Current Cloud Certification Challenges Ahead and Proposed Solutions

Transcription

1 Current Cloud Certification Challenges Ahead and Proposed Solutions Daniele Catteddu, CTO Cloud Security Alliance

2 AGENDA 3 Challenges 1 Framework 3 Key Requirements 3 Solutions Copyright Cloud Security Alliance

3 Compliance and assurance are becoming complex matters Copyright Cloud Security Alliance

4 TRENDS Several Countries creating their own National accreditation schemes ISO27017 and released NOT certifiable standards! Several ISO CBs launching their own proprietary scheme to align with 27017&18. NEW Legal requirements popping up: EU GDPR and NIS Directive Copyright Cloud Security Alliance

5 CHALLENGES 1: PROLIFERATION OF SCHEMES certifications, including national, and global, sectorspecific, cloud-specific and generic available. Copyright Cloud Security Alliance

6 This is Microsoft: how many companies can afford such an effort for compliance? Copyright Cloud Security Alliance

7 HOW many different audits a CSP should be subject to? Is that effective? Secure? Copyright Cloud Security Alliance

8 This proliferation has resulted in a barrier to entry for Proliferation of scheme is a barrier to market entry for SMEs. Copyright Cloud Security Alliance

9 How about the users? Isn t a bit confusing for them too? Copyright 2011 Cloud Security Alliance

10 CHALLENGE 2 : PROVIDING HIGHER ASSURANCE&TRANSPARENCY Available certification schemes are based either a self or on 3 rd party assessment. Either point in time or over a period of time assessments Offer good-enough-assurance, BUT Copyright 2011 Cloud Security Alliance

11 CHALLENGE 2 : PROVIDING HIGHER ASSURANCE&TRANSPARENCY Certification schemes and assurance solutions: Do NOT respond to the assurance & transparency needs of orgs with high-risk profiles. Do NOT cover continuous monitoring certification Do NOT address continuous assurance Copyright Cloud Security Alliance

12 CHALLENGE 3: PRIVACY COMPLIANCE Compliance with privacy and data protection law is a challenge for organizations. The GDPR imposes a high legal standard for privacy and data protection. Available certification schemes fall short in addressing privacy requirements The Safe Harbor 2.0 / Privacy Shield will reinforce the need to adequately cover privacy requirements Copyright Cloud Security Alliance

13 CSA Solution: Open Certification Framework / STAR Program

14 OPEN CERTIFICATION FRAMEWORK The CSA Open Certification Framework is an industry initiative to allow global, accredited, trusted certification of cloud providers.

15 CCM V CONTROL AREAS

16 ALIGNMENT CCM & CAIQ Controls now directly referenced Numbering & questions linked to control

17 ACCREDITED CERTIFICATION BODIES

18 Current level of adoption Currently 208 Cloud Service Providers/Services Word Wide have decided to be part of the STAR Program! That includes STAR Self Assessment (163) STAR Certification (37) STAR Attestation (4) C-STAR Assessment (4)

19 CSA S SOLUTION CSA proposes to leverage the Open Certification Framework (OCF) & Security Trust Assurance Registry (STAR) Program to provide: a global recognition scheme for security and privacy certification and a set of GRC tools and practices that addresses the complex assurance and transparency requirements of cloud stakeholders Copyright 2011 Cloud Security Alliance

20 Key requirements

21 REQUIREMENTS 1 Balance the need of nations and business sectors to develop their specific security requirements with the need of CSPs to reduce compliance costs Copyright Cloud Security Alliance

22 REQUIREMENTS 2 Avoid that humans (auditors) do activities that can be performed by machines (e.g. collecting data) Copyright Cloud Security Alliance

23 REQUIREMENTS 3 Make sure that accurate and reliable evidences/information are provided to relevant people, in a timely fashion, leveraging as much as possible automatic means Copyright Cloud Security Alliance

24 MULTI-PARTY RECOGNITION SCHEME

25 Everyone wants to feels special, but. the sequencing of the chimpanzee genomes confirms that chimps share approximately 99% of my DNA. Cloud Security Alliance, 2016

26 Similarly over ¾ of the security requirements of the all the organisation are the SAME!

27 Leveraging the OPEN CERTIFICATION FRAMEWORK Need for independent body to crate harmonisation. Rules and mechanisms for standardising the requirements / controls definition Rules and mechanism for a multiparty recognition scheme Creating a repository of evidences in order to avoid unnecessary re-auditing

28 Controls & Requirements Repository

29 Controls & Requirements definition & validation

30 Developing a security certification / attestation based on continuous Auditing & monitoring)

31 OCF Level 3 CSA STAR Continuous is meant to enable automation of in the auditing/assessment/monitoring (either internal or external) and certification of security practices of CPSs. CSP will share their security practices according to CSA formatting and specifications, and customers, broker and tool vendors can retrieve and present this information in a variety of contexts. It builts on the following CSA best practices/standards: Cloud Control Matrix (CCM) Cloud Trust Protocol (CTP) CloudAudit (A6) CSA Cloud Security SLAs

32 Privacy Level Agreement Code of Conduct integration into the STAR Program

33 CSA Privacy Level Agreement (PLA [V2]) - EU compliance tool!!!!!!!!!!!! Privacy(Level(Agreement(Working(Group! Privacy!Level!Agreement![V2]:! A!Compliance!Tool!for!Providing!Cloud!! Services!in!the!European!Union! The! PLA([V2]! has! been! developed! within! CSA! by! an! expert! Working! Group! composed! of! representatives! of! Cloud! Service! Providers,!local!Data!Protection!Authorities!and!independent!security!and!privacy!professionals;!co(chaired!by!Dr.!Paolo!Balboni! and!francoise!gilbert,!with!the!technical!supervision!of!daniele!catteddu.!! The!PLA!working!group!is!sponsored!by!!!!! May!2015! CLOUD SECURITY ALLIANCE PLA Working Group - PLA [V2]: A Compliance Tool for Providing Cloud Services in the European Union! Copyright 2015 Cloud Security Alliance. All rights reserved.!! Goal: Provide CSPs a tool to achieve EU-wide data protection compliance Provide cloud customer with a tool to evaluate CSP EU-wide data protection compliance Scope & Methodology Deals with the B2B scenario Follows EU current Data Protection Law Strongly based on WP29 Opinion 5/2012 on Cloud Computing, written in the light of ISO/IEC 27018, the Cloud Service Level Agreement Standardisation Guidelines, the work developed by the Cloud Select Industry Group on Code of Conduct, & the Cloud Accountability Project Considers differences between CSP-controller and CSP-processor

34 DPA s opinions on PLA?

35 Privacy Level Agreement V2 1. Identity of the CSP (and of representative in the EU as applicable), its role, and the contact information for the data protection inquiries 2. Ways in which the data will be processed 3. Data transfer 4. Data security measures 5. Monitoring 6. Personal Data breach notification 7. Data portability, migration, and transfer back assistance 8. Data retention, restitution, and deletion 9. Accountability 10. Cooperation 11. Legally required disclosure

36 PLA V2 Table (Annex 1)

37 Legal Compliance OCF and PLA Privacy Level Agreement Code of Conduct Technical Compliance

38 NEXT STEP: PLA Code of Conduct Finalize the alignment of PLA with GDPR requirements Approve the PLA certification governance structure => PLA Code of Conduct Seek for the Art.29 WP endorsement

39 ????

40 THANK YOU! CONTACT US Daniele Catteddu, CTOCloud Security