1.2. Guidelines for Information Security of Cloud Computing - PowerPoint PPT Presentation




Cloud Security Certification Scheme in KOREA

April 11, 2017

Jungduk (JD) KIM, Ph.D.
Head, Department of Industrial Security
Chair, Research Institute of Security Policies
jdkimsac@cau.ac.kr

1/15 Beyond Security

Agenda

I. Related Policies to Cloud Computing
II. Guidelines for Information Security of Cloud Computing
III. Cloud Security Certification Program in Korea

I. Related Policies to Cloud Computing


1.1 Act on the Cloud Computing Promotion & the Protection of its Users


1.2. Guidelines for Information Security of Cloud Computing

Category Main contents of measure

II. Guidelines for Information Security of Cloud Computing


2.1 Case Study (1/3)

Country | Certification Scheme | Certification Criteria | Certification Body | Audit/Assessment Body
USA | FedRAMP | NIST SP 800-53 R4 | FedRAMP PMO | Certification Body (Total 38)
JAPAN | JCISPA | Standards for Cloud Information Security | JASA | JASA
JAPAN | ASP∙SaaS Information Disclosure Certification Systems for Safety and Reliability of Cloud Services (IaaS∙PaaS, Data Centre) | | ASPIC | ASPIC
SINGAPORE | MTCS-SS | ISO/IEC 27001 + Self regulation | ITSC | Certification Body (Total 7)
UK | UK-G Cloud Risk Management | ISO/IEC 27001 + Self regulation | CESG |
AUSTRALIA | ASD Cloud | ISO/IEC 27001 + Self regulation | ASD | IRAP


2.1 Case Study (2/3)

Category | USA FedRAMP | Republic of Korea
Certification area | Cloud service for federal government | Cloud service for public org.
Control Items (Number of Items) | 17 Domains, 325 Controls (※ based on moderate) | 14 Domains, 117 Controls
Features | Inspect on functional requirements for information systems | Reflect legal requirements and additional requirements of public org.
Reference | NIST SP 800-53 Rev4 | ISO/IEC 27001/17
Basis | Cloud First Policy | Law of Cloud Development Article 23 (3)
Certification Body | FedRAMP PMO (FedRAMP Program Management Office) | KISA
Audit/Assessment Body | Certification Body (Total 40) | KISA


2.1 Case Study (3/3)

Category | Information Security Management System (ISMS) | Cloud Security Certification Program (CSAP)
Assessment subject | All information system services | Cloud Service (※ Service for public org.)
Assessment method | Document review, On-site inspection | Document review, On-site inspection, Technical inspection (Penetration test, Vulnerability test)
Certificate Criteria (Number of Items) | 18 Domains, 104 Controls | 14 Domains, 117 Controls
Reference | ISO/IEC 27001 | ISO/IEC 27001 + Specialized Controls (Security of Virtualization, Law of Cloud Development, public org. requirements)


2.2 Summary

Category | Main contents of measure

  • Composed of a total of 14 domains and 117 controls


2.3 Additional protection measure for public org. (1/3)


2.3 Additional protection measure for public org. (2/3)

  • Legal Requirements

Category | Obligation
Intrusion | Notify promptly to users
User Information Leakage | Notify promptly to users; notify promptly to the Minister of Science
Service Interruption | Notify promptly to users

Notification method: Phone, cell phone, mail, e-mail, text messaging, cloud computing services or any similar method
Fine: Less than 10,000 USD


2.3 Additional protection measure for public org. (3/3)

III. Cloud Security Certification Program


3.1 Cloud Security Certification Program Summary

public org. 14 domains and 117 controls

Purpose Related Law Standard Assessment


3.2 Assessment Method – Vulnerability Assessment

Definition
  • On-site verification that the technical measures are appropriately implemented in accordance with the cloud security certification program guidelines, for the assets negotiated in the preliminary inspection

Auditor and Duration
  • Auditor team: about 5 people (Lead Auditor; Source code, CVE and CCE inspectors)
  • Duration: 10 business days (depends on the volume of assets and the service scope)

Assessment method
Category | Method
 | Use automated analysis tool
 | Use automated analysis tool
 | Use automated analysis tool


3.2 Assessment Method – Penetration Test

Purpose
  • Examine the possibility of penetration through the external network, to ensure the cloud service is properly implemented and operated in accordance with the cloud security certification program standard

Auditor and Duration
  • Auditor team: closed
  • Duration: 10 business days (adjustable)

Subject to assessment
  • Penetration into the cloud service portal through the external network
  • Penetration to the hypervisor or other VMs via the user VM
  • VPN communication

Advance request
  • Account information (2 or more), test allowed time

Recommendation
  • The CSP periodically trains its penetration test / response team internally

Jungduk Kim jdkimcau@gmail.com http://security.cau.ac.kr