Where is the EU in cloud security certification?: Main findings

Similar documents
EU Cloud Computing Policy. Luis C. Busquets Pérez 26 September 2017

This document is a preview generated by EVS

Friedrich Smaxwil CEN President. CEN European Committee for Standardization

ehaction Joint Action to Support the ehealth Network

European Cybersecurity PPP European Cyber Security Organisation - ECSO November 2016

esignature Infrastructure Marketing Model

European Cybersecurity cppp and ECSO. org.eu

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

ITU. The New Global Challenges in Cybersecurity 30 October 2017 Bucharest, Romania

EU e-marketing requirements

EU Cybersecurity Certification Framework

CONCURRENT SESSIONS Wednesday 8:30 10:30 KEMPINSKI HOTEL CORVINUS Erzsébet tér 7-8, Budapest V.

EUREKA European Network in international R&D Cooperation

Country-specific notes on Waste Electrical and Electronic Equipment (WEEE)

European Standardization & Digital Transformation. Ashok GANESH Director Innovation ETICS Management Committee

European Cybersecurity PPP European Cyber Security Organisation - ECSO

Mapping of the CVD models in Europe

EXPOFACTS. Exposure Factors Sourcebook for Europe GENERAL

Combating Pharmacrime AGENDA

The emerging EU certification framework: A role for ENISA Dr. Andreas Mitrakas Head of Unit EU Certification Framework Conference Brussels 01/03/18

Analysis of the Interoperability Possibilities of Implemented Governmental e-services EU15

STANDARDS TO HELP COMPLY WITH EU LEGISLATION. EUROPE HAS WHAT IT TAKES INCLUDING THE WILL?

NIS Country Reports Overview Document

Moving Professionals Forward. World Leader In Competence Based Certification

The Role of SANAS in Support of South African Regulatory Objectives. Mr. Mpho Phaloane South African National Accreditation System

WORKSHOP ON ALL WEEE FLOWS 14/02/17 Alberto Canni Ferrari ERP Italy Country General Manager

GUIDELINES FOR THE MANAGEMENT OF ORGANIC PRODUCE CERTIFICATES BY APPROVED CERTIFYING ORGANISATIONS

Signatories. to the EA Multilateral. and Bilateral Agreements

Purchasing. Operations 3% Marketing 3% HR. Production 1%

ICT Connectivity for Trade & Development

Signatories. to the EA Multilateral. and Bilateral Agreements

Flash Eurobarometer 468. Report. The end of roaming charges one year later

IBM offers Software Maintenance for additional Licensed Program Products

The IECEE CB Scheme facilitates Global trade of Information Technology products.

Cost Saving Measures for Broadband Roll-out

GDPR General Data Protection Regulation

ENISA & Cybersecurity. Steve Purser Head of Technical Competence Department December 2012

The Labour Cost Index decreased by 1.5% when compared to the same quarter in 2017

Report on ISO/IEC/JTC1/SC27 Activities in Digital Identities

DATA-DRIVEN INNOVATION

This document is a preview generated by EVS

Countdown to GDPR. Impact on the Security Ecosystem and How to Prepare

BoR (10) 13. BEREC report on Alternative Retail Voice and SMS Roaming Tariffs and Retail Data Roaming Tariffs

CUSTOMER GUIDE Interoute One Bridge Outlook Plugin Meeting Invite Example Guide

ETSI Governance and Decision Making

This document is a preview generated by EVS

iclass SE multiclass SE 125kHz, 13.56MHz 125kHz, 13.56MHz

This document is a preview generated by EVS

Overcoming the Compliance Challenges of VAT Remittance. 12 April :55 to 16:30 (CEST)

Signatories. to the EA Multilateral. and Bilateral Agreements

ITS Action Plan Task 1.3 Digital Maps

The NIS Directive and Cybersecurity in

Flash Eurobarometer 443. e-privacy

The Canadian Experience

This document is a preview generated by EVS

Digital EAGLEs. Outlook and perspectives

Mexico s Telecommunications Constitutional Reform, the Shared Network and the Public - Private Collaboration. MBB Forum Shanghai, China

This document is a preview generated by EVS

Service withdrawal: Selected IBM ServicePac offerings

THE REGULATORY ENVIRONMENT IN EUROPE

Collaborative Regulation in the APP Economy

EUROPEAN COMMISSION EUROSTAT. Directorate G :Global Business Statistics Unit G-2: Structural business statistics and global value chains

Digital Dividend harmonisation in Europe

This document is a preview generated by EVS

The 13 th Progress Report on the Single European Telecoms Market 2007: Frequently Asked Questions

BASIC PRICE LIST. The price of transportation is added toll in the amount of CZK 1,30 / kg and the current fuel surcharge.

