Integrating Cloud Service and Security Management Systems

Slide Note
Embed
Share

Cloud service providers must adhere to service level agreements and security regulations. Demonstrating quality through best practices and standards like ISO/IEC 20k and 27k is crucial. Utilizing cloud services requires consideration of external factors such as market needs and data protection laws. Supervisory authorities, information security, and control play vital roles in the environment of cloud service providers, necessitating conformity to regulations. Cloud service providers face challenges like ensuring service quality and information security due to increasing awareness.

tong654
tong654 Follow

Uploaded on Oct 10, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Integrating Cloud Service and Security Management Systems B. Kemmler, M. Breuer, S. Metzger, D. Kranzlm ller

  2. Integrating Cloud Service and Security Management Systems Why should we talk about it? Cloud service providers have to fulfill: Service level agreements and regulations regarding information security How can cloud service providers demonstrate their level of quality? Following best-practices like ISO/IEC 20k related to service management And security management standards like ISO/IEC 27k Proved by certificates Increasing number of valid ISO/IEC 27k certificates worldwide: +20% from year 2014 to 2015 (ISO Survey of Management System Standard Certifications 2015, executive summary) Issues of operating both management systems in a non-integrated form: Inefficiency, costs and risk of contradictions D. Kranzlm ller Integrating Cloud Service and Security Management Systems 2

  3. Use of Cloud Services and External Factors Some characteristics of cloud services: Measureable On-demand Scalable and elastic Specified level of quality (SLA/OLA) Rapidly provisioned and reconfigured without provider interaction External factors market needs: Increasing awareness/demand regarding information security at the customer side Influenced by scandals e.g. Yahoo data breach 2014, https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo- user-security Enacting of data protection and information security related laws e.g. Personal Data Protection Act 2012 Singapore Amended Act on the Protection of Personal Information APPI Japan, EU GDPR, Basel II, EU-US Privacy Shield D. Kranzlm ller Integrating Cloud Service and Security Management Systems 3

  4. Environment of Cloud Service Providers Supervisory Authorities Information, Reports Surveillance Information Security? Control, Payment, Information Competitor, Hacker, Espionage Search for Cloud Service Provider Customer Need: Information Services, SLA, Information Protection of Information? Conformity to regulation and standards? Obligation to control supply chain Payment, Obligation to Control Services, Goods, SLA, Information Suppliers D. Kranzlm ller Integrating Cloud Service and Security Management Systems 4

  5. Situation of Cloud Service Providers Consequences for cloud service providers: Increasing awareness for the need of ensuring the service quality and information security (more potential mistakes!) Need of conforming to regulations and market standards e.g. ITIL, FitSM, Service Management e.g. ISO/IEC 20k, Information Security e.g. ISO/IEC 27k, Data Protection Code of Conduct for Cloud Infrastructure Service Provider in Europe (CISPE) -> Suggests information security management system (ISMS) D. Kranzlm ller Integrating Cloud Service and Security Management Systems 5

  6. Situation of Cloud Service Providers Organizational Aspects: Cloud service management system Service management standards security management system security management standards Effects on Implementation and operation of management systems (MS) and processes Integrated vs. non-integrated operation of MS: Efforts, Contradictions, 2 improvement processes (CSI and CI) Reconfiguration of cloud services by customers (not only by the provider) Increasing importance of service level management and agreements Need of implementing/operating a service management system (SMS) + additional ISMS D. Kranzlm ller Integrating Cloud Service and Security Management Systems 6

  7. Operation of SMS and ISMS Non-integrated Effects on some Processes ISMS Requirements SMS Requirements Compatible? Incident & Service Request Management Change Management Service Design Management Information Security Management (SMS Process) D. Kranzlm ller Integrating Cloud Service and Security Management Systems 7

