
© 2015 Mike Edwards

Cloud Computing ISO Security and Privacy Standards: 27017, 27018, 27001 Mike Edwards (Chair UK Cloud Standards Committee)

Page 2

Mike Edwards Senior Technical Staff Member, IBM

Cloud Computing & SOA Standards,

UK Chair UK ISO SC38 mirror committee

(BSI IST 38)


Page 3

Abstract and Agenda

ISO 27001, ISO 27017 & ISO 27018

This talk describes the ISO Security & Privacy specifications & certifications which apply to cloud services

• Security & Privacy concerns of cloud service customers

• Standards and certifications

• ISO 27000 series of security & privacy standards

• ISO 27001 & ISO 27002 – the foundations for IT security

• Cloud Computing impact on security & privacy

• ISO 27017 – security for cloud services

• ISO 27018 – data protection for cloud services (i.e. privacy)

Page 4

The Cloud Standards Customer Council: THE Customer’s Voice for Cloud Standards!

• Provide customer-led guidance to multiple cloud standards-defining bodies

• Establishing criteria for open standards based cloud computing

500+ Organizations participating

2011/2012 Deliverables

Practical Guide to Cloud Computing

Practical Guide to Cloud SLAs

Security for Cloud Computing

Impact of Cloud Computing on Healthcare

2013/2014 Deliverables

Convergence of SoMoClo

Analysis of Public Cloud SLAs

Cloud Security Standards

Migrating Apps to Public Cloud

http://cloud-council.org

2015 Projects (partial)

Update to Security for Cloud Computing whitepaper

Update to Practical Guide to Cloud Service Agreements

Practical Guide to Privacy for the Public Sector

Practical Guide to PaaS

Social Business in the Cloud

Big Data in the Cloud

PGCC Version 2

Migrating Apps: Performance Rqmnts

Cloud Interoperability/Portability

Page 5

Three Takeaways

• Security & Privacy are key concerns for Cloud Service Customers – many demand proof in relation to cloud services

• International standards such as ISO 27001, 27017 & 27018 provide an open, worldwide and customer-accepted approach

• Customers & Providers need a public and open way of declaring the Security & Privacy capabilities of cloud services

Page 6

Top concerns about cloud computing…

Chart: “What, if anything, do you perceive as actual or potential barriers to acquiring public cloud services?” Percent rating the factor as a significant barrier (4 or 5); respondents could select multiple items.

• Security/privacy of company data: 69%

• Service quality: 54%

• Doubts about true cost savings: 53%

• Performance / Insufficient responsiveness over network: 52%

• Difficulty integrating with in-house IT: 47%

Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090

Security & Privacy: number one inhibitor to customers adopting cloud services

Source: Oliver Wyman Interviews

Page 7

Security matters…

Page 8

Standards making organizations

• International

• Regional / national

• Fora & consortia

Page 9

Other Open technology organizations

Customer / User organizations

– CSCC, ODCA (cloud computing)

– CSA (cloud computing security)

Certification organizations

– e.g. ISACA

“Code first” specifications

– HTML5

– Open source projects

– e.g. OpenStack, Cloud Foundry, Docker

Open source implementations

– pressure for availability before ratification of a standard

Page 10

Types of Standards

Diagram: standards arranged from high-level Governance & Management, through Architectures, down to Technology-specific; example areas shown include ID and Access Management, Encryption and Security Assertions.

Standards named in the diagram:

– ISO 27018 Data Protection for Cloud Services

– ISO 27017 Information Security Controls for Cloud Services

– ISO 17789 Cloud Computing Reference Architecture

– ISO 29101 Privacy Architecture Framework

– ISO 24760 ID Management Architecture

– ISO 19794 Biometric Interchange Formats

– ISO 19086 Cloud SLAs

– ISO 18384 SOA Reference Architecture

– KMIP Key Management

– PCI-DSS Controls for Card Data

– Kerberos, RSA, AES, Triple-DES, X.509 Certificates, SHA Hashing

– China: GB/T 20273 Security Requirements for DBMS; GB/T 31168 Security capability req of cloud services; GB/T 31167 Security guide of cloud computing services

Page 11

Standards: Certification

Certification: providing assurance

– of an organization (“we are following the process correctly”)

– of an individual (“I understand and I can implement”)

Established through Audit or Examination

May be directly associated with standard

– ISO 27001 certification

May be defined separately from standards

– CSA Star; ISACA CISM

Page 12

Why use International Standards?

Applicable anywhere in the world

– implement once, generally accepted

– valid according to WTO rules

– avoid “balkanization” caused by varying national & regional requirements

Well accepted by customers

– ISO 27001 one of the best known

– plenty of skills & knowledge available

– well developed ecosystem of auditors & certification authorities


Page 13

ISO Cloud Computing standards

– 17788: Cloud computing Overview and Vocabulary*

– 17789: Cloud computing Reference Architecture*

– 19086: Cloud computing SLAs

– 19941: Cloud computing Interoperability & Portability

– 19944: Cloud computing Data Flow across devices & cloud services

– 27001: Information security management systems ― Requirements

– 27002: Code of practice for information security controls

– 27017: Guidelines on Information security controls for the use of cloud computing services based on ISO/IEC 27002*

– 27018: Code of practice for data protection controls for public cloud computing services

– 27036: Information security for supplier relationships

– 29101: Privacy architecture framework

Black = Complete, published; Red = In preparation, draft; * = Joint standard with ITU-T

Page 14

Only available as a priced publication

Page 15

ISO 27002 specification “Code of practice for information security controls”

