Presentation is loading. Please wait.

Presentation is loading. Please wait.

Www.enisa.europa.eu ENISA – Cloud Computing Security Strategy Dr Steve Purser Head of Technical Department European Network and Information Security Agency.

Published byDalia Wyke Modified over 9 years ago

Similar presentations

Presentation on theme: "Www.enisa.europa.eu ENISA – Cloud Computing Security Strategy Dr Steve Purser Head of Technical Department European Network and Information Security Agency."— Presentation transcript:

1 www.enisa.europa.eu ENISA – Cloud Computing Security Strategy Dr Steve Purser Head of Technical Department European Network and Information Security Agency (ENISA) OGF28 2010 Munich March, 2010

2 www.enisa.europa.eu Created in 2004 Centre of Expertise Supports EU institutions Facilitator of information exchange between EU institutions, public sector & private sector. Advising and assisting Collecting and analysing Promoting methods Raising awareness ENISA 2

3 www.enisa.europa.eu ENISA’s Understanding of Cloud Computing Cloud computing is a new business model that allows: Highly abstracted HW and SW resources Rapid scalability and flexibility Near instantaneous provisioning Shared resources (hardware, database, memory, etc...) ‘Service On demand’, usually with a ‘pay as you go’ billing system Programmatic management (e.g. through Web Services API)

4 www.enisa.europa.eu 4 ENISA Cloud Computing Objectives Help governments and businesses to leverage the cost benefits of cloud computing taking due consideration of security requirements. Improve transparency on security practices to allow informed decisions Creating trust and trustworthiness by promoting best practice and assurance standards

5 www.enisa.europa.eu Reaching the objectives 5 ENISA Deliverables and Ongoing Activities: Cloud Computing: Benefits, Risks and Recommendations for Information security 2009 Assurance framework 2009 Research Recommendations 2009 Gov-Cloud security and resilience analysis (2010) Cloud Assurance Framework (CAM) consortium 2010 2011 (proposed) procurement and monitoring guidance for government cloud contracts.

6 www.enisa.europa.eu Cloud Computing: Benefits, Risks and Recommendations for Information security 6

7 www.enisa.europa.eu 7 Security Benefits

8 www.enisa.europa.eu Economies of scale The same amount of investment in security may result in better protection Many security measures are cheaper when implemented on a larger scale. o (e.g. filtering, patch management, hardening of virtual machine instances and hypervisors, etc)

9 www.enisa.europa.eu The Risks

10 www.enisa.europa.eu Very high value assets More Data in transit (Without encryption?) Management interfaces are interesting targets for attackers. Trustworthiness of insiders. Hypervisors- hypervisor layer attacks on virtual machines are very attractive

11 www.enisa.europa.eu Loss of Governance The client cedes control to the Provider on a number of issues effecting security: o External penetration testing may not be permitted. o Very limited logs available. o Usually no forensics service offered o No information on location/jurisdiction of data. o Outsource or sub-contract services to third- parties (fourth parties?) SLAs may not offer a commitment to provide the above services, thus leaving a gap in security defences.

12 www.enisa.europa.eu Compliance Challenges Cloud Provider may not be able to provide evidence of their own compliance to the relevant requirements. Cloud Provider may not permit audit by the Cloud Customer. In certain cases, using a cloud implies certain kind of compliance cannot be achieved

13 www.enisa.europa.eu Legal and contractual risks Data may be stored in multiple jurisdictions, some of which may be risky. Lack of compliance with EU Data Protection Directive o Potentially difficult for the customer (data controller) to check the data handling practices of the provider o Multiple transfers of data exacerbated the problem Subpoena and e-discovery Confidentiality and Non-disclosure Intellectual Property Risk Allocation and limitation of liability

14 www.enisa.europa.eu Cryptographic Key Management Key management is (currently) the responsibility of the cloud customer. Distributed key management is difficult. Therefore key provisioning and storage is usually out of band – i.e. off-cloud Some models, e.g. one key per account, do not scale to multiple accounts/account holders Hardware security modules are difficult to implement in the cloud.

15 www.enisa.europa.eu Vendor Lock in Few tools, procedures or standard formats for data and service portability Difficult to migrate from one provider to another, or to migrate data and services to or from an in-house IT environment Potential dependency of service provision on a particular Cloud Provider.

16 www.enisa.europa.eu Resource Exhaustion Overbooking Underbooking Caused by o Resource allocation algorithms o Unpredictable peaks in legitimate demand. o Denial of Service

17 www.enisa.europa.eu Cloud Computing Information Assurance Framework 17

18 www.enisa.europa.eu Aims at increasing transparency by defining a a minimum baseline for: Comparing cloud offers Assessing the risk to go Cloud Reducing audit burden and security risks Cloud Information Assurance Framework

19 www.enisa.europa.eu Cloud Information Assurance Framework An example Network architecture controls Well-defined controls are in place to mitigate DDoS (distributed denial–of-service) attacks e.g. o Defence in depth (traffic throttling, packet black-holing, etc..) o Defences are in place against ‘internal’ (originating from the cloud providers networks) attacks as well as external (originating from the Internet or customer networks) attacks. Measures are specified to isolate resource usage between accounts for virtual machines, physical machines, network, storage (e.g., storage area networks), management networks and management support systems, etc. The architecture supports continued operation from the cloud when the customer is separated from the service provider and vice versa (e.g., there is no critical dependency on the customer LDAP system).

