
www.enisa.europa.eu

Cloud services security

Prof. Manel Medina
Head of Unit CERT Operations support
ENISA

[email protected]

About ENISA

o The European Network and Information Security Agency
o gives advice on information security issues
  o to national authorities, EU institutions, citizens, businesses
  o acts as a forum for sharing good NIS practices
  o facilitates information exchange and collaboration
o Set up in 2004 – EC proposed a new mandate for 2013. New mandate pending Council and Parliament approval.
o Around 35 security experts and 25 supporting staff.
o ENISA has an advisory role (not operational) and the focus is on prevention and preparedness.

Information Security Risks

[Chart: information security risks plotted against time]

Part of the solution

o Cloud computing
o Smartphones and apps
o Social media

The Shining Cloud

ENISA’s cloud security work

o 2009 Cloud computing risk assessment
o 2009 Cloud security control framework
o 2011 Security and resilience for gov clouds
o 2011 Security parameters in gov cloud SLAs
o 2011 EU Cloud strategy
o 2012 Procure secure
o 2012 Critical clouds

Leverage

Resilience

Security will drive adoption of cloud computing

Trust

Security and assurance standards

Penetration tests

Backup/failover tests

Data portability tests

From periodic certification to continuous monitoring

Cloud security: if you can’t measure it, you can’t manage it

Procure secure

o Work started as an ENISA/OASIS/CSA workshop
o Guide for customers on monitoring security parameters of cloud services
o Checklist with questions to ask
o 8 security parameters
o What and how to measure. Independence?
o When to raise a flag? Responsible (customer/provider)?
o Examples of security parameters
  o Service availability
  o Incident response
  o Vulnerability management

Procure secure: security parameters

1. Service availability: monitoring, thresholds
2. Incident response: severity classification, management capabilities
3. Service elasticity and load tolerance: burst tests, who?
4. Data life-cycle management: back-up frequency & integrity
5. Technical compliance and vulnerability management: configuration, patches, vulnerability discovery & reporting, 3rd party
6. Change management: notification, critical periods, loss of certification status
7. Data isolation: categories of data, independent test?
8. Log management and forensics: frequency, granularity, availability, cross checking
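The "what to measure, when to raise a flag, who is responsible" questions from the two Procure secure slides, as an added customer-side monitoring example (not ENISA's code or the guide's own checklist): it measures two of the eight parameters, service availability against a threshold and incident response time against per-severity limits, and returns the flags the customer would raise. The SLA thresholds and the outage/incident records are constructed, illustrative values.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumed SLA thresholds (illustrative values, not taken from the ENISA guide).
SLA_AVAILABILITY = 0.999                        # 99.9 % of the monitoring window
SLA_RESPONSE_HOURS = {"critical": 1, "high": 4, "medium": 24, "low": 72}

@dataclass
class Incident:
    severity: str         # severity class agreed in the contract
    detected: datetime    # when the provider detected or was notified of it
    responded: datetime   # when the agreed response actually started

def availability(window_hours, outages):
    """Fraction of the window the service was up; outages are (start, end) pairs."""
    downtime_h = sum((end - start).total_seconds() for start, end in outages) / 3600
    return 1.0 - downtime_h / window_hours

def response_breaches(incidents):
    """Incidents whose response time exceeded the limit for their severity class."""
    breaches = []
    for inc in incidents:
        hours = (inc.responded - inc.detected).total_seconds() / 3600
        limit = SLA_RESPONSE_HOURS[inc.severity]
        if hours > limit:
            breaches.append((inc.severity, hours, limit))
    return breaches

def evaluate(window_hours, outages, incidents):
    """Return the flags a customer would raise; each names the responsible party."""
    flags = []
    avail = availability(window_hours, outages)
    if avail < SLA_AVAILABILITY:
        flags.append("availability %.4f%% below SLA %.1f%% (provider)"
                     % (avail * 100, SLA_AVAILABILITY * 100))
    for sev, hours, limit in response_breaches(incidents):
        flags.append("%s incident responded after %.1f h, limit %d h (provider)"
                     % (sev, hours, limit))
    return flags

# Constructed sample data for one 30-day window (720 h).
SAMPLE_OUTAGES = [
    (datetime(2015, 12, 1, 2, 0), datetime(2015, 12, 1, 2, 30)),      # 30 min
    (datetime(2015, 12, 10, 14, 0), datetime(2015, 12, 10, 14, 25)),  # 25 min
]
SAMPLE_INCIDENTS = [
    Incident("critical", datetime(2015, 12, 5, 10, 0), datetime(2015, 12, 5, 10, 45)),
    Incident("high", datetime(2015, 12, 12, 9, 0), datetime(2015, 12, 12, 15, 0)),
]

if __name__ == "__main__":
    for flag in evaluate(720, SAMPLE_OUTAGES, SAMPLE_INCIDENTS):
        print("FLAG:", flag)
```

The 55 minutes of downtime leave the month at 99.87 % availability, below the 99.9 % threshold, and the high-severity incident took six hours against a four-hour limit, so two flags are raised.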

Contact

Dr. Marnix Dekker <[email protected]>

Prof. Manel Medina <[email protected]>

About securely moving to smartphones and cloud computing
http://www.enisa.europa.eu/act/application-security

Security parameters in Cloud SLAs
http://www.enisa.europa.eu/activities/application-security/test/procure-secure-a-guide-to-monitoring-of-security-service-levels-in-cloud-contracts