© 2015 Mike Edwards
Cloud Computing ISO Security and Privacy Standards: 27017, 27018, 27001 Mike Edwards (Chair UK Cloud Standards Committee)
Mike Edwards, Senior Technical Staff Member, IBM
Cloud Computing & SOA Standards, UK
Chair, UK ISO SC38 mirror committee (BSI IST 38)
Abstract and Agenda
ISO 27001, ISO 27017 & ISO 27018
This talk describes the ISO Security & Privacy specifications & certifications which apply to cloud services
• Security & Privacy concerns of cloud service customers
• Standards and certifications
• ISO 27000 series of security & privacy standards
• ISO 27001 & ISO 27002 – the foundations for IT security
• Cloud Computing impact on security & privacy
• ISO 27017 – security for cloud services
• ISO 27018 – data protection for cloud services (i.e. privacy)
The Cloud Standards Customer Council: THE Customer’s Voice for Cloud Standards!
• Provide customer-led guidance to multiple cloud standards-defining bodies
• Establishing criteria for open standards based cloud computing
500+ Organizations participating
2011/2012 Deliverables
Practical Guide to Cloud Computing
Practical Guide to Cloud SLAs
Security for Cloud Computing
Impact of Cloud Computing on Healthcare
2013/2014 Deliverables
Convergence of SoMoClo
Analysis of Public Cloud SLAs
Cloud Security Standards
Migrating Apps to Public Cloud
http://cloud-council.org
2015 Projects (partial)
Update to Security for Cloud Computing whitepaper
Update to Practical Guide to Cloud Service Agreements
Practical Guide to Privacy for the Public Sector
Practical Guide to PaaS
Social Business in the Cloud
Big Data in the Cloud
PGCC Version 2
Migrating Apps: Performance Requirements
Cloud Interoperability/Portability
Three Takeaways
• Security & Privacy are key concerns for Cloud Service Customers – many demand proof in relation to cloud services
• International standards such as ISO 27001, 27017 & 27018 provide an open, worldwide and customer-accepted approach
• Customers & Providers need a public and open way of declaring the Security & Privacy capabilities of cloud services
Top concerns about cloud computing…
Chart: “What, if anything, do you perceive as actual or potential barriers to acquiring public cloud services?” Percent rating the factor as a significant barrier (4 or 5); respondents could select multiple items.
• Security/privacy of company data: 69%
• Service quality: 54%
• Doubts about true cost savings: 53%
• Performance / Insufficient responsiveness over network: 52%
• Difficulty integrating with in-house IT: 47%
Source: IBM Market Insights, Cloud Computing Research, July 2009. n=1,090
Security & Privacy: number one inhibitor to customers adopting cloud services
Source: Oliver Wyman Interviews
Security matters…
Standards making organizations
• International
• Regional / national
• Fora & consortia
Other Open technology organizations
Customer / User organizations
– CSCC, ODCA (cloud computing)
– CSA (cloud computing security)
Certification organizations
– e.g. ISACA
“Code first” specifications
– HTML5
– Open source projects, e.g. OpenStack, Cloud Foundry, Docker
Open source implementations
– pressure for availability before ratification of a standard
Types of Standards
Levels shown in the diagram, from high level to technology specific:
– Governance & Management
– Architectures
– Technology specific
Examples placed on the diagram:
– ISO 27018 Data Protection for Cloud Services
– ISO 27017 Information Security Controls for Cloud Services
– ISO 17789 Cloud Computing Reference Architecture
– ISO 29101 Privacy Architecture Framework
– ISO 24760 ID Management Architecture
– ISO 18384 SOA Reference Architecture
– ISO 19086 Cloud SLAs
– ISO 19794 Biometric Interchange Formats
– PCI-DSS Controls for Card Data
– KMIP Key Management
– ID and Access Management
– Security Assertions
– Encryption
– Kerberos
– RSA, AES, Triple-DES
– X.509 Certificates
– SHA Hashing
China (national standards):
– GB/T 20273 Security Requirements for DBMS
– GB/T 31168 Security capability requirements of cloud services
– GB/T 31167 Security guide of cloud computing services
Standards: Certification
Certification: providing assurance
– of an organization (“we are following the process correctly”)
– of an individual (“I understand and I can implement”)
Established through Audit or Examination
May be directly associated with standard
– ISO 27001 certification
May be defined separately from standards
– CSA Star; ISACA CISM
Why use International Standards?
