Working Group on Cloud Security and Privacy (WGCSP)
First Working Group Meeting, 29.5.2012
Review of Existing Standards and Best Practices on Cloud Security

  - Security Standards and Status
  - List of Some Publicly Available Cloud Security Best Practices and Related Documents
  - Cloud Security Frameworks
Security Standards and Status

  Categorization                             Approved / accepted by market   Under development
  Authentication & Authorization             11                              0
  Confidentiality                            7                               0
  Integrity                                  4                               0
  Identity Management                        4                               1
  Security Monitoring & Incident Response    7                               0
  Security Policy Management                 3                               0
  Availability                               1                               0

Source: NIST Cloud Computing Standards Roadmap (July 2011)
List of Some Publicly Available Cloud Security Best Practices and Related Documents

  Organisation                                        Document Title                                                              Timeline
  Cloud Security Alliance (CSA)                       Security Guidance for Critical Areas of Focus in Cloud Computing            Nov 2011 (version 3.0)
                                                      Cloud Controls Matrix (CCM)                                                 Aug 2011 (version 1.2)
                                                      Top Threats to Cloud Computing                                              Mar 2010
  European Network and Information Security Agency    Cloud Computing: Benefits, risks and recommendations for information        Nov 2009
  (ENISA)                                             security
                                                      Security & Resilience in Governmental Clouds                                Jan 2011
                                                      Cloud Computing Information Assurance Framework                             Nov 2009
  ISACA                                               Guiding Principles for Cloud Computing Adoption and Use                     Feb 2012
  ITU-T Focus Group on Cloud Computing                Cloud Computing Security                                                    Feb 2012
  National Institute of Standards and Technology      Guidelines on Security and Privacy Issues in Public Cloud Computing         Jan 2012
  (NIST)                                              (NIST 800-144)
  Open Data Center Alliance (ODCA)                    Security Monitoring                                                         Jun 2011
                                                      Security Provider Assurance                                                 Jun 2011
  Open Group Cloud Work Group                         An Architectural View of Security for Cloud                                 Jun 2011
                                                      Cloud Security position paper                                               2Q2011
                                                      Security For Cloud and SOA Reference Architecture                           Drafting; Final: 2Q2012
Cloud Security Framework (1)

  Cloud Architecture
    Domain 1:  Cloud Computing Architectural Framework

  Governance Domains
    Domain 2:  Governance and Enterprise Risk Management
    Domain 3:  Legal Issues: Contracts and Electronic Discovery
    Domain 4:  Compliance and Audit
    Domain 5:  Information Management and Data Security
    Domain 6:  Portability and Interoperability

  Operational Domains
    Domain 7:  Traditional Security, Business Continuity, and Disaster Recovery
    Domain 8:  Data Center Operations
    Domain 9:  Incident Response, Notification, and Remediation
    Domain 10: Application Security
    Domain 11: Encryption and Key Management
    Domain 12: Identity and Access Management
    Domain 13: Virtualization
    Domain 14: Security as a Service

Source: Security Guidance for Critical Areas of Focus in Cloud Computing V3.0, issued by the Cloud Security Alliance in November 2011
Cloud Security Framework (2)

  - Governance
  - Compliance
  - Trust
  - Architecture
  - Identity and Access Management
  - Software Isolation
  - Data Protection
  - Availability
  - Incident Response

Source: Guidelines on Security and Privacy in Public Cloud Computing (800-144), issued by NIST
Summary

  - Most of the security standards are mature and accepted by the market, except those covering the requirement of IdM in Cloud Computing.
  - A significant number of cloud security best practices and related documents are publicly available, yet few are tailored for the local environment.
  - Although different organizations have different cloud security frameworks, the basic components are similar.
Potential Focus Areas of the Working Group

  - Development of cloud security best practices, guidelines or standards that are tailored for the local environment. For example, a best practices guide on cloud security and privacy of public cloud for local SMEs.
  - Participation in the development of security standards that are not yet available, or that are being developed but not yet approved or accepted by the market. For example, Identity and Access Management standards.
  - Identification of cloud security framework components that the Working Group would pay more attention to. For example, Compliance and Audit.
Objectives of Cloud Security Standards

  - Create a common, shared and consistent language/terminology in describing security controls
  - Provide an open and fair framework for industry-level compliance
  - Enable cloud users to compare different cloud offerings
  - Encourage cloud service providers to invest in IT security controls
  - Lower overall risk and cost for Hong Kong industry to adopt cloud computing