Final Public-Private recommendation for a European Cloud Security Certification Scheme, Amsterdam, 12th June 2019


Page 1: Final Public-Private recommendation for a European Cloud … · 2019-06-12 · CCAL: Refined Objectives for the European CSP Service Certification “The assessment of the correct

Final Public-Private recommendation for a European Cloud Security Certification Scheme

Amsterdam 12th June 2019

Page 2

Timeline

● Sept 2017: Data Economy Package: Free Flow of Data (FFD) & Cybersecurity Package (Cybersecurity Act (CSA) proposal, Sept 2017)
● Mobilization of relevant stakeholders
● 12th Dec 2017: Kick-off of two WGs
● Dec 2017 to April 2018: Preparatory phase (governance & composition)

Goal: To explore the possibility of developing a European Cloud Certification Scheme in the context of the Cybersecurity Act and come up with a recommendation that will be presented to the European Commission and ENISA

Page 3

Working Group Composition

CSPCERT WG
● Drafting Members (balanced composition, commitment, effectiveness)
● Observers (transparency)
● Public
● Relevant expertise & legitimate interest

Drafting members (32):
Accenture, AMAZON, ANSSI, BBVA/EBF, Bosch GmbH, BSI, CSA, CISCO, Danish Tax Authority, Deutsche Börse Group, Erasmus University, Eurocloud, Fabasoft, Google, HSBC, IBM, JPMorgan, LEET Security, LSEC, Norea, Oodrive, ORACLE, Orange, PWC, SAP, Secura, Securemailbox, TECNALIA, Trusted Cloud, UCIMU/Confindustria/Business Europe, UNINFO, Zeker Online

Observers (29):
Access Partnership, Amadeus, Bitkom/Deutsche Bundesdruckerei, CISCO, CISPE, CTO Security Networks AG, DINSIC, Danish Business Authority, Digital Europe, European Banking Federation, Google, Government of Ontario, HUAWEI, Microsoft, Nokia, OVH, Outscale, Palo Alto, PWC, Santander bank, SALESFORCE, Sistemas de Datos/Digital SME, SCOPE EUROPE, Swedish civil contingencies agency, Upcloud, VARAM, Virtustream (DELL), VdTuev, VMWare

Co-chairs
● Borja Larrumbide, BBVA-EBF (User)
● Helmut Fallmann, FABASOFT (CSP)

Rapporteur
● Hans Graux, Timelex

European Commission:
● DG-CONNECT
● DG-DIGIT
● JRC
● DG-JUST

ENISA

Page 4

Working Methodology and tools

Online Collaborative tool (Community site / Blog)

Strong approved Governance document

Comprehensive approved Rules of Procedure document

Monitor attendance and relevant contribution

Webinar formats by default every two weeks with actions and deliverables assigned to drafting members

Quarterly rotating plenary sessions

www.cspcert.eu

Page 5

Goal & Milestones

(Figure: the three dimensions along which the scheme is characterised)
● Continuity & robustness of reporting and of monitoring compliance: one time, regular, or continuous (over a period of time)
● Underlying security objectives / requirements / implementation (assurance levels): from incomplete to very comprehensive
● Conformity assessment methodologies: from low to high independence, trust and/or expertise

Page 6

Goal & Milestones

Goal: To explore the possibility of developing a European Cloud Certification Scheme in the context of the Cybersecurity Act and come up with a recommendation that will be presented to the European Commission and ENISA

● Milestone 1: Jan-Oct 2018
● Milestone 2: Oct-Dec 2018
● Open consultation: Jan 2019
● Milestone 3: ends Jun 2019

Page 7

Timeline (Sept 2017 to July 2019)

● Sept 2017: Data Economy Package: Free Flow of Data (FFD) & Cybersecurity Package (Cybersecurity Act (CSA) proposal, Sept 2017)
● Mobilization of relevant stakeholders
● 12th Dec 2017: Kick-off of two WGs
● Dec 2017 to April 2018: Preparatory phase (governance & composition)
● 17th April 2018: Brussels plenary
● 22nd June 2018: Approval of governance and RoP; work on first deliverable
● 4th & 5th July 2018: Paris plenary
● 16th & 17th October 2018: Rome plenary: Milestone 1 completed and Milestone 2 started
● 6th & 7th December 2018: Vienna plenary: Milestone 2 initiated
● Political agreement on Free Flow of Data between Council and Parliament
● Trialogues on Cybersecurity Act in progress
● Jan 2019: Open consultation
● 26th & 27th Feb 2019: Madrid plenary: initiate draft of Milestone 3
● 2nd & 3rd April 2019: Berlin plenary
● 12th & 13th June 2019: Amsterdam plenary: Milestone 3 ends; proposal ends too