International Roaming Critical Information Summaries JULY 2017

BoR (11) 08. BEREC Report on Alternative Voice and SMS Retail Roaming Tariffs and Retail Data Roaming Tariffs

Building an Assurance Foundation for 21 st Century Information Systems and Networks

The Significant Role of European Union s GDPR in Data Governance

Items exceeding one or more of the maximum weight and dimensions of a flat. For maximum dimensions please see the service user guide.

ITU Global Cybersecurity Index

Forum Energia Regulation of energy markets Klaus Gerdes Lisbon, October 19th 2006

Patent Portfolio Overview May The data in this presentation is current as of this date.

Cisco Aironet In-Building Wireless Solutions International Power Compliance Chart

in focus Statistics Telecommunications in Europe Contents INDUSTRY, TRADE AND SERVICES 8/2005 Author Martti LUMIO

Improving Resilience in European e-communication networks MTP 1

CEN and CENELEC Position Paper on the draft regulation ''Cybersecurity Act''

Preparing for High-Luminosity LHC. Bob Jones CERN Bob.Jones <at> cern.ch

International Packets

EUMETSAT EXPERIENCE WITH MULTICAST ACROSS GÉANT

Experience from the UK Government s BIM Programme

ILNAS-EN ISO :2016

Current Cloud Certification Challenges Ahead and Proposed Solutions

The Directive on waste electrical and electronic equipment (WEEE) Background and Overview. Conference on Metal Recycling Tokyo, 28 October 2009

The Critical Importance of CIIP to Cybersecurity

From Digital Divide to Digital Inclusion Are we REDI?

This document is a preview generated by EVS

e-sens Electronic Simple European Networked Services

17. WEEE management. Key points: Overview and context

ICT Legal Consulting on GDPR: the possible value of certification in data protection compliance and accountability

EU funded research is keeping up trust in digital society

EPR for WEEE Experiences in Europe

Building Trust in the Era of Cloud Computing

This document is a preview generated by EVS

INTO THE CLOUD WHAT YOU NEED TO KNOW ABOUT ADOPTION AND ENSURING COMPLIANCE

feature The New EU General Data Protection Regulation Benefits and First Steps to Meeting Compliance Better Protection for Personal Data

MINUTES AND TEXTS CUSTOMER MOBILE BOLT-ON GUIDE JUNE 2018 BOLT-ON WILL KEEP YOU IN CONTROL OF YOUR COSTS. INTERNATIONAL NUMBERS FROM YOUR MOBILE, THIS

ACCREDITATION: A BRIEFING FOR GOVERNMENTS AND REGULATORS

European Hospital Survey: Benchmarking Deployment of e-health Services ( ) Country Reports

Transcription:

WE CAN DO SO MUCH TOGETHER Where is the EU in cloud security certification?: Main findings Certification schemes for cloud computing SMART 2016 / 0029 Leire Orue-Echevarria TECNALIA December 11 th, 2017 SMART 2016 / 0029

Agenda 01 Context 03 Stakeholders analysis 02 Approach 04 Market adoption 05 Next steps

01 Context and Motivation What is limiting enterprises from using cloud computing services? Factors limiting enterprises from using cloud computing services, by size class, EU-28, 2014 (*) This can be extended to the Public Sector (*) Source: Eurostat, 2014

01 Context Customers need to know and be assured that their data is equally safe no matter where they are located or who provides the service What security aspects need to be considered in cloud computing that ensure Free Flow of Data and cross-border? What regulation aspects need to be considered / addressed? What should be the role of the EC?

01 Context Plethora of standards, schemes and other relevant frameworks ISO/IEC 17203, ISO/IEC 17826:2012, ISO/IEC 19041, ISO/IEC 19044, ISO 19086, ISO/IEC 19099, ISO/IEC 19831, ISO 19941, ISO 19944, ISO/IEC 20000-1, ISO 22301,ISO/IEC 24760-1, Family of ISO/IEC 2700x, ISO/IEC 29100, ISO/IEC 29101, ISO/IEC 29115. NIST SP 500-299, Draft NIST SP 500-307, NIST SP 800-125, NIST SP 800-144 NIST 800-53 OASIS TOSCA, OASIS CAMP SNIA CDMI, DMTF DSP0243, DMTF DSP0263 CSA CCM, CSA Star, CSA PLA, CSA Attestation - OCF Level 2, CSA Attestation - OCF Level 1, CSA Self- Assessment - OCF Level 1 ITU-T X.1601, ITU-T X.1631 Others AICPA SOC 1, AICPA SOC 2, AICPA SOC 3

