Apr 12, 2012

Would it be helpful for US companies to adopt the EU guidelines for improving security in cloud contracts?

ENISA (the European Network and Information Security Agency) released a set of guidelines that essentially provides a model set of questions for companies entering into contracts with cloud service providers. It's a 64 page document that you can review if you are so inclined: http://www.enisa.europa.eu/activities/application-security/test/procure-...

Without going into too much depth, the guidelines offer suggestions for contractual agreements on specific actions and duties of the cloud provider, and, when appropriate, set out metrics for measuring compliance. In my view it helps the two parties understand exactly what is expected and what will be provided. Of course, every company can do this on an individual basis, but good luck getting Amazon Cloud Services to sit down and agree to thousands of individual agreements that all differ. This provides a sort of standardization as to what the mutual expectations are, especially as related to data security. As far as I know there isn't anything comparable in the US. Why not adopt these guidelines outright in the US, or some form of them, to ensure providers are upfront with customers about security practices and expectations?


I think it would be helpful in theory, but in the US I don't think it is likely that companies will voluntarily adopt a standard that isn't drafted by their own lawyers or perhaps their own trade association. It would be like asking AT&T to adopt a customer-friendly service contract - it isn't going to happen, because they can stack the deck in their favor, and you can't do a darn thing about it. I don't view most of the major cloud service providers as negatively as I view AT&T, but unless everybody is on board at once, I can't see one of them agreeing to anything that might cost them money through increased obligations to customer service.


As to the specifics of the ENISA guidelines, I think they are actually quite good. While I may have doubts as to the adoption of them or something similar as an industry standard for contracts, I think they could be very helpful guidance for companies entering "The Cloud" for the first time. The ENISA guide helps ensure that, if they are followed, the right questions are at least being considered, and the company entering into the contract will understand what they are getting and the responsibilities of the cloud provider under the contract.

I'm a big fan of "draw water from many wells." If these new guidelines have useful concepts and information, then it makes sense to take a look at them. It might not all be useful, but if there are useful ideas then why not?
