EU Cloud Computing Policy. Luis C. Busquets Pérez 26 September 2017


The digital revolution is built on data. Most economic activity will depend on data within a decade.
Potential of the data-driven economy (figure; only the two employment figures survive): 6 million people employed; 7.4 million people employed.
Ref.: European Data Market Study SMART 2013/0063, available at: http://datalandscape.eu/

Creating a European Digital Economy and society with growth potential.
Pillar 3, Economy & Society: ensuring that Europe's economy, industry and employment take full advantage of what digitalisation offers.
Topics: digitising industry; cloud; inclusive digital economy and society; e-government; standardisation & interoperability; digital skills; data economy.

What is limiting enterprises from using cloud computing services?
(Figure) Factors limiting enterprises from using cloud computing services, by size class, EU-28, 2014 (*). This can be extended to the public sector.
(*) Source: Eurostat, 2014

Building a European Data Economy. Building blocks of a data economy:
- Free flow of data
- Ownership of and access to data
- Interoperability and portability
- Liability

FFD iceberg (figure). FFD building blocks:
- Data localisation restrictions
- General FFD principle
- Legal uncertainty
- Lack of trust
- Data security
- Data availability
- Data portability

2015 EU28 Cloud Security Conference:
- Raise awareness and educate users and SMEs on cloud security.
- Improve the transparency of cloud services: continuous monitoring mechanisms, and accountability through, for example, certification and other mechanisms.
- Flexible policy approaches towards cloud security to allow further technological advancements.
- Data protection: where and how data are stored, accessed, transferred and processed.
- Strengthen cooperation and define clear procurement guidelines built on cooperation between industry and the public sector.

Certification Schemes for Cloud Computing, SMART 2016/0029.
Challenge: customers need to know and be assured that their data is equally safe no matter where they are located or who provides the service.
- What security aspects need to be considered in cloud computing to ensure Free Flow of Data, including cross-border?
- What regulation aspects need to be considered / addressed?
- How much would it cost a European CSP to comply with a certification scheme? And what would be the cost of no certification?

Current Situation (*):
- ISO: ISO/IEC 17203, ISO/IEC 17826:2012, ISO/IEC 19041, ISO/IEC 19044, ISO 19086, ISO/IEC 19099, ISO/IEC 19831, ISO 19941, ISO 19944, ISO/IEC 20000-1, ISO 22301, ISO/IEC 24760-1, family of ISO/IEC 2700x, ISO/IEC 29100, ISO/IEC 29101, ISO/IEC 29115.
- NIST: NIST SP 500-299, Draft NIST SP 500-307, NIST SP 800-125, NIST SP 800-144.
- OASIS: OASIS TOSCA, OASIS CAMP.
- EuroCloud: EuroCloud Self-Assessment, EuroCloud Star Audit.
- SNIA / DMTF: SNIA CDMI, DMTF DSP0243, DMTF DSP0263.
- TüV Rheinland: Certified Cloud Service.
- ITU-T: ITU-T X.1601, ITU-T X.1631.
- Others: CSA CCM, CSA CTP, CSA A6, CSA CAIQ, CSA TCI, CSA PLA, CSA Attestation - OCF Level 2, CSA Attestation - OCF Level 1, CSA Self-Assessment - OCF Level 1.
- AICPA: AICPA SOC 1, AICPA SOC 2, AICPA SOC 3.

(*) Source: ETSI CSC

03 Current Situation (two coverage matrices; the per-cell ratings were colour-coded on the slides and are not recoverable from the transcription).

Matrix 1, columns (standards): ISO 17203, ISO 17789, ISO 19944, ISO 19941, ISO 19086, ISO 19099, ISO 22301, ISO/IEC 24760, family of 27000 (ISO/IEC 27000, ISO/IEC 27001 & ISO/IEC 27002), ISO/IEC 29100, ISO/IEC 29101, ISO/IEC 29115.

Matrix 2, columns (schemes and specifications): Certified cloud service (TüV), OASIS CAMP, SNIA CDMI, OGF OCC, SAML, OAuth 2.0, OpenID, DMTF DSP0243, DMTF DSP0263, CSA CCM.

