Certification in the EU Cloud Strategy

Authors: Marnix Dekker, Dimitra Liveri, European Union Network and Information Security Agency (ENISA)

Contact: For enquiries about this paper or ENISA's activities in the area of cloud security, send an email to: cloud.security@enisa.europa.eu

1 Introduction

In 2012 the EC issued a communication called "European strategy for Cloud computing: unleashing the power of cloud computing in Europe". One of the actions outlined there is to assist the development of EU-wide voluntary certification schemes and to make a list of such schemes. In the strategy ENISA is asked to support this work. As one of the first steps, the EC set up a group of experts from industry, called the Cloud Select Industry Group (C-SIG), with a number of working groups, among them one on certification, abbreviated as the CERT-SIG. For several months the CERT-SIG met and discussed the possible role of (voluntary) cloud certification schemes in the context of the European cloud computing strategy. The CERT-SIG derived a list of high-level criteria (for cloud certification schemes) and a first list of certification schemes. Under the European cloud computing strategy, and following the first results of the CERT-SIG, ENISA was asked to collect the results of the CERT-SIG and propose further steps.

In this paper we first introduce the context, by recalling the parts of the EC cloud strategy related to certification and by giving a brief overview of how existing information security certification schemes work (Section 2). We then summarize the results of the CERT-SIG (Section 3). Finally we give ENISA's perspective on the results so far and the challenges (Section 4). In Section 5 we propose two solutions and a timeline of next steps. We conclude with some general remarks and recommendations for the Steering Board of the European Cloud Partnership.

Page 1
2 Background

2.1 Certification in the European Cloud Strategy

In September 2012, the European Commission adopted a strategy for "Unleashing the Potential of Cloud Computing in Europe". The strategy outlines actions to deliver a net gain of 2.5 million new European jobs and an annual boost of EUR 160 billion to EU GDP (around 1%) by 2020. It is designed to speed up and increase the use of cloud computing across the economy. The strategy was the result of an analysis of the overall policy, regulatory and technology landscapes and of a wide consultation of stakeholders, undertaken to identify what needs to be done to make the most of the potential that the cloud has to offer.

The goal of the European Cloud Strategy is to stimulate the active adoption of cloud computing in Europe (by both the public and private sector) by providing a climate of certainty and trust. The key actions of the cloud strategy that are closely related to information security and certification are:

- Standardization and certification: ETSI is asked to produce a map of existing standards relevant for cloud computing. The EC will work with ENISA to support the development of EU-wide voluntary certification schemes and to make a list of such schemes by 2014.
- Cloud contract terms: The EC will develop model terms for cloud SLAs as well as a set of safe and fair contract terms for consumers and SMEs. The EC will also work with experts to develop a code of conduct for cloud providers regarding data protection, which will be submitted to the Article 29 Working Party for endorsement.
- European Cloud Partnership: The EC will set up a European Cloud Partnership, involving industry and the public sector, which will develop common procurement requirements adapted to European needs.

The strategy highlights the importance of public sector procurement: "The public sector has a strong role to play in shaping the cloud computing market. As the EU's largest buyer of IT services, it can set stringent requirements for features, performance, security, interoperability and data portability and compliance with technical requirements. It can also lay down requirements for certification."

In the strategy ENISA was asked to support the Commission in these activities, and in particular to work with the EC to support voluntary certification schemes and to establish a list of existing certification schemes.
2.2 Information security certification schemes

To provide the reader with some background on information security certification schemes, we first give a brief overview [1] of some existing certification schemes for information security management. We chose three examples to give an overview of the variety of existing information security certification schemes: ISO 27001, which is used globally in different sectors; PCI DSS, which is used by organizations processing payments with payment cards; and IT Grundschutz, a national scheme set up by the German BSI. These schemes are not cloud specific, but they are relevant examples of existing certification schemes in the area of network and information security.

For the sake of clarity we introduce two terms used in this document (see Figure 1).

Information security standard: a standard or specification of technical or organisational measures to protect the security of network and information systems.

Certification scheme: the information security standard together with the processes for auditing (or self-assessment), the subsequent certification of an organization and the expiry of the certification.

Figure 1: Terminology used in this document. A certification scheme consists of an information security standard plus the certification and audit processes built around it.

2.2.1 ISO 27001 certification scheme

The most well known and most widely used certification scheme is the ISO 27001 certification scheme for information security management systems. The underlying standard (ISO 27001) specifies requirements for implementing an information security management system (ISMS), as part of the organization's overall business risk management processes. ISO 27001 describes a set of high-level security objectives (aka control objectives). It is accompanied by the ISO 27002 standard [2], which describes more detailed security measures (aka security controls). In a way ISO 27001 is a taxonomy of the key controls, while the annex of ISO 27001 and the ISO 27002 standard provide detailed recommendations for the implementation of controls. The ISMS of an organization can be formally certified to be compliant with the ISO 27001 standard. This is commonly abbreviated as being ISO27K1 certified.

Figure 2: Overview of the ISO 27001 certification scheme. Parties shown: the EC / enterprise / industry side, the National Accreditation Body (which accredits Certification Bodies), IRCA (which certifies auditors), the Certification Bodies (which employ the auditors and certify each organization's ISMS).

It is good to make three remarks here:

[1] A more lengthy overview of such schemes can be found in a separate ENISA paper, which was produced for national telecom regulators, in the context of ENISA's work on supporting the EU countries in implementing Article 13a of the Framework directive.
[2] http://www.iso.org/iso/iso_catalogue/catalogue_tc/catalogue_detail.htm?csnumber=50297
- The ISO 27001 standard focuses on the risks for an organization using network and information systems. It may not be entirely appropriate to address the issue of whether or not an organization can be trusted to deliver IT services as a product for customers.
- The organization can choose the scope of the certification, which means in practice that an organization's ISO27K1 certificate might not cover all the organization's products or services. Sometimes the scope of a certification is publicly available, but not always.
- The organization can choose which controls it wants to implement and which risks it decides to accept. Being ISO27K1 certified does not mean that the security controls are always appropriate, but that there is a due process behind risk management and the selection of controls, and that the associated (residual) risks have been accepted by management.

In Figure 2 we depict the overall set-up of the ISO 27001 certification scheme. It works as follows. An organisation may be certified compliant with ISO 27001 by a number of Certification Bodies worldwide. Certification Bodies are accredited by a National Accreditation Body (NAB). For example, the NAB in the United Kingdom is UKAS [3]. The auditors auditing the ISMS have to be licensed/certified as ISMS Lead Auditor(s) by a NAB-accredited Certification Body or by the International Register of Certificated Auditors (IRCA) [4].

2.2.2 Payment Card Industry Data Security Standard (PCI DSS) certification

Another well-known certification scheme is PCI DSS. PCI DSS is governed and operated by the payment card brands. It is mandatory for organisations that store, process or transmit cardholder data (for these brands). The PCI Security Standards Council also gives guidance to software developers and manufacturers of applications and devices used in payment transactions (through the related PA-DSS program for payment applications). The overall process is overseen by the PCI Security Standards Council (PCI SSC). The scheme is depicted in Figure 3. Each payment card brand has its own program for compliance with PCI DSS.
Merchants and service providers must prove compliance and report their compliance status annually to the payment card brand(s) they work with. So while the PCI Security Standards Council sets the standards, merchants and service providers participating in certain payment schemes have to comply with the requirements of their partners. Enforcement of compliance with PCI DSS and determination of any non-compliance penalties are carried out by the individual payment card brands and not by the PCI Security Standards Council. Operational issues regarding compliance by involved entities are directed to the payment brands themselves. Figure 3 shows the overall set-up of PCI DSS.

Figure 3: Overview of PCI DSS certification. The PCI SSC issues the PCI DSS and the auditing standards for Qualified Security Assessors (QSAs) and Approved Scanning Vendors (ASVs), and certifies and periodically audits QSAs and ASVs for adequacy. A QSA audits the organization and an ASV scans it; the organization reports its compliance (audits and scans) to the payment card brand(s) (Mastercard, Visa, etc.), which enforce compliance.

[3] http://www.ukas.com/default.asp
[4] http://www.irca.org
2.2.3 IT Grundschutz certification

As a last example we discuss a certification scheme set up by the German government, to be precise by the Federal Office for Information Security (BSI): the IT Grundschutz certification. IT Grundschutz (German for IT baseline protection) provides a framework and a list of basic information security requirements. The BSI Standards contain recommendations on methods, processes, procedures, approaches and measures relating to information security; in short, they are a set of recommended security measures for IT systems. The purpose of these standards is to provide a baseline of security which is reasonable and adequate to satisfy basic security requirements. The standards are not meant to be used for higher security requirements. BSI standards are implemented on a voluntary basis, and certification to the IT Grundschutz standards is optional as well. Numerous companies and public agencies use the IT-Grundschutz Catalogues as the basis for their security measures.

An IT Grundschutz certification involves auditing of the information security management system as well as auditing of the specific information security measures on the basis of IT-Grundschutz. Auditors are licensed by the BSI, and the BSI organizes periodic trainings for auditors. An IT Grundschutz certification always includes an official ISO 27001 certification but, due to some additionally audited technical aspects, it is more comprehensive. In fact IT Grundschutz can be considered to be more detailed and more prescriptive than ISO 27001.

Figure 4: Overview of IT Grundschutz certification. The Federal German Government defines the role of the BSI; the BSI defines the BSI Standards (BSI 100-1, 100-2, 100-3, 100-4), acts as certification authority, licenses auditors (accreditation) and checks the audit outcome; the provider implements the standards.
3 CERT-SIG results

Last year the EC set up a group of experts from industry [5], called the Cloud Select Industry Group, which consists of three subgroups: one working group focuses on SLAs for cloud computing, one focuses on data protection in cloud computing, and one focuses on certification for cloud computing; we call the latter CERT-SIG in this document. The focus of the CERT-SIG is to discuss the possible role of (voluntary) cloud certification schemes in the context of the cloud computing strategy. In the first meeting of the CERT-SIG it was decided that the scope would be security as well as data protection [6]. In the first months of 2013 the CERT-SIG produced the following results, which were presented at the CERT-SIG meeting of May 29th 2013: a list of guiding principles for cloud certification schemes, a first list of existing certification schemes, and general recommendations for further steps. Below we summarize these results.

3.1 Guiding principles

The CERT-SIG produced a list of guiding principles, derived after discussion and a survey across a range of stakeholders selected by the members of the CERT-SIG. The main principles were selected from a long list of potential principles, using the ratings given by respondents to the survey. Certification schemes for cloud providers should:

- be customer-centric, i.e. address real user concerns, especially liability risk in the cloud;
- be industry-driven and voluntary, i.e. no mandatory schemes should be imposed;
- have a governance structure with a separation of duties, i.e. standard setting, accreditation and execution are carried out by separate organizations;
- provide for the possibility of self-attestation;
- be technology neutral, i.e. appropriate for all vendors, products, technologies and business models (closed source, open source, et cetera);
- be lean and affordable, i.e. appropriate also for small cloud providers (SMEs);
- be based as much as possible on global standards, to avoid duplication and ensure global compatibility of cloud services.

3.2 List of certification schemes

The CERT-SIG produced a list of existing certification schemes which could be relevant for cloud computing. We report the list below.

- ISO 27001/2
- ISO 20000 (ITIL)
- CSA Open Certification Framework (OCF)
- EuroCloud Star Audit
- SOC 1-2-3
- PCI DSS
- EuroPriSe
- FISMA
- Cloud Industry Forum Code of Practice
- ISACA COBIT
- Security Rating (Leet Security)
- TÜV certified

[5] The working groups under the Cloud Select Industry Group are open for participation for all interested stakeholders.
[6] The work of the subgroup on data protection will be taken into account for this aspect.

3.3 Recommendations from industry

The CERT-SIG issued several recommendations for the EC and the European Cloud Partnership about (voluntary) certification schemes. These recommendations were also presented to the European Cloud Partnership Steering Board at their second meeting on July 4th 2013 in Tallinn, Estonia. We report them below:

- Endorse coherent application of the guiding principles for cloud computing certification schemes in future policy making at EU level and by EU member states, most notably with respect to the review of the EU Data Protection Directive and the draft Network and Information Security Directive;
- Endorse improvement of existing data security standards and certification schemes to meet the specific requirements of cloud computing;
- Endorse development of a data protection standard and certification regime for cloud computing that is compatible with existing data security standards; the new data protection standard should be endorsed by the data protection authorities in the EU (Article 29 Working Party);
- Endorse creation of an EU-wide one-stop shop for data security and data protection certification schemes for cloud computing (through mutual recognition by EU member states);
- Endorse application of data security and data protection certification schemes for cloud computing in public procurement all over the EU.
4 ENISA's perspective

At the meeting of the CERT-SIG of May 29th 2013 it was concluded that ENISA would be invited to advance the first results of the CERT-SIG. In this section we make some remarks about the CERT-SIG results and we introduce two specific (hypothetical) scenarios to outline the problems to be addressed.

4.1 About the CERT-SIG results

First of all we would like to acknowledge the quick work by the EC and the industry experts in getting these first results. We believe it is very important to consult with the industry about the role of certification. At the same time we think it is important to better understand the needs of customers in this respect, in particular the public sector CIOs who are the first customers of the strategy, because the needs and views of the industry are usually not fully aligned with those of customers. Having said this, there are some more technical and more detailed remarks we would like to make about the CERT-SIG results.

Existing certification schemes: A number of the certification schemes listed by the CERT-SIG are not really certification schemes that could be used in a procurement scenario. For example PCI DSS, although a very interesting certification scheme, cannot be used as a cloud certification scheme, because PCI DSS is meant for providers processing payment card details and it applies only to those processes and systems supporting payments.

Subjective principles: Some of the principles listed by the CERT-SIG are rather subjective, for example the criteria "customer-centric" and "lean and affordable". It seems difficult to use these principles as objective criteria to assess or categorise certification schemes. It would be better to use more objective and technical criteria, which would allow customers to judge for themselves how customer-centric or lean and affordable a certification scheme is.
Principle: customer-centric, addressing real user concerns: Traditional information security standards (such as ISO 27001) provide a certain structure of security management processes, and certification asserts compliance with this structure. Overall such certifications could create more trust with customers. At the same time it should be noted that, despite the existence and widespread use of such schemes (see the widespread adoption and use of ISO 27001), customers still cite lack of trust as a key concern. Apparently customers have additional concerns not addressed by such high-level information security management standards. For example, the study commissioned by the EC [7] mentions accountability and liability of providers regarding security breaches and data protection, and cites data protection requirements and jurisdiction issues as common concerns. These issues are not always addressed by existing certification schemes [8]. This would suggest that certification schemes might need to be extended.

Principle: self-assessment and self-attestation: The possibility of self-attestation is listed by the CERT-SIG as a key principle. In practice this would mean that the underlying standard and, if needed, an auditing manual or self-assessment guide should be available (publicly or for purchase). In other words, for self-assessment to be a possibility the security standard underlying the certification should be open (public, or available against a fee) and sufficiently self-explanatory to allow a self-assessment. The possibility to do a self-assessment could be a way to make a certification scheme affordable for smaller companies, because no (expensive) third-party audits are necessary. Of course, this also means that the cost of purchasing the standards should be fairly limited, and significantly smaller than the yearly cost of audits; otherwise self-assessments would not be affordable either.

Principle: lean and affordable: Certification schemes should be lean and affordable also for smaller providers. This is important to allow innovation and to support new and smaller providers entering the market. As mentioned, the possibility to do a self-assessment and a subsequent self-attestation is one way of achieving this. Secondly, when a certification or standard prescribes specific technical security measures, the situation of smaller providers must be taken into account: it should be possible for them to use more lightweight security measures, appropriate for their situation and in particular for their information security risks.

High-level recommendations about data protection: Finally, the CERT-SIG also made more high-level recommendations. Two recommendations regard data protection (the one-stop shop, and data protection standards and certification). Data protection legislation is often mentioned as one of the key obstacles for customers in adopting cloud computing. The borderless nature of cloud computing puts the spotlight on the fact that there are different jurisdictions with different data protection laws. We note that there are hardly any standards or certification schemes that address the compliance needs of customers in this respect. Customers need to be compliant with data protection legislation and often (as data controllers) they have to perform due diligence on the services before they can start using them. To simplify matters, customers would like to have a certification scheme for cloud services which assures them that they will be compliant when using these services. The question is whether information security certification schemes can be extended to support this.

[7] http://ec.europa.eu/information_society/activities/cloudcomputing/docs/quantitative_estimates.pdf
[8] On the positive side, new certification initiatives seem to be focusing more on the core process of cloud providers (delivering a service to customers) and on the interface between provider and customer (SLAs, liability, division of responsibilities, et cetera).
There is a SIG working group focusing specifically on data protection, developing a code of conduct for providers. Pragmatically, the best approach seems to be for the CERT-SIG to focus now on the security controls which are currently contained in existing cloud certification schemes, and to use the results of the data protection subgroup later to derive auditable security controls.

4.2 About the challenges: two procurement scenarios

We sketch two simple hypothetical scenarios to better explain some of the issues mentioned in the cloud strategy. The first scenario is directly related to the goal of the cloud strategy: it looks at how certification can be used to improve the uptake of cloud computing in the private sector. The second scenario focuses on cloud computing procurement in the public sector. The cloud strategy underlines the role public procurement can play in improving the (secure) adoption of cloud computing also in the private sector.

4.2.1 Scenario 1: SME buying a cloud service

Let us take an SME which considers adopting a cloud service. John works at a small SME and he wants to use the cloud for email and document sharing, basically to bring down costs and reduce the work of maintaining servers on premise. John's CEO asks John to find a secure and resilient cloud service which is not too expensive. John is browsing different offers in the market. Trying to understand which service is more secure, John notices there are a number of different certification schemes that could be relevant. Some providers are ISO 27001 certified; some providers are certified as "CloudSecure", a new certification scheme from IberianCloud, an association that aims to improve trust in the cloud market in Spain and Portugal; and then there are also providers who are participating in the "CloudAssured" program of the CloudRobustness Consortium, an international organisation focusing on improving the security and resilience of cloud computing services. John is confused, and he has not even started to look at the brochures of these providers yet. How can John trust the security certifications of these providers? What does it mean that a provider is certified as CloudSecure? Is the CloudAssured certification comparable to CloudSecure, or is there an important difference?

4.2.2 Scenario 2: government organisation buying a cloud service

Now take two countries, Wonderland and Atlantis; both countries have similar but different public procurement security requirements [9]. A public procurement officer Alice, who works for the government of Wonderland, issues an RFP (request for proposal), asking vendors to offer a particular service. In Wonderland, government IT should be compliant with a list of requirements (called X). Alice adds these requirements to the RFP. A provider CloudAlpha, based in Wonderland, has just what Alice needs and makes an offer. Before accepting the offer Alice does a due diligence to assess that the security requirements X are met. After the deal is done Alice lists this service on a government intranet page under the heading "compliant cloud services". The idea is that other procurement officers in Wonderland can now procure the same service more quickly, without having to worry whether all government requirements are met.

In the country Atlantis, Bob is a procurement officer. In Atlantis the list of security requirements for public procurement is slightly different (called Y). Bob comes across the service of CloudAlpha, which looks interesting. CloudAlpha, at the same time, has been looking for an opportunity to expand its business and deliver also to government customers in other countries. How can Bob (somehow) reuse the work done by Alice and quickly assess whether or not the service of CloudAlpha is compliant with the list of security requirements Y, given that we know there is a lot of overlap between the public procurement security requirements of Wonderland and Atlantis?

Note that in scenario 2 we give one example of government procurement of cloud services, but it is good to stress that there are many different approaches to public procurement of cloud computing and many different types of governmental cloud programs. For example, in some countries the governmental cloud computing program involves a kind of pre-assessment of cloud providers, which allows providers to list their services in a catalogue after a quick cross-check of security requirements by the government organization supporting the cloud program.

[9] Most countries have national security requirements more or less similar to ISO 27001, but most countries also have specific detailed additional requirements, for example about the use of cryptography.
5 Solutions and timeline

In this section we look at how to address the problems described in the two scenarios of the previous section. First of all it is good to note a key difference between the two scenarios. In the first scenario the SME is not so much interested in all the detailed security requirements; the customer is more interested in the general set-up of the scheme: who audits, who sets the standard, et cetera. In the second scenario the customer has to fulfil detailed security requirements (set government-wide), so in this case the customer needs to know in detail which security requirements are covered by the certification scheme. To address these different needs we propose to develop two tools:

- List of certification schemes: It is important to list the existing certification schemes relevant for cloud computing customers, and to provide potential customers with an overview of objective characteristics per scheme, to help the customer understand how the scheme works and whether it is appropriate.
- Meta-framework of existing certification schemes: It is important to build a meta-framework of the detailed security requirements (aka controls) covered by the existing schemes, to provide more transparency to customers and to allow customers to map their detailed security requirements to the certification(s) of a provider.

5.1 List of certification schemes

Based on the preliminary work done by the CERT-SIG, and taking into account some of the issues we raised earlier, we made a list of detailed aspects which could be useful for customers to understand how a certification scheme works (for example, who is governing it, how quality is assured, and so on). From this list of aspects we created a questionnaire which could be filled in by the owners of a certification scheme or by experts familiar with the scheme. The full questionnaire is included in Annex A, together with the answers for ISO 27001 as an example. We also asked some members of the CERT-SIG to fill in this questionnaire for their certification schemes. Their answers are included in the annex as well: it covers the CSA OCF, the Leet Security rating, the EuroCloud Star Audit framework and the TÜV certified cloud service program.

5.2 Meta-framework of certification schemes

Next year, supporting the cloud strategy and as part of its annual work program, ENISA will work on creating a meta-framework of security measures for cloud providers. This meta-framework will be built from the detailed security measures in existing security standards and will allow a mapping between the relevant cloud certification schemes, and also between custom security requirements from customers and those schemes. The meta-framework will consist of:

- a set of domains, each containing several high-level security control objectives;
- per security objective, a detailed set of security measures, grouped in sophistication levels, creating in this way a maturity model [10].

The meta-framework will build on ENISA's experience in Article 13a, where such a framework was developed for the government authorities who supervise security in the telecom sector.

[10] The need for a maturity model was also highlighted in recent discussions held with the ECP steering board.
Key objectives for the meta-framework: It should be a mapping that is useful for customers. It should not become a technical exercise which is only understandable by the GRC experts at providers. Secondly, it should address the setting where one provider adheres to several standards and schemes.

Remark about maturity models versus security levels

The meta-framework we propose here contains, per security objective, detailed security measures grouped in sophistication levels. This creates a kind of maturity model. We would like to stress, however, that we do not advocate a one-dimensional rating for security (bronze, silver, gold). To explain the difference we take an example. Suppose an IaaS provider specializes in business continuity and physical security. The IaaS provider does not have many employees, does not develop software and does not have a helpdesk for troubleshooting the accounts of end-users. In this case the security measures around business continuity and physical security are probably state of the art. But at the same time, because the provider has few employees and does not develop software, there is no need for a state-of-the-art human resource security policy or a state-of-the-art secure software development program. A SaaS provider, on the other hand, may have a very different focus, much more on software development. It would be difficult and misleading to try and capture the security of these two providers in a single value.

The problem of a one-dimensional security rating can also be explained from the perspective of the customer. Suppose a customer wants to buy a highly reliable cloud service for storing encrypted backups of its data. The customer would like to be able to select a provider with top-notch business continuity, but at the same time the customer is not too interested in confidentiality aspects, because the service will be used only for storing encrypted backups (provided the encryption keys stay with the customer). A one-dimensional rating would treat all the different aspects of security in the same way, and this would not make selection much easier for the customer.

The meta-framework we aim to develop (which follows the approach taken in the work on Article 13a) basically splits high-level security objectives from detailed security measures. Per security objective a range of different security measures is listed, and these measures are grouped in different levels of sophistication. In this way different topics (like software security, or business continuity) can be treated separately.

5.3 Alternative solutions

We also discuss briefly some alternative solutions for the sake of completeness, and we argue why they are not feasible or less feasible.

One set of security requirements and one certification scheme

Instead of listing different schemes and making a meta-framework for mapping the different schemes, one could also try to agree on a single set of security requirements. In that case the first step would be to try to find a single set of security requirements that is acceptable to all EU countries. This list would then be used as the basis for a single EU-wide certification scheme. Although it is certainly a possible approach, we see two major issues with it:

- One set of security requirements and one certification scheme means that SMEs and member states should agree completely about these security requirements. Given the variety of existing security standards and certification schemes it will be hard to get agreement on this.
- One certification scheme would also not leverage the many certification schemes that exist already, risking duplicate work.
List of certification schemes and one-on-one mappings

An alternative approach would be to list existing cloud certification schemes and map these certification schemes one-on-one. We see some issues with the second part of this approach:
- A one-on-one mapping between every pair of schemes means a lot of work. For example, for 10 schemes 45 mappings (or deltas) would be needed [11].
- Not all certification schemes or security standards have the same level of detail. Some schemes focus on high-level security objectives, while others go into detail about technical security measures for specific technology. This complicates a one-on-one mapping. Take for example an ISO27001 certification and an IT Grundschutz certification. There is not a simple delta between the two schemes, because the IT Grundschutz certification has a higher level of detail.

5.4 Timeline

Taking into account discussions with CERT-SIG and the feedback from the ECP steering board, we propose the following next steps. These next steps have been discussed and agreed with the experts in the CERT-SIG.

5.4.1 Next steps for the list of certification schemes

We propose to implement a website which lists certification schemes, with, per scheme, the fields of the questionnaire included in Annex A. The list of certification schemes would give customers (SMEs for example) a quick overview of general characteristics, like who governs the scheme, who does the auditing, what type of assets are certified and who has been certified. Proposed next steps in this area are:
- End of 2013, certification website: develop a website by the end of 2013 which lists different information security certification schemes. ENISA will commit resources to set up and maintain this list.
- Beginning of 2014, update process: develop, together with CERT-SIG, a process (for example a periodic meeting of experts) for adding a new certification scheme to the list of certification schemes (or updating the listing if needed). ENISA will drive and oversee this process, and use the expertise of the members of CERT-SIG.
- Mid 2014, customer review: the characteristics used in the list of schemes should be developed not only together with the industry, but also together with customers, including public sector and private sector customers. We propose to ask the ECP steering board and government experts to review the structure of the list and provide feedback.
- End of 2014, interface layer: using the feedback from the public and private sector, we propose to enhance the (flat) list of schemes with an interface layer that allows customers to analyse and compare different schemes.

5.4.2 Next steps for the meta-framework

Next year, as part of its annual work programme, ENISA will develop a single meta-framework containing high-level security objectives and detailed security measures grouped in sophistication levels. Hence the meta-framework will allow mapping to high-level standards such as ISO27001 but also to more detailed security requirements (such as those contained in IT Grundschutz and PCI DSS). As mentioned, this meta-framework would allow us to map the different existing certification schemes and also the different governmental security standards in the different EU member states. Proposed next steps in this area are:
- Beginning of 2014, usage scenarios: select the usage scenarios that will be the drivers for the meta-framework, together with experts from CERT-SIG.
- Beginning of 2014, scope and set-up: selection of the schemes in scope and the general set-up of the meta-framework, together with experts in the CERT-SIG.
- Mid 2014, first draft: delivery of a first draft of the meta-framework for review by experts in the CERT-SIG.
- End of 2014, mapping process: a process (for example a periodic meeting of experts) to support:
  o mapping a new certification scheme to the meta-framework (or updating the mapping if needed);
  o updating the meta-framework (security objectives, security measures) if needed, for example if new best practices become part of certification schemes;
  o updating the meta-framework to take into account results from the other SIG subgroups, for example from the SIG subgroup on data protection.

[11] The number of possible pairs from a set of N is (mathematically) pronounced "N choose 2", and is calculated as N! / (2 (N-2)!).
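To make the argument of Section 5.2 concrete, the following Python snippet is an added illustration and not code from this paper or from any of the schemes discussed. It records a provider's security as one level per security objective (the sophistication levels of the meta-framework), compares that profile against a customer's minimum-level profile, and shows that a single averaged rating hides the difference the customer cares about. The objective names, the level scale 0 to 3, the two provider profiles and the encrypted-backup customer profile are constructed sample data; pairwise_mappings() evaluates the "N choose 2" count from footnote 11.

```python
"""Per-objective security levels versus a single rating (added illustration).

All objective names, provider profiles, the level scale and the customer
profile below are constructed sample data, not real certification results.
"""
from math import comb

# Security objectives of a hypothetical meta-framework (assumed names).
OBJECTIVES = (
    "business_continuity",
    "physical_security",
    "hr_security",
    "secure_development",
    "confidentiality",
)
MAX_LEVEL = 3  # sophistication levels: 0 (nothing) .. 3 (state of the art)

# Constructed provider profiles: the level reached per objective.
PROVIDERS = {
    # IaaS specialist: strong on continuity/physical, no software development
    "iaas-backup-specialist": {
        "business_continuity": 3, "physical_security": 3,
        "hr_security": 2, "secure_development": 0, "confidentiality": 2,
    },
    # SaaS shop: strong on people and software, weak on the data centre side
    "saas-dev-shop": {
        "business_continuity": 1, "physical_security": 1,
        "hr_security": 3, "secure_development": 3, "confidentiality": 2,
    },
}

# Constructed customer profile: encrypted backups need top-notch business
# continuity, while confidentiality barely matters (data is pre-encrypted).
ENCRYPTED_BACKUP_CUSTOMER = {"business_continuity": 3, "confidentiality": 1}


def validate_profile(profile):
    """Reject profiles naming unknown objectives or out-of-range levels."""
    for objective, level in profile.items():
        if objective not in OBJECTIVES:
            raise ValueError(f"unknown objective: {objective}")
        if not 0 <= level <= MAX_LEVEL:
            raise ValueError(f"level out of range for {objective}: {level}")


def one_dimensional_rating(profile):
    """The mean level over all objectives: the kind of single score
    (bronze/silver/gold) the paper argues against."""
    validate_profile(profile)
    return sum(profile.get(o, 0) for o in OBJECTIVES) / len(OBJECTIVES)


def unmet_requirements(profile, required):
    """Objective -> (level offered, level required) for every shortfall.
    Objectives the customer does not mention are not constrained."""
    validate_profile(profile)
    validate_profile(required)
    return {
        objective: (profile.get(objective, 0), minimum)
        for objective, minimum in required.items()
        if profile.get(objective, 0) < minimum
    }


def select_providers(providers, required):
    """Names of the providers meeting every minimum level the customer set."""
    return sorted(
        name for name, profile in providers.items()
        if not unmet_requirements(profile, required)
    )


def pairwise_mappings(n_schemes):
    """One-on-one mappings needed between n schemes: n choose 2 (footnote 11)."""
    return comb(n_schemes, 2)


if __name__ == "__main__":
    for name, profile in PROVIDERS.items():
        print(name, "single rating:", one_dimensional_rating(profile),
              "unmet:", unmet_requirements(profile, ENCRYPTED_BACKUP_CUSTOMER))
    print("suitable for encrypted backups:",
          select_providers(PROVIDERS, ENCRYPTED_BACKUP_CUSTOMER))
    print("mappings needed for 10 schemes:", pairwise_mappings(10))
```

Both constructed providers obtain the same single rating (2.0), yet only the IaaS specialist satisfies the encrypted-backup customer; that is exactly the mismatch a bronze/silver/gold label would conceal, while the per-objective comparison names the objective that falls short and by how much. Mapping a real scheme onto the meta-framework would replace the constructed profiles with levels derived from the scheme's controls.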
6 Conclusions

In this paper we have summarized the results of the CERT-SIG on cloud certification obtained so far. We also gave our perspective on these results and identified the main challenges. In Section 5 we propose two solutions that could improve and support the use of (voluntary) certification schemes, improve transparency and more generally address the security issues customers are faced with when adopting cloud computing. We also provide an indicative timeline of next steps (Section 5.4).

We would like to mention here the constructive collaboration with the EC and the members of CERT-SIG in quickly reaching consensus about intermediate results, identifying key challenges and next steps. One important challenge is the fact that there are many different certification schemes in use (in the EU and globally) and that in many EU member states there are different sets of security requirements for public procurement of IT.

The work of the CERT-SIG was also discussed at the ECP steering board meeting in Tallinn. Apart from a general endorsement of the work so far and a request to deliver practical results as soon as possible, several comments were made about information security and data protection [12]:
- The key security challenge is the lack of transparency on security.
- An approach based on certification against two or three security levels seems very useful.
- There is a need to identify minimal standards, based on existing best practices. These should focus on public sector needs, but the private sector is free to adopt these if it sees a benefit in doing so.
- With a single standard the EU cloud sector could lead the world market for cloud services.

We believe the current approach and timeline address the feedback received from the ECP Steering board. The two proposed solutions (a list of certification schemes and a meta-framework of certification schemes) have the potential to improve transparency and clarity about information security in cloud computing.
The work of CERT-SIG is now split in two parts: the list of certification schemes and the meta-framework of certification schemes. The former can be seen as a quick win. The work done by CERT-SIG so far this year allows us to set up such a list quickly. We are planning to deliver a website this year which lists objective characteristics of the different existing certification schemes. In this way a tangible result is delivered quickly. The list could be used directly by SMEs and government organizations in the process of procuring cloud services.

We also propose a meta-framework which contains detailed security requirements (aka security controls) which are common to different certification schemes. This meta-framework will improve transparency. The meta-framework will have different security levels and in this way be flexible enough to deal with different types of services and different types of customers. The meta-framework will be developed in 2014. Finally, although the meta-framework will not substitute the many existing certification schemes, it will provide the basis for discussing which are the common security requirements used in different EU member states. In that sense, this meta-framework could be a first step towards identifying a set of common security requirements for public procurement of cloud computing.

We invite the ECP steering board to provide feedback on this document, the proposed solutions and the timeline for future work. We would like to ask the ECP Steering board to:
- Endorse the approach described here, the two solutions (a list of certification schemes and a meta-framework of certification schemes), as well as the timeline of next steps.
- Facilitate a review by public sector customers of the list of certification schemes (in spring 2014), to allow iterative improvement of the list of schemes. This review should cover what is listed about schemes but also whether there is a need to develop a better interface layer on top of the (flat) listing currently envisioned.
- Facilitate usage of the meta-framework in pilots (around mid 2014), to provide early feedback and realistic test cases for the meta-framework.
- Provide CERT-SIG with feedback about customer needs which are not yet covered by existing certification schemes. In this way CERT-SIG would be able to understand if existing certification schemes need to be extended with new security controls.

We look forward to continuing the fruitful collaboration with the European Commission and the CERT-SIG, and we look forward to delivering useful and tangible results that can be used directly by SMEs, European enterprises, public organizations procuring cloud computing, and the organizations in the European Cloud Partnership.

[12] Minutes of the ECP Steering Board meeting in Tallinn: http://ec.europa.eu/information_society/newsroom/cf/dae/document.cfm?doc_id=2628
Annex A: Listing certification schemes

This annex contains:
- An empty questionnaire, which provides a structure for describing, objectively, the main characteristics of a certification scheme.
- An example of how to fill in the questionnaire: ISO 27001.
- The answers of several representatives in the CERT-SIG, whom we asked to use the questionnaire for their certification schemes. They are:
  o CSA OCF
  o LeetSecurity rating
  o TUV Cloud certified
  o EuroCloud Star Audit

Note that the empty questionnaire was subsequently changed as a result of feedback, so there may be differences between the questions in the empty questionnaire (in Annex A.1) and the answers for the different schemes in the rest of the annex.

A.1 Empty questionnaire

A.1.1 General information

Provide general information about the certification scheme.

Name of certification scheme:
Acronym:
Governing organisation:
What is the governance model: (describe briefly the governance model, which organizations are in the board, if/how customers/providers can provide feedback on the overall scheme, etc.)
Link to main site of scheme:
Certification target: one or more cloud services / an organisation / one or more services / set of business processes / other (describe briefly)

A.1.2 Underlying information security standard or best practices

Provide information about the underlying security standard(s) or best practice(s).

What is the underlying information security standard or best practice:
Organisation governing the standard:
Link to standard or best practice:
What is the structure of the standard or best practice? control objectives / detailed technical requirements / both / general advice / other (describe briefly titles, structure, areas/domains addressed, et cetera)
Which assets are covered: Organization (processes, policies) / Facilities (hardware, cooling, etc.) / IaaS / PaaS / SaaS
Is the standard or best practice available to the public? public and free / purchase for a small fee / membership required for access / no / other (describe briefly)
Is the standard or best practice based on existing international standards? yes (describe briefly) / no
Give one or more representative examples of a requirement set in the standard: (quote or describe the requirement)

A.1.3 Assessments and certification of compliance

Provide information about the process of assessment of compliance to the standard or best practice (self-assessment, auditing, monitoring) and how the assessment results in certification.

Describe the process leading to certification, from the assessments (self-assessment, auditing, continuous monitoring) to the issuing of a certificate of compliance: (describe)
Which organisations are accredited to issue certificates? (describe briefly)
Which organisations license/certify auditors? (describe briefly)
How is the quality of the auditors guaranteed? training, information sessions / courses, diplomas / audit code/guideline / not
Is a description of the audit process publicly available? yes (provide a link) / no
Does the framework support quality or maturity levels? yes (provide a link) / no
Is self-assessment an option? yes (provide a link to a self-assessment form) / no
Is continuous monitoring part of the framework (like in PCI DSS)? yes / no
Are the results of assessments (self-assessments, auditing, monitoring) publicly accessible? yes (provide a link to an example) / no
Is the scope of assessment publicly available? yes (provide a link to an example) / no
Is the standard and/or framework updated following past incidents and/or changing technology? yes (describe briefly) / no
Does certification expire? yes (describe briefly) / no

A.1.4 Current adoption and usage

Provide information about the adoption and usage of the certification framework.

Describe the current adoption of the certification framework: (describe briefly)
How many providers have been certified? (integer; provide link)
What is the reach of the certification scheme? national / across the EU / sector-specific / global / pilots only / few providers / none
What is the potential applicability of the certification scheme? national / across the EU / sector-specific / global
A.2 Example: ISO 27001

We have filled in this example based on publicly available information, without consulting representatives from ISO.

A.2.1 General information

Name of certification framework: ISO/IEC 27001 Certification
Acronym: ISO27001
Governing organisation: ISO/IEC
Link to main site of framework: http://www.iso.org/iso/home/standards/certification.htm
Certification target: an organisation (the scope can be limited to specific systems or business processes)

A.2.2 Underlying information security standard or best practices

What is the underlying information security standard or best practice: ISO/IEC 27001:2005, Information technology - Security techniques - Information security management systems - Requirements
Organisation governing the standard: ISO/IEC
Link to standard or best practice: http://www.iso.org/iso/home/store/catalogue_tc/catalogue_detail.htm?csnumber=42103
What is the structure of the standard or best practice? control objectives (detailed technical requirements are described in ISO27002)
Which assets are covered: Organization (processes, policies)
Is the standard publicly available? Purchase for a fee (130 euro)
Is the standard or best practice based on existing international standards? Yes
Give one or more representative examples of a requirement set in the standard: The standard is based on 4 steps:
- Plan (establish the ISMS): establish the ISMS policy, objectives, processes and procedures relevant to managing risk and improving information security, to deliver results in accordance with an organization's overall policies and objectives.
- Do (implement and operate the ISMS): implement and operate the ISMS policy, controls, processes and procedures.
- Check (monitor and review the ISMS): assess and, where applicable, measure process performance against the ISMS policy, objectives and practical experience, and report the results to management for review.
- Act (maintain and improve the ISMS): take corrective and preventive actions, based on the results of the internal ISMS audit and management review or other relevant information, to achieve continual improvement of the ISMS.

A.2.3 Assessments and certification of compliance

Describe the process leading to certification, from the assessments (self-assessment, auditing, continuous monitoring) to the issuing of a certificate of compliance: See http://www.iso.org/iso/home/standards/certification.htm. Each country has a national accreditation body (NAB). The provider who wants to be ISO27001 certified contacts its NAB. The NAB has a list of accredited organisations, aka certification bodies (CBs), who can do audits and assess compliance to the standard. The certification usually has two steps. First the CB does a pre-certification audit; the audited organization can then take action on suggestions from the certification auditor. In the second step the CB does the final audit and certifies the ISMS.
Which organisations are accredited to issue certificates? Each country has a NAB which accredits CBs. CBs include for example BSI, Certification Europe, DNV, JACO IS, KEMA, KPMG, SFS-Sertifiointi Oy, SGS, STQC, SAI Global Limited and UIMCert GmbH.
Which organisations license/certify auditors? Organisations accredited by the NAB (the CBs).
How is the quality of the auditors guaranteed? Training and an exam result in certification of the auditor. IRCA certifies auditors: http://www.irca.org/en-gb/certification/schemes/
Is a description of the audit process publicly available? No (but the steps are described at http://www.27000.org/ismsprocess.htm)
Does the framework support quality or maturity levels? No
Is self-assessment an option? No
Is continuous monitoring part of the framework (like in PCI DSS)? No
Are the results of assessments (self-assessments, auditing, monitoring) publicly accessible? No
Is the scope of assessments publicly available? No (sometimes organisations publish the scope, see http://www.iso27001certificates.com/)
Is the standard and/or framework updated following past incidents and/or changing technology? ISO updates the standard every couple of years.
Does certification expire? Yes: a certificate is issued for a three-year cycle, with yearly surveillance audits by the CB and a re-certification audit at the end of the cycle.

A.2.4 Current adoption and usage

Describe the current adoption of the certification framework: It is the most widely used information security management standard and thousands of organisations are certified across the globe.
How many organisations have been certified? 7940; the register of certificates can be found at http://www.iso27001certificates.com/
What is the reach of the certification scheme? Global
What is the potential applicability of the certification scheme? Global
A.3 Example: CSA Open Certification Framework

The data contained in the questionnaire was provided by a representative from CSA.

A.3.1 General information

Name of certification framework: Open Certification Framework (OCF). The OCF Programme is structured in 3 levels: Level 1, CSA STAR Self Assessment; Level 2, CSA STAR Certification / CSA STAR Attestation; Level 3, CSA STAR Continuous.
Acronym: OCF
Governing organisation: Cloud Security Alliance (CSA) is the organisation governing the overall programme. In some cases CSA has a partner that supports the implementation of the scheme. For instance: in Level 2 STAR Certification, CSA is supported by the British Standards Institution (BSI), which is the organisation managing the certification and accreditation of STAR Certification Lead Auditors. In Level 2 STAR Attestation, CSA is supported by AICPA.
Link to main site of framework: https://cloudsecurityalliance.org/research/ocf/#_resources
Certification target: An organisation or a service or a business process. In more detail:
- Level 2 STAR Certification: the certification process is based on ISO 27001 and, like ISO27001, it follows ISO/IEC 17021:2011 (Conformity assessment - Requirements for bodies providing audit and certification of management systems), ISO/IEC 27006:2011 (Information technology - Security techniques - Requirements for bodies providing audit and certification of information security management systems) and ISO 19011 (Guidelines for auditing management systems).
- Level 2 STAR Attestation: the certification process is based on AICPA SOC 2 (AT 101).

A.3.2 Underlying information security standard or best practices

What is the underlying information security standard or best practice:
- STAR Self Assessment is based on the Cloud Controls Matrix v1.3 and the Cloud Assessment Initiative Questionnaire.
- STAR Certification is based on 2 underlying standards: ISO/IEC 27001:2005 (Information technology - Security techniques - Information security management systems - Requirements) and the Cloud Security Alliance Cloud Controls Matrix (CCM) v1.4. Please note that as soon as the new version of the Cloud Controls Matrix is made available there will be a transition period during which companies can decide to use either v1.4 or the new version. The new version of CCM will be named v3, because it represents a harmonisation with CSA Guidance v3.
- STAR Attestation is based on the following underlying standards: AICPA Trust Services Principles & Criteria, AICPA AT 101 and the Cloud Security Alliance Cloud Controls Matrix (CCM) v1.4.
- STAR Continuous will be based on the following underlying standards: Cloud Security Alliance Cloud Controls Matrix (CCM) v3, Cloud Security Alliance Cloud Trust Protocol and Cloud Security Alliance CloudAudit.
Organisation governing the standard: Cloud Security Alliance (CCM, Cloud Trust Protocol and CloudAudit); ISO/IEC (ISO 27001); AICPA (Trust Services Principles & Criteria, AT 101).
Link to standard or best practice:
- Cloud Controls Matrix: https://cloudsecurityalliance.org/research/ccm/
- Cloud Assessment Initiative Questionnaire: https://cloudsecurityalliance.org/research/cai/
- Cloud Trust Protocol: https://cloudsecurityalliance.org/research/ctp/
- CloudAudit: https://cloudsecurityalliance.org/research/cloudaudit/
Please note that both the Cloud Trust Protocol and CloudAudit are currently under review. Version 2 of CTP will be published at the end of 2013.
What is the structure of the standard or best practice? The Cloud Controls Matrix is a security framework currently structured in 13 domains and composed of 98 controls. Some of them are to be considered control objectives, others are more detailed technical requirements. The set of controls included in CCM are cloud-relevant controls. The CCM controls are also mapped against the most relevant information security control frameworks: ISO 27001:2005, NIST SP 800-53, FedRAMP, PCI DSS, COBIT v4.1, AICPA Trust Principles. CCM v3 also includes the mapping against the ENISA IAF and the German BSI Cloud Security Catalogue.
Which assets are covered: Organization (processes, policies), IaaS, PaaS, SaaS
Is the standard or best practice available to the public? Public and free
Is the standard or best practice based on existing international standards? Cloud Controls Matrix (CCM): the controls of CCM are mainly based on the Cloud Security Alliance Security Guidance, https://cloudsecurityalliance.org/research/securityguidance/. The CSA CCM provides a controls framework that gives a detailed understanding of security concepts and principles that are aligned to the Cloud Security Alliance guidance in 13 domains. The foundations of the Cloud Security Alliance Controls Matrix rest on its customized relationship to other industry-accepted security standards, regulations and controls frameworks such as ISO 27001/27002, ISACA COBIT, PCI, NIST, Jericho Forum and NERC CIP, and it will augment or provide internal control direction for service organization control report attestations provided by cloud providers. As a framework, the CSA CCM provides organizations with the needed structure, detail and clarity relating to information security tailored to the cloud industry. Cloud Trust Protocol: it is a new standard. CloudAudit: it is a new standard.
Give one or more representative examples of a requirement set in the standard: STAR Certification: it is based on ISO 27001, therefore it adopts the same Plan-Do-Check-Act approach. Moreover the underlying cloud-relevant standard (CCM) is composed of 98 controls, structured in 13 domains. Examples of control areas are:
- Compliance: Information System Regulatory Mapping
- Data Governance: Information Leakage
- Facility Security: Secure Area Authorization
- Human Resources: Employment Termination
- Information Security: User Access Restriction / Authorization
- Information Security: Incident Reporting
- Information Security: Source Code Access Restriction
- Risk Management: Business / Policy Change Impacts
- Resiliency: Business Continuity Testing
- Security Architecture: Remote User Multi-Factor Authentication
- Security Architecture: Shared Networks
- Security Architecture: Audit Logging / Intrusion Detection
STAR Attestation: it is based on SOC 2, therefore it is a period-of-time type of assessment versus the point-in-time type of assessment of ISO27001. In essence, in a SOC 2 audit the auditors are assessing the effectiveness of controls over a period of time. As in the case of STAR Certification, STAR Attestation supports the SOC 2 assessment with cloud-relevant controls coming from CCM.

A.3.3 Assessments and certification of compliance

Describe the process leading to certification, from the assessments (self-assessment, auditing, continuous monitoring) to the issuing of a certificate of compliance:
- STAR Self Assessment: based on a self assessment.
- STAR Certification: it follows the same process as an ISO 27001 certification, with the addition of the assessment of the Cloud Controls Matrix against a maturity model. Details can be found in the document "Auditing CCM Release 1", https://cloudsecurityalliance.org/research/ocf/#_resources
- STAR Attestation: it will follow the same process as a SOC 2 audit.
Which organisations are accredited to issue certificates?
- STAR Certification: only a recognised Certification Body can apply to become a STAR Certification Auditor. At this point in time the only Certification Body accredited is the British Standards Institution (BSI).
- STAR Attestation: a SOC 2 audit can only be performed by an independent certified public accountant (CPA) or firm. CPA firms that perform SOC audits must adhere to specific professional standards established by the American Institute of Certified Public Accountants (AICPA). The same principle applies to STAR Attestation audits.
Which organisations license/certify auditors?
- STAR Certification: the British Standards Institution (BSI) is the only governing body for the certification of other Certification Bodies that want to become STAR Certification Auditors.
- STAR Attestation: any accountant could become a CPA.
How is the quality of the auditors guaranteed? STAR Certification: to become a STAR Certification Auditor, an individual working for a Certification Body has to attend the STAR Certification Lead Auditor course. It should be noted that to become a STAR Certification Auditor such an individual should already be an ISO 27001 Lead Auditor (in other words, being an ISO 27001 Lead Auditor is a prerequisite for becoming a STAR Certification Auditor). For detailed information please consult the document "Requirements for organisations providing STAR certification, Release 1" at https://cloudsecurityalliance.org/research/ocf/#_resources
Is a description of the audit process publicly available? Yes: https://cloudsecurityalliance.org/research/ocf/#_resources (relevant document: Auditing CCM Release 1)
Does the framework support quality or maturity levels? STAR Self Assessment: no, it doesn't. STAR Certification: yes, it does. STAR Attestation: no, it doesn't. STAR Continuous: to be defined.
Is self-assessment an option? Yes: https://cloudsecurityalliance.org/star/ and https://cloudsecurityalliance.org/star/submit/
Is continuous monitoring part of the framework (like in PCI DSS)? Yes, but Level 3 STAR Continuous would be available for certification only in 2015.
Are the results of assessments (self-assessments, auditing, monitoring) publicly accessible? STAR Self Assessment: yes, https://cloudsecurityalliance.org/star/registry/. STAR Certification: yes, companies will be asked to publish the scope of their certification and the Statement of Applicability (this would be done on a voluntary basis though). STAR Attestation: no, it doesn't. STAR Continuous: to be defined.
Is the scope of assessment publicly available? STAR Self Assessment: yes. STAR Certification: yes. STAR Attestation: no. STAR Continuous: to be defined.
Is the standard and/or framework updated following past incidents and/or changing technology? The Cloud Controls Matrix, which is the common denominator across the OCF levels (STAR Self Assessment, Certification, Attestation and Continuous), is reviewed periodically (every year) based on relevant input provided by the information security community. That input might be based on past incidents or changes in technology. The review policy for CCM foresees a dot release on an annual basis in case new controls are added or the content of existing ones is changed. Major releases are expected to happen only in case of structural changes. CSA doesn't foresee any structural change after CCM v3 for a long period of time.
Does certification expire? STAR Self Assessment: no, but anybody visiting the STAR Registry can verify the date of the self assessment. STAR Certification: the certification follows the ISO 27001 cycle, therefore inspections are done every 6 or 12 months. STAR Attestation: it follows the SOC 2 cycles, therefore periodic inspections are done. STAR Continuous: it will be based on continuous auditing of relevant security properties.

A.3.4 Current adoption and usage

Describe the current adoption of the certification framework:
- STAR Self Assessment: currently there are 36 entries in the STAR self assessment registry.
- STAR Certification: to be launched on the 25th of September 2013. Already 15 companies have requested to be certified. 6 companies (2 in APAC, 2 in Europe, 2 in the USA) went through a pilot.
- STAR Attestation: will be available in Q1 2014.
- STAR Continuous: will be available in 2015.
NOTE: the Cloud Controls Matrix is adopted by over a thousand organisations worldwide (this is based on the companies that have notified us of their intention to use CCM in their internal practices). Other available data on CCM adoption: an average of 1500 downloads per month in the last 24 months. CCM is currently used by the biggest security consulting organisations (KPMG, E&Y, Accenture, PwC, Deloitte and others) in their consulting practices.
NOTE: the Singaporean Government has already selected OCF as the reference international certification scheme for the internal market.
NOTE: Taiwan G-Cloud will be the first Gov Cloud to be certified against STAR Certification; they have already successfully completed a pilot in May and the certification assessment is due to take place before the end of 2013.
How many providers have been certified? 36
What is the reach of the certification scheme? Global
What is the potential applicability of the certification scheme? Global; sector specific
A.4 Example: LeetSecurity

A.4.1 General information

Name of certification framework: Security Rating Guide
Acronym: -
Governing organisation: Leet Security, SL
Link to main site of framework: www.leetsecurity.com
Certification target: All kinds of ICT services, including any type of cloud service (SaaS, PaaS or IaaS)

A.4.2 Underlying information security standard or best practices

What is the underlying information security standard or best practice:
General information regarding the provider:
- Strategic: business plan; strategic plan for the following 3 years
- Financial: audited financial statements
- Management: organization chart; short-term objectives; CV/bio of the people in the management of the company/unit responsible for the service
- Commercial: number of service users; evolution of service users; commercial plan for the service
- Operation: service road map; certifications of the people in the service operation; training policy; unwanted rotation ratio; service awards and recognitions; certifications (quality, development, ...); outsourcing policy; dispute resolution system (arbitration)
Follow-up information regarding:
- Mergers and acquisitions
- Security incidents
- Changes in service plans
- Certification and/or audit issues
- Changes in key third-party outsourcers
Maturity of the security measures implemented, classified into the following 14 areas:
- Information security management program
- Systems operation
- Personnel security
- Facility security
- Third-party processing
- Resilience
- Compliance
- Malware protection
- Network controls
- Monitoring
- Access control
- Secure development
- Incident handling
- Cryptography
Organisation governing the standard: Leet Security, SL
Link to standard or best practice: http://www.leetsecurity.com/en/rating-guide/
What is the structure of the standard or best practice? The guide includes two types of requirements: general information regarding the provider (see first question), which the cloud provider should provide to the governing organisation, which, after evaluating it, could establish an upper rating level for their services; and specific requirements regarding the security measures implemented in the specific service that is being rated. These requirements are classified into 14 areas (see first question). Every area, if needed, has a further classification of requirements for clarification purposes. So, requirements are divided in two levels.
Which assets are covered: Organization (processes, policies); Facilities (hardware, cooling, etc.); all the elements needed to provide the service being rated, including all the elements that are subcontracted to third parties.
Is the standard or best practice available to the public? Public and free
Is the standard or best practice based on existing international standards?
- A Guide to Building Secure Web Applications and Web Services, 2.0 Black Hat Edition, July 27, 2005; OWASP, The Open Web Application Security Project.
- ANSI/TIA-942-2005, Telecommunications Infrastructure Standard for Data Centers.
- CERT Resilience Management Model, Version 1.0, Generic Goals and Practices; Software Engineering Institute, May 2010.
- Cloud Control Matrix version 1.2; Cloud Security Alliance, August 2011.
- European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data.
- Data Center Site Infrastructure Tier Standard: Topology, 2010; Uptime Institute Professional Services, LLC.
- Fundamental Practices for Secure Software Development: A Guide to the Most Effective Secure Development Practices in Use Today, 2nd Edition, February 8, 2011; SAFECode, Software Assurance Forum for Excellence in Code.
- ISO/IEC 27001:2005, Information Technology - Security Techniques - Information security management systems - Requirements.
- ISO/IEC 27002:2005, Information Technology - Security Techniques - Code of practice for Information Security Management.
- NIST Special Publication 800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations, February 2012; National Institute of Standards and Technology, U.S. Department of Commerce.
- Payment Card Industry Data Security Standard version 2.0, October 2010; Payment Card Industry Security Standards Council.
- Procure Secure: A guide to monitoring of security service levels in cloud contracts; European Network and Information Security Agency (ENISA), 2012.
- Security Recommendations for Cloud Computing Providers (minimum information security requirements), June 2011; Federal Office for Information Security.
- Systems Security Engineering Capability Maturity Model, SSE-CMM version 3.0, June 15, 2003; Carnegie Mellon University.
Give one or more representative examples of a requirement set in the standard: Example 1, how to calculate the rating level. Every chapter is also divided into a number of different elements that should be considered to evaluate the rating of each chapter. Finally, for each element, this methodology states the conditions that should be met to achieve each level, considering that the conditions are cumulative; that is, to achieve rating B, the conditions of ratings E, D and C should also be met. In order to aggregate the rating levels obtained, the formula is the minimum. This is, when aggregating rating levels,
A.4.3 the result is the minimum of the levels achieved in each element or chapter. That is, a service may have different ratings for different chapters of its infrastructure. However, the service s overall rating is equal to the lowest rating across all chapters. Thus, a service that is rated B for all chapters except Systems Operation, where it is rated C, is rated C overall. The overall rating for the data center is based on its weakest component. Besides, chapters are divided into the following categories: Common security measures Security Measures regarding confidentiality Security Measures regarding integrity Security Measures regarding availability Example 2. Supply-chain assurance (see annex A) Example 3. Compliance with security policies and standards, and technical compliance (see annex B) Example 4. Monitoring system-use (see annex C) Assessments and certification of compliance Describe the process leading to certififcation, from the assessments (self-assessment, auditing, continuous monitoring) to the issuing of a certificate of compliance. The rating system proposed by leet security is a provider-fee model with the peculiarity that includes self-declaration of the level by the vendor itself. This model means that the vendor decides the rating level of its service, but with the surveillance of leet security. According to the methodology defined, first rating requires a validation by leet security team to assure that criteria included in this guide have been correctly applied, in the same way that any modification proposed by the vendor is analyzed by the agency before publish it. To assure the correct application of our methodology over time, leet security has established two mechanisms of control: Random periodic audits Complaint channel for users of rated services Leet security keeps the right to modify the rating level assigned to a service as a result of these controls, but also because of our analysts opinion or the market / sector evolution. 
Graphically, the procedure could be represented as shown in the attached diagram. Page 33
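The aggregation rule of Example 1 above (cumulative level conditions per element, the minimum across elements and chapters, and one letter per confidentiality, integrity and availability dimension) can be made concrete in a few lines. The following Python is an added illustration and not code from leet security or from this paper; the element names, their conditions and the sample evidence are constructed for the example, and the "-" placeholder for an element that meets no level at all is an assumption of this example.

```python
"""Rating aggregation in the leet security Security Rating Guide, as described above.

Added illustration, not code from leet security or from the ENISA paper.
Only the rules come from the text: five levels from E (lowest) to A (highest),
cumulative level conditions, the minimum as aggregation function, and a
three-letter label for confidentiality, integrity and availability.
Element names, their conditions and the sample evidence are constructed.
"""

LEVELS = ["E", "D", "C", "B", "A"]  # ascending; A is the best case


def rank(level):
    """Numeric order of a level; None (nothing achieved) sorts below E."""
    return -1 if level is None else LEVELS.index(level)


def element_rating(conditions_met):
    """Highest level whose conditions, and those of every lower level, are met.

    conditions_met maps a level letter to True/False.  Because conditions are
    cumulative, meeting the B conditions without the C conditions yields D.
    """
    achieved = None
    for level in LEVELS:
        if not conditions_met.get(level, False):
            break
        achieved = level
    return achieved


def aggregate(levels):
    """The guide aggregates with the minimum: the weakest part sets the level."""
    return min(levels, key=rank)


def chapter_rating(elements):
    """elements: {element name: conditions_met}; a chapter is as good as its weakest element."""
    return aggregate(element_rating(c) for c in elements.values())


def dimension_rating(chapters):
    """chapters: {chapter name: elements}; one of the C/I/A dimensions."""
    return aggregate(chapter_rating(e) for e in chapters.values())


def service_label(dimensions):
    """Three-letter label in the order confidentiality, integrity, availability.

    "-" marks a dimension where some element meets no level at all (assumption
    of this example; the guide's own handling of that case is not described).
    """
    order = ("confidentiality", "integrity", "availability")
    return "".join(dimension_rating(dimensions[d]) or "-" for d in order)


def conditions_up_to(level):
    """Constructed evidence: every level up to `level` satisfied, higher ones not."""
    return {lv: rank(lv) <= rank(level) for lv in LEVELS}


# Constructed sample service: chapter and element names are hypothetical.
SAMPLE_SERVICE = {
    "confidentiality": {
        "Cryptography": {
            "key management": conditions_up_to("B"),
            "data at rest": conditions_up_to("A"),
        },
        "Access control": {"authentication": conditions_up_to("B")},
    },
    "integrity": {
        # B-level evidence is present but the C conditions fail: cumulative rule gives D
        "Secure development": {
            "code review": {"E": True, "D": True, "C": False, "B": True, "A": False},
        },
    },
    "availability": {
        "Resilience": {"backup": conditions_up_to("B")},
        "Systems Operation": {"change management": conditions_up_to("C")},
    },
}

if __name__ == "__main__":
    print(service_label(SAMPLE_SERVICE))  # BDC
```

With this constructed evidence the confidentiality chapters are both B, the single integrity element is held down to D by the failed C conditions, and availability is C because Systems Operation is the weakest chapter, giving the label BDC.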
Which organisations are accredited to issue certificates? Only leet security

Which organisations license/certify auditors?
  There is no licensing / certification for external auditors. leet security trains the vendor staff that will elaborate the rating proposal for the rating classification.

How is the quality of the auditors guaranteed?
  Training by leet security; CISA certification. Other certifications are optional: CCSK, for example.

Is a description of the audit process publicly available? Yes: http://www.leetsecurity.com/en/procedimiento-decalificacion/

Does the framework support quality or maturity levels?
  Yes. The rating system is based on five levels from A to E (A being the best case), which are assigned to three dimensions of security for each service rated: confidentiality, integrity and availability (CIA). In this way, the rating of a service has the form of a three-letter set, e.g. BDC, meaning that the service has a rating of B regarding confidentiality, a D in relation to integrity and a C in availability. See: http://www.leetsecurity.com/en/metodologia-decalificacion/

Is self-assessment an option?
  As mentioned, the scheme establishes a supervised self-assessment model to provide the ratings to the cloud service. So, all the security labels are provided starting with a self-assessment by the provider that is analysed and checked by the rating agency, with an in situ inspection the first time and, in the following rating modifications, only if it is considered needed. Finally, the agency has the commitment to audit all the services rated at least once every three years.

Is continuous monitoring part of the framework (like in PCI DSS)?
  Yes. The cloud provider has to sign an agreement (annually renewable) with leet security to use the rating system, which obliges it to inform about:
  - Mergers and acquisitions
  - Security incidents
  - Changes in service plans
  - Certification and/or audit issues
  - Changes in key third-party outsourcers
  There is also continuous monitoring by rating agency analysts of vendor and market conditions, to identify changing situations that could lead to a need to revise the services rated. Finally, it includes a complaint channel for service users, managed by the agency, that allows service users to present situations or criteria discrepancies with the vendor. And, regarding security monitoring by the cloud provider itself, there is a requirement, named Monitoring access control, focused on assuring the measures that the provider implements regarding monitoring.

Are the results of assessments (self-assessments, auditing, monitoring) publicly accessible?
  Yes, service labels will be publicly accessible through our site (www.leetsecurity.com).

Is the scope of assessment publicly available?
  Yes. In all cases, the scope is the same: the scope shall include all the systems connected to, and not completely segregated from, the systems directly involved in the service provision. Systems consist of people, processes and technology, like servers, applications and network components, including virtualized components. Examples of the previous elements are the following:
  - Servers: web, application, database, authentication, mail, proxy, network time protocol, domain name servers
  - Applications: internal / external, purchased / custom
  - Network components: firewalls, switches, routers, wireless access points, network appliances, security appliances
  If there is no network segmentation, the entire network should be in scope of the rating. Network segmentation can be implemented through different physical or logical means that restrict access to a particular segment of a network (such as properly configured internal network firewalls or routers with strong access control lists). If network segmentation is used to reduce the scope of the rating evaluation, the vendor should document the mechanisms in place and how an adequate configuration is guaranteed (network configuration, technologies deployed and other controls that may be implemented).
  Rating assignment is based on the evaluation of all system components involved in the service provision. So, if the vendor uses a third-party service provider for any part of that provision or to manage any component (routers, firewalls, databases, physical security, applications, security appliances and/or servers), there may be an impact on the security of the service provision. For those providers that outsource part of their infrastructure to third-party service providers, the rating evaluation should include the role of each service provider, clearly identifying which requirements apply to the assessed entity and which apply to the service provider. There are two options for third-party service providers to validate the rating level:
  1. They can undergo a rating evaluation on their own and provide the level obtained to their customers; or
  2. If they do not undergo their own rating evaluation, they will need to have their services included in the scope of their customers' rating evaluation.
  This way of defining the scope is based on the PCI DSS approach. It was chosen because it simplifies user understanding of security labels: users do not have to worry about the scope, because the scope is all the elements that impact the security of the cloud service.

Is the standard and/or framework updated following past incidents and/or changing technology?
  Yes, there is a plan to update it every two years. (At this moment the guide is young, so we are in the first version.)

Does certification expire? Yes, label validity is one year.

A.4.4 Current adoption and usage

Describe the current adoption of the certification framework.
  It is in the first stage. At this moment we are carrying out our first cloud service ratings with evicertia, which includes the evaluation of the five cloud services they offer.

How many providers have been certified?
  None. NOTE: This scheme is not going to have providers certified, because labels are assigned to the specific cloud services.

What is the reach of the certification scheme? Pilots

What is the potential applicability of the certification scheme? Global
A.5 Example: TÜV Certified Cloud Service

A.5.1 General information

Name of certification framework: Certified Cloud Service
Acronym: n.a.
Governing organisation: TÜV Rheinland
Link to main site of framework: http://www.tuv.com/en/corporate/business_customers/consulting_and_information_security/strategic_information_security/cloud_security_certification/cloud_security_certification.html
Certification target: one or more cloud services (the scope for the certification is services with cloud characteristics; the audit comprises detailed technical, organizational, process and compliance inspections)

A.5.2 Underlying information security standard or best practices

Provide information about the underlying security standard(s) or best practice(s) underlying the certification framework.

What is the underlying information security standard or best practice?
  Requirements and control catalogues of TÜV Rheinland for Cloud Services, structured in the requirement areas:
  - Organizational structure
  - Cloud architecture
  - Data security
  - Processes
  - Compliance

Organisation governing the standard: TÜV Rheinland

Link to standard or best practice:
  The standard is not yet available on the Internet due to TÜV Rheinland Group's policy. It can be made available in the next months.

What is the structure of the standard or best practice? Control objectives, detailed technical requirements, process requirements

Which assets are covered? Organization (processes, policies); Facilities (hardware, cooling, etc.); IaaS; PaaS; SaaS

Is the standard or best practice available to the public?
  The standard will be made available in 2013 after further clarification of the TÜV Rheinland Group's policy on publishing standards.

Is the standard or best practice based on existing international standards?
  Yes; the standard is based on ISO/IEC 27001, the BSI Baseline Protection Manual (IT-Grundschutz), ITIL, NIST recommendations, COBIT and data privacy regulation, adapted to cloud requirements.

Give one or more representative examples of a requirement set in the standard.
  Service Level Management: From the customer's perspective, the service features and quality of the cloud service and its assigned thresholds should be described in a manner that is both comprehensible and complete. SLAs are concluded by making use of an 'on-demand self service'. The cloud service provider shall demonstrate that it actively develops and operates a structure for the components required for the service (technical catalogue of services) and sufficiently manages the parties involved (sub-providers) in rendering the cloud services to ensure service quality.

A.5.3 Assessments and certification of compliance

Provide information about the process of assessment of compliance with the standard or best practice (self-assessment, auditing, monitoring) and how the assessment results in certification.

Describe the process leading to certification, from the assessments (self-assessment, auditing, continuous monitoring) to the issuing of a certificate of compliance.
  The audit process, which may lead to a certification of the service, comprises various steps:
  1. Interviews and conceptual analyses of organizational and administrative processes
  2. Interviews and conceptual analyses of the compliance management system
  3. Interviews and conceptual analyses of the service management processes
  4. Architectural review and security analyses
  If no high risks and no deviations from the certification requirements according to the TÜV Rheinland requirements catalogue exist, the service will be certified.

Which organisations are accredited to issue certificates? TÜV Rheinland

Which organisations license/certify auditors? TÜV Rheinland

How is the quality of the auditors guaranteed? Training, information sessions, audit code/guideline

Is a description of the audit process publicly available? Yes: http://www.tuv.com/en/corporate/business_customers/consulting_and_information_security/strategic_information_security/cloud_security_certification/cloud_security_certification.html

Does the framework support quality or maturity levels? No; a service quality level according to a service description is certified.

Is self-assessment an option? No

Is continuous monitoring part of the framework (like in PCI DSS)? Yes, at least every year

Are the results of assessments (self-assessments, auditing, monitoring) publicly accessible? No, but certificate statements (qualitative statements on the quality of the service) are issued.

Is the scope of assessment publicly available? Yes: http://www.certipedia.com/quality_marks/0000037035?locale=en

Is the standard and/or framework updated following past incidents and/or changing technology? Yes; the standard, requirements and control catalogues are updated at least once a year.

Does certification expire? Yes; the certification is valid for three years (certification period). At least two monitoring audits (continuous monitoring) apply during one certification period.

A.5.4 Current adoption and usage

Provide information about the adoption and usage of the certification framework.

Describe the current adoption of the certification framework.
  TÜV Rheinland Certified Cloud Service is the most widely used and independent cloud service certification in Germany and is becoming more and more relevant across Europe.

How many providers have been certified? 6 (+5 ongoing); see http://www.certipedia.com/. Note: not all certifications are published, as requested by our customers.

What is the reach of the certification scheme? National, across the EU, global

What is the potential applicability of the certification scheme? National, across the EU, global

A.6 Example: EuroCloud Star Audit

A.6.1 General information

Name of certification framework: EuroCloud Star Audit
Acronym: ECSA
Governing organisation: EuroCloud
Link to main site of framework: http://www.saas-audit.de/en/ (sample dissemination in German: https://www.promis.eu/de/eurocloud-star-audit/; an international platform based on Promis, with multiple languages, will be available in Q2/2014)
Certification target: one or more cloud services in conjunction with a company as the customer-facing contract partner

A.6.2 Underlying information security standard or best practices

Provide information about the underlying security standard(s) or best practice(s) underlying the certification framework.

What is the underlying information security standard or best practice?
  - EuroCloud Guideline "Law, Data Privacy and Compliance"
  - EuroCloud member advice
  - ISO 27001 as reference for ITSMS
  - ITIL Library 3.0 for Business Process Management
  - COBIT 5.0

Organisation governing the standard: N/A

Link to standard or best practice: N/A

What is the structure of the standard or best practice? Control objectives, general advice

Which assets are covered? Organization (processes, policies); Facilities (hardware, cooling, etc.); IaaS; PaaS; SaaS

Is the standard or best practice available to the public?
  Partially disclosed: https://www.dropbox.com/el/?r=/s/wsno5sk341ge886/ecstarauditinfo.zip&b=clk:35326487:16835348746143952723:1124:558&z=aad1lnogznjgk5eoivwd_y4xcfzwshtrkmifjljljnx3ug

Is the standard or best practice based on existing international standards?
  No. Further details:
  - http://www.youtube.com/watch?v=dghhslyxeg4&feature=plcp
  - ENISA (http:///activities/riskmanagement/files/deliverables/cloud-computing-riskassessment)
  - http://de.slideshare.net/eurocloud/tues1200-standards-compliancecertandreasweisseurocloudde

Give one or more representative examples of a requirement set in the standard. http://www.saas-audit.de/en/511/requirements/

A.6.3 Assessments and certification of compliance

Provide information about the process of assessment of compliance with the standard or best practice (self-assessment, auditing, monitoring) and how the assessment results in certification.

Describe the process leading to certification, from the assessments (self-assessment, auditing, continuous monitoring) to the issuing of a certificate of compliance. http://www.saas-audit.de/files/2013/09/082012_ec_competence.pdf

Which organisations are accredited to issue certificates? EuroCloud

Which organisations license/certify auditors? eco IT Service and Consulting GmbH; further partnerships to be established in Q4/2013

How is the quality of the auditors guaranteed? Training, information sessions, courses, audit code/guideline; random sampling of submissions by EuroCloud

Is a description of the audit process publicly available? http://www.saas-audit.de/files/2011/04/110223-Quick_Reference_en.pdf

Does the framework support quality or maturity levels? http://www.saas-audit.de/en/859/the-eurocloud-competence-for-quality-and-compliance-insurance-2/

Is self-assessment an option? http://www.saas-audit.de/files/2013/09/082012_ec_competence.pdf

Is continuous monitoring part of the framework (like in PCI DSS)? Planned for 2105 (NGCert); see also http://www.saas-audit.de/files/2013/09/16062013eurocloud_aw_certificationeurope-v4.pdf (page 38)

Are the results of assessments (self-assessments, auditing, monitoring) publicly accessible? Currently disclosed by the audited party; EuroCloud is allowed to publish a summary report; website in preparation

Is the scope of assessment publicly available? Yes; the scope is always the same and is outlined at http://www.saas-audit.de/files/2011/04/110223-Quick_Reference_en.pdf

Is the standard and/or framework updated following past incidents and/or changing technology?
  Yes; at least a catalogue review each year, identifying new requirements based on common practice and streamlining control requests according to the feedback from existing audits. Country-specific requirements are added according to local regulation requirements.

Does certification expire? Yes, after 2 years; indicated on the plaque.

A.6.4 Current adoption and usage

Provide information about the adoption and usage of the certification framework.

Describe the current adoption of the certification framework.
  Fully established in D, AT; CH in preparation after adjustment to local regulation. In preparation for France, Slovenia, Portugal, Finland, Romania, Netherlands, Italy, Sweden, Poland. Cooperation agreement with China, Taiwan and Australia.

How many providers have been certified?
  Successful: 3 SaaS, 1 IaaS, 50 DC colocations. Rejected: approx. 20, due to pre-assessment and identified compliance issues. Running: 2 SaaS, 1 IaaS.

What is the reach of the certification scheme? Across the EU

What is the potential applicability of the certification scheme? Across the EU; global, but not in scope, with strong interest from the Asian market. Dissemination potential: http://www.bmwi.de/en/service/publications,did=476736.html