Security frameworks for Gov Clouds: A Technical Analysis

Transcription

1 Security frameworks for Gov Clouds: A Technical Analysis Dimitra Liveri EU Network and Information Security Agency (ENISA) Dr. Jesus Luna CSA EMEA Technical University of Darmstadt TUDA

2 Agenda Previous work on Governmental Clouds in ENISA Overview of GovClouds in the EU Governmental Clouds a definition Security Framework Methodology Structure Examples and mapping Conclusions and recommendations 2

3 ENISA work on Governmental Clouds 2010: Guide on security and resilience for Governmental Clouds Presentation of the security benefits and drawbacks for the public sector to go in the cloud First steps need to be done towards taking the decision to go cloud 2013: Good practice guide on how to securely deploy Governmental Clouds Definition of a governmental cloud (in a mature market) State of cloud computing adoption in the EU public sector Case studies of different approaches in adopting a cloud solution 3

4 Governmental Clouds in Europe September 2013 (red = private, yellow = public., blue = community) 4

5 Definition of Governmental Cloud Governmental Clouds: cloud services and systems that support public administration services General characteristics Governance and control by government or public body Ownership and management by government or public body Due diligence by government or public body Compliance with national laws 5

6 Governmental Clouds 2014 Security framework for Governmental Clouds, 2014 ENISA suggests a security (and privacy) framework for the public administration to adopt cloud computing The framework presents the 4 phases (PDCA) 9 activity domains-16 security steps from the pre-procurement phase till the finalization of the contract and exit The framework is build on 4 use cases real cases-of Cloud implementation in the EU, and provides examples of approaches for each of the phases (countries: UK, ES, GR, EE) 6

7 Methodology (1/2) 1- Desktop Research Early stage of deployment Security and Privacy are key factors for Gov Cloud adoption Shortage of pilots/practical experiences (i.e. Cloud4Europe) Security challenges include certifications, SLA s, and risk models. Lack of security frameworks. 2- Security Framework (1 st version) Based on desktop research. Initial MS Gov Cloud analysis. 7

8 Methodology 3- Security Framework (2 nd version) Surveying and identifying four Gov Cloud use cases from MS (i.e., Estonia, Greece, Spain, and United Kingdom). The use cases were selected for being representative of Gov Cloud adoption. 4- Security Framework (Final version) Organized as a security life cycle (Plan-Do- Check-Act or PDCA). Separate the phases in activities and the activities in steps 8

9 Main elements of the framework Questionnaire Templates Logic Model Reference Implementations Gov Cloud Security Framework 9

10 Roles Cloud Owner relates to the organization that legally owns the Gov Cloud and defines policies and requirements. Cloud Service Provider (CSP)is the organization that provides Cloud services to the GovCloud and takes responsibility for making them available to the Cloud Customers. Cloud Customeris the organization/public administration using the Cloud services provided by the CSP through the Cloud Owner. 10

11 Logic Model Each phase of the PDCA is sub-divided in sample tasks/actions reflecting the requirements of a country s public administration. Supported by visual workflows, and assessment questionnaires. 11

12 Questionnaire Templates Template organized in PDCA-Phases and Steps Assessment questions designed to support Gov Cloud stakeholders 12

13 Reference Implementation Our study provides empirical validation of the developed GovCloud security framework, by applying it to the selected MS use cases of: Estonia, Greece, Spain, and United Kingdom. The report visually presents the different approaches each country took according to their needs and national security requirements 13

14 Mapping Gov Clouds to the framework 14

15 Mapping Gov Clouds to the framework 15

16 Conclusions and recommendations Despite the considerable efforts (e.g., EC and ENISA), the level of MS GovCloud adoption is still low. Common security denominators exist across the MS deployed Gov Clouds e.g., defined roles, and use of standards. However, our analysis also shows different security practices in e.g., accreditation procedures, and SLA management. Analyzed GovClouds have established policies for incident management. Adopted approaches are usually covered at the design stage (PLAN-DO phase). Need to define baseline security controls based on the selected service/deployment model 16

17 Contact us Dimitra Liveri, Marnix Dekker, Cloud security at ENISA, For more information see ENISA s website: Follow ENISA s twitter Follow ENISA: European Union Agency for Network and Information Security