Report on the EU Cloud Security Workshop: Building Trust in Cloud Services – Certification and Beyond, Brussels, 18 March 2016

The EU cloud security workshop, subtitled Building Trust in Cloud Services – Certification and Beyond, was held on 18 March 2016 in Brussels. Approximately 50 participants from EU institutions, industry and academia attended.

The workshop opened with a short welcome by Mr Pearse O'Donohue, Head of Unit DG Connect Software & Services, who welcomed all participants and highlighted the importance of security and trust in cloud platforms, as well as the aim of the European Commission (EC) to facilitate cloud services and cloud providers located in Europe. He emphasized the significance of the free flow of data and the implementation aspects of the NIS directive.

Mr O'Donohue was followed by Mr Pierre Chastanet, Deputy Head of Unit DG Connect Trust & Security, who elaborated on the Network and Information Security (NIS) directive. The directive takes the user's perspective and aims to set a minimum level of cyber-security across the EU. This is to be achieved through increased national cyber-security capabilities, EU-level cooperation and incident reporting. The three main pillars of the directive are: national NIS strategies, competent national NIS authorities and national computer security incident response teams (CSIRTs). The directive also identifies the entities in scope: operators of essential services and digital service providers (DSPs). After the adoption of the directive, the implementing acts are planned to follow within one year. The EC currently plans to adopt the final directive in spring 2016, after which 21 months are projected to be available for transposition and implementation.

The introductory talks were followed by a round table on Best Practice: Risk Management of cloud computing services. The facilitator was Aristotelis Tzafalias from DG Connect Trust & Security, and the panel included Mikk Lellsaar (RISO, Estonia), Marnix Dekker (IT Security Directorate, EC), Gilles Chekroun (VMware, EMEA) and Elena Alampi-Das Neves Moreira (eIDAS Task Force, European Commission). The panellists presented different aspects of current best practice: the Estonian governmental cloud, the ENISA perspective on cloud security and related tools, VMware's survey on cloud security, and an elaboration on the eIDAS regulation. Each topic was presented by one of the panellists, followed by a discussion of practical experience, the Estonian cloud, and the security of in-house solutions compared with cloud services.

The workshop continued with a round table on Transparency: Incident Notification and Information Sharing for cloud computing services. The facilitator was Aristotelis Tzafalias, DG Connect Trust & Security, and the panel included Mario Maawad Marcos (CaixaBank, Spain), Craig Balding (Barclays, UK) and Jonathan Sage (IBM, UK). The panellists discussed the importance of incident reporting and the role of the eIDAS regulation and the NIS directive with regard to cloud computing. The main issues identified were the complexity of incident reporting in cloud computing, where responsibilities are shared between provider and customer, and the importance of risk assessment. The panellists agreed that security should not be a competitive issue, in cloud computing or elsewhere. The discussion also covered risk management frameworks and the need for them in cloud computing.

The next session, Recognition: Cloud Certification Schemes & Assurance Levels, opened with a presentation by Patrick Grete (BSI, Germany) on "C5", the Cloud Computing Compliance Controls Catalogue. It was followed by a panel discussion facilitated by Mr Pearse O'Donohue, Head of Unit DG Connect Software & Services, Cloud, with Antonio Ramos (Leet Security, Spain) and Dimitra Liveri (ENISA) as panellists. The two key issues discussed were the importance of certification and the need to define certification schemes with clear assurance levels. The panellists also stressed the importance of digital service providers in cloud computing and their role in security.

The last afternoon session, entitled "Impact Factors: Service Authentication, Law Enforcement Access, and Export Controls on cloud services", featured Mark Smitham, DG Connect Software & Services, Cloud, as facilitator, and Jan Neutze (Microsoft, EMEA), Helmut Fallmann (Fabasoft, Austria) and Filippo Sevini (JRC, European Commission) as panellists. Mr Neutze presented the case of Microsoft versus the US government concerning law enforcement access to data held in the cloud. Mr Fallmann (Fabasoft) highlighted the importance of interoperability of eIDs, as well as the need for eIDAS standardization of the interfaces exposed to users. Mr Sevini discussed the problem of export controls on cyber-surveillance technology with regard to cloud computing.

Prof. David Wallom of the e-Research Centre, University of Oxford, summarized the workshop by highlighting the major points of the presentations and discussions. The workshop was closed by Mr Pearse O'Donohue, Head of Unit DG Connect Software & Services.