
German IT-Grundschutz Cloud Management

Dominic Mylo

In cooperation with the CIRRUS workshop (Certification, InteRnationalisation and standaRdization in cloUd Security)

CIRRUS Workshop Cloud Security, Vienna, 19 November 2013

Introduction

Dominic Mylo


Atos Cloud Competencies

▶ Experience in providing cloud services

– Canopy

– The Research & Innovation department of Atos has more than 10 ongoing research projects related to cloud security

▶ Corporate member of the Cloud Security Alliance

▶ Atos is a member of the European Cloud Partnership

▶ Actively participating in initiatives run by ETSI, ENISA and CEN

▶ Atos is participating in the Helix Nebula federated cloud for science


IT-Grundschutz Methodology

▶ Describes a method for setting up and integrating information security (IS) management in an organisation.

▶ ISO 27001 certification in accordance with IT-Grundschutz is issued by the German BSI, which is designated by law as the certification body.

▶ The IT-Grundschutz Catalogues contain over 4500 pages describing potential threats and protective security controls.

▶ The IT-Grundschutz Catalogues are constantly being revised, and new, specialised subjects are added as required.

Security Concept IT-Grundschutz (simplified process)

▶ Structure analysis

▶ Protection requirements determination

▶ Risk analysis (for high protection requirements; results in individual security controls)

▶ Modelling of the domain (select safeguards; the IT-Grundschutz security controls cover normal protection requirements)

▶ Implementation of safeguards

simplified process

Protection Requirements

▶ Technical, organisational, personnel, and infrastructural security safeguards

▶ Reach a baseline security level

▶ Protect business-related information having normal protection requirements

▶ Basis for IT systems and applications requiring a high level of protection

▶ Protection requirements are defined by the possible impact caused by a loss of confidentiality, integrity or availability (CIA)

▶ Cloud problem: the CSP cannot rate the protection value of cloud data (the CSP is not the information owner)

▶ a) Ask the cloud user
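The following Python script is an added example (it is not part of the CIRRUS workshop slides or of the BSI catalogues) that carries the two slides above, the simplified security concept process and the protection requirements determination, through for the cloud case: the provider cannot rate the data, so each cloud user (tenant) declares the protection requirements of its data per CIA value, and the provider derives the requirement of the shared resource and decides whether the IT-Grundschutz safeguards suffice (normal) or a supplementary risk analysis with individual safeguards is needed (high). The three protection categories normal < high < very high, the maximum principle (a shared component inherits the highest requirement of the data it serves) and the cumulation effect with the threshold used here are taken from the general IT-Grundschutz methodology (BSI Standard 100-2) and are assumptions not stated on the slides; the tenant declarations are constructed sample data.

```python
"""Protection requirements determination for a shared cloud resource.

Added example, not part of the CIRRUS workshop slides or of the BSI
catalogues. Assumptions (not on the slides): the protection categories
normal < high < very high, the maximum principle of BSI Standard 100-2,
and a cumulation effect with an assumed threshold. All tenant
declarations are constructed sample data.
"""
from dataclasses import dataclass, field

LEVELS = ("normal", "high", "very high")   # ordered, lowest first
CIA = ("confidentiality", "integrity", "availability")
CUMULATION_THRESHOLD = 10  # assumed: this many 'normal' tenants together justify 'high'


@dataclass
class TenantDeclaration:
    """What a cloud user states about its data; the CSP is not the owner."""
    tenant: str
    confidentiality: str
    integrity: str
    availability: str

    def validate(self) -> None:
        for attr in CIA:
            value = getattr(self, attr)
            if value not in LEVELS:
                raise ValueError(f"{self.tenant}: unknown {attr} level {value!r}")


@dataclass
class ResourceRequirement:
    """Derived protection requirement of one shared cloud resource."""
    resource: str
    levels: dict            # CIA attribute -> level
    needs_risk_analysis: bool
    reasons: list = field(default_factory=list)

    @property
    def safeguard_path(self) -> str:
        # Normal requirements: IT-Grundschutz safeguards; above that: risk analysis.
        return ("risk analysis -> individual safeguards" if self.needs_risk_analysis
                else "IT-Grundschutz safeguards (baseline)")


def determine_requirements(resource: str, declarations: list) -> ResourceRequirement:
    """Apply the maximum principle per CIA value, then the cumulation effect."""
    if not declarations:
        # The provider must not guess: without a declaration there is no rating.
        raise ValueError(f"{resource}: no tenant declaration, CSP cannot rate the data")
    for d in declarations:
        d.validate()
    levels, reasons = {}, []
    for attr in CIA:
        per_tenant = {d.tenant: getattr(d, attr) for d in declarations}
        level = max(per_tenant.values(), key=LEVELS.index)
        if level != "normal":
            drivers = sorted(t for t, v in per_tenant.items() if v == level)
            reasons.append(f"{attr}: {level} (maximum principle, declared by {', '.join(drivers)})")
        elif len(declarations) >= CUMULATION_THRESHOLD:
            # Many 'normal' tenants on one component add up to a higher requirement.
            level = "high"
            reasons.append(f"{attr}: high (cumulation effect, {len(declarations)} tenants)")
        levels[attr] = level
    needs_ra = any(v != "normal" for v in levels.values())
    return ResourceRequirement(resource, levels, needs_ra, reasons)


if __name__ == "__main__":
    # Constructed sample: two tenants on one hypervisor, one of them with
    # highly confidential data, so the hypervisor needs a risk analysis.
    sample = [
        TenantDeclaration("tenant-a", "normal", "normal", "normal"),
        TenantDeclaration("tenant-b", "high", "normal", "normal"),
    ]
    req = determine_requirements("hypervisor-01", sample)
    print(req.resource, req.levels, req.safeguard_path)
    for r in req.reasons:
        print("  -", r)
```

The point of the `reasons` list is traceability: when a shared component ends up with a high requirement, the provider can show which tenant declaration (or which cumulation of tenants) drove it, which is what the risk analysis step then has to address.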

Layer Model IT-Grundschutz

▶ Layer 1 covers all generic information security issues. These include the human resources and data backup concept modules.

▶ Layer 2 covers the technical issues related to building construction. Examples include the modules for buildings and server rooms.

▶ Layer 3 covers individual IT systems. Examples include the general client, general server, telecommunication system and laptop modules.

▶ Layer 4 concerns the issues relating to networking IT systems. Examples include the WLAN, VoIP and network management modules.

▶ Layer 5 deals with the actual applications. Examples include the e-mail, web server and database modules.

Cloud modules: Cloud Usage, Cloud Management, Webservices, Virtualisation, (Cloud) Storage systems

Information sources

International best practices

▶ Cloud Security Alliance

– Cloud Controls Matrix

– Cloud Security Guidance

▶ ENISA

– Cloud Computing Risk Assessment

▶ BSI

– Security Recommendations for Cloud Computing Providers

▶ VMware

– Study VCE Vblock

▶ IETF

Target Group of the Cloud Management Module

▶ Cloud service providers (cloud users should use the module „Cloud usage“)

▶ Primary target group: German public agencies; applicable across markets

▶ Scope: secure provision, management and operation of cloud environments

▶ Out of scope: infrastructure security

Cloud Reference Model (IETF)

▶ Data / content

▶ Cloud Portal („Self-Service Portal“)

▶ Cloud Services (SaaS, PaaS, IaaS)

▶ Resource control layer: virtual resource control layer, physical resource control layer

▶ Cloud Management: cloud configuration, registry & repository, audit & logging, SLA

Cloud Management Threats (summary)

Threat categories: organisational shortcomings, human error, technical failures, deliberate acts

▶ Failures in planning cloud service templates

▶ Incorrect provisioning of cloud services

▶ Insufficient isolation of cloud services

▶ Insufficient business continuity management

▶ Insufficient configuration of cloud services and management components

▶ Failures in automated cloud management

▶ Outage of cloud management components

▶ Unauthorised usage of snapshots

▶ Fraudulent use of administrative permissions

Security Controls (summary)

Phases: planning, concepts, provisioning, implementation, operation, BCM

▶ Planning of cloud service templates and cloud resources

▶ Third-party contracts

▶ Selection of cloud components

▶ Secure communication for cloud access

▶ Training for cloud administrators

▶ Event logging and monitoring

▶ Patch management

▶ Security controls to ensure continuous multi-tenancy

▶ Business continuity

▶ Backup

▶ Cloud user administration

▶ Complete and „secure“ deletion of cloud data for sensitive information

▶ Controlled provisioning & deprovisioning of cloud services
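The following Python script is an added example (not from the CIRRUS slides, the BSI module or any product) that connects the threat summary and the control summary above: it turns the "event logging and monitoring" safeguard into three concrete checks over the audit log of a cloud management platform, one each for unauthorised usage of snapshots (a tenant principal touching another tenant's snapshot), fraudulent use of administrative permissions (a provider admin reaching into tenant data without a change reference) and incomplete deletion after deprovisioning (a VM deleted without a subsequent storage wipe). The log format (JSON lines with the fields used below), the role names, the action names and the rule that provider admins must cite a ticket are assumptions; the log lines in `SAMPLE_LOG` are constructed for this example.

```python
"""Monitoring checks over a cloud-management audit log.

Added example, not from the CIRRUS slides or the BSI module. The log
format, role and action names and the ticket rule are assumptions; the
events in SAMPLE_LOG are constructed.
"""
import json

# Constructed audit log of a hypothetical self-service portal, in time order.
SAMPLE_LOG = """\
{"ts":"2013-11-19T09:00:01Z","actor":"alice","actor_tenant":"t-acme","role":"tenant-admin","action":"snapshot.create","target":"vm-101","target_tenant":"t-acme"}
{"ts":"2013-11-19T09:05:12Z","actor":"mallory","actor_tenant":"t-evil","role":"tenant-admin","action":"snapshot.restore","target":"vm-101","target_tenant":"t-acme"}
{"ts":"2013-11-19T09:10:00Z","actor":"ops1","actor_tenant":"provider","role":"provider-admin","action":"snapshot.export","target":"vm-101","target_tenant":"t-acme","ticket":"CHG-4711"}
{"ts":"2013-11-19T09:12:30Z","actor":"ops2","actor_tenant":"provider","role":"provider-admin","action":"snapshot.export","target":"vm-202","target_tenant":"t-globex"}
{"ts":"2013-11-19T10:00:00Z","actor":"bob","actor_tenant":"t-globex","role":"tenant-admin","action":"vm.delete","target":"vm-202","target_tenant":"t-globex"}
{"ts":"2013-11-19T10:00:05Z","actor":"system","actor_tenant":"provider","role":"automation","action":"storage.wipe","target":"vm-202","target_tenant":"t-globex"}
{"ts":"2013-11-19T10:30:00Z","actor":"alice","actor_tenant":"t-acme","role":"tenant-admin","action":"vm.delete","target":"vm-101","target_tenant":"t-acme"}
"""

SNAPSHOT_ACTIONS = {"snapshot.create", "snapshot.restore", "snapshot.export"}
# Actions by which a provider admin can read tenant data (assumed names).
PRIVILEGED_ACTIONS = {"snapshot.export", "vm.console", "storage.read"}


def parse_log(text: str) -> list:
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def cross_tenant_snapshot_use(events: list) -> list:
    """Threat 'unauthorised usage of snapshots' / 'insufficient isolation':
    a non-provider principal acting on a snapshot owned by another tenant."""
    return [e for e in events
            if e["action"] in SNAPSHOT_ACTIONS
            and e["role"] != "provider-admin"
            and e["actor_tenant"] != e["target_tenant"]]


def admin_access_without_ticket(events: list) -> list:
    """Threat 'fraudulent use of administrative permissions': a provider admin
    reaches into tenant data without referencing a change ticket."""
    return [e for e in events
            if e["role"] == "provider-admin"
            and e["action"] in PRIVILEGED_ACTIONS
            and not e.get("ticket")]


def deleted_without_wipe(events: list) -> list:
    """Control 'complete and secure deletion': every vm.delete must be followed
    by a storage.wipe of the same target (events are in chronological order)."""
    pending = {}
    for e in events:
        if e["action"] == "vm.delete":
            pending[e["target"]] = e
        elif e["action"] == "storage.wipe":
            pending.pop(e["target"], None)
    return list(pending.values())


def run_checks(text: str = SAMPLE_LOG) -> dict:
    events = parse_log(text)
    return {
        "unauthorised_snapshot_use": cross_tenant_snapshot_use(events),
        "admin_without_ticket": admin_access_without_ticket(events),
        "deleted_without_wipe": deleted_without_wipe(events),
    }


if __name__ == "__main__":
    for name, hits in run_checks().items():
        print(name)
        for e in hits:
            print(f"  {e['ts']} {e['actor']} {e['action']} {e['target']} ({e['target_tenant']})")
```

Two of the three findings in the sample (the cross-tenant restore and the export without a ticket) can only be seen because the log records both the actor's tenant and the target's tenant; a portal log that records only the actor is blind to the isolation failure, which is the point of specifying the audit and logging fields when the cloud management components are configured.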


www.atos.net

For more information please contact:

Dominic Mylo, Security Consultant, T +49 (5931) 805-478, M +49 (177) 915 1856, [email protected], Lohberg 10, 49716 Meppen
