CloudWATCH2: Takeaways from Cloud for Europe Certification Workshop
A key takeaway of the workshop is the complexity of risk assessment for cloud services. There is a general lack of standards in cloud-specific risk assessment. An existing ISO standard relates mainly to ICT security, so there is a gap there. ENISA has identified 150 cloud risks and the Cloud Security Alliance 133 cloud controls. However, checking and mapping these is a massive job for companies and is usually just too large, especially for SMEs.
A key output for CloudWATCH2 is the agreement with the Public Administrations in Cloud for Europe to join our consultation on defining and validating risk profiles and associated security measures. The CloudWATCH2 risk profiles could be a way of streamlining this risk assessment process by providing a set of pre-compiled risk associations. This would make it easier for companies to identify and manage risk.
The two sides also agreed to share their findings and reports that can guide public administrations in moving to the cloud.
The following experts shared their expertise with the audience:
Dimitra Liveri on the ENISA security tools
Daniele Catteddu on the CSA STAR Certifications
Fritz Bollman on certification schemes for Cloud for Europe
Jan Colpaert (FEDICT) on the Cloud for Europe risk impact methodology, which gave a good understanding of the challenges companies face.