EU28 Cloud Security Conference: Reaching the Cloud Era in the European Union
Track A: Legal and Compliance - “Cloud Security and the Network and Information Security Directive: the need for Harmonization”
Jan Neutze, Director, Cybersecurity Policy, EMEA, Microsoft
Aims of a national cybersecurity strategy

Overview
1) Emerging Cloud & Cybersecurity Strategies
2) The NIS Directive – opportunities and challenges
3) Case Study: Estonia’s Virtual Data Embassies
Emerging Cloud & Cybersecurity Strategies: Global Landscape

Governments and regional organizations with cybersecurity strategies (grouped by region as on the slide):
- US, Canada
- Australia, New Zealand
- Bangladesh, Hong Kong, India, Indonesia, Japan, Kyrgyzstan, Maldives, Malaysia, Mongolia, Philippines, Singapore, South Korea, Taiwan, Vanuatu
- Austria, Belarus, Belgium, Czech Republic, Cyprus, Estonia, EU, Finland, France, Germany, Georgia, Hungary, Italy, Latvia, Lithuania, Luxembourg, Montenegro, Netherlands, Norway, Poland, Romania, San Marino, Slovakia, Spain, Sweden, Switzerland, UK
- Ghana, Kenya, Mauritius, South Africa, Uganda
- Israel, Jordan, Qatar, Saudi Arabia, Turkey, UAE
- Argentina, Brazil
- Panama, Trinidad & Tobago

Countries with only cloud programs:
- Cloud strategy: Ireland
- Cloud initiatives: Azerbaijan, Chile, China, Costa Rica, Denmark, Egypt, Greece, Malta, Mexico, Moldova, Portugal, Russia, Slovenia, Sri Lanka, Thailand

Legend on the original map: Bold = cloud strategy; Underline = cloud initiatives

60 governments and regional organizations have cybersecurity strategies; 14 have cloud strategies; and 36 have cloud initiatives.
Trustworthy Cloud Principles

Cloud program categories, characteristics, and examples

Operational guidance
Outline guidance or concrete steps that the government is taking to advance public sector cloud adoption, including:
• controls for areas of concern (i.e. contracts and security);
• development of pilot projects; public, private, or community clouds; or a synced approach to cloud procurement; or
• consolidation of data centers
Benefits, risks, and need for best practices/standards acknowledged.

Advancing government cloud adoption / Advancing government and private cloud adoption
Seek to encourage and enable public sector OR public and private sector cloud adoption by:
• increasing or organizing procurement through whole-of-government certification programs, dedicated cloud infrastructure, or app stores;
• providing guidance to help agencies evaluate the benefits and risks of, procure, and manage cloud services;
• centralizing government resources;
• promoting local SME understanding and acceptance of cloud services;
• partnering with global CSPs to enable local market growth;
• describing successful examples of government cloud projects; or
• attempting to resolve issues that might inhibit adoption
Benefits and risks assessed; plans to mitigate risks described, including through the development of standards and security and procurement guidance.

Explanatory statements
Take basic steps to enable or demonstrate limited government cloud adoption by:
• defining cloud computing and deployment/service models;
• applying existing legal requirements to cloud;
• describing a nascent cloud project; or
• approving of cloud for future public sector procurement
Discussion of cloud adoption benefits and risks is undeveloped.

Example countries (grouped as on the slide):
• Denmark, Mauritius, Philippines, Sri Lanka
• Hong Kong, Ireland, New Zealand, Qatar
• Estonia, India, Netherlands, UK, United States
• Australia, EU, Malaysia, Singapore
Public sector approaches to cloud security

United Kingdom: G-Cloud
Approach: Government procurement framework
Highlights:
• Based on ISO 27001
• Most data is “official”
• Reusable certification

United States: FedRAMP
Approach: Government procurement framework
Highlights:
• Based on NIST 800-53 v4
• Moderate and High baseline controls

Australia: InfoSecurity Manual
Approach: Government procurement guidance
Highlights:
• Risk-based approach encouraged
• 5 control levels

European Union: ENISA CCSL and CCSM
Approach: Procurement guidance
Highlights:
• Maps certification regimes relevant to cloud customers

