Putting Trust Into the Cloud: an EU/ENISA Project

A study undertaken by Ponemon for Axway demonstrates the depth of corporate concern over the use of public cloud services. The research questioned 621 IT professionals about the use of public cloud services, and found that 89% are unlikely to know if data is lost through the cloud, 80% are concerned about negative consequences from the loss of intellectual property, 69% probably don't know whether staff are using the public cloud, 66% consider the practice risky, and nearly 50% believe popular cloud-sharing services are unsuitable for business.

Although this survey was specifically looking at public cloud file-sharing services (such as Dropbox, Box and Drive), the results are indicative of one of the biggest blocks to increased use of cloud services in general: a lack of confidence. It is an issue being tackled in Europe, as part of the European Cloud Strategy, by a joint project between the Digital Agenda and ENISA (the European Union Agency for Network and Information Security).

"One of the obstacles to making the most of the cloud," explained Neelie Kroes, vice-president of the European Commission and in charge of the Digital Agenda, "can be a lack of user trust; particularly about the security of systems (and for both individual users and businesses). Even though using the cloud can make your system safer, valid questions remain. What can I expect from my cloud provider? If I put my data into the cloud, will I lose control? Who is responsible for what happens to it? Will the data stay confidential, available, and maintain its integrity?"

She was announcing completion of the first phase of Europe's solution: cloud certification. Cloud certification schemes already exist, but they are disjointed and incomplete; and not necessarily understood by users. ENISA's first task has been to gather and analyze the existing schemes. "ENISA has checked what the schemes are, what standards and specifications they use, and who actually provides the assurance (e.g. a third party or the concerned company itself via self-certification). In short, the list gives potential cloud customers more transparency about certification schemes and how they relate to the cloud," she explained.

More specifically, ENISA announced today the publication of a list of certification schemes for the cloud: the Cloud Computing Certification Schemes List, or CCSL. "The Agency has investigated: the specific certification schemes (based on the EU Cert.-SIG feedback); what standards and specifications they certify against; and who actually provides the assurance," it announced. "This gives potential cloud customers more transparency about existing certification schemes and how they relate to the cloud."

The intent is nothing less than to provide trust in cloud services by providing an authoritative reference point for the security claims made by providers. A service that is certified by one of the certification schemes included can immediately be checked against the certification details held in the CCSL – which so far includes ISO 27001 certification, the Open Certification Framework, the EuroCloud Star audit, the TUV Certified Cloud Service, and the Security Rating Guide.

"It’s only a first step, and work in progress," explained Kroes; "there are plenty of schemes to be added over the coming months. And we will continue to make the list more relevant to the different ways the cloud can be used. For example, 'mapping' users' security objectives to the listed schemes, so they can assess and compare different schemes and offers on the market based on their own specific requirements."
