DIGITALEUROPE’s commentary on CSPCERT’s recommendations to ENISA for a Cloud Security Certification Scheme

Executive summary

DIGITALEUROPE supports the objective to improve the EU’s level of cybersecurity and resilience. Greater homogeneity across all Member States will reduce barriers to entry for cloud service providers (CSPs), benefitting, in particular, the survivability and growth of European SMEs.

DIGITALEUROPE has witnessed a proliferation of cloud cybersecurity schemes and procurement specifications from many public sector bodies across the EU. Reducing this fragmentation is a noble goal, especially if an EU-wide scheme is sufficient to cover the broad needs of the public sector as well as other organisations. To this end:

• Existing, well-established international standards need to be prioritised to provide assurance to cloud customers. Any gaps in international standards should be harmonised within the standardisation system, preferably with the goal of international endorsement.
• Where Member States’ schemes exist, mutual recognition between Member States’ existing cloud security schemes should be established while an EU-wide scheme is being developed. Failure to do so creates a substantial barrier to entry, particularly for SMEs who will not have the resources to survive across Member States in a very competitive market. The Commission should investigate whether SOG-IS, and its transition into an EU scheme, can help in this respect.
• Assurance levels should build upon each other by adding security and assurance requirements from basic to substantial and from substantial to high. Other approaches would cause serious issues for SME providers trying to enhance security and could confuse customers.
• As mentioned in the CSPCERT Executive Summary, the suitability of the provided recommendations could be enhanced by the Commission’s and ENISA’s guidance through the refinement of the scheme to specific sectoral threats.

Introduction

DIGITALEUROPE supports the objective to improve the level of cybersecurity and resilience across Europe. The Cybersecurity Act, in particular, aims to contribute to this strategic priority by establishing an EU-wide cybersecurity certification framework ensuring a common approach in the European internal market. This will ultimately improve cybersecurity in a broad range of digital products and services.

The first Digital Single Market (DSM) Cloud Stakeholder Group met in June 2017 and since then has worked to explore a possible candidate certification scheme in the field of cloud security under the framework proposed by the Cybersecurity Act.

This work was underpinned by the study commissioned under SMART 2016/0029 ‘Certification schemes for cloud computing’ from March 2017 to March 2018. The methodology used in the SMART-commissioned report included analysing current certification requirements, analysing the results of 150 completed surveys and conducting a workshop with 85 participants. The final recommendations from CSPCERT[1] were presented in June 2018 and in summary, align to ENISA’s Cloud Certification Schemes Metaframework with a variety of conformity assessments for different assurance levels.

The purpose of this commentary is to provide feedback on CSPCERT’s recommendation for the implementation of the CSP certification scheme that can be used by the Commission when considering proposing a scheme and ENISA when preparing one.

The EU market, cybersecurity certification and standardisation

As the ‘Certification schemes for cloud computing’ study identified, CSPs are required to demonstrate alignment or compliance to over twenty different frameworks. This is required to address general misconceptions and misunderstandings about the security of cloud services, the control of data and compliance to existing frameworks. This is further complicated by the rise of mandatory schemes to provide assurance to public sector organisations in various Member States.[2]

This requires a significant amount of investment for cloud providers, including but not limited to: the costs related to instructing a third-party auditor throughout the lifecycle of the scheme; consultancy to advise on the requirements of the scheme; changes to the internal controls of the cloud provider’s organisation; and technical enhancements of the cloud services. The result is that only the most well-resourced cloud providers can provide such level of investment to meet a plethora of requirements throughout the EU’s internal market.

DIGITALEUROPE welcomes CSPCERT’s acknowledgement of this resource constraint and the need to establish greater homogeneity in all Member States to reduce the barriers to entry for CSPs. This is critical to ensure the survivability and growth of DIGITALEUROPE’s members, many of whom are SMEs. The suitability of CSPCERT’s recommendations should be further investigated by ENISA while developing and refining the scope of an EU Cybersecurity Act scheme.

DIGITALEUROPE recommends that the Commission and ENISA be precise on the risk profiles that are to be covered by any new scheme, such as applicable to the public sector or operators of essential services (OES).[3] This would be in alignment to the principles documented within the Cybersecurity Act, specifically:

‘(78) The choice of the appropriate certification and associated security requirements by the users of European cybersecurity certificates should be based on an analysis of the risks associated with the use of the ICT products, ICT services or ICT processes. Accordingly, the assurance level should be commensurate with the level of the risk associated with the intended use of an ICT product, ICT service or ICT process.’

Whilst CSPCERT has admirably attempted to recognise this complexity with the three assurance levels required by the Act, the difficulty in defining three assurance levels to cover all risk profiles should not be underestimated.

For example, the public sector is presented with complexity across different bodies. These include on the one hand organisations that are more likely to fall prey to commodity attacks (such as a Ministry for Agriculture), and should therefore only need a ‘basic’ level of assurance, and on the other organisations that are more likely to be targeted by bespoke attacks (such as a Ministry for Defence) and would hence need a ‘high’ level of assurance.

