SGL - 14 - v01 - CloudSecurityForSaaS e PaaS - 20181220
1/12
INTERNAL USE
Cyber Security Guideline no. [14]
Version no. [1] dated [12/2018]
CONTENTS
4. REFERENCES (page 4)
6. GENERALITIES (page 5)
6.1. Scope (page 5)
6.2. Protection Levels (page 5)
9. APPENDIX (page 11)
A. Working Group composition (page 11)
B. Controls Summary checklist (page 11)
4. REFERENCES
[1] Enel Group Policy n. 25 – Management of Logical Access to IT Systems, 12/2017
[2] Enel Group Policy n. 33 – Information Classification and Protection, 10/2015
[3] Enel Group Policy n. 17 – Cyber Security Framework, 09/2017
[4] OD n. 543 – Organizational Structure of Cyber Security, 06/2017
[5] OP n. 204 – CERT - Cyber Emergency Respond and Management, 09/2017
[6] OI n. 944 – Cyber Security Risk Management Methodology, 11/2017
[7] Cyber Security Guide Line n. 11 v.1 – Cloud Security for IaaS, 10/2016
[8] Cyber Security Guide Line n. 7 v.2 – IT Security Guidelines – Applications, 09/2017
[9] Cyber Security Guide Line n. 10 v.1 – Infrastructural Security, 10/2016
[10] Italian Law n. 262/2005 – "Disposizioni per la tutela del risparmio e la disciplina dei mercati finanziari" (Provisions for the protection of savings and the regulation of financial markets), 12/2005
[11] GDPR General Data Protection Regulation, UE 2016/679
[12] NIST Special Publication 800-88 Revision 1 - Guidelines for Media Sanitization
[13] ISO/IEC 27001:2013 – ISMS requirements
[14] ISO/IEC 27002:2013 – Code of practice for Information Security controls
[15] ISO/IEC 27017:2015 – Code of practice for Information Security controls for cloud services
[16] ISO/IEC 27018:2014 – Code of practice for protection of PII in public clouds acting as PII processors
6. GENERALITIES
6.1. Scope
This guideline defines security controls for Enel Group Digital Solutions to be operated within an external
provider with Software as a Service (SaaS) or Platform as a Service (PaaS) cloud capabilities (hereafter:
the Cloud Provider), on request by a responsible Enel Group unit (hereafter: Enel Requester).
Such security controls are meant to ensure that confidentiality, integrity, and availability of Enel Group data
are enforced by the Cloud Provider at a level equivalent to the one provided by Enel Group on-premises.
We considered the following assumptions during the analysis and the writing of this document.
1. Enel Requester, possibly comprising multiple consumers (e.g., Business Units), requests and provisions the
cloud service for its use; the cloud service is owned, managed, and operated by the Cloud Provider, including
the applicative level in the SaaS scenario but excluding it in the PaaS one, and it exists off premises.
2. The Cloud Provider may adopt security controls (for both applications and infrastructures) technically
different from those adopted by Enel Group.
3. For security controls that, by their nature, require integration with other Enel Group Digital Solutions (for
instance application integration, user authentication, VPN), interoperability shall be guaranteed by the
Cloud Provider using the well-known standards adopted by Enel Group.
4. Insofar as the applicative level is concerned, unless stated otherwise, the Applications Security Guideline
[8] applies. Since in the SaaS scenario the Cloud Provider is directly responsible for the applicative level and its
compliance, this is explicitly remarked in [R1].
This guideline supports the currently available and expected SaaS/PaaS scenarios, but it is open to supporting
upcoming solutions, which will be addressed in additional guidelines or in a new version of this guideline.
The level hierarchy establishes that a higher protection level shall comply with all requisites of the lower levels.
Please note that in this specific document, controls do not depend on the specific security parameter (C/I/A)
but only on the protection level. As usual, compliance with laws, regulations and Enel Group policies in force
(such as Policy 33 [2]) is meant to be Baseline (see e.g. [R2], [R24]).
7.1.1. Baseline
[R1] Applicative level security shall comply with the Application Security guidelines [8]. Therefore, the
Security Annex shall include all the (applicable) items provided there. The responsibility to
guarantee and enforce applicative level controls lies with the Cloud Provider in a SaaS scenario.
In particular, real-time availability of applicative logs is mandatory (Baseline) without additional
costs for Enel Group (including Security Service suppliers such as CASB providers).
8.1. Compliance
8.1.1. Baseline
[R2] Classification of the service/application and all the data it manages has been carried out by Enel
Requester¹, in general as part of the BIA process [6], involving Enel Group Business, Legal and
Cyber Security functions for support as needed and as early as possible (requirements phase).
Therefore, restricted data according to business needs, legal and regulatory constraints (usually
personal and financial; see also [R24]) and Enel Policies (e.g. Policy 33 [2]) are identified.
[R3] Compliance with the requisites shall be agreed upon by Enel Requester and the Cloud Provider at
Contract level, within the respective scope of responsibility, to ensure that the Cloud Provider is
contractually bound to their adoption, implementation and management. Any deviations from this
standard responsibility scope shall be detailed and evaluated according to the Risk Management
Framework described in [4] and [6].
[R4] To define and track how the requisites are satisfied, a Security Annex shall be maintained by
Enel Requester as part of the project documentation, following the structure of the present
guideline. All relevant information provided by the Cloud Provider shall be reported or referenced
here, as well as any exceptions (including “N/A” statements) and compensative countermeasures
(to be) agreed upon with the competent Cyber Security Risk and Response Managers according
to the Risk Management Framework described in [4] and [6].
8.2. Networking
8.2.1. Baseline
[R5] For any communications with any other Enel Group areas (e.g. On-Premises, IaaS, PaaS, SaaS),
authentication, integrity and confidentiality shall be ensured by state-of-the-art encrypted
protocols at applicative level and/or segregation at the underlying infrastructural level (e.g. by
IPsec/TLS VPN, dedicated link/MPLS circuit, etc.). Refer to the Application Security guidelines [8] for
further details about encryption features and constraints.
¹ Please note that this cannot be deferred to the Cloud Provider (although it may/should support the task; see also [R24]).
[R6] Any communications with any other Enel Group areas (e.g. On-Premises, IaaS, PaaS, SaaS)
shall be filtered and logged by a technical solution (e.g. firewalling, proxying, CASB, etc.) with
at least the following features:
a. directly managed by Enel Group (standard/preferred solution), or whose logging and policies
are available at least in near-real-time to Enel Group;
b. strictly allowing only the required application traffic;
c. traffic inspection/analysis;
d. already integrated, or to be integrated, with the Enel Group Risk Monitoring Platform², through the Service
Activation process described in [5].
It is Enel Requester's responsibility to identify such a technical solution among the currently available
alternatives, with the support of Enel Group Cyber Security functions and the Cloud Provider.
8.2.2. Advanced
[R7] The Cloud Provider shall ensure at least one of the following:
a. applications/services shall run in a private cloud dedicated to Enel Group, such that:
i. the Enel Group private cloud shall be segregated from any other network, including public
networks (the Internet), other customers' private clouds and the provider's intranet;
ii. only the traffic strictly required to accomplish the agreed services shall be allowed between
the Enel Group private cloud and any other network, and such traffic shall be controlled in compliance with
req. [R15];
iii. such network connections shall be explicitly declared and documented by the Cloud
Provider.
b. all Enel Group data at rest and in transit managed by the applications/services shall be
encrypted by methods whose keys are owned only by Enel Group³.
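As an added illustration that is not part of the guideline, the level hierarchy of section 6.2 (Advanced includes every Baseline requisite) and the "at least one of" alternatives of [R7] are expressed below as a small gap checker for a Security Annex. The requisite ids and their protection levels are taken from this guideline; the annex contents, the status vocabulary and the "compensative" field are constructed assumptions.

```python
# Added example (not the guideline's own tooling): compute the open gaps of a
# Security Annex for a given protection level.

LEVELS = ["BAS", "ADV"]  # ordered: a higher level includes all lower levels

# Requisite -> minimum protection level at which it applies (from the guideline).
REQUISITES = {
    "R1": "BAS", "R2": "BAS", "R3": "BAS", "R4": "BAS", "R5": "BAS", "R6": "BAS",
    "R7": "ADV", "R9": "BAS", "R10": "BAS", "R11": "BAS", "R12": "BAS",
    "R13": "BAS", "R14": "BAS", "R15": "BAS", "R16": "BAS", "R17": "BAS",
    "R18": "BAS", "R19": "BAS", "R20": "BAS", "R21": "ADV", "R22": "ADV",
    "R23": "ADV", "R24": "BAS", "R25": "BAS",
}

# Requisites met by any one of several alternatives ([R7] option a or b).
ALTERNATIVES = {"R7": ["R7a", "R7b"]}


def required_for(level):
    """All requisites applying at `level`, including those of lower levels."""
    rank = LEVELS.index(level)
    return {r for r, lvl in REQUISITES.items() if LEVELS.index(lvl) <= rank}


def annex_gaps(level, annex):
    """Return the required requisites the annex does not cover, in id order.

    `annex` maps a requisite (or alternative) id to a dict with a 'status' of
    'compliant', 'N/A' or 'missing'. Per [R4] an 'N/A' only counts when a
    'compensative' countermeasure is recorded; otherwise it is still a gap.
    """
    gaps = []
    for req in sorted(required_for(level), key=lambda r: int(r[1:])):
        entries = [annex.get(i, {"status": "missing"})
                   for i in ALTERNATIVES.get(req, [req])]
        covered = any(e["status"] == "compliant"
                      or (e["status"] == "N/A" and e.get("compensative"))
                      for e in entries)
        if not covered:
            gaps.append(req)
    return gaps


# Constructed sample annex for an Advanced-level SaaS solution.
SAMPLE_ANNEX = {
    **{f"R{n}": {"status": "compliant"} for n in REQUISITES if True
       for n in [int(n[1:])]},
    "R7b": {"status": "compliant"},  # keys owned by Enel: option a not needed
    "R16": {"status": "N/A"},        # N/A without a compensative measure: a gap
}

if __name__ == "__main__":
    print(annex_gaps("ADV", SAMPLE_ANNEX))  # ['R16']
```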
8.3. Availability
8.3.1. Baseline
[R9] Ownership of Enel Group data shall always remain with Enel Group.
[R10] The Cloud Provider shall return data to Enel Group at the end of the agreement between Enel Group
and the Cloud Provider, or on request by the authorized Enel Group responsible. For Enel Group
data return, the Cloud Provider shall provide exporting functionalities to Enel Group, or a
procedure for data portability has to be defined and tested.
[R11] The Cloud Provider shall delete Enel Group data after data return or on request by the
authorized Enel Group responsible. Enel Group data deletion (both on request and before reuse
or disposal of the physical or virtual media) shall be compliant with Policy 33 [2] provisions; in
particular, any Enel Group data classified as Confidential or higher shall be deleted according to
NIST Special Publication 800-88 Revision 1 - Guidelines for Media Sanitization [12].
² This platform/service includes and replaces the previous SIEM (Security Information and Event Management) infrastructure.
³ Please note that this is more restrictive than the standard encryption requisite in the Application SGL [8], still valid at Baseline
protection level, where it depends on the classification of the specific data according to Policy 33 [2].
8.4.1. Baseline
[R12] The Cloud Provider shall assure proper segregation of Enel Group data from provider’s own data
and other customers’ data for use, storage and transit.
[R13] Rights of access and management of ICT infrastructures supporting Enel Group data and
applications shall be properly restricted to individual, authenticated accounts of the Cloud
Provider personnel on a Least Privilege basis and according to an RBAC model of authorization.
Authentication policies (e.g.: password/multifactor policy) shall be declared and documented.
[R14] Logging (at both system and network level) of ICT infrastructures managing Enel Group data
and applications shall be available on request to Enel Group for forensic activities in case of
Security Incidents and legal/regulatory inquiries without additional costs.
[R15] ICT infrastructures managing Enel Group data and applications shall be protected from network
intrusion and malware by different, layered security controls, i.e.:
a. Allowing only communications strictly required for the service (addresses, protocols, ports)
b. Encryption and authentication of all inbound/outbound communications
c. Traffic inspection functionalities for all inbound/outbound traffic
d. Hiding private IP address of network nodes
e. Network segregation from the Internet through a DMZ
f. IP packet spoofing protection
g. Traffic logging (allowed and rejected)
h. (for inbound http/s traffic, w/a) hiding of front URL (URL rewrite/reverse proxying)
i. (for outbound http/s traffic, w/a) URL/IP destination address filtering based on reputation/whitelisting
j. Monitoring integrated with a Risk Monitoring Platform.
[R16] ICT infrastructures managing Enel Group data and applications shall be protected from host
based malware by an End Point Protection (EPP) solution with the following functionalities:
a. First option: “Signature” based EPP (with regular and periodic update of EPP signature/agent),
with local firewalling and intrusion detection/prevention.
b. Second option: “whitelisting” based EPP.
c. For both the options: centralized management and integration with a Risk Monitoring Platform.
[R17] ICT infrastructures managing Enel Group data and applications shall be properly hardened, at
least by disabling/protecting unnecessary software/services and default accounts and passwords.
[R18] ICT infrastructures managing Enel Group data and applications shall be patched at system level
according to a definite patching policy shared at contractual level.
[R19] Cloud Provider shall monitor risks and promptly notify Enel Group about security incidents.
a. The Cloud Provider shall have in place a Risk Monitoring Platform to monitor the risks and
promptly communicate security incidents.
b. The Cloud Provider shall agree the potential security incidents classification, notification
methods and SLA.
8.5. Life-Cycle
8.5.1. Baseline
[R20] Before going into production, and then at least yearly, the Cloud Provider shall provide a
successful certification of an Assurance Check (i.e. a Penetration Test/Ethical Hacking activity)
by an external recognized entity, in order to ensure that security controls are active and effective
on the whole perimeter of the service offered to Enel Group. In case such certification is not
provided, Enel Group will be entitled to perform it.
8.5.2. Advanced
[R21] The party performing the yearly Assurance Check shall be agreed with Enel Group.
[R22] Extraordinary check and remediation activities shall be promptly agreed with Enel Group in case
of a high-severity incident or threat.
[R23] If no direct remediation (e.g. patching) is available/applicable, compensative controls shall be
promptly agreed with Enel Group. Techniques include:
a. adapting or adding access controls, e.g. firewalls, at network borders,
b. tuning Intrusion Detection/Prevention system,
c. increasing monitoring to detect actual attacks,
d. turning off services or capabilities related to the vulnerability.
8.6.1. Baseline
[R24] The Cloud Provider shall guarantee and ensure compliance with all applicable national and
international legal and regulatory constraints about security of information, both present (such
as Italian Law no. 262 [10] and EU GDPR [11]) and future, for all relevant data and within the
whole scope of its responsibility: i.e., at both applicative and infrastructural level in case of a SaaS
provider, or at infrastructural level only in case of a PaaS provider⁴. In particular, the Cloud Provider:
a. shall notify Enel of security incidents at least in compliance with legal and regulatory constraints;
b. shall ensure log availability at least in compliance with legal and regulatory constraints;
c. shall identify the physical locations of all Data Centers managing Enel Group Data, and store
restricted data in geographical locations compliant with legal and regulatory constraints;
d. shall provide the list of all contractors and sub-contractors involved in Enel Group data and
applications management (including its underlying IaaS/PaaS/SaaS providers, if any), all
having the same obligations about security of information as the Cloud Provider.
[R25] The Cloud Provider shall have a comprehensive IT Security Plan covering all areas of security,
including:
a. logical security,
b. physical security,
c. communications security,
d. data center management,
e. audits and reviews,
f. continuity and contingency plan.
⁴ See [R3].
9. APPENDIX
B. Controls Summary checklist
Area                  | Req.  | Control                                                                                                   | Level | Note
Networking            | [R5]  | Authentication, integrity and confidentiality of communications with any other Enel Group area ensured at applicative or infrastructural level | BAS   |
Networking            | [R6]  | Communications with any other Enel Group area controlled, logged, analyzed and monitored                   | BAS   |
Networking            | [R7]  | Applications/services running in a private cloud or encryption of all Enel Group data                     | ADV   | specify which one applies
Availability          | [R9]  | Enel Group data property entitled to Enel Group                                                           | BAS   |
Life Cycle            | [R20] | Successful yearly certification of "Assurance Check"                                                      | BAS   |
Supplier's Agreements | [R24] | Compliance with all legal and regulatory constraints (e.g. security incident notification, log availability, physical locations of Data Centers, list of all involved contractors and sub-contractors) | BAS   |
Supplier's Agreements | [R25] | IT Security Plan in place                                                                                 | BAS   |