Page 142 - Big data - Concept and application for telecommunications
7.2.2 Insider threats
Where humans are involved, there is always a risk of individuals acting in a malicious or careless manner that
puts the security of the service at risk.
CSP employees sharing "administrator" passwords or otherwise leaving credentials unsecured (e.g., written
on notes stuck to a screen), careless or inadequately trained users, and malicious actions by disgruntled
employees will always pose a significant threat to any business.
CSPs in particular need to seriously consider the trustworthiness of their own employees. Even with good
screening of employees, there is always the risk of a skilled intruder successfully obtaining a position on the
CSP's data centre staff. Such an intruder might be seeking to undermine the CSP itself, or may be intending
to penetrate specific CSC systems that are being supported, especially if the CSC is a high-profile corporation
or government agency.
8 Security challenges for cloud computing
Security challenges comprise difficulties other than security threats arising from the nature and operating
environment of cloud services, including "indirect" threats. An indirect threat is where a threat to one
participant of a cloud service may have adverse consequences for others.
The challenges identified in this Recommendation are the ones that, when not properly addressed, may leave
the door open to threats. These challenges need to be taken into account when evaluating and using cloud
computing services.
8.1 Security challenges for cloud service customers (CSCs)
This clause describes security challenges associated with environmental difficulties or indirect threats that
may give rise to more direct threats to the interests of the CSC.
8.1.1 Ambiguity in responsibility
CSCs consume delivered resources through different service categories and deployment models, so the
customer-built ICT system relies on these services. Any lack of a clear definition of responsibility between
CSCs and CSPs may introduce conceptual and operational conflicts, and any inconsistency between the
contract and the services actually provided could give rise to anomalies or incidents. For example, which entity
is the data controller and which one is the data processor may be unclear at an international scale, even when
the international aspect is limited to a single third party located outside a specific region such as the
European Union.
Due to legal and regulatory requirements, any related doubt (e.g., whether a given CSC or CSP is a "data
controller" or "data processor") may lead to ambiguity as to which set of regulations they are required to
adhere to. If this interpretation varies in different jurisdictions, a given CSC or CSP could find themselves
subject to conflicting regulations on the same service or portion of data.
8.1.2 Loss of trust
It is sometimes difficult for a CSC to assess its CSP's trust level because of the black-box nature of the cloud
computing service. If there are no means of obtaining and sharing the provider's security level in a formalized
manner, CSCs have no way to evaluate the level of security implementation actually achieved by the provider.
Such a lack of security-level information about the CSP could become a serious security threat for some CSCs
in their use of cloud computing services.
8.1.3 Loss of governance
The decision by CSCs to migrate part of their own ICT system to a cloud computing infrastructure implies
giving partial control to a CSP. This could be a serious threat to a CSC's data, notably with regard to the roles
and privileges assigned to the provider. Coupled with a lack of transparency regarding the cloud computing
provider's practices, this may lead to misconfiguration, or even enable a malicious insider attack.
134 Security, privacy and data protection