Dr David Ross “Incorporating Security Provisions into the New ISO/IEC Cloud Computing SLA Standards”
PUBLIC - ©2014 Bridge Point Communications Pty Ltd

Slide 1: Cloud Computing
Incorporating Security Provisions into the New ISO/IEC Cloud Computing SLA Standards
Dr David Ross, Chief Information Security Officer, [email protected]
©2014 Copyright Bridge Point Communications Pty Ltd

Slide 2
If the cloud is more secure than most business systems, why don’t we move our SCADA systems into the cloud?
Image: NASA, Bill Fecych and Don Johnson in reactor control room in 1959.

Slide 3: Barriers
• Don’t trust the technology
• Don’t trust own understanding of the technology
• Don’t trust the vendor’s understanding of the technology!

Slide 4: cloud computing [1]
• paradigm for enabling network access to a scalable and elastic pool of shareable physical or virtual resources with on-demand self-service provisioning and administration
[1] ISO/IEC DIS 17788 Information technology — Cloud computing — Overview and vocabulary

Slide 5: What is Cloud?
• 6 Key Characteristics:
  • Broad network access
  • On-demand self-service
  • Multi-tenancy
  • Resource pooling
  • Rapid elasticity and scalability
  • Measured service

Slide 6: Multi-tenancy
A feature where physical or virtual resources are allocated in such a way that multiple tenants and their computations and data are isolated from and inaccessible to one another.
Typically, and within the context of multi-tenancy, the group of cloud service users that form a tenant will all belong to the same cloud service customer organization. There might be cases where the group of cloud service users involves users from multiple different customers, particularly in the case of public cloud and community cloud deployments. However, a given cloud service customer organization might have many different tenancies with a single cloud service provider representing different groups within the

Slide 7: multi-tenancy
• 3.2.26 multi-tenancy: allocation of physical or virtual resources such that multiple tenants (3.2.36) and their computations and data are isolated from and inaccessible to one another
• 3.2.36 tenant: group of cloud service users (3.2.16) sharing access to a set of physical and virtual resources
ISO/IEC DIS 17788 Information technology — Cloud computing — Overview and vocabulary

Slide 8: Managed Services, Co-Lo & DCs
NOT cloud

Slides 9–13: On-Demand Self-Service
[Image sequence: CLOUD]

Slide 14: Major Roles of Cloud Computing
• cloud service provider: party (3.1.6) which makes cloud services (3.2.7) available
• cloud service customer: party (3.1.6) which is in a business relationship for the purpose of using cloud services (3.2.7)
• cloud service partner: party (3.1.6) which is engaged in support of, or auxiliary to, activities of either the cloud service provider (3.2.14) or the cloud service customer (3.2.10), or both
ISO/IEC DIS 17788 Cloud computing — Overview and vocabulary

Slide 15: 4 Deployment Models
• Public Cloud
• Private Cloud
• Community Cloud
• Hybrid Cloud

Slide 16: 3 NIST “Types” now “Capabilities Types”
• Original 3 “Types” (NIST):
  • Infrastructure-as-a-Service (IaaS),
  • Platform-as-a-Service (PaaS), and
  • Software-as-a-Service (SaaS).

Slide 17: 3 NIST “Types” now “Capabilities Types”
• De-facto NIST “Types” now abstracted to 2 levels:
  • Cloud Service Categories
  • Cloud Capabilities Types
• Now 3 “Capabilities Types” (ISO 17788):
  • Infrastructure Capabilities Type,
  • Platform Capabilities Type, and
  • Application Capabilities Type.
• And many “Cloud Service Categories”, including:
  • IaaS, PaaS, and SaaS.

Slides 18–21: ISO/IEC DIS 17789 Information technology — Cloud computing — Reference architecture
[Reference architecture diagrams]

Slide 22: ISO
• Not an acronym, “ISO” is the short name in any language
• Long name is: “International Organization for Standardization” (yes, ‘z’s)
• Which translates to: “Organisation Internationale de Normalisation”, “Internationale Organisation für Normung”, etc.