  8. Situation of Cloud Service Providers Issues: How to achieve conformity with ISO27k? (ISO20k already established) Are the requirements of ISO20k and ISO27k compatible? What about the differences and common requirements? How to adapt the SMS and processes to achieve conformity with ISO27k? D. Kranzlm ller Integrating Cloud Service and Security Management Systems 8

  9. Result of the Comparison of ISO20k / 27k (1/2) Overview on some similarities: ISO20k and ISO27k are international standards for the planning, implementation, operation and continual improvement of a quality management system (QMS) and include the Deming-Cycle (Plan, Do, Check, Act, conceptual element of QMS) Definition of requirements regarding e.g. The management system Organizational roles and responsibilities Policies and relevant processes Planning, operation, audit etc. Continual improvement of the management system D. Kranzlm ller Integrating Cloud Service and Security Management Systems 9

  10. Result of the Comparison of ISO20k / 27k (2/2) Overview on some differences: Structural Elements Managed Objects Management Approach ISO20k Services ISO27k Information Assets Controls to govern Information Security Overloaded Term, used to document many specific requirements Process Orientation Term: Policy Capture Major Goals of SMS or Process D. Kranzlm ller Integrating Cloud Service and Security Management Systems 10

  11. Resolving Differences Selecting ISO20k as a base for the combined management system: Policy: High-level document for major aspects Other aspects will be documented in subsidiary process descriptions, work instructions or lists Major success factor of process-oriented management systems: Principle of accountability for SMS and process-specific goals often mapped to roles of the SMS-Owner or process owner Suggesting additional requirements to ISO20k to achieve ISO27k-conformance D. Kranzlm ller Integrating Cloud Service and Security Management Systems 11

  12. Overview of Mapped Requirements Short Extract incl. 2 Examples ISO27k ISO20k (ex ISM, DCM) ISO20k Ext. (ex ISM, DCM) ISM (+ISO20k) ACM DCM (+ ISO20k) EPM A.8.1.3 9.1 SRM1 ISM8 A.9.2.1 8.1 ACM4 EPM7 Reading the table horizontally: All ISO27k requirements and controls (overall >130) are mapped to old ISO20k requirements or additional new requirements (as presented in the paper) Reading the table vertically: Reveals the missing gaps towards ISO27k-conformity when ISO20k-conformity is given D. Kranzlm ller Integrating Cloud Service and Security Management Systems 12

  13. Requirements of ISO27k - Examples A 8.1.3 - Acceptable use of assets (ISO/IEC 27001:2013 (E), p.12 Annex): Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented A 9.2.1 - User registration and de-registration (ISO/IEC 27001:2013 (E), p.13 Annex): A formal user registration and de-registration process shall be implemented to enable assignment of access rights. D. Kranzlm ller Integrating Cloud Service and Security Management Systems 13

  14. Mapped Requirements of ISO20k - Examples Column ISO20k: 9.1 (ISO/IEC 20000-1:2011(E), p. 22, Chapter 9.1 Configuration management): There shall be a documented definition of each type of CI. The information recorded for each CI shall ensure effective control and include at least: description of the CI; relationship(s) between the CI and other CIs; relationship(s) between the CI and service components; [ ] There shall be a documented procedure for recording, controlling and tracking versions of CIs. [ ] a) b) c) Column ISO20k: 8.1 (ISO/IEC 20000-1:2011(E), p. 21, Chapter 8.1 Incident and service request management): [ ] There shall be a documented procedure for managing the fulfilment of service requests from recording to closure.[ ] D. Kranzlm ller Integrating Cloud Service and Security Management Systems 14

  15. Requirements Regarding Existing ISO20k Processes - Examples Column ISO20k Ext.: SRM1 (Service Reporting Management): Define and establish methods of monitoring the usage to identify misuse. Column ISM (+ISO20k): ISM8 (Information Security Management): Define, implement and document rules for the acceptable use of information assets, assets associated with information and information processing facilities. D. Kranzlm ller Integrating Cloud Service and Security Management Systems 15

