Using cloud services
Cloud Security Alliance EMEA Congress Using cloud services: C Compliance li with ith the th Security S it Requirements of the Spanish Public Sector Bilbao, 20 de abril de 2016 Madrid, Miguel16 A. November Amutio Gómez2016 Subdirector S bdi t Adjunto Adj t dde C Coordinación di ió dde Unidades U id d TIC Miguel A. Amutio Dirección de Tecnologías de la Información y las Comunicaciones Secretaría General de Administración Digital Ministerio de Hacienda y Función Pública 1 Contents Why and What is the National Security F Framework k (NSF(NSF ENS) Compliance with the NSF NSF-ENS ENS Challenges and conclusions Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 2 1. Why 1 Wh and d what h t iis the National Security Framework Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 3 Digital public services The new administrative laws (39/2015 and 40/2015) foresee a paperless Administration on the basis of working fully with electronic means. means Digital public services are provided in a complex l scenario i in i Spain. S i Potential risks. Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 4 Why the NSF-ENS National Security Framework (NSF) = Esquema Nacional de Seguridad (ENS) Create the necessary conditions of trust, trust through measures to ensure IT security for the exercise of rights and the fulfillment of duties through the electronic access to public services. Promote the continuous management of security, y, regardless g of the impulses p of the moment . Promote prevention, detection and correction correction. Bilbao, 20 de abril de 2016 A. Amutio Gómez Promote a commonMiguel approach to security y which S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC enables cooperation toDirección deliver eGoverment services. NSF complements the de Tecnologías de la Información y lasThe Comunicaciones National Interoperability Framework. 5 The National Security Framework It is a legal text (Royal Decree 3/2010). It establishes the security policy for the use of ICT by the Public Sector. To be followed by the Public Sector in Spain. Developed through ‘technical technical security instructions instructions’ It is a key element of the National Cybersecurity Strategy. Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 6 NSF-ENS, Main elements All entities of the Public Sector will have a security policy formally policy, f rmall adopted, ad ted onn the basis off the basic principles rinci les and minimum requirements. The Basic Th B i principles i i l to be b taken k into i account in i decision about security. The minimum requirements which allow an adequate d protection i off information. i f i Categorization of systems and risk management for the adoption of proportionate ti t security it measures according to information and services to be protected Bilbao, and to the risks 20 de abril de 2016 to which they are exposed. Miguel A. Amutio Gómez S bdi twith Subdirector Adjunto Adj the t dde C Coordinación di ió dde Unidades U id d TIC Security audit to verify compliance NSF. Dirección de Tecnologías de la Información y las Comunicaciones Response to security incidents (CERT). Use of security certified products, products to be considered in procurement. Awareness and training. 7 Security measures organizational – security policy – security regulations – security procedures – authorization process asset protection operational – facilities – planning – personnel – access control – equipment – operation – communications – external services – media – continuity – software – monitoring – information – services + use of common infrastructures and services and security guidelines provided by CCN. CCN Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 8 Using Cloud, Public entities should … Public entities, should, as SP 800-144 says: • Carefully plan the security and privacy aspects of cloud computing solutions before engaging them. • Deploy o Understand the public cloud computing environment offered by the cloud provider -> assess and d manage risk i k accurately l o Ensure that a cloud computing solution satisfies organizational security and privacy requirements. o Ensure that the client-side computing environment 20 deand abrilprivacy de 2016 meets