Procure Secure: A guide to monitoring of security service levels in cloud contracts
A practical guide aimed at the procurement and governance of cloud services. This guide provides advice on questions to ask about the monitoring of security. The goal is to improve public sector customer understanding of the security of cloud services and the potential indicators and methods which can be used to provide appropriate transparency during service delivery. One-off or periodic provider assessments are a vital component of effective security management. However, they are insufficient without additional feedback in the intervals between assessments: they do not provide real-time information, regular checkpoints or threshold-based alerting, as covered in this report.
Publication date: Apr 02, 2012
Authors:
Dr. Giles Hogben, Dr. Marnix Dekker, ENISA
On Monday, as part of its effort to help put Europe back on track with cloud services adoption, ENISA, the public agency responsible for the security of Europe's information services, published a new set of surprisingly legible recommendations. They are aimed not just at public-sector firms but at private-sector firms as well, and they cover how to evaluate a cloud service provider's (CSP's) performance during a security event and determine whether the provider is living up to the terms spelled out in its SLAs.