Certification Schemes for Cloud Computing


Page 1: Certification Schemes for Cloud Computing - ec.europa.euec.europa.eu/information_society/newsroom/image/document/2017-51/... · Certification Schemes for Cloud Computing DSM Cloud

WE CAN DO SO MUCH TOGETHER

Certification Schemes for Cloud Computing DSM Cloud Stakeholders kick off meeting

Leire Orue-Echevarria TECNALIA December 12th, 2017

SMART 2016 / 0029

Page 2

Agenda

01 Context
02 Approach
03 Security framework
04 Scenarios
05 Next steps

Page 3

01 Context and Motivation

What is limiting enterprises from using cloud computing services?

Chart: Factors limiting enterprises from using cloud computing services, by size class, EU-28, 2014 (*)

(*) Source: Eurostat, 2014

This can be extended to the Public Sector

Page 4

01 Context and Motivation

Key indications to create new strategies and policies for the adoption of cloud computing (*)

– Raise awareness and educate users and SMEs on cloud security.
– Improve the transparency of cloud services: continuous monitoring mechanisms, accountability through, for example, certification and other mechanisms.
– Flexible policy approaches towards cloud security to allow further technological advancements.
– Data protection: where and how data are stored, accessed, transferred and processed.
– Strengthen cooperation and define clear procurement guidelines built on cooperation between industry and public sector.

(*) Source: 2015 EU28 Cloud Security Conference

Page 5

01 Context

Customers need to know and be assured that their data is equally safe no matter where they are located or who provides the service

– What security aspects need to be considered in cloud computing to ensure the free flow of data, including across borders?

– What regulation aspects need to be considered / addressed?

What should be the role of the EC?

Page 6

01 Context

Plethora of standards, schemes and other relevant frameworks

ISO: ISO/IEC 17203, ISO/IEC 17826:2012, ISO/IEC 19041, ISO/IEC 19044, ISO 19086, ISO/IEC 19099, ISO/IEC 19831, ISO 19941, ISO 19944, ISO/IEC 20000-1, ISO 22301, ISO/IEC 24760-1, family of ISO/IEC 2700x, ISO/IEC 29100, ISO/IEC 29101, ISO/IEC 29115

NIST: NIST SP 500-299, Draft NIST SP 500-307, NIST SP 800-125, NIST SP 800-144, NIST SP 800-53

CSA: CSA CCM, CSA Star, CSA PLA, CSA Attestation - OCF Level 2, CSA Attestation - OCF Level 1, CSA Self-Assessment - OCF Level 1

OASIS / SNIA / DMTF: OASIS TOSCA, OASIS CAMP, SNIA CDMI, DMTF DSP0243, DMTF DSP0263

ITU-T: ITU-T X.1601, ITU-T X.1631

AICPA: AICPA SOC 1, AICPA SOC 2, AICPA SOC 3

Others


Page 8

02 Approach

Analysis covering: Standards, Frameworks, Schemes, Public Initiatives, Private - Public Initiatives, Policy, Market Adoption, Stakeholders


Page 10

02 Approach

Analysed 20+ security- and cloud-related schemes and compared them with the ENISA CCSM

Page 11

02 Approach

Example of coverage summary

Legend: Not covered / Partially covered / Fully covered

Columns: Scheme 1, Scheme 2, Scheme 3, Scheme 4, Scheme 5, Scheme 6, Scheme 7, Scheme 8, Scheme 9

Rows (ENISA CCSM security objectives):
1. Information security policy
2. Risk management
3. Security roles
4. Security in supplier relationships
5. Background checks
6. Security knowledge and training
7. Personnel changes
8. Physical and environmental security
9. Security of supporting utilities
10. Access control to network and information systems
11. Integrity of network and information systems
12. Operating procedures
13. Change management
14. Asset management
15. Security incident detection and response
16. Security incident reporting
17. Business continuity
18. Disaster recovery capabilities
19. Monitoring and logging policies
20. System tests
21. Security assessments
22. Checking compliance
23. Cloud data security
24. Cloud interface security
25. Cloud software security
26. Cloud interoperability and portability
27. Cloud monitoring and log access

Page 12

02 Approach

Available standards tackle many issues, but this requires going through different certification / attestation processes

The depth to which security aspects are covered varies from standard to standard


Page 14

02 Approach

Analyzed strategies from the governments of Spain, Italy, Germany, France, Latvia

DE – C5 catalogue
• 17 control areas
• Per each control: objective, requirement (basic, additional)
• Relies on int’l standards
• Cloud-specific
• Attestation
• No certificate

