Cloud computing

This publication provides a catalog of security and privacy controls for federal information systems and organizations and a process for selecting controls to protect organizational operations (including mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation from a diverse set of threats including hostile cyber attacks, natural disasters, structural failures, and human errors. The controls are customizable and implemented as part of an organization-wide process that manages information security and privacy risk. The controls address a diverse set of security and privacy requirements across the federal government and critical infrastructure, derived from legislation, Executive Orders, policies, directives, regulations, standards, and/or mission/business needs. The publication also describes how to develop specialized sets of controls, or overlays, tailored for specific types of missions/business functions, technologies, or environments of operation. Finally, the catalog of security controls addresses security from both a functionality perspective (the strength of security functions and mechanisms provided) and an assurance perspective (the measures of confidence in the implemented security capability). Addressing both security functionality and security assurance ensures that information technology products and the information systems built from those products using sound systems and security engineering principles are sufficiently trustworthy.

The purpose of this document is to define a NIST Cloud Computing Security Reference Architecture (NCC-SRA)--a framework that: i) identifies a core set of Security Components that can be implemented in a Cloud Ecosystem to secure the environment, the operations, and the data migrated to the cloud; ii) provides, for each Cloud Actor, the core set of Security Components that fall under their responsibilities depending on the deployment and service models; iii) defines a security-centric formal architectural model that adds a security layer to the current NIST SP 500-292, "NIST Cloud Computing Reference Architecture"; and iv) provides several approaches for analyzing the collected and aggregated data.

Cloud interoperability for web applications refers to the interaction between the cloud service customer (CSC) and the cloud service provider (CSP) to obtain predictable results, collaboration among different web applications and consistency and interoperability of a management interface across different web applications.
 
Recommendation ITU-T Q.4042.1, which is part 1, specifies the cloud interoperability test objectives for web applications between the CSC and CSP.
 
These test objectives are developed on the basis of cloud computing interoperability testing objectives specified in Recommendation ITU-T Q.4040. The test cases for cloud interoperability testing for web applications are also introduced in the appendices.

Recommendation ITU-T Q.4041.1 specifies the cloud computing infrastructure capabilities type interoperability testing between the CSC and CSP, including interoperability testing of computing services, storage services, network services and related management functions, based on the functional requirements specified in Recommendation ITU-T Y.3513. The test cases of cloud computing infrastructure capabilities type interoperability testing between the CSC and CSP have also been introduced.

Recommendation ITU-T Q.4040 describes the framework and provides an overview of cloud computing interoperability testing. According to the identified target areas of testing, this framework Recommendation includes an overview of cloud computing interoperability testing with common confirmed items, infrastructure capabilities type, platform capabilities type and application capabilities type interoperability testing. This Recommendation describes the overview target areas of testing for interoperability testing of cloud computing.

The purpose of this Recommendation is to describe the overview of multi-cloud and the functional requirements of cloud service partner for supporting multi-cloud by identifying the various use cases related with usage of multi-cloud in terms of cloud service customer, cloud service provider and cloud service partner. It also provides the cloud computing activities to support multi-cloud as sub-role of cloud service partner by identifying the relationships and interactions among cloud service customer, cloud service provider and other cloud service partner.

Recommendation ITU-T X.1603 analyses data security requirements for the monitoring service of cloud computing which includes monitoring data scope requirements, monitoring data lifecycle, security requirements of monitoring data acquisition and security requirements of monitoring data storage. Monitoring data scope requirements include the necessary monitoring scope that cloud service providers (CSPs) should provide to maintain cloud security and the biggest monitoring scope of CSPs. Monitoring data lifecycle includes data creation, data store, data use, data migrate, data present, data destroy and data backup. Monitoring acquisition determines security requirements of the acquisition techniques of monitoring service. Monitoring data storage determines security requirements for CSPs to store the monitoring data.

Recommendation ITU-T X.1642 provides generic operational security guidelines for cloud computing from the perspective of cloud service providers (CSPs). It analyses the security requirements and metrics for the operation of cloud computing. A set of security measures and detailed security activities for the daily operation and maintenance are provided to help CSPs mitigate security risks and address security challenges for the operation of cloud computing.

Recommendation ITU-T X.1641 provides generic security guidelines for the cloud service customer (CSC) data in cloud computing. It analyses the CSC data security lifecycle and proposes security requirements at each stage of the data lifecycle. Furthermore, Recommendation ITU-T X.1641 provides guidelines on when each control should be used for best security practice.

This Standard specifies the minimum requirements for telecommunications infrastructure of data centers and computer rooms, including single tenant enterprise data centers and multi-tenant data centers. The topology specified in this document is intended to be applicable to any size data center.

The LTFS Bulk Transfer standard defines a method by which a set of files, directories and objects from a source system can be transferred to a destination system.  The bulk transfer of large quantities of data is well suited for LTFS due to the economic and environmental characteristics of tape. Building on top of the LTFS format, a standardized method for transferring data is defined that provides many advantages.

The LTFS Format Specification defines a file system format separate from any implementation on data storage media. Using this format, data is stored in LTFS Volumes. An LTFS Volume holds data files and corresponding metadata to completely describe the directory and file structures stored on the volume.
 
The LTFS Format has these features:

• An LTFS Volume can be mounted and volume content accessed with full use of the data without the need to access other information sources.
• Data can be passed between sites and applications using only the information written to an LTFS Volume.
• Files can be written to, and read from, an LTFS Volume using standard POSIX file operations.

The LTFS Format is particularly suited to these usages:

• Data export and import.
• Data interchange and exchange.
• Direct file and partial file recall from sequential access media. Archival storage of files using a simplified, self-contained or “self-describing” format on sequential access media.