On April 1st, the EU (via ENISA) published “Procure Secure: A guide to monitoring of security service levels in cloud contracts”. This guide follows the USA “Federal Risk Assessment Program” (FedRAMP) published in February 2012 (see our comment on 2012-mar-16). The purpose of FedRAMP is to:
- ensure that cloud based services have adequate information security;
- eliminate duplication of effort and reduce risk management costs;
- and enable rapid and cost-effective procurement of information systems/services for USA Federal agencies.
On the other hand, the purpose of the EU “Procure Secure” guide is to advise on the questions to ask about the monitoring of security in cloud contracts. The goal is to improve public sector customers' understanding of the security of cloud services and of the indicators and methods that can be used to provide appropriate transparency during service delivery.
Both reports are based on, and share, similar points:
- A key element to successful implementation of cloud computing is a security program that addresses the specific characteristics of cloud computing and provides the level of security commensurate with specific needs to protect government information. Effective security management must be based on risk management and not only on compliance. By adhering to a standardized set of processes, procedures, and controls, public agencies (and companies) can identify and assess risks and develop strategies to mitigate them.
- One-off or periodic provider assessments, such as ISO 2700x, SSAE 16 or ISAE 3402, assure that for the evaluation period, a certain set of controls and procedures was in place. These assessments are a vital component of effective security management. However, they are insufficient without additional feedback in the intervals between assessments: they do not provide real-time information, regular checkpoints or threshold based alerting, as covered in this report.
- The main focus is on the public sector, but much of the guide is also applicable to private sector procurement.
However, besides the different development level of both programmes, in my opinion the main difference is that the USA programme starts with a disrupting event: the Cloud First policy, which requires USA federal agencies to use cloud-based solutions whenever a secure, reliable, cost-effective cloud option exists (published on December 9, 2010, when the Office of Management and Budget (OMB) released the 25 Point Implementation Plan To Reform Federal Information Technology Management). In Europe we lack that cloud policy, although the UK government has stepped in that direction by creating “UK CloudStore”, a system designed to make the process of selecting software services simpler and, crucially, cheaper for UK public sector procurement officers (see my comment on 2012-mar-05).
I think we need an EU Cloud First Policy (or something like it) to foster the cloud market, both the cloud providers and the cloud consumer companies, as well as cloud research & development investments.
In summary: a good step in the right direction, but not enough …