Integrating Cloud Service and Security Management Systems B. Kemmler, M. Breuer, S. Metzger, D. Kranzlmüller.


1 Integrating Cloud Service and Security Management Systems B. Kemmler, M. Breuer, S. Metzger, D. Kranzlmüller

2 Integrating Cloud Service and Security Management Systems
Why should we talk about it?
- Cloud service providers have to fulfil service level agreements and regulations regarding information security.
- How can cloud service providers demonstrate their level of quality?
  - By following best practices such as ISO/IEC 20k for service management and security management standards such as ISO/IEC 27k
  - Proven by certificates: the number of valid ISO/IEC 27k certificates worldwide grew by 20% from 2014 to 2015 (ISO Survey of Management System Standard Certifications 2015, executive summary)
- Issues of operating both management systems in a non-integrated form: inefficiency, costs and risk of contradictions
D. Kranzlmüller, Integrating Cloud Service and Security Management Systems

3 Use of Cloud Services and External Factors
Some characteristics of cloud services:
- Measurable
- On-demand
- Scalable and elastic
- Specified level of quality (SLA/OLA)
- Rapidly provisioned and reconfigured without provider interaction
External factors (market needs):
- Increasing awareness of and demand for information security on the customer side, influenced by scandals such as the Yahoo data breach of 2014
- Enactment of data protection and information security related laws, e.g. Personal Data Protection Act 2012 (Singapore), amended Act on the Protection of Personal Information (APPI, Japan), EU GDPR, Basel II, EU-US Privacy Shield

4 Environment of Cloud Service Providers
[Diagram: environment of a cloud service provider. Entities: Supervisory Authorities, Customer, Cloud Service Provider, Suppliers, and Competitor / Hacker / Espionage. Relations shown: supervisory authorities exercise surveillance and receive information and reports; the customer exercises control, pays and provides information, and receives services, SLAs and information; suppliers deliver services, goods, SLAs and information against payment and are bound by an obligation to control; competitors, hackers and espionage search for information. Questions raised at the provider: Information security? Need for protection of information? Conformity to regulation and standards? Obligation to control the supply chain.]

5 Situation of Cloud Service Providers
Consequences for cloud service providers:
- Increasing awareness of the need to ensure service quality and information security (more potential mistakes!)
- Need to conform to regulations and market standards, e.g. ITIL, FitSM; service management, e.g. ISO/IEC 20k; information security, e.g. ISO/IEC 27k; data protection
- Code of Conduct for Cloud Infrastructure Service Providers in Europe (CISPE) -> suggests an information security management system (ISMS)

6 Situation of Cloud Service Providers
Organizational aspects:
- Cloud service management system and security management system
- Service management standards and security management standards
- Effects on implementation and operation of management systems (MS) and processes
- Integrated vs. non-integrated operation of MS: efforts, contradictions, two separate improvement processes (CSI and CI)
- Reconfiguration of cloud services by customers (not only by the provider)
- Increasing importance of service level management and agreements
- Need to implement and operate a service management system (SMS) plus an additional ISMS

7 Operation of SMS and ISMS – Non-integrated Effects on some Processes
[Diagram: SMS requirements and ISMS requirements side by side, with the question "Compatible?" between them. SMS processes affected: Incident & Service Request Management, Change Management, Service Design Management, Information Security Management (as an SMS process).]

8 Situation of Cloud Service Providers
Issues:
- How to achieve conformity with ISO27k? (ISO20k already established)
- Are the requirements of ISO20k and ISO27k compatible?
- What about the differences and common requirements?
- How to adapt the SMS and its processes to achieve conformity with ISO27k?

