Would it be helpful for US companies to adopt the EU guidelines for improving security in cloud contracts?
ENISA (the European Network and Information Security Agency) released a set of guidelines that essentially provides a model set of questions for companies entering into contracts with cloud service providers. It's a 64 page document that you can review if you are so inclined: http://www.enisa.europa.eu/activities/application-security/test/procure-...
Without going into too much depth, the guidelines offer suggestions for contractual agreements on specific actions and duties of the cloud provider, and, when appropriate sets out metrics for measuring compliance. In my view it helps the two parties understand exactly what is expected and what will be provided. Of course, every company can do this on an individual basis, but good luck getting Amazon Cloud Services to sit down and agree to thousands of individual agreements that all differ. This provides a sort of standardization as to what the mutual expectations are, especially as related to data security. As far as I know there isn't anything comparable in the US. Why not adopt these guidelines outright in the US, or some form of them to ensure providers are upfront with customers about security practices and expectations?
Answers
Related Questions
We just got notice yesterday that our Google Cloud Storage costs will be getting cheaper by about 10%. All right, I'll take it. Other...
Just as OpenStack released its newest cloud OS, Essex, Citrix announced that is was going to drop support of OpenStack and focus on...
A few months back, Newsweek published its list of "America's Dying Cities," and my hometown, South Bend, Indiana, is one of them. It...
Best Buy has announced their own cloud-based music service, named Music Cloud. It is set to compete with Amazon, Google, Microsoft, and...
Given the rising surge in hacking attacks from Anonymous, Lulzsec, as well as attacks from Russia and China, is a cloud-based service...
Ask a question
White Papers & Webcasts
White Paper
Bullet-Proof Your Enterprise Linux Environment
White Paper
How to Avoid the High Cost of Security Audits
White Paper
Business Assureance Technology Infographic
See more White Papers | Webcasts
I think it would be helpful in theory, but in the US I don't think it is likely that companies will voluntarily adopt a standard that isn't drafted by their own lawyers or perhaps their own trade association. It would be like asking AT&T to adopt a customer friendly service contract - it isn't going to happen, because they can stack the deck in their favor, and you can't do a darn thing about it. I don't view most of the major cloud service providers as negatively as I view AT&T, but unless everybody is on board at once, I can't see one of them agreeing to anything that might cost them money through increased obligations to customer service.
As to the specifics of the ENISA guidelines, I think they are actually quite good. While I may have doubts as to the adoption of them or something similar as an industry standard for contracts, I think they could be very helpful guidence for companies entering "The Cloud" for the first time. The ENISA guide helps ensure that, if they are followed, the right questions are at least being considered, and the company entering into the contract will understand what they are getting and the responsibilities of the could provider under the contract.