Cloud Security Alliance EMEA Congress
Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector
Text of the presentation by Miguel A. Amutio

Good morning, Ladies and Gentlemen, I appreciate very much the invitation to speak here today at this CSA EMEA Congress. My talk is about “Using cloud services: compliance with the Security Requirements of the Spanish Public Sector.”

You might be aware that in Spain we are promoting the protection, the cybersecurity, of information and services managed by entities of the Spanish Public Sector by means of the National Security Framework, in place since the beginning of 2010. Since the use of cloud services is expanding also through the public sector, we have seen the need:
• To provide specific guidance to meet the requirements of the NSF
• And to deploy a compliance approach to be applied by Spanish entities of the public sector, and also by providers of solutions or services through cloud computing.

So, in this presentation we will see:
First of all, why and what is the National Security Framework (NSF-ENS)
Then, compliance with the NSF-ENS
And finally, challenges and conclusions
1. Why and What is the National Security Framework (NSF-ENS)

Digital public services

Look, the public sector in Spain has a considerable size: the General State Administration, 17 regional governments and 2 autonomous cities, plus over 8,000 municipalities, public universities and other entities under public law. As you can imagine, the scenario is quite complex.

Our country has committed to the development of eGovernment services. In fact, the trend is the digital transformation of our Administration. For instance, the new administrative laws (39/2015 and 40/2015) foresee a paperless Administration on the basis of working fully with electronic means. And in any case, there is a need for a comprehensive framework to address security.

Why the National Security Framework

The National Security Framework has been designed to ensure an overall approach to information security throughout the public sector, both coherent and efficient, by identifying synergies and eliminating duplication of work.

The NSF addresses the following objectives or needs, as you prefer:
• To create the necessary conditions of trust, through measures to ensure IT security for the exercise of rights and the fulfilment of duties through electronic access to public services.
• To promote the continuous management of security, regardless of the impulses of the moment or lack thereof.
• To promote best practices for prevention, detection and reaction.
• To provide common concepts and elements of security. This common approach is helpful:
o to provide guidance to Public Administrations in the implementation of ICT security,
o to enable cooperation to deliver eGovernment services,
o and to facilitate the interaction between Public Administrations. The NSF complements the National Interoperability Framework.
• To facilitate the communication of security requirements to the
Industry. Surely, it is easy to imagine what this means in terms of calls for tenders, technical specifications and predictable offers. The Industry finds all Public Administrations speaking the same language.

The NSF - Royal Decree 3/2010

How do we produce a positive change towards security? How do we make an impact? Through the legal framework. The Spanish NSF is implemented through a legal text, a regulation, the Royal Decree 3/2010, which develops the provisions about security foreseen in the legal framework of the public sector.

The NSF establishes the security policy for eGovernment services. It consists of the basic principles and minimum requirements to enable adequate protection of information, to be followed by the Public Sector. The National Security Framework introduces common security elements applicable to the whole public sector in Spain. It is also a key element of the National Cybersecurity Strategy.

This National Security Framework, as well as the National Interoperability Framework, is the result of a collective effort of all public administrations and also of the Industry through their main associations, under the leadership of the team formed by the Ministry of Finance and Public Function and the National Cryptologic Center.

The main elements of the NSF

Public Administrations will have a security policy on the basis of the basic principles and minimum requirements. Which are the main elements of the NSF?
• The basic principles to be taken into account in decisions about security.
• The minimum requirements which allow an adequate protection of information.
• How to satisfy the basic principles and minimum requirements by means of the adoption of proportionate security measures, according to the information and services to be protected and to the risks to which they are exposed.
• Security audits.
• Response to security incidents (CERT).
• Security certified products, to be considered in procurement.
• Awareness and training.
Security measures

Let's see an overview of the security measures in the NSF. There is a reference in the NSF to security measures. There are three general classes of security measures:
• Organizational: measures related to global security.
• Operational: the measures to protect the system's operation as a comprehensive set of components.
• Asset protection: measures to protect specific assets (facilities, personnel, equipment, communications, information media, applications, information, services), according to their nature and requirements.

The NSF tells the WHAT, but there is freedom on HOW to implement them.

