German IT-Grundschutz Cloud Management

Transcription

1 German IT-Grundschutz Cloud Management Workshop Certification, InteRnationalisation and standardization in cloud Security Cooperation with Dominic Mylo

2

3 Introduction Dominic Mylo 3

4 Atos Cloud Competencies Experience in providing Cloud Services Canopy Research & Innovation department of Atos has more than 10 ongoing research projects related to cloud security Corporate Member Alliance Atos is member of European Cloud Partnership Actively participating in initiatives run by ETSI, ENISA, CEN Atos is participating in Helix Nebula federated cloud for science Cloud Leader Award

5

6 IT-Grundschutz Methodology Describes a method for setting up and integrating IS management in an organisation. ISO certification process in accordance with IT-Grundschutz by german BSI as accreditation body per law. The IT-Grundschutz Catalogues contain over 4500 pages describing potential threats and protective security controls. The IT-Grundschutz Catalogues are constantly being revised, and new, specialised subjects are added as required. Enhanced with new trends and technologies e.g. cloud 6

7 Security Concept IT-Grundschutz simplified process Structure analysis Protection requirments determination Modelling of domain (select safeguards) Basic security check (compare target / current state) normal prot. Requirements Risk analysis High protection Requirements Implementation of safeguards IT-Grundschutz sec controls Individual sec controls 7

8 Protection Requirements Technical, organisational, personnel, and infrastructural security safeguards Reach a baseline security level Protect business-related information having normal protection requirements. Basis for IT systems and applications requiring a high level of protection. Protection requirements are define by possible impact caused by loss of CIA. Cloud Problem: CSP cannot rate the protection value of cloud data (CSP is not information owner) a) Ask the cloud user b) CSP defines data allowed to put in the Cloud 8

9 Layer Model IT-Grundschutz Layer 1 Layer 2 Layer 3 Layer 4 Layer 5 covers all generic information security issues. These include the human resources, data backup concept covers the technical issues related to building construction. Examples include the modules for buildings, server rooms covers individual IT systems. Examples include the general client, general server, telecommunication system, laptop modules. concerns the issues relating to networking IT systems. Examples include WLAN, VoIP, network management modules deals with the actual applications. Examples include the , web server, and database modules. Cloud Modules Virtualisation (Cloud) Storage systems Cloud Modules Cloud Usage Cloud Management Webservices 9

10

11 Information sources International Best Practices Alliance Cloud Control Matrix Guidance ENISA Cloud Computing Risk Assessment BSI Security Recommendations for Cloud Computing Providers VMware Study VCE Vblock IETF Cloud Computing Reference Framework 11

12 Target Group Cloud Management Module Cloud Service Provider Cloud User should use Module Cloud usage Target group german public agencies Applicable cross market Secure providing, management & operation of cloud environments Out of scope: infrastructure security system security Application security 12

13 Cloud Reference Model IETF data / content Cloud Portal Cloud Self-Service- Portal Cloud Management: Cloud Services (SaaS, PaaS, IaaS) Cloud configuration Registry & Repository resource control layer Audit & Logging SLA virtual resource control layer Security physical resource control layer 13

14 Cloud Management Threats Summary Failures in Planning Cloud Service Templates Incorrect Provisioning of Cloud Services Insufficient isolation of cloud services Insufficient Business Continuity Mgt organisational shortcomings Insufficient configuration of cloud services and management components Failures in automated Cloud Management deliberate acts Human error fraudulent use of administrative permissions technical failures Outage of cloud management components unauthorised usage of snapshots incompatibility between cloud-management and cloud-ressources information leakage by cloud cartography 14

15 Security Controls Summary Planning Cloud Service Templates and Cloud-Ressources Third party contracts Selection of cloud-components Business continuity backup Planning concepts Provisioning Secure communication for cloud access BCM implemen tation Training for cloud administrators operation Event logging and monitoring patch management Security Controls to ensure continuous Multitenancy Cloud user administration Complete and secure deletion of cloud data for sensible information Controlled provisioning & deprovisioning of cloud services secure automation 15

16 For more information please contact: Dominic Mylo Security Consultant T +49 (5931) M +49 (177) dominic.mylo@atos.net Lohberg Meppen Atos, the Atos logo, Atos Consulting, Atos Worldline, Atos Sphere, Atos Cloud and Atos WorldGrid are registered trademarks of Atos SE Atos. 16