Cloud Computing ISO Security and Privacy Standards: 27017, 27018, Mike Edwards (Chair UK Cloud Standards Committee)

Transcription

1 Cloud Computing ISO Security and Privacy Standards: 27017, 27018, Mike Edwards (Chair UK Cloud Standards Committee)

2 Mike Edwards Senior Technical Staff Member, IBM Cloud Computing & SOA Standards, UK Chair UK ISO SC38 mirror committee (BSI IST 38)

3 Abstract and Agenda ISO 27001, ISO & ISO This talk describes the ISO Security & Privacy specifications & certifications which apply to cloud services Security & Privacy concerns of cloud service customers Standards and certifications ISO series of security & privacy standards ISO & ISO the foundations for IT security Cloud Computing impact on security & privacy ISO security for cloud services ISO data protection for cloud services (i.e. privacy)

4 The Cloud Standards Customer Council THE Customer s Voice for Cloud Standards! Provide customer-lead guidance to multiple cloud standards-defining bodies 2011/2012 Deliverables Practical Guide to Cloud Computing Practical Guide to Cloud SLAs Security for Cloud Computing Impact of Cloud Computing on Healthcare Establishing criteria for open standards based cloud computing 500+ Organizations participating 2013/2014 Deliverables Convergence of SoMoClo Analysis of Public Cloud SLAs Cloud Security Standards Migrating Apps to Public Cloud Social Business in the Cloud Big Data in the Cloud PGCC Version 2 Migrating Apps: Performance Rqmnts Cloud Interoperability/Portability 2015 Projects (partial) Update to Security for Cloud Computing whitepaper Update to Practical Guide to Cloud Service Agreements Practical Guide to Privacy for the Public Sector Practical Guide to PaaS

5 Three Takeaways Security & Privacy are key concerns for Cloud Service Customers many demand proof in relation to cloud services Customers & Providers need a public and open way of declaring the Security & Privacy capabilities of cloud services International standards such as ISO 27001, & provide an open, worldwide and customer-accepted approach 5

6 Top concerns about cloud computing Security & Privacy: number one inhibitor to customers adopting cloud services What, if anything, do you perceive as actual or potential barriers to acquiring public cloud services? Security/privacy of company data 69 % Service quality Doubts about true cost savings Performance / Insufficient responsiveness over network Difficulty integrating with in-house IT Percent rating the factor as a significant barrier (4 or 5) Respondents could select multiple items 47 % 54 % 53 % 52 % Source: IBM Market Insights, Cloud Computing Research, July n=1,090 Source: Oliver Wyman Interviews

7 Security matters

8 Standards making organizations International Regional / national Fora & consortia

9 Other Open technology organizations Customer / User organizations CSCC, ODCA (cloud computing) CSA (cloud computing security) Certification organizations e.g. ISACA Code first specifications HTML5 Open source projects e.g. OpenStack, Cloud Foundry, Docker Open source implementations pressure for availability before ratification of a standard

10 Types of Standards High level Governance & Management Architectures ISO SOA Reference Architecture ISO Cloud Computing Reference Architecture ISO Data Protection for Cloud Services ISO Information Security Controls for Cloud Services ISO Privacy Architecture Framework PCI-DSS Controls for Card Data ISO ID Management Architecture 10 Technology specific GB/T Security capability req of cloud services China GB-T Security guide of cloud computing services GB/T Security Requirements for DBMS RSA AES Kerberos ID and Access Management Triple-DES X.509 Encryption Certificates SHA Hashing Security Assertions ISO Cloud SLAs ISO Biometric Interchange Formats KMIP Key Management

11 Standards: Certification Certification: providing assurance of an organization ( we are following the process correctly ) of an individual ( I understand and I can implement ) Established through Audit or Examination May be directly associated with standard ISO certification May be defined separately from standards CSA Star; ISACA CISM

12 Why use International Standards? Applicable anywhere in the world implement once generally accepted valid according to WTO rules avoid balkanization caused by varying national & regional requirements Well accepted by customers ISO one of the best known plenty of skills & knowledge available well developed ecosystem of auditors & certification authorities 12

