Protection of Data-at-Rest

Objective

Protect data at rest by default (e.g. storage) for cloud-based workloads.

Key Considerations

• [ ] Seek guidance from privacy and access to information officials within institutions before storing personal information in cloud-based environments.
• [ ] Implement an encryption mechanism to protect the confidentiality and integrity of data when data are at rest in your solution's storage.
• [ ] Use CSE-approved cryptographic algorithms and protocols, in accordance with 40.111 and 40.062.
• [ ] Implement key management procedures.

Validation

• [ ] Confirm policy for encryption (e.g. storage and/or VM based on risk-based assessment).

Applicable Service Models

• IaaS, PaaS, SaaS

References

1. SPIN 2017-01, subsection 6.2.4
2. Refer to the cryptography guidance in 40.111 and 40.062.
3. Refer to the guidance in Considerations for Cryptography in Commercial Cloud Services.
4. Related security controls: SC‑12, SC‑13, SC‑17, SC‑28, SC‑28(1)