Would it be helpful for US companies to adopt the EU guidelines for improving security in cloud contracts?


ENISA (the European Network and Information Security Agency) released a set of guidelines that essentially provides a model set of questions for companies entering into contracts with cloud service providers. It's a 64 page document that you can review if you are so inclined: http://www.enisa.europa.eu/activities/application-security/test/procure-...

Without going into too much depth, the guidelines offer suggestions for contractual agreements on specific actions and duties of the cloud provider, and, when appropriate sets out metrics for measuring compliance. In my view it helps the two parties understand exactly what is expected and what will be provided. Of course, every company can do this on an individual basis, but good luck getting Amazon Cloud Services to sit down and agree to thousands of individual agreements that all differ. This provides a sort of standardization as to what the mutual expectations are, especially as related to data security. As far as I know there isn't anything comparable in the US. Why not adopt these guidelines outright in the US, or some form of them to ensure providers are upfront with customers about security practices and expectations?

Answer this Question


2 total
Vote Up (17)

I'm a big fan of "draw water from many wells." If these new guidelines have useful concepts and information, then it makes sense to take a look at them. It might not all be useful, but if there are useful ideas then why not?

Vote Up (12)

I think it would be helpful in theory, but in the US I don't think it is likely that companies will voluntarily adopt a standard that isn't drafted by their own lawyers or perhaps their own trade association.  It would be like asking AT&T to adopt a customer friendly service contract - it isn't going to happen, because they can stack the deck in their favor, and you can't do a darn thing about it.  I don't view most of the major cloud service providers as negatively as I view AT&T, but unless everybody is on board at once, I can't see one of them agreeing to anything that might cost them money through increased obligations to customer service.  


As to the specifics of the ENISA guidelines, I think they are actually quite good.  While I may have doubts as to the adoption of them or something similar as an industry standard for contracts, I think they could be very helpful guidence for companies entering "The Cloud" for the first time.  The ENISA guide helps ensure that, if they are followed, the right questions are at least being considered, and the company entering into the contract will understand what they are getting and the responsibilities of the could provider under the contract. 

Ask a question

Join Now or Sign In to ask a question.
In response to a query from Vint Cerf, professional developers explain why they don’t feel a membership in the Association for Computing Machinery is worth the cost
Microsoft and IBM are gaining momentum in the cloud infrastructure services market, putting pressure on Amazon and outpacing rival Google, according to a new study.
A network testbed being constructed just south of San Francisco will help carriers and vendors develop standards for better cloud services, the CloudEthernet Forum says.
Managed cloud service offers alternative to DIY or WAN optimization appliances.
IT leaders need to learn how to manage the evolving legal, privacy and compliance issues of SMAC contracts.
California is moving its IT services to a cloud, on-demand, subscription-based service that state officials believe may meet as much as 80% of its computing needs.
Microsoft has begun boosting the free allowance of its OneDrive cloud-based storage service to one terabyte for subscribers to consumer and college student Office 365 plans.
IBM is offering a potentially powerful incentive in its attempts to entice organizations to move supercomputing jobs to the cloud: a high-speed network communications link called InfiniBand.
Businesses don't have to use Sprint's network or even Android devices.
Dropbox will continue beefing up the business version of its cloud storage and file sharing service, adding security features to shared links, full-text search capabilities and new tools for enterprise developers.
Join us: