
What can enterprises learn from the new EU cloud security framework?

Expert Dan Sullivan outlines key takeaways enterprises should learn from the European Union's cloud security framework recommendations.

The Cloud Security Alliance recently released a new cloud security framework for the European Union, outlining baseline security measures government agencies should deploy. Could these frameworks benefit enterprises, and if so, what are the key components that non-government enterprises should also adhere to?

The Cloud Security Alliance and European Union Agency for Network and Information Security (ENISA) have compiled a set of recommendations in a cloud security framework for European Union (EU) governments. The recommendations discuss some EU- and government-specific topics, such as the possibility of a European Government Cloud and an assessment of EU member cloud maturity, but most of the report is generally applicable to cloud security across application domains.

The most generally applicable parts of the report center on a logical security framework. The framework uses widely accepted roles, including cloud owner, cloud service provider and cloud customer. The cloud owner in the context of the report is a government; this is less relevant to enterprise cloud users than the other two roles.

The report also outlines a four-stage lifecycle for developing and deploying government clouds: planning, implementation, review and evaluation, and remediation.

During the planning phase, participants set policies and define strategies for implementing security controls. This process should include risk profiling, assessing security and privacy requirements, and developing a service model and architecture to support deployment.

Security controls are selected during the implementation phase. Participants should perform a readiness or capabilities assessment at this point as well. A review and verification of security controls and policies by a third party (e.g., auditor or security consultant) may also be done at this point.

Review and evaluation is an ongoing process while a cloud is in use. This phase includes logging and monitoring to confirm that the implemented policies and procedures work as expected. Monitoring and logging are, of course, also essential for detecting security events. Audits are also performed during review and evaluation.

The EU framework explicitly calls for a remediation phase, since monitoring and auditing may reveal weaknesses in current practices and implementations. The framework also discusses change management and exit management; the former is widely practiced, the latter much less so. Exit management is especially important when a government or enterprise terminates a cloud contract. A number of critical areas should be addressed when planning for an exit, including how data will be deleted, how access control and identity information will be protected, and how service continuity will be maintained.

The ENISA cloud security framework is widely applicable and complements other cloud security resources, such as security best practices documented by cloud providers like Amazon Web Services.
