Latest in Cloud Computing Standards. Eric A. Hibbard, CISSP, ISSAP, ISSEP, ISSMP, CISA, CTO Security & Privacy, Hitachi Data Systems




Short Introduction
CTO Security & Privacy, Hitachi Data Systems
Involved with a bunch of organizations:
- International Representative, INCITS TC CS1 Cyber Security
- Co-Chair, Cloud Security Alliance (CSA) International Standardization Council (ISC)
- Co-Chair, American Bar Association SciTech Law ediscovery & Digital Evidence Committee
- Vice Chair, American Bar Association SciTech Law Cloud Computing Committee
- Chair, IEEE Information Assurance Standards Committee (IASC)
- Chair, SNIA Security Technical Work Group
- Vice Chair, IEEE Security in Storage Work Group (P1619)
Standards Geek:
- Co-Editor, ISO/IEC 17788 (Cloud computing: Overview and terminology)
- Editor, ISO/IEC 27040 (Storage security)
- Editor, ISO/IEC 27050-1 (ediscovery: Overview and concepts)
- Editor, ISO/IEC 27050-3 (ediscovery: Code of practice)
- Editor, IEEE Std 1619r (XTS-AES)
Security Professional:
- 30+ years ICT experience; 15+ years security & privacy
- Government (NASA, DoE, DoD), academia (University of California), and industry
- Certifications: CISSP, ISSAP, ISSMP, ISSEP, CISA

Standards Alphabet Soup
- CSA = Cloud Security Alliance
- DMTF = Distributed Management Task Force
- ENISA = European Network and Information Security Agency
- ETSI = European Telecommunications Standards Institute
- IEC = International Electrotechnical Commission
- IEEE = Institute of Electrical and Electronics Engineers
- INCITS = International Committee for Information Technology Standards
- ISO = International Organization for Standardization
- ITU-T = International Telecommunication Union Telecom
- NIST = National Institute for Standards and Technology
- OASIS = Organization for the Advancement of Structured Information Standards
- SNIA = Storage Networking Industry Association
- TCG = Trusted Computing Group

Sample Cloud SDO Relationships
(Diagram showing the formal and informal relationships among CSA, ITU-T, CT-CC, ENISA, ISO/IEC SC27, ISO/IEC SC38, TCG, INCITS/CS1, INCITS/DAPS38, IEEE, NIST, SNIA and DMTF)

Standards & Glaciers: Similar Pace

Cloud Computing
cloud computing: paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with self-service provisioning and administration on-demand
SOURCE: ISO/IEC DIS 17788 | Resolution ITU-T X.ccdef (Information technology: Cloud computing: Overview and vocabulary)

ISO/IEC JTC 1/SC 38
SC38 = Information Technology: Distributed Application Platforms & Services
ISO/IEC 17788 (Cloud computing: Vocabulary and overview)
- Collaborative Team (CT) with ITU-T/SG13 to develop common text
- Defines key cloud terminology and provides an overview of cloud computing
- Intended to be a foundation document for cloud computing
- Stage: Draft International Standard (DIS); ballot closes 3/24/2014
ISO/IEC 17789 (Reference architecture)
- Collaborative Team (CT) with ITU-T/SG13 to develop common text
- Covers general concepts and characteristics of cloud computing, the components/functions and roles and their capabilities and inter-relationships
- Focused on the requirements of what cloud services provide, not how to design solutions and implementations
- Stage: Draft International Standard (DIS); ballot closes 3/24/2014

ISO/IEC JTC 1/SC 38 (cont.)
ISO/IEC 19086 (Service Level Agreement Guidance)
- Provides an overview of SLAs for cloud services
- Identifies the relationship between the master service agreement and the SLA
- Addresses SLA concepts and requirements that can be used to build SLAs
- Specifies terms and conditions as well as metrics commonly used in SLAs for cloud services
- Seeks to establish a set of common SLA building blocks (concepts, terms, definitions, contexts) that can then be used to create SLAs that will help avoid confusion and facilitate common understanding between the Cloud Service Providers and the Cloud Service Customers
- Stage: Working Draft (WD)

ITU-T/Study Group 13 (SG13)
Future networks including cloud computing, mobile and next-generation networks
- Y.ccdef (ISO/IEC 17788): Cloud computing definition and vocabulary
- Y.cceco: Cloud computing: ecosystem, use cases and general requirements
- Y.Cloud-SIDE-Reqts: High level requirements and capabilities for cloud enabled service environment
- Y.ccic: Framework of inter-cloud for network and infrastructure
- Y.ccinfra: Cloud computing infrastructure requirements
- Y.ccra (ISO/IEC 17789): Cloud computing reference architecture
- Y.e2eccrmr: End-to-end cloud computing resources management requirements
- Y.VNC: Resource control and management for virtual networks for cloud services (VNCs)

