Cloud Security Alliance EMEA Congress: Using cloud services: Compliance with the Security Requirements of the Spanish Public Sector

1. 1
Madrid, 16 November 2016
Miguel A. Amutio
Secretaría General de Administración Digital
Ministerio de Hacienda y Función Pública
Cloud Security Alliance EMEA Congress
Using cloud services:
Compliance with the Security
Requirements of the Spanish
Public Sector

2. 2
Why and What is the National Security
Framework (NSF- ENS)
Compliance with the NSF-ENS
Challenges and conclusions
Contents

3. 3
1. Why and what is
the National Security
Framework

4. 4
Digital public services
The new administrative laws
(39/2015 and 40/2015) foresee a
paperless Administration on the
basis of working fully with
electronic means.
Digital public services are provided
in a complex scenario in Spain.
Potential risks.

5. 5
Why the NSF-ENS
Create the necessary conditions of trust,
through measures to ensure IT security for the exercise of rights and the
fulfillment of duties through the electronic access to public services.
Promote the continuous management of
security, regardless of the impulses of the moment .
Promote prevention, detection and
correction.
Promote a common approach to security which
enables cooperation to deliver eGoverment services. The NSF complements
the National Interoperability Framework.
National Security Framework (NSF) = Esquema Nacional de Seguridad (ENS)

6. 6
The National Security Framework
It is a legal text (Royal Decree 3/2010).
It establishes the security policy for the use of ICT by the
Public Sector.
To be followed by the Public Sector in Spain.
Developed through ‘technical security instructions’
It is a key element of the National Cybersecurity Strategy.

7. 7
The Basic principles to be taken into account in
decision about security.
The minimum requirements which allow an
adequate protection of information.
Categorization of systems and risk
management for the adoption of
proportionate security measures according to
information and services to be protected and to the
risks to which they are exposed.
Security audit to verify compliance with the NSF.
Response to security incidents (CERT).
Use of security certified products, to be
considered in procurement.
Awareness and training.
NSF-ENS, Main elements
All entities of the Public Sector will have a security
policy, formally adopted, on the basis of the basic principles
and minimum requirements.

8. 8
operational
– planning
– access control
– operation
– external services
– continuity
– monitoring
asset protection
– facilities
– personnel
– equipment
– communications
– media
– software
– information
– services
organizational
– security policy
– security
regulations
– security
procedures
– authorization
process
Security measures
+ use of common infrastructures and services and security guidelines provided by CCN.

9. 9
Public entities, should, as SP 800-144 says:
• Carefully plan the security and privacy aspects of
cloud computing solutions before engaging them.
• Deploy
o Understand the public cloud computing
environment offered by the cloud provider ->
assess and manage risk accurately
o Ensure that a cloud computing solution satisfies
organizational security and privacy requirements.
o Ensure that the client-side computing environment
meets organizational security and privacy
requirements for cloud computing.
• Maintain accountability over the privacy and security
of data and applications implemented and deployed in
public cloud computing environments.
Using Cloud, Public entities should
…

10. 10
For instance:
In case of use of cloud services, the following measures deserve special
attention:
[Org.4] Authorization process
[Op.acc.4] Access rights management process
[Op.exp.7] Incident management
[Op.exp.11] Cryptographic Key Protection
[Op.ext] External services
There are measures that should not be transferred to the CSP:
Categorization of the system (Annex I)
Security policy [org.1]
Security policy [org.2]
Risk analysis [op.pl.1] (coordinate)
Authorization process [org.4] (to coordinate)
Daily management [op.ext.2] (coordinate)
Incident management [op.exp.7] (coordinate)
Protection of customer equipment [mp.eq.]
Activities that probably the CSP should not carry out:
Electronic signature [mp.info.4]
Time stamps [mp.info.5]
User identification [op.acc.1]
Access requirements [op.acc.2]
Management of access rights [op.acc.4]
Authentication mechanism [op.acc.5]
User activity log [op.exp.5]
Protection of activity records [op.exp.10]
Protection of cryptographic keys [op.exp.11]
Consideration of Who does What

