Недавно услышал и мне понравилась следующая метафора: "Когда мы садимся в самолет, мы принимаем возможные риски его крушения (как бы это страшно не звучало), мы доверяем и пилоту, и авиакомпании, и техникам которые обслуживают данный самолет. Причем доверяем самое ценно, что у нас есть - свою жизнь..."
Ну вот, пока сообщество специалистов по безопасности думает над вопросом "как же так спецефично нужно защищать "облака"", ведущие компании ( BSI и CSA ) уже анонсируют свой подход: сертификация провайдеров облачных услуг ("Open Certification Framework For Cloud Providers"). Идея проста, есть 3 уровня (самооценка; независимая оценка, использующая идеи ISO 27001; и некая "идеальная" сертификация, которая появится позднее):
- The initial level is CSA STAR Self Assessment: Cloud providers can submit reports to the CSA STAR Registry to indicate their compliance with CSA best practices. This is available immediately.
- The second level, CSA STAR CERTIFICATION, is a third-party independent assessment: this certification leverages the requirements of the ISO/IEC 27001:2005 management systems standard together with the CSA Cloud Control Matrix (CCM). These assessments will be conducted by approved certification bodies only. Availability is expected in H1 2013.
- The STAR Certification will be enhanced in the future by continuos monitoring-based certification: this third level is currently under development.
Если полезем в глубь подхода, то увидим, что доменов и контролей много, и, как это водится у BSI, ими не очень-то удобно пользоваться. Веса и сложность доменов не сбалансированы (полный перечень привожу в "Дальше"), "что", "как" и "зачем" делать с первого взгляда не понятно. Из приятных моментов отмечу лишь наличие ссылок (маппинг) на основные ИБ стандарты: COBIT (правда 4.1), ISO 27001, NIST SP 800-53, PCI DSS и пр.
Ссылки для подробного изучения (описание и опросники):
Вот как-то так. А как Вам идея сертификации?
name='more'>
- Compliance:
- Audit Planning
- Independent Audits
- Third Party Audits
- Contact / Authority Maintenance
- Information System Regulatory Mapping
- Intellectual Property
- Data Governance
- Ownership / Stewardship
- Classification
- Handling / Labeling / Security Policy
- Retention Policy
- Secure Disposal
- Nonproduction Data
- Information Leakage
- Risk Assessments
- Facility Security:
- Policy
- User Access
- Controlled Access Points
- Secure Area Authorization
- Unauthorized Persons Entry
- Offsite Authorization
- Offsite equipment
- Asset Management
- Human Resources Security:
- Background Screening
- "Employment Agreements"
- Employment Termination
- Information Security:
- Management Program
- Management Support / Involvement
- Policy
- Baseline Requirements
- Policy Reviews
- Policy Enforcement
- User Access Policy
- User Access Restriction / Authorization
- User Access Revocation
- User Access Reviews
- Training / Awareness
- Industry Knowledge / Benchmarking
- Roles / Responsibilities
- Management Oversight
- Segregation of Duties
- User Responsibility
- Workspace
- Encryption
- Encryption Key Management
- Vulnerability / Patch Management
- Antivirus / Malicious Software
- Incident Management
- Incident Reporting
- Incident Response Legal Preparation
- Incident Response Metrics
- Acceptable Use
- Asset Returns
- eCommerce Transactions
- Audit Tools Access
- Diagnostic / Configuration Ports Access
- Network / Infrastructure Services
- Portable / Mobile Devices
- Source Code Access Restriction
- Utility Programs Access
- Legal:
- Nondisclosure Agreements
- Third Party Agreements
- Operations Management:
- Policy
- Documentation
- Capacity / Resource Planning
- Equipment Maintenance
- Risk Management:
- Program
- Assessments
- Mitigation / Acceptance
- Business / Policy Change Impacts
- Third Party Access
- Release Management:
- New Development / Acquisition
- Production Changes
- Quality Testing
- Outsourced Development
- Unauthorized Software Installations
- Resiliency:
- Management Program
- Impact Analysis
- Business Continuity Planning
- Business Continuity Testing
- Environmental Risks
- Equipment Location
- Equipment Power Failures
- Power / Telecommunications
- Security Architecture:
- Customer Access Requirements
- User ID Credentials
- Data Security / Integrity
- Application Security
- Data Integrity
- Production / Nonproduction Environments
- Remote User Multifactor Authentication
- Network Security
- Segmentation
- Wireless Security
- Shared Networks
- Clock Synchronization
- Equipment Identification
- Audit Logging / Intrusion Detection
- Mobile Code
