GB/T 31167-2023
Information Security Technology Cloud Computing Service Security Guidelines (English Version)
- Standard No.
- GB/T 31167-2023
- Language
- Chinese, Available in English version
- Release Date
- 2023
- Published By
- General Administration of Quality Supervision, Inspection and Quarantine of the People‘s Republic of China
- Latest
- GB/T 31167-2023
- Scope
- GB/T32400-2015 defines three different types of cloud capabilities: application capability type, platform capability type, and infrastructure capability type. The control scope of cloud service providers and customers is different under different cloud capability types. Customers should choose cloud service types based on the characteristics of different cloud service categories and the security management requirements of their own data and business systems, combined with their own technical capabilities, market and technology maturity and other factors. The upper three layers in Figure 3 are composed of the application software layer, software platform layer, and virtualized computing resource layer, which constitute the logical elements of the cloud computing environment. Customers should deploy or migrate businesses with dynamic and periodic demand for resources to the cloud computing platform.
- Introduction
Standard Evolution and Core Changes
GB/T 31167-2023, as the replacement standard for the 2014 version, mainly presents the following technical evolution:
Dimensions 2014 version 2023 version Scope of application Government departments Customers in all industries Division of responsibilities The role of cloud service security provider is not clarified Added responsibilities of cloud service security provider Data classification Sensitive/public two-level classification Expanded to a three-level system of general sensitive/important/core
Security Management Framework
Responsibility Matrix Model
Division of security responsibilities based on different cloud capability types:
Capability type Customer responsibility Cloud service provider responsibility Infrastructure capability type Virtual machine OS and above Virtualization layer and physical facilities Platform capability type Application code and data Middleware and underlying platform
Key points for implementation
Data lifecycle protection
In response to the data residual risk, the standard requires that when exiting the service:
- Media cleaning must be recorded and supervised
- Uncleanable media should be physically destroyed
- Verify the integrity of deletion
Business continuity assurance
Three measures to deal with cloud service provider dependence:
Risk type Mitigation plan Network dependence Multi-operator link redundancy Platform dependence Remote data center backup Service provider operating risks Regular financial health checks
Compliance recommendations
According to clause 9.5.8 of the standard, special attention should be paid to operations in China:
- Data storage must be domestic
- Cross-border data transmission requires separate approval
- Jurisdiction clauses must be clearly written into the contract
GB/T 31167-2023 Referenced Document
- GB/T 31168 Information Security Technology Cloud Computing Service Security Capability Requirements
- GB/T 36325 Information technology.Cloud computing.Basic requirements of cloud service level agreement (CSLA)
- GB/T 37972 Information security technology—Operation supervision framework of cloud computing service
GB/T 31167-2023 history
- 2023 GB/T 31167-2023 Information Security Technology Cloud Computing Service Security Guidelines
- 2014 GB/T 31167-2014 Information security technology.Security guide of cloud computing services