Page 987 - Cloud computing: From paradigm to operation
Security 7
9.8 Security coordination
Since different cloud computing services imply different implementations of security controls, this security
capability coordinates heterogeneous security mechanisms to avoid protection conflicts.
Parties playing different roles in the cloud computing ecosystem, e.g., CSP, CSC, CSN, have different degrees
of control over the physical or virtual resources and services, including the control of security.
For each party, there will be various security mechanisms including hypervisor isolation, IAM, network
protection, etc.
One of the purposes of cloud computing is to enable a combination of these different parties to
collaboratively design, build, deploy and operate various physical and virtualized resources together.
Therefore, a CSP needs to be able to coordinate different security mechanisms across the different parties.
Security coordination depends on the interoperability and harmonization of diverse security mechanisms.
9.9 Operational security
This capability provides security protection for the daily operation and maintenance of cloud computing
services and infrastructure.
This operational security capability includes:
• defining sets of security policies and security activities such as configuration management, patch
upgrade, security assessment, incident response (see also clause 9.10 "Incident management"), and
ensuring these security measures are correctly enforced to fulfil the requirements of applicable laws
and contracts including any security SLA;
• monitoring the CSP's security measures and their effectiveness, and giving appropriate reports to
affected CSCs and applicable third-party auditors (acting as a CSN), which can enable the CSC to
measure whether a CSP is delivering on SLA security commitments.
In the event that the CSP's security measures or their effectiveness change, all downstream CSPs and CSCs
will be alerted to such changes.
These reports and alerts enable authorized CSCs to see appropriate incidents, audit information, and
configuration data relating to their cloud computing services.
9.10 Incident management
Incident management provides incident monitoring, prediction, alerting and response. In order to know
whether the cloud computing service is operating as expected through the whole infrastructure, continuous
monitoring is necessary (e.g., monitoring the real-time performance of the virtualized platform and virtualized
machines). This enables systems to capture the service security status, identify abnormal conditions, and
provide early warning of security system overloads, breaches, service discontinuity, etc. After the occurrence
of security incidents, the problem is identified and the incident is quickly responded to, either automatically
or with the intervention of a human administrator. Closed incidents are logged and analysed for possible
underlying patterns which can then be proactively addressed.
9.11 Disaster recovery
Disaster recovery represents the capability to respond to catastrophic disasters, to recover to a safe state
and to resume normal operations as quickly as possible. This capability provides continuity of the provided
service with minimum interruption.
9.12 Service security assessment and audit
This capability enables the security evaluation of cloud computing services. It enables an authorized party to
verify that a cloud service complies with the applicable security requirements. Security assessment or
security audit could be performed by the CSC, CSP or a third party (CSN), and security certification could be
performed by an authorized third party (CSN).