Page 1 (source: docbox.etsi.org/Workshop/2012/201212_CSC/SECURITY_PRIVACY/SE…)

Output Break-out Session #1

Security and Privacy

© ETSI 2012. All rights reserved

CLOUD STANDARDS COORDINATION

Cannes, 4-5 December 2012

Page 2

Session 1

Security and Privacy

Thomas Haeberlen (ENISA)

Daniele Catteddu (CSA), Michael Fisher (BT)

~ 50

ETSI/BOARD(12)89_0XX2

Page 3

Functional scope

• The scope covers the creation of a standards landscape and roadmap applicable to electronic information processed or stored in the cloud. The context is information security and privacy/data protection.

• Specifically, five main areas are envisaged:

• Governance

• Risk assessment

• Compliance

• Technology-neutral risk treatment + controls

• Frameworks at detail level, e.g. encryption, authentication, accountability, BCM, incident management, etc.

• Consider cloud-relevant standards, not just cloud-specific

Page 4

Use cases/requirements

Key questions that need to be addressed (bearing in mind the EU landscape and market):

• Cross-border legal issues

• Both privacy and security issues were cited

• Diversity in Data Privacy laws across EU seems to be a very prominent issue

• Conflict of interest between cloud users and national security of hosting country

• Visibility, transparency

• Assurance and trust

• Certification, Audit and testing

• “Compatibility” and “interoperability” with standards outside Europe

• Identity and Access Management, AAA

• Security along the supply chain

• Virtualization and multi-tenancy risks

• Data location, Secure data deletion


Page 5

Use cases/requirements

Requirements/use cases

• Use cases very diverse, no clear picture emerged during the session

• Defined use cases are essential

• Having a reference architecture would be helpful

• Need to cover the whole spectrum from “consumer” cloud to public procurement for government clouds and ECP


Page 6

Who does what in this space?

Organizations delivering technical specifications and/or standards

• ISO/IEC JTC1 SC27

• InfoSec: 27000, 27001, 27002, 27005, 27009 (number TBC), 27017 / 27036-1 / 27036-5 / Sector Specific Implementation of ISO 27001

• Privacy: 27018, 29100, 29101, PIMS project, PIA project

• Common Criteria

• ITU-T SG17

• X.ccsec, X.gpim

• BSI (Germany)

• Security Recommendations for Cloud Computing Providers

• IT-Grundschutz plus extensions (e.g. technical guidelines)

• NIST

• SP 800-12, SP 800-14, SP 800-26, SP 800-37, SP 800-53 rev4, SP 800-122, SP 800-144


Page 7

Who does what in this space? (cont’d)

Organizations delivering technical specifications and/or standards (continued)

• ENISA

• Cloud Assurance Framework, “Procure Secure” guidelines

• ETSI

• Several standards related to electronic signatures etc.

• BSi (UK)

• BS 10012

• UK government

• Published “g-cloud” security & privacy checklists for 27001/2

• Information Security Forum

• Standard of Good Practice

• CSA

• Cloud Control Matrix (CCM) / Open Certification Framework (OCF)


Page 8

Who does what in this space? (cont’d)

Organizations delivering technical specifications and/or standards (continued)

• Payment Card Industry Security Standards Council: PCI DSS

• IETF: RFC2196, SCIM

• EuroCloud: STAR Audit

• AICPA: SOC 1, SOC 2, SOC 3

• ODCA: requirements

• OASIS: SAML

• OpenID Foundation

• Commonwealth of Massachusetts: Checklist under Massachusetts General Law Chapter 93H, 201 CMR 17.00


Page 9

Who does what in this space? (cont’d)

Organizations delivering technical specifications and/or standards (continued)

• ISACA - Cobit 5

• Shared Assessments Program

• COSO

Other suggestions on relevant standards

• ITIL® V3

• ISAE 3402

• FFIEC

• PMBOK

• Information security rating (www.leetsecurity.com)

• CMMI® for Development, V1.2

• TOGAF 8.1
