
The workshop was streamed live online, and a recording is available on our website.
Agenda
You can view and download a copy of the agenda here.
8:30-9:00
Registration and coffee
9:00-9:20
Cloud Security in the context of European Commission initiatives
Pearse O'DONOHUE, Head of Unit
DG CNECT Software & Services, Cloud
9:20-9:40
Network & Information Security Directive and Cloud Computing Services
Pierre CHASTANET, Deputy Head of Unit
DG CNECT Trust & Security
9:40-10:40
Best Practice: Risk Management of cloud computing services
Facilitator: Aristotelis TZAFALIAS, DG CNECT Trust & Security, European Commission
Panel: Mikk Lellsaar (RISO, Estonia), Marnix DEKKER (IT Security Directorate, European Commission), Gilles Chekroun (VMware, EMEA), Elena ALAMPI-DAS NEVES MOREIRA (eIDAS Task Force, European Commission)
Which service management elements, such as business continuity or incident management, help to measure the risk of cloud services and meet the obligations of risk management in Art.15a(1) in the NIS Directive? What is the role of eIdentification, authentication and trust services under the eIDAS Regulation for accessing and provisioning cloud services? How do cloud service customers decide between Public vs Private Cloud services? What approaches could improve transparency of risk management for cloud-based services, including the use of risk-transfer mechanisms, such as insurance?
Presentations:
Mikk Lellsaar (RISO, Estonia) about Estonian Government cloud
Marnix Dekker (IT Security directorate, European Commission) about the EC as cloud customer
Gilles Chekroun (Network and Security Business Unit, VMware)
Elena Alampi (DG CNECT, European Commission) about eIDAS Regulation (EU) 910/2014
10:40-11:00
Coffee break
11:00-12:00
Transparency: Incident Notification and Information Sharing for cloud computing services
Facilitator: Aristotelis TZAFALIAS, DG CNECT Trust & Security
Panel: Mario Maawad Marcos (CaixaBank, Spain), Craig Balding (Barclays, UK), Jonathan Sage (IBM, UK)
How can we make the best of incident notification and what will it take in terms of impact parameters, formats and procedures? How can suppliers demonstrate compliance throughout the supply chain? How could we strengthen cooperation between industry and the public sector to build trust in cloud-based services?
Presentation:
Mario Maawad Marcos (CaixaBank, Spain) about Incident Notification and Information Sharing
12:00-13:00
Lunch
13:00-15:00
Recognition: Cloud Certification Schemes & Assurance Levels
Presentation: "C5", the Cloud Computing Compliance Controls Catalogue, Patrick Grete (BSI, Germany)
Facilitator: Pearse O'DONOHUE, DG CNECT Software & Services, Cloud
Panel: Antonio Ramos (Leet Security, Spain), Dimitra Liveri (ENISA)
How could we raise awareness of cloud security that already meets the highest requirements in terms of cyber security? Is certification the right option or do certified cloud services attract cyber-attacks? Does certification replace risk management or would extra guidance and best practices complement certification? Should cloud certification be more aligned to the needs of users and cover additional aspects not already endorsed by certification schemes, such as data protection? How can certification be made accessible for all cloud service providers, including SMEs? What could be the most effective method to enable standardisation agreements or mutual recognition of distinct or national cloud certification schemes across the Digital Single Market?
Presentations:
Patrick Grete (Federal Office for Information Security (BSI), Germany) about the BSI 'C5'
Antonio Ramos (Leet Security, Spain)
Dimitra Liveri (NIS Expert, ENISA) about next steps in Cloud Certification
15:00-15:30
Coffee break
15:30-16:30
Impact Factors: Service Authentication, Law Enforcement Access, and Export Controls on cloud services
Facilitator: Mark SMITHAM, DG CNECT Software & Services, Cloud
Panel: Jan Neutze (Microsoft, EMEA), Helmut Fallmann (Fabasoft, Austria), Filippo SEVINI via video (JRC, European Commission)
What approaches are necessary for cloud computing services to support the Digital Single Market in relation to service authentication, encryption, law enforcement access, or export controls? What service authentication possibilities are made available and recognised across borders by cloud service providers to ensure a secure way of processing data? Are these issues common for users and cloud service providers? Are there other, more significant aspects of cloud security that would have sufficient impact to drive the uptake of cloud services?
Presentations:
Jan Neutze (Microsoft) about Law Enforcement Access
Helmut Fallmann (Fabasoft, Austria)
Filippo Sevini (JRC, European Commission) about Export Controls on cloud services and Cybersurveillance
16:30-16:50
Summary
Rapporteur: Professor David Wallom
e-Research Centre, University of Oxford
16:50-17:00
Conclusion
Pearse O'DONOHUE, Head of Unit
DG CNECT Software & Services, Cloud
17:00
Close
- Here is a link to the NIS Directive as agreed on 18 December 2015 on the European Parliament website and also on the European Council website
- Here is a link to the press release as regards the General Data Protection Regulation as agreed on 15 December 2015 on the European Commission website and the Q&A from the European Commission and also the Council website
- Information security and certification of cloud computing services are still barriers to the use of cloud computing services in Europe, according to:
  - "Certification Schemes for Cloud Computing" (October 2014), which recommended 7 lines of action
  - "Cloud computing - statistics on the use by enterprises", Eurostat report (November 2014)
  - "EU28 Cloud Security Conference: Reaching the Cloud Era in the European Union" (June 2015), which highlighted 6 conclusions