Cloud and Critical Information Infrastructures

Transcription

1 Cloud and Critical Information Infrastructures Cloud computing in ENISA Dr. Evangelos Ouzounis Head of Infrastructure & Services Unit

2 About ENISA The European Union Network and Information Security Agency Gives advice on information security issues to national authorities, EU institutions, businesses and citizens Acts as a forum for sharing good NIS practices Facilitates information exchange and collaboration Setup in 2004 new mandate till 2020 ENISA has an advisory role and focuses on prevention and preparedness 2

3 Challenges in the Cloud Security and resilience Compliance with regulatory requirements Data protection and privacy Loss of governance 3

4 ENISA and the EU Cloud Strategy EU should not only be cloud-friendly, but also cloud -active The strategic plan of the EC to enable and facilitate the adoption of cloud services in the public and private sector across the EU. Key Objectives: produce a list of standards that could apply to Cloud Computing create a contract/ SLA template for procuring cloud services establish a European Cloud Partnership Working groups: ETSI: Cloud Standards Coordination The cloud security working group on Certification schemes The cloud security working group on Code of Conduct The cloud security working group on SLAs European Cloud Partnership 4

5 Proposed NIS Directive and Incident Reporting 4 4 Market operator or public administration 3 4 Competent national authority 2 5 Security measures Notifying Early warning Informing Summary reporting 1 Proposed by the EC in February 2013 Our focus: Article 14 on security requirements and notifications Public Cooperation network of competent authorities ENISA report: Incident Reporting for Cloud Computing 5

6 ENISA supporting EC policies European Cloud Partnership Participating in working groups Governmental clouds Cloud Computing Certification Risk assessment for SMEs NIS Directive proposal Critical Clouds (2013) Incident Reporting for Cloud Computing 6

7 Supporting the ECP ETSI standardization working group Cloud Standards coordination List of existing cloud standards EC Certification SIG Mapping of existing voluntary certification schemes Common voluntary certification framework SLA SIG Support the SIG activities 7

8 Certification in the Cloud EC Certification Selected Industry Group (SIG) List of certification schemes relevant for cloud Cloud specific schemes? Or cloud relevant schemes? Mapping of cert. schemes against SIG principles One meta-framework for all (ENISA 2014) Information security domains Control objectives organized in sophistication levels (maturity model) 8

9 Cloud Certification Mockup Cloud Certification List site description 9

10 Governmental clouds Support the EU Cloud Strategy to facilitate the take up of cloud services by the public sector in the EU Is this critical? Example: The UK G-Cloud "framework", worth up to 60 million will operate for an initial six-month period, after which successful applicants will be able to sell a range of tools the government expects will include , word processing, hosting, ERP, records management, CRM and other office productivity software Overview of governmental clouds across the EU Good practices of gov cloud implementations Set of recommendations on which aspects the governmental bodies should take into account when setting up a cloud. ENISA report: Securing governmental clouds 10

11 Critical cloud computing CIIP perspective: Preventing large failures and large cyber attacks. IT IT IT IT IT IT IT Kroes (2010): cloud computing may indeed become one of the backbones of our digital future ENISA report:

12 Incident Reporting for Cloud Computing Cloud Provider Cloud Provider Criticality of Cloud Services R1 R1 Incidents in scope Critical Infrastructure Critical Infrastructure Large user SME User User Suggested Framework Templates R2 NCA* R3: Summary R1+R2 EU cooperation networks (NCAs, ENISA) ENISA report: Incident Reporting for Cloud Computing 12

13 ENISA Recommendations (1/2) National Risk Assessment Risk Assessment for Critical Clouds Risk assessment framework for SMEs Interconnections and interdependencies in the cloud backbone network Legislative background to support critical clouds Competent authorities network Public sector procurement process Minimum security requirements in different sophistication levels Security measures for gov cloud services Common security certification framework 13

14 ENISA Recommendations (2/2) Promote the definition of a regulatory framework to address the locality problem Compliance with EU data protection law Enhance privacy and data protection in the Cloud Support the development of a common SLA framework for EU Foster research on Cloud Computing security solutions Academia and research centres EU funded projects 14

15 ENISA Cloud Security and Resilience Experts Group 15

16 ENISA s cloud security work 2009 Cloud computing risk assessment 2009 Cloud security control framework 2011 Security and resilience for gov clouds 2011 Security parameters in gov cloud SLAs 2012 Procure secure 2013 Critical Cloud 2013 Incident reporting for cloud computing 2013 Guideline for Govclouds 2013 Cloud Certification (EU Cert SIG) 16

17 Contact us 17