How to implement incident reporting in cloud computing
Posted on 17 January 2014.
Cloud security incidents often catch the media’s attention as they affect a large number of users. For example, recently a large storage service provider suffered an outage lasting two days. However, due to the lack of consistent reporting schemes for cloud security incidents, it is hard to understand the causes and impact of these incidents.


To better understand the resilience and security of cloud computing services, it is important to discuss the topic with industry and government and find common ground on pragmatic incident reporting schemes that would provide useful information to customers and government authorities.

The Executive Director of ENISA, Professor Udo Helmbrecht, remarked: "Incident reporting is crucial to enable better understanding of the security and resilience of Europe’s critical information infrastructures. Cloud computing is now becoming the backbone of our digital society, so it is important that cloud providers improve transparency and trust by adopting efficient incident reporting schemes."

A new report looks at four different cloud computing scenarios and investigates how incident reporting schemes could be set up, involving cloud providers, cloud customers, operators of critical infrastructure and government authorities:

A. Cloud service used by a critical information infrastructure operator
B. Cloud service used by customers in multiple critical sectors
C. Cloud service for government and public administration (a gov-cloud)
D. Cloud service used by SMEs and citizens.

Using surveys and interviews with experts, we identified a number of key issues:
  • In most EU Member States, there is no national authority to assess the criticality of cloud services.
  • Cloud services are often based on other cloud services. This increases complexity and complicates incident reporting.
  • Cloud customers often do not put incident reporting obligations in their cloud service contracts.

The report contains several recommendations, based on feedback from cloud experts in industry and government:
  • Voluntary reporting schemes hardly exist, and legislation might be needed for operators in critical sectors to report security incidents.
  • Government authorities should address incident reporting obligations in their procurement requirements.
  • Critical sector operators should address incident reporting in their contracts.
  • Incident reporting schemes can provide a “win-win” for providers and customers, increasing transparency and, in this way, fostering trust.
  • Providers should lead the way and set up efficient and effective, voluntary reporting schemes.