ITU-T/Study Group 17 (SG17)
Security
- X.1600 (X.ccsec): High-level security framework for cloud computing
- X.cc-control (ISO/IEC 27017): Guidelines supporting the implementation of information security controls for cloud service providers and cloud service customers of cloud computing services
- X.goscc: Guidelines of operational security for cloud computing
- X.sfcse: Security functional requirements for Software as a Service (SaaS) application environment
- X.ccidm: Requirement of IdM in cloud computing

ISO/IEC JTC 1/SC27
SC27 = Information Technology: Security techniques
ISO/IEC 27017 (Code of practice for information security controls for cloud computing services based on ISO/IEC 27002)
- Common text standard with ITU-T/SG17
- Additional implementation guidance for relevant information security controls specified in ISO/IEC 27002; and
- Additional controls and implementation guidance that specifically relate to cloud computing services
- Technical Report => International Standard
- Stage: Committee Draft (CD)
ISO/IEC 27018 (Code of practice for data protection controls for public cloud computing services)
- Applies to organizations providing public cloud computing services that act as PII processors (possibly PII controllers)
- Establishes commonly accepted control objectives, controls and guidelines for implementing controls to protect
- Stage: Draft International Standard (DIS)

ISO/IEC JTC 1/SC27 (cont.)
ISO/IEC 27036-4 (Information security for supplier relationships, Part 4: Guidelines for security of cloud services)
- Provides cloud service acquirers and suppliers with guidance on:
  - managing the information security risks caused by using cloud services
  - integrating information security processes and practices into the cloud-based product and service life cycle processes
  - responding to risks specific to the acquisition or provision of cloud-based services
- Defines guidelines supporting the implementation of Information Security Management for the use of cloud services
- Stage: 2nd Working Draft (WD)
ISO/IEC 27040 (Storage security)
- Overview of storage security concepts and related definitions
- Guidance on the threat, design and control aspects associated with typical storage scenarios and storage technology areas
- Secure multi-tenancy
- Limited coverage for cloud storage (e.g., CDMI)
- Stage: Draft International Standard (DIS)
Numerous other security standards that are potentially relevant!

Standards Setting Organizations (SSO) & Industry Associations

NIST Information Technology Laboratory
- Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing
- Special Publication 800-145, The NIST Definition of Cloud Computing
- Special Publication 800-146, Cloud Computing Synopsis and Recommendations
- Special Publication 500-291, NIST Cloud Computing Standards Roadmap
- Special Publication 500-292, NIST Cloud Computing Reference Architecture
- Special Publication 500-293 (Draft), US Government Cloud Computing Technology
- Special Publication 500-299 (Draft), NIST Cloud Computing Security Reference Architecture
- Interagency Report 7904 (Draft), Trusted Geolocation in the Cloud: Proof of Concept Implementation

Cloud Security Alliance (CSA)
- Security Guidance for Critical Areas of Focus in Cloud Computing
- Open Certification Framework
- Cloud Controls Matrix (CCM)
- Trusted Cloud Initiative (TCI) Reference Architecture Model
- Top Threats to Cloud Computing
- Security as a Service (SecaaS) Implementation Guidance
- Many others

OASIS
- Cloud Application Management for Platforms (CAMP)
- Identity in the Cloud (IDCloud)
- Symptoms Automation Framework (SAF)
- Topology and Orchestration Specification for Cloud Applications (TOSCA)
- Cloud Authorization (CloudAuthZ)
- Public Administration Cloud Requirements (PACR)

Other Cloud Activities of SSOs & IAs
IEEE Standards Association (IEEE-SA)
- P2301 - Guide for Cloud Portability and Interoperability Profiles (CPIP)
- P2302 - Standard for Intercloud Interoperability and Federation (SIIF)
Trusted Computing Group (TCG)
- Trusted Multi-Tenant Infrastructure (TMI) Use Cases
- Trusted Multi-tenant Infrastructure (TMI) Specification [Goal]
Storage Networking Industry Association (SNIA)
- Cloud Data Management Interface (CDMI) specification
- ISO/IEC 17826:2012, Information technology -- Cloud Data Management Interface (CDMI) [CDMI v1.0.2]
The Open Group
- Service-oriented Cloud Computing Infrastructure (SOCCI) Framework
- Cloud Computing Reference Architecture (CCRA)

Other Cloud Activities of SSOs & IAs (cont.)
Distributed Management Task Force (DMTF)
- DSP0243 Open Virtualization Format (OVF)
  - ISO/IEC 17203:2011, Information technology -- Open Virtualization Format (OVF) specification
- DSP0263 Cloud Infrastructure Management Interface (CIMI) Model and REST Interface over HTTP Specification
- DSP0264 CIMI-CIM Specification
Internet Engineering Task Force (IETF)
- RFC 6208 Cloud Data Management Interface (CDMI) Media Types
- Draft RFCs:
  - Cloud Based Mobile Core Network Problem Statement
  - Cloud Reference Framework
  - Accessing Cloud Services
  - Cloud Networking: VPN Applicability and NVo3 Gap Analysis
  - Network as a service requirement in cloud datacenter
  - An Architecture for a Secure Cloud Collaboration System
- Huge number of RFCs that enable the cloud.

