Page 1028 - Cloud computing: From paradigm to operation
7 Security
1 Scope
This Recommendation clarifies the security responsibilities between cloud service providers (CSPs) and cloud
service customers (CSCs), and analyses the requirements and categories of security metrics of operational
security for cloud computing. It defines sets of detailed security measures and security activities for the daily
operation and maintenance for cloud computing services and infrastructure from the perspective of CSPs, to
fulfil the requirements of operational security for cloud computing.
This Recommendation will be helpful for CSPs to reduce operational risks. The target audiences of this
Recommendation are CSPs, such as traditional telecommunication operators and Internet service providers
(ISPs).
2 References
None.
3 Definitions
3.1 Terms defined elsewhere
This Recommendation uses the following terms defined elsewhere:
3.1.1 cloud computing [b-ITU-T Y.3500]: Paradigm for enabling network access to a scalable and elastic
pool of shareable physical or virtual resources with self-service provisioning and administration on-demand.
3.1.2 cloud service [b-ITU-T Y.3500]: One or more capabilities offered via cloud computing invoked using
a defined interface.
3.1.3 cloud service customer [b-ITU-T Y.3500]: Party which is in a business relationship for the purpose
of using cloud services.
3.1.4 cloud service partner [b-ITU-T Y.3500]: Party which is engaged in support of, or auxiliary to, activities
of either the cloud service provider or the cloud service customer, or both.
3.1.5 cloud service provider [b-ITU-T Y.3500]: Party which makes cloud services available.
3.1.6 infrastructure as a service (IaaS) [b-ITU-T Y.3500]: Cloud service category in which the cloud
capabilities type provided to the cloud service customer is an infrastructure capabilities type.
3.1.7 multi-tenancy [b-ITU-T Y.3500]: Allocation of physical or virtual resources such that multiple tenants
and their computations and data are isolated from and inaccessible to one another.
3.1.8 network as a service (NaaS) [b-ITU-T Y.3500]: Cloud service category in which the capability
provided to the cloud service customer is transport connectivity and related network capabilities.
3.1.9 party [b-ISO 27729]: Natural person or legal person, whether or not incorporated, or a group of
either.
3.1.10 platform as a service (PaaS) [b-ITU-T Y.3500]: Cloud service category in which the cloud capabilities
type provided to the service customer is a platform capabilities type.
3.1.11 security challenge [b-ITU-T X.1601]: A security "difficulty" other than a direct security threat arising
from the nature and operating environment of cloud services, including "indirect" threats.
3.1.12 security domain [b-ITU-T X.810]: A set of elements, a security policy, a security authority and a set
of security-relevant activities in which the set of elements are subject to the security policy for the specified
activities, and the security policy is administered by the security authority for the security domain.
3.1.13 security incident [b-ITU-T E.409]: A security incident is any adverse event whereby some aspect of
security could be threatened.
3.1.14 service level agreement (SLA) [b-ISO/IEC 20000-1]: Documented agreement between the service
provider and customer that identifies services and service targets.