Enisa looks to UK for government cloud security guidance

Doubts raised over Enisa looking to the UK for guidance on creating a security framework that speeds adoption of government cloud services in Europe

Doubts have been raised about Enisa's decision to look to the UK for guidance on how to create a security framework that accelerates adoption of government cloud services across Europe.

The European cyber security agency is among a number of EU-focused organisations keen to drive adoption of G-Cloud-like services within local and central governments for economic reasons.

“Very few EU member states have currently developed approaches for cloud computing based on a well-defined and thorough cloud security strategy (including risk profiles, classification of assets, security objectives and measures),” Enisa’s Security Framework for Governmental Clouds report stated.

To this end, Enisa has set out a multi-part framework to guide EU member states through the steps needed to deploy a secure government cloud.

“The final result is a security framework modelled into four phases, nine security activities and 14 steps that detail the set of actions we believe each member state should follow for the definition and implementation of a secure [government] cloud,” the report continued.

The framework’s content has been shaped through an analysis of cloud computing security literature and best practice, along with feedback from Estonia, Greece, Spain and the UK, which all operate government cloud services.


These member states are described in the report as being home to some of the “few existing real-life case studies of governmental clouds in Europe” today.

However, former CloudStore leader for the G-Cloud programme, Mark Craddock, said Enisa’s take on the accreditation process for would-be G-Cloud providers is a little off.

For example, the report states G-Cloud membership is based on an accreditation process, but – according to Craddock – this often takes place after a supplier has been appointed.

“It seems [Enisa] have made some assumptions about the process, which are fair, but the practice is a little different,” he said. “Services are not accredited, but the contract does specify that those checks will be carried out.”

But, with around 20,000 services now offered via G-Cloud, Craddock admitted these checks are going to take a lot of time. “With 20,000 services, some will never get checked,” he said.

Craddock explored G-Cloud’s “assurance verification” procedures in a recent blog post, and highlighted just how time-consuming the accreditation process can be.

“There are 16,000+ services within the framework, which would take about 1,000 days’ effort to carry out assurance verification. Services can be updated anytime during the framework, so the amount of effort for assurance verification is vast,” he wrote in the post.

Despite Craddock’s reservations, analyst and director of market watcher Quocirca, Bob Tarzey, said the fact Enisa considers the UK a prime example of cloud security best practice should instil confidence in public sector buyers.

“If the EU, which is a zealous guardian of citizen privacy, is holding up the UK's approach to cloud as an example – that cannot be bad,” he said.
