
Cloud Computing and Standards - A Regulator’s View


Presentation Transcript


  1. Cloud Computing and Standards - A Regulator’s View
     OASIS International Cloud Symposium, 11 October 2011
     Steven Johnston, CISSP, Senior Security and Technology Advisor, Office of the Privacy Commissioner of Canada
     www.oasis-open.org

  2. Things We’ve Done
     • Guidelines for Processing Personal Data Across Borders (January 2009)
     • Cloud computing paper released early April 2010
     • Public consultations April – June 2010
     • Working on guidance for SMBs

  3. Things We’ve Learned
     • Privacy implications of cloud computing include:
       • Jurisdiction
       • Third party access
       • Security safeguards
       • Limitations on use and retention
       • Demonstrating/verifying compliance

  4. How Standards Can Help
     • To address new technology concerns (e.g. cloud computing)
     • To address baseline issues such as limiting collection, data retention, safeguards, etc.
     • Basis for Privacy Impact Assessments, Threat/Risk Assessments and Audits
     • Basis for systematic assessment of security requirements
     • Basis for audit
     • Basis for contractual agreements with cloud service providers

  5. ISO Standards Development
     • ISO/IEC JTC 1 SC7 (SSE)
     • Potential future work:
       • Cloud computing vocabulary
       • Modeling cloud solutions
       • Systems engineering of cloud-based solutions
       • IT Service Management for Cloud Computing
       • IS Governance Framework for Cloud Computing

  6. ISO Standards Development
     • ISO/IEC JTC 1 SC27 (IT Security)
     • Joint study period (WGs 1, 4, 5)
     • NWI proposal
     • ISO 27017-2 (information security code of practice based on ISO 27002) (provisional)
     • To be accompanied (eventually) by:
       • 27017-1 (requirements)
       • 27017-3 (legal and regulatory code of practice)
       • 27017-4 (service code of practice)
       • 27017-5 (audit guidelines)

  7. ISO Standards Development
     • ISO/IEC JTC 1 SC38 (DAPS)
     • WG 1 – Web Services
     • WG 2 – Service Oriented Architecture
     • Study Group on Cloud Computing
       • Released a study report in June 2011

  8. ISO Standards Development
     • SGCC Report (June 2011)
       • Part 1: Concepts, Terms and Reference Model
       • Part 2: Standardization Requirements for Cloud Computing
       • Part 3: Standardization Initiatives for Cloud Computing
       • Part 4: Assessment of Areas for JTC1 Standardization

  9. ISO Standards Development
     • SGCC Report (June 2011)
     • Technical requirements
       • Terms and definitions
       • Interfaces
       • Security technology
       • Format and meaning of data
     • Management requirements
       • Service provider qualification
       • Service quality metrics
       • Service audit
       • Service agreements

  10. Other Efforts
     • ITU-T Focus Group on Cloud Computing
     • Open Grid Forum
     • Cloud Computing Interoperability Forum
     • Open Cloud Consortium
     • Cloud Security Alliance
     • ETSI
     • OASIS
     • …

  11. Challenges for Regulators
     • DPA mandate is enforcement/compliance
     • Many DPAs are limited in resources
     • Lack of appropriate expertise
     • So many standards development activities underway
       • Where to focus our efforts?
     • Difficulty in demonstrating ROI

  12. Questions?
     Steven Johnston, Senior Security and Technology Advisor, Office of the Privacy Commissioner of Canada
     Steven.Johnston@priv.gc.ca
     www.oasis-open.org