DIGITALEUROPE is concerned that the analysis of the CSPCERT group has not sufficiently considered the respective roles and responsibilities of the CSP and the cloud customer in defining the right level of security, in particular for infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) providers. The recommendations assume that cloud customers can only rely on the level of assurance offered by a CSP and cannot build upon it. However, security is a shared responsibility and cloud customers are generally able to enhance their overall security without exclusively relying upon the underlying CSP.

Furthermore, cloud customers not categorised as OES are more likely to experience much more effective security by migrating to cloud services than continuing to manage their own on-premise IT. For these organisations, cloud computing is no longer inherently a greater risk compared to managing their own ICT systems, though each customer should still conduct its own risk analysis.

We recommend that the Commission and ENISA undertake an in-depth risk assessment to help determine the risk profiles within the scope of any scheme.

Security objectives of European cybersecurity certification schemes

DIGITALEUROPE welcomes that the deliverables produced by CSPCERT are based on existing international standards and the Member States’ cloud security certification schemes currently in force.[4]

Building upon CSPCERT’s observation regarding the control differences of CSA CSM and NIST 800-53, we conclude that the gaps between the requirements of all the control frameworks considered in the CSPCERT analysis are rather small.

The acknowledgement of the overlaps present in existing schemes is critical. This highlights the growing burden CSPs face in having the same controls audited time and again. Not only is this inefficient and costly, but it also limits CSPs’ resources away from the core task of providing the cloud service and confuses cloud customers who also have to understand multiple, yet very similar, schemes.

Taking this premise further, CSPs, whatever their size, cannot support such a burden without introducing risk to the quality and security of the services provided. Given that many of the controls in the analysed schemes contain many of the controls that should be included in the management of any information system, the focus should be on identifying those controls that make cloud computing different. ISO/IEC 27017 provides an international baseline focused on the provision and use of cloud services, yet other schemes either do not build upon this standard or add to it.

DIGITALEUROPE believes that once the goals of a scheme have been identified, the required controls for such a scheme should be harmonised at European and International levels. This has the benefit of leveraging well-established schemes maximising cloud customers’ acceptance as well as cloud providers’ own return on investment for their current compliance portfolios (‘audit once, certify many’).

Building assurance levels based on a harmonised set of controls enables substantial and high assurance levels to be defined based on extending existing prior levels. That is, a substantial assurance level should extend the security functionality and assurance requirements from a basic assurance level, and high should be an extension of substantial. Having each assurance level reference different control frameworks will make it harder for providers, especially SMEs, to build out their services and certify to additional assurance levels. It could also confuse customers as their responsibilities could be affected across assurance levels.

In the absence of international harmonisation and prior to the adoption of any EU scheme, a useful steppingstone would be to establish mutual recognition between Member States’ individual cloud security schemes. This would significantly reduce the cost of doing business, particularly for SME providers, as well as reduce barriers for entry. In addition, the mutual recognition of existing schemes could be encouraged as part of the current review of the SOG-IS agreement and its transition under the EU Cybersecurity Framework.

Assurance levels of European cybersecurity schemes

DIGITALEUROPE welcomes CSPCERT’s attempt to rationalise various conformity assessment methodologies in its proposed scheme. During its work, CSPCERT considered the applicability of recognised international approaches to conformity assessments, notably ISO 17021[5] and ISAE 3401. Admirably, CSPCERT has also considered emergent approaches to enhance the assurance provided by certifications, such as penetration testing and continuous auditing even if this not widely adopted in practice. The complexity from such a hybrid approach, whilst admittedly limited to substantial or high levels, will represent a challenge for all service providers.

Of the methodologies identified by CSPCERT, DIGITALEUROPE agrees that the most pragmatic form of assurance would be an approach using ISO 17021 or ISAE 3401. These approaches to conformity assessments are internationally recognised and accepted by service providers, as they are already used to provide assurance for their customers’ own financial reporting.

From an academic perspective, ISO 17021 and ISAE 3402 can complement each other well, with one focusing on an organisation’s governance structures (essentially the design of the controls) and the latter focusing on control effectiveness. Such integration requires a high degree of maturity,[6] where controls are quantitatively managed and optimised by the service provider. This is something that takes years to achieve for any organisation, with significant investment in business process efficiencies and automation. It should also be noted that there are a limited number of firms that meet the competency requirements for both ISO 17021 and ISAE3402.[7] The use of such firms may also be cost-prohibitive for some SMEs.

While CSPCERT makes interesting observations, DIGITALEUROPE suggests that ENISA considers these in the context of other potential non-cloud schemes, as consistency between all schemes will help reduce the burden on national cybersecurity certification authorities, conformity assessment bodies and providers of multiple types of ICT products and services.

CSPCERT has admirably considered emergent approaches to enhance the assurance provided by certifications, such as continuous auditing and penetration testing.

