The European Union Agency for Network and Information Security (ENISA) has deemed that the information security policies and practices that the Cloud Industry Forum's (CIF's) code of practice (CoP) demands of cloud service providers (CSPs) meet the standards required for inclusion on the cloud certification scheme list it maintains.
Other certification schemes that feature on ENISA's cloud certification scheme list include the ISO/IEC 27001 certification scheme, a Payment Card Industry data security standard and three schemes operated by the Cloud Security Alliance.
CIF said it hopes the inclusion of its code on the ENISA list will encourage businesses looking to use cloud-based IT services to seek a cloud provider that has adopted the code.
Alex Hilton, chief executive of CIF, said: "There are no dedicated cloud standards in the market, making it difficult for small business customers to identify trusted advisors. We hope this recognition will encourage more users of cloud services to actively seek providers that are CIF-certified, and likewise more CSPs to seek certification. We have taken important steps in providing a foundation in what is a fast changing and, to many, a new technology sector."
To be included on ENISA's cloud certification scheme list, CIF's code had to correspond to 27 network and information security requirements developed by the EU agency as part of the European Commission's cloud computing strategy. ENISA said the aim of its "meta-framework" is ultimately to help give credence to existing cloud certification schemes when businesses are buying cloud-based services.
"Before buying a cloud service, customers want to know if the service is secure and reliable," a statement on ENISA's website said. "But cloud computing services are complex and built up from many different ICT components (cables, large data centers, software, etc), so it is hard for individual customers to check all the technical details by themselves. Cloud providers have many customers (this is the main idea of cloud computing), so if all customers checked their security requirements separately, this would mean double work. If each customer wanted to do an on-site audit, for example, there would be long queues at the gates of data centers."
"The idea of a certification scheme is to check one basic set of security requirements, once for all customers. In this way certification can simplify the procurement of cloud services by customers. Note that certification schemes do not replace the need for customers to do due diligence when procuring; rather, certification is a way to simplify this process," it said.
Cloud providers must self-certify their compliance with CIF's code annually and notify CIF of their compliance so as to be authorised to display the CIF certification mark. Random audits of self-certified compliance are carried out. Cloud providers can alternatively win the right to display the CIF certification mark by obtaining an independent certification of compliance by a body approved by CIF.
To comply with the CIF code, cloud providers must be open about the measures they have in place to protect information security, as well as detail the countries and location where data will or could be stored and processed and the measures taken "to ensure compliance with relevant [data protection] legislation and to ensure data privacy".
The cloud providers must also document the policies and procedures they have in place on information security management, including data protection, as well as who the "specific individuals" responsible for information security are. The documentation must also detail the "appropriate training and awareness programs" to protect information security.
"We have worked very closely with ENISA over the last few months to ensure that the code of practice maps to the high standards set by the European Commission," Ian Osborne, a member of CIF's Code of Governance Board, said. "It's therefore incredibly encouraging to have received its seal of approval, confirming the CoP's position in the fragmented cloud standards arena. Furthermore, it marks a significant step for the Cloud Industry Forum code of practice, originally set up to help UK businesses gain confidence in suppliers, as this has now been adopted across the European Union."