Page 8

Cloud Computing Assurance Levels (CCAL)

Prof. William Ochs, Certification Enablement Manager, Cisco Global Certifications, USA

Page 9

CCAL Overview

● Scope of the Certification
● Refined Objectives for the European CSP Service Certification
● Assurance Levels
  ○ Role of Risk Management in Determination
  ○ Characteristics and Requirements for the Assurance Levels
● Ensuring EU-wide Recognition of Certificates through Consistency of Assurance Levels

Page 10

CCAL Overview

● The CSPCERT WG defines 26 recommendations for ENISA and the EU Commission related to certification assurance levels
● Recommendations are tied directly to the European Union Cybersecurity Act (EUCA)
● CCAL focuses primarily on Article 51 and Article 52 of the EUCA
● Provides examples that could be used to select a certification level of assurance, based on risk scenarios and risk assessments undertaken by an end-user for a cloud service
● Provides for CSP certification perimeters and the addition of new sectoral requirements or overlays to the certification
● Provides for the Cybersecurity Act's assurance requirements and their correspondence to the different assurance levels

Page 11

CCAL: Scope of the Certification

"In order to be certified, the cloud service must meet all the requirements of the certification scheme reference documents that are applicable to the service boundary (e.g. IaaS, PaaS, SaaS, XaaS) and the chosen level of assurance." (CSPCERT, Milestone 3)

Page 12

CCAL: Refined Objectives for the European CSP Service Certification

"The assessment of the correct implementation of the controls that achieve the security objectives listed in the Milestone 1 document (see Annex 1) with a methodology from the ones listed in the Milestone 2 document should be a guide to ensure that all these objectives are fulfilled regarding a certain assurance level." (CSPCERT, Milestone 3)

Page 13

CCAL: Refined Objectives for the European CSP Service Certification

● Focused on Article 51 of EUCA
● First 10 recommendations fall under Article 51
● All CSPCERT recommendations are numbered and come with a justification statement

Page 14

CCAL: Assurance Levels and Risk Assessment Correlation

● Focused on Article 52 of EUCA
● Recommendations 11-21 fall under Article 52
● "Performing a proper risk analysis requires that both dimensions need to be considered and assessed. Based on the outcome of the risk assessment, a required level of assurance can be determined." (CSPCERT, Milestone 3)

Page 15

CCAL: Assurance Levels: Defined Areas Impacted by Recognized Risks

● Personal
● Business
● Societal

Page 16

CCAL: Assurance Levels as Defined in EUCA Article 52

● Basic
● Substantial
● High

Page 17

CCAL: Assurance Levels: CSP Certification Perimeter & Addition of New Sectoral Requirements

Page 18

CCAL: Ensuring EU-Wide Recognition

● Recommendations 22-26 focus on level of trust, fidelity, and certificate acceptance
● Introduce the concept of audit level of detail relevant to the assurance level
● Introduce peer review mechanisms
● Introduce the importance of governance (addressed in detail in SGOV)
● Recommend that the NCCA endorses the final audit reports and the issuance of the certificate

Page 19

Cyber Security Act Requirements (CSAR)

Tom Vreeburg, Independent IT Risk and Assurance professional, Advisor to the board of NOREA. NOREA, Netherlands

Page 20

CSAR Part

The EU Cybersecurity Act (EUCA) provides the cybersecurity certification framework (Title III, Art 46 among others)

CSPCert provides recommendations for ENISA to prepare a European Cybersecurity Certification Scheme for Cloud Service Providers

EUCA, Art 46: 'European cybersecurity certification scheme' means a comprehensive set of rules, technical requirements, standards and procedures that are established at Union level and that apply to the certification or conformity assessment of specific ICT products, ICT services or ICT processes;

Requirements for a scheme are set out in particular in EUCA Art 54 and 55

Page 21

Elements of European cybersecurity certification schemes (EUCA Art 54)

22 elements provide the minimum requirements

CSPCert added 20+ recommendations to provide guidance to ENISA on how to detail these elements in the EU Cybersecurity Certification Scheme for Cloud Service Providers

