Page 1034 - Cloud computing: From paradigm to operation
7 Security
7.2.2.8 Security activity documentation
CSPs can provide security documents that show the efforts made to enhance the security of their cloud
service, such as the security measures implemented, the security management procedures, and so on. These
documents should be conveniently accessible, and should be viewable or downloadable from the CSP's web portal.
8 Guidelines of daily operational security
CSPs should implement security measures and security activities for administrators and tenants in their daily
security operation. The security clauses of the SLA should be fulfilled and guaranteed by the security measures
and activities implemented by CSPs. These security measures and activities include, but are not limited to, the
following:
1) Security measures: CSPs are required to implement sets of security measures to provide basic
capabilities and facilities to enforce the operational security of cloud computing.
a) Identity management and access control is specified in clause 8.1.
b) Data encryption and key management is specified in clause 8.2.
c) System security monitoring is specified in clause 8.3.
d) Disaster recovery is specified in clause 8.4.
e) Security configuration management is specified in clause 8.5.
2) Security activities: CSPs are required to perform routine security activities to address security
problems and secure the operation of cloud computing.
a) Security events processing is specified in clause 8.6.
b) Patch upgrade is specified in clause 8.7.
c) Securing configuration management is specified in clause 8.8.
d) Emergency response is specified in clause 8.9.
e) Backup is specified in clause 8.10.
f) Internal security audit is specified in clause 8.11.
8.1 Identity management and access control
8.1.1 Identity management
CSPs should provide unified identity management for internal administrators and external tenants, which
can furnish the raw data for unified access control, authorization and audit.
1) It should support identity federation, which enables the sharing and synchronization of account
information between different cloud applications in the same trust zone.
2) It should support life cycle management of identity, covering the whole life cycle of an identity:
identity registration, role and privilege assignment, privilege modification, identity deletion, etc.
Furthermore, the registration and modification of an identity should require approval by
administrators.
3) The policies of identity management include the identity account naming policy, the identity account
application policy, etc. These sets of security policies should include:
• The name of the identity account should be unique within the same trust zone.
• The identity account should be locked when invalid passwords are entered repeatedly.
• The identity account should be disabled when it has been unused for a long time.
• Login to the identity account should be refused when login is attempted repeatedly within a very
short time.
4) In the framework of unified user account management, each account should be unambiguously
associated with a specific individual or tenant. Users should be identified by a main account, and
each user (administrator or tenant) should have only one main account. A main account can create
sub-accounts, and a sub-account can be granted the privileges to manage network cells, database
servers, application servers, etc.
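The three account policies in item 3) above (lock on repeated invalid passwords, disable after long inactivity, refuse rapid repeated login attempts) are shown below as a single policy-evaluation routine. This is an added illustration, not text or code from the standard; the thresholds, state names and function names are assumptions chosen for the example, since the clause itself fixes no numbers.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

# Assumed thresholds for illustration; the clause does not prescribe values.
MAX_CONSECUTIVE_FAILURES = 5           # lock after this many consecutive invalid passwords
INACTIVITY_LIMIT = timedelta(days=90)  # "unused for a long time"
RATE_WINDOW = timedelta(seconds=10)    # "a very short time"
RATE_LIMIT = 3                         # attempts tolerated inside RATE_WINDOW


@dataclass
class Account:
    name: str
    state: str = "active"              # persistent state: active | locked | disabled
    consecutive_failures: int = 0
    last_used: Optional[datetime] = None
    attempts: List[datetime] = field(default_factory=list)  # recent attempt timestamps


def evaluate_login(acct: Account, now: datetime, password_ok: bool) -> str:
    """Apply the account policies to one login attempt and return the decision.

    Returns one of: "allow", "invalid_password", "locked", "disabled", "rate_blocked".
    Locked and disabled states persist until an administrator reinstates the account.
    """
    if acct.state in ("locked", "disabled"):
        return acct.state
    # Policy: disable an account that has been unused for a long time.
    if acct.last_used is not None and now - acct.last_used > INACTIVITY_LIMIT:
        acct.state = "disabled"
        return acct.state
    # Policy: refuse repeated login attempts within a very short time window.
    # This block is transient: it clears once the window has passed.
    acct.attempts = [t for t in acct.attempts if now - t <= RATE_WINDOW]
    acct.attempts.append(now)
    if len(acct.attempts) > RATE_LIMIT:
        return "rate_blocked"
    # Policy: lock the account after repeated invalid passwords.
    if not password_ok:
        acct.consecutive_failures += 1
        if acct.consecutive_failures >= MAX_CONSECUTIVE_FAILURES:
            acct.state = "locked"
            return acct.state
        return "invalid_password"
    # Successful login: reset the failure counter and record the use.
    acct.consecutive_failures = 0
    acct.last_used = now
    return "allow"
```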