Post on 14-Dec-2015
European Union Agency for Network and Information Security
ENISA and Cloud SecurityDimitra Liveri| NIS ExpertEuroCloud Forum 2015| Barcelona|07-10-2015
2
Securing Europe’s Information Society
Operational Office in Athens
3
Positioning ENISA activities
4
• Benefits of Cloud Computing
• Risks in Cloud Computing
• ENISA Activities in Cloud Security
• ENISA tools
• Risk Assessment for SMEs• Cloud Certification Schemes List
• Next steps
Agenda
5
• Cloud Computing is another way of providing IT services
• Characteristics are- Highly standardized services- Highly standardized SLAs
• Using such a service is outsourcing
• Cloud SLAs are usually much more standardized than in other outsourcing contracts
Cloud Computing is a Business model
6
Cloud is a deployment model
© Google / Conny Zhou
Cloud Computing is a Deployment Model
• Cloud computing is a deployment model
• Information processing- In a shared environment- using shared computing resources
• Resources can be quickly scaled to meet changed demand
• Cloud deployments are usually much more standardized and automated than legacy IT
7
Economies of Scale
• Better ROI
• Cost of security spread to all customers
High Resiliency
• Better back up services
• Better business recovery
Cloud Opportunities
Efficient solutions
• More efficient resource utilization also means cost savings
Standardised solutions
• Better patch management
• Better software update management
• Portable and interoperable
8Presentation Title | Speaker Name
Isolation Failures
• control resides to the cloud provider
Loss of Governance
• Customer cedes some control to the provider (depending on the deployment model)
• This also affects security
Cloud Challenges
Management GUI and API compromise
• Identity and access management are particularly important
• Full access to all resources (keys to many kingdoms)
Data protection
• The CSP usually becomes data processor in terms of DP legislation
• Data processing in datacentres abroad can imply that certain DP requirements cannot be met in the Cloud
9
Public Sector
• Legacy Data
• Legacy Applications
• Legacy Processes
• Special information assurance requirements
NEEDS MORE TIME TO ADOPT
Differences in Requirements for Governments vs. Companies
Private Sector
• Difference depending on the scale i.e. Large companies and SMEs
• Investment from cost perspective
EASIER TO MAKE THE RIGHT DECISION
10
ENISA’s work in the area of Cloud
2009 Cloud computing risk assessment
2009 Cloud security Assurance framework
2012 Procure secure (Security in SLAs)
2013 Critical cloud computing
2013 Incident reporting for cloud computing
2013 Securely deploying GovClouds
2013 Support EU Cloud Strategy
2014 Cloud Certification Meta-Framework
2014 Procurement security in GovClouds
2015 Cloud Security guide for SMEs
http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing
11
ENISA engages the community
ENISA Cloud Security and Resilience experts group
12
Cloud Computing Risk Assessment
Addressed to: public sector, private sector (large companies and SMEs), governmental agencies
13
Risk Assessment in the Cloud
Famous 2009 Guide Updated in 2012 Security Guide for SMEs – 2015
14
Security guide for SMEs
• Small and medium size enterprises (SMEs) are an important driver for innovation and growth in the EU
• Cloud Computing is a means for innovation, but cloud is for the SMEs still a challenge.
• ENISA in this study presents:
- 11 security opportunities (compared to legacy IT benefits)- 11 security risks (compared with legacy IT risks)- 12 security questions for the SME to ask the provider (in one
security “cheat sheet”- 2 comprehensive scenarios- Some legal advice
15
…and online tool
Where you can:
• rate your opportunities from cloud
• rate your risks
• produce a risks map
• get your security questions
16
Governmental Clouds
Addressed to: public sector, governmental agencies
17
Governmental Cloud reports (1/2)
2010: Guide on security and resilience for Governmental Clouds
• Presentation of the security benefits and drawbacks for the public sector to go in the cloud
• First steps need to be done towards taking the decision to go cloud
2013: Good practice guide on how to securely deploy Governmental Clouds
• Definition of a governmental cloud (in a mature market)• State of cloud computing adoption in the EU public sector• Case studies of different approaches in adopting a cloud
solution
18Presentation Title | Speaker Name
Governmental Cloud reports (2/2)
2014: Security Framework for Governmental Clouds
• 4 phases, 10 different steps and the specific actions to be taken in each one
• 4 use case scenarios to find the solutions that better fits each implementation
19
Critical Clouds
Addressed to: private sector, (public sector in some cases)
20
ENISA’s Critical Cloud Study
• First assessment of CIIP aspects of Cloud computing
• Illustrates dependencies and provides examples for failures
• Provides recommendations for Cloud security governance from the CIIP perspective
• Conclusions can be applied to Governmental Cloud usage
21
• Cloud computing incidents could have major impact.
