Public-Private proposal for a European Cloud Security Certification - PowerPoint PPT Presentation

Berlin 2 nd April 2019 Public-Private proposal for a European Cloud Security Certification Scheme

C5 success story and the way forward to a European certification for cloud services Clemens Doubrava Head of Section of Information Security in the cloud

Timeline (Once upon a time…) To explore the possibility of developing a European Cloud Certification Scheme in the context of the Cybersecurity Act and come up with a recommendation that will be presented to the European Commission and ENISA April Sept 2018 2017 Dec 17 Jan 18 3

Working Group Composition Accenture, AMAZON, ANSSI, BBVA/EBF, Bosch GmbH, BSI, CSA, CISCO, Danish Tax Authority, Deutsche Börse Group, Erasmus University, Eurocloud, Fabasoft, Google, HSBC, IBM, JPMorgan, LEET Security, LSEC, Norea, Oodrive, ORACLE, Orange, PWC, SAP , Secura, Securemailbox, TECNALIA, Trusted Cloud, UCIMU/Confindustria/Business Europe, UNINFO, Zeker Online 32 Drafting members Public Co-chairs ● Borja Larrumbide, BBVA-EBF (User) Relevant expertise & ● Helmut Fallmann, FABASOFT (CSP) legitimate interest CSP CERT WG Rapporteur Transparency ● Hans Graux, Timelex European Commision: ● DG-CONNECT Observers Balanced/Commitment/effectiveness ● DG-DIGIT ● JRC ● DG-JUST ENISA 28 Observers Access Partnership, Bitkom/Deutsche Bundesdruckerei, CISCO, CISPE, CTO Security Networks AG, DINSIC, Danish Business Authority, Digital Europe, European Banking Federation, Google, Government of Ontario, HUAWEI, Microsoft, Nokia, OVH, Outscale, Palo Alto, PWC, Santander bank, SALESFORCE, Sistemas de Datos/Digital SME, SCOPE EUROPE, Swedish civil contingencies agency, Upcloud, VARAM, Virtustream (DELL), VdTuev, VMWare 4 4

Working Methodology and tools Strong approved Governance Comprehensive approved Rules of document Procedure document Online Collaborative tool (Community site / Blog) Monitor attendance and relevant www.cspcert.eu contribution Quarterly rotating plenary sessions Webinar formats by default every two weeks with actions and deliverables assigned to drafting members

Goal & Milestones Conformity Assessment Methodologies Continuity & Robustness of: High Independence, • Reporting trust and/or expertise • Monitoring compliance Low Independence, Underlying Security Objectives / trust and/or expertise requirements / Implementation (Assurance Levels) Incomplete Very comprehensive 6 6

Goal & Milestones To explore the possibility of developing a Milestone Open European Cloud Certification Scheme in the 3 Consultation context of the Cybersecurity Act and come up Milestone with a recommendation that will be presented 2 to the European Commission and ENISA Jun Milestone 2019 Jan 1 2019 Oct-Dec 2018 Jan-Oct 2018 7 7

Timeline ☁︐ Vienna plenary (6th & 7th of December 2018) - Milestone 2 initiated July Sept 2019 2017 Jan 18 April 18 July 18 Oct 18 Dec 18 ☁︐ Rome plenary (16th & 17th of October 2018) - Milestone 1 completed and we start milestone 2 8

Update on Milestone 1 Security Objectives / requirements / Implementation 1 Leire Orue-Echevarria Arrieta Project Manager Cloud technologies and security

Update on draft of milestone 1 ISO ISO ISO ISO ISO ISO ISO ISO/IEC Family of ISOIEC ISO/IEC ISO/IEC 17203 17789 19944 19941 19086 19099 22301 24760 27000 29100 29101 29115 ISO/IEC 27000 , ISO/IEC 27001 & ISO /IEC 27002 1. Information security policy 2. Risk management 3. Security roles 4. Security in Supplier relationships 5. Background checks 6. Security knowledge and training 7. Personnel changes 8. Physical and environmental security 9. Security of supporting utilities 10. Access control to network and information systems 11. Integrity of network and information systems 12. Operating procedures 13. Change management 14. Asset management 15. Security incident detection and response 16. Security incident reporting 17. Business continuity 18. Disaster recovery capabilities 19. Monitoring and logging policies 20. System tests 21. Security assessments 22. Checking compliance 23. Cloud data security 24. Cloud interface security 25. Cloud software security 26. Cloud interoperability and portability 27. Cloud monitoring and log access https://ec.europa.eu/digital-single-market/en/news/regulating-cloud-computing-europe-new-study-considers-options-certification-schemes

