Singapore Standard for Multi-Tiered Cloud Security - SS 584:2013
Wong Onn Chee, Cloud Security Working Group Chair, SPSTC

Agenda
1. To provide an overview of the Multi-Tier Cloud Security (MTCS, SS 584:2013) standard
2. To detail the deployment considerations and related initiatives

Outline
1. Background
2. Objectives
3. The MTCS Working Group
4. The MTCS Model & Framework
5. MTCS Structure
6. Major Control Areas/Domains
7. Deployment Considerations & Related Initiatives
8. Summary

Background
1. Surveys have consistently confirmed that cloud security is the number 1 concern in cloud adoption
2. Security concerns and risk tolerance differ from user to user
3. A security standard is needed to give visibility and clarity on the security provisions of CSPs, so that users' needs can be better matched to what a provider actually offers
Objectives
1. To provide a cloud security framework that:
   • Caters for the different needs of cloud users, from basic requirements to those needing high confidentiality, high integrity & high availability, such as the financial services industry (FSI)
   • Is expressed as a multi-tier model (similar to the Uptime Institute's data centre tiers)
   • Highlights the key security areas & associated controls for each tier
   • Complements existing security standards (e.g. ISO 27001 and industry-specific standards/regulatory requirements)
2. The standard seeks to foster adoption of sound risk management & security practices for cloud computing, while providing businesses with greater clarity on the levels of security offered by different CSPs

MTCS Standards Development Model
Approved by: The Council, IT Standards Committee (ITSC)
Endorsed by: Cloud Computing Standards Coordinating Taskforce
Work Groups: Standards Development WG, made up of industry players (CSPs, cloud user consultants, IDA reps & others)
Consultation focus groups*: professional bodies, associations and regulators
Pilot deployment: CSPs, auditors, lead users
* Completed 2 rounds of 2-month public comment (~350 comments addressed)

The MTCS Working Group
The industry-led MTCS WG oversees development of the cloud security standards.
1. Dr. Kang Meng Chow, Chairman, ITSC
2. Mr. Tao Yao Sing, Deputy Chairman, IDA – NCCO
3. Ms Kong Pei Wee, Secretariat, ITSC
4. Mr. Wong Onn Chee, Member, ITSC-SPSTC
5. Mr. John Yong, Member, IDA – ISEC
6. Mr. Hector Goh*, Member, IDA – ISEC
7. Dr. Lam Kwok Yan, Member, AISP
8. Mr. Alan Sinclair, Member, MOHH
9. Mr. Greg Malewski*, Member, MOHH

Multi-Tier Model of Cloud Security (layered model, top to bottom)
• Industry Specific Standards (e.g. Govt, Finance & Healthcare industries) – More Specific Controls
• Multi-tier Cloud Security Standards – Cloud Related Controls
• ISO 27001 (ISMS) – Base Standards
Framework of MTCS Standard
MTCS is based on a multi-level framework comprising 3 levels of information security (IS) requirements:

Level 1
  Overview: Non-business critical data & systems
  Security control focus: Baseline security controls for potentially low-impact information systems
Level 2
  Overview: Most business critical data & information systems
  Security control focus: A set of more stringent security controls for potentially moderate-impact information systems
Level 3
  Overview: Regulated organisations with specific requirements & more stringent security needs
  Security control focus: Additional set of security controls for potentially high-impact information systems

Structure of MTCS standard (overview)
The Standard is made up of Core Information Security and Cloud Specific Information Security:
• Core Information Security: Cloud Governance, Cloud Infrastructure Security, Cloud Operations Management
• Cloud Specific Information Security: Cloud Services Administration, Cloud User Access, Tenancy and Customer Isolation

Structure of MTCS standard
1. Consists of the following focus areas:
   a. Cloud governance (Clauses 6-12)
   b. Cloud infrastructure security (Clauses 13-17)
   c. Cloud operations management (Clauses 18-21)
   d. Cloud specific information security (Clauses 22-24)
      i. Cloud services administration
      ii. Cloud user access
      iii. Tenancy and customer isolation
2. Consists of the following Clauses:
   6. Information security management
   7. Human resources
   8. Risk management
   9. Third-party
   10. Legal and compliance
   11. Incident management
   12. Data governance
   13. Audit logging and monitoring
   14. Secure configuration
   15. Security testing and monitoring
   16. System acquisitions and development
   17. Encryption
   18. Physical and environmental
   19. Operations
   20. Change management
   21. BCP and DR
   22. Cloud services administration
   23. Cloud user access
   24. Tenancy and customer isolation
CSP Self-Disclosure Checklist (1/2)
Criteria: Measures / Disclosure Requirements
Right to audit: Ability to conduct own reviews (e.g., site assessment, penetration test)
Compliance: List of compliance statuses
Data ownership: Data ownership limitations
Data retention: Periods for user data, user log data, and infrastructure log data
Data sovereignty: Data locations, capability to restrict geographies, and DR locations
Information non-disclosure: What information, if any, may be disclosed
Availability: Mean time between failures; service availability
BCP / DR: Recovery point objective; recovery time objective
Multi-tenancy: Tenancy options
Capacity elasticity: Peak load handling capabilities for capacity
Network resiliency & elasticity: Peak load handling capabilities for network
Storage redundancy & elasticity: Peak load handling capabilities for storage

