Using cloud computing (rather than setting up your own hardware) is often much more convenient for citizens, cheaper and more flexible for businesses, and offers a hundred-billion euro boost for our economy. So all together the cloud means jobs for Europe: potentially a net gain of 2.5 million. Our cloud computing strategy is all about ensuring Europe can capture that boost; the EU's leaders have agreed how important this is. Today we take another step forward in building that trust.
One of the obstacles to making the most of the cloud can be a lack of user trust; particularly about the security of systems (and for both individual users and businesses). Even though using the cloud can make your system safer, valid questions remain. What can I expect from my cloud provider? If I put my data into the cloud, will I lose control? Who is responsible for what happens to it? Will the data stay confidential, available, and maintain its integrity?
Many of those questions can be addressed by proper certification: schemes for adequate standards that are transparent and centred on the customer. Certification can never be a 100% guarantee – and indeed if not correctly used, it could provide a false sense of security. But it does give you a framework to assess and mitigate risks.
There are already a number of those schemes on the market relating to network and information security; some of them are also relevant to the cloud. But in some cases the relevance is only partial; and indeed the need to compare and make a choice can, in itself, be confusing.
As set out in our cloud strategy, we have been working with the EU's Network and Information Security Agency ENISA — and with the industry — to find out how the certification schemes already "out there" could help potential cloud users decide how secure different solutions are.
Based on those existing schemes, ENISA has now delivered a list of certification schemes for the cloud. Rather than merely listing schemes, ENISA has checked what each scheme is, what standards and specifications it uses, and who actually provides the assurance (e.g. a third party, or the company concerned itself via self-certification). In short, the list gives potential cloud customers more transparency about certification schemes and how they relate to the cloud.
Publishing this list means more transparency and less confusion. But it’s only a first step, and work in progress; there are plenty of schemes to be added over the coming months. And we will continue to make the list more relevant to the different ways the cloud can be used. For example, "mapping" users' security objectives to the listed schemes, so they can assess and compare different schemes and offers on the market based on their own specific requirements.
Over time we can also expect to fill in gaps and address overlaps: more transparency will help the market for certification to evolve. This should make it simpler for cloud users—whether private, business or public sector—to find the exact scheme they need.
See the list at https://resilience.enisa.europa.eu/cloud-computing-certification.