More information about this series at

Transcription

1 Edition <kes>

2 With modern computer technology everywhere, the importance of data integrity and the security of IT systems has increased immensely. Given the complexityand rapid progress of information technology, IT professionals need in-depth knowledge in this field. The series Edition <kes> provides the required know-how, promoting risk awareness and helping in the development and implementation of security solutions of IT systems and their environment. <kes> Journal of Information Security (see bimonthly published by DATAKONTEXT GmbH, covers all subjects from audits and security policies to encryption and access control. It also provides information about new security hard- and software as well as the relevant legislation for multimedia and data security. Furthermore, authors of the journal and the book series Edition <kes> help users in basic and expert seminars to implement information security in a practice-oriented manner (see More information about this series at

3 Eberhard von Faber Wolfgang Behnsen Secure ICT Service Provisioning for Cloud, Mobile and Beyond ESARIS: The Answer to the Demands of Industrialized IT Production Balancing Between Buyers and Providers 2nd updated and extended Edition

4 Eberhard von Faber T-Systems Bonn, Germany Wolfgang Behnsen Erlangen, Germany Edition <kes> ISBN DOI / ISBN (ebook) Library of Congress Control Number: Springer Vieweg Springer Fachmedien Wiesbaden GmbH 2012, 2017 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. Printed on acid-free paper This Springer Vieweg imprint is published by Springer Nature The registered company is Springer Fachmedien Wiesbaden GmbH The registered company address is: Abraham-Lincoln-Strasse 46, Wiesbaden, Germany

5 Foreword Companies can gain a decisive market advantage through information and communication technology (ICT). Clouds providing central computing services, mobile access, networking, and machine-to-machine communication are the basis for processing high volumes of business-relevant data, and are at the core of new business concepts and greater performance in existing ones. ICT is used in almost all businesses to automate business processes and increase speed and quality. This "digitalization" has two major consequences. Firstly, enterprises, authorities and even consumers are much more dependent on ICT. The value of the data being processed is going up and up, while adversaries, including hostile hackers, organized crime and industrial spies, are unfortunately highly motivated and active as well. Secondly, ICT is now a ubiquitous part of everyday life. This increases the attack surfaces that adversaries can, and do, exploit. ICT infrastructures and applications are attacked effectively and both enterprises and consumers suffer considerable losses. Though managers and officials know that they have to invest in protecting their ICT, many stakeholders still consider appropriate security to be inconvenient and expensive. At the end of the day, it is about "which party must do what." Technology, business models and trends in the economy lead to an immense centralization of computing power mastered by large-scale IT production. Cost pressure and other customer demands in turn reinforce the need to deliver ICT services in an industrialized manner. User organizations are increasingly using ICT services from ICT service providers instead of producing these services in-house themselves. They demand reliability and seek trustworthy, dependable suppliers offering secure ICT services: A sufficient level of security is an essential and intrinsic element for the successful digitalization of industries, administration, and our society as a whole. The word "intrinsic" is important here. Users demand reliable ICT services and want to concentrate on making the most of them in their business, requiring the security to be integrated "almost invisibly" and "with ease." Nonetheless, it is up to the user to demand and reimburse the appropriate protection of ICT. In fact, every party in the supply chain must make their contribution to security, since the chain is only as strong as its weakest link. However, this cannot be taken as a given but must be arranged systematically. This 2nd, updated and extended edition of the book presents methods and measures for dealing with information security in today's IT industry that were developed and proven in our corporation, with our customers, and with suppliers and partners. This book is intended to help the reader to implement security measures throughout a complex ICT delivery infrastructure in organizations, pro-

6 vi Foreword cesses and technology, from design to service management, while taking into consideration effectiveness as regards customer requirements, and efficiency relating to costs. The book should also help user organizations to understand the security aspects of ICT provision and to select the correct provider and the correct services in terms of information security. In this way, the workable architecture presented here aims to find a balance between buyers and providers: requirements and deliverables must correspond. Secure ICT Service Provisioning for Cloud, Mobile and Beyond is of utmost concern to both parties. Reinhard Clemens Member of the Board of Management at Deutsche Telekom CEO of T-Systems

