Add and Update Cloud References

[mmccool]

The following references may need to be added to Security and Privacy Guidelines:

• SP 800-53 Rev. 5 - Security and Privacy Controls for Information Systems and Organizations
• Implementing the Cloud Security Principles

[mlagally]

https://www.ncsc.gov.uk/collection/cloud-security/implementing-the-cloud-security-principles

[mmccool]

The UK document is almost like a blog article than a citable document, unfortunately. At any rate we probably should cite the whole thing: https://www.ncsc.gov.uk/collection/cloud-security We should probably also look at what it cites in turn. Although it has some weird self-references, too.

[mmccool]

Also, I note the NIST reference is for "Information Systems" which is quite broad, but we consulted with them specifically on considerations for IoT system, which would be more focused. Also, these are "national" documents, international ones might be better (e.g. ISO). If do cover national standards, we should have a semi-complete list, including e.g. EU, Canada, etc. Impossible (nearly) to be complete for national standards, so these should be "e.g." citations, and "Compliant with national standards such as ...".

[mmccool]

There is this ISO standard, which is under development but will be published in June. It specifically refers to IoT Security and Privacy: ISO 44373. There is a more general ISO standard for Data Privacy also: ISOIEC-27001. However, ISOIEC-27001 is not one standard, but dozens. SOME may be applicable.

[JKRhb]

For Europe, the ETSI standard EN 303 645 for Consumer Internet of Things devices is probably also relevant.

[mmccool]

So probably best to focus this on IoT/Cloud integration, but the above references are about the broader context of cloud security. So we probably want to look for better, more focused references for IoT-Cloud integration. Second we probably want to think about specific threats and risks for cloud integration but that can be a separate issue... https://github.com/w3c/wot-security/issues/228

Also, I think we should deal with the "Terminology" reference above separately and focus in this issue on finding an including a good reference for IoT-Cloud integration security.

[mmccool]

Some possible references:

• https://www.trendmicro.com/vinfo/us/security/news/internet-of-things/a-security-guide-to-iot-cloud-convergence (but... just a blog post)

[mahdanoura]

I found the following IoT security standards, which do not focus on cloud-IoT integration:

• NIST IR 8228: assist users in better understanding and managing the cybersecurity and privacy risks associated with individual IoT devices
• NIST IR 8259: assist IoT device manufacturers to improve the security of their IoT products
• ENISA Baseline Security Recommendation for IoT: creates cybersecurity guidelines for both consumers and IoT manufacturers, with focus on critical infrastructures
• ETSI EN 303 645 - V2.1.1: covering consumer IoT devices for device manufacturers
• OWASP IoT Security Guidance: top 10 lists of IoT vulnerabilities to help manufacturers, developers, and consumers better understand IoT security risks
• Code of Practice by the UK Government: secure by design approach