
Page 1

EU Cloud Computing Policy

Luis C. Busquets Pérez

26 September 2017

Page 2

The digital revolution is built on data

[Chart: Potential of the data-driven economy. People employed: 6 million vs. 7.4 million. Most economic activity will depend on data within a decade.]

Ref.: European Data Market Study SMART 2013/0063, available at: http://datalandscape.eu/

Page 3

Pillar 3: Economy & Society

Ensuring that Europe's economy, industry and employment take full advantage of what digitalisation offers.

Creating a European Digital Economy and society with growth potential:

• Digitising industry
• Cloud
• Inclusive digital economy and society
• e-government
• Standardisation & interoperability
• Digital skills
• Data economy

Page 4

What is limiting enterprises from using cloud computing services?

[Chart: Factors limiting enterprises from using cloud computing services, by size class, EU-28, 2014 (*)]

(*) Source: Eurostat, 2014. This can be extended to the Public Sector.

Page 5

Building a European Data Economy

Building a Data Economy:

• Free Flow of Data
• Interoperability and portability
• Liability
• Ownership and access to data

Page 6

FFD (Free Flow of Data) Iceberg

Barriers (the iceberg):

• Data Localisation Restrictions
• Legal Uncertainty
• Lack of Trust

FFD Building Blocks:

• General FFD Principle
• Data Security
• Data Availability
• Data Portability


Page 8

2015 EU28 Cloud Security Conference

• Raise awareness and educate users and SMEs on cloud security.
• Improve the transparency of cloud services: continuous monitoring mechanisms; accountability through, for example, certification and other mechanisms.
• Flexible policy approaches towards cloud security, to allow further technological advancements.
• Data protection: where and how data are stored, accessed, transferred and processed.
• Strengthen cooperation and define clear procurement guidelines built on cooperation between industry and the public sector.

Page 9

Certification Schemes for Cloud Computing (SMART 2016/0029)

Challenge: customers need to know and be assured that their data is equally safe no matter where they are located or who provides the service.

• What security aspects need to be considered in cloud computing to ensure Free Flow of Data and cross-border services?
• What regulation aspects need to be considered / addressed?
• How much would it cost for a European CSP to comply with a certification scheme? And how much would be the cost of no certification?

Page 10

Current Situation

• ISO/IEC: ISO/IEC 17203, ISO/IEC 17826:2012, ISO/IEC 19041, ISO/IEC 19044, ISO 19086, ISO/IEC 19099, ISO/IEC 19831, ISO 19941, ISO 19944, ISO/IEC 20000-1, ISO 22301, ISO/IEC 24760-1, ISO/IEC 2700x family, ISO/IEC 29100, ISO/IEC 29101, ISO/IEC 29115
• NIST: NIST SP 500-299, Draft NIST SP 500-307, NIST SP 800-125, NIST SP 800-144
• CSA: CSA CCM, CSA CTP, CSA A6, CSA CAIQ, CSA TCI, CSA PLA, CSA Attestation – OCF Level 2, CSA Attestation – OCF Level 1, CSA Self-Assessment – OCF Level 1
• OASIS: OASIS TOSCA, OASIS CAMP
• SNIA / DMTF: SNIA CDMI, DMTF DSP0243, DMTF DSP0263
• EuroCloud: EuroCloud Self-Assessment, EuroCloud Star Audit
• TÜV Rheinland: Certified Cloud Service
• ITU-T: ITU-T X.1601, ITU-T X.1631
• AICPA: SOC 1, SOC 2, SOC 3
• Others

Page 11

[Figure. (*) Source: ETSI CSC]

Page 12

03 Current Situation

Standards: ISO 17203, ISO 17789, ISO 19944, ISO 19941, ISO 19086, ISO 19099, ISO 22301, ISO/IEC 24760, ISO/IEC 27000 family (ISO/IEC 27000, ISO/IEC 27001 & ISO/IEC 27002), ISO/IEC 29100, ISO/IEC 29101, ISO/IEC 29115

Control areas:

1. Information security policy
2. Risk management
3. Security roles
4. Security in supplier relationships
5. Background checks
6. Security knowledge and training
7. Personnel changes
8. Physical and environmental security
9. Security of supporting utilities
10. Access control to network and information systems
11. Integrity of network and information systems
12. Operating procedures
13. Change management
14. Asset management
15. Security incident detection and response
16. Security incident reporting
17. Business continuity
18. Disaster recovery capabilities
19. Monitoring and logging policies
20. System tests
21. Security assessments
22. Checking compliance
23. Cloud data security
24. Cloud interface security
25. Cloud software security
26. Cloud interoperability and portability
27. Cloud monitoring and log access

[Coverage matrix: each standard above rated against each control area. Legend: Not covered / Partially covered / Fully covered.]

