Page 1038 - Cloud computing: From paradigm to operation

7                                                     Security


            8.5     Security configuration management

            Security configuration includes security rules configured in the cloud platform, network, virtual machines and
            various application components. It is different from a high-level security policy, which sets out the
            organization's approach to achieve its information security objectives.

            CSPs should carry out integrated security configuration management so that security configuration is
            implemented efficiently and deployed quickly.

            In security configuration management, it is suggested that CSPs set security policy configuration templates
            and security configuration policy baselines. Furthermore, CSPs should take measures to ensure the
            consistency and efficiency of security configuration when the cloud environment changes, and to isolate the
            security configuration between CSCs in a multi-tenancy environment.

            Security configuration templates comprise the main templates of security configuration that the current cloud
            computing environment needs, such as account management, authentication, access control policies, audit
            policies, dynamic response policies, application and software update policies, backup and recovery policies, etc.

            Security configuration baselines provide a criterion for the security configuration requirements of the entire
            cloud computing environment. They help CSPs evaluate whether the current security configuration
            meets the fundamental security level, and they provide detailed guidance for reinforcement. The
            categories of security configuration baselines should include but are not limited to the following: OS security
            configuration baselines, database security configuration baselines, firewall security configuration baselines,
            switch security configuration baselines, router security configuration baselines, etc.

            Security configuration management involves the following measures:
            1)      Security configuration template management
                    CSPs should set the main security templates that the cloud environment demands, to make security
                    configuration deployment faster and more convenient. Security configuration template
                    management should support customized templates, and should update and optimize templates continuously
                    according to changes in the cloud platform, network status, service requirements, and so on.
                    Furthermore, CSPs should provide CSCs with the capability to customize new security configuration
                    templates according to their own requirements. Additionally, CSCs should be responsible for the
                    effectiveness of the security configuration that they customize.
            2)      Security configuration process management
                    CSPs should verify the effectiveness of the security configuration. Security configuration can be
                    configured according to CSCs' and cloud services' requirements. The main process of security
                    configuration management involves configuration request, configuration approval, testing and
                    technical validation, implementation, configuration archiving and report output.
            3)      Security configuration baseline management
                    CSPs should develop security configuration baselines by comprehensively considering the security
                    requirements of the cloud computing platform, cloud service and CSCs, the security clause of the SLA, etc.
                    The main process of security configuration baseline management involves security configuration
                    checking request and record, approval, checking implementation, checking report output,
                    reinforcement implementation, and reinforcement report output. Security configuration checking
                    should be executed periodically during daily operations, and can be implemented through
                    configuration collecting and baseline security analysis.
            4)      Security configuration conflict management
                    In a resource-sharing cloud environment, faults caused by the security administrator
                    or by other reasons might compromise the security configuration, which may result in
                    vulnerabilities in the cloud computing environment. CSPs should implement efficient measures to
                    detect security configuration conflicts, and establish a security configuration conflict handling
                    process and retrieval mechanisms.
                    The handling process of security configuration conflict should involve conflict alarm, conflict analysis
                    (which includes analysis of reasons and influences), conflict handling and report output.
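
The periodic check in measure 3 ("configuration collecting and baseline security analysis"), sketched as an added example that is not part of the original text. The baseline items, CSC and host names and collected values are constructed assumptions; results are kept per CSC to reflect the isolation requirement between tenants.

```python
# Added example: baseline security analysis over collected configuration.
# Baseline items and collected values are constructed for illustration.
import operator

# Rule kinds: exact match, lower bound, upper bound.
OPS = {"eq": operator.eq, "min": operator.ge, "max": operator.le}

# Hypothetical OS security configuration baseline: setting -> (rule, required)
OS_BASELINE = {
    "password_min_length": ("min", 12),
    "max_failed_logins": ("max", 5),
    "ssh_permit_root_login": ("eq", "no"),
    "audit_logging": ("eq", "enabled"),
}

# Constructed "configuration collecting" output, separated per CSC (tenant).
COLLECTED = {
    "csc-a": {"vm-01": {"password_min_length": 14, "max_failed_logins": 5,
                        "ssh_permit_root_login": "no",
                        "audit_logging": "enabled"}},
    "csc-b": {"vm-07": {"password_min_length": 8, "max_failed_logins": 10,
                        "ssh_permit_root_login": "yes"}},
}

def check_host(config, baseline):
    """Return findings for one host; an absent setting is a deviation."""
    findings = []
    for setting, (rule, required) in sorted(baseline.items()):
        actual = config.get(setting)
        if actual is None or not OPS[rule](actual, required):
            findings.append({"setting": setting, "rule": rule,
                             "required": required, "actual": actual})
    return findings

def checking_report(collected, baseline):
    """Checking report keyed by CSC, so tenants' results never mix."""
    return {csc: {host: check_host(cfg, baseline)
                  for host, cfg in hosts.items()}
            for csc, hosts in collected.items()}

def reinforcement_items(report):
    """Flatten the report into (csc, host, setting, required) work items."""
    return [(csc, host, f["setting"], f["required"])
            for csc, hosts in sorted(report.items())
            for host, findings in sorted(hosts.items())
            for f in findings]

if __name__ == "__main__":
    for item in reinforcement_items(checking_report(COLLECTED, OS_BASELINE)):
        print("reinforce:", item)
```

The checking report feeds the "checking report output" step and the flattened list feeds "reinforcement implementing"; a setting that was never collected is reported with an actual value of `None` rather than silently passing.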