7 Preface The task of making ICT services secure is important and mission critical for any ICT service provider paid to deliver secure ICT services for cloud, mobile and beyond. Such providers are challenged to turn requirements into real material security in a way that is verifiable for customers. This puts leading ICT service providers in a very specific and (does it come as a surprise?) very complicated and truly complex situation. The reasons are easy to see. The provider is facing an almost unmanageable multitude of different sets of requirements that are all to be met by its single ICT service delivery infrastructure. Moreover, the provider must produce the ICT services efficiently, which in turn requires as much standardizing and harmonizing as possible. In the past, security was managed in "customer silos." However, security requirements have increased dramatically in number, coverage and depth in recent years. At the same time, the customers of the ICT service provider demand a significant cost reduction while retaining or even enhancing performance and flexibility, and at the same time being provided with more security transparency and assurance. This situation was the starting point some years ago when a number of security managers from T-Systems sat down together with the authors of this book to discuss precisely the issues described above. We decided to take a big step forward. We invented the idea of "industrializing security" or adapting ICT security to an industrialized ICT provision method. That was the birth of ESARIS, the subject of this book. That approach, and its realization, have proven to be very successful. We decided to publish large parts of the work in order to contribute to Secure ICT Service Provisioning for Cloud, Mobile and Beyond. At the same time, we wanted to encourage customers and a wider audience to discuss the concepts and to adopt useful ideas. In this way, the industry should be able to progress in balancing the requirements of user organizations and the measures that are provided by ICT service providers. With the 1st edition of this book, major concepts of ESARIS were published at the beginning of Since then, our corporation has gained more experience in applying the new methods and measures in practice, and has also developed new ones. Four years later, this 2nd, updated and extended edition presents an even more complete set of concepts, methods and measures. It provides deeper insight, improved rationales and more background information. T-Systems Board of Management decided to implement ESARIS in our corporation and initiated a longerlasting program for introducing it in all subsidiaries around the world. This book reports on real-world experience from this Transformation program. Moreover, it considers feedback from our customers as well as experience gained from using

8 viii Preface ESARIS while managing numerous big and complex deals throughout their IT outsourcing phases, including Sales, Manage the Deal, Transition and Transformation, and Operations. Recently, T-Systems initiated the foundation of the Zero Outage Industry Standard association in which technology leaders are aiming to provide the highest quality and security against outages of IT infrastructure. The work in this association and other examples show that ESARIS closed a substantial gap in the literature about information security. ESARIS "takes operational requirements into account and focuses on user requirements, thus facing the reality in the market economy." It addresses efficiency, standardization and quality in the realm of security; and it helps to manage security in large-scale IT production characterized by a high degree of division of labor and specialization. I consider this book an essential contribution to the successful industrialization of ICT: Users require ICT services that are secure, at an affordable cost. Heike Bayerl Vice President of international Security, Compliance & Quality Management T-Systems, IT Division

9 About this book Managing a large-scale IT production is a challenge. Providing information and communication services ( ICT services ) in a secure manner while meeting the security requirements of the user organizations adds further difficulty. The technical solutions including firewall & Co. are, however, not the issue! Large IT organizations must be able to define, communicate and correctly apply thousands of single measures in a large-scale, industrial environment with thousands of employees located in many countries. This is a real problem and this book will provide solutions to this. Moreover, large IT organizations usually have many customers which are supplied with a complex of different ICT services. Hence, the interaction with those customers is a critical success factor for both sides. This book describes concepts, methods and measures which enable ICT service providers to provide secure ICT services in the beginning second half of the information age, characterized by large-scale IT production with rigorous specialization and division of labor along the complete supply chain. This book is for suppliers playing their role in this environment. Even more important, user organizations are given deep insight in secure IT production which allows them to make the best out of cloud, mobile and beyond. The subject of this book is rather new! The architectural approach in this book is one of the first comprehensive ventures providing mainly IT producers with a security toolset to tackle the challenges of upcoming business and production models. The authors abstain from repeating known security practices. The content of this book is rather new, but already tested and proven. The concepts, models and underlying security measures have been developed and deployed by a large ICT company so that this book can also report on practical experiences. The following slide controls may provide further information. Scope Depth Maturity Time-line Sustainability Security features Secure IT Reliable business Society, regulation, privacy Policies, principles, rules Protection, detection, reaction Research (technology, crypto) Products, technologies Directly workable approach Mid-term perspective (strategic) Management (tactical) Immediate effect (nuts & bolts) Low Medium High

10 Trademark notice: All brand names are trademarks or registered trademarks of their respective companies. Product and other names such as Windows, COBIT and ITIL are also trademarks or registered trademarks and the property of their respective owners. All names are only used for identification and explanation in this book without intent to infringe. The use of such descriptive names, registered names, trademarks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. Pictures: All diagrams are owned and copyright by T-Systems.

