Roman Sakhno - Fotolia

CSA introduces security frameworks for government cloud security

The Cloud Security Alliance's new frameworks for the European Union offer baseline security measures for government agencies worldwide deploying secure cloud services.

The Cloud Security Alliance this week debuted new security frameworks to help governments in Europe and beyond...

better secure their cloud computing implementations.

The cloud security frameworks, which were developed in conjunction with the European Union Agency for Network and Information Security and research university TU Darmstadt in Germany, were released in a new report titled Security Framework for Governmental Clouds. The report recommends that government agencies prepare a cloud strategy that focuses on security and adopt baseline security measures for all cloud deployment models.

"The idea was to provide a guidance for countries starting at zero about what you're supposed to do to secure your clouds," said Daniele Catteddu, managing director of EMEA for the CSA. "Different regions have different levels of maturity with information technology and cloud, so we wanted to provide a basic framework for EU member states starting the cloud migration process."

Planning key to government cloud security

The frameworks, designed specifically to help European Union governments secure their use of cloud computing but applicable beyond the EU, include four primary phases and nine security activities for securing government cloud.

The first phase, titled "Plan," focuses on developing policies and a strategy for implementing cloud security controls; activities include performing a risk profile for the government agency or department, establishing security and privacy requirements it must follow, and deciding which cloud service and deployment models (SaaS, IaaS, public, private, etc.) are the best fit.

Catteddu said performing a risk assessment or risk profile is a key component of cloud migration that is often overlooked by both governments and private enterprises.

"Risk profiling for cloud security is a weak area in general, not just for governments" Catteddu said. "Even though it requires a lot of homework, it's all going to be paid back in the end."

Allen Falcon, CEO of cloud solution provider Cumulus Global in Westborough, Mass., said the picture isn't much different in the U.S. Most of Cumulus Global's government clients have an idea of what they want, but they don't have a specific roadmap for cloud migration and haven't done the due diligence around security. Therefore, Falcon said, it's incumbent on solution providers like himself to provide that guidance.

"Our approach is to educate," he said. "So we help them build a roadmap to the cloud. At some point, they're all going to need a blueprint or a plan of what they want, where they want it to go, and how they're going to get there."

Falcon said cloud security today is less of a concern for government clients, largerly because the security functionality of leading cloud services and apps has improved greatly. But even with those improvements, he said, each individual agency and department must determine what data and applications will be moved to the cloud, who will have access to them, and how those data and applications can be used.

"There are a lot of questions that still need to be asked," Falcon said. "Operational continuity of government services is a good example. Then there's the data. A lot of government data starts internal and ends up as public info, so agencies need to be careful with how data is managed."

Security controls, log monitoring and more

The next phase of the security frameworks, titled "Do," includes the selection, implementation and verification of security controls for the cloud services that have been chosen. But this is another challenging area for governments, as the report stated that none of the surveyed government clouds had defined baseline security controls based on the cloud service or deployment model chosen.

In addition, some governments, such as Spain, use self-assessments for verification rather than using independent organizations or third-party vendors, according to the report. Catteddu, however, recommended that government agencies explore independent verifications and certifications for their cloud services.

The third phase of the security frameworks, titled "Check," focuses on regular performance monitoring and evaluation of the cloud services via log monitoring and security audits.

But the report found that audits in many cases were only being performed every 12-24 months. The UK, for example, performed annual audits on G-Cloud through accredited consultants, but Catteddu argued that's not enough. 

"I'd recommend doing audits every 6-12 months for noncritical services," he said, "while critical services should be done monthly or even more frequently."

The final phase, titled "Act," focuses on the remediation of security gaps or deficiencies that are identified during the "Check" phase. This process includes SLA renegotiations or changes with cloud providers, depending on the actions needed (for example, upgrading encryption protection for cloud data). The phase may also include contract terminations with vendors and providers, as well as processes for the return of or deletion of customer data following the termination.

Overall, the report states the level of cloud adoption within EU governments "is still low," and that only Spain and the UK have defined and implemented national government cloud strategies. In addition, security standards for government clouds remain an overlooked area, according to the report.

"[V]ery few EU Member States have currently developed approaches for cloud computing based on a well-defined and thorough cloud security strategy (including risk profiles, classification of assets, security objectives and measures)," the report reads.

However, Catteddu believes the new security frameworks will help address those shortcomings and potentially help all governments deploy secure and effective cloud services. "Everyone understands the advantages that cloud services can bring, but there's still some apprehensive about moving to the cloud in the EU, depending on the country," he said. "My hope is that member states as well as governments around the world can use this framework for effective cloud migration projects."

Next Steps

Learn best practices for crafting effective cloud security controls

Find out why security experts are pushing for global data privacy standards for the cloud

Dig Deeper on Cloud Computing Frameworks and Standards