+PSS-01 Guidelines and Recommendations for Cloud Service Customers

1. Overview

PSS-01 Guidelines and Recommendations for Cloud Service Customers

Designation    Standard
PSS-01.01B The cloud service provider publishes guidelines and recommendations for cloud service customers regarding the secure use of the cloud service provided. The information contained therein is intended to assist the cloud service customer in the secure configuration and use of the cloud service, as well as the implementation of complementary customer controls, to the extent applicable to the cloud service and the responsibility of the cloud service customer.

In a cloud environment, security responsibilities are shared between the cloud service provider and the customer, and the split varies by service type: Infrastructure as a Service (IaaS), Platform as a Service (PaaS) or Software as a Service (SaaS). Guidance on the complementary customer controls helps cloud service customers understand their roles and responsibilities within the Shared Responsibility Model, including those for security and operational management (cf. OIS-03). With detailed guidance, cloud service customers can understand and implement the controls that fall under their responsibility. The level of detail and length of the guidance can vary according to the type of cloud service provided.

Examples of defensive mechanisms include payload filtering, traffic shaping, load balancing, load shedding and DDoS defences.

Examples of wide-area distributed architecture mechanisms include fault tolerance through replication, avoidance of localised outages and disasters through the use of multiple cloud regions, and reduction of user-facing latency through geo-dispersion of service endpoints.
PSS-01.02B The type and scope of the information in the guidelines and recommendations for the secure use of the cloud service provided are based on the needs of the cloud service customers' subject matter experts who set information security requirements, implement them or verify their implementation (e.g. IT, Compliance, Internal Audit). The guidelines and recommendations for the secure use of the cloud service address the following aspects, where applicable to the cloud service:

1. Procedures for secure configuration;
2. Information sources on known vulnerabilities and update mechanisms;
3. Malware protection for containers or virtual machines;
4. Error handling and logging mechanisms;
5. Authentication mechanisms;
6. Roles and rights framework including combinations that result in an elevated risk;
7. Services and functions for administration of the cloud service by privileged users;
8. Complementary user entity controls;
9. Encryption mechanisms and services;
10. Data leakage prevention;
11. Secure application development and operation on the cloud service;
12. Instructions for using and configuring defensive mechanisms;
13. Instructions for using and configuring wide-area distributed architecture mechanisms;
14. Methods used for client data separation (cf. OPS-30 and OPS-31);
15. How information security risks related to the use of the cloud service can be addressed through proper logging and monitoring mechanisms; and
16. Inbound and outbound interfaces through which the cloud service can be accessed by other cloud services or IT systems of cloud service customers (cf. PI-01).
PSS-01.03B The cloud service provider describes in the user documentation all necessary complementary user entity controls (CUECs) and corresponding explanations of them, so that the cloud service customer has sufficient information for appropriate risk management on its side.
PSS-01.04B The above-mentioned information is kept current so that it applies to the version of the cloud service intended for productive use.
PSS-01.01AC The cloud service provider notifies cloud service customers in a timely manner about any planned modifications to the cloud service so that the affected cloud service customers can react appropriately with organisational and technical measures before the changes take effect.
PSS-01 Supplementary Information - Complementary Customer Criteria Cloud service customers ensure with suitable controls that the cloud service provider's information is used to derive policies, frameworks and measures for the secure configuration and use of the cloud service (according to their own risk assessment). Compliance with these policies, frameworks and measures is checked. Changes to the information are assessed in a timely manner for their impact on these documents, and any necessary changes are implemented.
