Cloud Security Alliance Announces Release of Security Framework for Governmental Clouds

Report jointly developed by CSA, ENISA and TU Darmstadt Provides Step-by-Step Approach for the Procurement and Secure Use of Cloud Services

March 5, 2015

3 Min Read


Edinburgh, UK – March 2, 2015  The Cloud Security Alliance (CSA), announces the release of a new report aimed at providing guidance to European Member States on how to develop a security framework for managing the risk in Governmental Clouds. The Security Framework for Governmental Clouds, a collaboration by CSA Europe, the European Union Agency for Network and Information Security (ENISA) and TU Darmstadt, provides Member States with a step-by-step guide for the procurement and secure use of cloud services.

“This study is the result of great collaboration between CSA, ENISA and TU Darmstadt,” said Daniele Catteddu, Managing Director, EMEA for the CSA. “We hope that the results of this study will make a tremendous difference for not only government bodies in European countries, but also any country government, that may be struggling in defining its security posture in the cloud. By implementing this framework, government bodies can now more confidently adopt cloud services, while maintaining risks at an acceptable level.”

The Security Framework for Governmental Clouds addresses the need for a common security framework when deploying Government Clouds and builds on the conclusions of two previous ENISA studies.  The framework is structured into four phases, nine security activities and fourteen steps that detail the set of actions Member States should follow to define and implement a secure Government Cloud.  The guidance has also been empirically validated through the analysis of four Government Cloud case studies in Estonia, Greece, Spain and the United Kingdom, serving as examples to Government Cloud implementation.  The framework is recommended to be part of the public administrations’ toolbox when planning migration to the cloud, and when assessing the deployed security controls and procedures.  

“With cloud usage as a key information and communications technology enabler, the guidance to governments on the cloud usage opens significant socio-technical and actual usability benefits to users of the European Union digital market,” said Neeraj Suri, Professor at the TU Darmstadt.

The framework focuses on the following activities: risk profiling, architectural model, security and privacy requirements, security controls, implementation, deployment, accreditation, log/ monitoring, audit, change management and exit management. In essence, the framework serves as a pre-procurement guide and can be used throughout the entire lifecycle of cloud adoption.

ENISA’s Executive Director commented: “The report provides governments with the necessary tools to successfully deploy cloud services. Both citizens and businesses benefit from the EU digital single market accessing services across the EU. Cloud computing is a fundamental pillar and enabler for growth and development across the EU.”

Studies show that the level of adoption of Government Cloud is still low or in a very early stage. Security and privacy issues are the main barriers and, at the same time, have become key factors to take into account when migrating to cloud services. Additionally, there is a clear need for cloud pilots and prototypes to test the utility and effectiveness of the cloud business model for public administration.

For the full report visit:

ENISA Contact: [email protected]


About the Cloud Security Alliance
The Cloud Security Alliance is a not-for-profit organization with a mission to promote the use of best practices for providing security assurance within Cloud Computing, and to provide education on the uses of Cloud Computing to help secure all other forms of computing. The Cloud Security Alliance is led by a broad coalition of industry practitioners, corporations, associations and other key stakeholders. For further information, visit us at, and follow us on Twitter @cloudsa.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights