Page 1016 - Cloud computing: From paradigm to operation

7                                                     Security


            1       Scope

            This Recommendation provides guidelines for cloud service customer (CSC) data security in cloud computing,
            for those cases where the cloud service provider (CSP) is responsible for ensuring that the data is handled
            with proper security. This is not always the case, since for some cloud services the security of the data is the
            responsibility of CSCs themselves. In other cases, the responsibility may be mixed.
            For example, in some cases the CSP may be responsible for restricting access to the data, while the CSC
            remains responsible for deciding which cloud service users (CSUs) should have access to it, and the behaviour
            of any scripts or applications with which the CSU processes the data.
            This Recommendation identifies security controls for CSC data that can be used in different stages of the full
            data lifecycle. These security controls can differ when the security level of the CSC data changes. Therefore,
            this Recommendation provides guidelines on when each control should be used for best security practice.


            2       References
            The following ITU-T Recommendations and other references contain provisions which, through reference in
            this text, constitute provisions of this Recommendation. At the time of publication, the editions indicated
            were valid. All Recommendations and other references are subject to revision; users of this Recommendation
            are therefore encouraged to investigate the possibility of applying the most recent edition of the
            Recommendations and other references listed below. A list of the currently valid ITU-T Recommendations is
            regularly published. The reference to a document within this Recommendation does not give it, as a
            stand-alone document, the status of a Recommendation.
            [ITU-T X.1601]         Recommendation ITU-T X.1601 (2015), Security framework for cloud computing.
            [ITU-T X.1631]         Recommendation ITU-T X.1631 (2015) | ISO/IEC 27017:2015, Information
                                   technology – Security techniques – Code of practice for information security
                                   controls based on ISO/IEC 27002 for cloud services.

            3       Definitions
            3.1     Terms defined elsewhere

            This Recommendation uses the following terms defined elsewhere:
            3.1.1   authentication [b-NIST-SP-800-53]: Verifying the identity of a user, process, or device, often as a
            prerequisite to allowing access to resources in an information system.
            3.1.2   cloud computing [b-ITU-T Y.3500]: Paradigm for enabling network access to a scalable and elastic
            pool of shareable physical or virtual resources with self-service provisioning and administration on-demand.
            NOTE – Examples of resources include servers, operating systems, networks, software, applications, and storage equipment.
            3.1.3   cloud service [b-ITU-T Y.3500]: One or more capabilities offered via cloud computing invoked using
            a defined interface.
            3.1.4   cloud service customer [b-ITU-T Y.3500]: Party which is in a business relationship for the purpose of
            using cloud services.
            NOTE – A business relationship does not necessarily imply financial agreements.
            3.1.5   cloud service customer data [b-ITU-T Y.3500]: Class of data objects under the control, by legal or
            other reasons, of the cloud service customer that were input to the cloud service, or resulted from exercising
            the capabilities of the cloud service by or on behalf of the cloud service customer via the published interface
            of the cloud service.
            NOTE 1 – An example of legal controls is copyright.
            NOTE 2 – It may be that the cloud service contains or operates on data that is not cloud service customer data; this
            might be data made available by the cloud service providers, or obtained from another source, or it might be publicly
            available data. However, any output data produced by the actions of the cloud service customer using the capabilities
            of the cloud service on this data is likely to be cloud service customer data, following the general principles of copyright,
            unless there are specific provisions in the cloud service agreement to the contrary.


