Page 149 - Big data - Concept and application for telecommunications
9.12 Service security assessment and audit
This capability enables the security evaluation of cloud computing services. It enables an authorized party to
verify that a cloud service complies with the applicable security requirements. Security assessment or
security audit could be performed by the CSC, CSP or a third party (CSN), and security certification could be
performed by an authorized third party (CSN).
Appropriate security criteria are implemented so as to provide a mutual understanding of the security level
between the CSC and CSP.
Each CSP, and each of its services, may have a security level that reflects the CSP's security controls and their
effectiveness. Advertised security levels of the CSPs and their services will help facilitate the comparison and
selection of appropriate CSPs and cloud computing services. Independent trusted third parties may be used
to provide reliable, independent and neutral security level assessments.
To avoid a CSP conducting individual security audits for each CSC, common service audit results will be
appropriately reused. For a CSP covering a wide range of cloud computing services, security audits may be
conducted on each cloud computing service. The CSP may provide the appropriate audit results of all or part
of the cloud computing services to an authorized CSC (e.g., potential customer), and to certain other CSPs
and CSNs (e.g., third-party auditor).
For a cloud computing service chain, the security audit results of a downstream service provider will integrate
the relevant security audit results of upstream service providers.
9.13 Interoperability, portability and reversibility
This capability enables the coexistence and cooperation of heterogeneous components (interoperability); it
enables CSCs to replace one CSP with another where appropriate (portability); and it enables CSCs to transfer
their ICT system from a cloud computing environment back to a non-cloud computing ICT infrastructure
(reversibility). Reversibility will also enable the "right to be forgotten" where this is required by local laws or
regulations.
NOTE 1 – This capability is only responsible for the interoperability and portability of cloud computing security
functions, not of the actual data, metadata or message formats, which are the responsibility of other cloud
computing platform functions. For example, this capability might provide transitional encryption, key
management and identity information so that data and other content can be moved between two different
encryption systems without exposing either the system(s) or the data in transit.
NOTE 2 – The "right to be forgotten" is not yet clearly defined and may in some cases be constrained by
regulatory requirements to retain certain data for a minimum period, such as call records or connection
information. It may therefore also be necessary to retain the relevant keys or other security information for
the same period.
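The "transitional encryption" and "key management" that NOTE 1 refers to are left abstract in the text. The following is an added example, not part of the Recommendation and not any CSP's implementation, showing one way such a transition works when the providers use envelope encryption (an assumption): each object is encrypted under its own data encryption key (DEK), and the DEK is stored wrapped under a provider-held key encryption key (KEK). Moving the object to a second provider then means unwrapping the DEK under the source KEK and re-wrapping it under the destination KEK; the bulk ciphertext is copied unchanged and is never decrypted during the move. The key values and record content below are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is a constructed representation of one stored object under envelope
// encryption. Field names are assumptions for this example, not terms from the text.
type Envelope struct {
	Ciphertext []byte // AES-256-GCM(DEK, plaintext), nonce prepended
	WrappedDEK []byte // AES-256-GCM(KEK, DEK), nonce prepended
}

// seal encrypts with AES-GCM under key and prepends the random nonce.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; GCM authentication fails if the wrong key is used.
func open(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Encrypt generates a fresh DEK, encrypts the object with it and wraps the DEK under kek.
func Encrypt(kek, plaintext []byte) (Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, plaintext)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: ct, WrappedDEK: wrapped}, nil
}

// Decrypt unwraps the DEK with kek and recovers the plaintext.
func Decrypt(kek []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, env.Ciphertext)
}

// Migrate moves an object from the source provider's key management to the
// destination's by re-wrapping the DEK. The bulk ciphertext is copied as-is and
// never decrypted, so the data is not exposed in transit; only the 32-byte DEK
// is handled in memory, and the old KEK can no longer open the result.
func Migrate(srcKEK, dstKEK []byte, env Envelope) (Envelope, error) {
	dek, err := open(srcKEK, env.WrappedDEK)
	if err != nil {
		return Envelope{}, err
	}
	rewrapped, err := seal(dstKEK, dek)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Ciphertext: env.Ciphertext, WrappedDEK: rewrapped}, nil
}

func main() {
	// Constructed KEKs standing in for two providers' key management systems.
	kekA := bytes.Repeat([]byte{0x11}, 32)
	kekB := bytes.Repeat([]byte{0x22}, 32)
	env, _ := Encrypt(kekA, []byte("constructed subscriber record"))
	moved, _ := Migrate(kekA, kekB, env)
	pt, err := Decrypt(kekB, moved)
	fmt.Printf("ciphertext unchanged: %v, decrypted at destination: %q (err=%v)\n",
		bytes.Equal(env.Ciphertext, moved.Ciphertext), pt, err)
}
```

The design point is that the DEK re-wrap is the only step at which any key material is exposed, and it is confined to the component that holds both KEKs; NOTE 2's retention concern maps directly onto the wrapped DEK, which must be kept (under some KEK) for as long as the ciphertext must remain readable.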
9.14 Supply chain security
A CSP uses a number of suppliers to build its services. Some of these will be cloud industry participants,
e.g., a CSN, while others will be traditional information technology (IT) equipment or service suppliers, e.g.,
hardware manufacturers with no direct relationship with cloud computing. This capability enables the
establishment of a trust relationship between the CSP and all participants in the supply chain through security
activities. These supply chain security activities involve identifying and gathering information about the CSP's
acquired components and services that are used to provide cloud computing services, and enforcing supply
chain security policies.
For example, typical supply chain security activities in a CSP may include:
• confirmation of background information about the participants in the supply chain;
• validation of hardware, software and services employed by the CSP;
• inspection of the hardware and software purchased by the CSP so as to ensure that it was not
tampered with while in transit;
Security, privacy and data protection 141
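The second and third activities above (validation of software and services employed by the CSP, and inspection for tampering in transit) are stated without a mechanism. The following is an added example, not from the Recommendation and not any CSP's or supplier's tooling, of one common way a receiving inspection is done for software deliveries: the supplier ships a manifest of SHA-256 digests signed with an Ed25519 key whose public half the CSP obtained out of band (the signed-manifest workflow and the manifest format are assumptions of this example), and the CSP rejects the delivery if the signature fails or if any artifact is missing, altered or not listed. Artifact contents and names are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps artifact name to expected SHA-256 digest (hex).
type Manifest map[string]string

// Canonical renders the manifest as sorted "name digest" lines so that the
// signed bytes do not depend on map iteration order (constructed format).
func (m Manifest) Canonical() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", n, m[n])
	}
	return []byte(b.String())
}

// digest returns the hex SHA-256 of data.
func digest(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// NewSupplierKey generates the supplier's signing key pair; a nil reader makes
// ed25519.GenerateKey use crypto/rand.
func NewSupplierKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(nil)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// SignManifest is the supplier-side step before shipment (assumed workflow).
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Canonical())
}

// VerifyDelivery is the CSP's receiving inspection. It returns a sorted list of
// problems; an empty list means the delivery matches what the supplier signed.
// The signature is checked first, because digests from an unauthenticated
// manifest prove nothing about tampering.
func VerifyDelivery(pub ed25519.PublicKey, m Manifest, sig []byte, received map[string][]byte) []string {
	if !ed25519.Verify(pub, m.Canonical(), sig) {
		return []string{"manifest signature invalid"}
	}
	var problems []string
	for name, want := range m {
		data, ok := received[name]
		if !ok {
			problems = append(problems, "missing: "+name)
			continue
		}
		if digest(data) != want {
			problems = append(problems, "digest mismatch: "+name)
		}
	}
	for name := range received {
		if _, ok := m[name]; !ok {
			problems = append(problems, "unlisted artifact: "+name)
		}
	}
	sort.Strings(problems)
	return problems
}

func main() {
	pub, priv := NewSupplierKey()
	fw := []byte("constructed firmware image v1")
	m := Manifest{"firmware.bin": digest(fw)}
	sig := SignManifest(priv, m)
	// Simulate a one-byte alteration in transit.
	altered := append([]byte{}, fw...)
	altered[0] ^= 0x01
	fmt.Println("clean:", VerifyDelivery(pub, m, sig, map[string][]byte{"firmware.bin": fw}))
	fmt.Println("tampered:", VerifyDelivery(pub, m, sig, map[string][]byte{"firmware.bin": altered}))
}
```

Reporting unlisted artifacts, not just mismatched ones, matters in practice: an extra package slipped into a delivery passes any check that only iterates over the manifest.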