ENISA’s new report proposing a “Security Framework for Governmental Clouds” may be more widely useful than its title and explicit scope suggest. Chapter 3 of the report suggests something pretty close to a project plan that any organisation could use to assess which applications and data are appropriate to move to a cloud service, what security measures they require, and which cloud models and services can provide them.
Being based on the Deming “Plan-Do-Check-Act” cycle, the report also identifies the need for monitoring and corrective measures (Check and Act stages). Here the most detailed information is in the Chapter 4 case studies, which indicate the types of monitoring, auditing and certification that four countries (including the UK) apply to their Government clouds. The report suggests some categories for these activities, but the variety of approaches actually taken suggests that the right level of monitoring/audit/certification may actually depend on the types and levels of risk identified for particular applications.