20 www.enisa.europa.eu Framework 2010 – Cloud Assurance Metric Provider comparison on security features

21 www.enisa.europa.eu 21 Government in the Cloud: impact on service security & resilience 2010 – Supporting EU Governments in Cloud Migration ENISA aims to: Analyze and evaluate the impact of cloud computing on the resilience and security of GOV services Provide recommendations and good practices for European Members State planning to migrate to cloud computing

22 www.enisa.europa.eu Governments and the Cloud 22 UK DK USA Singapore Japan Australia Gov Agencies and Public Organizations around the globe are moving non-critical applications towards a "cloud approach". In Europe we have some fast adopters, i.e. Denmark and UK, announcing/planning to move into the cloud. In the short-medium term (1 to 3 years) an increasing number of Public Organizations, in EU Member States, will consider/adopt cloud computing....

23 www.enisa.europa.eu 2011 procurement and monitoring guidelines Procurement Criteria Monitoring and Supervision CERT, ISAC Information security procurement criteria and monitoring of government cloud contracts.

24 www.enisa.europa.eu Conclusions Cloud computing can represent an improvement in security for non-critical applications and data. But transparency is crucial: customers must be given a means to assess and compare provider security practices. In the current state of the art, migrating critical applications and data to the cloud is still very risky (even private clouds) It is not currently clear to what extent the Cloud Computing model can be applied to applications that require high levels of security.

25 www.enisa.europa.eu http://www.nis-summer-school.eu/ Subscribe to the NIS'10 Newsletter at http://www.nis-summer-school.eu/ Subscribe to the NIS'10 Newsletter at http://www.nis-summer-school.eu/

Download ppt "Www.enisa.europa.eu ENISA – Cloud Computing Security Strategy Dr Steve Purser Head of Technical Department European Network and Information Security Agency."

Similar presentations

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.

Creating HIPAA-Compliant Medical Data Applications with Amazon Web Services Presented by, Tulika Srivastava Purdue University.
Cloud Security Assessment. 2 CoE IT Leadership.- Progress report Introduction »Cloud computing is an approach in which infrastructure and software resources.

Cloud Security Assessment. 2 CoE IT Leadership.- Progress report Introduction »Cloud computing is an approach in which infrastructure and software resources.
Course: e-Governance Project Lifecycle Day 1

Course: e-Governance Project Lifecycle Day 1
Cloud computing security related works in ITU-T SG17

Cloud computing security related works in ITU-T SG17
Cloud Computing - clearing the fog Rob Gear 8 th December 2009.

Cloud Computing - clearing the fog Rob Gear 8 th December 2009.
In Harmony, In the Cloud: Harmonizing Data Protection Rules In a Cross-Border World Steve Mutkoski Worldwide Director Policy Microsoft Corporation.

In Harmony, In the Cloud: Harmonizing Data Protection Rules In a Cross-Border World Steve Mutkoski Worldwide Director Policy Microsoft Corporation.
The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.

The Gathering Cloud computing - Legal considerations David Goodbrand, Partner 28 February 2013 Aberdeen Edinburgh Glasgow.
Improving Cybersecurity Through Research & Innovation Dr. Steve Purser Head of Technical Competence Department European Network and Information Security.

Improving Cybersecurity Through Research & Innovation Dr. Steve Purser Head of Technical Competence Department European Network and Information Security.
By Adam Balla & Wachiu Siu

By Adam Balla & Wachiu Siu
© 2011 IBM Corporation Cloud Security Perspectives Dan Carlsen Certified Security IT Specialist – IBM

© 2011 IBM Corporation Cloud Security Perspectives Dan Carlsen Certified Security IT Specialist – IBM
© BT PLC 2005 ‘Risk-based’ Approach to Managing Infrastructure a ‘Commercial Prospective’ Malcolm Page BT UK AFCEA Lisbon 2005.

© BT PLC 2005 ‘Risk-based’ Approach to Managing Infrastructure a ‘Commercial Prospective’ Malcolm Page BT UK AFCEA Lisbon 2005.
1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev. 12-16-11)

1 DCS860A Emerging Technology Physical layer transparency in Cloud Computing (rev )
Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.

Planning and Managing Information Security Randall Sutton, President Elytra Enterprises Inc. April 4, 2006.
IACT 901 Module 9 Establishing Technology Strategy - Scope & Purpose.

IACT 901 Module 9 Establishing Technology Strategy - Scope & Purpose.
ENISA and Cloud Security

ENISA and Cloud Security
Www.enisa.europa.eu European Union Agency for Network and Information Security Follow ENISA: ENISA and standards Sławomir Górniak European Union Agency.

European Union Agency for Network and Information Security Follow ENISA: ENISA and standards Sławomir Górniak European Union Agency.
Cloud Computing Stuart Dillon-Roberts. “In the simplest terms, cloud computing means storing & accessing data & programs over the Internet instead of.

Cloud Computing Stuart Dillon-Roberts. “In the simplest terms, cloud computing means storing & accessing data & programs over the Internet instead of.
© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.

© 2012 AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual.
Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.

Auditing Cloud Computing: Adapting to Changes in Data Management IIA and ISACA Joint Meeting March 12, 2013 Presented by: Jay Hoffman (AEP), John Didlott.
Session 4.2 Creation of national ICT security infrastructure for developing countries Industry-wide approach: Raising awareness for ICT security infrastructure.

Session 4.2 Creation of national ICT security infrastructure for developing countries Industry-wide approach: Raising awareness for ICT security infrastructure.

Similar presentations

Ads by Google