Oulu University Secure Programming Group

Pilvipalveluiden tietoturvan standardisointi

Juha Röning

Juha.Roning@oulu.fi

Oulu University Secure Programming Group

Sisältö

Standardien kirjo

Pilvipalveluiden standardit

Seurattavat standardit

Standardit ja CSA Cloud Controls Matriisi

Cloud Software –tutkimus Suomessa

Oulu University Secure Programming Group

Standardit

• Teknologiastandardit

• ISO 27001

• Säädökset

• Tietosuojalainsäädäntö (EU, kansallinen)

• PCI-DSS

• Payment Card Industry Security Standards Council

• HIPAA (US)

• The Health Insurance Portability and Accountability Act of 1996

• FedRamp (US)

• The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.

Oulu University Secure Programming Group

Pilven standardoijat

Oulu University Secure Programming Group

Teemoja

• Virtualisoinnin tuomat uhat

• Jaetut resurssit, CPU/verkko, vuodot

• Yksityisyys

• Tiedon sijainti, salaaminen, palvelun yksityisyyspolitiikka

• Identiteetin hallinta

Standardisointiprosessi: ETSI

Stage 0 – Validate need for standardisation

Stage 1 – Requirements and objectives

Stage 2 – Information model

Stage 3 – Detailed data and protocol model

Stage 4 – Testing and validation

Deploy the standard

Standardisointiprosessi: IETF

From RFC 2026, section 1.2:

In outline, the process of creating an Internet Standard is straightforward: a specification undergoes a period of development and several iterations of review by the Internet community and revision based upon experience, is adopted as a Standard by the appropriate body... and is published. In practice, the process is more complicated, due to (1) the difficulty of creating specifications of high technical quality; (2) the need to consider the interests of all of the affected parties; (3) the importance of establishing widespread community consensus; and (4) the difficulty of evaluating the utility of a particular specification for the Internet community.

Oulu University Secure Programming Group

Tärkeimmät

• ITU

• SG13, SG17

• ISO

• SC38, SC27

• NIST

• the National Institute of Standards and Technology: mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.

• OASIS

• Organization for the Advancement of Structured Information Standards: is a non-profit consortium that drives the development, convergence and adoption of open standards for the global information society.

• IETF

• “Internet Engineering Task Force; make the Internet work better from an engineering point of view”

Oulu University Secure Programming Group

“Tärkeimmät” money talks

• Cloud Security Alliance

• The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.

• ODCA

• The Open Data Center Alliance is working actively to shape the future of cloud computing — a future based on open, interoperable standards.

Oulu University Secure Programming Group

ITU-T ja ISO standardisointeja

• ITU-T SG13

• Q26: Cloud computing ecosystem, intercloud and general requirements

• Q27 Cloud functional architecture, infrastructure and networking

• Q28 Cloud computing resource management and virtualization

• ISO SC38

• WG3 Cloud Computing, Cloud computing reference architecture and vocabulary

Oulu University Secure Programming Group

ITU-T ja ISO standardisointeja

• ITU-T SG17 -Security

• Work to build confidence and security in the use of information and communication technologies (ICTs) continues to intensify in a bid to facilitate more secure network infrastructure, services and applications. Over seventy standards (ITU-T Recommendations) focusing on security have been published.

• ITU-T Study Group 17 (SG17) coordinates security-related work across all ITU-T Study Groups. Often working in cooperation with other standards development organizations (SDOs) and various ICT industry consortia, SG17 deals with a broad range of standardization issues.

• To give a few examples, SG17 is currently working on cybersecurity; security management; security architectures and frameworks; countering spam; identity management; the protection of personally identifiable information; and the security of applications and services for the Internet of Things (IoT), smart grid, smartphones, web services, social networks, cloud computing, mobile financial systems, IPTV and telebiometrics.

Oulu University Secure Programming Group

ITU-T ja ISO standardisointeja

• ISO/IEC JTC 1/SC 27

• WG 1 Information security management systems

• WG 2 Cryptography and security mechanisms

• WG 3 Security evaluation, testing and specification

• WG 4 Security controls and services

• WG 5 Identity management and privacy technologies

Oulu University Secure Programming Group

ITU Cloud Security reference architecture

Oulu University Secure Programming Group

Cloud Security Alliance

• Cloud Controls Matrix

• Trusted Cloud Infrastructure

• Security as a Service

• Cloud Trust Protocol

• Guidance Document

Oulu University Secure Programming Group

Seurattavia standardeja pilven käyttäjille

• ISO

• Controls for Cloud Computing security

• Additional controls for ISO 27001 certification

• Implementation guidance (27002 päälle)

• Supply chain guidance

• Secure Storage (ISO 27040)

• ITU

• Cloud Security Framework

Oulu University Secure Programming Group

Seurattavia standardeja

• NIST 800-144

• The purpose of this document is to provide an overview of public cloud computing and the security and privacy challenges involved.

• ENISA

• Cloud Security guide, uusi versio SME-fokuksella

• ISAE 3402

• in-depth audit of a third-party service organization (transparency and trust)

• http://aws.amazon.com/compliance/

• https://support.google.com/a/bin/answer.py?hl=en&answer=60762

Oulu University Secure Programming Group

Cloud security guide: TOP SECURITY RISKS

• LOSS OF GOVERNANCE

• LOCK-IN

• ISOLATION FAILURE

• COMPLIANCE RISKS

• MANAGEMENT INTERFACE COMPROMISE:

• DATA PROTECTION

• INSECURE OR INCOMPLETE DATA DELETION:

• MALICIOUS INSIDER

Oulu University Secure Programming Group

Cloud Controls Matrix

Oulu University Secure Programming Group

ISO

Oulu University Secure Programming Group

Cloud Software

• Turvallisuus ketterässä tuotteenhallinnassa

• Riskinhallinta

• Yksityisyyden suoja

• Rajapintatestaus

• Organisaatioiden välinen luottamus

Oulu University Secure Programming Group

Generic Security User stories

• Pienemmillä organisaatioilla ei välttämättä ole käytössä tietoturva-asiantuntijaa

• Tapa löytää tietoturvavaatimuksia ja ratkaisuja

• Antti Vähä-Sipilä and Camillo Särs / F-Secure

Oulu University Secure Programming Group

Oulu University Secure Programming Group

Rajapintatestaus

• Radamsa-työkalu ohjelmistojen toimintavarmuuden testaamiseen

• Selain on erityisen kriittinen pilvipalveluissa

• Yli sata haavoittuvuutta löydetty ja korjattu