Page 146 - Big data - Concept and application for telecommunications
9.1 Trust model
A common trust model is necessary for any system where multiple providers cooperate to provide a
trustworthy service.
Because of the highly distributed and multi-stakeholder nature of cloud computing, the cloud computing
environment will need to incorporate an overall trust model. This trust model will enable the creation of
islands and/or federations of trusted entities, such that disparate elements of the system will be able to
authenticate the identity and authorized rights of other entities and components. Each island or federation
of trust will be based on one or more trusted authorities (e.g., a public key infrastructure (PKI) certificate
authority).
Multiple trust models exist today for both cloud and non-cloud purposes. The specific trust model to be
adopted is out of the scope of this Recommendation.
9.2 Identity and access management (IAM), authentication, authorization and transaction audit
Multiple administrators and users are involved in cloud computing services, and these cloud computing
services are accessed and used internally (CSPs) and externally (CSCs). Identity management is needed, not
only to protect identities, but also to facilitate the access management, authentication, authorization and
transaction audit processes in such a dynamic and open cloud computing infrastructure.
One or more common trust models (clause 9.1) are needed by IAM for the authentication of identities, and
by developers, hypervisors and other system components for the authentication of system components such
as downloaded software modules, applications or datasets.
IAM contributes to the confidentiality, integrity and availability of services and resources, and thus becomes
essential in cloud computing.
Furthermore, IAM may enable the implementation of single sign-on and identity federation for clouds using
different authentication mechanisms or distributed in different security domains.
Transaction audit protects against repudiation, enables forensic analysis after a security incident, and acts as
a deterrent to attacks (both intrusion and insider). Transaction audit involves more than simple logging; it
also includes active monitoring to flag suspicious activities.
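The following is an added example, not part of the Recommendation, showing one way to combine the two aspects of transaction audit described above: records that are hash-chained so that later alteration is detectable during forensic analysis, and a monitoring rule that flags repeated denied transactions. The record fields, actor names, window and threshold are assumptions made for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed starting value for the chain

def _digest(rec):
    # Hash every field except the stored hash itself, in a stable key order.
    body = {k: v for k, v in rec.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

def append_record(log, ts, actor, action, resource, outcome):
    """Append a transaction record linked to the previous record's hash."""
    rec = {"ts": ts, "actor": actor, "action": action, "resource": resource,
           "outcome": outcome, "prev": log[-1]["hash"] if log else GENESIS}
    rec["hash"] = _digest(rec)
    log.append(rec)

def verify_chain(log):
    """Return the index of the first altered or out-of-place record, or -1."""
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec["prev"] != prev or rec["hash"] != _digest(rec):
            return i
        prev = rec["hash"]
    return -1

def flag_suspicious(log, window=60, threshold=3):
    """Active monitoring rule: actors with `threshold` denials within `window` s."""
    recent, flagged = {}, set()
    for rec in log:
        if rec["outcome"] != "denied":
            continue
        times = [t for t in recent.get(rec["actor"], []) if rec["ts"] - t <= window]
        times.append(rec["ts"])
        recent[rec["actor"]] = times
        if len(times) >= threshold:
            flagged.add(rec["actor"])
    return sorted(flagged)

def build_sample_log():
    """Constructed sample transactions (not real data)."""
    log = []
    for event in [(1000, "csc-alice", "read", "vm-image/7", "allowed"),
                  (1010, "csp-admin2", "export", "tenant-db/3", "denied"),
                  (1020, "csp-admin2", "export", "tenant-db/3", "denied"),
                  (1030, "csp-admin2", "export", "tenant-db/4", "denied"),
                  (1200, "csc-bob", "delete", "volume/9", "denied")]:
        append_record(log, *event)
    return log
```

A hash chain only provides tamper evidence if the latest hash is also kept somewhere the logging host cannot rewrite; it does not by itself bind a record to the actor, which needs a digital signature.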
9.3 Physical security
Physical security needs to be achieved. Access to premises containing CSP equipment is restricted to
authorized persons and only to those areas directly necessary for their job functions; this is part of the IAM
process. However, the extent of physical security will depend on the value of the data and the extent to
which multiple customers are permitted access.
9.4 Interface security
This capability secures interfaces open to CSCs and/or other contracted CSPs through which various kinds of
cloud computing services are delivered, and secures communications based on these interfaces. Mechanisms
available to ensure interface security include, but are not limited to, unilateral/mutual authentication,
integrity checksum, end-to-end encryption and digital signature.
9.5 Computing virtualization security
Computing virtualization security refers to the security of the whole computing virtualization environment.
It protects the hypervisor from attacks, protects the host platform from threats originating in the computing
virtualization environment, and keeps VMs secure throughout the life-cycle. Specifically, this capability
enables VM isolation, and protects the VM images and suspended VM instances in storage and during
migration.
138 Security, privacy and data protection