Using cloud services

Cloud Security Alliance EMEA Congress

Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector

Madrid, 16 November 2016 (slide footer: Bilbao, 20 April 2016)

Miguel A. Amutio Gómez
Subdirector Adjunto de Coordinación de Unidades TIC
Dirección de Tecnologías de la Información y las Comunicaciones
Secretaría General de Administración Digital
Ministerio de Hacienda y Función Pública

Contents

1. Why and what is the National Security Framework (NSF-ENS)
2. Compliance with the NSF-ENS
3. Challenges and conclusions

1. Why and what is the National Security Framework

Digital public services

• The new administrative laws (39/2015 and 40/2015) foresee a paperless Administration on the basis of working fully with electronic means.
• Digital public services are provided in a complex scenario in Spain.
• Potential risks.

Why the NSF-ENS

National Security Framework (NSF) = Esquema Nacional de Seguridad (ENS)

• Create the necessary conditions of trust, through measures to ensure IT security for the exercise of rights and the fulfillment of duties through electronic access to public services.
• Promote the continuous management of security, regardless of the impulses of the moment.
• Promote prevention, detection and correction.
• Promote a common approach to security which enables cooperation to deliver eGovernment services.
• The NSF complements the National Interoperability Framework.

The National Security Framework

• It is a legal text (Royal Decree 3/2010).
• It establishes the security policy for the use of ICT by the Public Sector.
• To be followed by the Public Sector in Spain.
• Developed through ‘technical security instructions’.
• It is a key element of the National Cybersecurity Strategy.

NSF-ENS, Main elements

• All entities of the Public Sector will have a security policy, formally adopted, on the basis of the basic principles and minimum requirements.
• The basic principles to be taken into account in decisions about security.
• The minimum requirements which allow an adequate protection of information.
• Categorization of systems and risk management for the adoption of proportionate security measures according to the information and services to be protected and to the risks to which they are exposed.
• Security audit to verify compliance with the NSF.
• Response to security incidents (CERT).
• Use of security certified products, to be considered in procurement.
• Awareness and training.

Security measures

Organizational
– security policy
– security regulations
– security procedures
– authorization process

Operational
– planning
– access control
– operation
– external services
– continuity
– monitoring

Asset protection
– facilities
– personnel
– equipment
– communications
– media
– software
– information
– services

+ use of common infrastructures and services and security guidelines provided by CCN.

Using Cloud, Public entities should …

Public entities should, as SP 800-144 says:
• Carefully plan the security and privacy aspects of cloud computing solutions before engaging them.
• Deploy:
  – Understand the public cloud computing environment offered by the cloud provider -> assess and manage risk accurately.
  – Ensure that a cloud computing solution satisfies organizational security and privacy requirements.
  – Ensure that the client-side computing environment meets organizational security and privacy requirements for cloud computing.
• Maintain accountability over the privacy and security of data and applications implemented and deployed in public cloud computing environments.

Consideration of Who does What

For instance:

In case of use of cloud services, the following measures deserve special attention:
• [org.4] Authorization process
• [op.acc.4] Access rights management process
• [op.exp.7] Incident management
• [op.exp.11] Cryptographic key protection
• [op.ext] External services

There are measures that should not be transferred to the CSP:
• Categorization of the system (Annex I)
• Security policy [org.1]
• Security policy [org.2]
• Risk analysis [op.pl.1] (coordinate)
• Authorization process [org.4] (coordinate)
• Daily management [op.ext.2] (coordinate)
• Incident management [op.exp.7] (coordinate)
• Protection of customer equipment [mp.eq]

Activities that probably the CSP should not carry out:
• Electronic signature [mp.info.4]
• Time stamps [mp.info.5]
• User identification [op.acc.1]
• Access requirements [op.acc.2]
• Management of access rights [op.acc.4]
• Authentication mechanism [op.acc.5]
• User activity log [op.exp.5]
• Protection of activity records [op.exp.10]
• Protection of cryptographic keys [op.exp.11]
• Metric system [op.mon.2] (coordinate)

