Cloud Security Standards. Aziza Al Rashdi Director, Cyber Security Professional Services Oman National CERT Information Technology Authority

Transcription

1 Cloud Security Standards Aziza Al Rashdi Director, Cyber Security Professional Services Oman National CERT Information Technology Authority

2 Introduction Sign Off December 2012 Information Technology Authority (ITA) and International Telecommunications Union (ITU) established ITU-Arab Regional Cybersecurity Center (ARCC) with a vision of creating a safer and cooperative cybersecurity environment in the Arab Region. ITU-ARCC is acting as ITU s cybersecurity hub in the region localizing and coordinating cybersecurity initiatives. Launch March

3 ITU-ARCC services The ITU-ARCC to provide many of the services for Arab states into five main themes Cybersecurity Strategy and Governance Cybersecurity Assurance & Compliance Emergency Incident Response Cybersecurity Capacity Building Technical Services and Information Sharing 3

4 ITU-ARCC Activities

5 ITU- ARCC Activities Regional Cybersecurity Summit Workshops Specialized Training Cybersecurity Exercises Competitions 5

6 Exhibitions ITU Telecom world-thailand 2013 Gitex-Dubai 2013 COMEX Exhibition, Oman 2014 COMEX Exhibition, Oman

7 Definitions Cloud Computing: also known as on-demand computing, is a kind of internet-based computing, where shared resources and information are provided to computers and other devices on-demand. It is a model for enabling ubiquitous, on-demand access to a shared pool of configurable computing resources Cloud Computing Security Cloud computing security is the set of control-based technologies and policies designed to adhere to regulatory compliance rules and protect information, data applications and infrastructure associated with cloud computing use 7

8 10 Worst Cloud Security Threats Of 2015 Data Breaches Data Loss DDoS Attack Account Hijacking Insider Attacks Insufficient Due Diligence Malware Viruses Phishing Attacks BYOD 8

9 ISO Standards ISO Standards (Security & Privacy Specification & Certification which may apply to Cloud Service: ISO & ISO The foundation for IT Security ISO Security for Cloud Services ISO Data Protection for Cloud Services (e.g Privacy) 9

10 Standards Making Organizations International Regional / National Fora & Consortia 10

11 Other Open Technology Organizations Customer / User Organizations: CSCC, ODCA (Cloud Computing) CSA (Cloud Computing Security) Certification Organizations: ISACA Open Code Specifications: HTML5 Open source project - openstack, Cloud Foundry, Docker 11

12 Type of Standards High Level Governance & Management ISO ISO PCI - DSS Architecture ISO ISO ISO ISO Technology Specific GB/ T GB- T Kerberos SCIM ISO ISO KIMP 12

13 Standards: Certification Certification Benefits: - Organization - Individual Established through Audit Or Examination May be directly associated with standard - ISO Certification May be defined separately from standards - CSA STAR, ISACA CISM 13

14 ISO Cloud Computing Standards 17788: Cloud Computing Overview & Vocabulary 17789: Cloud Computing Reference Architecture I9086: Cloud Computing SLAs 19941: Cloud Computing interoperability & Portability 19944: Cloud computing Data Flow across devices & cloud services 27001: Information Security Management Systems Requirements 27002: Code of Practice for information security controls 27017: Guidelines on Information security controls for the use of cloud computing services based on ISO : Code of Practice for data protection controls for public cloud computing services 27036: Information Security for supplier relationships 29101: Privacy architecture framework. 14

15 ISO ISO/IEC Information security management Benefits of ISO/IEC Information Security Management Identify risks and put controls in place to manage or reduce them Flexibility to adapt controls to all or selected areas of your business Gain stakeholder and customer trust that their data is protected Demonstrate compliance and gain status as preferred supplier Meet more tender expectations by demonstrating compliance 15

