ENISA’s Security Framework for Governmental Clouds details a step-by-step guide for the Member States (MS) for the procurement and secure use of Cloud services.
This framework addresses the need for a common security framework when deploying Gov Clouds and builds on the conclusions of two previous ENISA studies. It is recommended to be part of the public administrations’ toolbox when planning migration to the Cloud, and when assessing the deployed security controls and procedures.
The suggested framework is structured into four (4) phases, nine (9) security activities and fourteen (14) steps that details the set of actions Member States should follow to define and implement a secure Gov Cloud. In addition the model is empirically validated, through the analysis of four (4) Gov Cloud case studies - Estonia, Greece, Spain and UK – serving also as examples to Gov Cloud implementation.
The framework focuses on the following activities: risk profiling, architectural model, security and privacy requirements, security controls, implementation, deployment, accreditation, log/ monitoring, audit, change management and exit management.
The study shows that the level of adoption of Gov Cloud is still low or in a very early stage. Security and privacy issues are the main barriers and at the same time they become key factors to take into account when migrating to cloud services. Additionally, there is a clear need for Cloud pilots and prototypes to test the utility and effectiveness of the cloud business model for public administration.
Organisations are switching to Cloud computing, enhancing the effectiveness and efficiencies of ICT. For governments it is cost-efficient and offers important opportunities in terms of scalability, elasticity, performance, resilience and security.
ENISA’s Executive Director commented: “The report provides governments with the necessary tools to successfully deploy Cloud services. Both citizens and businesses benefit from the EU digital single market accessing services across the EU. Cloud computing is a fundamental pillar and enabler for growth and development across the EU”.
The report, is part of the agency’s contribution to the EU Cloud strategy, aimed at national experts, governmental bodies and public administration in the EU, for defining national Cloud security strategy, obtaining a baseline for analysing existing Gov Cloud deployment from the security perspectives, or to support them in filling in their procurement requirements in security. EU policymakers, EU private sector Cloud Service Providers (CSP), and Cloud brokers, can also benefit from the content.
In essence the framework serves as a pre-procurement guide and can be used throughout the entire lifecycle of cloud adoption. The next step by ENISA is to offer this framework as a tool.
For full report: Security Framework for Governmental Clouds
For interviews: Dimitra Liveri, Security & Resilience of Communication Networks, cloud.security@enisa.europa.eu
Background Information:
Previous reports on the subject:
Security and Resilience in Governmental Clouds
Good practice Guide for securely deploying Governmental Clouds