Security in Smart City Implementation: Infrastructure and People
David Shearer (ISC)2 Chief Executive Officer
dshearer@isc2.org | www.isc2.org
© Copyright 1989 – 2016, (ISC)2 All Rights Reserved
Stakeholders Involved in Shaping a City
• Political Leaders, Managers and Operators of the Local Government
• The Service Operators – public or private: Communication, Electricity, Education, Transport, Water, Waste, etc.
• Investors: Private Banks, Venture Capitalists, Pension Funds, International Banks
• Solution Providers: Technology Providers, Financiers and Investors
• End users and ‘Prosumers’: Inhabitants and Local Business Representatives
Source: International Electrotechnical Commission- Orchestrating infrastructure for Sustainable Smart Cities
Operating Systems for City Infrastructure
» Smart cities are enabled by recent advances in key technologies:
• Pervasive sensor networks
• Low-cost communications
• Software-as-a-Service
» Pain points are waiting to be solved…
Source: International Electrotechnical Commission- Orchestrating infrastructure for sustainable Smart Cities
Importance of Standards in Smart City
» Cloud is a crucial part of any smart city
» Web-services over cloud
» A portal server can allow for the creation of unified, even if personalized, user interfaces, taking into account individual settings such as language
» Who is managing the ‘Portal’ & the web service?
One portal server structure, integrating systems using standards from IEC, ISO, JTC1, ITU-T
Source: International Electrotechnical Commission- Orchestrating infrastructure for sustainable Smart Cities
Cloud in a Smart City
• Awareness: Understanding current cloud usage within an organization and/or a city
• Opportunism: Identifying strong cloud adoption opportunities (From ‘Cloud First’ to ‘Cloud-First Security-Now’ Policy)
• Strategy: Building cloud adoption program - architecture, frameworks, business alignment and IT skill sets
• Capacity Building: Assessment of own enterprises’ needs for capacity building and training in cloud computing-related areas
(ISC)² Global Information Security Workforce Study
https://www.isc2cares.org/uploadedFiles/wwwisc2caresorg/Content/GISWS/FrostSullivan-(ISC)%C2%B2-Global-Information-Security-Workforce-Study-2015.pdf
Not a Question of if, But How Much
Source: 2015 (ISC)² Global Information Security Workforce Study – A Frost and Sullivan Market Study
Most respondents made cloud a priority for their organizations and continue to do so over the next two years.
Prevalence of Cloud Models: SaaS, PaaS, IaaS
Source: 2015 (ISC)² Global Information Security Workforce Study – A Frost and Sullivan Market Study
[Chart: prevalence of Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS), in %, for Worldwide, APAC, Australia, Hong Kong, India, Japan, Singapore and South Korea]
Cloud Adoption Barriers
Source: 2015 Cloud Security Spotlight Report
Security is still the biggest perceived barrier to further cloud adoption. Nine out of ten organizations are very or moderately concerned about public cloud security.
Security Concerns in Public Clouds
Source: 2015 Cloud Security Spotlight Report
CSA “Notorious 9 Security Threats”
[Chart: percentages by threat category (Data loss, Account Hijacking, Malicious Insiders, Insufficient Due Diligence, Insecure APIs, Denial of Service, Abuse and Nefarious Use) for Worldwide, APAC and Singapore]
Source: 2015 (ISC)² Global Information Security Workforce Study – A Frost and Sullivan Market Study
Elevating Cloud Assurance
Strong data encryption is the top overall choice for elevating cloud information assurance among APAC countries. Singapore respondents see adopting security governance as a way of elevating information assurance in the cloud.
[Chart: percentages by measure (Strong encryption of data, Continuous monitoring, Incorporating security into software design and implementation, Adopting security governance, Implementing identity based network solutions, Employ Role Based Access Controls (RBAC)) for Worldwide, APAC and Singapore]
Source: 2015 (ISC)² Global Information Security Workforce Study – A Frost and Sullivan Market Study
Demand for Training and Education
In most areas in the APAC region, including Singapore, cloud computing is the area requiring the most training and education; however, in Australia, training in BYOD and incident response ranked a close second.
Base: Filtered respondents (n=7,985).
[Chart: percentages by training area (Cloud computing, Bring-your-own-device (BYOD), Incident response, Information risk management, Mobile device management, Forensics, Applications and system development security, Access control systems and methodology, End-user security awareness, Security management, Security architecture and models) for Worldwide, APAC, Australia, Hong Kong, India, Japan, Singapore and South Korea]
Industry Needs…
• Professionals who understand and can apply effective security measures to cloud environments
• A reliable indicator of overall competency in cloud security
• Roadmap and career path into cloud security
• Common global understanding of professional knowledge and best practices in the design, implementation and management of cloud computing systems.
Credentials for Industry Best Practices
CCSP: Deeper, advanced experience-based cloud security knowledge
CCSK: Broad, Foundational, Baseline Knowledge
Cloud in the Future
Adoption of cloud-based cybersecurity services
• Entrust a broadening range of critical services to the cloud, including real-time monitoring and analytics, advanced authentication and identity and access management
Adoption of DevOps to DevSecOps
• Ensure security controls are applied and implemented as part of development before operational acceptance.
• The importance of ‘bolted-in’ secure software development for cloud-based operations
Wide use of SaaS covering any cloud service where consumers are able to access software applications over the internet anywhere, anytime.
• These applications are hosted in the cloud and can be used for a wide range of tasks for both individuals and organizations
Properly assess the overall security risk
Cloud providers need the expertise to also ensure their services meet certain security requirements
Understand how cloud is changing information security best practices
Mandate
© Copyright 1996-2015. (ISC)², Inc. All rights reserved.