Geneva, Switzerland, 15-16 September 2014 Cloud security standardization activities in ITU-T Huirong Tian, China ITU Workshop on “ICT.

Presentation transcript:

Geneva, Switzerland, September 2014 Cloud security standardization activities in ITU-T Huirong Tian, China ITU Workshop on “ICT Security Standardization for Developing Countries” (Geneva, Switzerland, September 2014)

Contents
– Work of ITU-T FG-CC
– Standardization activities in SG17 and SG13

Work of ITU-T FG-CC

ITU-T Focus Group (FG) on Cloud Computing
Objective: To collect and document information and concepts that would be helpful for developing Recommendations to support cloud computing services/applications from a telecommunication/ICT perspective.

ITU-T Focus Group (FG) on Cloud Computing: Management team
– Chair: Victor Kutukov (Russia)
– Vice-Chairman: Jamil Chawki (France)
– Vice-Chairman: Kangchan Lee (Korea)
– Vice-Chairman: Mingdong Li (China)
– Vice-Chairman: Monique Morrow (USA)
– Vice-Chairman: Koji Nakao (Japan)
– Vice-Chairman: Olivier Corus (France)

ITU-T FG-Cloud deliveries
FG Cloud established
FG Cloud concluded
FG Cloud: Eight meetings, 7 deliverables
– FG Cloud TR1: Introduction to the cloud ecosystem: definitions, taxonomies, use cases and high level requirements
– FG Cloud TR2: Functional Requirements and Reference Architecture
– FG Cloud TR3: Requirements and framework architecture of Cloud Infrastructure
– FG Cloud TR4: Cloud Resource Management Gap Analysis
– FG Cloud TR5: Cloud security
– FG Cloud TR6: Overview of SDOs involved in Cloud Computing
– FG Cloud TR7: Benefits from telecommunication perspectives

FG Cloud TR5: Cloud Security
11 study subjects on cloud security
– Security architecture/model and framework
– Security management and audit technology
– Business continuity planning (BCP) and disaster recovery
– Storage security
– Data and privacy protection
– Account/identity management
– Network monitoring and incident response
– Network security management
– Interoperability and portability security
– Virtualization security
– Obligatory predicates
Follow-up standardization work launched considering these study subjects

Standardization activities in SG17 and SG13

Cloud computing security tasks collaboration between SG13 and SG17

SG17 cloud security related questions
1. Security architecture/model and framework
2. Security management and audit technology
3. BCP/disaster recovery and storage security
4. Data and privacy protection
5. Account/identity management
6. Network monitoring and incident response
7. Network security
8. Interoperability security
9. Service portability
[Diagram labels: Q8/17, Q4/17, Q10/17, Q3/17; Management, CyberSecurity, (Main) cloud, IdM/Bio]

SG17 cloud security work items
– X.1601: Security Framework for Cloud Computing
– X.cc-control: Information technology – Security techniques – Code of practice for information security controls for cloud computing services based on ISO/IEC
– X.sfcse: Security functional requirements for SaaS application environment
– X.goscc: Guideline of operational security for cloud computing
– X.idmcc: Requirement of IdM in cloud computing
Published in Common text with ISO/IEC

X.1601 Security framework for cloud computing

X.1601 Security framework for cloud computing
7. Security threats for cloud computing
8. Security challenges for cloud computing
9. Cloud computing security capabilities
10. Framework methodology

X.1601: 7. Security threats for cloud computing
7.1 Security threats for cloud service customers (CSCs)
– Data loss and leakage
– Insecure service access
– Insider threats
7.2 Security threats for cloud service providers (CSPs)
– Unauthorized administration access
– Insider threats

X.1601: 8. Security challenges for cloud computing
8.1 Security challenges for cloud service customers (CSCs)
8.1.1 Ambiguity in responsibility
8.1.2 Loss of trust
8.1.3 Loss of governance
8.1.4 Loss of privacy
8.1.5 Service unavailability
8.1.6 Cloud service provider lock-in
8.1.7 Misappropriation of intellectual property
8.1.8 Loss of software integrity
8.2 Security challenges for cloud service providers (CSPs)
8.2.1 Ambiguity in responsibility
8.2.2 Shared environment
8.2.3 Inconsistency and conflict of protection mechanisms
8.2.4 Jurisdictional conflict
8.2.5 Evolutionary risks
8.2.6 Bad migration and integration
8.2.7 Business discontinuity
8.2.8 Cloud service partner lock-in
8.2.9 Supply chain vulnerability
Software dependencies
8.3 Security challenges for cloud service partners (CSNs)
8.3.1 Ambiguity in responsibility
8.3.2 Misappropriation of intellectual property
8.3.3 Loss of software integrity

X.1601: 9. Cloud computing security capabilities
9.1 Trust model
9.2 Identity and access management (IAM), authentication, authorization, and transaction audit
9.3 Physical security
9.4 Interface security
9.5 Computing virtualization security
9.6 Network security
9.7 Data isolation, protection and privacy protection
9.8 Security coordination
9.9 Operational security
9.10 Incident management
9.11 Disaster recovery
9.12 Service security assessment and audit
9.13 Interoperability, portability, and reversibility
9.14 Supply chain security

X.1601: 10. Framework methodology
Step 1: Use clauses 7 and 8 to identify security threats and security implications of the challenges in the cloud computing service under study.
Step 2: Use clause 9 to identify the needed high level security capabilities based on identified threats and challenges which could mitigate security threats and address security challenges.
Step 3: Derive security controls, policies and procedures which could provide needed security abilities based on identified security capabilities.

X.cc-control
Scope: This International Standard provides guidelines supporting the implementation of information security controls for cloud service providers and cloud service customers of cloud computing services. Selection of appropriate controls and the application of the implementation guidance provided will depend on a risk assessment as well as any legal, contractual, or regulatory requirements. ISO/IEC provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.

X.sfcse
Scope: This Recommendation provides a generic functional description for a secure service-oriented Software as a Service (SaaS) application environment that is independent of network types, operating system, middleware, vendor-specific products or solutions. In addition, this Recommendation is independent of any service- or scenario-specific model (e.g., web services, Parlay X or REST), assumptions or solutions. This Recommendation aims to describe a structured approach for defining, designing, and implementing secure and manageable service-oriented capabilities in a telecommunication cloud computing environment.

X.goscc
Scope: This Recommendation provides a guideline for operational security for cloud computing, which includes guidance on SLAs and daily security maintenance for cloud computing. The target audience of this Recommendation is cloud service providers, such as traditional telecom operators, ISPs and ICPs.

X.idmcc
Scope: This Recommendation provides use-case and requirements analysis giving consideration to the existing industry efforts. This Recommendation concentrates on the requirements for providing IdM as a Service (IdMaaS) in cloud computing. The use of non-cloud IdM in cloud computing, while common in industry, is out of scope for this Recommendation.

SG17 cloud security Recommendation structure

SG13 cloud security plans
– Y.inter-cloud-sec
– Y.cloudtrustmodels
– Y.clouduse&req
– Y.cloudSECasaservice

Conclusions and Recommendations
– Cloud computing will change the ICT industry.
– The security capabilities will affect how cloud computing could be used.
– Work item proposals on trust models, security controls, best practices, etc. are solicited.

Thanks for listening!