The ‘EU28 Cloud Security Conference: Reaching the Cloud Era in the European Union’ brought to the foreground the current cloud landscape. The aim of the conference was to bring together practitioners, academics and policy makers to discuss the level of cloud computing security in the context of current and future policy activities. The conference included presentations and panel debates on legal and compliance issues, technical advancements, privacy and personal data protection, critical information infrastructures and cloud certification.
During the conference, the important role of cloud computing in the development of the digital economy in Europe was acknowledged. Cloud computing is becoming essential for users, including individual consumers, businesses and public sector organisations. However, recent figures indicate that users' concerns about cloud security are still the main barrier to the adoption of cloud services in Europe.
Key conclusions highlight that:
- There is a need to raise awareness and educate users and SMEs on cloud security, to encourage safe and responsible use of cloud services. “Informed customers” should be able to ask the right questions of providers and understand where their responsibilities lie, and SMEs should understand that they are co-responsible for the security of the cloud services provided. A risk assessment culture applicable to all should be nurtured. Transparency of cloud services must be improved through the implementation of continuous monitoring mechanisms, increased accountability through evidence-based assurance solutions, and certification, keeping in mind that one size does not fit all. Rapid, context-based sharing of incident information within industry sectors will also enable collaborative information security that can respond quickly to the changing cybersecurity landscape.
- There is a need for flexible policy approaches towards cloud security to allow further technological advancements. Within this framework, co-regulatory and self-regulatory initiatives should be supported, and technology-neutral legal guidelines and obligations based on principles should be created, to allow for flexible solutions. Europe-wide solutions should be encouraged.
- Data protection is an important element to be considered. Implementation of existing rules and techniques should be encouraged and this information should be shared.
- Governmental clouds bring benefits to cloud security. There is space to strengthen cooperation and define clear procurement guidelines built on cooperation between industry and public sector. Furthermore, customised solutions based on the needs of each country and sharing of best practices can be encouraged.
- Cloud benefits from an open market. Meanwhile discussions are required on security in relation to data location requirements, foreign jurisdiction and access to European data.
- As cloud usage for critical sectors is increasing, there is a need for elaborated security measures and specific risk assessment techniques addressing each critical sector’s needs.
Furthermore, cloud security was discussed in relation to the recent regulatory and policy initiatives, such as the ongoing data protection reform, the proposal for a Network and Information Security directive, cloud computing communication and the Digital Single Market strategy. There was consensus that further policy actions on cloud security could support trust and confidence in cloud services by addressing the key findings and issues deriving from the conference.
The findings of the EU28 Cloud Security Conference were discussed and presented to the wider audience of the Digital Assembly, the European Commission high-level event taking place in Riga on the 17th and 18th of June, 2015. The conclusions drawn were presented by ENISA’s Head of Critical infrastructures and Services Unit, Dr. Ouzounis, during workshop 1: “Building Trust and Confidence online”.
Background:
The joint conference ‘EU28 Cloud Security Conference: Reaching the Cloud Era in the European Union’, which took place on June 16th, 2015 in Riga, was organised by the Ministry of Defence of the Republic of Latvia and the European Union Agency for Network and Information Security (ENISA).
For press enquiries please contact press@enisa.europa.eu, Tel. +30 2814 409 576