Okay. Hello. So my name is Ava FFA. I'm working for a large IT or cloud service provider and caring about the security of the platform we are using to deliver these kinds of services to our enterprise customers. But today I'm more representing the Zero Outage Industry Standard initiative. This initiative is a consortium or association of IT companies, and we care about quality in IT. And it's not only about preventing outages; it's also about security. So we call this zero defect security: enhancing the quality of development practices to enhance the quality of security. Okay.
Today's, yeah, is a very short presentation, because I will not be the only presenter in this session; it will be you. So I will briefly explain a topic, and then I hope that we will have a discussion about this. You can share your thoughts about this, you can share your ideas, you can take decisions or whatever.
So I will only show three slides about this. And the last slide will guide you and help you to, yeah, just start the discussion. Okay. So: cloud security standards and our expectations.
So often we accept what we have, and this is realistic, but what we sometimes forget is our own real requirements, our actual requirements, our expectations, the benefits we are expecting from those. And this is what we want to talk about. So when I say cloud security standards, maybe you have heard about some of them. Here are examples. If you haven't heard about these, it's no issue, because I will present some general things on the last slide which help you to start discussing. So the first one is the C5 of the Federal Office for Information Security in Germany. That's well known.
The second example is the CCM, the Cloud Controls Matrix from the Cloud Security Alliance. And the ISO standard 27017 is also about cloud security.
And the last example here is coming from a user organization, from the Information Security Forum, a collection of user organizations. Without going into too much detail here on this second slide, I show you some examples, some differences between these four standards. Let's talk about the content first. So if you look at C5, the CSA CCM, the ISO standard 27017, or the ISF user guidance on this.
You see they all have, yeah, about 100, maybe 200 security controls, but there are differences: the measures, control objectives or controls, security controls. The ISF is reducing the number a bit. The ISO has some 114 plus seven, because the seven are cloud specific, whereas all the other standards have described general practices and general measures which are also relevant for other IT services, not specific to cloud. Also about the contents.
What is expected, what is the main purpose of delivering these standards? For the C5 it is a proof of conformity: I want to know if it conforms with the standard. CSA is providing compliance, but is not very specific on whom this guidance is provided for. ISO is an implementation-related standard. And the ISF is very different from those. It is about users. It provides user guides, so it's not implementing; it's informing how a cloud service should be secured, how it should be used, and how user organizations can understand if it is used that way.
So there also the audience is different. So the C5 is primarily for auditors, and the ISF is exclusively for the user organizations. The other standards are not very clear about this. So it's for different audiences, but there are also differences in cloud computing services.
There's not only one; there are many, and they offer many different services, and they are different.
The obvious examples of these differences are that they provide different service models. So you know about infrastructure as a service, for instance, platform as a service and software as a service, as an example, although it's much more complicated. You also see the difference here: C5 is very unaware of these service models, whereas the Cloud Security Alliance Cloud Controls Matrix mentions these; the ISO mentions these, and also the ISF. The deployment model is also a difference, because you can have a private cloud.
You can have a public cloud, you can have a hybrid cloud or a community cloud or whatever. There are also differences.
This is in most cases not even mentioned, that these different deployment models exist.
If they are mentioned, then it's very unspecific. So this is the situation, but don't worry if you have not read these standards and you don't know all the details. Here is some, yeah, some proposal for expectations. So it's black and white, but I have different categories from the top to the bottom. First of all, what are we expecting? So from the nature: are we expecting minimal requirements?
Are you expecting comprehensive specifications covering everything? Are you expecting general advice, like on a management level, so that you are able to manage security in this area? Or are you expecting implementation-related things, that is on a technical level, guiding the engineers and the administrators to care for security?
Is it about best practice, where we want to have the recommendation to do something, or are we talking obligations?
You see, there are different options of expectations, and maybe not every standard can meet everything. Usage: also there are differences, there are different options on this. You can establish compliance primarily.
So to get certified, to have this certificate which you can put on the wall, or should the standard provide actionable advice that allows people to implement and care for security? The market could be different, but also the target group: is it primarily for the cloud service provider, so where it needs to be implemented, or primarily for the user organization using the cloud services? And here also, if it is for the cloud service provider, is this for architects, so on a general level, how this is architected, or is it on an engineering level?
So implementation related. The same is for user organizations: is it for the purchasing guys, which allows you to compare different offerings, or the user guide, which guides you how to use this? Yeah. Is it cloud in general or is it specific? So is it specifically describing differences between the service model, the deployment model and other things? These are options. Now it's your turn. So what are you expecting from cloud security standards?
So, and you can, yeah, maybe select something from here, say, okay, minimal requirements would be my choice, or I'm expecting a full and comprehensive specification or whatever. What is the right audience?
