Cloud Security & Privacy Standard Slide

BESTT Group Meeting
Best-practice: protecting security & privacy on the cloud
Public release
Security
Privacy
AuditCloud Security & Privacy
+ Security Landscape of 2017

© ACinfotec 2017 | www.acinfotec.com Page 2
Security landscape of 2017 and beyond
Best practice for securing the cloud
Best practice for for Protecting Privacy in the Cloud
Cloud assurance & audit
Agenda
Key takeaway

Source: The Global Risk Landscape 2016,
World Economic Forum
Cyber attacks are among Top 10 Risks
WEFORUM: Global Risk Landscape 2016

Summary of 2017 Cyber Threat Landscape
§ Advanced Threats Targeting the Cloud
§ Evolution of Ransomware: Changing Data and Destroying Backups
§ GDPR Compliance Approaching
§ Increased Demand for Cyber Insurance
§ Shadow IT
§ Cyber Espionage and Warfare
§ Dronejacking
§ IoT Malware
§ Hacktivists exposing privacy issues

2017 Cyber Security Trends in Thailand
§ Cyber security regulations improvement
§ More demand for cyber security skills
§ Attackers will target consumers
§ Attackers will become more bolder, more commercial
and less traceable
§ Breaches will get more complicated and harder to beat

Sensitive Data in the Cloud
Source: Cloud Adoption & Risk Report Q4/2015 by Skyhigh

Cloud Services Lack of Basic Security Features
Source: Cloud Adoption & Risk Report Q1/2014 by Skyhigh

CSA Top Threats: Notorious Nine
1. Data Breaches
2. Data Loss
3. Account Hijacking
4. Insecure APIs
5. Denial of Service
6. Malicious Insiders
7. Abuse of Cloud Services
8. Insufficient Due Diligence
9. Shared Technology Issues
Source: https://cloudsecurityalliance.org/group/top-threats/

Best Practice
for Securing the Cloud

Guideline for Implementing Security Controls in the Cloud
• Controls derived from
guidance
• Mapped to familiar
frameworks: ISO 27001,
PCI, COBIT
• Applicable to IaaS, PaaS,
SaaS
• Customer vs Provider
roles
• Help bridges the gap for
IT and IT Auditor

CCM v3.0.1 Details

Consensus Assessment Initiatives
§ Self-assessment questionnaire, which can be used to assess cloud security
§ Latest version is v3.0.1 covering 16 governing & operating domains aligned with CCM
https://cloudsecurityalliance.org/group/consensus-assessments/
§ Main mechanism to be listed in CSA STAR registry (see later slide)

Security Guidance for Critical Areas of Focus in Cloud Computing V3.0
Source: https://cloudsecurityalliance.org/download/security-
guidance-for-critical-areas-of-focus-in-cloud-computing-v3/

Controls
CLOUD COMPUTING
// Other Potential Standards //

NIST SP 800-144
Guidelines on Security and Privacy in Public Cloud Computing
Source:
http://csrc.nist.gov/publications/nistpubs/800-
144/SP800-144.pdf

NIST SP 800-144
Security and Privacy Issues and Recommendations

NIST SP 800-144
9 Domains
80+ pages

ISO 27017 Cloud Security
Code of practice for security controls based on ISO/ IEC 27002 for cloud services
• Cloud-specific, ISO standard
• provide the necessary guidance
on information security controls
for the cloud
• Supplemental to ISO 27001,
ISO 27002 and ISO 27018
• Can be used by both Cloud users
and Cloud providers

Introducing ISO 27017
§ The objectives of this International Standard are to provide a security control framework and
implementation guidance for both cloud service customers and cloud service providers.
§ The guidelines of this International Standard include identification of risks and associated
controls for the use of cloud services..
ISO 27017
Controls based on ISO 27002
ISO 27002
controls
ISO 27017
Annex A
Provided specific guidance
for cloud service customers
and cloud service providers
base on ISO 27002 controls
Provided extended control
set for securing the cloud
Specific guidance
for cloud

