UNINFO - BIG DATA & Information Security Standards - Guasconi


Fabio Guasconi presented the relationships between BIG DATA and Information Security Standards at the 3rd ESA International Security Symposium.


  1. BIG DATA & Information Security Standards. 3rd ESA International Security Symposium (ISS), Frascati, February 14th 2017.
  2. Speaker: Fabio GUASCONI
     - UNINFO board of directors
     - UNINFO CT 510 "Security" chairman
     - UNINFO CT 526 "APNR" member
     - CLUSIT board of directors
     - CISA, CISM, PCI-QSA, ITIL, ISFS, Lead Auditor 27001 & 9001
     - Partner and co-founder, BL4CKSWAN S.r.l.
  3. Agenda
     - Information security standardization introduction
     - Main information security standard frameworks
     - Big data related standardization initiatives
     - Standards and policies relationship
     - Conclusions
  4. Agenda (repeated as section divider: Information security standardization introduction)
  5. Standard? What is it? From EU Regulation 1025/2012: "Standard" means a technical specification, adopted by a recognised standardisation body, for repeated or continuous application, with which compliance is not compulsory, and which is one of the following:
     (a) "International standard" means a standard adopted by an international standardisation body
     (b) "European standard" means a standard adopted by a European Standardisation Organisation
     (c) "Harmonised standard" means a European standard adopted on the basis of a request made by the Commission for the application of Union harmonisation legislation
     (d) "National standard" means a standard adopted by a national standardisation body
  6. Standardization process
     - Phases: Need, Preliminary inquiry, Document development, Final inquiry, Publication
     - ISO stages: 00 Preliminary stage, 10 Proposal stage, 20 Preparatory stage, 30 Committee stage, 40 Enquiry stage, 50 Approval stage, 60 Publication stage
     - Document types along the stages: NWIP, WD-CD, DIS-FDIS, IS
     - Stages 00-20: experts comment; stages 40-60: national bodies comment
  7. Who develops standards? Additionally we have all "fora" and consortia like: W3C, IEEE, IETF, OASIS, UN/CEFACT ...
  8. ISO/IEC JTC 1 SC 27's activities (diagram of working groups WG 1 to WG 5)
  9. Agenda (repeated as section divider: Main information security standard frameworks)
  10. Services certification: ISO/IEC 27001 is the worldwide reference standard for the certification of Information Security Management Systems (ISMSs). It leads to systematically applying a set of defined processes and security controls depending on a risk management approach.
     - First ISO edition: 2005
     - Certified organizations (2016): 27536
     - ISMS clauses: Context, Leadership, Planning, Support, Operation, Performance Evaluation, Improvement
  11. Products certification: ISO/IEC 15408 transposes the dominant Common Criteria approach for certifying the security of products since 1999.
     - First ISO edition: 1999
     - Certified products (2016): 2618
     - EAL1 - functionally tested
     - EAL2 - structurally tested
     - EAL3 - methodically tested and checked
     - EAL4 - methodically designed, tested and reviewed
     - EAL5 - semi-formally designed and tested
     - EAL6 - semi-formally verified design and tested
     - EAL7 - formally verified design and tested
  12. Agenda (repeated as section divider: Big data related standardization initiatives)
  13. Overview (group and its deliverables)
     - ISO/IEC JTC 1/SC 32: e-Business standards, including role negotiation; metadata repositories, model specification, metamodel definitions; SQL; and object libraries and application packages built on (using) SQL.
     - ISO/IEC JTC 1/SC 38: Cloud Data Management Interfaces, Open Virtualization Format, Web Services Interoperability.
     - ITU-T SG13: Cloud computing based big data requirements, capabilities, and use cases.
     - W3C: Multiple standards including ontology specification standards, data markup, query, access control, and interchange.
     - Open Geospatial Consortium: Multiple standards related to the encoding, processing, query, and access control of geospatial data.
     - Organization for the Advancement of Structured Information Standards (OASIS): A set of protocols for interacting with structured data content such as OData, standards for security, Cloud computing, SOA, Web services, the Smart Grid, electronic publishing, emergency management, and other areas.
     - Transaction Processing Performance Council: Specification of TPC Express Benchmark(TM) for Hadoop system and the related kit.
     - TM Forum: Share experiences to solve critical business challenges including IT transformation, business process optimization, big data analytics, cloud management, and cyber security.
