This standard specifies the security capabilities that a cloud service provider shall possess when providing cloud computing services to a specific customer in a socialized manner.
This standard applies to the security management of cloud computing services used by government departments, and may also serve as a reference for cloud computing services used by key industries and other enterprises and institutions. It may also guide cloud service providers in establishing secure cloud computing platforms and providing secure cloud computing services.
2 Normative References
The following referenced documents are indispensable for the application of this document. For dated references, only the edition cited applies. For undated references, the latest edition of the normative document (including any amendments) applies.
GB/T 9361-2011 Safety Requirements for Computation Center Field
GB/T 25069-2010 Information Security Technology - Glossary
GB 50174-2008 Code for Design of Electronic Information System Room
GB/T 31167-2014 Information Security Technology - Security Guide of Cloud Computing Services
3 Terms and Definitions
For the purposes of this document, the terms and definitions given in GB/T 25069-2010 and the following apply.
3.1
Cloud computing
Access through the Internet to a scalable, flexible pool of shared physical or virtual resources, which may also be acquired and managed in a self-service mode.
Note: examples of resources include servers, operating systems, networks, software, applications and storage devices.
3.2
Cloud computing service
The capability to provide one or more kinds of resources through a defined interface by means of cloud computing.
3.3
Cloud service provider
The provider of cloud computing service.
Note: the cloud service provider manages, operates and supports the infrastructure and software of cloud computing, and delivers cloud computing resources through the Internet.
3.4
Cloud service customer
The party that enters into a business relationship with the cloud service provider in order to use the cloud computing service.
Note: in this standard, the cloud service customer is referred to as the customer for short.
3.5
Cloud computing infrastructure
Infrastructure composed of hardware resources and resource abstraction and control modules, used to support cloud computing.
Note: hardware resources include all physical computing resources, including servers (CPU and memory), storage modules (hard disks), network modules (routers, firewalls, switches, network links and interfaces) and other basic elements of physical computing. Resource abstraction and control modules perform software abstraction of the physical computing resources; through these modules the cloud service provider provides and manages access to the physical computing resources.
3.6
Cloud computing platform
The combination of the cloud computing infrastructure and the service software running on it, provided by the cloud service provider.
3.7
Cloud computing environment
The cloud computing platform provided by the cloud service provider, together with the software and related components deployed on that platform by the customer.
3.8
Third Party Assessment Organization; 3PAO
A professional assessment organization that is independent of the interested parties of the cloud computing service.
3.9
External Information System
An information system outside the boundary of the cloud computing platform.
Note: in general, the cloud service provider neither owns nor controls an external information system, and does not directly control the application or effectiveness of its security measures.
4 Overview
4.1 Implementation Responsibilities for the Security Measures of Cloud Computing
The cloud service provider and the customer jointly ensure the security of the cloud computing environment. In some cases the cloud service provider itself relies on other organizations to provide computing resources, and those organizations shall also bear security responsibilities. There are therefore multiple parties implementing the security measures of cloud computing, and the security responsibilities of each party are determined by the service mode of cloud computing.
There are three major service modes of cloud computing, namely Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS). Under each service mode the cloud service provider and the customer control different ranges of the computing resources, and that range of control determines the boundary of security responsibility. As shown in Figure 1, the arrows on both sides represent the ranges controlled by the cloud service provider and by the customer respectively, as follows:
- Under the SaaS mode, the customer is responsible only for the security of its own data and of its clients, while the cloud service provider bears all other security responsibilities.
- Under the PaaS mode, the security responsibilities of the software platform layer are shared between the customer and the cloud service provider. The customer is responsible for the security of the applications it develops and deploys itself and of their operating environment; the cloud service provider is responsible for all other security.