Would it be helpful for US companies to adopt the EU guidelines for improving security in cloud contracts?


ENISA (the European Network and Information Security Agency) released a set of guidelines that essentially provides a model set of questions for companies entering into contracts with cloud service providers. It's a 64-page document that you can review if you are so inclined: http://www.enisa.europa.eu/activities/application-security/test/procure-...

Without going into too much depth, the guidelines offer suggestions for contractual agreements on specific actions and duties of the cloud provider and, when appropriate, set out metrics for measuring compliance. In my view it helps the two parties understand exactly what is expected and what will be provided. Of course, every company can do this on an individual basis, but good luck getting Amazon Cloud Services to sit down and agree to thousands of individual agreements that all differ. This provides a sort of standardization as to what the mutual expectations are, especially as related to data security. As far as I know there isn't anything comparable in the US. Why not adopt these guidelines outright in the US, or some form of them, to ensure providers are upfront with customers about security practices and expectations?

Vote Up (17)

I'm a big fan of "draw water from many wells." If these new guidelines have useful concepts and information, then it makes sense to take a look at them. It might not all be useful, but if there are useful ideas then why not?

Vote Up (12)

I think it would be helpful in theory, but in the US I don't think it is likely that companies will voluntarily adopt a standard that isn't drafted by their own lawyers or perhaps their own trade association. It would be like asking AT&T to adopt a customer-friendly service contract - it isn't going to happen, because they can stack the deck in their favor, and you can't do a darn thing about it. I don't view most of the major cloud service providers as negatively as I view AT&T, but unless everybody is on board at once, I can't see one of them agreeing to anything that might cost them money through increased obligations to customer service.


As to the specifics of the ENISA guidelines, I think they are actually quite good. While I may have doubts as to the adoption of them or something similar as an industry standard for contracts, I think they could be very helpful guidance for companies entering "The Cloud" for the first time. The ENISA guide helps ensure that, if the guidelines are followed, the right questions are at least being considered, and the company entering into the contract will understand what they are getting and the responsibilities of the cloud provider under the contract.
