zaterdag, 13 december 2014 00:00

ENISA: European approach towards secure cloud adoption Featured

Written by
Rate this item
(0 votes)

An interesting presentation to follow was the one where ENISA highlighted what actions the European Union is taking to ensure a guided form of cloud adaption for governments and to put a firm and secure cloud strategy implementation into place. It does this by providing frameworks and procurement guidelines for adopting cloud services. We go into more detail regarding risk assessment and management for Small and Medium Enterprises (SMEs). We end with the challenges that are still present for the financial and e-Health sectors. 

ENISA is active and operational in several fields being: 

  • providing recommendations to member states on security best practices;
  • policy implementation;
  • mobilizing communities and raising security awareness;
  • providing hands-on experience.

The goal of their cloud strategy guideline frameworks is a dual one: the first one being the facilitation of adopting cloud computing for users at home and companies and the second one being the adaption of governmental cloud computing.

Barriers for cloud adoption

There are several concerns or barriers which are blocking or slowing the adoption of cloud services for governments and companies. The three main barriers are:

  • fragmented market: we still don't have a single implementation of the data protection act;
  • still a lot of concerns regarding security and protection of data;
  • lack of transparency in the market, it is often not clear for the customer what the service includes.

Risk assessment in the cloud

Cloud adaption in the cloud has advantages and disadvantages. ENISA published a security guide for risk assessment in the cloud, this year a special guide is published for SMEs. When looking at SMEs we have to acknowledge that they are a special kind of users, which have their own special requirements. ENISA published a guide which is an attempt to help SMEs and don't let them go completely unprepared to cloud providers.

The key conclusion made by ENISA: the cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost-effective. An excerpt, non-exhaustive list, of recommendations by ENISA are:

  • Development of an information assurance network: a set of questions that an organization can ask a cloud provider to assure themselves that they are sufficiently protecting the information entrusted to them.
  • Division of liabilities: A clear definition of the legal liabilities with respect to security incidents for customers and providers.
  • Division of responsibilities: With respect to security incidents, there needs to be a clear definition and understanding between the customer and the provider of security-relevant roles and responsibilities.
  • Identity and access management: a set of questions that an organization can ask a cloud provider regarding proper identity and access management of employees and customers of the service.

Governmental Clouds

Understanding and managing risks related to the adoption and integration of cloud computing capabilities into public bodies (like governments) is a key challenge. Effectively managing the security and resilience issues related to cloud computing capabilities is prompting many public bodies to innovate, and some cases to rethink, their processes for assessing risk and making informed decisions related to this new service delivering model.

ENISA performed a study regarding these governmental clouds and as an outcome they proposed a framework for decision making. This framework is published in 2014 and is an evidence-based framework. The framework consists of 4 phases: 

  • the identification and collection of their business, security and legal requirements;
  • the definition of their service level specifications and service level agreements;
  • the identification of the solution that best addresses their needs;
  • preparing a proposal for a request-for-service and establishing their mitigation plan.

It is based on four real use cases of governments that implemented a cloud adoption strategy.

Next steps

ENISAs next steps are composed of three main goals:

  • Ex-post analysis of cloud incidents: Investigate past cloud incidents and learn how we can change or create procedures, legal frameworks tools and restrictions to ensure these from happening again.
  • Cloud Computing in the financial sector: Try to introduce cloud computing in the financial sector. Challenges here lie in the assessment of risk, providing clear guidelines on secure deployment and a law for data location that is homogenous across Europe.
  • ICT in e-Health: Deploying a governmental operated cloud, separated from the internet, by using a hybrid private-partner cloud. Additional challenges and opportunities is the Big Data that is generated in association with this deployment.

These are all guidelines and frameworks for facilitating and securing cloud adoption. However the biggest challenge, and perhaps the most important, remains the creation of a european data location law which tackles the problems regarding data location. If there is one thing that will break cloud in the future, it is the collection of problems that arise around the location of data.

Read 24712 times Last modified on zaterdag, 13 december 2014 21:34

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

@Saasifisecured on twitter