Page 1031 - Cloud computing: From paradigm to operation


            7       Requirements of the security clause of the service level agreement

            The security clause of the service level agreement (SLA) is the critical factor for CSPs to obtain the user's trust.
            The relationship between CSCs and CSPs, including their security responsibilities, should be described clearly
            by the security clause of SLA. CSPs should focus their operational security measures on fulfilling the
            requirements defined by the security clause of SLA.

            7.1     Security responsibility between CSPs and CSCs
            The responsibilities of both CSPs and CSCs for the security of cloud computing should be delineated in
            accordance with their respective abilities to control the infrastructure and resources of cloud computing.

            The security responsibilities are closely related to the cloud service mode, as the cloud service mode
            reflects the resource control capability in the cloud environment for CSPs and CSCs. For instance, compared
            to platform as a service (PaaS) or infrastructure as a service (IaaS), CSPs in software as a service (SaaS) should
            undertake more security responsibilities, since they have a stronger resource control capability.

            For the service mode of IaaS, CSPs provide the infrastructure services, such as the virtual data centre (VDC),
            which includes hosted servers, storage resources, network and management tools. The fundamental security
            responsibilities of CSPs include physical security, network security, underlying system security and the
            reliability of the whole cloud infrastructure. CSCs should be in charge of all the security issues above the level
            of the cloud infrastructure which they purchase, such as the security of the guest operating system (OS),
            application software, etc.

            For the service mode of PaaS, CSPs provide a simplified, distributed software development, testing and
            deployment environment. CSPs should be responsible for the security of the application programming
            interface (API) of the application environment, the security of middleware, the availability of the cloud platform,
            etc., as well as the security of the underlying infrastructure. On the other hand, CSCs should be responsible
            for the security of the application services running over the cloud platform environment.

            For the service mode of SaaS, CSPs should guarantee the overall security from the infrastructure layer to the
            application layer, and CSCs should maintain the information security related to them, such as the security of
            identity management (IdM), protection against password leakage and so on.

            Furthermore, CSCs should consider the security issues of the terminals that they use to access the cloud.

            7.2     Requirements of the security clause of SLA

            7.2.1   General requirements
            The security clause of SLA should explicitly specify the security terms of the cloud services, as well as the
            responsibilities and liabilities of CSPs and CSCs.

            From the CSC's perspective, CSCs should be able to stipulate their requirements concerning the security
            clause of SLA. The security clause of SLA can help them ensure that their CSPs have adequate protection for
            their information assets, resources and customized services while at rest, in use and in motion, and that
            corrective mechanisms have been implemented to comply with the regulations on data privacy associated
            with their governing jurisdiction.

            From the CSP's perspective, the security clause of SLA stipulates the requirements and measurable terms
            of the security of the cloud service provided, which can be assessed, compared and customized by CSCs. CSPs
            should implement a series of appropriate technological and management mechanisms to improve the
            reliability and security of the cloud services, and fulfil the requirements of the security clause of SLA, which
            can ultimately earn the trust of CSCs. Cloud services may have different types of SLAs due to the content
            of the services, the service grade, and even the region where the services are provided, but the minimal
            requirements of the security clause of SLA should meet the legal and regulatory requirements as well as those
            of related public industry standards.







