How will a new guide to procuring cloud services for government help the private sector? Ian Murphy takes a look.

The Cloud Security Alliance (CSA), ENISA and TU Darmstadt have provided a step-by-step guide for the procurement and secure use of cloud services.

This report comes after the European Agency for Network and Information Security (ENISA) closely analysed the state of governmental cloud deployment in 2013.

The lessons from that study no doubt shaped much of the advice in this latest report which runs to 40 pages.

The report along with the questionnaire templates and two sample case studies can be downloaded for free from the link above.

All three documents are worth reading, especially the case studies as they show two different approaches to cloud adoption comparing the approaches of the UK and Spain.

This report describes a framework that is modelled into four phases, nine security activities and fourteen steps.

The authors believe every member state should follow in order to define and implement a secure Gov Cloud.

This is no academic exercise. The authors have validated the generic security framework through the analysis of four Gov Cloud case studies – Estonia, Greece, Spain and UK.

While another report on cloud might seem only mildly interesting to most readers, this one is different.

The focus of the report is on how a security framework that is fit for governmental clouds. Ultimately, if such a framework is viable for governmental cloud at a reasonable or at least not excessive cost, then it is also valid for private companies.

One group that are likely to be particularly interested in implementation are Cloud Service Providers (CSPs) and Cloud Brokers (CBs) looking to win business from governments.

One of the early facts from the report is that few European countries are actually at an executional stage in terms of adopting cloud computing.

The more advanced have anchored the adoption of cloud computing in the public sector as a national strategy. Despite this, it will take several years before full implementation is achieved.

In terms of adoption those governments already working on cloud have adopted several cloud deployment models. Community and private cloud are the most common with public and hybrid cloud also being adopted. In terms of cloud service models, Software as a Service (SaaS) and Infrastructure as a Service (IaaS) are the most common but Platform as a Service (PaaS) is not far behind and likely to become more important going forward.

In terms of cloud e-Government services, email topped the list with a wide range of different services ranging from backup/archive, Identity as a Service (IDaaS), collaboration, office applications, public information repositories and citizen participation are also on the list.

Some countries are already a long way down the line with some of these services. However, it is clear that all of these have two underlying technology requirements – security and privacy.

In the UK, the government has take the step of drastically overhauling the different security classifications for government data in order to make it easier for service providers to build secure systems. There is a serious lesson here for many corporates.

Large organisations have invested heavily in data classification systems that often become overly complex and an inhibitor to conducting business. While reviewing risk and looking at what data needs to be protected and how, simplification makes it much easier to build a secure solution.

Security is not an easy issue to solve. Germany, for example, has very strong privacy and security rules.

As a result, there has been a rush of service providers looking to build data centres in Germany in order to hold data from German companies.

It is interesting that Germany is so concerned about the inability of other countries to protect data that they are espousing a Germany first rather than an EU first policy.

While not using the same language or legal requirements as Germany, many members of the UK government are moving to a similar position as Germany. For example, a recent survey among parliamentarians in the UK showed that the idea of government data, both local and national, being stored in offshore data centres, including those located in other EU countries, was seen as being an inhibitor to a greater take-up of cloud computing.

While neither of these are mentioned in the report, they do highlight the need for the EU to take this report seriously.

The report does look at security requirements and the need to meet compliance requirements and makes the case that these may differ depending on whether the cloud infrastructure and management are done by the government or by a third party.

Section three of the report, running to eleven pages, deals explicitly with the Security Framework, the roles, the logic model, the plan, do, check and act phases. This draws on the experience of the four governments named above and uses some of their decisions to highlight key issues.

This section looks at inputs, plan activities and outputs and how they relate to risk profiling, architectural model and the security and privacy requirements. For experienced IT managers, many of these steps are no different to the decisions they would have made when outsourcing systems or working with system integrators.

What is different here is that outsourcing focuses on entire systems while cloud focuses on services. Services are more agile, flexible and are likely to be provided by multiple companies rather than a single outsourcer or system integrator.

Section four which deals with the framework through use cases then takes all of those steps in section three and applies them to four governments.

One of the most powerful parts of this report is hidden away here where the case studies are applied to plan, do, check and act phases. The different approaches of national governments is highlighted here and proves what many private companies and CSPs already know, while cloud at its more simple is about commoditisation and common approaches, the reality is that there is more than one way to solve the problem.

The report draws six conclusions:

• Despite considerable efforts from the EC, ENISA and other international organisations and market actors (e.g. CSP’s) the level of adoption of Gov Clouds is still low. Some EU MS have already defined a Cloud strategy, some others show a tactical or opportunistic adoption of Cloud services, but very few (actually only UK and Spain) have defined and implemented a national wide Cloud strategy. This security framework will be one more reason to support the systematic adoption of Cloud security strategies and actual governmental cloud deployment.
• The report’s analysis made evident that “common security denominators” exist across the MS deployed Gov Clouds, in particular related to aspects like defined roles, use of standards, and adopted security controls. It is our expectation that the discovered commonalities will be the basis to develop homogeneous security best practices, SLA’s and contracts for Gov Clouds in the short term.
• The analysis of the input collected from Estonia, Greece, Spain and UK also shows that these Gov Clouds apply different practices in the registration of evidences, selection of monitoring tools, SLA violation management, types and frequency of performed audits, and accreditation procedures.
• From the consideration of change-management practices, all the use cases portend mechanisms for the continuous improvement of the implemented security frameworks (policies, mechanisms).
• The analysed Gov Clouds have established policies for incident management. However, the adopted approaches do not directly appear under the ACT phase, but are scattered among the other stages of the framework. This means that incident management is not only one step in the lifecycle but is a horizontal activity that has to be considered in all different stages.
• The security framework proposed in this report (a) encompasses the analysed Gov Clouds, and (b) is projected to be flexible for extension and adaptation to new security needs and requirements from other Gov Clouds in the EU. This was demonstrated by its empirical validation through four selected use cases. This framework is also meant to be used during the design phase of new Gov Clouds, as it contains specific guidance related to different security features/best-practices that should be taken into account by practitioners and Cloud security architects. On the other hand, the framework can be also used by existing Gov Clouds as a baseline for analysing side-by-side different deployments from MS.

While the report proposes a security framework it does not go as far as saying that there is a need for the EU to adopt the framework as a matter of urgency. That is unfortunate because without a coherent, EU-wide approach to cloud security, there will inevitably be gaps in security which will make it easy for hackers and others to exploit.

It also means that companies that are looking to operate across the EU offering cloud solutions to different governments will continue to have to work with a complex mesh of different and even conflicting requirements from different governments. For cloud to deliver everything it promises and for the EU to become a leader in the use of technology from government to large enterprise, SME to consumers, it has to ensure that is sets the gold standard for a security framework.

This report starts that process but it is now up to EU ministers to take it further and create formal policies that can be enacted by member states.