Cloud Computing and Standards - A Regulator’s View
Description: Cloud Computing and Standards - A Regulator’s View. OASIS International Cloud Symposium, 11 October 2011. Steven Johnston, CISSP, Senior Security and Technology Advisor, Office of the Privacy Commissioner of Canada.
Cloud Computing and Standards - A Regulator’s View
OASIS International Cloud Symposium, 11 October 2011
Steven Johnston, CISSP, Senior Security and Technology Advisor
Office of the Privacy Commissioner of Canada
www.oasis-open.org
Things We’ve Done
• Guidelines for Processing Personal Data Across Borders (January 2009)
• Cloud computing paper released early April 2010
• Public consultations April – June 2010
• Working on guidance for SMBs
Things We’ve Learned
• Privacy implications of cloud computing include:
  – Jurisdiction
  – Third party access
  – Security safeguards
  – Limitations on use and retention
  – Demonstrating/verifying compliance
How Standards Can Help
• To address new technology concerns (e.g. cloud computing)
• To address baseline issues such as limiting collection, data retention, safeguards, etc.
• Basis for Privacy Impact Assessments, Threat/Risk Assessments and Audits
• Basis for systematic assessment of security requirements
• Basis for audit
• Basis for contractual agreements with cloud service providers
ISO Standards Development
• ISO/IEC JTC 1 SC7 (SSE)
  – Potential future work
    • Cloud computing vocabulary
    • Modeling cloud solutions
    • Systems engineering of cloud-based solutions
    • IT Service Management for Cloud Computing
    • IS Governance Framework for Cloud Computing
ISO Standards Development
• ISO/IEC JTC 1 SC27 (IT Security)
  – Joint study period (WGs 1, 4, 5)
  – NWI proposal
    • ISO 27017-2 (information security code of practice based on ISO 27002) (provisional)
    • To be accompanied (eventually) by:
      – 27017-1 (requirements)
      – 27017-3 (legal and regulatory code of practice)
      – 27017-4 (service code of practice)
      – 27017-5 (audit guidelines)
ISO Standards Development
• ISO/IEC JTC 1 SC38 (DAPS)
  – WG 1 – Web Services
  – WG 2 – Service Oriented Architecture
  – Study Group on Cloud Computing
    • Released a study report in June 2011
ISO Standards Development
• SGCC Report (June 2011)
  – Part 1: Concepts, Terms and Reference Model
  – Part 2: Standardization Requirements for Cloud Computing
  – Part 3: Standardization Initiatives for Cloud Computing
  – Part 4: Assessment of Areas for JTC1 Standardization
ISO Standards Development
• SGCC Report (June 2011)
  – Technical requirements
    • Terms and definitions
    • Interfaces
    • Security technology
    • Format and meaning of data
  – Management requirements
    • Service provider qualification
    • Service quality metrics
    • Service audit
    • Service agreements
Other Efforts
• ITU-T Focus Group on Cloud Computing
• Open Grid Forum
• Cloud Computing Interoperability Forum
• Open Cloud Consortium
• Cloud Security Alliance
• ETSI
• OASIS
• …
Challenges for Regulators
• DPA mandate is enforcement/compliance
• Many DPAs are limited in resources
• Lack of appropriate expertise
• So many standards development activities underway
  – Where to focus our efforts?
• Difficulty in demonstrating ROI
Questions?
Steven Johnston, Senior Security and Technology Advisor
Office of the Privacy Commissioner of Canada
[email protected]
www.oasis-open.org