Page 140 - Big data - Concept and application for telecommunications


            are usually delivered in certain service categories, e.g., infrastructure as a service (IaaS), platform as a service
            (PaaS), software as a service (SaaS), network as a service (NaaS), and many others. These service categories
            enable cloud computing customers to launch or change their business quickly and easily without establishing
            new information and communication technology (ICT) infrastructure and systems and provide opportunities
            to provision resources elastically, as needed. For example, some cloud service providers (CSPs) might provide
            abstracted hardware and software resources which may be offered as a service (e.g., IaaS or NaaS). Other
            cloud service providers may provide cloud specific platforms (PaaS) or applications (SaaS) to enable
            customers and partners to rapidly develop and deploy new applications which can be configured and used
            remotely.

            There are security threats and challenges in adopting cloud computing, and security requirements vary to a
            great extent for different cloud computing service deployment models and service categories. The
            distributed and multi-tenant nature of cloud computing, the prevalence of remote access to cloud computing
            services and the number of entities involved in each process make cloud computing inherently more
            vulnerable to both internal and external security threats than other paradigms. Many of the security threats
            can be mitigated with the application of traditional security processes and mechanisms. Security touches
            upon and impacts many parts of a cloud computing service. Therefore, the security management of the cloud
            computing services, as well as the associated resources, is a critical aspect of cloud computing.

            Before the migration of the ICT system to cloud computing, a potential cloud service customer (CSC) should
            identify their security threats (see clause 7 below) and security challenges (see clause 8).

            Based on these threats and challenges, a set of high-level security capabilities (see clause 9) are identified.
            Specific requirements for these capabilities are out of the scope of this Recommendation, but they will need
            to be identified for specific implementations of cloud computing services, based on risk assessment against
            the identified threats and challenges.

            Based on the risk assessment, a CSC can determine whether to adopt cloud computing, and can make
            informed decisions over service providers and architecture. The above risk assessment should be performed
            by using an information security risk management framework (e.g., the risk management framework defined
            in [b-ISO/IEC 27005]). See also clause 10 below for a suggested framework methodology.

            This Recommendation distinguishes between security threats and security challenges. Security threats are
            those associated with attacks (both active and passive), and also environmental failures or disasters. Security
            challenges comprise difficulties arising from the nature and operating environment of cloud services. When
            not properly addressed, security challenges may leave doors open for threats.

            Based on these identified security threats and challenges, the security capabilities are described to mitigate
            security threats and address security challenges for cloud computing.


            7 Security threats for cloud computing

            Threats have the potential to harm assets such as information, processes and systems and therefore
            organizations. Threats may be of a natural or human origin, and could be accidental or deliberate. A threat
            may arise from within or from outside the organization. Threats can be classified as accidental or intentional
            and may be active or passive.

            The specific threats encountered are highly dependent on the chosen specific cloud service. For example, for
            a public cloud, threats can arise from the split responsibilities between the CSC and CSP: complexities of
            specifying jurisdiction over data and processes, consistency and adequacy of data protection, and
            maintenance of confidentiality, etc. However, for a private cloud, the threats are simpler to address because
            the CSC controls all the tenants hosted by the CSP. Even though some of the threats identified in this
            Recommendation are also covered by existing industry documents (e.g., Recommendation ITU-T X.800), all
            the threats are relevant to cloud computing. The applicability of individual threats will depend on the specific
            cloud service.

            This clause describes the various security threats that can arise in a cloud computing environment.




            132      Security, privacy and data protection