Good Practice
Steps Public Bodies Should Take When Procuring Cloud Services

The European Union Agency for Network and Information Services (ENISA) released an in-depth guide last month aimed at public authorities planning to procure cloud services.

The report and guide, titled Security Framework for Governmental Clouds, outlines four phases, nine security activities and 14 steps that public bodies should employ when procuring cloud services.

According to an article in, where a download of the guide is available, it can be used as support during the pre-procurement process and throughout the entire lifecycle of cloud adoption. The report compiled and analysed four relevant case studies on national Cloud security approaches, namely in Estonia, Greece, Spain and the UK.

ENISA’s guide states that despite creating successful cloud computing service delivery models, “many public bodies have not yet built a model for assessing their organisational risks related to security and resilience.” The guide recommends that national governments should prepare a strategy on cloud computing that considers implications for security. It also suggests national governments and the EU investigate the concept of a European Governmental Cloud, which would act as a national virtual space where standardised legislation and security policy could be applied. Lastly, the guide recommends that all national governmental and member states foster the adoption of baseline security measures for all cloud deployment models.

The guide identified four lifecycle phases that governmental agencies and public administrations take when securing cloud services.

  • PLAN — focuses on establishing policies and strategies for implementing controls to achieve security objectives
  • DO — involves executing these controls
  • CHECK —  tests are performed to make sure controls are operating correctly and that the system is functioning effectively
  • ACT — involves fixing deficiencies identified in the ‘check’ phase

Across the four phases, nine security activities and 14 security steps are included in the guide as suggested framework. The activities also have corresponding examples from the four case study nations.

ENISA’s guide says that the four EU countries used as case studies in the report are currently in the advanced stage of cloud procurement activity. In comparison, it says that all other EU countries are at low or early stages of adoption, with the main barriers being security and privacy issues.

The report concluded that across Europe in general, the adoption of Gov Clouds remains low. Only the UK and Spain have defined and implemented a nation-wide Cloud strategy. It also found that “common security denominators” exist across EU states, and these may be used to develop homogenous security best practices. ENISA’s report states that in the Gov Clouds that were analysed, policies for incident management were also in place and scattered across all phases of the lifecycle.

Finally, the report concludes that the framework suggested is flexible for extension and adaptation to new security needs and requirements from other EU Gov Clouds. The framework may be used during the design phase of new Gov Clouds but could also be used by existing Gov Clouds as a baseline for analysing side-by-side different deployments.