• Large scale incidents should be reported to improve trust
• Public sector and industry should agree on scope and thresholds of reporting.
• ENISA suggests a model for incident reporting of cloud incidents involving CSPs and regulators.
Incident Reporting for Cloud Computing
22
Critical Clouds
Cloud in the Critical Sectors
Cloud supporting Health care systems and services
Cloud supporting eGovernment
Cloud Computing in the Finance Sector
23
• Identification of critical challenges to cloud computing adoption in the Finance sector
• Assess legal and regulatory context (challenges and opportunities) in all member states
• Support industry and understand their uptake – why do some use and some don’t use cloud
• Propose recommendations
Good Practices for the use of Cloud Computing in the area of Finance Sector
24
Cloud Certification
Addressed to: private sector - large companies and SMEs, (public sector and governmental agencies in some cases)
25
The EU Cloud Strategy
“EU should not only be cloud-friendly, but also cloud–active”
“I am pleased that ETSI launched and steered the Cloud Standards Coordination (CSC) initiative in a fully transparent and open way for all stakeholders.”
“...ensuring technical security requirements are mapped onto certification, as ENISA is leading…”
“... we officially launch the platform for public sector cooperation with this "Cloud for Europe" initiative. This is an enormous step forward.…” Neelie Kroes, European Commissioner for the Digital Agenda Oct 2013
Cutting through the jungle of technical standards
Development of model “safe and fair” contract terms and conditions
A European Cloud Partnership to drive innovation and growth from the public sector
The European Commission’s
strategy “Unleashing the
potential of cloud computing in
Europe”
Adopted on 27 September 2012, it is designed to speed up and
increase the use of cloud
computing across the economy
26
ENISA realising the EU Cloud Strategy: Certification
• Strategic objective of EC Strategy: List of voluntary certification schemes
• Cloud Certification Schemes List (CCSL): List of existing certification schemes– 13 Certification schemes included– Powered by ENISA, supported by the EC
and the Cloud Selected Industry Group (C-SIG)
Visit: https://resilience.enisa.europa.eu/cloud-computing-certification
• Cloud Certification Schemes Meta-framework (CCSM): Meta-framework based on existing certification schemes– Mapping detailed ICT security
requirements of the public sector in the EU (11 countries and more will come)
– Matrix will results to be used for procurement
27
How we draw CCSMCountry A
Security objective
Security objective
Security objective
CCSM Security objectives Requirements not covered by CCSM or existing certification schemes remain to be evaluated separately.
Cloud Certification Scheme
Scheme ref Scheme refScheme ref
Scheme ref Scheme refScheme ref
Scheme ref Scheme refScheme ref
Cloud Certification Scheme
Scheme ref Scheme ref
Scheme ref Scheme ref
Security requirement
Security objective
Security objective
Security requirement
Security requirement
Security requirement
Security requirement
Country B
Security requirement
Security requirement
Security requirement
28
Next stepsEx-post analysis of cloud incidents (early 2016)
• EU perspective on ex post analysis (forensics) for cloud incidents: 8 countries(IT, ES, IE, NL, GR, FR, EE, UK): Academia, LEAs, Forensics Specialists, CERTs.
• Challenges, procedures, tools, legal restrictions
ICT in e-Health (2016)
• Challenges and opportunities of ICT deployments in eHealth (medical records, patient records etc)
• Cloud computing use case in eHealth• Big data use case in e Health
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
info@enisa.europa.eu
www.enisa.europa.eu
Thank you and Welcome!