Slide 23: IEC
• Is the English initialisation
• International Electrotechnical Commission
• E.g. Commission Électrotechnique Internationale (CEI) in French

Slide 24: ISO/IEC
• Joint Technical Committee 1 (JTC 1)
• To develop, maintain, promote, and facilitate standards in the fields of information technology (IT) and Information and Communications Technology (ICT).
• Sub-Committees (SC), Working Groups (WG), Special Working Groups (SWG), Sub-Committees’ Working Groups (SC x/WG y)

Slide 25: JTC 1 — 29 sub-groups
Subcommittee/Working Group    Title
ISO/IEC JTC 1/SC 1            Smart Cities
ISO/IEC JTC 1/SWG 1           Accessibility (SWG-A)
ISO/IEC JTC 1/SWG 2           SWG - Directives
ISO/IEC JTC 1/SC 2            Big Data
ISO/IEC JTC 1/SWG 3           Planning
ISO/IEC JTC 1/SWG 5           Internet of Things (IoT)
ISO/IEC JTC 1/SWG 6           Management
ISO/IEC JTC 1/WG 7            Sensor networks
ISO/IEC JTC 1/WG 8            Governance of IT
ISO/IEC JTC 1/SC 2            Coded character sets
ISO/IEC JTC 1/SC 6            Telecommunications and information exchange between systems
ISO/IEC JTC 1/SC 7            Software and systems engineering
ISO/IEC JTC 1/SC 17           Cards and personal identification
ISO/IEC JTC 1/SC 22           Programming languages, their environments and system software interfaces
ISO/IEC JTC 1/SC 23           Digitally Recorded Media for Information Interchange and Storage
ISO/IEC JTC 1/SC 24           Computer graphics, image processing and environmental data representation
ISO/IEC JTC 1/SC 25           Interconnection of information technology equipment
ISO/IEC JTC 1/SC 27           IT Security techniques
ISO/IEC JTC 1/SC 28           Office equipment
ISO/IEC JTC 1/SC 29           Coding of audio, picture, multimedia and hypermedia information
ISO/IEC JTC 1/SC 31           Automatic identification and data capture techniques
ISO/IEC JTC 1/SC 32           Data management and interchange
ISO/IEC JTC 1/SC 34           Document description and processing languages
ISO/IEC JTC 1/SC 35           User interfaces
ISO/IEC JTC 1/SC 36           Information technology for learning, education and training
ISO/IEC JTC 1/SC 37           Biometrics
ISO/IEC JTC 1/SC 38           Distributed application platforms and services (DAPS)
ISO/IEC JTC 1/SC 39           Sustainability for and by Information Technology
ISO/IEC JTC 1/SC 40           IT Service Management and IT Governance

Slide 26: ISO/IEC JTC 1/SC 27
• IT Security techniques
• Number of published ISO standards under responsibility of ISO/IEC JTC 1/SC 27 (includes updates): 136
• Participating countries: 53
• Observing countries: 17

Slide 27: ISO/IEC JTC 1/SC 27
Reference           Stage   Title
ISO/IEC WD 27003    20.60   Information technology -- Security techniques -- Information security management system implementation guidance
ISO/IEC WD 27004    20.60   Information technology -- Security techniques -- Information security management -- Measurement
ISO/IEC WD 27005    20.60   Information technology -- Security techniques -- Information security risk management
ISO/IEC CD 27006    30.60   Information technology -- Security techniques -- Requirements for bodies providing audit and certification of information security management systems
ISO/IEC CD 27011    30.00   Information technology -- Security techniques -- Information security management guidelines for telecommunications organizations based on ISO/IEC 27002
ISO/IEC WD 27013    20.60   Information technology -- Security techniques -- Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1
ISO/IEC CD 27017    30.60   Information technology -- Security techniques -- Code of practice for information security controls for cloud computing services based on ISO/IEC 27002
ISO/IEC DIS 27018   40.99   Information technology -- Security techniques -- Code of practice for PII protection in public cloud acting as PII processors

Slide 28: ISO/IEC JTC 1/SC 38
• Distributed application platforms and services (DAPS)
  • WG 1: Web Services,
  • WG 2: Service Oriented Architecture (SOA), and
  • WG 3: Cloud Computing
• Number of published ISO standards under responsibility of ISO/IEC JTC 1/SC 38 (includes updates): 4
• Participating countries: 27
• Observing countries: 8

