ETSI 2012. All rights reserved

CLOUD STANDARDS COORDINATION
Cannes, 4-5 December 2012

Session 1: Security and Privacy

Rapporteur: Thomas Haeberlen (ENISA)
Co-Facilitators: Daniele Catteddu (CSA), Michael Fisher (BT)
Participants: ~50
ETSI/BOARD(12)89_0XX

Functional scope

The scope covers the creation of a standards landscape and roadmap applicable to electronic information processed or stored in the cloud. The context is information security and privacy/data protection. Specifically, five main areas are envisaged:
- Governance
- Risk assessment
- Compliance
- Technology-neutral risk treatment and controls
- Frameworks at detail level, e.g. encryption, authentication, accountability, BCM, incident management, etc.

Consider cloud-relevant standards, not just cloud-specific ones.
Use cases/requirements

Key questions that need to be addressed (bearing in mind the EU landscape and market):
- Cross-border legal issues; both privacy and security issues were cited. Diversity in data privacy laws across the EU appears to be a very prominent issue.
- Conflict of interest between cloud users and the national security of the hosting country
- Visibility and transparency
- Assurance and trust
- Certification, audit and testing
- Compatibility and interoperability with standards outside Europe
- Identity and Access Management, AAA
- Security along the supply chain
- Virtualization and multi-tenancy risks
- Data location, secure data deletion
Use cases/requirements (contd)

Requirements/use cases:
- Use cases are very diverse; no clear picture emerged during the session
- Defined use cases are essential
- Having a reference architecture would be helpful
- Need to cover the whole spectrum from consumer cloud to public procurement for government clouds and ECP
Who does what in this space?

Organizations delivering technical specifications and/or standards:
- ISO/IEC JTC1 SC27
  - InfoSec: 27000, 27001, 27002, 27005, 27009 (number TBC), 27017 / 27036-1 / 27036-5 / sector-specific implementation of ISO 27001
  - Privacy: 27018, 29100, 29101, PIMS project, PIA project
- Common Criteria
- ITU-T SG17: X.ccsec, X.gpim
- BSI (Germany): Security Recommendations for Cloud Computing Providers; IT-Grundschutz plus extensions (e.g. technical guidelines)
- NIST: SP 800-12, SP 800-14, SP 800-26, SP 800-37, SP 800-53 rev4, SP 800-122, SP 800-144
Who does what in this space? (contd)

Organizations delivering technical specifications and/or standards (continued):
- ENISA: Cloud Assurance Framework, Procure Secure guidelines
- ETSI: several standards related to electronic signatures etc.
- BSI (UK): BS 10012
- UK government: published G-Cloud security and privacy checklists for 27001/2
- Information Security Forum: Standard of Good Practice
- CSA: Cloud Controls Matrix (CCM) / Open Certification Framework (OCF)
Who does what in this space? (contd)

Organizations delivering technical specifications and/or standards (continued):
- Payment Card Industry Security Standards Council: PCI DSS
- IETF: RFC 2196, SCIM
- EuroCloud: STAR Audit
- AICPA: SOC 1, SOC 2, SOC 3
- ODCA: requirements
- OASIS: SAML
- OpenID Foundation
- Commonwealth of Massachusetts: checklist under Massachusetts General Law Chapter 93H, 201 CMR 17.00
Who does what in this space? (contd)

Organizations delivering technical specifications and/or standards (continued):
- ISACA: COBIT 5
- Shared Assessments Program
- COSO

Other suggestions on relevant standards:
- ITIL V3
- ISAE 3402
- FFIEC
- PMBOK
- Information security rating (www.leetsecurity.com)
- CMMI for Development, V1.2
- TOGAF 8.1