ENISA and Cloud Security
Dimitra Liveri, NIS Expert
EuroCloud Forum 2015, Barcelona, 07-10-2015
European Union Agency for Network and Information Security

Positioning ENISA activities
[Diagram labels: HANDS ON, POLICY IMPLEMENTATION, MOBILISING COMMUNITIES, RECOMMENDATIONS]

Agenda
- ENISA Activities in Cloud Security
- ENISA tools
- Risk Assessment for SMEs
- Cloud Certification Schemes List
- Next steps

Differences in Requirements for Governments vs. Companies
Private Sector
- Difference depending on the scale, i.e. large companies and SMEs
- Investment from cost perspective
Public Sector
- Legacy Data
- Legacy Applications
- Legacy Processes
- Special information assurance requirements
NEEDS MORE TIME TO ADOPT
EASIER TO MAKE THE RIGHT DECISION

ENISA's work in the area of Cloud
- 2009 Cloud computing risk assessment
- 2009 Cloud security Assurance framework
- 2012 Procure secure (Security in SLAs)
- 2013 Critical cloud computing
- 2013 Incident reporting for cloud computing
- 2013 Securely deploying GovClouds
- 2013 Support EU Cloud Strategy
- 2014 Cloud Certification Meta-Framework
- 2014 Procurement security in GovClouds
- 2015 Cloud Security guide for SMEs
http://www.enisa.europa.eu/activities/resilience-and-ciip/cloud-computing

ENISA engages the community
ENISA Cloud Security and Resilience experts group

Cloud Computing Risk Assessment
Addressed to: public sector, private sector (large companies and SMEs), governmental agencies

Risk Assessment in the Cloud
- Famous 2009 Guide
- Updated in 2012
- Security Guide for SMEs 2015

Security guide for SMEs
Small and medium size enterprises (SMEs) are an important driver for innovation and growth in the EU. Cloud Computing is a means for innovation, but cloud is still a challenge for SMEs.
ENISA in this study presents:
- 11 security opportunities (compared to legacy IT benefits)
- 11 security risks (compared with legacy IT risks)
- 12 security questions for the SME to ask the provider (in one security cheat sheet)
- 2 comprehensive scenarios
- Some legal advice

and online tool
Where you can:
- rate your opportunities from cloud
- rate your risks
- produce a risks map
- get your security questions

Cloud Certification
Addressed to: private sector - large companies and SMEs (public sector and governmental agencies in some cases)

The EU Cloud Strategy
EU should not only be cloud-friendly, but also cloud active
The European Commission's strategy "Unleashing the potential of cloud computing in Europe": Adopted on 27 September 2012, it is designed to speed up and increase the use of cloud computing across the economy
- Cutting through the jungle of technical standards
- Development of model safe and fair contract terms and conditions
- A European Cloud Partnership to drive innovation and growth from the public sector
"I am pleased that ETSI launched and steered the Cloud Standards Coordination (CSC) initiative in a fully transparent and open way for all stakeholders. ...ensuring technical security requirements are mapped onto certification, as ENISA is leading ... we officially launch the platform for public sector cooperation with this "Cloud for Europe" initiative. This is an enormous step forward."
Neelie Kroes, European Commissioner for the Digital Agenda, Oct 2013

ENISA realising the EU Cloud Strategy: Certification
Strategic objective of EC Strategy: List of voluntary certification schemes
Cloud Certification Schemes List (CCSL):
- List of existing certification schemes
- 13 Certification schemes included
- Powered by ENISA, supported by the EC and the Cloud Selected Industry Group (C-SIG)
Cloud Certification Schemes Meta-framework (CCSM):
- Meta-framework based on existing certification schemes
- Mapping detailed ICT security requirements of the public sector in the EU (11 countries and more will come)
- Matrix results to be used for procurement
Visit: https://resilience.enisa.europa.eu/cloud-computing-certification

How we draw CCSM

Next steps
Ex-post analysis of cloud incidents (early 2016)
- EU perspective on ex post analysis (forensics) for cloud incidents
- 8 countries (IT, ES, IE, NL, GR, FR, EE, UK): Academia, LEAs, Forensics Specialists, CERTs
- Challenges, procedures, tools, legal restrictions
ICT in e-health (2016)
- Challenges and opportunities of ICT deployments in ehealth (medical records, patient records etc.)
- Cloud computing use case in ehealth
- Big data use case in eHealth

Thank you and Welcome!
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
info@enisa.europa.eu
www.enisa.europa.eu