Cloud security audit in Japan

Cloud Asia Singapore 15 May 2013

    Presentation Transcript

    • Slide 1: Cloud Security Audit in Japan
      2013 May 15
      Tadashi Nagamiya, Principal Certified Auditor of Information Security
      Japan Information Security Audit Association (JASA), NPO
      Copyright 2013 Japan Information Security Audit Association. All rights reserved.
    • Slide 2: INTRODUCTION
    • Slide 3: Japan Information Security Audit Association (JASA), NPO
      Title: Japan Information Security Audit Association (JASA)
      Established: October 10th 2003
      Purpose: Establishment, maintenance and promotion of the Information Security Audit based on the Authorized Information Security Audit System of METI
      Number of members: 55 firms (April 2013), IT companies and audit firms
      Address: Head Office; Premia Toyo-cho Building 3-23-21, Toyo, Koutou-ku, Tokyo, 135-0016 Japan
      URL: http://www.jasa.jp/
      Chairperson: Norihisa Doi (Professor emeritus of Keio University)
    • Slide 4: Authorized Information Security Audit System
      Assurance and/or consultation services in which an auditor independently and professionally evaluates and verifies the deployment and operational effectiveness of controls based on a risk assessment in order to determine the effectiveness of the information security risk management system. Established by METI 2003.
      [Diagram labels: Objective: investment index, BCP, evaluation, public release; stakeholders: suppliers, customers, citizens; Criteria: international standards (ISO/IEC 27002, etc.), METI notifications (IS Management Standard, IS Audit Standard, Reference for Establishing Information Security Governance); Conformity Assessment for ISMS]
    • Slide 5: JASA's Activities
      [Diagram labels: The Authorized Information Security Audit System (by METI); Industrial Community; Non Profit Organization Japan Information Security Audit Association; Promotion, Technique, Quality, Study, Consultation, Ethics; Auditor; Target companies of Audit; Cooperation; register; Information Security Audit; Information Security Management Standard; Information Security Audit Standard; Registry System for ledger of Information Security Audit Firms]
    • Slide 6: Our Goal
      Developing Secure IT Society Through Information Security Audit
      Promotion of the Authorized Information Security Audit System
      - Develop Standards and Guidelines
      - Study and develop Audit Techniques
      - Plan and Execute Promotional Activities
      - Control Quality of Audit
      Development of Auditors
      - Train Information Security Auditor
      - Develop curriculum
      - Give training courses
      - Test and Certify the auditor
      - Maintain Auditors' Skills
    • Slide 7: Certified Information Security Auditors
      Information Security Auditors have knowledge of information technology and audit.
      Information Security Auditors are working for consulting firms, accountant firms, and companies with information security related certifications or assessments (internal auditor).
      Senior Auditor: 57
      Auditor: 132
      Assistant Auditor: 325
      Subtotal: 514
      Audit Associate*: 246
      Total: 760
      * Experts who help audit, such as attorney, accountant, forensic engineer and IT specialist.
      There are almost 500 certified information security auditors in Japan.
    • Slide 8: CLOUD COMPUTING IN JAPAN
    • Slide 9: Market Penetration of Cloud computing service in Japan
      Penetration ratio is growing.
      [Chart: 2011 (n=2,067) vs 2012 (n=1,892); categories: Using corporate wide; Using in several divisions; Not using, but acceptable to use; Not using and not considering use; Don't know cloud service well]
      (Source) Information and Communication Statistics 2012; MIC http://www.soumu.go.jp/johotsusintokei/statistics/statistics05.html
    • Slide 10: Market penetration gap between US and Japan
      Gaps are still wide.
      [Chart: US vs JP, 0% to 100%; categories: Using/Used; Decided starting date of use; Plan in progress; Considering; Considered and decided not to use; Doing nothing]
      (Source) Information and Communication Statistics 2013; MIC http://www.soumu.go.jp/johotsusintokei/whitepaper/ja/h24/html/nc244210.html
    • Slide 11: Fast adoption of cloud computing service
      Cloud computing service market is growing. Market size in 2014 is double that of 2012.
      JP market is 1% of the world market in 2012.
      Growth rate is 20 – 50% in Japan, 18% in the world.
      [Chart: sales (100 million yen) and annual growth rate (%) for Software as a Service (SaaS), Platform as a Service (PaaS) and Infrastructure as a Service (IaaS)]
      Source: IDC Japan, 11/2012. Not including IT services, such as system development and cloud brokers. SaaS includes application and managed services (system/device management, security and storage service).
    • Slide 12: Main players
      Global: Salesforce, Amazon Web Services (AWS), Windows Azure, Google
      Hosting: KVH, Equinix, Bit Isle, GMO Cloud, Sakura Internet, IDC Frontier, LINK/AT. WORKS, Kagoya Japan, Power and IT@Tokyo, etc.
      Computer vendors / SIers: Fujitsu, NEC, IBM, Hitachi, NTTdata, Nomura Research Institute, IT holdings, Ito Chu Techno Solutions, Shin Nittetsu Solutions, Fuji Soft, SCSK, Canon MJ-IT HD, Kanden System Solutions, etc.
      Communication: NIFTY Cloud, IIJ, NTT Communications, NTTPC Communications, Biglobe Cloud Hosting, KDDI Web Communications, etc.
      Source; BCN Bizline 2012/4/27
    • Slide 13: CLOUD AND SECURITY
    • Slide 14: Reason why companies hesitate to use cloud service
      Concerns focus on security, legal system and compliance.
      Reason not to use cloud service, 2011 (n=727):
      No need: 42.3
      Security concerns: 33.7
      Cost associated with repurposing to cloud: 23.4
      No merit: 22.7
      Unstable network: 15.1
      Restriction on application customization: 10.0
      Cost of communication: 9.4
      Immaturity of legal system: 5.6
      Not compliant with corporate rules: 5.6
      Others: 9.2
      (Source) Information and Communication Statistics 2012; MIC http://www.soumu.go.jp/johotsusintokei/statistics/statistics05.html
    • Slide 15: CLOUD SECURITY ASSURANCE
    • Slide 16: Concept
    • Slide 17: Assurance for information security management
      Information security management assurance is used as a method of assuring that the appropriate countermeasures are designed, deployed and operated to protect information assets.
      [Diagram labels: Management (managing factors defined as risks of information security) issues an Assertion to Customers; the assertion is shown in contracts when using customer data, in explanations for using privacy data, etc.; Controls: physical environment, remote back up, multiplexing, cryptography, ...; Auditor: auditing the deployment and operation of controls being effective as independent expert; Order of Auditing; Audit; Audit Report; Report for Assurance: assuring the assertion is reliable (or not)]
    • Slide 18: Problem of applying assurance to cloud computing
      Assurance requires individual assertions which list detailed countermeasures for information security, and therefore does not fit cloud computing services which offer a standardized pre-set service.
      Assertion: management declares execution of countermeasures as committed to clients. Management needs to define each assertion for each client, or provide a public announcement of security countermeasures.
      Assurance: auditing the deployment and operation of controls being effective by independent expert.
      1. Provider: disclosure of detailed countermeasures may cause new vulnerabilities; the provider decelerates execution of committed countermeasures; a customized explanation for each client is a large burden.
      2. Customer: difficult to identify remaining risks without detailed information of countermeasures ("Is it secure?").
      [Diagram labels: Cloud provider; Cloud Customer; Auditor; Audit Report; countermeasures: Isolation, Firewall, Monitoring, SLA, Mgmt. System, Remote backup, Multiplexing, Cryptograph, Monopolizing, ...]
    • Slide 19: Defining basic requirement for assertion
      - Basic requirements for managing risk need to be defined for general information assets.
      - A simple assertion format is defined without showing detailed countermeasures.
      - The Customer can make additional requirements and audit rights by special agreement.
      Basic assertion: declaration stating that the basic requirements are satisfied.
      Special assertion: declaration stating that the additional requirements of a customer's special request are satisfied.
      Cloud information security standard: defines the basic requirements. Based on "Information security management guidelines for the use of cloud computing services", METI, based on ISO 27002:2006.
      Merit for provider: small risk to declare. Merit for Customers: easy to assess risks of cloud computing service.
      [Diagram labels: Cloud provider; Cloud Customer; countermeasures: Isolation, Firewall, Monitoring, SLA, Mgmt. System, Remote backup, Multiplexing, Cryptograph, Monopolizing, ...]
    • Slide 20: Basic Assertion (Draft)
      Assertion of Information Security Management for Cloud Computing Service
      Year/Month/Day
      xxxx Corporation, COO of cloud service xxxxxxx
      xxxx Corporation assesses information security management for xxxxx Cloud Computing Service on Year/Month/Day, based on the Information Security Standard for Cloud Computing (NPO Japan Information Security Audit Association, August 2012).
      We declare we have adopted and are satisfying the Basic Requirements of the Assertion for Cloud Computing Service, based on the result of the assessment.
      We are responsible for the management, monitoring of management conditions and assessment of the information security for xxxxx Cloud Computing Service.
      Scope of the assertion
      Scope: xxxxx Cloud Computing Service
      Risks to be mitigated: H04 Shortage of resource
      Risks above are selected from the Basic Requirements of the Assertion for Cloud Computing Service in the Information Security Standard for Cloud Computing II.2.
    • Slide 21: Cloud assurance framework
      Assertion verified by cloud information security audit fits cloud computing by defining basic assertion requirements of information security and complying with special assertion requirements requested by each Customer.
      Basic assertion: risk management for general use of cloud; announced to all users; audited per service; focuses on mitigating high and middle risks.
      Special assertion: risk management for more important information in cloud; shown to each Customer and could be added; audited per customer.
      Assurance: auditing the deployment and operation of controls being effective by independent expert.
      Merit to auditor: efficient auditing on basic requirements.
      [Diagram labels: Cloud Customer; Cloud Provider; Auditor; Audit Report]
    • Slide 22: Risks related to Cloud Computing Service
    • Slide 23: Cloud Computing Service Specific Risks (High, 6 items)
      No. | Name of risk | Explanation
      H01 | Impacts increased due to highly aggregated computing resources and infrastructures | The impact of a failure using virtual technology, which aggregates N virtual machines into one physical host, is N times larger than in normal computing. And the impact of a failure in a data center becomes large when many Customer environments are concentrated in a single data center for efficiency of infrastructure. For instance, a misconfiguration at the network layer in a data center can become a disaster that results in a major cloud system outage.
      H02 | Mismatch between virtual and physical systems in design and operation phase | Because virtual technology enables the oversubscription of capacity, the conventional knowledge for design, operation and management of computers and networks cannot be applied to systems utilizing virtual technology in some cases. E.g. the summation of virtual resources is not equivalent to the summation of physical resources, as software does not correspond to a physical host, and the VLAN design of a virtual switch is different from a physical switch. Enlarging the scale and complexity of computers and networks which straddle virtual and physical resources risks causing an unexpected failure or large incident.
      H03 | Loss of business reputation due to co-tenant activities | Equivalent to ENISA No.4
      H04 | Resource exhaustion (under or over provisioning) | Equivalent to ENISA No.8
      H05 | Isolation failure | Equivalent to ENISA No.9
      H06 | Compromise of service engine | Equivalent to ENISA No.19
    • Slide 24: Cloud Computing Service Specific Risks (Middle & Low, 15 items)
      No. | Name of risk | Explanation
      Medium risk
      M07 | Cloud provider malicious insider - abuse of high privilege access | ENISA No.10
      M08 | Management interface compromise (manipulation, availability of infrastructure) | ENISA No.11
      M09 | Intercepting data in transit; data leakage on up/download, intra-cloud | ENISA No.12, ENISA No.13
      M10 | Insecure or ineffective deletion of data | ENISA No.14
      M11 | Distributed denial of service (DDoS) | ENISA No.15
      Low risk
      L12 | Lock-in | ENISA No.1
      L13 | Loss of governance | ENISA No.2
      L14 | Supply chain failure | ENISA No.7
      L15 | Economic denial of services (EDoS) | ENISA No.16
      L16 | Loss of encryption keys | ENISA No.17
      L17 | Execution of illegal exploring/scanning | ENISA No.18
      L18 | Subpoena and e-discovery | ENISA No.21
      L19 | Risk from changes of jurisdiction | ENISA No.22
      L20 | Data Protection risks | ENISA No.23
      L21 | Licensing Risks | ENISA No.24
    • Slide 25: Develop basic requirement of information security for cloud service
    • Slide 26: Process to definition of basic requirements
      [Diagram labels: ENISA risks of cloud (21 items); Information security management guidelines for the use of cloud computing services (METI); Discussion by experts, providers and Customers; Reviewing from the viewpoint of the provider; Information security management standard for cloud computing; Annex: Table of risk and countermeasures for cloud service; Guidebook for cloud information security; Basic requirements for information security of cloud computing]
      ENISA: "Cloud Computing - Benefits, risks and recommendations for information security", European Network and Information Security Agency, November 2009.
    • Slide 27: Model of Cloud composition
      [Diagram: Data Center containing a physical router, physical switches (L2/L3/L4/L7, etc.), physical storage, a service manager, and hosts (physical servers) with CPU, memory and NIC; on each host a virtual machine monitor (virtualization engine) runs virtual machines with virtual NICs, connected by virtual switches to virtual networks and virtual storage; VM/process of operating Customer VM; Internet]
    • Slide 28: [Reference] Model of Cloud Computing
      [Diagram: Cloud Computing Layer Model; System Structure of Cloud Computing; Area of Standardized IS Management]
      - Low level layers are the critical area for security.
      - Cloud specific risks are mostly technological factors, which are in the covered area.
      - Controls for upper layers depend on service models, such as SaaS, PaaS, IaaS and so on.
    • Slide 29: Cloud Computing Layer Model
      Layer model to define technical controls clearly.
      User layer
      Service layer (SaaS / PaaS / IaaS / etc.)
      Virtualized layer: Virtual Resource Layer (Virtual Machine / Virtual Storage / Virtual Network / etc.); Virtualizing Function (Hypervisor / Host OS)
      Physical layer: Hardware (Server / Storage / Network / etc.); Facility (HVAC / Power / Communication / etc.)
      Service Management System (Orchestration / BCP / DR / Monitoring / Operation / Security)
      [Diagram also marks the Area of Standardized IS Management]
    • Slide 30: Information security management standard for cloud service
      Cloud service specific standard for assuring security management of cloud services, in the Authorized Information Security Audit System, which encourages cloud usage by creating a fair market. It is composed of three categories: Governance Standard, Management Standard and Control Standard.
      Governance Standard
      - Defines factors for Direct, Monitor, Evaluate, Oversee and Report in information security governance.
      - Note: it is important for the cloud Customer that the cloud provider establishes information governance.
      - Factors are based on Guidance of introducing Information Security Governance (2009; METI).
      Management Standard
      - Added risk communication factors to plan, do, check and act in the information security management factors.
      - Items are based on ISO 27001:2005, ISO 27002:2006 and ISO 27005:2008.
      - Items selected considering wide users, such as organizations aiming to have ISO 27001 certification, bodies which are building an original ISMS, information security audit firms and organizations having an information security audit.
      Control Standard
      - Aiming to give alternatives which an organization selects under its risk mitigation policy, in the phase of establishing information security management.
      - Items are set by experts adding on ISO 27001:2005 Annex A "Objectives and controls", ISO 27002:2006, and "Information security management guidelines for the use of cloud computing services".
      - Considering consistency with "Items recommended to cloud providers to do" in "Information security management guidelines for the use of cloud computing services".
      - Adding cloud specific items to the 2008 "Information Security Management Standard" by METI.
    • Slide 31: Information security management standard for cloud service
      Cloud Customers have to locate and operate information processing systems in an area which they cannot govern. Customers can manage the risks of an environment in which they cannot control computer resources and information by confirming the following points:
      1. Provider establishes information security governance
      2. Provider manages information security appropriately
      3. Provider has efficient risk communication to Customers when an incident occurs, and so on.
      The cloud information security standard adds the categories of information security governance and risk communication, and revises controls for cloud computing specific matters in the information security standard (based on ISO 27001 and 27002).
      [Diagram: Information Security Management Standard: IS Management Items (62), IS Control Items (1152). Information Security Management Standard for Cloud Computing: Cloud IS Governance Standard with IS Governance Items (6); Cloud IS Management Standard with IS Management Items (62) and Risk Communication Items (4); Cloud IS Control Standard with IS Control Items (1152, several items revised) and Cloud Specific Controls (236)]
    • Slide 32: Table of Risk and countermeasures
      RISK H01: Expanding damages caused by high concentration of resources and infrastructure
      Controls to mitigate a risk vary according to layer. Controls for each layer are listed, so that any operator can know what to do.
      Columns: Layer | Target level | Risks of concern (threats; vulnerabilities) | Point of measures by cloud service providers | Corresponding terms in information security standard | Remaining risks
      Virtualized Layer / Resource Layer | A partial failure or a local disaster does not cause a large interruption of service | threats: bugs, ...; vulnerabilities: a structure enabling an event to cause a chained response, ... | Stopping the chain of failures | 6.3.2.2 The mechanisms to ensure that the requirements and criteria for acceptance of new systems ...; 6.3.2.3 ... | Occurrence of unexpected trouble
      Function Layer | | vulnerability: single point of failure (the interruption of that point causes the interruption of most of the system) | Dividing the cloud system into multiple parts to avoid full interruption of the cloud service | C.2.1.1 ... the information processing facilities using virtual technology should be virtualized as multiple parts | Troubles occurring simultaneously
      Physical Layer | | threats: operational error, ... | Enlarging redundancy of the cloud system so as not to interrupt the cloud service | 6.6.1.16 The network used in a system which cannot be allowed to stop should be redundant; C.1.1.1 ... | Synchronous troubles of redundant parts
      Service Management System | | | Dividing the cloud system into multiple parts to avoid full interruption of the cloud service | C. ... the information processing facilities using virtual technology should be virtualized as multiple parts | Troubles occurring simultaneously
    • Slide 33: Customer's easy selection by assured "Basic Assertion"
      Items of "Basic requirements for cloud provider" are selected from the risk and controls table made by experts (example: H01 Expanding damages caused by high concentration of resources and infrastructure).
      Requirements for basic assertion of cloud information security management: the basic requirements focus on eleven risks, high and medium level, selected from the twenty-one risk items.
      High risk: H01 Increasing impacts of highly aggregated computing resources and infrastructures; H02 Mismatch between virtual and physical systems in design and operation phase; H03 Loss of business reputation due to co-tenant activities; H04 Resource exhaustion (under or over provisioning); H05 Isolation failure; H06 Compromise of service engine
      Medium risk: M07 Cloud provider malicious insider (abuse of high privilege roles); M08 Management interface compromise (manipulation, availability of infrastructure); M09 Intercepting data in transit, data leakage on up/download, intra-cloud; M10 Insecure or ineffective deletion of data; M11 Distributed denial of service (DDoS)
      - The cloud information security management standard Annex defines "Basic requirements for cloud provider", which are the necessary controls deployed and operated for declaring the "Basic assertion for Information Security for Cloud Service".
      - The "Basic assertion for Information Security for Cloud Service" shows that top management declares executing appropriate risk management.
      - Cloud audit assures the "Basic assertion for Information Security for Cloud Service" by top management of the cloud provider.
      - Cloud Customers select a secure cloud service having an assured "Basic assertion for Information Security for Cloud Service".
      Declaration of the basic assertion is the provider's commitment to managing medium risk and above.
    • Slide 34: Requirements for Basic Assertion
      [Diagram: Information Security Management Standard for Cloud Computing: IS Governance Items (6); IS Management & Risk Communication Items (66); IS Control Items (1388). Requirements for basic assertion (basic items such as policy, and controls for high and medium risk): IS Governance Items (6); IS Management & Risk Communication Items (66); IS Control Items (894)]
    • Slide 35: Customer should mitigate residual risks
      There is never "no risk", even if all items related to the cloud information security management standard are executed. Inevitable risks exist such as an act of God, due to limitation of technologies, etc. Top management of the provider can declare basic assertions as long as risks are managed to a low level. Cloud Customers should recognize these risks, and should take action to mitigate them.
      Risks of cloud service covered by the provider declaring the basic assertion: increasing damage of incident due to high concentration of resources; failure of isolation; abuse of privileges/internal dishonesty. (Risks addressed by countermeasures under the basic assertion, e.g. impact of high aggregation, isolation failure, internal misconduct, form the basic part of information security countermeasures.)
      Other risk examples: jurisdictional risk due to different judicature; user lock-in; zero-day attack; damage before detection.
      [Diagram: whole risks of cloud service; risks mitigated under basic assertion; managed risks by implementing countermeasures based on the entire information security management standard for cloud computing (covered area of items of standard); inevitable risks; residual risks]
    • Slide 36: Special Assertion
      - The special assertion declares that the provider executes countermeasures committed to a specific customer, adding on the basic requirements.
      - The special assertion gets assured based on cloud information security audit by order of each customer that requests special treatment for information security management of the cloud service.
      [Diagram: Cloud security management standard (Governance standard, Management standard, Control standard); Basic assertion: Governance standard, Management standard and the basic part of the Control standard (committed area by basic assertion); Special assertion: Governance standard, Management standard and the Control standard basic + requested parts (part depending on the request), the committed safer area by special assertion; Other; special items over ISO 27002 can be added]
    • Slide 37: Complex communication for existing information security audit
      The Customer has to check the disclosed security information in order to confirm it with the provider and in order to audit. If for example there are 10 processes, this is significant additional work for the cloud provider and cannot be considered trivial work.
      Process between Cloud Customer, Cloud provider and Auditor:
      1. Provider discloses information
      2. Customer checks acceptability of risks
      3. Customer requests detailed information
      4. Provider accepts the request
      5. Provider discloses additional information
      6. Customer lists up items for audit
      7. Auditor performs audit activities
      8. Provider discloses information for audit
      9. Auditor reports the audit
      10. Customer reads the audit report, then uses the cloud service
      Inputs: Information security management standard for cloud computing; Implementation guide for user; Implementation guide for provider; Assertion.
      Problem 1: hard to understand without enough knowledge. Problem 2: due to the variation of requests it is difficult to respond in a timely manner.
    • Slide 38: Basic assertion makes it simple and easy
      Check the basic assertion, then use the cloud!
      1. Each service has been audited before the assertion is released.
      2. Provider does and assesses the controls: deploying and operating the controls defined in the basic requirements for cloud provider; assessing that the controls are effective.
      3. Assertion is verified by the auditor; the basic assertion is announced and assured.
      Customer decides to use the cloud service.
    • Slide 39: Special assertion makes securer service easy to set
      It is easier for the Customer to add special requests to the basic requirements than to define all items required to perform. The provider easily selects controls using the "Table of risk and countermeasures".
      Process between Cloud Customer, Cloud provider and Auditor:
      1. Basic control sets (basic requirements for cloud provider; assured basic assertion)
      2. Residual risks are clear
      3. Customer requests mitigation for remaining risks
      4. Provider researches risk and countermeasures (easy to select controls for requested risk mitigation using the Table of risk and countermeasures)
      5. Provider selects additional controls and discloses them
      6. Auditor plans audit items for additional controls
      7. Audit activity
      8. Provider discloses information requested by auditors
      9. Report of audit
      10. Customer reads the audit report and decides to use the cloud service
      Result: assured special assertion.
    • Slide 40: Promotion of Audit
    • Slide 41: Study group for Cloud Information Security Audit
      Established December 4th, 2012. 39 companies (40 on March 31st), including Japan subsidiaries of US firms.
      ► Cloud provider: 32 companies
      − Communication (12): NTT, KDDI, IIJ, etc.
      − System integration (18): Fujitsu, Hitachi, NTTdata, etc.
      − Cloud dedicated company (1): SalesForce.com
      ► Other related
      − Accountant (2): Ernst&Young, PWC
      − Security service (7): NRIsecure, MIND, etc.
      Chairperson: Professor Eijiro Ohki, Kogakuin University
      Assistant Chairperson: Doctor Koji Nakao, KDDI & NICT; ISO/IEC JTC1 SC27 Japan Committee WG4 Chairperson; ITU-T SG17 Assistant Chairperson
    • Slide 42: New system for Auditing: Cloud Providers' Concerns
      Smaller investment
      ► Lots of certifications: ISO/IEC 27001, SSAE16 for SOX, PCI-DSS
      − These costs are only transferable to clients such as financial institutions.
      ► No scheme for service oriented certification
      ► Small margin (business of cheap service to big numbers of customers)
      Having enough auditors with knowledge of cloud computing technology
      ► It's a brand new technology.
      ► It is still changing rapidly.
      ► It is being operated globally.
      ► The size of operation is big.
    • Slide 43: New system for Auditing
      Goal: making internal audit auditable.
      Solution
      ► Train cloud engineers as auditors (qualification)
      ► Standardized procedure, standardized format for auditing and certification of skill
      Internal audit enforcement: Internal Audit Toolkit (standard audit procedure; standard audit forms; audit guide book for engineers); Qualification of Auditor (certified assistant auditor and upper levels).
      Internal audit assessment by independent auditor.
    • Slide 44: System of Cloud Information Security Audit
      [Diagram: Cloud Provider: manager, internal auditor, internal audit procedure, audit documents, sign; Requirements for Basic Assertion (disclosed); Assertion; Assessment of internal audit; Assessment of external audit; TRUST; Cloud Customer; Internal audit standardization: procedure, documents format, qualification; Research; Qualification]
    • Slide 45: New area of Cloud information Security Assessment
      Assessment level / contents (from ambiguity to severity):
      - ISO/IEC 27001 Certification: not cloud specific; internal audit depends on the certificates, which is not enough.
      - Internal Audit Assessment under standardized procedure: cloud specific controls; assurance of standardized internal audit with certain reliability.
      - Internal Audit with validity which is assured by external auditor: indirect assurance by external auditor, which is reliable and in which most providers participate.
      - External Audit Assessment (e.g. SOC2, SOC3): clear assurance, but few providers participate and the scope is limited.
    • Standard Audit Procedure (slide 46)
      Standard audit procedures for the Cloud Information Security Control Standard (covering risks H01 to H06), Ver. 1.0.1
      Columns: Control | Control in detail | No. | Subject to be assessed | Method | Procedure | Remarks | Reference
      Control C.1.1: Information processing facilities (including those involved in providing the cloud service, those providing the cloud service, and those provided as the cloud service) shall be made redundant so that the loss of some functions does not stop the cloud service.
      Control in detail C.1.1.1: So that the loss of function of some information processing facilities (physical servers, physical storage, physical network equipment, communication cables, access lines, etc.) does not stop the cloud service, make the information processing facilities redundant.
      1 | Design documents of the information processing facilities | Inspection (review) | Confirm that the facilities whose loss of function could stop the cloud service have been identified.
      2 | Design documents of the information processing facilities | Inspection (review) | Confirm that the design is redundant so that no single point of failure exists among the facilities.
      3 | Information processing facilities | Observation (site visit) | Confirm that the facilities are installed, cabled and configured redundantly.
      4 | Configuration of the information processing facilities | Observation (site visit) | Confirm that the redundancy functions of the facilities are configured.
      5 | Test records, inspection records and operation records of the facilities | Inspection (review) | Confirm that records exist of the redundancy functions having been exercised (test runs, periodic inspection, live operation, etc.).
      6 | Information processing facilities | Re-performance | Confirm that the redundancy functions of the facilities work.
      Control in detail C.1.1.2: So that the loss of some management functions (cloud controller, cloud service manager, etc.) does not stop the cloud service, make the information processing facilities that provide the management functions redundant.
      1 | Design documents of the facilities providing management functions (cloud controller, cloud service manager, etc.) | Inspection (review) | Confirm that the facilities whose loss of management function could stop the cloud service have been identified.
      2 | Design documents of the facilities providing management functions | Inspection (review) | Confirm that the design is redundant so that no single point of failure exists among the facilities providing management functions.
      3 | Facilities providing management functions | Observation (site visit) | Confirm that the facilities providing management functions are installed, cabled and configured redundantly.
      Remarks: A cloud provider's system for delivering cloud services consists of the information processing facilities that form the basis of service provision (physical servers, physical storage, physical network equipment, communication cables, access lines, etc.) and the information processing facilities that manage them (cloud controller, cloud service manager, etc.). If any of these lacks redundancy, it can become a single point of failure. Redundancy schemes generally include active redundancy, in which all means are intended to operate at the same time, and standby redundancy, in which some means operate while the others stay idle until needed. For IaaS using virtual machines, the schemes include fault tolerance, in which two identically configured virtual machines always run simultaneously; failover, in which, on detecting a failure, a virtual machine of the same configuration is automatically started on another physical machine and operation continues; and switchover, in which live migration is performed manually. They differ in operating conditions, length of downtime, and whether transactions can be continued. All of these schemes are characteristic of IaaS configurations that use multiple physical servers, but note that unless the facilities other than physical servers (physical storage, physical network equipment, communication cables, access lines, etc.) are each also made redundant, single points of failure are not eliminated. In particular, in a large data center the internal network connecting many physical servers and storage units is large and complex, and a failure in the design of detour routes or in the operation of route switching can cause a large-scale outage at the data-center level.
      (Source labels: Cloud Security Control Standard, controls edition; Standard audit procedures for the Cloud Information Security Control Standard, controls edition; Cloud control standard / Cloud detailed controls.)
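Step 2 of procedure C.1.1.1 (and C.1.1.2 for the management functions) asks the auditor to confirm that no single point of failure exists in the design. The following added example, which is not part of the JASA toolkit, turns that design review into a repeatable check: a constructed facility topology is modelled as a graph, each facility is removed in turn, and the service counts as stopped when any required role (server, storage, controller) is no longer reachable from the surviving access lines. All facility names and links are constructed for the example.

```python
"""Single-point-of-failure check over a constructed facility topology."""
from collections import deque

# Constructed topology: undirected links between facilities. Customers
# enter at the access lines; the service needs at least one reachable
# physical server, one storage node and one cloud controller.
LINKS = [
    ("access_line_1", "edge_router_1"), ("access_line_2", "edge_router_2"),
    ("edge_router_1", "core_switch"), ("edge_router_2", "core_switch"),
    ("core_switch", "server_1"), ("core_switch", "server_2"),
    ("server_1", "san_switch_1"), ("server_2", "san_switch_2"),
    ("san_switch_1", "storage_1"), ("san_switch_2", "storage_2"),
    ("core_switch", "controller_1"),  # single controller: a C.1.1.2 gap
]
INGRESS = ("access_line_1", "access_line_2")
ROLES = {"server": ("server_1", "server_2"),
         "storage": ("storage_1", "storage_2"),
         "controller": ("controller_1",)}

def reachable(links, start_nodes, removed=frozenset()):
    """Breadth-first search from the surviving ingress points."""
    adj = {}
    for a, b in links:
        if a in removed or b in removed:
            continue
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen = {n for n in start_nodes if n not in removed}
    queue = deque(seen)
    while queue:
        n = queue.popleft()
        for m in adj.get(n, ()):
            if m not in seen:
                seen.add(m)
                queue.append(m)
    return seen

def service_available(links, ingress, roles, removed=frozenset()):
    """The service is up if every role has at least one reachable member."""
    seen = reachable(links, ingress, removed)
    return all(any(n in seen for n in members) for members in roles.values())

def single_points_of_failure(links, ingress, roles):
    """Every facility whose loss alone stops the service (audit finding)."""
    nodes = {n for link in links for n in link}
    return sorted(n for n in nodes
                  if not service_available(links, ingress, roles, frozenset({n})))

if __name__ == "__main__":
    print(single_points_of_failure(LINKS, INGRESS, ROLES))  # ['controller_1', 'core_switch']
```

The two findings map onto the procedure: the lone core switch is the network-level single point of failure the remarks warn about, and the lone controller is exactly what C.1.1.2 requires to be made redundant.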
    • Example (slide 47)
      Info. Sec. Standard, controls in detail | Standard procedure for audit: No. | Material for evidence | Method | Procedure | Remarks | Reference
      6.3.2.3 The safeguard system should be stated in "Requirements and Standards of new system acceptance", so that trivial incidents do not cause an incident chain that results in an interruption of the cloud service.
      1 | Standard for system development; standard for system acceptance | Review | Confirm that the safeguard system is stated in "Requirements and Standards of new system acceptance". | The safeguard system should satisfy control 6.3.2.1. | Example of the assessment procedure for the safeguard system: review whether the system design document states the protection mechanism against incident chains; execute the system acceptance test, which shows the protection mechanism against incident chains working.
      2 | System developer; system acceptance manager | Interview | Confirm that the execution of acceptance complies with the procedure defined as the safeguard system in the system acceptance process. | The safeguard system should satisfy control 6.3.2.1. |
    • Document forms (slide 48)
      [Diagram of the five audit document forms and their fields. Legend: documents for which a standard is to be created in the pilot audit; items each company formulates following the standard (with minor changes); documents to be disclosed in the pilot audit.]
      Assertion (disclosed): body; target; risks; policy; control standard, adoption (yes/no), controls
      Audit plan (basic audit plan / implementation plan): purpose; scope; control standard used as the yardstick; period and dates; phases; audit objectives; priority items; management structure; body; time and place of implementation; auditors; outline of audit procedures; implementation plan
      Audit procedure document: control, technique, individual audit procedure (the standard audit procedures detailed for the company's own organization; adoption can be decided at the four-digit control level)
      Audit record (working papers including evidence; not disclosed, format at each company's discretion): individual audit procedure, audit contents / evidence / judgment (e.g. ○, △); checklist of individual audit procedures
      Audit report (assurance report format): introduction section; summary section; opinion section; audit procedures and judgments (control, individual audit procedure, judgment)
      Supporting information: basic plan information (control standard items: purpose, control standard, detailed controls, e.g. 1. / 1.1.1 / 1.1.1.1); standard audit procedures (main subject, technique, audit procedure), from which audit procedures matching the organization's controls are formulated; audit technology guide (implementation examples of audit procedures, audit methods); conformance reference numbered by risk level (High: H01, Medium: M07, Low: L12). Relations between documents: related (n:m), detailed (1:1), exemplified (n:m), selected/extracted.
      Document set: Assertion, Audit Plan, Audit Procedure, Audit Record, Audit Report; each is either disclosed or limited.
    • Guide book of Cloud Information Security Audit for Engineers (slide 49)
    • Contents (slide 50)
      Chapter | Title | Contents
      1 | Outline | Background, target readers, terms and references
      2 | Documents | The role of the guide among the related documents
      3 | Cloud Computing Model | Explanation of the general/typical structure of cloud computing technology, which is applied to the development of the information security management standard for cloud computing. It is a layer model of the layers below: physical layer; virtualized layer; service management system
      4 | Guide | Implementation and assessment guide for technologies based on the general/typical structure of cloud computing technology. 4.1 Physical Layer; 4.2 Virtualized Network Layer; 4.3 Virtualized Server Layer; 4.4 Virtualized Storage Layer; 4.5 Service Management System
      5 | Closing | Authors' comment
    • Structure (slide 51)
      Implemented general/typical technologies of components ► example of applied technological controls for information security ► audit example for the controls
    • Example of contents (slide 52)
      4.4 Virtualized Storage Layer ... 4.4.1 Virtualized Functional Storage Layer ... (1) Isolation between tenants ...
      Info. Sec. Standard in detail (corresponding to the information security standard for cloud computing) | Implementation example | Object to be assessed (guidance for audit)
      6.10.3 Logs, and information about the logs, related to the cloud computing service should be protected from manipulation and unauthorized access ... | ① Stamp the time on the logs. ② Keep the logs in WORM (Write Once Read Many) storage. | ① Assess the certification of time: Is the time stamp created by a certified authority and under a certified procedure? Is the time stamp in the log authentic?
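Control 6.10.3 above pairs time stamping with WORM storage so that an auditor can tell whether a log was manipulated after the fact. The following added example, which is not from the guide book, shows the re-performance side of that check in a simplified model: each entry carries a timestamp and an HMAC over the previous entry's tag, the timestamp and the message, so that altering, back-dating or reordering an entry breaks the chain. The shared key stands in for the certified time-stamping authority the slide refers to, which this example does not implement; the log lines are constructed.

```python
"""Tamper-evident log verification, as an auditor might re-perform it."""
import copy
import hashlib
import hmac
import json

# Constructed demo key. In the real control this secret would be held by
# the time-stamping authority or log service, never by the tenant.
KEY = b"constructed-demo-key"

def append(log, timestamp, message, key=KEY):
    """Chain a new entry to the previous one through an HMAC tag."""
    prev = log[-1]["tag"] if log else ""
    body = json.dumps([prev, timestamp, message])
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    log.append({"ts": timestamp, "msg": message, "tag": tag})

def verify(log, key=KEY):
    """Return (ok, index of the first bad entry or None).

    An entry is bad if its tag does not match its content and predecessor,
    or if its timestamp runs backwards (a back-dated or reordered record).
    """
    prev, last_ts = "", 0
    for i, entry in enumerate(log):
        body = json.dumps([prev, entry["ts"], entry["msg"]])
        expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry["tag"]) or entry["ts"] < last_ts:
            return False, i
        prev, last_ts = entry["tag"], entry["ts"]
    return True, None

def build_sample_log():
    """Constructed storage-layer audit trail for two tenants."""
    log = []
    append(log, 1368594000, "tenant A: volume vol-01 attached")
    append(log, 1368594060, "tenant B: volume vol-02 attached")
    append(log, 1368594120, "tenant A: volume vol-01 detached")
    return log

def tampered_copy(log):
    """Rewrite one entry after the fact, as a manipulated log would look."""
    bad = copy.deepcopy(log)
    bad[1]["msg"] = "tenant A: volume vol-02 attached"
    return bad

if __name__ == "__main__":
    good = build_sample_log()
    print(verify(good))                  # (True, None)
    print(verify(tampered_copy(good)))   # (False, 1)
```

Because every tag depends on its predecessor, the auditor only needs the first entry's tag and the key holder's confirmation to re-verify an entire WORM-stored log.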
    • Example of contents (slide 53)
      6.3 Virtualized network layer ... 6.1 Virtualizing Function ... (2) Development and Acceptance of System Plan ...
      Info. Sec. Standard in detail (corresponding to the information security standard for cloud computing) | Implementation example | Object to be assessed (guidance for audit)
      6.3.1 System planning and acceptance ... | Divide a system into component units to limit the influence range of a system failure. | Read the specifications and confirm that the system is divided into component units.
    • Pilot Audit (slide 54)
      12 providers start the pilot audit using the toolkit
      First phase (April)
      ► Choose one of the high-risk items
      ► Trial audit within a month
      ► Review the audit result
      Second phase (to this fiscal year end)
      ► Update the toolkit
      ► Scope of high- and medium-risk items
      ► Test of external audit
      Goal
      ► Establishment of the cloud audit system
    • Participants (slide 55)
      No. | Company | Services
      1 | FUJITSU LIMITED | Fujitsu Global Cloud Platform FGCP/S5
      2 | Hitachi, Ltd. | Harmonious Cloud Platform Resource Service
      3 | Information Services International-Dentsu, Ltd. | CLOUDiS
      4 | Internet Initiative Japan Inc. | IIJ GIO Service
      5 | ITOCHU Techno-Solutions Corporation | ElasticCUVIC Service
      6 | NIFTY Corporation | NIFTY Cloud
      7 | NTT Communications Corporation | Biz Hosting Enterprise Cloud; BizHosting Cloudn
      8 | NTT COMWARE CORPORATION | SmartCloud(R) Resource Pool
      9 | NTT PC Communications Incorporated | WebARENA VPSCloud
      10 | NTT SMARTCONNECT CORPORATION | Smart Connect VPS; Smart Storage
      11 | NIPPON TELEGRAPH AND TELEPHONE EAST CORPORATION | Biz Hikari Cloud Anshin Server Hosting; Biz Hikari Cloud Anshin Data Backup
      12 | salesforce.com Co., Ltd. | Salesforce CRM; Salesforce Platform
    • Result of Pilot Study (Interim) (slide 56)
      7 of the 12 companies answered our questionnaire.
      Q1. What impact do you think the pilot audit has? (SQ1: enhancement of ISMS; SQ2: internal audit level-up)
      Answer | SQ1 | SQ2
      strongly effective | 1 | 1
      effective | 3 | 5
      neutral | 2 | 1
      seldom effective | 1 | 0
      never effective | 0 | 0
      Total | 7 | 7
      Q2. How do you rate each audit tool we developed? (SQ1: standard procedure; SQ2: guide book; SQ3: audit format)
      Answer | SQ1 | SQ2 | SQ3
      very easy to use | 0 | 1 | 0
      easy to use | 5 | 2 | 4
      neutral | 1 | 4 | 2
      hard to use | 1 | 0 | 1
      very hard to use | 0 | 0 | 0
      Total | 7 | 7 | 7
      Q1-SQ1: The audit scope of 3 companies is narrow. Two of them say "neutral"; one says "seldom effective".
      Q2-SQ2: The 4 auditors who contributed to developing the guide book say "neutral".
    • Next Steps (slide 57)
      Contribution to international standards
      ► ISO/IEC 27017
        − Comments as providers
        − Proposal of cloud-specific controls
      ► Proposal of a New Work Item for cloud security technology
        − Cloud security technology for implementation and assessment
        − Based on "Guide book of Cloud Information Security Audit for Engineers"
      Execution of the cloud information security audit
      ► Starting from FY 2014 (planned)
      ► Establishing a new organization: Cloud Security Promotion Alliance (tentative name)
        − The end of this May
        − Developing new controls and assessment technologies based on facts
        − Researching information security failures (future)
    • Thank you! (slide 58)
      Tadashi Nagamiya