The suggested framework is structured into four (4) phases, nine (9) security activities and fourteen (14) steps that details the set of actions Member States should follow to define and implement a secure Government Cloud. In addition the model is empirically validated, through the analysis of four (4) Government Cloud case studies – Estonia, Greece, Spain and UK – serving also as examples to Government Cloud implementation.
The framework focuses on the following activities: risk profiling, architectural model, security and privacy requirements, security controls, implementation, deployment, accreditation, log/ monitoring, audit, change management and exit management.
The study shows that the level of adoption of Government Cloud is still low or in a very early stage. Security and privacy issues are the main barriers and at the same time they become key factors to take into account when migrating to cloud services. Additionally, there is a clear need for Cloud pilots and prototypes to test the utility and effectiveness of the cloud business model for public administration.
Organisations are switching to Cloud computing, enhancing the effectiveness and efficiencies of ICT. For governments it is cost-efficient and offers important opportunities in terms of scalability, elasticity, performance, resilience and security.
ENISA’s Executive Director Udo Helmbrecht commented: “The report provides governments with the necessary tools to successfully deploy Cloud services. Both citizens and businesses benefit from the EU digital single market accessing services across the EU. Cloud computing is a fundamental pillar and enabler for growth and development across the EU”.
The report is part of the agency’s contribution to the EU Cloud strategy, aimed at national experts, governmental bodies and public administration in the EU, for defining national Cloud security strategy, obtaining a baseline for analysing existing Government Cloud deployment from the security perspectives, or to support them in filling in their procurement requirements in security. EU policymakers, EU private sector Cloud Service Providers (CSP), and Cloud brokers, can also benefit from the content.
In essence the framework serves as a pre-procurement guide and can be used throughout the entire lifecycle of cloud adoption. The next step by ENISA is to offer this framework as a tool.
For full report: Security Framework for Governmental Clouds
