Page 749 - Cloud computing: From paradigm to operation
XaaS 3
applications consist of static security features when applications are in idle status and of dynamic security
features when applications are running.
8.2 Security requirements of CSP
Besides common security requirements, CSP has specific security requirements in the SaaS application
environment.
8.2.1 Availability
For CSP, the SaaS application environment is required to ensure that CSCs are in service all the time, which
requires the handling of hardware/software failures, denial of service attacks, etc. It is essential to ensure
minimal downtime for CSCs.
8.2.2 Service interoperability/portability guarantee
When CSC wants to migrate all or a part of its system to another CSP, the original CSP requires the SaaS
application environment to provide service interoperability and portability guarantees to minimize the
damage to CSC's business. In addition, the SaaS application environment is required to guarantee that the
related data will be deleted permanently on the previous CSP and cannot be recovered by any other party.
8.2.3 Software assets protection
Software assets (such as applications, application-internal data, scripts, macros, function code library,
software license, etc.) are required to be protected in the SaaS application environment.
CSP requires the SaaS application environment to protect the confidentiality and integrity of any software
assets provided by CSP or CSN, which implies that these software assets cannot be copied, misappropriated,
tampered with, given away, or otherwise used in an unauthorized manner.
8.2.4 Legal compliance
Though CSP can use data backup and redundancy mechanisms to ensure the reliability of CSC's data, the SaaS
application environment is required to ensure that data copies shall not be retained for longer than the
data retention period permitted under the applicable data protection law.
8.2.5 Security verification for source codes
Because, in the SaaS application environment, CSN may provide application code, content or software to CSP,
the SaaS application environment is required to provide mechanisms that assist CSP in verifying the code and
preventing malicious code.
8.3 Security requirements of CSN
In the SaaS application environment, CSN can be an application developer, content provider, software
provider, system integrator and auditor. Besides common security requirements, CSN has its own security
requirements in the SaaS application environment.
8.3.1 Audit security
When CSN is an auditor, the SaaS application environment is required to provide mechanisms that assist CSN
to collect audit events, logging and reporting information at the granularity of tenant and application. This
information is used to assure that CSP's service complies with governmental regulatory requirements and
legal agreements contracted with tenants. The SaaS application environment is also required to provide
mechanisms that assist CSN to ensure that the information collected and reported by the audit components
within the CSP system are correct and not subject to tampering or manipulation.
In addition, the SaaS application environment is required to provide the capability for CSN to record changes
to important data and monitor data availability online, in order to send a security alarm in time and
thereby reduce losses.
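One way to meet the tamper-evidence requirement of 8.3.1 is a MAC-chained audit log kept per tenant and application. The sketch below is an added example, not a mechanism specified by this text. The names AuditLog, verify and GENESIS are hypothetical, and it assumes that the MAC key is protected from anyone able to edit the log and that the auditing CSN keeps its own copy of the chain heads.

```python
import hashlib
import hmac
import json

GENESIS = "0" * 64  # "previous MAC" of the first record in every stream

def _mac(key, body):
    # Canonical JSON so the same record always yields the same MAC.
    data = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class AuditLog:
    """Append-only log with one MAC chain per (tenant, application)."""

    def __init__(self, key):
        self._key = key
        self.records = []
        self.heads = {}  # (tenant, app) -> (MAC of last record, next seq)

    def append(self, tenant, app, event):
        prev, seq = self.heads.get((tenant, app), (GENESIS, 0))
        body = {"tenant": tenant, "app": app, "seq": seq,
                "event": event, "prev": prev}
        rec = dict(body, mac=_mac(self._key, body))
        self.records.append(rec)
        self.heads[(tenant, app)] = (rec["mac"], seq + 1)
        return rec

def verify(records, key, expected_heads=None):
    """Return (tenant, app, seq, reason) findings; an empty list means intact."""
    findings, heads = [], {}
    for rec in records:
        stream = (rec["tenant"], rec["app"])
        prev, seq = heads.get(stream, (GENESIS, 0))
        body = {k: v for k, v in rec.items() if k != "mac"}
        if not hmac.compare_digest(_mac(key, body), rec["mac"]):
            findings.append((*stream, rec["seq"], "bad MAC"))      # record edited
        elif rec["prev"] != prev or rec["seq"] != seq:
            findings.append((*stream, rec["seq"], "chain break"))  # removed or reordered
        heads[stream] = (rec["mac"], rec["seq"] + 1)
    # Heads held by the auditor, outside the CSP system, expose a truncated tail.
    for stream, head in (expected_heads or {}).items():
        if heads.get(stream) != head:
            findings.append((*stream, head[1], "head mismatch"))
    return findings

if __name__ == "__main__":
    log = AuditLog(b"constructed-demo-key")  # constructed key and events
    for t, a, e in [("t1", "crm", "login"), ("t1", "crm", "export")]:
        log.append(t, a, e)
    print(verify(log.records[:-1], b"constructed-demo-key", log.heads))
```

Without the auditor-held heads, removing the most recent records of a stream leaves a chain that still verifies, which is why verify accepts them as a separate input.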