Final Public-Private recommendation for a European Cloud Security Certification Scheme (PowerPoint presentation)


SLIDE 1

Final Public-Private recommendation for a European Cloud Security Certification Scheme

Amsterdam 12th June 2019

SLIDE 2

Timeline

  • Data Economy Package (Sept 2017): FFD & Cybersecurity Package (CSA, Sept 2017)
  • Mobilization of relevant Stakeholders

☁ Kick-off of two WGs (12th Dec 2017): Preparatory phase (Governance & composition)

Timeline axis: Sept 2017 to April 2018

To explore the possibility of developing a European Cloud Certification Scheme in the context of the Cybersecurity Act and come up with a recommendation that will be presented to the European Commission and ENISA

SLIDE 3

Working Group Composition

CSP CERT WG Drafting Members: Balanced / Commitment / effectiveness

Observers: Transparency / Relevant expertise & legitimate interest / Public

Observers (29): Access Partnership, Amadeus, Bitkom/Deutsche Bundesdruckerei, CISCO, CISPE, CTO Security Networks AG, DINSIC, Danish Business Authority, Digital Europe, European Banking Federation, Google, Government of Ontario, HUAWEI, Microsoft, Nokia, OVH, Outscale, Palo Alto, PWC, Santander bank, SALESFORCE, Sistemas de Datos/Digital SME, SCOPE EUROPE, Swedish civil contingencies agency, Upcloud, VARAM, Virtustream (DELL), VdTuev, VMWare

Drafting members (32): Accenture, AMAZON, ANSSI, BBVA/EBF, Bosch GmbH, BSI, CSA, CISCO, Danish Tax Authority, Deutsche Börse Group, Erasmus University, Eurocloud, Fabasoft, Google, HSBC, IBM, JPMorgan, LEET Security, LSEC, Norea, Oodrive, ORACLE, Orange, PWC, SAP, Secura, Securemailbox, TECNALIA, Trusted Cloud, UCIMU/Confindustria/Business Europe, UNINFO, Zeker Online

Co-chairs

  • Borja Larrumbide, BBVA-EBF (User)
  • Helmut Fallmann, FABASOFT (CSP)

Rapporteur

  • Hans Graux, Timelex

European Commission:

  • DG-CONNECT
  • DG-DIGIT
  • JRC
  • DG-JUST

ENISA

32 Drafting members, 29 Observers

SLIDE 4

Working Methodology and tools

  • Online Collaborative tool (Community site / Blog)
  • Strong approved Governance document
  • Comprehensive approved Rules of Procedure document
  • Monitor attendance and relevant contribution
  • Webinar format by default every two weeks, with actions and deliverables assigned to drafting members
  • Quarterly rotating plenary sessions

www.cspcert.eu

SLIDE 5

Goal & Milestones

Diagram of the three scheme dimensions (axis labels recovered from the slide):

  • Underlying Security Objectives / requirements / Implementation (Assurance Levels): from Incomplete to Very comprehensive
  • Conformity Assessment Methodologies: from Low to High independence, trust and/or expertise
  • Continuity & Robustness of Reporting and Monitoring compliance: One time, Regular, Over a period of time, Continuous

SLIDE 6

Goal & Milestones


  • Milestone 1: Jan-Oct 2018
  • Milestone 2: Oct-Dec 2018
  • Milestone 3: Jan 2019
  • Open Consultation: Jun 2019

SLIDE 7

Timeline

  • Data Economy Package (Sept 2017): FFD & Cybersecurity Package (CSA, Sept 2017)
  • Mobilization of relevant Stakeholders

☁ Kick-off of two WGs (12th Dec 2017): Preparatory phase (Governance & composition)

☁ Brussels plenary (17th April 2018): Approval of governance and RoP & work on first deliverable (22nd June 2018)

☁ Paris plenary (4th & 5th of July 2018)

☁ Rome plenary (16th & 17th of October 2018)

  • Milestone 1 completed and we start milestone 2

☁ Vienna plenary (6th & 7th of December 2018)

  • Milestone 2 initiated

Timeline axis: Sept 2017 to July 2019

  • Political agreement on Free Flow of Data between Council and Parliament
  • Trialogues on Cybersecurity Act in progress
  • Open consultation (Jan 2019)

☁ Madrid plenary (26th & 27th Feb 2019)

  • Initiate draft of milestone 3

☁ Berlin plenary (2nd & 3rd of April 2019)

☁ Amsterdam plenary (12/13th June)

  • Milestone 3 ends
  • Proposal ends too

SLIDE 8

Prof. William Ochs, Certification Enablement Manager, Cisco Global Certifications, USA