Agenda 01 Context 03 Stakeholders analysis 02 Approach 04 Market adoption 05 Next steps

02 Approach Standards Frameworks Schemes Public Initiatives Private - Public Initiatives Stakeholders Analysis Market Adoption Policy (see next presentation)

02 Approach Standards Frameworks Schemes Public Initiatives Private - Public Initiatives Stakeholders Analysis Market Adoption Policy (see next presentation)

02 Approach ISO ISO ISO ISO ISO ISO ISO ISO/IEC Family of Analysed 20+ security and cloud related 17203 17789 19944 19941 19086 19099 22301 24760 27000 ISO/IEC 27000, schemes and compared them with ENISA ISO/IEC 27001 & ISO /IEC 27002 CCSM 1. Information security policy 2. Risk management 3. Security roles 4. Security in Supplier relationships 5. Background checks 6. Security knowledge and training 7. Personnel changes 8. Physical and environmental security 9. Security of supporting utilities 10. Access control to network and information systems 11. Integrity of network and information systems 12. Operating procedures 13. Change management 14. Asset management 15. Security incident detection and response 16. Security incident reporting 17. Business continuity 18. Disaster recovery capabilities 19. Monitoring and logging policies 20. System tests 21. Security assessments 22. Checking compliance 23. Cloud data security 24. Cloud interface security 25. Cloud software security 26. Cloud interoperability and portability 27. Cloud monitoring and log access ISOIEC 29100 ISO/IEC 29101 Not covered Partially covered Fully covered ISO/IEC 29115

02 Approach Available standards tackle many issues that require to go through different certification / attestation processes The depth in which security aspects are covered varies depending on the standard

02 Approach Standards Frameworks Schemes Public Initiatives Private - Public Initiatives Stakeholders Analysis Market Adoption Policy (see next presentation)

02 Approach Analyzed strategies from the governments of Spain, Italy, Germany, France, Latvia DE C5 catalogue ES - ENS FR - SecNumCloud IT - PM Decree 2013 17 control areas Per each control: Objective, requirement (basic, additional) Attestation No certificate, Relies on int l standards Cloud-specific For eadmin CSP / digital providers Dedicated regulation for cloud issues, providers or not of the eadmin Systems have categories: low, medium, high Low=self assessment Medium/high= audit every 2 years Audit Certification for CSPs Based on ANSSI recommendations and int l standards 2 levels: basic and advanced (^) Label National ICT security certification scheme based on int l standards, no cloudspecific (^) Requirements for Advanced are as of 08.09.2017 not published

02 Approach Different maturity levels of public sector initiatives in EU28 Different approaches: from market driven to highly regulated scenarios Different levels of granularity Harmonisation at EU level is considered necessary

02 Approach Standards Frameworks Schemes Public Initiatives Private - Public Initiatives Stakeholders Analysis Market Adoption Policy (see next presentation)

02 Approach Analyzed (cross-border) public-private initiatives: Trusted Cloud, Label Cloud, ESCloud, Zeker Online Trusted Cloud Zeker Online Label Cloud ESCloud German initiative, now onto FR and NL Non-profit association For SMEs, both CSPs and cloud users Own criteria catalogue Legally bound selfassessment 2 pillars: legal and infrastructure covers the whole service stack Based on standards Audit Initiative by France IT For SMEs 3 layers (IaaS, PaaS, SaaS) 3 levels: initial, confirmed, expert Based on NIST and ITIL Label for 2 (initial), 3 (confirmed), 4 (expert) years Continuous improvement, so recertification obliges to obtain better results than the previous time Collaboration of France and Germany Label 15 core principles No mutual recognition between SecNumCloud and C5

02 Approach Cross-border efforts are commendable However, mutual recognition is still not sufficiently addressed Duplication of efforts?

