ISO 27017 – What are the Business Advantages of Cloud Security?

Ramkumar Ramachandran, Principal Consultant, Ascentant Corporation, Chennai, India


  1. OUR SPONSORS & PARTNERS
     Platinum Sponsor / Event Partner / Knowledge Partners (sponsor logos in the original deck)
     Contact us: info@alvinintegrated.com | +91 8802 505619, +91 8287509289 | www.alvinintegrated.com
     27th FEB 2021 (SATURDAY), 09:00 - 17:30 IST
  2. ISO 27017 - WHAT ARE THE BUSINESS ADVANTAGES OF CLOUD SECURITY?
     ISO 27017:2015
     27th February 2021 (Saturday), Time: 09:30 am - 09:55 am IST
     By Ramkumar Ramachandran, Principal Consultant, Ascentant Corporation, Chennai, India
  3. SPEAKER INTRODUCTION
     Ramkumar Ramachandran, Principal Consultant, Ascentant Corporation, Chennai, India
     • Expertise – ISMS / Data Privacy / CMMI / Agile / GDPR
     • IIMC Alumni - SMP
     • US / UK / France / China / Singapore / Taiwan / Thailand / Malaysia / Indonesia / Bahrain / Kuwait / Qatar / Saudi Arabia / Sri Lanka / New Zealand
     • Aeronautical Engineer / IIMC Alumni / MIT Sloan Systems Thinking
     • CSQA, CISA, PMP, CDPSE
     • Systems Thinking – MIT Sloan School of Management
     • LA QMS/ISMS/SMS/BCMS, SAFe Agilist
     • ram@ascentantcorp.biz
  4. ISO 27017 OVERVIEW SESSION
  5. CONTENT
     • History of ISO 27001
     • Cloud Infrastructure Evolution
     • Need for Cloud Security
     • ISO 27017 – Additional guidance for Cloud Security to ISO 27002 controls
     • ISO 27017 – Additional Controls
     • Implementing ISO 27017
  6. EVOLUTION OF ISMS
     1995 – Initiative from Department of Trade and Industry; BS 7799 Part 1
     1998 – BS 7799 Part 2
     1999 – New issue of BS 7799 Part 1 & 2
     2000 – ISO/IEC 17799:2000
     2001 – BS 7799-2:2002 (drafted)
     Sep 2002 – BS 7799-2:2002 passed and accepted
     Jun 2005 – ISO 17799:2005
     Oct 2005 – ISO/IEC 27001:2005
     Sep 2013 – ISO/IEC 27001:2013
  7. ISO 27001 STRUCTURE
     Clauses: Context of the Organization; Leadership; Planning; Support; Operations; Performance Evaluation; Improvement
     Annex A – Controls: Information Security Policies; Organization of Information Security; Human Resource Security; Asset Management; Access Control; Cryptography; Physical and Environmental Security; Operations Security; Communications Security; Software Acquisition, Development, Maintenance; Supplier Management; Incident Management; Security in BCM; Compliance
  8. ISO 27002 – CODE OF PRACTICE – CONTROLS HIERARCHY
     Group (14 of them) → Control Objective (35 of them) → Controls (114 of them)
  9. ISO 27017 – STRUCTURE
     ISO 27001 Requirements → ISO 27002 Code of Practice → Additional Controls for ISO 27017
 10. CLOUD – DEFINITION BY NIST
     Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. (from NIST)
 11. CLOUD INFRASTRUCTURE EVOLUTION
     Mainframe → Desktop / Laptop → Client Server → Thin Client → Cloud Infrastructure
 12. VISUAL CLOUD INFRASTRUCTURE DEPICTION
     SaaS / PaaS / IaaS (layered diagram in the original deck)
 13. CLOUD SECURITY – BASIC SECURITY RISK CONSIDERATIONS
     • Organizational Security Risks – Resource Planning / Change Management / Malicious Insiders
     • Physical Security Risks – Data Location / Server, Storage & Network
     • Technological Security Risks – Application Development / Portability / Lack of Interoperability standards
     • Compliance and Audit Risks – Legal Challenges / Compliance & Audit / Business Continuity & Disaster Recovery
     • Data Security Risks – Identity & Access Management / Multi-tenancy risks / Backup / Data Privacy
 14. CLOUD SECURITY – DATA SECURITY CONSIDERATIONS
     • Privacy – Safeguarding personal data as per privacy commitments
     • Confidentiality – Ensuring data is accessed only on a need-to-know basis
     • Integrity – Confidence that the data stored in the cloud is not altered in any way by unauthorized parties
     • Availability – Ensures that the cloud service customer (CSC) has access to their data and is not denied access
 15. CLOUD SECURITY – DATA STAGES
     • Data-in-transit – Data that is in the process of being transmitted either to the cloud infrastructure or to the computing device used by the CSC. Here data is most at risk of being intercepted, hence violating confidentiality.
     • Data-at-rest – Data that has been stored in the cloud infrastructure. The main issue at this stage for the CSC is their loss of control over the data; the onus of defending against attacks at this stage hence falls on the cloud service provider (CSP).
     • Data-in-use – Data that is being processed into information. Here the issues might lie with the corruption of data while it is being processed.
 16. ISO 27017 HIGHLIGHTS
     • Guidelines for information security controls applicable to the provision and use of cloud services
     • Additional implementation guidance for relevant controls specified in ISO/IEC 27002
     • Provides controls and implementation guidance for both cloud service providers and cloud service customers
     • Structured similarly to ISO/IEC 27002
     • Includes clauses 5 to 18 of ISO/IEC 27002 by stating the applicability of its texts at each clause and paragraph
     • When controls are needed in addition to ISO/IEC 27002, they are given in Annex A: Cloud Service Extended Control Set
 17. NEW CONTROLS FOR CLOUD SECURITY IN ISO 27017
     Control Ref – Seven New Controls
     6.3.1  – Shared roles and responsibilities within a cloud computing environment
     8.1.5  – Removal of cloud service customer assets
     9.5.1  – Segregation in virtual computing environments
     9.5.2  – Virtual machine hardening
     12.1.5 – Administrator's operational security
     12.4.5 – Monitoring of cloud services
     13.1.4 – Alignment of security management for virtual and physical networks
 18. ISO 27017 APPROACH
     Cloud service customer – Guideline for the Cloud Service Subscriber / Customer
     Cloud service provider – Guideline for the Cloud service hosting company
 19. 4 CLOUD SECTOR SPECIFIC CONCEPTS (as per A.15 Supplier Management)
     • CSC should meet its ISMS goals
     • CSP should provide services to enable CSC to meet their ISMS goals
     • Where CSP cannot meet CSC ISMS requirements, CSC should implement additional controls
     • Both CSC and CSP should have strong risk management practices in place
 20. 6 ORGANISATION OF INFORMATION SECURITY – ROLES & RESPONSIBILITIES
     Activity | Cloud Service Customer | Cloud Service Provider (the slide's table marks the Primary party and the responsible role for each row)
     • Request to create User IDs – Primary – IT Lead
     • Creation of User IDs – Primary – Lead
     • Access Provisioning for Users – Primary – IT Lead
     • Access Control Review – Primary – Department Heads
     • Backup Plan Creation – Primary – IT Lead
     • Backup Execution – Primary – Backup Executive
     • End Point Security – Primary – Security Team
     • Data Encryption – Primary – Security Team
 21. 8 ASSET MANAGEMENT – INVENTORY OF ASSETS
     Data – Storage Location
     • Customer Master Details – Cloud
     • Employee Salary – On-Prem
     • Helpdesk Tickets – Cloud
     Data categories: Internal Data / Client A / Client B / Client C
 22. 8 ASSET MANAGEMENT – ASSET LABELLING
     Format: <Location / Type of Asset / Criticality / Serial Number>
     Example: CLD/S/I/001 = Cloud / Soft Copy / Internal / Serial Number 001
     Label Code can be a Bar Code, QR Code etc. as well
 23. 9 ACCESS CONTROL – USER REGISTRATION / DE-REGISTRATION / ACCESS
     Registration (Provisioning Details) / De-Registration (Details) / Access Provisioning (Details) / Confirmation (flow diagram in the original deck)
 24. 9 ACCESS CONTROL – AUTHENTICATION TECHNIQUES
     Standard User: Validation → Access Enabling
     Admin User: Validation 1 → Validation 2 → Access Enabling
 25. 9 ACCESS CONTROL – INFORMATION ACCESS RESTRICTION
     Permission matrix: Read / Write / Delete on each of Cloud Service, Cloud Service Function and Cloud Customer Data, by role.
     Developer – 3 of the 9 permissions; Tester – 3 of 9; Lead – 4 of 9; PM – 6 of 9; Admin – all 9 (Read, Write and Delete on all three)
 26. 10 CRYPTOGRAPHY – ENCRYPTION CYCLE
     GENERATION → STORAGE → ACTIVATION → DISTRIBUTION → ROTATION → EXPIRATION → REVOCATION → DESTRUCTION
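The encryption cycle on slide 26 is a lifecycle that key management should enforce, not just draw. The following added example (not from the deck) encodes the eight stages as a state machine that only permits forward moves, makes revocation reachable from any live state, and refuses to encrypt with a key that is no longer active. The transition table and the use rules are assumptions for illustration.

```python
from enum import Enum

class KeyState(Enum):
    GENERATION = 1
    STORAGE = 2
    ACTIVATION = 3
    DISTRIBUTION = 4
    ROTATION = 5
    EXPIRATION = 6
    REVOCATION = 7
    DESTRUCTION = 8

# Allowed moves (assumption): forward through the cycle; revocation reachable from
# any live state (e.g. suspected compromise); destruction only once the key is unusable.
TRANSITIONS = {
    KeyState.GENERATION: {KeyState.STORAGE, KeyState.REVOCATION},
    KeyState.STORAGE: {KeyState.ACTIVATION, KeyState.REVOCATION},
    KeyState.ACTIVATION: {KeyState.DISTRIBUTION, KeyState.ROTATION,
                          KeyState.EXPIRATION, KeyState.REVOCATION},
    KeyState.DISTRIBUTION: {KeyState.ROTATION, KeyState.EXPIRATION, KeyState.REVOCATION},
    KeyState.ROTATION: {KeyState.EXPIRATION, KeyState.REVOCATION},
    KeyState.EXPIRATION: {KeyState.REVOCATION, KeyState.DESTRUCTION},
    KeyState.REVOCATION: {KeyState.DESTRUCTION},
    KeyState.DESTRUCTION: set(),
}

# Encrypt only while active/distributed; rotated or expired keys may still decrypt
# what they protected earlier; revoked and destroyed keys may do neither.
ENCRYPT_OK = {KeyState.ACTIVATION, KeyState.DISTRIBUTION}
DECRYPT_OK = ENCRYPT_OK | {KeyState.ROTATION, KeyState.EXPIRATION}

def is_allowed(current: KeyState, new: KeyState) -> bool:
    return new in TRANSITIONS[current]

class ManagedKey:
    def __init__(self, key_id: str) -> None:
        self.key_id = key_id
        self.state = KeyState.GENERATION

    def transition(self, new: KeyState) -> None:
        if not is_allowed(self.state, new):
            raise ValueError(f"{self.key_id}: {self.state.name} -> {new.name} not permitted")
        self.state = new

    def may_encrypt(self) -> bool:
        return self.state in ENCRYPT_OK

    def may_decrypt(self) -> bool:
        return self.state in DECRYPT_OK
```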
 27. 12 OPERATIONS SECURITY – CHANGE MANAGEMENT
     Cloud Service Customer: Change Management of the CSC should consider changes done by the CSP
     Cloud Service Provider: Any change done by the CSP should be communicated to the CSC
 28. 12 OPERATIONS SECURITY – CAPACITY MANAGEMENT (diagram only in the original deck)
 29. 12 OPERATIONS SECURITY – TECHNICAL VULNERABILITY MANAGEMENT (diagram only in the original deck)
 30. 13 COMMUNICATIONS SECURITY – SEGREGATION OF NETWORK
     Tenant 1 / Tenant 2 / Tenant 3 (segregated tenant networks, diagram in the original deck)
 31. 15 SUPPLIER RELATIONSHIPS – SECURITY IN CONTRACTS
     The roles and responsibilities in the agreement should address the following, but are not limited to it:
     • Malware protection
     • Backup
     • Cryptographic controls
     • Vulnerability management
     • Incident management
     • Technical compliance checking
     • Security testing
     • Auditing
     • Collection, maintenance and protection of evidence, including logs and audit trails
     • Protection of information upon termination of the service agreement
     • Authentication and access control
     • Identity and access management
 32. 15 SUPPLIER RELATIONSHIPS – TECHNOLOGY SUPPLY CHAIN
     Contract terms apply to the entire technology supply chain
 33. 16 INFORMATION SECURITY INCIDENT MANAGEMENT
     Incidents Reported / Incidents / Incident Status / CSP (flow diagram in the original deck)
 34. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
     CLD.6.3 Relationship between cloud service customer and cloud service provider
     CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment
     Control: Responsibilities for shared information security roles in the use of the cloud service should be allocated to identified parties, documented, communicated and implemented by both the cloud service customer and the cloud service provider.
     Cloud service customer: The cloud service customer should define or extend its existing policies and procedures in accordance with its use of cloud services and make cloud service users aware of their roles and responsibilities in the use of the cloud service.
     Cloud service provider: The cloud service provider should document and communicate its information security capabilities, roles, and responsibilities for the use of its cloud service, along with the information security roles and responsibilities that the cloud service customer would need to implement and manage as part of its use of the cloud service.
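Slide 20's roles and responsibilities table and CLD.6.3.1 rest on the same requirement: every shared activity is allocated to an identified party, with a named role, and both sides document the same split. The following added example (not from the deck or the standard) checks a customer's and a provider's documented views against each other; the activity names follow slide 20, while the Primary assignments and roles in the sample are constructed.

```python
from dataclasses import dataclass

PARTIES = ("CSC", "CSP")  # cloud service customer / cloud service provider

@dataclass(frozen=True)
class Allocation:
    activity: str
    primary: str   # party holding Primary responsibility for the activity
    role: str      # named role that owns the activity on that side

def validate_matrix(csc_view: dict, csp_view: dict) -> list:
    """Compare the two parties' documented allocations.
    Returns findings; an empty list means every activity is allocated to a
    known party, has a named role, and both CSC and CSP agree on the split."""
    findings = []
    for act in sorted(set(csc_view) | set(csp_view)):
        a, b = csc_view.get(act), csp_view.get(act)
        if a is None or b is None:
            findings.append(f"{act}: not documented by {'CSC' if a is None else 'CSP'}")
            continue
        for alloc in (a, b):
            if alloc.primary not in PARTIES:
                findings.append(f"{act}: unknown party {alloc.primary!r}")
            if not alloc.role.strip():
                findings.append(f"{act}: no named role")
        if a.primary != b.primary:
            findings.append(f"{act}: CSC says {a.primary}, CSP says {b.primary}")
    return findings

# Constructed sample views. One activity's split disagrees and one is missing
# from the provider's document, the two gaps CLD.6.3.1 is meant to close.
CSC_VIEW = {
    "Request to create User IDs": Allocation("Request to create User IDs", "CSC", "IT Lead"),
    "Creation of User IDs": Allocation("Creation of User IDs", "CSC", "IT Lead"),
    "Backup Execution": Allocation("Backup Execution", "CSP", "Backup Executive"),
    "Data Encryption": Allocation("Data Encryption", "CSP", "Security Team"),
}
CSP_VIEW = {
    "Request to create User IDs": Allocation("Request to create User IDs", "CSC", "IT Lead"),
    "Creation of User IDs": Allocation("Creation of User IDs", "CSP", "Lead"),
    "Backup Execution": Allocation("Backup Execution", "CSP", "Backup Executive"),
}

if __name__ == "__main__":
    for finding in validate_matrix(CSC_VIEW, CSP_VIEW):
        print(finding)
```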
 35. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
     CLD.8.1 Responsibility for assets
     CLD.8.1.5 Removal of cloud service customer assets
     Control: Assets of the cloud service customer that are on the cloud service provider's premises should be removed, and returned if necessary, in a timely manner upon termination of the cloud service agreement.
     Cloud service customer: The cloud service customer should request a documented description of the termination of service process. This process should cover the return and removal of the cloud service customer's assets followed by the deletion of all copies of those assets from the cloud service provider's systems.
     Cloud service provider: The cloud service provider should provide information about the arrangements for the return and removal of any cloud service customer's assets upon termination of the agreement for the use of a cloud service.
 36. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
     CLD.9.5 Access control of cloud service customer data in shared virtual environment
     Objective: To mitigate information security risks when using the shared virtual environment of cloud computing
     CLD.9.5.1 Segregation in virtual computing environments
     Control: A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized persons.
     Cloud service customer: (no additional implementation guidance)
     Cloud service provider: The cloud service provider should enforce appropriate logical segregation of cloud service customer data, virtualized applications, operating systems, storage, and network for:
       • the separation of resources used by cloud service customers in multi-tenant environments;
       • the separation of the cloud service provider's internal administration from resources used by cloud service customers.
 37. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
     CLD.9.5 Access control of cloud service customer data in shared virtual environment
     Objective: To mitigate information security risks when using the shared virtual environment of cloud computing
     CLD.9.5.2 Virtual machine hardening
     Control: Virtual machines in a cloud computing environment should be hardened to meet business needs.
     Cloud service customer and cloud service provider: When configuring virtual machines, cloud service customers and cloud service providers should ensure that appropriate aspects are hardened (e.g., only those ports, protocols and services that are needed), and that the appropriate technical measures are in place (e.g., anti-malware, logging) for each virtual machine used.
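The hardening guidance for CLD.9.5.2 (only the ports, protocols and services that are needed; anti-malware and logging in place) can be checked mechanically against a per-role baseline, which is how drift gets caught between audits. The following added example (not from the deck or the standard) does that; the roles, baselines and the VM inventory are constructed.

```python
from dataclasses import dataclass

@dataclass
class VmRecord:
    name: str
    role: str
    listening: set   # {(port, protocol)} the VM actually exposes
    measures: set    # technical measures present, e.g. {"anti-malware", "logging"}

# Constructed baseline per VM role (assumption): the only listeners a role needs
# and the technical measures every VM of that role must run.
BASELINE = {
    "web": {"ports": {(443, "tcp")},
            "measures": {"anti-malware", "logging"}},
    "db": {"ports": {(5432, "tcp")},
           "measures": {"anti-malware", "logging", "disk-encryption"}},
}

def assess_vm(vm: VmRecord) -> list:
    """Findings for one VM: listeners outside the baseline and missing measures."""
    base = BASELINE.get(vm.role)
    if base is None:
        return [f"{vm.name}: no hardening baseline for role {vm.role!r}"]
    findings = [f"{vm.name}: unexpected listener {port}/{proto}"
                for port, proto in sorted(vm.listening - base["ports"])]
    findings += [f"{vm.name}: missing measure {m}"
                 for m in sorted(base["measures"] - vm.measures)]
    return findings

def assess_fleet(vms: list) -> dict:
    """Map each non-compliant VM name to its findings; compliant VMs are omitted."""
    return {vm.name: f for vm in vms if (f := assess_vm(vm))}

# Constructed inventory: one drifted web VM, one compliant DB VM, one VM with no baseline.
FLEET = [
    VmRecord("web-01", "web", {(443, "tcp"), (22, "tcp"), (8080, "tcp")}, {"logging"}),
    VmRecord("db-01", "db", {(5432, "tcp")}, {"anti-malware", "logging", "disk-encryption"}),
    VmRecord("batch-01", "batch", {(22, "tcp")}, {"logging"}),
]

if __name__ == "__main__":
    for name, findings in assess_fleet(FLEET).items():
        print(name, findings)
```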
 38. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
     CLD.12.1 Operational procedures and responsibilities
     CLD.12.1.5 Administrator's operational security
     Control: Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored.
     Cloud service customer: The cloud service customer should document procedures for critical operations where a failure can cause unrecoverable damage to assets in the cloud computing environment. Examples of the critical operations are:
       • installation, changes, and deletion of virtualized devices such as servers, networks and storage;
       • termination procedures for cloud service usage;
       • backup and restoration.
     Cloud service provider: The cloud service provider should provide documentation about the critical operations and procedures to cloud service customers who require it.
 39. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
     CLD.12.4 Logging and monitoring
     CLD.12.4.5 Monitoring of cloud services
     Control: The cloud service customer should have the capability to monitor specified aspects of the operation of the cloud services that the cloud service customer uses.
     Cloud service customer: The cloud service customer should request information from the cloud service provider about the service monitoring capabilities available for each cloud service.
     Cloud service provider: The cloud service provider should provide capabilities that enable the cloud service customer to monitor specified aspects, relevant to the cloud service customer, of the operation of the cloud services, for example to monitor and detect whether the cloud service is being used as a platform to attack others, or whether sensitive data is being leaked from the cloud service. Appropriate access controls should secure the use of the monitoring capabilities.
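CLD.12.4.5 names two things the monitoring capability should let a customer detect: the service being used as a platform to attack others, and sensitive data leaking out. The following added example (not from the deck or the standard) runs both checks over a constructed flow log, flagging a VM that contacts many distinct destinations in one window and a VM whose outbound volume exceeds a threshold; the record format, the 60-second window and the thresholds are assumptions to be tuned to the service's normal traffic.

```python
from collections import defaultdict

def parse_flows(text: str) -> list:
    """Parse constructed flow records: 'epoch src_vm dst_ip dst_port bytes_out'."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((int(ts), src, dst, int(port), int(nbytes)))
    return flows

def detect(flows: list, window: int = 60, fanout_threshold: int = 20,
           egress_threshold: int = 50_000_000) -> dict:
    """Per-VM signals, bucketed by time window.
    fan-out: many distinct destinations (a tenant VM being used to attack others);
    egress:  large outbound volume (sensitive data leaving the service).
    Thresholds are assumptions and should be tuned to the service's normal traffic."""
    fanout = defaultdict(set)   # (vm, bucket) -> distinct destination IPs
    egress = defaultdict(int)   # (vm, bucket) -> bytes sent
    for ts, src, dst, _port, nbytes in flows:
        bucket = ts // window
        fanout[(src, bucket)].add(dst)
        egress[(src, bucket)] += nbytes
    signals = defaultdict(list)
    for (vm, bucket), dsts in sorted(fanout.items()):
        if len(dsts) >= fanout_threshold:
            signals[vm].append(f"fan-out: {len(dsts)} distinct destinations in window {bucket}")
    for (vm, bucket), total in sorted(egress.items()):
        if total >= egress_threshold:
            signals[vm].append(f"egress: {total} bytes out in window {bucket}")
    return dict(signals)

def constructed_sample() -> str:
    """Constructed flow log using documentation-range IPs, not real traffic."""
    lines = ["# epoch src_vm dst_ip dst_port bytes_out"]
    # app VM touching 25 different hosts in under a minute
    lines += [f"{1700000000 + i} vm-app-1 198.51.100.{i} 22 400" for i in range(25)]
    # db VM pushing 60 MB to one external host in the same window
    lines += [f"{1700000000 + i} vm-db-1 203.0.113.7 443 20000000" for i in range(3)]
    lines.append("1700000005 vm-web-1 203.0.113.9 443 1500")  # ordinary traffic
    return "\n".join(lines)

if __name__ == "__main__":
    for vm, sigs in detect(parse_flows(constructed_sample())).items():
        print(vm, sigs)
```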
 40. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
     CLD.13.1 Network security management
     CLD.13.1.4 Alignment of security management for virtual and physical networks
     Control: Upon configuration of virtual networks, consistency of configurations between virtual and physical networks should be verified based on the cloud service provider's network security policy.
     Cloud service customer: (no additional implementation guidance)
     Cloud service provider: The cloud service provider should define and document an information security policy for the configuration of the virtual network consistent with the information security policy for the physical network. The cloud service provider should ensure that the virtual network configuration matches the information security policy regardless of the means used to create the configuration.
 41. Questions are Welcome!
 42. Please give your feedback in the chat box about the session!!