Joint Workshop between Parties to the Memorandum of Understanding
UPDATE
The Cloud Computing Information Security Challenges workshop, which was originally planned for 21 April 2020, had to be postponed due to the COVID-19 situation. The new date for the workshop is 22 October 2020. We deeply regret these developments; however, the decision was taken to safeguard the well-being of all participants.
Context
Cloud computing offers a flexible, simple and affordable approach to Enterprise computing, by centralizing resources and optimizing their use across several customers. Three computing models are usually available for cloud computing: IaaS (Infrastructure as a Service), PaaS (Platform as a Service) and SaaS (Software as a Service), all based on various levels of virtualization (sharing resources set up by the cloud provider across different cloud users), with an increasing level of migration and storage of information between the Enterprise and the Cloud Provider network.
This model offers significant advantages in terms of organizational and economic impact, in both private and public/government organizations. Despite the model's economic and technological advantages, information security has been a growing concern for cloud computing adoption, in view of the increasing amount of information being centralized on cloud providers and, specifically, the risks that this migration implies for the information assurance quality of Enterprise information.
In particular, there are at least the following sources of risk:
- Network monitoring. In a local context, Enterprises define security measures dedicated to network monitoring, in order to protect information handled on their networks. In a cloud computing context, while Cloud Providers offer several security measures to provide similar monitoring, the tools and techniques available to effectively monitor and follow the exchange of information have yet to be consolidated and optimized. In particular, the integration between local network and cloud computing network monitoring presents issues that are still largely unsolved.
- Incident management. The management of incidents in a cloud computing context presents challenges that cross the boundaries between domains (e.g. contractual responsibilities vs technical knowledge, SLAs vs standard operating procedures, etc.).
- EU Classified Information handling. While the handling of EUCI classified at EU Confidential and above presents challenges that cannot be reconciled with the use of a cloud computing platform, several EU entities are looking into the possibility of hosting EUCI classified up to EU Restricted in a public cloud. This approach presents important challenges, both from a regulation/accreditation perspective and from a technology perspective. These challenges are of particular interest to Defence actors, who are constantly looking for new and secure solutions to handle their information.
Scope
The EU Defence Agency, in collaboration with CERT-EU, ENISA and EC3, is promoting a workshop focused on the aforementioned topics, and is asking industry partners to contribute to the discussion. Depending on response, the event will be scheduled with panel discussions and individual keynotes.
In order to simplify the discussion, contributors are requested to provide a paper of no more than 1500 words explaining their points of view in the areas mentioned above. The paper could focus on one or more of the areas, and provide assessments such as the specific security challenges based on the contributor’s experience, or focus on the technology evolution of specific solutions, detailed product roadmaps, use cases, or specific scenarios.
The paper, which should not contain commercially sensitive information, will be used to determine the final invitations to the event and will be handled respecting proper attribution. Submitters should also specify whether they have any limitation in presenting their views in a panel format, together with other industry partners.
Please send your paper, clearly linking answers to questions, to EDA by e-mail to cyberteam@eda.europa.eu. Please clearly indicate a point of contact to coordinate possible participation in the workshop; any questions may be addressed by e-mail to the same mailbox.
Selection
The event organizers will assess the papers across the following criteria:
- Credibility – Lack of defence expertise will not be a criterion for exclusion but interested commercial actors must have a demonstrated track record on the Cybersecurity and/or Cyber Defence market.
- Versatility – Submitters should be well versed in Cybersecurity and/or Cyber Defence. Participation is not limited to systems integrators and submissions from SMEs are strongly encouraged.
- Innovation – The level of innovation and originality demonstrated in the answer.
- Comprehensiveness – i.e. how different aspects are articulated with each other. Ability to include answers in the broader context of Cyber Defence and in relation between the Cyber domain and other military domains.
- Relevance – The profile of the participants should be related to the scope of the event.
The event organizers will assess the papers according to the criteria described above, while also striving to select a broad spectrum of representatives to ensure as fair, objective and balanced a discussion as possible. Responses from academia, national research centres as well as commercial actors will be considered. Participation slots will be assigned based on the assessment of contributions and availability.
Deadlines
The workshop organization will follow these deadlines:
- 31 May 2020: Papers submission deadline
- 30 September 2020: Notification to selected industry partners for a speaker’s slot
- 22 October 2020: Workshop execution