Title: Cloud security standardization activities in ITU-T
1 Cloud security standardization activities in ITU-T
ITU Workshop on ICT Security Standardization for
Developing Countries (Geneva, Switzerland,
15-16 September 2014)
- Huirong Tian,
- China
- tianhuirong_at_catr.cn
3 Work of ITU-T FG-CC
4 ITU-T Focus Group (FG) on Cloud Computing
- Objective
- To collect and document information and concepts
that would be helpful for developing
Recommendations to support cloud computing
services/applications from a telecommunication/ICT
perspective.
5 ITU-T Focus Group (FG) on Cloud Computing
- Management team
- Chair: Victor Kutukov (Russia)
- Vice-Chairman: Jamil Chawki (France)
- Vice-Chairman: Kangchan Lee (Korea)
- Vice-Chairman: Mingdong Li (China)
- Vice-Chairman: Monique Morrow (USA)
- Vice-Chairman: Koji Nakao (Japan)
- Vice-Chairman: Olivier Corus (France)
6 ITU-T FG-Cloud deliveries
- 2010.2: FG Cloud established
- 2011.12: FG Cloud concluded
- Eight meetings, 7 deliverables
- FG Cloud TR1: Introduction to the cloud ecosystem: definitions, taxonomies, use cases and high level requirements
- FG Cloud TR2: Functional Requirements and Reference Architecture
- FG Cloud TR3: Requirements and framework architecture of Cloud Infrastructure
- FG Cloud TR4: Cloud Resource Management Gap Analysis
- FG Cloud TR5: Cloud security
- FG Cloud TR6: Overview of SDOs involved in Cloud Computing
- FG Cloud TR7: Benefits from telecommunication perspectives
7 FG Cloud TR5: Cloud Security
- 11 study subjects on cloud security
- Security architecture/model and framework
- Security management and audit technology
- Business continuity planning (BCP) and disaster recovery
- Storage security
- Data and privacy protection
- Account/identity management
- Network monitoring and incident response
- Network security management
- Interoperability and portability security
- Virtualization security
- Obligatory predicates
8 Standardization activities in SG17 and SG13
9 Cloud computing security tasks collaboration between SG13 and SG17
10 SG17 cloud security related questions
1. Security architecture/model and framework
2. Security management and audit technology
3. BCP/disaster recovery and storage security
4. Data and privacy protection
5. Account/identity management
6. Network monitoring and incident response
7. Network security
8. Interoperability security
9. Service portability
[Diagram: SG17 Questions Q3/17, Q10/17, Q4/17, Q8/17; labels: Management, CyberSecurity, (Main) cloud, IdM/Bio]
11 SG17 cloud security work items
Published in 2014.1
Common text with ISO/IEC
12 X.1601 Security framework for cloud computing
13 X.1601 Security framework for cloud computing
14 X.1601 7. Security threats for cloud computing
15 X.1601 8. Security challenges for cloud computing
16 X.1601 9. Cloud computing security capabilities
- 9.1 Trust model
- 9.2 Identity and access management (IAM), authentication, authorization, and transaction audit
- 9.3 Physical security
- 9.4 Interface security
- 9.5 Computing virtualization security
- 9.6 Network security
- 9.7 Data isolation, protection and privacy protection
- 9.8 Security coordination
- 9.9 Operational security
- 9.10 Incident management
- 9.11 Disaster recovery
- 9.12 Service security assessment and audit
- 9.13 Interoperability, portability, and reversibility
- 9.14 Supply chain security
17 X.1601 10. Framework methodology
18 X.cc-control
- Scope
- This International Standard provides guidelines
supporting the implementation of Information
security controls for cloud service providers and
cloud service customers of cloud computing
services. Selection of appropriate controls and
the application of the implementation guidance
provided will depend on a risk assessment as well
as any legal, contractual, or regulatory
requirements. ISO/IEC 27005 provides information
security risk management guidance, including
advice on risk assessment, risk treatment, risk
acceptance, risk communication, risk monitoring
and risk review.
19 X.sfcse
- Scope
- This Recommendation provides a generic functional
description for secure service oriented Software
as a Service (SaaS) application environment that
is independent of network types, operating
system, middleware, vendor specific products or
solutions. In addition, this Recommendation is
independent of any service or scenarios specific
model (e.g., web services, Parlay X or REST),
assumptions or solutions. This Recommendation aims
to describe a structured approach for defining,
designing, and implementing secure and manageable
service oriented capabilities in
telecommunication cloud computing environment.
20 X.goscc
- Scope
- This Recommendation provides guidelines for
operational security for cloud computing, which
include guidance on SLAs and daily security
maintenance for cloud computing. The target
audiences of this Recommendation are cloud
service providers, such as traditional telecom
operators, ISPs and ICPs.
21 X.idmcc
- Scope
- This Recommendation provides use-case and
requirements analysis giving consideration to the
existing industry efforts. This Recommendation
concentrates on the requirements for providing
IdM as a Service (IdMaaS) in cloud computing. The
use of non-cloud IdM in cloud computing, while
common in industry, is out of scope for this
Recommendation.
22 SG17 cloud security Recommendation structure
23 SG13 cloud security plans
- Y.inter-cloud-sec
- Y.cloudtrustmodels
- Y.cloudusereq
- Y.cloudSECasaservice
24 Conclusions and Recommendations
- Cloud computing will change the ICT industry.
- The security capabilities will affect how cloud
computing could be used.
- Work item proposals on trust models, security
controls, best practices, etc. are solicited.
25 Thanks for listening!