About ENISA

The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe's citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe's critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at

Authors
Dr. Marnix Dekker, Matina Lakka

Contact
For contacting the authors please use
For media enquiries about this paper, please use

Acknowledgements
This work was done in collaboration with Antonio Ramos (Leetsecurity).

Legal notice
Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the ENISA Regulation (EC) No 460/2004 as lastly amended by Regulation (EU) No 580/2011. This publication does not necessarily represent the state of the art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources, including external websites, referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Reproduction is authorised provided the source is acknowledged.

European Network and Information Security Agency (ENISA), 2013
Executive summary

TODO: We provide an overview of standards relevant for cloud computing security. We map the standards to a set of use cases.
Table of Contents

Executive summary
1 Introduction
2 Cloud service model
3 Use cases
4 Standards
5 Mapping standards
6 Conclusions
7 References
  7.1 Related ENISA papers
  7.2 Legislation
8 Annex: Full list of standards
  8.1 HTML / XML
  8.2 WSDL / SOAP
  8.3 OAuth
  8.4 SAML
  8.5 OData
  8.6 OVF
  8.7 OpenStack
  8.8 CAMP
  8.9 CIMI
  8.10 ODCA SUoM
  8.11 SCAP
  8.12 CSA CCM
  8.13 EuroCloud Star Audit
  8.14 EuroPriSe
  8.15 ISO
  8.16 ITIL
  8.17 SOC
  8.18 Tier Certification
1 Introduction

We provide an overview of standards relevant for cloud computing security. Besides giving a brief summary of the different standards and explaining how they work, we also provide two maps which show the main characteristics of the standards and the use cases in which they become relevant for cloud customers. This work is done in the context of the cloud strategy issued in 2012 by the EC, which calls for ENISA to support the EC in listing certification schemes and standards. This is an intermediate result which merely lists and provides an overview of standards relevant for cloud computing customers, from a security perspective.

1.1 Target audience

This document is aimed at CIOs and architects in enterprises and SMEs in the EU, and at CIOs and decision makers in government organizations in the EU. It may also be of interest to industry experts and industry associations.

1.2 Scope

This document looks at standards which are relevant for cloud customers when adopting or using cloud computing services. The standards included in this document are security standards, when relevant for cloud computing users, and cloud computing standards, when relevant for cloud computing users from a security perspective. This means that we include interoperability standards when they are relevant for the security of customers. We ignore standards below the transport layer (Ethernet, TCP/IP, TLS/SSL, HTTP, SMTP, et cetera). We also ignore standards for providers about how to design and develop cloud services which are of no direct use to customers. For example, there may be standards for cooling server racks which are relevant when building cloud services, but we exclude them because they are not directly relevant for customers.

1.3 Structure of this document

In Section 2 we provide an overview of the different technologies involved in the different types of cloud computing. In Section 3 we analyse the use cases in the procurement lifecycle. In Section 4 we present our list of standards, and in Section 5 we introduce two types of standards maps: one map shows which standards address which technological areas, together with other characteristics of the standards (openness, adoption rate, et cetera); the other map shows which standards address which use cases. We conclude with some observations about gaps and overlaps.
2 Cloud service model

Cloud computing services are often divided into three types:

- Software as a Service (SaaS): In SaaS, the provider delivers full-fledged software or applications via the internet. Applications range from servers, clients and document editors to customer relationship management systems. SaaS services can often be accessed with a browser or a web services client.
- Platform as a Service (PaaS): In PaaS, the provider delivers a platform for customers to run software applications on, via the internet. The applications that customers can run on these platforms range from scripts (PHP, Python) to byte code (Java servlets, C#). Often PaaS providers also provide a software development tool to develop applications for the platform. Examples include Google App Engine, Microsoft Azure and Amazon Elastic Beanstalk.
- Infrastructure as a Service (IaaS): In IaaS the provider delivers storage (virtual databases) or computing resources (virtual hardware) via the internet. Examples include Amazon's Elastic Compute Cloud, Google's Compute Engine, Amazon Simple Storage Service, Google Cloud Storage, Microsoft Windows Azure Storage, Rackspace, Amplidata, cloud.bg and VPS.net.

We explain the different technologies involved in the different types of cloud services.

[Figure 1 (image not reproduced): Cloud Service Model with one column per type (IaaS, PaaS, SaaS) and the layers Data, Client, Application, Application server, OS, Virtual Machine, Hypervisor and Facilities (Network, Housing, Cooling, Power), each layer assigned to the Customer or the Provider.]
Fig 1. Map of different technologies in the different types of cloud services.
3 Use cases

In this section we look at the overall procurement lifecycle and identify 7 high-level use cases where the customer interacts with a cloud service provider. We stress that this is a limited list of use cases, not an exhaustive one. In each of these use cases standards may apply.

[Figure 2 (image not reproduced): business use case diagram with the actors Cloud user, Cloud provider and Auditor and the use cases UC1 to UC7 listed below.]
Fig 2. Business use case diagram with 7 high-level use cases

- UC1: Select cloud service: The customer wants to decide about a cloud service to use (if at all). The user could issue a request for proposal and compare offers, and/or carry out a due diligence process on existing offers. The user may require parts of the provider or the service to be certified.
- UC2: Agree contract / Service Level Agreement (SLA): The customer wants to agree on a contract and an SLA defining detailed service levels and agreed procedures between the customer and the provider.
- UC3: Migrate/Integrate: The customer wants to migrate some existing application and/or data, or to integrate the cloud service with existing services, systems and applications.
- UC4: Operate/Manage: The customer wants to manage and configure the service.
- UC5: Monitor: The customer wants to monitor the service during operation, for example to know about issues, service levels, et cetera.
- UC6: Audit/Inspect: The customer wants to audit or inspect the service, for example post-incident or as part of an audit of the customer's organisation.
- UC7: Exit/Migrate: The customer wants to exit the contract and migrate its application or data to another provider.
4 Standards

In this document, for each standard we will look at the following aspects:

- Adoption: the estimated size of the user base, either end-users or organizations. We distinguish three levels:
  o *** globally: thousands of organizations worldwide
  o ** widely: hundreds of organizations, regional or worldwide
  o * limited: tens of organizations or less, for example in pilots
- Certification/auditing: whether or not there is a certification framework to certify compliance with the standard, or, alternatively, whether or not it is common to have third-party audits against it. We distinguish three levels:
  o *** Audits are common and certification frameworks exist.
  o ** There are audits against the standard, but no formal certification scheme.
  o * De facto standard. There is no audit or certification against it.
- Openness: whether or not the standard is public and open, and whether or not the review process is public and open. We distinguish three levels:
  o *** Open consultation for drafts (like W3C, IETF, OASIS, etc.), open access to final versions (or a small fee, for example less than 100 euro).
  o ** Consultation is closed or membership-based, but there is open access to the standard.
  o * The standard is not open to the public and access to the standard is restricted, or to purchase a useful set of standards you will spend more than 100 euro.
- Use cases: the use cases where this standard plays a role (ranging from UC1 to UC7).
- Technology: the kind of technology the standard applies to (IaaS, PaaS, SaaS).

In this document we focus on the following standards. This list is based on input from the ETSI working group on standards and the list of cloud standards published by NIST: HTML / XML, WSDL / SOAP, OAuth, SAML, OData, OVF, OpenStack, CAMP, CIMI, ODCA SUoM, SCAP, CSA CCM, EuroCloud Star Audit, EuroPriSe, ISO, ITIL, SOC and Tier Certification. For the sake of readability the list of standards is included as an annex.
5 Mapping standards

In this section we present two maps of standards, showing:
- Which standards address which use cases
- Which standards have which characteristics

Table 1 shows which standards address which use cases. The columns are UC1 (Select cloud service), UC2 (Agree contract), UC3 (Migrate/integrate), UC4 (Operate/manage), UC5 (Monitor), UC6 (Audit/inspect) and UC7 (Exit/migrate); each x marks one use case addressed by the standard.

  Standard                 Use cases addressed
  HTML/XML, WSDL/SOAP      x x
  OAuth                    x x x
  SAML                     x x x
  OData                    x x x
  OVF                      x x x
  OpenStack                x x x
  CAMP                     x x x x
  CIMI                     x x x
  ODCA SUoM                x x
  SCAP                     x
  CSA CCM                  x x
  EuroCloud Star Audit     x x
  EuroPriSe                x x
  ISO                      x x
  ITIL                     x x
  SOC                      x x
  Tier Certification       x x

Table 1. Use cases addressed by the standard
In Table 2 we show the application domain of the different standards, and their general characteristics, in terms of adoption, certification and openness. The domain columns are SaaS, PaaS, IaaS, Facilities and Organization (each x marks one domain the standard applies to); the other characteristics are Adoption, Certification and Openness, rated from * to *** as defined in Section 4.

  Standard                 Domain      Adoption  Certification  Openness
  HTML/XML                 x x         ***       *              ***
  WSDL/SOAP                x x         ***       *              ***
  OAuth                    x           ***       *              ***
  SAML                     x           ***       *              ***
  OData                    x x         *         *              ***
  OVF                      x           ***       *              ***
  OpenStack                x x         **        *              **
  CAMP                     x           *         *              **
  CIMI                     x           *         *              ***
  ODCA SUoM                x           *         *              **
  SCAP                     x x x x     ***       *              **
  CSA CCM                  x x         *         ***            ***
  EuroCloud Star Audit     x x x       *         ***            *
  EuroPriSe                x x         *         ***            **
  ISO                      x x         ***       ***            **
  ITIL                     x           **        ***            **
  SOC                      x x         **        ***            **
  Tier Certification       x           **        ***            *

Table 2. Characteristics of the standards
6 Conclusions

//TODO
//Note about data protection: there does not seem to be a standard for privacy settings or security measures to protect personal data. Maybe interesting for future work.
//Note about LEA access requests: there is sometimes talk about standardizing data access requests and forensics. This may be interesting for future work. In this document, we focus on the common use cases involving the customer.
//Note on possible weak areas: there are some use cases where very few standards exist:
- UC2. Agree contract / SLAs
- UC3. Migrate / integrate for PaaS and SaaS models
- UC4. Operate / manage for PaaS and SaaS models
- UC5. Monitoring
- UC7. Exit / migrate for PaaS and SaaS models
NOTE: The idea of service labelling introduced by the EU Cyber-security strategy could be interesting.
7 References

7.1 Related ENISA papers

The 2009 ENISA Cloud computing risk assessment assesses risks and benefits for SMEs who consider adopting cloud computing.
The 2011 ENISA report on security and resilience of Governmental clouds provides guidance for government organisations for selecting cloud computing services.
The 2012 ENISA report on secure procurement of cloud computing services focuses on monitoring service levels of cloud computing services.
The 2012 ENISA report on National Cyber Security Strategies aims to identify the most common and recurrent elements and practices of national cyber security strategies (NCSSs), in EU and non-EU countries.
//EU CLOUD PARTNERSHIP

7.2 Legislation

RELEVANT LEGISLATION
8 Annex: Full list of standards

In this section we describe the different standards.

8.1 HTML / XML

Name: HyperText Markup Language (HTML) / Extensible Markup Language (XML)
Organisation: World Wide Web Consortium (W3C): HTML Working Group and XML Core Working Group
Openness: Open. Development: discussion is kept between W3C members (and potentially non-member experts invited by the Group Chair). Availability: the specifications are freely available to download from the XML Protocol Working Group.
Use cases: UC3 Migrate/Integrate: As de facto standards of the Internet, HTML and XML allow a user to move from one provider to another, because all providers support both.
Technology: IaaS and SaaS. Both languages make communication between elements possible; because of this they also affect the API/GUI element.
Certification: The use of these languages is not accredited or certified by any body, but as they have become W3C Recommendations they are used today as the basis for Internet-based services.
Adoption: Globally. Millions of companies use these standards, as XML has come into common use for the interchange of data over the Internet (RFC 3023 gives rules for the construction of Internet media types for use when sending XML).
8.2 WSDL / SOAP

Certification: The SOAP / WSDL standards are voluntary and there is no body responsible to accredit in any way that a service is compliant with them.
Adoption: Globally. Millions of companies use these standards, as XML has come into common use for the interchange of data over the Internet (RFC 3023 gives rules for the construction of Internet media types for use when sending XML).
Description: SOAP is a protocol specification for exchanging structured information in the implementation of web services in computer networks. It relies on Extensible Markup Language (XML) for its message format, and usually relies on other application-layer protocols, most notably HTTP or SMTP, for message negotiation and transmission. The protocol consists of three parts: an envelope, which defines what is in the message and how to process it; a set of encoding rules for expressing instances of application-defined datatypes; and a convention for representing procedure calls and responses. WSDL is an XML-based interface description language that is used for describing the functionality offered by a web service. A WSDL description of a web service provides a machine-readable description of how the service can be called, what parameters it expects, and what data structures it returns.

8.3 OAuth

Name: OAuth 2.0 Authorization Framework
Organisation: Internet Engineering Task Force (IETF)
Openness: Open. Development: the standard is discussed by IETF OAuth Working Group experts. Availability: the document is freely available to download from the IETF website.
Use cases: UC3 Migrate/Integrate: OAuth allows a user to manage access to provider resources in line with their internal needs. UC4 Operate/Manage: During the life of the service, OAuth supports the modification of access authorizations to provider resources, according to user needs. UC7 Exit/Migrate: OAuth facilitates portability between cloud implementations that support the framework.
Technology: SaaS. As a framework that allows access to an HTTP service, it works on the API/GUI element of the cloud service model.
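The following is an added example, not code from the ENISA report or from the IETF: a constructed, in-memory walk-through of the OAuth 2.0 authorization code grant that makes the separation described in the OAuth entry concrete, with a resource owner, a client, an authorization server and a resource server as distinct parties. The client identifier, client secret, redirect URI, scope names and the owner's documents are assumptions made up for this example. What it shows is what "limited access" means in practice: the token the client receives is bound to the scopes the owner actually approved, the authorization code can be redeemed only once, and the client never handles the owner's own credentials.

```python
import hashlib
import hmac
import secrets
import time

# Constructed, in-memory illustration of the OAuth 2.0 authorization code grant.
# All identifiers, secrets, scopes and data below are invented for the example.

ACCESS_TOKEN_LIFETIME = 3600   # seconds
CODE_LIFETIME = 600            # authorization codes are short-lived


class AuthorizationServer:
    """Issues codes and tokens; the only party holding client credentials."""

    def __init__(self):
        self.clients = {}   # client_id -> (sha256(client_secret), registered redirect_uri)
        self.codes = {}     # authorization code -> grant record (single use)
        self.tokens = {}    # access token -> (client_id, owner, scopes, expiry)

    def register_client(self, client_id, client_secret, redirect_uri):
        digest = hashlib.sha256(client_secret.encode()).digest()
        self.clients[client_id] = (digest, redirect_uri)

    def authorize(self, client_id, redirect_uri, requested_scopes, owner, approved_scopes):
        """Authorization endpoint: the resource owner approves a subset of the request."""
        _, registered_uri = self.clients[client_id]
        if redirect_uri != registered_uri:
            raise ValueError("redirect_uri does not match the registered value")
        granted = frozenset(requested_scopes) & frozenset(approved_scopes)
        code = secrets.token_urlsafe(32)
        self.codes[code] = (client_id, redirect_uri, owner, granted, time.time() + CODE_LIFETIME)
        return code

    def token(self, client_id, client_secret, code, redirect_uri):
        """Token endpoint: the client authenticates with its own credentials and
        trades the code for an access token limited to the granted scopes."""
        digest, _ = self.clients.get(client_id, (b"", None))
        presented = hashlib.sha256(client_secret.encode()).digest()
        if not hmac.compare_digest(digest, presented):
            raise PermissionError("invalid_client")
        grant = self.codes.pop(code, None)   # pop: a code can be redeemed only once
        if grant is None:
            raise PermissionError("invalid_grant")
        g_client, g_uri, owner, scopes, expiry = grant
        if g_client != client_id or g_uri != redirect_uri or time.time() > expiry:
            raise PermissionError("invalid_grant")
        token = secrets.token_urlsafe(32)
        self.tokens[token] = (client_id, owner, scopes, time.time() + ACCESS_TOKEN_LIFETIME)
        return {"access_token": token, "token_type": "Bearer",
                "expires_in": ACCESS_TOKEN_LIFETIME, "scope": " ".join(sorted(scopes))}


class ResourceServer:
    """Serves the owner's data and enforces the scopes bound to the presented token."""

    def __init__(self, auth_server):
        self.auth_server = auth_server
        self.documents = {"alice": ["q1-report.pdf"]}   # constructed owner data

    def handle(self, bearer_token, owner, required_scope):
        info = self.auth_server.tokens.get(bearer_token)
        if info is None or time.time() > info[3]:
            return 401, "invalid_token"
        _, token_owner, scopes, _ = info
        if token_owner != owner or required_scope not in scopes:
            return 403, "insufficient_scope"
        return 200, list(self.documents[owner])


def run_flow():
    """Walk through the grant once and return the observations worth checking."""
    auth = AuthorizationServer()
    rs = ResourceServer(auth)
    auth.register_client("reporting-app", "s3cret-client-secret", "https://app.example/cb")
    # 1. Owner "alice" approves only read access although the client asked for read and write.
    code = auth.authorize("reporting-app", "https://app.example/cb",
                          ["docs.read", "docs.write"], "alice", ["docs.read"])
    # 2. The client redeems the code with its own credentials (never alice's password).
    tok = auth.token("reporting-app", "s3cret-client-secret", code, "https://app.example/cb")
    read = rs.handle(tok["access_token"], "alice", "docs.read")
    write = rs.handle(tok["access_token"], "alice", "docs.write")
    # 3. Replaying the already-redeemed code must be refused.
    try:
        auth.token("reporting-app", "s3cret-client-secret", code, "https://app.example/cb")
        replay = "accepted"
    except PermissionError as exc:
        replay = str(exc)
    return {"scope": tok["scope"], "read": read, "write": write, "replay": replay}


if __name__ == "__main__":
    print(run_flow())
```

The token store is keyed by an unguessable random value and carries the owner, the client and the scopes; a real deployment would add token revocation and refresh tokens, but the scope check in `ResourceServer.handle` is the point the entry makes: the resource server decides from the token alone, without ever seeing the owner's credentials.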
Certification: The OAuth framework is voluntary and there is no body responsible to accredit in any way that a service is compliant with it.
Adoption: Globally. Due to adoption by the main public cloud providers and social networks, OAuth is used by thousands of applications and millions of users.
Description: OAuth enables a third-party application to obtain limited access to an HTTP service, either on behalf of a resource owner by orchestrating an approval interaction between the resource owner and the HTTP service, or by allowing the third-party application to obtain access on its own behalf (OpenID is included as a subset of OAuth). OAuth introduces an authorization layer and separates the role of the client from that of the resource owner. In OAuth, the client requests access to resources controlled by the resource owner and hosted by the resource server, and is issued a different set of credentials than those of the resource owner.

8.4 SAML

Name: Security Assertion Markup Language (SAML)
Organisation: Organization for the Advancement of Structured Information Standards (OASIS)
Openness: Open. Development: the standard is discussed by OASIS Security Services Technical Committee experts. Availability: the document is freely available to download from the OASIS website.
Use cases: UC3 Migrate/Integrate: SAML provides users with an interface to manage the provision of identification and user authentication between user and provider. UC4 Operate/Manage: During the life of the service, SAML supports the modification of identification and user authentication, according to user needs. UC7 Exit/Migrate: SAML facilitates portability between cloud implementations that support the language.
Technology: SaaS. As a framework that allows access to an HTTP service, it works on the API/GUI component of the cloud service model.
Certification: The SAML standard is voluntary and there is no body responsible to accredit in any way that a service is compliant with it.
Adoption: Globally. Thousands of applications use SAML, but it is estimated that this is less than 10% of the available applications (in fact, it is being replaced by OAuth as the de facto standard for identity management).
Description: SAML provides an XML-based framework for communicating user authentication, entitlement, and attribute information between online partners. SAML provides a standard XML representation for specifying this information and interoperable ways to exchange and obtain it. By defining standardized mechanisms for the communication of security and identity information between business partners, SAML makes federated identity, and the cross-domain transactions that it enables, a reality.

8.5 OData

Name: Open Data Protocol (OData)
Organisation: OData & Organization for the Advancement of Structured Information Standards (OASIS)
Openness: Open. Development: the standard is discussed by OASIS OData Technical Committee experts. Availability: the document is freely available to download from the OData website.
Use cases: UC3 Migrate/Integrate: Using OData, cloud users can connect internal services with cloud ones, making the integration of this kind of service easier. UC4 Operate/Manage: Data management is one of the most important issues regarding cloud services; the use of standards like OData makes it easier to interchange data with cloud providers. UC7 Exit/Migrate: When changing from one cloud service provider to another, using data management standards reduces the lock-in ability of any provider.
Technology: IaaS and SaaS. OData works on the elements of the cloud service model that allow access to data.
Certification: The OData protocol is voluntary and there is no body responsible to accredit in any way that a service is compliant with it.
Adoption: Limited. Tens of applications and tens of live services implement the OData protocol at the moment of issuing this report (according to the OData website).
Description: OData is a web protocol for querying and updating data. OData applies and builds upon web technologies such as HTTP, the Atom Publishing Protocol and JSON to provide access to information from a variety of applications, services, and stores. OData can be used to expose and access information from a variety of sources including, but not limited to, relational databases, file systems, content management systems and traditional web sites. OData provides a uniform way to expose, structure, query and manipulate data using REST practices and JSON or Atom syntax to describe the payload.

8.6 OVF

Name: Open Virtualization Format (OVF)
Organisation: Distributed Management Task Force (DMTF)
Openness: Open. Development: the standard is discussed by DMTF group experts. Availability: the document is freely available to download from the DMTF website.
Use cases: UC3 Migrate/Integrate: If the user already implements virtualization, they can benefit from OVF, which makes the move to the cloud easier. UC4 Operate/Manage: During the service life-cycle, OVF allows the user to install new virtual machines in an easy way. UC7 Exit/Migrate: If providers adopt OVF, users can move their virtual machines from one provider to another without the need for modifications in this field.
Technology: IaaS. OVF establishes requirements for easing the mobility of virtual machines across hypervisors.
Certification: The OVF protocol is voluntary and there is no body responsible to accredit in any way that a service is compliant with it.
Adoption: Globally. OVF has been adopted by the main virtualization players, so thousands of users are using the standard.
Description: OVF is a standard for packaging and distributing virtual appliances or, more generally, software to be run in virtual machines. The standard describes an open, secure, portable, efficient and extensible format for the packaging and distribution of software that is not tied to any particular hypervisor or processor architecture.
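Added example, not part of the report or of the DMTF specification, showing where the "secure" in the OVF description comes from when a customer imports a virtual appliance: an OVF package carries a manifest (`.mf`) with one line per file in the form `ALGORITHM(filename)= hexdigest`, and the importer is expected to check every file referenced by the descriptor against it. The code builds a constructed package in memory (descriptor, manifest and two payload files, all invented), verifies that each referenced file is present, has the size the descriptor declares and matches its manifest digest, and shows the check failing when a disk image is altered. It accepts any digest algorithm name the manifest line names, so the same verifier covers the SHA1 manifests of OVF 1.x and the stronger digests allowed later.

```python
import hashlib
import xml.etree.ElementTree as ET

OVF_NS = {"ovf": "http://schemas.dmtf.org/ovf/envelope/1"}
OVF_ATTR = "{http://schemas.dmtf.org/ovf/envelope/1}"   # prefix for ovf:href / ovf:size

# Constructed OVF package held in memory; names, contents and sizes are invented.
DESCRIPTOR = """<Envelope xmlns="http://schemas.dmtf.org/ovf/envelope/1"
    xmlns:ovf="http://schemas.dmtf.org/ovf/envelope/1">
  <References>
    <File ovf:id="disk1" ovf:href="appliance-disk1.vmdk" ovf:size="22"/>
    <File ovf:id="iso1" ovf:href="appliance-config.iso" ovf:size="17"/>
  </References>
  <VirtualSystem ovf:id="appliance"><Info>Constructed example appliance</Info></VirtualSystem>
</Envelope>"""

FILES = {
    "appliance.ovf": DESCRIPTOR.encode(),
    "appliance-disk1.vmdk": b"fake vmdk disk content",   # 22 bytes, stands in for a disk image
    "appliance-config.iso": b"fake iso9660 data",        # 17 bytes
}


def build_manifest(files, algorithm="SHA256"):
    """Produce manifest lines in the OVF form 'ALGORITHM(filename)= hexdigest'."""
    lines = []
    for name, data in files.items():
        digest = hashlib.new(algorithm.lower(), data).hexdigest()
        lines.append(f"{algorithm}({name})= {digest}")
    return "\n".join(lines) + "\n"


def parse_manifest(text):
    """Map filename -> (algorithm, expected hex digest)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        algorithm, rest = line.split("(", 1)
        name, digest = rest.split(")=", 1)
        entries[name] = (algorithm.strip(), digest.strip())
    return entries


def verify_package(descriptor_name, files, manifest_text):
    """Check every file the descriptor references: present, declared size, listed in the
    manifest, digest matches. Returns the list of problems; empty means the package is intact."""
    problems = []
    entries = parse_manifest(manifest_text)
    root = ET.fromstring(files[descriptor_name])
    referenced = [descriptor_name]   # the descriptor itself must also be covered
    for element in root.findall("ovf:References/ovf:File", OVF_NS):
        href = element.get(OVF_ATTR + "href")
        size = element.get(OVF_ATTR + "size")
        if href not in files:
            problems.append(f"{href}: referenced but missing")
            continue
        if size is not None and int(size) != len(files[href]):
            problems.append(f"{href}: size mismatch")
        referenced.append(href)
    for name in referenced:
        entry = entries.get(name)
        if entry is None:
            problems.append(f"{name}: not in manifest")
            continue
        algorithm, expected = entry
        try:
            actual = hashlib.new(algorithm.lower(), files[name]).hexdigest()
        except ValueError:
            problems.append(f"{name}: unsupported digest algorithm {algorithm}")
            continue
        if actual != expected:
            problems.append(f"{name}: digest mismatch")
    return problems


def demo():
    """Verify the intact package, then the same package with one altered disk image."""
    manifest = build_manifest(FILES)
    intact = verify_package("appliance.ovf", FILES, manifest)
    tampered = dict(FILES)
    tampered["appliance-disk1.vmdk"] = b"fake vmdk disk CONTENT"   # same length, altered bytes
    return intact, verify_package("appliance.ovf", tampered, manifest)


if __name__ == "__main__":
    print(demo())
```

The size check alone would not catch the altered disk (same length); only the digest does, which is why an importer that skips the manifest when it is present gives away the integrity guarantee the format offers.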
8.7 OpenStack

Name: OpenStack Open Source Cloud Computing Software
Organisation: OpenStack Foundation
Openness: Partly open. Development: new software functionalities are discussed between OpenStack Foundation experts. Availability: documents and source code are freely available to download from the OpenStack website.
Use cases: UC3 Migrate/Integrate: The use of OpenStack systems by a user simplifies the move to the cloud (provided that the provider uses it as well). UC4 Operate/Manage: During the life of the service, the OpenStack dashboard allows the management of cloud resources by the user. UC5 Monitor: The OpenStack dashboard can also be used to monitor the usage of cloud resources. UC7 Exit/Migrate: OpenStack systems facilitate portability between cloud implementations that support the specification.
Technology: Facilities and IaaS. Looking at the OpenStack components, network, hardware and hypervisor are mainly covered by the software.
Certification: The use of an OpenStack-compatible system is voluntary and there is no body responsible to accredit in any way that a system is compliant with it.
Adoption: Widely. Hundreds of companies have joined the OpenStack project.
Description: OpenStack is free open source software committed to an open design and development process. The mission of the project is to enable any organization to create and offer cloud computing services running on standard hardware. OpenStack has the following components: compute, object storage, image service, identity, dashboard, networking, block storage, metering, and orchestration & service definition.

8.8 CAMP

Name: Cloud Application Management for Platforms (CAMP)
Organisation: CloudBees, Cloudsoft, Huawei, Oracle, Rackspace, Red Hat, and Software AG
Openness: Partly open. Development: the specification has been created by the organisations mentioned above. Availability: the document is freely available to download from the CAMP website.
Use cases: UC3 Migrate/Integrate: CAMP provides users with artifacts and APIs to manage the provision of resources of their PaaS provider. UC4 Operate/Manage: During the life of the service, CAMP supports the modification of PaaS resources, according to user needs. UC5 Monitor: The CAMP specification can be used to supervise the use of PaaS resources during the operation of the service. UC7 Exit/Migrate: CAMP facilitates portability between cloud implementations that support the specification.
Technology: PaaS. CAMP focuses on managing the PaaS elements of the infrastructure.
Certification: The CAMP specification is voluntary and there is no body responsible to accredit in any way that a service is compliant with it.
Adoption: Limited. Parts of the specification are under development by OASIS and no public adherence has been shown apart from the authors.
Description: The main objective of the CAMP specification is to leverage similarities between different PaaS offerings (using languages such as Java, Python and Ruby and frameworks such as Spring and Rails) and to produce a generic application and platform management API that is language, framework, and platform neutral. The specification includes the artifacts and APIs that need to be offered by a PaaS cloud to manage the building, running, administration, monitoring and patching of applications in the cloud, contributing to the interoperability among self-service interfaces to PaaS clouds.

8.9 CIMI

Name: Cloud Infrastructure Management Interface (CIMI) Model and RESTful HTTP-based Protocol. An interface for managing cloud infrastructure.
Organisation: Distributed Management Task Force, Inc. (DMTF)
Openness: Open. Development: the standard is discussed by DMTF Cloud Management Working Group experts. Availability: the document is freely available to download from the DMTF website.
Use cases: UC3 Migrate/Integrate: CIMI provides users with an interface to manage the provision of resources of their IaaS provider. UC4 Operate/Manage: During the life of the service, CIMI supports the modification of IaaS resources, according to user needs. UC7 Exit/Migrate: CIMI facilitates portability between cloud implementations that support the specification.
Technology: IaaS. CIMI proposes an interface to manage infrastructure resources.
Certification: The CIMI standard is voluntary and there is no body responsible to accredit in any way that a service is compliant with it.
Adoption: Limited. Tens of companies have publicly shown their support for CIMI since it was published in August.
Description: CIMI defines a logical model for the management of resources within the Infrastructure as a Service domain. With this purpose, the basic resources of IaaS (machines, storage, and networks) are modelled using a Representational State Transfer (REST)-style protocol over HTTP (which could be mapped to other protocols). Requests are sent using an HTTP verb (PUT, GET, DELETE, etc.) and include a message body in either JSON or XML format. Open Virtualization Format (OVF) specification support in CIMI allows an OVF package to be used to create CIMI management resources by importing the package. CIMI addresses the management of the lifecycle of the infrastructure provided by a provider.

8.10 ODCA SUoM

Name: Standard Units of Measure for IaaS
docs?download=458:standard_units_of_measure
Organisation: Open Data Center Alliance (ODCA)
Openness: Partly open. Development: the standard is discussed by ODCA experts. Availability: the document is freely available to download from the ODCA website.
Use cases: UC2 Agree contract / Service Level Agreement (SLA): SUoM is usable within a service catalogue prior to service delivery, as a definition of the expected service capabilities while services are in use, and as a billing reference after consumption. UC5 Monitor: Through the use of SUoM, customers will be able to monitor the usage of the resources agreed with the cloud provider.
Technology: IaaS. The document includes units of measure for elements under the IaaS model.
Certification: The Standard Units of Measure for IaaS standard is voluntary and there is no body responsible to accredit in any way that a service is compliant with it.
Adoption: Limited. Tens of organisations adhering to ODCA adhere to this document.
Description: SUoM describes quantitative and qualitative attributes of services to enable easier, more precise comparison and discovery in the marketplace. The objective is to provide a way to compare services from competing providers of cloud services, as well as with the customer's own internal capabilities. Such a comparison could be either quantitative on a like-for-like basis (e.g., quantity of consumption, period of usage, etc.) or qualitative on a set of service assurance attributes (e.g., degree of elasticity, degree of service level, etc.).

8.11 SCAP

Name: Security Content Automation Protocol (SCAP)
Organisation: National Institute of Standards and Technology (NIST)
Openness: Partly open. Development: the standard is discussed by the NIST community. Availability: the document is freely available to download from the NIST website.
Use cases: UC5 Monitor: Using SCAP, users can monitor security flaws and evaluations of the infrastructure. Since a common language is used, both sides can understand what has been detected in the infrastructure.
Technology: Facilities, IaaS, PaaS, and SaaS. The document aims to make the interchange of security information between parties easier, at all levels with potential vulnerabilities, i.e. all the layers in the cloud model except organisation.
Certification: NIST provides an SCAP Content Validation Tool that organizations can use to help validate the correctness of their SCAP content.
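Added example (not from the report or from NIST) of what the SCAP "common language" looks like when a customer consumes a provider's scan output: the code parses a constructed XCCDF 1.2 TestResult as a SCAP-capable scanner emits it, counts results per rule, lists the failed rules with their CCE identifiers, and computes CVSS v2 base scores from vector strings so that findings from both sides can be prioritised on the same scale. The XCCDF namespace and element names are those of the XCCDF 1.2 specification and the CVSS v2 base equations are those of the published standard; the host name, rule identifiers, CCE numbers, CPE name and score value are invented for this example.

```python
import xml.etree.ElementTree as ET

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Constructed XCCDF 1.2 TestResult; target, rule ids, CCE numbers and score are invented.
SAMPLE_RESULT = """<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2"
    id="xccdf_org.example_testresult_web01"
    start-time="2013-05-01T10:00:00" end-time="2013-05-01T10:02:00">
  <target>web01.example.internal</target>
  <target-facts>
    <fact name="urn:xccdf:fact:asset:identifier:cpe" type="string">cpe:/o:example:linux:1.0</fact>
  </target-facts>
  <rule-result idref="xccdf_org.example_rule_sshd_no_root_login" time="2013-05-01T10:01:00">
    <result>fail</result><ident system="http://cce.mitre.org">CCE-00000-1</ident>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_firewall_enabled" time="2013-05-01T10:01:10">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_audit_logging" time="2013-05-01T10:01:20">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_org.example_rule_password_max_days" time="2013-05-01T10:01:30">
    <result>fail</result><ident system="http://cce.mitre.org">CCE-00000-2</ident>
  </rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100.0">66.67</score>
</TestResult>"""


def summarise_test_result(xml_text):
    """Reduce a TestResult to what a customer reviews: target, result counts,
    failed rules with the configuration identifiers (CCE) they map to, and the score."""
    root = ET.fromstring(xml_text)
    counts = {}
    failed = []
    for rule_result in root.findall("x:rule-result", XCCDF_NS):
        result = rule_result.findtext("x:result", namespaces=XCCDF_NS)
        counts[result] = counts.get(result, 0) + 1
        if result == "fail":
            idents = [i.text for i in rule_result.findall("x:ident", XCCDF_NS)]
            failed.append((rule_result.get("idref"), idents))
    return {
        "target": root.findtext("x:target", namespaces=XCCDF_NS),
        "counts": counts,
        "failed": failed,
        "score": float(root.findtext("x:score", namespaces=XCCDF_NS)),
    }


# CVSS v2 base metric weights (access vector, access complexity, authentication, C/I/A impact).
CVSS2 = {
    "AV": {"L": 0.395, "A": 0.646, "N": 1.0},
    "AC": {"H": 0.35, "M": 0.61, "L": 0.71},
    "Au": {"M": 0.45, "S": 0.56, "N": 0.704},
    "C": {"N": 0.0, "P": 0.275, "C": 0.660},
    "I": {"N": 0.0, "P": 0.275, "C": 0.660},
    "A": {"N": 0.0, "P": 0.275, "C": 0.660},
}


def cvss2_base_score(vector):
    """CVSS v2 base score for a vector such as 'AV:N/AC:M/Au:N/C:P/I:P/A:P'."""
    metrics = dict(part.split(":") for part in vector.split("/"))
    c, i, a = (CVSS2[k][metrics[k]] for k in ("C", "I", "A"))
    impact = 10.41 * (1 - (1 - c) * (1 - i) * (1 - a))
    exploitability = 20 * CVSS2["AV"][metrics["AV"]] * CVSS2["AC"][metrics["AC"]] * CVSS2["Au"][metrics["Au"]]
    f_impact = 0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


if __name__ == "__main__":
    print(summarise_test_result(SAMPLE_RESULT))
    print(cvss2_base_score("AV:N/AC:M/Au:N/C:P/I:P/A:P"))
```

Because the rule identifiers, CCE numbers and CVSS vectors are standardised, the same summary function works on output from any SCAP-validated scanner, which is the interoperability gain the entry describes under UC5.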
Adoption: Globally. Some pieces of SCAP are globally adopted, such as CVSS or CVE, while the rest should be considered of limited use (CPE, CCE). In fact, there are 43 content-producer products that have been validated to be SCAP-compliant, corresponding to the main vulnerability assessment vendors, so hundreds of thousands of companies are consuming SCAP-compliant information.
Description: SCAP is a suite of specifications that standardize the format and nomenclature by which software flaw and security configuration information is communicated, both to machines and humans. SCAP is a multi-purpose framework of specifications that support automated configuration, vulnerability and patch checking, technical control activities, and security measurement. SCAP v1.2 is comprised of eleven component specifications:
- Languages: Extensible Configuration Checklist Description Format (XCCDF), Open Vulnerability and Assessment Language (OVAL), and Open Checklist Interactive Language (OCIL).
- Reporting formats: Asset Reporting Format (ARF) and Asset Identification.
- Enumerations: Common Platform Enumeration (CPE), Common Configuration Enumeration (CCE), and Common Vulnerabilities and Exposures (CVE).
- Measurement and scoring systems: Common Vulnerability Scoring System (CVSS) and Common Configuration Scoring System (CCSS).
- Integrity: Trust Model for Security Automation Data (TMSAD).

8.12 CSA CCM

Name: Cloud Controls Matrix v1.3 (CCM)
Organisation: Cloud Security Alliance (CSA)
Openness: Open. Development: the standard is discussed by CSA experts. Availability: the document is freely available to download from the CSA website.
Use cases: UC1 Select cloud service: Users can include being CCM compliant as a prerequisite for selecting a provider. To use it, the CCM requirements have to be relevant for the specific service the user wants to move to the cloud. UC6 Audit/Inspect: If users want their provider to be audited, they can ask for certification of compliance with CCM by a third party using the Open Certification Framework.
Technology: Facilities and Organisation. Requirements included in the CCM are set in a generic way, i.e. although they affect every layer of the infrastructure, they are not specific to any layer.
Certification: Compliance with CCM can be shown in two ways: self-assessment by the provider, publishing how it complies using the Consensus Assessments Initiative Questionnaire (CAIQ) and the public Security, Trust & Assurance Registry (STAR); or certification by a third party via the CSA Open Certification Framework.
Adoption: Limited. Tens of organizations have shown to be using it (according to STAR, adopted by 22 cloud service providers). Besides, it is widely mentioned by security industry practitioners.
Description: CCM customizes general security controls collected by other standards (ISO 27002, ISACA COBIT, PCI, NIST) for cloud computing services. CCM is a control framework aligned with the CSA guidance in 13 domains that provides security principles to guide cloud vendors and is part of the CSA Governance, Risk Management and Compliance (GRC) Stack. The Open Certification Framework is a program that seeks an incremental cloud provider certification according to the CSA's security guidance and control objectives. The framework suggests three levels, each one offering an additional layer of trust, from a self-assessment by the provider itself, through an assessment by a third party (at this moment, CSA and BSI have signed an agreement), to continuous monitoring, which is under development at this moment.

8.13 EuroCloud Star Audit

Name: EuroCloud Star Audit
Organisation: EuroCloud Deutschland eco e.V.
Openness: Not open. Development: elaborated by EuroCloud Deutschland experts. Availability: it is not available for download from the EuroCloud website; neither is it available for purchase.
Use cases: UC1 Select cloud service: Users can include a Star Audit certification as a prerequisite for selecting a provider. Users can choose between the three different certifiable levels: one, two or three stars. UC6 Audit/Inspect: If users want their provider to be audited, they can ask for the certification to be kept, assuring that the provider is audited every year against EuroCloud criteria.
Technology: SaaS, Facilities and Organisation. Although the detailed requirements are not public, Star Audit is focused on the SaaS layer. Nevertheless it has a certification adaptation for the infrastructure (named SaaS Ready certification) which includes requirements for the facilities that support the SaaS provision and the organisation itself.
25 Description 8.14 EuroPriSe Certification by eco IT Service und Beratung GmbH auditors Limited Less than ten services have been certified using this scheme. SaaS Star Audit considers different grades for certification, similar to hotel stars (from 1 to 5), although certifications are given only from 3 stars for SaaS services. There are three modalities of certification that could be summarized in the following way: Star Audit SaaS certification = Star Audit SaaS Ready certification (infrastructure) + Star Audit SaaS App certification (application) Criteria included in EuroCloud certification are: Contract and ; Security; Operations and infrastructure; Operational processes; Application; and Implementation. EuroPriSe European Privacy Seal Unabhängiges Landeszentrum fuer Datenschutz Scheswig-Holstein (ULD) Partly open: Development Certification criteria was developed by members of European project that started the programme Availability Criteria are freely available to download from EuroPrise website UC1. Select Cloud Service Users that wanted to assure that providers comply with European privacy regulations can include holding an EuroPrise certification as a pre-requisite for selecting a provider. UC6. Audit/Inspect If users desire her provider of European privacy regulation be audited, she could ask him for keeping the certification, assuring that provider is audited every year against EuroPrise criteria. Facilities and. Requirements included in the EuroPriSe Criteria are set in a generic way, i.e. although they affect every layer of the infrastructure, they are not specific for any layer. Certification by ULD Limited Twelve (12) valid seals at this moment
26 Description 8.15 ISO Description EuroPrise offers a European privacy certificate scheme for IT products and IT-based services. Manufacturers and vendors of IT products and IT-based services can apply for the European certificate. It is awarded after successful evaluation of the product or service by independent experts (142 registered) and a validation of the evaluation report by an impartial certification body. EuroPrise Criteria are divided into the following four sets: Overview on fundamental issues; Legitimacy of data processing; Technical-al measures; and Data subjects rights. Information technology Security techniques Information security management systems - Requirements International Organization for Standardization (ISO) / International Electrotechnical Commission (IEC) Partly open: Development of standard is discussed only by ISO/IEC. Availability: Document is available for purchase from the ISO online store. UC1. Select Cloud Service Users can include ISO/IEC certification as a pre-requisite for selecting a provider. UC6. Audit/Inspect Although ISO/IEC certifies providers with an Security Information Management System not a security level, standard audits could serve the user to know that a third party annually reviews provider s security procedures. Facilities and This standard as a definition of an ISMS certifiable framework, applies to all the elements relatives to the management of information security in the provider side, but it does not include any specific requirements for cloud services.. Standard is certifiable by accredited certification entities Globally Thousands of companies are certified against this standard (7.940 according to which cannot be consider a complete register) ISO/IEC 27001:2005 set the principles to define, develop and operate an Information Security Management System (ISMS) that could be certified afterwards for an accreditation body. 
It is based on the PDCA (plan-do-check-act) model fostering continuous improvement of information security, but it does not prescribe neither obliges to any kind of specific or security measures.
27 ITIL Description 3 Information Technology Infrastructure Library United Kingdom s Cabinet Office. Partly open: Development of standard is discussed only by Cabinet Office. Availability: Document is available for purchase from the Best Management Practice online store. UC1. Select Cloud Service Users can include ISO/IEC certification as a pre-requisite for selecting a provider. UC6. Audit/Inspect ISO/IEC certifies providers service management practices, so standard audits could serve the user to know that a third party annually reviews provider s those practices against the standard scheme.. Due to the focus of this framework on service management, it has been considered that the element of the cloud model more affected by it is the organization one. Certification could by achieved against ISO/IEC 20000:2 (IT Service Management Certification Scheme). Widely Hundreds of companies are certified against ISO/IEC 2000 (713 according to which cannot be consider a complete register) ITIL is a set of practices for IT service management (ITSM) that focuses on aligning IT services with the needs of business. ITIL describes processes, procedures, tasks and checklists that could be used by a service provider for establishing integration with the organization s strategy. It allows the organization to establish a baseline from which it can plan, implement, and measure. ITIL 2011 has five core publications: ITIL Service Strategy ITIL Service Design ITIL Service Transition ITIL Service Operation ITIL Continual Service Improvement 3 Based on Wikipedia definition,
28 SOC 215 Description Service Organization Control Reports AICPA American Institute of Certified Public Accountants CICA Canadian Institute of Chartered Accountants Partly open: Development Elaborated by AICPA/CICA experts Availability Basic documents are freely available to download from AICPA and Webtrust.org websites; more specific ones have to be purchased. UC1. Select Cloud Service Use of SOC report (specially SOC2/SOCE types) allows providers to show with a predefined set of requirements defined by AICPA/CICA. Users can ask for a SOC report of the service she would like to use as a pre-requisite for selecting a provider. UC6. Audit/Inspect SOC reports are issued for a valid period of time, so if users ask for the reports periodically, provider is audited continously against security criteria by a CPA. Facilities and. Requirements included in the Trust Services Principles, Criteria, and Illustrations are set in a generic way, i.e. although they affect every layer of the infrastructure, they are not specific for any layer. SOC reports can be issued by independent Certified Public Accountants (CPAs) acting according to AICPA/CICA standards. Widely adopted Hundreds of companies have been audited against this type of reports (previously known as SAS70 reports). SOC reports are internal control reports on the service provided by a service organization providing information that users need to assess the risks. These reports are the successors of famous SAS70 ones. These reports provides with an independent evaluation of the effectiveness of controls that address operations and. In fact, there are three reporting options: SOC 1 (restricted use): Focus solely on controls at a service organization that are likely to be relevant to an audit of a user entity s financial statements. 
SOC 2 (generally restricted use): Uses the predefined criteria in Trust Services Principles, Criteria and Illustrations (security, availability, processing integrity, confidentiality and privacy) to provide a description of the service organization s system, auditor s tests of controls and results and auditor s opinion on that description. SOC 3 (general use with a public seal): Uses the mentioned criteria to only provide auditor s opinion on whether the system achieved the trust services criteria.
29 Tier Certification Description Data Center Site Infraestructure Tier Standard The Uptime Institute Not open: Development Elaborated and discussed by the Owners Advisory Committee (those organizations that have successfully achieved Tier Certification). Availability It is not available for download from Uptime Institute website; neither it is available for purchase. UC1. Select Cloud Service Use of Tier certification allows providers to show with a predefined set of requirements defined by Uptime Institute. Users can ask for a Tier certification of the data center she would like to use as a pre-requisite for selecting a provider. UC6. Audit/Inspect For selecting a data center, clients can ask for a Tier certification according to her requirements in order to assure that a third party (The Uptime Institute) has audited that data center according to the tier certification requirements. Facilities. The standard applies to the elements included in data centers: Hardware, housing and power/cooling. The Uptime Institute has retained the exclusive legal right to review, assess, and Certify data centers to the Institute s Tier Classification System. There are three steps: Design Certification Constructed Facility Certification Operational Sustainability Rating Widely adopted There are 269 data centers certified from Tier II to Tier IV (according to Uptime Institute website) 5 as Operational Sustainable 4 as Constructed Facilites 210 as Design Documents The standard is an objective basis for comparing the functionality, capacities, and relative cost of a particular site infrastructure design topology against others, or to compare group of sites.