Privacy and security

The contents included in this section are DRAFT proposed for a public consultation and are under review.

Privacy and Security Scenario

Procurement needs

Security and Privacy are critical concerns for both individuals and organisations when determining whether they should [or can] adopt cloud-hosted services, thereby moving data and/or business functionalities onto clouds.

Security in the cloud computing context refers to the set of procedures, processes and standards designed to provide information security assurance in a cloud computing environment, and covers all the service models: software, platform and infrastructure. Security is a concern for end-users who are wary of sharing cloud resources and services with other users, and who perceive a “lack of control” compared with on-site solutions. Specific concerns include data protection (encryption, access control, etc.), data integrity, accessibility, and authentication and identity management, among others. Concerns also arise over the ability to maintain security when integrating cloud solutions with retained ‘in-house’ services.

These security concerns also feed into data privacy concerns, with users worried about “losing control of their data”, whether through unauthorised access by third parties, an inability to access their own data, or a lack of encryption by the Cloud Service Provider.

Three procurement needs, representing high-level scenarios, are presented here, from which three use cases have been derived:

• Secure cloud access for ‘bring your own device’ systems;

• Maintaining security when combining cloud and ‘in-house’ systems;

• Ensuring the Cloud Service Provider is protecting personal sensitive data.

For procurers, while the use of public clouds will offer substantial cost savings and increased flexibility for many ICT services and service users, data and privacy restrictions can currently prevent some services from being hosted or provided through such means. In these cases, a range of cloud service models incorporating private clouds can be used to provide the necessary security assurance to hold and process personal or restricted data. Such private clouds can be purchased as part of a hybrid model, or governments may be able to reuse their existing assets to create their own hybrid cloud services.

Costs & Benefits

The following studies present some predicted net costs and benefits associated with cloud computing across Europe, taking into account the impact of security and privacy concerns which are recognised barriers to the uptake of cloud solutions:

http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=9742

http://www.europarl.europa.eu/RegData/etudes/IDAN/2016/583786/EPRS_IDA(2016)583786_EN.pdf

For further introductory information see:

http://www.cloudwatchhub.eu/taxonomy/term/92

Regarding the impact of security and privacy concerns on cloud market growth, some research has indicated that these concerns are two of the barriers hindering companies from fully embracing cloud solutions and models. While the public cloud will offer substantial cost savings and increased flexibility for many ICT services and service users, data and privacy restrictions currently prevent some services from being hosted or provided through such means.

Baseline EU Cloud Market forecasts estimate SaaS [1] spend by 2020 at €23.8bn. Pessimistic forecasts, whereby end-users refrain from fully adopting SaaS infrastructure, estimate this spend at €12.7bn.

For further introductory information see:

http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=9742


Situation in Member States

Eurostat has produced country-specific statistics on the use of cloud computing by enterprises across Europe:

http://ec.europa.eu/eurostat/statistics-explained/index.php/Cloud_computing_-_statistics_on_the_use_by_enterprises#Further_Eurostat_information

The risk of a security breach is one of the most prevalent factors that limit and/or prevent the use of cloud computing across the individual Member States:

http://appsso.eurostat.ec.europa.eu/nui/show.do?dataset=isoc_cicce_obs&lang=en

The following study provides information on uptake based on a number of country case-studies:

http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=9742

ENISA has also produced relevant studies on the use of cloud computing in the public sector:

https://www.enisa.europa.eu/publications/good-practice-guide-for-securely-deploying-governmental-clouds/at_download/fullReport

Privacy and Security Standards

The following sources are the starting points for the list of standards reported in the Excel spreadsheet.

The regulatory context provides the framework of general standards:

• General Data Protection Regulation: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN

• Data Protection Directive: http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=CELEX:31995L0046:en:HTML

Guides to the application of security and privacy requirements:

• https://cloudsecurityalliance.org/guidance/csaguide.v3.0.pdf

• https://cloudsecurityalliance.org/download/privacy-level-agreement-version-2/

ENISA’s Security Framework for Governmental Clouds details a step-by-step guide for the Member States (MS) for the procurement and secure use of Cloud services:

https://www.enisa.europa.eu/publications/security-framework-for-govenmental-clouds

As general-purpose standards, or policy standards, a sample of existing standards issued by different organisations follows:

ETSI: http://www.etsi.org/deliver/etsi_sr%5C003300_003399%5C003391%5C02.01.01_60%5Csr_003391v020101p.pdf

ISO:

• Draft ISO/IEC 19086-4, "Information technology -- Cloud computing -- SLA framework and terminology -- Part 4: Security and Privacy"

• ISO/IEC 29134, "Information technology -- Security techniques -- Privacy impact assessment -- Guidelines"

• ISO/IEC 27005, "Information technology -- Security techniques -- Information security risk management"

