Standardization for Security of Cloud Computing

Transcription

1 Standardization for Security of Cloud Computing - with Focus on Availability - Thu, 28 February, 2013 Ben T. Katsumi Chief Researcher, Security Economics Laboratory IT Security Center, IPA, Japan

2 Agenda Background: Risk of cloud black out Overview of Cloud Standards for Security Cloud Security Management & Audit Standards Interoperability and Portability Inter-Cloud Migration and Operation Considerations on Conditions under Emergency Considerations on Inter-Cloud Operation Summary 28 February 2013 Copyright IPA Information-Technology Promotion Agency 2

3 Cloud supports economy & society IT infrastructure to sustain emergency response Emergency Safety Retrieval Info Disti. Sharing Victims Support Emergency Services Lifeline Peace Life Economy Society Supports all the human, economic & social activities Cloud Computing and Services Platform 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 3

4 Cloud as IT Infrastructure for ER Case of East Japan Earthquake IT infrastructure for city staffs and volunteer stations for rescues and refugees support 2. Communications between individuals and families 3. Backups/mirroring of gov.s and local gov.s information dissemination: radiation info, citizen services info, etc. 4. IT infrastructure and services to businesses for emergency biz, customer & employee communications and data backups 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 4

5 CC s superior characteristics for ER Ready-for-use pool of resources allow immediate use with: 1. Agility: Short dev. lead time 2. Scalability: Start small, expand as needed 3. Economy: Minimum user cost, minimal cost to vendor allows free offer 4. Tolerance: Tolerant to damages, reliable 5. Security: Built-in security at data centers vs newly built with less or no security a. Upstream candid information flow b. Remote, time-free collaboration platform c. Mash up with data stored in cloud, e.g. maps d. Multi media, large data capability =ACTIVE Emergency Response Concept of conventional BCP/DR is just to recover what used to be in terms of functions and services 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 5

6 Anatomy of cloud from social perspective Reliability of cloud in view of ER, DR and BC Emergency View View at Peace (Positioning in Economy & Society) Potential Risk View Cloud for Emergency Response & Disaster Rescue ER BC Cloud as the System Platform with Resiliency & Dependability Services in Emergency Service at Peace Cloud as the Service or Business Model Cloud as the Model for IT Utilization Cloud Computing Service at Peace Services in Emergency Cloud as the Service Platform Cloud as the Public Asset Security & Privacy of Aggregated Personal Data Potential Risks Potential Risks Social Infrastructure interdependency & Threats in Common Cloud to be resilient, dependable and survivable 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 6

7 Agenda Background: Risk of cloud black out Overview of Cloud Standards for Security Cloud Security Management & Audit Standards Interoperability and Portability Inter-Cloud Migration and Operation Considerations on Conditions under Emergency Considerations on Inter-Cloud Operation Summary 28 February 2013 Copyright IPA Information-Technology Promotion Agency 7

8 Properties for cloud to keep alive Resiliency: tolerable against obstacles from outside a system self-recoverable from damages due to outside causes Dependabillty: free from defects within a system free from failure of a system Survivability: able to transfer from a system to another Related legend: portable, interoperable, migratable 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 8

9 Overview of Cloud Standards for Security Confidentiality Security Information Security Management System (ISMS) for Cloud Computing Cloud Security Audit Integrity Availability Portability Interoperability Migratability = Inter-Cloud 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 9

10 Agenda Background: Risk of cloud black out Overview of Cloud Standards for Security Cloud Security Management & Audit Standards Interoperability and Portability Inter-Cloud Migration and Operation Considerations on Conditions under Emergency Considerations on Inter-Cloud Operation Summary 28 February 2013 Copyright IPA Information-Technology Promotion Agency 10

11 Standardization from Survivability Viewpoint Survivability Resiliency Dependability Interoperability Portability Common Cloud Pla5orm for Inter- cloud Migra;on Standardiza;on Requirements for commonality Common understanding of requirement User- facing business prac;ces Common compliance assurance Cloud ISMS Cloud Security Audit Security Privacy SLA Contract T&C Regula;on Compliance 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 11

12 International Standardization Scheme Joint Technical Committee Terminology ISO/IEC27000 International Organization for Standards International Electro- technical Commission JTC1 SCn SCn SCn SC27 Requirements Guidelines Sector Specific Standards /Guidelines IT Security Techniques ISO/IEC27001 ISO/IEC27006 ISO/IEC27002 ISO/IEC27003 ISO/IEC27004 ISO/IEC ISO/IEC27017 ISO/IEC27011 ISO/IEC27012 ISO/IEC Cloud Computing Security Attributed to: Mr. Shin Yamashita, from presentation at NSF2013 SC38 Distributed Application Platforms and Services Cloud Computing/SOA 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 12

