Public-Private proposal for a European Cloud Security Certification - - PowerPoint PPT Presentation



SLIDE 1

Public-Private proposal for a European Cloud Security Certification Scheme

Berlin 2nd April 2019

SLIDE 2

C5 success story and the way forward to a European certification for cloud services

Clemens Doubrava Head of Section of Information Security in the cloud

SLIDE 3

Timeline (Once upon a time…)

Timeline markers shown: Sept 2017, Dec 17, Jan 18, April 2018

To explore the possibility of developing a European Cloud Certification Scheme in the context of the Cybersecurity Act and come up with a recommendation that will be presented to the European Commission and ENISA

SLIDE 4

Working Group Composition

CSP CERT WG: balanced / commitment / effectiveness

Observers: transparency; relevant expertise & legitimate interest; public

Access Partnership, Bitkom/Deutsche Bundesdruckerei, CISCO, CISPE, CTO Security Networks AG, DINSIC, Danish Business Authority, Digital Europe, European Banking Federation, Google, Government of Ontario, HUAWEI, Microsoft, Nokia, OVH, Outscale, Palo Alto, PWC, Santander bank, SALESFORCE, Sistemas de Datos/Digital SME, SCOPE EUROPE, Swedish civil contingencies agency, Upcloud, VARAM, Virtustream (DELL), VdTuev, VMWare, Accenture, AMAZON, ANSSI, BBVA/EBF, Bosch GmbH, BSI, CSA, CISCO, Danish Tax Authority, Deutsche Börse Group, Erasmus University, Eurocloud, Fabasoft, Google, HSBC, IBM, JPMorgan, LEET Security, LSEC, Norea, Oodrive, ORACLE, Orange, PWC, SAP, Secura, Securemailbox, TECNALIA, Trusted Cloud, UCIMU/Confindustria/Business Europe, UNINFO, Zeker Online

Co-chairs

  • Borja Larrumbide, BBVA-EBF (User)
  • Helmut Fallmann, FABASOFT (CSP)

Rapporteur

  • Hans Graux, Timelex

European Commission:

  • DG-CONNECT
  • DG-DIGIT
  • JRC
  • DG-JUST

ENISA

32 drafting members, 28 observers

SLIDE 5

Working Methodology and tools

  • Online Collaborative tool (Community site / Blog)
  • Strong approved Governance document
  • Comprehensive approved Rules of Procedure document
  • Monitor attendance and relevant contribution
  • Webinar formats by default every two weeks with actions and deliverables assigned to drafting members
  • Quarterly rotating plenary sessions

www.cspcert.eu

SLIDE 6

Goal & Milestones

Diagram axes: Security Objectives / requirements / Implementation (Assurance Levels), ranging from incomplete to very comprehensive; Conformity Assessment Methodologies, ranging from low to high independence, trust and/or expertise; Continuity & Robustness of:

  • Reporting
  • Monitoring compliance

SLIDE 7

Goal & Milestones

To explore the possibility of developing a European Cloud Certification Scheme in the context of the Cybersecurity Act and come up with a recommendation that will be presented to the European Commission and ENISA

Milestones shown on the timeline: Milestone 1, Milestone 2, Milestone 3, Open Consultation

Dates shown: Jan-Oct 2018, Oct-Dec 2018, Jan 2019, Jun 2019

SLIDE 8

Timeline

  • Rome plenary (16th & 17th of October 2018): Milestone 1 completed and we start milestone 2
  • Vienna plenary (6th & 7th of December 2018): Milestone 2 initiated

Timeline axis markers: Sept 2017, Jan 18, April 18, July 18, Oct 18, Dec 18, July 2019

SLIDE 9

Update on Milestone 1

Security Objectives / requirements / Implementation

Leire Orue-Echevarria Arrieta Project Manager Cloud technologies and security


SLIDE 10

Update on draft of milestone 1

https://ec.europa.eu/digital-single-market/en/news/regulating-cloud-computing-europe-new-study-considers-options-certification-schemes

