| Article 7 |
(Security of cloud infrastructure and virtualization applicable to the IaaS and PaaS services)
- A cloud service provider shall ensure the integrity of the images of a virtual machine. Important revisions to images, such as changing the memory size of the virtual machine, and changing the disk capacity of the virtual machine, should be recorded and provided to the client for review of how these changes are recorded.
- When a cloud service provider is replacing its equipment for maintenance (such as replacement of disk drives), all data containing the information about the organization shall be deleted or destroyed. Destruction should be performed by demagnetization, destruction, smashing or other appropriate method depending on the nature of its storage media, and the records for the deletion or destruction should be kept.
- A cloud service provider shall provide the information about isolation of virtual machines depending on the cloud service user’s needs, and should immediately notify the cloud service user when the isolation fails.
- A cloud service provider shall implement appropriate security control and management measures for the cloud operating system, including hypervisor and guest operation systems, such as availability of only necessary port, protocols and services, virus protection, security breach evaluation system, and monitoring of file integrity.
- The authority of the cloud service operators should be managed based on the minimization principle, with appropriate security control and management measures, such as communication management through two-factor authentication, audit trails, IP filtering, firewall, and Transport Layer Security (TLS) packet.
- When providing IaaS (Infrastructure as a Service), a could service provider shall encrypt the virtual disk drives containing sensitive information based on the cloud service user’s needs and prohibit snapshots and unauthorized accessing.
|
|