The European Network and Information Security Agency (ENISA), the European Union’s cyber-security body, has focused its attention on the cloud with a new guide aimed at helping IT procurement teams monitor the security of cloud-based contracts.
The guide, released on Tuesday, builds on an assurance framework produced by ENISA in 2009 intended to help IT teams assess the security of service providers before moving to the cloud. Last year a further report recommended private clouds as the best option for organisations worried about governance issues.
Today’s follow-up goes a step further, helping to prepare IT teams for continuous monitoring of cloud services throughout the project’s life-cycle, according to ENISA.
ENISA is particularly focusing on public-sector procurement, which it said accounts for nearly 20 percent of the EU’s gross domestic product, or around 2.2 trillion euros.
The problem is that IT officers in public sector organisations are often under-informed on important security factors related to their service-level agreements (SLAs), according to ENISA. The security body said it found in a recent survey that many public-sector IT officers received “hardly any feedback” on security factors such as service availability or software vulnerabilities.
The area of security in cloud procurement is, indeed, a “completely new area” for many buyers, ENISA executive director Udo Helmbrecht said in a statement.
The parameters the guide covers include service availability, incident response, service elasticity and load tolerance, data life-cycle management, technical compliance and vulnerability management, as well as log management and forensics.
ENISA said it will present the report in detail at the SecureCloud 2012 conference to be held in Frankfurt in May.
In December the agency called on EU member states to improve their protection against potential attacks on Industrial Control Systems (ICS) and to work more closely together to prevent cyber attacks. The findings were published in a study of European ICS security that included seven recommendations for European countries.
The European Commission (EC) has long called for its members to do more to prepare for cyber attacks and earlier this year proposed a number of measures. These included the creation of a European cyber-incident contingency plan by 2012, the organisation of regular national and pan-European cyber incident exercises, and strategic partnerships with non-EU countries, especially the US.