13 Cloud Security Management Standards ISMS Requirements Code of Practice for Information Security Controls Example: Guide for cloud consumers Monitoring and review of supplier services following to be added to guidance: Cloud consumer should regularly monitor and review the services, reports and records provided by the cloud provider Security in Cloud Computing Addition to controls of of: 1. cloud-specific controls, implementation guidance & other information Based on proposal from Japan 2. supplementary implementation guidance to existing controls Example: Guide for cloud providers Implementing information security continuity following to be added to guidance: Cloud provider should provide the following information to the cloud consumer to develop and implement business continuity plan covering cloud service. Attributed to: Mr. Shin Yamashita, from presentation at NSF February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 13

14 Security Management for Supplier Relations Information Security for Supplier Relationships Part 1 Overview and Concepts To provide detailed controls and implementation guidance for section 15 of : To be aimed at both Acquirer and Supplier In view of information security risks in acquisition such as: Supplier may access the information of acquirer Acquirer information may be deposited/entrusted to supplier Purchased products may cause security incidents to acquirer Part 2 Common Requirements Part 3 Guidelines for ICT Supply Chain Security Part 4 Guidelines for Security of Cloud Services Attributed to: Mr. Shin Yamashita, from presentation at NSF February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 14

15 Security Audit Framework for Cloud Provider 2 Security Management & Control Systems Attestation/Assertion of Certain Extent and Level of Security Management and Controls A set of Security Management & Controls (standard) ISMS, regulations, laws & treatments 0 Confirmation required Requirement of consistency 3 provision Report/Certification Audit Independent Cloud Security Auditor Compliance Declaration Consumer Certified Cloud Security Management & Controls Implementation and Operation B Security Management & Control Systems Certification 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 15 C 4 1 A

16 Cloud assurance framework Basic attestation is commitment of basic security level. Cloud provider, which has satisfied the basic security requirements, can declare basic attestation without disclosing detail of the countermeasures. Basic attestation is announced to all users, Special attestation is shown to each consumer. Cloud Consumer Audit Report Basic attestation Risk management for general use of cloud + Special attestation (Additional) Risk management for more important information in cloud Cloud Provider Merit to auditor Efficient auditing on basic requirements Assurance Auditor Auditing the deployment and operation of controls being effective by independent expert Basic attestation; Audit each service Special attestation; Audit each customer Copyright 2012 Japan Information Security Audit Association. All rights reserved. 16

17 Basic requirements; Controls for high and medium risks Cloud information security management standard Annex defines Basic requirements for cloud provider which are necessary controls deployed and operated for declaring Basic Attestation for Information Security for Cloud Service. Basic Attestation for Information Security for Cloud Service shows the top management declares executing risk management surely. Cloud audit assures Basic Attestation for Information Security for Cloud Service signed by top management of cloud provider Cloud consumers select secure cloud service having an assured Basic Attestation for Information Security for Cloud Service Items of Basic requirements for cloud provider are selected from risk and controls table made by experts H01: Expanding damages caused by high concentration of resources and infrastructure Basic requirements focus on eleven risks, -high and medium level- selected from twenty one risk items. Requirements for basic attestation of cloud information security management High RIsk Medium Risk No H01 H02 H03 H04 H05 H06 M07 M08 M09 M10 M11 Name of risk Increasing Impacts of highly aggregated computing resources and infrastructures Mismatch between virtual and physical systems on design and operation phase Loss of business reputation due to co-tenant activities Resource exhaustion (under or over provisioning) Isolation failure Compromise service engine Cloud provider malicious insider - abuse of high privilege rolls) Management interface compromise (manipulation, availability of infrastructure) Intercepting data in transit Data leakage on up/download, intra-cloud Insecure or ineffective deletion of data Distributed denial of service (DDoS) Declaration of basic attestation is provider s commitment of managing high and medium risk. Copyright 2012 Japan Information Security Audit Association. All rights reserved. 17

