Proposal for a European Cloud Security Certification Scheme for the EU - PowerPoint PPT Presentation



SLIDE 1

Proposal for a European Cloud Security Certification Scheme for the EU

An update by the CSP Certification WG with Q&A

SLIDE 2

Objectives

1. The objective of the group is to explore the possibility of developing a European Cloud Certification Scheme in the context of the Cybersecurity Act (Title III, esp. Art. 47 (1)) and come up with a recommendation
2. Such a scheme would facilitate a free movement of data and enable a better comparability of Cloud Services

Important to note

  • We are developing a recommendation for a European Cloud Certification Scheme that we will present to ENISA, European Commission, member states and any other relevant stakeholder
  • ENISA will be responsible for setting up the scheme in accordance with the Cybersecurity Act

Our Guiding principles

  • Do not reinvent the wheel, but build upon what is out there
  • Balanced representation
  • Aim for the highest common denominator for security assurance

SLIDE 3

Working Methodology

What are the Challenges:

  • Safeguard a balanced composition of the WG
    ○ Supply side vs. demand side
    ○ Big companies vs. SME vs. public users/authorities
    ○ EU centric
  • Openness, Transparency and Inclusiveness
  • Pooling relevant expertise and experience
  • Promote commitment and effective contribution

What are the tools:

  • Strong approved Governance document
  • Comprehensive approved Rules of Procedure document
  • Monitor attendance and relevant contribution
  • Webinar formats by default every two weeks with actions and deliverables assigned to drafting members
  • Quarterly rotating plenary sessions
  • Online Collaborative tool with:
    ○ Community site for discussion and information interchange between drafting members
    ○ A Blog website for the general public (http://cspcerteurope.blogspot.com/)

SLIDE 4

Working Group Composition

All members

Co-chairs

  • Helmut Fallmann, FABASOFT (CSP)
  • Borja Larrumbide, BBVA-EBF (User)

Rapporteur

  • Hans Graux, Timelex

Drafting members: 23 => 27
Observer members: 14 => 23
European Commission: 6

  • DG-CONNECT
  • DG-DIGIT
  • JRC
  • DG-JUST

Observer members

  • Access Partnership
  • CISCO
  • CISPE
  • CTO Security Networks AG
  • DINSIC
  • Danish Business Authority
  • Google
  • HUAWEI
  • Outscale
  • OVH
  • PWC
  • SALESFORCE
  • Sistemas de Datos/Digital SME
  • SCOPE EUROPE
  • Upcloud
  • VARAM
  • VdTuev
  • VMWare

Drafting members

  • Accenture
  • AMAZON
  • ANSSI
  • BBVA/European Banking Federation
  • Bitkom/Deutsche Bundesdruckerei
  • Bosch GmbH
  • BSI
  • Danish Tax Authority
  • Deutsche Börse Group
  • Fabasoft
  • Fraunhofer/EU Cert/CSA
  • IBM
  • JPMorgan
  • LEET Security
  • Oodrive
  • ORACLE
  • Orange
  • PWC
  • Santander bank
  • SAP
  • TECNALIA
  • Trusted Cloud
  • UCIMU/Confidustria/Business Europe
  • UNINFO
  • VDMA/BDI
  • Zeker Online

SLIDE 5

Governance

  • Governance document
  • Rules of procedure
  • Collaboration tool (Drafting members can edit and observers can read approved documents)
    ○ Working docs folder (Drafting members only)
    ○ Minutes folder (all members)
    ○ Governance, Rules and policies folder (all members)
    ○ Baseline documents folder (all members)
    ○ Glossary (all members)
    ○ Community site (Drafting members only)
    ○ Webconference bi-weekly audios (Drafting members only)
    ○ Blog site: http://cspcerteurope.blogspot.com/
    ○ Emails exceptionally used so as to use Collaboration tool

Membership levels

  • CSP CERT DM (Drafting members): Balanced / Commitment / effectiveness
  • Observers: Transparency; relevant expertise & legitimate interest
  • Public

How to become a member?

  • Send expression of interest with short justification and CV to: cspcerteurope@gmail.com (*Also application form in blog)
  • Confirmation of receipt of expression of interest will follow.
  • Co-chairs evaluate expertise/experience and legitimate interest. Fulfilled?
    ○ NO: Rejection / request to designate real expert
    ○ YES: Observer member or Drafting member (expertise and commitment is required); confirmation via email including next steps

SLIDE 6

Milestones

Milestone 1: To agree on a comprehensive set of underlying detailed security objectives.

Milestone 2: To make a comparative analysis of the different conformity assessment methodologies in existence (most prominent ones).

Milestone 3: To develop a recommendation for a European Cloud Certification Scheme which provides for a clear and comprehensive set of security requirements at given level(s) of assurance in accordance with the requirements set out in the Cybersecurity Act.

[Diagram: three dimensions of a certification scheme: Underlying standards / requirements / controls (Assurance Levels), ranging from Incomplete to Very comprehensive; Conformity Assessment Methodology, ranging from Low to High Independence, trust and/or expertise; Continuity & Robustness of Reporting and Monitoring compliance, ranging from One time, Regular and Over a period of time to Continuous]

SLIDE 7

Self Regulatory Process Roadmap 2017-2018

Sept 2017 to Dec 2018

  • Data Economy Package (Sept 2017)
  • FFD & Cybersecurity Package (CSA Sept 2017)
  • Mobilization of relevant Stakeholder
  • Kick off of two WGs (12th Dec 2017)
  • Preparatory phase (Governance & composition)
  • First official meeting of WG (17th April 2018)
  • Approval of governance and RoP & work on first deliverable (22nd June 2018)
  • Paris plenary (4th & 5th of July 2018)
  • Rome plenary (16th & 17th of October 2018)
  • Milestone 1 completed and we start milestone 2
  • Vienna plenary (6th & 7th of December 2018)
  • Milestone 2 & 3 completed

In parallel:

  • Political agreement on Free Flow of Data between Council and Parliament
  • Trialogues on Cybersecurity Act in progress
  • Open consultation of milestone 3 draft

SLIDE 8

Update on draft of milestone 1

Start with the most commonly used standards in Europe for Cloud Certification/attestation, based on a study funded by the European Commission and led by Tecnalia

SLIDE 9

Update on draft of milestone 1

Use ENISA Cloud Certification Schemes Metaframework (CCSM) paper as a reference

SLIDE 10

Update on draft of milestone 1

Create a high level Gap Analysis based on C5 (BSI), SecNumCloud (ANSSI), ISO 27002/27017/27018, ENISA CCSM and map them to a new Cloud Category based on the Tecnalia study

SLIDE 11

Update on draft of milestone 1

For each Cloud Category create control objectives mapped to its requirements and, if feasible, reference them to existing implementation standards or documents

SLIDE 13

Q&A!

cspcerteurope@gmail.com