Standardisation of Cloud Service Security


Standardisation of Cloud Service Security. Juha Röning, Juha.Roning@oulu.fi

Contents: the range of standards; cloud service standards; standards worth following; standards and the CSA Cloud Controls Matrix; Cloud Software research in Finland.

Standards. Technology standards: ISO 27001. Regulations: data protection legislation (EU, national); PCI-DSS, Payment Card Industry Security Standards Council; HIPAA (US), the Health Insurance Portability and Accountability Act of 1996; FedRAMP (US), the Federal Risk and Authorization Management Program, a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Cloud standardisation bodies

Themes: threats introduced by virtualisation (shared resources, CPU/network, leakage); privacy (data location, encryption, the service's privacy policy); identity management.

Standardisation process: ETSI. Stage 0: validate the need for standardisation; Stage 1: requirements and objectives; Stage 2: information model; Stage 3: detailed data and protocol model; Stage 4: testing and validation; then deploy the standard.

Standardisation process: IETF. From RFC 2026, section 1.2: "In outline, the process of creating an Internet Standard is straightforward: a specification undergoes a period of development and several iterations of review by the Internet community and revision based upon experience, is adopted as a Standard by the appropriate body... and is published. In practice, the process is more complicated, due to (1) the difficulty of creating specifications of high technical quality; (2) the need to consider the interests of all of the affected parties; (3) the importance of establishing widespread community consensus; and (4) the difficulty of evaluating the utility of a particular specification for the Internet community."

The most important bodies: ITU (SG13, SG17); ISO (SC38, SC27); NIST, the National Institute of Standards and Technology, whose mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life; OASIS, the Organization for the Advancement of Structured Information Standards, a non-profit consortium that drives the development, convergence and adoption of open standards for the global information society; IETF, the Internet Engineering Task Force, whose aim is to make the Internet work better from an engineering point of view.

The most important bodies (money talks): Cloud Security Alliance. The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. ODCA: The Open Data Center Alliance is working actively to shape the future of cloud computing, a future based on open, interoperable standards.

ITU-T and ISO standardisation work: ITU-T SG13. Q26: Cloud computing ecosystem, intercloud and general requirements; Q27: Cloud functional architecture, infrastructure and networking; Q28: Cloud computing resource management and virtualization. ISO SC38 WG3: Cloud computing; cloud computing reference architecture and vocabulary.

ITU-T and ISO standardisation work: ITU-T SG17 (Security). Work to build confidence and security in the use of information and communication technologies (ICTs) continues to intensify in a bid to facilitate more secure network infrastructure, services and applications. Over seventy standards (ITU-T Recommendations) focusing on security have been published. ITU-T Study Group 17 (SG17) coordinates security-related work across all ITU-T Study Groups. Often working in cooperation with other standards development organizations (SDOs) and various ICT industry consortia, SG17 deals with a broad range of standardization issues. To give a few examples, SG17 is currently working on cybersecurity; security management; security architectures and frameworks; countering spam; identity management; the protection of personally identifiable information; and the security of applications and services for the Internet of Things (IoT), smart grid, smartphones, web services, social networks, cloud computing, mobile financial systems, IPTV and telebiometrics.

ITU-T and ISO standardisation work: ISO/IEC JTC 1/SC 27. WG 1: Information security management systems; WG 2: Cryptography and security mechanisms; WG 3: Security evaluation, testing and specification; WG 4: Security controls and services; WG 5: Identity management and privacy technologies.

ITU Cloud Security reference architecture

Cloud Security Alliance: Cloud Controls Matrix; Trusted Cloud Infrastructure; Security as a Service; Cloud Trust Protocol; Guidance Document.

ISO standards worth following for cloud users: controls for cloud computing security; additional controls for ISO 27001 certification; implementation guidance (on top of ISO 27002); supply chain guidance; Secure Storage (ISO 27040); ITU Cloud Security Framework.

Standards worth following: NIST 800-144, whose purpose is to provide an overview of public cloud computing and the security and privacy challenges involved; the ENISA Cloud Security Guide, new version with an SME focus; ISAE 3402, an in-depth audit of a third-party service organization (transparency and trust). Provider compliance pages: http://aws.amazon.com/compliance/ and https://support.google.com/a/bin/answer.py?hl=en&answer=60762

Cloud security guide, top security risks: loss of governance; lock-in; isolation failure; compliance risks; management interface compromise; data protection; insecure or incomplete data deletion; malicious insider.

Cloud Controls Matrix

ISO

Cloud Software: security in agile product management; risk management; privacy protection; interface testing; trust between organisations.

Generic Security User Stories: smaller organisations do not necessarily have a security expert available; a way to discover security requirements and solutions. Antti Vähä-Sipilä and Camillo Särs / F-Secure.

Interface testing: the Radamsa tool for testing the robustness of software; the browser is especially critical in cloud services; over a hundred vulnerabilities found and fixed.
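An added illustration of the robustness-testing idea behind Radamsa, not the tool's own code and not from the slides: a small mutation fuzzer in the Radamsa style (bit flips, byte drops and inserts, block repeats, truncation, numeric boundary values, a subset of what Radamsa does) is run against an invented `key=value;key=value` parser, first as a developer might first write it and then hardened so that malformed input is rejected cleanly. The format, both parsers and the seed corpus are constructed for this example.

```python
import random
# Constructed seed corpus for an invented "key=value;key=value" config format.
SEED_INPUTS = [b"user=alice;role=admin;quota=100", b"user=bob;quota=5"]

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one Radamsa-style mutation (a small subset of Radamsa's mutators)."""
    if not data:
        return b"A"
    i = rng.randrange(len(data))
    j = min(len(data), i + rng.randrange(1, 8))
    mutators = [
        lambda: data[:i] + bytes([data[i] ^ (1 << rng.randrange(8))]) + data[i + 1:],  # bit flip
        lambda: data[:i] + data[i + 1:],                                               # drop a byte
        lambda: data[:i] + bytes([rng.randrange(256)]) + data[i:],                     # insert a byte
        lambda: data[:j] + data[i:j] * rng.randrange(2, 64) + data[j:],                # repeat a block
        lambda: data[:i],                                                              # truncate
        lambda: data.replace(b"100", rng.choice([b"0", b"-1", b"4294967296", b"9" * 40])),  # numeric boundary
    ]
    return rng.choice(mutators)()

def parse_naive(data: bytes) -> dict:
    """Parser as first written: a field without '=' raises IndexError (robustness defect)."""
    result = {}
    for field in data.split(b";"):
        key, value = field.split(b"=")[0], field.split(b"=")[1]
        result[key] = int(value) if key == b"quota" else value  # int() -> ValueError on junk
    return result

def parse_hardened(data: bytes) -> dict:
    """Same parser with the defect fixed: malformed fields are rejected with ValueError."""
    result = {}
    for field in data.split(b";"):
        key, sep, value = field.partition(b"=")
        if not sep:
            raise ValueError("malformed field: %r" % field)
        result[key] = int(value) if key == b"quota" else value
    return result

def fuzz(parser, iterations: int = 2000, seed: int = 1) -> dict:
    """Feed mutated inputs to parser; ValueError is graceful rejection, anything else a defect."""
    rng = random.Random(seed)
    findings = {}  # exception class name -> first input that triggered it
    for _ in range(iterations):
        case = mutate(rng.choice(SEED_INPUTS), rng)
        try: parser(case)
        except ValueError: continue
        except Exception as exc: findings.setdefault(type(exc).__name__, case)
    return findings
```

With the default seed the naive parser yields an IndexError finding within the 2000 cases, while the hardened parser yields none; the triggering input in `findings` is the reproducer a developer would take into triage.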