EU28 Cloud Security Conference: Reaching the Cloud Era in the European Union Track A: Legal and Compliance - “Cloud Security and the Network and Information Security Directive: the need for Harmonization” Jan Neutze Director, Cybersecurity Policy, EMEA, Microsoft


Page 2

Aims of a national cybersecurity strategy

Overview

1) Emerging Cloud & Cybersecurity Strategies

2) The NIS Directive – opportunities and challenges

3) Case Study: Estonia’s Virtual Data Embassies

Page 3

Global Landscape

Emerging Cloud & Cybersecurity Strategies

Page 4

Countries with cybersecurity strategies (by region, as shown on the map):

US, Canada

Australia, New Zealand

Bangladesh, Hong Kong, India, Indonesia, Japan, Kyrgyzstan, Maldives, Malaysia, Mongolia, Philippines, Singapore, South Korea, Taiwan, Vanuatu

Austria, Belarus, Belgium, Czech Republic, Cyprus, Estonia, EU, Finland, France, Germany, Georgia, Hungary, Italy, Latvia, Lithuania, Luxembourg, Montenegro, Netherlands, Norway, Poland, Romania, San Marino, Slovakia, Spain, Sweden, Switzerland, UK

Ghana, Kenya, Mauritius, South Africa, Uganda

Israel, Jordan, Qatar, Saudi Arabia, Turkey, UAE

Argentina, Brazil

Panama, Trinidad & Tobago

Countries with only cloud programs:

Cloud strategy: Ireland

Cloud initiatives: Azerbaijan, Chile, China, Costa Rica, Denmark, Egypt, Greece, Malta, Mexico, Moldova, Portugal, Russia, Slovenia, Sri Lanka, Thailand

Legend: Bold = cloud strategy; Underline = cloud initiatives

60 governments and regional organizations have cybersecurity strategies; 14 have cloud strategies; and 36 have cloud initiatives.

Page 5

Trustworthy Cloud Principles

Cloud program categories, characteristics, and examples

Operational guidance

Outline guidance or concrete steps that the government is taking to advance public sector cloud adoption, including:

• controls for areas of concern (i.e. contracts and security);

• development of pilot projects; public, private, or community clouds; or a synced approach to cloud procurement; or

• consolidation of data centers.

Benefits, risks, and need for best practices/standards acknowledged.

Advancing government and private cloud adoption / Advancing government cloud adoption

Seek to encourage and enable public sector OR public and private sector cloud adoption by:

• increasing or organizing procurement through whole-of-government certification programs, dedicated cloud infrastructure, or app stores;

• providing guidance to help agencies evaluate the benefits and risks of, procure, and manage cloud services;

• centralizing government resources;

• promoting local SME understanding and acceptance of cloud services;

• partnering with global CSPs to enable local market growth;

• describing successful examples of government cloud projects; or

• attempting to resolve issues that might inhibit adoption.

Benefits and risks assessed; plans to mitigate risks described, including through the development of standards and security and procurement guidance.

Explanatory statements

Take basic steps to enable or demonstrate limited government cloud adoption by:

• defining cloud computing and deployment/service models;

• applying existing legal requirements to cloud;

• describing a nascent cloud project; or

• approving of cloud for future public sector procurement.

Discussion of cloud adoption benefits and risks is undeveloped.

Examples (country groups as listed on the slide):

• Denmark, Mauritius, Philippines, Sri Lanka

• Hong Kong, Ireland, New Zealand, Qatar

• Estonia, India, Netherlands, UK, United States

• Australia, EU, Malaysia, Singapore

Page 6

Public sector approaches to cloud security

United Kingdom: G-Cloud

Approach: Government procurement framework

Highlights:
• Based on ISO 27001
• Most data is “official”
• Reusable certification

Australia: InfoSecurity Manual

Approach: Government procurement guidance

Highlights:
• Risk-based approach encouraged
• 5 control levels

United States: FedRAMP

Approach: Government procurement framework

Highlights:
• Based on NIST 800-53v4
• Moderate and High baseline controls

European Union: ENISA CCSL and CCSM

Approach: Procurement guidance

Highlights:
• Maps certification regimes relevant to cloud customers

Notable strengths (one per approach, as listed on the slide):
• Flexible
• Standards-based
• Transparent
• Risk-based

Page 7

Key EU Initiatives: DSM & NIS

Opportunities & Challenges

Page 8

The Digital Single Market Strategy: European Commission Digital Single Market Strategy (May 2015)

- The Communication on a Digital Single Market Strategy includes an upcoming European “Free flow of data” initiative, which will build on the “Trusted Cloud Europe” vision and subsequent consultations. This initiative will address the emerging issues of ownership, interoperability, usability and access to data.

