

  1. Proposal for a European Cloud Security Certification Scheme for the EU. An update by the CSP Certification WG, with Q&A.

  2. Objectives
     1. The objective of the group is to explore the possibility of developing a European Cloud Certification Scheme in the context of the Cybersecurity Act (Title III, esp. Art. 47(1)) and to come up with a recommendation.
     2. Such a scheme would facilitate the free movement of data and enable better comparability of cloud services.
     Important to note
     ● We are developing a recommendation for a European Cloud Certification Scheme that we will present to ENISA, the European Commission, member states and any other relevant stakeholder.
     ● ENISA will be responsible for setting up the scheme in accordance with the Cybersecurity Act.
     Our guiding principles
     ● Do not reinvent the wheel, but build upon what is out there.
     ● Balanced representation.
     ● Aim for the highest common denominator for security assurance.

  3. Working Methodology
     What are the challenges?
     ● Safeguard a balanced composition of the WG
       ○ Supply side vs. demand side
       ○ Big companies vs. SMEs vs. public users/authorities
       ○ EU-centric drafting members
     ● Openness, transparency and inclusiveness
     ● Pooling relevant expertise and experience
     ● Promote commitment and effective contribution
     What are the tools?
     ● Strong, approved governance document
     ● Comprehensive, approved rules of procedure document
     ● Monitor attendance and relevant contribution
     ● Webinar format by default every two weeks, with actions and deliverables assigned to drafting members
     ● Quarterly rotating plenary sessions
     ● Online collaborative tool with:
       ○ Community site for discussion and information interchange between drafting members
       ○ A blog website for the general public (http://cspcerteurope.blogspot.com/)

  4. Working Group Composition
     Co-chairs
     ● Helmut Fallmann, FABASOFT (CSP)
     ● Borja Larrumbide, BBVA-EBF (User)
     Rapporteur
     ● Hans Graux, Timelex
     Drafting members: 23 => 27
     Observer members: 14 => 23
     European Commission: 6
     ● DG-CONNECT
     ● DG-DIGIT
     ● JRC
     ● DG-JUST
     Member organisations (drafting and observer members, as listed on the slide): Accenture, Access Partnership, AMAZON, ANSSI, BBVA/European Banking Federation, Bitkom/Deutsche Bundesdruckerei, Bosch GmbH, BSI, CISCO, CISPE, CTO Security Networks AG, Danish Business Authority, Danish Tax Authority, Deutsche Börse Group, DINSIC, Fabasoft, Fraunhofer/EU Cert/CSA, Google, HUAWEI, IBM, JPMorgan, LEET Security, Oodrive, ORACLE, Orange, Outscale, OVH, PWC, SALESFORCE, Santander bank, SAP, SCOPE EUROPE, Sistemas de Datos/Digital SME, TECNALIA, Trusted Cloud, UCIMU/Confidustria/Business Europe, UNINFO, Upcloud, VARAM, VdTuev, VDMA/BDI, VMWare, Zeker Online

  5. Governance
     ● Governance document
     ● Rules of procedure
     ● Collaboration tool (drafting members can edit and observers can read approved documents)
       ○ Working docs folder (drafting members only)
       ○ Minutes folder (all members)
       ○ Governance, rules and policies folder (all members)
       ○ Baseline documents folder (all members)
       ○ Glossary (all members)
       ○ Community site (drafting members only)
       ○ Bi-weekly web conference audios (drafting members only)
       ○ Blog site: http://cspcerteurope.blogspot.com/
       ○ Email used only exceptionally, so that the collaboration tool is used
     Membership levels: Public -> CSP CERT observers (relevant expertise & legitimate interest) -> drafting members (balance, commitment, effectiveness); transparency throughout.
     How to become a member?
     ● Send an expression of interest with a short justification and CV to cspcerteurope@gmail.com (an application form is also available in the blog).
     ● Confirmation of receipt of the expression of interest will follow.
     ● The co-chairs evaluate expertise/experience and legitimate interest. Fulfilled?
       ○ NO: rejection, or a request to designate a real expert.
       ○ YES: confirmation via email including next steps, as observer member or as drafting member (expertise and commitment are required).

  6. Milestones
     ● Milestone 1: To agree on a comprehensive set of underlying detailed security objectives.
     ● Milestone 2: To make a comparative analysis of the different conformity assessment methodologies in existence (the most prominent ones).
     ● Milestone 3: To develop a recommendation for a European Cloud Certification Scheme which provides for a clear and comprehensive set of security requirements at given level(s) of assurance, in accordance with the requirements set out in the Cybersecurity Act.
     [Figure: assurance-level matrix with three dimensions. Conformity assessment methodology: from low to high independence, trust and/or expertise. Continuity & robustness of reporting and monitoring compliance: one time, regular, over a period of time, continuous. Underlying standards / requirements / controls: from incomplete to very comprehensive. Their combination defines the assurance levels.]

  7. Self-Regulatory Process Roadmap 2017-2018
     [Figure: timeline from Sept 2017 to Dec 2018; items recoverable from the slide:]
     ● Sept 2017: Data Economy Package (FFD) and Cybersecurity Package (CSA)
     ● Mobilization of relevant stakeholders
     ● Kick-off of two WGs (12th Dec 2017)
     ● Preparatory phase (governance & composition)
     ● First official meeting of the WG (17th April 2018)
     ● Approval of governance and RoP & work on first deliverable (22nd June 2018)
     ● Political agreement on Free Flow of Data between Council and Parliament
     ● Rome plenary (16th July 2018)
     ● Milestone 1 completed & start of Milestone 2
     ● Trialogues on the Cybersecurity Act in progress
     ● Open consultation on the draft
     ● Vienna plenary (6th & 7th Dec 2018)
     ● Dec 2018: Milestones 2 & 3 completed

  8. Update on draft of milestone 1: Start with the most commonly used standards in Europe for cloud certification/attestation, based on a study funded by the European Commission and led by Tecnalia.

  9. Update on draft of milestone 1: Use the ENISA Cloud Certification Schemes Metaframework (CCSM) paper as a reference.

  10. Update on draft of milestone 1: Create a high-level gap analysis based on C5 (BSI), SecNumCloud (ANSSI), ISO 27002/27017/27018 and the ENISA CCSM, and map them to new cloud categories based on the Tecnalia study.

  11. Update on draft of milestone 1: For each cloud category, create control objectives mapped to its requirements and, where feasible, reference existing implementation standards or documents.

  13. Q&A (cspcerteurope@gmail.com)
