Cloud Certification

ENISA and Cloud Security
Dimitra Liveri | NIS Expert
EuroCloud Forum 2015 | Barcelona | 07-10-2015
European Union Agency for Network and Information Security
Securing Europe’s Information Society
Operational Office in Athens
Positioning ENISA activities
Agenda
• Benefits of Cloud Computing
• Risks in Cloud Computing
• ENISA Activities in Cloud Security
• ENISA tools
• Risk Assessment for SMEs
• Cloud Certification Schemes List
• Next steps
Cloud Computing is a Business Model
• Cloud Computing is another way of providing IT services
• Characteristics are:
  - Highly standardized services
  - Highly standardized SLAs
• Using such a service is outsourcing
• Cloud SLAs are usually much more standardized than in other outsourcing contracts
Cloud Computing is a Deployment Model
• Cloud computing is a deployment model
• Information processing:
  - In a shared environment using shared computing resources
  - Resources can be quickly scaled to meet changed demand
• Cloud deployments are usually much more standardized and automated than legacy IT
(image: © Google / Conny Zhou)
Cloud Opportunities
Economies of Scale (efficient solutions)
• Better ROI
• More efficient resource utilization also means cost savings
• Cost of security spread to all customers
High Resiliency (standardised solutions)
• Better back up services
• Better patch management
• Better business recovery
• Better software update management
• Portable and interoperable
Cloud Challenges
Isolation Failures
• Control resides with the cloud provider
Management GUI and API compromise
• Identity and access management are particularly important
• Full access to all resources (keys to many kingdoms)
Loss of Governance
• Customer cedes some control to the provider (depending on the deployment model)
• This also affects security
Data protection
• The CSP usually becomes data processor in terms of DP legislation
• Data processing in datacentres abroad can imply that certain DP requirements cannot be met in the Cloud
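The "keys to many kingdoms" point above, worked through as an added example (this is not part of the ENISA deck and not ENISA tooling): a small audit that walks cloud management-API policy documents and flags the grants that turn one stolen credential into control of everything. The deck names no provider, so AWS-style IAM policy JSON is assumed as the format; the policy names, account id, bucket name and the list of credential-issuing actions are constructed for this example.

```python
"""Flag "keys to many kingdoms" in cloud management-API policies.

Added example; not part of the ENISA deck and not ENISA tooling. AWS-style
IAM policy JSON is assumed as the policy format. The three sample policies
below are constructed for this example.
"""
import fnmatch
import json

# Actions that let a principal mint or widen credentials (constructed,
# non-exhaustive list): a compromised management-API token holding any of
# these reaches every other resource sooner or later.
PRIVILEGE_ESCALATION_ACTIONS = {
    "iam:AttachUserPolicy",
    "iam:CreateAccessKey",
    "iam:CreateLoginProfile",
    "iam:PutUserPolicy",
    "sts:AssumeRole",
}

SAMPLE_POLICIES = {  # constructed sample input
    "break-glass-admin": {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}],
    },
    "backup-operator": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject"],
                "Resource": "arn:aws:s3:::backups-eu-west-1/*",
            },
            {
                "Effect": "Allow",
                "Action": "iam:CreateAccessKey",
                "Resource": "arn:aws:iam::123456789012:user/${aws:username}",
            },
        ],
    },
    "mfa-gated-admin": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }],
    },
}


def _as_list(value):
    """Action/Resource may be a string or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _requires_mfa(statement):
    """True if the statement is gated on an MFA-backed session."""
    for operator in ("Bool", "BoolIfExists"):
        flags = statement.get("Condition", {}).get(operator, {})
        if str(flags.get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False


def audit_policy(policy):
    """Return (statement_index, finding) pairs for one policy document."""
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "*" in actions and "*" in resources:
            findings.append((i, "full admin: Action '*' on Resource '*'"))
        elif "*" in actions:
            findings.append((i, "every action allowed on scoped resources"))
        # Wildcard patterns such as "iam:*" count, so match each escalator
        # against every action pattern rather than looking for exact strings.
        escalators = sorted(
            e for e in PRIVILEGE_ESCALATION_ACTIONS
            if any(fnmatch.fnmatchcase(e, pattern) for pattern in actions)
        )
        if escalators and not _requires_mfa(stmt):
            findings.append(
                (i, "credential-issuing action without MFA: " + ", ".join(escalators))
            )
    return findings


def audit_all(policies):
    """Audit a mapping of policy name -> policy document."""
    return {name: audit_policy(doc) for name, doc in policies.items()}


if __name__ == "__main__":
    print(json.dumps(audit_all(SAMPLE_POLICIES), indent=2))
```

The MFA-gated admin policy still shows up as full admin: a condition narrows who can use the keys, not what the keys can do, so it belongs in the procurement and governance discussion rather than being silently accepted.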
Differences in Requirements for Governments vs. Companies
Private Sector
• Difference depending on the scale, i.e. large companies and SMEs
• Legacy Data
• Investment from cost perspective
EASIER TO MAKE THE RIGHT DECISION
Public Sector
• Legacy Applications
• Legacy Processes
• Special information assurance requirements
NEEDS MORE TIME TO ADOPT
ENISA’s work in the area of Cloud
2009 Cloud computing risk assessment
2009 Cloud security Assurance framework
2012 Procure secure (Security in SLAs)
2013 Critical cloud computing
2013 Incident reporting for cloud computing
2013 Securely deploying GovClouds
2013 Support EU Cloud Strategy
2014 Cloud Certification Meta-Framework
2014 Procurement security in GovClouds
2015 Cloud Security guide for SMEs
http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing
ENISA engages the community
ENISA Cloud Security and Resilience experts group
Cloud Computing Risk Assessment
Addressed to: public sector, private sector (large
companies and SMEs), governmental agencies
Risk Assessment in the Cloud
Famous 2009 Guide
Updated in 2012
Security Guide for SMEs –
2015
Security guide for SMEs
• Small and medium size enterprises (SMEs) are an important driver for innovation and growth in the EU
• Cloud Computing is a means for innovation, but cloud is still a challenge for SMEs.
• ENISA in this study presents:
  - 11 security opportunities (compared to legacy IT benefits)
  - 11 security risks (compared with legacy IT risks)
  - 12 security questions for the SME to ask the provider (in one security “cheat sheet”)
  - 2 comprehensive scenarios
  - Some legal advice
…and online tool
Where you can:
• rate your opportunities from cloud
• rate your risks
• produce a risk map
• get your security questions
Governmental Clouds
Addressed to: public sector,
governmental agencies
Governmental Cloud reports (1/2)
2010: Guide on security and resilience for Governmental Clouds
• Presentation of the security benefits and drawbacks for the public sector to go in the cloud
• First steps to be taken towards the decision to go cloud
2013: Good practice guide on how to securely deploy Governmental Clouds
• Definition of a governmental cloud (in a mature market)
• State of cloud computing adoption in the EU public sector
• Case studies of different approaches in adopting a cloud solution
Governmental Cloud reports (2/2)
2014: Security Framework for Governmental Clouds
• 4 phases, 10 different steps and the specific actions to be taken in each one
• 4 use case scenarios to find the solution that best fits each implementation
Critical Clouds
Addressed to: private sector (public sector in some cases)
ENISA’s Critical Cloud Study
• First assessment of CIIP aspects of Cloud computing
• Illustrates dependencies and provides examples for failures
• Provides recommendations for Cloud security governance from the CIIP perspective
• Conclusions can be applied to Governmental Cloud usage
Incident Reporting for Cloud Computing
• Cloud computing incidents could have major impact.
• Large scale incidents should be reported to improve trust.
• Public sector and industry should agree on scope and thresholds of reporting.
• ENISA suggests a model for incident reporting of cloud incidents involving CSPs and regulators.
Cloud in the Critical Sectors
• Critical Clouds
• Cloud Computing in the Finance Sector
• Cloud supporting Health care systems and services
• Cloud supporting eGovernment
Good Practices for the use of Cloud Computing in the Finance Sector
• Identification of critical challenges to cloud computing adoption in the Finance sector
• Assess legal and regulatory context (challenges and opportunities) in all member states
• Support industry and understand their uptake: why do some use cloud and some don’t
• Propose recommendations
Cloud Certification
Addressed to: private sector, large companies and SMEs (public sector and governmental agencies in some cases)
The EU Cloud Strategy
“EU should not only be cloud-friendly, but also cloud-active”
The European Commission’s strategy “Unleashing the potential of cloud computing in Europe”, adopted on 27 September 2012, is designed to speed up and increase the use of cloud computing across the economy. Its key actions:
• Cutting through the jungle of technical standards
• Development of model “safe and fair” contract terms and conditions
• A European Cloud Partnership to drive innovation and growth from the public sector
“I am pleased that ETSI launched and steered the Cloud Standards Coordination (CSC) initiative in a fully transparent and open way for all stakeholders.”
“...ensuring technical security requirements are mapped onto certification, as ENISA is leading…”
“... we officially launch the platform for public sector cooperation with this "Cloud for Europe" initiative. This is an enormous step forward.…”
Neelie Kroes, European Commissioner for the Digital Agenda, Oct 2013
ENISA realising the EU Cloud Strategy: Certification
• Strategic objective of the EC Strategy: a list of voluntary certification schemes
• Cloud Certification Schemes List (CCSL): list of existing certification schemes
  – 13 certification schemes included
  – Powered by ENISA, supported by the EC and the Cloud Selected Industry Group (C-SIG)
• Cloud Certification Schemes Metaframework (CCSM): meta-framework based on existing certification schemes
  – Mapping detailed ICT security requirements of the public sector in the EU (11 countries, and more will come)
  – The resulting matrix is to be used for procurement
Visit: https://resilience.enisa.europa.eu/cloud-computing-certification
How we draw CCSM
(Figure: the security requirements of Country A and Country B are mapped onto CCSM security objectives; each CCSM security objective is in turn mapped to the references in the cloud certification schemes that address it. Requirements not covered by CCSM or existing certification schemes remain to be evaluated separately.)
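The two-step mapping in the figure (national requirement → CCSM security objective → certification scheme reference) is the kind of thing a procurement team ends up computing by hand. Below is an added example of that computation; it is not ENISA's tooling and the requirement ids, objective ids and scheme names are constructed for illustration, not real CCSM or CCSL entries. It goes a little beyond the figure by distinguishing requirements that a scheme covers only partially, and by answering the procurement question directly: for a given country, which scheme covers most, and what must still be evaluated separately.

```python
"""Worked example of the CCSM mapping (added here; not ENISA's tooling).

National security requirements map to CCSM security objectives; each
certification scheme references the objectives it covers. For procurement
we ask which of a country's requirements a scheme covers, and which remain
to be evaluated separately. All identifiers below are constructed.
"""

# Country requirement -> CCSM objectives it maps to (constructed).
# An empty set means the requirement has no counterpart in CCSM at all.
COUNTRY_REQUIREMENTS = {
    "Country A": {
        "A-REQ-01 Access control policy": {"SO-ACCESS"},
        "A-REQ-02 Encrypted backups": {"SO-BACKUP", "SO-CRYPTO"},
        "A-REQ-03 Incident notification within 24h": {"SO-INCIDENT"},
        "A-REQ-04 Data stays in EU": set(),
    },
    "Country B": {
        "B-REQ-01 Logging of admin actions": {"SO-LOGGING"},
        "B-REQ-02 Access control": {"SO-ACCESS"},
        "B-REQ-03 Key management": {"SO-CRYPTO"},
    },
}

# Certification scheme -> CCSM objectives its references cover (constructed).
SCHEMES = {
    "Scheme X": {"SO-ACCESS", "SO-BACKUP", "SO-LOGGING"},
    "Scheme Y": {"SO-ACCESS", "SO-CRYPTO", "SO-INCIDENT", "SO-LOGGING"},
}


def coverage(country, scheme):
    """Classify each of `country`'s requirements against `scheme`.

    covered   : every CCSM objective the requirement maps to is referenced
    partial   : some, but not all, of its objectives are referenced
    uncovered : none are, or the requirement maps to no CCSM objective at
                all; either way it must be evaluated separately
    """
    objectives = SCHEMES[scheme]
    result = {"covered": [], "partial": [], "uncovered": []}
    for req, mapped in sorted(COUNTRY_REQUIREMENTS[country].items()):
        hit = mapped & objectives
        if mapped and hit == mapped:
            result["covered"].append(req)
        elif hit:
            result["partial"].append(req)
        else:
            result["uncovered"].append(req)
    return result


def unmapped_requirements(country):
    """Requirements with no CCSM objective: outside the meta-framework entirely."""
    return sorted(
        req for req, mapped in COUNTRY_REQUIREMENTS[country].items() if not mapped
    )


def procurement_matrix():
    """Fully covered requirement count per (country, scheme) pair."""
    return {
        (country, scheme): len(coverage(country, scheme)["covered"])
        for country in COUNTRY_REQUIREMENTS
        for scheme in SCHEMES
    }


def best_scheme(country):
    """Scheme covering the most of the country's requirements (ties: by name)."""
    return min(SCHEMES, key=lambda s: (-len(coverage(country, s)["covered"]), s))


if __name__ == "__main__":
    for (country, scheme), n in procurement_matrix().items():
        print(f"{country} / {scheme}: {n} requirement(s) fully covered")
    for country in COUNTRY_REQUIREMENTS:
        best = best_scheme(country)
        print(f"{country}: best fit {best}; evaluate separately: "
              f"{coverage(country, best)['uncovered']}")
```

Partial coverage is worth tracking separately from "uncovered": a scheme that references one of a requirement's two objectives reduces the separate evaluation to the missing objective rather than the whole requirement.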
Next steps
Ex-post analysis of cloud incidents (early 2016)
• EU perspective on ex-post analysis (forensics) for cloud incidents: 8 countries (IT, ES, IE, NL, GR, FR, EE, UK): academia, LEAs, forensics specialists, CERTs.
• Challenges, procedures, tools, legal restrictions
ICT in eHealth (2016)
• Challenges and opportunities of ICT deployments in eHealth (medical records, patient records etc.)
• Cloud computing use case in eHealth
• Big data use case in eHealth
Thank you and Welcome!
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
info@enisa.europa.eu
www.enisa.europa.eu