Cloud Computing Security Addressed in EU Paper
Many Recommendations Applicable to U.S. Governments, Hospitals
The 146-page report from the European Union agency, Security and Resilience in Government Clouds: Making an Informed Decision, sets out a decision-making model that senior management can use to determine how operational, legal and information security requirements drive the choice of the architectural solution that best suits their organization's needs.
"Effectively managing the security and resilience issues related to cloud computing capabilities is prompting many public bodies to innovate, and in some cases to rethink, their processes for assessing risk and making informed decisions related to this new service delivering model," the paper says.
The report's main objectives are to highlight the pros and cons, with regard to information security and resilience, of community, private and public cloud computing delivery models, and to guide public bodies in defining their information security and resilience requirements when evaluating cloud computing service delivery models.
Among the paper's recommendations:
- Assess their risks and define their requirements (possibly using those suggested in the report as a starting point) in order to identify which cloud solution matches their needs. Administrators should also consider human factors and legal frameworks.
- Review existing information security management policies and processes and assess how these would be addressed or supported in various cloud models.
- Define acceptable levels of service for their requirements, that is, a benchmark for parameters such as availability and response time. These benchmarks are then used to measure the performance of the services delivered.
- Identify the set of controls, and the degree of specificity required of each, needed to reach a minimum acceptable level of data assurance and service resilience.
- Guarantee that all the essential security, resilience and legal requirements are detailed in their service level requirements and specified in their service level agreements.
- Provide tools, methodologies and governance structures to assure due diligence.
- Ensure that satisfactory telecommunication connections and critical dependencies, such as electricity, processing power and storage capacity, are guaranteed and maintained.
- Check the priority for the resumption of third-party communications and cloud services in the event of a disruption.
- Test the business continuity plan along the whole services supply chain.