A very good document raising the right issues.
My primary comment is centered on the textbox on page 27. The text is written as if the European Network and Information Security Agency (ENISA) said in 2011 that “the use of public clouds is not recommended for anything but the lowest assurance classes of data”.
It was of course the Danish Data Protection Agency quoting an old ENISA report from 2009.
ENISA already explained the quote on page 8 in the publication "Security and Resilience in Governmental Clouds" (January 2011):
"The public cloud option is already able to provide a very resilient service with an associated satisfactory level of data assurance and is the most cost effective.
Moreover public cloud offers potentially the highest level of service availability, but due to the current regulatory complexity of intra-EU and extra-EU trans-border data transfer, its adoption should be limited to non-sensitive or non critical applications and in the context of a defined strategy for cloud adoption which should include a clear exit strategy.
At the same time a number of emerging initiatives, including CSA Guidance, Control Matrix, and Consensus Assessment as well as the work of the Common Assurance Maturity Model (CAMM) (2) consortium are pushing the yardstick on providing the transparency and assurance that will allow using public cloud model in more sensitive applications."
So let's get the laws up-to-date, thanks.
Thank you for your comment, Carsten. I will note it as a comment to the report, so that we are aware of ENISA's updated viewpoints.
Project Manager, Danish Agency for Digitisation
This should be rated up, not down! Good post, Carsten.