Notable strengths called out across the four approaches: Flexible; Standards-based; Transparent; Risk-based
Key EU Initiatives: DSM & NIS
Opportunities & Challenges

The Digital Single Market Strategy
European Commission Digital Single Market Strategy (May 2015)
- The Communication on a Digital Single Market Strategy includes an upcoming European “Free flow of data” initiative, which will build on the “Trusted Cloud Europe” vision and subsequent consultations. This initiative will address the emerging issues of ownership, interoperability, usability and access to data.
- In the 2nd Quarter of 2015, the Commission is expected to launch a public consultation on a Green Paper on Trust & cloud computing in Europe.
- In 2016, the Commission is planning to launch a European Cloud initiative which will include cloud services certification, contracts and switching of cloud services providers. Some of the elements stem from the work carried out by the industry working groups (C-SIGs) on the EU Cloud Computing Strategy.
- The Commission is currently still assessing whether to opt for full, co- or self-regulatory actions.
The NIS Directive - opportunities
Proposal for a Directive on Network and Information Security (February 2013)
- The Directive aims to raise the level of network and information security across European critical operators.
- The Directive is a first step towards building more common approaches to cybersecurity. This can result in a more integrated operational picture, sharing of strategic assessments from reported incidents and enhanced public-private cooperation.
- Cybersecurity baseline: the Directive should result in processes and capabilities to pro-actively prevent serious cybersecurity incidents as well as the ability to isolate and quickly recover from any incident.
- The Directive is likely to be adopted in the second half of 2015 and Member States will get 18-24 months for transposition into national law.
The NIS Directive – Challenges

Scope
-> Latvian Presidency has proposed separate Annex & approach for IEs (internet enablers)
-> details remain unclear
-> The Directive must be focused on critical infrastructure only.

Lack of EU Harmonization: Major Challenges around Jurisdiction/Applicable Law
Cybersecurity Patchwork: could end up with 28 entirely different regimes

Reporting obligations
-> to whom do pan-EU operators report?
-> how would internet enablers determine impact on the customer side?
-> how is customer confidentiality ensured?

Security Baselines & Audit requirements
-> Which security standards would be applied by which NCA?
-> Which NCA would receive audits? New audit powers vs. sharing existing audit results?
Estonia’s Data Embassies
Leveraging the cloud for national resiliency

Estonia: a digital society moving to the cloud
• First country to offer digital citizenship
• First country to implement electronic voting
• First country to issue digital ID cards
• 144% mobile adoption
• GDP per capita $22,000
• 80% of population internet users
• Population 1.3 million

Estonia leverages IT to provide public services and maintains roughly 200 databases across 14 agencies, 900 registries and roughly 3,000 services, including its population register, business register, land register, and e-government systems.
Approximately 10% of Estonia’s services relate to military and defense. Data for several of these systems have no “paper” hard copy and exist online only.
Estonian Data Embassy Initiative: overarching strategy

CLOUD BENEFITS FOR GOVERNMENTS
• Citizen services. Ability to drive innovation with data services in the cloud that citizens can reuse.
• Infrastructure. Reduction in data centers and public sector ICT can drive hardware efficiencies.
• Flexibility. Allows the meeting of real-time needs, or offloading of onsite data to the public cloud as needed to improve operational efficiencies.
• Collaboration. Enables more effective communication and collaboration.
• Continuity of operations. With centralized data storage, management, and backups, data recovery can be faster and easier.
• Creative IT. Since cloud services can be centrally managed, IT workers are freed from a “keep-the-lights-on” approach, providing more time to foster creative problem-solving.
Research project: Estonia and Microsoft partner for success

Goals:
• Explore feasibility of migrating services to the cloud
• Demonstrate how services run in a failover scenario
• Understand where existing services can be optimized

Systems in scope:
• Electronic State Gazette. Cloud technologies: Microsoft Azure™. Operating system: CentOS; application stack: Apache, Java and PostgreSQL.
• Website of the President of Estonia. Cloud technologies: Microsoft Azure™. Operating system: FreeBSD; application stack: PHP and MariaDB.