EU security agency issues cloud SLA checklist

Powered by SC Magazine
 

Guidance for public sector cloud procurement.

Europe's key security agency has released a cloud procurement checklist in a bid to improve how government organisations assess cloud computing contracts and services.

According to the European Network and Information Security Agency (ENISA), public sector cloud adoption was hindered by a lack of relevant procurement methods, and not the maturity of cloud providers.

The guide, released this week, aims to address difficulties organisations face in ensuring service level agreements (SLAs) are met, monitored and reported.

It follows an earlier ENISA survey that found that government agencies received little feedback from providers about the availability or security vulnerabilities of the cloud services they had bought.

ENISA’s 2011 survey of 117 public sector IT managers who struck cloud service contracts found that only 32 percent of contracts included ways to classify the severity of security incidents.

Only 15 percent of organisations actually received availability reports, seven percent received penetration testing reports, and 16 percent received backup reports.

Only 44 percent of contracts imposed penalties on cloud providers that failed to meet their SLAs.

SLAs in Australia

The Australian Government appears ready to begin procurement discussions with cloud service providers after years of hesitation, releasing draft guidelines for low-value cloud computing deals last week.

According to an iTnews investigation of cloud SLAs in Australia, customers tend not to expect their service providers to meet the agreed levels of availability.

In an iTnews analysis of 25 standard cloud computing contracts, Truman Hoyle partner Mark Vincent warned against relying solely on SLAs to judge the reliability of a cloud vendor.

For Australian agencies, ENISA's guidance on identifying "security-relevant parameters", monitoring security features and sharing responsibilities between provider and customer may be useful.

The European agency also highlighted forensics, incident response expectations and severity classifications, elasticity and load tolerance testing, backup procedures, vulnerability management, change management and data isolation guidelines.
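The survey figures above show why ENISA stresses that a buyer needs its own way to verify availability reports and to classify incident severity rather than relying on what the provider chooses to send. The following script is an added example written for this article, not a tool from ENISA or iTnews: it takes a customer-side probe log (constructed below), measures availability against an SLA target, groups downtime into outage windows, applies service-credit tiers and assigns a severity to each incident. The target, credit tiers and severity rubric are hypothetical placeholders; a real buyer would lift them from its own contract.

```python
"""Customer-side SLA evidence check (added example, not ENISA's or iTnews' code).

Assumes a simple probe log with one line per 5-minute availability check and
an SLA with an availability target, service-credit tiers and a severity
rubric. All thresholds below are hypothetical placeholders.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed probe log: timestamp and probe result, one sample every 5 minutes.
PROBE_LOG = """\
2014-04-01T00:00Z up
2014-04-01T00:05Z up
2014-04-01T00:10Z down
2014-04-01T00:15Z down
2014-04-01T00:20Z down
2014-04-01T00:25Z up
2014-04-01T00:30Z up
2014-04-01T00:35Z up
"""

PROBE_INTERVAL = timedelta(minutes=5)


@dataclass
class SLA:
    availability_target: float  # e.g. 0.999 means 99.9 % uptime
    # (shortfall below target, service credit %) tiers; placeholder values
    credit_tiers: tuple = ((0.0, 0), (0.001, 10), (0.01, 25))


def parse_probe_log(text):
    """Parse 'timestamp up|down' lines into (datetime, is_up) pairs."""
    samples = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, state = line.split()
        samples.append((datetime.strptime(ts, "%Y-%m-%dT%H:%MZ"), state == "up"))
    return samples


def availability(samples):
    """Fraction of probes that saw the service up."""
    up = sum(1 for _, ok in samples if ok)
    return up / len(samples)


def outages(samples, interval=PROBE_INTERVAL):
    """Group consecutive 'down' probes into (start, duration) windows."""
    windows, start = [], None
    for ts, ok in samples:
        if not ok and start is None:
            start = ts
        elif ok and start is not None:
            windows.append((start, ts - start))
            start = None
    if start is not None:  # outage still open at end of log
        windows.append((start, samples[-1][0] + interval - start))
    return windows


def service_credit(measured, sla):
    """Pick the highest credit tier whose shortfall threshold is met."""
    shortfall = max(0.0, sla.availability_target - measured)
    credit = 0
    for threshold, pct in sorted(sla.credit_tiers):
        if shortfall >= threshold:
            credit = pct
    return credit


def classify_incident(kind, duration=None):
    """Assumed severity rubric; a real one comes from the contract."""
    if kind == "data_breach":
        return "critical"
    if kind == "outage" and duration is not None and duration >= timedelta(hours=1):
        return "high"
    if kind == "outage":
        return "medium"
    return "low"


def sla_report(log_text, sla):
    """Summarise a probe log against the SLA as a dict a buyer can file."""
    samples = parse_probe_log(log_text)
    measured = availability(samples)
    windows = outages(samples)
    return {
        "availability": measured,
        "target": sla.availability_target,
        "outages": windows,
        "severities": [classify_incident("outage", d) for _, d in windows],
        "credit_pct": service_credit(measured, sla),
    }


if __name__ == "__main__":
    report = sla_report(PROBE_LOG, SLA(availability_target=0.999))
    for key, value in report.items():
        print(f"{key}: {value}")
```

The log is deliberately short; in practice the probes would run from outside the provider's network for the whole billing period, so the availability figure is the buyer's own rather than the provider's. Keeping the severity rubric in one function makes it easy to swap in the classification the contract actually specifies.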

ENISA said the guide aimed to provide the public sector with tools to protect citizens.

"Europe's citizens trust public and private sector bodies to keep our data secure," said professor Udo Helmbrecht, executive director of ENISA.

"With ever more organisations moving to cloud computing, ENISA's new guidance is well-timed to help give direction in what is, for many buyers, a completely new area."

Copyright © iTnews.com.au . All rights reserved.

