Procure secure: ENISA’s new guide for monitoring cloud computing contracts
April 2012 by ENISA
Procurement of cloud computing services is an increasingly important task for governments and businesses across the EU, and information security is a key pain point. To help solve this problem, the EU’s cyber security agency, ENISA, today launched a new, practical guide for IT procurement teams, focusing on continuous security monitoring throughout the life-cycle of a cloud contract.
The publication builds on groundwork done by ENISA in 2009, when the Agency produced an assurance framework and tool for IT teams to assess the security of service providers before making a decision to move to the cloud. ENISA now goes one step further, with a follow-up guide detailing how to monitor the security of cloud services throughout the project life-cycle. The new guide focuses on public procurement, which accounts for nearly 20% of the EU’s gross domestic product, around 2.2 trillion euro (Eurostat figures from 2009).
Professor Udo Helmbrecht, Executive Director of ENISA, comments: “Europe’s citizens trust public and private sector bodies to keep our data secure. With ever more organisations moving to cloud computing, ENISA’s new guidance is well-timed to help give direction in what is, for many buyers, a completely new area.”
A recent ENISA survey on Service Level Agreements (SLAs) showed that many IT officers in public sector organisations hardly receive any feedback on important security factors, such as service availability or software vulnerabilities. The Procure Secure guide helps customers to prepare for monitoring security on an ongoing basis. “ENISA’s guide emphasises the use of continuous security monitoring, in addition to certification and accreditation processes,” says Dr Giles Hogben, editor of the report.
The ENISA guide includes a checklist for procurement teams, as well as an in-depth description of each security parameter, what to measure and how. The security parameters covered are: service availability; incident response; service elasticity and load tolerance; data life-cycle management; technical compliance and vulnerability management; change management; data isolation; and log management and forensics.
This guide complements a number of cloud security papers published by ENISA, including its widely used 2009 report, Cloud Computing: Benefits, Risks and Recommendations for Information Security.
Full report: The report will be presented in detail at SecureCloud 2012, the only European conference to focus specifically on cloud computing security.