Cloud Security Requirements - Part 3

This blog series consists of a detailed set of cloud security requirements that any organization wanting to adopt cloud services securely can use. The requirements expressed below are cloud agnostic and can be applied to any public cloud, or even to private clouds.

The sub-domain and requirement description are mapped to ISO 27002:2013 controls and standards. The overall theme of this blog series covers all the cloud security controls stated in the NIST 800-53 series.

Domain: Data Protection

Sub-Domain: Privacy Processes and Procedures
Req. Name: User Notification
Req. Description: Privacy policies and procedures, and the purposes for which personal information is collected, used, retained, and disclosed, shall be documented

Sub-Domain: Privacy Processes and Procedures
Req. Name: Third-Party Usage
Req. Description: Policies and procedures should be in place that include:
a. Disclosing personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the employees and customers
b. Having procedures in place to evaluate that the third parties have effective controls to meet the terms of the agreement, instructions, or requirements
c. Taking remedial action in response to misuse of personal information by a third party to whom Client has transferred such information

Sub-Domain: Data Identification and Classification
Req. Name: Data Ownership & Inventory
Req. Description: Appropriate ownership of data shall be assigned, and procedures established to classify, monitor, and update data in accordance with its classification policies. Policies and procedures shall be in place to inventory, document, and maintain data flows to ascertain any regulatory or statutory impact, and to address any other business risks associated with the data

Sub-Domain: Data Protection and Monitoring
Req. Name: Handling Procedures
Req. Description: Procedures for labeling, handling, and protecting the confidentiality and integrity of personal information, test data, production data, and data involved in online transactions, to prevent contract disputes and compromise of data, shall be established. Mechanisms for label inheritance shall be implemented for objects that act as aggregate containers for data

Sub-Domain: Data Protection and Monitoring
Req. Name: Leakage Mitigation
Req. Description: Areas where potential information leakage can occur shall be identified, and appropriate controls to mitigate it shall be implemented

Sub-Domain: Data Protection and Monitoring
Req. Name: DLP System
Req. Description: A Data Loss Prevention (DLP) system to monitor user interactions with data, analyze data traffic over the network, and scan and inspect enterprise data repositories to identify sensitive content shall be implemented. The DLP system shall integrate with:
a. HTTP/HTTPS proxy server – for HTTP and HTTPS blocking
b. DLP SMTP agent (Message Transfer Agent [MTA]) – for blocking an email containing sensitive data
c. Security Information and Event Management (SIEM) solution – for real-time security alerting and analysis

Sub-Domain: Data Protection and Monitoring
Req. Name: Database Activity Monitoring
Req. Description: Database Activity Monitoring (DAM) tools to monitor and audit all access to sensitive data across heterogeneous database platforms shall be deployed

Sub-Domain: Data Protection and Monitoring
Req. Name: File Integrity
Req. Description: File Integrity/Activity Monitoring tools to monitor files of all types and detect changes in those files that can lead to an increased risk of data compromise shall be deployed

Sub-Domain: Cryptographic Controls
Req. Name: Encryption Policies
Req. Description: Policies and procedures for the use of strong encryption protocols (e.g., AES-256) for the protection of sensitive data in storage (e.g., file servers, databases, and end-user workstations) and data in transmission (e.g., system interfaces, over public networks, and electronic messaging), as per applicable legal, statutory, and regulatory compliance obligations, shall be established

Sub-Domain: Cryptographic Controls
Req. Name: Key Management
Req. Description: Key management shall include:
a. Establishing policies and procedures for the management of cryptographic keys in the cryptosystem
b. Assigning ownership to keys
c. Preventing storage of keys in the cloud
d. Implementing segregation of duties for the responsibilities of key management and key usage

Sub-Domain: Cryptographic Controls
Req. Name: Key Rotation
Req. Description: Automatic key rotation for customer-managed keys shall be enabled
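The DLP requirement above calls for scanning data repositories to identify sensitive content. What follows is an added example, not code from the original post: a minimal content-inspection routine over a constructed set of documents, using regular expressions plus a Luhn checksum to drop digit runs that merely look like card numbers, and masking every finding so the scan report does not itself become a leak. It assumes only the Python standard library; the file names and document contents are constructed.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample documents standing in for a scanned data repository.
SAMPLE_DOCS: Dict[str, str] = {
    "notes.txt": "Order ref 1234-5678-9012-3456 shipped. Call 555-0100.",
    "billing.csv": "card,amount\n4111111111111111,19.99\n5500 0000 0000 0004,42.00",
    "hr.txt": "Employee SSN 123-45-6789 on file; ssn 000-12-3456 is invalid.",
}

# Candidate card numbers: 13-19 digits, optionally separated by spaces/hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# US SSN with the structurally impossible area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: rejects digit runs that cannot be a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so findings do not leak the value."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (label, masked_value) findings for one document."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):      # drops 1234-5678-9012-3456, which fails Luhn
            findings.append(("PAN", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("SSN", mask(m.group().replace("-", ""))))
    return findings


def scan_repository(docs: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Map each document that contains sensitive content to its findings."""
    return {name: f for name, text in docs.items() if (f := scan_text(text))}


if __name__ == "__main__":
    for name, found in scan_repository(SAMPLE_DOCS).items():
        print(f"{name}: {found}")
```

In a real deployment the findings feed the SIEM integration named in point c, with the document name and label as the alert payload and the masked value for triage.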

Are you ready to audit and secure your cloud environment? Contact our security specialists today!