Cloud Computing Assurance Levels (CCAL)

SLIDE 9

CCAL Overview

  • Scope of the Certification
  • Refined Objectives for the European CSP Service Certification
  • Assurance Levels
    ○ Role of Risk Management in Determination
    ○ Characteristics and Requirements for the Assurance Levels
  • Ensuring EU-wide Recognition of Certificates through Consistency of Assurance Levels

SLIDE 10

CCAL Overview

  • CSPCERT WG Defines 26 Recommendations for ENISA and the EU Commission Related to Certification Assurance Levels
  • Recommendations are tied directly to the European Union Cybersecurity Act (EUCA)
  • CCAL Focuses Primarily on Article 51 and Article 52 of the EUCA
  • Provides Examples that could be utilized in the selection of a Certification Level of Assurance, based on risk scenarios and risk assessments taken by an end-user for a Cloud Service
  • Provides for CSP certification perimeters and the addition of new sectoral requirements or overlays to the certification
  • Provides for the Cybersecurity Act's assurance requirements and their correspondence to the different assurance levels

SLIDE 11

CCAL: Scope of the Certification

“In order to be certified, the cloud service must meet all the requirements of the certification scheme reference documents that are applicable to the service boundary (e.g. IaaS, PaaS, SaaS, XaaS) and the chosen level of assurance.” CSPCERT, Milestone 3.

SLIDE 12

CCAL: Refined Objectives for the European CSP Service Certification

“The assessment of the correct implementation of the controls that achieve the security objectives listed in the Milestone 1 document (see Annex 1) with a methodology from the ones listed in the Milestone 2 document should be a guide to ensure that all these objectives are fulfilled regarding a certain assurance level.” CSPCERT, Milestone 3.

SLIDE 13

CCAL: Refined Objectives for the European CSP Service Certification

  • Focused on Article 51 of EUCA
  • First 10 Recommendations Fall Under Article 51
  • All CSPCERT Recommendations are numbered and come with a Justification statement.

SLIDE 14

CCAL: Assurance Levels and Risk Assessment Correlation

  • Focused on Article 52 of EUCA
  • Recommendations 11-21 Fall Under Article 52
  • “Performing a proper risk analysis requires that both dimensions need to be considered and assessed. Based on the outcome of the risk assessment, a required level of assurance can be determined.” CSPCERT, Milestone 3.

SLIDE 15

CCAL: Assurance Levels

Defined Areas Impacted by Recognized Risks: Personal, Business, Societal

SLIDE 16

CCAL: Assurance Levels as Defined in EUCA Article 52: Basic, Substantial, High

SLIDE 17

CCAL: Assurance Levels

CSP Certification Perimeter & Addition of New Sectoral Requirements

SLIDE 18

CCAL: Ensuring EU-Wide Recognition

  • Recommendations 22-26 Focus on Level of Trust, Fidelity, and Certificate Acceptance
  • Introduce the Concept of Audit Level of Detail relevant to the Assurance Level
  • Introduce Peer Review Mechanisms
  • Introduce Governance’s Import (Addressed in Detail in SGOV)
  • Recommends that the NCCA Endorses the Final Audit Reports and the Issuance of the Certificate

SLIDE 19

Tom Vreeburg, Independent IT Risk and Assurance professional, Advisor to the board of NOREA. NOREA, Netherlands

Cyber Security Act Requirements (CSAR)

SLIDE 20

  • The EU Cybersecurity Act (EUCA) provides the cybersecurity certification framework (Section III, Art 46 a.o.)
  • CSPCert provides recommendations for ENISA to prepare a European Cybersecurity Certification Scheme for Cloud Service Providers
  • EUCA, Art 46: ‘European cybersecurity certification scheme’ means a comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services or ICT processes
  • Requirements for a scheme are set out in particular in EUCA art 54 and 55

CSAR Part

SLIDE 21

Elements of European cybersecurity certification schemes: 22 elements provide the minimum requirements

CSPCert added 20+ recommendations to provide guidance to ENISA on how to detail these elements in the EU Cybersecurity Certification Scheme for Cloud Service Providers

EUCA Art 54

SLIDE 22

Scope

  • Purpose of the scheme:
    ○ Provide stakeholders with a statement on the scope, reliability and security of the cloud service
    ○ Enhance the credibility/confidence/trust of the statement made by the CSP
  • Scoping in a cloud environment

SLIDE 24

Information needed for issuance of the certificate

Information provided by the Cloud Service Provider:

