Cloud Security Alliance Announces Cyber Security Guide
The Cloud Security Alliance (CSA), the European Agency for Network and Information Security (ENISA), and TU Darmstadt have published a step-by-step guide for the attainment and security of cloud services. This report stems from ENISA's 2013 report on governmental cloud use. It details a framework modeled in four phases, nine security activities and fourteen steps. Every member nation that follows this guide will, according to its authors, define and implement a secure government cloud. The authors based their recommendations on four nations used as case studies: Estonia, Greece, Spain and the United Kingdom.
The focus of this report is what type of security framework is suitable for government clouds and how to execute it. If an infrastructure is fit for government use, then it is also fit for private company use, so long as it does not cost an excessive amount of money. Currently, very few European nations have the ability to adopt and execute cloud computing. Many in the private sector, however, have already begun to implement the cloud, yet it will still be many years before full execution is achieved.
Governments that have already been working with the cloud have adopted several cloud deployment models. Community and private clouds are the most popular, with hybrid and public clouds also being utilized. Software as a Service (SaaS) and Infrastructure as a Service (IaaS) are the most common cloud service models, and Platform as a Service (PaaS) will likely become more important moving forward. Of the e-government services that use the cloud, email topped the list, followed by services such as backup and archive, Identity as a Service (IDaaS), office applications, and citizen participation.
Security and privacy are the two key technology requirements for the aforementioned services. The UK government has taken drastic steps to overhaul the security classifications for government data to make it easier for service providers to construct more secure systems. Many corporations have heavily invested in complex data classification systems that have become an inhibitor to business. Simplification could make it easier to build a secure system without complicating the data classification.
However, security is not an easily resolved issue. For example, Germany has very strong privacy and security regulations. Because of this, there have been quite a few service providers trying to build data centers there in order to hold German companies' data. The UK government has been making moves towards a similar position. A recent survey of parliament members in the UK found that many thought the idea of government data being stored in offshore centers was inhibiting a greater use of cloud computing.
The next part of the guide covers the roles, the logic model, and the plan, do, check and act phases of the security framework. It points out how inputs, activities and outputs relate to risk profiling, architectural modeling and the security and privacy requirements. Many of these steps are no different from the steps IT managers take when outsourcing systems or working with system integrators. However, as the guide notes, outsourcing focuses on entire systems while the cloud focuses on services.
The next section focuses on applying the steps from the previous section to government applications. The authors apply them to the four governments mentioned at the beginning of this article as a case study. The study shows that while, in its simplest form, the cloud is about commoditization and common approaches, in real applications there can be more than one way to solve a problem.
The report closes with some very important conclusions. It does not say that it is urgent for the EU to adopt the suggested security framework. However, without a coherent framework across all of the European Union, there will certainly be gaps in security that hackers can easily exploit. It also means that companies wishing to work in different EU nations must continue to deal with a complex network of, and sometimes even conflicting, government requirements. It is now up to EU leaders to ensure that comprehensive standar