This article is reproduced from the European Network for Information Security Agency.
ENISA’s Security Framework for Governmental Clouds details a step-by-step guide for the Member States (MS) for the procurement and secure use of Cloud services.
The framework addresses the need for a common security framework when
deploying Gov Clouds and builds on the conclusions of two previous ENISA studies.
It is recommended to be part of the public administrations’ toolbox
when planning migration to the Cloud, and when assessing the deployed
security controls and procedures.
The suggested framework is structured into four (4) phases, nine (9)
security activities and fourteen (14) steps that detail the set of
actions Member States should follow to define and implement a secure Gov
Cloud. In addition, the model is empirically validated through the
analysis of four (4) Gov Cloud case studies – Estonia, Greece, Spain and
UK – which also serve as examples of Gov Cloud implementation.
The framework focuses on the following activities: risk profiling,
architectural model, security and privacy requirements, security
controls, implementation, deployment, accreditation, log/monitoring,
audit, change management and exit management.
The study shows that the level of adoption of Gov Cloud is still low
or in a very early stage. Security and privacy issues are the main
barriers and at the same time they become key factors to take into
account when migrating to cloud services. Additionally, there is a clear
need for Cloud pilots and prototypes to test the utility and
effectiveness of the cloud business model for public administration.
Organisations are switching to Cloud computing, enhancing the
effectiveness and efficiencies of ICT. For governments it is
cost-efficient and offers important opportunities in terms of
scalability, elasticity, performance, resilience and security.
ENISA’s Executive Director commented: “The
report provides governments with the necessary tools to successfully
deploy Cloud services. Both citizens and businesses benefit from the
accessing services across the EU. Cloud computing is a fundamental
pillar and enabler for growth and development across the EU”.
The report is part of the agency’s contribution to the EU Cloud
strategy and is aimed at national experts, governmental bodies and public
administration in the EU, for defining a national Cloud security strategy,
obtaining a baseline for analysing existing Gov Cloud deployments from
the security perspective, or supporting them in filling in their
procurement requirements in security. EU policymakers, EU private sector
Cloud Service Providers (CSP), and Cloud brokers, can also benefit from
In essence the framework serves as a pre-procurement guide and can be
used throughout the entire lifecycle of cloud adoption. The next step
by ENISA is to offer this framework as a tool.
For full report: Security Framework for Governmental Clouds
For interviews: Dimitra Liveri, Security & Resilience of Communication Networks,
Previous reports on the subject:
Security and Resilience in Governmental Clouds
Good practice Guide for securely deploying Governmental Clouds