
ENISA’s Role in Implementing the EU Cloud Strategy

Submitted on 27 Mar 2013 – 16:12

By Steve Purser, ENISA

In its Cloud Strategy[1] the European Commission recognizes the great potential benefits of Cloud computing, but also the obstacles on the way to reaping these benefits. Security is not the least among the concerns cited frequently in this context. The European Commission has asked the European Network and Security Agency (ENISA) to provide advice and support in implementing the Cloud Strategy. This article takes a look at ENISA’s past work in the area of Cloud computing and outlines how ENISA will be contributing to the implementation of the Cloud Strategy.

ENISA in the Cloud Strategy

In the Cloud Strategy, the European Commission states that it will

Work with the support of ENISA and other relevant bodies to assist the development of EU-wide voluntary certification schemes in the area of cloud computing (including as regards data protection) and establish a list of such schemes by 2014.

In this context, ENISA is currently compiling an initial survey of existing certification schemes that are applicable to Cloud services. This initial list will be validated by an expert group consisting of leading experts from EU governments and industry, and will be presented to the European Commission in the course of this year.

ENISA is also actively engaged in the process initiated by ETSI at the request of the European Commission, with the aim of establishing a detailed map of the necessary standards (inter alia for security, interoperability, data portability and reversibility). Furthermore, ENISA will assist the European Commission in running the European Cloud Partnership by providing expert advice and supporting information.

ENISA’s Previous Work on Cloud Computing

ENISA took up the topic of Cloud computing in 2009 with an assessment of Cloud computing risks[2] and an information assurance framework[3] for Cloud computing. The topic of governmental Clouds was already covered in 2011 with a report on security and resilience in governmental Clouds[4] and a review of security parameters in service level agreements in governmental Clouds[5].

In 2012, ENISA published another study covering service level agreements and monitoring, and a report on the critical infrastructure aspect of Cloud services:

Procure Secure – Monitoring Security Service Levels in Clouds

The “Procure Secure”[6] guide to monitoring of security service levels in cloud contracts provides advice on the questions to ask about the monitoring of security. The goal is to improve public sector customers’ understanding of the security of cloud services and of the indicators and methods which can be used to provide appropriate transparency during service delivery. One-off or periodic provider assessments are a vital component of effective security management. However, they are insufficient without additional feedback in the intervals between assessments: they do not provide real-time information, regular checkpoints or threshold-based alerting, as covered in this report.

The “Critical Cloud”[7] report looks at Cloud computing from a Critical Information Infrastructure Protection (CIIP) perspective. We look at a number of scenarios and threats relevant from a CIIP perspective, based on a survey of public sources on the uptake of Cloud computing, large-scale cyber attacks and disruptions of Cloud computing services. The key messages of the report are:

  • Critical infrastructure: Soon, the vast majority of organisations will use cloud computing, notably also in critical sectors like finance, energy and transport. Cloud services are themselves becoming a critical information infrastructure.
  • Natural disasters and DDoS attacks: A benefit of Cloud computing is resilience in the face of natural disasters and Distributed Denial of Service (DDoS) attacks, which are difficult to mitigate using traditional approaches (servers on site, or a single data centre).
  • Cyber attacks: Cyber attacks exploiting software flaws can cause large data breaches, affecting millions of users, because of the large concentration of users and data. Physical redundancy does not safeguard against attacks of this kind, such as data breaches exploiting software flaws.

The report also provides nine recommendations for bodies responsible for critical information infrastructures. Key points: Include large Cloud services in national risk assessments, track cloud dependencies, and work with providers on incident reporting schemes.

ENISA’s 2013 Projects on Cloud Computing

In 2013, ENISA is again working on the topic of securing governmental Cloud computing infrastructures across the EU and looking into whether and how an incident reporting scheme for Cloud computing providers should be implemented.

In consultation with EU Member states’ competent authorities (e.g. NRAs and cyber security agencies), ENISA will take stock of existing national strategies for implementing governmental Cloud infrastructures across various public sectors. The agency will identify and assess all existing preparedness, response and recovery measures already deployed to protect the assets and services of such Clouds. Based on ENISA’s past work and in consultation with experts from both the public and private sectors, the agency will recommend to EU Member states good practices on how to securely design, pilot and deploy governmental cloud infrastructures and protect them from malicious attacks and other threats. The recommendations will be categorised according to deployment models (public, private, hybrid and community Clouds) and service models (IaaS, PaaS and SaaS). Such recommendations, if consistently adopted by a critical mass of EU Member states, could be used as public procurement guidelines and thus raise the level of security of both governmental and private cloud services across the EU.

ENISA’s recommendations for governmental clouds will allow Cloud computing providers to cater for different EU Member states more easily, without having to adjust their cloud technology to different requests in different countries. EU Member states could use ENISA’s recommendations in their procurement processes and switch more easily from one cloud provider to another. The adoption of these recommendations across EU Member states will allow them to procure from service providers in other EU countries, paving the way for a single digital market.

Concerning incident reporting, ENISA will evaluate and technically assess how and under which conditions an incident reporting scheme could be implemented for Cloud computing providers. As usual, this will be done in close co-operation with EU Member states’ competent authorities, NRAs and industry. ENISA’s experience with Article 13a will underpin the efforts of this study and make sure it delivers useful, practical and affordable recommendations to be used by policy makers and regulators in the context of the EU cyber security strategy[8].

[1] COM(2012) 529 “Unleashing the Potential of Cloud Computing in Europe” http://ec.europa.eu/information_society/activities/cloudcomputing/docs/com/com_cloud.pdf

[2] https://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-risk-assessment

[3] https://www.enisa.europa.eu/activities/risk-management/files/deliverables/cloud-computing-information-assurance-framework

[4] https://www.enisa.europa.eu/activities/risk-management/emerging-and-future-risk/deliverables/security-and-resilience-in-governmental-clouds

[5] https://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/survey-and-analysis-of-security-parameters-in-cloud-slas-across-the-european-public-sector

[6] https://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/procure-secure-a-guide-to-monitoring-of-security-service-levels-in-cloud-contracts

[7] https://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/critical-cloud-computing

[8] JOIN(2013) 1 final “Cybersecurity Strategy of the European Union: An Open, Safe and Secure Cyberspace”