On April 1st, the EU (via ENISA) published
“Procure Secure: A guide to monitoring of security service levels in cloud contracts”. This guide follows the USA “Federal Risk and Authorization Management
Program” (FedRAMP), published in February 2012 (see our comment on 2012-mar-16).
The purpose of FedRAMP is to:
- ensure that cloud-based services have adequate information security;
- eliminate duplication of effort and reduce risk management costs;
- enable rapid and cost-effective procurement of information systems/services for USA federal agencies.
On the other hand, the purpose of the EU “Procure
Secure” guide is to advise on the questions to ask about the monitoring of security in
cloud contracts. The goal is to improve public sector customers' understanding of
the security of cloud services and of the potential indicators and methods which
can be used to provide appropriate transparency during service delivery.
Both reports are based on, and
share, similar points:
- A key element to successful implementation of cloud computing is a security program that addresses the specific characteristics of cloud computing and provides a level of security commensurate with the specific needs to protect government information. Effective security management must be based on risk management and not only on compliance. By adhering to a standardized set of processes, procedures, and controls, public agencies (and companies) can identify and assess risks and develop strategies to mitigate them.
- One-off or periodic provider assessments, such as ISO 2700x, SSAE 16 or ISAE 3402, assure that for the evaluation period a certain set of controls and procedures was in place. These assessments are a vital component of effective security management. However, they are insufficient without additional feedback in the intervals between assessments: they do not provide real-time information, regular checkpoints or threshold-based alerting, as covered in the ENISA guide.
- The main focus is on the public sector, but much of the guide is also applicable to private sector procurement.
However, beyond the different levels of development
of the two programmes, in my opinion the main difference is that the USA programme
starts with a disruptive event: the Cloud First policy, which requires USA
federal agencies to use cloud-based solutions whenever a secure, reliable,
cost-effective cloud option exists (published on December 9, 2010, when
the Office of Management and Budget (OMB) released the 25
Point Implementation Plan to Reform Federal Information
Technology Management). In
Europe we lack such a cloud policy, although the UK government has
stepped in that direction by creating the ”UK CloudStore”, a system designed to make the
process of selecting software services simpler and, crucially, cheaper for UK
public sector procurement officers (see my comment on 2012-mar-05).
I think we need an EU Cloud First Policy (or
something like it) to foster the cloud market, both the cloud providers and the
cloud-consuming companies, as well as cloud research & development
investment.
In summary:
a good step in the right direction, but not enough ...