18 Points of Cloud Security Audit System Simplified Cloud Model High RIsk Medium Risk Pre-fixed Set of Attestation Audit System Pre-defined Risk Factors No H01 H02 H03 H04 H05 H06 M07 M08 M09 M10 M11 Name of risk Increasing Impacts of highly aggregated computing resources and infrastructures Mismatch between virtual and physical systems on design and operation phase Loss of business reputation due to co-tenant activities Resource exhaustion (under or over provisioning) Isolation failure Compromise service engine Cloud provider malicious insider - abuse of high privilege rolls) Management interface compromise (manipulation, availability of infrastructure) Intercepting data in transit Data leakage on up/download, intra-cloud Insecure or ineffective deletion of data Distributed denial of service (DDoS) Provider Japan Consumer

19 Guidelines and recommendations in Japan (1) Owner METI (Ministry of Economy, Trade and Industry) SLA Guideline for SaaS Guideline URL (in white letters: available in English) Information Security Report Model Check List of Service Levels in Cloud Computing Information security management guidelines for the use of cloud computing services Guide to Safe Use of Cloud Services for Small-to-Mid-Sized Enterprises IPA (Informationtechnology Promotion Information Disclosure Reference Guide for Cloud Service Providers Agency) Recommendation for Safe Use of Cloud Services Cloud Security Management Standard, Risk-vs-Control List, Security Cheklist and JASA (Japan Security associated manuals, etc. Audit Association) 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 19

20 Guidelines and recommendations in Japan (2) Owner JDCC (Japan Data Center Council) MIC(Ministry of Interior and Communicati ons) ASPIC (ASP SaaS Cloud Consortium) Abstract Data Center Facility Standard Guideline URL (in white letters: available in English) Report on Review of Data Center Facility Standard Based on East Japan Great Earthquake Information Security Measures Guideline for ASP and SaaS Information Disclosure Guide on Safety and Reliability of ASP and SaaS Information Disclosure Guide on Safety and Reliability of Data Centers Guide to Use Data Centers Guide for Coopreration among Data Center Operators Guide for Consumer Protection and Compliance in Cloud Services February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 20

21 Agenda Background: Risk of cloud black out Overview of Cloud Standards for Security Cloud Security Management & Audit Standards Interoperability and Portability Inter-Cloud Migration and Operation Considerations on Conditions under Emergency Considerations on Inter-Cloud Operation Summary 28 February 2013 Copyright IPA Information-Technology Promotion Agency 21

22 Definitions Interoperable, Portable, Migratable Interoperability: a property of a product or system, whose interfaces are completely understood, to work with other products or systems, present or future, without any restricted access or implementation. <Wikipedia> data Portability: the ability of a program (or software be processed systems and/or system) to execute properly on multiple hardware applications platforms. <Wikitionary> Migratability: the ability to move computer code or files from one computer or network to another. <Wikitionary> 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 22

23 Cloud services to survive DC down Interoperability and Portability Common interfaces, formats, languages Organization OGF(Open Grid Forum) DMTF(Distributed Management Task Force, Inc.) SNIA(Storage Networking Industry Association) OASIS(Organization for the Advancement of Structured Information Standards) Open ID Foundation IETF (Internet Engineetring Task Force) IEEE (Institute of Electric and Electronic Engineers Association) ISO (International Standards Organization) Typical Cloud Standards OCCI(Open Cloud Computing Interface) OVF(Open Virtualization Format) CIMI(Cloud Infrastructure Management Interface) CDMI(Cloud Data Management Interface) TOSCA (Topology and Orchestration Specification for Cloud Application) OpenID Connect SCIM (Simple Cloud Identity Management ) CPIP (Guide for Cloud Portability and Interoperability Profiles) SIIF (Standard for Intercloud Interoperability and Federation) ISO/IEC February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 23

24 Cloud services to survive DC down Interoperable, Portable, Migratable Common platform architectures Organization Cloud Platform Open Stack Foundation Open Stack Apache Software Foundation Cloud Stack Eucalyptus Systems, Inc. OpenNebula Project Wakame Project Eucalyptus OpenNebula Wakame-vdc Applications may be easily migrated between common cloud platforms. 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 24

25 Cloud services to survive DC down Migratable Virtual Machine or Service Function to be automatically transferred from a DC to another Intercloud Operation for Backup, Failover, Restoration, Recovery and Migration Source: 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 25

26 Agenda Background: Risk of cloud black out Overview of Cloud Standards for Security Cloud Security Management & Audit Standards Interoperability and Portability Inter-Cloud Migration and Operation Considerations on Conditions under Emergency Considerations on Inter-Cloud Operation Summary 28 February 2013 Copyright IPA Information-Technology Promotion Agency 26

