Uploaded by Amuluru Chenchuvineeth

Cloud Security
2. Security Frameworks
1. Security Architectures
2. The Jericho Forum & Cloud Security Alliance
3. Security Benefits
4. Summary
Cloud Computing – Key Drivers
Lowered cost of ownership:
• Lower capital expenditure
• Pay for what you use
• Repair & maintenance savings
• Software and license purchase savings
• Physical space savings
Efficiency of resources:
• Cloud computing virtualization technology can increase the utilization percentage of resources owing to time sharing
• Reduces companies' consumption of energy and need for multiple data centers
Increased business agility:
• Highly automated - easy/fast to deploy
• Ability to combine & create customized services instantly
• Scalable services and applications
• Collaborating/sharing made easier between disparate offices, remote workers, and suppliers
Disaster recovery capabilities:
• Resilience achieved through ultra-redundant architecture
• Potential as inexpensive, virtual disaster recovery solution
Information ubiquity:
• Computing delivered as a borderless utility — applications live in a variety of locations, data flows cross geographic boundaries, allowing ease of access to data
• Accessibility from anywhere via Internet
• 24X7 availability to applications & services from anywhere
[Diagram: Drivers, with five segments: Increased efficiency of resources, Increased business agility, Lowered cost of ownership, Better disaster recovery capabilities, Information ubiquity]
2.1 Security Architectures
Architectural Approaches
• System life-cycle processes
• Support stability / flexibility
• Strategic
• Convey understanding of security controls
• Qualities
• Manage complexity
• Relationship to wider IT architecture
What are the benefits of using architectural principles when implementing systems?
TOGAF 9.2 – Areas of concern for the security architect: Authentication, Authorisation, Administration, Risk Management, Audit, Asset Protection, Assurance, Availability
http://pubs.opengroup.org/architecture/togaf9-doc/arch/index.html
2.1 Security Architectures
TOGAF 9.2
Authentication: The substantiation of the identity of a person or entity related to the enterprise or system in some way.
Authorization: The definition and enforcement of permitted capabilities for a person or entity whose identity has been established.
Audit: The ability to provide forensic data attesting that the systems have been used in accordance with stated security policies.
Assurance: The ability to test and prove that the enterprise architecture has the security attributes required to uphold the stated security policies.
Availability: The ability of the enterprise to function without service interruption or depletion despite abnormal or malicious events.
Asset Protection: The protection of information assets from loss or unintended disclosure, and resources from unauthorized and unintended use.
Administration: The ability to add and change security policies, add or change how policies are implemented in the enterprise, and add or change the persons or entities related to the systems.
Risk Management: The organization's attitude and tolerance for risk. (This risk management is different from the special definition found in financial markets and insurance institutions that have formal risk management departments.)
See http://pubs.opengroup.org/architecture/togaf9-doc/arch/
2.1 Security Architectures
Other Security Architectures & Models
System Security Engineering Capability Maturity Model (SSE-CMM)
• This is an adaptation of the Capability Maturity Model (CMM) from Carnegie Mellon University
• Highlights the importance of security across all aspects of systems engineering
• The international standard ISO/IEC 21827 is based on SSE-CMM
http://standards.iso.org/ittf/PubliclyAvailableStandards/index.html
2.1 Security Architectures
Other Security Architectures & Models
ISO 27001 – ISO 27006
• This is a series of international standards for information security
European Network and Information Security Agency (ENISA)
• Have published a number of important documents regarding cloud computing and security issues relating to cloud computing
• http://www.bluesource.net/2017/05/12/how-will-the-gdpr-affect-security-in-cloud-computing/
• https://www.itgovernance.eu/blog/en/expert-qa-gdpr-and-cloud-computing/
https://www.enisa.europa.eu/news/enisa-news/enisastudy-on-the-security-aspects-of-virtualization
https://www.enisa.europa.eu/topics/cloud-and-bigdata/secure-use-of-cloud-computing-in-the-financesector-annexes/view
IBM https://www.ibm.com/developerworks/rational/library/enterprise-architecture-financialsector/index.html
2.1 Security Architectures
Other Security Architectures & Models
National Institute of Standards and Technology (NIST)
Numerous documents:
• Minimum Security Requirements for Federal Information and Information Systems
• Information Security Handbook: A Guide for Managers
2.1 Security Architectures
Cloud Computing Reference Models
Cloud Security Alliance (CSA)
• TCI (Trusted Cloud Initiative) Reference Architecture
• Draws on other references and sources such as TOGAF, the Jericho Forum etc.
https://cloudsecurityalliance.org/
• Security Guidance for Critical Areas of Focus in Cloud Computing v4.0
See https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf
2.2 The Jericho Forum
‘De-perimeterisation is simply the concept of architecting security for the extended business boundary and not an arbitrary IT boundary.’
[Business rationale for de-perimeterisation, The Jericho Forum]
DE-PERIMETERISE!!!!
See https://collaboration.opengroup.org/jericho/Business_Case_for_DP_v1.0.pdf
2.2 The Jericho Forum
De-Perimeterisation
A de-perimeterised future?
Today there are key indicators that every organisation will be seeing within their business that indicate a de-perimeterised future:
• The increasing mismatch of the (legal) business border and the network perimeter as business becomes more integrated and their relationships less clear
• Business demanding to interconnect systems directly where B2B relationships exist
