ENISA underlines the importance of incident reporting in cloud computing, particularly in critical sectors, as a way to better understand security and foster trust. ENISA presents a practical approach which results in a ‘win-win’ scheme for customers and providers.
Cloud security incidents often catch the media’s attention as they affect a large number of users; for example, a large storage service provider recently suffered an outage (http://thenextweb.com/insider/2014/01/13/dropbox-apologizes-for-extended-outage-and-says-no-user-data-was-affected/?utm_content=buffer961f2&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer#!r57NE) lasting two days. However, because there are no consistent reporting schemes for cloud security incidents, it is hard to understand the causes and impact of these incidents. To better comprehend the resilience and security of cloud computing services, it is important to discuss the topic with industry and government and to find common ground on pragmatic incident reporting schemes that would provide useful information to customers and government authorities.
The Executive Director (https://www.enisa.europa.eu/about-enisa/structure-organization/executive-director) of ENISA, Professor
The report looks at four different cloud computing scenarios and investigates how incident reporting schemes could be set up, involving cloud providers, cloud customers, operators of critical infrastructure and government authorities:
A. Cloud service used by a critical information infrastructure operator;
B. Cloud service used by customers in multiple critical sectors;
C. Cloud service for government and public administration (a gov-cloud);
D. Cloud service used by SMEs and citizens.
Using surveys and interviews with experts, we identified a number of key issues:
· In most EU Member States, there is no national authority to assess the criticality of cloud services.
· Cloud services are often based on other cloud services. This increases complexity and complicates incident reporting.
· Cloud customers often do not put incident reporting obligations in their cloud service contracts.
The report contains several recommendations, based on feedback from cloud experts in industry and government:
· Voluntary reporting schemes hardly exist and legislation might be needed for operators in critical sectors to report about security incidents.
· Government authorities should address incident reporting obligations in their procurement requirements.
· Critical sector operators should address incident reporting in their contracts.
· Incident reporting schemes can provide a “win-win” for providers and customers, increasing transparency and, in this way, fostering trust.
· Providers should lead the way and set up efficient and effective, voluntary reporting schemes.
For the full report, see https://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/incident-reporting-for-cloud-computing/
Background: Proposed NIS Directive (http://eeas.europa.eu/policies/eu-cyber-security/cybsec_directive_en.pdf); EU Cyber Security Strategy (http://www.eeas.europa.eu/policies/eu-cyber-security/)
For interviews: Ulf Bergström, Spokesman, firstname.lastname@example.org, mobile: +30 6948 460 143, or
For all media inquiries please contact email@example.com
This information was brought to you by Cision http://news.cision.com