requests disclosure of the information in c) or of sensitive customer information, the cloud service provider shall not respond and shall report immediately;
e) Activities or practices that violate, or may result in violations of, agreements, regulations, procedures, strategies or laws shall be reported immediately upon discovery;
f) After the contract is completed, the cloud service provider shall return the information and customer data in c); the specific requirements and contents of the return shall be specified;
g) Define the validity period of the confidentiality agreement.
7.3.5 Information security related contents in contracts
When signing a contract with a cloud service provider, the customer shall fully consider the security risks that the cloud computing service may face, agree on management, technology, personnel, etc. through the contract, and require the cloud service provider to provide the customer with safe and reliable services. The contract shall include at least the following information security related contents....