Pilvipalveluiden tietoturvan standardisointi

Transcription

1 Pilvipalveluiden tietoturvan standardisointi Juha Röning

2 Sisältö Standardien kirjo Pilvipalveluiden standardit Seurattavat standardit Standardit ja CSA Cloud Controls Matriisi Cloud Software tutkimus Suomessa

3 Standardit Teknologiastandardit ISO Säädökset Tietosuojalainsäädäntö (EU, kansallinen) PCI-DSS Payment Card Industry Security Standards Council HIPAA (US) The Health Insurance Portability and Accountability Act of 1996 FedRamp (US) The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

4 Pilven standardoijat

5 Teemoja Virtualisoinnin tuomat uhat Jaetut resurssit, CPU/verkko, vuodot Yksityisyys Tiedon sijainti, salaaminen, palvelun yksityisyyspolitiikka Identiteetin hallinta

6 Standardisointiprosessi: ETSI Stage 0 Validate need for standardisation Stage 1 Requirements and objectives Stage 2 Information model Stage 3 Detailed data and protocol model Stage 4 Testing and validation Deploy the standard

7 Standardisointiprosessi: IETF From RFC 2026, section 1.2: In outline, the process of creating an Internet Standard is straightforward: a specification undergoes a period of development and several iterations of review by the Internet community and revision based upon experience, is adopted as a Standard by the appropriate body... and is published. In practice, the process is more complicated, due to (1) the difficulty of creating specifications of high technical quality; (2) the need to consider the interests of all of the affected parties; (3) the importance of establishing widespread community consensus; and (4) the difficulty of evaluating the utility of a particular specification for the Internet community.

8 Tärkeimmät ITU SG13, SG17 ISO SC38, SC27 NIST the National Institute of Standards and Technology: mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. OASIS Organization for the Advancement of Structured Information Standards: is a non-profit consortium that drives the development, convergence and adoption of open standards for the global information society. IETF Internet Engineering Task Force; make the Internet work better from an engineering point of view

9 Tärkeimmät money talks Cloud Security Alliance The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. ODCA The Open Data Center Alliance is working actively to shape the future of cloud computing a future based on open, interoperable standards.

10 ITU-T ja ISO standardisointeja ITU-T SG13 Q26: Cloud computing ecosystem, intercloud and general requirements Q27 Cloud functional architecture, infrastructure and networking Q28 Cloud computing resource management and virtualization ISO SC38 WG3 Cloud Computing, Cloud computing reference architecture and vocabulary

11 ITU-T ja ISO standardisointeja ITU-T SG17 -Security Work to build confidence and security in the use of information and communication technologies (ICTs) continues to intensify in a bid to facilitate more secure network infrastructure, services and applications. Over seventy standards (ITU-T Recommendations) focusing on security have been published. ITU-T Study Group 17 (SG17) coordinates security-related work across all ITU-T Study Groups. Often working in cooperation with other standards development organizations (SDOs) and various ICT industry consortia, SG17 deals with a broad range of standardization issues. To give a few examples, SG17 is currently working on cybersecurity; security management; security architectures and frameworks; countering spam; identity management; the protection of personally identifiable information; and the security of applications and services for the Internet of Things (IoT), smart grid, smartphones, web services, social networks, cloud computing, mobile financial systems, IPTV and telebiometrics.

12 ITU-T ja ISO standardisointeja ISO/IEC JTC 1/SC 27 WG 1 Information security management systems WG 2 Cryptography and security mechanisms WG 3 Security evaluation, testing and specification WG 4 Security controls and services WG 5 Identity management and privacy technologies

13 ITU Cloud Security reference architecture

14 Cloud Security Alliance Cloud Controls Matrix Trusted Cloud Infrastructure Security as a Service Cloud Trust Protocol Guidance Document

15 ISO Seurattavia standardeja pilven käyttäjille Controls for Cloud Computing security Additional controls for ISO certification Implementation guidance (27002 päälle) Supply chain guidance Secure Storage (ISO 27040) ITU Cloud Security Framework

16 Seurattavia standardeja NIST The purpose of this document is to provide an overview of public cloud computing and the security and privacy challenges involved. ENISA Cloud Security guide, uusi versio SME-fokuksella ISAE 3402 in-depth audit of a third-party service organization (transparency and trust)

17 Cloud security guide: TOP SECURITY RISKS LOSS OF GOVERNANCE LOCK-IN ISOLATION FAILURE COMPLIANCE RISKS MANAGEMENT INTERFACE COMPROMISE: DATA PROTECTION INSECURE OR INCOMPLETE DATA DELETION: MALICIOUS INSIDER

18 Cloud Controls Matrix

19 ISO

20 Cloud Software Turvallisuus ketterässä tuotteenhallinnassa Riskinhallinta Yksityisyyden suoja Rajapintatestaus Organisaatioiden välinen luottamus

21 Generic Security User stories Pienemmillä organisaatioilla ei välttämättä ole käytössä tietoturva-asiantuntijaa Tapa löytää tietoturvavaatimuksia ja ratkaisuja Antti Vähä-Sipilä and Camillo Särs / F-Secure

22

23

24 Rajapintatestaus Radamsa-työkalu ohjelmistojen toimintavarmuuden testaamiseen Selain on erityisen kriittinen pilvipalveluissa Yli sata haavoittuvuutta löydetty ja korjattu