Page 1020 - Cloud computing: From paradigm to operation
7 Guidelines for security controls related to data security
This clause provides guidelines for security controls related to the stages of the data security lifecycle
described in clause 6.4.
7.1 Security controls in create stage
Guidelines for security controls in the create stage include the following:
a) CSPs should define categories of data sensitivity. User tagging of data may be leveraged to help
classify the data.
b) Data should be classified according to its sensitivity when it is created.
c) CSPs should consider enterprise digital rights management mechanisms or encryption to protect sensitive data
from unauthorized access.
7.2 Security controls in transmit stage
Guidelines for security controls in the transmit stage include the following:
a) CSPs should apply technical measures to protect authentication data while it is in transit.
b) CSPs should support users in maintaining secure transmission of critical operation data and
management data.
c) Damage to data integrity during transmission should be detected promptly, and the necessary measures
taken to restore data integrity once errors are detected.
7.3 Security controls in storage stage
Guidelines for security controls in the storage stage include the following:
a) CSPs should identify access controls available to the CSC to use with users' data from storage
repositories, such as those defined in [ITU-T X.1631].
b) CSPs should apply encryption technology or other safeguards to ensure the storage confidentiality
of authentication data.
c) CSPs should support users in the maintenance of confidential storage of critical operation data and
management data.
d) CSPs should provide effective hard disk protection methods, or adopt fragmented (distributed) storage
mechanisms, to prevent unauthorized users from obtaining usable user data from a hard disk, even if the
disk is stolen.
e) Damage to storage data integrity should be detected promptly and necessary measures taken to
restore data integrity after errors are detected.
f) Users should be able to optionally configure encryption parameters, such as the algorithm, key strength
and encryption scheme.
g) CSPs should support users in selecting a third-party encryption mechanism to encrypt key data.
h) CSPs should support data encryption using secure keys, and should support users in storing and
maintaining those keys locally, on the user's side rather than at the CSP.
i) CSPs should provide effective protection for the loading of virtual machine image files, to prevent
unauthorized users from booting or running those images on their own computing resources, even if the hard
disk is stolen.
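The following is an added example, not text or code from the Recommendation nor any CSP's implementation, showing how a cloud service customer can meet items e), f) and h) above, together with the transmission integrity check of clause 7.2 c), using client-side envelope encryption in Go (standard library only). The key is generated and held by the user and never sent to the CSP; the user selects the key strength; the CSP stores only the nonce, ciphertext and GCM tag; and any modification of the stored or transmitted object is rejected on decryption instead of being returned as corrupted plaintext. The Envelope type, the function names, the restriction to 128- and 256-bit keys, and the use of the object name as associated data are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what the CSP stores: an algorithm label, the nonce, and the
// ciphertext with its GCM authentication tag. The key never leaves the user (7.3 h).
type Envelope struct {
	Alg   string // "AES-128-GCM" or "AES-256-GCM", chosen by the user (7.3 f)
	Nonce []byte
	Blob  []byte // ciphertext || 16-byte GCM tag
}

// NewKey generates a data-encryption key of the user-selected strength.
// Offering only 128 and 256 bits is a policy choice of this example, not an AES limit.
func NewKey(bits int) ([]byte, error) {
	if bits != 128 && bits != 256 {
		return nil, fmt.Errorf("unsupported key size %d: choose 128 or 256", bits)
	}
	key := make([]byte, bits/8)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// newAEAD builds the AES-GCM instance for a key and returns its algorithm label.
func newAEAD(key []byte) (cipher.AEAD, string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, "", err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, "", err
	}
	return aead, fmt.Sprintf("AES-%d-GCM", len(key)*8), nil
}

// Seal encrypts plaintext before upload. The object name is bound as associated
// data, so a ciphertext copied from one object onto another fails to open.
func Seal(key []byte, objectName string, plaintext []byte) (*Envelope, error) {
	aead, alg, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize()) // fresh random 96-bit nonce per object version
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	blob := aead.Seal(nil, nonce, plaintext, []byte(objectName))
	return &Envelope{Alg: alg, Nonce: nonce, Blob: blob}, nil
}

// Open decrypts after download. Any change to nonce, ciphertext or tag, whether
// made in transit (7.2 c) or on the CSP's disk (7.3 e), is reported as an error.
func Open(key []byte, objectName string, env *Envelope) ([]byte, error) {
	aead, alg, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	if env.Alg != alg {
		return nil, fmt.Errorf("envelope algorithm %q does not match key (%s)", env.Alg, alg)
	}
	if len(env.Nonce) != aead.NonceSize() {
		return nil, errors.New("malformed envelope: bad nonce length") // GCM panics on a wrong-length nonce
	}
	plaintext, err := aead.Open(nil, env.Nonce, env.Blob, []byte(objectName))
	if err != nil {
		return nil, errors.New("integrity check failed: object was modified in transit or at rest")
	}
	return plaintext, nil
}

func main() {
	key, _ := NewKey(256)
	env, _ := Seal(key, "tenant-a/reports/q3.csv", []byte("constructed sample record"))
	env.Blob[3] ^= 0x40 // simulate a bit flip on the wire or on a stolen/corrupted disk
	if _, err := Open(key, "tenant-a/reports/q3.csv", env); err != nil {
		fmt.Println("detected:", err)
	}
}
```

A stolen disk in this model yields only Envelope values, which are useless without the user-held key (item d); restoring integrity after a detected error (item e) then means re-fetching a good replica or restoring from backup, since an authenticated cipher deliberately refuses to return partially corrupted data.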
7.4 Security controls in use stage
Guidelines for security controls in the use stage include the following:
a) CSPs should authorize and verify the utilization of data.
b) Utilization of sensitive data should be audited, with audit logs generated.
c) CSPs should apply malicious activity monitoring and enforcement mechanisms, according to their
responsibilities and rights, in order to discover threats and control data usage.
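An added example (Go, not from the Recommendation or any CSP's product) of the use-stage controls above in working code: a small broker that authorizes each use of data against the sensitivity tag assigned at creation (clause 7.1 and item a), writes an audit record for every request touching Confidential or Restricted data, whether allowed or denied (item b), and a monitoring pass that flags denied attempts on Restricted data and bulk reads of sensitive objects within a time window (item c). The clearance model, the four sensitivity levels, the thresholds, all names and the constructed timeline in main are assumptions of this example; events are expected to be submitted in chronological order.

```go
package main

import (
	"fmt"
	"time"
)

// Sensitivity is the classification tag assigned to data when it is created (7.1).
type Sensitivity int

const (
	Public Sensitivity = iota
	Internal
	Confidential
	Restricted
)

// AuditEvent is one record of data utilization, written for every request that
// touches Confidential or Restricted data, allowed or denied (7.4 b).
type AuditEvent struct {
	At        time.Time
	Principal string
	Object    string
	Level     Sensitivity
	Action    string
	Allowed   bool
}

// Broker authorizes data use against a per-principal clearance (assumed model)
// and keeps the audit trail in memory for this example.
type Broker struct {
	Clearance map[string]Sensitivity // highest level a principal may use; absent means Public only
	Log       []AuditEvent
}

// Use decides whether principal may perform action on an object of the given
// level (7.4 a) and records the decision whenever sensitive data is involved.
func (b *Broker) Use(at time.Time, principal, object string, level Sensitivity, action string) bool {
	allowed := b.Clearance[principal] >= level
	if level >= Confidential {
		b.Log = append(b.Log, AuditEvent{At: at, Principal: principal, Object: object,
			Level: level, Action: action, Allowed: allowed})
	}
	return allowed
}

// Alert names a principal whose pattern of sensitive-data use needs review.
type Alert struct {
	Principal string
	Reason    string
}

// Suspicious is the monitoring pass (7.4 c): it flags any denied attempt on
// Restricted data, and any principal that read more than maxReads distinct
// sensitive objects within a sliding window of the given length.
func (b *Broker) Suspicious(window time.Duration, maxReads int) []Alert {
	var alerts []Alert
	seen := map[string]bool{} // one alert per principal per reason
	for i, ev := range b.Log {
		if !ev.Allowed && ev.Level == Restricted && !seen["denied:"+ev.Principal] {
			seen["denied:"+ev.Principal] = true
			alerts = append(alerts, Alert{ev.Principal, "denied access to Restricted data"})
		}
		if ev.Action != "read" || !ev.Allowed || seen["bulk:"+ev.Principal] {
			continue
		}
		// Count distinct sensitive objects this principal read in [ev.At, ev.At+window].
		objects := map[string]bool{}
		for _, later := range b.Log[i:] {
			if later.At.Sub(ev.At) > window {
				break // log is chronological, nothing further can fall in the window
			}
			if later.Principal == ev.Principal && later.Allowed && later.Action == "read" {
				objects[later.Object] = true
			}
		}
		if len(objects) > maxReads {
			seen["bulk:"+ev.Principal] = true
			alerts = append(alerts, Alert{ev.Principal,
				fmt.Sprintf("read %d sensitive objects within %s", len(objects), window)})
		}
	}
	return alerts
}

func main() {
	b := &Broker{Clearance: map[string]Sensitivity{"analyst": Confidential, "admin": Restricted}}
	t0 := time.Date(2024, 1, 1, 9, 0, 0, 0, time.UTC)                // constructed sample timeline
	b.Use(t0, "contractor", "hr/salaries.csv", Restricted, "read") // no clearance: denied and logged
	for i := 0; i < 6; i++ {                                         // analyst pulls six customer records in two minutes
		b.Use(t0.Add(time.Duration(i)*20*time.Second), "analyst",
			fmt.Sprintf("crm/customer-%d.json", i), Confidential, "read")
	}
	for _, a := range b.Suspicious(5*time.Minute, 5) {
		fmt.Printf("ALERT %s: %s\n", a.Principal, a.Reason)
	}
}
```

In a real deployment the audit records would go to append-only storage outside the data plane, and the monitoring pass would run over that store rather than over an in-memory slice; the decision and detection logic is what the example is meant to show.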