  16. Requirements That Should Be Fulfilled by Implementing New Processes - Examples Column ACM: ACM4 (Access Control Management): Define, implement and maintain procedures to prepare the allocation of access rights by a formal user registration and de-registration process (->interface to CHM). Column EPM: EPM7 (EPM: Employer and Persons Management): Update the checkout process: After termination of employment, contract or change define and implement agreements regarding the return of assets: Employees shall return all of the organizational assets in their possession upon termination of their contract or agreement, reconcile a procedure of checkout and return of assets and keys and trigger the deactivation, removal or change of the access rights of employees, contractors or external party users. D. Kranzlm ller Integrating Cloud Service and Security Management Systems 16

  17. Conclusion and Discussion The paper presents a solid starting point for integrating security management into a given service management system: The ISO27k conformity can be achieved by extending the ISO20k approach: Additional SMS- and process-related requirements Additionally needed processes to complement the given ISO20k-processes Benefit of the mapping regarding a potential ISO27k introductory project: It may assist in assessing and conducting the workload Formerly non-IT aspects of the organization need to be incorporated into the IT service management system e.g. the requirements listed for the employer and people management process A more holistic approach towards the management system of an IT organization Next step: Assess this approach by a real live introductory project at the Leibniz Supercomputing Centre (LRZ) D. Kranzlm ller Integrating Cloud Service and Security Management Systems 17

Related


State-of-the-art Analysis of VM-based Cloud Management Platforms

State-of-the-art Analysis of VM-based Cloud Management Platforms

kolb_926
Online Procurement Auctions for Resource Pooling in Client-Assisted Cloud Storage Systems

Online Procurement Auctions for Resource Pooling in Client-Assisted Cloud Storage Systems

addingt
Simplify Label Design with Label.Cloud

Simplify Label Design with Label.Cloud

urso_rz
Secure Cloud Applications with Intel SGX - OSDI 2014 Presentation Summary

Secure Cloud Applications with Intel SGX - OSDI 2014 Presentation Summary

albritton_a
Cloud-Optimized HDF5 Files Overview

Cloud-Optimized HDF5 Files Overview

gianni
Emerging Trends in Cloud Databases: Challenges and Opportunities

Emerging Trends in Cloud Databases: Challenges and Opportunities

phuong_o
Cloud Adoption and Organizational Change Management Program Overview

Cloud Adoption and Organizational Change Management Program Overview

topolski_m
Understanding Cloud Federation and Identity Management

Understanding Cloud Federation and Identity Management

islarose
Understanding Cloud Security Threats and Vulnerabilities

Understanding Cloud Security Threats and Vulnerabilities

mesa_i
Cloud_cci: Comprehensive Overview of Available Data and Evaluation

Cloud_cci: Comprehensive Overview of Available Data and Evaluation

ksned
Overview of VIIRS Cloud Properties Products and Requirements

Overview of VIIRS Cloud Properties Products and Requirements

alexande
Overview of DMTF Cloud Standards and CIMI.v2 Use Cases

Overview of DMTF Cloud Standards and CIMI.v2 Use Cases

spoe
Challenges and Solutions in Elastic Cloud Security

Challenges and Solutions in Elastic Cloud Security

mancini_a
Ensuring Cloud Security: Strategies for a Safe Transition

Ensuring Cloud Security: Strategies for a Safe Transition

verena
Progress in Cloud Communications Strategy for Canadians and Employees

Progress in Cloud Communications Strategy for Canadians and Employees

boho_an
Exploring Cloud Cryptography for Secure Data Processing

Exploring Cloud Cryptography for Secure Data Processing

vespera
Overview of Cloud Standard APIs and Contextualization Methods

Overview of Cloud Standard APIs and Contextualization Methods

dcar
Research Insights on IHEP Disk Storage Systems and Cloud Computing Integration

