A new EU certification scheme for cloud infrastructure and services (EUCS) has been prepared by the European Union Agency for Cybersecurity (ENISA). It is currently being reviewed by the European Cyber Security Organisation (ECSO), which is collecting comments and opinions from renowned cybersecurity experts to develop a Position Paper on the EUCS draft. One of them is our CIO André Kudra, Board member of IT Security Association Germany (TeleTrusT) and Convenor of the TeleTrusT Working Groups “Blockchain” and “Secure Platform”. You can read his point of view in this blog post.
General comments:
Already in its draft state, the EUCS demonstrates it will be a comprehensive scheme thoroughly based on international best-practice frameworks and standards. It needs to be closely aligned with other components of the European cybersecurity certification framework to allow for efficient certification. It can be assumed that
- vendors, manufacturers, and service providers may opt for/require certification against multiple schemes, or
- need to be able to rely on certified components or services, allowing for an easier certification process for their own products or services (e.g. EUCC-certified ICT products being used in an EUCS-certified cloud service).
Digitalization is not done “right” today. A major shift towards a higher level of IT security for mankind in a hyperconnected digital world needs to be brought about.
EUCS can provide a helpful, suitable toolset. But an accompanying “regulatory push” is critical to ensure practical relevance and to de facto create a higher level of IT security. A “market demand only” solution will not suffice.
Technical impact of EUCS from a security related perspective and expected benefits:
When applied broadly and by many stakeholders, an increased level of IT security will be the consequence. Even though the EUCS aims at a desirable effect (secure cloud services up to the Level of Assurance “high”, widely available in production deployments), the practical relevance of such a scheme still has to prove itself. Certification against the scheme will be a substantial effort which not all providers will be able or willing to undertake. But a powerful, impactful scheme should be broadly applied, especially under the following premise:
Current worldwide practices for creating, deploying, and operating IT systems show that IT security requirements are often neglected. This is impressively demonstrated by a steadily increasing intensity and number of hacks causing data leakage or outage incidents. Neglect has various roots; often these are limited awareness among stakeholders and budget or resource constraints. Considering the rate of digitalization with flawed, unsatisfactory IT security in many ICT and cloud systems, creating a regulatory mandate for deploying certified ICT products and cloud systems is a required accompanying measure.
Digitalization is not done right, but mankind seems to have learned to live with insecure IT. But why? There wouldn’t be broad acceptance for planes falling out of the sky all the time. A major shift needs to happen, and EUCS can be a suitable toolset.
“Complexity is the worst enemy of IT security!”
Bruce Schneier, world-renowned IT security researcher
A desirable consequence would be that ICT systems become less complex, i.e. easier and cheaper to operate, as certification will be more efficient to obtain for less “cluttered” systems.
What are the risks associated with the conformity assessment, and which level of assurance can be attained in the scheme?
One key risk is that only a few will pursue an EUCS certification for their services, particularly in the “high” category, because it is hard and costly and there is not enough market demand. But having a high, or in many areas of application even the highest, level of IT security for humanity in a hyperconnected digital world is crucial.
Re-certification should be a “rolling” exercise which accommodates system adjustments (including major ones) during a certification cycle. The evolution of ICT is too fast for a once-in-three-years innovation cycle.
What is the impact of the ENISA EUCS from a market perspective – both at the European and global level?
If EUCS certification is demanded by organizations that operate cloud services or consume services running in the cloud, which should soon be most organizations, market players will design, create, and provide EUCS-certified services. Due to the current purchaser/consumer attitude of not wanting to spend a lot on an increased level of IT security, this demand will not come naturally. A “regulatory push” is needed that only allows certified products to be operated in the EU. An even better and stronger requirement would be that only certified products shall be sold in the EU.
The EUCS has the potential to become a “gold standard” in which other nations will be interested, hopefully mandating broad application via laws and regulations within their own jurisdictions.