  14. NIST SP 1500: Big Data Interoperability Framework, published in 2015
     - Volume 1, Definitions
     - Volume 2, Taxonomies
     - Volume 3, Use Cases and General Requirements
     - Volume 4, Security and Privacy
     - Volume 5, Architectures White Paper Survey
     - Volume 6, Reference Architecture
     - Volume 7, Standards Roadmap
  15. NIST SP 1500 inherits elements from the CSA Big Data Working Group: "Top 10 Challenges in Big Data Security and Privacy" and "Security Considerations within Cloud Ecosystems". 11 use cases for scenarios relating to:
     - Retail / Marketing (3)
     - Healthcare (3)
     - Cybersecurity (1)
     - Government (2)
     - Aviation (1)
     - Maritime transportation (1)
  16. NIST SP 1500 security and privacy areas
     - Infrastructure Security
     - Data Privacy
     - Data Management
     - Integrity and Reactive Security
  17. ISO/IEC 20547: Big data reference architecture, work started in 2016 (ISO/IEC JTC 1 SC 27 WG 4)
     - Part 1: Framework and application process (ISO/IEC TR 20547-1)
     - Part 2: Use cases and derived requirements (ISO/IEC TR 20547-2)
     - Part 3: Reference architecture (ISO/IEC 20547-3)
     - Part 4: Security and privacy fabric (ISO/IEC 20547-4)
     - Part 5: Standards roadmap (ISO/IEC TR 20547-5)
  18. ISO/IEC 20547-4, 1st WD: document structure
     - Overview: structure of document; big data security and privacy challenges
     - Big data reference architecture security & privacy: architecture, security, privacy
     - Big data reference architecture user view: roles & related activities for big data security and privacy; system orchestrator, data provider, data consumer, application provider
     - Big data reference architecture function view
     - Big data reference architecture fabric view
     - Annexes: security & privacy issues, use cases, guidelines, security & privacy controls
     - Referenced documents: ISO/IEC 27001/2, ISO/IEC 29100, ISO/IEC JTC 1/SC 27 SD16 Information security library (ISL), CSA Big Data Security and Privacy Handbook
  19. ISO/IEC 20547-4, 1st WD: annex controls
     - D.2 Security controls: D.2.1 Confidentiality; D.2.2 Authentication; D.2.3 System health; D.2.4 Device and application registration; D.2.5 Identity and access management; D.2.6 Data governance; D.2.7 Infrastructure management; D.2.8 Risk and accountability; ...; D.2.10 Application layer identity; D.2.11 Business risk model; ...; D.2.19 Encryption and key management; D.2.20 End point input validation; D.2.21 End user layer identity management; D.2.22 Forensics
     - D.3 Privacy controls: D.3.1 Data life cycle management; D.3.2 Privacy risk management; D.3.3 Identity management; D.3.4 User consent management; D.3.5 Compliance; ...; D.3.9 Data anonymization, pseudonymization; D.3.10 Privacy preserving computation; D.3.11 Data provenance; D.3.12 Privacy policy enhancement; D.3.13 Consent management mechanism
  20. Agenda (repeated as section divider: Standards and policies relationship)
  21. Relevant policies
     - Products (15408)
       - Organizational security policy: set of security rules, procedures, or guidelines for an organization that may pertain to a specific operational environment
       - Security function policy: set of rules describing specific security behavior enforced by the product security functionalities and expressible as a set of functional requirements
     - Services (27001)
       - Information security management system policy: formal expression of the top management's intentions and directions regarding an ISMS
       - Policies for information security: management directives regarding specific contexts and related control sets
     - How are they related to Big Data?
  22. Relevant policies: the system orchestrator holds the infosec policies
     - Information classification
     - Data access & storage policies
     - Encryption policies
     - Accounting policies
  23. Agenda (repeated as section divider: Conclusions)
  24. Conclusions (diagram: System Security, Application Security, Network Security, Cloud Security, Big Data Security)
     1) Big data is a key emerging technological trend
     2) Information security and privacy should not be so emerging
     3) Past infosec and privacy efforts should take into account new big data elements, but without reinventing the wheel
  25. Thanks for your attention!
     - UNINFO, http://www.uninfo.it/, uninfo@uninfo.it, Corso Trento 13 - 10129 Torino, Tel. +39 011501027 - Fax +39 011501837
     - Fabio GUASCONI, fabio.guasconi@bl4ckswan.com
     - https://www.facebook.com/UNINFO.it, https://twitter.com/uninfo_it, http://www.slideshare.net/uninfoit