The Cloud Security Alliance has teamed up with European security agency ENISA and Darmstadt university to release a new step-by-step guide for governments looking to securely deploy cloud computing projects.
The Security Framework for Governmental Clouds builds on two previous ENISA studies and analysis of four government cloud initiatives in the UK, Spain, Greece and Estonia, to provide common best practice guidance for European member states.
It covers every step, from pre-procurement right through to what is needed when exiting a cloud contract – all with security and privacy in mind.
The framework is split into four phases, nine security 'activities' and 14 steps government IT managers can use to plan their journey to the cloud.
It can be used both as a pre-procurement guide and throughout the cloud adoption lifecycle, structured according to the 'Plan-Do-Check-Act' security cycle.
The following activities are covered in the guide: risk profiling, architectural model, security and privacy requirements, security controls, implementation, deployment, accreditation, log/monitoring, audit, change management and exit management.
Concerns have been raised in the past that government cloud projects are simply not getting the buy-in they need from stakeholders.
A study of 300 UK civil servants last year found that two-thirds had knowledge of the government’s G-Cloud initiative while just 38% said they’d used it to procure cloud services.
The CSA/ENISA report itself echoed such concerns:
“Despite considerable efforts from the EC, ENISA and other international organisations and market actors (e.g. CSP’s) the level of adoption of Gov Clouds is still low. Some EU member states have already defined a cloud strategy, some others show a tactical or opportunistic adoption of cloud services, but very few (actually only UK and Spain) have defined and implemented a national wide cloud strategy. This security framework will be one more reason to support the systematic adoption of cloud security strategies and actual governmental cloud deployment.”