International Standards Activities on Cloud Security
Eva Kuiper, CISA, CISSP
eva.kuiper@hp.com
HP Enterprise Security Services
Agenda
- Importance of common cloud standards
- Outline current work undertaken
- Define cloud security requirements and practices
- Review various ISO standards, both published and in development
The Importance of Common Standards for the Cloud
Cloud services offer many proprietary techniques which prevent interoperability and portability between environments.
Benefits of common standards:
- Prevents vendor lock-in
- Creates common terminology for cloud consumers AND providers
- Creates a common set of control objectives for security controls for certifications and audits
- Creates standardized methodologies and formats for monitoring and logging
- Creates a standardized set of assurance models used by both cloud consumers and cloud providers
- Provides a standardized set of APIs for ease of automation and instrumentation
Ongoing technical work in ISO JTC1 SC27
General:
- ISO 27000, 27001, 27002: Information security best practices and security certification
- ISO 27036-1, 27036-2, 27036-3: Supply chain risk management
- Numerous other ISO standards covering technical topics in network management, identity management, cryptography, and privacy
Cloud specific:
- ISO 27017: Security guidance on 27001 implementation requirements for cloud
- ISO 27018: Data protection controls for public cloud
- ISO 27036-4: Security guidance on supply chain risk management issues specific to cloud deployments
- Collaboration with SC38 on cloud-related projects (ISO 17788, 17789)
- Study period for cloud risk assessment
ISO/IEC 17788 highlights: Cloud Terminology
Key characteristics:
- Broad network access: network accessible from anywhere
- Measured service: usage monitored, controlled, reported, and billed
- Multi-tenancy: physical and virtual resources allocated in a manner which isolates one tenant's computation and data from other tenants
- On-demand self-service: cloud service customer provisions as needed, automatically or with minimal interaction with the cloud service provider
- Rapid elasticity and scalability: physical or virtual resources are rapidly and elastically provisioned as needed per the service agreement
- Resource pooling: cloud service provider resources are aggregated without customer control or knowledge of how resources are provided or where they are located, unless a contractual agreement specifies location
ISO/IEC 17788 highlights: Cloud computing roles and activities
- Cloud service customer: business relationship with cloud service provider or cloud service customer for the purpose of using cloud services
- Cloud service partner: a party supporting the activities of either the cloud service provider or the cloud service customer, e.g. cloud auditor, cloud service broker
- Cloud service provider: a party which makes cloud services available
ISO/IEC 17788 highlights: Cloud Service Capabilities
- Application capabilities type: cloud service customer uses the cloud service provider's application
- Infrastructure capabilities type: cloud service customer provisions and uses processing, storage, or networking resources
- Platform capabilities type: cloud service customer deploys, manages, and runs a customer-created or customer-acquired application using programming languages or execution environments supported by the cloud service provider
ISO/IEC 17788 highlights: Cloud Service Categories
- Communications as a Service (CaaS): real-time interaction and collaboration
- Compute as a Service (CompaaS): provisioning and use of processing resources needed to deploy and run software
- Infrastructure as a Service (IaaS): infrastructure capabilities are provided to the cloud service customer
- Network as a Service (NaaS): capability provided is transport connectivity and related network capabilities
- Platform as a Service (PaaS): capability provided is the platform capabilities type
- Software as a Service (SaaS): capability provided is the application capabilities type
ISO/IEC 17788 highlights: Cloud Deployment Models
- Public cloud: resources are controlled by the cloud service provider and available to any cloud service customer
- Private cloud: cloud deployment used exclusively by a single cloud service customer, with a narrowly controlled boundary based on limiting customers to one organization. May be operated by the customer or a third party, on premise or off premise.
- Community cloud: supports and is shared by a specific collection of cloud service customers with shared requirements and a relationship with one another. Broad boundary limiting participation to customers with a shared set of concerns.
- Hybrid cloud: deployment model using at least two different deployment models bound together by appropriate technology to enable interoperability, data portability, and application portability. Boundary reflects its two base deployments.
ISO/IEC 27017
ISO/IEC DIS 27017, Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for cloud services
Status: Under development
Target publication date: 2015-10-31
ISO/IEC 27017 Overview
SCOPE
- Gives guidelines for relevant controls specified in ISO/IEC 27002
- Provides additional controls with implementation guidance specifically relating to cloud services, for both cloud service providers and cloud service customers
NORMATIVE REFERENCES
- ISO/IEC 27000, Information technology -- Security techniques -- Information security management systems -- Overview and vocabulary
- ISO/IEC 17788, Information technology -- Cloud computing -- Overview and vocabulary
- ISO/IEC 17789, Information technology -- Cloud computing -- Reference architecture
- ISO/IEC 27002:2013, Information technology -- Security techniques -- Code of practice for information security controls
ISO/IEC 27017 Overview
Cloud sector-specific security concepts in this standard:
- Supplier relationships in cloud services
  - Acquirer-supplier relationship
  - Supply chain relationships between cloud infrastructure providers and cloud application providers
- Relationships between cloud service customers and cloud service providers
  - Cloud service customer's business process dependency upon the CIA of the cloud service
  - Cloud service customer requires security information from the cloud service provider to determine if additional controls must be implemented for risk mitigation
- Managing information security risks in cloud services derived from its features
  - Networking
  - Resource sharing
  - Cross-jurisdictional service provisioning
  - Limited visibility into implementation of controls
  - Etc.
