Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector
Page 1: Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector

Madrid, 16 November 2016
Miguel A. Amutio
Secretaría General de Administración Digital
Ministerio de Hacienda y Función Pública

Cloud Security Alliance EMEA Congress

Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector

Page 2

Contents
1. Why and what is the National Security Framework (NSF-ENS)
2. Compliance with the NSF-ENS
3. Challenges and conclusions

Page 3

1. Why and what is the National Security Framework

Page 4

Digital public services
• The new administrative laws (39/2015 and 40/2015) foresee a paperless Administration on the basis of working fully with electronic means.
• Digital public services are provided in a complex scenario in Spain.
• Potential risks.

Page 5

Why the NSF-ENS
• Create the necessary conditions of trust, through measures to ensure IT security for the exercise of rights and the fulfilment of duties through electronic access to public services.
• Promote the continuous management of security, regardless of the impulses of the moment.
• Promote prevention, detection and correction.
• Promote a common approach to security which enables cooperation to deliver eGovernment services. The NSF complements the National Interoperability Framework.

National Security Framework (NSF) = Esquema Nacional de Seguridad (ENS)

Page 6

The National Security Framework
• It is a legal text (Royal Decree 3/2010).
• It establishes the security policy for the use of ICT by the Public Sector.
• To be followed by the Public Sector in Spain.
• Developed through 'technical security instructions'.
• It is a key element of the National Cybersecurity Strategy.

Page 7

NSF-ENS, Main elements
All entities of the Public Sector will have a security policy, formally adopted, on the basis of the basic principles and minimum requirements.
• The basic principles to be taken into account in decisions about security.
• The minimum requirements which allow an adequate protection of information.
• Categorization of systems and risk management for the adoption of proportionate security measures, according to the information and services to be protected and to the risks to which they are exposed.
• Security audit to verify compliance with the NSF.
• Response to security incidents (CERT).
• Use of security-certified products, to be considered in procurement.
• Awareness and training.

Page 8

Security measures
• Organizational
  – security policy
  – security regulations
  – security procedures
  – authorization process
• Operational
  – planning
  – access control
  – operation
  – external services
  – continuity
  – monitoring
• Asset protection
  – facilities
  – personnel
  – equipment
  – communications
  – media
  – software
  – information
  – services

+ use of common infrastructures and services and security guidelines provided by CCN.

Page 9

Using Cloud, Public entities should …
Public entities should, as SP 800-144 says:
• Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
• Deploy:
  o Understand the public cloud computing environment offered by the cloud provider -> assess and manage risk accurately.
  o Ensure that a cloud computing solution satisfies organizational security and privacy requirements.
  o Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
• Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

Page 10

Consideration of Who does What
For instance:

In case of use of cloud services, the following measures deserve special attention:
• [org.4] Authorization process
• [op.acc.4] Access rights management process
• [op.exp.7] Incident management
• [op.exp.11] Cryptographic key protection
• [op.ext] External services

There are measures that should not be transferred to the CSP:
• Categorization of the system (Annex I)
• Security policy [org.1]
• Security regulations [org.2]
• Risk analysis [op.pl.1] (coordinate)
• Authorization process [org.4] (coordinate)
• Daily management [op.ext.2] (coordinate)
• Incident management [op.exp.7] (coordinate)
• Protection of customer equipment [mp.eq]

Activities that the CSP should probably not carry out:
• Electronic signature [mp.info.4]
• Time stamps [mp.info.5]
• User identification [op.acc.1]
• Access requirements [op.acc.2]
• Management of access rights [op.acc.4]
• Authentication mechanism [op.acc.5]
• User activity log [op.exp.5]
• Protection of activity records [op.exp.10]
• Protection of cryptographic keys [op.exp.11]
• Metric system [op.mon.2] (coordinate)