Standards referenced: ISO 17203, ISO 17789, ISO 19944, ISO 19941, ISO 19086, ISO 19099, ISO 22301, ISO/IEC 24760, the ISO/IEC 27000 family (ISO/IEC 27000, ISO/IEC 27001 & ISO/IEC 27002), ISO/IEC 29100, ISO/IEC 29101, ISO/IEC 29115

Security objectives:

  1. Information security policy
  2. Risk management
  3. Security roles
  4. Security in Supplier relationships
  5. Background checks
  6. Security knowledge and training
  7. Personnel changes
  8. Physical and environmental security
  9. Security of supporting utilities
  10. Access control to network and information systems
  11. Integrity of network and information systems
  12. Operating procedures
  13. Change management
  14. Asset management
  15. Security incident detection and response
  16. Security incident reporting
  17. Business continuity
  18. Disaster recovery capabilities
  19. Monitoring and logging policies
  20. System tests
  21. Security assessments
  22. Checking compliance
  23. Cloud data security
  24. Cloud interface security
  25. Cloud software security
  26. Cloud interoperability and portability
  27. Cloud monitoring and log access

SLIDE 11

Update on draft of milestone 1

https://ec.europa.eu/digital-single-market/en/news/regulating-cloud-computing-europe-new-study-considers-options-certification-schemes

SLIDE 12

Update on draft of milestone 1

https://www.enisa.europa.eu/news/enisa-news/enisa-cloud-certification-schemes-metaframework

United Kingdom, Italy, Netherlands, Spain, Sweden, Germany, Finland, Austria, Slovakia, Greece and Denmark.

SLIDE 13

Update on draft of milestone 1

SLIDE 14

Update on draft of milestone 1

SLIDE 15

Conformity Assessment Methodologies

Bert Tuinsma MSc RA Chairman of Zeker-OnLine, Issuer of Trust Certificates for Cloud Services

Update on Milestone 2

SLIDE 16

Conformity Assessment

Purpose

To enhance the credibility (or confidence or trust) towards stakeholders of a statement expressed by a cloud service provider (CSP) that its cloud process, product or service (including those from sub-service providers) meets the requirements of a pre-defined set of control objectives and a related set of measures, as defined under Milestone 1.

SLIDE 17

Conceptual Framework

Conformity Assessment

SLIDE 18

Levels of provided assurance

Three levels of Assurance

  • Basic
  • Substantial
  • High

It’s the user (risk owner) who determines the level of confidence needed for a specific cloud service, taking into account the risk of a failure happening and the impact that would have.

Conformity Assessment

SLIDE 19

Evidence-based conformity assessment

  • Self-assessment
  • Third Party Assurance
    ○ Based upon ISO defined approach
    ○ Based upon ISAE defined approach
  • Continuous Monitoring [in development]

CAMs in place

Conformity Assessment

SLIDE 20

Reporting and validity

  • Evidence based: No reporting
  • ISO features a full scale 3-year audit cycle. Result is a certification
  • ISAE 3402 Type II is an attestation report on the design, implementation and operating effectiveness over a past period

Conformity Assessment

SLIDE 21

Elements of a CAM

  • Independence
  • Competency/Expertise
  • Professional standards
  • Code of conduct
  • Qualification
  • Accreditation
  • Accountability
  • Liability
  • Monitoring and supervision

The appendix analyses the first three conformity methodologies

Conformity Assessment

SLIDE 22

Open Consultation

https://ec.europa.eu/eusurvey/runner/cspcertconsultation

Milestone 1 doc Milestone 2 doc

Launched 15th January 2019

Closed 3rd February 2019

SLIDE 23

Scope, assumptions and status

Aurelien Leteinturier Head of security products and services approval unit

Update on Milestone 3

SLIDE 24

Milestone 3 - objectives

  • Clarify assumptions regarding the CSP services certification
  • Provide recommendations for the implementation of the CSPCert Scheme:
    ○ Refine the scope and purpose of the certification
    ○ Give guidelines to implement the governance of the scheme
    ○ Refine Milestone 1 and Milestone 2 conclusions
  • Document structure is aligned with the one of the CyberSecurity Act:
    ○ CCAL: CSP certification scheme objectives and assurance levels
    ○ CSAR: Refinement of cybersecurity act requirement regarding CSP certification scheme
    ○ SGOV: Governance of the CSP certification scheme

SLIDE 25

Risk Assessement (milk and fridge)

Diagram (milk-and-fridge example): a SaaS applet running on a cloud computing platform.

