CloudWATCH2 services include the provision of cloud risk management guides for private and public organisations to lower barriers and ensure a trusted European cloud market. In order to accomplish this objective CloudWATCH2 released a new report Risk-Based Decision Making Mechanisms For Cloud Service In The Public Sector.
Despite the advantages of cloud computing, customers like Public Administrations (PAs) and Small-Medium-sized Enterprises (SMEs) are still in need of “meaningful” understanding of the security and risk management changes the cloud entails. Traditional ICT risk management approaches usually adopt one-size-fits-all methodologies relying on experts, which are usually not adequate for small organisations and PAs that use relatively simple IT-components. SMEs/PAs need simple, flexible, efficient and cost-effective cloud security solutions.
This report looks at the case of PAs and provides an overview of their current requirements as well as information on current research and standards. The document then outlines how CloudWATCH2 will develop a simplified cloud risk assessment/management approach (risk profile) to assist PAs with the risk assessment process from the perspective of a cloud service customer (CSC) procuring a suitable cloud-based service.
The next version of this document, released in July 2017, will present a validated version of the proposed methodology. The validation process will take place by developing relevant real-world use cases, and getting feedback from stakeholders.
The document will also:
- document a set o risk profiles (covering both PAs and SMEs);
- provide a further focus on best practices for deploying automated tools instantiating the different stages of the contributed risk profiling methodology;
- show how to leverage the proposed methodology using best practices like CSA Cloud Controls Matrix.