11

Auditoria de Seguridad ISO/IEC 27000 en la nube ¿Qué debo tomar en cuenta?

Iván Alberto Jaimes Cortés

Consultor Seguridad de la Información

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

2

Agenda

• Cloud, que es? y tipos de cloud

• Características del cloud computing

• Modelos de implantación Cloud

• Triada de la Seguridad

• Beneficios del cloud

• Retos del cloud

• SLA (Service Level Agreement)

• ISO/IEC 27000:2013

• Controles ISO/IEC 27000:2013

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

3

Cloud, que es? y tipos de cloud

• Cloud computing es un nuevo modelo de prestación de servicios de negocio y

tecnología, que permite al usuario acceder a un catálogo de servicios estandarizados y

responder con ellos a las necesidades de su negocio, de forma flexible y adaptativa, en

caso de demandas no previsibles o de picos de trabajo, pagando únicamente por el

consumo efectuado.

Tipos de

Nube

Descripción

Saas Software como servicio, servicio de software o aplicaciones

como Gmail, salesforce, etc

Paas Accede a la nube para usar herramientas y recursos para

desarrollar, probar, administrar y desplegar aplicaciones y

sistemas.

Iaas Accede a la Nube para usar Hardware como servidores

virtuales, almacenamiento y dispositivos de redes como firewall.

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

4

Características del Cloud Computing

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

5

Modelos de implantación Cloud

HÍBRIDA

PÚBLICA PRIVADA

COMUNITARIA

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

6

Triada de la Seguridad

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

8

Beneficios del Cloud

• Reducción de costos

• Mayor disponibilidad

• Menos downtime

• Mayor Escalabilidad

• Mas recursos en el momento exacto que los requiera.

• Eficiencia, menos problemas de TI

• Modificación inmediata de recursos

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

9

Retos en la Nube

• Riesgo del Cloud Provider

– Identificar si el Cloud Provider cuenta con historial positivo en entrega

de servicios

–Reputación del Cloud Provider

–Confiabilidad del Cloud Provider

• La información que se coloca no se encuentra bajo nuestro estricto control

• Dependencia de conectividad ISP

• Latencia en la red

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

10

SLA (Service Level Agreement)

• Un Service Level Agreement (SLA), es un acuerdo escrito entre un proveedorde servicio y su cliente con objeto de fijar el nivel acordado para la calidad dedicho servicio. El SLA es una herramienta que ayuda a ambas partes a llegar aun consenso en términos del nivel de calidad del servicio, en aspectos talescomo tiempo de respuesta, disponibilidad horaria, documentación disponible,personal asignado al servicio, etc.

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

11

ISO/IEC 27000:2013

ISO/IEC 27000 es un conjunto de estándares desarrollados por ISO (InternationalOrganization for Standardization) e IEC (International Electrotechnical Commission), queproporcionan un marco de gestión de la seguridad de la información utilizable por cualquiertipo de organización, pública o privada, grande o pequeña.

ISO/IEC 27002 se conforma por:

14 DOMINIOS, 35 OBJETIVOS DE CONTROL Y 114 CONTROLES

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

12

Controles ISO/IEC 27002

5. Políticas de Seguridad

• Que políticas de seguridad rigen al Cloud Provider?

• Están aprobadas por la dirección?

• Cada cuando las revisan?

7. Seguridad Ligada a los Recursos Humanos

• Al contratar investigan antecedentes de los empleados.

• Se tienen términos y condiciones de contratación?

• Se proporciona concientización en seguridad al ingresar al cloud provider?

• Se tienen sanciones.

• Se cuenta con un proceso de cese o cambio de puesto de trabajo?

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

13

Controles ISO/IEC 27002

9. Control de Accesos

• El Cloud provider cuenta con una política de accesos.

• Tienen un proceso de ABC de usuarios.

• Gestionan los derechos de acceso con privilegios especiales.

• Cuentan con procedimientos seguros de inicio de sesión.

10. Cifrado

• El Cloud Provider cuenta con política de controles criptográficos

• Tiene un proceso para gestión de claves

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

14

Controles ISO/IEC 27002

11. Seguridad Física y Ambiental

• El bunker cuenta con controles de seguridad

• Se tienen controles de seguridad en oficinas.

• Instalación de suministro

• Seguridad en el cableado

12. Seguridad en la Operativa

• Documentación de los procesos internos

• Gestión de cambios

• Gestión de capacidades

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

15

Controles ISO/IEC 27002

13. Seguridad en las telecomunicaciones

• Controles de Red

• Segregación de redes

16. Gestión de incidentes en la seguridad de la Información

• Como trata los incidentes el Cloud provider

• Respuesta a incidentes

• Recopilación de evidencias

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

20

Auditar el uso de la nube

• Planificar la auditoria y determinar áreas a revisar

• Recopilar a través de entrevistas y revisión de documentos

• Documentar señalamientos y discutir con la gerencia

• Preparar y discutir Informe Final

This document may contain brand names, text, graphics or images which are registered trade marks, trade marks, service marks, or trade names of third parties which are owned by their respective owners.© Copyright 2014 Global Lynx, Inc. All rights reserved.This material is property of Global Lynx, Inc (www.globallynx.com). Reproduction in whole or in part is prohibited.

21

Gracias

Iván Alberto Jaimes Cortes