Cloud services and the NSF-ENS

2 SECURITY REQUIREMENTS
2.1 ROLES AND FUNCTIONS
2.2 CATEGORIZATION (ENS - ANNEX I)
2.2.1 COMMUNITIES
2.3 RECOMMENDATIONS
2.4 PROTECTION MEASURES (ENS - ANNEX II)
2.5 ADDITIONAL RESTRICTIONS
3 REQUIREMENTS DERIVED FROM DATA PROTECTION
4 INTERNAL REGULATIONS
5 PROCUREMENT
5.1 DESCRIPTION OF SERVICE
5.2 SUBCONTRACTING
5.3 PROTECTION OF INFORMATION
5.4 SERVICE LEVEL AGREEMENTS
5.5 ACCESS TO SERVICE
5.6 GEOGRAPHICAL CONSTRAINTS
5.7 RESPONSIBILITIES AND OBLIGATIONS
5.8 REGISTRATION OF ACTIVITY
5.9 TERMINATION OF SERVICE
6 OPERATION
6.1 OPERATING SECURITY PROCEDURES
6.2 FOLLOW-UP OF THE SERVICE
6.3 CHANGE MANAGEMENT
6.4 INCIDENT MANAGEMENT
6.5 BACKUP AND RECOVERY OF DATA
6.6 CONTINUITY OF THE SERVICE
6.7 TERMINATION
7 SUPERVISION AND AUDIT
ANNEX A. ENS COMPLIANCE

NSF-ENS, 27000 and CCM

Annex A contains the controls of standards 27002 and the CCM matrix, together with their correspondence to meet the ENS requirements.

(…)

(…)

2. Compliance with the National Security Framework

Source: NASA

Audit, reporting & compliance

Interested actors

Compliance with the NSF-ENS

TECHNICAL SECURITY INSTRUCTION - COMPLIANCE WITH THE NATIONAL SECURITY FRAMEWORK

INDEX
I. Object.
II. Scope.
III. Procedures for determining compliance.
IV. Declaration of Compliance with the National Security Framework of BASIC category systems and its publicity.
V. Certification of Compliance with the National Security Framework of systems of category MEDIUM or HIGH and its publicity.
VI. Requirements of the certifying entities.
VII. Solutions and services provided by the private sector.
Annex I. Contents of the Declaration of Compliance with the National Security Framework.
Annex II. Declaration of Compliance with the National Security Framework.
Annex III. Content of the Certification of Compliance with the National Security Framework.
Annex IV. Certificate of Compliance with the National Security Framework.

Requirements for providers

• Providers are often engaged in the provision of solutions or services (through, for example, cloud services) for systems under the scope of the NSF.
• Solutions or services should comply with the requirements of the NSF-ENS and have the corresponding Declarations or Certifications of Compliance.
  – Declaration of Compliance with the NSF-ENS (category BASIC)
  – Certification of Compliance with the NSF-ENS (mandatory for categories MEDIUM or HIGH, voluntary for category BASIC)
• Providers: same procedures as for the Public Sector.

Requirements for Certifiers

Accreditation by ENAC according to UNE-EN ISO/IEC 17065:2012, for the certification of systems within the scope of ENS.

In case of NOT having the accreditation:
1. They will request accreditation to the ENAC.
2. They will inform the CCN of the acceptance of the request.
3. They can begin their certification activities on a temporary basis, having 12 months to obtain it.

3. Challenges and Conclusions

Challenges & Conclusions

The National Security Framework (NSF-ENS):
• Promotes a common approach to cybersecurity in the Public Sector of Spain, adapted to its requirements.
• Independent audits are the basis for the Security Report and for compliance with the NSF-ENS.

Compliance with the NSF-ENS is applicable to:
• Entities of the Public Sector.
• Providers of solutions and services (e.g. cloud services) engaged in systems under the scope of the NSF-ENS.

Public entities should have an understanding of security issues in the cloud computing environment and ensure security requirements.

Under development: specific compliance requirements to certify cloud service providers for systems falling under ENS.

Challenges & Conclusions

Challenges:
• Progress in cybersecurity of entities of the Public Sector.
• Improve the implementation of the security measures.
• Extend the implementation of the NSF-ENS to all kinds of information systems of the Public Sector in Spain.
• Extend the use of common services offered by the General State Administration.
• Promote compliance with the NSF-ENS.

More information

The Public Sector in Spain (Law 39/2015 and Law 40/2015)

Public Sector:
• General State Administration
• Autonomous Communities
• Local Entities
• Institutional Public Sector:
  – Public Entities and Public Law Entities, linked or dependent
  – Entities of Private Law, linked or dependent (administrative powers)
  – Public Universities
• Public Law Corporations

CCN-CERT Guidelines and tools

eGovernment and Security

Many thanks

• E-mail addresses:
  – ccn@cni.es
  – [email protected]
  – [email protected]
  – [email protected]
  – [email protected]
  – [email protected]
  – [email protected]
• Web pages:
  – administracionelectronica.gob.es
  – www.ccn-cert.cni.es
  – www.ccn.cni.es
  – www.oc.ccn.cni.es