© Fraunhofer
APPLIED AND INTEGRATED SECURITY
New approach for Compliance, Security and
Data privacy assessment in the Cloud Age –
NGCert Next Generation Certification
AGENDA
Fraunhofer AISEC in a nutshell
New approach for Compliance, Security and
Data privacy assessment in the Cloud Age –
NGCert Next Generation Certification
© Fraunhofer | Mario Hoffmann | 07.10.2015
Fraunhofer AISEC – In a nutshell
Fraunhofer Institute for
Applied and Integrated Security
Parkring 4
85748 Garching (near Munich) Germany
Founded 2009
> 100 employees at the end of 2014
Directors: Prof. Dr. Claudia Eckert, Prof. Dr. Georg Sigl
Fraunhofer AISEC – In a nutshell
Fields of expertise
• Embedded Security
• Security Evaluation
• Hardware Security
• Product Protection
• Cloud & Service Computing
• Network Security
• Automotive Security
• Smart Grid Security
New approach for Compliance, Security and
Data privacy assessment in the Cloud Age –
NGCert Next Generation Certification
Trust
“Trust can be used to measure our confidence that a secure system behaves as expected.”
Security guidelines & policies, SLAs, certificates (CSA, NIST, BSI, EuroCloud, …)
Certification
You don't have to measure on your own
Certificates can give evidence that a system behaves as specified and expected.
Cloud Services
IaaS, PaaS, SaaS
Dynamic, flexible, on-demand
A question of trust(?)
Dynamic Certification
Certification criteria are verified dynamically and on-demand
56% of German companies worry that Cloud Computing compromises compliance requirements
83% of German companies expect the data centre to be operated in Germany
Source: "Cloud Monitor 2015", BITKOM (German Association for Information Technology, Telecommunications and New Media)
The Court of Justice declares that
the Commission’s US Safe
Harbour Decision is invalid
http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf
Example: EuroCloud Star Audit
Developed under the European Cloud Strategy for worldwide use: https://eurocloud-staraudit.eu/
SaaS Seal of Quality
Areas assessed: provider profile, contract and compliance, security, infrastructure reliability, processes, applications, implementations
Levels of quality from 1 to 5 stars (example criteria out of > 150):
3 Stars: The provider lets the customer choose the place of jurisdiction, or offers a contract directly under the customer's legislation
4 Stars: Direct access by admins is restricted and, before single access is granted, transaction data is anonymised with respect to user profiles
5 Stars: Pentests are performed at least once a year and documented in order to prove that security measures have been implemented appropriately
Reference: DuD - Datenschutz und Datensicherheit 5 | 2011, "Zertifizierte Cloud durch das EuroCloud Star Audit SaaS" (Certified Cloud through the EuroCloud Star Audit SaaS), Rüdiger Giebichenstein, Andreas Weiss
Problem Statement
Traditional approach to certification
Manual evaluation of a certificate's requirements
Static testing intervals and a validity of one to three years
[Timeline figure: audit & certification at year 0, re-audits at years 1 and 2]
Problem Statement
Problem with traditional certificates
Between audits, the certified Cloud service has already changed
A violation of the certificate's requirements can occur without being recognised
[Timeline figure: audits at years 0, 1 and 2; between the audits the compliance status of the service is unknown (?)]
Problem Statement
Automatic and continuous evaluation of the requirements
Automatic comparison of the high-level requirements of a certificate with information about the Cloud service (e.g. its behaviour during runtime, based on monitoring data)
[Timeline figure: audits at years 0, 1 and 2; the gaps between audits (?) are covered by continuous automatic evaluation]
Motivation
Certification
• Multi-year validity periods may put the reliability of certifications in doubt
• Many widespread certificates already existed before the Cloud
• More tailored certificates are needed
• Important: transparency and trustworthiness
Cloud Computing
• Cloud service certifications attempt to assure a high level of security and compliance.
• Cloud services are part of an ever-changing environment
• Challenge: Security, data privacy, service level objectives and legal compliance (e.g. commissioned data processing)
Research goal: Continuous auditing of selected certification criteria assures continuously reliable and secure cloud services and thereby increases the trustworthiness of certifications.
The big picture
[Architecture figure with the following components: Legal Implications; Certificates & Catalogues of Criteria; Cloud Ecosystems; Status information; Complex Event Processing; Data and process model; Machine Learning & Data Mining; Monitoring & Testing Tools]
Criteria derived from technical information need to be validated automatically and on-demand
Aggregation and interpretation of Cloud sensor data
<Excursion>
Legal Implications
The Court of Justice declares that
the Commission’s US Safe
Harbour Decision is invalid
http://curia.europa.eu/jcms/upload/docs/application/pdf/2015-10/cp150117en.pdf
Legal implications (1/3)
• According to German data protection law, the use of Cloud Computing services constitutes commissioned data processing
• The German Federal Data Protection Act regulates the Cloud user's obligation to monitor the technical and organisational measures of the Cloud provider
[Figure: the Cloud provider acts as contractor for the Cloud user]
Legal implications (2/3)
Challenge
• Personal on-site inspection
• Cloud users commonly lack expert knowledge
• Where data is stored is ambiguous
• Disproportionate effort is necessary
• "Validation tourism" is not practical for either side
Approach
• External expertise can be utilised, but static certification does not fully satisfy legal compliance
• Dynamic certification?
Legal implications (3/3)
Research questions from a legal perspective:
• Who certifies?
• A private or a public institution?
• Legitimation? Reputation? Acceptance?
• How are the testing criteria defined and specified?
• Are they up-to-date?
• Who supervises the certification authority?
• What legal impact does the grant or denial of such a certificate have?
Fields of law concerned:
• Constitutional law, constitutional process law, European law, data protection law,
administrative law, administrative procedural law, civil law, civil process law, competition law, criminal law etc.
</Excursion>
NGCert – Next Generation Certification
Nationally funded project, 10/2014 - 09/2017, http://www.ngcert.de/download/papers/
Hypotheses:
• It is possible to evaluate critical requirements of a certificate automatically.
• A completely automatic certification is possible for dedicated test steps (only).
• Automatic test steps can help to prove the fulfilment of requirements regarding quality, data protection and data security, ensuring legal compliance.
[Architecture figure: Certificate requirements (checklist) → Σ checklists (requirements of all certificates) → split into technical requirements that are not automatically verifiable and automatically verifiable technical requirements → Metric 1 (with threshold) ... Metric N → Analyse & Validate (e.g. CEP) → Results & Reports (e.g. dashboard)]
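The pipeline above (certificate requirement → automatically verifiable metric with threshold → analysis of monitoring data → report) can be made concrete with a small evaluator. The following is an added example written for this page; it is not code from the NGCert project or the slides. The criteria it evaluates are hypothetical reductions of requirements mentioned on the page (the "data centre operated in Germany" expectation from the Cloud Monitor, and the 4-star and 5-star EuroCloud criteria on admin access and yearly pentests); the event kinds, attribute names, the 30-day access window and the allowed-region set are assumptions made here, and the monitoring events are constructed sample data.

```python
"""Continuous evaluation of certificate criteria against cloud monitoring events.

Added example, not NGCert code. Event schema, criteria and thresholds are
assumptions for illustration; SAMPLE_EVENTS is constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Event:
    """One monitoring record from the cloud service (hypothetical schema)."""
    ts: datetime
    kind: str
    attrs: Dict[str, str]


@dataclass(frozen=True)
class Criterion:
    """A certificate requirement reduced to a metric plus a threshold."""
    cid: str
    description: str
    metric: Callable[[List[Event], datetime], float]
    threshold: float
    higher_is_better: bool  # True: pass if value >= threshold, else pass if value <= threshold

    def passes(self, value: float) -> bool:
        return value >= self.threshold if self.higher_is_better else value <= self.threshold


ALLOWED_REGIONS = {"eu-de"}        # assumption: "data centre operated in Germany"
ADMIN_WINDOW = timedelta(days=30)  # assumption: sliding window for admin-access checks


def allowed_region_ratio(events: List[Event], now: datetime) -> float:
    """Share of VMs whose most recent placement (up to `now`) is in an allowed region.
    No placement evidence at all yields 0.0: absence of evidence is not compliance."""
    latest: Dict[str, Event] = {}
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.kind == "vm_placed" and e.ts <= now:
            latest[e.attrs["vm"]] = e
    if not latest:
        return 0.0
    ok = sum(1 for e in latest.values() if e.attrs["region"] in ALLOWED_REGIONS)
    return ok / len(latest)


def unanonymised_admin_accesses(events: List[Event], now: datetime) -> float:
    """Direct admin accesses within ADMIN_WINDOW that were not anonymised
    with respect to user profiles (the 4-star EuroCloud criterion)."""
    return float(sum(
        1 for e in events
        if e.kind == "admin_access"
        and now - ADMIN_WINDOW < e.ts <= now
        and e.attrs.get("anonymised") != "yes"))


def days_since_last_pentest(events: List[Event], now: datetime) -> float:
    """Days since the most recent documented pentest report; inf if there is none."""
    reports = [e.ts for e in events if e.kind == "pentest_report" and e.ts <= now]
    return float((now - max(reports)).days) if reports else float("inf")


CRITERIA = [
    Criterion("DATA-LOC", "all VMs placed in an allowed region", allowed_region_ratio, 1.0, True),
    Criterion("ADMIN-ACCESS", "no unanonymised direct admin access in window",
              unanonymised_admin_accesses, 0.0, False),
    Criterion("PENTEST", "pentest documented at least once a year", days_since_last_pentest, 365.0, False),
]


def evaluate(events: List[Event], now: datetime) -> Dict[str, Tuple[float, bool]]:
    """Evaluate every criterion at time `now`; returns cid -> (metric value, passed)."""
    report: Dict[str, Tuple[float, bool]] = {}
    for c in CRITERIA:
        value = c.metric(events, now)
        report[c.cid] = (value, c.passes(value))
    return report


def first_violation(events: List[Event], start: datetime, end: datetime,
                    step: timedelta = timedelta(days=1)) -> Optional[Tuple[datetime, List[str]]]:
    """Re-evaluate every `step` between `start` and `end` and return the first point
    at which any criterion fails, with the failing criteria. A yearly audit would
    only look at the endpoints and miss a violation that appears in between."""
    now = start
    while now <= end:
        failed = [cid for cid, (_, ok) in evaluate(events, now).items() if not ok]
        if failed:
            return now, failed
        now += step
    return None


def ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%d")


SAMPLE_EVENTS = [  # constructed sample data, not real monitoring output
    Event(ts("2015-01-15"), "pentest_report", {"report": "PT-2015-01"}),
    Event(ts("2015-02-01"), "vm_placed", {"vm": "web-1", "region": "eu-de"}),
    Event(ts("2015-02-01"), "vm_placed", {"vm": "db-1", "region": "eu-de"}),
    Event(ts("2015-02-10"), "admin_access", {"vm": "db-1", "anonymised": "yes"}),
    Event(ts("2015-03-05"), "vm_placed", {"vm": "db-1", "region": "us-east"}),  # migrated out of Germany
    Event(ts("2015-03-20"), "admin_access", {"vm": "db-1", "anonymised": "no"}),
]

if __name__ == "__main__":
    for day in ("2015-02-20", "2015-03-25", "2016-02-01"):
        print(day, evaluate(SAMPLE_EVENTS, ts(day)))
    print("first violation:", first_violation(SAMPLE_EVENTS, ts("2015-02-01"), ts("2015-12-31")))
```

Two design points matter for a certification use case: a metric must fail closed when monitoring data is missing (no placement evidence is treated as non-compliance rather than as a pass), and the evaluation must be re-run at a cadence much shorter than the certificate's validity, which is what `first_violation` does and what turns the "?" between audits into a timestamped finding.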
NGCert – Summary
• Design principles for developing dynamic certifications
• Appropriate metrics and (new) methods for assuring requirements such as security, privacy, and compliance to …
• Match monitoring results as appropriate evidence for common compliance controls in the area of security, data privacy, service level objectives and legal compliance
• Certification framework and tool chain for continuous (semi-)automated
Contact
Fraunhofer AISEC
Parkring 4
85748 Garching (near Munich) Germany
Service & Application Security – SAS
Mario Hoffmann, Head of department
Tel: +49-(0)89 322 9986 -177
Fax: +49-(0)89 322 9986 -299
eMail: [email protected]
Web: http://www.aisec.fraunhofer.de