ITU-T work programme

[2025-2028] : [SG 17] : [WP4/17]

Work group: Q8/17
Title: Cloud computing and big data infrastructure security
Description:

1 Motivation

Cloud computing is a model for enabling service users' ubiquitous, convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. The cloud computing model is defined by five essential characteristics (on-demand, delivery over a broad network access, resource pooling, rapid elasticity, self and measured services), five cloud computing service categories, i.e., software as a service (SaaS), communication as a service (CaaS), platform as a service (PaaS), infrastructure as a service (IaaS) and network as a service (NaaS), different deployment models (public, private, hybrid…), and flexible extension of service delivery types (core, regional, edge…).

The advent of the cloud computing approach as the preferred vehicle for discovering, externalizing, composing and re-using services within workflows, applications and communication-enabled applications places new emphasis on the need for security. Forecasted benefits of cloud computing include flexible and dynamic resource provisioning, and simpler and automated administration of IT infrastructure. Virtualization makes it possible to share nearly unlimited resources, with scalability improvements and massive cost reductions for infrastructure management. The introduction of edge computing enables distribution of cloud capabilities to the edge of the network. This introduces cloud service implementations which have low and deterministic latency and high reliability.

However, open systems, shared resources, and inherent interworking of cloud and edge raise many concerns about security, which is perhaps the most important barrier to the adoption of cloud computing. Moving to the cloud implies shifting from safe, traditional, in-house IT systems to unsafe, "cloudified", open infrastructures.
It thus requires in-depth rethinking of security. When taking security into consideration, roles in the cloud computing ecosystem have their own responsibilities.

Cloud computing was considered for several years as service-centric IT and controlled by Internet players. With the trend of network virtualization and close convergence with cloud, telecommunication players have more and more important roles to play in the emerging cloud computing market and ecosystem. As cloud services are delivered through telecommunication networks, telecommunication players should guarantee a high assurance level. Strong but flexible security protection will be a key enabler for the whole cloud market and ecosystem.

Development of the cloud computing model brings new security challenges and demands for security solutions as well. For example, edge computing provides more local distribution of cloud resources, which leads to more complicated relationships between edge, regional and core implementations of the cloud. By using cloud-native, customers break the functionalities into smaller and independent microservices, which can be set up, deployed, or duplicated with minimal computing resources in an instant. Accordingly, the microservice architecture, containerization, DevOps, and other changes to the computing models of cloud native bring an extended attack surface and complex architecture. It is necessary to dig into security solutions that shift security left and integrate security from the beginning and throughout the development lifecycle (e.g., DevSecOps), cloud-native application protection platform (CNAPP), etc.

As cloud computing and networks continue to integrate and evolve, emerging computing modes based on cloud such as high-performance computing (HPC), in-network computing (INC) and computing power network (CPN) are gradually being explored and deployed by industry.
Security requirements such as resource scheduling, service orchestration and data protection vary in these computing architectures, and built-in security mechanisms in cloud computing such as unified security management, virtualized security resource pools and elastic security protection are expected to provide efficient solutions to meet the fast-growing, flexible and customized security requirements. In addition, the flexible use of rich resources in cloud computing environments will enable new security services that current on-premises defences cannot provide (e.g. anti-malware services as a cloud service).

Big Data is considered as the technologies, the set of tools, the data and the analytics used in processing large amounts of data. Furthermore, as data grow exponentially and become a key asset of telecommunication/ICT networks, massive datasets are analysed with the support of cloud computing to reveal patterns and relationships that would otherwise remain hidden. The core processes of big data such as data collection, storage, analysis, management and visualization are achieved on the basis of cloud computing, without which big data cannot be rapidly transferred and analysed using traditional technologies (e.g. Big Data as a Service). Thus, there is a need to examine what kind of security measures cloud computing can offer in the near future.

As cloud computing and big data technology continue to develop and evolve, they have been deeply applied in various industries such as government, finance, manufacturing, energy, healthcare, etc. Each industry has its own focus on the security protection capabilities of cloud computing and big data infrastructure due to different industry characteristics. For example, in the financial industry, it is important to have full life cycle security protection of massive personal financial data.
In e-government cloud, different security levels should be provided for different government affairs, and data encryption and decryption services should be provided for important data/sensitive data. In the manufacturing or energy industry, the ability to monitor for and detect network attacks in a timely manner and to respond quickly to emergencies is essential, so that when a serious network attack occurs, enterprises can restore energy supply or production facilities to normal operation as soon as possible. Thus, it is necessary to develop best practices and guidelines to fit the specific security needs of cloud computing and big data infrastructure in different industries.

Recommendations ITU-T X.1601, X.1602, and X.1631 provide a set of Recommendations on security service for cloud security overview, architecture, and framework, cross-layers cloud security and specific security of network services. Currently there is a strong need for securing cloud computing enabled critical voice, multi-media, identity-based services, information assurance services, identity and data services, and emergency-based services.