11 Table of Contents Part 1: Foundation Subject (from pain to pleasure) Challenges Areas of activity beyond Protection, Detection, Reaction Transparency Interfaces and interaction Standardization Solutions Environment Frameworks for ESARIS Perspectives: corporate versus product security Main building blocks and general set-up ESARIS Dimensions ESARIS Work Areas ESARIS Collaboration Model Hierarchy of Security Standards Overview Level 1: Corporate Security Policy Level 2: Corporate Security Rules Level 3: ICT Security Principles Level 4: ICT Security Standards Level 5: ICT Security Baselines ESARIS Concept of Double Direction Standards ESARIS Security Taxonomy Design criteria for the ESARIS Security Taxonomy Structure of the ESARIS Security Taxonomy Areas and the ICT Security Standards at a glance Networks Data center Customer and users Evidence and Customer Relation Service Management Risk Management and Certification Summary of standards and taxonomy Provider Scope of Control... 74

12 xii Table of contents 5 Secured by definition integration with core business (ITSM) ITSM processes and why security must be integrated into them Division of labor between IT and IT security How the integration looks like and actually works Part 2: Core activities Standardization ensuring quality and efficiency Understanding standardization, its necessity and benefits ESARIS Industrialization Concept Dealing with requirements Composition of services ESARIS Security Specification Concept Obstacles towards standardization and solutions Attainment achieving compliance with ESARIS standards Foundation Requirements engineering and elaboration and application of ESARIS standards ESARIS Attainment Levels and verification of compliance Service offering portfolio integration Fulfillment meeting customer demands Foundation IT outsourcing Assurance for customers Contractual evidence Operational evidence Contractual and other changes Flexibility managing the supplier network Roles and types of suppliers Third party integration model Part 3: Implementation Maintenance requirements, documents, improvements Document IDs and more Virtual organization, roles and processes Library, versions and consistency Protecting intellectual property Transformation implementing ESARIS sustainably Mission: induce a massive change Approach: ESARIS Maturity Level and master plan Enablement: training and communication Voyage of ICT services

13 Table of contents xiii 12 Implementation IT production and its protection in practice Evidence and Customer Relation Match (Im)Prove Correct Accomplishing security Service Management Plan Build Change Accomplishing security Stocktake Assemble Preserve Accomplishing security ICT Service Access Transportation Customer side and endpoints Connectivity Securing transportation Securing workplaces Securing connectivity IT Service Production The lower IT stack IT management and data center premises Applications Securing the lower IT stack Securing IT management and data center premises Securing applications Risk Management and Certification Routine day-to-day security management using ESARIS Fourteen tasks for managing security using ESARIS Three ways of verifying compliance with security standards A number of tips to deal with trouble and confusion Buyers and providers: joint security management Conclusion Annexes A Authors and acknowledgement B Glossary (terms and definitions) B.1 Fundamental terms B.2 Terms relating to security organization B.3 Terms relating to difficulties and restoration B.4 Major concepts and models at a glance C Literature D Abbreviations E Index

14 xiv Table of contents Overview: Fig. 1 below provides a quick point of reference. Front matter Part 1: Foundation 1. Introduction: from pain to pleasure Challenges Beyond Protection, Detection, Reaction Solutions Part 2: Core activities Part 3: Implementation 10. Maintenance: documents and more Naming conventions and assignments Document management Library, versions, consistency etc. Protecting intellectual property Annexes Foreword Preface About this book Contents 6. Standardization: quality and efficiency Necessity and benefits ESARIS Industrialization Concept ESARIS Specification Concept Obstacles and solutions Authors and acknowledgement 2. Scope and environment Perspectives; governance, frameworks Enforcement Framework for ESARIS Endorsement Framework for ESARIS 11. Transformation: sustainable roll-out Subject: induce massive changes Approach: levels, master plans etc. Enablement: Training and communication Voyage of ICT services 7. Attainment: comply with standards Foundation and overview From requirements all the way to ESARIS Attainment Levels Service catalog integration Literature 3. Building blocks and general set-up ESARIS Dimensions and Work Areas ESARIS Collaboration Model Hierarchy of Security Standards Concept of Double Direction Standards 12. Implementation: secure ICT in practice Evidence and customer relation Service Management ICT Service Access ICT Service Production Certification and Risk Management 8. Fulfillment: meet customer demands IT-outsourcing: phases and actions Assurance: contractual evidence Assurance: operational evidence Contractual and other changes Glossary Fig. 1: Structure of this book 4. ESARIS Security Taxonomy Design criteria Structure Areas and ICT Security Standards Provider Scope of Control 13. Routine: security management Central activities due to the use of ESARIS Three ways of verifying compliance Dealing with trouble and confusion Joint security management 9. Flexibility: manage supplier networks IT industry: roles and deliverables ESARIS Third Party Integration Model Summary Index 5. Integration with core business (ITSM) Secure by definition IT business units versus IT security Hands-on integrations 14. Conclusion Development of IT, IT security and ESARIS