Wednesday, 18 April 2012

Procure Secure. A guide to monitoring of security service levels in cloud contracts

Executive summary
Public procurement accounts for nearly 20% of the EU's gross domestic product, around 2.2 trillion Euro, according to Eurostat figures from 2009. Cloud computing is an area of growth in public procurement because of the substantial cost and efficiency savings cloud computing can offer.
However, the use of effective SLAs (service level agreements) and common security requirements is one of the most important issues for the further adoption of cloud computing (1). ENISA therefore supports the European Commission's European Cloud Partnership initiative, with its focus on developing common requirements for public sector cloud procurement (2).

This document is a practical guide aimed at the procurement and governance of cloud services. The
main focus is on the public sector, but much of the guide is also applicable to private sector
procurement. This guide provides advice on questions to ask about the monitoring of security
(including service availability and continuity). The goal is to improve public sector customer
understanding of the security of cloud services and the potential indicators and methods which can be
used to provide appropriate transparency during service delivery.

One-off or periodic provider assessments, such as ISO 2700x, SSAE 16 or ISAE 3402, assure that for the evaluation period a certain set of controls and procedures was in place. These assessments are a vital component of effective security management. However, they are insufficient without additional
feedback in the intervals between assessments: they do not provide real-time information, regular
checkpoints or threshold-based alerting, as covered in this report. The security monitoring framework
is provided in the form of:
● A Checklist guide to the document. Use this if you have little time available: if you have read
this, you will have covered the most important points. It is important to be aware that not all
issues will be significant in all contexts; it is therefore strongly advised that you actively engage
with the material and ensure you understand the extent to which each issue is relevant to your
● A detailed description of each parameter which may be part of the security monitoring
framework. This is the complete, unabridged version: it contains examples and looks at some
of the more subtle points in more detail.
