Enisa looks to UK for government cloud security guidance

Doubts raised over Enisa looking to the UK for guidance on creating a security framework that speeds adoption of government cloud services in Europe

Doubts have been raised about Enisa's decision to look to the UK for guidance on how to create a security framework that accelerates adoption of government cloud services across Europe.

The European cyber security agency is among a number of EU-focused organisations keen to drive adoption of G-Cloud-like services within local and central governments for economic reasons.

“Very few EU member states have currently developed approaches for cloud computing based on a well-defined and thorough cloud security strategy (including risk profiles, classification of assets, security objectives and measures),” Enisa’s Security Framework for Governmental Clouds report stated.

To this end, Enisa has set out a multi-part framework to guide EU member states through the steps needed to deploy a secure government cloud.

“The final result is a security framework modelled into four phases, nine security activities and 14 steps that detail the set of actions we believe each member state should follow for the definition and implementation of a secure [government] cloud,” the report continued.

The framework’s content has been shaped through an analysis of cloud computing security literature and best practice, along with feedback from Estonia, Greece, Spain and the UK, which all operate government cloud services.

Read more about government cloud

These member states are described in the report as being home to some of the “few existing real-life case studies of governmental clouds in Europe” today.

However, former CloudStore leader for the G-Cloud programme, Mark Craddock, said Enisa’s take on the accreditation process for would-be G-Cloud providers is a little off.

For example, the report states G-Cloud membership is based on an accreditation process, but – according to Craddock – this often takes place after a supplier has been appointed.

“It seems [Enisa] have made some assumptions about the process, which are fair, but the practice is a little different,” he said. “Services are not accredited, but the contract does specify that those checks will be carried out.”

But, with around 20,000 services now offered via G-Cloud, Craddock admitted these checks are going to take a lot of time. “With 20,000 services, some will never get checked,” he said.

Craddock explored G-Cloud’s “assurance verification” procedures in a recent blog post, and highlighted just how time-consuming the accreditations process can be.

“There are 16,000+ services within the framework, which would take about 1,000 days’ effort to carry out assurance verification. Services can be updated anytime during the framework, so the amount of effort for assurance verification is vast," he wrote in the post.

Despite Craddock’s reservations, analyst and director of market watcher Quocirca, Bob Tarzey, said the fact Enisa considers the UK a prime example of cloud security best practice should instil confidence in public sector buyers.

“If the EU, which is a zealous guardian of citizen privacy, is holding up the UK's approach to cloud as an example – that cannot be bad,” he said.

Read more on Cloud security

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

The worst combinations I have ever seen in business are when one organization that does not understand the product they are even selling try to sell to another group of executives that do not understand the work the product will support. It is physically painful.

The story here, looking to guidance to the UK government - the people that gave us PRINCE2, seems comical. Eventually we'll get some vague, unvalidated, never-done advice that has no reference implementation. I suppose some consultants will make some money selling compatibility, and some auditors make some money asking a list of questions made up by yet another consultant.

Really, tho, if we didn't do any of this at all, would be worse off? 

Aside from the industries this "work" advances, I don't think so.

Judgemental today, I know. :-)