01:00 PM
Dark Reading

Cloud Security Alliance Announces Release of Security Framework for Governmental Clouds

Report jointly developed by CSA, ENISA and TU Darmstadt Provides Step-by-Step Approach for the Procurement and Secure Use of Cloud Services

Edinburgh, UK – March 2, 2015 – The Cloud Security Alliance (CSA) announces the release of a new report aimed at providing guidance to European Member States on how to develop a security framework for managing risk in Governmental Clouds. The Security Framework for Governmental Clouds, a collaboration by CSA Europe, the European Union Agency for Network and Information Security (ENISA) and TU Darmstadt, provides Member States with a step-by-step guide for the procurement and secure use of cloud services.

“This study is the result of great collaboration between CSA, ENISA and TU Darmstadt,” said Daniele Catteddu, Managing Director, EMEA for the CSA. “We hope that the results of this study will make a tremendous difference for not only government bodies in European countries, but also any country government, that may be struggling in defining its security posture in the cloud. By implementing this framework, government bodies can now more confidently adopt cloud services, while maintaining risks at an acceptable level.”

The Security Framework for Governmental Clouds addresses the need for a common security framework when deploying Government Clouds and builds on the conclusions of two previous ENISA studies. The framework is structured into four phases, nine security activities and fourteen steps that detail the set of actions Member States should follow to define and implement a secure Government Cloud. The guidance has also been empirically validated through the analysis of four Government Cloud case studies in Estonia, Greece, Spain and the United Kingdom, which serve as examples of Government Cloud implementation. The framework is recommended to be part of the public administrations’ toolbox when planning migration to the cloud, and when assessing the deployed security controls and procedures.

“With cloud usage as a key information and communications technology enabler, the guidance to governments on the cloud usage opens significant socio-technical and actual usability benefits to users of the European Union digital market,” said Neeraj Suri, Professor at the TU Darmstadt.

The framework focuses on the following activities: risk profiling, architectural model, security and privacy requirements, security controls, implementation, deployment, accreditation, log/monitoring, audit, change management and exit management. In essence, the framework serves as a pre-procurement guide and can be used throughout the entire lifecycle of cloud adoption.

ENISA’s Executive Director commented: “The report provides governments with the necessary tools to successfully deploy cloud services. Both citizens and businesses benefit from the EU digital single market accessing services across the EU. Cloud computing is a fundamental pillar and enabler for growth and development across the EU.”

Studies show that the level of adoption of Government Cloud is still low or in a very early stage. Security and privacy issues are the main barriers and, at the same time, have become key factors to take into account when migrating to cloud services. Additionally, there is a clear need for cloud pilots and prototypes to test the utility and effectiveness of the cloud business model for public administration.

For the full report visit:

ENISA Contact: [email protected]


About the Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at, and follow us on Twitter @cloudsa.

