Cloud computing: good practices for governments

vrijdag, 7 februari 2014

The EU Agency for Network and Information Security (ENISA) announced in a press release that it has produced a report titled ‘Good Practice Guide for Securely Deploying Governmental Clouds’, which analyses the current state of play regarding governmental Cloud deployment in 23 countries across Europe, categorised on a scale of “Early adoptors”, “Well-Informed”, “Innovators” or “Hesitants”.

A high-level summary of the results for each category were as follows:

  • Early adoptors: UK, Spain and France
  • These countries have a Cloud strategy in place and have taken place to implement the governmental Cloud
  • Well Informed: The Netherlands, Germany, Republic of Moldova, Norway, Ireland, Finland, Slovak Republic, Belgium, Greece, Sweden and Denmark
  • These countries have strategy but are yet to take steps to implement the governmental Cloud
  • Innovators: Italy, Austria, Slovenia, Portugal and Turkey
  • These countries do not have a Cloud strategy but may have a digital agenda that considers adoption of Cloud computing, but already have some Cloud services running based on bottom-up initiatives. Cloud implementation is forthcoming but will need to be supported by national/ EU level regulation.
  • Hesitants: Malta, Romania, Cyprus and Poland
  • These countries are planning to implement governmental Cloud in the future to boost competitive business, but currently have no strategy or Cloud initiatives in place

The report sets out 10 recommendations for the secure development of governmental Clouds. These include:

  • Support the development of an EU strategy for governmental Clouds
  • Develop a business model to guarantee sustainability, as well as economies of scale for government Cloud solutions
  • Promote the definition of regulatory framework to address the locality problem
  • Promote the definition of a framework to mitigate the loss-of-control problem
  • Develop a common SLA framework
  • Enhance compliance to EU and country specific regulations for Cloud solutions
  • Develop certification framework
  • Develop a set of security measures for all deployment models
  • Support academic research for Cloud computing
  • Develop provisions for privacy enhancement

The Executive Director of ENISA, Professor Udo Helmbrecht, commented, “This report provides the governments the necessary insights to successfully deploy Cloud services. This is in the interest of both the citizens, and for the economy of Europe, being a business opportunity for EU companies to better manage security, resilience, and to strengthen the national cloud strategy using governmental Clouds.”

Our commentary: the Netherlands

In the Netherlands, in 2011, central government presented its Cloud Strategy or iStrategy. It identifies two main problems inhibiting the implementation of Cloud computing: the relative immaturity of the Cloud computing market, and the government’s highly stringent requirements with respect to data protection and privacy. Initially, therefore, Cloud computing was only to be implemented internally. As of June 2013, the Goal Architecture of the Closed Governmental Cloud has been approved.

In terms of development, the report classifies the Netherlands as a ‘well-informed’ country: they have a strategy, but the implementation is still at design or prototype stage, or they have only preliminary implementations of some governmental Cloud services. In all cases, they are planning to massively adopt the governmental Cloud in the future, after an in-depth evaluation and investigation of the risks and the benefits of the Cloud solutions they have identified for the implementation and after the analysis of the first results of the implemented Cloud services.

The report notes legal difficulties in adopting Cloud Computing, e.g. that public users and providers should be free to choose the level of security provided and requested for the public services, with positive effects on the competition between providers and leaving the departments the possibility for implement the most effective and the best value for money solutions.

The development towards Cloud Computing obviously raises a host of competition law issues as well. Not in the least in terms of possible dominance, the public/private divide (“Wet markt en overheid“), public procurement, as well as closely related legal issues, e.g. surrounding data protection.