2. ISO 27017 - WHAT ARE THE BUSINESS ADVANTAGES OF CLOUD SECURITY?
27th February 2021 (Saturday)
Time: 09:30 am - 09:55 am IST
ISO 27017:2015, by Ramkumar Ramachandran, Principal Consultant, Ascentant Corporation, Chennai, India
3. SPEAKER INTRODUCTION
Ramkumar Ramachandran
Principal Consultant, Ascentant Corporation, Chennai, India
• Expertise – ISMS / Data Privacy / CMMI / Agile / GDPR
• Aeronautical Engineer / IIMC Alumni (SMP) / MIT Sloan School of Management – Systems Thinking
• CSQA, CISA, PMP, CDPSE
• LA QMS/ISMS/SMS/BCMS, SAFe Agilist
• US / UK / France / China / Singapore / Taiwan / Thailand / Malaysia / Indonesia / Bahrain / Kuwait / Qatar / Saudi Arabia / Sri Lanka / New Zealand
• ram@ascentantcorp.biz
Ramkumar Ramachandran (c)
5. CONTENT
• History of ISO 27001
• Cloud Infrastructure Evolution
• Need for Cloud Security
• ISO 27017 – Additional guidance for Cloud Security to ISO 27002 controls
• ISO 27017 – Additional Controls
• Implementing ISO 27017
6. EVOLUTION OF ISMS
• 1995: Initiative from the Department of Trade and Industry; BS 7799 Part 1
• 1998: BS 7799 Part 2
• 1999: New issue of BS 7799 Parts 1 & 2
• 2000: ISO/IEC 17799:2000
• 2001: BS 7799-2:2002 drafted
• Sep 2002: BS 7799-2:2002 passed and accepted
• Jun 2005: ISO/IEC 17799:2005
• Oct 2005: ISO/IEC 27001:2005
• Sep 2013: ISO/IEC 27001:2013
7. ISO 27001 STRUCTURE
CLAUSES
• Context of the Organization
• Leadership
• Planning
• Support
• Operations
• Performance Evaluation
• Improvement
ANNEX A - CONTROLS
• Information Security Policies
• Organization of Information Security
• Human Resource Security
• Asset Management
• Access Control
• Cryptography
• Physical and Environmental Security
• Operations Security
• Communications Security
• System Acquisition, Development and Maintenance
• Supplier Relationships
• Information Security Incident Management
• Information Security Aspects of Business Continuity Management
• Compliance
9. ISO 27017 - STRUCTURE
• ISO 27001 Requirements
• ISO 27002 Code of Practice
• Additional Controls for ISO 27017 (cloud-specific implementation guidance on the ISO 27002 controls, plus the Annex A extended control set)
10. CLOUD – DEFINITION BY NIST
Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction (NIST SP 800-145).
14. CLOUD SECURITY – DATA SECURITY CONSIDERATIONS
• Privacy: safeguarding personal data as per privacy commitments
• Confidentiality: ensuring data is accessed only on a need-to-know basis
• Integrity: confidence that the data stored in the cloud is not altered in any way by unauthorized parties
• Availability: ensures that the cloud service customer (CSC) has access to its data and is not denied access
15. CLOUD SECURITY – DATA STAGES
Data-in-transit
This is when data is in the process of being transmitted, either to the cloud infrastructure or to the computing device used by the CSC. Here data is most at risk of being intercepted, which would violate confidentiality.
Data-at-rest
This is when data has been stored in the cloud infrastructure. The main issue at this stage for the CSC is its loss of direct control over the data, so the onus of defending the stored data against attacks falls largely on the cloud service provider (CSP). The CSC still decides what is stored there and, where the service offers customer-managed keys, who holds the encryption keys.
Data-in-use
This is when data is being processed into information. Here the issue is the corruption of data while it is being processed.
16. ISO 27017 HIGHLIGHTS
• Guidelines for information security controls applicable to the provision and use of cloud services
• Additional implementation guidance for relevant controls specified in ISO/IEC 27002
• Provides controls and implementation guidance for both cloud service providers and cloud service customers
• Structured similarly to ISO/IEC 27002
• Includes clauses 5 to 18 of ISO/IEC 27002 by stating the applicability of its text at each clause and paragraph
• When controls are needed in addition to ISO/IEC 27002, they are given in Annex A: Cloud Service Extended Control Set
17. NEW CONTROLS FOR CLOUD SECURITY IN ISO 27017
Seven new controls (Annex A, referenced with the CLD. prefix):
• CLD.6.3.1: Shared roles and responsibilities within a cloud computing environment
• CLD.8.1.5: Removal of cloud service customer assets
• CLD.9.5.1: Segregation in virtual computing environments
• CLD.9.5.2: Virtual machine hardening
• CLD.12.1.5: Administrator's operational security
• CLD.12.4.5: Monitoring of cloud services
• CLD.13.1.4: Alignment of security management for virtual and physical networks
18. ISO 27017 APPROACH
Cloud service customer: guideline for the cloud service subscriber / customer
Cloud service provider: guideline for the cloud service hosting company
19. CLAUSE 4 – CLOUD SECTOR-SPECIFIC CONCEPTS
As per A.15 Supplier Relationships:
• The CSC should meet its ISMS goals
• The CSP should provide services that enable the CSC to meet its ISMS goals
• Where the CSP cannot meet the CSC's ISMS requirements, the CSC should implement additional controls
• Both CSC and CSP should have strong risk management practices in place
20. CLAUSE 6 – ORGANISATION OF INFORMATION SECURITY – ROLES & RESPONSIBILITIES
Each activity is assigned a primary owner on either the Cloud Service Customer or the Cloud Service Provider side:
• Request to create User IDs: Primary – IT Lead
• Creation of User IDs: Primary – Lead
• Access provisioning for users: Primary – IT Lead
• Access control review: Primary – Department Heads
• Backup plan creation: Primary – IT Lead
• Backup execution: Primary – Backup Executive
• Endpoint security: Primary – Security Team
• Data encryption: Primary – Security Team
21. CLAUSE 8 – ASSET MANAGEMENT – INVENTORY OF ASSETS
Data: Storage Location
• Customer Master Details: Cloud
• Employee Salary: On-Prem
• Helpdesk Tickets: Cloud
Figure: data inventory segregated into Internal Data, Client A, Client B and Client C
22. CLAUSE 8 – ASSET MANAGEMENT – ASSET LABELLING
Label format: <Location / Type of Asset / Criticality / Serial Number>
Example: CLD/S/I/001 = Cloud / Soft Copy / Internal / Serial Number 001
The label code can be a bar code, QR code etc. as well
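A label scheme only works if every label in the inventory follows it, so the check worth automating is parsing and validation. The following is an added example, not part of the presentation: it parses the <Location / Type of Asset / Criticality / Serial Number> format, rejects unknown codes, and allocates the next serial in a series. Only CLD (Cloud), S (Soft Copy) and I (Internal) come from the slide; the codes ONP, H, C and R are hypothetical additions so validation has something to reject.

```python
"""Parse, validate and allocate asset labels in the
<Location / Type of Asset / Criticality / Serial Number> format (e.g. CLD/S/I/001).

Added example, not from the presentation. CLD, S and I are the slide's codes;
ONP, H, C and R are hypothetical extensions chosen for illustration.
"""
import re
from dataclasses import dataclass

LOCATIONS = {"CLD": "Cloud", "ONP": "On-Prem"}                          # ONP assumed
ASSET_TYPES = {"S": "Soft Copy", "H": "Hard Copy"}                      # H assumed
CRITICALITY = {"I": "Internal", "C": "Confidential", "R": "Restricted"}  # C, R assumed

# Strict shape: three upper-case letters / one letter / one letter / three digits.
LABEL_RE = re.compile(r"^(?P<loc>[A-Z]{3})/(?P<typ>[A-Z])/(?P<crit>[A-Z])/(?P<serial>\d{3})$")


@dataclass(frozen=True)
class AssetLabel:
    location: str
    asset_type: str
    criticality: str
    serial: int

    @property
    def series(self) -> tuple:
        return (self.location, self.asset_type, self.criticality)

    def __str__(self) -> str:
        return f"{self.location}/{self.asset_type}/{self.criticality}/{self.serial:03d}"


def parse_label(label: str) -> AssetLabel:
    """Split a label into its four fields and reject unknown codes."""
    m = LABEL_RE.match(label.strip())
    if not m:
        raise ValueError(f"malformed label: {label!r}")
    for code, table, name in ((m["loc"], LOCATIONS, "location"),
                              (m["typ"], ASSET_TYPES, "asset type"),
                              (m["crit"], CRITICALITY, "criticality")):
        if code not in table:
            raise ValueError(f"unknown {name} code {code!r} in {label!r}")
    return AssetLabel(m["loc"], m["typ"], m["crit"], int(m["serial"]))


def is_valid(label: str) -> bool:
    try:
        parse_label(label)
        return True
    except ValueError:
        return False


def describe(label: str) -> str:
    """Human-readable expansion, e.g. for the text next to a printed bar code or QR code."""
    a = parse_label(label)
    return f"{LOCATIONS[a.location]} / {ASSET_TYPES[a.asset_type]} / {CRITICALITY[a.criticality]} / {a.serial:03d}"


def next_label(inventory: list, location: str, asset_type: str, criticality: str) -> str:
    """Allocate the next unused serial in a series; every inventory entry is validated on the way."""
    if location not in LOCATIONS or asset_type not in ASSET_TYPES or criticality not in CRITICALITY:
        raise ValueError(f"unknown series {location}/{asset_type}/{criticality}")
    series = (location, asset_type, criticality)
    used = {a.serial for a in map(parse_label, inventory) if a.series == series}
    serial = max(used, default=0) + 1
    if serial > 999:
        raise OverflowError(f"series {'/'.join(series)} is exhausted")
    return str(AssetLabel(location, asset_type, criticality, serial))


if __name__ == "__main__":
    inventory = ["CLD/S/I/001", "CLD/S/I/002", "ONP/S/I/001"]  # constructed sample
    print(describe("CLD/S/I/001"))
    print(next_label(inventory, "CLD", "S", "I"))
```

Because the serial is scoped to the (location, type, criticality) series, moving an asset between cloud and on-premises means re-labelling it rather than carrying the old serial across, which keeps the inventory and the physical label in step.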
24. CLAUSE 9 – ACCESS CONTROL – AUTHENTICATION TECHNIQUES
Standard user: Validation → Access Enabling
Admin user: Validation 1 → Validation 2 → Access Enabling
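The slide's point is that an administrator passes two independent validations before access is enabled, a standard user one. The following is an added example, not from the presentation, showing one way to enforce that: Validation 1 is a password check (PBKDF2), Validation 2 is a TOTP code as in RFC 6238, and the second check is required only for the admin role. The user records, the `opsadmin` account and its TOTP secret (the RFC 6238 test secret) are constructed for the demo.

```python
"""Step-up authentication: one validation for standard users, two for admins.

Added example, not from the presentation. Validation 1 = password (PBKDF2-SHA256),
Validation 2 = TOTP (RFC 6238, HMAC-SHA1, 6 digits). User records are constructed.
"""
import hashlib
import hmac
import struct
import time
from typing import Optional

STEP = 30            # TOTP time step in seconds
DIGITS = 6
DRIFT = 1            # accept one step either side of the current one (clock skew)
PBKDF2_ROUNDS = 100_000

ADMIN_SECRET = b"12345678901234567890"   # RFC 6238 test secret; constructed demo value


def totp(secret: bytes, timestamp: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP with HMAC-SHA1, the default of most authenticator apps."""
    counter = struct.pack(">Q", timestamp // step)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def _password_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_directory() -> dict:
    """Constructed user store: one standard user, one admin with a TOTP secret enrolled."""
    users = {
        "alice": {"role": "standard", "salt": b"salt-alice", "password": "correct horse", "totp_secret": None},
        "opsadmin": {"role": "admin", "salt": b"salt-ops", "password": "admin-pw", "totp_secret": ADMIN_SECRET},
    }
    for rec in users.values():
        rec["hash"] = _password_hash(rec.pop("password"), rec["salt"])   # never keep the clear text
    return users


def authenticate(directory: dict, username: str, password: str,
                 otp: Optional[str], now: Optional[int] = None) -> str:
    """Return 'access enabled' or a 'denied: ...' reason. Admins must pass both validations."""
    now = int(time.time()) if now is None else now
    user = directory.get(username)
    if user is None:
        _password_hash(password, b"dummy-salt")      # same cost for unknown users: no timing oracle on names
        return "denied: validation failed"

    # Validation 1: password, compared in constant time.
    if not hmac.compare_digest(_password_hash(password, user["salt"]), user["hash"]):
        return "denied: validation failed"
    if user["role"] != "admin":
        return "access enabled"

    # Validation 2: TOTP, mandatory for admin users.
    if not otp:
        return "denied: second validation required"
    for delta in range(-DRIFT, DRIFT + 1):
        expected = totp(user["totp_secret"], now + delta * STEP)
        if hmac.compare_digest(expected, otp):
            return "access enabled"
    return "denied: second validation failed"


if __name__ == "__main__":
    d = build_directory()
    now = int(time.time())
    print(authenticate(d, "alice", "correct horse", None, now))
    print(authenticate(d, "opsadmin", "admin-pw", None, now))
    print(authenticate(d, "opsadmin", "admin-pw", totp(ADMIN_SECRET, now), now))
```

The admin path never reveals whether the password or the OTP was wrong until the password has already been verified, and an admin with a correct password but no second factor is still refused, which is the behaviour the slide's two-validation chain implies.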
25. CLAUSE 9 – ACCESS CONTROL – INFORMATION ACCESS RESTRICTION
Permissions per role (Read / Write / Delete) across three scopes: Cloud Service, Cloud Service Function and Cloud Customer Data. An X marks a granted permission; Admin holds all nine, PM six, Lead four, Developer and Tester three each.
Developer X X X
Tester X X X
Lead X X X X
PM X X X X X X
Admin X X X X X X X X X
27. CLAUSE 12 – OPERATIONS SECURITY – CHANGE MANAGEMENT
Cloud Service Customer: the change management of the CSC should consider changes done by the CSP
Cloud Service Provider: any change done by the CSP should be communicated to the CSC
31. CLAUSE 15 – SUPPLIER RELATIONSHIPS – SECURITY IN CONTRACTS
The roles and responsibilities in the agreement should address at least the following:
• Malware protection
• Backup
• Cryptographic controls
• Vulnerability management
• Incident management
• Technical compliance checking
• Security testing
• Auditing
• Collection, maintenance and protection of evidence, including logs and audit trails
• Protection of information upon termination of the service agreement
• Authentication and access control
• Identity and access management
32. CLAUSE 15 – SUPPLIER RELATIONSHIPS – TECHNOLOGY SUPPLY CHAIN
Contract terms apply to the entire technology supply chain, including the suppliers and sub-processors the CSP itself relies on.
34. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.6.3 Relationship between cloud service customer and cloud service provider
CLD.6.3.1 Shared roles and responsibilities within a cloud computing environment
Responsibilities for shared information security roles in the use of the cloud service should be allocated to identified parties, documented, communicated and implemented by both the cloud service customer and the cloud service provider.
Cloud service customer: The cloud service customer should define or extend its existing policies and procedures in accordance with its use of cloud services and make cloud service users aware of their roles and responsibilities in the use of the cloud service.
Cloud service provider: The cloud service provider should document and communicate its information security capabilities, roles and responsibilities for the use of its cloud service, along with the information security roles and responsibilities that the cloud service customer would need to implement and manage as part of its use of the cloud service.
35. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.8.1 Responsibility for assets
CLD.8.1.5 Removal of cloud service customer assets
Assets of the cloud service customer that are on the cloud service provider's premises should be removed, and returned if necessary, in a timely manner upon termination of the cloud service agreement.
Cloud service customer: The cloud service customer should request a documented description of the termination of service process. This process should cover the return and removal of the cloud service customer's assets, followed by the deletion of all copies of those assets from the cloud service provider's systems.
Cloud service provider: The cloud service provider should provide information about the arrangements for the return and removal of any cloud service customer's assets upon termination of the agreement for the use of a cloud service.
36. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.9.5 Access control of cloud service customer data in shared virtual environment
Objective: To mitigate information security risks when using the shared virtual environment of cloud computing
CLD.9.5.1 Segregation in virtual computing environments
A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized persons.
Cloud service customer: (no additional implementation guidance)
Cloud service provider: The cloud service provider should enforce appropriate logical segregation of cloud service customer data, virtualized applications, operating systems, storage and network for:
• the separation of resources used by cloud service customers in multi-tenant environments;
• the separation of the cloud service provider's internal administration from resources used by cloud service customers.
37. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.9.5 Access control of cloud service customer data in shared virtual environment
CLD.9.5.2 Virtual machine hardening
Virtual machines in a cloud computing environment should be hardened to meet business needs.
Cloud service customer and cloud service provider: When configuring virtual machines, cloud service customers and cloud service providers should ensure that the appropriate aspects are hardened (e.g., only those ports, protocols and services that are needed are enabled), and that the appropriate technical measures are in place (e.g., anti-malware, logging) for each virtual machine used.
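"Only those ports, protocols and services that are needed" is testable: compare what a VM actually listens on against the documented baseline. The following is an added example, not from the presentation, that parses the output of the Linux `ss -tulnp` command and reports every listener that is outside the baseline or bound more widely than the baseline allows. The `ss` output and the baseline (a web node that needs only `sshd` and a loopback-only `node_exporter`) are constructed for the demo; in practice the baseline is the per-role hardening standard agreed between CSC and CSP.

```python
"""Audit a VM's listening sockets against a hardening baseline (CLD.9.5.2).

Added example, not from the presentation. SAMPLE_SS_OUTPUT is a constructed
sample in the layout `ss -tulnp` prints; BASELINE is a hypothetical standard.
"""
import re
from typing import NamedTuple

# Constructed sample, not captured from a real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*    users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      128        127.0.0.1:9100      0.0.0.0:*    users:(("node_exporter",pid=901,fd=5))
tcp   LISTEN 0      511          0.0.0.0:8080      0.0.0.0:*    users:(("python3",pid=1200,fd=4))
udp   UNCONN 0      0            0.0.0.0:111       0.0.0.0:*    users:(("rpcbind",pid=600,fd=6))
tcp   LISTEN 0      128             [::]:22           [::]:*    users:(("sshd",pid=812,fd=4))
tcp   LISTEN 0      4096         0.0.0.0:9100      0.0.0.0:*    users:(("node_exporter",pid=901,fd=6))
"""

# Hypothetical baseline: (protocol, port, process) -> permitted bind scope.
# "local" means loopback only; "any" allows binding to every interface.
BASELINE = {
    ("tcp", 22, "sshd"): "any",
    ("tcp", 9100, "node_exporter"): "local",
}

LOOPBACK = {"127.0.0.1", "[::1]", "::1"}
PROC_RE = re.compile(r'\("([^"]+)"')      # first process name inside users:((...))


class Socket(NamedTuple):
    proto: str
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list:
    """Turn `ss -tulnp` lines into Socket records; the header row is skipped."""
    sockets = []
    for line in output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 6:
            continue
        proto, local = fields[0], fields[4]
        addr, port = local.rsplit(":", 1)          # handles "[::]:22" as well as "0.0.0.0:22"
        m = PROC_RE.search(line)
        sockets.append(Socket(proto, addr, int(port), m.group(1) if m else "?"))
    return sockets


def audit(output: str, baseline: dict = BASELINE) -> list:
    """One finding per listener that is not in the baseline or is bound too widely."""
    findings = set()
    for s in parse_ss(output):
        scope = baseline.get((s.proto, s.port, s.process))
        if scope is None:
            findings.add(f"{s.proto}/{s.port} ({s.process}) is not in the hardening baseline")
        elif scope == "local" and s.addr not in LOOPBACK:
            findings.add(f"{s.proto}/{s.port} ({s.process}) must bind to loopback only, found {s.addr}")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_SS_OUTPUT):
        print(finding)
```

The baseline keys on process name as well as port, so a different binary squatting on an allowed port (a reverse shell listening on 22 after `sshd` was stopped, say) is reported rather than waved through. Run the same check from a scheduled job and diff its output over time to catch drift after patches or redeployments.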
38. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.12.1 Operational procedures and responsibilities
CLD.12.1.5 Administrator's operational security
Procedures for administrative operations of a cloud computing environment should be defined, documented and monitored.
Cloud service customer: The cloud service customer should document procedures for critical operations where a failure can cause unrecoverable damage to assets in the cloud computing environment. Examples of critical operations are:
• installation, changes and deletion of virtualized devices such as servers, networks and storage;
• termination procedures for cloud service usage;
• backup and restoration.
Cloud service provider: The cloud service provider should provide documentation about the critical operations and procedures to cloud service customers who require it.
39. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.12.4 Logging and monitoring
CLD.12.4.5 Monitoring of cloud services
The cloud service customer should have the capability to monitor specified aspects of the operation of the cloud services that the cloud service customer uses.
Cloud service customer: The cloud service customer should request information from the cloud service provider about the service monitoring capabilities available for each cloud service.
Cloud service provider: The cloud service provider should provide capabilities that enable the cloud service customer to monitor specified aspects, relevant to the cloud service customer, of the operation of the cloud services. For example, to monitor and detect whether the cloud service is being used as a platform to attack others, or whether sensitive data is being leaked from the cloud service. Appropriate access controls should secure the use of the monitoring capabilities.
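The two examples the control gives, the service being used as a platform to attack others and sensitive data leaking out, are both visible in network flow records, which is the kind of telemetry a CSC should ask its CSP for under this control. The following is an added example, not from the presentation, implementing both detections over flow records: a workload fanning out to many distinct external host:port pairs is flagged as an outbound scan, and a large volume sent to a destination outside the approved egress list is flagged as possible data leakage. The record layout, the sample records, the approved endpoint and the thresholds are all constructed for the demo.

```python
"""Two monitoring checks named under CLD.12.4.5, run over flow records.

Added example, not from the presentation. Record layout, sample records,
APPROVED_EGRESS and the thresholds are constructed/illustrative.
"""
import ipaddress
from collections import defaultdict
from typing import NamedTuple

INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed tenant address space
APPROVED_EGRESS = {"203.0.113.9"}                # assumed: a sanctioned external endpoint
SCAN_FANOUT = 10                                  # distinct external host:port pairs from one source
EGRESS_BYTES = 50 * 1024 * 1024                   # 50 MiB to a single unapproved destination


class Flow(NamedTuple):
    ts: str
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int
    action: str


def parse_flows(text: str) -> list:
    """Constructed layout: timestamp src dst dport proto bytes action, space separated."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto, nbytes, action = line.split()
        flows.append(Flow(ts, src, dst, int(dport), proto, int(nbytes), action))
    return flows


def analyse(text: str) -> list:
    """Return (alert_kind, source_ip, detail) tuples for outbound traffic that trips a rule."""
    fanout = defaultdict(set)      # src -> {(dst, dport)}
    egress = defaultdict(int)      # (src, dst) -> bytes sent to an unapproved destination
    for f in parse_flows(text):
        if f.action != "ACCEPT" or ipaddress.ip_address(f.dst) in INTERNAL:
            continue               # only accepted flows leaving the tenant network count
        fanout[f.src].add((f.dst, f.dport))
        if f.dst not in APPROVED_EGRESS:
            egress[(f.src, f.dst)] += f.nbytes

    alerts = []
    for src, targets in sorted(fanout.items()):
        if len(targets) >= SCAN_FANOUT:
            alerts.append(("outbound_scan", src, f"{len(targets)} distinct external host:port targets"))
    for (src, dst), total in sorted(egress.items()):
        if total >= EGRESS_BYTES:
            alerts.append(("data_egress", src, f"{total} bytes to unapproved {dst}"))
    return alerts


# Constructed sample records: normal SaaS traffic, an internal DB call, a 60 MB
# upload to an unknown host, a rejected probe, and a 12-host SSH sweep.
SAMPLE_FLOWS = "\n".join(
    ["2021-02-27T09:30:01Z 10.0.1.5 203.0.113.9 443 tcp 1200 ACCEPT",
     "2021-02-27T09:30:02Z 10.0.1.5 10.0.1.6 5432 tcp 8800 ACCEPT",
     "2021-02-27T09:30:05Z 10.0.3.9 192.0.2.44 443 tcp 60000000 ACCEPT",
     "2021-02-27T09:30:06Z 10.0.4.2 198.51.100.7 22 tcp 60 REJECT"]
    + [f"2021-02-27T09:31:{i:02d}Z 10.0.2.7 198.51.100.{i} 22 tcp 60 ACCEPT" for i in range(1, 13)]
)

if __name__ == "__main__":
    for alert in analyse(SAMPLE_FLOWS):
        print(*alert)
```

Both rules deliberately ignore rejected flows and internal destinations, so a deny-listed probe does not double-count and east-west traffic inside the tenant is not mistaken for exfiltration; the thresholds are the part a team tunes against its own baseline before alerting on them.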
40. ANNEX A – CLOUD SERVICE EXTENDED CONTROL SET
CLD.13.1 Network security management
CLD.13.1.4 Alignment of security management for virtual and physical networks
Upon configuration of virtual networks, consistency of configurations between virtual and physical networks should be verified based on the cloud service provider's network security policy.
Cloud service customer: (no additional implementation guidance)
Cloud service provider: The cloud service provider should define and document an information security policy for the configuration of the virtual network consistent with the information security policy for the physical network. The cloud service provider should ensure that the virtual network configuration matches the information security policy regardless of the means used to create the configuration.
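"Regardless of the means used to create the configuration" is the hard part: security groups get created from consoles, templates and APIs, and each path can open something the physical policy forbids. The following is an added example, not from the presentation, of the consistency check itself: every virtual allow rule must be covered by some physical allow rule (same protocol, source and destination subnets contained in the policy's, port range inside the policy's), and anything not covered is reported. Both rule sets, the zone CIDRs and the ports are constructed for the demo.

```python
"""Check virtual network rules against the physical network security policy (CLD.13.1.4).

Added example, not from the presentation. PHYSICAL_POLICY and VIRTUAL_RULES are
constructed; the zone CIDRs and ports are illustrative.
"""
import ipaddress
from typing import NamedTuple


class Rule(NamedTuple):
    name: str
    proto: str        # "tcp", "udp" or "any"
    src: str          # CIDR
    dst: str          # CIDR
    ports: tuple      # (low, high), inclusive


def covers(policy: Rule, rule: Rule) -> bool:
    """True if `rule` allows no more than `policy` does."""
    return (
        policy.proto in ("any", rule.proto)
        and ipaddress.ip_network(rule.src).subnet_of(ipaddress.ip_network(policy.src))
        and ipaddress.ip_network(rule.dst).subnet_of(ipaddress.ip_network(policy.dst))
        and policy.ports[0] <= rule.ports[0]
        and rule.ports[1] <= policy.ports[1]
    )


def check_alignment(physical: list, virtual: list) -> list:
    """Return one finding per virtual rule that no physical allow rule covers."""
    findings = []
    for v in virtual:
        if not any(covers(p, v) for p in physical):
            findings.append(f"{v.name}: {v.proto} {v.src} -> {v.dst} ports {v.ports[0]}-{v.ports[1]} "
                            "is not permitted by the physical network security policy")
    return findings


# Constructed physical policy: default deny, only these allows exist.
PHYSICAL_POLICY = [
    Rule("internet-to-dmz-https", "tcp", "0.0.0.0/0", "10.10.0.0/16", (443, 443)),
    Rule("app-to-db-postgres", "tcp", "10.20.0.0/16", "10.30.0.0/16", (5432, 5432)),
    Rule("mgmt-ssh", "tcp", "10.99.0.0/24", "10.0.0.0/8", (22, 22)),
]

# Constructed virtual network (security group) rules created by a tenant team.
VIRTUAL_RULES = [
    Rule("sg-web-https", "tcp", "0.0.0.0/0", "10.10.1.0/24", (443, 443)),          # covered
    Rule("sg-db-from-app", "tcp", "10.20.5.0/24", "10.30.1.0/24", (5432, 5432)),   # covered
    Rule("sg-db-ssh-anywhere", "tcp", "0.0.0.0/0", "10.30.1.0/24", (22, 22)),      # source too broad
    Rule("sg-db-from-anywhere", "tcp", "0.0.0.0/0", "10.30.1.0/24", (5432, 5432)), # source too broad
    Rule("sg-web-range", "tcp", "0.0.0.0/0", "10.10.1.0/24", (80, 443)),           # port range too wide
]

if __name__ == "__main__":
    for finding in check_alignment(PHYSICAL_POLICY, VIRTUAL_RULES):
        print(finding)
```

The check is one-directional on purpose: the physical policy is the ceiling, and a virtual rule narrower than the policy is fine. Wiring this into the pipeline that applies security-group changes (or running it against an export of the live configuration) is what makes the control hold whichever tool created the rules.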