Cloud Computing and Standards - A Regulator's View
OASIS International Cloud Symposium, 11 October 2011
Steven Johnston, CISSP, Senior Security and Technology Advisor, Office of the Privacy Commissioner of Canada
www.oasis-open.org
Things We've Done
• Guidelines for Processing Personal Data Across Borders (January 2009)
• Cloud computing paper released early April 2010
• Public consultations April – June 2010
• Working on guidance for SMBs
Things We've Learned
• Privacy implications of cloud computing include:
  • Jurisdiction
  • Third party access
  • Security safeguards
  • Limitations on use and retention
  • Demonstrating/verifying compliance
How Standards Can Help
• To address new technology concerns (e.g. cloud computing)
• To address baseline issues such as limiting collection, data retention, safeguards, etc.
• Basis for Privacy Impact Assessments, Threat/Risk Assessments and Audits
• Basis for systematic assessment of security requirements
• Basis for audit
• Basis for contractual agreements with cloud service providers
ISO Standards Development
• ISO/IEC JTC 1 SC7 (SSE)
• Potential future work:
  • Cloud computing vocabulary
  • Modeling cloud solutions
  • Systems engineering of cloud-based solutions
  • IT Service Management for Cloud Computing
  • IS Governance Framework for Cloud Computing
ISO Standards Development
• ISO/IEC JTC 1 SC27 (IT Security)
• Joint study period (WGs 1, 4, 5)
• NWI proposal
• ISO 27017-2 (information security code of practice based on ISO 27002) (provisional)
• To be accompanied (eventually) by:
  • 27017-1 (requirements)
  • 27017-3 (legal and regulatory code of practice)
  • 27017-4 (service code of practice)
  • 27017-5 (audit guidelines)
ISO Standards Development
• ISO/IEC JTC 1 SC38 (DAPS)
  • WG 1 – Web Services
  • WG 2 – Service Oriented Architecture
• Study Group on Cloud Computing
  • Released a study report in June 2011
ISO Standards Development
• SGCC Report (June 2011)
  • Part 1: Concepts, Terms and Reference Model
  • Part 2: Standardization Requirements for Cloud Computing
  • Part 3: Standardization Initiatives for Cloud Computing
  • Part 4: Assessment of Areas for JTC1 Standardization
ISO Standards Development
• SGCC Report (June 2011)
  • Technical requirements
    • Terms and definitions
    • Interfaces
    • Security technology
    • Format and meaning of data
  • Management requirements
    • Service provider qualification
    • Service quality metrics
    • Service audit
    • Service agreements
Other Efforts
• ITU-T Focus Group on Cloud Computing
• Open Grid Forum
• Cloud Computing Interoperability Forum
• Open Cloud Consortium
• Cloud Security Alliance
• ETSI
• OASIS
• …
Challenges for Regulators
• DPA mandate is enforcement/compliance
• Many DPAs are limited in resources
• Lack of appropriate expertise
• So many standards development activities underway
  • Where to focus our efforts?
• Difficulty in demonstrating ROI
Questions?
Steven Johnston, Senior Security and Technology Advisor, Office of the Privacy Commissioner of Canada
Steven.Johnston@priv.gc.ca
www.oasis-open.org