11. 11
Cloud services and the NSF-ENS
2 SECURITY REQUIREMENTS
2.1 ROLES AND FUNCTIONS
2.2 CATEGORIZATION (ENS - ANNEX I)
2.2.1 COMMUNITIES
2.3 RECOMMENDATIONS
2.4 PROTECTION MEASURES (ENS - ANNEX II)
2.5 ADDITIONAL RESTRICTIONS
3 REQUIREMENTS DERIVED FROM OF DATA PROTECTION
4 INTERNAL REGULATIONS
5 PROCUREMENT
5.1 DESCRIPTION OF SERVICE
5.2 SUBCONTRACTING
5.3 PROTECTION OF INFORMATION
5.4 SERVICE LEVELAGREEMENTS
5.5 ACCESS TO SERVICE
5.6 GEOGRAPHICAL CONDITIONERS
5.7 RESPONSIBILITIES AND OBLIGATIONS
5.8 REGISTRATION OF ACTIVITY
5.9 TERMINATION OF SERVICE
6. OPERATION
6.1 OPERATING SECURITY PROCEDURES
6.2 FOLLOW-UP OF THE SERVICE
6.3 CHANGE MANAGEMENT
6.4 INCIDENT MANAGEMENT
6.5 BACKUP AND RECOVERY OF DATA
6.6 CONTINUITY OF THE SERVICE
6.7 TERMINATION
7 SUPERVISION AND AUDIT
ANNEX A. ENS COMPLIANCE

12. 12
Annex A contains the controls of standards 27002 and the CCM
matrix, together with their correspondence to meet the ENS
requirements.
(…)
(…)
NSF-ENS, 27000 and CCM

13. 13
2. Compliance with
the National Security
Framework
Fuente: NASA

14. 14
Audit, reporting & compliance
Interested
actors

15. 15
Compliance with the NSF-ENS
TECHNICAL SECURITY INSTRUCTION - COMPIANCE WITH THE
NATIONAL SECURITY FRAMEWORK
INDEX
I. Object.
II. Scope.
III. Procedures for determining compliance.
IV. Declaration of Compliance with the National Security Framework of BASIC
category systems and its publicity.
V. Certification of Compliance with the National Security Framework of systems
of category MEDIUM or HIGH and its publicity.
VI. Requirements of the certifying entities.
VII. Solutions and services provided by the private sector.
Annex I. Contents of the Declaration of Compliance with the National Security
Framework.
Annex II. Declaration of Compliance with the National Security Framework.
Annex III. Content of the Certification of Compliance with the National Security
Framework.
Annex IV. Certificate of Compliance with the National Security Framework.

16. 16
Providers are often engaged in the provision of
solutions or services (through, for example, cloud
services) for systems under the scope of the NSF.
Solutions or services should comply with the
requirements of the NSF-ENS and have the
corresponding Declarations or Certifications of
Compliance.
Declaration of Compliance with the NSF-ENS
(category BASIC)
Certification of Compliance with the NSF-ENS
(mandatory for categories MEDIUM or HIGH, voluntary for
category BASIC)
Providers: same procedures as for the Public Sector
Requirements for providers

17. 17
Accreditation by ENAC
according to UNE-EN ISO /
IEC 17065: 2012, for the
certification of systems within the
scope of ENS.
In case of NOT having the
accreditation:
1. They will request
accreditation to the ENAC.
2. They will inform of the
acceptance of the request
to the CCN.
3. They can begin their
certification activities on
a temporary basis, having
12 months to obtain it.
Requirements for Certifiers

18. 18
3. Challenges
and Conclusions

19. 19
The National Security Framework (NSF-ENS):
 Promotes a common approach to cybersecurity in the Public
Sector of Spain, adapted to its requirements
 Independent audits are the basis for the Security Report and for the
compliance with the NSF-ENS.
Compliance with the NSF-ENS is applicable to:
 Entities of the Public Sector
 Providers of solutions and services (e.g. Cloud services) engaged in
systems under the scope of the NSF-ENS.
Public entities should have an understanding of security issues
in the cloud computing environment and ensure security
requirements.
Under development: specific compliance requirements to
certify cloud service providers for systems falling under ENS.
Challenges & Conclusions

20. 20
Challenges:
 Progress in cibersecurity of entities of the
Public Sector.
 Improve the implementation of the security
measures.
 Extend the implementation of the NSF-ENS to all
kind of information systems of the Public Sector in
Spain.
 Extend the use of common services offered by
the General State Administration.
 Promote the compliance with the NSF-ENS.
Challenges & Conclusions

21. 21
More information

22. 22
Public Sector
Law 40/2015
Institutional Public
SectorGeneral State
Administration
Autonomous Communities
Local Entities
Law 39/2015
Public Entities and Public
Law Entities
Entities of Private Law
(Administrative powers)
Public Universities
Public Law Corporations
Linked
or
depend
ent
Linked
or
depend
ent
The Public Sector in Spain

23. 23

24. 24
CCN-CERT Guidelines and tools

25. 25

26. 26
eGovernment and Security

27. 27

28. 28
 E-mail addresses
– ens@ccn-cert.cni.es
– ens.minhap@correo.gob.es
– ccn@cni.es
– sondas@ccn-cert.cni.es
– redsara@ccn-cert.cni.es
– organismo.certificacion@cni.es
 Web pages:
– administracionelectronica.gob.es
– www.ccn-cert.cni.es
– www.ccn.cni.es
– www.oc.ccn.cni.es
Many thanks