organizational Bilbao, security Miguel A. Amutio Gómez requirements for cloud computing. Subdirector S bdi t Adjunto Adj t dde C Coordinación di ió dde Unidades U id d TIC accountability the privacy and security of Dirección over de Tecnologías de la Información y las Comunicaciones • Maintain data and applications implemented and deployed in public cloud computing environments. environments 9 Consideration of Who does What For instance: In case of use of cloud services, the following measures deserve special attention: [Org.4] [Org 4] Authorization process [Op.acc.4] Access rights management process [Op.exp.7] Incident management [Op.exp.11] Cryptographic Key Protection [Op.ext] External services There are measures that should not be transferred to the CSP: Categorization of the system (Annex I) Security policy [org.1] Security ec ty po policy cy [o [org.2] g ] Risk analysis [op.pl.1] (coordinate) Authorization process [org.4] (to coordinate) Daily management [op.ext.2] (coordinate) g [[op.exp.7] p p ] (coordinate) ( ) Incident management Protection of customer equipment [mp.eq.] Activities that probably the CSPBilbao, should carry out: 20 not de abril de 2016 Electronic signature [mp.info.4] Miguel A. Amutio Gómez Time stamps [mp.info.5] S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC User identification [op.acc.1] Access requirements [op.acc.2] Dirección de Tecnologías de la Información y las Comunicaciones Management of access rights [op.acc.4] Authentication mechanism [op.acc.5] U activity User i i log l [op.exp.5] [ 5] Protection of activity records [op.exp.10] Protection of cryptographic keys [op.exp.11] Metric system [op.mon.2] (coordinate) 10 Cloud services and the NSF-ENS 2 SECURITY REQUIREMENTS 2.1 ROLES AND FUNCTIONS 2.2 CATEGORIZATION (ENS - ANNEX I) 2.2.1 COMMUNITIES 2 3 RECOMMENDATIONS 2.3 2.4 PROTECTION MEASURES (ENS - ANNEX II) 2.5 ADDITIONAL RESTRICTIONS 3 REQUIREMENTS DERIVED FROM OF DATA PROTECTION 4 INTERNAL REGULATIONS 5 PROCUREMENT 5.1 DESCRIPTION OF SERVICE 5.2 SUBCONTRACTING 5.3 PROTECTION OF INFORMATION 5.4 SERVICE LEVEL AGREEMENTS 5.5 ACCESS TO SERVICE 5.6 GEOGRAPHICAL CONDITIONERS 5.7 RESPONSIBILITIES AND OBLIGATIONS 5.8 REGISTRATION OF ACTIVITY 5.9 TERMINATION SERVICE Bilbao, 20 de abril deOF 2016 6. OPERATION Miguel A. Amutio Gómez 6.1 OPERATING SECURITY PROCEDURES S bdi t Adjunto Subdirector Adj6.2tFOLLOW-UP dde C Coordinación di ióOFddeTHE Unidades U idSERVICE d TIC Dirección de Tecnologías de la Información y las Comunicaciones 6.3 CHANGE MANAGEMENT 6.4 INCIDENT MANAGEMENT 6.5 BACKUP AND RECOVERY OF DATA 6 6 CONTINUITY OF THE SERVICE 6.6 6.7 TERMINATION 7 SUPERVISION AND AUDIT ANNEX A. ENS COMPLIANCE 11 NSF-ENS, 27000 and CCM Annex A contains the controls off standards 27002 A 2 002 and the CCM CC matrix, together with their correspondence to meet the ENS requirements. ( ) (…) Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones (…) 12 2. Compliance with 2 the National Security Framework Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones Fuente: NASA 13 Audit, reporting & compliance Interested actors Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 14 Compliance with the NSF-ENS TECHNICAL SECURITY INSTRUCTION - COMPIANCE WITH THE NATIONAL SECURITY FRAMEWORK INDEX I. Object. II Scope II. Scope. III. Procedures for determining compliance. IV. Declaration of Compliance with the National Security Framework of BASIC category systems and its publicity. V. Certification of Compliance p with the National Securityy Framework of systems y of category g y MEDIUM or HIGH and its publicity. VI. Requirements of the certifying entities. VII. Solutions and services provided by the private sector. A Annex I.I CContents off the h DDeclaration l i off CCompliance li with i h the h NNational i l Security S i Framework. F k Annex II. Declaration of Compliance with the National Security Framework. Annex III. Content of the Certification of Compliance with the National Security Framework. Annex IV IV. Certificate of Compliance with the National Security Framework Framework. Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 15 Requirements for providers Providers are often engaged in the provision of solutions or services (through, for example, cloud services) for systems under the scope of the NSF. NSF Solutions or services should comply with the requirements of the NSF-ENS and have the corresponding Declarations or Certifications of Compliance. Declaration of Compliance with the NSF-ENS (category BASIC) Bilbao,with 20 de abril de NSF-ENS 2016 Certification of Compliance the A. Amutiovoluntary Gómez (mandatory for categories MEDIUMMiguel or HIGH, for category S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC BASIC) Dirección de Tecnologías de la Información y las Comunicaciones P Providers: id same procedures d as ffor th the P Public bli Sector S t 16 Requirements for Certifiers Accreditation by ENAC according to UNE UNE-EN EN ISO / IEC 17065: 2012, for the certification of systems y within the scope of ENS. In case of NOT having the accreditation: 1. They will request accreditation to the ENAC. 2. They will inform ofBilbao, the20 de abril de 2016 acceptance of the request Miguel A. Amutio Gómez S bdi t Adjunto Adj t dde C Coordinación di ió dde Unidades U id d TIC t the to th CCN CCN. Subdirector Dirección de Tecnologías de la Información y las Comunicaciones 3. They can begin their certification activities on a temporary basis, having 12 months to obtain it. 17 3. Ch 3 Challenges ll and Conclusions Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 18 Challenges & Conclusions The National Security Framework (NSF-ENS): 9 Promotes a common approach to cybersecurity in the Public Sector off Spain, S i adapted d t d to t its it requirements i t 9 Independent audits are the basis for the Security Report and for the compliance with the NSF-ENS. Compliance with the NSF-ENS is applicable to: 9 Entities of the Public Sector 9 Providers of solutions and services (e.g. Cloud services) engaged in systems under the scope of the NSF-ENS. Public P bl entities should h ld have h an understanding d di off security i issues i in the h Bilbao, 20 de abril de 2016 cloud computing environment and ensure security requirements. Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones Under development: specific compliance requirements to certify cloud service providers for systems falling under ENS. 19 Challenges & Conclusions Challenges: 9 Progress in cibersecurity of entities of the Public Sector. 9 Improve the implementation of the security measures. NSF-ENS ENS to all 9 Extend the implementation of the NSF kind of information systems of the Public Sector in Spain. 9 Extend the useBilbao, of 20common services offered by de abril de 2016 the General StateMiguel Administration. A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC 9 Promote P the h compliance li with h the h NSF-ENS. NSF ENS Dirección de Tecnologías de la Información y las Comunicaciones 20 More information Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 21 The Public Sector in Spain Public Sector Institutional Public Sector General State Administration Autonomous Communities Linked or dependent Public Entities and Public Law Entities Local Entities Entities of Private Law (Administrative powers) Linked or Bilbao, 20 de dependent abril de 2016 Miguel A. Amutio Gómez Public Universities Law 40/2015 Subdirector S bdi t Adjunto Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones Public Law Corporations Law 39/2015 22 Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 23 CCN-CERT Guidelines and tools Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 24 Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 25 eGovernment and Security Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 26 Bilbao, 20 de abril de 2016 Miguel A. Amutio Gómez S bdi t Adjunto Subdirector Adj t dde C Coordinación di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 27 Many y thanks 9 E-mail addresses – – – – – – [email protected] [email protected] ccn@cni es [email protected] [email protected] [email protected] [email protected] g @ – – – – administracionelectronica.gob.es www.ccn-cert.cni.es www.ccn.cni.es Bilbao, 20 de abril de 2016 www.oc.ccn.cni.es 9 Web pages: Miguel A. Amutio Gómez Subdirector Coordinación S bdi t Adjunto Adj t dde C di ió dde Unidades U id d TIC Dirección de Tecnologías de la Información y las Comunicaciones 28
© Copyright 2025