Cloud security incidents often catch the media’s attention because they affect large numbers of users. For example, a large storage service provider recently suffered an outage lasting two days. However, because there are no consistent reporting schemes for cloud security incidents, it is hard to understand the causes and impact of these incidents.
To comprehend the resilience and security of cloud computing services better, it is important to discuss the topic with the industry and government and find common ground as regards pragmatic incident reporting schemes, which would provide useful information to customers and government authorities.
The Executive Director of ENISA, Professor Udo Helmbrecht remarked: “Incident reporting is crucial to enable better understanding of the security and resilience of Europe’s critical information infrastructures. Cloud computing is now becoming the backbone of our digital society, so it is important that cloud providers improve transparency and trust by adopting efficient incident reporting schemes.”
A new report looks at four different cloud computing scenarios and investigates how incident reporting schemes could be set up, involving cloud providers, cloud customers, operators of critical infrastructure and government authorities:
A. Cloud service used by a critical information infrastructure operator
B. Cloud service used by customers in multiple critical sectors
C. Cloud service for government and public administration (a gov-cloud)
D. Cloud service used by SMEs and citizens.
Using surveys and interviews with experts, we identified a number of key issues:
- In most EU Member States, there is no national authority to assess the criticality of cloud services.
- Cloud services are often based on other cloud services. This increases complexity and complicates incident reporting.
- Cloud customers often do not put incident reporting obligations in their cloud service contracts.
The report contains several recommendations, based on feedback from cloud experts in industry and government:
- Voluntary reporting schemes hardly exist, and legislation might be needed to require operators in critical sectors to report security incidents.
- Government authorities should address incident reporting obligations in their procurement requirements.
- Critical sector operators should address incident reporting in their contracts.
- Incident reporting schemes can provide a “win-win” for providers and customers, increasing transparency and, in this way, fostering trust.
- Providers should lead the way and set up efficient and effective, voluntary reporting schemes.