IT - PM Decree 2013
• National ICT security certification scheme based on int’l standards
• Not cloud-specific

ES - ENS
• For eAdmin CSP / digital providers
• Dedicated regulation for cloud issues, providers or not of the eAdmin
• Systems have categories: low, medium, high
• Low = self-assessment
• Medium/high = audit every 2 years
• Audit

FR - SecNumCloud
• Certification for CSPs
• Based on ANSSI recommendations and int’l standards
• 2 levels: basic and advanced (^)
• Label

(^) Requirements for ‘Advanced’ are, as of 08.09.2017, not published

Page 15

02 Approach

Different maturity levels of public sector initiatives in EU28

Different approaches: from market driven to highly regulated scenarios

Different levels of granularity

Harmonisation at EU level is considered necessary


Page 17

02 Approach

Analyzed (cross-border) public-private initiatives: Trusted Cloud, Label Cloud, ESCloud, Zeker Online

Trusted Cloud
• German initiative, now onto FR and NL
• Non-profit association
• For SMEs, both CSPs and cloud users
• Own criteria catalogue
• Legally bound self-assessment

Label Cloud
• Initiative by France IT
• For SMEs
• 3 layers (IaaS, PaaS, SaaS)
• 3 levels: initial, confirmed, expert
• Based on NIST and ITIL
• Label for 2 (initial), 3 (confirmed), 4 (expert) years
• Continuous improvement, so recertification obliges to obtain better results than the previous time

ESCloud
• Collaboration of France and Germany
• Label
• 15 core principles
• No mutual recognition between SecNumCloud and C5

Zeker Online
• 2 pillars: legal and infrastructure
• Covers the whole service stack
• Based on standards
• Audit

Page 18

02 Approach

Cross-border efforts are commendable

However, mutual recognition is still not sufficiently addressed

Duplication of efforts?


Page 20

02 Approach

Survey: 28.09.2017 – 15.11.2017

Reopened and accessible through: http://tinyurl.com/cloudcertification

494 respondents, but only 200 answers were 100% complete; only these have been retained for analysis

Page 21

02 Approach

Respondents by country:
Austria: 4,17%
Belgium: 8,33%
Bulgaria: 0,69%
Croatia: 1,39%
Cyprus: 0,69%
Czech Republic: 0,00%
Denmark: 1,39%
Estonia: 1,39%
Finland: 1,39%
France: 10,42%
Germany: 18,75%
Greece: 2,08%
Hungary: 0,00%
Ireland: 1,39%
Italy: 6,25%
Latvia: 2,08%
Lithuania: 0,00%
Luxembourg: 0,69%
Malta: 0,00%
Netherlands: 9,03%
Poland: 0,69%
Portugal: 0,69%
Romania: 1,39%
Slovak Republic: 2,08%
Slovenia: 1,39%
Spain: 8,33%
Sweden: 1,39%
United Kingdom: 5,56%
Other: 8,33% (Switzerland, US, Chile, South Korea and Israel)

Page 22

02 Approach

Respondents by type:
Cloud Service Provider: 34,72%
Cloud Service Consumer: 40,28%
Public Authority: 8,33%
Certification authority: 11,11%
Standardization body: 5,56%

Page 23

02 Approach Conclusions from the survey

A certification scheme would increase the adoption of cloud computing (79,2% of the respondents)

56,94% believe that there should be one certification scheme per service layer

56,94% are aware of initiatives; ISO 27001, C5, CSA Star, LEET security, Trusted Cloud and SecNumCloud are the most named ones

59% are aware of cross-border initiatives as well as good practices in cloud security

45% are aware of policy initiatives on cloud

Page 24

02 Approach Conclusions from the survey

Chart: Actions to reduce fragmentation. Options: Self-regulatory industry initiatives; Foster mutual recognition of existing national initiatives; Create a European-wide certification framework; None of the others. Bar values shown: 6,25%, 10,42%, 26,39%, 32,64%, 16,67%, 7,64%.

