ITU Workshop on "ICT Security Standardization for Developing Countries" (Geneva, Switzerland, 15-16 September 2014)

Cloud security standardization activities in ITU-T
Huirong Tian, China
tianhuirong@catr.cn

Contents
• Work of ITU-T FG-CC
• Standardization activities in SG17 and SG13

Work of ITU-T FG-CC

ITU-T Focus Group (FG) on Cloud Computing
Objective: to collect and document information and concepts that would be helpful for developing Recommendations to support cloud computing services/applications from a telecommunication/ICT perspective.

ITU-T Focus Group (FG) on Cloud Computing: management team
• Chair: Victor Kutukov (Russia)
• Vice-Chairman: Jamil Chawki (France)
• Vice-Chairman: Kangchan Lee (Korea)
• Vice-Chairman: Mingdong Li (China)
• Vice-Chairman: Monique Morrow (USA)
• Vice-Chairman: Koji Nakao (Japan)
• Vice-Chairman: Olivier Corus (France)

ITU-T FG-Cloud deliverables
2010.2: FG Cloud established
Eight meetings, 7 deliverables
2011.12: FG Cloud concluded
• FG Cloud TR1: Introduction to the cloud ecosystem: definitions, taxonomies, use cases and high-level requirements
• FG Cloud TR2: Functional requirements and reference architecture
• FG Cloud TR3: Requirements and framework architecture of cloud infrastructure
• FG Cloud TR4: Cloud resource management gap analysis
• FG Cloud TR5: Cloud security
• FG Cloud TR6: Overview of SDOs involved in cloud computing
• FG Cloud TR7: Benefits from telecommunication perspectives

FG Cloud TR5: Cloud security
11 study subjects on cloud security:
– Security architecture/model and framework
– Security management and audit technology
– Business continuity planning (BCP) and disaster recovery
– Storage security
– Data and privacy protection
– Account/identity management
– Network monitoring and incident response
– Network security management
– Interoperability and portability security
– Virtualization security
– Obligatory predicates
Follow-up standardization work was launched considering these study subjects.

Standardization activities in SG17 and SG13

Cloud computing security tasks: collaboration between SG13 and SG17

SG17 cloud security related Questions
1. Security architecture/model and framework
2. Security management and audit technology
3. BCP/disaster recovery and storage security
4. Data and privacy protection
5. Account/identity management
6. Network monitoring and incident response
7. Network security
8. Interoperability security
9. Service portability
[Figure: mapping of the subjects above to the SG17 Questions Q3/17 (Management), Q4/17 (CyberSecurity), Q8/17 (cloud, main) and Q10/17 (IdM/Bio)]

SG17 cloud security work items
• X.1601: Security framework for cloud computing (published in 2014.1)
• X.cc-control: Information technology – Security techniques – Code of practice for information security controls for cloud computing services based on ISO/IEC 27002 (common text with ISO/IEC)
• X.sfcse: Security functional requirements for SaaS application environment
• X.goscc: Guideline of operational security for cloud computing
• X.idmcc: Requirement of IdM in cloud computing

X.1601 Security framework for cloud computing: structure
7. Security threats for cloud computing
8. Security challenges for cloud computing
9. Cloud computing security capabilities
10. Framework methodology

X.1601 – 7. Security threats for cloud computing
7.1 Security threats for cloud service customers (CSCs)
• 7.1.1 Data loss and leakage
• 7.1.2 Insecure service access
• 7.1.3 Insider threats
7.2 Security threats for cloud service providers (CSPs)
• 7.2.1 Unauthorized administration access
• 7.2.2 Insider threats

X.1601 – 8. Security challenges for cloud computing
8.1 Security challenges for cloud service customers (CSCs)
• 8.1.1 Ambiguity in responsibility
• 8.1.2 Loss of trust
• 8.1.3 Loss of governance
• 8.1.4 Loss of privacy
• 8.1.5 Service unavailability
• 8.1.6 Cloud service provider lock-in
• 8.1.7 Misappropriation of intellectual property
• 8.1.8 Loss of software integrity
8.2 Security challenges for cloud service providers (CSPs)
• 8.2.1 Ambiguity in responsibility
• 8.2.2 Shared environment
• 8.2.3 Inconsistency and conflict of protection mechanisms
• 8.2.4 Jurisdictional conflict
• 8.2.5 Evolutionary risks
• 8.2.6 Bad migration and integration
• 8.2.7 Business discontinuity
• 8.2.8 Cloud service partner lock-in
• 8.2.9 Supply chain vulnerability
• 8.2.10 Software dependencies
8.3 Security challenges for cloud service partners (CSNs)
• 8.3.1 Ambiguity in responsibility
• 8.3.2 Misappropriation of intellectual property
• 8.3.3 Loss of software integrity

X.1601 – 9. Cloud computing security capabilities
9.1 Trust model
9.2 Identity and access management (IAM), authentication, authorization, and transaction audit
9.3 Physical security
9.4 Interface security
9.5 Computing virtualization security
9.6 Network security
9.7 Data isolation, protection and privacy protection
9.8 Security coordination
9.9 Operational security
9.10 Incident management
9.11 Disaster recovery
9.12 Service security assessment and audit
9.13 Interoperability, portability, and reversibility
9.14 Supply chain security

X.1601 – 10. Framework methodology
Step 1: Use clauses 7 and 8 to identify the security threats and the security implications of the challenges in the cloud computing service under study.
Step 2: Use clause 9 to identify, from the identified threats and challenges, the high-level security capabilities needed to mitigate those threats and address those challenges.
Step 3: Derive the security controls, policies and procedures that provide the needed security abilities, based on the identified security capabilities.

X.cc-control: Scope
This International Standard provides guidelines supporting the implementation of information security controls for cloud service providers and cloud service customers of cloud computing services. Selection of appropriate controls and the application of the implementation guidance provided will depend on a risk assessment as well as any legal, contractual, or regulatory requirements. ISO/IEC 27005 provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.

X.sfcse: Scope
This Recommendation provides a generic functional description for a secure service-oriented Software as a Service (SaaS) application environment that is independent of network types, operating systems, middleware, and vendor-specific products or solutions. In addition, this Recommendation is independent of any service- or scenario-specific model (e.g., web services, Parlay X or REST), assumptions or solutions. This Recommendation aims to describe a structured approach for defining, designing, and implementing secure and manageable service-oriented capabilities in a telecommunication cloud computing environment.

X.goscc: Scope
This Recommendation provides a guideline of operational security for cloud computing, which includes guidance on SLAs and daily security maintenance for cloud computing. The target audiences of this Recommendation are cloud service providers, such as traditional telecom operators, ISPs and ICPs.

X.idmcc: Scope
This Recommendation provides use-case and requirements analysis, giving consideration to the existing industry efforts. This Recommendation concentrates on the requirements for providing IdM as a Service (IdMaaS) in cloud computing. The use of non-cloud IdM in cloud computing, while common in industry, is out of scope for this Recommendation.

SG17 cloud security Recommendation structure
[Figure: structure of the SG17 cloud security Recommendations]

SG13 cloud security plans
• Y.inter-cloud-sec
• Y.cloudtrustmodels
• Y.clouduse&req
• Y.cloudSECasaservice

Conclusions and Recommendations
• Cloud computing will change the ICT industry.
• The security capabilities will affect how cloud computing could be used.
• Work item proposals on trust models, security controls, best practices, etc. are solicited.

Thanks for listening!