After a lot of hard work, you’ve managed to work out a contract with your cloud provider that contains the level of security your organization needs. But how do you make sure the cloud provider actually adheres to the contract and meets your security requirements?
The European Network and Information Security Agency (ENISA) on Tuesday released guidance for monitoring cloud computing contracts that should help cloud customers on this front. The Procure Secure publication builds on ENISA’s previous reports, which provided guidance on cloud computing risks and a framework for assessing the security of cloud providers before signing a contract. The new guide focuses on ways organizations can monitor and assess security of a cloud provider on a continuous basis.
Even with the best of intentions, not all risks can be addressed pre-emptively, according to the guide.
“Both the CSP [cloud service provider] and the customer must be able to respond to changes in the threat environment on a continuous basis. It is essential to monitor the on-going implementation of security controls and the fulfilment of key security objectives,” ENISA states in its guide.
Procure Secure focuses on governance of cloud services by the public sector but much of it is also applicable to the private sector, according to ENISA.
Security experts routinely advise organizations to make sure cloud computing contracts include auditing clauses, but the ENISA guidance is detailed and practical. It includes a checklist for procurement teams and guidance for what to measure and how.
The guide lists eight areas where cloud customers need to monitor their providers: service availability, incident response, service elasticity and load tolerance, data lifecycle management, technical compliance and vulnerability management, change management, data isolation, and log management and forensics. In the area of incident response, for example, the report looks at issues such as definition of minimum response times, severity classifications of incidents and incident management capabilities.
ENISA points out that one-off or periodic assessments such as SSAE16 only provide assurance that a certain set of controls were in place during the evaluation period. While vital for security management, they are “insufficient without additional feedback in the intervals between assessments” and don’t provide the real-time information or regular checkpoints covered in the report, ENISA states.
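The two points above, that the guide names concrete areas to measure (service availability, incident response times by severity) and that continuous feedback is needed between periodic assessments, can be illustrated with a small monitoring check. The following Python is an added example and is not code from ENISA or the Procure Secure report; the availability probes, the incident records and the contract thresholds (`SLA_AVAILABILITY_PERCENT`, `SLA_MAX_RESPONSE`) are constructed placeholders that a customer would replace with the values agreed in its own contract.

```python
from datetime import datetime, timedelta

# Constructed sample data (not from the ENISA report): hourly availability
# probes of a hypothetical service over one day. True = service reachable.
PROBES = [True] * 22 + [False] * 2  # 2 of 24 hourly probes failed

# Constructed incident records: (severity, reported_at, first_response_at).
INCIDENTS = [
    ("high", datetime(2012, 4, 2, 9, 0), datetime(2012, 4, 2, 9, 20)),
    ("high", datetime(2012, 4, 3, 14, 0), datetime(2012, 4, 3, 15, 30)),
    ("low", datetime(2012, 4, 4, 10, 0), datetime(2012, 4, 4, 18, 0)),
]

# Assumed contract thresholds (placeholders, not values taken from ENISA):
# a minimum availability percentage and a maximum first-response time per
# incident severity class.
SLA_AVAILABILITY_PERCENT = 99.0
SLA_MAX_RESPONSE = {
    "high": timedelta(minutes=30),
    "medium": timedelta(hours=4),
    "low": timedelta(hours=24),
}


def availability_percent(probes):
    """Share of successful probes, as a percentage of all probes taken."""
    if not probes:
        raise ValueError("no probes recorded for this interval")
    return 100.0 * sum(1 for ok in probes if ok) / len(probes)


def availability_breach(probes, threshold=SLA_AVAILABILITY_PERCENT):
    """True when measured availability falls below the contracted minimum."""
    return availability_percent(probes) < threshold


def response_time_breaches(incidents, limits=SLA_MAX_RESPONSE):
    """Return (severity, reported_at, elapsed) for every incident whose first
    response took longer than the limit for its severity class."""
    breaches = []
    for severity, reported, responded in incidents:
        if severity not in limits:
            # An unclassified incident cannot be measured against the contract;
            # surface it rather than silently skipping it.
            raise ValueError(f"no response-time limit defined for severity {severity!r}")
        elapsed = responded - reported
        if elapsed > limits[severity]:
            breaches.append((severity, reported, elapsed))
    return breaches


def monitoring_report(probes=PROBES, incidents=INCIDENTS):
    """Summarise one monitoring interval as a dict a procurement team could log
    as a regular checkpoint between formal assessments."""
    return {
        "availability_percent": round(availability_percent(probes), 2),
        "availability_breach": availability_breach(probes),
        "response_time_breaches": response_time_breaches(incidents),
    }


if __name__ == "__main__":
    for key, value in monitoring_report().items():
        print(f"{key}: {value}")
```

Run on the constructed data, the report flags the interval for availability (22 of 24 probes succeeded, below the assumed 99% minimum) and flags one high-severity incident whose first response took 90 minutes against an assumed 30-minute limit. Each run produces one checkpoint record; collecting these continuously is what fills the gap between the one-off assessments the article describes.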
In the U.S., the Federal Risk and Authorization Management Program (FedRAMP) aims to provide a standard approach for government agencies to assess and continuously monitor the security of cloud services. Officials expect FedRAMP to be operational by June.