Slide 29: ISO/IEC JTC 1/SC 38
• Participating Countries
  • Australia (SA)
  • Austria (ASI)
  • Brazil (ABNT)
  • Canada (SCC)
  • China (SAC)
  • Denmark (DS)
  • Finland (SFS)
  • France (AFNOR)
  • Germany (DIN)
  • India (BIS)
  • Ireland (NSAI)
  • Israel (SII)
  • Italy (UNI)
  • Japan (JISC)
  • Korea, Republic of (KATS)
  • Luxembourg (ILNAS)
  • Netherlands (NEN)
  • Poland (PKN)
  • Portugal (IPQ)
  • Russian Federation (GOST R)
  • Singapore (SPRING)
  • South Africa (SABS)
  • Spain (AENOR)
  • Sweden (SIS)
  • Switzerland (SNV)
  • United Kingdom (BSI)
  • United States (ANSI)

Slide 30: ISO/IEC JTC 1/SC 38
• Observing Countries
  • Belgium (NBN)
  • Bosnia and Herzegovina (BAS)
  • Czech Republic (UNMZ)
  • Hong Kong (ITCHKSAR) (Correspondent member)
  • New Zealand (SNZ)
  • Norway (SN)
  • Serbia (ISS)
  • Uruguay (UNIT)

Slide 31: ISO/IEC JTC 1/SC 38
Reference             Stage   Title
ISO/IEC DIS 17788     40.60   Information technology -- Cloud computing -- Overview and vocabulary
ISO/IEC DIS 17789     40.60   Information technology -- Cloud computing -- Reference architecture
ISO/IEC CD 18384-1    30.60   Information technology - Reference Architecture for Service Oriented Architecture (SOA) - Part 1: Terminology and Concepts for SOA
ISO/IEC CD 18384-2    30.60   Information Technology - Reference Architecture for Service Oriented Architecture (SOA) - Part 2: Reference Architecture for SOA Solutions
ISO/IEC CD 18384-3    30.60   Information technology - Reference Architecture for Service Oriented Architecture (SOA) - Part 3: Ontology for SOA
ISO/IEC NP 19086      10.99   Information technology -- Distributed application platforms and services -- Cloud computing -- Service level agreement (SLA) framework and terminology

Slide 32: ISO/IEC JTC 1/SC 38/WG 3 (Cloud)
• DIS 17788: ISO/IEC DIS 17788 Information Technology – Cloud Computing – Overview and Vocabulary
• Editor: Eric Hibbard (US)
• Disposition of DIS comments complete
• Progressing to IS

Slide 33: ISO/IEC JTC 1/SC 38/WG 3 (Cloud)
• DIS 17789: ISO/IEC DIS 17789 Information Technology – Cloud Computing – Reference Architecture
• Editor: Laura Lindsay (US)
• Disposition of DIS comments complete
• Progressing to IS

Slide 34: ISO/IEC JTC 1/SC 38/WG 3 (Cloud)
• WD 19086: ISO/IEC 19086 Information Technology – Cloud Computing – Service Level Agreement (SLA) Framework and Terminology
• Editors: Eric Simmon (US), Liu Na (China), Toshihiro Suzuki (Japan)
• Working Draft in progress

Slide 35: Read the contract! Backups add security?
• Real Example: Cloud Service includes “automatic backup service that copies customer data to an external backup service, providing a further level of security to customer data … stored for 3 months after being made … can be extended to up to 7 years if required”
• Perfectly legitimate, but there are 2 meanings for “secure” here
• By default, backup is overwritten after 3 months … no restores over 3 months old!
• Backups go to a third party … with whom you have no contract for handling your data!
• The backups are … NOT encrypted!

Slides 36–37: Backups
[Image slides]

Slide 38
• Weak, vague, or one-sided SLAs and contracts
• Real Example: “The following list presents an overview of some of the audits and assessments that the” Cloud Service “undergoes on a regular basis”...
• The Cloud Service did indeed undergo regular audits … but only held certifications for two of the five in their list in that year.
• Difference between ‘undergo audits’ and ‘meet requirements’.
• Require certification

Slide 39: ISO/IEC JTC 1/SC 38/WG 3 (Cloud)
• WD 19086: ISO/IEC 19086 Information Technology – Cloud Computing – Service Level Agreement (SLA) Framework and Terminology (as slide 34)
• Editors: Eric Simmon (US), Liu Na (China), Toshihiro Suzuki (Japan)
• Working Draft in progress

Slide 40: ISO/IEC JTC 1/SC 38/WG 3 (Cloud)
• ISO/IEC 19086-1 Information Technology – Cloud Computing – Service Level Agreement (SLA) Framework and Terminology – Part 1: Overview and Concepts
• Acting Editors: Eric Simmon (US)*, Liu Na (China)*, Toshihiro Suzuki (Japan)*
• Pending Project Subdivision