Or what is the right target group? Okay. Who will start?
Do the first.
From my perspective, it depends on the role that I have in that ecosystem, what I want to have. And of course, in addition to that, it depends also on the type of service or deployment model, whether I want to have it in more detail or not. Looking at my current employer's situation, we are mostly consuming.
So when it comes to SaaS, for example, I'm not interested in the lowest technical detail. When it comes to IaaS, where we have to maintain the virtual machines and so on, then of course we are interested in the respective standards. So I think there is no clear
Yes, no, but it depends on,
Okay. So just to summarize, you're expecting different standards for different roles. Okay. I think it's not existing. Is that right?
So, okay. We should add something.
Anyone want to add, build on that? Yes. Excellent.
And then it's on the nature. I'm from Holland, and there we had our previous security regulation.
It was general advice. It was the BIR, but it consisted also of an implementation part, and it was good from management level to have the BIR. But when you had to build something and find there in the good practice what should be done, you had the B, and that was the operational guidance.
And I think that's often quite handy for the different target groups, but also, yeah, it's good on a management level to discuss. But when you have to practice it and have to show to the auditors that you complied, you need that other technical level, that operational implementation kind. So sometimes it's handy to have both.
But you think that it should be hierarchical, so starting with general things and then stepping down, so that it's well organized.
So that,
Yeah. But what's, especially if you have those principles or those high-level things, then it's also good to have, for the other target group that you have, those operational guidelines, and that's the only thing where you can audit and you can prove to your auditor. Yes.
I implemented it as asked. So yeah.
You need both documents, I think. Okay.
Yes.
Okay. I also come from Holland. So from my perspective, I believe that, you know, the listed standards which are used by hosting providers, you know, their knowledge is completely different from the users'. And if you see the standards being, you know, for the end users who are utilizing the IaaS, PaaS or SaaS, there's already the other standards, which catch up on it a little bit. So from my perspective, I agree also with the gentleman over there.
So it could be handy to have both, you know, to have this control from both perspectives, but I will also say, you know, keeping the people, the readers' skills in mind as well, because, you know, for users, they don't really care about how many hypervisors you are using or how the fundamental thing works. But for us, it's more vicarious if you host our applications here.
So how can you make that? For example, as to cyber O X friendly, something like that.
Okay. Thank you. Do you think that we can combine information for user organizations and information for IT service providers or cloud service providers in one standard? Would that work? So is it yes or no?
You can, maybe we can vote.
A family.
So it could be something like a standard family, you know, one for the end user, the other for, oh,
A standard family.
That's a good idea. So for different roles, maybe, and different levels of detail, so it can be organized in an architectural manner.
It's not being one sheet, one paper, which you have to read. Okay.
Thank you.
If you like, you can also comment on these standards. For example, I wanted to avoid finger pointing, yeah, so that this is neutral here. So general advice: what are your expectations?
Yes. So I'm from BP and I'm based in London. In my opinion, this should be everything on the right-hand side. I think a technical standard needs to be specific. It needs to be product agnostic, but technically specific. I think if we go with minimum requirements, chances are people would just stick to the minimum requirements just to have a tick in the box.
And also on the implementation guide versus general advice: I think on the management level, they probably won't go down to the nitty-gritties where security standards need to sit. They issue high-level management intent as policies. Whereas if we are building a standard, it has to be kind of translatable into component-level configurations on each of the products. So this is the conduit between management intent and the implementation details. And best practice versus industry standard: I think it has to be an industry standard.
We, as a consumer of cloud services, often have to do security audits of our suppliers. If we give everyone a slightly different way of doing things, this means we have to have full knowledge of how they operate and how they manage. Whereas if we expect everyone meets the same standard, we have a consistent way of doing things. As long as I know that you comply with the standard, I don't need to go even further. So that will make the compliance and attestation a lot simpler as well. That's in my opinion, of course. Okay. Actionable advice. Definitely. Yes.
I mean, it's actually the other way around: you have to get certified against the standard. I wouldn't go with actionable advice, maybe internally, but if we're talking about suppliers and consumers, this has to have a kind of third-party governing body.
Well, I don't think I need to go into any further details, but I think that's my opinion.
Interesting.
Do you think that cloud security standards can cover every type of cloud computing service? Because you want to have it specific, you want to have the implementation level covered and everything.
In my personal view, I think the technology is so fluid, and actually you have so many new things which pop up in the cloud computing area. So I think that definitely needs to be taken into consideration, you know, the evolution of the technology itself.
Okay.
Any other opinion about this? Okay.
So it's a really critical question. That's why I'm asking this. Maybe there's a compromise and a solution for this. So watch out for tomorrow's keynote. We will continue this, and I will specifically come to these questions tomorrow morning. Thank you very much.