EU Cloud Computing Policy
Luis C. Busquets Pérez
26 September 2017
The digital revolution is built on data
Potential of the data-driven economy (figure: people employed in the data economy, 6 million rising to 7.4 million)
Most economic activity will depend on data within a decade.
Ref.: European Data Market Study SMART 2013/0063, available at: http://datalandscape.eu/
Pillar 3: Economy & Society
Ensuring that Europe's economy, industry and employment take full advantage of what digitalisation offers.
Creating a European digital economy and society with growth potential:
• Digitising industry
• Cloud
• Inclusive digital economy and society
• e-government
• Standardisation & interoperability
• Digital skills
• Data economy
What is limiting enterprises from using cloud computing services?
Figure: Factors limiting enterprises from using cloud computing services, by size class, EU-28, 2014 (Source: Eurostat, 2014). The same factors can be extended to the public sector.
Building a European Data Economy
Building a Data Economy: Free Flow of Data (FFD); interoperability and portability; liability; ownership of and access to data.
FFD Iceberg (what holds free flow of data back):
• Data localisation restrictions
• Legal uncertainty
• Lack of trust
FFD Building Blocks:
• General FFD principle
• Data security
• Data availability
• Data portability
2015 EU28 Cloud Security Conference
• Raise awareness and educate users and SMEs on cloud security.
• Improve the transparency of cloud services: continuous monitoring mechanisms, accountability through, for example, certification and other mechanisms.
• Flexible policy approaches towards cloud security to allow further technological advancements.
• Data protection: where and how data are stored, accessed, transferred and processed.
• Strengthen cooperation and define clear procurement guidelines built on cooperation between industry and the public sector.
Certification Schemes for Cloud Computing SMART 2016/0029
Challenge: customers need to know, and be assured, that their data is equally safe no matter where the data are located or who provides the service.
• What security aspects need to be considered in cloud computing to ensure Free Flow of Data and cross-border services?
• What regulatory aspects need to be considered / addressed?
• How much would it cost a European CSP to comply with a certification scheme, and what would be the cost of not being certified?
03 Current Situation
Landscape of standards and schemes (Source: ETSI CSC):
• ISO/IEC: ISO/IEC 17203, ISO/IEC 17826:2012, ISO/IEC 19041, ISO/IEC 19044, ISO 19086, ISO/IEC 19099, ISO/IEC 19831, ISO 19941, ISO 19944, ISO/IEC 20000-1, ISO 22301, ISO/IEC 24760-1, family of ISO/IEC 2700x, ISO/IEC 29100, ISO/IEC 29101, ISO/IEC 29115
• NIST: NIST SP 500-299, Draft NIST SP 500-307, NIST SP 800-125, NIST SP 800-144
• CSA: CSA CCM, CSA CTP, CSA A6, CSA CAIQ, CSA TCI, CSA PLA, CSA Attestation - OCF Level 2, CSA Attestation - OCF Level 1, CSA Self-Assessment - OCF Level 1
• OASIS: OASIS TOSCA, OASIS CAMP
• SNIA CDMI, DMTF DSP0243, DMTF DSP0263
• EuroCloud Self-Assessment, EuroCloud Star Audit
• Certified Cloud Service – TÜV Rheinland
• ITU-T X.1601, ITU-T X.1631
• AICPA SOC 1, AICPA SOC 2, AICPA SOC 3
• Others
Figure: coverage matrix (legend: not covered / partially covered / fully covered) of the 27 control areas below against the following standards: ISO 17203, ISO 17789, ISO 19944, ISO 19941, ISO 19086, ISO 19099, ISO 22301, ISO/IEC 24760, ISO/IEC 27000 family (ISO/IEC 27000, ISO/IEC 27001 & ISO/IEC 27002), ISO/IEC 29100, ISO/IEC 29101, ISO/IEC 29115.
Control areas:
1. Information security policy
2. Risk management
3. Security roles
4. Security in supplier relationships
5. Background checks
6. Security knowledge and training
7. Personnel changes
8. Physical and environmental security
9. Security of supporting utilities
10. Access control to network and information systems
11. Integrity of network and information systems
12. Operating procedures
13. Change management
14. Asset management
15. Security incident detection and response
16. Security incident reporting
17. Business continuity
18. Disaster recovery capabilities
19. Monitoring and logging policies
20. System tests
21. Security assessments
22. Checking compliance
23. Cloud data security
24. Cloud interface security
25. Cloud software security
26. Cloud interoperability and portability
27. Cloud monitoring and log access
Figure: coverage matrix (legend: not covered / partially covered / fully covered) of the same 27 control areas against Certified cloud service (TÜV), OASIS CAMP, SNIA CDMI, OGF OCC, SAML, OAuth 2.0, OpenID, DMTF DSP0243, DMTF DSP0263 and CSA CCM.
Landscape
• EC Communication (2012): “cut through the jungle of standards”; Digital Agenda 2020; #Digital Single Market; #EUdataFF; cross-border services
• Standardisation: ENISA CCSL and CCSM (2013); Cloud Standardization Initiative – ETSI (Phase I and Phase II); ECI
• Public and public-private initiatives: Trusted Cloud (DE); Label Cloud (FR)
• Regulation and national schemes: GDPR; C5; ENS; NIS; SecNumCloud; FFD
Current analysis of strategies from Spain, Italy, Germany and France

