Page 145 - Big data - Concept and application for telecommunications
While lock-in is a business issue, it is not in itself a security threat. However, it can sometimes give rise to
security concerns. For example, if the CSN that supplies a key component goes out of business, no further
security patches may be available. Where a vulnerability in that component later emerges, it may then be very
difficult or expensive to mitigate the risk.
8.2.9 Supply chain vulnerability
A CSP is at risk if hardware or software delivered to the platform through its supply chain undermines CSC
or CSP security, for example through the accidental or deliberate introduction of malware or exploitable
vulnerabilities.
A case in point would be bad software from the CSN. This security challenge exists for any CSN software running
in the CSP, such as customer-facing software, a virtual machine (VM) guest operating system (OS), applications,
platform components, or audit/monitoring software (e.g., for a partner providing a service audit).
Another example is when a CSP is running software provided by a partner; the CSP is at risk if the partner
fails to provide the necessary security updates in a timely manner.
8.2.10 Software dependencies
When a vulnerability is detected, it may not be possible to apply updates immediately because doing so would
break other software components (even though those components may not otherwise require updating). This is
particularly true if the dependency exists between components provided by one or more CSNs rather than by
the CSP itself.
8.3 Security challenges for cloud service partners (CSNs)
This clause considers challenges that directly affect CSNs. Such challenges might affect the ability of a CSN to
do business, to get paid, to protect their intellectual property, and to avoid legal or regulatory difficulties.
Security challenges to a given CSN will depend on their specific business and environments, such as
development, integration, audit, or otherwise.
8.3.1 Ambiguity in responsibility
Where there is a mix of CSP and CSN software running in the service, it may not be apparent to the CSC where
the responsibility for mitigation and handling of security incidents resides. It may be quite difficult to
determine the responsible entity by technical analysis. This could result in mutual finger-pointing between
the CSP and CSN(s) as to who is at fault, which could result in further breaches if the root cause is not found.
8.3.2 Misappropriation of intellectual property
When partners submit software or other assets to the CSP for execution, the security challenge exists that
this material could be leaked to third parties or misappropriated for unauthorized use. This could include a
violation of copyright or the exposure of trade secrets.
8.3.3 Loss of software integrity
Once the partner's software is running in the CSP, there is a possibility of the software being modified or
infected while it is out of the direct control of the CSN, thus causing their software to misbehave in some
way. Although this possibility exists outside the CSN's control, it could seriously affect their reputation and
thus their business.
9 Cloud computing security capabilities
This Recommendation identifies the following security capabilities against the identified cloud computing
security threats and challenges. Parameters related to these security capabilities may be stipulated in the
security service level agreement (SLA), for example, an incident response time.
Security, privacy and data protection 137