Page 25

02 Approach Conclusions from the survey

Provider of a certification scheme should be either an independent standardization body or an accredited institution (27.78% vs. 26.39%)

Jurisdiction of the certification should be at EU-level


Page 28

02 Approach Conclusions from the survey

Problems faced when dealing with a certification:
– Lack of mutual recognition of certificates across Member States: 16,38%
– Too expensive to obtain the certification as well as to maintain it: 11,21%
– Few economic benefits: 18,10%
– Certification process is too long: 12,07%
– Certification process is not transparent: 6,90%
– Lack of dedicated certification schemes for cloud security: 12,07%
– Diversity of processes / schemes depending on the countries or sectors where the service is offered: 15,52%
– Other: 7,76%

Page 29

02 Approach Conclusions from the survey

Cost to obtain and maintain a certification is reported to be between 10,000 € and 100,000 €

Recertification / renewal is mostly every 1-3 years

Certification is thought to prevent security incidents; such incidents have occurred to 30% of the respondents, with an economic impact of less than 100,000 €, although most respondents have not quantified it

Current fragmentation is a barrier to getting a certification (65%)

Page 30

02 Approach Conclusions from the survey

The public sector and the EC should:
– Lead and contribute to the definition of a security certification scheme, reusing and harmonizing existing initiatives
– Set standards and applicable legislation
– Be a promoter and influencer

CSP procurers of the public sector should be certified (92%)


Page 32

02 Approach Market adoption

Compliance / accreditations by the Top 50 CSPs (XaaS)

Page 33

02 Approach Market adoption

Compliance with Member States’ requirements

Page 34

02 Approach Market adoption

Adoption of ISO 27001 (*)

(*) source: http://isotc.iso.org/livelink/livelink?func=ll&objId=18808772&objAction=browse&viewType=1



Page 37

02 Approach

Policy landscape (diagram):
– EC Communication (2012): “cut through the jungle of standards”
– ENISA CCSL and CCSM (2013)
– Cloud Standardization Initiative – ETSI (Phase I and Phase II)
– DSM Cloud Stakeholders
– ECP
– C-SIG
– Regulation: GDPR, NIS, ePrivacy
– Policy: #DigitalSingleMarket, #EUdataFF, Cross-border services, eGov Action Plan, Digitising the European Industry

Page 38

02 Approach Policy

As regards the Data Economy and the free flow of data, relevant advances have been made, but additional harmonized effort is still needed to reach the DSM and address existing barriers to the free flow of data across borders and sectors.

There is a need for more coordinated efforts in order to launch a new harmonized regulation, regulating aspects such as how to classify and certify providers of digital services or how to ensure that the free flow of data is possible.


Page 40

03 Security Framework

Process followed:
1. Determine (cloud) security controls and categories
2. Match existing standards / schemes with these controls: ISO 27002, C5, CSA CCM, NIST 800-53, ENISA CCSM
3. Gap analysis (as-is vs. should-be)
4. Recommendations

Page 41

03 Security Framework

Process followed: 19 categories defined (1/2)

EC-CLOUD CATEGORIES
1. Information Security Policies
2. Personnel & Training
3. Asset Management
4. Identity & Access Management
5. Cryptography & Key Management
6. Physical Infrastructure Security
7. Operation Security
8. Communications Security
9. Procurement Management
10. Incident Management

Page 42

03 Security Framework

Process followed: 19 categories defined (2/2)

EC-CLOUD CATEGORIES
11. Business Continuity
12. Disaster Recovery
13. Compliance
14. Security Assessment
15. Device Management
16. Interoperability & Portability
17. System Security & Integrity
18. Change & Configuration Management
19. Risk / Threat / Vulnerability Management

Page 43

03 Security Framework

Initial findings

Certification schemes cover different aspects with different levels of granularity and requirements

A harmonized certification scheme would increase trust in CSPs


Page 45

04 Scenarios

Scenario 1: Market Driven
Scenario 2: Best Practices
Scenario 3: EU Common Legal Framework
Scenario 4: Certification Framework
Scenario 5: Common Highly Regulated Framework

Axes of the diagram: Legal Requirements, Technical Requirements

Options considered:
1. Mutual recognition
2. Promotion of an existing initiative to EU level
3. From scratch

Page 46

04 Scenarios

For each scenario, we have identified:
– Pros
– Cons
– Best practices
– Agents involved
– Additional content required

Next, identify:
– Impact: regulatory, social, economic
– Governance model
– Include the findings from the security framework


Page 48

05 Next steps

Gather more evidence from stakeholders

Finish the development of the security framework

Identify the impact (regulatory, social, economic) of each of the identified scenarios at EU-level

State recommendations and potential roadmap

Page 49

Visit our blog:
http://blogs.tecnalia.com/inspiring-blog/
www.tecnalia.com

Leire Orue-Echevarria Arrieta, MBA, PhD
División ICT / ICT Division, IT Competitiveness
[email protected]
C/ Geldo. Parque Tecnológico de Bizkaia, Edificio 700, E-48160 Derio - Bizkaia (Spain)
Tel: 902 760 000 *. Tel: +34 946 430 850 (International Calls). Mob: +34 664 103 005