ISO/IEC 27017 Overview
Appendix B provides references for risk sources and risks in the provision and use of cloud services:
- Recommendation ITU-T X.1601, Security framework for cloud computing - Jan. 2014
- Australian Government Information Management Office, Summary of Checkpoints of Privacy and Cloud Computing for Australian Government Agencies: Better Practice Guide - Feb. 2013
- Australian Signals Directorate, Section 17 "Overview of Cloud Computing Security Considerations" of Cloud Computing Security Considerations - Sep. 2012
- Hong Kong OGCIO, Security & Privacy Checklist for Cloud Service Providers in Handling Personal Identifiable Information in Cloud Platforms - April 2013
- Hong Kong OGCIO, Security Checklists for Cloud Service Consumers - Jan. 2013
- NIST, SP800-144 Guidelines on Security and Privacy in Public Cloud Computing - Dec. 2011
- NIST, SP800-146 Cloud Computing Synopsis and Recommendations - May 2012
ISO/IEC 27017: Demo of Content
ITU-T X.1601 digression
ISO/IEC 27017 provides a list of references for cloud-based threat/risk assessments. ITU-T X.1601 provides useful information on this topic and, unlike ISO/IEC standards, this ITU-T standard is FREE.
Topics covered:
- Security threats for cloud computing
  - Security threats for cloud service customers (CSCs)
  - Security threats for cloud service providers (CSPs)
- Security challenges for cloud computing
  - Security challenges for cloud service customers (CSCs)
  - Security challenges for cloud service providers (CSPs)
  - Security challenges for cloud service partners (CSNs)
ITU-T X.1601 continued
Cloud computing security capabilities:
- Trust model
- Identity and access management (IAM), authentication, authorization and transaction audit
- Physical security
- Interface security
- Computing virtualization security
- Network security
- Data isolation, protection and privacy protection
- Security coordination
- Operational security
- Incident management
- Disaster recovery
- Service security assessment and audit
- Interoperability, portability and reversibility
- Supply chain security
ITU-T X.1601 continued
Useful threat tables: a "Y" indicates where a security capability addresses a threat or challenge.
ISO/IEC 27018
Status: Published
ISO/IEC 27018:2014, Information technology -- Security techniques -- Code of practice for PII protection in public clouds acting as PII processors
Abstract
ISO/IEC 27018:2014 establishes commonly accepted control objectives, controls and guidelines for implementing measures to protect Personally Identifiable Information (PII) in accordance with the privacy principles in ISO/IEC 29100 for the public cloud computing environment. In particular, ISO/IEC 27018:2014 specifies guidelines based on ISO/IEC 27002, taking into consideration the regulatory requirements for the protection of PII which might be applicable within the context of the information security risk environment(s) of a provider of public cloud services.
ISO/IEC 27018:2014 is applicable to all types and sizes of organizations, including public and private companies, government entities, and not-for-profit organizations, which provide information processing services as PII processors via cloud computing under contract to other organizations. The guidelines in ISO/IEC 27018:2014 might also be relevant to organizations acting as PII controllers; however, PII controllers can be subject to additional PII protection legislation, regulations and obligations not applying to PII processors. ISO/IEC 27018:2014 is not intended to cover such additional obligations.
ISO/IEC 27018:2014 preview
ISO/IEC 27018:2014: Demo of standard
SC27 Cloud Study Groups
Cloud Computing Security and Privacy:
- SC27 liaison officers and project editors meet to maintain consistency and alignment among cloud standards
- Use cases used to develop joint text between SC27 (ISO/IEC 27017) and ITU-T SG17 (X.ccsec)
Study Period on Cloud Security Technologies was extended to investigate:
- Virtualization security
- Security as a Service
- Integration of cloud computing into existing projects: storage, incident management, forensics, supplier relationships, disaster recovery
New work in study period
Cloud risk management:
- Based upon NIST work on the cloud-adapted Risk Management Framework
- Draft created by CS1 for input into the study period; work in progress
- Responsibilities shift from provider to consumer depending on the cloud deployment model
- Cloud-specific considerations for risk management emerge based on the shift in responsibility
Other Cloud Standardization Activities
- ITU-T SG17: X.ccsec
- ENISA: Cloud Computing Security Risk Assessment; Procure Secure; Critical Cloud Computing
- ETSI - Cloud Standards Coordination Workshops
  - Coordinate with stakeholders in the cloud standards ecosystems
  - Devise standards roadmaps in support of EU policy in critical areas such as security, interoperability, data portability, and reversibility
Other Cloud Standardization Activities
Cloud Security Alliance (CSA):
- Established the International Standardization Council in 2012
- Liaisons with ISO/IEC SC27, ISO/IEC SC38 and ITU-T; contributor to cloud standards
- Standards and best practices on many aspects of cloud security, for example:
  - Security Guidance
  - Cloud Controls Matrix
  - Training and Certificate of Cloud Security Knowledge (CCSK)
  - CSA Security, Trust and Assurance Registry (STAR)
Getting involved locally
Cloud Security Alliance: Seattle Chapter
- Free membership
- Monthly meetings in Bellevue, 8 times/year
- Generally held towards the end of the month, Thursday evening 6-8
- Two speakers and food
https://chapters.cloudsecurityalliance.org/seattle/
Questions?