Using Cloud, Public entities should …

Public entities should, as SP 800-144 says:
“Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
Understand the public cloud computing environment offered by the cloud provider -> assess and manage risk accurately.
Ensure that a cloud computing solution satisfies organizational security and privacy requirements.
Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.”

Consideration of Who does What

In relation to the implementation of the security measures, ‘Who does What’ requires careful consideration: some measures should remain on the side of the public entity; other measures could be carried out by the provider; other ones would require a detailed analysis to decide who does them:
In case of use of cloud services, the following measures deserve special attention:
• [Org.4] Authorization process
• [Op.acc.4] Access rights management process
• [Op.exp.7] Incident management
• [Op.exp.11] Cryptographic key protection
• [Op.ext] External services

There are measures that should not be transferred to the CSP:
• Categorization of the system (Annex I)
• Security policy [org.1]
• Security policy [org.2]
• Risk analysis [op.pl.1] (coordinate)
• Authorization process [org.4] (to coordinate)
• Daily management [op.ext.2] (coordinate)
• Incident management [op.exp.7] (coordinate)
• Protection of customer equipment [mp.eq.]

Activities that probably the CSP should not carry out:
• Electronic signature [mp.info.4]
• Time stamps [mp.info.5]
• User identification [op.acc.1]
• Access requirements [op.acc.2]
• Management of access rights [op.acc.4]
• Authentication mechanism [op.acc.5]
• User activity log [op.exp.5]
• Protection of activity records [op.exp.10]
• Protection of cryptographic keys [op.exp.11]
• Metric system [op.mon.2] (coordinate)

Cloud services and the NSF

For all these reasons, we are offering guidance about the use of cloud services and security through a guide (CCN-STIC 823) with the following contents. This guide is under revision at this moment.

2 SECURITY REQUIREMENTS
2.1 ROLES AND FUNCTIONS
2.2 CATEGORIZATION (ENS - ANNEX I)
2.2.1 COMMUNITIES
2.3 RECOMMENDATIONS
2.4 PROTECTION MEASURES (ENS - ANNEX II)
2.5 ADDITIONAL RESTRICTIONS
3 REQUIREMENTS DERIVED FROM DATA PROTECTION
4 INTERNAL REGULATIONS
5 PROCUREMENT
5.1 DESCRIPTION OF SERVICE
5.2 SUBCONTRACTING
5.3 PROTECTION OF INFORMATION
5.4 SERVICE LEVEL AGREEMENTS
5.5 ACCESS TO SERVICE
5.6 GEOGRAPHICAL CONDITIONERS
5.7 RESPONSIBILITIES AND OBLIGATIONS
5.8 REGISTRATION OF ACTIVITY
5.9 TERMINATION OF SERVICE
6 OPERATION
6.1 OPERATING SECURITY PROCEDURES
6.2 FOLLOW-UP OF THE SERVICE
6.3 CHANGE MANAGEMENT
6.4 INCIDENT MANAGEMENT
6.5 BACKUP AND RECOVERY OF DATA
6.6 CONTINUITY OF THE SERVICE
6.7 TERMINATION
7 SUPERVISION AND AUDIT
ANNEX A. ENS COMPLIANCE

NSF, 27000 and CCM

The supplier/provider may have security certifications or accreditations. These certifications can simplify the complete audit of the service rendered, in their condition of evidence of compliance to be valued by the audit team. For example:
• Recommended audits by ENISA for service providers in the cloud [ENISA-CCSL]
• Information Security Management System (ISMS) [ISO / IEC 27001: 2013]
• Continuity Management System [ISO 22301: 2012]
• Cloud Controls Matrix [CCM]

Annex A of Guide CCN-STIC 823 contains the controls of ISO 27002 and the CCM matrix, together with their correspondence to meet the requirements of the NSF. This table shows the gaps with the NSF.

