Chapter II – Secured Operation of Cloud Computing Services |
| Article 2 | (Definition of cloud computing services)
Subject to shared use of computing resources enabled by online technologies, to provide users with flexible, extendable and self-service services, such as Infrastructure as a Service (IaaS), Platform as a Service (PaaS), and Software as a Service (SaaS).
- Infrastructure as a Service or IaaS: A cloud service provider provides information technology infrastructure to cloud service users via the Internet.
- Platform as a Service or PaaS: A cloud service provider provides platform tools to cloud service users.
- Software as a Service or SaaS: A cloud service provider provides application services to cloud service users via the Internet.
|
|
| Article 3 | (Scope of application for directions on cloud computing services)
- To ensure security of the cloud computing services used by an organization, the organization shall perform prior evaluations of the risks in use of cloud computing services. When the cloud services involve the core system, data or services, the suggestions on management and control under these directions should be complied with.
- The cloud services for purposes of these directions do not include the private cloud built within the organization for providing only services internally.
|
|
| Article 4 | (Selection of cloud service providers)
- A cloud service user shall perform prior evaluations of service quality of a cloud service provider (including information and communication security protection) and other risks, and take appropriate risk management and control measures. In the event of a deficiency in meeting the needs, other compensatory measures should be considered.
- A cloud service user shall evaluate whether a cloud service provider has established the cloud service backup system, and it is advised to specify in the contract the requirements on the recovery time of cloud services.
- A cloud service user shall maintain the full ownership of the data processed by the cloud service provider. A cloud service provider shall make sure not to be authorized to access client information, except for performance of requested services, and not to use this information for any purpose beyond the scope of request.
- A cloud service user shall implement regular reviews on the cloud service provider with regard to the outsourced cloud services. If a cloud service provider has received a bronze award or a higher award from Cloud Service Alliance in the STAR program (CSA-STAR), an attestation report may be requested or an on-site inspection may be conducted where necessary.
|
|
| Article 5 | (Cloud interoperability and portability)
- A cloud service provider shall meet the cloud user’s needs for interoperability and portability of applications and information processing, and should provide relevant informational documents for the user’s reference.
- A cloud service provider is advised to use the virtualized platform, virtual machine file format, and data and file format commonly seen in the industry to ensure interoperability.
- A cloud service provider shall adopt the standardized Internet protocol based on the cloud user’s needs. For transmission of sensitive information, it is advisable to adopt the encryption Internet protocol such as Hypertext Transfer Protocol Secure (HTTPS) and Secret File Transfer Protocol(SFTP).
- If the cloud services provided by a cloud service provider involve accessing via application interfaces, it is advisable to use an open or public application programming interface (API) to ensure better portability of application components.
|
|
| Article 6 | (Cloud supply chain management)
- A cloud service user that transmits and stores client data at a cloud service provider shall take effective protection measures by encrypting or codifying client data, andshall establish an adequate and suitable encryption key management system.
- A cloud service provider shallmaintain its service quality based on the service quality agreement entered with the cloud service user, and shall periodically provide the reports and operating records showing the service quality indexes under the agreement (e.g. system revision history, records of accessing the operating system images, etc.).
- A cloud service provider is responsible to monitor risks and errors of other partners in the cloud service supply chain that may potentially affect service quality.
- A cloud service provider shall promptly notify the affected cloud service users and its partners in the supply chain in the event of an information and communication security incident to the operation of the cloud services, and regularly update the information on the status of the incident.
|
|
| Article 7 | (Security of cloud infrastructure and virtualization applicable to the IaaS and PaaS services)
- A cloud service provider shall ensure the integrity of the images of a virtual machine. Important revisions to images, such as changing the memory size of the virtual machine, and changing the disk capacity of the virtual machine, should be recorded and provided to the client for review of how these changes are recorded.
- When a cloud service provider is replacing its equipment for maintenance (such as replacement of disk drives), all data containing the information about the organization shall be deleted or destroyed. Destruction should be performed by demagnetization, destruction, smashing or other appropriate method depending on the nature of its storage media, and the records for the deletion or destruction should be kept.
- A cloud service provider shall provide the information about isolation of virtual machines depending on the cloud service user’s needs, and should immediately notify the cloud service user when the isolation fails.
- A cloud service provider shall implement appropriate security control and management measures for the cloud operating system, including hypervisor and guest operation systems, such as availability of only necessary port, protocols and services, virus protection, security breach evaluation system, and monitoring of file integrity.
- The authority of the cloud service operators should be managed based on the minimization principle, with appropriate security control and management measures, such as communication management through two-factor authentication, audit trails, IP filtering, firewall, and Transport Layer Security (TLS) packet.
- When providing IaaS (Infrastructure as a Service), a could service provider shall encrypt the virtual disk drives containing sensitive information based on the cloud service user’s needs and prohibit snapshots and unauthorized accessing.
|
|
| Article 8 | (Cross-border transmission of personal data on cloud service)
For cloud services involving cross-border transmission of personal data, an organization shall have the encryption transmission system in place, and make sure to comply with the Personal Data Protection Act of the Republic of China for a cloud service provider’s collection, processing, use, international transmission and control and management of personal data. The data subject’s authorization should be obtained prior to transmission and no transmission may violate the competent authority’s restrictions on international transmission. The full audit records should be kept.
|
|
| Article 9 | (Management of interruption and termination of cloud services)
- A cloud service user shall establish an appropriate emergency response plan to reduce the risks of interruption of services in cloud operation.
- When terminating or ending a contract of operation, a cloud service user shall ensure the services can be successfully transferred to another cloud service provider or migrated back to the user for self-operation.
- After termination of services, a cloud service provider shall delete or destroy all archived data (such as images of a virtual machine, storage space, cache space, backup media, client information or sensitive information) and shall provide the proof of a full deletion of data.
|
|