ITU Workshop on “ICT Security Standardization for Developing Countries” (Geneva, Switzerland, 15-16 September 2014). Cloud security standardization activities in ITU-T. Huirong Tian, China tianhuirong@catr.cn. Contents. Work of ITU-T FG-CC. ITU-T Focus Group (FG) on Cloud Computing.
ITU-T Focus Group (FG) on Cloud Computing
• Objective
  • To collect and document information and concepts that would be helpful for developing Recommendations to support cloud computing services/applications from a telecommunication/ICT perspective.
ITU-T Focus Group (FG) on Cloud Computing
• Management team
  • Chair: Victor Kutukov (Russia)
  • Vice-Chairman: Jamil Chawki (France)
  • Vice-Chairman: Kangchan Lee (Korea)
  • Vice-Chairman: Mingdong Li (China)
  • Vice-Chairman: Monique Morrow (USA)
  • Vice-Chairman: Koji Nakao (Japan)
  • Vice-Chairman: Olivier Corus (France)
ITU-T FG-Cloud deliveries
[Timeline: 2010.2 FG Cloud established; eight meetings, 7 deliverables; 2011.12 FG Cloud concluded]
• FG Cloud TR1: Introduction to the cloud ecosystem: definitions, taxonomies, use cases and high level requirements
• FG Cloud TR2: Functional Requirements and Reference Architecture
• FG Cloud TR3: Requirements and framework architecture of Cloud Infrastructure
• FG Cloud TR4: Cloud Resource Management Gap Analysis
• FG Cloud TR5: Cloud security
• FG Cloud TR6: Overview of SDOs involved in Cloud Computing
• FG Cloud TR7: Benefits from telecommunication perspectives
FG Cloud TR5: Cloud Security
11 study subjects on cloud security
• Security architecture/model and framework
• Security management and audit technology
• Business continuity planning (BCP) and disaster recovery
• Storage security
• Data and privacy protection
• Account/identity management
• Network monitoring and incident response
• Network security management
• Interoperability and portability security
• Virtualization security
• Obligatory predicates
Cloud computing security tasks collaboration between SG13 and SG17
SG17 cloud security related questions
1. Security architecture/model and framework
2. Security management and audit technology
3. BCP/disaster recovery and storage security
4. Data and privacy protection
5. Account/identity management
6. Network monitoring and incident response
7. Network security
8. Interoperability security
9. Service portability
[Diagram: SG17 Questions Q3/17, Q10/17, Q4/17, Q8/17; labels: Management, CyberSecurity, (Main) cloud, IdM/Bio]
SG17 cloud security work items
[Table; surviving notes: "Published in 2014.1", "Common text with ISO/IEC"]
X.1601, clause 9: Cloud computing security capabilities
9.1 Trust model
9.2 Identity and access management (IAM), authentication, authorization, and transaction audit
9.3 Physical security
9.4 Interface security
9.5 Computing virtualization security
9.6 Network security
9.7 Data isolation, protection and privacy protection
9.8 Security coordination
9.9 Operational security
9.10 Incident management
9.11 Disaster recovery
9.12 Service security assessment and audit
9.13 Interoperability, portability, and reversibility
9.14 Supply chain security
X.cc-control
• Scope
  • This International Standard provides guidelines supporting the implementation of information security controls for cloud service providers and cloud service customers of cloud computing services. Selection of appropriate controls and the application of the implementation guidance provided will depend on a risk assessment as well as any legal, contractual, or regulatory requirements. ISO/IEC 27005 provides information security risk management guidance, including advice on risk assessment, risk treatment, risk acceptance, risk communication, risk monitoring and risk review.
X.sfcse
• Scope
  • This Recommendation provides a generic functional description for a secure service-oriented Software as a Service (SaaS) application environment that is independent of network types, operating systems, middleware, and vendor-specific products or solutions. In addition, this Recommendation is independent of any service- or scenario-specific model (e.g., web services, Parlay X or REST), assumptions or solutions. This Recommendation aims to describe a structured approach for defining, designing, and implementing secure and manageable service-oriented capabilities in a telecommunication cloud computing environment.
X.goscc
• Scope
  • This Recommendation provides guidelines on operational security for cloud computing, including guidance on SLAs and daily security maintenance for cloud computing. The target audience of this Recommendation is cloud service providers, such as traditional telecom operators, ISPs and ICPs.
X.idmcc
• Scope
  • This Recommendation provides use-case and requirements analysis giving consideration to the existing industry efforts. This Recommendation concentrates on the requirements for providing IdM as a Service (IdMaaS) in cloud computing. The use of non-cloud IdM in cloud computing, while common in industry, is out of scope for this Recommendation.
SG13 cloud security plans
• Y.inter-cloud-sec
• Y.cloudtrustmodels
• Y.clouduse&req
• Y.cloudSECasaservice
Conclusions and Recommendations
• Cloud computing will change the ICT industry.
• The security capabilities will affect how cloud computing could be used.
• Work item proposals on trust models, security controls, best practices, etc. are solicited.