Protect data at rest by default (e.g. storage) for cloud-based workloads.
- Seek guidance from privacy and access to information officials within institutions before storing personal information in cloud-based environments.
- Implement an encryption mechanism to protect the confidentiality and integrity of data at rest in your solution's storage.
- Use CSE-approved cryptographic algorithms and protocols, in accordance with ITSP.40.111 and ITSP.40.062.
- Implement key management procedures.
- Confirm the encryption policy (e.g. storage-level and/or VM-level encryption, selected on the basis of a risk-based assessment).
- Applicable service models: IaaS, PaaS, SaaS
- Reference: SPIN 2017-01, subsection 6.2.4
- Refer to the cryptography guidance in ITSP.40.111 and ITSP.40.062.
- Refer to the guidance in Considerations for Cryptography in Commercial Cloud Services.
- Related security controls: SC-12, SC-13, SC-17, SC-28, SC-28(1)