SME Cloud Security Tool
https://www.enisa.europa.eu/topics/cloud-and-big-data/cloud-security/security-for-smes/sme-guide-tool
The SME Cloud Security Tool lets you rate the security risks and opportunities of a cloud service and generates a list of security questions that help you understand the main features of the service you are about to deploy. The tool also calculates and visualises the rated risks and opportunities, and turns the results into a customised set of security questions.
Rate the security opportunities and the security risks below according to your organisation's requirements.
ConsultLess is a small consultancy firm in the EU with 20 employees (mostly legal and management experts). One of the employees is a partner and also the Chief Information Officer (CIO) of the firm. Occasionally the CIO pays consultants for IT advice or support. ConsultLess decides to procure office software as a service (SaaS) for use by its employees: the cloud service offers document storage/editing, email and calendar. This cloud service is to replace an internal mail server and the office software installed on the employees' computers.
In this scenario the security tasks which will be carried out by the cloud provider are:
Managing of hardware and facilities, including physical security, power, cooling, etc.;
Managing of server operating systems and the application server, including development, deployment, patching, updating, monitoring, checking logs, etc. For example, it is the responsibility of the provider to patch the server operating systems in time;
Managing the application software, including development, patching, updating, monitoring, and checking logs, and so on. For example, it is the responsibility of the provider to fix software flaws in the office software;
Managing updates of software and data.
The customer, ConsultLess, is merely responsible for handing out accounts to its employees, revoking accounts when employees leave, resetting passwords, etc.
Most security tasks are outsourced to the provider. Once the service has been procured and is up and running, the customer has few security tasks left to perform. It should be stressed, however, that the responsibility for security cannot be "outsourced". If something goes wrong with the office software ConsultLess has procured, causing sensitive data about its clients to leak, then ConsultLess will in the first place be held responsible for the damages. For ConsultLess, therefore, clarity about security tasks and responsibilities is a crucial consideration in the procurement process.
EasyAgriSelling is a small tech start-up in the EU, which developed an online web shop software (as a service) for farmers who would like to start direct-selling their vegetables and other products. Their slogan is: “Selling your agricultural produce to consumers, made easy”. Farmers can set up an online shop in a few clicks - customizing their shop with a logo, colours and a description of their farm.
EasyAgriSelling operates a pay-as-you-go model, charging no monthly fee and only charging its customers when products are sold. EasyAgriSelling is a SaaS provider, but it is also a cloud services customer: it builds its product on a cloud provider that offers it IaaS and PaaS. The SaaS platform runs on top of the IaaS/PaaS platform.
EasyAgriSelling is a customer of an IaaS/PaaS service which it uses for running its web shop software for farmers.
In this setting the security tasks the IaaS/PaaS provider carries out are:
Managing hardware and facilities, including physical security, power, cooling, etc.;
Managing the server operating systems and the application server, including development, deployment, patching, updating, monitoring, checking logs, and so on. For example, it is the responsibility of the provider to patch the server operating systems in time.
EasyAgriSelling, the customer, remains responsible for:
Managing the application software, including development, patching, updating, monitoring, and checking logs, and so on. For example, it is the responsibility of EasyAgriSelling to fix software flaws in the deployed web shop software;
Managing the accounts of the farmers using their web shop software, as well as the consumer accounts, including resetting passwords, troubleshooting issues with payments etc.;
Managing backups of application software and data.
Some security tasks are outsourced to the provider, but many security tasks still have to be carried out by the customer (EasyAgriSelling). Security considerations in the procurement process therefore only concern the security of the facilities, the operating systems and the application servers, which are under the control of the provider.
Opportunities
As every SME is different, not all of the security opportunities of cloud services are equally important to every SME. This tool lets you rate or rank the opportunities most relevant to you as an SME using the following scale:
Small opportunity: As an SME you could exploit this opportunity, but benefits would be limited.
Medium opportunity: As an SME you should exploit this opportunity, because benefits would be significant.
Large opportunity: As an SME you must exploit this opportunity, as there would be crucial benefits.
Opportunity table columns: ID (O1, O2, ...), Title / Description, Opportunity Rating (Small / Medium / Large), Explanation.
Risks
Risk table columns: Applicable, ID (R1, R2, ...), Title, Impact, Probability, Rate, Remarks.
Impact and Probability are scored on a scale from 1 = Low to 5 = High. Rate options: Major, Significant, Minor, and High impact, low probability.
Security Questions
Security question table columns: ID (SQ1, SQ2, ...), Title / Description, Opportunities, Risks, Relevant information.
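As an added example, not code from the ENISA tool itself, the following Python models the rating flow the page describes: each applicable risk's 1 to 5 impact and probability scores are mapped to one of the Rate labels above, and the security questions linked to a highly rated risk or to a Medium or Large opportunity are pulled into the customised question list. The numeric cut-offs in rate_risk(), the trigger sets, and all sample data (IDs, titles, ratings) are this example's own assumptions; the page only gives the labels and the scales.

```python
"""Toy model of the rating flow on the ENISA SME Cloud Security Tool page.
Assumed (this example's own, not ENISA's): the cut-offs in rate_risk(),
the trigger sets below, and all sample data in sample_inputs()."""
from dataclasses import dataclass


@dataclass
class Opportunity:
    id: str
    title: str
    rating: str          # "Small", "Medium" or "Large" (the page's scale)


@dataclass
class Risk:
    id: str
    title: str
    applicable: bool     # the "Applicable" column: ticked or not
    impact: int          # 1 = Low ... 5 = High
    probability: int     # 1 = Low ... 5 = High


@dataclass
class SecurityQuestion:
    id: str
    title: str
    opportunities: list  # IDs of the opportunities this question relates to
    risks: list          # IDs of the risks this question relates to


def rate_risk(impact: int, probability: int) -> str:
    """Map a 1..5 impact and probability to one of the page's Rate labels.
    The labels come from the page; the cut-offs are assumed."""
    for value in (impact, probability):
        if not 1 <= value <= 5:
            raise ValueError("impact and probability must be between 1 and 5")
    # Checked first: a rare but severe event must not be hidden by a low product.
    if impact >= 4 and probability <= 2:
        return "High impact, low probability"
    score = impact * probability          # 1..25
    if score >= 15:
        return "Major"
    if score >= 8:
        return "Significant"
    return "Minor"


# Assumed: which ratings make a linked security question worth asking.
RISK_TRIGGERS = {"Major", "Significant", "High impact, low probability"}
OPPORTUNITY_TRIGGERS = {"Medium", "Large"}


def rate_risks(risks: list) -> dict:
    """Rate every applicable risk; rows not marked applicable are skipped."""
    return {r.id: rate_risk(r.impact, r.probability) for r in risks if r.applicable}


def select_questions(opportunities: list, risks: list, questions: list) -> dict:
    """Return {question id: [reasons]} for every question linked to a
    triggering risk or opportunity; the reasons say why it was kept."""
    rates = rate_risks(risks)
    opp_rating = {o.id: o.rating for o in opportunities}
    selected = {}
    for q in questions:
        reasons = [f"{rid}: {rates[rid]}" for rid in q.risks
                   if rates.get(rid) in RISK_TRIGGERS]
        reasons += [f"{oid}: {opp_rating[oid]} opportunity" for oid in q.opportunities
                    if opp_rating.get(oid) in OPPORTUNITY_TRIGGERS]
        if reasons:
            selected[q.id] = reasons
    return selected


def sample_inputs():
    """Constructed sample data, loosely in the spirit of the ConsultLess scenario."""
    opportunities = [
        Opportunity("O1", "Provider patches server operating systems", "Large"),
        Opportunity("O2", "Provider runs the physical facilities", "Small"),
    ]
    risks = [
        Risk("R1", "Client files leak from the provider", True, impact=5, probability=2),
        Risk("R2", "Leaver's account is not revoked", True, impact=4, probability=4),
        Risk("R3", "Service outage during working hours", True, impact=3, probability=2),
        Risk("R4", "Internal mail server compromise", False, impact=5, probability=3),
    ]
    questions = [
        SecurityQuestion("SQ1", "Who patches, and how quickly?", ["O1"], []),
        SecurityQuestion("SQ2", "How are accounts revoked?", [], ["R2"]),
        SecurityQuestion("SQ3", "What availability does the SLA promise?", [], ["R3"]),
        SecurityQuestion("SQ4", "Is stored data encrypted?", [], ["R1", "R4"]),
        SecurityQuestion("SQ5", "Where are the data centres?", ["O2"], []),
    ]
    return opportunities, risks, questions


def run_sample() -> dict:
    return select_questions(*sample_inputs())


if __name__ == "__main__":
    for qid, reasons in run_sample().items():
        print(qid, "<-", "; ".join(reasons))
```

On the constructed data, SQ1, SQ2 and SQ4 are kept: SQ3 drops out because its only linked risk rates Minor, SQ5 because its opportunity is only Small, and R4 never influences the result because it is not marked applicable (the internal mail server is being replaced). The "High impact, low probability" check runs before the product score so that a rare but severe risk is surfaced rather than averaged away.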