Security frameworks for Gov Clouds: A Technical Analysis


Security frameworks for Gov Clouds: A Technical Analysis
Dimitra Liveri, EU Network and Information Security Agency (ENISA)
Dr. Jesus Luna, CSA EMEA / Technical University of Darmstadt (TUDA)
www.enisa.europa.eu

Agenda
- Previous work on Governmental Clouds in ENISA
- Overview of GovClouds in the EU
- Governmental Clouds: a definition
- Security Framework: methodology, structure, examples and mapping
- Conclusions and recommendations

ENISA work on Governmental Clouds
2010: Guide on security and resilience for Governmental Clouds
- Presentation of the security benefits and drawbacks for the public sector of going into the cloud
- First steps that need to be taken before deciding to go cloud
2013: Good practice guide on how to securely deploy Governmental Clouds
- Definition of a governmental cloud (in a mature market)
- State of cloud computing adoption in the EU public sector
- Case studies of different approaches to adopting a cloud solution

Governmental Clouds in Europe - 2013 (map slide, September 2013; legend: red = private, yellow = public, blue = community)

Definition of Governmental Cloud
Governmental Clouds: cloud services and systems that support public administration services.
General characteristics:
- Governance and control by government or public body
- Ownership and management by government or public body
- Due diligence by government or public body
- Compliance with national laws

Governmental Clouds 2014
Security framework for Governmental Clouds, 2014
- ENISA suggests a security (and privacy) framework for the public administration to adopt cloud computing
- The framework presents 4 phases (PDCA), 9 activity domains and 16 security steps, from the pre-procurement phase to the finalization of the contract and exit
- The framework is built on 4 use cases (real cases of Cloud implementation in the EU) and provides examples of approaches for each of the phases (countries: UK, ES, GR, EE)

Methodology (1/2)
1. Desktop Research
- Early stage of deployment
- Security and Privacy are key factors for Gov Cloud adoption
- Shortage of pilots/practical experiences (e.g., Cloud4Europe)
- Security challenges include certifications, SLAs, and risk models
- Lack of security frameworks
2. Security Framework (1st version)
- Based on desktop research
- Initial MS Gov Cloud analysis

Methodology (2/2)
3. Security Framework (2nd version)
- Surveying and identifying four Gov Cloud use cases from MS (i.e., Estonia, Greece, Spain, and United Kingdom)
- The use cases were selected for being representative of Gov Cloud adoption
4. Security Framework (Final version)
- Organized as a security life cycle (Plan-Do-Check-Act or PDCA)
- Separates the phases into activities and the activities into steps

Main elements of the framework
The Gov Cloud Security Framework is made up of:
- Questionnaire Templates
- Logic Model
- Reference Implementations

Roles
- Cloud Owner: the organization that legally owns the Gov Cloud and defines policies and requirements.
- Cloud Service Provider (CSP): the organization that provides Cloud services to the GovCloud and takes responsibility for making them available to the Cloud Customers.
- Cloud Customer: the organization/public administration using the Cloud services provided by the CSP through the Cloud Owner.

Logic Model
- Each phase of the PDCA is sub-divided into sample tasks/actions reflecting the requirements of a country's public administration.
- Supported by visual workflows and assessment questionnaires.

Questionnaire Templates
- Template organized in PDCA phases and steps
- Assessment questions designed to support Gov Cloud stakeholders

Reference Implementation
- Our study provides empirical validation of the developed GovCloud security framework by applying it to the selected MS use cases: Estonia, Greece, Spain, and United Kingdom.
- The report visually presents the different approaches each country took according to their needs and national security requirements.

Mapping Gov Clouds to the framework (two diagram slides; the mapping figures are not part of the transcription)

Conclusions and recommendations
- Despite the considerable efforts (e.g., by the EC and ENISA), the level of MS GovCloud adoption is still low.
- Common security denominators exist across the MS-deployed Gov Clouds, e.g., defined roles and use of standards.
- However, our analysis also shows different security practices in, e.g., accreditation procedures and SLA management.
- Analyzed GovClouds have established policies for incident management.
- Adopted approaches are usually covered at the design stage (PLAN-DO phases).
- Need to define baseline security controls based on the selected service/deployment model.

Contact us
Dimitra Liveri, dimitra.liveri@enisa.europa.eu
Marnix Dekker, marnix.dekker@enisa.europa.eu
Cloud security at ENISA, cloud.security@enisa.europa.eu
For more information see ENISA's website: http://enisa.europa.eu
Follow ENISA's twitter feed: @enisa_eu
Follow ENISA: European Union Agency for Network and Information Security