Cloud Security Alliance EMEA Congress
Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector
Text of the presentation by Miguel A. Amutio
Good morning, Ladies and Gentlemen,
I appreciate very much the invitation to speak here today in this CSA EMEA Congress.
My talk is about “Using cloud services: compliance with the Security Requirements
of the Spanish Public Sector.”
You might be aware that in Spain we are promoting the protection, the cybersecurity of
information and services managed by entities of the Spanish Public Sector by means of
the National Security Framework, in place since the beginning of 2010.
Since the use of cloud services is expanding also through the public sector we have seen
the need:
• To provide specific guidance to meet the requirements of the NSF
• And to deploy a compliance approach to be applied by Spanish entities of the public
sector, and also by providers of solutions or services through cloud computing.
So, in this presentation we will see:
First of all, Why and What is the National Security Framework (NSF- ENS)
Then, Compliance with the NSF-ENS
And finally, Challenges and conclusions
1. Why and What is the National Security Framework (NSF-ENS)
Digital public services
Look, the public sector in Spain has a considerable size: the General State
Administration, 17 regional governments and 2 autonomous cities, plus over 8,000
municipalities, public universities and other entities under public law. As you can imagine
the scenario is quite complex.
Our country has committed to the development of eGovernment services. In fact the
trend is the digital transformation of our Administration. For instance, the new
administrative laws (39/2015 and 40/2015) foresee a paperless Administration on the
basis of working fully with electronic means.
And in any case, there is a need for a comprehensive framework to address
security.
Why the National Security Framework
The National Security Framework has been designed to ensure an overall approach
to information security throughout the public sector; both coherent and efficient, by
identifying synergies and eliminating duplication of work.
The NSF addresses the following objectives or needs, as you prefer:
• To create the necessary conditions of trust, through measures to ensure IT security for the exercise of rights and the fulfillment of duties through the electronic access to public services.
• To promote the continuous management of security, regardless of the impulses of the moment or lack thereof.
• To promote best practices for prevention, detection and reaction.
• To provide common concepts and elements of security. This common approach is helpful:
o to provide guidance to Public Administrations in the implementation of ICT security,
o to enable cooperation to deliver eGovernment services,
o and to facilitate the interaction between Public Administrations. The NSF complements the National Interoperability Framework.
• To facilitate the communication of security requirements to the Industry. Surely, it is easy to imagine what this means in terms of calls for tenders, technical specifications, predictive offer. The Industry finds all Public Administrations speaking the same language.
The NSF - Royal Decree 3/2010
How do we produce a positive change towards security? How do we make impact?
Through the legal framework.
The Spanish NSF is implemented through a legal text, a regulation, the Royal Decree
3/2010, which develops the provisions about security foreseen in the Legal framework of the
public sector.
The NSF establishes the security policy for eGovernment services. It consists of the
basic principles and minimum requirements to enable adequate protection of information, to be
followed by the Public Sector.
The National Security Framework introduces common security elements applicable to
the whole public sector in Spain.
It is also a key element of the National Cybersecurity Strategy.
This National Security Framework, as well as the National Interoperability Framework, is
the result of a collective effort of all public administrations and also of the Industry
through their main associations, under the leadership of the team formed by the Ministry of
Finance and Public Function and the National Cryptologic Center.
The main elements of the NSF
Public Administrations will have a security policy on the basis of the basic principles and
minimum requirements.
Which are the main elements of the NSF?
• The basic principles to be taken into account in decisions about security.
• The minimum requirements which allow an adequate protection of information.
• How to satisfy the basic principles and minimum requirements by means of the adoption of proportionate security measures, according to the information and services to be protected and to the risks to which they are exposed.
• Security audits.
• Response to security incidents (CERT).
• Security certified products, to be considered in procurement.
• Awareness and training.
Security measures
Let's see an overview of the security measures in the NSF.
The NSF refers to security measures, grouped in three general classes:
• Organizational: measures related to global security.
• Operational: measures to protect the system's operation as a comprehensive set of components.
• Asset protection: measures to protect specific assets (facilities, personnel, equipment, communications, information media, applications, information, services), according to their nature and requirements.
The NSF tells the WHAT, but there is freedom on HOW to implement them.
