www.enisa.europa.eu
Cloud services security
Prof. Manel Medina, Head of Unit CERT Operations Support
About ENISA
o The European Network and Information Security Agency
o gives advice on information security issues
  o to national authorities, EU institutions, citizens, businesses
o acts as a forum for sharing good NIS practices
o facilitates information exchange and collaboration
o Set up in 2004 – EC proposed a new mandate for 2013. New mandate pending Council and Parliament approval.
o Around 35 security experts and 25 supporting staff.
o ENISA has an advisory role (not operational) and the focus is on prevention and preparedness.
Part of the solution
o Cloud computing
o Smartphones and apps
o Social media
ENISA’s cloud security work
o 2009 Cloud computing risk assessment
o 2009 Cloud security control framework
o 2011 Security and resilience for gov clouds
o 2011 Security parameters in gov cloud SLAs
o 2011 EU Cloud strategy
o 2012 Procure secure
o 2012 Critical clouds
Cloud security; if you can’t measure it, you can’t manage it
From periodic certification to continuous monitoring
Procure secure
o Work started as an ENISA/OASIS/CSA workshop
o Guide for customers on monitoring security parameters of cloud services
o Checklist with questions to ask
o 8 security parameters
o What and how to measure. Independence?
o When to raise a flag? Responsible (Customer/Provider)?
o Examples of security parameters
  o Service availability
  o Incident response
  o Vulnerability management
Procure secure: security parameters
1. Service availability: monitoring, thresholds
2. Incident response: severity classification, management capabilities
3. Service elasticity and load tolerance: burst tests, who?
4. Data life-cycle management: back-up frequency & integrity
5. Technical compliance and vulnerability management: configuration, patches, vulnerability discovery & reporting, 3rd party
6. Change management: notification, critical periods, loss of certification status
7. Data isolation: categories of data, independent test?
8. Log management and forensics: frequency, granularity, availability, cross checking
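As an added illustration of the "measure it, then raise a flag" idea behind these parameters (not part of the ENISA slides or guide), the following Python checks provider-reported data for three of the eight parameters (availability, incident response, patching) against SLA thresholds. All thresholds, record formats and sample data are constructed for the example.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed SLA thresholds (illustrative values, not taken from the ENISA guide).
SLA = {
    "availability_pct_min": 99.9,                               # 1. service availability
    "incident_ack_hours": {"high": 1, "medium": 8, "low": 48},  # 2. incident response
    "patch_days_max": {"critical": 7, "other": 30},             # 5. vulnerability management
}

# Minimal record types for what the provider reports each period (constructed shapes).
Outage = namedtuple("Outage", "start end")
Incident = namedtuple("Incident", "severity reported acknowledged")
Patch = namedtuple("Patch", "criticality published applied")

def availability_pct(outages, period_start, period_end):
    """Uptime percentage over the reporting period; outages are clipped to the period."""
    total = (period_end - period_start).total_seconds()
    down = sum(max(0.0, (min(o.end, period_end) - max(o.start, period_start)).total_seconds())
               for o in outages)
    return 100.0 * (1 - down / total)

def evaluate(outages, incidents, patches, period_start, period_end):
    """Return the SLA flags raised for one reporting period (the 'when to raise a flag' step)."""
    flags = []
    avail = availability_pct(outages, period_start, period_end)
    if avail < SLA["availability_pct_min"]:
        flags.append(f"availability {avail:.3f}% below {SLA['availability_pct_min']}%")
    for i in incidents:
        # Severity classification agreed in the SLA decides the acknowledgement deadline.
        limit = timedelta(hours=SLA["incident_ack_hours"][i.severity])
        if i.acknowledged - i.reported > limit:
            flags.append(f"{i.severity} incident acknowledged late (limit {limit})")
    for p in patches:
        limit = timedelta(days=SLA["patch_days_max"][p.criticality])
        if p.applied - p.published > limit:
            flags.append(f"{p.criticality} patch applied late (limit {limit})")
    return flags

# Constructed sample provider report for June 2012: a one-hour outage, one high-severity
# incident acknowledged after 1h55m, and a critical patch applied within four days.
PERIOD = (datetime(2012, 6, 1), datetime(2012, 7, 1))
SAMPLE_OUTAGES = [Outage(datetime(2012, 6, 10, 2), datetime(2012, 6, 10, 3))]
SAMPLE_INCIDENTS = [Incident("high", datetime(2012, 6, 10, 2, 5), datetime(2012, 6, 10, 4))]
SAMPLE_PATCHES = [Patch("critical", datetime(2012, 6, 1), datetime(2012, 6, 5))]
```

Running `evaluate(SAMPLE_OUTAGES, SAMPLE_INCIDENTS, SAMPLE_PATCHES, *PERIOD)` flags the availability shortfall and the late acknowledgement but not the patch, which is within its seven-day limit.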
Contact
Dr. Marnix Dekker <[email protected]>
Prof. Manel Medina <[email protected]>
About securely moving to smartphones and cloud computing
http://www.enisa.europa.eu/act/application-security
Security parameters in Cloud SLAs
http://www.enisa.europa.eu/activities/application-security/test/procure-secure-a-guide-to-monitoring-of-security-service-levels-in-cloud-contracts