Specific Guidance based on ISO 27002 Controls
ISO 27017
ISO 27002
controls
Specific guidance
for cloud

Extended control set for securing the cloud
ISO 27017
Annex A

Guidance for security risk related to cloud computing
ISO 27017
Annex B

Best Practice
for Protecting Privacy in the Cloud

ISO 27018 Public Cloud Privacy
Code of practice for protection of PII in public clouds acting as PII processors
• Published on August 2014
• Cloud-specific, ISO standard
• Based on privacy principles
defined in ISO 29100
• Govern how users’ personally
identifiable information (PII)
should be protected by cloud
providers
• Supplemental to ISO 27001 and
ISO 27002

Introducing ISO 27018
§ Typically an organization implementing ISO/IEC 27001 is protecting its own information
assets. However, in the context of PII protection requirements for a public cloud service
provider acting as a PII processor, the organization is protecting the information assets
entrusted to it by its customers.
ISO 27018
Annex A
Provided specific
guidance for protecting
PII base on ISO 27001
controls
Provided additional
controls for protecting
PII base on ISO 29100
principle
ISO 27018
ISO 27002
controls
Specific guidance
for privacy in the
cloud

Specific Guidance based on ISO 27001 Controls
ISO 27018
ISO 27002
controls
Specific guidance
for privacy in the
cloud

Additional controls base on ISO 29100 principle
ISO 27018
Annex A

Assurance & Audit
CLOUD COMPUTING

CSA STAR (Security, Trust and Assurance Registry)
Source: www.cloudsecurityalliance.org/star

What is CSA STAR?
§ Public and free registry of Cloud Provider self assessments, demonstrating
adoption of:
§ Cloud Control Matrix (CCM)
§ Consensus Assessments Initiative Questionnaire (CAIQ)
§ Promoting transparency
§ Free market competition to provide quality assessment
§ Available on October 2011

CSA STAR – What’s On

CSA STAR Listing Process
Level 1 – Self-Assessment
§Cloud Provider fills out CAIQ or customizes CCM
§Uploads document at CSA STAR website
§CSA performs basic verification
§CSA digitally signs and post at STAR
§Free of charge
§Listing expire within 1 year

CSA STAR Certification
Level 2 – Certification
§Base on ISO 27001:2013 with CSA CCM as additional or
compensating controls
§Measures the capability levels of the cloud service provider
§Evaluates the efficiency of an organization’s ISMS and ensure the
scope, processes and objectives are “Fit for Purpose”
§Based on the PDCA model

CSA STAR Certification
§A STAR Certification Certificate cannot be issued unless the
organization has achieved ISO 27001 certification
§The scope of ISO 27001 certification must not be less than the
scope of STAR certification
§The assessment cycle is the same as ISO 27001 – initial assessment
followed by surveillance audits over a 3-year period

Certifications of Leading Cloud Service Providers

Can you Perform Pentest for the Cloud?

How Certified Cloud Services will Help You?

Key Takeaway – Securing the Cloud
Operations
§ Encrypt data when possible, segregate
key management from cloud provider
§ Adapt secure software development
lifecycle
§ Understand provider’s patching,
provisioning, protection
§ Logging, data exfiltration, granular
customer segregation
§ Hardened VM images
§ Assess provider IDM integration, e.g.
SAML, OpenID
Governance
§ Secure cloud engagement before
procurement – contracts, SLAs,
architecture
§ Know provider’s BCM/DR, financial
viability, employee screening
§ Identify data location when possible
§ Plan for provider termination & return
of assets
§ Preserve right to audit
§ Reinvest provider cost savings into due
diligence

For more information, contact: ACinfotec Consulting Services
02-670-8980-3 | services@acinfotec.com | www.acinfotec.com
THANK YOU
DRIVING BUSINESS EXCELLENCE

Cloud Security & Privacy Standard Slide

More Related Content

What's hot (20)

Viewers also liked (6)

Similar to Cloud Security & Privacy Standard Slide (20)

Recently uploaded (20)

Cloud Security & Privacy Standard Slide