Feared events

  • Rotten milk
  • Massive order of milk bottle
  • Wrong orders (lactose free vs regular)

Certification strategy

  • Which services, products and process?
  • Which assurance level?
  • Residual risk management?
  • Specific requirement

SLIDE 26

CSA certification requirement

Same milk-and-fridge diagram as slide 25 (SaaS applet on a cloud computing platform, feared events, certification strategy), with CSA certification labels added: CSA certification Product; CSA certification Software / Cloud service; CSA certification Cloud service; CSA Software; CSA certification Product.

SLIDE 27

Risk owners / Responsibilities

Same milk-and-fridge diagram as slide 25 (SaaS, applet, cloud computing platform, feared events, certification strategy), annotated with risk owners / responsibilities: CSA Certification, CSA certification Product, and MiFEURG* for each layer.

*Milk and Fridge European Union Regulation Group

SLIDE 28

What is CSPCert group’s knowledge…

About cows and fridge ? …close to nothing relevant

SLIDE 29

CSP service certification perimeter

Same milk-and-fridge diagram as slide 25, with the CSP certification perimeter drawn over it (labels: Cloud Computing platform, Applet, SaaS, CSP certification perimeter).

SLIDE 30

CSP service certification

Diagram of the CSP certification perimeter: a baseline CSP service (SaaS, PaaS and IaaS), certified at assurance level Basic, Substantial or High, on top of which sector-specific requirements are layered (Energy, Automotive, other specific sector).

SLIDE 31

Hundreds shades of controls…

Diagram: controls (Control 1, Control 2, Control 3, Control 4, ... Control xxx) rated with + / ++ marks along two axes:

  • Technical level and stringency of controls
  • Depth of evaluation/assessment

SLIDE 32

Nesting the assurance levels

  • A CSP service certified at assurance level high fulfils as well:
    ○ Requirements for the assurance level substantial
    ○ Requirements for the assurance level basic
  • A CSP service certified at assurance level substantial fulfils as well:
    ○ Requirements for the assurance level basic

SLIDE 33

Milestone 3 status of work

  • Structure of the document is agreed
  • Some parts are written and under review of the group
  • Need candidates to write other parts of the document

SLIDE 34

Mapping of CSA and Parts of Milestone 3 document

Table columns: Articles; Content; CCAL; CSAR; SGOV. Each row below gives the articles, their content and the mapping marks as extracted (the extraction does not preserve which of the three columns each mark falls under).

  • 43, 43a and 43b: General consideration regarding the cybersecurity certification framework.
  • 44 and 44a: Preparation, adoption and review of European cybersecurity certification schemes, publication on a centralized website of schemes and certificates. (mark: part)
  • 45: Security objectives of European certification schemes. (X)
  • 46 and 46a: Assurance level of European certification schemes, and conformity self-assessment. (X)
  • 47 and 47a: Elements of European cybersecurity certification schemes and cybersecurity information for certified products, process and services. (X)
  • 48: Cybersecurity certification, which indicates who is able to deliver certificates regarding a specific assurance level. (X)
  • 49: National cybersecurity certification schemes and certificates, which give requirement regarding the transition period between legacy national and European certification scheme. (X)
  • 50 and 50a: National cybersecurity certification authorities, which describes roles and duties for the NCSA. The article 50a covers the peer review mechanism, which will be used (X X)
  • 51 and 52: Conformity assessment body and their notification. (X)
  • 53: European Cybersecurity Certification Group. (X)
  • 53a, 53b and 54: Complaint, effective juridical remedy and penalties regarding a conformity assessment body or a certificate. (X X)

SLIDE 35

Submission of the final proposal

XXX

Deadline?

12th of June 2019 in Amsterdam

SLIDE 36

cspcerteurope@gmail.com www.cspcert.eu