Page 11

Cloud services and the NSF-ENS
2 Security requirements
  2.1 Roles and functions
  2.2 Categorization (ENS - Annex I)
    2.2.1 Communities
  2.3 Recommendations
  2.4 Protection measures (ENS - Annex II)
  2.5 Additional restrictions
3 Requirements derived from data protection
4 Internal regulations
5 Procurement
  5.1 Description of service
  5.2 Subcontracting
  5.3 Protection of information
  5.4 Service level agreements
  5.5 Access to service
  5.6 Geographical conditions
  5.7 Responsibilities and obligations
  5.8 Registration of activity
  5.9 Termination of service
6 Operation
  6.1 Operating security procedures
  6.2 Follow-up of the service
  6.3 Change management
  6.4 Incident management
  6.5 Backup and recovery of data
  6.6 Continuity of the service
  6.7 Termination
7 Supervision and audit
Annex A. ENS compliance

Page 12

NSF-ENS, 27000 and CCM
Annex A contains the controls of the ISO/IEC 27002 standard and of the CCM matrix, together with their correspondence to the ENS requirements they help to meet.

Page 13

2. Compliance with the National Security Framework

Source: NASA

Page 14

Interested actors
Audit, reporting & compliance

Page 15

Compliance with the NSF-ENS
Technical Security Instruction - Compliance with the National Security Framework
Index
I. Object.
II. Scope.
III. Procedures for determining compliance.
IV. Declaration of Compliance with the National Security Framework of BASIC category systems and its publicity.
V. Certification of Compliance with the National Security Framework of systems of category MEDIUM or HIGH and its publicity.
VI. Requirements of the certifying entities.
VII. Solutions and services provided by the private sector.
Annex I. Contents of the Declaration of Compliance with the National Security Framework.
Annex II. Declaration of Compliance with the National Security Framework.
Annex III. Content of the Certification of Compliance with the National Security Framework.
Annex IV. Certificate of Compliance with the National Security Framework.

Page 16

Requirements for providers
• Providers are often engaged in the provision of solutions or services (for example, through cloud services) for systems under the scope of the NSF.
• Solutions or services should comply with the requirements of the NSF-ENS and have the corresponding Declarations or Certifications of Compliance:
  – Declaration of Compliance with the NSF-ENS (category BASIC)
  – Certification of Compliance with the NSF-ENS (mandatory for categories MEDIUM or HIGH, voluntary for category BASIC)
• Providers: same procedures as for the Public Sector.

Page 17

Requirements for Certifiers
Accreditation by ENAC according to UNE-EN ISO/IEC 17065:2012, for the certification of systems within the scope of the ENS. In case of NOT having the accreditation:
1. They will request accreditation from ENAC.
2. They will inform the CCN of the acceptance of the request.
3. They can begin their certification activities on a temporary basis, having 12 months to obtain the accreditation.

Page 18

3. Challenges and Conclusions

Page 19

Challenges & Conclusions
The National Security Framework (NSF-ENS):
• Promotes a common approach to cybersecurity in the Public Sector of Spain, adapted to its requirements.
• Independent audits are the basis for the Security Report and for compliance with the NSF-ENS.
• Compliance with the NSF-ENS is applicable to:
  – Entities of the Public Sector
  – Providers of solutions and services (e.g. cloud services) engaged in systems under the scope of the NSF-ENS
• Public entities should have an understanding of security issues in the cloud computing environment and ensure security requirements.
• Under development: specific compliance requirements to certify cloud service providers for systems falling under the ENS.

Page 20

Challenges & Conclusions
Challenges:
• Progress in cybersecurity of entities of the Public Sector. Improve the implementation of the security measures.
• Extend the implementation of the NSF-ENS to all kinds of information systems of the Public Sector in Spain.
• Extend the use of common services offered by the General State Administration.
• Promote compliance with the NSF-ENS.

Page 22

The Public Sector in Spain (diagram; Law 40/2015 and Law 39/2015)
• General State Administration
• Autonomous Communities
• Local Entities
• Institutional Public Sector (linked or dependent):
  – Public Entities and Public Law Entities
  – Entities of Private Law (administrative powers)
  – Public Universities
• Public Law Corporations (linked or dependent)


Page 28

E-mail addresses
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]
– [email protected]

Web pages:
– administracionelectronica.gob.es
– www.ccn-cert.cni.es
– www.ccn.cni.es
– www.oc.ccn.cni.es

Many thanks