
Cloud Security Workshop: Building Trust in Cloud Services – Certification and Beyond

The cloud security workshop was facilitated by the European Commission and focused on the issues shown in this agenda. In each session throughout the day, panels of experts in cloud computing touched on their own experience to convey their perspective of these issues. Participants actively discussed their own experience of these issues and together prioritised mechanisms to address them.
Friday 18 Mar 2016

European Commission, Room 1.4 PLB3, Rue Philippe Le Bon 3, Brussels, BELGIUM

The workshop was streamed live online and a recording is available on our website.

Agenda

You can view and download a copy of the agenda here.

8:30-9:00
Registration and coffee

9:00-9:20
Cloud Security in the context of European Commission initiatives
Pearse O'DONOHUE, Head of Unit
DG CNECT Software & Services, Cloud

9:20-9:40
Network & Information Security Directive and Cloud Computing Services
Pierre CHASTANET, Deputy Head of Unit
DG CNECT Trust & Security

9:40-10:40
Best Practice: Risk Management of cloud computing services
Facilitator: Aristotelis TZAFALIAS (DG CNECT Trust & Security, European Commission)
Panel: Mikk Lellsaar (RISO, Estonia), Marnix DEKKER (IT Security Directorate, European Commission), Gilles Chekroun (VMware, EMEA), Elena ALAMPI-DAS NEVES MOREIRA (eIDAS Task Force, European Commission)

Which service management elements, such as business continuity or incident management, help to measure the risk of cloud services and meet the obligations of risk management in Art.15a(1) in the NIS Directive?  What is the role of eIdentification, authentication and trust services under the eIDAS Regulation for accessing and provisioning cloud services?   How do cloud service customers decide between Public vs Private Cloud services?  What approaches could improve transparency of risk management for cloud-based services, including the use of risk-transfer mechanisms, such as insurance?

Presentations:

Mikk Lellsaar (RISO, Estonia) about Estonian Government cloud

Marnix Dekker (IT Security Directorate, European Commission) about the EC as cloud customer

Gilles Chekroun (Network and Security Business Unit, VMware)

Elena Alampi (DG CNECT, European Commission) about eIDAS Regulation (EU) 910/2014

 

10:40-11:00
Coffee break

11:00-12:00
Transparency: Incident Notification and Information Sharing for cloud computing services
Facilitator: Aristotelis TZAFALIAS, DG CNECT Trust & Security
Panel: Mario Maawad Marcos (CaixaBank, Spain), Craig Balding (Barclays, UK), Jonathan Sage (IBM, UK)

How can we make the best of incident notification and what will it take in terms of impact parameters, formats and procedures?  How can suppliers demonstrate compliance throughout the supply chain?  How could we strengthen cooperation between industry and the public sector to build trust in cloud-based services?

Presentation:

Mario Maawad Marcos (CaixaBank, Spain) about Incident Notification and Information Sharing

 

12:00-13:00
Lunch

13:00-15:00
Recognition: Cloud Certification Schemes & Assurance Levels
Presentation: "C5" the Cloud Computing Compliance Controls Catalogue, Patrick Grete (BSI, Germany)
Facilitator: Pearse O'DONOHUE, DG CNECT Software & Services, Cloud
Panel: Antonio Ramos (Leet Security, Spain), Dimitra Liveri (ENISA)

How could we raise awareness of cloud security that already meets the highest requirements in terms of cyber security?  Is certification the right option or do certified cloud services attract cyber-attacks?  Does certification replace risk management or would extra guidance and best practices complement certification?  Should cloud certification be more aligned to the needs of users and cover additional aspects not already endorsed by certification schemes, such as data protection?  How can certification be made accessible for all cloud service providers, including SMEs?  What could be the most effective method to enable standardisation agreements or mutual recognition of distinct or national cloud certification schemes across the Digital Single Market?

Presentations:

Patrick Grete (Federal Office for Information Security (BSI), Germany) about the BSI 'C5'

Antonio Ramos (Leet Security, Spain)

Dimitra Liveri (NIS Expert, ENISA) about next steps in Cloud Certification

 

15:00-15:30
Coffee break

15:30-16:30
Impact Factors: Service Authentication, Law Enforcement Access, and Export Controls on cloud services
Facilitator: Mark SMITHAM, DG CNECT Software & Services, Cloud
Panel: Jan Neutze (Microsoft, EMEA), Helmut Fallmann (Fabasoft, Austria), Filippo SEVINI via video (JRC, European Commission)

What approaches are necessary for cloud computing services to support the Digital Single Market in relation to service authentication, encryption, law enforcement access, or export controls?  What service authentication possibilities are made available and recognised across borders by cloud service providers to ensure a secure way of processing data?  Are these issues common for users and cloud service providers?  Are there other, more significant aspects of cloud security that would have sufficient impact to drive the uptake of cloud services?

Presentations:

Jan Neutze (Microsoft) about Law Enforcement Access

Helmut Fallmann (Fabasoft, Austria)

Filippo Sevini (JRC, European Commission) about Export Controls on cloud services and Cybersurveillance

 

16:30-16:50
Summary
Rapporteur: Professor David Wallom
e-Research Centre, University of Oxford

16:50-17:00
Conclusion
Pearse O'DONOHUE, Head of Unit
DG CNECT Software & Services, Cloud

17:00
Close