(Revised Question) Motivation
Cloud computing is a model for enabling service users’ ubiquitous,
convenient, on-demand network access to a shared pool of configurable
computing resources (e.g., networks, servers, storage, applications,
and services), that can be rapidly provisioned and released with minimal
management effort or service provider interaction. The cloud computing
model is defined by five essential characteristics (on-demand, delivery
over a broad network access, resource pooling, rapid elasticity, self
and measured services), five cloud computing service categories, i.e.,
Software as a Service (SaaS), Communication as a Service (CaaS), Platform
as a Service (PaaS), Infrastructure as a Service (IaaS) and Network as a
Service (NaaS), and different deployment models (public, private, hybrid…).
The advent of the cloud computing approach as the preferred vehicle for
discovering, externalizing, composing and re-using services within workflows,
applications and communication-enabled applications places new emphasis on
the need for security.
Forecasted benefits of cloud computing include flexible and dynamic
resource provisioning, and simpler and automated administration of IT
infrastructure. Virtualization makes it possible to share nearly unlimited
resources, with scalability improvements and massive cost reductions for
infrastructure management. However, open systems and shared resources of
cloud computing raise many concerns about security, which is perhaps the
most important barrier to the adoption of cloud computing. Moving to the
cloud implies shifting from safe, traditional, in-house IT systems to
unsafe, “cloudified”, open infrastructures. It thus requires in-depth rethinking
of security.
Cloud computing was considered for several years as service-centric IT and
controlled by Internet players. However, telecommunication players have an
important role to play in the emerging cloud computing market and ecosystem.
As cloud services are delivered through telecommunication networks,
telecommunication players should guarantee a high assurance level.
Strong but flexible security protection will be a key enabler for the
whole cloud market and eco-system.
In addition, the flexible use of rich resources in cloud computing
environments will enable new security services that the current premise
defences cannot provide (e.g. anti-malware services as a cloud service).
Thus, there is a need to examine what kind of security measures cloud
computing can offer in the near future.
Draft Recommendations ITU-T X.ccsec, X.srfcts and X.sfcse provide
a set of Recommendations on security service for cloud security overview,
architecture and framework, cross-layers cloud security and specific
security of network services. Currently there is a strong need for
securing cloud computing enabled critical voice, multi-media, identity
based services, information assurance services, identity and data services,
and emergency based services. This Question is intended to develop new
Recommendations based on the Focus Group Cloud Technical Report Part 5 for:
- best practices and guidelines development to guide on how to provide security in a cloud computing based environment;
- responsibility clarification, and security requirements and threats definition for the main actors and related roles in the cloud computing ecosystem;
- security architecture based on the reference architecture provided by Q.27/13;
- security management and audit technologies for the trust management.
Q8/17 will collaborate with related Questions such as Q2/17, Q3/17, Q4/17,
Q7/17, Q10/17 and Q11/17 to develop Recommendations on cloud computing security.
Recommendations and Supplements under responsibility of this Question as of 2
March 2012: ITU-T X.ccsec, X.sfcse, X.fssvpn.
Question
Study items to be considered include, but are not limited to:
- What new Recommendations or other type of documents should be developed
for main actors like service providers, service users and service partners, and
other key industry stakeholders to advance cloud computing security?
- What new Recommendations should be developed for security architecture and
security functionalities organization in line with the reference architecture?
- What new Recommendations should be developed for security management,
assurance mechanisms, audit technologies, and associated risk assessment
to establish trust among different actors?
- Under the auspices of the Joint Coordination Activity on cloud computing
(JCA-cloud), what collaboration is necessary to minimize duplication of efforts
with other Questions, study groups, and SDOs?
- How should security as a service be developed to protect ICT systems?
Tasks
Tasks include, but are not limited to:
- Developing Recommendations or other type of documents to advance cloud computing security.
- Developing Recommendations to identify security requirements and threats to secure cloud
computing services based on the general requirements of cloud computing specified by ITU-T Study Group 13.
- Developing Recommendations to define security architecture and to organize security functions
based on the reference architecture specified by ITU-T Study Group 13.
- Developing Recommendations to define a strong, flexible and elastic security management architecture
and implementation for cloud computing systems.
- Developing Recommendations to identify assurance mechanisms, audit technologies and risk assessment
with the objective of achieving trustworthy relationships within the cloud computing ecosystem.
- Taking charge of all the activities on cloud computing security in Study Group 17.
- Representing the work of Study Group 17 related to cloud computing security in the Joint
Coordination Activity on cloud computing (JCA-Cloud).
Relationships
Recommendations: Y-series Recommendations on cloud computing
Questions: ITU-T Qs 1/17, 2/17, 3/17, 4/17, 7/17, 10/17 and 11/17
Study groups: ITU-T SGs 2, 13, 16
Standardization bodies: ISO/IEC JTC 1/SCs 27 and SC 38; OASIS; IETF and other relevant bodies as identified
Other Bodies: DMTF; CSA (Cloud Security Alliance)