DE – C5 catalogue
• 17 control areas; per control: objective, requirement (basic, additional)
• Attestation; no certificate
• Relies on int’l standards; cloud-specific

IT – PM Decree 2013
• National ICT security certification scheme based on int’l standards
• Not cloud-specific

ES – ENS
• For eAdmin CSPs / digital providers
• Dedicated regulation for cloud issues, whether or not the provider belongs to the eAdmin
• Systems have categories: low, medium, high; low = self-assessment, medium/high = audit every 2 years
• Audit

FR – SecNumCloud
• Certification for CSPs, based on ANSSI recommendations and int’l standards
• 2 levels: basic and advanced (^)
• Label
(^) Requirements for ‘Advanced’ were not yet published as of 08.09.2017
Current analysis of private initiatives: Trusted Cloud, Label Cloud, ESCloud

Trusted Cloud
• German initiative, now extending to FR and NL
• Non-profit association
• For SMEs, both CSPs and cloud users
• Own criteria catalogue
• Legally binding self-assessment
• Prices to appear on the listing: 150-300€/month

Label Cloud
• Initiative by France IT
• For SMEs
• 3 layers (IaaS, PaaS, SaaS)
• 3 levels: initial, confirmed, expert
• Based on NIST and ITIL
• Label valid for 2 (initial), 3 (confirmed) or 4 (expert) years
• Continuous improvement: recertification obliges the provider to obtain better results than the previous time

ESCloud
• Collaboration of France and Germany
• Label
• 15 core principles
• No mutual recognition between SecNumCloud and C5
04 Needs and requirements
Needs and requirements are being gathered by means of online surveys and personal interviews.
Survey launched at the end of June, accessible at http://tinyurl.com/cloudcertification. Low number of respondents so far, possibly due to the summer period; campaign in social networks.
Main conclusions from Spain
• Mutual recognition should be favoured.
• Consider as best practice the European Interoperability Framework (EIF) (*), specifically Article 10: “Node operators of nodes providing authentication shall prove that, in respect of the nodes participating in the interoperability framework, the node fulfils the requirements of standard ISO/IEC 27001 by certification, or by equivalent methods of assessment, or by complying with national legislation”.
• Establish a generic certification on security and then a certification focused on cloud security. Later on, a certification on portability could be considered.
• An EU-wide security certification framework can solve some issues, but specific (legal) requirements will still be requested.
(*) COMMISSION IMPLEMENTING REGULATION (EU) 2015/1501 of 8 September 2015
Scenarios
Next steps
• Continue analysing initiatives by EU member states, policy initiatives and answers from the survey
• Develop the common security framework: objectives, controls, requirements, mapping to standards
• Detail the impact (economic, regulatory, social) and the next steps for each scenario
• Workshop in December 2017