Small and medium size enterprises (SMEs) are an important driver for innovation and growth in the EU. SMEs also stand to gain the most from cloud computing, because it is complicated and costly for them to set-up and run ICT in the traditional way. SMEs do not always understand all the information security risks and opportunities of cloud computing.
The ex-vice president of the EU’s Digital Agenda, Miss Kroes, said explicitly: “These issues [blocking adoption of cloud computing] are particularly troublesome for smaller companies, which stand to benefit the most from the Cloud, but do not have a lot of spending power, nor resources for individual negotiations with Cloud suppliers”.
ENISA has developed a security guide and built a security tool to provide guidance for SMEs on network information security risks and opportunities of cloud computing. It is important that SMEs do not only look at the network and information security risks of cloud computing but also at the opportunities to improve their network and information security.
ENISA Security Guide for SMEs
This guide is aimed not only to SMEs but also to government agencies or end users. This guide wants to help SMEs understand the NIS risks and opportunities they should take into account when procuring cloud service. SMEs often have few IT or information security experts and it is infeasible for SMEs to negotiate with providers about custom features or custom contracts. SMEs typically buy standardized (off the shelf) services under fixed (boilerplate) contracts and SLAs.
This document will be useful as among other information contains a list of 11 security opportunities and a list of 11 security risks in a rate-able form that can be used directly by SMEs when they procure cloud services.
The Security Guide for SMEs has been created in close collaboration with the ENISA Cloud Security and Resilience expert group, based on the 2009 ENISA risk assessment guide. The risks and opportunities have been extensively cross checked and reviewed by subject matter experts.
ENISA SME Cloud Security Tool
The SME Cloud Security Tool is the realisation of the guide into a usefull online tool for SMEs. Using this tool the user can rate the security risks and opportunities and generate a list of security questions linked to his/her requirements. This set of questions can be addressed to the cloud providers to assist the SME making an informative decision when procuring cloud services: the user can print empty forms to use during procurement. Results of the tool are customised to each SME according to its priorities and requirements.