Cloud Computing ISO Security and Privacy Standards: 27017, 27018, 27001
Mike Edwards (Chair, UK Cloud Standards Committee)

Mike Edwards, Senior Technical Staff Member, IBM Cloud Computing & SOA Standards, UK
Chair, UK ISO SC38 mirror committee (BSI IST 38)
mike_edwards@uk.ibm.com
Abstract and Agenda: ISO 27001, ISO 27017 & ISO 27018
This talk describes the ISO Security & Privacy specifications & certifications which apply to cloud services.
- Security & Privacy concerns of cloud service customers
- Standards and certifications
- ISO 27000 series of security & privacy standards
- ISO 27001 & ISO 27002: the foundations for IT security
- Cloud Computing impact on security & privacy
- ISO 27017: security for cloud services
- ISO 27018: data protection for cloud services (i.e. privacy)
The Cloud Standards Customer Council: THE Customer's Voice for Cloud Standards!
Provides customer-led guidance to multiple cloud standards-defining bodies. 500+ organizations participating.
2011/2012 Deliverables:
- Practical Guide to Cloud Computing
- Practical Guide to Cloud SLAs
- Security for Cloud Computing
- Impact of Cloud Computing on Healthcare
- Establishing criteria for open standards based cloud computing
2013/2014 Deliverables:
- Convergence of SoMoClo
- Analysis of Public Cloud SLAs
- Cloud Security Standards
- Migrating Apps to Public Cloud
- Social Business in the Cloud
- Big Data in the Cloud
- PGCC Version 2
- Migrating Apps: Performance Requirements
- Cloud Interoperability/Portability
2015 Projects (partial):
- Update to Security for Cloud Computing whitepaper
- Update to Practical Guide to Cloud Service Agreements
- Practical Guide to Privacy for the Public Sector
- Practical Guide to PaaS
http://cloud-council.org
Three Takeaways
- Security & Privacy are key concerns for Cloud Service Customers; many demand proof in relation to cloud services
- Customers & Providers need a public and open way of declaring the Security & Privacy capabilities of cloud services
- International standards such as ISO 27001, 27017 & 27018 provide an open, worldwide and customer-accepted approach
Top concerns about cloud computing
Security & Privacy: the number one inhibitor to customers adopting cloud services.
[Chart] "What, if anything, do you perceive as actual or potential barriers to acquiring public cloud services?" Percent rating the factor as a significant barrier (4 or 5); respondents could select multiple items.
- Security/privacy of company data: 69%
- Service quality, doubts about true cost savings, performance / insufficient responsiveness over network, difficulty integrating with in-house IT: each rated between 47% and 54% (the chart's per-factor assignment of 54%, 53%, 52% and 47% is not recoverable from the extracted text)
Source: IBM Market Insights, Cloud Computing Research, July 2009, n=1,090; Oliver Wyman interviews.
Security matters
Standards making organizations
- International
- Regional / national
- Fora & consortia
Other
- Open technology organizations
- Customer / User organizations: CSCC, ODCA (cloud computing); CSA (cloud computing security)
- Certification organizations, e.g. ISACA
- Code-first specifications: HTML5
- Open source projects, e.g. OpenStack, Cloud Foundry, Docker; open source implementations create pressure for availability before ratification of a standard
Types of Standards
Categories: High level; Governance & Management; Architectures; Technology specific. Examples shown on the slide (the original grouping into categories is only partly recoverable):
- ISO 18384 SOA Reference Architecture
- ISO 17789 Cloud Computing Reference Architecture
- ISO 27018 Data Protection for Cloud Services
- ISO 27017 Information Security Controls for Cloud Services
- ISO 29101 Privacy Architecture Framework
- PCI-DSS Controls for Card Data
- ISO 24760 ID Management Architecture
- GB/T 31168 Security capability requirements of cloud services (China)
- GB/T 31167 Security guide of cloud computing services (China)
- GB/T 20273 Security Requirements for DBMS (China)
- ISO 19086 Cloud SLAs
- ISO 19794 Biometric Interchange Formats
- KMIP Key Management
- Technology specific: RSA, AES, Triple-DES (encryption); Kerberos (ID and access management); X.509 (certificates); SHA (hashing); Security Assertions
Standards: Certification
Certification provides assurance:
- of an organization ("we are following the process correctly")
- of an individual ("I understand and I can implement")
Established through audit or examination.
- May be directly associated with a standard: ISO 27001 certification
- May be defined separately from standards: CSA STAR; ISACA CISM
Why use International Standards?
- Applicable anywhere in the world: implement once
- Generally accepted: valid according to WTO rules; avoids balkanization caused by varying national & regional requirements
- Well accepted by customers: ISO 27001 is one of the best known; plenty of skills & knowledge available; well developed ecosystem of auditors & certification authorities
ISO Cloud Computing standards
- 17788: Cloud computing: Overview and Vocabulary*
- 17789: Cloud computing: Reference Architecture*
- 19086: Cloud computing: SLAs
- 19941: Cloud computing: Interoperability & Portability
- 19944: Cloud computing: Data Flow across devices & cloud services
- 27001: Information security management systems: Requirements
- 27002: Code of practice for information security controls
- 27017: Guidelines on information security controls for the use of cloud computing services based on ISO/IEC 27002*
- 27018: Code of practice for data protection controls for public cloud computing services
- 27036: Information security for supplier relationships
- 29101: Privacy architecture framework
* = Joint standard with ITU-T. On the original slide, black = complete, published; red = in preparation, draft.
Only available as a priced publication
ISO 27002 specification: Code of practice for information security controls
Based on ISO 27001 requirements for information security management systems. 27002 control sets for:
- Security Policy
- Organization of Information Security
- Asset Management
- Human Resources
- Physical & Environmental
- Supplier Relationship Management
- Communications & Operations
- Management of Application Services
- Access Control
- System Acquisition, Development & Maintenance
- Security Incident Management
- Business Continuity Management
- Compliance
ISO 27002 specification (cont): Code of practice for information security controls
Sample controls:
- All information security responsibilities should be defined and allocated
- Assets associated with information and information processing facilities should be identified and an inventory of these assets should be drawn up and maintained
- Conflicting duties and areas of responsibility should be segregated to reduce opportunities for unauthorized or unintentional modification or misuse of the organization's assets
- Security perimeters should be defined and used to protect areas that contain either sensitive or critical information and information processing facilities
- Agreements with suppliers should include requirements to address the information security risks associated with Information and Communications Technology services and product supply chain
- The use of resources should be monitored, tuned, and projections made of future capacity requirements to ensure the required system performance
- Information involved in application service transactions should be protected to prevent incomplete transmission, mis-routing, unauthorized message alteration, unauthorized disclosure, unauthorized message duplication or replay
- A formal user registration and de-registration procedure should be implemented for granting and revoking access for all user types to all systems and services
- The implementation of changes should be controlled by the use of formal change control procedures
- Information security incidents should be responded to in accordance with the documented procedures
- Plans should be developed and implemented to maintain or restore operations and ensure availability of information at the required level and in the required time scales following interruption to, or failure of, critical business processes
- Records should be protected from loss, destruction, falsification, unauthorized access and unauthorized release, in accordance with statutory, regulatory, contractual, and business requirements
SoftLayer 27001 Certification
Cloud Computing: Impact on Security & Privacy
[Diagram] Split of security responsibilities between the cloud service customer and the cloud service provider. Security components shown: end users, DevOps, in-house applications & systems, administrators, business managers, in-house data (customer side); functional interfaces, admin interfaces, business interfaces, cloud service, app code, app environment, customer data, derived data (provider side).
ISO 27017 specification: Information security controls for the use of cloud computing services
Based on the ISO 27002 security control specification, with added information for Cloud Service Customers & Cloud Service Providers. Extended control sets for cloud computing:
- Extra management control & coordination due to the security responsibility split
- Control of risks due to shared facilities when using cloud computing
- Impact on end users of the customer organization if they use cloud computing services
- Acceptance testing for provided services & for upgrades / new versions
- Handling of mobile code
- Authentication methods for cloud service use
- Application level controls including input/output data validation, message integrity
- Audit requirement
Higher impact extended controls:
- Audit logs required, with specified data
- Non-disclosure of communications
- Monitoring use of cloud services
- Protection of audit tools
Privacy & Data Protection: Roles
- Data Subject: the person identified by personal data
- Data Controller: the cloud service customer
- Data Processor: the cloud service provider
Regulatory focus is on the data controller.
ISO 27018 specification: Code of practice for data protection controls for public cloud computing services
Data protection of PII to meet regulatory requirements, e.g. European data protection regulations. Based on ISO 27002 plus additional controls for handling of PII:
- Separation of test environment: no PII in test environment
- Authorization & tracking of removable media containing PII
- Where logs contain PII data, special control of logs required
- Procedures to address corruption / compromise of passwords
- Continuity of data processing within specified documented period
- Confidentiality obligation for people with access to PII
- Disclosure of PII must be logged
- Ensure erasure of temporary files within specified period
- Each individual with access to PII must have a unique ID
- Record of authorized users required
Higher impact additional controls for handling of PII:
- PII only processed in accordance with instructions of the PII controller (per contract)
- Monitoring: event log with specific details where PII changed
- Recording of security breaches
- Intended destination (organization/individual) recorded for transmitted PII
- PII transmitted over public networks must be encrypted
- Documented policy about geographical area for PII storage
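Several of the ISO 27018 controls listed above (unique ID per individual with PII access, logged disclosure with intended destination, event details where PII changed, encryption for PII over public networks) are checkable after the fact from a well-structured audit log. The following is an added example, not code from the talk, from IBM or from ISO 27018 itself: it runs such checks over a constructed JSON-lines audit log. The event names, field names, the list of shared accounts and the sample records are all assumptions chosen for the example; a real deployment would map its own log schema onto these checks.

```python
"""Audit-log checks for a subset of the ISO 27018 PII controls.

Added example with an assumed log schema (event, user_id, record, and
event-specific fields). It reports events that would fail the controls
described on the slide; it does not prove compliance, only surface gaps.
"""
import json

# Constructed sample audit log (JSON lines). Lines 3, 5 and 6 are deliberately
# non-compliant so the checks have something to find.
SAMPLE_LOG = """\
{"event": "pii_read", "user_id": "u-1001", "record": "cust-42"}
{"event": "pii_change", "user_id": "u-1001", "record": "cust-42", "field": "address", "old": "redacted", "new": "redacted"}
{"event": "pii_change", "user_id": "u-1002", "record": "cust-43"}
{"event": "pii_disclosure", "user_id": "u-1003", "record": "cust-44", "destination": "org:partner-bank"}
{"event": "pii_disclosure", "user_id": "u-1003", "record": "cust-45"}
{"event": "pii_transmit", "user_id": "shared-ops", "record": "cust-46", "network": "public", "encrypted": false}
{"event": "pii_transmit", "user_id": "u-1004", "record": "cust-47", "network": "public", "encrypted": true}
"""

# Assumption: account names known to be shared rather than tied to one person.
SHARED_IDS = {"shared-ops", "admin", "root"}

# Fields a PII change event must carry for the "specific details" control.
CHANGE_DETAIL_FIELDS = {"field", "old", "new"}


def parse_events(text):
    """Parse JSON-lines audit text into a list of event dicts (blank lines skipped)."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def check_event(ev):
    """Return the list of control gaps for one audit event (empty if none)."""
    findings = []
    uid = ev.get("user_id")
    # Control: each individual with PII access must have a unique ID.
    if not uid or uid in SHARED_IDS:
        findings.append("no unique user ID")
    # Control: event log with specific details where PII changed.
    if ev.get("event") == "pii_change" and not CHANGE_DETAIL_FIELDS.issubset(ev):
        findings.append("PII change without change details")
    # Control: disclosure of PII logged with its intended destination.
    if ev.get("event") == "pii_disclosure" and not ev.get("destination"):
        findings.append("disclosure without intended destination")
    # Control: PII over public networks must be encrypted (as recorded in the log).
    if ev.get("event") == "pii_transmit" and ev.get("network") == "public" and not ev.get("encrypted"):
        findings.append("PII sent over public network unencrypted")
    return findings


def audit(text):
    """Map 1-based line number -> findings, for non-compliant events only."""
    results = {}
    for lineno, ev in enumerate(parse_events(text), start=1):
        findings = check_event(ev)
        if findings:
            results[lineno] = findings
    return results


if __name__ == "__main__":
    for lineno, findings in audit(SAMPLE_LOG).items():
        print(f"line {lineno}: {'; '.join(findings)}")
```

The checks only test what the log records: the "encrypted" flag shows whether the transmitting component claimed encryption, which is why the log itself needs integrity protection (the "protection of audit tools" and "special control of logs" controls above) before its contents can carry evidential weight.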
Customers will only use services that they trust
Questions?
Read the CSCC whitepapers (free downloads):
- Practical Guide to Cloud Service Agreements, V2: http://bit.ly/1iqxrdg
- Public Cloud Service Agreements: What to Expect & What to Negotiate: http://bit.ly/1gkbi8o
- Practical Guide to Cloud Computing, V2: http://bit.ly/1mwd9mz
- Security for Cloud Computing: 10 Steps to Ensure Success, V2: http://bit.ly/1l3d9gz
- Cloud Security Standards: What to Expect & What to Negotiate: http://bit.ly/18fzfl3
- Interoperability and Portability for Cloud Computing: A Guide: http://bit.ly/1fg7lkk
- Migrating Applications to Public Cloud Services: Roadmap for Success: http://bit.ly/1b9ygjy
- Web Application Hosting Cloud Solution Architecture: http://bit.ly/1dboszm
- Convergence of Social, Mobile & Cloud: 7 Steps to Ensure Success: http://bit.ly/1edte9o
- Impact of Cloud Computing on Healthcare: http://bit.ly/1b9zp42
Call to Action: Join the CSCC Now!
- To have an impact on customer use case based standards requirements
- To learn about all Cloud Standards within one organization
- To help define the CSCC's future roadmap
Membership is free & easy: http://www.cloud-council.org/application
Get Involved! Join one or more of the CSCC Working Groups: http://www.cloud-council.org/workinggroups.htm
Useful links
- ISO: http://www.iso.org/iso/home.html ; http://www.27000.org/
- ITU-T: http://www.itu.int/en/itu-t/pages/default.aspx
- OASIS: https://www.oasis-open.org/ ; https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=id-cloud ; https://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip
- IETF: http://tools.ietf.org/html/rfc6749 (OAuth 2.0)
- DMTF: http://dmtf.org/standards/cadf (CADF)
- BSI: http://www.bsigroup.co.uk/
More useful links
- CSCC: http://www.cloud-council.org
- ODCA: http://www.opendatacenteralliance.org/
- CSA: https://cloudsecurityalliance.org/
- ISACA: https://www.isaca.org/pages/default.aspx
- PCI: https://www.pcisecuritystandards.org/security_standards/ (PCI-DSS)
- Cloud Foundry: http://cloudfoundry.org/index.html
- Docker: https://www.docker.com/