Slide 41: ISO/IEC JTC 1/SC 38/WG 3 (Cloud)
• ISO/IEC 19086-2 Information Technology – Cloud Computing – Service Level Agreement (SLA) Framework and Terminology – Part 2: Metrics
• Acting Editors: Eric Simmon (US)*, Liu Na (China)*, Toshihiro Suzuki (Japan)*
• Pending Project Subdivision

Slide 42: ISO/IEC JTC 1/SC 38/WG 3 (Cloud)
• ISO/IEC 19086-3 Information Technology – Cloud Computing – Service Level Agreement (SLA) Framework and Terminology – Part 3: Core Requirements
• Acting Editors: Eric Simmon (US)*, Liu Na (China)*, Toshihiro Suzuki (Japan)*
• Pending Project Subdivision

Slide 43: The Cloud Computing SLA Standard(s)
• RELATIONSHIP BETWEEN THE MASTER AGREEMENT AND SLAS
• CLOUD SLA MANAGEMENT
• THE ROLE OF SERVICE LEVEL OBJECTIVES, METRICS, REMEDIES, AND EXCEPTIONS IN THE SLA
• CLOUD SLA ELEMENTS
• 9.4 Service Monitoring Element
• 9.5 Roles and Responsibilities
• 9.6 Accessibility
• 9.7 Availability
  • 9.7.1 Allowable Downtime
  • 9.7.2 Downtime
  • 9.7.3 Making remedy claims on Availability service level objectives

Slide 44: The Cloud Computing SLA Standard(s)
• 9.8 Cloud Service Performance
  • 9.8.1 Cloud Service Response Time
  • 9.8.2 Cloud Service Capacity
  • 9.8.3 Cloud Service Capability Indicators
• 9.9 Protection of Personally Identifiable Information (PII)
• 9.10 Information Security
• 9.11 Termination of Service
  • 9.11.1 Description
  • 9.11.2 Context for Termination of Service
  • 9.11.3 Notification of Service Termination
  • 9.11.4 Return of Assets

Slide 45: The Cloud Computing SLA Standard(s)
• 9.12.3 Service Incident Notification
• 9.12.5 System Logs
• 9.12.6 Service Incident Handling
• 9.12.7 Failure (service outage) Notification
• 9.14.1 Resiliency/Fault Tolerance
• 9.14.4 Cloud Service Customer Data Backup and Restore
• 9.14.6 Retention Period for Backup Data
• 9.14.8 Verification of Saved Data Integrity
• 9.14.9 Service Continuity – Disaster Prevention and Recovery
• 9.15.1 Intellectual Property Rights (IPR)
• 9.15.6 Account Data
• 9.15.7 Derived Data

Slide 46: The Cloud Computing SLA Standard(s)
• 9.15.8 Personally Identifiable Information (PII)
• 9.15.9 Data Portability
• 9.15.10 Data Deletion
• 9.15.11 Data Location
• 9.15.12 Data Examination
• 9.15.13 Law enforcement Access
• 9.15.15 Recovery Point Objective
• 9.15.16 Retention Period for backup data
• 9.15.17 Plan for Deletion of Data
• 9.15.19 Compensation and Insurance for Data leakage and Loss
• 9.15.20 Data portability upon contract cancellation
• 9.16 Attestations, Certifications and Audits

Slide 47
There’ll be no Hobbits allowed out until you pay your Cloud Service Provider bill
Image: National Museum of Denmark, Photographer: Kai Uldall

Slide 48: CSA’s Role in Assurance
[Diagram: Control Requirements; Private, Community & Public Clouds; Provider Assertions]
Copyright © 2013 Cloud Security Alliance, www.cloudsecurityalliance.org

Slide 49: Path to High Assurance
[Diagram: Clear GRC objectives + Self Assessment + 3rd Party Assessment + Real time, continuous monitoring]
Image: Copyright © 2013 Cloud Security Alliance, www.cloudsecurityalliance.org

Slides 50–51
[Image slides]

Slide 52: Contact
• Thanks, David Ross: [email protected]
• Standards Australia: [email protected] and Damian Fisher: [email protected]
• Standards Australia IT-038 (AU SC38 mirror committee):
  • Chair: Dr John Zic: [email protected]
  • P/Mgr: Jenny Mance: [email protected]