Page 1067 - Cloud computing: From paradigm to operation

Security                                                   7


9.4.5  Access control to program source code

Control 9.4.5 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply.

10  Cryptography

10.1  Cryptographic controls

The objective specified in clause 10.1 of ISO/IEC 27002 applies.

10.1.1  Policy on the use of cryptographic controls

Control 10.1.1 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies.

Implementation guidance for cloud services


Cloud service customer:

The cloud service customer should implement cryptographic controls for its use of cloud services if justified by the risk analysis. The controls should be of sufficient strength to mitigate the identified risks, whether those controls are supplied by the cloud service customer or by the cloud service provider.

When the cloud service provider offers cryptography, the cloud service customer should review any information supplied by the cloud service provider to confirm whether the cryptographic capabilities:
–  meet the cloud service customer's policy requirements;
–  are compatible with any other cryptographic protection used by the cloud service customer;
–  apply to data at rest and in transit to, from and within the cloud service.

Cloud service provider:

The cloud service provider should provide information to the cloud service customer regarding the circumstances in which it uses cryptography to protect the information it processes. The cloud service provider should also provide information to the cloud service customer about any capabilities it provides that can assist the cloud service customer in applying its own cryptographic protection.

Other information for cloud services

In some jurisdictions, it might be required to apply cryptography to protect particular kinds of information, such as health data, resident registration numbers, passport numbers and driver's licence numbers.

10.1.2  Key management

Control 10.1.2 and the associated implementation guidance and other information specified in ISO/IEC 27002 apply. The following sector-specific guidance also applies.

Implementation guidance for cloud services

Cloud service customer:

The cloud service customer should identify the cryptographic keys for each cloud service, and implement procedures for key management.

Where the cloud service provides key management functionality for use by the cloud service customer, the cloud service customer should request the following information on the procedures used to manage keys related to the cloud service:
–  type of keys;

Cloud service provider:

(no additional implementation guidance)