9 Result of the Comparison of ISO20k / 27k (1/2)
Overview on some similarities:
- ISO20k and ISO27k are international standards for the planning, implementation, operation and continual improvement of a quality management system (QMS) and both include the Deming cycle (Plan, Do, Check, Act), a conceptual element of a QMS
- Both define requirements regarding e.g.:
  - The management system
  - Organizational roles and responsibilities
  - Policies and relevant processes
  - Planning, operation, audit etc.
  - Continual improvement of the management system

10 Result of the Comparison of ISO20k / 27k (2/2)
Overview on some differences:

Structural element   | ISO20k                                  | ISO27k
---------------------+-----------------------------------------+-------------------------------------------------------
Managed objects      | Services                                | Information assets
Management approach  | Process orientation                     | Controls to govern information security
Term "Policy"        | Captures major goals of the SMS or of a | Overloaded term, used to document many specific
                     | process                                 | requirements

11 Resolving Differences
Selecting ISO20k as the base for the combined management system:
- Policy: high-level document for major aspects; other aspects are documented in subsidiary process descriptions, work instructions or lists
- Major success factor of process-oriented management systems: the principle of accountability for SMS- and process-specific goals, often mapped to the roles of the SMS owner or process owner
- Suggesting additional requirements to ISO20k to achieve ISO27k conformance

12 Overview of Mapped Requirements – Short Extract incl. 2 Examples
ISO27k   | ISO20k (ex ISM, DCM) | ISO20k Ext. (ex ISM, DCM) | ISM (+ISO20k) | ACM  | DCM (+ISO20k) | EPM
---------+----------------------+---------------------------+---------------+------+---------------+------
A.8.1.3  | 9.1                  | SRM1                      | ISM8          |      |               |
A.9.2.1  | 8.1                  |                           |               | ACM4 |               | EPM7

Reading the table horizontally: all ISO27k requirements and controls (overall more than 130) are mapped to existing ISO20k requirements or to additional new requirements (as presented in the paper).
Reading the table vertically: reveals the remaining gaps towards ISO27k conformity when ISO20k conformity is already given.

13 Requirements of ISO27k - Examples
A.8.1.3 Acceptable use of assets (ISO/IEC 27001:2013 (E), p. 12, Annex A): "Rules for the acceptable use of information and of assets associated with information and information processing facilities shall be identified, documented and implemented."
A.9.2.1 User registration and de-registration (ISO/IEC 27001:2013 (E), p. 13, Annex A): "A formal user registration and de-registration process shall be implemented to enable assignment of access rights."

14 Mapped Requirements of ISO20k - Examples
Column ISO20k: "9.1" (ISO/IEC :2011(E), p. 22, Chapter 9.1 Configuration management): "There shall be a documented definition of each type of CI. The information recorded for each CI shall ensure effective control and include at least: description of the CI; relationship(s) between the CI and other CIs; relationship(s) between the CI and service components; [...] There shall be a documented procedure for recording, controlling and tracking versions of CIs. [...]"
Column ISO20k: "8.1" (ISO/IEC :2011(E), p. 21, Chapter 8.1 Incident and service request management): "[...] There shall be a documented procedure for managing the fulfilment of service requests from recording to closure. [...]"

15 Requirements Regarding Existing ISO20k Processes - Examples
Column ISO20k Ext.: "SRM1" (Service Reporting Management): define and establish methods of monitoring usage in order to identify misuse.
Column ISM (+ISO20k): "ISM8" (Information Security Management): define, implement and document rules for the acceptable use of information assets, of assets associated with information, and of information processing facilities.

16 Requirements That Should Be Fulfilled by Implementing New Processes - Examples
Column ACM: "ACM4" (Access Control Management): define, implement and maintain procedures to prepare the allocation of access rights by a formal user registration and de-registration process (-> interface to change management, CHM).
Column EPM: "EPM7" (Employer and Persons Management): update the checkout process. After termination of employment, contract or change ... define and implement agreements regarding the return of assets: employees shall return all organizational assets in their possession upon termination of their contract or agreement; reconcile a procedure for checkout and return of assets and keys; and trigger the deactivation, removal or change of the access rights of employees, contractors or external party users.

17 Conclusion and Discussion
The paper presents a solid starting point for integrating security management into a given service management system:
- ISO27k conformity can be achieved by extending the ISO20k approach with additional SMS- and process-related requirements and with the additionally needed processes that complement the given ISO20k processes
- Benefit of the mapping for a potential ISO27k introductory project: it may assist in assessing and managing the workload
- Formerly non-IT aspects of the organization need to be incorporated into the IT service management system, e.g. the requirements listed for the employer and persons management process
- A more holistic approach towards the management system of an IT organization
Next step: assess this approach in a real-life introductory project at the Leibniz Supercomputing Centre (LRZ)