Research Insights on IHEP Disk Storage Systems and Cloud Computing Integration

fshel
Comprehensive Cloud Security Measures and Solutions

Comprehensive Cloud Security Measures and Solutions

mad_ne
Cloud-based Parallel Implementation of SLAM for Mobile Robots

Cloud-based Parallel Implementation of SLAM for Mobile Robots

sha_buc
HNSciCloud and VMDIRAC Project Overview

HNSciCloud and VMDIRAC Project Overview

shakhzoda
EGI Federated Cloud Infrastructure Overview

EGI Federated Cloud Infrastructure Overview

melb_nhi
EOSC-hub Project Overview - Integrating and Managing Services for European Open Science Cloud

EOSC-hub Project Overview - Integrating and Managing Services for European Open Science Cloud

heck_ael
NESDIS Cloud Framework: Revolutionizing Data-Agnostic Cloud Computing

NESDIS Cloud Framework: Revolutionizing Data-Agnostic Cloud Computing

anor_329

More Related Content

Enhancing Mobile-Cloud Computing with Autonomous Agents Framework
Enhancing Mobile-Cloud Computing with Autonomous Agents Framework
Oblivious RAM: Enhancing Data Privacy in Cloud Computing
Oblivious RAM: Enhancing Data Privacy in Cloud Computing
Overview of Cloud Computing Technologies and Business Implications
Overview of Cloud Computing Technologies and Business Implications
Understanding Coupling of Convective Motions and Cloud Macrophysics in Climate Model CMDV-CM4
Understanding Coupling of Convective Motions and Cloud Macrophysics in Climate Model CMDV-CM4
United States Coast Guard Cloud Strategy Overview
United States Coast Guard Cloud Strategy Overview
Understanding Cloud Computing: Benefits and Risks
Understanding Cloud Computing: Benefits and Risks
Understanding Cloud Computing Cost Comparison
Understanding Cloud Computing Cost Comparison
GOES-16 Cloud Mask and Top Properties Update in AWIPS-2 NWS/OBS
GOES-16 Cloud Mask and Top Properties Update in AWIPS-2 NWS/OBS
Cloud VR Network Requirements and Development Strategy in July 2022
Cloud VR Network Requirements and Development Strategy in July 2022
Cloud Load Balancing Overview and Requirements
Cloud Load Balancing Overview and Requirements
Exploring the Cloud: Insights from InSITE Conferences
Exploring the Cloud: Insights from InSITE Conferences
Understanding the Value of Cloud Computing
Understanding the Value of Cloud Computing
Cloud Computing and Future Networks: Driving Innovation in Africa
Cloud Computing and Future Networks: Driving Innovation in Africa
Enhancing Cloud Data Transactions with Deuteronomy
Enhancing Cloud Data Transactions with Deuteronomy
Achieving Secure and Scalable Data Access Control in Cloud Computing
Achieving Secure and Scalable Data Access Control in Cloud Computing
Understanding Computer Security Principles and Practices
Understanding Computer Security Principles and Practices
Control Plane Security in Self-service Cloud Platforms
Control Plane Security in Self-service Cloud Platforms
Ensuring Platform Integrity and Trust in Cloud Computing Environments
Ensuring Platform Integrity and Trust in Cloud Computing Environments
Avoco's Cloud-Based Information Card Selector: Enhancing Usability and Security
Avoco's Cloud-Based Information Card Selector: Enhancing Usability and Security
Understanding Wide Area Networking Using Frame Relay Cloud
Understanding Wide Area Networking Using Frame Relay Cloud
Solving IT Security Problems with iRODS at NOAA's National Climatic Data Center
Solving IT Security Problems with iRODS at NOAA's National Climatic Data Center
Understanding the Role of Security Champions in Organizations
Understanding the Role of Security Champions in Organizations
Understanding the Roles of a Security Partner
Understanding the Roles of a Security Partner
Enhancing Cloud Security Through Virtual Machine Co-Migration for IDS Offloading
Enhancing Cloud Security Through Virtual Machine Co-Migration for IDS Offloading