  1. #1
    WHT-BR Top Member
    Join Date
    Dec 2010

    [EN] AWS urged to comply with the ISO 27018 standard

    As AWS expands into services such as email, experts say it should strengthen its data privacy credentials by following the controls set forth in the new ISO 27018 standard.

    The International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27018:2014 standard, published in July 2014, applies specifically to the controllers of personally identifiable information. Microsoft last month was the first cloud services provider to be accredited as following the provisions of the ISO/IEC 27018:2014 standard, colloquially known as ISO 27018, which is an extension of ISO 27001.

    Compliance with the ISO 27018 standard means the cloud service provider will not use personal data for advertising and marketing unless expressly instructed by the customer; it will give the customer explicit control over how information is used; it will inform customers where data resides and disclose the use of contractors used to process personal data; it will notify customers about data breaches; and it will submit to a yearly audit from a third party based on these requirements.

    AWS already has ISO certifications under the ISO 27001 and 9001 standards. ISO 27001 specifies security management best practices and 9001 governs the general quality of products and services.

    Microsoft also has ISO 27001 certification. ISO 27018 isn't certified separately, but the British Standards Institute has independently verified that, in addition to Microsoft Azure, both Office 365 and Dynamics CRM Online are aligned with the ISO 27018 standard.
    Last edited by 5ms; 22-03-2015 at 14:30.

  2. #2

    Does AWS need to meet ISO 27018?

    Infrastructure providers are not controllers per se. AWS does not access, disclose or use customer content, including personal content, stored or processed in the AWS cloud. However, some industry analysts raise the question of whether Amazon WorkMail and WorkDocs services, which remain in preview in the U.S. East (Northern Virginia) and Europe (Ireland) regions, would make it subject to standards like ISO 27018 that apply to data controllers.

    "In this case, where they are moving up the stack, offering more and more higher-value services like mail or desktop as a service, then they should fulfill this new ISO standard," said Rene Buest, senior analyst for Crisp Research based in Kassel, Germany. He believes Amazon will follow Microsoft and meet the standard.

    There are also conflicting directives that companies that do business in both the U.S. and Europe must contend with, according to Renee Murphy, a senior analyst for Forrester Research, Inc. who specializes in security and risk management. As part of an EU privacy directive, European data centers have to notify a user when a law enforcement agency wants access to records, and the user can refuse. In the U.S., those rights don't exist under the auspices of the Patriot Act.

    Microsoft is fighting just such a case of U.S. access to records stored in Ireland, struggling with what the U.S. government sees as corporate borders.

    "Microsoft is trying to make the case that data is local and that data is under the EU law," Murphy said.

    This also isn't Amazon's problem, specifically, but getting that case overturned is critical to the future of not just Microsoft, but all U.S.-based cloud vendors, if they want to be competitive in Europe.

    "If they win, everything goes back to normal," Murphy said. "If they lose it puts the whole U.S. cloud provider market in jeopardy."

    Thus, while not a technical or legal requirement, it would offer customers concerned about cloud data privacy and security some additional comfort if AWS were to follow the ISO 27018 standard as well, legal experts said.

    "They've got ISO certifications already and they want to be seen as being active in this space in helping to protect data," said Frank Jennings, partner at Wallace LLP, London, who specializes in legal questions surrounding cloud computing. "I can't see why they wouldn't want to do that, especially if WorkMail is but one of many office functionality type suites that they're going to be introducing."

    Other industry experts pointed out that ISO 27018 may be redundant to existing standards. For example, there is a lot of overlap between ISO standards and existing prescriptive regulations like the Payment Card Industry Data Security Standard, which AWS has already been certified against as compliant, according to Adrian Sanabria, senior security analyst with 451 Research, based in New York.

    "In fact, it is quite common to see PCI and ISO 27001 assessments paired up because there is so much overlap between the two," Sanabria said.

    Amazon declined to comment for this article.
    Last edited by 5ms; 22-03-2015 at 14:27.

  3. #3

    ‘Compliance fatigue’ sets in

    Taylor Armerding
    CSO | Mar 20, 2015

    Compliance with information security regulations is supposed to be, as the most recent iteration of the PCI DSS (Payment Card Industry Data Security Standard) puts it, “business as usual.”

    But many organizations feel like they are drowning in such a sea of regulations that constant compliance with them all doesn’t give them much time to run their usual business.

    Indeed, the number of compliance frameworks, most aimed at specific industries but sometimes overlapping, amounts to an alphabet soup that could make an IT manager’s eyes glaze over before even starting to look at the fine print.

    The best known, because it affects credit card security (and there have been so many high-profile breaches in the retail sector), is the PCI DSS. But the list goes on … and on.

    There is SOX (Sarbanes Oxley), aimed at protecting investors from accounting fraud; HIPAA (Health Insurance Portability and Accountability Act) to protect personally identifiable information (PII) within healthcare; NIST (National Institute of Standards and Technology), overseeing industry; NERC (North American Electric Reliability Corporation) for energy suppliers; FISMA (Federal Information Security Management Act), which applies to federal agencies; FACTA (Fair and Accurate Credit Transaction Act), aimed at protecting against identity theft; ISO 27K, which provides best-practice recommendations on information security management; and more.

    To the surprise of no one in the industry, a lot of organizations aren’t keeping up.

    Verizon’s “2015 Compliance and Security Report,” released earlier this month, did report some good news – that compliance rates between audits increased by an average of 18% across 11 of the 12 requirements.

    But in a number of cases, it meant starting from a very low bar. The percentage of companies validated as compliant in their interim reports increased 9%, but that improvement raised it to only 20%.

    Other surveys showed similar gaps between goals and reality. A DataMotion survey found that about three-quarters of the respondents said their employees occasionally violate their compliance and security policies, many of them doing so knowingly so they can get their jobs done.

