Oulu University Secure Programming Group
Standardization of cloud service security
Juha Röning
Contents
The range of standards
Cloud service standards
Standards to follow
Standards and the CSA Cloud Controls Matrix
Cloud Software research in Finland
Standards
• Technology standards
• ISO 27001
• Regulations
• Data protection legislation (EU, national)
• PCI-DSS
• Payment Card Industry Security Standards Council
• HIPAA (US)
• The Health Insurance Portability and Accountability Act of 1996
• FedRamp (US)
• The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services.
Cloud standardizers
Themes
• Threats introduced by virtualization
• Shared resources, CPU/network, leaks
• Privacy
• Data location, encryption, the service's privacy policy
• Identity management
Standardization process: ETSI
Stage 0 – Validate need for standardisation
Stage 1 – Requirements and objectives
Stage 2 – Information model
Stage 3 – Detailed data and protocol model
Stage 4 – Testing and validation
Deploy the standard
Standardization process: IETF
From RFC 2026, section 1.2:
In outline, the process of creating an Internet Standard is straightforward: a specification undergoes a period of development and several iterations of review by the Internet community and revision based upon experience, is adopted as a Standard by the appropriate body... and is published. In practice, the process is more complicated, due to (1) the difficulty of creating specifications of high technical quality; (2) the need to consider the interests of all of the affected parties; (3) the importance of establishing widespread community consensus; and (4) the difficulty of evaluating the utility of a particular specification for the Internet community.
The most important
• ITU
• SG13, SG17
• ISO
• SC38, SC27
• NIST
• The National Institute of Standards and Technology; its mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life.
• OASIS
• Organization for the Advancement of Structured Information Standards: is a non-profit consortium that drives the development, convergence and adoption of open standards for the global information society.
• IETF
• “Internet Engineering Task Force; make the Internet work better from an engineering point of view”
“Most important”: money talks
• Cloud Security Alliance
• The Cloud Security Alliance (CSA) is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders.
• ODCA
• The Open Data Center Alliance is working actively to shape the future of cloud computing — a future based on open, interoperable standards.
ITU-T and ISO standardization work
• ITU-T SG13
• Q26: Cloud computing ecosystem, intercloud and general requirements
• Q27: Cloud functional architecture, infrastructure and networking
• Q28: Cloud computing resource management and virtualization
• ISO SC38
• WG3 Cloud Computing, Cloud computing reference architecture and vocabulary
ITU-T and ISO standardization work
• ITU-T SG17: Security
• Work to build confidence and security in the use of information and communication technologies (ICTs) continues to intensify in a bid to facilitate more secure network infrastructure, services and applications. Over seventy standards (ITU-T Recommendations) focusing on security have been published.
• ITU-T Study Group 17 (SG17) coordinates security-related work across all ITU-T Study Groups. Often working in cooperation with other standards development organizations (SDOs) and various ICT industry consortia, SG17 deals with a broad range of standardization issues.
• To give a few examples, SG17 is currently working on cybersecurity; security management; security architectures and frameworks; countering spam; identity management; the protection of personally identifiable information; and the security of applications and services for the Internet of Things (IoT), smart grid, smartphones, web services, social networks, cloud computing, mobile financial systems, IPTV and telebiometrics.
ITU-T and ISO standardization work
• ISO/IEC JTC 1/SC 27
• WG 1 Information security management systems
• WG 2 Cryptography and security mechanisms
• WG 3 Security evaluation, testing and specification
• WG 4 Security controls and services
• WG 5 Identity management and privacy technologies
ITU Cloud Security reference architecture
Cloud Security Alliance
• Cloud Controls Matrix
• Trusted Cloud Infrastructure
• Security as a Service
• Cloud Trust Protocol
• Guidance Document
Standards for cloud users to follow
• ISO
• Controls for Cloud Computing security
• Additional controls for ISO 27001 certification
• Implementation guidance (on top of 27002)
• Supply chain guidance
• Secure Storage (ISO 27040)
• ITU
• Cloud Security Framework
Standards to follow
• NIST 800-144
• The purpose of this document is to provide an overview of public cloud computing and the security and privacy challenges involved.
• ENISA
• Cloud Security guide, new version with an SME focus
• ISAE 3402
• in-depth audit of a third-party service organization (transparency and trust)
• http://aws.amazon.com/compliance/
• https://support.google.com/a/bin/answer.py?hl=en&answer=60762
Cloud security guide: TOP SECURITY RISKS
• LOSS OF GOVERNANCE
• LOCK-IN
• ISOLATION FAILURE
• COMPLIANCE RISKS
• MANAGEMENT INTERFACE COMPROMISE
• DATA PROTECTION
• INSECURE OR INCOMPLETE DATA DELETION
• MALICIOUS INSIDER
Cloud Controls Matrix
ISO
Cloud Software
• Security in agile product management
• Risk management
• Privacy protection
• Interface testing
• Trust between organizations
Generic security user stories
• Smaller organizations do not necessarily have a security expert available
• A way to find security requirements and solutions
• Antti Vähä-Sipilä and Camillo Särs / F-Secure
Interface testing
• The Radamsa tool for testing software robustness
• The browser is especially critical in cloud services
• Over a hundred vulnerabilities found and fixed
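As an added example (not part of the original slides, and not Radamsa itself), the following Python sketch shows the kind of robustness test the slide refers to: a small Radamsa-style mutation fuzzer run against a toy record parser. The parser, its `key=value;...` format, the seed inputs, the mutation operators and the `ParseError` contract are all constructed for this illustration. The weak parser trusts its input and leaks raw exceptions; the hardened variant rejects every malformed input with one defined error, which is the property the fuzz loop checks.

```python
import random
import re


class ParseError(ValueError):
    """Constructed contract: the only exception a well-behaved parser may raise.
    Any other exception escaping the parser is a robustness bug."""


def parse_weak(data: bytes) -> dict:
    """Trusting parser for 'key=value;...' records (constructed, deliberately fragile).

    Every step below can raise an undefined exception on hostile input:
    UnicodeDecodeError, ValueError, KeyError or IndexError.
    """
    text = data.decode("ascii")
    fields = {}
    for pair in text.split(";"):
        key, value = pair.split("=")            # unpack fails on '', 'a', 'a=b=c'
        fields[key] = value
    count = int(fields["count"])                # KeyError / ValueError
    items = fields["items"].split(",")
    return {"name": fields["name"], "items": items[:count], "last": items[count - 1]}


def parse_hardened(data: bytes) -> dict:
    """Same format, but every malformed input is rejected with ParseError."""
    try:
        text = data.decode("ascii")
    except UnicodeDecodeError as exc:
        raise ParseError("non-ASCII byte in record") from exc
    fields = {}
    for pair in text.split(";"):
        if pair.count("=") != 1:
            raise ParseError(f"malformed pair: {pair!r}")
        key, value = pair.split("=", 1)
        fields[key] = value
    for required in ("name", "count", "items"):
        if required not in fields:
            raise ParseError(f"missing field {required}")
    try:
        count = int(fields["count"])
    except ValueError as exc:
        raise ParseError("count is not an integer") from exc
    items = fields["items"].split(",") if fields["items"] else []
    if not 0 <= count <= len(items):            # never trust a declared length
        raise ParseError("declared count does not match item list")
    last = items[count - 1] if count else None
    return {"name": fields["name"], "items": items[:count], "last": last}


# Constructed boundary values, the kind a mutation fuzzer substitutes for numbers.
BOUNDARY_NUMBERS = [b"0", b"-1", b"255", b"65536", b"4294967296", b"99999999999999999999"]


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One simplified Radamsa-style mutation: bit flip, byte insert/delete,
    chunk duplication, or replacing a decimal run with a boundary value."""
    buf = bytearray(data)
    op = rng.choice(("flip", "insert", "delete", "dup", "number"))
    if op == "flip" and buf:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    elif op == "insert":
        i = rng.randrange(len(buf) + 1)
        buf[i:i] = bytes([rng.randrange(256)])
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    elif op == "dup" and buf:
        a = rng.randrange(len(buf))
        b = rng.randrange(a + 1, len(buf) + 1)
        buf[b:b] = buf[a:b]
    elif op == "number":
        runs = list(re.finditer(rb"\d+", bytes(buf)))
        if runs:
            m = rng.choice(runs)
            buf[m.start():m.end()] = rng.choice(BOUNDARY_NUMBERS)
    return bytes(buf)


def fuzz(parser, seeds, iterations=2000, rng_seed=1):
    """Mutate the seeds and record every input on which the parser raised
    something other than ParseError. Returns a list of (input, exception name)."""
    rng = random.Random(rng_seed)               # seeded so runs are reproducible
    crashes = []
    for _ in range(iterations):
        data = rng.choice(seeds)
        for _ in range(rng.randint(1, 4)):
            data = mutate(data, rng)
        try:
            parser(data)
        except ParseError:
            continue                            # defined rejection: correct behaviour
        except Exception as exc:                # anything else is a finding
            crashes.append((data, type(exc).__name__))
    return crashes


# Constructed seed corpus: valid records the mutator starts from.
SEED_INPUTS = [b"name=alice;count=3;items=a,b,c", b"name=bob;count=1;items=x"]

if __name__ == "__main__":
    for parser in (parse_weak, parse_hardened):
        found = fuzz(parser, SEED_INPUTS)
        print(f"{parser.__name__}: {len(found)} undefined exceptions")
        for data, name in found[:3]:
            print(f"  {name} on {data!r}")
```

The loop restarts from a seed on every iteration, so inputs stay small and the run is deterministic for a given `rng_seed`; a real harness would additionally save each crashing input as a regression case, which is how the "found and fixed" count on the slide accumulates over time.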