Based on ISO 27001 requirements for information security management systems

27002 control sets for:

– Security Policy

– Organization of Information Security

– Asset Management

– Human Resources

– Physical & Environmental

– Supplier Relationship Management

– Communications & Operations

– Management of Application Services

– Access Control

– System Acquisition, Development & Maintenance

– Security Incident Management

– Business Continuity Management

– Compliance

Page 16

ISO 27002 specification (cont) “Code of practice for information security controls”

Sample controls:

– “All information security responsibilities should be defined and allocated”

– “Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained”

– “Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets”

– “Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities”

– “Agreements with suppliers should include requirements to address the information security risks associated with Information and Communications Technology services and product supply chain”

– “The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance”

Page 17

ISO 27002 specification (cont) “Code of practice for information security controls”

Sample controls (cont):

– “Information involved in application service transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay”

– “A formal user registration and de-registration procedure should be implemented for granting and revoking access for all user types to all systems and services”

– “The implementation of changes should be controlled by the use of formal change control procedures”

– “Information security incidents should be responded to in accordance with the documented procedures”

– “Plans should be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes”

– “Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with statutory, regulatory, contractual, and business requirements”

Page 18

Softlayer 27001 Certification


Page 19

Cloud Computing: Impact on Security & Privacy

Diagram: Split of Security Responsibilities between the cloud service customer and the cloud service provider. Elements shown: Customer data, Derived data, App code, App environment, Security Components, Functional interfaces (End Users), Admin interfaces (Administrators, DevOps), Business interfaces (Business Managers), Cloud Service, In-house Applications & Systems, In-house data.

Page 20

ISO 27017 specification “Information security controls for the use of cloud computing services”

Based on ISO 27002 security control specification

– added information for Cloud Service Customers & Cloud Service Providers

– extended control sets for cloud computing:

• extra management control & coordination due to security responsibility split

• control of risks due to shared facilities when using cloud computing

• impact on end users of customer organization if they use cloud computing services

• acceptance testing for provided services & for upgrades / new versions

• handling of mobile code

• authentication methods for cloud service use

• application level controls including input/output data validation, message integrity

• audit requirement

Higher impact extended controls:

• audit logs required, with specified data

• non-disclosure of communications

• monitoring use of cloud services

• protection of audit tools

Page 21

Privacy & Data Protection: Roles

Diagram: three roles shown side by side

• Data Subject: Person identified by Personal Data

• Data Controller: Cloud Service Customer

• Data Processor: Cloud Service Provider

Regulatory focus (label on the diagram)

Page 22

ISO 27018 specification “Code of practice for data protection controls for public cloud computing services”

Data protection of PII – to meet regulatory requirements – e.g. European data protection regulations

Based on ISO 27002 + additional controls for handling of PII

– separation of test environment – no PII in test environment

– authorization & tracking of removable media containing PII

– where logs contain PII data, special control of logs required

– procedures to address corruption / compromise of passwords

– continuity of data processing within specified documented period

– confidentiality obligation for people with access to PII

– disclosure of PII must be logged

– ensure erasure of temporary files within specified period

– Each individual with access to PII must have unique ID

– Record of authorized users required

Page 23

ISO 27018 specification “Code of practice for data protection controls for public cloud computing services”

Higher impact additional controls for handling of PII

– PII only processed in accordance with instructions of PII controller (per contract)

– monitoring event log with specific details in event log where PII changed

– recording of security breaches

– intended destination of target (organization/individual) for transmitted PII

– PII transmitted over public networks must be encrypted

– Documented policy about geographical area for PII storage

Page 24

“Customers will only use services that they trust”

Page 25

Questions ?

Page 26

Read the CSCC whitepapers – free downloads

Practical Guide to Cloud Service Agreements, V2

http://bit.ly/1IQxrdg

Public Cloud Service Agreements: What to Expect & What to Negotiate

http://bit.ly/1GKbI8O

Practical Guide to Cloud Computing, V2

http://bit.ly/1MwD9mZ

Security for Cloud Computing: 10 Steps to Ensure Success, V2

http://bit.ly/1L3D9gZ

Cloud Security Standards: What to Expect & What to Negotiate

http://bit.ly/18fZFl3

Interoperability and Portability for Cloud Computing: A Guide

http://bit.ly/1Fg7lkk

Migrating Applications to Public Cloud Services: Roadmap for Success

http://bit.ly/1B9YGJy

Web Application Hosting Cloud Solution Architecture

http://bit.ly/1DbOszm

Convergence of Social, Mobile & Cloud: 7 Steps to Ensure Success

http://bit.ly/1EDTe9o

Impact of Cloud Computing on Healthcare

http://bit.ly/1B9ZP42

Page 27

Call to Action

Join the CSCC Now!

– To have an impact on customer use case based standards requirements

– To learn about all Cloud Standards within one organization

– To help define the CSCC’s future roadmap

– Membership is free & easy: http://www.cloud-council.org/application

Get Involved!

– Join one or more of the CSCC Working Groups

• http://www.cloud-council.org/workinggroups.htm

Page 29

More useful links

CSCC

– http://www.cloud-council.org

ODCA

– http://www.opendatacenteralliance.org/

CSA

– https://cloudsecurityalliance.org/

ISACA

– https://www.isaca.org/Pages/default.aspx

PCI

– https://www.pcisecuritystandards.org/security_standards/ (PCI-DSS)

Cloud Foundry

– http://cloudfoundry.org/index.html

Docker

– https://www.docker.com/