Microsoft and CCN-CERT take a giant step in securing cloud environments aimed at Spanish Public Government agencies

  • The publication of technical guides and automation scripts for the deployment of eight Microsoft cloud services helps IT staff meet the criteria of the National Security Scheme.
  • The first resources are already available for download from the official CCN portals. Because access is public, they can be used not only by the public sector, which is subject to ENS compliance, but also by the private sector, where they will be very useful.

Microsoft and the National Cryptologic Center, in carrying out their functions related to the security of information technologies and the protection of the information of all Spanish Government agencies, have developed a commendable joint project, unprecedented in the European Union and equivalent only to recent similar Government projects in the United States, Canada or the United Kingdom.

In addition to the existing certifications of Microsoft’s cloud services against the most demanding level of the National Security Scheme (ENS), technical guides and automation scripts have now been published for security configurations that comply with the high level of the National Security Scheme for eight services in the company’s cloud: Microsoft Azure, Microsoft Office 365, Microsoft Teams, Microsoft Cognitive Services, Microsoft Exchange Online, Microsoft SharePoint Online, Microsoft Kubernetes and Microsoft Azure SQL.

Many Spanish Government agencies have long been asking for an easy and immediate way to make Microsoft’s cloud services available in the configuration that the Cryptologic Center officially considers HIGH level, according to the criteria established in the National Security Scheme.

Resources to help ensure compliance

The sharing of responsibilities between users and providers that is inherent in securing a cloud environment can be asymmetric: while the responsibilities of the cloud provider are perfectly established, configured, certified and guaranteed, the responsibilities assigned to users may not be established at the same level of trust. The guides and automated processes presented by Microsoft and the Cryptologic Center are intended to guide the administrators of cloud services, with guarantees, in fulfilling their responsibilities under this shared responsibility model.

Each of the security recommendations established in the CCN-STIC 823 guide (guide for applying the ENS to cloud environments) has been dealt with, documented, automated and revised in each of the eight Microsoft cloud services considered.

In the opinion of Microsoft’s Director of Technology in Spain, Héctor Sánchez Montenegro: “Accompanying and technically guiding users in the fulfillment of their regulatory security obligations, in a shared responsibility cloud model has been frequently demanded by many administrations towards Microsoft. The work announced today is a resounding response to these demands and, today, places Microsoft as the only major cloud provider capable of guiding the Spanish Government and accelerating its transition to the cloud on its own terms, demands and needs, as set out in the National Security Scheme.”

He also emphasizes: “If something makes this work unique in the world, it is the joint authorship of the guides between CCN and Microsoft itself, which is unprecedented and will undoubtedly mark a path of high demand, but with trust between the government agencies and the cloud service providers.”

Javier Candau, head of the Department of Cybersecurity at the National Cryptologic Center, said: “Not only is it important to have certified technologies, it is key to have configurations that allow security to be implemented following recognized standards such as the ENS and, more importantly, to measure the degree of associated exposure, since this makes it easier for entities to contract services in cloud environments with verified security guarantees. These guides, with their associated scripts, provide an answer to this key need.”

A boost for private sector security as well

The guides, the first two versions of which are already available, will be published on the official CCN portals. Because they can be downloaded publicly, they can be used not only by the public sector, which is subject to compliance with the National Security Scheme, but also by the private sector. Although the private sector is not subject to the ENS compliance requirements, it appreciates and values the security recommendations defined by the National Cryptologic Center, and therefore the Microsoft cloud security guarantees.

About the CCN

The National Cryptologic Center (CCN) is a public body dependent on the National Intelligence Center (CNI). Its activity is regulated by R.D. 421/2004, which determines its mission, functions and scope of competence, such as developing and disseminating standards, instructions, guides and recommendations to ensure the security of ICTs in the Administration. The R.D. also assigns to it the training of Government personnel specialized in the field of ICT security; the constitution of the Certification Body of the National Evaluation and Certification Scheme for application to products and systems in its field; and the coordination, promotion, development, procurement, acquisition and use of the security technology of the aforementioned systems.
