
INTERNAL USE

Cyber Security Guideline no. [14]


Version no. [1] dated [12/2018]

Subject: CLOUD SECURITY for SaaS and PaaS


Application Area: Digital Solutions
Perimeter: Global

CLOUD SECURITY FOR SAAS AND PAAS


SECURITY GUIDELINE

THE HEAD OF Cyber Security


Yuri Giuseppe Rassega


CONTENTS

1. DOCUMENT AIMS AND APPLICATION AREA
2. DOCUMENT VERSION MANAGEMENT
3. UNITS IN CHARGE OF THE DOCUMENT
4. REFERENCES
5. DEFINITIONS AND ACRONYMS
6. GENERALITIES
   6.1. Scope
   6.2. Protection Levels
7. SAAS SPECIFIC CONTROLS
   7.1. Applicative security
      7.1.1. Baseline
8. SAAS AND PAAS COMMON CONTROLS
   8.1. Compliance
      8.1.1. Baseline
   8.2. Networking
      8.2.1. Baseline
      8.2.2. Advanced
      8.2.3. Mission Critical
   8.3. Availability
      8.3.1. Baseline
   8.4. Infrastructural Security
      8.4.1. Baseline
   8.5. Life-Cycle
      8.5.1. Baseline
      8.5.2. Advanced
   8.6. Supplier agreements
      8.6.1. Baseline
9. APPENDIX
   A. Working Group composition
   B. Controls Summary checklist


1. DOCUMENT AIMS AND APPLICATION AREA


The goal of this guideline is to define the requirements that any Software as a Service (SaaS) or Platform as
a Service (PaaS) Cloud Provider treating Enel Group data of any kind and in any country must comply with,
and the Enel Group security controls with which it has to integrate.
This document is targeted at any Enel Group unit responsible for projects/services involving the use of
SaaS or PaaS cloud services, as the unit responsible for contractually enforcing the controls described or referred to here.
The configuration/customization of any specific SaaS/PaaS application or technology is out of the scope of this
document, as is any Enel Group internal organizational aspect (activity ownership, responsibilities, etc.).
This guideline shall be implemented and applied to the extent possible within Enel Group and in compliance
with any applicable laws, regulations and governance rules, including any stock exchange and unbundling-
relevant provisions, which in any case prevail over the provisions contained here.

2. DOCUMENT VERSION MANAGEMENT

Version | Date | Main changes description
1 | 12/2018 | Merging and rewriting of Security Guideline no. 8 v.1 – “Cloud Security for SaaS” (03/2016) and Security Guideline no. 9 v.1 – “Cloud Security for PaaS” (05/2016) [both superseded]

3. UNITS IN CHARGE OF THE DOCUMENT


Responsible for drawing up the document:
• Information Systems Cyber Security Engineering unit
Responsible for authorizing the document:
• Head of Cyber Security


4. REFERENCES
[1] Enel Group Policy n. 25 – Management of Logical Access to IT Systems, 12/2017
[2] Enel Group Policy n. 33 – Information Classification and Protection, 10/2015
[3] Enel Group Policy n. 17 – Cyber Security Framework, 09/2017
[4] OD n. 543 – Organizational Structure of Cyber Security, 06/2017
[5] OP n. 204 – CERT - Cyber Emergency Respond and Management, 09/2017
[6] OI n. 944 – Cyber Security Risk Management Methodology, 11/2017
[7] Cyber Security Guide Line n. 11 v.1 – Cloud Security for IaaS, 10/2016
[8] Cyber Security Guide Line n. 7 v.2 – IT Security Guidelines – Applications, 09/2017
[9] Cyber Security Guide Line n. 10 v.1 – Infrastructural Security, 10/2016
[10] Italian Law n. 262/2005 – "Disposizioni per la tutela del risparmio e la disciplina dei mercati finanziari"
(Arrangements for the care of savings and discipline of financial markets), 12/2005
[11] GDPR General Data Protection Regulation, UE 2016/679
[12] NIST Special Publication 800-88 Revision 1 - Guidelines for Media Sanitization
[13] ISO/IEC 27001:2013 – ISMS requirements
[14] ISO/IEC 27002:2013 – Code of practice for Information Security controls
[15] ISO/IEC 27017:2015 – Code of practice for Information Security controls for cloud services
[16] ISO/IEC 27018:2014 – Code of practice for protection of PII in public clouds acting as PII processors

5. DEFINITIONS AND ACRONYMS


The complete list of acronyms and definitions is reachable on the Cyber Security section of the Intranet site
(at present, https://intranet.enel.com/it-it/Initiative/Pagine/Global/GICT_CSD/sgtr.aspx).


6. GENERALITIES

6.1. Scope
This guideline defines security controls for Enel Group Digital Solutions to be operated within an external
provider with Software as a Service (SaaS) or Platform as a Service (PaaS) cloud capabilities (hereafter:
the Cloud Provider), on request by a responsible Enel Group unit (hereafter: Enel Requester).
Such security controls are meant to ensure that confidentiality, integrity and availability of Enel Group data
are enforced by the Cloud Provider at a level equivalent to the one provided by Enel Group on-premises.
We considered the following assumptions during the analysis and the writing of this document.
1. Enel Requester, possibly comprising multiple consumers (e.g., Business Units), requests and provisions the
cloud service for its use; the cloud service is owned, managed and operated by the Cloud Provider, including
the applicative level in the SaaS scenario but excluding it in the PaaS one, and it exists off premises.
2. The Cloud Provider may adopt security controls (for both applications and infrastructures) technically
different from those adopted by Enel Group.
3. For security controls that, by their nature, require integration with other Enel Group Digital Solutions (for
instance application integration, user authentication, VPN), interoperability shall be guaranteed by the
Cloud Provider using the well-known standards adopted by Enel Group.
4. Insofar as the applicative level is concerned, unless stated otherwise, the Applications Security Guideline
[8] applies. As in the SaaS scenario the Cloud Provider is directly responsible for the applicative level and its
compliance, this is explicitly remarked by [R1].
This guideline supports the currently available and expected SaaS/PaaS scenarios, but it is open to supporting
upcoming solutions, which will be refined in additional guidelines or in a new version of this guideline.

6.2. Protection Levels


Requisites within each control category are classified in three protection levels, based on BIA evaluations (see
Cyber Security Risk Management Methodology [6]), with respect to three security parameters (Confidentiality,
Integrity and/or Availability – C/I/A):
• Baseline (“default”, minimum required security, independent from the BIA and the parameters);
• Advanced (with respect to C/I/A);
• Mission Critical (highest security, with respect to C/I/A).

The level hierarchy establishes that a higher protection level shall comply with all requisites for the lower levels.
Please note that in this specific document, controls do not depend on the specific security parameter (C/I/A)
but only on the protection level. As usual, compliance with laws, regulations and Enel Group policies in force
(such as Policy 33 [2]) is meant to be Baseline (see e.g. [R2], [R24]).


7. SAAS SPECIFIC CONTROLS

7.1. Applicative security

7.1.1. Baseline
[R1] Applicative level security shall comply with the Application Security guidelines [8]. Therefore, the
Security Annex shall include all the (applicable) items provided there. The responsibility to
guarantee and enforce applicative level controls lies with the Cloud Provider in a SaaS scenario.
In particular, real time availability of applicative logs is mandatory (Baseline) without additional
costs for Enel Group (including Security Service suppliers like CASB providers).

8. SAAS AND PAAS COMMON CONTROLS

8.1. Compliance

8.1.1. Baseline
[R2] Classification of the service/application and all the data it manages has been carried out by Enel
Requester (note 1), in general as part of the BIA process [6], involving Enel Group Business, Legal and
Cyber Security functions for support as needed and as early as possible (requirements phase).
Therefore, restricted data according to business needs, legal and regulatory constraints (usually
personal and financial; see also [R24]) and Enel Policies (e.g. Policy 33 [2]) are identified.
[R3] Compliance with the requisites shall be agreed upon by Enel Requester and the Cloud Provider at
Contract level, within the respective scope of responsibility, to ensure that the Cloud Provider is
contractually bound to their adoption, implementation and management. Any deviations from this
standard responsibility scope shall be detailed and evaluated according to the Risk Management
Framework described in [4] and [6].
[R4] To define and track how the requisites are satisfied, a Security Annex shall be maintained by
Enel Requester as part of the project documentation, following the structure of the present
guideline. All relevant information provided by the Cloud Provider shall be reported or referenced
there, as well as any exceptions (including “N/A” statements) and compensative countermeasures
(to be) agreed upon with the competent Cyber Security Risk and Response Managers according
to the Risk Management Framework described in [4] and [6].

8.2. Networking

8.2.1. Baseline
[R5] For any communications with any other Enel Group areas (e.g. On-Premises, IaaS, PaaS, SaaS),
authentication, integrity and confidentiality shall be ensured by state-of-the-art encrypted
protocols at applicative level and/or segregation at the underlying infrastructural level (e.g. by
IPsec/TLS VPN, dedicated link/MPLS circuit, etc.). Refer to the Application Security guidelines [8] for
further details about encryption features and constraints.

Note 1: Please note that this cannot be deferred to the Cloud Provider (although it may/should support the task: see also [R24]).


[R6] Any communications with any other Enel Group areas (e.g. On-Premises, IaaS, PaaS, SaaS)
shall be filtered and logged by a technical solution (e.g. firewalling, proxying, CASB, etc.) with
at least the following features:
a. directly managed by Enel Group (standard/preferred solution), or whose logging and policies
are available at least in near-real-time to Enel Group;
b. strictly allowing only the required application traffic;
c. traffic inspection/analysis;
d. already integrated, or to be integrated, with the Enel Group Risk Monitoring Platform (note 2), through the Service
Activation process described in [5].
It is Enel Requester’s responsibility to identify such a technical solution among the currently available
alternatives, with the support of Enel Group Cyber Security functions and the Cloud Provider.

8.2.2. Advanced
[R7] The Cloud Provider shall ensure at least one of the following:
a. applications/services shall run in a private cloud dedicated to Enel Group, such that:
i. the Enel Group private cloud shall be segregated from any other network, including public
networks (the Internet), other customers’ private clouds and the provider’s intranet;
ii. only the traffic strictly required to accomplish the agreed services shall be allowed between
the Enel Group private cloud and any other network, and it shall be controlled in compliance with
req. [R15];
iii. such network connections shall be explicitly declared and documented by the Cloud
Provider.
b. all Enel Group data at rest and in transit managed by the applications/services shall be
encrypted by methods whose keys are owned only by Enel Group (note 3).

8.2.3. Mission Critical


[R8] The Cloud Provider shall ensure both private cloud and encryption as described by req. [R7].

8.3. Availability

8.3.1. Baseline
[R9] Ownership of Enel Group data shall always remain with Enel Group.
[R10] The Cloud Provider shall return data to Enel Group at the end of the agreement between Enel Group
and the Cloud Provider or on request by the authorized Enel Group responsible. For Enel Group
data return, the Cloud Provider shall provide exporting functionalities to Enel Group, or a
procedure for data portability has to be defined and tested.
[R11] The Cloud Provider shall delete Enel Group data after data return or on request by the
authorized Enel Group responsible. Enel Group data deletion (both on request and before reuse
or disposal of the physical or virtual media) shall be compliant with Policy 33 [2] provisions; in
particular, any Enel Group data classified as Confidential or higher shall be deleted according to
NIST Special Publication 800-88 Revision 1 – Guidelines for Media Sanitization [12].

Note 2: This platform/service includes and replaces the previous SIEM (Security Information and Event Management) infrastructure.
Note 3: Please note that this is more restrictive than the standard encryption requisite in the Application SGL [8], still valid at Baseline
protection level, where it depends on the classification of the specific data according to Policy 33 [2].


8.4. Infrastructural Security

8.4.1. Baseline
[R12] The Cloud Provider shall assure proper segregation of Enel Group data from provider’s own data
and other customers’ data for use, storage and transit.
[R13] Rights of access and management of ICT infrastructures supporting Enel Group data and
applications shall be properly restricted to individual, authenticated accounts of the Cloud
Provider personnel on a Least Privilege basis and according to an RBAC model of authorization.
Authentication policies (e.g.: password/multifactor policy) shall be declared and documented.
[R14] Logging (at both system and network level) of ICT infrastructures managing Enel Group data
and applications shall be available on request to Enel Group for forensic activities in case of
Security Incidents and legal/regulatory inquiries without additional costs.
[R15] ICT infrastructures managing Enel Group data and applications shall be protected from network
intrusion and malware by different, layered security controls, i.e.:
a. Allowing only communications strictly required for the service (addresses, protocols, ports)
b. Encryption and authentication of all inbound/outbound communications
c. Traffic inspection functionalities for all inbound/outbound traffic
d. Hiding the private IP addresses of network nodes
e. Network segregation from the Internet through a DMZ
f. IP packet spoofing protection
g. Traffic logging (allowed and rejected)
h. (for inbound http/s traffic, where applicable) hiding of the front URL (URL rewrite/reverse proxying)
i. (for outbound http/s traffic, where applicable) URL/IP destination address filtering based on reputation/whitelisting
j. Monitoring integrated with a Risk Monitoring Platform.
[R16] ICT infrastructures managing Enel Group data and applications shall be protected from host
based malware by an End Point Protection (EPP) solution with the following functionalities:
a. First option: “Signature” based EPP (with regular and periodic update of EPP signature/agent),
with local firewalling and intrusion detection/prevention.
b. Second option: “whitelisting” based EPP.
c. For both the options: centralized management and integration with a Risk Monitoring Platform.
[R17] ICT infrastructures managing Enel Group data and applications shall be properly hardened, at
least by disabling/protecting unnecessary software/services and default accounts and passwords.
[R18] ICT infrastructures managing Enel Group data and applications shall be patched at system level
according to a definite patching policy shared at contractual level.
[R19] The Cloud Provider shall monitor risks and promptly notify Enel Group about security incidents.
a. The Cloud Provider shall have in place a Risk Monitoring Platform to monitor the risks and
promptly communicate security incidents.
b. The Cloud Provider shall agree with Enel Group on the classification of potential security incidents, the notification
methods and the SLA.


8.5. Life-Cycle

8.5.1. Baseline
[R20] Before going into production, and then at least yearly, the Cloud Provider shall provide a
successful certification of Assurance Check (i.e. a Penetration Test/Ethical Hacking activity)
by an external recognized entity in order to ensure that security controls are active and effective
on the whole perimeter of the service offered to Enel Group. In case such certification is not
provided, Enel Group will be entitled to perform it.

8.5.2. Advanced
[R21] The party performing the yearly Assurance Check shall be agreed with Enel Group.
[R22] Extraordinary check and remediation activities shall be promptly agreed with Enel Group in case
of a high-severity incident or threat.
[R23] If no direct remediation (e.g. patching) is available/applicable, compensative controls shall be
promptly agreed with Enel Group. Techniques include:
a. adapting or adding access controls, e.g. firewalls, at network borders,
b. tuning Intrusion Detection/Prevention systems,
c. increasing monitoring to detect actual attacks,
d. turning off services or capabilities related to the vulnerability.

8.6. Supplier agreements

8.6.1. Baseline
[R24] The Cloud Provider shall guarantee and ensure compliance with all applicable national and
international legal and regulatory constraints about security of information, both present (such
as Italian Law no. 262 [10] and EU GDPR [11]) and future, for all relevant data and within the
whole scope of its responsibility: i.e., at both applicative and infrastructural level in case of a SaaS
provider, or at infrastructural level only in case of a PaaS provider (note 4). In particular, the Cloud Provider:
a. shall notify Enel of security incidents at least in compliance with legal and regulatory constraints;
b. shall ensure log availability at least in compliance with legal and regulatory constraints;
c. shall identify the physical locations of all Data Centers managing Enel Group data, and store
restricted data in geographical locations compliant with legal and regulatory constraints;
d. shall provide the list of all contractors and sub-contractors involved in Enel Group data and
applications management (including its underlying IaaS/PaaS/SaaS providers, if any), all
having the same obligations about security of information as the Cloud Provider.
[R25] The Cloud Provider shall have a comprehensive IT Security Plan covering all areas of security,
including:
a. logical security,
b. physical security,
c. communications security,
d. data center management,
e. audits and reviews,
f. continuity and contingency plan.

Note 4: See [R3].


[R26] The Cloud Provider shall be certified by external recognized entities.
a. The Cloud Provider shall provide all the following certifications/reports:
i. ISO 27001 (including ISO/IEC 27018 controls if personal data are managed), including the
Statement of Applicability (cf. section “6.1.3 Information security risk treatment”) containing
the justification for the exclusion of any controls in Annex A;
ii. ISAE 3402/SSAE 16 Service Organization Control (SOC) reports (certification summaries
on data processing, data security activities, data controls, physical access control, etc.);
iii. PCI DSS v3 – Payment Card Industry (PCI) Data Security Standard (DSS) certification –
Level 1 (if Payment Card Industry data is managed).
b. Required certifications/reports shall be updated and provided to Enel Group at least yearly.
[R27] SLAs related to Security requirements shall be included in the agreement with the Cloud Provider.
a. SLAs shall involve identification of responsibilities and limitations, including compensative
actions in case the service levels provided are not in line with expectations.
b. The SLA requirements should include, for instance, the following statements:
i. Availability thresholds (of the infrastructure, in case of PaaS; of the application/service, in
case of SaaS);
ii. a definite “Patching Policy”;
iii. a definite “Incident Management policy”;
iv. “Assurance Check” (i.e. VA/PT/EH) certification and/or engagement rules;
v. Log availability time frame.
[R28] Penalties related to Security SLAs shall be included in the agreement with the Cloud Provider.


9. APPENDIX

A. Working Group composition

Working Group Member | Role
Antonio Piazzolla | Head of Information Systems Cyber Security Engineering
Stefano Vassallo | Information Systems Cyber Security Engineering
Valerio Verona | Information Systems Cyber Security Engineering
Sebastiano Testa | Information Systems Cyber Security Engineering

B. Controls Summary checklist


The following summary checklist can be included in the Security Annex to keep track of the requisites; it is not
the Security Annex itself. “PJ/Appl” column values shall be OK, NO or N/A; how the requisite is satisfied, or why
it isn’t or is N/A, shall be briefly described in the “Notes (how/why)” field.

PJ/Appl: ________   BIA: ________   Protection Level: [BAS / ADV / MC]

Req | Control description | Level | PJ/Appl | Notes (how/why)

Applicative Level
[R1] | Applicative level security compliant with the Application Security Guidelines [8]. In particular, real time availability of applicative logs is mandatory without additional costs for Enel Group (including Security Service suppliers like CASB providers). | BAS [SAAS ONLY] | | [Application Security GL checklist has to be put here or referred to]

Compliance
[R2] | Classification of the service/application and the data it manages | BAS | |
[R3] | Compliance with the requisites agreed at Contract level | BAS | |
[R4] | Security Annex documentation in place | BAS | |

Networking
[R5] | Authentication, integrity and confidentiality of communications with any other Enel Group area ensured at applicative or infrastructural level | BAS | |
[R6] | Communications with any other Enel Group area controlled, logged, analyzed and monitored | BAS | |
[R7] | Applications/services running in a private cloud or encryption of all Enel Group data | ADV | | [specify which one applies]
[R8] | Both private cloud and encryption | MC | |

Availability
[R9] | Enel Group data ownership entitled to Enel Group | BAS | |
[R10] | Data return at the end of the agreement or on authorized request | BAS | |
[R11] | Data deletion after data return or on authorized request | BAS | |

Infrastructural Security
[R12] | Enel Group data properly segregated from provider’s own data and other customers’ data | BAS | |
[R13] | Rights of access and management of supporting ICT infrastructures properly entitled and restricted | BAS | |
[R14] | Logging available in case of Security Incidents and legal/regulatory inquiries | BAS | |
[R15] | ICT infrastructures protected from network intrusion and malware | BAS | |
[R16] | ICT infrastructures protected from host based malware | BAS | |
[R17] | ICT infrastructures properly hardened | BAS | |
[R18] | Definite patching policy at system level in place | BAS | |
[R19] | Risk monitoring and security incident notification | BAS | |

Life Cycle
[R20] | Successful yearly certification of “Assurance Check” | BAS | |
[R21] | Party performing the yearly “Assurance Check” | ADV | |
[R22] | Extraordinary check and remediation activities | ADV | |
[R23] | Compensative security controls | ADV | |

Supplier’s Agreements
[R24] | Compliance with all legal and regulatory constraints (e.g. security incident notification, log availability, physical locations of Data Centers, list of all involved contractors and sub-contractors) | BAS | |
[R25] | IT Security Plan in place | BAS | |
[R26] | Certifications by external recognized entities (ISO 27001 and Statement of Applicability; ISAE 3402/SSAE 16 SOC; PCI DSS v3 where applicable) | BAS | |
[R27] | SLAs related to Security Requirements (Availability thresholds, patching policy, etc.) | BAS | |
[R28] | Penalties related to Security SLAs | BAS | |
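As an added example, not part of the guideline, the following Python script checks a filled-in summary checklist against rules stated in the text: the protection-level hierarchy of section 6.2, the SaaS-only scope of [R1], the [R7]/[R8] relationship, and the requirement that every “PJ/Appl” value carry a “Notes (how/why)” entry. The Annex data structure and the sample answers are assumptions constructed for this example.

```python
"""Checker for the Controls Summary checklist (Appendix B).

Added example, not part of the guideline. It encodes rules the text states:
the protection-level hierarchy of section 6.2 (a higher level must satisfy
all requisites of the lower levels), the SaaS-only scope of [R1], and the
[R7]/[R8] rule (Advanced: at least one of private cloud or encryption with
Enel-owned keys; Mission Critical: both). The Annex data format and the
sample answers are assumptions constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

LEVELS = {"BAS": 0, "ADV": 1, "MC": 2}
VALID_VALUES = {"OK", "NO", "N/A"}

# Minimum protection level at which each requisite applies (Appendix B).
REQ_LEVEL: Dict[str, str] = {f"R{n}": "BAS" for n in range(1, 29)}
REQ_LEVEL.update({"R7": "ADV", "R8": "MC", "R21": "ADV", "R22": "ADV", "R23": "ADV"})
SAAS_ONLY = {"R1"}                              # section 7 applies to SaaS only
R7_OPTIONS = ("private cloud", "encryption")    # [R7] options a. and b.


@dataclass
class Annex:
    """One project's checklist: service model, BIA protection level, and for
    each requisite the 'PJ/Appl' value plus the 'Notes (how/why)' text."""
    service_model: str                          # "SaaS" or "PaaS"
    protection_level: str                       # "BAS", "ADV" or "MC"
    answers: Dict[str, Tuple[str, str]] = field(default_factory=dict)


def required_reqs(service_model: str, protection_level: str) -> List[str]:
    """Requisites the project must answer: all those at or below its level
    (section 6.2 hierarchy), minus SaaS-only ones for a PaaS project."""
    lvl = LEVELS[protection_level]
    return [r for r, l in REQ_LEVEL.items()
            if LEVELS[l] <= lvl and not (service_model == "PaaS" and r in SAAS_ONLY)]


def validate(annex: Annex) -> List[str]:
    """Return the list of findings; an empty list means the checklist is complete."""
    findings: List[str] = []
    if annex.protection_level not in LEVELS:
        return [f"unknown protection level {annex.protection_level!r}"]
    for req in required_reqs(annex.service_model, annex.protection_level):
        if req not in annex.answers:
            findings.append(f"[{req}] missing (required at {REQ_LEVEL[req]})")
            continue
        value, note = annex.answers[req]
        if value not in VALID_VALUES:
            findings.append(f"[{req}] value {value!r} is not OK, NO or N/A")
        if not note.strip():   # how/why must always be described
            findings.append(f"[{req}] 'Notes (how/why)' is empty")
        if req == "R7" and value == "OK" and not any(o in note.lower() for o in R7_OPTIONS):
            findings.append("[R7] note must specify which option applies (private cloud / encryption)")
    # [R8] is the conjunction of both [R7] options, so it cannot be OK while [R7] is not.
    if annex.protection_level == "MC":
        r7 = annex.answers.get("R7", ("", ""))[0]
        r8 = annex.answers.get("R8", ("", ""))[0]
        if r8 == "OK" and r7 != "OK":
            findings.append("[R8] marked OK but [R7] is not: Mission Critical requires both options")
    # [R1] is SaaS-only: a PaaS project should not claim it.
    if annex.service_model == "PaaS" and annex.answers.get("R1", ("N/A", ""))[0] != "N/A":
        findings.append("[R1] applies to SaaS only; mark it N/A for a PaaS project")
    return findings


def demo_findings() -> List[str]:
    """Constructed sample: an Advanced-level SaaS project with a partly filled checklist."""
    answers = {f"R{n}": ("OK", "see supplier security annex") for n in range(1, 7)}
    answers["R7"] = ("OK", "")                  # option not stated and note empty
    answers.update({f"R{n}": ("OK", "contract annex 3") for n in range(9, 21)})
    answers["R21"] = ("N/A", "")                # N/A without justification
    answers["R23"] = ("NO", "remediation plan agreed for next quarter")
    # [R22] and [R24]..[R28] are omitted and will be reported as missing.
    return validate(Annex("SaaS", "ADV", answers))


if __name__ == "__main__":
    for line in demo_findings():
        print(line)
```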