• The need to have good network connectivity and access to all organisations with whom you have a business relationship
• Distributed/shared applications across business relationships
• Increasing number of applications using technology that bypasses firewall security at the perimeter (typically using Web-based techniques that can legitimately traverse the perimeter)
• Increasing inability of traditional firewall and other network perimeter controls to combat malware that uses Web and e-Mail based techniques
[Business rationale for de-perimeterisation, The Jericho Forum]
2.2 The Jericho Forum
The Cloud Cube Model & SOA (Service Virtualisation)
The Jericho Forum have published a document entitled ‘Cloud Cube Model: Selecting Cloud Formations for Secure Collaboration’
• Focused on enabling secure business collaboration using different cloud formations
The Jericho Forum promote a Collaboration Oriented Architecture
See https://collaboration.opengroup.org/jericho/COA_v2.0.pdf
2.2 The Jericho Forum
The Cloud Cube Model
• Outsourced/Insourced: Who is running your cloud?
• Internal/External: Where does the cloud exist?
• Perimeterised/De-perimeterised: Based on traditional IT perimeter security or COA?
• Proprietary/Open: How interoperable is the technology?
2.2 At a Glance
2.2 The Jericho Forum
Association with CSA
The Jericho Forum have collaborated on the development of the CSA Guidelines v3.0
Further collaboration activities
2.2 The STAR Initiative
The Cloud Security Alliance (CSA) launched the Security, Trust & Assurance Registry (STAR) initiative at the end of 2011. The CSA STAR is the first step in improving transparency and assurance in the cloud. The CSA Security, Trust & Assurance Registry (STAR) is a publicly accessible registry that documents the security controls provided by various cloud computing offerings, thereby helping users assess the security of cloud providers they currently use or are considering contracting with.
The objective and mission of CSA STAR are to improve trust in the cloud and ICT market by offering transparency and assurance. STAR aims to respond to the needs of different categories of cloud customers and providers, from those with a low risk profile and simple compliance requirements to organizations with a high-risk profile and complex governance structure.
2.2 The CCM – CSA Controls
The Cloud Security Alliance Cloud Controls Matrix (CCM) is specifically designed to provide fundamental security principles to guide cloud vendors and to assist prospective cloud customers in assessing the overall security risk of a cloud provider. The CSA CCM provides a controls framework that gives detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains.
The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations, and controls frameworks such as the ISO 27001/27002, ISACA COBIT (Control Objectives for Information and Related Technologies), PCI, NIST, Jericho Forum and NERC CIP and will augment or provide internal control direction for service organization control reports attestations provided by cloud providers. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry.
2.2 The Jericho Forum & CSA
CSA Reference Architecture
TCI Reference Architecture Model
2.2 The Jericho Forum
CSA Reference Architecture
https://securityintelligence.com/choosing-theright-security-framework-to-fit-your-business/
https://cloudsecurityalliance.org/research/
Regulatory and compliance requirements are not optional
Multi-Tier Cloud Security Framework is an addition to the growing list of Regulatory requirements related to Cloud Computing
• Canada (Federal/Provincial): PIPEDA, FOIPPA, PIPA
• European Union: EU Data Protection Directive and Member States Data Protection Laws
• U.S. Federal: GLBA, HIPAA, COPPA, Do Not Call, Safe Harbor, Red Flags
• Numerous State Laws: Breach Notification, 39 States from CA to NY
• South Korea: Act on Promotion of Information and Communications Network Utilization and Data Protection
• Japan: Personal Information Protection Act
• Hong Kong: Personal Data Privacy Ordinance
• Taiwan: Computer-Processed Personal Data Protection Law
• Chile: Law for the Protection of Private Life
• Philippines: Data Privacy Law proposed by ITECC
• Argentina: Personal Data Protection Law, Confidentiality of Information Law
• New Zealand: Privacy Act
• South Africa: Electronic Communications and Transactions Act
• India: Law pending currently under discussion
• Australia: Federal Privacy Amendment Bill; State Privacy Bills in Victoria, New South Wales and Queensland, new email spam and privacy regulations
Cross Certification Framework (CCF)
1. Information Security Management
2. Human Resources
3. Risk Management
4. Third Party
5. Legal & Compliance
6. Incident Management
7. Data Governance
8. Audit Logging & monitoring
9. Security Configuration
10. Security Testing & monitoring
11. System Acquisition & Development
12. Encryption
13. Physical & Environmental Security
14. Operations
15. Change Management
16. BCP & DR
17. Cloud services Administration
18. Cloud User Access
19. Tenancy & Customer Isolation
20. Disclosure

1. Compliance
2. Data Governance
3. Facility Security
4. Human Resources Security
5. Information Security
6. Legal
7. Operations Management
8. Risk Management
9. Release Management
10. Resiliency
11. Security Architecture

• Gap analysis of MTCS against ISO27k & CSA
• Details of the additional steps that CSPs must take to get MTCS when they already have ISO27k or CSA OCF

1. Security Policy
2. Organization
3. Asset Management
4. Human Resource Security
5. Physical Security
6. Communications & Operations Management
7. Information Systems Development
8. Access Control
9. Incident Management
10. Business Continuity
11. Compliance

• Certification Renewal, Maintenance & Revocation
• Deployment plan – phased approach, pilots, grandfathering, exemptions etc.
2.3 Security Benefits
Let’s have a look at ENISA
http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/cloud-computing
2.4 Summary
Security Architectures
The Jericho Forum & CSA
Security Benefits