2. Compliance with the National Security Framework

Audit, reporting and compliance

Who are the interested actors?
Compliance with the NSF

The NSF can be developed through ‘Technical Security Instructions’ to address some specific issues. In order to satisfy the demand, a ‘Technical Security Instruction’ has been published recently in the official gazette:

TECHNICAL SECURITY INSTRUCTION - COMPLIANCE WITH THE NATIONAL SECURITY FRAMEWORK
INDEX
I. Object.
II. Scope.
III. Procedures for determining compliance.
IV. Declaration of Compliance with the National Security Framework of BASIC category systems and its publicity.
V. Certification of Compliance with the National Security Framework of systems of category MEDIUM or HIGH and its publicity.
VI. Requirements of the certifying entities.
VII. Solutions and services provided by the private sector.
Annex I. Contents of the Declaration of Compliance with the National Security Framework.
Annex II. Declaration of Compliance with the National Security Framework.
Annex III. Content of the Certification of Compliance with the National Security Framework.
Annex IV. Certificate of Compliance with the National Security Framework.

Requirements for providers

Private sector organizations are often engaged in the provision of solutions or services to public entities (through, for example, cloud services) within systems subject to the obligations of the NSF. Solutions or services should comply with the provisions of the NSF-ENS and have the corresponding Declarations or Certifications of Compliance. In this case, providers should be able to show a Declaration of Compliance with the NSF-ENS (in the case of BASIC category systems) or a Certification of Compliance with the NSF-ENS (mandatory in the case of MEDIUM or HIGH category systems, and of voluntary application in the case of BASIC category systems), using the same procedures as those required for public entities.

It is the responsibility of contracting public entities to notify providers of solutions or services of the obligation that such solutions or services should comply with the provisions of the ENS-NSF and have the corresponding Declarations or Certifications of Compliance. When the provision of solutions or services subject to compliance with the ENS is carried out by private sector organizations, they should use the same documentary models
used for Declarations, Certifications or Compliance Badges contained in this guide, replacing the references to the public entities by the ones corresponding to the private entities. Likewise, the Compliance Badges, when displayed by such private operators, should link to the corresponding Declarations or Certifications of Compliance, which will always be accessible on the website of the economic operator in question.

In addition to the National Cryptologic Center, public entities that use solutions or services provided or rendered by private sector organizations that exhibit a Declaration or Certification of Compliance with the ENS may at any time request from such operators the corresponding Self-Assessment or Audit Reports, in order to verify the appropriateness and adequacy of the aforementioned statements.

Requirements for certifiers

The main requirement for certifiers of compliance with the NSF-ENS is accreditation by ENAC according to UNE-EN ISO / IEC 17065: 2012 (Conformity assessment — Requirements for bodies certifying products, processes and services), for the certification of systems within the scope of the ENS. In case of NOT having the accreditation:
• They will request accreditation from ENAC.
• They will inform the CCN of the acceptance of the request.
• They can begin their certification activities on a temporary basis, having 12 months to obtain it.

The CCN maintains a list of Certification Entities, accredited or in the process of being accredited. Exempt are those entities, organs, agencies and units of the Public Administrations whose competencies correspond to the development of IS audits as recorded in their creation regulations or structure decrees.

Challenges and Conclusions

The National Security Framework (NSF-ENS):
• Promotes a common approach to cybersecurity in the public sector of Spain, adapted to its requirements.
• Independent audits are the basis for the Security Report and for compliance with the NSF-ENS.
• Compliance with the NSF-ENS is applicable to:
o Entities of the Public Sector
o Providers of solutions and services (e.g. cloud services) engaged in systems under the scope of the NSF-ENS.
• Public entities should have an understanding of security issues in the cloud computing environment and ensure security requirements.
• Under development: specific compliance requirements to certify cloud service providers for systems falling under the ENS.

Challenges:
• Progress in cybersecurity of entities of the Public Sector.
• Improve the implementation of the security measures.
• Extend the implementation of the NSF-ENS to all kinds of information systems of the Public Sector in Spain.
• Extend the use of common services offered by the General State Administration.
• Improve compliance with the NSF-ENS.

To know more about IT security in Spain

Well, for more information about IT security and Spain:
• The NSF is available in English.
• The eGovernment factsheet of Spain published by the European Commission on JOINUP.
• And the websites of the CCN, the Certification Body, ENAC and the eGovernment Portal provide more information.

Thank you very much for your attention.
