Presentation on the impact of EU data protection and cyber-security regulations/directives on cloud computing @ Public Policy Exchange symposium 'Rethinking Data Protection and Privacy in Europe: Shaping the European Digital Future', 6th July 2016
10. Why all this worry?
– Cloud computing is pervasive in modern society
– Limited market penetration by EU cloud providers -> the vast majority of cloud providers are based outside the EU
– The pace of service development, and of attacker capability, outstrips that of the regulatory environment
11. What should you think about when…
– Who are you entering into a contract with?
– What protections does your contract give you?
– Who can make changes to the T&C?
– Where is the data?
– On whom does the liability fall?
13. Trust at the Last Mile
• A problem for high-value, instantly usable data and services
– Critical data or keys are still exposed inside the cloud at the final processing steps
– This still requires the customer's unconditional trust in their CSP
18. Public sector approaches to cloud security

United Kingdom (G-Cloud):
Approach: Government procurement framework
Highlights:
• Based on ISO 27001
• Most data is “official”
• Reusable certification
Notable strength:
• Flexible

European Union:
ENISA CCSL and CCSM
Approach: Procurement guidance
Highlights:
• Maps certification regimes relevant to cloud customers
Notable strength:
• Standards-based

United States (FedRAMP):
Approach: Government procurement framework
Highlights:
• Based on NIST 800-53 rev. 4
• Moderate and High baseline controls
Notable strength:
• Transparent

Australia (Information Security Manual):
Approach: Government procurement guidance
Highlights:
• Risk-based approach encouraged
• 5 control levels
Notable strength:
• Risk-based
20. Conclusions from a recent workshop on Cloud Security and certification
• Trust and security are key to the successful adoption of cloud computing and its ability to drive European economic expansion
• Urgently gain clarity in the implementation of newly introduced regulatory regimes
• Promote the use of existing certification schemes and standards
• Raise awareness of cloud security and ensure understanding of what cloud security means
• Support the Free Flow of Data
21. To end…
• Recommendations for Future Policy Action
– What does cloud mean? – automation
– What would destroy cloud? – over-regulation and interruptions in automated interactions
– Flexibility to allow innovative services to develop
– Where possible, use open standards and open approaches more generally to allow transparency
• Technology solutions, including the unification of trusted computing and cloud computing, may remove the need to trust your provider
– May end up with no-one able to see inside, though…
Editor's note
How to effectively verify “what is really going on inside the cloud”:
Whether the acquired Cloud services are enforced;
Whether only the acquired Cloud services are accessing customers’ data.
In addition to developing cloud strategies, various countries and regions are taking the next step of developing cloud security requirements for government services or even as national policies. Each of their approaches has varying strengths from which countries can learn as they develop requirements and iterate going forward.
With its Cloud Strategy, NIS Directive, and the Digital Single Market strategy, the EU is pushing the importance of innovation, security, and resilience. While it is still unclear what the final form of the NIS Directive will be, it is likely that the Directive will encourage regulation that affects cloud service providers. In addition to being innovative, it is important that such regulation ultimately considers the other principles mentioned here today: being flexible, data-aware, risk-based, global standards-based, and transparent. Using these principles will ensure that countries are able to implement the regulations in the way that makes the most sense for them and that workable requirements ultimately result. A good first step is the EU’s Cloud Certification Schemes List and Cloud Certification Schemes Metaframework, which are flexible tools that cloud customers can use to guide their procurement of secure and resilient cloud services.
The UK’s G-Cloud program, in addition to demonstrating data awareness, is global standards-based, utilizing ISO 27001 as its basis and adding only a thin layer of unique requirements. In addition, G-Cloud takes the standards-based principle a step further in creating a reusable certification, which results in efficiencies similar to those achieved by utilizing global standards. It is also flexible, with multiple levels of certification possible, allowing government agencies to choose which level meets their needs.
In the US, FedRAMP has been developed and improved through consultation with cloud service providers, enabling important transparency. FedRAMP is also fairly flexible, as Moderate and High baselines are being developed, and government agencies will be able to choose which certification levels make sense for their varying data and services. However, as FedRAMP layers many controls and control parameters on top of NIST 800-53 rev. 4, it could be improved by being more risk-based and more global standards-based.
In Australia, the Department of Defence has developed a new Information Security Manual and encourages Australian government agencies to use it by taking a risk-based approach in evaluating which of the controls it outlines are important for their cybersecurity and cloud security. It also demonstrates data awareness, mapping the controls to five levels of data sensitivity (from a baseline level to top secret). In conjunction with the new cloud policy allowing agencies to determine for themselves whether to host data offshore, this policy enables flexibility.