EU Cloud Computing Policy
Luis C. Busquets Pérez
26 September 2017
The digital revolution is built on data
Most economic activity will depend on data within a decade.
Potential of the data-driven economy (chart values): 6 million people employed; 7.4 million people employed.
Ref.: European Data Market Study SMART 2013/0063, available at: http://datalandscape.eu/
Creating a European Digital Economy and society with growth potential
Pillar 3: ECONOMY & SOCIETY. Ensuring that Europe's economy, industry and employment take full advantage of what digitalisation offers.
Topics: Digitising industry; Cloud; Inclusive digital economy and society; e-government; Standardisation & interoperability; Digital skills; Data economy.
What is limiting enterprises from using cloud computing services?
(Chart) Factors limiting enterprises from using cloud computing services, by size class, EU-28, 2014 (*)
This can be extended to the Public Sector.
(*) Source: Eurostat, 2014
Building a European Data Economy
Building a Data Economy: Free Flow of Data; Ownership and access to data; Interoperability and portability; Liability.
FFD Iceberg
FFD Building Blocks: Data Localisation Restrictions; General FFD Principle; Legal Uncertainty; Lack of Trust; Data Security; Data Availability; Data Portability.
2015 EU28 Cloud Security Conference
- Raise awareness and educate users and SMEs on cloud security.
- Improve the transparency of cloud services: continuous monitoring mechanisms, and accountability through, for example, certification and other mechanisms.
- Flexible policy approaches towards cloud security, to allow further technological advancements.
- Data protection: where and how data are stored, accessed, transferred and processed.
- Strengthen cooperation and define clear procurement guidelines, built on cooperation between industry and the public sector.
Certification Schemes for Cloud Computing, SMART 2016/0029
Challenge: customers need to know, and be assured, that their data is equally safe no matter where they are located or who provides the service.
- What security aspects need to be considered in cloud computing to ensure the Free Flow of Data, including cross-border?
- What regulation aspects need to be considered / addressed?
- How much would it cost for a European CSP to comply with a certification scheme? And how much would be the cost of no certification?
Current Situation
- ISO: ISO/IEC 17203, ISO/IEC 17826:2012, ISO/IEC 19041, ISO/IEC 19044, ISO 19086, ISO/IEC 19099, ISO/IEC 19831, ISO 19941, ISO 19944, ISO/IEC 20000-1, ISO 22301, ISO/IEC 24760-1, family of ISO/IEC 2700x, ISO/IEC 29100, ISO/IEC 29101, ISO/IEC 29115.
- NIST: NIST SP 500-299, Draft NIST SP 500-307, NIST SP 800-125, NIST SP 800-144.
- OASIS: OASIS TOSCA, OASIS CAMP.
- EuroCloud: EuroCloud Self-Assessment, EuroCloud Star Audit.
- SNIA / DMTF: SNIA CDMI, DMTF DSP0243, DMTF DSP0263.
- TÜV Rheinland: Certified Cloud Service.
- ITU-T: ITU-T X.1601, ITU-T X.1631.
- Others: CSA CCM, CSA CTP, CSA A6, CSA CAIQ, CSA TCI, CSA PLA, CSA Attestation - OCF Level 2, CSA Attestation - OCF Level 1, CSA Self-Assessment - OCF Level 1; AICPA SOC 1, AICPA SOC 2, AICPA SOC 3.
(*) Source: ETSI CSC
03 Current Situation (coverage matrices, two slides)
Columns, slide 1: ISO 17203, ISO 17789, ISO 19944, ISO 19941, ISO 19086, ISO 19099, ISO 22301, ISO/IEC 24760, family of 27000 (ISO/IEC 27000, ISO/IEC 27001 & ISO/IEC 27002), ISO/IEC 29100, ISO/IEC 29101, ISO/IEC 29115.
Columns, slide 2: TÜV Certified cloud service, OASIS CAMP, SNIA CDMI, OGF OCC, SAML, OAuth 2.0, OpenID, DMTF DSP0243, DMTF DSP0263, CSA CCM.
