Adoption of ‘Gov Cloud’ by authorities is still low or in a very early stage. Security and privacy issues are the main barriers and at the same time they become key factors to take into account when migrating to cloud services. So says the European Union Agency for Network and Information Security (ENISA), in a 40-page report.
ENISA’s Security Framework for Governmental Clouds details a how EU Member States (MS) can manage the procurement and secure use of Cloud services.
The European computer security body based in Crete says that its framework addresses the need for a common security framework when deploying Gov Clouds and follows two previous ENISA studies. It is recommended to be part of the public administrations’ toolbox when planning migration to the Cloud, and when assessing security controls and procedures.
The suggested framework is structured into four phases, nine security activities and 14 steps that details the set of actions countries should follow to define and implement a secure Gov Cloud. The model is empirically validated, through the analysis of four Gov Cloud case studies – Estonia, Greece, Spain and UK. The UK Government’s Cloud, G-Cloud for short, has more than 1200 providers and about 13,000 Cloud services spread across Infrastructure, Platform, and Software as a Service (IaaS, PaaS, and Saas) and Specialist Cloud Services (SCS). Providers of cloud services get accredited to become part of the G-Cloud. Only the UK and Spain has a national cloud strategy, the report notes.
The framework focuses on: risk profiling, architectural model, security and privacy requirements, security controls, implementation, deployment, accreditation, log/ monitoring, audit, change management and exit management.
ENISA sees a clear need for Cloud pilots and prototypes to test the utility and effectiveness of the cloud business model for public administration. Organisations are switching to Cloud computing, enhancing the effectiveness and efficiencies of ICT. For governments it is cost-efficient and offers important opportunities in terms of scalability, elasticity, performance, resilience and security.
ENISA’s Executive Director said: “The report provides governments with the necessary tools to successfully deploy Cloud services. Both citizens and businesses benefit from the EU digital single market accessing services across the EU. Cloud computing is a fundamental pillar and enabler for growth and development across the EU”.
The report, is part of the agency’s contribution to the EU Cloud strategy, aimed at national experts, governmental bodies and public administration in the EU, for defining national Cloud security strategy, obtaining a baseline for analysing existing Gov Cloud deployment from the security perspectives, or to support them in filling in their procurement requirements in security. EU policymakers, EU private sector Cloud Service Providers (CSP), and Cloud brokers, can also benefit from the content.
In essence the framework serves as a pre-procurement guide and can be used throughout the entire lifecycle of cloud adoption. The next step by ENISA is to offer this framework as a tool.
For the report visit the ENISA website – http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/governmental-cloud-security/security-framework-for-govenmental-clouds
Comment
Campbell Williams, group strategy and marketing director, Six Degrees Group says: “When it comes to cloud and the public sector, it’s not so much a question of “how much data?” as “where is my data?”, “how safe is my data?” and “who might be looking at my data?” Security and sovereignty of data is a priority for public sector organisations using the cloud. This is especially the case after Snowden’s revelations about the US, home of many large technology companies and cloud computing providers, and two specific pieces of legislation, the US Patriot Act and the US Foreign Intelligence Surveillance Amendment Act (FISAA).
“However, this shouldn’t be putting the public sector off working with the right cloud provider. All public sector bodies face significant budgetary pressures in the 2010s decade. The lingering effects of global recession have forced them to make significant cuts in many areas and to look for new ways to raise revenues or free up cash from balance sheet assets. Cloud is the ideal solution for these bodies. It can offer an opex-based technology solution, balanced with access to high quality, highly resilient computer power. The right cloud provider, with the relevant security accreditations and impact level (IL) classifications can provide the public sector organisations with the very best protection too.”