This Question is intended to develop new Recommendations and Technical Reports for:
- best practices and guidelines development to guide on how to provide security in a cloud computing-based environment;
- responsibility clarification, and security requirements and threats definition for the main actors and related roles in the cloud computing ecosystem, guidelines to support the implementation of regulation;
- security architecture based on the reference architecture provided by QH/13, built-in security architecture and emerging security architecture brought by the evolution of cloud computing;
- security management and audit technologies for the trust management.

This Question will collaborate with related Questions such as all SG17 Questions to develop Recommendations on cloud computing security.

Recommendations and Technical Reports under responsibility of this Question as of 12 September 2024: X.1411, X.1601, X.1602, X.1603, X.1604, X.1605, X.1606, X.1631, X.1641, X.1642, X.1643, X.1644, X.1645, X.1750, X.1751, X.1752, and Technical Report TR.XAASL.

Texts under development as of 12 September 2024: X.1600 (X.sa-ec), X.1647 (X.sg-scmr), X.1648 (X.gecds), X.1631rev, X.asm-cc, X.ckrp, X.fr-msp, X.gapci, X.gdsml, X.mbaas-cs-sec, X.scr-cna, X.sfrms, X.sgcnp, X.sgmc, X.sgsc, X.sg-tc, X.soar-cc, X.srapi-cc, X.sreai-ec, and Technical Report TR.fcnsc.

2 Question

Study items to be considered include, but are not limited to:
- What new Recommendations or other type of documents should be developed for main actors like service providers, service users, and services partners, and other key industry stakeholders to comply with regulatory requirements and advance the security of the entire cloud computing ecosystem, including supplier selection for public cloud, interworking security between core and edge computing network, specific security requirements of cloud for new computing infrastructures such as CPN, INC, etc.?
- What new Recommendations should be developed for security architecture and security functionalities organization in line with the reference architecture and the evolution of cloud computing technology and service (including but not limited to hybrid cloud, cloud-native, in-network computing, etc.)?
- What new Recommendations should be developed for assurance mechanisms, audit technologies, and associated risks assessment to establish trust among different actors?
- What new Recommendations should be developed for security solutions, best practices or guidelines to big data platform and infrastructure security?
- What new Recommendations should be developed for specific security solutions, best practices or guidelines to cloud and big data infrastructure in different industries such as government, finance, manufacturing, energy, etc.?
- What collaboration is necessary to minimize duplication of efforts with other Questions, study groups, and SDOs?
- How should security as a service be developed to protect telecommunication/ICT systems?

3 Tasks

Tasks include, but are not limited to:
- Developing Recommendations or other type of documents to provide guidance and reference to support the implementation of regulatory policies, advance security of cloud computing and adapt to cloud computing development and future trends (e.g., guidance for service users to select compliant and reliable service providers, and guidance for service providers to better respect the laws and regulations).
- Developing Recommendations to identify security requirements and threats to secure cloud computing services based on the general requirements of cloud computing specified by ITU-T Study Group 13.
- Developing Recommendations to define security architecture and to organize security functions based on the reference architecture specified by ITU-T Study Group 13.
- Developing Recommendations to define a strong, flexible, and elastic security architecture and implementation for cloud computing systems.
- Developing Recommendations to provide best practices and guidelines on how to improve and evaluate security of cloud and big data infrastructure in different industries to fit industry-specific security requirements.
- Developing Recommendations to identify assurance mechanisms, audit technologies and risk assessment with the objective of achieving trustworthy relationships within the cloud computing ecosystem.
- Studying and developing big data platform and infrastructure security Recommendations aligned with the reference architecture specified by ITU-T Study Group 13.
- Taking charge of all the Study Group 17 activities on cloud computing security and big data platform and infrastructure security.

An up-to-date status of work under this Question is contained in the SG17 work programme at https://www.itu.int/ITU-T/workprog/wp_search.aspx?sp=18&q=8/17.

4 Relationships

Recommendations:
- Y-series Recommendations on cloud computing

Questions:
- All ITU-T SG17 Questions

Study groups:
- ITU-T SG 2
- ITU-T SG 13
- ITU-T SG 20
- ITU-T SG 21

Standardization bodies:
- Internet Engineering Task Force (IETF)
- ISO/IEC JTC 1/SCs 27 and SC 38
- Organization for the Advancement of Structured Information Standards (OASIS)

Other bodies:
- Cloud Security Alliance (CSA)
- Distributed Management Task Force (DMTF)

WSIS Action Lines:
- C5

Sustainable Development Goals:
- 8, 9, 11
Comment: Continuation of Q8/17
Rapporteur: Ms. Fangfang Dai