APPLIED AND INTEGRATED SECURITY
New approach for Compliance, Security and Data privacy assessment in the Cloud Age
NGCert: Next Generation Certification
EuroCloud Forum 2015
Fraunhofer
AGENDA
- Fraunhofer AISEC in a nutshell
- New approach for Compliance, Security and Data privacy assessment in the Cloud Age: NGCert, Next Generation Certification
Fraunhofer AISEC in a nutshell
Fraunhofer Institute for Applied and Integrated Security
Parkring 4, 85748 Garching (near Munich), Germany
- Founded 2009
- > 100 employees at the end of 2014
- Directors: Prof. Dr. Claudia Eckert, Prof. Dr. Georg Sigl
http://www.aisec.fraunhofer.de
Fraunhofer AISEC in a nutshell: fields of expertise
- Embedded Security
- Security Evaluation
- Hardware Security
- Product Protection
- Cloud & Service Computing
- Network Security
- Automotive Security
- Smart Grid Security
- Secure Software Engineering
New approach for Compliance, Security and Data privacy assessment in the Cloud Age
NGCert: Next Generation Certification
http://www.ngcert.de/
Definitions
- Trust: Trust can be used to measure our confidence that a secure system behaves as expected. Sources of trust: security guidelines & policies, SLAs, certificates (CSA, NIST, BSI, EuroCloud, ...).
- Certification: You don't have to measure on your own. Certificates can give evidence that a system behaves as specified and expected.
- Cloud Services: IaaS, PaaS, SaaS. A question of trust(?) Dynamic, flexible, on-demand.
- Dynamic Certification: Certification criteria are verified dynamically and on-demand.
Two numbers
- 56% of German companies worry that Cloud Computing compromises compliance requirements.
- 83% of German companies expect the data centre to be operated in Germany.
Source: Cloud Monitor 2015, BITKOM (Association for Information Technology, Telecommunications and New Media)
I will not talk about...
The Court of Justice declares that the Commission's US Safe Harbour Decision is invalid
http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf
Example: EuroCloud Star Audit
- Developed under the European Cloud Strategy for worldwide use: https://eurocloud-staraudit.eu/
- SaaS Seal of Quality: provider profile, contract and compliance, security, infrastructure reliability, processes, applications, implementations
- Levels of quality from 1 to 5 stars (example criteria out of > 150):
  - 3 Stars: Provider allows the choice of place of jurisdiction by the customer or offers a contract directly according to the customer's legislation.
  - 4 Stars: Direct access by admins is restricted, and before single access is granted, transaction data is anonymised with respect to user profiles.
  - 5 Stars: At least once a year pentests are performed and documented in order to prove that security measures have been implemented appropriately.
Link: DuD - Datenschutz und Datensicherheit 5/2011, "Zertifizierte Cloud durch das EuroCloud Star Audit SaaS", Rüdiger Giebichenstein, Andreas Weiss
http://download.springer.com/static/pdf/151/art%253a10.1007%252fs11623-011-0082-2.pdf?auth66=1414339689_8a619a43e4843532c4422402cb113d19&ext=.pdf
Problem Statement: traditional approach to certification
- Manual evaluation of a certificate's requirements
- Static testing intervals and a validity of one to three years
[Figure: audit & certification timeline, audits at year 0 and year 2]
Problem Statement: problem of traditional approaches to certificates
- Between audits the certified Cloud service has already changed
- A violation of the certificate's requirements can occur without being recognised
[Figure: audit & certification timeline, audits at year 0 and year 2; the state of the service between audits is unknown ("??")]
Problem Statement: automatic and continuous evaluation of the requirements
- Automatic comparison of the high-level requirements of a certificate with information about the Cloud service (e.g. behaviour during runtime, based on monitoring data)
[Figure: audit & certification timeline, audits at year 0 and year 2; continuous evaluation fills the gap ("??") between them]
Motivation
Cloud Computing
- Cloud service certifications attempt to assure a high level of security and compliance.
- Cloud services are part of an ever-changing environment.
- Challenge: security, data privacy, service level objectives and legal compliance (e.g. commissioned data processing)
Certification
- Multi-year validity periods may put the reliability of certifications in doubt.
- Many widespread certificates already existed before the Cloud; more tailored certificates are needed.
- Important: transparency and trustworthiness
Research goal: Continuous auditing of selected certification criteria, to assure continuously reliable and secure cloud services and thereby increase the trustworthiness of certifications.
The big picture
[Figure: components of the dynamic certification architecture]
- Certificates & catalogues of criteria
- Legal implications
- Aggregation and interpretation of Cloud sensor data: Complex Event Processing, Machine Learning & Data Mining, data and process model
- Monitoring & testing tools
- Cloud ecosystems: status information
Criteria derived from technical information need to be validated automatically and on demand.
<Excursion> Legal Implications
EIC, 5th-8th May, 2015, mario.hoffmann@aisec.fraunhofer.de, Fraunhofer AISEC
Legal implications (1/3)
According to German data protection law, the usage of Cloud Computing services is a case of commissioned data processing.
[Figure: the Cloud user (customer) has a monitoring obligation towards the Cloud provider (contractor)]
The German Data Protection Act regulates the monitoring obligation of the Cloud user concerning the technical and organisational measures of the Cloud provider.
Legal implications (2/3): external expertise
Challenge: personal on-site control
- Cloud users show a common lack of expert knowledge
- Where data is stored is ambiguous
- Disproportionate effort necessary
- "Validation tourism" is not practical for either side
Approach
- Utilisation of external expertise is possible, but static certification does not fully fulfil legal compliance
- Dynamic certification?
Legal implications (3/3)
Research questions from a legal perspective:
- Who certifies? Private or public institution? Legitimation? Reputation? Acceptance?
- How are the testing criteria defined and specified? Are they up-to-date?
- Who supervises the certification authority?
- What kind of legal impact does the grant/denial of such a certificate have?
Fields of law concerned: constitutional law, constitutional process law, European law, data protection law, administrative law, administrative procedural law, civil law, civil process law, competition law, criminal law etc.
</Excursion> Legal Implications
NGCert: Next Generation Certification
Nationally funded project, 10/2014-09/2017, http://www.ngcert.de/download/papers/
Hypotheses:
- It is possible to evaluate critical requirements of a certificate automatically.
- A completely automatic certification for dedicated test steps (only) is possible.
- Automatic test steps can help to prove the fulfilment of requirements regarding quality, data protection and data security, ensuring legal compliance.
[Figure: evaluation pipeline]
- Certificate requirements (checklist) -> Σ checklists (requirements of all certificates)
- Split into: automatically verifiable technical requirements (Metric 1 with threshold ... Metric N) and technical requirements that are not automatically verifiable
- Analyse & validate (e.g. CEP) -> Results & reports (e.g. dashboard)
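As an added illustration of the pipeline sketched above (example code written for this page, not NGCert project code): three of the Star Audit criteria quoted earlier are reduced to metrics with thresholds and re-evaluated on demand against monitoring events, so a requirement that held at the last audit can be seen to fail later. The event kinds, attribute names, criteria wording and all sample events are assumptions constructed for the example.

```python
"""Continuous evaluation of certificate criteria against monitoring data: each
verifiable requirement is a metric with a threshold, re-checked on demand."""
from dataclasses import dataclass
from datetime import date
from typing import Callable

@dataclass(frozen=True)
class Event:          # one record from a hypothetical cloud sensor or log
    day: date
    kind: str         # "storage", "admin_access" or "pentest"
    attrs: dict

@dataclass(frozen=True)
class Metric:
    criterion: str                        # requirement from the checklist
    value: Callable[[list, date], float]  # aggregation over the events
    passes: Callable[[float], bool]       # threshold check

def storage_outside_de(events, _today):
    return sum(1 for e in events if e.kind == "storage" and e.attrs["country"] != "DE")
def unanonymised_admin_reads(events, _today):
    return sum(1 for e in events if e.kind == "admin_access" and not e.attrs["anonymised"])
def days_since_pentest(events, today):
    tests = [e.day for e in events if e.kind == "pentest" and e.attrs["documented"]]
    return (today - max(tests)).days if tests else float("inf")

METRICS = [  # metric 1..N with thresholds, modelled on the Star Audit criteria above
    Metric("data held in German data centres only", storage_outside_de, lambda v: v == 0),
    Metric("admins see only anonymised transaction data", unanonymised_admin_reads, lambda v: v == 0),
    Metric("documented pentest at least once a year", days_since_pentest, lambda v: v <= 365),
]

AUDIT_DAY = date(2015, 10, 1)
SAMPLE_EVENTS = [  # constructed sample monitoring data, not real telemetry
    Event(date(2015, 9, 1), "storage", {"node": "st-01", "country": "DE"}),
    Event(date(2015, 9, 1), "storage", {"node": "st-02", "country": "IE"}),
    Event(date(2015, 9, 3), "admin_access", {"user": "ops1", "anonymised": True}),
    Event(date(2015, 9, 4), "admin_access", {"user": "ops2", "anonymised": False}),
    Event(date(2015, 3, 10), "pentest", {"documented": True}),
]

def evaluate(events, today):
    report = {}  # {criterion: (metric value, fulfilled)}, the input for a dashboard
    for m in METRICS:
        v = m.value(events, today)
        report[m.criterion] = (v, m.passes(v))
    return report

def certificate_holds(events, today):
    return all(ok for _, ok in evaluate(events, today).values())
```

Running `certificate_holds` for the same events on a later day shows the "??" gap of the timeline slides: the yearly pentest criterion passes on the audit day and fails six months later without any new audit.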
NGCert Summary
- Design principles for developing dynamic certifications
- Appropriate metrics and (new) methods for assuring requirements such as security, privacy and compliance, to match monitoring results as appropriate evidence for common compliance controls in the areas of security, data privacy, service level objectives and legal compliance
- Certification framework and tool chain for continuous (semi-)automated auditing (e.g. monitoring, logging, reporting and alerting services)
Contact
Fraunhofer AISEC
Parkring 4, 85748 Garching (near Munich), Germany
Service & Application Security (SAS)
Mario Hoffmann, Head of department
Tel: +49-(0)89 322 9986-177
Fax: +49-(0)89 322 9986-299
Email: mario.hoffmann@aisec.fraunhofer.de
Web: http://www.aisec.fraunhofer.de