Standardisation of Cloud Service Security
Juha Röning

Contents
The range of standards
Cloud service standards
Standards to follow
Standards and the CSA Cloud Controls Matrix
Cloud Software research in Finland

Standards
Technology standards: ISO
Regulation: data protection legislation (EU and national)
PCI-DSS: Payment Card Industry Security Standards Council
HIPAA (US): The Health Insurance Portability and Accountability Act of 1996
FedRAMP (US): The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Standardisation process: ETSI
Stage 0: Validate the need for standardisation
Stage 1: Requirements and objectives
Stage 2: Information model
Stage 3: Detailed data and protocol model
Stage 4: Testing and validation
Deploy the standard

Standardisation process: IETF
From RFC 2026, section 1.2: "In outline, the process of creating an Internet Standard is straightforward: a specification undergoes a period of development and several iterations of review by the Internet community and revision based upon experience, is adopted as a Standard by the appropriate body... and is published. In practice, the process is more complicated, due to (1) the difficulty of creating specifications of high technical quality; (2) the need to consider the interests of all of the affected parties; (3) the importance of establishing widespread community consensus; and (4) the difficulty of evaluating the utility of a particular specification for the Internet community."
The most important bodies
ITU: SG13, SG17
ISO: SC38, SC27
NIST, the National Institute of Standards and Technology: its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
OASIS, the Organization for the Advancement of Structured Information Standards: a non-profit consortium that drives the development, convergence and adoption of open standards for the global information society.
IETF, the Internet Engineering Task Force: to make the Internet work better from an engineering point of view.

The most important bodies: money talks
Cloud Security Alliance: The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.
ODCA: The Open Data Center Alliance is working actively to shape the future of cloud computing, a future based on open, interoperable standards.
ITU-T and ISO standardisation work
ITU-T SG13:
Q26: Cloud computing ecosystem, intercloud and general requirements
Q27: Cloud functional architecture, infrastructure and networking
Q28: Cloud computing resource management and virtualization
ISO SC38 WG3: Cloud Computing; cloud computing reference architecture and vocabulary

ITU-T and ISO standardisation work
ITU-T SG17 (Security): Work to build confidence and security in the use of information and communication technologies (ICTs) continues to intensify in a bid to facilitate more secure network infrastructure, services and applications. Over seventy standards (ITU-T Recommendations) focusing on security have been published. ITU-T Study Group 17 (SG17) coordinates security-related work across all ITU-T Study Groups. Often working in cooperation with other standards development organizations (SDOs) and various ICT industry consortia, SG17 deals with a broad range of standardization issues. To give a few examples, SG17 is currently working on cybersecurity; security management; security architectures and frameworks; countering spam; identity management; the protection of personally identifiable information; and the security of applications and services for the Internet of Things (IoT), smart grid, smartphones, web services, social networks, cloud computing, mobile financial systems, IPTV and telebiometrics.

ITU-T and ISO standardisation work
ISO/IEC JTC 1/SC 27:
WG 1: Information security management systems
WG 2: Cryptography and security mechanisms
WG 3: Security evaluation, testing and specification
WG 4: Security controls and services
WG 5: Identity management and privacy technologies
ITU Cloud Security reference architecture

Cloud Security Alliance
Cloud Controls Matrix
Trusted Cloud Infrastructure
Security as a Service
Cloud Trust Protocol
Guidance Document

ISO standards worth following for cloud users
Controls for cloud computing security
Additional controls for ISO certification
Implementation guidance (on top of ISO 27002)
Supply chain guidance
Secure storage (ISO 27040)
ITU Cloud Security Framework

Standards worth following
NIST: "The purpose of this document is to provide an overview of public cloud computing and the security and privacy challenges involved."
ENISA: Cloud Security guide, new version with an SME focus
ISAE 3402: in-depth audit of a third-party service organization (transparency and trust), https://support.google.com/a/bin/answer.py?hl=en&answer=60762

Cloud security guide: top security risks
Loss of governance
Lock-in
Isolation failure
Compliance risks
Management interface compromise
Data protection
Insecure or incomplete data deletion
Malicious insider
Generic Security User Stories
Smaller organisations do not necessarily have a security specialist available
A way to find security requirements and solutions
Antti Vähä-Sipilä and Camillo Särs / F-Secure

Interface testing
The Radamsa tool for testing the robustness of software
The browser is especially critical in cloud services
Over a hundred vulnerabilities found and fixed