PiTuKri - The Finnish Criteria for Assessment of Information Security of Cloud Services

Division of information security responsibilities in Finland

The security of communications connections and services is the responsibility of the Ministry of Transport and Communications.

The Ministry of Finance is responsible for the steering and development of the state's information security.

The Foreign Ministry is responsible for international information security obligations.

Information classification 2020->

TL IV (restricted)

TL III (confidential)

TL II (secret)

TL I (top secret)

Salassa pidettävä

(~classified)

Information classification 2020-> aggregation of information

TL IV (restricted)

TL III (confidential)

TL II (secret)

TL I (top secret)

Salassa pidettävä

(~classified)

A national information security authority, whose duties consist of:

• Collecting information on information security violations and threats.

• Informing on information security related matters and the performance of communication networks and services;

• Solving information security violations and threats against networks, communications and value-added services;

• Steering and supervision of telecommunications operators' information security management and preparedness;

• Information assurance matters related to the handling of classified information in electronic communications;

• Supervising the responsibilities related to confidentiality of electronic communications.

The National Cyber Security Centre (NCSC-FI)

Security services of the NCSC-FI

Situational awareness and network coordination

Detection and assistance

Other authoritative services

Assessments and accreditations

Accreditation of information systems: for governmental organisations' information systems that are related to fulfilling international information security obligations.

For the systems of companies that participate in international competitive bidding and need accreditation from a National Communications Security Authority.

Assessments and accreditations of cryptographic products

For products intended to be used in protecting national or international classified information.

Assessment services: for the information systems under the command of the authority, or systems planned to be procured for such use.

For information systems under the command of the authority based on the request from the Ministry of Finance.

Finnish Communications Regulatory Authority's security assessment and accreditation services support the proactive and preventive security work and actions.

Information security advisory service

The purpose of the information security advisory service is to guarantee awareness of cyber threats and possible resolutions in the operational environment within the organisations.

The focus and the scope of the support is determined in cooperation with the client case-by-case.

NCSC-FI serves public administration and organisations critical to the security of supply with providing advice on information security related matters.

NCSC-FI and the cloud

Both the government and actors within the critical infrastructure have expressed a great need for cloud services

Cost benefits

Scalability

Packaged products and services

Versatile outsourcing options

NCSC-FI works proactively to avoid common security challenges of the cloud

On Cloud security

Basis on Risk Management

Perfectly secure (cloud) services do not exist; some residual risk always remains

Secure cloud == a service, where the residual risk is proportionate to the use case and protected information

A cloud system with weak security might suffice for some use cases, others may require hardened systems or national cloud systems. Cloud may not be an option at all for some use cases


Security Needs to Be Measurable

What is secure enough?

How reliable are the protections against

Common risks

Technology specific risks

Use-case specific risks

Measuring these effectively requires the use of a framework, i.e. criteria


Evaluating the Applicability of Criteria through Use Cases

A use case describes how a target group uses the criteria to achieve a goal.

Example: the use case of the Finnish national audit criteria Katakri 2015

An assessment by a security authority, with the goal of gaining assurance of the ability of the target to protect classified information

Need for a criteria tailored for cloud systems

Common risks, cloud risks, use cases

Avoiding misunderstandings


Criteria to Assess the Information Security of Cloud Services (PiTuKri)

Background

2020 – 2025 – 2030 – 2040?

Foresight on future technologies and phenomena at Traficom

Studies emerging phenomena in the digital society

Helps authorities and corporations in preparing for the future

Provides data to support decision making, proposals for the management, as well as tangible solutions

Myriad Work Themes

Promoting secure technology development (e.g. IoT and cloud services)

5G security

https://5gcyberhack.fi/

Digitalisation of traffic

Future financial services

Open data

Satellite services and technologies

Secure Cloud Services

Needs of citizens and small businesses

Coming later

Needs of authorities

Criteria to Assess the Information Security of Cloud Services (PiTuKri)

Goals

Improve protection of non-public information of the authorities, when data is being handled in cloud based environments

Tool for evaluating security of cloud based services

Support authorities’ risk management work

Support the implementation of the Ministry of Finance's guidelines on public sector cloud use and make them more tangible

PiTuKri – Design Principles

Fulfilling National Needs Efficiently

National needs of Finland

Data classification, legislation changes

Must work for various kinds of organizations

Risk based, different ways to fulfill requirements

Use of and compatibility to pre-existing frameworks

BSI C5, CSA/CCM, ISO 27001, ISO 27017, Katakri 2015, guidelines/criteria of international communities of authorities

Finding balance between not too specific and not too generic

Wishes on Detailed Checklists..

