What is the ENISA Framework for Public Cloud Adoption?
In its latest report, “The Security Framework for Governmental Clouds,” the European Union Agency for Network and Information Security (ENISA) shows the progress of government organizations, with the aim of helping to accelerate cloud adoption. The guide is intended to give companies the information they need to use cloud services with confidence.
The report claims that “very few EU member states have currently developed approaches for cloud computing based on a well-defined and thorough cloud security strategy (including risk profiles, classification of assets, security objectives and measures).”
The report explains the technical, strategic, and privacy implications, and provides relevant information on how to contain and overcome the problems arising from the introduction of the instrument.
The ENISA report further states that “the main security challenges, requirements and barriers in the ‘cloudification’ of governmental services are related to: data protection and compliance, interoperability and data portability, identity and access management, auditing, adaptability, and availability, as well as risk management and detailed security SLA [service-level agreement] formalization.”
Public authorities are advised to use the toolbox when they plan to use the cloud and to assess the security controls and procedures in use. The proposed framework is divided into four phases, nine security activities, and 14 structured steps that describe a set of measures that the Member States should follow in order to define and implement a secure government cloud.
There are 16,000+ services within the framework, and carrying out assurance verification on them would take about 1,000 days of effort. Services can be updated at any time during the framework, so the amount of effort required for assurance verification is vast, the report states.
Moreover, the model has already been tested through the analysis of four case studies of government clouds, which also serve as a model for the implementation of government clouds in Estonia, Greece, Spain, and the UK. The real-life validation of the security framework also serves the purpose of defining examples of how some EU member states are implementing security into their Gov Cloud approaches. The framework focuses on the following activities: risk profiles, architectural models, security and privacy requirements, security controls, implementation, deployment, accreditation, log/monitoring, audit, change management, and exit management.
The report is part of the authority’s contribution to the EU’s cloud strategy. It is aimed at national experts, government agencies and public administrations in the EU that need to define a national cloud security strategy, to obtain an analysis of the security aspects of existing government clouds, or to get assistance in completing their procurement requirements for security. EU politicians, EU private sector cloud service providers (CSP) and cloud brokers may also benefit from the content.
The non-profit organization has been working since last year with the select industry group on Cloud Certification Schemes and the European Commission, and has developed two tools to assist customers in cloud security. This work is part of the European Cloud Strategy as part of the Digital Agenda of the EU.