Activities - Activity 4

Cloud Computing Pilot Certifications


What is this activity about?

The aim of this activity is to perform cloud services pilot certifications in Ireland and Cyprus, involving at least two preselected cloud services (Software as a service (SaaS), Platform as a Service (PaaS), Anything as a Service (XaaS)), the evaluation facility, and the CAB assessment and certification process. The evaluation will put in practice the upcoming EU cloud certification scheme.

What are the tasks involved?

The cloud pilot certifications will involve vendors selected on the basis of specific requirements.

The activity will ultimately result in certification reports, increasing assurance in the readiness level of the partners involved.

Technical brief

Two ISO 27001 certified Cloud Service Providers (CSPs) in Ireland and one CSP from Cyprus were selected to take part in the EUCS pilot certifications in the context of this project. ISO 27001 certified CSPs were deemed suitable as participants as they were more mature in the implementation of Information Security Management Systems (ISMS) and familiar with auditing processes. This exercise involved:

  • 2 Cloud Services at Basic assurance level

  • 1 Cloud Service evaluated at High assurance level

The partners developed, reviewed, and validated a Cloud Security Maturity Questionnaire (CSMQ) to assess the maturity of the CSPs. Two types of CSMQ were developed and issued to the Cloud Service Providers, one for the Basic assurance level and another for the High assurance level.

The responses and evidence provided by the CSPs were reviewed against the requirements of the EUCS candidate scheme 2020, and the vendors were given the opportunity to provide clarifications and additional supporting evidence.

Evaluation reports were then issued and reviewed according to the current requirements of the candidate scheme and the consortium partners' experience.

Across the 20 categories of controls in Annex A of the EUCS candidate scheme, all cloud services assessed demonstrated the highest level of compliance in Organisation of Information Security (OIS) and the highest level of non-compliance in the Product Safety and Security (PSS) and Dealing with Investigation Requests from Government Agencies (INQ) categories.

This assessment highlighted the following insights and challenges:

  • The increased awareness of the participating CSPs of the requirements included in Annex A of the EUCS candidate scheme.

  • The lack of guidance associated with those requirements: because the guidance on the requirements of the EUCS candidate scheme is not yet fully available, it is not clear what evidence is required to meet them;

  • The significant number of requirements to meet even at the Basic assurance level, and the time taken to provide input to the questionnaires and collate the evidence to demonstrate compliance;

  • Performing the evaluation without a clear mapping between the scheme requirements and the ISO/IEC 27001 standard;

  • Information exchange during the assessments, especially in relation to the submission of supporting evidence.