Security Requirements Analytics and Design Principles
Security Requirements Analytics and Design Principles
Regulatory compliance and security requirements
Security requirements are derived to prevent breaches of the system and data, and refer to requirements or constraints concerning confidentiality (Confidentiality), integrity (Integrity), and availability (Availability) that affect the protection of data used or generated by the target system.
Security requirements include criteria for controlling system data and functions, operational access, as well as credential and access permission management, data and infrastructure security, and related measures.
When building an information system on the cloud, you must comply with information security laws and guidelines based on the types and attributes of the data the system handles.
Especially public institutions and the financial sector must follow separate cloud adoption guidelines.
Although various security activities are performed within the organization to protect information, systematically managing the extensive information security work areas without omission is a very challenging task.
Therefore, to effectively protect an organization’s information assets from various security threats, a systematic management approach is required.
The information security management system is intended for comprehensive and systematic security management of an organization, and it designs and builds policies, organizational structures, operational measures, and system security frameworks for administrative, technical, and physical security domains.
Based on this framework, organizations can maintain security levels and perform continuous security controls.
Administrative Security Administrative security is a core area that establishes an organization’s security policies, forms a security team, and continuously improves vulnerabilities by preventing security risks through security operations and audits. This serves as the standard for implementing technical and physical security, and is responsible for the organization’s security operations and controls. Administrative security includes establishing security policies and organizational structures, personnel security management, information protection education and training, risk management, asset management, auditing and monitoring, business continuity management, and disaster recovery.
Technical Security Technical security refers to implementing security during the adoption and operation of detailed areas such as hardware, software, and networks, based on security policies. Specifically, we design the security architecture required for IT system operations and perform the deployment, monitoring, and operation of security equipment. Technical security includes system, network, database, Application, and digital content security. The main areas of cloud architecture correspond to this technical security.
Physical Security – Cloud Service Provider Security Physical security is a security domain that safely protects assets requiring protection, such as major facilities and equipment, from physical threats, and ensures stability and continuity. Physical security includes physical security measures, equipment and office protection, data center security, and access control solutions. In on-premises or private cloud environments, users manage physical security themselves, but in public clouds, the cloud service provider manages it.
Cloud service providers maintain physical security levels and demonstrate them through various information security management system certifications.
Establishing and operating an information security management system tailored to a specific purpose helps achieve the fundamental goal of information protection and contributes to securing trust in the organization’s security preparedness.
It also helps the organization comply with the legal regulations of its operational domain.
Various information security management system certifications are offered domestically and internationally to verify the adequacy of security operations, and organizations can obtain them as needed for their work.
The table below presents domestic and international information security management system certifications, including cloud.
| Category | Standard | content | authentication target |
|---|---|---|---|
| international | ISO 27001 | International standards for information security management requirements, including policies, physical security, and access control, in an information protection management system. | CSP provider |
| international | ISO 27017 | International certification scheme that adheres to the security controls and implementation guidelines required for cloud security of cloud service providers (Cloud Service Provider). | CSP provider |
| international | ISO 27018 | An international certification program that provides the controls and guidelines required to ensure the secure processing of personal data handled by cloud services offered by a Cloud Service Provider. | CSP provider, cloud user |
| international | CSA STAR | International cloud service information security certification that evaluates maturity based on the Cloud Controls Matrix(CCM) and grants the STAR(Security, Trust & Assurance Registry) certification. | CSP provider |
| international | ISO 27799 | International certification specialized for medical information protection management systems to legally and securely manage sensitive medical data such as treatment and prescription records. | CSP provider |
| Korea | CSAP | A system to supply cloud computing services that have been verified for safety and reliability to national/public institutions by checking compliance with security certification standards, in order to improve and guarantee the level of information protection, in accordance with the 「Act on the Development of Cloud Computing and User Protection」. | CSP provider |
| Korea | ISMS-P | A system where the Internet Promotion Agency or a certification authority certifies that a series of measures and activities for information security and personal data protection meet the certification criteria. | CSP provider, cloud user |
| Korea | K-PaaS Conformity Certification | The K-PaaS conformity test certification is a system that certifies products or services that support the K-PaaS platform and are extended with additional features. | CSP provider |
| Korea | Financial Security Agency Safety Evaluation | Basic Protection Measures and Safety Assessment Certification for IT Assets and Data Centers | CSP provider, cloud user |
Regulations and certification standards such as the above present security requirements that each organization must comply with when designing, building, and operating information systems.
It particularly outlines the requirements that cloud service providers (CSP) must comply with and the measures users must implement for information security when building information systems in the cloud.
Cloud security threats
Deploying an information system to the cloud means that an organization’s information assets shift into the cloud’s security management domain.
This means that the security domain, which was previously managed within the scope of the on‑premises computer room or data center, is expanding beyond the Internet to the cloud.
The existing security model places security devices at the boundary between the internal network and external network, establishing a trust boundary and is based on a perimeter‑based security model that protects the internal network.
However, as the trust boundary expands from the Internet to the cloud, a perimeter-based security model alone has limitations in blocking security threats.
CSA (Cloud Security Alliance) announces the major security threats that arise in the cloud each year.
The table below lists the major cloud security threats announced in 2024.
| ‘24 ranking | security threat | Explanation |
|---|---|---|
| 1 | Misconfiguration and inadequate change control Incorrect configuration and inadequate change control | Data leakage occurs due to misconfigured data stores and containers, excessive privileges, retaining default credentials and configuration settings without changes, unlimited access ports and services, and lack of proper design and validation. |
| 2 | Identity and Access Management Insufficient ID, credential, access and key management, privileged users | Mismanaged IAM causes data corruption, malicious leaks, supply chain collapse, and reduced business continuity. |
| 3 | Insecure interfaces and APIs Insecure interfaces and APIs | Unauthorized endpoint access due to poorly designed APIs, weak authentication procedures, excessive privilege grants, exploitation of unpatched systems, logical design flaws, and disabled logging and monitoring, leading to cloud resource leakage, deletion or modification, and service disruption. |
| 4 | Inadequate selection/implementation of cloud security strategy Cloud security architecture and insufficient security | When performing a Lift&Shift cloud migration, security issues arise from directly porting existing security features and a low understanding of the shared responsibility model. |
| 5 | Insecure third-party resources Insecure 3rd Party resources | Open-source and API issues security concerns. Apply software security vulnerability assessment and asset identification, resource inspection, SAST/DAST (dynamic/static analysis), etc. |
| 6 | Insecure software development Insecure software development | Implement secure key management and CI/CD application security checks to address security vulnerabilities caused by increasing software complexity. |
| 7 | Accidental cloud disclosure Accidental cloud data disclosure | Rapid cloud migration and expansion can lead to a lack of security governance, resulting in insufficient security transparency for cloud inventory and network exposure, which may cause unintended data leaks. |
| 8 | System vulnerabilities system vulnerabilities | Incidents occur due to zero‑day vulnerabilities, missing security patches, architectural flaws, weak credentials, etc. |
| 9 | Limited cloud visibility/observability Limited cloud visibility | Occurs when you cannot effectively visualize and analyze whether cloud service usage is safe or malicious. Lack of visibility into misuse/abuse by internal staff and cloud resource theft due to external breaches. |
| 10 | Unauthenticated resource sharing unauthenticated resource sharing | Sensitive or critical data may be leaked or damaged due to unauthorized intrusion. |
| 11 | Advanced Persistent Threat Intelligent Persistent Attack | Hackers, criminal organizations, and persistent security threats cause breaches. |