Enisa: Private clouds are best for public sector

The private cloud, or a collection of interlinked private clouds, is the best fit for the IT needs of public administrations, according to the EU's information security advisory agency.

Provided there is a strategy in place for cloud computing at the national or international level to prevent inconsistencies in data formats, security approaches and risk management, clouds can work well with the needs of public sector, the European Network and Information Security Agency (Enisa) said in a report on Monday.

"Public cloud offers a very high level of service availability and is the most cost effective," Enisa's executive director Udo Helmbrecht said in a statement. "Yet, currently its adoption should be limited to non-sensitive or non-critical applications, in the context of a well-defined cloud adaptation strategy with a clear exit strategy."

The report found that public clouds were potentially risky in legal and data governance terms, but contained major economies of scale with regards to running costs.

The report concludes that private clouds and 'community clouds' will best suit the IT needs of public administrations. Private clouds are where the entity using the data also owns and operates the infrastructure. A community cloud is a federation of private clouds, possibly connected by a management layer.

"Private cloud provides a chance of the levels of security that government has to have," said Clive Longbottom, founder of analysis company Quocirca. "However, it is possible to provide full security while including community and public cloud — it just has to be well designed and implemented."

Public cloud offers a very high level of service availability and is the most cost effective. Yet, currently its adoption should be limited to non-sensitive or non-critical applications.

– Udo Helmbrecht, Enisa

European Governmental Cloud
In addition, Enisa urged national governments and EU institutions to consider the possibility of setting up a 'European Governmental Cloud'. This would be a virtual space where consistent rules could be applied to legislation and security across countries. The governmental cloud could be used in the context of a pan-European mutual aid and assistance plan for emergencies, the report said.

However, a lack of connectivity in some EU countries could also hinder those using any type of cloud, the report's authors said.

Enisa believes that cloud computing will provide a "significant portion" of the IT services that EU citizens, small and medium-sized enterprises and public administrations will consume "in the near future". The report is designed to give public bodies a model for weighing up the issues involved when deciding whether to use the cloud.

The study applied its model to several scenarios, including a migration to cloud by a healthcare authority and a local public administration, and the building of a governmental cloud infrastructure.

Decision-making model
"The new report presents a decision-making model for senior management to determine the best cloud solution from a security and resilience point of view," the report's author Daniele Catteddu, said in an Enisa statement.

Some information, particularly that which can identify an individual citizen, should be stored and secured via a private cloud, Longbottom said, but other information "can be shared throughout community clouds, using shared security policies and virtual private networks as access mechanisms".

"A private cloud approach may seem like the best way to go for cloud computing — but it will miss the main value of a hybrid cloud solution," he added.

In December, Enisa said that public clouds, such as Amazon Web Services, were ideally suited to sites that could potentially be targeted by hackers, due to their scalability in the face of DDoS attacks.