Page 1042 - Cloud computing: From paradigm to operation
P. 1042
7 Security
Configuration management security involves the following measures:
1) Configuration management auditing
Configuration management auditing is to ensure that the configuration alteration and release
requirements have been implemented effectively and efficiently. It can help CSPs verify the
correctness, consistency, completeness, validity, and traceability of each configuration item.
Configuration management auditing should be executed periodically during the daily operation.
All logs of user access, modification, archive and retrieval should be recorded and archived for online
or offline audit.
Furthermore, the report of configuration management auditing related to CSCs or their services
should be appropriately visible to CSCs, to enable CSCs to supervise the security measures and the
effectiveness of CSPs.
2) Configuration management monitoring
CSPs should monitor all the alternations and other operations of configuration files of an entire
cloud computing environment, to prevent non-authorized access, leakage, illegal modification and
mis-configuration.
3) Configuration management database protecting
CSPs should do precise maintenance and management of the configuration management database,
such as role-based authority assignment, garbage removal, regular auditing, periodical backup, etc.
8.9 Emergency response plans
It is critical to ensure that the cloud computing systems are able to be operated effectively by CSPs without
excessive interruption following a security incident. An emergency response plan supports this requirement
by establishing an effective programme, procedures, and technical measures.
In order to reduce the impact of security incidents on the cloud computing platforms and services, CSPs'
emergency response plan should provide a clear guidance for operators and strike a balance between the
level of detail and degree of flexibility. The development and management of an emergency response plan is
a cycle of continuous improvement process consisting of three phases: development phase, testing and
implementation phase, and maintenance phase.
8.9.1 Development phase
Above all, the quantitative and qualitative analysis methods should be adopted to make a comprehensive
risk assessment and business impact analysis (BIA) of the cloud computing systems. After that, the key
features and components of the system could be obtained, as well as the impact of different security
incidents. On this basis, according to the security clause of SLA between CSPs and CSCs, the regulatory
requirements, and the recovery target of the emergency response can be formulated such as the scope of
RTO and RPO. Furthermore, the characters of cloud service and classification of incidents should also be
considered while developing an emergency response plan.
The emergency response plan includes:
1) Notification: A notification procedure should be developed to notify the response team,
management staff and related CSCs once a security incident occurs.
2) Classification and grading of security events: The security assessment of a security incident should
be implemented by the emergency response team to determine its category and grade.
3) Launching: After the classification and grading of the security events, it is urgent for CSPs and CSCs
to activate the correspondingly pre-established response programme.
4) Action: After activating the response programme, countermeasures should be launched
immediately to suppress the impact of security incidents. Additionally, recovery operations should
be taken right after the incidents are effectively controlled.
5) Post-disposal: After the emergency action, it is important to make a conclusion of the latest
emergency response, which includes actions to analyse and summarize the reasons for the incident,
take the assessment of the loss and make the evaluation of the effectiveness and efficiency of the
emergency response plan.
1034
