01:00 PM
Dark Reading
Dark Reading
Products and Releases

Cloud Security Alliance Announces Release of Security Framework for Governmental Clouds

Report jointly developed by CSA, ENISA and TU Darmstadt Provides Step-by-Step Approach for the Procurement and Secure Use of Cloud Services

Edinburgh, UK – March 2, 2015  The Cloud Security Alliance (CSA), announces the release of a new report aimed at providing guidance to European Member States on how to develop a security framework for managing the risk in Governmental Clouds. The Security Framework for Governmental Clouds, a collaboration by CSA Europe, the European Union Agency for Network and Information Security (ENISA) and TU Darmstadt, provides Member States with a step-by-step guide for the procurement and secure use of cloud services.

“This study is the result of great collaboration between CSA, ENISA and TU Darmstadt,” said Daniele Catteddu, Managing Director, EMEA for the CSA. “We hope that the results of this study will make a tremendous difference for not only government bodies in European countries, but also any country government, that may be struggling in defining its security posture in the cloud. By implementing this framework, government bodies can now more confidently adopt cloud services, while maintaining risks at an acceptable level.”

The Security Framework for Governmental Clouds addresses the need for a common security framework when deploying Government Clouds and builds on the conclusions of two previous ENISA studies.  The framework is structured into four phases, nine security activities and fourteen steps that detail the set of actions Member States should follow to define and implement a secure Government Cloud.  The guidance has also been empirically validated through the analysis of four Government Cloud case studies in Estonia, Greece, Spain and the United Kingdom, serving as examples to Government Cloud implementation.  The framework is recommended to be part of the public administrations’ toolbox when planning migration to the cloud, and when assessing the deployed security controls and procedures.  

“With cloud usage as a key information and communications technology enabler, the guidance to governments on the cloud usage opens significant socio-technical and actual usability benefits to users of the European Union digital market,” said Neeraj Suri, Professor at the TU Darmstadt.

The framework focuses on the following activities: risk profiling, architectural model, security and privacy requirements, security controls, implementation, deployment, accreditation, log/ monitoring, audit, change management and exit management. In essence, the framework serves as a pre-procurement guide and can be used throughout the entire lifecycle of cloud adoption.

ENISA’s Executive Director commented: “The report provides governments with the necessary tools to successfully deploy cloud services. Both citizens and businesses benefit from the EU digital single market accessing services across the EU. Cloud computing is a fundamental pillar and enabler for growth and development across the EU.”

Studies show that the level of adoption of Government Cloud is still low or in a very early stage. Security and privacy issues are the main barriers and, at the same time, have become key factors to take into account when migrating to cloud services. Additionally, there is a clear need for cloud pilots and prototypes to test the utility and effectiveness of the cloud business model for public administration.

For the full report visit:

ENISA Contact: [email protected]


About the Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at, and follow us on Twitter @cloudsa.


Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Security Operations and IT Operations: Finding the Path to Collaboration
A wide gulf has emerged between SOC and NOC teams that's keeping both of them from assuring the confidentiality, integrity, and availability of IT systems. Here's how experts think it should be bridged.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.