ENISA and Cloud Security
Udo Helmbrecht | Executive Director
EU28 Cloud Security Conference | Riga | 16-06-2015
Positioning ENISA activities
- Policy
- Implementation
- Hands on
- Mobilising communities
- Recommendations
EU Legislation
- The EU Cloud Strategy: the EU cloud strategy has been finalised; ENISA supported the objective on Cloud Certification (next slide).
- The Digital Single Market: the DSM now calls for creating a European digital economy through the use of IoT, Cloud and Big Data.
ENISA's Cloud Security work
- 2009: Cloud computing risk assessment
- 2009: Cloud security assurance framework
- 2011: Security and resilience of GovClouds
- 2012: Procure secure (security in SLAs)
- 2013: Critical cloud computing
- 2013: Incident reporting for cloud computing
- 2013: Securely deploying GovClouds
- 2013: Support EU Cloud Strategy: Cloud Computing Schemes List (CCSL)
- 2014: Cloud Certification Meta-Framework (CCSM)
- 2014: Security frameworks for Gov Clouds
- 2015: Security guide for SMEs
- 2015: Post analysis for cloud incidents (in progress)
http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing

Speaker notes: This is an overview of the work we did in the past and are doing. Our early papers from 2009 are still widely downloaded and quoted. They basically give an overview of the main risks and benefits when moving to the cloud. Let me go over some of them quickly. Put in about "ENISA's work on Cloud Computing, but concentrating on how we have helped industry secure a developing business model (work with CSA, support for the EU Cloud strategy). Here we can stress the fact that we look for security solutions that are economically viable and provide a reasonable trade-off between opportunity and risk. This is ENISA supporting economic growth." All SecureCloud events are co-organized with CSA.
Challenges and Opportunities for SMEs adopting Cloud (Security Guide for SMEs, 2015)
Opportunities:
- Geographic spread
- Elasticity
- Physical security
- Patching and updating
- Certification and compliance
Risks:
- Overloads
- Unexpected costs
- Vendor lock-in
- Administrative or legal outages
- Foreign jurisdiction issues
Recommendation:
- Assess your risks and opportunities using the ENISA SME Tool
- Share the security questions with your cloud provider
Visit: https://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/security-for-smes/sme-guide-tool
ENISA believes security is a driver for cloud adoption.
Governmental Clouds
Studies on governmental clouds:
- 2010: Guide on security and resilience for Governmental Clouds
- 2013: Good practice guide on how to securely deploy Governmental Clouds
- 2014: Security Framework for Governmental Clouds
Recommendations report 2013:
- EC and MS to support the development of an EU strategy to foster the adoption of governmental Cloud;
- EC and MS to develop a business model to guarantee the sustainability and economies of scale of governmental Cloud solutions;
- MS and Cloud providers to foster the development of a framework to mitigate the "loss of control" issue;
- EC and MS to promote the definition of a regulatory framework to address the "locality problem";
- MS and Cloud providers to encourage the development of governmental Cloud solutions compliant with EU and country-specific regulation;
- EC and MS to support the development of an SLA framework;
- EC and MS to foster the adoption of baseline security measures for both public and private Cloud deployment models;
- EC and MS to develop a certification framework;
- Academia and Cloud providers to foster research on governmental Cloud security;
- EC and MS to support privacy enhancement in the Cloud.
The 2014 report builds this framework in steps for the whole public sector to go cloud (from the request of a service until the end of a contract).
Governmental Clouds – Key Recommendations
- Support the development of an EU strategy to foster the adoption of governmental Cloud;
- Develop a business model to guarantee the sustainability and economies of scale of governmental Cloud solutions;
- Promote the definition of a regulatory framework to address the "locality problem";
- MS and Cloud providers to encourage the development of governmental Cloud solutions compliant with EU and country-specific regulation;
- EC and MS to foster the adoption of baseline security measures for both public and private Cloud deployment models;
- EC and MS to develop a certification framework;
- Push for privacy enhancement in the Cloud (to promote governmental cloud adoption).
ENISA realising the EU Cloud Strategy: Certification
Strategic objective of the EC strategy: a list of voluntary certification schemes.
Cloud Certification Schemes List (CCSL):
- List of existing certification schemes
- 13 cloud-related certification schemes included
- Users can understand what each certification means for a provider; providers can assess which certification to obtain.

Speaker notes: The tools are officially announced at the end of January. This service is offered by ENISA and we will continue; we are now in the process of adding new schemes. In 2012 the EC issued a communication called "European strategy for Cloud computing – unleashing the potential of cloud computing in Europe". One of the actions outlined in the strategy is to assist the development of EU-wide voluntary certification schemes and to make a list of such schemes. In the strategy ENISA is asked to support this work. The tools and documents on this page have been developed by ENISA, in collaboration with the European Commission and the Cloud Selected Industry Group on Certification (aka C-SIG Certification). The creation of a list of certification schemes is explicitly mentioned as a key action in the European Cloud Strategy. Read more about the background of this work in ENISA's paper on Certification in the EU cloud strategy. CCSL is a list of (existing) certification schemes relevant for cloud computing customers. CCSL provides potential customers with an overview of objective characteristics per scheme, to help them understand how the scheme works and whether it is appropriate for their setting. CCSL was already implemented as an online tool and published in spring 2014. CCSM is a meta-framework of existing certification schemes, which maps detailed security requirements in the public sector to security objectives in existing certification schemes. The goal of CCSM is to provide more transparency and to help customers in the public sector with cloud procurement.
Cloud Certification Schemes Meta-framework (CCSM):
- Meta-framework based on existing certification schemes
- Assists customers in the public sector with cloud procurement
Visit: https://resilience.enisa.europa.eu/cloud-computing-certification
Cloud in the Critical Sectors
- Critical Clouds
- Cloud Computing in the Finance Sector
- Cloud supporting health care systems and services
- Cloud supporting eGovernment
ENISA first talked about Critical Clouds in 2012. Currently ENISA is focusing on the challenges and opportunities cloud can offer (or cause) in the Finance and Health sectors. In parallel we continue our work on governmental Clouds, promoting Cloud usage in public administration.
Summary of actions/recommendations for the Cloud community
01 ENISA creates online tools to support SMEs and the public sector to "go-cloud"
02 Support the development of a common SLA framework for the EU to support Governmental Clouds
03 Enhance trust through compliance and certification
04 Promote a legislative background to support critical clouds
05 Engage in dialogue and promote partnerships between the public and private sector
Thank you and Welcome!