EU governments are CRAP at cloud, moans Brussels' infosec watchdog European governments haven’t got a clue how to implement cloud services. So say the EU's own cybersecurity experts. ENISA (the European Network and Information Security Agency) has released a report on the adoption of something it calls “Gov Cloud”, defined as “a deployment model to build and deliver services to state agencies …
I wonder if this report is paid for by the European Association of Outsourced Cloud Computing?
It's worrying that I find a lot of policy makers are a little too excited about "the cloud" and when you ask them questions, they tend to have no real concept of what it is.
I'm not very comfortable with the idea of putting sensitive government information which could contain information like the entire population's financial / tax records, law enforcement databases, health and welfare records etc into third party outsourced data warehouses.
There are some services that are more suited to being 'cloud based' but there are others that are worryingly being pushed into the cloud by IT managers who are just enamoured by the buzzword.
The Cloud is something that might be useful for companies, internally or as a platform for services, or for individuals as a storage location available to them from anywhere.
Both of these entities have one thing in common : they have no need to compile data concerning an entire population on a daily basis. Not talking about state surveillance, just the boring stuff like tax returns and administrative filing. That is the kind of stuff governments do, and they're already doing it.
That means that the government already has its servers in place, its comm lines working and, hopefully, proper physical security about the premises. This data is being accrued most likely via the Internet already, and, if I refer to my own country, citizens can already access their own data via a secure portal.
What would be the advantage of moving to "the cloud" in this case ? Nil. What would be the disadvantage ? Probably too many to count, but the first one on my list would be putting citizen data into the hands of a 3rd party that is not answerable to the citizens.
I will not accept that move with my personal administrative data.
Not a bad point and it bears repeating:
"That means that the government already has its servers in place, its comm lines working and, hopefully, proper physical security about the premises. This data is being accrued most likely via the Internet already, and, if I refer to my own country, citizens can already access their own data via a secure portal."
In fact, if the above is true, gov has already centralized its data inside a private cloud and provided its users with a portal.
Unless economically beneficial, necessary and/or provably more secure, there is no reason to move this data anywhere else. For all practical purposes, this data is already "in the cloud".
This is a classic school boy error, the spending of hard-earned money in an apparent attempt to save money but then to waste even more money in the process. Govs aren't the only ones guilty of this practice but are frequently in first place.
The problems begin (so often the case with big gov IT projects) when greedy providers and stupid officials with large sums of taxpayer cash are allowed to sit at the same table and design "projects".
The projects that are too big to fail often do, especially when there is no pesky moral hazard to contend with.
I believe that putting the people responsible for such messes into sacks full of weasels and then tipping them into the river would work much, much better.
Independent pre-fiasco auditing could also help, as long as those auditors were also subject to the weasels-in.sack (WIS) penalty.
And it would make a good reality TV format as well. The advertising revenue could be used to pay down the national debt.
This post has been deleted by its author
The results of this report are baffling, particularly because a great deal or most of the best Cloud Services technologies - like OpenStack, Cloudstack, Docker Containerization, etc, including Cloud Management and Operating Sstem infrastructure software like Linux is Free/Open Source Software (FOSS) which would not place any burden on the European Union in regards to costs or quick adoption and mastering of these great and innovative (Internationally developed) technologies.
Maybe it's the language barrier for non-English speaking countries! :(
Most .gov.uk folks are reasoning -
+ Any data will be known to the person from '5' placed in the dept. with the unlimited access/no trace login
+ Then it'll be passed to GCHQ for analysis
+ Anything SIS has will be shared with NSA
ergo, may as will store in the cloud in US data centre and let NSA access directly
This latest report of ENISA's refers to their earlier one, January 2011, Security & Resilience in Governmental clouds, on p.8 of which they say about cloud compting: "its adoption should be limited to non-sensitive or non critical applications and in the context of a defined strategy for cloud adoption which should include a clear exit strategy".
They can hardly be surprised that many EU governments have, very sensibly, on ENISA's own recommendation, proceeded slowly.
The surprise, as noted by earlier commenters, is that so many EU governments, the UK included, have put sensitive and critical applications in the cloud with no known exit strategy – HMRC, the Home Office, the Ministry of Defence and the Government Digital Service, to name but a few – often with one-man companies like Skyscape.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