Using Cloud, Public entities should …
Public entities should, as SP 800-144 says:
“Carefully plan the security and privacy aspects of cloud computing solutions before
engaging them.
Understand the public cloud computing environment offered by the cloud provider ->
assess and manage risk accurately
Ensure that a cloud computing solution satisfies organizational security and privacy
requirements.
Ensure that the client-side computing environment meets organizational security
and privacy requirements for cloud computing.
Maintain accountability over the privacy and security of data and applications
implemented and deployed in public cloud computing environments.”
Consideration of Who does What
In relation to the implementation of the security measures, 'Who does What' requires careful consideration: some measures should remain on the side of the public entity, other measures could be carried out by the provider, and others would require a detailed analysis to decide who does them.
In case of use of cloud services, the following measures deserve special attention:
• [Org.4] Authorization process
• [Op.acc.4] Access rights management process
• [Op.exp.7] Incident management
• [Op.exp.11] Cryptographic Key Protection
• [Op.ext] External services
There are measures that should not be transferred to the CSP:
• Categorization of the system (Annex I)
• Security policy [org.1]
• Security policy [org.2]
• Risk analysis [op.pl.1] (coordinate)
• Authorization process [org.4] (coordinate)
• Daily management [op.ext.2] (coordinate)
• Incident management [op.exp.7] (coordinate)
• Protection of customer equipment [mp.eq.]
Activities that probably the CSP should not carry out:
• Electronic signature [mp.info.4]
• Time stamps [mp.info.5]
• User identification [op.acc.1]
• Access requirements [op.acc.2]
• Management of access rights [op.acc.4]
• Authentication mechanism [op.acc.5]
• User activity log [op.exp.5]
• Protection of activity records [op.exp.10]
• Protection of cryptographic keys [op.exp.11]
• Metric system [op.mon.2] (coordinate)
Cloud services and the NSF
For all these reasons, we are offering guidance about the use of cloud services and
security through a guide (CCN-STIC 823) with the following contents. This guide is under
revision at this moment.
2 SECURITY REQUIREMENTS
2.1 ROLES AND FUNCTIONS
2.2 CATEGORIZATION (ENS - ANNEX I)
2.2.1 COMMUNITIES
2.3 RECOMMENDATIONS
2.4 PROTECTION MEASURES (ENS - ANNEX II)
2.5 ADDITIONAL RESTRICTIONS
3 REQUIREMENTS DERIVED FROM DATA PROTECTION
4 INTERNAL REGULATIONS
5 PROCUREMENT
5.1 DESCRIPTION OF SERVICE
5.2 SUBCONTRACTING
5.3 PROTECTION OF INFORMATION
5.4 SERVICE LEVEL AGREEMENTS
5.5 ACCESS TO SERVICE
5.6 GEOGRAPHICAL CONDITIONERS
5.7 RESPONSIBILITIES AND OBLIGATIONS
5.8 REGISTRATION OF ACTIVITY
5.9 TERMINATION OF SERVICE
6 OPERATION
6.1 OPERATION PROCEDURES
6.2 FOLLOW-UP OF THE SECURITY
6.3 CHANGE MANAGEMENT
6.4 INCIDENT MANAGEMENT
6.5 BACKUP AND RECOVERY OF DATA
6.6 CONTINUITY OF THE SERVICE
6.7 TERMINATION OF THE SERVICE
7 SUPERVISION AND AUDIT
ANNEX A. ENS COMPLIANCE
NSF, 27000 and CCM
The supplier/provider may have security certifications or accreditations. These certifications can simplify the complete audit of the service rendered, as evidence of compliance to be valued by the audit team. For example:
• Recommended audits by ENISA for service providers in the cloud [ENISA-CCSL]
• Information Security Management System (ISMS) [ISO / IEC 27001: 2013]
• Continuity Management System [ISO 22301: 2012]
• Cloud Controls Matrix [CCM]
Annex A of Guide CCN-STIC 823 contains the controls of ISO 27002 and the CCM matrix, together with their correspondence to the requirements of the NSF. This table shows the gaps with the NSF.
2. Compliance with the National Security Framework
Audit, reporting and compliance
Who are the interested actors?
Compliance with NSF
The NSF can be developed through ‘Technical Security Instructions’ to address some
specific issues.