Key Developments

NIST View of the Cloud

Shifting Cloud Concepts (1)
- NIST Essential Characteristics => Key Characteristics
- Cloud Deployment Models (Public, Private, Hybrid, Community)
- Major Cloud Computing Roles
  - Cloud Service Customer (includes cloud service user)
  - Cloud Service Provider
  - Cloud Service Partner (includes cloud auditor and cloud service broker)
- Key Cross Cutting Aspects
  - Auditability, availability, governance, interoperability, maintenance and versioning, performance, portability, privacy, regulatory, resiliency, reversibility, security, service levels and service level agreements

Shifting Cloud Concepts (2)
- Cloud Capability Types
  - Application Capabilities Type: cloud service customer can use the cloud service provider's applications
  - Platform Capabilities Type: cloud service customer can deploy, manage and run customer-created or customer-acquired applications using one or more programming languages and one or more execution environments supported by the cloud service provider
  - Infrastructure Capabilities Type: cloud service customer can provision and use processing, storage and networking resources
- NIST Service Models => Cloud Service Categories
  - All Cloud Service Categories defined using one or more Cloud Capability Types
  - Accommodates NIST and ITU-T service models
  - Allows for a near infinite number of Cloud Service Categories (start your marketing engines)

Service Categories vs. Capability Types
(Table: rows are the Cloud Service Categories - Software as a Service, Platform as a Service, Infrastructure as a Service, Network as a Service, Data Storage as a Service, Compute as a Service, Communication as a Service, Database as a Service, Desktop as a Service, ..., Washing-machine as a Service (WaaS), Security as a Service; columns are the Cloud Capability Types - Infrastructure, Platform, Application; an X marks each capability type a category is defined with. The X marks did not survive extraction in a readable order.)
SOURCE: ISO/IEC DIS 17788 | Resolution ITU-T X.ccdef

Cloud Computing Reference Architecture (Functional Components)

CSA & Standards

CSA Interactions with SDOs
International Standards Council (ISC)
- Primary CSA interface with Standards Development Organizations
- Operates similar to a National Body mirror committee
- Current ISC representatives from CA, CN, DE, FR, GB, HK, SG, TW, US
- Membership application is available to active corporate members
Formal Liaison Relationships:
- ISO/IEC JTC 1/SC 27: Category A
- ISO/IEC JTC 1/SC 38: Category A
- ITU-T (Study Groups 13 & 17): A.4 & A.5
Tracking many other organizations

Primary SDO Focus
Primary Interest in SC27 Projects
- ISMS: ISO/IEC 27001, ISO/IEC 27002
- Cloud: ISO/IEC 27017 | ITU-T X.cc-control, ISO/IEC 27018, ISO/IEC 27036-4
SC27 Projects of Interest: ISO/IEC 27009, ISO/IEC 27021, ISO/IEC 27035, ISO/IEC 27036 (Supply chain security), ISO/IEC 27040 (Storage security), ISO/IEC 27044 (SIEM), ISO/IEC 27050 (ediscovery)
SC38 Projects: ISO/IEC 17788 | ITU-T X.ccdef, ISO/IEC 17789 | ITU-T X.ccra, ISO/IEC 19086 (SLA)
ITU-T Projects: X.1600 (X.ccsec), X.goscc, X.sfcse

CSA ISC Contact Details
ISC Standard Secretariat:
- Aloysius Cheang, Managing Director APAC, Cloud Security Alliance; Member, SG NB
Co-Chairs:
- Andreas Fuchsberger, Regional Standards Officer, Microsoft; Member, GB NB
- Eric A. Hibbard, CTO Security and Privacy, Hitachi Data Systems; Member, US NB
https://cloudsecurityalliance.org/isc/

Final Thoughts
- A significant number of the cloud computing standards and specifications are still in draft form
- There are many organizations operating in this space, but it does appear there are conscious efforts to avoid duplication and contradiction
- It is unlikely that a single, all-encompassing standard (or source for standards) will emerge for cloud

eric.hibbard@hds.com