'Procure Secure': a new guide for monitoring cloud computing contracts

'Procure Secure', a new report from ENISA, provides the necessary parameters for customers’ continuous security monitoring in the cloud.
'Procure Secure', a new report from ENISA, provides the necessary parameters for customers’ continuous security monitoring in the cloud.

Concerns over security remain one of the biggest hindrances to greater adoption of cloud computing. One of the main reasons for this concern is that companies’ data is held at locations removed from the companies’ own control. The problem is that cloud customers are legally and morally responsible for their own data, but are not normally directly or wholly involved in the security of that data.

Security is primarily controlled by the service provider, and the customer’s main point of contact is via the service level agreement (SLA – the contract) with the provider. It is important, therefore, that customers are able to verify the security of their data by continuously monitoring the SLA performance of their provider. This latest report from the European Network and Information Security Agency (ENISA) sets out a detailed methodology on how to achieve this. 

Although the report is primarily designed for public authorities in Europe, the procedures and methodologies it provides are applicable to all companies considering a move into the cloud. ENISA defines three phases to a cloud contract: the request for a service proposal (RfP), the service delivery, and the end of service (moving to a different provider or back in-house). 'Procure Secure' concentrates on service delivery, although understanding how to monitor that delivery should be an important part of the RfP phase. A primary purpose of the document is “to align the expectations of the public authority and Cloud Service Provider (CSP) on service/security monitoring requirements to expect and to provide in the market. Therefore, even for customers not in a position to negotiate contract terms, this guidance can serve as a basis for selecting between offerings on the market.” By understanding the requirements for continuous security monitoring, the customer is in a better position to negotiate finer points of the SLA where possible, or to choose between different providers where not possible.

The basic structure of the report is to give a detailed description and discussion of what is necessary to monitor the security performance of the SLA, followed by a complete checklist of those steps. In its own words, “The goal of this document is to give guidance to customers on continuous monitoring of security service levels and governance of outsourced cloud services. This is achieved through the reporting and alerting of key measurable parameters, as well as a clear understanding of how to manage the customer’s own responsibilities for security.” 

Key areas covered include service availability; incident response; service elasticity and load tolerance; data life-cycle management; technical compliance and vulnerability management; change management; data isolation; and log management and forensics.

The full report will be presented at Europe’s only cloud-specific security conference, SecureCloud 2012 being held at Frankfurt, Germany on May 9th and 10th, and organized and hosted jointly by the Cloud Security Alliance (CSA), ENISA, CASED/Fraunhofer SIT and ISACA.

“Europe’s citizens trust public and private sector bodies to keep our data secure,” said Professor Udo Helmbrecht, executive director of ENISA. “With ever more organizations moving to cloud computing, ENISA’s new guidance is well-timed to help give direction in what is, for many buyers, a completely new area.”

What’s Hot on Infosecurity Magazine?