Page 143 - Big data - Concept and application for telecommunications


            When adopting cloud computing services, some CSCs may have concerns over a lack of control over their
            information and assets hosted in CSPs, over data storage, reliability of data backup (data retention issues),
            countermeasures for business continuity plans (BCPs) and disaster recovery, etc.
            For example:
            •       A CSC wishes to delete a file for legal reasons, but the CSP retains a copy that the CSC does not know
                    about.
            •       A CSP gives the CSC's administrator privileges that go beyond the CSC's policy.
            •       Some CSCs may have concerns regarding the exposure of data by a CSP to foreign governments
                    which could impact the CSC's compliance with confidentiality laws, such as the European Union data
                    protection directives.

            8.1.4   Loss of confidentiality

            When a CSP processes confidential information, there is a possibility of there being a violation of
            confidentiality, which could also include a violation of applicable data protection regulations, certifications
            or laws. This includes the leakage of confidential information, or the processing of personally identifiable
            information (PII) for a purpose that is not authorized by the CSC and/or the data subject.

            8.1.5   Service unavailability
            Availability is not specific to the cloud computing environment. However, because of the service-oriented
            design principle, service delivery may be impacted when upstream cloud computing services are not
            completely available. Moreover, the dynamic dependency of cloud computing offers more possibilities to an
            attacker. For example, a denial-of-service attack on one upstream service may affect multiple downstream
            services in the same cloud computing system.

            8.1.6   Cloud service provider lock-in

            High dependency on a single CSP could make it more difficult to replace one CSP with another. This could be the
            case where a CSP relies on non-standard functions or formats and does not provide interoperability. This
            could become a security threat if the locked-in CSP fails to address known security vulnerabilities, thus leaving
            the CSC vulnerable but unable to migrate to another CSP.

            8.1.7   Misappropriation of intellectual property
            When the CSC's software is run or other assets are stored by the CSP, the challenge exists that this material
            could be leaked to third parties or misappropriated for unauthorized use. This could include a violation of
            copyright or the exposure of trade secrets.

            8.1.8   Loss of software integrity
            Once the CSC's software is running in the CSP, there is the possibility of the software being modified or
            infected while it is out of the direct control of the CSC, thus causing their software to misbehave in some way.
            Although this possibility exists outside the CSC's control, it could seriously affect their reputation and thus
            their business.


            8.2     Security challenges for cloud service providers (CSPs)
            This clause describes security challenges associated with environmental difficulties or indirect threats that
            may give rise to more direct threats to the interests of the CSP.

            8.2.1   Ambiguity in responsibility
            Different roles (CSP, CSC, and CSN) may be defined in a cloud computing system. Ambiguity of the definition
            of responsibilities related to issues such as data ownership, access control or infrastructure maintenance may
            impact business or legal disputes (especially when dealing with third parties, or when the CSP is also a CSC
            or a CSN). This ambiguity risk increases when the CSP is operating and/or offering services across multiple
            jurisdictions where contracts and agreements may exist in different languages or legal frameworks. See also
            clause 8.2.4, "Jurisdictional conflict" below.


                                                                   Security, privacy and data protection   135