EU unveiled "cloud computing contract Security Service level monitoring Guide"

With the deepening of cloud computing applications, cloud computing services are becoming a more and more important part of government procurement. How to ensure the security of the Government and enterprises to use cloud computing services, how to establish the security standards for cloud computing services, how to strengthen the security monitoring of cloud computing services has aroused the high concern of government authorities. In order to ensure the security of cloud computing services for member Governments, the European Union Network and Information Security Authority formally introduced in April 2012 the "Cloud Computing contract Security Service level monitoring Guide" ("The Guide"), providing a continuous monitoring of cloud computing service provider service level agreement operation system, The monitoring action is scientifically introduced into the whole contract cycle to achieve the objective of real-time verification of user data security. Strengthening safety monitoring becomes the important prerequisite of cloud computing service development

With the wide and deep application of cloud computing, the problem of cloud service security is becoming more and more prominent, and strengthening security monitoring is an important prerequisite for the development of cloud services.

As cloud computing can dramatically reduce costs and increase efficiency, the amount and proportion of countries buying cloud computing services in the public service sector is rising rapidly. According to IDC forecast, 2013 cloud service profit will reach 44.2 billion US dollars, and European cloud service market also will surpass 6 billion euros. While the benefits of cloud services abound, there are many risks and uncertainties associated with their multiple users and shared resources. Especially with the application of cloud computing increasingly extensive and in-depth, cloud services involved in the data security problems become increasingly prominent. Overall, there are 3 main risks to the cloud environment: policy and organizational risk, if the loss of certain management rights, forced to lock on a certain or a number of cloud service providers (CSP), the second is the technical risk, such as the user data isolation failure, incomplete data deletion, internal personnel malicious operation, etc., the third is the legal risk, such as data protection risk. Therefore, to strengthen the safety monitoring and risk prevention is undoubtedly the important prerequisite for the development of cloud services. This not only helps to play the scale effect, but also makes the CSP have differentiated competitive advantage and more timely and effective updating ability.

The introduction of the guide is the key to the security deployment of EU cloud services

In order to ensure the security of cloud services, the EU issued the "Cloud Computing contract Security Service level monitoring Guide", the assessment work throughout the contract period.

Back in 2009, the European Union's Network and Information Security Agency (ENISA) has launched research work on the issue of cloud computing: benefits, risks and information security recommendations and the ENISA Cloud computing information security framework to enable the public sector to assess cloud service providers to determine whether to procure their services. In 2011, ENISA released a report on the security and resilience of government clouds, which provided a guide to decision-making for public institutions. ENISA also surveyed the practices of more than 140 European public institutions in the procurement of cloud services, laying the groundwork for further detailed operational guidelines. However, the above deployment focuses on how to circumvent security risks in the early days of cloud service delivery. In order to guarantee the security of cloud services continuously throughout the contract period, ENISA developed and released the "Cloud Computing contract Security Service level monitoring Guide" in April 2012. The guide focuses on contracts in the public service sector, which will be assessed throughout the contract period. This will help to continuously monitor the data security of cloud services, provide guidance to the cloud service purchasers, and push the industry into a new stage of development.

The eight indicator system of the guide reflects SLA operation

From the SLA point of view, the Guide presents 8 index systems including service availability, accident response and data lifecycle management.

Because the security of the cloud services is primarily controlled by the cloud service provider, the customer's interoperability with the provider is primarily through a service level agreement (SLA). Therefore, this guide mainly from the SLA point of view, for customers, including service availability, accident response, service elasticity, data lifecycle management, such as a set of 8 aspects of continuous monitoring of its service provider SLA Performance Index system, The aim is to help customers to verify their data security through continuous monitoring and early warning of these 8 key indicators that reflect SLA performance.

Availability of services: availability is the proportion of service requests and service times that are met within a certain amount of time. In a service agreement, a description of the service availability status must be explicitly given. At present, many services and products have been used to monitor the state of network connectivity, as well as monitoring tools that rely on cloud service providers.

Incident response: An incident is a state in which a service is not normally provided, and an event that causes or may cause a service outage or deterioration in the quality of service. According to the Information Technology Infrastructure Library (ITIL) model, the level of monitoring and response to accidents is usually determined by two factors: first, severity, determined according to the severity rating of the accident. The second is response time, which means the time of the remedial

Service elasticity and load tolerance: elasticity can be described quantitatively as the proportion of failed resource allocations to all configuration requirements during one execution period. Some CSPs provide a redundant capability that not only guarantees a certain degree of flexibility in the use of other users, but, more importantly, is significant for disaster recovery times.

Data lifecycle Management: Primarily used to measure the efficiency and effectiveness of provider data processing, including backup or data replication systems for services, ability to export data, and data loss protection systems.

Technical compliance and vulnerability management: used to measure whether cloud services conform to technical security policies, including the accuracy of controls and the ability to handle vulnerabilities. Compliance and vulnerability management of monitoring techniques are often based on deviations from baseline security policies.

Change management: Used to monitor and manage important changes related to system security attributes and configurations. When signing a contract, you need to make a list of the details, if the item on the list changes, should give the user notice.

Data isolation: A functional requirement that must be done in real time. Data isolation ensures the confidentiality, integrity, and availability of different customer data and services and protects data from unauthorized third-party users.

Log management and forensics: include capturing historical information about the user's use of cloud resources. In accordance with its internal controls, compliance, auditing, legal and regulatory requirements, customers may need to obtain the following information: Which users are when, where, and what data is processed.

(Responsible editor: Lu Guang)