Agenda 01 Context 03 Stakeholders analysis 02 Approach 04 Market adoption 05 Next steps

03 Stakeholders analysis Survey: 28.09.2017 15.11.2017 Reopened and accessible through: http://tinyurl.com/cloudcertification 494 respondents but only 200 answers were 100% complete, which have been retained for analysis

03 Stakeholders analysis Malta ; 0,00% Luxembourg ; 0,69% Netherlands ; 9,03% Country Slovak Republic ; 2,08% Slovenia ; 1,39% Sweden ; 1,39% United Kingdom ; 5,56% Romania ; 1,39% Spain ; 8,33% Switzerland, US, Chile, South Portugal ; 0,69% Korea and Israel Poland ; 0,69% Other ; 8,33% Austria ; 4,17% Lithuania ; 0,00% Italy ; 6,25% Latvia ; 2,08% Ireland ; 1,39% Hungary ; 0,00% Germany ; 18,75% Greece ; 2,08% France ; 10,42% Belgium ; 8,33% Bulgaria ; 0,69% Croatia ; 1,39% Cyprus ; 0,69% Estonia ; 1,39% Czech Republic ; 0,00% Denmark ; 1,39% Finland ; 1,39%

03 Stakeholders analysis Certification authority ; 11,11% Standardizatio n body ; 5,56% Public Authority ; 8,33% Cloud Service Provider ; 34,72% Cloud Service Consumer ; 40,28%

03 Stakeholders analysis Conclusions from the survey A certification scheme would increase the adoption of cloud computing (79,2% of the respondents) 56,94% believe that there should be one certification scheme per service layer 56,94% are aware of initiatives being ISO27001, C5, CSA Star, LEET security, Trusted Cloud, SecNumCloud the most named ones. 59% are aware of cross-border initiatives as well as good practices in cloud security 45% are aware of policy initiatives on cloud

03 Stakeholders analysis Conclusions from the survey Actions to reduce fragmentation None of the others 7,64% Develop a regulation on the security certification of cloud computing services, specifying the 16,67% Create a European wide certification framework 32,64% Extend best practices already available in EU Member States for cloud security certification 26,39% Foster mutual recognition of existing national initiatives 10,42% Self-regulatory industry initiatives 6,25% 0,00% 5,00% 10,00% 15,00% 20,00% 25,00% 30,00% 35,00%

03 Stakeholders analysis Conclusions from the survey Provider of a certification scheme should be either an independent standardization body or an accredited institution (27.78% vs. 26.39%) Jurisdiction of the certification should be at EUlevel

03 Stakeholders analysis Conclusions from the survey

03 Stakeholders analysis Conclusions from the survey

03 Stakeholders analysis Conclusions from the survey Diversity of processes / schemes depending on the countries or sectors where the service is offered ; 15,52% Lack of a dedicated certification schemes for cloud security ; 12,07% Problems faced when dealing with a certification Other; 7,76% Few economic benefits ; 18,10% Lack of mutual recognition of certificates across Member States ; 16,38% Too expensive to obtain the certification as well as to maintain it; 11,21% Certification process is not transparent ; 6,90% Certification process is too long ; 12,07%

03 Stakeholders analysis Conclusions from the survey Cost to obtain and maintain a certification is reported to be between 10,000 100,000 Recertification / renewal is mostly 1-3 years Certification is thought to prevent security incidents, which have occurred to 30% of the respondents with an economic impact of less than 100,000, although most respondents have not quantified it Current fragmentation is a barrier to get a certification (65%)

03 Stakeholders analysis Conclusions from the survey The public sector and the EC should: Lead and contribute to the definition of a security certification scheme, reusing and harmonizing existing initiatives Set standards and applicable legislation Be a Promoter and Influencer CSP Procurers of the public sector should be certified (92%)

Agenda 01 Context 03 Stakeholders analysis 02 Approach 04 Market adoption 05 Next steps

04 Market adoption Compliance / accreditations by the Top 50 CSPs (XaaS)

04 Market adoption Compliance with Member States requirements

04 Market adoption Adoption of ISO 27001 (*) (*) source: http://isotc.iso.org/livelink/livelink?func=ll&objid=18808772&objaction=browse&viewtype=1

04 Market adoption Adoption of ISO 27001 (*) (*) source: http://isotc.iso.org/livelink/livelink?func=ll&objid=18808772&objaction=browse&viewtype=1

Agenda 01 Context 03 Stakeholders analysis 02 Approach 04 Market adoption 05 Next steps

05 Next steps In-depth analysis on the responses provided in the surveys Interview, if appropriate, more relevant actors Use these results, where appropriate, as input for the recommendations

Leire Orue-Echevarria Arrieta, MBA, PhD División ICT / ICT Division IT Competitiveness Leire.Orue-Echevarria@tecnalia.com C/ Geldo. Parque Tecnológico de Bizkaia, Edificio 700 E-48160 Derio - Bizkaia (Spain) Tel: 902 760 000 *. Tel: +34 946 430 850 (International Calls). Mob: +34 664 103 005 Visita nuestro blog: http://blogs.tecnalia.com/inspiring-blog/ www.tecnalia.com

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback