---+ CRY-05 Encryption of Sensitive Data at Rest
1. Overview
CRY-05 Encryption of Sensitive Data at Rest

| Designation | Standard |
| CRY-05.01B | The cloud service provider has established procedures and technical safeguards to encrypt cloud service customer data during storage (i.e. at rest). |
| CRY-05.02B | In general, the private keys (for asymmetric algorithms) or secret keys (for symmetric algorithms) used for encryption are accessible only by the cloud service customer in accordance with applicable legal and regulatory obligations and requirements. If, due to the nature of the cloud service, the cloud service provider has to access the private or secret keys of the customer in order to provide the cloud service, this access is performed in accordance with IAM-07. Exceptions follow a specified procedure. |
| | The requirement of 'accessible only by the cloud service customer' means that encryption keys remain solely within the knowledge and control of the owner. This can be addressed by implementing a secure key management system. If a key management system is used, the keys need to be protected from usage not explicitly authorised by the owner of the key and remain inaccessible in plaintext. |
| | This criterion does not apply to data that cannot be encrypted for the provision of the cloud service for functional reasons. |
| | Scenarios in which the cloud service provider has to access the secret or private keys of the customer include, but are not limited to, the use of provider-managed keys in a SaaS service. |
| | The use of a master key by the cloud service provider may be an exception to the requirement that keys are accessible only by the cloud service customers. |
| CRY-05.03B | The procedures for the use of private keys, including any exceptions, are agreed with the cloud service customer. |
| | The requirement of 'accessible only by the cloud service customer' means that encryption keys remain solely within the knowledge and control of the owner. This can be addressed by implementing a secure key management system. If a key management system is used, the keys need to be protected from usage not explicitly authorised by the owner of the key and remain inaccessible in plaintext. |
| | This criterion does not apply to data that cannot be encrypted for the provision of the cloud service for functional reasons. |
| CRY-05.04B | If any changes to these procedures and technical safeguards may affect the confidentiality of the cloud service customer data, the cloud service provider communicates these changes to the cloud service customers. |
| | The requirement of 'accessible only by the cloud service customer' means that encryption keys remain solely within the knowledge and control of the owner. This can be addressed by implementing a secure key management system. If a key management system is used, the keys need to be protected from usage not explicitly authorised by the owner of the key and remain inaccessible in plaintext. |
| | This criterion does not apply to data that cannot be encrypted for the provision of the cloud service for functional reasons. |
| CRY-05.05B | If the cloud service provider uses a master key, the cloud service provider regularly tests the suitability of the design and operating effectiveness of the respective controls. |
| | The use of a master key by the cloud service provider may be an exception to the requirement that keys are accessible only by the cloud service customers. |
| CRY-05.01AC | The cloud service provider ensures that secure encryption mechanisms are in place to prevent the recovery of cloud service customer data when resources are reallocated or physical media are recovered. |
| | The requirement of 'accessible only by the cloud service customer' means that encryption keys remain solely within the knowledge and control of the owner. This can be addressed by implementing a secure key management system. If a key management system is used, the keys need to be protected from usage not explicitly authorised by the owner of the key and remain inaccessible in plaintext. |
| | This criterion does not apply to data that cannot be encrypted for the provision of the cloud service for functional reasons. |
| CRY-05 Supplementary Information - Complementary Customer Criteria | Cloud service customers ensure, with suitable controls for those parts of the cloud service under their responsibility (e.g. virtual machines within an IaaS solution), that their data is encrypted during storage in accordance with the respective protection needs. |
2. Identified Requirements
Requirements

| Source | Requirement |

3. Related Regulations
Regulations

| Source | Regulation |