Barriers for cloud adoption
There are several concerns or barriers which are blocking or slowing the adoption of cloud services for governments and companies. The three main barriers are:
- fragmented market: we still don't have a single implementation of the data protection act;
- still a lot of concerns regarding security and protection of data;
- lack of transparency in the market: it is often not clear to the customer what the service includes.
Risk assessment in the cloud
Cloud adoption has advantages and disadvantages. ENISA published a security guide for risk assessment in the cloud, and this year a special guide was published for SMEs. When looking at SMEs we have to acknowledge that they are a special kind of user with their own special requirements. ENISA published a guide which is an attempt to help SMEs, so that they do not go to cloud providers completely unprepared.
The key conclusion made by ENISA: the cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost-effective. A non-exhaustive excerpt of ENISA's recommendations:
- Development of an information assurance network: a set of questions that an organization can ask a cloud provider to assure itself that the provider is sufficiently protecting the information entrusted to it.
- Division of liabilities: A clear definition of the legal liabilities with respect to security incidents for customers and providers.
- Division of responsibilities: With respect to security incidents, there needs to be a clear definition and understanding between the customer and the provider of security-relevant roles and responsibilities.
- Identity and access management: a set of questions that an organization can ask a cloud provider regarding proper identity and access management of employees and customers of the service.
Governmental Clouds
Understanding and managing risks related to the adoption and integration of cloud computing capabilities into public bodies (like governments) is a key challenge. Effectively managing the security and resilience issues related to cloud computing capabilities is prompting many public bodies to innovate, and in some cases to rethink, their processes for assessing risk and making informed decisions related to this new service delivery model.
ENISA performed a study of these governmental clouds and, as an outcome, proposed a framework for decision making. This evidence-based framework was published in 2014. The framework consists of 4 phases:
- the identification and collection of their business, security and legal requirements;
- the definition of their service level specifications and service level agreements;
- the identification of the solution that best addresses their needs;
- preparing a proposal for a request-for-service and establishing their mitigation plan.
It is based on four real use cases of governments that implemented a cloud adoption strategy.
Next steps
ENISA's next steps are composed of three main goals:
- Ex-post analysis of cloud incidents: Investigate past cloud incidents and learn how we can change or create procedures, legal frameworks, tools and restrictions to prevent these from happening again.
- Cloud Computing in the financial sector: Try to introduce cloud computing in the financial sector. Challenges here lie in the assessment of risk, providing clear guidelines on secure deployment and a law for data location that is homogeneous across Europe.
- ICT in e-Health: Deploying a government-operated cloud, separated from the internet, by using a hybrid private-partner cloud. Additional challenges and opportunities lie in the Big Data that is generated in association with this deployment.
These are all guidelines and frameworks for facilitating and securing cloud adoption. However, the biggest challenge, and perhaps the most important, remains the creation of a European data location law which tackles the problems regarding data location. If there is one thing that will break cloud in the future, it is the collection of problems that arise around the location of data.