Rows (control areas), both slides:
1. Information security policy
2. Risk management
3. Security roles
4. Security in supplier relationships
5. Background checks
6. Security knowledge and training
7. Personnel changes
8. Physical and environmental security
9. Security of supporting utilities
10. Access control to network and information systems
11. Integrity of network and information systems
12. Operating procedures
13. Change management
14. Asset management
15. Security incident detection and response
16. Security incident reporting
17. Business continuity
18. Disaster recovery capabilities
19. Monitoring and logging policies
20. System tests
21. Security assessments
22. Checking compliance
23. Cloud data security
24. Cloud interface security
25. Cloud software security
26. Cloud interoperability and portability
27. Cloud monitoring and log access
Legend: Not covered / Partially covered / Fully covered (the per-cell marks are graphical and are not reproduced here).
Landscape: cut through the jungle of standards
(Diagram) #Digital Single Market; EC Communication (2012); Digital Agenda 2020; Public and Public-Private Initiatives; Regulation; ECI; #EUdataFF; ENISA CCSL and CCSM (2013); Trusted Cloud (DE); GDPR; Cross-border services; Cloud Standardization Initiative ETSI (Phase I and Phase II); Label Cloud (FR); NIS; C5; FFD; ENS; SecNumCloud.
Current analysis of strategies from Spain, Italy, Germany and France
DE - C5 catalogue: 17 control areas; per each control: objective, requirement (basic, additional); attestation; no certificate, relies on int'l standards; cloud-specific.
ES - ENS: for e-admin CSPs / digital providers; dedicated regulation for cloud issues, whether or not they are providers of the e-admin; systems have categories: low, medium, high; low = self-assessment, medium/high = audit every 2 years; audit.
FR - SecNumCloud: certification for CSPs; based on ANSSI recommendations and int'l standards; 2 levels: basic and advanced (^); label.
IT - PM Decree 2013: national ICT security certification scheme based on int'l standards, not cloud-specific.
(^) Requirements for Advanced are, as of 08.09.2017, not published.
Current analysis of private initiatives: Trusted Cloud, Label Cloud, ESCloud
Trusted Cloud: German initiative, now extending to FR and NL; non-profit association; for SMEs, both CSPs and cloud users; own criteria catalogue; legally binding self-assessment; prices to appear on the listing: 150-300 per month.
Label Cloud: initiative by France IT; for SMEs; 3 layers (IaaS, PaaS, SaaS); 3 levels: initial, confirmed, expert; based on NIST and ITIL; label valid for 2 (initial), 3 (confirmed) or 4 (expert) years; continuous improvement, so recertification obliges the provider to obtain better results than the previous time.
ESCloud: collaboration of France and Germany; label; 15 core principles; no mutual recognition between SecNumCloud and C5.
04 Needs and requirements
Needs and requirements are being gathered by means of online surveys and personal interviews.
- Survey launched end of June, accessible at http://tinyurl.com/cloudcertification
- Low number of respondents, possibly due to the summer period
- Campaign in social networks
Main conclusions from Spain
- Mutual recognition should be favoured.
- Consider as best practice the European Interoperability Framework (EIF) (*), specifically Article 10: "Node operators of nodes providing authentication shall prove that, in respect of the nodes participating in the interoperability framework, the node fulfils the requirements of standard ISO/IEC 27001 by certification, or by equivalent methods of assessment, or by complying with national legislation."
- Establish a generic certification on security and then a certification focused on cloud security. Later on, a certification on portability could be considered.
- An EU-wide security certification framework can solve some issues, but specific (legal) requirements will be further requested.
(*) COMMISSION IMPLEMENTING REGULATION (EU) 2015/1501 of 8 September 2015
Scenarios
Next steps
- Continue analysing initiatives by EU member states, policy initiatives and answers from the survey.
- Develop the common security framework: objectives, controls, requirements, mapping to standards.
- Detail the impact (economic, regulatory, social) and the next steps for each scenario.
- Workshop in December 2017.