  • Output Break-out Session #1: Security and Privacy

    CLOUD STANDARDS COORDINATION, Cannes, 4-5 December 2012
    © ETSI 2012. All rights reserved

    ETSI/BOARD(12)89_0XX

  • Session 1: Security and Privacy

    Rapporteur: Thomas Haeberlen (ENISA)

    Co-Facilitators: Daniele Catteddu (CSA), Michael Fisher (BT)

    Participants: ~ 50

  • Functional scope

    The scope covers the creation of a standards landscape and roadmap applicable to electronic information processed or stored in the cloud. The context is information security and privacy/data protection.

    Specifically, five main areas are envisaged:
    - Governance
    - Risk assessment
    - Compliance
    - Technology-neutral risk treatment + controls
    - Frameworks at detail level, e.g. encryption, authentication, accountability, BCM, incident management, etc.

    Consider cloud-relevant standards, not just cloud-specific ones.

  • Use cases/requirements

    Key questions that need to be addressed (bearing in mind the EU landscape and market):
    - Cross-border legal issues: both privacy and security issues were cited
    - Diversity in data privacy laws across the EU seems to be a very prominent issue
    - Conflict of interest between cloud users and the national security of the hosting country
    - Visibility, transparency
    - Assurance and trust
    - Certification, audit and testing
    - Compatibility and interoperability with standards outside Europe
    - Identity and Access Management, AAA
    - Security along the supply chain
    - Virtualization and multi-tenancy risks
    - Data location, secure data deletion

  • Use cases/requirements

    Requirements/use cases:
    - Use cases are very diverse; no clear picture emerged during the session
    - Defined use cases are essential
    - Having a reference architecture would be helpful
    - Need to cover the whole spectrum from consumer cloud to public procurement for government clouds and ECP

  • Who does what in this space?

    Organizations delivering technical specifications and/or standards:
    - ISO/IEC JTC1 SC27
      - InfoSec: 27000, 27001, 27002, 27005, 27009 (number TBC), 27017 / 27036-1 / 27036-5 / sector-specific implementation of ISO 27001
      - Privacy: 27018, 29100, 29101, PIMS project, PIA project
    - Common Criteria
    - ITU-T SG17: X.ccsec, X.gpim
    - BSI (Germany): Security Recommendations for Cloud Computing Providers; IT-Grundschutz plus extensions (e.g. technical guidelines)
    - NIST: SP 800-12, SP 800-14, SP 800-26, SP 800-37, SP 800-53 rev4, SP 800-122, SP 800-144

  • Who does what in this space? (contd)

    Organizations delivering technical specifications and/or standards (continued):
    - ENISA: Cloud Assurance Framework, Procure Secure guidelines
    - ETSI: several standards related to electronic signatures etc.
    - BSI (UK): BS 10012
    - UK government: published G-Cloud security & privacy checklists for 27001/2
    - Information Security Forum: Standard of Good Practice
    - CSA: Cloud Control Matrix (CCM) / Open Certification Framework (OCF)

  • Who does what in this space? (contd)

    Organizations delivering technical specifications and/or standards (continued):
    - Payment Card Industry Security Standards Council: PCI DSS
    - IETF: RFC 2196, SCIM
    - EuroCloud: STAR Audit
    - AICPA: SOC 1, SOC 2, SOC 3
    - ODCA: requirements
    - OASIS: SAML
    - OpenID Foundation
    - Commonwealth of Massachusetts: checklist under Massachusetts General Law Chapter 93H, 201 CMR 17.00

  • Who does what in this space? (contd)

    Organizations delivering technical specifications and/or standards (continued):
    - ISACA: COBIT 5
    - Shared Assessments Program
    - COSO

    Other suggestions on relevant standards:
    - ITIL V3
    - ISAE 3402
    - FFIEC
    - PMBOK
    - Information security rating (www.leetsecurity.com)
    - CMMI for Development, V1.2
    - TOGAF 8.1