- In the 2nd Quarter of 2015, the Commission is expected to launch a Public consultation on a Green Paper on Trust & cloud computing in Europe.

- In 2016, the Commission is planning to launch a European Cloud initiative which will include cloud services certification, contracts and switching of cloud services providers. Some of the elements stem from the work carried out by the industry working groups (C-SIGs) on the EU Cloud Computing Strategy.

- The Commission is currently still assessing whether to opt for full, co- or self-regulatory actions.


Page 9

The NIS Directive – opportunities: Proposal for a Directive on Network and Information Security (February 2013)

- The Directive aims to raise the level of network and information security across European critical operators.

- The Directive is a first step towards building more common approaches to cybersecurity. This can result in a more integrated operational picture, sharing of strategic assessments from reported incidents and enhanced public-private cooperation.

- Cybersecurity baseline: the Directive should result in processes and capabilities to pro-actively prevent serious cybersecurity incidents as well as the ability to isolate and quickly recover from any incident.

- The Directive is likely to be adopted in the second half of 2015, and Member States will get 18-24 months for transposition into national law.

Page 10

The NIS Directive – Challenges

Scope
-> Latvian Presidency has proposed separate Annex & approach for IEs
-> details remain unclear

The Directive must be focused on critical infrastructure only.

Lack of EU Harmonization: Major Challenges around Jurisdiction/Applicable Law

Cybersecurity Patchwork: Could end up with 28 entirely different regimes

Reporting obligations
-> to whom do pan-EU operators report?
-> how would internet enablers determine impact on customer side?
-> how is customer confidentiality ensured?

Security Baselines & Audit requirements
-> Which security standards would be applied by which NCA?
-> Which NCA would receive audits? New audit powers vs. sharing existing audit results?

Page 11

Estonia’s Data Embassies

Leveraging the cloud for national resiliency

Page 12

Estonia: a digital society moving to the cloud

First country to offer digital citizenship

First country to implement electronic voting

First country to issue digital ID cards

144% mobile adoption

GDP per capita $22,000

Estonia leverages IT to provide public services and maintains roughly 200 databases across 14 agencies, 900 registries and roughly 3,000 services, including its population register, business register, land register, and e-government systems.

Approximately 10% of Estonia’s services relate to military and defense. Data for several of these systems have no “paper” hard copy and exist online only.

80% of population internet users

Population 1.3 million

Page 13

Estonian Data Embassy Initiative: Overarching strategy

CLOUD BENEFITS FOR GOVERNMENTS

• Citizen services. Ability to drive innovation with data services in the cloud that citizens can reuse.

• Infrastructure. Reduction in data centers and public sector ICT can drive hardware efficiencies.

• Flexibility. Allows the meeting of real-time needs, or offloading of onsite data to the public cloud as needed to improve operational efficiencies.

• Collaboration. Enables more effective communication and collaboration.

• Continuity of operations. With centralized data storage, management, and backups, data recovery can be faster and easier.

• Creative IT. Since cloud services can be centrally managed, IT workers are freed from a “keep-the-lights-on” approach, providing more time to foster creative problem-solving.

Page 14

Research Project: Estonia and Microsoft partner for success

Goals:

• Explore feasibility of migrating services to the cloud

• Demonstrate how services run in a failover scenario

• Understand where existing services can be optimized

Electronic State Gazette. Cloud technologies: Microsoft Azure™. Operating system: CentOS; application stack: Apache, Java and PostgreSQL.

Website of the President of Estonia. Cloud technologies: Microsoft Azure™. Operating system: FreeBSD; application stack: PHP and MariaDB.