    Another survey, by Proficio, found only 43% of respondents saying they met PCI DSS 3.0 standards when they became mandatory on Jan. 1, although 90 percent believed they would be compliant within six months.

    Why the gap? Some call it compliance fatigue. According to Craig Isaacs, CEO of Unified Compliance Framework, “compliance is already out of control, and we expect security regulations and standards to become increasingly stringent in the year ahead. Most organizations have no idea what is actually required of them because they have no way of seeing all the requirements at once,” he said.

    Rich Mogull, analyst and CEO at Securosis, says this is nothing new. “It’s been this way for at least 10 years, maybe longer,” he said. “People have been grumbling about it since SOX hit (in 2002), and some CISOs spend 30% or more of their time dealing with compliance issues.”

    And many smaller organizations are only dimly aware of PCI DSS or not at all. Troy Leach, CTO of the PCI SSC (Security Standards Council) told Politico last fall that regional resellers of Point of Sale (PoS) systems that have suffered multiple breaches, “when asked about PCI compliance, have never heard of the organization.”

    Where the fault lies for the lack of compliance is a matter of some dispute. Mogull, who has been scathing in his criticism of PCI DSS in the past, calls the framework, “a way for the card brands to push risk onto the merchants and payment processors.

    “Small businesses shouldn’t have to understand it,” he said, “especially since most of them totally outsource their payment systems. Those providers are the ones that matter and need to know about it.”

    But others argue that credit card providers are only one player in the system, and improving security requires an investment from everybody, at all levels.

    “Many merchants want the card companies to ‘fix the system,’ whatever that means,” said Anton Chuvakin, research director, security and risk management at Gartner for Technical Professionals. “So my question is: ‘OK, will you, merchants, be willing to chip in? After all, you are as much of a stakeholder in this.’ Until now, the answer was ‘no,’ in my experience.”

    Julie Conroy, analyst with Aite Group, said the frustration with compliance is understandable. “It’s expensive, unsexy, and produces no revenue,” she said. “On the business side, many still consider security considerations a tiresome obstacle to quick time to market.”

    But she added that while merchants don’t like the blame being placed on them for breaches, “the reality is that the merchant is where the data resides in the current model, and where the compromises are taking place.”

    She and others also say the headaches of compliance are minor compared with those that would be caused by a major breach. She offers an example from one of the biggest players in the business – Apple.

    “I’ve spoken with banks whose security guys were not brought into the discussion about the Apple Pay launch until the 11th hour. The result: fraud rates that are nearly 80 times the industry average,” she said.

    Or, all one needs to do is look at the headlines. In January, Anthem Inc., the nation’s second-largest health insurer, discovered a breach that reportedly affected the health records of 78.8 million people. Just this past week, Premera Blue Cross, a major provider of health care services in the West, announced that an intrusion into its networks may have compromised the financial and medical records of 11 million customers. The breaches are more evidence that health records are now considered more valuable than credit card information.

    Everybody in the business agrees that security is important and worth time, effort and money. But there is disagreement over the expectation that complete compliance 100 percent of the time is even possible.

    “There’s always a time when you are out of compliance to some degree,” Mogull said. “That’s how the PCI Security Standards Council gets away with saying (expletive) like, ‘no PCI compliant organization has ever been breached.’ Yes, they really say that – they revoke certification after every breach.”

    Alphonse Pascual, director, fraud and security at Javelin Strategy & Research, is somewhat sympathetic to merchants as well. “Merchants are pushing back on the notion that PCI DSS is a fair standard,” he said. “Instead it is being portrayed as a Band-Aid for an inherently insecure method of payment which merchants are being unfairly asked to subsidize, while at the same time having to pay for the privilege of accepting card payments.”

    Conroy said that as technologies such as tokenization and point-to-point encryption become more pervasive, “the burden on merchants will decrease, but unfortunately we’re still in early stages there.”

    Meanwhile, 100 percent of the time may be out of reach. But Chuvakin and others say it is possible to get much closer. One way to move in that direction is to reduce the “scope” of what is covered by compliance regulations.

    “If you have 10,000 systems, do you think all of them legitimately have to handle regulated data?” he asked. “Probably not, so reduce the scope, build walls around it, then implement compliance controls inside that ‘walled garden.’”

    Or, as the Verizon report put it, “if you store less cardholder data in fewer places, it reduces the opportunities for breaches to occur and limits the damage that a breach can cause.”

    A way for smaller PCI organizations to reduce their scope, according to Dennis Devlin, CISO and senior vice president of Privacy Practice at SAVANTURE, is to, “use virtual terminals and not store any credit card information locally. If you can't run in the tall grass with the big dogs, stay on the porch,” he said.

    Technology can help as well, according to Isaacs, whose firm has developed a knowledgebase tool to navigate the maze of regulations to help organizations know exactly which ones apply to them.

    And once organizations know what applies to them, experts say technology can also help them maintain compliance. Reuven Harrison, CTO and cofounder of Tufin, insists that it can be done, “by embedding automated compliance checks and documentation into IT change processes.”

    Devlin agreed. “Policies need to be monitored 7x24x365 via automated business rules that can detect anomalies and deviations from normal, correlate the events, and provide actionable intelligence and guidance,” he said.

    Stephen Orfei, general manager of the PCI SSC, didn’t offer any views of technology solutions for compliance, but said, “the bottom line is no technology or tool can replace the need for vigilance in security activities.”

    Pascual agrees with that mandate. “It (compliance) is not a once a year affair,” he said. “It needs to be baked in throughout the business. If you’re not doing that, you won’t be compliant and eventually you’ll pay the price.”
    Last edited by 5ms; 23-03-2015 at 16:02.