• ISO/IEC 27013:2012, "Information technology -- Security techniques -- Guidance on the integrated implementation of ISO/IEC 27001 and ISO/IEC 20000-1"

See also as reference:

Cloud Watch: http://www.cloudwatchhub.eu/cloud-standards-guide

Use Cases

Important common disclaimers applying to all European Catalogue use cases:

• The use cases provided here are generic. You may need to modify them to meet the specific procurement needs of your organisation;

• All standards listed with the individual use cases can be substituted with any reasonable alternatives unless this is prevented by applicable EU or national legislation;

• Simply listing these standards within your tender documents will not ensure the interoperability of any acquired solution/service, nor will the interoperability of that solution with your existing systems be guaranteed. You will still need to conduct your own internal technical assessment before publishing your tender; the European Catalogue is not a substitute for this process;

• Simply incorporating a list of relevant standards will not guarantee adequate levels of privacy/security. Gaps should be identified through your risk management processes.

Use Case 1: A Cloud Service Customer employing a bring-your-own-device policy needs to (be able to) ensure secure access to systems in the cloud via these multiple devices.

Sample standards to be consulted:

• ISO/IEC 27001, "Information technology -- Security techniques -- Information security management systems -- Requirements";

• ISO/IEC 27002, "Information technology -- Security techniques -- Code of practice for information security controls".

See also as reference:

• NIST SP 800-53r4, "Security and Privacy Controls for Federal Information Systems and Organizations";

• NIST SP 800-144, "Guidelines on security and privacy in public cloud computing".

Relevant guides to the application of these standards:

• CSA Cloud Controls Matrix, Consensus Assessments Initiative Questionnaire: https://cloudsecurityalliance.org/download/consensus-assessments-initiative-questionnaire-v3-0-1

Use Case 2: The Cloud Service Customer needs to (be able to) ensure security is retained when mixing services provisioned by their own IT department and services provided by Cloud vendors.

Sample standards to be consulted:

• ISO/IEC 27001, "Information technology -- Security techniques -- Information security management systems -- Requirements";

• ISO/IEC 27002, "Information technology -- Security techniques -- Code of practice for information security controls";

• Draft ISO/IEC 19086-4, "Information technology -- Cloud computing -- SLA framework and terminology -- Part 4: Security and Privacy";

• ISO/IEC 27017, "Information technology -- Security techniques -- Code of practice for information security controls based on ISO/IEC 27002 for cloud services";

• ISO/IEC 27036-4, "Information technology -- Security techniques -- Information security for supplier relationships -- Part 4: Guidelines for security of cloud services".

Relevant guides to the application of these standards:

• AICPA SOC 2 (http://www.aicpa.com)

• CSA Cloud Controls Matrix (https://cloudsecurityalliance.org)

Use Case 3: The Cloud Service Customer needs to know that the Cloud Service Provider is providing sufficient security for protecting personal sensitive information stored and processed by the Provider’s cloud service, and complying with the General Data Protection Regulation.

Sample standards to be consulted:

• ISO/IEC 27018, "Information technology -- Security techniques -- Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors";

• ISO/IEC 29100, "Information technology -- Security techniques -- Privacy framework";

• ISO/IEC 29101, "Information technology -- Security techniques -- Privacy architecture framework".

See also as reference:

• Draft ISO/IEC 19086-4, "Information technology -- Cloud computing -- SLA framework and terminology -- Part 4: Security and Privacy".

Relevant guides to the application of these standards:

• AICPA SOC 2 (http://www.aicpa.com)

• CSA Privacy Level Agreement (https://cloudsecurityalliance.org)

• EU General Data Protection Regulation (http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf)

• NIST SP 800-144, "Guidelines on security and privacy in public cloud computing"

Privacy and Security Guidelines

Interoperability

Interoperability within cloud computing encompasses both the ability for one cloud service to work with others, as well as the ability of a cloud service customer to interact with a cloud service and exchange information via a set method to obtain predictable results. This will include the successful interaction of a customer’s systems with the cloud service systems. In the absence of specific EU legislation on cloud computing, guidelines for achieving interoperability are not linked to applying specific Directives/Regulations:

http://www.etsi.org/deliver/etsi_sr%5C003300_003399%5C003391%5C02.01.01_60%5Csr_003391v020101p.pdf

Procurement

General guidelines for procurement:

http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=9742

 

ENISA has provided guidance and tools on cloud security that apply directly to public procurers:

• Securely deploying governmental clouds: https://www.enisa.europa.eu/publications/good-practice-guide-for-securely-deploying-governmental-clouds/at_download/fullReport

• Security Framework for Governmental Clouds: https://www.enisa.europa.eu/publications/security-framework-for-governmental-clouds/at_download/fullReport

• Cloud security for SMEs: https://www.enisa.europa.eu/publications/cloud-security-guide-for-smes/at_download/fullReport

[1] Software as a Service