Cloud Computing
In the past, organizations would buy IT equipment (hardware and/or software) and manage it themselves. Today many organizations prefer to buy IT services from an IT service provider. This trend is generally, and liberally, referred to as ‘going cloud’.

ENISA has played an important role in giving stakeholders an overview of the information security risks when ‘going cloud’ (ENISA has a more rigorous definition of what this means). Our 2009 cloud security risk assessment is widely referred to, both across EU member states and outside the EU. Following up on this risk assessment, we published an assurance framework for governing the information security risks when going cloud. This assurance framework is being used as the basis for some industry initiatives on cloud assurance (such as Eurocloud and CAMM). In 2011 ENISA published a report on security and resilience in government clouds.
We are following up on our past cloud work with the following activities:
- Managing security through SLAs: The work of an organization's IT officer has changed as a consequence: instead of setting up hardware and installing and configuring software, IT officers have to manage service contracts with these IT service providers. We will look at how these service contracts can be set up and monitored in such a way that information security is optimized. We are running a survey on how security parameters are currently addressed in SLAs. We are also organizing a workshop on security parameters in cloud SLAs, together with OASIS and CSA, at the upcoming OASIS International cloud symposium.
- Critical cloud services: We are also developing a vision on the criticality of cloud services. Cost savings are driving businesses into cloud services hosted in large datacenters, which can deliver computing resources more efficiently than small ones: it is possible to deliver high quality for a good price. Of course, if a cloud service with millions of customers ceases to operate, then the impact is big too. We intend to analyze and discuss, with stakeholders, what the impact of a cloud service failure could be, and in which circumstances cloud services should be considered "critical infrastructure".

