Chairs: Marnix Dekker (ENISA), Daniele Catteddu (CSA), Jamie Clark (OASIS)
Thursday, 13 October, 10.00-12.45
Open to conference attendees and public
Organizations are switching from running computer systems and networks to managing service contracts for cloud and other ICT services. They focus on what service they want delivered, rather than on how it is delivered.
The adage ‘if you can’t measure it, you can’t manage it’ is very relevant to security in cloud computing. Service level agreements (SLAs) are often the only measurable part of a contract. It is important that cloud SLAs describe relevant and measurable security parameters, and that the SLRs (Service Level Reports) contain the measurements of these security parameters. Of course, not all security aspects are captured in SLAs or SLRs; for example, the requirement to store data only in the EU would feature in an RFP and in a contract, but would typically not appear in an SLA or SLR.
In this workshop, organized jointly by ENISA, CSA and OASIS, we want to identify, with the help of the audience, good practices for SLAs that allow customers to manage the security of services and to address information security risks. It is important to stress that we will focus only on what level of security and resilience gets delivered, rather than on how it is delivered (firewalls, load balancers, access control lists, etc.).
This workshop is a working session, in which we will agree and draft a set of best practices and/or considerations together with participants.
A preliminary agenda of topics is the following:
- Parameters: We will go over a wide range of security parameters (e.g. reachability, throughput, QoS, end-to-end availability).
- Measurement: For each security parameter we will discuss whether it is suited for inclusion in SLAs, and how it can be measured by the customer, a third party or the vendor.
- SLA building: Looking at different scenarios and business cases, we will take the security parameters and focus on how they can be integrated in different SLAs for different kinds of services and customers.
Related work: The development of template contracts and service level agreements was mentioned by Commissioner Kroes as one of the areas to be addressed in the European Cloud Computing Strategy. ENISA is currently running a survey across government organisations to find out which security parameters are included in SLAs, and how. Preliminary results of this survey will be used as input here.