Form for assessing security in cloud services
Cloud Security Alliance (CSA)'s methodology for assessing the security of cloud services.
Remember that you must always judge for yourselves whether the answers from the cloud providers are satisfactory or whether further clarification is needed.
Guidance
Based on Security Guidance v4.0 (see the CSA guidance link above) from the Cloud Security Alliance (CSA), under the licence Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License (CC-BY-NC-SA 4.0).
Introduction to cloud services
- Chapter 1: Cloud Architecture
Infrastructure and network security
- Chapter 6: Management Plane and Business Continuity
- Chapter 7: Infrastructure Security
- Chapter 8: Virtualization and Containers
Risk and governance
- Chapter 2: Governance and Enterprise Risk Management
- Chapter 3: Legal Issues, Contracts and Electronic Discovery
- Chapter 4: Compliance and Audit Management
- ENISA: Cloud Computing Risk Assessment
Data and application security
- Chapter 5: Information Governance
- Chapter 10: Application Security
- Chapter 11: Data Security and Encryption
- Chapter 12: Identity, Entitlement and Access Management
Secure operations in the cloud
- Chapter 13: Security as a Service
- Chapter 9: Incident Response
- Chapter 14: Related Technologies
Requirements
The Cloud Controls Matrix (CCM) consists of 133 control requirements. Download the CSA CCM (see the requirements link above) to familiarise yourself with the control requirements.
Questions
The Cloud Security Alliance (CSA) has prepared a questionnaire to help assess whether cloud providers meet the requirements in the Cloud Controls Matrix.
The questions are collected in the Consensus Assessment Initiative Questionnaire (CAIQ) (see the CSA CAIQ questions link above).
NB! The CAIQ does not replace your own risk and security assessment. You may have questions that are unique to your organisation, or that are more critical or sensitive for your assessment of cloud services.
Registry
Security, Trust & Assurance Registry (STAR).
Search for the cloud provider or cloud service you want to assess, or ask the relevant providers to send their CAIQ responses to you.
Example 1: Where is my data stored?
Requirement: Datacenter Security & Information Lifecycle Management, question DSI-01.5
Question: Can you provide the physical location/geography of storage of a tenant's data in advance?
Microsoft Azure: Yes. Most Azure services permit customers to specify the particular geography where their customer data will be stored. Data may be replicated within a selected geographic area or region for redundancy, but it will not be replicated outside of it unless specifically configured so by the customer.
AWS: AWS provides customers the flexibility to place instances and store data within multiple geographic regions. AWS Customers designate in which physical region their data and their servers will be located. AWS will not move customers' content from the selected Regions without notifying the customer, unless required to comply with the law or requests of governmental entities. For a complete list of available regions, see the AWS Global Infrastructure page (https://aws.amazon.com/about-aws/global-infrastructure/)
Google Cloud Platform: Yes. Google may store customer data in the following locations: https://www.google.com/about/datacenters/locations/
Example 2: Can customers carry out audits themselves?
Such a requirement is not best practice; best practice is instead that independent audits are carried out at least annually.
Requirement: Audit Assurance & Compliance, question AAC-02.5
Question: Do you conduct external audits regularly as prescribed by industry best practices and guidance?
Microsoft Azure: Yes. Microsoft conducts audits and assessments against a growing number of US, international, and industry standards and frameworks. These include PCI DSS, SOC, ISO, IRAP, CDSA, MTCS, FedRAMP, DISA, and many others. More details about Azure's current portfolio of certifications can be found at the Azure Trust Center website.
AWS: AWS provides third-party attestations, certifications, Service Organization Controls (SOC) reports and other relevant compliance reports directly to our customers under NDA. The AWS ISO 27001 certification can be downloaded here: ISO 27001 Global Certification. The AWS SOC 3 report can be downloaded here: SOC3 Amazon Web Services.
Google Cloud Platform: Yes. Google is committed to maintaining a program where independent verification of security, privacy and compliance controls are regularly reviewed. Google undergoes several independent third party audits to test for data safety, privacy, and security, as noted below: SOC 1 / 2 / 3 (Formerly SSAE16 or SAS 70), ISO 27001, ISO 27017 / 27018, PCI-DSS, HIPAA
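The workflow described on this page (map a CCM requirement to a CAIQ question, collect the provider's self-reported answer from STAR or directly from the provider, then decide for yourself whether it is satisfactory) is easy to lose track of across 133 controls. The following is an added example, not CSA's, STAR's or any provider's code, of a small review tracker that keeps every requirement open until the reviewer explicitly accepts it, and also carries organisation-specific questions that the CAIQ does not cover. The provider answers, the evidence keywords and the "ORG-01" question are constructed for illustration; only the question ids DSI-01.5 and AAC-02.5 come from the page.

```python
"""Added example: tracking follow-ups from a CAIQ review.

All sample data below is constructed for illustration and is not taken
from CSA, STAR or any cloud provider's real CAIQ submission.
"""
from dataclasses import dataclass


@dataclass
class CaiqAnswer:
    question_id: str   # CAIQ question id, e.g. "DSI-01.5"
    answer: str        # provider's self-reported answer: "Yes", "No" or "N/A"
    notes: str = ""    # provider's free-text explanation


@dataclass
class Requirement:
    question_id: str
    description: str
    evidence_keywords: tuple = ()  # hypothetical: terms the explanation must mention


@dataclass
class ReviewItem:
    question_id: str
    status: str   # "accepted" or "follow-up"
    reason: str


def review(answers, requirements, reviewer_accepted):
    """Return one ReviewItem per requirement.

    A requirement is only "accepted" when the provider answered Yes, the
    explanation mentions the expected evidence, and the reviewer has
    explicitly accepted it; everything else stays a follow-up item, which
    mirrors the page's rule that the CAIQ never replaces your own assessment.
    """
    by_id = {a.question_id: a for a in answers}
    items = []
    for req in requirements:
        ans = by_id.get(req.question_id)
        if ans is None:
            items.append(ReviewItem(req.question_id, "follow-up",
                                    "no answer in CAIQ; ask the provider directly"))
            continue
        if ans.answer.strip().lower() != "yes":
            items.append(ReviewItem(req.question_id, "follow-up",
                                    f"provider answered {ans.answer!r}; assess the impact"))
            continue
        missing = [k for k in req.evidence_keywords if k.lower() not in ans.notes.lower()]
        if missing:
            items.append(ReviewItem(req.question_id, "follow-up",
                                    "explanation does not mention: " + ", ".join(missing)))
            continue
        if req.question_id not in reviewer_accepted:
            items.append(ReviewItem(req.question_id, "follow-up",
                                    "answered Yes; awaiting reviewer decision"))
            continue
        items.append(ReviewItem(req.question_id, "accepted", "reviewer accepted the answer"))
    return items


def open_items(items):
    """Only the items that still need clarification or a reviewer decision."""
    return [i for i in items if i.status == "follow-up"]


def example_review():
    # Constructed requirements: two from the CCM/CAIQ ids on the page, plus one
    # organisation-specific question (hypothetical id ORG-01) the CAIQ lacks.
    requirements = [
        Requirement("DSI-01.5", "Data location known in advance", ("region",)),
        Requirement("AAC-02.5", "Regular external audits", ("ISO 27001",)),
        Requirement("ORG-01", "Data must stay within the EEA (own requirement)"),
    ]
    # Constructed provider answers (not a real submission).
    answers = [
        CaiqAnswer("DSI-01.5", "Yes", "Customer selects the region; data is not replicated outside it."),
        CaiqAnswer("AAC-02.5", "Yes", "SOC 2 and ISO 27001 reports are available under NDA."),
    ]
    reviewer_accepted = {"DSI-01.5"}   # the reviewer has only signed off on one item so far
    return review(answers, requirements, reviewer_accepted)


if __name__ == "__main__":
    for item in open_items(example_review()):
        print(f"{item.question_id}: {item.reason}")
```

Running the script lists the two items still open: AAC-02.5, which the provider answered Yes to but the reviewer has not yet decided on, and ORG-01, which has no CAIQ answer at all and must be raised with the provider. The point of the `reviewer_accepted` set is that a "Yes" from the provider is an input to your assessment, not its conclusion.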