Security as a service (SecaaS) is a cloud service category in which the capabilities provided to the cloud service customer are the integration of a suite of security services with the existing operating environment. During the development, delivery, use and support of SecaaS, there will be security challenges such as data eavesdropped, modified, tampered during transfer, unauthorized access to CSC’s data stored at CSP, unwanted connections between different CSC’s networks, uncontrolled service agents, API related attacks etc. To ensure the security of security as a service, the security threats need to be specified. This Recommendation will follow the structure of security requirements for virtualized services defined in Technical Report ITU-T xSTR-XAASL. Security threats in the domain of SecaaS will be identified at least in the following areas: architecture, identity and access management, software isolation and API related issues, isolation of instances, data protection, availability, incident response, management, orchestration and deployment. Therefore, this Recommendation provides the overview of security as a service and security threats in the domain of security as a service.

incubation queue