Applicable anywhere in the world
– implement once generally accepted
– valid according to WTO rules
– avoid “balkanization” caused by varying national & regional requirements
Well accepted by customers
– ISO 27001 one of the best known
– plenty of skills & knowledge available
– well developed ecosystem of auditors & certification authorities
ISO Cloud Computing standards
– 17788: Cloud computing Overview and Vocabulary*
– 17789: Cloud computing Reference Architecture*
– 19086: Cloud computing SLAs
– 19941: Cloud computing Interoperability & Portability
– 19944: Cloud computing Data Flow across devices & cloud services
– 27001: Information security management systems ― Requirements
– 27002: Code of practice for information security controls
– 27017: Guidelines on Information security controls for the use of cloud computing services based on ISO/IEC 27002*
– 27018: Code of practice for data protection controls for public cloud computing services
– 27036: Information security for supplier relationships
– 29101: Privacy architecture framework
Black = Complete, published
Red = In preparation, draft
* = Joint standard with ITU-T
Only available as a priced publication
ISO 27002 specification “Code of practice for information security controls”
Based on ISO 27001 requirements for information security management systems
27002 control sets for:
– Security Policy
– Organization of Information Security
– Asset Management
– Human Resources
– Physical & Environmental
– Supplier Relationship Management
– Communications & Operations
– Management of Application Services
– Access Control
– System Acquisition, Development & Maintenance
– Security Incident Management
– Business Continuity Management
– Compliance
ISO 27002 specification (cont) “Code of practice for information security controls”
Sample controls:
– “All information security responsibilities should be defined and allocated”
– “Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained”
– “Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization’s assets”
– “Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities”
– “Agreements with suppliers should include requirements to address the information security risks associated with Information and Communications Technology services and product supply chain”
– “The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance”
ISO 27002 specification (cont) “Code of practice for information security controls”
Sample controls (cont):
– “Information involved in application service transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay”
– “A formal user registration and de-registration procedure should be implemented for granting and revoking access for all user types to all systems and services”
– “The implementation of changes should be controlled by the use of formal change control procedures”
– “Information security incidents should be responded to in accordance with the documented procedures”
– “Plans should be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes”
– “Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with statutory, regulatory, contractual, and business requirements”
Softlayer 27001 Certification
Cloud Computing: Impact on Security & Privacy
Diagram: Split of Security Responsibilities between the cloud service customer and the cloud service provider. Elements shown:
– Cloud service customer: In-house Applications & Systems; In-house data; End Users; Business Managers; Administrators; DevOps
– Cloud Service: Customer data; Derived data; App code; App environment; Security Components
– Interfaces into the cloud service: Functional interfaces (End Users); Admin interfaces (Administrators, DevOps); Business interfaces (Business Managers)
– Cloud service provider
ISO 27017 specification “Information security controls for the use of cloud computing services”
Based on ISO 27002 security control specification
– added information for Cloud Service Customers & Cloud Service Providers
– extended control sets for cloud computing:
• extra management control & coordination due to security responsibility split
• control of risks due to shared facilities when using cloud computing
• impact on end users of customer organization if they use cloud computing services
• acceptance testing for provided services & for upgrades / new versions
• handling of mobile code
• authentication methods for cloud service use
• application level controls including input/output data validation, message integrity
• audit requirement
– higher impact extended controls:
• audit logs required, with specified data
• non-disclosure of communications
• monitoring use of cloud services
• protection of audit tools
Privacy & Data Protection: Roles
– Data Subject: Person identified by Personal Data
– Data Controller: Cloud Service Customer
– Data Processor: Cloud Service Provider
Regulatory focus
ISO 27018 specification “Code of practice for data protection controls for public cloud computing services”
Data protection of PII – to meet regulatory requirements – e.g. European data protection regulations
Based on ISO 27002 + additional controls for handling of PII
– separation of test environment – no PII in test environment
– authorization & tracking of removable media containing PII
– where logs contain PII data, special control of logs required
– procedures to address corruption / compromise of passwords
– continuity of data processing within specified documented period
– confidentiality obligation for people with access to PII
– disclosure of PII must be logged
– ensure erasure of temporary files within specified period
– Each individual with access to PII must have unique ID
– Record of authorized users required
ISO 27018 specification “Code of practice for data protection controls for public cloud computing services”
Higher impact additional controls for handling of PII
– PII only processed in accordance with instructions of PII controller (per contract)
– monitoring event log with specific details in event log where PII changed
– recording of security breaches
– intended destination of target (organization/individual) for transmitted PII
– PII transmitted over public networks must be encrypted
– Documented policy about geographical area for PII storage
“Customers will only use services that they trust”
Questions?
Read the CSCC whitepapers – free downloads
Practical Guide to Cloud Service Agreements, V2
http://bit.ly/1IQxrdg
Public Cloud Service Agreements: What to Expect & What to Negotiate
http://bit.ly/1GKbI8O
Practical Guide to Cloud Computing, V2
http://bit.ly/1MwD9mZ
Security for Cloud Computing: 10 Steps to Ensure Success, V2
http://bit.ly/1L3D9gZ
Cloud Security Standards: What to Expect & What to Negotiate
http://bit.ly/18fZFl3
Interoperability and Portability for Cloud Computing: A Guide
http://bit.ly/1Fg7lkk
Migrating Applications to Public Cloud Services: Roadmap for Success
http://bit.ly/1B9YGJy
Web Application Hosting Cloud Solution Architecture
http://bit.ly/1DbOszm
Convergence of Social, Mobile & Cloud: 7 Steps to Ensure Success
http://bit.ly/1EDTe9o
Impact of Cloud Computing on Healthcare
http://bit.ly/1B9ZP42
Call to Action
Join the CSCC Now!
– To have an impact on customer use case based standards requirements
– To learn about all Cloud Standards within one organization
– To help define the CSCC’s future roadmap
– Membership is free & easy: http://www.cloud-council.org/application
Get Involved!
– Join one or more of the CSCC Working Groups
• http://www.cloud-council.org/workinggroups.htm
Useful links
ISO
– http://www.iso.org/iso/home.html
– http://www.27000.org/
ITU-T
– http://www.itu.int/en/ITU-T/Pages/default.aspx
OASIS
– https://www.oasis-open.org/
– https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=id-cloud
– https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip
IETF
– http://tools.ietf.org/html/rfc6749 (OAuth 2.0)
DMTF
– http://dmtf.org/standards/cadf (CADF)
BSI
– http://www.bsigroup.co.uk/
More useful links
CSCC
– http://www.cloud-council.org
ODCA
– http://www.opendatacenteralliance.org/
CSA
– https://cloudsecurityalliance.org/
ISACA
– https://www.isaca.org/Pages/default.aspx
PCI
– https://www.pcisecuritystandards.org/security_standards/ (PCI-DSS)
Cloud Foundry
– http://cloudfoundry.org/index.html
Docker
– https://www.docker.com/