CSA Virtual Summit: Future of European Cloud Services Scheme Detailed


Speaking at the Cloud Security Alliance European Virtual Summit, Eric Vétillard, lead certification expert at ENISA, talked about the concept and development of a European certification scheme for cloud services under the EU Cybersecurity Act.

The EU Cybersecurity Act is intended to revamp and strengthen the EU Agency for Cybersecurity (ENISA) and to introduce the first EU-wide cybersecurity certification framework for ICT products, services and processes.

After the adoption of the Cybersecurity Act, ENISA was tasked in November 2019 by the European Commission to design a candidate scheme for cloud services. Vétillard said there were two missions around the establishment of a European certification framework: to make ENISA's mandate permanent, and to define a cybersecurity certification framework, in particular to support the drafting of new policies through certification schemes.

“The idea here is to define a framework to increase the use of cybersecurity certification throughout Europe and extend it to all countries,” he said. “To do that, we need to go beyond national schemes and offer mutual recognition at the European level.”

Vétillard explained that the framework will also allow users to make “informed decisions” on cybersecurity, and ultimately only require one certificate throughout Europe. “In order for the scheme to be successful it needs to be accepted by a majority of the member states of the European Union,” he added.

He explained that the scheme is being drafted by ENISA together with the European Cybersecurity Certification Group (ECCG), a group of member state representatives, and an advisory group, which will assist in drafting the scheme. When a scheme is selected, around 20 experts representing stakeholders, institutions and observers will work together to build a candidate scheme, which is then submitted to the next phase to obtain an opinion from the ECCG.

In terms of building the scheme, Vétillard said there are 22 questions to be answered, including the “specific evaluation criteria and methods to be used” which he said will represent a significant part of the work. He also said there is a mandate to monitor compliance of certified and self-assessed products.

As for what the scheme will achieve, Vétillard said this will include determining what a cloud service is. “If you look around, there are many definitions of what is meant by cloud computing” and ultimately the definition from ISO/IEC 17788 was selected “as it determines any service run on top of a cloud system.”

The next determination will be on cloud capabilities, where the same ISO standard was again used in order to determine that all cloud capabilities support some aspect of infrastructure, platform and application. Also all deployment models will be considered, including private, public and hybrid clouds.

The third consideration is the three assurance levels, “basic,” “substantial” and “high,” which will be assessed by an accredited third party. Basic means that the cloud service provider has shown some intention to implement security controls. Substantial means that the provider has correctly implemented security controls and that some vulnerability testing has been performed. High means that the effectiveness of the provider’s controls against attacks has been demonstrated, which requires penetration testing and is intended for “critical applications in sensitive fields.”

Vétillard said the choice of level is based on the level of risk, which depends on a number of parameters including the nature of the activity and the size of the cloud service.

ENISA’s objective is to have answers to key questions and to know the structure of the scheme by the end of June 2020 “and to know how to move forward into the writing of the scheme itself.”

By September, the first draft will be completed, and after internal reviews, the final delivery of the candidate scheme is due by the end of the year. Vétillard said the cloud scheme is intended to be part of a larger framework and will ultimately be used to provide baselines for other schemes.

What’s hot on Infosecurity Magazine?