ENISA publishes guide for monitoring cloud contracts
Written by staff reporter
To address the challenge of procuring cloud computing services, the EU cyber security agency ENISA has launched a practical guide for IT teams focusing on continuous security monitoring throughout the lifecycle of a cloud contract. The new guide focuses on public procurement, which accounts for nearly 20% of the EU's gross domestic product, around 2.2 trillion euro (Eurostat figures from 2009).
The publication builds on groundwork done by ENISA in 2009, when the agency produced an assurance framework and tool for IT teams to assess the security of service providers before making a decision to move to the cloud.
Professor Udo Helmbrecht, executive director of ENISA, comments: “With ever more organisations moving to cloud computing, ENISA’s new guidance is well-timed to help give direction in what is, for many buyers, a completely new area.”
A recent ENISA survey on service level agreements (SLAs) showed that many IT officers in public sector organisations hardly receive any feedback on important security factors, such as service availability, or software vulnerabilities. The Procure Secure guide helps customers to prepare for monitoring security on an ongoing basis. “ENISA’s guide emphasises the use of continuous security monitoring, in addition to certification and accreditation processes,” says Dr Giles Hogben, editor of the report.
The ENISA guide includes a checklist for procurement teams, as well as an in-depth description of each security parameter, what to measure and how. The security parameters covered are: service availability; incident response; service elasticity and load tolerance; data lifecycle management; technical compliance and vulnerability management; change management; data isolation; and log management and forensics.
This guide complements a number of cloud security papers published by ENISA, including its recent report, Cloud Computing: Benefits, Risks and Recommendations for Information Security.