Page 1: Cloud Computing and Standards - A Regulator’s View

OASIS International Cloud Symposium, 11 October 2011

Steven Johnston, CISSP, Senior Security and Technology Advisor

Office of the Privacy Commissioner of Canada

www.oasis-open.org

Page 2: Things We’ve Done

• Guidelines for Processing Personal Data Across Borders (January 2009)

• Cloud computing paper released early April 2010

• Public consultations April – June 2010

• Working on guidance for SMBs

Page 3: Things We’ve Learned

• Privacy implications of cloud computing include:
  – Jurisdiction
  – Third party access
  – Security safeguards
  – Limitations on use and retention
  – Demonstrating/verifying compliance

Page 4: How Standards Can Help

• To address new technology concerns (e.g. cloud computing)

• To address baseline issues such as limiting collection, data retention, safeguards, etc.

• Basis for Privacy Impact Assessments, Threat/Risk Assessments and Audits

• Basis for systematic assessment of security requirements

• Basis for audit

• Basis for contractual agreements with cloud service providers

Page 5: ISO Standards Development

• ISO/IEC JTC 1 SC7 (SSE)
  – Potential future work
    • Cloud computing vocabulary
    • Modeling cloud solutions
    • Systems engineering of cloud-based solutions
    • IT Service Management for Cloud Computing
    • IS Governance Framework for Cloud Computing

Page 6: ISO Standards Development

• ISO/IEC JTC 1 SC27 (IT Security)
  – Joint study period (WGs 1, 4, 5)
  – NWI proposal
    • ISO 27017-2 (information security code of practice based on ISO 27002) (provisional)
    • To be accompanied (eventually) by:
      – 27017-1 (requirements)
      – 27017-3 (legal and regulatory code of practice)
      – 27017-4 (service code of practice)
      – 27017-5 (audit guidelines)

Page 7: ISO Standards Development

• ISO/IEC JTC 1 SC38 (DAPS)
  – WG 1 – Web Services
  – WG 2 – Service Oriented Architecture
  – Study Group on Cloud Computing

• Released a study report in June 2011

Page 8: ISO Standards Development

• SGCC Report (June 2011)
  – Part 1: Concepts, Terms and Reference Model
  – Part 2: Standardization Requirements for Cloud Computing
  – Part 3: Standardization Initiatives for Cloud Computing
  – Part 4: Assessment of Areas for JTC1 Standardization

Page 9: ISO Standards Development

• SGCC Report (June 2011)
  – Technical requirements
    • Terms and definitions
    • Interfaces
    • Security technology
    • Format and meaning of data
  – Management requirements
    • Service provider qualification
    • Service quality metrics
    • Service audit
    • Service agreements

Page 10: Other Efforts

• ITU-T Focus Group on Cloud Computing
• Open Grid Forum
• Cloud Computing Interoperability Forum
• Open Cloud Consortium
• Cloud Security Alliance
• ETSI
• OASIS
• …

Page 11: Challenges for Regulators

• DPA mandate is enforcement/compliance

• Many DPAs are limited in resources

• Lack of appropriate expertise

• So many standards development activities underway
  – Where to focus our efforts?

• Difficulty in demonstrating ROI

Page 12: Questions?

Steven Johnston, Senior Security and Technology Advisor

Office of the Privacy Commissioner of Canada

[email protected]

www.oasis-open.org