  • Identification
  • CSP’s Conformity statement
  • CSP’s description of the service
  • Control objectives, related controls and tests of controls
  • Other information
  • Supplementary cybersecurity information (EUCA Art 55)
  • Consequences of non-compliance with requirements of the scheme

SLIDE 25

Maximum period of validity

Required level of assurance and maximum period of validity:

  • High: Continuous audit strategy or annual audit
  • Substantial: Continuous audit strategy or annual audit
  • Basic: Max validity 3 years with annual control check

SLIDE 26

Scheme Governance (SGOV)

Clemens Doubrava, Head of Section of Information Security in the cloud, BSI, Germany

Aurelien Leteinturier, Head of security products and services approval unit, ANSSI, France

SLIDE 27

SGOV Part

  • Common parts between all assurance levels
    ○ Committee and groups
    ○ Complaints management
    ○ Peer Review
    ○ Community management
  • Specific governance recommendations for each assurance level
    ○ Basic, Substantial and High

SLIDE 28

Committee and groups (EU level)

Diagram (labels recovered from the slide): Management Committee, Conciliation Commission and Joint Expert Groups, connected by the relationships Set Up / Mandate, Report and Appoint.

SLIDE 29

Complaints Management

SLIDE 30

Peer reviews

SLIDE 31

Community management

Diagram (labels recovered from the slide): three boxes, each labelled NCCA & Experts.

SLIDE 32

Assurance level Basic

Diagram (labels recovered from the slide): actors National Cybersecurity Certification Authority (NCCA), Monitoring Body and CSP Service; activities Approve & Supervise, Evaluate & monitor, Supervise evaluations, Issue Certificate, Community Management.

SLIDE 33

Assurance level Substantial

SLIDE 34

Assurance level High

Diagram (labels recovered from the slide): actors National Cybersecurity Certification Authority (NCCA), National Accreditation Body (NAB), Conformity Assessment Body (CAB) and CSP Service; activities Accredit, Approve, Evaluate, Supervise evaluations, Monitor certificates, Issue Certificate, Community Management.

SLIDE 35

Conclusion and recommendations

Leire Orue-Echevarria Arrieta, Project Manager Cloud technologies and security, Tecnalia, Spain

SLIDE 36

General recommendation

  • To include the development of an EU-wide cloud security certification scheme in the EU rolling work programme for the European cybersecurity certification framework under the EUCA
  • To request ENISA to prepare a candidate scheme on the basis of the present proposal

CSPCERT does not recommend a completely new certification scheme, but rather a scheme based on existing practices/schemes/standards that are used by the industry and internationally recognized.

SLIDE 37

Cloud Computing Assurance Levels (CCAL)

Assurance levels

  • 3 levels of assurance: Basic, Substantial and High, depending on the associated risk level
  • Clear guidance on how to perform this risk assessment and link the assurance level to the cloud service
  • A description of what the basic/substantial/high assurance level indicates
  • Examples of which level of assurance should be associated with which service

SLIDE 38

Cloud Computing Assurance Levels (CCAL)

Evaluation criteria

  • Defined a set of Security Objectives, with a taxonomy and a methodology to include new ones when required
  • Keep a similar taxonomy and update it when appropriate
  • Keep a similar methodology for the inclusion of new controls and update it accordingly

SLIDE 39

Cloud Computing Assurance Levels (CCAL)

Conformity Assessment Methodologies

  • 3 conformity assessment methodologies (CAM): Evidence-based, ISO-based, ISAE-based
  • To reduce the level of bias, assess third-party conformity assessment methodologies for safeguards to ensure a common level of trust
  • Clear guidance on the required procedures and criteria per assurance level
  • Evaluate the possibility of including continuous monitoring for High
  • CAMs must measure operational effectiveness in S and H, and not merely control existence
  • Frequency of renewal and what triggers it

SLIDE 40

Cybersecurity Act Requirements (CSAR)

  • Baseline certification requirements and security objectives that could be enhanced with further regulatory requirements coming from regulators, supervisors or the industry
  • CSPs shall retain the ability to provide services outside the scope for which they are being certified, but cannot, in this case, use this certification for the purpose of providing these services

SLIDE 41

Scheme Governance (SGOV)

  • Establish governance requirements as part of the scheme, to implement and maintain the scheme
  • Involve relevant stakeholders (e.g. regulators, supervisors, industry) to avoid overlaps with other regulations and to facilitate security, trust, privacy, transparency and free flow of data
  • Maintain a dedicated website with information on the scheme, and related data on certified CSPs and the validity

SLIDE 42

cspcerteurope@gmail.com | www.cspcert.eu