Thoughts on the ENISA Governmental Clouds Report

A report released this month by the European Network and Information Security Agency (ENISA) has investigated the utility and applicability of cloud services for governments across Europe. The report, entitled Security and Resilience in Governmental Cloudsaims to provide a decision making model that can be used by governments and other public bodies, to assess the information security challenges posed by cloud computing and to guide them in the definition of their requirements when planning such a migration. All in all it is a thorough piece of work and should absolutely be on the recommended reading for anyone; private enterprises included, considering the commercial benefits of cloud. Cloud computing offers a number of benefits to public bodies, including high performance, resilience and security together with cost efficiency. The report highlights that effectively managing the security and resilience issues related to cloud computing capabilities is prompting many public bodies to rethink their processes for assessing risks. One conclusion of the report though did seem at best premature, if not a little under researched. The report recommends: “its [public cloud] adoption should be limited to non-sensitive or non critical applications and in the context of a defined strategy for cloud adoption which should include a clear exit strategy.” On the face of it this is sensible advice but unfortunately the report does not go on to address the strategies and technologies that exist to mitigate these risks, making public cloud a viable and secure platform for enterprises and public bodies alike. The multi-tenanted nature of public cloudmeans that organisations need to be able to reduce their effective perimeter to the edge of their virtual machine, segmenting their systems away from other customers. The service provider’s network should be treated as public. The challenge of data security in public clouds has typically been complex to answer, as encryption services are usually managed by the cloud provider. Organisations need the ability to segment their data away from other customers but also away from the service provider. Service providers need that too, otherwise they risk inheriting some serious liability. Data should be provisioned to the cloud in an encrypted format, the data owner should retain ownership and control of the keys and only the customer’s own machines should be able to get access to those keys ensuring that the data is only ever in-the-clear inside the secure perimeter of their own virtual machines. However, encryption is trickier than it looks, though. Exactly how secure does your encryption need to be? And how secure will today’s tapes need to be in five years, a not uncommon legal retention requirement. Who will have access to encryption keys and how will they, in turn, be secured? This needs a systematic approach. Data encryption, which engineered for the cloud and managed by the customer and not the service provider, is a business enabler. It accelerates adoption of cloud services, drives down costs, and allows regulatory and legislative compliance. It means you no longer have to worry about how you’re going to delete the cloud when you decide to change service provider.