Some weeks ago, DG Connect launched a web-based Public Consultation on the definition of future research priorities in Cloud Computing, Software and Services, ahead of the H2020 ICT Work Programme. At leet security, as developers of a rating-based security labeling system, we have sent the comment attached below:
In addition to technical mechanisms that help reduce lock-in and improve interoperability, cloud services need an efficient way for users and providers to negotiate the security conditions of services.
Traditional approaches to audit and certification have proven necessary but not sufficient to build trusted relationships (they are expensive, complicated and not compatible between users).
One option could be a security labeling system that helps users understand the security measures implemented by providers, and helps providers show which security measures they are implementing.
That system should be:
- Simple (easy-to-understand by non-technical people)
- Service specific
- Objective / verifiable
In brief, it should be a common language for users and providers to define security conditions, a kind of metric system: instead of defining how many "units of security" are needed, it leaves that to the agreement between the parties (this is perfectly compatible with defining minimum [certifiable] requirements for providing cloud services).
In fact, this kind of system has been proposed in the recent EU Cybersecurity Strategy. Other considerations for such a system could be:
- Consider different needs for different security dimensions (confidentiality - integrity - availability)
- Not limited to preventive measures only; it should also include the resilience conditions of services.
- General conditions related to the service provider (long-term strategy, quality of staff, financial solvency, insurance...)
In LEET's opinion, the EU should foster the definition and adoption of this kind of security system, which helps build trusted relationships between users and providers and could also help governments simplify their role in the cloud environment.
The role of this security labeling system in the cloud environment should be to solve the information asymmetry regarding security that we face today between users (who have no or very little information) and providers (who have all the information).
You can follow us on twitter.com/leet_security