APPLIED AND INTEGRATED SECURITY

New approach for Compliance, Security and Data privacy assessment in the Cloud Age
NGCert Next Generation Certification
EuroCloud Forum 2015
Fraunhofer

AGENDA
Fraunhofer AISEC in a nutshell
New approach for Compliance, Security and Data privacy assessment in the Cloud Age: NGCert Next Generation Certification

Fraunhofer AISEC in a nutshell
Fraunhofer Institute for Applied and Integrated Security
Parkring 4, 85748 Garching (near Munich), Germany
Founded 2009
> 100 employees at the end of 2014
Directors: Prof. Dr. Claudia Eckert, Prof. Dr. Georg Sigl
http://www.aisec.fraunhofer.de

Fraunhofer AISEC in a nutshell: Fields of expertise
Embedded Security, Security Evaluation, Hardware Security, Product Protection, Cloud & Service Computing, Network Security, Automotive Security, Smart Grid Security, Secure Software Engineering

New approach for Compliance, Security and Data privacy assessment in the Cloud Age
NGCert Next Generation Certification
http://www.ngcert.de/

Definitions
Trust: Trust can be used to measure our confidence that a secure system behaves as expected. Sources of trust: security guidelines & policies, SLAs, certificates (CSA, NIST, BSI, EuroCloud, ...).
Certification: You don't have to measure on your own. Certificates can give evidence that a system behaves as specified and expected.
Cloud Services: IaaS, PaaS, SaaS. A question of trust(?). Dynamic, flexible, on-demand.
Dynamic Certification: Certification criteria are verified dynamically and on-demand.

Two numbers
56% of German companies worry that Cloud Computing compromises compliance requirements.
83% of German companies expect the data centre to be operated in Germany.
Source: Cloud Monitor 2015, BITKOM (Association for Information Technology, Telecommunications and New Media)

I will not talk about...
The Court of Justice declares that the Commission's US Safe Harbour Decision is invalid
http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf

Example: EuroCloud Star Audit
Developed under the European Cloud Strategy for worldwide use: https://eurocloud-staraudit.eu/
SaaS Seal of Quality: provider profile, contract and compliance, security, infrastructure reliability, processes, applications, implementations
Levels of quality from 1 to 5 stars (example criteria out of > 150):
3 Stars: Provider allows the customer to choose the place of jurisdiction or offers a contract directly according to the customer's legislation.
4 Stars: Direct access by admins is restricted, and before single access is granted, transaction data is anonymised with respect to user profiles.
5 Stars: At least once a year pentests are performed and documented in order to prove that security measures have been implemented appropriately.
Link: DuD - Datenschutz und Datensicherheit 5/2011, "Zertifizierte Cloud durch das EuroCloud Star Audit SaaS", Rüdiger Giebichenstein, Andreas Weiss
http://download.springer.com/static/pdf/151/art%253a10.1007%252fs11623-011-0082-2.pdf?auth66=1414339689_8a619a43e4843532c4422402cb113d19&ext=.pdf

Problem Statement: Traditional approach to certification
Manual evaluation of a certificate's requirements
Static testing intervals and validity of one to three years
[Figure: Audit & Certification timeline with audits at year 0 and year 2]

Problem Statement: Problem of traditional certification approaches
Between audits, the certified Cloud service has already changed.
A violation of the certificate's requirements can occur without being recognised.
[Figure: Audit & Certification timeline with audits at year 0 and year 2 and unknown status (??) in between]

Problem Statement: Automatic and continuous evaluation of the requirements
Automatic comparison of the high-level requirements of a certificate with information about the Cloud service (e.g. behaviour during runtime, based on monitoring data)
[Figure: Audit & Certification timeline with audits at year 0 and year 2 and continuous evaluation in between]

Motivation
Cloud Computing: Cloud service certifications attempt to assure a high level of security and compliance. Cloud services are part of an ever-changing environment. Challenge: security, data privacy, service level objectives and legal compliance (e.g. commissioned data processing).
Certification: Multi-year validity periods may put the reliability of certifications in doubt. Many widespread certificates already existed before the Cloud; more tailored certificates are needed. Important: transparency and trustworthiness.
Research goal: Continuous auditing of selected certification criteria to continuously assure reliable and secure cloud services and thereby increase the trustworthiness of certifications.

The big picture
[Figure: Certificates & Catalogues of Criteria; Legal Implications; Aggregation and interpretation of Cloud sensor data (Complex Event Processing, Machine Learning & Data Mining, Data and process model); Monitoring & Testing Tools; Cloud Ecosystems; Status information]
Criteria derived from technical information need to be validated automatically and on-demand.

<Excursion> Legal Implications
EIC, 5th-8th May 2015, mario.hoffmann@aisec.fraunhofer.de, Fraunhofer AISEC


Legal implications (1/3)
According to German data protection law, the usage of Cloud Computing services is commissioned data processing: the Cloud user is the customer, the Cloud provider is the contractor, and the customer has a monitoring obligation towards the contractor.
The German Data Protection Act regulates the monitoring obligation of the Cloud user concerning the technical and organisational measures of the Cloud provider.

Legal implications (2/3): External expertise
Challenge: Personal on-site control. Cloud users show a common lack of expert knowledge; where data is stored is ambiguous; disproportionate effort is necessary. "Validation tourism" is not practical for either side.
Approach: Utilisation of external expertise is possible, but static certification does not fully fulfil legal compliance. Dynamic certification?

Legal implications (3/3)
Research questions from a legal perspective: Who certifies? Private or public institution? Legitimation? Reputation? Acceptance? How are the testing criteria defined and specified? Are they up-to-date? Who supervises the certification authority? What kind of legal impact does the grant/denial of such a certificate have?
Fields of law concerned: constitutional law, constitutional process law, European law, data protection law, administrative law, administrative procedural law, civil law, civil process law, competition law, criminal law etc.

</Excursion> Legal Implications

NGCert Next Generation Certification
Nationally funded project, 10/2014-09/2017, http://www.ngcert.de/download/papers/
Hypotheses: It is possible to evaluate critical requirements of a certificate automatically. A completely automatic certification for dedicated test steps (only) is possible.
[Figure: Certificate requirements (checklist) -> Σ Checklists (requirements of all certificates) -> split into automatically verifiable technical requirements (Metric 1 with threshold ... Metric N) and technical requirements that are not automatically verifiable -> Analyse & Validate (e.g. CEP) -> Results & Reports (e.g. dashboard)]
Automatic test steps can help to prove the fulfilment of requirements regarding quality, data protection, and data security, ensuring legal compliance.
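The slide's "Metric N (with threshold)" and "Analyse & Validate" steps, shown as an added example that is not NGCert project code: three of the Star Audit criteria quoted above (yearly documented pentest, anonymised data before direct admin access) plus an assumed storage-location metric are evaluated continuously against constructed monitoring events, so that a violation arising between two static audits is reported the moment it is observed.

```python
from datetime import datetime, timedelta

# Constructed monitoring events (sample data, not from any real provider).
EVENTS = [
    {"ts": "2015-01-10T08:00:00", "type": "pentest", "documented": True},
    {"ts": "2015-03-01T12:00:00", "type": "storage", "country": "DE"},
    {"ts": "2015-03-02T09:30:00", "type": "admin_access", "direct": True, "anonymised": True},
    {"ts": "2015-09-20T09:30:00", "type": "storage", "country": "US"},
    {"ts": "2015-10-05T14:00:00", "type": "admin_access", "direct": True, "anonymised": False},
]

def _ts(e):
    return datetime.fromisoformat(e["ts"])

def check_pentest(events, now, max_age=timedelta(days=365)):
    """5-star criterion: a documented pentest within the last year (threshold = 365 days)."""
    tests = [_ts(e) for e in events if e["type"] == "pentest" and e["documented"]]
    if not tests:
        return False, "no documented pentest on record"
    age = now - max(tests)
    return age <= max_age, f"last pentest {age.days} days ago"

def check_location(events, now, allowed=("DE",)):
    """Assumed metric (not a Star Audit criterion): data stored only in allowed countries."""
    seen = {e["country"] for e in events if e["type"] == "storage"}
    return seen <= set(allowed), f"storage observed in {sorted(seen)}"

def check_admin_access(events, now):
    """4-star criterion: direct admin access only after transaction data is anonymised."""
    bad = [e for e in events if e["type"] == "admin_access" and e["direct"] and not e["anonymised"]]
    return not bad, f"{len(bad)} direct access(es) to non-anonymised data"

CRITERIA = {"pentest": check_pentest, "location": check_location, "admin_access": check_admin_access}

def evaluate(events, now_iso):
    """Evaluate every criterion against the events observed up to now_iso.
    Returns {criterion: (fulfilled, evidence)}; this is the 'Analyse & Validate' step."""
    now = datetime.fromisoformat(now_iso)
    window = [e for e in events if _ts(e) <= now]
    return {name: fn(window, now) for name, fn in CRITERIA.items()}

def first_violation(events):
    """Re-evaluate at every event: the moment a criterion first fails, which a
    static audit cycle would only discover at the next audit."""
    for t in sorted(_ts(e) for e in events):
        failed = [n for n, (ok, _) in evaluate(events, t.isoformat()).items() if not ok]
        if failed:
            return t.isoformat(), failed
    return None, []

if __name__ == "__main__":
    print(evaluate(EVENTS, "2015-03-15T00:00:00"))  # a static audit in March sees all criteria fulfilled
    print(first_violation(EVENTS))                  # ('2015-09-20T09:30:00', ['location'])
```

An audit performed in March would certify the service; the continuous evaluation reports the September storage-location change and the October admin-access violation without waiting for the next audit.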

NGCert Summary
Design principles for developing dynamic certifications
Appropriate metrics and (new) methods for assuring requirements such as security, privacy, and compliance, matching monitoring results as appropriate evidence for common compliance controls in the areas of security, data privacy, service level objectives and legal compliance
Certification framework and tool chain for continuous (semi-)automated auditing (e.g. monitoring, logging, reporting, and alerting services)

Contact
Fraunhofer AISEC, Parkring 4, 85748 Garching (near Munich), Germany
Service & Application Security (SAS)
Mario Hoffmann, Head of department
Tel: +49-(0)89 322 9986-177
Fax: +49-(0)89 322 9986-299
Email: mario.hoffmann@aisec.fraunhofer.de
Web: http://www.aisec.fraunhofer.de