Protection of Data-at-Rest

Objective

Protect data at rest by default (for example, storage) for cloud-based workloads.

IaaS, PaaS, SaaS

Activity	Validation
Implement an encryption mechanism to protect the confidentiality and integrity of data when data is at rest in storage.	For IaaS and PaaS, confirm that storage service encryption is enabled for data at rest (if required based on the security risk assessment). For SaaS, confirm that the cloud service provider (CSP) has implemented encryption to protect customer data.
Use cryptographic algorithms and protocols approved by Communications Security Establishment Canada (CSE) in accordance with ITSP.40.111 and ITSP.40.062.	Cryptographic algorithms and protocols configurable by the consumer are in accordance with ITSP.40.111 and ITSP.40.062. For SaaS, confirm that the CSP has implemented algorithms that align with ITSP.40.111 and ITSP.40.062.

Activity	Validation
Seek guidance from privacy and access to information officials within institutions before storing personal information in cloud-based environments.	• Confirm that privacy is part of the departmental software development life cycle.
Leverage an appropriate key management system for the cryptographic protection used in cloud-based services, in accordance with the Government of Canada Considerations for the Use of Cryptography in Commercial Cloud Services and the Cyber Centre’s Guidance on Cloud Service Cryptography (ITSP.50.106).	Confirm that a key management strategy has been adopted for the cloud tenant.

Direction on the Secure Use of Commercial Cloud Services: Security Policy Implementation Notice (SPIN) 2017-01, subsection 6.2.4
cryptography guidance in Cryptographic Algorithms for Unclassified, Protected A and Protected B Information (ITSP.40.111) and Guidance on Securely Configuring Network Protocols (ITSP.40.062)
Guidance on Cloud Service Cryptography (ITSP.50.106)
Guidance on Defence in Depth for Cloud-Based Services (ITSP.50.104), subsection 4.5

IA-7,SC12, SC13, SC28, SC28(1)