Cloud Computing and Standards - A Regulator’s View
Cloud Computing and Standards - A Regulator’s View
OASIS International Cloud Symposium, 11 October 2011
Steven Johnston, CISSP, Senior Security and Technology Advisor
Office of the Privacy Commissioner of Canada
www.oasis-open.org
Things We’ve Done
• Guidelines for Processing Personal Data Across Borders (January 2009)
• Cloud computing paper released early April 2010
• Public consultations April – June 2010
• Working on guidance for SMBs
Things We’ve Learned
• Privacy implications of cloud computing include:
  – Jurisdiction
  – Third party access
  – Security safeguards
  – Limitations on use and retention
  – Demonstrating/verifying compliance
How Standards Can Help
• To address new technology concerns (e.g. cloud computing)
• To address baseline issues such as limiting collection, data retention, safeguards, etc.
• Basis for Privacy Impact Assessments, Threat/Risk Assessments and Audits
• Basis for systematic assessment of security requirements
• Basis for audit
• Basis for contractual agreements with cloud service providers
ISO Standards Development
• ISO/IEC JTC 1 SC7 (SSE)
  – Potential future work
    • Cloud computing vocabulary
    • Modeling cloud solutions
    • Systems engineering of cloud-based solutions
    • IT Service Management for Cloud Computing
    • IS Governance Framework for Cloud Computing
ISO Standards Development
• ISO/IEC JTC 1 SC27 (IT Security)
  – Joint study period (WGs 1, 4, 5)
  – New Work Item (NWI) proposal
    • ISO 27017-2 (information security code of practice based on ISO 27002) (provisional)
    • To be accompanied (eventually) by:
      – 27017-1 (requirements)
      – 27017-3 (legal and regulatory code of practice)
      – 27017-4 (service code of practice)
      – 27017-5 (audit guidelines)
ISO Standards Development
• ISO/IEC JTC 1 SC38 (DAPS: Distributed Application Platforms and Services)
  – WG 1 – Web Services
  – WG 2 – Service Oriented Architecture
  – Study Group on Cloud Computing
    • Released a study report in June 2011
ISO Standards Development
• SGCC Report (June 2011)
  – Part 1: Concepts, Terms and Reference Model
  – Part 2: Standardization Requirements for Cloud Computing
  – Part 3: Standardization Initiatives for Cloud Computing
  – Part 4: Assessment of Areas for JTC1 Standardization
ISO Standards Development
• SGCC Report (June 2011)
  – Technical requirements
    • Terms and definitions
    • Interfaces
    • Security technology
    • Format and meaning of data
  – Management requirements
    • Service provider qualification
    • Service quality metrics
    • Service audit
    • Service agreements
Other Efforts
• ITU-T Focus Group on Cloud Computing
• Open Grid Forum
• Cloud Computing Interoperability Forum
• Open Cloud Consortium
• Cloud Security Alliance
• ETSI
• OASIS
• …
Challenges for Regulators
• DPA (data protection authority) mandate is enforcement/compliance
• Many DPAs are limited in resources
• Lack of appropriate expertise
• So many standards development activities underway
  – Where to focus our efforts?
• Difficulty in demonstrating ROI
Questions?
Steven Johnston, Senior Security and Technology Advisor
Office of the Privacy Commissioner of Canada
[email protected]