European Cloud Computing Strategy: Cloud standards
Ken Ducatel, DG CONNECT
The Cloud Computing Strategy
The European Commission's strategy 'Unleashing the potential of cloud computing in Europe' was adopted on 27 September 2012. It is designed to speed up and increase the use of cloud computing across the economy.

Cloud strategy's key actions:
- Cutting through the jungle of technical standards
- Development of model 'safe and fair' contract terms and conditions
- A European Cloud Partnership to drive innovation and growth from the public sector

DG CONNECT working groups for the implementation of the strategy
- ETSI: Cloud Standards Coordination (launched on 4-5/12/2012)
- The Cloud Select Industry Group on Certification Schemes
- The Cloud Select Industry Group on Code of Conduct
- The Cloud Select Industry Group on Service Level Agreements
- Research: The Cloud Expert Group
- Steering Board (launched on 19/11/2012)
- The European Cloud Partnership
- Cloud for Europe (to be launched in 11/2013)
Launch status shown on the slide for the remaining groups, in the order listed: launched on 21/02/2013; launched on 10/04/2013; now completed.
ETSI Cloud Standards Coordination
- Launched in December 2012: workshop in Cannes, co-organized by the EC, 200+ participants
- Definition of work structure: 3 TGs and a coordination group (reference)
- Work is over half-way now
- Regular e-meetings (weekly), 4 face-to-face meetings
- TG1 and TG2 results provided: {roles, actors} and {use cases}
- Work on-going in TG3: consolidation, mapping, narrative (the tough part)
Done:
- Cloud Standards Coordination interim report (end June 2013)
- Report to ECP Steering Board (July 2013)
Ahead:
- Face-to-face meeting, Sophia Antipolis (October 2013)
- Final report preparation
- Final conference, Brussels (11 December 2013)
Use case examples
- Application on a Cloud
- Cloud Bursting
- Data Portability
- Processing Sensitive Data
- Data Integrity
- Guaranteed Availability
Phases: Acquisition; Operation; Termination
Standards coming up in the mapping draft of service acquisition (step: relevant standards)
- Terminology and metrics: TMF TR178, NIST Metrics
- Service assessment and comparison: WS-Agreement, CSCC SLA White Paper, TMF GB963, SMI
- Negotiation: TMF GB917, WS-Agreement Negotiation
- Standard expression of SLA: ISO SC38 SLA Framework & Terminology
- Determining SLA targets/thresholds: ENISA Procure Secure
- Customer data protection obligations: CSA Guidance, Europrise specifications
- Customer retrieves service offers: CSA STAR registry, ISO 27001/2
Standards & Security Certification Schemes: Why bother?
Vendor accountability & consumer trust
Focus areas:
- Data security
- Compliance with EU data protection rules
Benefits:
- Cloud users: ability to compare cloud offerings; outsource due diligence for compliance
- Cloud vendors: legal certainty; cost reduction
CSIG's guiding principles:
- User-centric
- Voluntary, business driven
- Leverage global standards/schemes
- No one size fits all: schemes to reflect various use cases
- Technology neutrality
- Lean and affordable
- Governance: separation of duties for standardization, accreditation and auditing
Identified EXISTING certification schemes
- ISACA - COBIT
- Cloud Security Alliance Open Certification Schema
- SOC / ISAE 3402 / SSAE16
- LeetSecurity Rating
- Europrise
- Cloud Industry Forum Code of Practice
- FISMA
- ISO 27001
- Eurocloud Star Audit
- PCI-C
- TÜV Rheinland
- ISO 20000 / ITIL
Initial evaluation:
- Data security: recognized standards/schemes exist, but only a few are fit for cloud purposes
- Data protection: no recognized standards/schemes yet
- Lack of transparency about some schemes (recognition, scope, added value, etc.)
- No one-stop shop in the EU
On-going and potential ACTIONS
Analysis of existing certification schemes:
- Qualified list of certification schemes (ENISA 2014)
- Metaframework to assist comparison, to be developed (ENISA 2014)
Actions on cloud certification schemes:
- Emerging data security standards applied to cloud requirements (ISO 27018)
- Draft code of conduct for data protection in the cloud & prototypes
- Endorsement of the code of conduct by regulatory authorities (esp. Data Protection Authorities)?
- Refer to / use cloud certification schemes in public procurement?
- EU-wide mutual recognition of cloud certificates?
EU policy framework & cloud certification:
- EU Data Protection Regulation
- EU NIS Directive in the Cyber Security Strategy