Update on draft of milestone 1 https://ec.europa.eu/digital-single-market/en/news/regulating-cloud-computing-europe-new-study-considers-options-certification-schemes

Update on draft of milestone 1 United Kingdom, Italy, Netherlands, Spain, Sweden, Germany, Finland, Austria, Slovakia, Greece and Denmark. https://www.enisa.europa.eu/news/enisa-news/enisa-cloud-certification-schemes-metaframework

Update on draft of milestone 1

Update on draft of milestone 1

Update on Milestone 2 Conformity Assessment Methodologies 2 Bert Tuinsma MSc RA Chairman of Zeker-OnLine, Issuer of Trust Certificates for Cloud Services

Conformity Assessment to enhance the credibility (or confidence or trust) towards stakeholders Purpose of a statement expressed by a cloud service provider (CSP) that its cloud process, product or service (including those from sub-service providers) meets the requirements of a pre-defined set of control objectives and a related set of measures, as defined under Milestone 1.

Conformity Assessment Conceptual Framework

Conformity Assessment Three levels of Assurance • Basic • Substantial Levels of • High provided assurance It’s the user (risk owner) who determines the level of confidence needed for a specific cloud service, taking into account the risk of a failure happening and the impact that would have .

Conformity Assessment Self-assessment ● Evidence-based conformity assessment ○ CAMs in Third Party Assurance ● place ○ Based upon ISO defined approach ○ Based upon ISAE defined approach Continuous Monitoring [in development] ●

Conformity Assessment • Evidence based: No reporting • ISO features a full scale 3-year and audit Reporting cycle. Result is a certification and validity • ISAE 3402 Type II is an attestation report on the design, implementation and operating effectiveness over a past period

Conformity Assessment • Independence • Competency/Expertise • Professional standards • Code of conduct Elements of • Qualification a CAM • Accreditation • Accountability • Liability • Monitoring and supervision Appendix analysis the first three Conformity methodologies

Open Consultation Launched 15th January 2019 https://ec.europa.eu/eusurvey/runner/cspcertconsultation Milestone 1 doc Milestone 2 doc Closed 3th February 2019

Update on Milestone 3 Scope, assumptions and status 3 Aurelien Leteinturier Head of security products and services approval unit

Milestone 3 - objectives ● Clarify assumptions regarding the CSP services certification ● Provide recommandations for the implementation of the CSPCert Scheme: ● Refine the scope and purpose of the certification ● Give guidelines to implement the governance of the scheme ● Refine Milestone 1 and Milestone 2 conclusions ● Document structure is aligned with the one of CyberSecurity Act ● CCAL : CSP certification scheme objectives and assurance levels ● CSAR : Refinement of cybersecurity act requirement regarding CSP certification scheme ● SGOV : Governance of the CSP certification scheme

Risk Assessement (milk and fridge) SaaS Cloud Computing platform Applet Feared events Certification strategy - Rotten milk, - Which services, products - Massive order and process ? of milk bottle - Which assurance level ? - Wrong orders Residual risk management ? - ( lactose free vs regular ) - Specific requirement

CSA certification requirement CSA certification Software / Cloud service SaaS Cloud Computing platform CSA certification Product CSA certification Cloud service CSA Software Applet Feared events Certification strategy - Rotten milk, CSA certification - Which services, products - Massive order Product and process ? of milk bottle - Which assurance level ? - Wrong orders Residual risk management ? - ( lactose free vs regular ) - Specific requirement

Risk owners / Responsibilities CSA CSA Certification Certification SaaS Cloud Computing CSA platform Certification CSA MiFEURG* Applet Certification Feared events Certification strategy - Rotten milk, CSA CSA certification - Which services, products Certification - Massive order Product and process ? of milk bottle - Which assurance level ? - Wrong orders Residual risk management ? - ( lactose free vs regular ) - Specific requirement *Milk and Fridge European Union Regulation Group

What is CSPCert group’s knowledge… About cows and fridge ? …close to nothing relevant

CSP service certification perimeter CSP certification perimeter SaaS Cloud Computing platform Applet Feared events Certification strategy - Rotten milk, - Which services, products - Massive order and process ? of milk bottle - Which assurance level ? - Wrong orders Residual risk management ? - ( lactose free vs regular ) - Specific requirement