ENISA launches cloud certification framework

The European Union has introduced a new scheme to help customers negotiate the security minefield when buying cloud services.


A lack of security is widely held to be the leading inhibiting factor preventing companies from adopting cloud. However, trying to ascertain which clouds are secure and which ones aren't can be problematic, given the large numbers of providers.

EU agency ENISA aims to solve this problem by launching what it calls a metaframework (the Cloud Certification Schemes Metaframework, or CCSM). This first version of CCSM is based on 29 documents from 11 countries (including the UK, Germany, Italy, the Netherlands and Spain), covering 27 security objectives, and maps these to five cloud certification schemes. The CCSM follows the Cloud Certification Schemes List (CCSL), which was launched last year. And CCSM is already being used: the European Commission announced that it had put a large cloud services procurement contract out to tender, one that builds upon the 27 security objectives of CCSM.

ENISA claimed that the tool would help provide more transparency about cloud certification, giving guidance to customers over cloud procurement.

Udo Helmbrecht, executive director of ENISA, said: “Cloud security is an important issue for both private and public sector customers in the EU. Obviously certification does not solve all the security issues, but it can simplify some of the procurement steps. This tool helps customers use existing certification schemes and it also offers cloud service providers a format for explaining security measures they take to protect their services.”

However, Mark Craddock, the former lead for the UK government's CloudStore, says that the real winners would not be corporate customers. Yes, he said, it may help corporates to select a security standard, but it would really provide a boost to cloud vendors “as it would allow them to differentiate on security and ENISA as they would get to control the security market.”

Clive Longbottom, senior analyst with Quocirca, applauded the approach when speaking to SCMagazineUK.com. “It's a reasonable starting point. If anyone took it as the be all and end all for their security needs, they would be opening themselves up for trouble as the security landscape changes so often. However, to take the CCSM guidelines and use them as a basic means of base-lining and benchmarking possible providers makes sense.”

Both Craddock and Longbottom agree, however, that the ENISA approach is just a starting point. “Where a provider does not meet the guideline criteria, it may be that they have a better way of doing things – it just sets out some good practices for not only the public sector, but also private companies, to consider,” said Longbottom.

There are a lot of EU initiatives around cloud at the moment, all following the launch of the EU cloud strategy by EU commissioner Neelie Kroes in September 2012, the idea being to have one single framework for cloud computing across Europe, thus simplifying the procurement process.

The ENISA announcement can be seen as fitting into this wider strategy, but Craddock had a warning for the UK government – or any European government looking to follow its own path. “There's a staggering amount of work going on in the EU around cloud, there is a danger with the current UK approach that we could get left behind … or we support Betamax, when the EU goes with VHS.”