AWS Security Blog

ENISA Advances Cloud Adoption in Europe

AWS continually monitors how the work of international standards bodies affects how you run your regulated workloads in the cloud. As such, we were pleased to see a recent security-related announcement from the European Union Agency for Network and Information Security (ENISA). ENISA’s announcement addresses one of the most commonly asked questions by AWS customers who process or store data in the cloud: “With which compliance standards should I align?”

ENISA’s announcement of the latest Cloud Certification Schemes List (CCSL) and new Cloud Certification Schemes Metaframework (CCSM) is the latest step in its execution of the ongoing European Cloud Strategy. This announcement clarifies cloud adoption standards, and the guidance provided by CCSL is directed toward helping to streamline the process by which customers determine cloud compliance needs. 

The evolution of world standards bodies and governmental policy is paving the way for enterprises and government agencies to benefit from using the cloud. Each region of the world is taking slightly different approaches to policy creation, guidance formulation, and best practice recommendations for using the cloud securely within the bounds of their respective laws and cultures.

AWS Compliance closely watches how these standards bodies develop, and provides guidance about the following two key security tenets:

  1. The evaluation of the security practices of the cloud service provider (“security of the cloud”).
  2. The best practices for cloud customers to follow in order to use cloud services more securely (“security in the cloud”).

Learn more about the AWS Shared Responsibility Model, which is based on the two key security tenets.

ENISA’s latest guidance shows its progress in helping to speed the adoption of the cloud. The CCSL and the new CCSM fall under the first key tenet: security of the cloud. The guidance is a positive step toward giving companies the information they need to use cloud services confidently.

The CCSM moves a step beyond simply listing certification schemes. The CCSM is a tool that provides a mapping of certification schemes to security requirements used in the public sector. This mapping can help with procurement of cloud services because it helps to explain how the certifications of CSPs cover customers’ specific requirements. The clarity provided by the new CCSM also helps CSPs because it allows CSPs to be transparent about the security of their services by using recognized certifications and attestations, rather than attempting to be certified or audited under every local security standard. This transparency allows customers to map security and compliance to their specific local requirements, which is a benefit for both providers and customers.

AWS adheres to the certification schemes identified by ENISA that we believe are the most usable for our customers:

These schemes are comprehensive and provide a higher level of transparency because the attestation frameworks (the audit standards the certifying bodies follows) are mature, predictable, and consistent across auditors. The usability of these certification schemes is high because these are globally adopted standards, and many of our customers use these certification schemes themselves, making certification on AWS possible.

The other listed schemes are regional, country, and niche programs. They generally follow ISO security elements, and although they do not effectively reach the scope or applicability of the global programs, they may still be useful for those regional cloud providers who seek to serve local markets exclusively.

Kudos to ENISA for making notable progress in helping companies to clarify their efforts to procure cloud services.

Chad Woolf, Director, AWS Risk and Compliance