"A detailed checklist for cloud service X using service model Y for service Z"

E.g. 6 services * 3 models = 18 criteria

Add the 5 most common SaaS services per cloud: 18 + 5 * 6 = 48 criteria

Add data on cloud specific functionalities -> 100+ criteria (and more each year)

Add criteria for different service components, development, deployment, maintenance, ...

.. with Broad Applicability

"A high-level criteria that can be used with different services and use cases"

Applicability for various needs

Requires more competence from the users of the criteria

PiTuKri – The Approach

Risks faced by cloud services separated by

Service model (IaaS, PaaS, SaaS, ...)

Implementation model (private cloud, public, combination, ...)

Service provider (authority or company within Finland, EU/EEC, other)

Physical location of data including management (FI, EU/EEC, other)

...and by type of protected information

Security classification (restricted, confidential, ...) and data owner/type

Personal information (GDPR boogeyman)

Effect of large amounts of above information available in one place

Information/service availability for preparedness reasons

Who is the adversary?

Structure

10 sections

Section 1, framework conditions

Determines whether it’s possible to continue the evaluation based on risks, i.e. is cloud even an option for this use case and what kind of general conditions are needed

Sections 2-10, collections of controls that reduce the risks associated with cloud based services in the areas of

Security management (administrative)

Physical security

Information assurance

Finding balance between simple-to-follow explicit criteria vs. more generic criteria, and categorization of requirements

Section 1, Framework conditions

Data type | Service type | Physical location | CSP | Additional information

Public | No limitations | No limitations | No limitations | The focus of assessing the applicability of security measures is on securing sufficient integrity and availability.

Classified ("Salassa pidettävä") | No limitations | No limitations | No limitations | If the information does not contain personal data.

Personal data | No limitations | Areas enabled in compliance with the regulations | No limitations | The service entity must meet the requirements of the specific legislation that governs the protection of personal data (including GDPR).

TL IV | No limitations | Finland | National | Foreign authorities shall not have direct or indirect access to the information. The restrictions concerning the physical location also cover administration, backup and maintenance. Security clearance for the CSP.

Aggregate of classified data (TL III) | Private/community | Finland | National | Similarly to above. Need to know emphasized. Detection of mass queries of data.

Aggregate of TL IV (TL III) | Private/community | Finland | National | Similarly to above.

Preparedness | No limitations | Finland | National | The information must be accessible even under exceptional circumstances. The management of the information must be possible entirely within national borders.

TL III / II | Private/community | Finland | National | Foreign authorities shall not have direct or indirect access to the information. The restrictions concerning the physical location also cover administration, backup and maintenance. Security clearance for the CSP. Additional requirements from Katakri.

Example control

PiTuKri - Usage

Built to support various types of cloud services and usage scenarios

Evaluating security of cloud based services

Cloud service provider’s own information security work

Generic: can be applied to different scenarios

Service model (IaaS, ...)

Specifics of the cloud service provider

Specifics of the application/service

Risk-based Appropriate Use

Risk assessment

Each authority is responsible for the security of their information systems

Ensuring coverage and reliability of evaluation

Risk based handling of evaluation findings

Appropriate use

Interpretation of the criteria based on requirements for the specific use case

Some weaknesses may be compensated with controls on another level (platform vs. application controls)

Pick and choose!

PiTuKri – Relation to Other Frameworks

National data classification as a driver

Contents based on international and national public frameworks

BSI C5, CSA/CCM, ISO 27001 & 27017, Katakri 2015

The required protections and controls are strongly linked to the nature and classification of the data

This was already a common practice in the interpretation of requirements

Other certifications can support compliance efforts

Evidence for the compliance can sometimes be supported by other frameworks and certifications

Cross-comparison tables coming later

Case-by-case decision on applicability of previous evaluations

Level of information assurance required

But

Different frameworks and certifications measure dissimilar things

E.g. hard compliance against minimal requirements set by an information owner vs. risk-based certification within the scope of an information security management system

Variance in certification scope

Different requirements on the assurance in the protection of classified data

Verification methods vary greatly in granularity and depth

PiTuKri – The Future

Continuous development

Version 1.0 published in Finnish in May 2019

Swedish and English versions are being translated; publication expected in fall 2019

Development continues

Collecting feedback and requests

Update to be expected Q4/2019 or early 2020

Support tools and extra information

Evaluation tool (May 2019)

Cross-comparison (fall 2019)

Use case examples (fall 2019)

Feedback welcome! ncsa (at) traficom (dot) fi

Thank You! https://www.ncsa.fi

ncsa (at) traficom (dot) fi