European Commission Cloud certification expert group

Preparatory meeting 21.2.2013

Issues paper on cloud certification

The cloud computing strategy of the Commission aims to create EU-wide voluntary certification schemes. ENISA is asked to support the Commission in this activity and to establish a list of voluntary certification schemes by 2014.

In order to implement the certification action of the Communication, the Commission has already started to discuss with ENISA different possibilities to encourage certification schemes. In the coming months the Commission will also launch a study on European cloud certification schemes in order to see where Europe stands in this field.

Certification and cloud take up

When preparing the Communication the Commission conducted a study on the likely barriers to cloud computing uptake. It indicates that certification can play a role in cloud take-up. According to the study, security and data protection, together with legal jurisdiction, are among the major obstacles to cloud adoption in companies. Uncertainties about the way legal and security issues are managed in the cloud are strongly correlated with uncertainties about the trustworthiness of cloud computing. In order to overcome these trust barriers the study recommends the establishment of clear and harmonised principles on cloud service providers' accountability and liability, particularly regarding security breaches and data protection. Certification could be a tool to provide assurance that cloud service providers comply with legal and other critical requirements.

Role of certification in the cloud service provision

Certification is somewhat disputed amongst industry and policy makers. Although it is widely agreed that standardisation could increase the interoperability and credibility of cloud services, the role of certification in relation to standards is not clear. It is acknowledged that certification can simplify evaluation and provide transparency to service offerings. On the other hand it is argued that certification can restrict access to the market and lead to market dominance by large players, those having the money and resources to go through expensive, time-consuming and complex auditing schemes. Certification can also lead to a false sense of security, leading customers to assume that ticking every box has addressed all security and other critical issues. SMEs especially might have difficulties in obtaining at least some of the most expensive certificates. The main questions are:

  • Can certification create trust and if so how?
  • Is there a market demand for certification and what are the key high level areas to be included to the scope of certification?
  • What trust elements are the users looking for?
  • How can the issue of composite services be addressed? It is increasingly common to see cloud services composed from independent providers. Questions arise as to how individual certifications can provide assurance on the security and other elements of composite systems.

Another issue is the role of the public sector and regulation. Some governments already support certification schemes, such as the US government initiative FedRAMP and the German government initiative Grundschutz. Others, like the UK, have a more negative attitude towards certification. Certification and its role are also linked to the Commission's cloud partnership initiative, where the aim is to define common requirements for public sector cloud services. It is possible that certain criteria might require common certification for public sector clouds within Europe. Some of the main questions are:

  • Should the public sector select specific certification schemes for recognition?
  • Should the public sector follow the FedRAMP model and create a specific certification programme for providers of cloud services to the public sector?
  • Should auditing schemes be regulated or purely voluntary?
  • Should there be a common minimum set of criteria for cloud certification in Europe?

Another critical element is the trust model for certification: self-assessment, third-party auditing, etc. Third-party auditing can easily require complex oversight arrangements, such as accreditation of the bodies performing the audits. On the other hand self-assessment, although light and easy, can lead to a lack of common recognition and create competing and possibly non-interoperable schemes.

Certification schemes

Certification efforts in Europe are taking off. Nevertheless, there are currently a number of challenges, such as the choice between competing standards originating from different bodies, open vs. proprietary solutions, and a lack of schemes or incompatible schemes.

Some of the major existing certification schemes, such as ISO 27001 for information security management, are at least partly applicable to cloud services. There are cloud-specific certification schemes on the market, such as EuroCloud, and schemes under development from governmental initiatives (FedRAMP, Grundschutz), industry initiatives (CSA, EuroCloud, SAP) and standards organisations (ISO, ITU, NIST). The main problem is to get an overview of the different schemes, analyse what is missing and decide how best to support the establishment of voluntary certification schemes.