elastisys / welkin

Documentation for the Welkin project - a Kubernetes-based platform for software critical to society
https://elastisys.io/
Apache License 2.0

Document how Compliant Kubernetes maps towards ENISA #199

Open simonekman opened 3 years ago

simonekman commented 3 years ago

It would be great if we had a section under "compliance" that describes how Compliant Kubernetes maps towards relevant parts of ENISA. Some EU companies have specifically asked for this.

ENISA contributes to EU cyber policy, enhances the trustworthiness of ICT products, services and processes with cybersecurity certification schemes, cooperates with Member States and EU bodies, and helps Europe prepare for the cyber challenges of tomorrow.

ENISA's Regulation is the Regulation (EU) 2019/881 of the European Parliament and of the EU Council of 17 April 2019 (Cybersecurity Act) on ENISA (the European Union Agency for Cybersecurity) and on information and communications technology cybersecurity certification and repealing Regulation (EU) No 526/2013.

https://www.enisa.europa.eu/ https://www.enisa.europa.eu/about-enisa/regulatory-framework

Also, is it relevant to look at the ENISA certification? https://www.enisa.europa.eu/topics/standards/certification

simonekman commented 3 years ago

201 should be done before this issue.

simonekman commented 3 years ago

For most medtech companies ENISA seems to be out of scope.

ENISA is relevant for "samhällsviktiga tjänster eller infrastruktur" (services or infrastructure critical to society)

(https://www.msb.se/sv/amnesomraden/krisberedskap--civilt-forsvar/samhallsviktig-verksamhet/vad-ar-samhallsviktig-verksamhet/).

simonekman commented 3 years ago

ENISA directive: Article 8 Market, cybersecurity certification and standardisation

  1. ENISA shall support and promote the development and implementation of Union policy on cybersecurity certification of ICT products, ICT services and ICT processes, as established in Title III of this Regulation, by
     a) monitoring developments, on an ongoing basis, in related areas of standardisation and recommending appropriate technical specifications for use in the development of European cybersecurity certification schemes pursuant to Article 54(1)(c) where standards are not available,
     b) preparing candidate European cybersecurity certification schemes ("candidate schemes") for ICT products, ICT services and ICT processes, in cooperation with industry and in accordance with Article 49,
     c) evaluating adopted European cybersecurity certification schemes in accordance with Article 49(8),
     d) participating in peer reviews pursuant to Article 59(4),
     e) assisting the Commission in providing the secretariat of the European Cybersecurity Certification Group in accordance with Article 62(5).
  2. ENISA shall provide the secretariat of the European Cybersecurity Certification Group in accordance with Article 22(4).
  3. ENISA shall compile and publish guidelines and develop good practices, including on principles of cyber hygiene, concerning the cybersecurity requirements for ICT products, ICT services and ICT processes, in cooperation with national cybersecurity certification authorities and industry in a formal, standardised and transparent way.
  4. ENISA shall contribute to capacity-building related to evaluation and certification processes by compiling and issuing guidelines as well as by providing support to Member States at their request.
  5. ENISA shall facilitate the establishment and take-up of European and international standards for risk management and for the security of ICT products, ICT services and ICT processes.
  6. ENISA shall draw up, in cooperation with Member States and industry, advice and guidelines regarding the technical areas related to the security requirements for operators of essential services and digital service providers, as well as regarding already existing standards, including Member States' national standards, in accordance with Article 19(2) of Directive (EU) 2016/1148.
  7. ENISA shall perform and disseminate regular analyses of the main trends in the cybersecurity market on both the demand and supply sides, with a view to fostering the cybersecurity market in the Union.

simonekman commented 3 years ago

https://www.enisa.europa.eu/topics/standards/certification

https://www.enisa.europa.eu/publications/eucs-cloud-service-scheme/

simonekman commented 3 years ago

So this is a short summary of 4 hours of Google searches.

The EU law "Cybersecurity Act" has enabled ENISA (EU agency for cybersecurity) to create a unified, EU-wide certification for ICT services, products and processes (information and communications technology). The certification specific to Cloud is right now in draft state and is expected to be completed early 2022 (they have other certifications for 5G etc.). There will be 3 levels of ENISA certification for "cloud". It will be the work of the Swedish governmental agency "Försvarets materielverk" (the Swedish Defence Materiel Administration) to make sure that the companies in Sweden, with the certification in place, follow the certification requirements.

The way I understand the Cybersecurity act is that it is relevant for all ICT products, ICT-services and ICT-processes. This means all users of Compliant Kubernetes fall under the cybersecurity act and that these certifications will be super relevant (when completed) to them when evaluating Kubernetes platforms and managed service providers in the future.

The only question will be if they need basic, substantial or high compliance.

Basic
A European cybersecurity certificate or an EU statement of conformity referring to assurance level 'basic' provides assurance that the ICT products, services and processes meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the known basic risks of cyberincidents and cyberattacks. The evaluation activities should include at least a review of the technical documentation or, failing that, substitute evaluation activities with equivalent effect.

Substantial
A European cybersecurity certificate referring to assurance level 'substantial' provides assurance that the ICT products, services and processes meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise cybersecurity risks, cyberincidents and cyberattacks carried out by actors with limited skills and resources. The evaluation activities should include at least:
  - a review to demonstrate the absence of known vulnerabilities;
  - testing to demonstrate that the products, services or processes correctly implement the security functionalities;
  - failing that, substitute evaluation activities with equivalent effect.

High
A European cybersecurity certificate referring to assurance level 'high' provides assurance that the ICT products, services and processes meet the corresponding security requirements, including security functionalities, and that they have been evaluated at a level intended to minimise the risk of state-of-the-art cyberattacks carried out by actors with significant skills and resources. The evaluation activities should include at least:
  - a review to demonstrate the absence of known vulnerabilities;
  - testing to demonstrate that the products, services or processes correctly implement the security functionalities;
  - an assessment of their resistance to skilled attackers using penetration testing;
  - failing that, substitute activities.

EUCS – Cloud Service candidate cybersecurity certification scheme (1).pdf

simonekman commented 3 years ago

@cristiklein @tordsson we should investigate how well we map towards the requirements of basic, substantial and high in Annex A in order to see how well we are prepared for an ENISA certification (basic, substantial or high). The ISO 27001 certification work will come in handy for sure.

cristiklein commented 9 months ago

@simonekman Is this issue still relevant?

I get mixed signals.

Toss a coin? :smile:

simonekman commented 9 months ago

I'd say it's relevant, the question is if we should prioritize it over other tasks that are also relevant. Let's discuss in the next product strategy meeting?