Cloud Computing and Standards - A Regulator’s View


Transcript of Cloud Computing and Standards - A Regulator’s View

Page 1

Cloud Computing and Standards - A Regulator’s View

OASIS International Cloud Symposium
11 October 2011

Steven Johnston, CISSP
Senior Security and Technology Advisor

Office of the Privacy Commissioner of Canada

www.oasis-open.org

Page 2

Things We’ve Done

• Guidelines for Processing Personal Data Across Borders (January 2009)

• Cloud computing paper released early April 2010

• Public consultations April – June 2010

• Working on guidance for SMBs

Page 3

Things We’ve Learned

• Privacy implications of cloud computing include:
– Jurisdiction
– Third party access
– Security safeguards
– Limitations on use and retention
– Demonstrating/verifying compliance

Page 4

How Standards Can Help

• To address new technology concerns (e.g. cloud computing)

• To address baseline issues such as limiting collection, data retention, safeguards, etc.

• Basis for Privacy Impact Assessments, Threat/Risk Assessments and Audits

• Basis for systematic assessment of security requirements

• Basis for audit

• Basis for contractual agreements with cloud service providers

Page 5

ISO Standards Development

• ISO/IEC JTC 1 SC7 (SSE)
– Potential future work

• Cloud computing vocabulary
• Modeling cloud solutions
• Systems engineering of cloud-based solutions
• IT Service Management for Cloud Computing
• IS Governance Framework for Cloud Computing

Page 6

ISO Standards Development

• ISO/IEC JTC 1 SC27 (IT Security)
– Joint study period (WGs 1, 4, 5)
– NWI proposal

• ISO 27017-2 (information security code of practice based on ISO 27002) (provisional)

• To be accompanied (eventually) by:
– 27017-1 (requirements)
– 27017-3 (legal and regulatory code of practice)
– 27017-4 (service code of practice)
– 27017-5 (audit guidelines)

Page 7

ISO Standards Development

• ISO/IEC JTC 1 SC38 (DAPS)
– WG 1 – Web Services
– WG 2 – Service Oriented Architecture
– Study Group on Cloud Computing

• Released a study report in June 2011

Page 8

ISO Standards Development

• SGCC Report (June 2011)
– Part 1: Concepts, Terms and Reference Model
– Part 2: Standardization Requirements for Cloud Computing
– Part 3: Standardization Initiatives for Cloud Computing
– Part 4: Assessment of Areas for JTC1 Standardization

Page 9

ISO Standards Development

• SGCC Report (June 2011)
– Technical requirements
• Terms and definitions
• Interfaces
• Security technology
• Format and meaning of data
– Management requirements
• Service provider qualification
• Service quality metrics
• Service audit
• Service agreements

Page 10

Other Efforts

• ITU-T Focus Group on Cloud Computing
• Open Grid Forum
• Cloud Computing Interoperability Forum
• Open Cloud Consortium
• Cloud Security Alliance
• ETSI
• OASIS
• …

Page 11

Challenges for Regulators

• DPA mandate is enforcement/compliance

• Many DPAs are limited in resources
• Lack of appropriate expertise
• So many standards development activities underway
– Where to focus our efforts?

• Difficulty in demonstrating ROI

Page 12

Questions?

Steven Johnston
Senior Security and Technology Advisor

Office of the Privacy Commissioner of Canada
[email protected]