Output Break-out Session #1

Security and Privacy

ETSI 2012. All rights reserved
CLOUD STANDARDS COORDINATION
Cannes, 4-5 December 2012
Session 1
Security and Privacy

Rapporteur: Thomas Haeberlen (ENISA)

Co-Facilitators: Daniele Catteddu (CSA), Michael Fisher (BT)

Participants: ~ 50


ETSI/BOARD(12)89_0XX
2
Functional scope

The scope covers the creation of a standards landscape and roadmap applicable to electronic information processed or stored in the cloud. The context is information security and privacy/data protection.

Specifically, five main areas are envisaged:
Governance
Risk assessment
Compliance
Technology-neutral risk treatment + controls
Frameworks at detail level, e.g. encryption, authentication, accountability, BCM, incident management, etc.

Consider cloud-relevant standards, not just cloud-specific ones.


Use cases/requirements

Key questions that need to be addressed (bearing in mind the EU landscape and market):
Cross-border legal issues
  Both privacy and security issues were cited
  Diversity in data privacy laws across the EU seems to be a very prominent issue
  Conflict of interest between cloud users and national security of the hosting country
Visibility, transparency
Assurance and trust
Certification, audit and testing
Compatibility and interoperability with standards outside Europe
Identity and Access Management, AAA
Security along the supply chain
Virtualization and multi-tenancy risks
Data location, secure data deletion

Use cases/requirements (contd)

Requirements/use cases:
Use cases are very diverse; no clear picture emerged during the session
Defined use cases are essential
Having a reference architecture would be helpful
Need to cover the whole spectrum from consumer cloud to public procurement for government clouds and ECP

Who does what in this space?

Organizations delivering technical specifications and/or standards:
ISO/IEC JTC1 SC27
  InfoSec: 27000, 27001, 27002, 27005, 27009 (number TBC), 27017 / 27036-1 / 27036-5 / Sector Specific Implementation of ISO 27001
  Privacy: 27018, 29100, 29101, PIMS project, PIA project
  Common Criteria
ITU-T SG17
  X.ccsec, X.gpim
BSI (Germany)
  Security Recommendations for Cloud Computing Providers
  IT-Grundschutz plus extensions (e.g. technical guidelines)
NIST
  SP 800-12, SP 800-14, SP 800-26, SP 800-37, SP 800-53 rev4, SP 800-122, SP 800-144

Who does what in this space? (contd)

Organizations delivering technical specifications and/or standards (continued):
ENISA
  Cloud Assurance Framework, Procure Secure guidelines
ETSI
  Several standards related to electronic signatures etc.
BSI (UK)
  BS 10012
UK government
  Published G-Cloud security & privacy checklists for 27001/2
Information Security Forum
  Standard of Good Practice
CSA
  Cloud Controls Matrix (CCM) / Open Certification Framework (OCF)

Who does what in this space? (contd)

Organizations delivering technical specifications and/or standards (continued):
Payment Card Industry Security Standards Council: PCI DSS
IETF: RFC 2196, SCIM
EuroCloud: STAR Audit
AICPA: SOC 1, SOC 2, SOC 3
ODCA: requirements
OASIS: SAML
OpenID Foundation
Commonwealth of Massachusetts: Checklist under Massachusetts General Law Chapter 93H, 201 CMR 17.00

Who does what in this space? (contd)

Organizations delivering technical specifications and/or standards (continued):
ISACA: COBIT 5
Shared Assessments Program
COSO

Other suggestions on relevant standards:
ITIL V3
ISAE 3402
FFIEC
PMBOK
Information security rating (www.leetsecurity.com)
CMMI for Development, V1.2
TOGAF 8.1