
Cloud Security & Privacy Standard Slide



Cloud Security & Privacy Standard by ACinfotec

Published in: Technology


  1. BESTT Group Meeting. Best practice: protecting security & privacy on the cloud (public release). Cloud Security & Privacy + Security Landscape of 2017. Topics: Security, Privacy, Audit.
  2. © ACinfotec 2017 | www.acinfotec.com. Agenda: Security landscape of 2017 and beyond; Best practice for securing the cloud; Best practice for protecting privacy in the cloud; Cloud assurance & audit; Key takeaway.
  3. WEFORUM: Global Risk Landscape 2016. Cyber attacks are among the Top 10 risks. Source: The Global Risk Landscape 2016, World Economic Forum.
  4. Summary of the 2017 Cyber Threat Landscape: advanced threats targeting the cloud; evolution of ransomware, changing data and destroying backups; GDPR compliance approaching; increased demand for cyber insurance; shadow IT; cyber espionage and warfare; dronejacking; IoT malware; hacktivists exposing privacy issues.
  5. 2017 Cyber Security Trends in Thailand: improvement of cyber security regulations; more demand for cyber security skills; attackers will target consumers; attackers will become bolder, more commercial and less traceable; breaches will get more complicated and harder to beat.
  6. Cloud Computing Risks
  7. Sensitive Data in the Cloud. Source: Cloud Adoption & Risk Report Q4/2015 by Skyhigh
  8. Cloud Services Lack Basic Security Features. Source: Cloud Adoption & Risk Report Q1/2014 by Skyhigh
  9. CSA Top Threats: The Notorious Nine: 1. Data Breaches; 2. Data Loss; 3. Account Hijacking; 4. Insecure APIs; 5. Denial of Service; 6. Malicious Insiders; 7. Abuse of Cloud Services; 8. Insufficient Due Diligence; 9. Shared Technology Issues. Source: https://cloudsecurityalliance.org/group/top-threats/
  10. Best Practice for Securing the Cloud
  11. CSA Cloud Controls Matrix (CCM): a guideline for implementing security controls in the cloud. Controls derived from CSA guidance; mapped to familiar frameworks (ISO 27001, PCI, COBIT); applicable to IaaS, PaaS and SaaS; distinguishes customer and provider roles; helps bridge the gap between IT and IT auditors.
  12. CCM v3.0.1 Details
  13. Consensus Assessments Initiative Questionnaire (CAIQ): a self-assessment questionnaire that can be used to assess cloud security. The latest version is v3.0.1, covering 16 governing & operating domains aligned with the CCM (https://cloudsecurityalliance.org/group/consensus-assessments/). It is the main mechanism for being listed in the CSA STAR registry (see later slide).
  14. Security Guidance for Critical Areas of Focus in Cloud Computing V3.0. Source: https://cloudsecurityalliance.org/download/security-guidance-for-critical-areas-of-focus-in-cloud-computing-v3/
  15. Cloud Computing Controls: Other Potential Standards
  16. NIST SP 800-144, Guidelines on Security and Privacy in Public Cloud Computing. Source: http://csrc.nist.gov/publications/nistpubs/800-144/SP800-144.pdf
  17. NIST SP 800-144: Security and Privacy Issues and Recommendations
  18. NIST SP 800-144: 9 domains, 80+ pages
  19. ISO 27017 Cloud Security: code of practice for information security controls based on ISO/IEC 27002 for cloud services. A cloud-specific ISO standard; provides the necessary guidance on information security controls for the cloud; supplemental to ISO 27001, ISO 27002 and ISO 27018; can be used by both cloud customers and cloud providers.
  20. Introducing ISO 27017. The objectives of this International Standard are to provide a security control framework and implementation guidance for both cloud service customers and cloud service providers. The guidelines of this International Standard include identification of risks and associated controls for the use of cloud services. Structure: (a) ISO 27017 controls based on ISO 27002, giving specific guidance for cloud service customers and cloud service providers for each ISO 27002 control; (b) ISO 27017 Annex A, an extended control set for securing the cloud.
  21. ISO 27017 Cloud Security: specific guidance for the cloud, based on the ISO 27002 controls.
  22. ISO 27017 Cloud Security: extended control set for securing the cloud (ISO 27017 Annex A).
  23. ISO 27017 Cloud Security: guidance on security risks related to cloud computing (ISO 27017 Annex B).
  24. Best Practice for Protecting Privacy in the Cloud
  25. ISO 27018 Public Cloud Privacy: code of practice for protection of PII in public clouds acting as PII processors. Published in August 2014; a cloud-specific ISO standard; based on the privacy principles defined in ISO 29100; governs how users' personally identifiable information (PII) should be protected by cloud providers; supplemental to ISO 27001 and ISO 27002.
  26. Introducing ISO 27018. Typically an organization implementing ISO/IEC 27001 is protecting its own information assets. However, in the context of PII protection requirements for a public cloud service provider acting as a PII processor, the organization is protecting the information assets entrusted to it by its customers. Structure: (a) ISO 27018 controls based on ISO 27002, giving specific guidance for protecting PII for each ISO 27002 control; (b) ISO 27018 Annex A, additional controls for protecting PII based on the ISO 29100 principles.
  27. ISO 27018 Public Cloud Privacy: specific guidance for privacy in the cloud, based on the ISO 27002 controls.
  28. ISO 27018 Public Cloud Privacy: additional controls based on the ISO 29100 principles (ISO 27018 Annex A).
  29. Cloud Computing Assurance & Audit
  30. CSA STAR (Security, Trust and Assurance Registry). Source: www.cloudsecurityalliance.org/star
  31. What is CSA STAR? A public and free registry of cloud provider self-assessments, demonstrating adoption of the Cloud Controls Matrix (CCM) and the Consensus Assessments Initiative Questionnaire (CAIQ). Promotes transparency; free-market competition to provide quality assessment; available since October 2011.
  32. CSA STAR: What's On
  33. CSA STAR: What's On
  34. CSA STAR Listing Process, Level 1 (Self-Assessment): the cloud provider fills out the CAIQ or customizes the CCM; uploads the document at the CSA STAR website; CSA performs basic verification; CSA digitally signs the document and posts it at STAR. Free of charge; listings expire after 1 year.
  35. CSA STAR Certification, Level 2 (Certification): based on ISO 27001:2013 with the CSA CCM as additional or compensating controls; measures the capability levels of the cloud service provider; evaluates the efficiency of an organization's ISMS and ensures the scope, processes and objectives are "fit for purpose"; based on the PDCA model.
  36. CSA STAR Certification: a STAR Certification certificate cannot be issued unless the organization has achieved ISO 27001 certification; the scope of the ISO 27001 certification must not be less than the scope of the STAR certification; the assessment cycle is the same as for ISO 27001, an initial assessment followed by surveillance audits over a 3-year period.
  37. Certifications of Leading Cloud Service Providers
  38. Certifications of Leading Cloud Service Providers
  39. Certifications of Leading Cloud Service Providers
  40. Can You Perform a Pentest on the Cloud?
  41. How Certified Cloud Services Help You
  42. Key Takeaway: Securing the Cloud. Operations: encrypt data when possible and segregate key management from the cloud provider; adopt a secure software development lifecycle; understand the provider's patching, provisioning and protection; logging, data exfiltration controls and granular customer segregation; hardened VM images; assess the provider's identity management integration, e.g. SAML, OpenID. Governance: secure the cloud engagement before procurement (contracts, SLAs, architecture); know the provider's BCM/DR, financial viability and employee screening; identify data location when possible; plan for provider termination and return of assets; preserve the right to audit; reinvest provider cost savings into due diligence.
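The first Operations item on the Key Takeaway slide, encrypting data while keeping key management away from the provider, is in practice client-side envelope encryption: each object gets its own data key, and only a wrapped copy of that key travels with the object, so the provider stores nothing it can open on its own. The Go program below is an added example written for this page; it is not code from ACinfotec or from any cloud provider SDK. The KEK label `kek-2017-01`, the object names and the sample record are constructed for illustration, and the KEK is generated in memory where a real deployment would hold it in a customer HSM or on-premises KMS.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// EncryptedObject is the only thing handed to the cloud provider: the ciphertext plus the
// per-object data key (DEK) wrapped under the customer's key-encryption key (KEK). The KEK
// itself stays in customer-controlled key storage and is never uploaded.
type EncryptedObject struct {
	KEKID      string // label of the customer KEK used (naming scheme assumed for this example)
	WrapNonce  []byte // AES-GCM nonce used when wrapping the DEK
	WrappedDEK []byte // DEK sealed under the KEK, tag appended
	DataNonce  []byte // AES-GCM nonce used for the object body
	Ciphertext []byte // object body sealed under the DEK, tag appended
}

// NewKey returns a random 256-bit AES key; used for the KEK and for each DEK.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, k)
	return k, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any key that is not 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with a fresh random 96-bit nonce and binds aad to the
// result; a fresh DEK per object keeps the number of nonces ever used under one DEK at one.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, aead.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, aead.Seal(nil, nonce, plaintext, aad), nil
}

// open is the inverse of seal; GCM fails closed on a wrong key or any tampering.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return aead.Open(nil, nonce, ct, aad)
}

// Encrypt performs envelope encryption on the client before upload: fresh DEK per object,
// body sealed under the DEK, DEK sealed under the KEK. objectName and kekID are bound as
// associated data so a body or wrapped key cannot be moved to a different object.
func Encrypt(kek []byte, kekID, objectName string, plaintext []byte) (*EncryptedObject, error) {
	dek, err := NewKey()
	if err != nil {
		return nil, err
	}
	dataNonce, ct, err := seal(dek, plaintext, []byte(objectName))
	if err != nil {
		return nil, err
	}
	wrapNonce, wrapped, err := seal(kek, dek, []byte(kekID+"|"+objectName))
	if err != nil {
		return nil, err
	}
	return &EncryptedObject{KEKID: kekID, WrapNonce: wrapNonce, WrappedDEK: wrapped,
		DataNonce: dataNonce, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the customer's KEK, then opens the body.
func Decrypt(kek []byte, objectName string, obj *EncryptedObject) ([]byte, error) {
	dek, err := open(kek, obj.WrapNonce, obj.WrappedDEK, []byte(obj.KEKID+"|"+objectName))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := open(dek, obj.DataNonce, obj.Ciphertext, []byte(objectName))
	if err != nil {
		return nil, fmt.Errorf("open body: %w", err)
	}
	return pt, nil
}

func main() {
	kek, _ := NewKey() // production: generated and held in a customer HSM/KMS, never uploaded
	obj, _ := Encrypt(kek, "kek-2017-01", "tenant-a/records/42.json", []byte("constructed PII record 42"))
	pt, err := Decrypt(kek, "tenant-a/records/42.json", obj)
	fmt.Printf("decrypted=%q err=%v\n", pt, err)
}
```

Binding the object name and KEK label as associated data means a ciphertext or wrapped key copied to another object fails to open; a wrong KEK, a renamed object and a flipped ciphertext bit all surface as errors from Decrypt rather than as garbage plaintext. Two caveats for a real deployment: the KEK wraps many DEKs under random 96-bit nonces, so rotate it (a new KEKID) well before the 2^32-operation bound that random-nonce AES-GCM carries, or wrap DEKs with a dedicated key-wrap mode; and if the goal is to segregate key management from the provider, the KEK must live outside the provider's own key service, otherwise the provider can still unwrap every DEK.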
  43. For more information, contact: ACinfotec Consulting Services, 02-670-8980-3 | services@acinfotec.com | www.acinfotec.com. THANK YOU. DRIVING BUSINESS EXCELLENCE.
