Page 147 - Big data - Concept and application for telecommunications
P. 147
Big data - Concept and application for telecommunications 4
For CSP, the hypervisor often provides protection for hosted VMs, for example, by providing anti-virus and
anti-spam processing inside hypervisors, so that VMs do not need to implement these functions separately.
The hypervisor will normally be configured with the minimum set of services. Unnecessary interfaces and
application programing interfaces (APIs) will normally be closed, and irrelevant service components will
normally be disabled.
VMs covered by this capability include those created by CSC in IaaS, as well as any VMs created by SaaS and
PaaS. Virtual machines will usually be well isolated when sharing memory, a central processing unit (CPU)
and storage capacities. Virtual machines will usually have intrinsic security capabilities and policy awareness
(e.g., in the guest operating system).
9.6 Network security
In a cloud computing environment, network security enables both physical and virtual network isolation, and
secures communications among all participants. It enables network security domain partition, network
border access controls (e.g., firewall), intrusion detection and prevention, network traffic segregation based
on security policies, and it protects the network from attacks in both the physical and virtual network
environments.
9.7 Data isolation, protection and confidentiality protection
This capability addresses general data protection issues which often have legal implications.
• Data isolation
In a cloud computing context, a tenant is prevented from accessing data belonging to another tenant, even
when the data is encrypted, except when explicitly authorized. Data isolation may be realized logically or
physically, depending on the required isolation granularity and the specific deployment of cloud computing
software and hardware.
NOTE 1 – In cloud computing, isolation occurs at the tenant level. A given CSC may have multiple tenants in
the cloud, for example, to separate different subsidiaries, divisions or business units.
• Data protection
Data protection ensures that CSC data and derived data held in a cloud computing environment is
appropriately protected so that it can only be accessed or changed as authorized by the CSC (or according to
applicable law). This protection may include some combination of access control lists, integrity verification,
error correction/data recovery, encryption and other appropriate mechanisms.
When a CSP provides storage encryption for CSCs, this function can be client-side encryption (e.g., within a
CSP application) or server-side encryption.
• Confidentiality protection
Private information can include PII and confidential corporate data. The collection, use, transfer, handling,
storage and destruction of private information can be subject to confidentiality regulations or laws. This
restriction applies to both CSPs and their CSCs, e.g., a CSC must be able to permanently delete a data table
containing private information, even though the CSP is not aware of the table contents. CSPs may also need
to support the handling, e.g., searching of a CSCs' data in their transformed or encrypted form.
Confidentiality protection extends to private information that may be observed or derived from CSC
activities, such as business trends, relationships or communications with other parties, activity levels and
patterns, etc.
Confidentiality protection is also responsible for ensuring that all private information (including observed or
derived data) is used only for those purposes which have been agreed between a CSC and CSP.
A risk assessment of private information (noted as "confidentiality risk assessment") can assist a CSP in
identifying the specific risks of confidentiality breaches involved in an envisaged operation. The CSP should
identify and implement capabilities to address the confidentiality risks identified by the risk assessment and
treatment of private information.
Security, privacy and data protection 139
