miércoles, 18 de abril de 2012
Procure Secure. A guide to monitoring of security service levels in cloud contracts
Public procurement accounts for nearly 20% of the EU's gross domestic product- around 2.2 trillion Euro, according to Eurostat figures from 2009. Cloud computing is an area of growth in public procurement because of the substantial cost and efficiency savings cloud computing can offer.
However, the use of effective SLAs (service level agreements) and common security requirements is one of the most important issues for the further adoption of cloud computing (1). ENISA therefore supports the European Commission’s European Cloud Partnership initiative, with its focus on developing common requirements for public sector cloud procurement (2).
This document is a practical guide aimed at the procurement and governance of cloud services. The
main focus is on the public sector, but much of the guide is also applicable to private sector
procurement. This guide provides advice on questions to ask about the monitoring of security
(including service availability and continuity). The goal is to improve public sector customer
understanding of the security of cloud services and the potential indicators and methods which can be
used to provide appropriate transparency during service delivery.
One-off or periodic provider assessments, such as ISO 2700x, SSAE 16 or ISAE 3402, assure that for the evaluation period, a certain set of controls and procedures was in place. These assessments are a vital component of effective security management. However, they are insufficient without additional
feedback in the intervals between assessments: they do not provide real-time information, regular
checkpoints or threshold based alerting, as covered in this report. The security monitoring framework
is provided in the form of:
● A Checklist guide to the document. Use this if you have little time available- if you have read
this, you will have covered the most important points. It is important to be aware that not all
issues will be significant in all contexts; it is therefore strongly advised that you actively engage
with the material and ensure you understand the extent to which each issue is relevant to your
● A detailed description of each parameter which may be part of the security monitoring
framework. This is the complete, unabridged version- it contains examples and looks at some
of the more subtle points in more detail.