Integrating Cloud Service and Security Management Systems B. Kemmler, M. Breuer, S. Metzger, D. Kranzlmüller.

Why should we talk about it?
- Cloud service providers have to fulfil service level agreements and regulations regarding information security.
- How can cloud service providers demonstrate their level of quality? By following best practices such as ISO/IEC 20000 (ISO20k) for service management and the ISO/IEC 27000 series (ISO27k) for security management, proved by certificates.
- The number of valid ISO/IEC 27001 certificates worldwide is increasing: +20% from 2014 to 2015 (ISO Survey of Management System Standard Certifications 2015, executive summary).
- Issues of operating both management systems in a non-integrated form: inefficiency, costs and the risk of contradictions.
D. Kranzlmüller, Integrating Cloud Service and Security Management Systems

Use of Cloud Services and External Factors
Some characteristics of cloud services:
- measurable
- on-demand
- scalable and elastic
- specified level of quality (SLA/OLA)
- rapidly provisioned and reconfigured without provider interaction
External factors, market needs:
- Increasing awareness of and demand for information security on the customer side, influenced by scandals, e.g. the Yahoo data breach of 2014 (disclosed in 2016): https://yahoo.tumblr.com/post/150781911849/an-important-message-about-yahoo-user-security
- Enactment of data protection and information security related laws and regulations, e.g. the Personal Data Protection Act 2012 (Singapore), the amended Act on the Protection of Personal Information (APPI, Japan), the EU GDPR, Basel II and the EU-US Privacy Shield

Environment of Cloud Service Providers (figure: actors around the provider and what flows between them)
- Cloud service provider: in the centre; delivers services, SLAs and information to customers; receives payment, control and information from them.
- Customer: needs protection of information, conformity to regulation and standards, and must meet an obligation to control its supply chain.
- Suppliers: deliver services, goods, SLAs and information to the provider; receive payment and are subject to the provider's obligation to control them.
- Supervisory authorities: perform surveillance (information security?) and receive information and reports.
- Competitors, hackers, espionage: search for information.

Situation of Cloud Service Providers
Consequences for cloud service providers:
- Increasing awareness of the need to ensure service quality and information security (more potential mistakes!)
- Need to conform to regulations and market standards, e.g. ITIL, FitSM
- Service management, e.g. ISO/IEC 20k
- Information security, e.g. ISO/IEC 27k
- Data protection, e.g. the Code of Conduct for Cloud Infrastructure Service Providers in Europe (CISPE), which suggests an information security management system (ISMS)

Situation of Cloud Service Providers
Organizational aspects:
- A cloud service management system and a security management system
- Service management standards and security management standards
- Effects on the implementation and operation of management systems (MS) and processes
- Integrated vs. non-integrated operation of the MS: effort, contradictions, two improvement processes (continual service improvement, CSI, and continual improvement, CI)
- Reconfiguration of cloud services by customers (not only by the provider): increasing importance of service level management and agreements
- Need to implement and operate a service management system (SMS) plus an additional ISMS

Operation of SMS and ISMS, Non-integrated
Effects on some processes (SMS requirements vs. ISMS requirements: compatible?):
- Incident and service request management
- Change management
- Service design management
- Information security management (SMS process)

Situation of Cloud Service Providers
Issues:
- How to achieve conformity with ISO27k when ISO20k is already established?
- Are the requirements of ISO20k and ISO27k compatible? What are the differences and the common requirements?
- How to adapt the SMS and its processes to achieve conformity with ISO27k?

Result of the Comparison of ISO20k / 27k (1/2)
Overview of some similarities:
- ISO20k and ISO27k are international standards for the planning, implementation, operation and continual improvement of a management system; both build on the Deming cycle (Plan, Do, Check, Act), a conceptual element of quality management systems (QMS)
- Both define requirements regarding e.g. the management system; organizational roles and responsibilities; policies and relevant processes; planning, operation, audit etc.; continual improvement of the management system

Result of the Comparison of ISO20k / 27k (2/2)
Overview of some differences:
Structural element   | ISO20k                                          | ISO27k
Managed objects      | Services                                        | Information assets
Management approach  | Process orientation                             | Controls to govern information security
Term "policy"        | Captures the major goals of the SMS or a process | Overloaded term, used to document many specific requirements

Resolving Differences
Selecting ISO20k as the base for the combined management system:
- Policy: high-level document for the major aspects; other aspects are documented in subsidiary process descriptions, work instructions or lists
- Major success factor of process-oriented management systems: the principle of accountability for SMS- and process-specific goals, often mapped to the roles of the SMS owner or the process owner
- Suggesting additional requirements to ISO20k to achieve ISO27k conformance

Overview of Mapped Requirements, Short Extract incl. 2 Examples
ISO27k  | ISO20k (ex ISM, DCM) | ISO20k Ext. (ex ISM, DCM) | ISM (+ISO20k) | ACM  | DCM (+ISO20k) | EPM
A.8.1.3 | 9.1                  | SRM1                      | ISM8          | -    | -             | -
A.9.2.1 | 8.1                  | -                         | -             | ACM4 | -             | EPM7
Reading the table horizontally: all ISO27k requirements and controls (more than 130 overall) are mapped to existing ISO20k requirements or to additional new requirements (as presented in the paper).
Reading the table vertically: reveals the remaining gaps towards ISO27k conformity when ISO20k conformity is given.

Requirements of ISO27k, Examples
A.8.1.3, Acceptable use of assets (ISO/IEC 27001:2013 (E), Annex A, p. 12): "Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented."
A.9.2.1, User registration and de-registration (ISO/IEC 27001:2013 (E), Annex A, p. 13): "A formal user registration and de-registration process shall be implemented to enable assignment of access rights."

Mapped Requirements of ISO20k, Examples
Column ISO20k: "9.1" (ISO/IEC 20000-1:2011 (E), p. 22, clause 9.1 Configuration management): "There shall be a documented definition of each type of CI. The information recorded for each CI shall ensure effective control and include at least: description of the CI; relationship(s) between the CI and other CIs; relationship(s) between the CI and service components; […] There shall be a documented procedure for recording, controlling and tracking versions of CIs. […]"
Column ISO20k: "8.1" (ISO/IEC 20000-1:2011 (E), p. 21, clause 8.1 Incident and service request management): "[…] There shall be a documented procedure for managing the fulfilment of service requests from recording to closure. […]"

Requirements Regarding Existing ISO20k Processes, Examples
Column ISO20k Ext.: "SRM1" (Service Reporting Management): define and establish methods of monitoring usage to identify misuse.
Column ISM (+ISO20k): "ISM8" (Information Security Management): define, implement and document rules for the acceptable use of information assets, of assets associated with information, and of information processing facilities.
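The two readings of the mapping table (horizontally: is every ISO27k control covered; vertically: which requirements remain open once ISO20k conformity is given) are straightforward to automate once the table is held as data. The following Python is an added example, not tooling from the paper or from LRZ: it encodes the two slide rows (A.8.1.3 and A.9.2.1) under the slide's column names, and the data model, the function names and the extra control "A.9.2.2" used to show an unmapped row are this example's own assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Set


@dataclass
class MappingRow:
    """One row of the mapping table: an ISO 27001 Annex A control and what covers it."""
    control: str                                      # e.g. "A.8.1.3"
    iso20k: Set[str] = field(default_factory=set)     # existing ISO/IEC 20000-1 clauses (column "ISO20k")
    extensions: Dict[str, Set[str]] = field(default_factory=dict)  # column name -> new requirement ids


# Constructed sample: the two rows shown on the slides; column names follow the slide table.
MAPPING: List[MappingRow] = [
    MappingRow("A.8.1.3", {"9.1"}, {"ISO20k Ext.": {"SRM1"}, "ISM": {"ISM8"}}),
    MappingRow("A.9.2.1", {"8.1"}, {"ACM": {"ACM4"}, "EPM": {"EPM7"}}),
]


def requirements_for(row: MappingRow) -> Set[str]:
    """All requirement ids (existing clauses and extensions) a control depends on."""
    needed = set(row.iso20k)
    for reqs in row.extensions.values():
        needed |= reqs
    return needed


def unmapped_controls(scope: Iterable[str], mapping: List[MappingRow]) -> Set[str]:
    """Horizontal reading: every in-scope ISO27k control must map to at least one requirement.
    Returns the controls for which the mapping has no row or only an empty row."""
    covered = {row.control for row in mapping if requirements_for(row)}
    return set(scope) - covered


def open_requirements(mapping: List[MappingRow], fulfilled: Set[str]) -> Dict[str, Set[str]]:
    """Vertical reading: requirements not yet fulfilled, grouped by table column.
    Passing the ISO20k clauses already in place yields the remaining extension work."""
    gaps: Dict[str, Set[str]] = {}
    for row in mapping:
        missing_20k = row.iso20k - fulfilled
        if missing_20k:
            gaps.setdefault("ISO20k", set()).update(missing_20k)
        for column, reqs in row.extensions.items():
            missing = reqs - fulfilled
            if missing:
                gaps.setdefault(column, set()).update(missing)
    return gaps


def open_controls(mapping: List[MappingRow], fulfilled: Set[str]) -> Set[str]:
    """Controls that cannot yet be claimed as conformant: at least one mapped requirement is open."""
    return {row.control for row in mapping if requirements_for(row) - fulfilled}


def controls_depending_on(mapping: List[MappingRow], requirement: str) -> Set[str]:
    """Reverse lookup: which ISO27k controls stay open if this single requirement is not met."""
    return {row.control for row in mapping if requirement in requirements_for(row)}


if __name__ == "__main__":
    # An ISO20k-certified provider: the mapped ISO20k clauses are in place, the extensions are not.
    in_place = {"9.1", "8.1"}
    print(open_requirements(MAPPING, in_place))
    # {'ISO20k Ext.': {'SRM1'}, 'ISM': {'ISM8'}, 'ACM': {'ACM4'}, 'EPM': {'EPM7'}}
    print(open_controls(MAPPING, in_place | {"SRM1", "ISM8"}))   # {'A.9.2.1'}
    print(controls_depending_on(MAPPING, "8.1"))                  # {'A.9.2.1'}
    # "A.9.2.2" stands in for a control the sample mapping does not cover yet.
    print(unmapped_controls(["A.8.1.3", "A.9.2.1", "A.9.2.2"], MAPPING))  # {'A.9.2.2'}
```

open_requirements is the vertical reading: fed with the clauses an ISO20k audit has actually confirmed (rather than the constructed set above) it produces the initial work list for an ISO27k introductory project, per new process column. unmapped_controls is the horizontal check the paper performs by hand over all >130 items; the reverse lookup shows which controls a single late requirement would hold back.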

Requirements That Should Be Fulfilled by Implementing New Processes, Examples
Column ACM: "ACM4" (Access Control Management): define, implement and maintain procedures to prepare the allocation of access rights by a formal user registration and de-registration process (interface to change management, CHM).
Column EPM: "EPM7" (Employer and Persons Management): update the checkout process. After termination of employment or contract, or a change of role, define and implement agreements regarding the return of assets: employees shall return all organizational assets in their possession upon termination of their contract or agreement; reconcile a procedure for the checkout and return of assets and keys; and trigger the deactivation, removal or change of the access rights of employees, contractors or external party users.
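ACM4 and EPM7 describe the preventive side (formal registration and de-registration, checkout on termination). The detective check a practitioner pairs with it is a periodic reconciliation of the HR roster against the accounts and assets still registered, so that a leaver whose access or laptop was missed shows up before an auditor or an attacker finds it. The following Python is an added example, not part of the paper or of LRZ's processes: the record fields, the finding categories and the sample people, accounts and assets are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Person:
    """HR record (fields assumed for this example)."""
    person_id: str
    status: str                  # "active" or "terminated"
    end_date: Optional[date]     # last working day, None while employed


@dataclass(frozen=True)
class Account:
    """Account as exported from the access-management system (fields assumed)."""
    account_id: str
    owner_id: Optional[str]      # link to the HR record; None = no registered owner
    enabled: bool
    last_login: Optional[date]


@dataclass(frozen=True)
class Asset:
    """Entry of the asset/key checkout list (fields assumed)."""
    tag: str
    holder_id: str
    returned: bool


@dataclass(frozen=True)
class Finding:
    kind: str        # category labels are this example's own
    subject: str     # account id or asset tag
    detail: str


def reconcile(people: List[Person], accounts: List[Account], assets: List[Asset],
              today: date, grace: timedelta = timedelta(days=0)) -> List[Finding]:
    """Compare HR, access management and the checkout list; return what the leaver process missed.
    grace: how long after the last working day an account may still be enabled before it is reported."""
    by_id = {p.person_id: p for p in people}
    findings: List[Finding] = []
    for acc in accounts:
        owner = by_id.get(acc.owner_id) if acc.owner_id else None
        if owner is None:
            # No registered owner: the formal registration step (A.9.2.1) was bypassed.
            findings.append(Finding("ORPHAN_ACCOUNT", acc.account_id,
                                    f"no HR record for owner {acc.owner_id!r}"))
            continue
        if owner.status != "terminated" or owner.end_date is None:
            continue
        if acc.enabled and today > owner.end_date + grace:
            findings.append(Finding("LEAVER_STILL_ENABLED", acc.account_id,
                                    f"owner {owner.person_id} left on {owner.end_date.isoformat()}"))
        if acc.last_login is not None and acc.last_login > owner.end_date:
            # Use after the last working day is an incident, not just a hygiene gap.
            findings.append(Finding("LEAVER_ACTIVITY", acc.account_id,
                                    f"login on {acc.last_login.isoformat()} after termination"))
    for asset in assets:
        holder = by_id.get(asset.holder_id)
        if (holder is not None and holder.status == "terminated" and holder.end_date is not None
                and not asset.returned and today > holder.end_date + grace):
            findings.append(Finding("ASSET_NOT_RETURNED", asset.tag,
                                    f"held by {holder.person_id}, left on {holder.end_date.isoformat()}"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per category, e.g. as input for a service report (SRM)."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample data.
TODAY = date(2017, 3, 1)
PEOPLE = [
    Person("p100", "active", None),
    Person("p200", "terminated", date(2017, 1, 31)),
    Person("p300", "terminated", date(2017, 2, 27)),
]
ACCOUNTS = [
    Account("alice", "p100", True, date(2017, 2, 28)),
    Account("bob", "p200", True, date(2017, 2, 3)),        # left 31 Jan, still enabled, used afterwards
    Account("carol", "p300", False, date(2017, 2, 20)),    # de-registered correctly
    Account("svc-backup", None, True, None),               # nobody registered as owner
]
ASSETS = [
    Asset("LT-0042", "p200", False),    # laptop never handed back
    Asset("LT-0043", "p300", True),
    Asset("LT-0044", "p100", False),    # holder still employed, fine
]

if __name__ == "__main__":
    for f in reconcile(PEOPLE, ACCOUNTS, ASSETS, TODAY):
        print(f.kind, f.subject, f.detail)
    print(summarize(reconcile(PEOPLE, ACCOUNTS, ASSETS, TODAY)))
    # {'LEAVER_STILL_ENABLED': 1, 'LEAVER_ACTIVITY': 1, 'ORPHAN_ACCOUNT': 1, 'ASSET_NOT_RETURNED': 1}
```

The grace parameter encodes the agreed deadline for the checkout process (EPM7); anything still enabled past it is a nonconformity to raise via incident management, while a login after the termination date is reported regardless of grace because it is evidence of use, not a paperwork delay. Orphan accounts are reported separately because they are exactly what the formal registration step in ACM4 is meant to prevent.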

Conclusion and Discussion
The paper presents a solid starting point for integrating security management into a given service management system:
- ISO27k conformity can be achieved by extending the ISO20k approach: additional SMS- and process-related requirements, and additionally needed processes to complement the given ISO20k processes
- Benefit of the mapping for a potential ISO27k introductory project: it may assist in estimating and managing the workload
- Formerly non-IT aspects of the organization need to be incorporated into the IT service management system, e.g. the requirements listed for the employer and persons management (EPM) process: a more holistic approach towards the management system of an IT organization
Next step: assess this approach in a real-life introductory project at the Leibniz Supercomputing Centre (LRZ).