In order to satisfy the demand, a 'Technical Security Instruction' has been published recently in the official gazette:
TECHNICAL SECURITY INSTRUCTION - COMPLIANCE WITH THE NATIONAL
SECURITY FRAMEWORK
INDEX
I. Object.
II. Scope.
III. Procedures for determining compliance.
IV. Declaration of Compliance with the National Security Framework of BASIC category
systems and its publicity.
V. Certification of Compliance with the National Security Framework of systems of
category MEDIUM or HIGH and its publicity.
VI. Requirements of the certifying entities.
VII. Solutions and services provided by the private sector.
Annex I. Contents of the Declaration of Compliance with the National Security Framework.
Annex II. Declaration of Compliance with the National Security Framework.
Annex III. Content of the Certification of Compliance with the National Security Framework.
Annex IV. Certificate of Compliance with the National Security Framework.
Requirements for providers
Private sector organizations are often engaged in the provision of solutions or
services to public entities (through, for example, cloud services) within systems subject
to the obligations of the NSF.
Solutions or services should comply with the provisions of the NSF-ENS and have the
corresponding Declarations or Certifications of Compliance.
In this case, providers should be able to show:
A Declaration of Compliance with the NSF-ENS (in the case of category systems
BASIC)
or a Certification of Compliance with the NSF-ENS (mandatory, in the case of MEDIUM
or HIGH category systems, and of voluntary application in the case of BASIC category
systems), using the same procedures as those required for public entities.
It is the responsibility of contracting public entities to notify providers of solutions or services of the obligation that such solutions or services should comply with the provisions of the ENS-NSF and have the corresponding Declarations or Certifications of Compliance.
When the provision of solutions or services subject to compliance with the ENS is carried out by private sector organizations, they should use the same documentary models used for Declarations, Certifications or Compliance Badges contained in this guide, replacing the references to the public entities by the ones corresponding to the private entities.
Likewise, the Compliance Badges, when displayed by such private operators, should link
to the corresponding Declarations or Certifications of Compliance, which will always be
accessible on the website of the economic operator in question.
In addition to the National Cryptologic Center, public entities that use solutions or
services provided or rendered by private sector organizations that exhibit a Declaration or
Certification of Compliance with the ENS may at any time request from such operators
the corresponding Self-Assessment or Audit Reports, in order to verify the
appropriateness and adequacy of the aforementioned manifestations.
Requirements for certifiers
The main requirement for certifiers of compliance with the NSF-ENS is the
accreditation by ENAC according to UNE-EN ISO / IEC 17065: 2012 (Conformity
assessment — Requirements for bodies certifying products, processes and services), for
the certification of systems within the scope of ENS.
In case of NOT having the accreditation:
• They will request accreditation from ENAC.
• They will inform the CCN of the acceptance of the request.
• They can begin their certification activities on a temporary basis, having 12 months to obtain the accreditation.
The CCN maintains a list of Certification Entities, accredited or in the process of being
accredited.
Exempt are those entities, organs, agencies and units of the Public Administrations whose
competencies correspond to the development of IS audits as recorded in their creation
regulations or structure decrees.
Challenges and Conclusions
The National Security Framework (NSF-ENS):
• Promotes a common approach to cybersecurity in the public sector of Spain, adapted to its requirements.
• Independent audits are the basis for the Security Report and for the compliance with the NSF-ENS.
• Compliance with the NSF-ENS is applicable to:
o Entities of the Public Sector
o Providers of solutions and services (e.g. Cloud services) engaged in systems under the scope of the NSF-ENS.
• Public entities should have an understanding of security issues in the cloud computing environment and ensure security requirements.
• Under development: specific compliance requirements to certify cloud service providers for systems falling under ENS.
Challenges:
• Progress in cybersecurity of entities of the Public Sector.
• Improve the implementation of the security measures.
• Extend the implementation of the NSF-ENS to all kinds of information systems of the Public Sector in Spain.
• Extend the use of common services offered by the General State Administration.
• Improve the compliance with the NSF-ENS.
To know more about IT security in Spain
Well, for more information about IT security in Spain:
The NSF is available in English.
The eGovernment factsheet of Spain published by the European Commission
in JOINUP.
And the websites of the CCN, the Certification Body, ENAC and the eGovernment
Portal provide more information.
Thank you very much for your attention