27 Conditions for stake holders to make use of cloud under emergent situation Allie among CSPs Inter-cloud colab. Migration Data duplication and synchronization Inter-cloud connection SLA Security CSPs & DCs BCP and SLA Building safety Lifelines: power, air, water Operator: call up, commute, food, supply Data backup Security Telecom Carriers BCP and DR Telecom lines Transmission stations and relays Lifelines for switches and transmitters Redundancy Aux power supply Security Consumers BCP Office Lifelines for office and workforce Workforce call up and commute Data backup Security Social environmental support : Rules and guidelines to support the above conditions Cloud services defined from social resource management Technical standards and common interfaces 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 27

28 Interdependency of Critical Infrastructure IT infrastructure/ services lost System Failure HW Cyber Attacks Cyber Attacks Traffic Congestion System Failure SW Data Center Failure Power Outage Communication Services Failure Refinery & Tank Failure Operator Unavailable Power Systems Failure Radio Station Collapse Cable Cutoff 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 28

29 Cloud Data Centers burden and criticalness Power Plants Railways Roads Oil Stock Logis;cs Produc;on [Supply side] Electricity Telecom Operators Fuel Supply Water Daily Supply Decision making algorithms should be established Cloud Data Center Support CI and General [Demand side] Safety Informa;on Refugee Housing Opera;on Emergency Mediacl Care Support Stuff Delivery Support and Rescu Administra;on Rescue Informa;on Dissemina;on Admin Informa;on Dissemina;on Medical Care Water Financing Administra;on Other Systems Emergency Response Critical Infrastructure 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 29

30 Agenda Background: Risk of cloud black out Overview of Cloud Standards for Security Cloud Security Management & Audit Standards Interoperability and Portability Inter-Cloud Migration and Operation Considerations on Conditions under Emergency Considerations on Inter-Cloud Operation Summary 28 February 2013 Copyright IPA Information-Technology Promotion Agency 30

31 Conditions for Inter-Cloud Migration Virtual Machine or Service Function to be automatically transferred from a DC to another Issues to be allocated Technical Security Economy/Biz Legal International Technical feasibility, compatibility assurance Security features and capability should be maintained and guaranteed SLAs should be maintained and guaranteed Other terms & conditions should be consistent Rights and obligations to be transferred or re-contract? Compliance requirement fulfillment to be assured What if transfer is over a border? Legal enforcement etc. 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 31

32 Agenda Background: Risk of cloud black out Overview of Cloud Standards for Security Cloud Security Management & Audit Standards Interoperability and Portability Inter-Cloud Migration and Operation Considerations on Conditions under Emergency Considerations on Inter-Cloud Operation Summary 28 February 2013 Copyright IPA Information-Technology Promotion Agency 32

33 Conditions of cloud as a CIIP Clearly understand cloud as the social infrastructure Incorporate cloud in critical infrastructure disaster protection planning Designate and understand cloud as a critical information infrastructure Prioritize cloud in disaster recovery and emergency response Secure availability of cloud services as a consistent resource Establish technical solutions to make cloud services portable, interoperable and migratable to overcome platform failure Develop/establish social system/agreement to support intercloud migration/operation Common SLA, SecLA, T&C, etc. for agreement interoperability Common understanding on regulatory obligations to be maintained after cloud services transfer Facilitate the same internationally for cross-border transfer 28 February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 33

34 ENISA Report on Cloud as a CIIP Cloud computing and natural disasters: A key benefit of cloud computing is resilience in the face of regional power cuts or local natural disasters. It is difficult to mitigate the impact of fairly common regional disasters like floods, storms, or earthquakes in a set up with only a single datacentre, or a traditional set-up with a legacy onsite IT deployment. Standardisation: From a CIIP perspective standardization in cloud computing is very important, because it allows customers to mitigate issues related to a specific provider or a specific platform. Standardization, especially for IaaS and PaaS services, would allow customers to move workload to other providers in case one provider has suffers a large outages caused by system failures or even administrative or legal disputes February 2013 Copyright 2013 IPA Information-Technology Promotion Agency 34

35 Special thanks!!! Standardization for Security of Cloud Computing - with Focus on Availability -- Thu, 28 February, 2013 Ben T. Katsumi Chief Researcher, Security Economics Laboratory IT Security Center, IPA, Japan t-katsu@ipa.go.jp