ENISA and Cloud Security




Transcription:

ENISA and Cloud Security
Rossen Naydenov, Network Information Security Officer
Critical Information Infrastructure Protection Department - ENISA
European Union Agency for Network and Information Security

Agenda
- About ENISA
- Benefits of Cloud Computing
- Risks in Cloud Computing
- ENISA Activities in Cloud Security
- Summary

Positioning ENISA activities

What is Cloud Computing?
- Cloud computing is a business model
  - another way of providing services
  - using such a service is considered outsourcing
- Cloud computing is a deployment model
  - information processing in a shared environment
  - resources can be quickly scaled to meet changes in demand

Cloud Opportunities
- Economies of Scale
  - Better ROI
  - More efficient resource utilization also means cost savings
- Support innovation
  - Easier deployment of new services
  - Faster time to market
- High Resiliency
  - Better back up services
  - Better business continuity
- Standardised solutions
  - Better patch management
  - Better software update management
  - Portable and interoperable

Cloud Challenges
- Isolation Failures
  - One Cloud customer might be able to influence the resources of another (CPU, Memory)
  - ...or have access to another customer's data (data breach)
- Loss of Governance
  - Customer cedes some control to the provider (depending on the deployment model)
  - This also affects security
- Management GUI and API compromise
  - Identity and access management are particularly important
  - Full access to all resources (keys to many kingdoms)
- Data protection
  - The CSP usually becomes data processor in terms of DP legislation
  - Data processing in datacentres abroad can imply that certain DP requirements cannot be met in the Cloud

ENISA engages the community
- ENISA Cloud Security and Resilience experts group

ENISA's work in the area of Cloud
- 2009: Cloud computing risk assessment
- 2009: Cloud security Assurance framework
- 2012: Procure secure (Security in SLAs)
- 2013: Critical cloud computing
- 2013: Incident reporting for cloud computing
- 2013: Securely deploying GovClouds
- 2013: Support EU Cloud Strategy
- 2014: Cloud Certification Meta-Framework
- 2014: Procurement security in GovClouds
- 2015: Cloud Security guide for SMEs
- 2015: Cloud Opportunities And Risks in the Finance sector

http://www.enisa.europa.eu/activities/resilience-and-ciip/cloud-computing

Risk Assessment in the Cloud
- Famous 2009 Guide
- Updated in 2012
- Security Guide for SMEs 2015

Security guide for SMEs
- Small and medium size enterprises (SMEs) are an important driver for innovation and growth in the EU
- Cloud Computing is a means for innovation, but cloud is still a challenge for SMEs
- ENISA in this study presents:
  - 11 security opportunities (compared to legacy IT benefits)
  - 11 security risks (compared with legacy IT risks)
  - 12 security questions for the SME to ask the provider (in one security cheat sheet)
  - 2 comprehensive scenarios
  - Some legal advice

... and online tool
Where you can:
- rate your opportunities from cloud
- rate your risks
- produce a risks map
- get your security questions

Governmental Cloud reports (1/2)
- 2010: Guide on security and resilience for Governmental Clouds
  - Presentation of the security benefits and drawbacks for the public sector of going to the cloud
  - First steps that need to be taken towards the decision to go cloud
- 2013: Good practice guide on how to securely deploy Governmental Clouds
  - Definition of a governmental cloud (in a mature market)
  - State of cloud computing adoption in the EU public sector
  - Case studies of different approaches in adopting a cloud solution

Governmental Cloud reports (2/2)
- 2014: Security Framework for Governmental Clouds
  - 4 phases, 10 different steps and the specific actions to be taken in each one
  - 4 use case scenarios to find the solution that better fits each implementation

ENISA's Critical Cloud Study
- First assessment of CIIP aspects of Cloud computing
- Illustrates dependencies and provides examples for failures
- Provides recommendations for Cloud security governance from the CIIP perspective
- Conclusions can be applied to Governmental Cloud usage

Incident Reporting for Cloud Computing
- Cloud computing incidents could have major impact.
- Large scale incidents should be reported to improve trust.
- Public sector and industry should agree on scope and thresholds of reporting.
- ENISA suggests a model for incident reporting of cloud incidents involving CSPs and regulators.

ENISA in the area of Cloud Certification
- Strategic objective of EC Strategy: List of voluntary certification schemes
- Cloud Certification Schemes List (CCSL):
  - List of existing certification schemes
  - 13 Certification schemes included
  - Powered by ENISA, supported by the EC and the Cloud Selected Industry Group (C-SIG)
- Cloud Certification Schemes Metaframework (CCSM):
  - Meta-framework based on existing certification schemes
  - Mapping detailed ICT security requirements of the public sector in the EU (11 countries and more will come)
  - Matrix with results to be used for procurement

Visit: https://resilience.enisa.europa.eu/cloud-computing-certification

Cloud in the Critical Sectors
- Critical Clouds
- Cloud Computing in the Finance Sector
- Cloud supporting Health care systems and services
- Cloud supporting eGovernment

Good Practices for the use of Cloud Computing in the area of Finance Sector
- Identification of critical challenges to cloud computing adoption in the Finance sector
- Assess legal and regulatory context (challenges and opportunities) in all member states
- Support industry and understand their uptake: why do some use and some don't use cloud
- Propose recommendations

Big Data Security Challenges
- One of the key functionalities of great interest for Cloud computing
- Big Data adoption is now booming, however:
  - BD infrastructure is not secure by default
  - Encryption might not be a practical option in real time systems
  - Accountability, Authentication, Auditing and Logging are rarely implemented (again for performance reasons)
- ENISA is doing a study on Big Data to help identify security challenges and provide good practices

Summary
- ENISA's Objectives
  - Address Industry's Security concerns
  - Improve security baseline levels
  - Rationalise Compliance costs
  - Harmonise Security Objectives
- Where you can help
  - Provide insights on the key information security challenges you face
  - Contribute information to work in progress
  - Raise questions on current regulations

Thank you!
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
info@enisa.europa.eu
www.enisa.europa.eu