16 Structure of the ISO Introduction - the standard uses a process approach. 1 Scope - it specifies generic ISMS requirements suitable for organizations of any type, size or nature. 2 Normative references - only ISO/IEC is considered absolutely essential to users of 27001: the remaining ISO27k standards are optional. 3 Terms and definitions - a brief, formalized glossary, soon to be superseded by ISO/IEC Context of the organization - understanding the organizational context, the needs and expectations of interested parties, and defining the scope of the ISMS. Section 4.4 states very plainly that The organization shall establish, implement, maintain and continually improve a compliant ISMS. 5 Leadership - top management must demonstrate leadership and commitment to the ISMS, mandate policy, and assign information security roles, responsibilities and authorities. 6 Planning - outlines the process to identify, analyze and plan to treat information security risks, and clarify the objectives of information security. 7 Support - adequate, competent resources must be assigned, awareness raised, documentation prepared and controlled. 8 Operation - a bit more detail about assessing and treating information security risks, managing changes, and documenting things (partly so that they can be audited by the certification auditors). 9 Performance evaluation - monitor, measure, analyze and evaluate/audit/review the information security controls, processes and management system in order to make systematic improvements where appropriate. 10 Improvement - address the findings of audits and reviews (e.g. nonconformities and corrective actions), make continual refinements to the ISMS Annex A Reference control objectives and controls - little more in fact than a list of titles of the control sections in ISO/IEC The annex is normative, implying that certified organizations are expected to use it, but they are free to deviate from or supplement it in order to address their particular information security risks. Bibliography - points readers to five related standards, plus part 1 of the ISO/IEC directives, for more information. In addition, ISO/IEC is identified in the body of the standard as a normative (i.e. essential) standard and there are several references to ISO on risk management. 16

17 ISO

18 ISO/IEC Certificates 18

19 ISO Structure and format of ISO/IEC 27002:2013 ISO/IEC is a code of practice - a generic, advisory document, not a formal specification such as ISO/IEC It recommends information security controls addressing information security control objectives arising from risks to the confidentiality, integrity and availability of information. Organizations that adopt ISO/IEC must assess their own information security risks, clarify their control objectives and apply suitable controls (or indeed other forms of risk treatment) using the standard for guidance. 19

20 Content of ISO

21 ISO ISO standard will provide guidance on the information security elements of cloud computing, recommending and assisting with the implementation of cloud-specific information security controls supplementing the guidance in ISO27002 The standard will offer information security advice for both cloud service customers and cloud service providers, offering guidance for both parties side-by-side in each section, for instance section on information security roles and responsibilities says, in part Cloud service customer The cloud service customer should agree with the cloud service provider on an appropriate separation of information security roles and responsibilities and confirm that it can fulfil its allocated roles and responsibilities. The information security roles and responsibilities of both parties should be stated in an agreement. The cloud service customer should identify and manage the customer support and care representative and the cloud service business manager of the cloud service provider Cloud service provider The cloud service provider should agree and document an appropriate separation of information security roles and responsibilities with its cloud service customers, its cloud service providers and its suppliers. 21

22 ISO

23 ISO ISO/IEC 27018:2014 Information technology Security techniques Code of practice for protection of Personally Identifiable Information (PII) in public clouds acting as PII processors This standard provides guidance aimed at ensuring that cloud service providers offer suitable information security controls to protect the privacy of their customers clients by securing PII (Personally Identifiable Information) entrusted to them The standard will be followed by ISO covering the wider information security angles of cloud computing, other than privacy The standard intends to be a reference for selecting PII protection controls within the process of implementing a cloud computing information security management system 23

24 ISO27018 As the first-ever standard that deals with the protection of personal data for the cloud, ISO/IEC has the following key objectives: Help cloud service providers that process personally identifiable information to address applicable legal obligations as well as customer expectations Enable transparency so customers can choose well-governed cloud services Facilitate the creation of contracts for cloud services Provide cloud customers with a mechanism to ensure cloud providers compliance with legal and other obligation 24

25 ISO

26 ISO

27 Cloud Security Alliance The Cloud Security Alliance (CSA) is the world s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA s activities, knowledge and extensive network benefit the entire community impacted by cloud from providers and customers, to governments, entrepreneurs and the assurance industry and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. cloudsecurityalliance.org 27

28