Integrating Cloud Service and Security Management Systems


Cloud service providers must adhere to service level agreements and information security regulations. Demonstrating their level of quality through best practices and standards such as ISO/IEC 20k (service management) and ISO/IEC 27k (security management) is crucial. Using cloud services is shaped by external factors such as market needs and data protection laws. Supervisory authorities, customers, suppliers and adversaries form the environment of a cloud service provider, which must show conformity to regulations and standards. As awareness grows, cloud service providers face the challenge of ensuring service quality and information security at the same time, ideally with one integrated management system rather than two operated side by side.


Uploaded on Oct 10, 2024



Presentation Transcript


  1. Integrating Cloud Service and Security Management Systems
     B. Kemmler, M. Breuer, S. Metzger, D. Kranzlmüller

  2. Integrating Cloud Service and Security Management Systems: Why should we talk about it?
     - Cloud service providers have to fulfill service level agreements and regulations regarding information security.
     - How can cloud service providers demonstrate their level of quality? By following best practices like ISO/IEC 20k for service management and security management standards like ISO/IEC 27k, proved by certificates.
     - Increasing number of valid ISO/IEC 27k certificates worldwide: +20% from 2014 to 2015 (ISO Survey of Management System Standard Certifications 2015, executive summary).
     - Issues of operating both management systems in a non-integrated form: inefficiency, costs and risk of contradictions.
     D. Kranzlmüller, Integrating Cloud Service and Security Management Systems, slide 2

  3. Use of Cloud Services and External Factors
     Some characteristics of cloud services:
     - Measurable
     - On-demand
     - Scalable and elastic
     - Specified level of quality (SLA/OLA)
     - Rapidly provisioned and reconfigured without provider interaction
     External factors / market needs:
     - Increasing awareness of and demand for information security on the customer side, influenced by scandals, e.g. the Yahoo data breach 2014, https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security
     - Enactment of data protection and information security related laws, e.g. Personal Data Protection Act 2012 (Singapore), Amended Act on the Protection of Personal Information (APPI, Japan), EU GDPR, Basel II, EU-US Privacy Shield

  4. Environment of Cloud Service Providers (diagram)
     Actors around the cloud service provider and their exchanges: supervisory authorities (receive information and reports, exert surveillance); customers (search for a cloud service provider; need information, services and SLAs; give control, payment and information in return; ask "protection of information?" and "conformity to regulation and standards?"); competitors, hackers and espionage ("information security?"); suppliers (deliver services, goods, SLAs and information; receive payment; the provider has an obligation to control its supply chain).

  5. Situation of Cloud Service Providers
     Consequences for cloud service providers:
     - Increasing awareness of the need to ensure service quality and information security (more potential mistakes!)
     - Need to conform to regulations and market standards, e.g. ITIL, FitSM; service management, e.g. ISO/IEC 20k; information security, e.g. ISO/IEC 27k; data protection, e.g. Code of Conduct for Cloud Infrastructure Service Providers in Europe (CISPE), which suggests an information security management system (ISMS)

  6. Situation of Cloud Service Providers
     Organizational aspects:
     - The cloud service management system builds on service management standards, the security management system on security management standards; both affect the implementation and operation of management systems (MS) and processes.
     - Integrated vs. non-integrated operation of MS: efforts, contradictions, two improvement processes (CSI and CI)
     - Reconfiguration of cloud services by customers (not only by the provider)
     - Increasing importance of service level management and agreements
     - Need to implement/operate a service management system (SMS) plus an additional ISMS

  7. Operation of SMS and ISMS, Non-integrated: Effects on Some Processes (diagram)
     ISMS requirements and SMS requirements: compatible? Processes affected: Incident & Service Request Management, Change Management, Service Design Management, Information Security Management (SMS process).

  8. Situation of Cloud Service Providers
     Issues:
     - How to achieve conformity with ISO27k? (ISO20k already established)
     - Are the requirements of ISO20k and ISO27k compatible? What about the differences and common requirements?
     - How to adapt the SMS and its processes to achieve conformity with ISO27k?

  9. Result of the Comparison of ISO20k / 27k (1/2)
     Overview of some similarities:
     - ISO20k and ISO27k are international standards for the planning, implementation, operation and continual improvement of a quality management system (QMS) and include the Deming cycle (Plan, Do, Check, Act; a conceptual element of a QMS).
     - Both define requirements regarding e.g. the management system; organizational roles and responsibilities; policies and relevant processes; planning, operation, audit etc.; continual improvement of the management system.

  10. Result of the Comparison of ISO20k / 27k (2/2)
     Overview of some differences:
     Structural element    | ISO20k                                   | ISO27k
     Managed objects       | Services                                 | Information assets
     Management approach   | Process orientation                      | Controls to govern information security
     Term "policy"         | Captures major goals of the SMS or a process | Overloaded term, used to document many specific requirements

  11. Resolving Differences
     Selecting ISO20k as the base for the combined management system:
     - Policy: high-level document for major aspects; other aspects are documented in subsidiary process descriptions, work instructions or lists.
     - Major success factor of process-oriented management systems: the principle of accountability for SMS- and process-specific goals, often mapped to the roles of the SMS owner or process owner.
     - Suggesting additional requirements to ISO20k to achieve ISO27k conformance.

  12. Overview of Mapped Requirements (short extract incl. 2 examples)
     ISO27k  | ISO20k (ex ISM, DCM) | ISO20k Ext. (ex ISM, DCM) | ISM (+ISO20k) | ACM  | DCM (+ISO20k) | EPM
     A.8.1.3 | 9.1                  | SRM1                      | ISM8          |      |               |
     A.9.2.1 | 8.1                  |                           |               | ACM4 |               | EPM7
     - Reading the table horizontally: all ISO27k requirements and controls (overall >130) are mapped to existing ISO20k requirements or to additional new requirements (as presented in the paper).
     - Reading the table vertically: reveals the gaps remaining towards ISO27k conformity when ISO20k conformity is given.

  13. Requirements of ISO27k - Examples
     - A.8.1.3 - Acceptable use of assets (ISO/IEC 27001:2013 (E), p. 12, Annex): "Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented."
     - A.9.2.1 - User registration and de-registration (ISO/IEC 27001:2013 (E), p. 13, Annex): "A formal user registration and de-registration process shall be implemented to enable assignment of access rights."

  14. Mapped Requirements of ISO20k - Examples
     - Column ISO20k: 9.1 (ISO/IEC 20000-1:2011(E), p. 22, Chapter 9.1 Configuration management): "There shall be a documented definition of each type of CI. The information recorded for each CI shall ensure effective control and include at least: a) description of the CI; b) relationship(s) between the CI and other CIs; c) relationship(s) between the CI and service components; [...] There shall be a documented procedure for recording, controlling and tracking versions of CIs. [...]"
     - Column ISO20k: 8.1 (ISO/IEC 20000-1:2011(E), p. 21, Chapter 8.1 Incident and service request management): "[...] There shall be a documented procedure for managing the fulfilment of service requests from recording to closure. [...]"

  15. Requirements Regarding Existing ISO20k Processes - Examples
     - Column ISO20k Ext.: SRM1 (Service Reporting Management): Define and establish methods of monitoring the usage to identify misuse.
     - Column ISM (+ISO20k): ISM8 (Information Security Management): Define, implement and document rules for the acceptable use of information assets, assets associated with information and information processing facilities.

  16. Requirements That Should Be Fulfilled by Implementing New Processes - Examples
     - Column ACM: ACM4 (Access Control Management): Define, implement and maintain procedures to prepare the allocation of access rights by a formal user registration and de-registration process (interface to CHM).
     - Column EPM: EPM7 (Employer and Persons Management): Update the checkout process. After termination or change of employment or contract, define and implement agreements regarding the return of assets: employees shall return all organizational assets in their possession upon termination of their contract or agreement; reconcile a procedure for checkout and return of assets and keys; and trigger the deactivation, removal or change of the access rights of employees, contractors or external party users.
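The "vertical reading" of the mapping table on slide 12, and the split of the remaining gaps into extensions of existing ISO20k processes (slide 15) and newly implemented processes (slide 16), can be run as a small gap analysis. The following Python script is an added example and not code from the paper or the authors; it encodes only the two mapping rows shown on slide 12 (the paper's full mapping covers over 130 controls), and the column grouping into "existing" and "new" processes is an assumption taken from the slide titles.

```python
"""Gap analysis over the ISO27k -> ISO20k requirement mapping (added example).

Encodes the two example rows of the mapping table (slide 12) and answers the
question of slide 12's vertical reading: given the SMS requirements an
organization already fulfils, which ISO27k controls are still open, and which
of the missing requirements extend an existing ISO20k process versus require a
new process.  Column names are the paper's; the requirement ids are the ones
printed on the slides.
"""

# Columns of the mapping table, in the order shown on slide 12.
COLUMNS = ("ISO20k", "ISO20k Ext.", "ISM", "ACM", "DCM", "EPM")

# Assumption from the slide titles: "ISO20k Ext." and "ISM" columns hold
# requirements on existing ISO20k processes (slide 15); ACM, DCM and EPM are
# processes that have to be newly implemented (slide 16).
EXISTING_PROCESS_COLUMNS = ("ISO20k", "ISO20k Ext.", "ISM")
NEW_PROCESS_COLUMNS = ("ACM", "DCM", "EPM")

# The two example rows from slide 12.  Each ISO27k control maps to the SMS
# requirements (per column) that together satisfy it.
MAPPING = {
    "A.8.1.3": {"ISO20k": ["9.1"], "ISO20k Ext.": ["SRM1"], "ISM": ["ISM8"]},
    "A.9.2.1": {"ISO20k": ["8.1"], "ACM": ["ACM4"], "EPM": ["EPM7"]},
}


def requirements_for(control):
    """Horizontal reading: every SMS requirement mapped to one ISO27k control."""
    return {req for reqs in MAPPING[control].values() for req in reqs}


def gap_analysis(fulfilled):
    """Vertical reading: for each ISO27k control, the mapped requirements that
    are not yet fulfilled.  An empty list means the control is covered."""
    done = set(fulfilled)
    return {control: sorted(requirements_for(control) - done)
            for control in MAPPING}


def unmet_controls(fulfilled):
    """ISO27k controls that still have at least one open requirement."""
    return sorted(control for control, missing in gap_analysis(fulfilled).items()
                  if missing)


def classify_gaps(fulfilled):
    """Group the open requirements by the kind of work they imply:
    extending an existing ISO20k process, or implementing a new process."""
    done = set(fulfilled)
    result = {"extend existing process": set(), "implement new process": set()}
    for cols in MAPPING.values():
        for col, reqs in cols.items():
            if col not in COLUMNS:
                raise ValueError(f"unknown mapping column {col!r}")
            key = ("extend existing process" if col in EXISTING_PROCESS_COLUMNS
                   else "implement new process")
            result[key].update(req for req in reqs if req not in done)
    return {key: sorted(reqs) for key, reqs in result.items()}


def iso20k_baseline():
    """Requirements an organization fulfils when ISO20k conformity is given:
    everything in the plain ISO20k column, nothing from the added columns."""
    return sorted(req for cols in MAPPING.values() for req in cols.get("ISO20k", []))


if __name__ == "__main__":
    baseline = iso20k_baseline()            # ['8.1', '9.1']
    print("fulfilled (ISO20k conformity):", baseline)
    print("open per control:", gap_analysis(baseline))
    print("controls still unmet:", unmet_controls(baseline))
    print("work packages:", classify_gaps(baseline))
    everything = baseline + ["SRM1", "ISM8", "ACM4", "EPM7"]
    print("after closing all gaps:", unmet_controls(everything))
```

With only the two ISO20k clauses fulfilled, both example controls remain open; SRM1 and ISM8 land in the "extend existing process" bucket and ACM4 and EPM7 in "implement new process", which is exactly how slides 15 and 16 present them. Extending `MAPPING` with the remaining rows of the paper's table turns the script into the workload estimate slide 17 mentions for an ISO27k introductory project.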

  17. Conclusion and Discussion
     The paper presents a solid starting point for integrating security management into a given service management system:
     - ISO27k conformity can be achieved by extending the ISO20k approach: additional SMS- and process-related requirements, plus additionally needed processes to complement the given ISO20k processes.
     - Benefit of the mapping for a potential ISO27k introductory project: it may assist in assessing and conducting the workload.
     - Formerly non-IT aspects of the organization need to be incorporated into the IT service management system, e.g. the requirements listed for the employer and persons management process; a more holistic approach towards the management system of an IT organization.
     - Next step: assess this approach in a real-life introductory project at the Leibniz Supercomputing Centre (LRZ).
