With security concerns still trotted out as a major inhibitor to the adoption of Cloud Computing, the European Union’s cyber security agency, ENISA, has weighed in with a new report on Governmental Cloud Computing that might upset the anti-federalists.
Addressing security concerns, the Agency unsurprisingly concludes that private and community Clouds appear to be the solutions that best fit the needs of public administrations if they need to achieve the highest level of data governance.
The report argues: “In legal and data governance terms, certainly public clouds represent the most risky solution when compared with community and private clouds, for the following reasons:
* Cloud owners (public Cloud providers) and users (public bodies) have different missions and interests that can sometimes be in conflict.
* Public Clouds can be owned by non-EU companies.
* Public Cloud providers offer a lower degree of transparency about their security and resilience measures compared to any other cloud options or internal IT.
* Cloud providers are not obliged to report on security and resilience incidents, and while it is possible for users to identify incidents that have an impact on service availability, identifying breaches of integrity, confidentiality and data protection and their impact is not an easy matter.”
But more controversially, at a time when national governments are still struggling with their local Cloud strategies, the EU is pitching for a Euro-Cloud, arguing that “National governments and the EU institutions should investigate the concept of an EU Governmental Cloud”.
This is a logical extension of the May 2010 commitment by the European Commission in its Digital Agenda for Europe, which states ‘… the Commission will…establish an EU strategy for Cloud Computing notably for government and science’.
ENISA addresses the issues that existing national laws and regulations in the Member States of the European Union currently impose, particularly restrictions on moving data outside national territory.
It notes that the main questions that each public organisation and each EU central government must address are:
* Whether current legal frameworks can be changed to facilitate the communication, treatment and storage of data outside national territory without exposing citizens’ security and privacy, or national security and the economy, to unacceptable risks;
* If so, whether moving citizens’ data outside the national territory is a risk that may be undertaken;
* Whether the trade-off between the risks of losing control over data and the beneficial effects of geo-distribution is positive for them.
With this backdrop, ENISA recommends “national governments and European Union institutions to further investigate the concept of a European Governmental cloud as a supra national virtual space where a consistent and harmonized set of rules could be applied, both in terms of legislation and security policy and where interoperability and standardization could be fostered. Moreover such a European Union wide infrastructure could be used in the context of a pan European mutual aid and assistance plan for emergencies”.
Whatever the outcome of such proposals longer term, ENISA wants national governments to bear in mind the bigger picture aspect when devising their own local strategies. It argues: “It is not unrealistic to assume that Cloud Computing, in all its possible implementations, will serve, in the near future, a significant portion of European Union citizens, small and medium-sized enterprises and public administrations, and therefore the Cloud infrastructures from which services are provided should be protected as such. In other words, a national strategy for Cloud Computing should aim to understand and address, among other issues, the effects of national and supra-national clouds interoperability and interdependencies.”
To that end, it recommends: “National governments should prepare, in the context of a wider EU approach, a strategy on Cloud computing that takes into account the implications for security and resilience that such service delivery models will have in the context of their national economies and services to citizens over the next 10 years.
“The early adopters in each Member State should be seen as possible test beds, but it will be essential to have, at least at a national level, a coherent and harmonized approach to Cloud Computing in order to avoid:
1) the proliferation of incompatible platform and data formats (lack of service interoperability),
2) an inconsistent approach to security and resilience, including an inconsistent and inefficient approach to risk management, and
3) a lack of critical mass.”