

Protection of Data-at-Rest


Objective

Protect data at rest by default (for example, storage) for cloud-based workloads.

Applicable Service Models

IaaS, PaaS, SaaS

Mandatory Requirements

Activity: Implement an encryption mechanism to protect the confidentiality and integrity of data when data is at rest in storage.
Validation:
- For IaaS and PaaS, confirm that storage service encryption is enabled for data at rest (if required based on the security risk assessment).
- For SaaS, confirm that the cloud service provider (CSP) has implemented encryption to protect customer data.

Activity: Use cryptographic algorithms and protocols approved by Communications Security Establishment Canada (CSE) in accordance with ITSP.40.111 and ITSP.40.062.
Validation:
- Cryptographic algorithms and protocols configurable by the consumer are in accordance with ITSP.40.111 and ITSP.40.062.
- For SaaS, confirm that the CSP has implemented algorithms that align with ITSP.40.111 and ITSP.40.062.

Additional Considerations

Activity: Seek guidance from privacy and access to information officials within institutions before storing personal information in cloud-based environments.
Validation:
- Confirm that privacy is part of the departmental software development life cycle.

Activity: Leverage an appropriate key management system for the cryptographic protection used in cloud-based services, in accordance with the Government of Canada Considerations for the Use of Cryptography in Commercial Cloud Services and the Cyber Centre's Guidance on Cloud Service Cryptography (ITSP.50.106).
Validation:
- Confirm that a key management strategy has been adopted for the cloud tenant.
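As an added example, not part of this guardrail page or of any Government of Canada tooling, the Python below evaluates a constructed inventory of storage resources against the two mandatory validations (encryption enabled, approved algorithms) and the key management consideration. The approved-algorithm set and the acceptable key management types are simplified assumptions for illustration only; ITSP.40.111 and ITSP.40.062 remain the authoritative references. The inventory records and their field names are constructed for this example and do not correspond to any particular CSP's API.

```python
"""Data-at-rest guardrail check over a constructed storage inventory.

Example code added to illustrate the validation activities; it is not the
guardrail's own tooling. Field names, the approved-algorithm set and the key
management categories are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Any, Dict, List

# Assumption: AES at 128/192/256-bit key sizes stands in for the CSE-approved
# symmetric algorithms. Consult ITSP.40.111 for the authoritative list.
APPROVED_AT_REST = {"AES-128", "AES-192", "AES-256"}

# Assumption: key management arrangements that count as the tenant having
# adopted a key management strategy (ITSP.50.106 consideration above).
ACCEPTABLE_KEY_MGMT = {"customer-managed", "csp-managed-hsm"}


@dataclass
class Finding:
    resource: str
    severity: str   # "mandatory" (Mandatory Requirements) or "consideration"
    message: str


def check_resource(res: Dict[str, Any]) -> List[Finding]:
    """Apply the guardrail validations to one inventory record.

    The example treats encryption as required for every in-scope resource;
    a real run would carry the outcome of the security risk assessment.
    """
    name = res["name"]
    findings: List[Finding] = []

    # SaaS: the consumer cannot inspect storage encryption directly, so the
    # validation is whether the CSP has attested to encryption and algorithms.
    if res["model"] == "SaaS":
        if not res.get("csp_attests_encryption", False):
            findings.append(Finding(name, "mandatory",
                "CSP has not attested that customer data is encrypted at rest"))
        if not res.get("csp_attests_approved_algorithms", False):
            findings.append(Finding(name, "mandatory",
                "CSP has not attested to ITSP.40.111/ITSP.40.062-aligned algorithms"))
        return findings

    # IaaS / PaaS: storage service encryption must be on; if it is off, the
    # algorithm and key checks are moot, so stop here.
    if not res.get("encryption_enabled", False):
        findings.append(Finding(name, "mandatory",
            "storage service encryption at rest is not enabled"))
        return findings

    algorithm = res.get("algorithm")
    if algorithm not in APPROVED_AT_REST:
        findings.append(Finding(name, "mandatory",
            f"algorithm {algorithm!r} is not in the approved list"))

    if res.get("key_management") not in ACCEPTABLE_KEY_MGMT:
        findings.append(Finding(name, "consideration",
            "no tenant key management strategy is applied to this resource"))
    return findings


def evaluate(inventory: List[Dict[str, Any]]) -> List[Finding]:
    """Run check_resource over the whole inventory."""
    findings: List[Finding] = []
    for res in inventory:
        findings.extend(check_resource(res))
    return findings


def count_by_severity(findings: List[Finding]) -> Dict[str, int]:
    """Summarise findings as {"mandatory": n, "consideration": m}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed sample inventory: one compliant IaaS disk, one PaaS store with
# encryption off, one PaaS backup with a weak cipher and CSP-held keys, and
# one SaaS service whose provider attests to encryption but not algorithms.
SAMPLE_INVENTORY = [
    {"name": "vm-disk-01", "model": "IaaS", "encryption_enabled": True,
     "algorithm": "AES-256", "key_management": "customer-managed"},
    {"name": "blob-logs", "model": "PaaS", "encryption_enabled": False},
    {"name": "db-backup", "model": "PaaS", "encryption_enabled": True,
     "algorithm": "DES", "key_management": "csp-managed"},
    {"name": "hr-saas", "model": "SaaS", "csp_attests_encryption": True,
     "csp_attests_approved_algorithms": False},
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_INVENTORY):
        print(f"[{f.severity}] {f.resource}: {f.message}")
```

Each record yields zero or more findings tagged with the guardrail tier they fall under, so the output separates a mandatory gap (encryption off, unapproved algorithm, missing CSP attestation) from the key management consideration; the compliant IaaS disk produces nothing.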

References

IA-7, SC-12, SC-13, SC-28, SC-28(1)