Regarding continuous auditing, CSPCERT acknowledged that ‘[t]he use of continuous auditing approaches in the certification landscape is relatively new and not yet mature.’[8] DIGITALEUROPE fully agrees with this statement, which reflects a number of issues with the concept, including: establishing repeatable metrics of performance; secure transfer mechanism; amendments to service agreements; and enough resources within national cybersecurity certification authorities to provide oversight. These issues need to be further investigated and overcome by ENISA before continuous auditing is implemented as an appropriate form for establishing assurance.

Furthermore, the concept of establishing repeatable metrics, if too prescriptive and not based on international standards, would potentially threaten technological innovation. DIGITALEUROPE believes that this would not be in accordance with the principles of the Cybersecurity Act.[9]

Regarding using penetration tests for further assurance, DIGITALEUROPE agrees with the constraints recommended by CSPCERT[10] and further notes that penetration testing, if not controlled correctly in a way that understands the specific nature of cloud services, can cause a significant amount of damage and misleading results.

Most significantly, a high degree of trust is required from a relatively small number of firms engaged in penetration testing. We have a significant concern about a relatively small number of firms aggregating vulnerability data and identifying potential compromise paths for many cloud providers. Such information is extremely valuable, and these firms could find themselves targeted by threat actors to then be able to exploit the services that they have assessed. We recommended ENISA to consider this issue and propose how to mitigate the problem.

Data localisation

DIGITALEUROPE does not believe that the requirements associated with any of the three assurance levels should include data localisation. In particular, given the strict application of data localisation under SecNumCloud, we do not believe that it is appropriate to directly copy those requirements across to the ‘high’ assurance level in a proposed EU scheme. The concern here is that for most SaaS offerings, keeping all the data within Europe’s borders is an unrealistic prospect and comes at the price of significant functionality and service loss. Furthermore, any personal data that leaves the EU’s borders should be compliant with GDPR, which established transfer mechanisms that ensure an equivalent level of data protection.

Including localisation requirements in the proposed scheme will also hinder the expansion of EU companies’ businesses outside of the EU. To maintain the quality and reliability of their operations, EU companies should be able to use cloud services with the same level of assurance as in the EU, no matter where they operate. It is, therefore, necessary that the benefit of EU-wide schemes can be ‘exportable’ by allowing cloud services provided from outside of the EU to be certified against EU schemes, without any localisation criteria. This is something that already exists with EU compliance mechanisms such as CE marking, which has demonstrated over the years its efficiency to protect EU consumers. Similarly to CE marking, the proposed EU scheme should allow providers to claim compliance of their cloud services with the EU cloud computing scheme regardless of where they operate.

Conclusion

DIGITALEUROPE agrees with CSPCERT that the current state, with over twenty requirements throughout the EU’s internal market that cloud service providers must comply with, is inefficient and costly. The work that CSPCERT has done provides a useful starting point for harmonising cloud certification schemes within the EU’s internal market. A significant benefit of these recommendations is that it highlights existing international standards as a baseline for a new scheme. This conclusion should be taken further – existing international standards need to be fully leveraged and any additions or changes to international standards must be harmonised both at European and international level.

As a steppingstone to a full scheme, mutual recognition needs to be established between existing cloud security schemes. In addition, there are several enhancements that are required to improve the suitability and effectiveness of CSPCERT’s recommendations. For example, ENISA should undertake a thorough risk assessment to determine the appropriate assurance level for users and avoid a scenario where the scheme is deemed inapplicable for a significant portion of higher-risk user communities. From that, the most appropriate form of conformity assessment will be able to be identified. We also urge the European Commission to be very clear on the scope of any scheme it requests ENISA to prepare, which should be based on risk profiles.

Footnotes

[1] CSPCERT WG (Milestone 3), ‘Recommendations for the implementation of the CSP Certification scheme,’ available at https://drive.google.com/file/d/1J2NJt-mk2iF_ewhPNnhTywpo0zOVcY8J/view

[2] Most notably Germany’s C5, France’s SecNumCloud and Spain’s ENS.

[3] As defined by the NIS Directive.

[4] Notably, CSPCERT’s work expanded upon the ‘Certification schemes for cloud computing’ study with a comparative analysis of ISO 27002, ISO 27017, ISO 27018, C5 and SecNumCloud. These were then cross-referenced to ENISA’s Cloud Computing Schemes Metaframework.

[5] The conformity assessment methodology used for the issuance of management system certifications, such as ISO 27001.

[6] The Capability Maturity Model is a useful mechanism to demonstrate the degree of formality and optimisation of processes, from ad hoc practices to formally defined steps, to managed result metrics, to active optimisation of the processes.

[7] This requires a firm that is both a chartered public accountant and a firm that is also accredited to issue ISO 27001 certificates.

[8] P. 53 of the Milestone 3 document.

[9] See notably Recital 95: ‘The design of the European cybersecurity certification schemes should take into account and allow for the development of innovations in the field of cybersecurity.’

[10] See Section 4.5 of ‘CSPCERT WG (Milestone 3) Recommendations for the implementation of the CSP Certification scheme’.