13 ISO Cloud Computing standards 17788: Cloud computing Overview and Vocabulary* 17789: Cloud computing Reference Architecture* 19086: Cloud computing SLAs 19941: Cloud computing Interoperability & Portability 19944: Cloud computing Data Flow across devices & cloud services 27001: Information security management systems Requirements 27002: Code of practice for information security controls 27017: Guidelines on Information security controls for the use of cloud computing services based on ISO/IEC 27002* 27018: Code of practice for data protection controls for public cloud computing services 27036: Information security for supplier relationships 29101: Privacy architecture framework * = Joint standard with ITUT Black = Complete, published Red = In preparation, draft

14 Only available as a priced publication

15 ISO specification Code of practice for information security controls Based on ISO requirements for information security management systems control sets for: Security Policy Organization of Information Security Asset Management Human Resources Physical & Environmental Supplier Relationship Management Communications & Operations Management of Application Services Access Control System Acquisition, Development & Maintenance Security Incident Management Business Continuity Management Compliance

16 ISO specification (cont) Code of practice for information security controls Sample controls: All information security responsibilities should be defined and allocated Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization s assets Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities Agreements with suppliers should include requirements to address the information security risks associated with Information and Communications Technology services and product supply chain The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance

17 ISO specification (cont) Code of practice for information security controls Sample controls (cont): Information involved in application service transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay A formal user registration and de-registration procedure should be implemented for granting and revoking access for all user types to all systems and services The implementation of changes should be controlled by the use of formal change control procedures Information security incidents should be responded to in accordance with the documented procedures Plans should be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with statutory, regulatory, contractual, and business requirements

18 Softlayer Certification 18

19 Security Components Cloud Computing: Impact on Security & Privacy End Users DevOps In-house Applications & Systems Functional interfaces Admin interfaces Cloud Service App code App environment Administrators Business Managers In-house data Business interfaces Derived data Customer data Cloud service customer Cloud service provider Split of Security Responsibilities

20 ISO specification Information security controls for the use of cloud computing services Based on ISO security control specification added information for Cloud Service Customers & Cloud Service Providers extended control sets for cloud computing: extra management control & coordination due to security responsibility split control of risks due to shared facilities when using cloud computing impact on end users of customer organization if they use cloud computing services acceptance testing for provided services & for upgrades / new versions handling of mobile code authentication methods for cloud service use application level controls including input/output data validation, message integrity audit requirement higher impact extended controls audit logs required, with specified data non-disclosure of communications monitoring use of cloud services protection of audit tools

21 Privacy & Data Protection: Roles Data Subject Data Controller Data Processor Person Identified by Personal Data Cloud Service Customer Cloud Service Provider Regulatory focus 21

22 ISO specification Code of practice for data protection controls for public cloud computing services Data protection of PII to meet regulatory requirements e.g. European data protection regulations Based on ISO additional controls for handling of PII separation of test environment no PII in test environment authorization & tracking of removable media containing PII where logs contain PII data, special control of logs required procedures to address corruption / compromise of passwords continuity of data processing within specified documented period confidentiality obligation for people with access to PII disclosure of PII must be logged ensure erasure of temporary files within specified period Each individual with access to PII must have unique ID Record of authorized users required

23 ISO specification Code of practice for data protection controls for public cloud computing services Higher impact additional controls for handling of PII PII only processed in accordance with instructions of PII controller (per contract) monitoring event log with specific details in event log where PII changed recording of security breaches intended destination of target (organization/individual) for transmitted PII PII transmitted over public networks must be encrypted Documented policy about geographical area for PII storage

24 Customers will only use services that they trust 24

25 Questions? 25

26 Read the CSCC whitepapers free downloads Practical Guide to Cloud Service Agreements, V2 Public Cloud Service Agreements: What to Expect & What to Negotiate Practical Guide to Cloud Computing, V2 Security for Cloud Computing: 10 Steps to Ensure Success, V2 Cloud Security Standards: What to Expect & What to Negotiate Interoperability and Portability for Cloud Computing: A Guide Migrating Applications to Public Cloud Services: Roadmap for Success Web Application Hosting Cloud Solution Architecture Convergence of Social, Mobile & Cloud: 7 Steps to Ensure Success Impact of Cloud Computing on Healthcare

27 Call to Action Join the CSCC Now! To have an impact on customer use case based standards requirements To learn about all Cloud Standards within one organization To help define the CSCC s future roadmap Membership is free & easy: Get Involved! Join one or more of the CSCC Working Groups

28 Useful links ISO ITU-T OASIS IETF (OAuth 2.0) DMTF (CADF) BSI

29 More useful links CSCC ODCA CSA ISACA PCI (PCI-DSS) Cloud Foundry Docker