The adoption of cloud computing in the public sector across the European Union is being held back by worries over how sensitive data can be secured, according to a report by the European Union Agency for Network and Information Security (ENISA).
The report notes that, while some EU states have adopted comprehensive cloud strategies and encouraged public-sector organisations to shift services to the cloud, where appropriate, others have made little or no headway.
“Very few EU member states have currently developed approaches for cloud computing based on a well-defined and thorough cloud security strategy (including risk profiles, classification of assets, security objectives and measures),” claims the report, the Security Framework for Governmental Clouds.
It continues: “The main security challenges, requirements and barriers in the ‘cloudification’ of governmental services are related to: data protection and compliance, interoperability and data portability, identity and access management, auditing, adaptability and availability, as well as risk management and detailed security SLA [service-level agreement] formalisation.”
It suggests that the “security framework [should be] modelled into four phases, nine security activities and 14 steps that detail the set of actions that we believe each member state should follow for the definition and implementation of a secure ‘Gov Cloud’.
“The generic security framework has been empirically validated through the analysis of four Gov Cloud case studies, namely Estonia, Greece, Spain and the UK. The real-life validation of the security framework also serves the purpose of defining examples of how some EU member states are implementing security into their Gov Cloud approaches.”
The report examines a number of government cloud implementations in the UK, Estonia, Spain and Greece, and provides a series of best practices based on their examples.
“The steps range from taking initial measures to classify services that can be moved to the cloud, conducting a risk analysis and setting security requirements, to selecting security controls and verifying assurances about security offered by cloud providers. They also account for security controls testing and implementation of any ‘remedies’, as well as the termination of cloud contracts and the deletion of data, among other things,” according to law firm Pinsent Masons.