CSP Self-Disclosure Checklist (2/2)
Criteria: Measures / Disclosure Requirements
Incident & problem management: Support provided (e.g., notification, cooperation with outside parties) & costs
Billing (measured service): Metrics & accuracy
Data portability: Mechanisms supported, including media and format, upon termination
Access to CSP's network: Methods to access the provider (e.g., Internet IPv4/IPv6, site-to-site VPN, frame relay)
User management: Options for integrating with customer IDM, 2-factor solutions
Lifecycle: Automatic or customisable service upgrades and changes
Security configuration enforcement checks: Mechanism to enforce checks on security configuration
Liability: Limits in case of incidents/failure to meet service commitment
Change management: Communications plan and procedures for managing changes
On-demand self-service*: Users can unilaterally provision computing capabilities as needed, automatically, without requiring human interaction with the CSP
* One of the five essential characteristics of cloud computing as defined by NIST

Deployment Considerations
1. Incorporate MTCS as a requirement into the Public Cloud Services bulk tender
2. Cross-certification schemes with other standards (ISO 27001) to facilitate easy migration to the MTCS SS - work in progress
3. Working with the Singapore Accreditation Council (SAC) to provide accreditation services to Certification Bodies
4. Establishment of a website to capture CSP certification & self-disclosure information, to promote TRUST building through TRANSPARENCY

MTCS Certification Scheme (1/2)
URL: http://www.ida.gov.sg/collaboration-and-initiatives/initiatives/for-infocomm-enterprises/MTCS-Certification-Scheme
1. Deployment
   - 3 rounds of training sessions for CSPs, CBs and SaaS ISVs have been conducted
2. Scope
   - 3 different levels of security certification (Tiers 1, 2 & 3), further qualified with the type of service (IaaS, PaaS & SaaS)
   - Example: "Company X is certified to supply Infrastructure-as-a-Service at Tier level 2 according to MTCS standard (SS 584:2013)"
3. Validity
   - Certification will be valid for 3 years, with a yearly surveillance audit to be conducted
MTCS Certification Scheme (2/2)
4. Qualified Assessors for MTCS Certification
   - CSPs shall identify & source Certification Bodies (CBs) to undertake certification
5. Prerequisite
   - All applicants must complete the CSP self-disclosure and a Statement of Applicability (SoA)

List of Participating Certification Bodies
• DNV Business Assurance Pte Ltd, 81 Science Park Drive, #02-03 Chadwick, Singapore 118257
• Certification International (Singapore) Pte Ltd, 60 Albert Street, #13-03 OG Albert Complex, Singapore 189969
• SGS International Certification Services Singapore Pte. Ltd., 3 Toh Tuck Link, #01-02/03, Singapore 596228
• TUV SUD PSB Cert, 1 Science Park Drive, Singapore 118221
• BSI Group Singapore Pte Ltd, 1 Robinson Road, #15-01 AIA Tower, Singapore 048542
• TUV Rheinland Singapore Pte Ltd, 25 International Business Park, #05-105, German Centre, Singapore 609916
• Singapore ISC Pte Ltd, 2 Kim Yam Road, #12-03, Singapore 239320

Cross-Certification with Other Standards
1. Objective: to target
   a. Local CSPs with regional businesses
   b. Foreign CSPs with plans to provide cloud services in Singapore
2. MTCS-ISO 27001 cross-certification in 1Q 2014
   a. To address CSPs that are in the process of attaining, or are already, ISO 27001 certified
   b. A gap analysis report (ISO 27001:2005 -> MTCS SS) has been published on the IDA website

MTCS Certification (Accredited) Framework - Summary
Certification Scheme
• 3 different levels of security certification, further qualified with the type of service
• Certification will be valid for 3 years, with a yearly surveillance audit to be conducted
Qualified Assessors for MTCS Certification
• Audit skill and cloud computing security knowledge
• Relevant audit experience
Prerequisites
• All applicants must complete the CSP self-disclosure