Page 13

03 Current Situation

Schemes and specifications: Certified cloud service TÜV, OASIS CAMP, SNIA CDMI, OGF OCCI, SAML, OAuth 2.0, OpenID, DMTF DSP0243, DMTF DSP0263, CSA CCM

[Coverage matrix: each scheme above rated against the same 27 control areas (1. Information security policy to 27. Cloud monitoring and log access). Legend: Not covered / Partially covered / Fully covered.]

Page 14

Landscape

• EC Communication (2012): "cut through the jungle of standards"
• #Digital Single Market, #EUdataFF
• Cross-border services
• Digital Agenda 2020
• ENISA CCSL and CCSM (2013)
• Cloud Standardization Initiative – ETSI (Phase I and Phase II)
• ECI

Public and Public-Private Initiatives

• Trusted Cloud (DE)
• Label Cloud (FR)

Regulation

• GDPR
• C5
• ENS
• NIS
• SecNumCloud
• FFD

Page 15

Current analysis of strategies from Spain, Italy, Germany and France

DE – C5 catalogue
• 17 control areas
• Per each control: objective, requirement (basic, additional)
• Relies on int'l standards
• Cloud-specific
• Outcome: attestation, no certificate

IT – PM Decree 2013
• National ICT security certification scheme based on int'l standards
• Not cloud-specific

ES – ENS
• For eAdmin CSPs / digital providers
• Dedicated regulation for cloud issues, whether or not the provider serves the eAdmin
• Systems have categories: low, medium, high
• Low = self-assessment
• Medium/high = audit every 2 years
• Outcome: audit

FR – SecNumCloud
• Certification for CSPs
• Based on ANSSI recommendations and int'l standards
• 2 levels: basic and advanced (^)
• Outcome: label

(^) Requirements for 'Advanced' were not yet published as of 08.09.2017

Page 16

Current analysis of private initiatives: Trusted Cloud, Label Cloud, ESCloud

Trusted Cloud
• German initiative, now also in FR and NL
• Non-profit association
• For SMEs, both CSPs and cloud users
• Own criteria catalogue
• Legally binding self-assessment
• Prices to appear on the listing: 150-300 €/month

Label Cloud
• Initiative by France IT
• For SMEs
• 3 layers (IaaS, PaaS, SaaS)
• 3 levels: initial, confirmed, expert
• Based on NIST and ITIL
• Label valid for 2 (initial), 3 (confirmed) or 4 (expert) years
• Continuous improvement: recertification requires better results than the previous time

ESCloud
• Collaboration of France and Germany
• Label
• 15 core principles
• No mutual recognition between SecNumCloud and C5

Page 17

04 Needs and requirements

Needs and requirements are being gathered by means of online surveys and personal interviews.

• Survey launched end of June, accessible at http://tinyurl.com/cloudcertification
• Low number of respondents, possibly due to the summer period
• Campaign in social networks

Page 18

Main conclusions from Spain

• Mutual recognition should be favoured.
• Consider as best practice the interoperability framework laid down by Implementing Regulation (EU) 2015/1501 (*), specifically Article 10: "Node operators of nodes providing authentication shall prove that, in respect of the nodes participating in the interoperability framework, the node fulfils the requirements of standard ISO/IEC 27001 by certification, or by equivalent methods of assessment, or by complying with national legislation".
• Establish a generic certification on security and then a certification focused on cloud security. Later on, a certification on portability could be considered.
• An EU-wide security certification framework can solve some issues, but specific (legal) requirements will still be requested.

(*) Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015 (eIDAS interoperability framework)

Page 19

Scenarios

Page 20

Next steps

• Continue analysing initiatives by EU Member States, policy initiatives and answers from the survey
• Develop the common security framework: objectives, controls, requirements, mapping to standards
• Detail the impact (economic, regulatory, social) and the next steps for each scenario
• Workshop in December 2017