Page 22

Scope

● Purpose of the scheme:
  ○ Provide stakeholders with a statement on scope, reliability and security of the cloud service
  ○ Enhance credibility/confidence/trust of the statement by the CSP
● Scoping in a cloud environment


Page 24

Information needed for issuance of the certificate

Information provided by the Cloud Service Provider:
● Identification
● CSP's conformity statement
● CSP's description of the service
● Control objectives, related controls and tests of controls
● Other information

Supplementary cybersecurity information (EUCA Art 55)

Consequences of non-compliance with requirements of the scheme

Page 25

Maximum period of validity, by required level of assurance

● High: continuous audit strategy or annual audit
● Substantial: continuous audit strategy or annual audit
● Basic: maximum validity 3 years, with annual control check

Page 26

Scheme Governance (SGOV)

Clemens Doubrava, Head of Section Information Security in the Cloud, BSI, Germany

Aurelien Leteinturier, Head of security products and services approval unit, ANSSI, France

Page 27

SGOV Part

● Common parts between all assurance levels
  ○ Committees and groups
  ○ Complaints management
  ○ Peer review
  ○ Community management
● Specific governance recommendations for each assurance level: Basic, Substantial and High

Page 28

Committee and groups (EU level)

(Diagram: a Management Committee, several Joint Expert Groups and a Conciliation Commission; the relations shown are set up / mandate, report, and appoint)

Page 29

Complaints Management

Page 30

Peer reviews

Page 31

Community management

(Diagram: groups of NCCA & Experts)

Page 32

Assurance level Basic

(Diagram) Actors: National Cybersecurity Certification Authority (NCCA), Monitoring Body, CSP Service. Relations shown: approve & supervise; evaluate & monitor; supervise evaluations; issue certificate; community management.

Page 33

Assurance level Substantial

Page 34

Assurance level High

(Diagram) Actors: National Accreditation Body (NAB), National Cybersecurity Certification Authority (NCCA), Conformity Assessment Body (CAB), CSP Service. Relations shown: accredit; approve; evaluate; supervise evaluations; monitor certificates; issue certificate; community management.

Page 35

Conclusion and recommendations

Leire Orue-Echevarria Arrieta, Project Manager Cloud technologies and security, Tecnalia, Spain

Page 36

General recommendation

● To include the development of an EU-wide cloud security certification scheme in the EU rolling work programme for the European cybersecurity certification framework under the EUCA
● To request ENISA to prepare a candidate scheme on the basis of the present proposal
● CSPCERT does not recommend a completely new certification scheme but rather a scheme based on existing practices/schemes/standards used by the industry and internationally recognized

Page 37

Cloud Computing Assurance Levels (CCAL): Assurance levels

● 3 levels of assurance: Basic, Substantial and High, depending on the associated risk level
● Clear guidance on how to perform this risk assessment and link the assurance level to the cloud service
● A description of what the basic/substantial/high assurance level indicates
● Examples of which level of assurance should be associated with which service

Page 38

Cloud Computing Assurance Levels (CCAL): Evaluation criteria

● Defined a set of Security Objectives, with a taxonomy and a methodology to include new ones, when required
● Keep a similar taxonomy and update it when appropriate
● Keep a similar methodology for the inclusion of new controls and update it accordingly

Page 39

Cloud Computing Assurance Levels (CCAL): Conformity Assessment Methodologies

3 third-party conformity assessment methodologies (CAMs):
● Evidence-based
● ISO-based
● ISAE-based

● To reduce the level of bias, assess third-party conformity assessment methodologies for safeguards to ensure a common level of trust
● Clear guidance on the required procedures and criteria per assurance level
● Evaluate the possibility of including continuous monitoring for High
● CAMs must measure operational effectiveness in Substantial and High, and not merely control existence
● Frequency of renewal and what triggers it

Page 40

Cybersecurity Act Requirements (CSAR)

● Baseline certification requirements and security objectives that could be enhanced with further regulatory requirements coming from regulators, supervisors or the industry
● CSPs shall retain the ability to provide services outside the scope for which they are being certified, but cannot, in this case, use this certification for the purpose of providing these services

Page 41

Scheme Governance (SGOV)

● Establish governance requirements as a part of the scheme, to implement and maintain the scheme
● Involve relevant stakeholders (e.g. regulators, supervisors, industry) to avoid overlaps with other regulations and to facilitate security, trust, privacy, transparency and free flow of data
● Maintain a dedicated website with information on the scheme, and related data on certified CSPs and the validity of their certificates