Page 988 - Cloud computing: From paradigm to operation
7 Security
Appropriate security criteria are implemented so as to provide a mutual understanding of the security level
between the CSC and CSP.
Each CSP and each of its services may have a security level that reflects the CSP's security controls and their
effectiveness. Advertised security levels of the CSPs and their services will help facilitate the comparison and
selection of appropriate CSPs and cloud computing services. Independent trusted third parties may be used
to provide reliable, independent and neutral security level assessments.
To avoid a CSP conducting individual security audits for each CSC, common service audit results will be
appropriately reused. For a CSP covering a wide range of cloud computing services, security audits may be
conducted on each cloud computing service. The CSP may provide the appropriate audit results of all or part
of the cloud computing services to an authorized CSC (e.g., potential customer), and to certain other CSPs
and CSNs (e.g., third-party auditor).
For a cloud computing service chain, the security audit results of a downstream service provider will integrate
the relevant security audit results of upstream service providers.
9.13 Interoperability, portability and reversibility
This capability enables the coexistence and cooperation of heterogeneous components (interoperability), it
enables CSCs to replace one CSP with another where appropriate (portability), and enables CSCs to transfer
their ICT system from a cloud computing environment back to a non-cloud computing ICT infrastructure
(reversibility). This reversibility will also enable the "right to be forgotten" if this is required by local laws or
regulations.
NOTE 1 – This capability is only responsible for the interoperability and portability of cloud computing security functions,
not of the actual data, metadata or message formats, which are the responsibility of other cloud computing platform
functions. For example, this capability might provide transitional encryption, key management and identity information
so that data and other content can be moved between two different encryption systems without exposing either the
system(s) or the data in transit.
NOTE 2 – The "right to be forgotten" is not yet clearly defined and may in some cases be constrained by regulatory
requirements to retain certain data for a minimum period, such as call records or connection information. It may
therefore also be necessary to retain the relevant keys or other security information for the same period.
9.14 Supply chain security
A CSP uses a number of suppliers to build its services. Some of these will be cloud industry participants,
e.g., a CSN, while others will be traditional information technology (IT) equipment or service suppliers, e.g.,
hardware manufacturers with no direct relationship with cloud computing. This capability enables the
establishment of a trust relationship between the CSP and all participants in the supply chain by security
activities. These supply chain security activities involve identifying and gathering information about the CSP's
acquired components and services that are used to provide cloud computing services, and enforcing supply
chain security policies.
For example, typical supply chain security activities in a CSP may include:
• confirmation of background information about the participants in the supply chain;
• validation of hardware, software and services employed by the CSP;
• inspection of the hardware and software purchased by the CSP so as to ensure that it was not
tampered with while in-transit;
• providing mechanisms to verify the provenance of cloud service software, for example, code
provided by a CSN. Where applicable, CSNs and their host CSPs provide a process to verify the
integrity of the CSN's software component to ensure that it is exactly as delivered and has not been
modified or compromised. Some CSNs may demand the means to verify this directly by themselves.
This capability is continuous, so as to cover ongoing system evolution and updates.
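The last two activities above (inspection for in-transit tampering, and verification that a CSN's software component is exactly as delivered) are usually implemented with a per-file digest manifest that the supplier authenticates and the CSP checks on receipt. The following is an added example, not code from the Recommendation or from any CSP or CSN. It assumes a constructed delivery (a few in-memory files), a constructed shared key, and an HMAC-SHA-256 tag over the canonical manifest; a real CSN would instead sign the manifest with an asymmetric key and the CSP would verify with the CSN's public key, but the check structure is the same.

```python
"""Integrity verification of a supplier-delivered software component (added example)."""
import hashlib
import hmac
import json

# Constructed sample delivery: path -> file contents as the CSN claims to have shipped them.
DELIVERED = {
    "bin/agent": b"\x7fELF-stub-agent-binary-(constructed)",
    "etc/agent.conf": b"listen = 127.0.0.1:8443\nlog_level = info\n",
    "lib/plugin.so": b"\x7fELF-stub-plugin-(constructed)",
}

# Constructed key shared out-of-band between CSN and CSP (assumption for this demo).
# In practice the manifest would carry a digital signature rather than an HMAC tag.
MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"


def digest(data):
    """SHA-256 hex digest of one file's contents."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(files, key):
    """Supplier side: canonical JSON listing every file's digest, plus an HMAC tag over it."""
    entries = {path: digest(data) for path, data in sorted(files.items())}
    body = json.dumps({"version": 1, "files": entries},
                      sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def verify_delivery(files, manifest, tag, key):
    """CSP side: return a list of problems; an empty list means the delivery is exactly as described."""
    # Authenticate the manifest first; an unauthenticated manifest proves nothing about the files.
    expected_tag = hmac.new(key, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return ["manifest authentication failed (tag mismatch)"]
    listed = json.loads(manifest)["files"]
    problems = []
    # Check both directions: listed files must be present and unchanged, and nothing extra may appear.
    for path in sorted(set(listed) | set(files)):
        if path not in files:
            problems.append("missing: " + path)
        elif path not in listed:
            problems.append("unexpected extra file: " + path)
        elif digest(files[path]) != listed[path]:
            problems.append("modified: " + path)
    return problems


def demo():
    """Run the check on a clean delivery, a tampered one, and a tampered one with a rewritten manifest."""
    manifest, tag = build_manifest(DELIVERED, MANIFEST_KEY)
    clean = verify_delivery(DELIVERED, manifest, tag, MANIFEST_KEY)

    # Simulated in-transit tampering: one binary altered and one file added (constructed).
    tampered = dict(DELIVERED)
    tampered["bin/agent"] = DELIVERED["bin/agent"] + b"\x90\x90"
    tampered["lib/extra.so"] = b"injected"
    tampered_result = verify_delivery(tampered, manifest, tag, MANIFEST_KEY)

    # A manifest rewritten to match the tampered files still fails, because the
    # original tag no longer verifies over the new manifest body.
    rewritten_manifest, _ = build_manifest(tampered, MANIFEST_KEY)
    rewritten_result = verify_delivery(tampered, rewritten_manifest, tag, MANIFEST_KEY)
    return clean, tampered_result, rewritten_result


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "rewritten manifest"), demo()):
        print(label + ":", result or "OK")
```

The order of checks matters: the manifest is authenticated before any digest is compared, so a delivery whose manifest was replaced along with its files is rejected outright rather than reported as "consistent". Reporting extra files as well as modified and missing ones covers the case where a component is delivered intact but something was added alongside it.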