ENISA and Cloud Security

ENISA and Cloud Security
Dimitra Liveri, NIS Expert
EuroCloud Forum 2015, Barcelona, 07-10-2015
European Union Agency for Network and Information Security

Securing Europe's Information Society. Operational office in Athens.

Positioning ENISA activities

Agenda
- Benefits of cloud computing
- Risks in cloud computing
- ENISA activities in cloud security
- ENISA tools: Risk Assessment for SMEs; Cloud Certification Schemes List
- Next steps

Cloud Computing is a Business Model
- Cloud computing is another way of providing IT services
- Characteristics: highly standardized services, highly standardized SLAs
- Using such a service is outsourcing
- Cloud SLAs are usually much more standardized than in other outsourcing contracts

Cloud Computing is a Deployment Model
- Information processing in a shared environment, using shared computing resources
- Resources can be quickly scaled to meet changing demand
- Cloud deployments are usually much more standardized and automated than legacy IT
(Image credit: Google / Conny Zhou)

Cloud Opportunities
- Economies of scale: better ROI; the cost of security is spread across all customers
- Efficient solutions: more efficient resource utilization also means cost savings
- High resiliency: better backup services; better business recovery
- Standardised solutions: better patch management; better software update management; portable and interoperable

Cloud Challenges
- Isolation failures: control over the shared infrastructure resides with the cloud provider
- Loss of governance: the customer cedes some control to the provider (depending on the deployment model); this also affects security
- Management GUI and API compromise: identity and access management is particularly important, since these interfaces give full access to all resources (keys to many kingdoms)
- Data protection: the CSP usually becomes a data processor in terms of data protection legislation; data processing in datacentres abroad can mean that certain data protection requirements cannot be met in the cloud

Differences in Requirements for Governments vs. Companies
Private sector:
- Requirements differ with scale, i.e. large companies vs. SMEs
- Investment is judged from a cost perspective
- Easier to make the right decision
Public sector:
- Legacy data, legacy applications, legacy processes
- Special information assurance requirements
- Needs more time to adopt

ENISA's work in the area of Cloud
- 2009: Cloud computing risk assessment
- 2009: Cloud security assurance framework
- 2012: Procure Secure (security in SLAs)
- 2013: Critical cloud computing
- 2013: Incident reporting for cloud computing
- 2013: Securely deploying GovClouds
- 2013: Support to the EU Cloud Strategy
- 2014: Cloud Certification Meta-Framework
- 2014: Procurement security in GovClouds
- 2015: Cloud Security Guide for SMEs
http://www.enisa.europa.eu/activities/resilience-and-ciip/cloud-computing

ENISA engages the community: the ENISA Cloud Security and Resilience experts group

Cloud Computing Risk Assessment. Addressed to: public sector, private sector (large companies and SMEs), governmental agencies.

Risk Assessment in the Cloud
- The well-known 2009 guide, updated in 2012
- Security Guide for SMEs, 2015

Security Guide for SMEs
Small and medium-sized enterprises (SMEs) are an important driver for innovation and growth in the EU. Cloud computing is a means for innovation, but the cloud is still a challenge for SMEs. In this study ENISA presents:
- 11 security opportunities (compared to the benefits of legacy IT)
- 11 security risks (compared with the risks of legacy IT)
- 12 security questions for the SME to ask the provider (in one security cheat sheet)
- 2 comprehensive scenarios
- Some legal advice

... and an online tool, where you can:
- rate your opportunities from the cloud
- rate your risks
- produce a risk map
- get your security questions

Governmental Clouds. Addressed to: public sector, governmental agencies.

Governmental Cloud reports (1/2)
2010: Guide on security and resilience for Governmental Clouds
- Presentation of the security benefits and drawbacks for the public sector of going to the cloud
- First steps to be taken before deciding to go cloud
2013: Good practice guide on how to securely deploy Governmental Clouds
- Definition of a governmental cloud (in a mature market)
- State of cloud computing adoption in the EU public sector
- Case studies of different approaches to adopting a cloud solution

Governmental Cloud reports (2/2)
2014: Security Framework for Governmental Clouds
- 4 phases, 10 steps, and the specific actions to be taken in each one
- 4 use-case scenarios to find the solution that best fits each implementation

Critical Clouds. Addressed to: private sector (public sector in some cases).

ENISA's Critical Cloud Study
- First assessment of the CIIP aspects of cloud computing
- Illustrates dependencies and provides examples of failures
- Provides recommendations for cloud security governance from the CIIP perspective
- Conclusions can be applied to governmental cloud usage

Incident Reporting for Cloud Computing
- Cloud computing incidents can have major impact
- Large-scale incidents should be reported to improve trust
- Public sector and industry should agree on the scope and thresholds of reporting
- ENISA suggests a model for reporting cloud incidents, involving CSPs and regulators

Cloud in the Critical Sectors
- Critical Clouds
- Cloud computing in the finance sector
- Cloud supporting health care systems and services
- Cloud supporting eGovernment

Good Practices for the Use of Cloud Computing in the Finance Sector
- Identification of the critical challenges to cloud computing adoption in the finance sector
- Assessment of the legal and regulatory context (challenges and opportunities) in all member states
- Support to industry and understanding of its uptake: why do some use cloud and some not?
- Recommendations

Cloud Certification. Addressed to: private sector (large companies and SMEs), public sector and governmental agencies in some cases.

The EU Cloud Strategy
- The EU should not only be cloud-friendly, but also cloud-active
- The European Commission's strategy "Unleashing the potential of cloud computing in Europe", adopted on 27 September 2012, is designed to speed up and increase the use of cloud computing across the economy:
  - Cutting through the jungle of technical standards
  - Development of model safe and fair contract terms and conditions
  - A European Cloud Partnership to drive innovation and growth from the public sector
"I am pleased that ETSI launched and steered the Cloud Standards Coordination (CSC) initiative in a fully transparent and open way for all stakeholders. ... ensuring technical security requirements are mapped onto certification, as ENISA is leading ... we officially launch the platform for public sector cooperation with this 'Cloud for Europe' initiative. This is an enormous step forward." (Neelie Kroes, European Commissioner for the Digital Agenda, Oct 2013)

ENISA realising the EU Cloud Strategy: Certification
- Strategic objective of the EC strategy: a list of voluntary certification schemes
- Cloud Certification Schemes List (CCSL): a list of existing certification schemes; 13 certification schemes included; powered by ENISA, supported by the EC and the Cloud Select Industry Group (C-SIG)
- Cloud Certification Schemes Metaframework (CCSM): a meta-framework based on the existing certification schemes; maps the detailed ICT security requirements of the public sector in the EU (11 countries so far, more to come); the resulting matrix is to be used in procurement
Visit: https://resilience.enisa.europa.eu/cloud-computing-certification

How we draw CCSM
- The national security requirements of each country (Country A, Country B, ...) are mapped onto CCSM security objectives
- Each CCSM security objective is mapped onto the references of the existing cloud certification schemes that cover it (scheme refs)
- Requirements not covered by CCSM or by existing certification schemes remain to be evaluated separately
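The two-level mapping on this slide (national requirement → CCSM security objective → certification scheme reference) is what lets a procurer ask, for a given scheme, which of its national requirements a certificate actually covers. The following Python script is an added example written for this page, not ENISA's own tooling and not the real CCSM: the country requirements, objective identifiers (SO-IAM etc.), scheme names and scheme references are all constructed placeholders. It classifies each requirement as fully covered (every mapped objective is certified by the scheme), partially covered (some objectives missing), or outside CCSM (no objective at all), and picks the scheme that covers the most requirements in full.

```python
"""Coverage check in the style of the CCSM two-level mapping (constructed example).

All data below is hypothetical: requirement texts, CCSM-style security objective
identifiers, scheme names and scheme references are placeholders, not CCSM content.
"""
from dataclasses import dataclass, field

# National requirement -> set of CCSM security objectives it maps onto.
# An empty set marks a requirement that CCSM does not cover at all.
COUNTRY_REQUIREMENTS = {
    "Country A": {
        "A-01 Access control policy": {"SO-IAM"},
        "A-02 Encryption of data at rest": {"SO-CRYPTO"},
        "A-03 Incident notification within 24h": {"SO-INCIDENT"},
        "A-04 Data must stay in national territory": set(),
    },
    "Country B": {
        "B-01 Privileged access review": {"SO-IAM", "SO-LOGGING"},
        "B-02 Backup and restore testing": {"SO-BCM"},
        "B-03 Security incident handling": {"SO-INCIDENT"},
    },
}

# Certification scheme -> {security objective: reference to the control in that scheme}.
SCHEMES = {
    "Scheme X": {"SO-IAM": "X.9.2", "SO-CRYPTO": "X.10.1", "SO-LOGGING": "X.12.4", "SO-BCM": "X.17.1"},
    "Scheme Y": {"SO-IAM": "Y-AC-1", "SO-CRYPTO": "Y-SC-3", "SO-INCIDENT": "Y-IR-2", "SO-BCM": "Y-CP-1"},
}


@dataclass
class Coverage:
    covered: dict = field(default_factory=dict)       # requirement -> {objective: scheme ref}
    partial: dict = field(default_factory=dict)       # requirement -> objectives the scheme lacks
    outside_ccsm: list = field(default_factory=list)  # requirements with no CCSM objective

    def separate_evaluation(self) -> list:
        """Requirements the procurer must still evaluate outside the certificate."""
        return sorted(list(self.partial) + self.outside_ccsm)


def assess(country: str, scheme: str) -> Coverage:
    """Map each national requirement through its objectives to the scheme's references."""
    requirements = COUNTRY_REQUIREMENTS[country]
    certified = SCHEMES[scheme]
    result = Coverage()
    for requirement, objectives in requirements.items():
        if not objectives:
            result.outside_ccsm.append(requirement)
            continue
        missing = {o for o in objectives if o not in certified}
        if missing:
            result.partial[requirement] = missing
        else:
            result.covered[requirement] = {o: certified[o] for o in objectives}
    return result


def best_scheme(country: str) -> str:
    """Scheme certifying the most requirements in full; ties broken by name."""
    return min(SCHEMES, key=lambda s: (-len(assess(country, s).covered), s))


if __name__ == "__main__":
    for country in COUNTRY_REQUIREMENTS:
        scheme = best_scheme(country)
        cov = assess(country, scheme)
        print(f"{country}: {scheme} fully covers {sorted(cov.covered)}")
        print(f"  evaluate separately: {cov.separate_evaluation()}")
```

The interesting output is the last line per country: everything a certificate does not reach (partially mapped requirements and requirements with no CCSM objective, such as a data-location constraint) is exactly the set the slide says "remains to be evaluated separately" in the procurement.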

Next steps
- Ex-post analysis of cloud incidents (early 2016): an EU perspective on ex-post analysis (forensics) of cloud incidents, covering 8 countries (IT, ES, IE, NL, GR, FR, EE, UK) and involving academia, LEAs, forensics specialists and CERTs; challenges, procedures, tools, legal restrictions
- ICT in eHealth (2016): challenges and opportunities of ICT deployments in eHealth (medical records, patient records, etc.); a cloud computing use case in eHealth; a big data use case in eHealth

Thank you and Welcome!
PO Box 1309, 710 01 Heraklion, Greece
Tel: +30 28 14 40 9710
info@enisa.europa.eu
www.enisa.europa.eu