ENISA released a framework structured into four phases, nine security activities and fourteen steps that details the set of actions Member States should follow to define and implement a secure Gov Cloud.
In addition the model is empirically validated, through the analysis of four Gov Cloud case studies – Estonia, Greece, Spain and UK – serving also as examples to implementation.
The framework focuses on the following activities: risk profiling, architectural model, security and privacy requirements, security controls, implementation, deployment, accreditation, log/ monitoring, audit, change management and exit management.
The study shows that the level of adoption of Gov Cloud is still low or in a very early stage. Security and privacy issues are the main barriers and at the same time they become key factors to take into account when migrating to cloud services. Additionally, there is a clear need for cloud pilots and prototypes to test the utility and effectiveness of the cloud business model for public administration.
Organizations are switching to cloud computing, enhancing the effectiveness and efficiencies of ICT. For governments it is cost-efficient and offers important opportunities in terms of scalability, elasticity, performance, resilience and security.
ENISA’s Executive Director commented: “The report provides governments with the necessary tools to successfully deploy cloud services. Both citizens and businesses benefit from the EU digital single market accessing services across the EU. Cloud computing is a fundamental pillar and enabler for growth and development across the EU”.
The report, is part of the agency’s contribution to the EU cloud strategy, aimed at national experts, governmental bodies and public administration in the EU, for defining national cloud security strategy, obtaining a baseline for analyzing existing Gov Cloud deployment from the security perspectives, or to support them in filling in their procurement requirements in security. EU policymakers, EU private sector cloud service providers, and cloud brokers, can also benefit from the content.
In essence the framework serves as a pre-procurement guide and can be used throughout the entire lifecycle of cloud adoption. The next step by ENISA is to offer this framework as a tool.