Rows of both matrices (27 security objectives):
1. Information security policy
2. Risk management
3. Security roles
4. Security in supplier relationships
5. Background checks
6. Security knowledge and training
7. Personnel changes
8. Physical and environmental security
9. Security of supporting utilities
10. Access control to network and information systems
11. Integrity of network and information systems
12. Operating procedures
13. Change management
14. Asset management
15. Security incident detection and response
16. Security incident reporting
17. Business continuity
18. Disaster recovery capabilities
19. Monitoring and logging policies
20. System tests
21. Security assessments
22. Checking compliance
23. Cloud data security
24. Cloud interface security
25. Cloud software security
26. Cloud interoperability and portability
27. Cloud monitoring and log access

Legend: Not covered / Partially covered / Fully covered.

Landscape: cut through the jungle of standards (#Digital Single Market).
- EC Communication (2012), Digital Agenda 2020
- Public and public-private initiatives
- Regulation: ECI, #EUdataFF, GDPR, NIS, FFD
- ENISA CCSL and CCSM (2013)
- Trusted Cloud (DE), Label Cloud (FR)
- Cross-border services
- Cloud Standardization Initiative, ETSI (Phase I and Phase II)
- C5, ENS, SecNumCloud

Current analysis of strategies from Spain, Italy, Germany and France (table reconstructed by column):

DE - C5 catalogue:
- 17 control areas
- Per each control: objective, requirement (basic, additional)
- Attestation
- No certificate; relies on int'l standards
- Cloud-specific

ES - ENS:
- For e-admin CSPs / digital providers
- Dedicated regulation for cloud issues, whether or not providers belong to the e-admin
- Systems have categories: low, medium, high
- Low = self-assessment; medium/high = audit every 2 years
- Audit

FR - SecNumCloud:
- Certification for CSPs
- Based on ANSSI recommendations and int'l standards
- 2 levels: basic and advanced (^)
- Label

IT - PM Decree 2013:
- National ICT security certification scheme based on int'l standards, not cloud-specific (^)

(^) Requirements for Advanced are, as of 08.09.2017, not published

Current analysis of private initiatives: Trusted Cloud, Label Cloud, ESCloud (table reconstructed by column).

Trusted Cloud:
- German initiative, now extending to FR and NL
- Non-profit association
- For SMEs, both CSPs and cloud users
- Own criteria catalogue
- Legally bound self-assessment
- Prices to appear on the listing: 150-300 /month

Label Cloud:
- Initiative by France IT
- For SMEs
- 3 layers (IaaS, PaaS, SaaS)
- 3 levels: initial, confirmed, expert
- Based on NIST and ITIL
- Label valid for 2 (initial), 3 (confirmed) or 4 (expert) years
- Continuous improvement: recertification obliges the holder to obtain better results than the previous time

ESCloud:
- Collaboration of France and Germany
- Label
- 15 core principles
- No mutual recognition between SecNumCloud and C5

04 Needs and requirements. Needs and requirements are being gathered by means of online surveys and personal interviews.
- Survey launched end of June, accessible at http://tinyurl.com/cloudcertification
- Low number of respondents, possibly due to the summer period
- Campaign in social networks

Main conclusions from Spain:
- Mutual recognition should be favoured.
- Consider as best practice the European Interoperability Framework (EIF) (*), specifically Article 10, Node operators: "nodes providing authentication shall prove that, in respect of the nodes participating in the interoperability framework, the node fulfils the requirements of standard ISO/IEC 27001 by certification, or by equivalent methods of assessment, or by complying with national legislation".
- Establish a generic certification on security and then a certification focused on cloud security. Later on, a certification on portability could be considered.
- An EU-wide security certification framework can solve some issues, but specific (legal) requirements will still be requested.

(*) Commission Implementing Regulation (EU) 2015/1501 of 8 September 2015

Scenarios

Next steps:
- Continue analysing initiatives by EU member states, policy initiatives and answers from the survey.
- Develop the common security framework: objectives, controls, requirements, mapping to standards.
- Detail the impact (economic, regulatory, social) and the next steps for each scenario.
- Workshop in December 2017.