
Guidelines for Information Security of Cloud Computing (presentation slides)



1. Title and Agenda

Guidelines for Information Security of Cloud Computing
April 11, 2017
Jungduk (JD) KIM, Ph.D.
Head, Department of Industrial Security; Chair, Research Institute of Security Policies
jdkimsac@cau.ac.kr
Beyond Security

Agenda
  I.   Related Policies to Cloud Computing
  II.  Guidelines for Information Security of Cloud Computing
  III. Cloud Security Certification Program in Korea

I. Related Policies to Cloud Computing

1.1 Act on the Cloud Computing Promotion & the Protection of its Users

2. 1.2 Guidelines for Information Security of Cloud Computing

Table headers: Category / Main contents of measure (table body not recovered from the slide)

II. Guidelines for Information Security of Cloud Computing

2.1 Case Study (1/3) and (2/3): cloud security certification schemes by country

USA
  Certification scheme: FedRAMP
  Certification area: cloud services for the federal government
  Certification body: FedRAMP PMO (FedRAMP Program Management Office)
  Audit/Assessment body: (Total 38)
  Certification criteria: NIST SP 800-53 Rev. 4
  Number of items: 17 domains, 325 controls (based on the moderate baseline)
  Development basis: Cloud First Policy

Republic of Korea
  Certification area: cloud services for public organizations
  Certification body: KISA
  Audit/Assessment body: KISA
  Certification criteria: ISO/IEC 27001 / 27017 plus specialized controls
  Number of items: 14 domains, 117 controls
  Features: reflects the legal requirements and the additional requirements of public organizations
  Development basis: Act on the Cloud Computing Promotion & the Protection of its Users, Article 23 (3)

JAPAN
  Schemes: ASP/SaaS Information Disclosure Certification System (ASPIC); IaaS/PaaS Certification System for Safety and Reliability of Data Centre Cloud Services (ASPIC); Standards for Cloud Information Security Control (JCISPA)
  Certification / audit body: JASA
  Features: inspects functional requirements for information systems
  Development basis: self regulation

SINGAPORE
  Scheme: MTCS-SS
  Body: ITSC
  Certification criteria: ISO/IEC 27001+
  Certification body: (Total 7)
  Development basis: self regulation

UK
  Scheme: G-Cloud
  Body: CESG
  Certification criteria: ISO/IEC 27001+, risk management
  Development basis: self regulation

AUSTRALIA
  Scheme: ASD Cloud
  Audit/Assessment body: ASD IRAP
  Certification criteria: ISO/IEC 27001+
  Certification body: (Total 40)
  Development basis: self regulation

3. 2.1 Case Study (3/3) and 2.2 Summary

CSAP (Cloud Security Assurance Program) is composed of 14 domains and 117 controls in total.

Comparison of ISMS (Information Security Management System) and CSAP (Cloud Security certification Program):

  Category                   ISMS                                   CSAP
  Assessment subject         all information system services        cloud services (services for public organizations)
  Assessment method          document review, on-site inspection    document review, on-site inspection, technical inspection (penetration test, vulnerability test)
  Number of items            18 domains, 104 controls               14 domains, 117 controls
  Certificate criteria       ISO/IEC 27001                          ISO/IEC 27001 + specialized controls (security of virtualization, Act on Cloud Computing Development, public organization requirements)

2.3 Additional protection measure for public org. (1/3) and (2/3)

Table headers: Category / Main contents of measure (table body not recovered from the slide)

Legal requirements

  Category                    Obligation                                                        Notification method                                                                              Fine
  Intrusion                   notify users promptly                                             phone, cell phone, mail, e-mail, text messaging, the cloud computing service itself, or similar methods   less than 10,000 USD
  User information leakage    notify users promptly; notify the Minister of Science promptly    (as above)                                                                                       (as above)
  Service interruption        notify users promptly                                             (as above)                                                                                       (as above)

4. 2.3 Additional protection measure for public org. (3/3)

III. Cloud Security Certification Program

3.1 Cloud Security Certification Program Summary
  Headings on the slide: Definition, Purpose, Related Law, Standard, Assessment method (details not recovered)
  Standard: 14 domains and 117 controls, applied to cloud services for public organizations

3.2 Assessment Method - Vulnerability Assessment

Purpose
  v On-site verification that the technical measures are appropriately implemented in accordance with the cloud security certification program guidelines, for the assets negotiated in the preliminary inspection

Auditor and Duration
  v Auditor team: about 5 people (lead auditor plus source code, CVE and CCE inspectors)
  v Duration: 10 business days (depends on the volume of assets and the service scope)

Assessment method
  Category      Method
  Source code   use automated analysis tool
  CVE           use automated analysis tool
  CCE           use automated analysis tool

5. 3.2 Assessment Method - Penetration Test

Purpose
  v Examine the possibility of penetration through the external network, to ensure the cloud service is properly implemented and operated in accordance with the cloud security certification program standard

Auditor and Duration
  v Auditor team: closed
  v Duration: 10 business days (adjustable)

Subject to assessment
  v Penetration into the cloud service portal through the external network
  v Penetration to the hypervisor or other VMs via the user VM
  v VPN communication

Advance request
  v Account information (2 or more accounts), allowed testing time

Recommendation
  v The CSP should periodically train its penetration test / response team internally

Contact: Jungduk Kim, jdkimcau@gmail.com, http://security.cau.ac.kr
