Wednesday, 4 April 2012

'Procure Secure': a new guide for monitoring cloud computing contracts

A 2011 ENISA survey demonstrated that many cloud customers do not regularly monitor their information security and concluded that customers only “find out about failing security measures when it is already too late.” This new report, 'Procure Secure', provides the necessary parameters for customers’ continuous security monitoring in the cloud.

Concerns over security remain one of the biggest hindrances to greater adoption of cloud computing. One of the main reasons for this concern is that companies’ data is held at locations removed from the companies’ own control. The problem is that cloud customers are legally and morally responsible for their own data, but are not normally directly or wholly involved in the security of that data.
Security is primarily controlled by the service provider, and the customer’s main point of contact is via the service level agreement (SLA – the contract) with the provider. It is important, therefore, that customers are able to verify the security of their data by continuously monitoring the SLA performance of their provider. This latest report from the European Network and Information Security Agency (ENISA) sets out a detailed methodology on how to achieve this.
Although the report is primarily designed for public authorities in Europe, the procedures and methodologies it provides are applicable to all companies considering a move into the cloud. ENISA defines three phases to a cloud contract: the request for a service proposal (RfP), the service delivery, and the end of service (moving to a different provider or back in-house). 'Procure Secure' concentrates on service delivery, although understanding how to monitor that delivery should be an important part of the RfP phase. A primary purpose of the document is “to align the expectations of the public authority and Cloud Service Provider (CSP) on service/security monitoring requirements to expect and to provide in the market. Therefore, even for customers not in a position to negotiate contract terms, this guidance can serve as a basis for selecting between offerings on the market.” By understanding the requirements for continuous security monitoring, the customer is in a better position to negotiate finer points of the SLA where possible, or to choose between different providers where not possible.
