Using the ENISA checklist to check a cloud provider's security and read the SLA

When small companies choose cloud-based IT services, they are usually looking to save time and money. But without experience it is almost impossible to assess the security of a service "by eye". Even when companies read the cloud provider's agreement carefully, they do not always know what to look out for.





The European Network and Information Security Agency (ENISA) decided to help small businesses and created the Cloud Security Guide for SMEs. The guide describes the information security risks faced by small and medium-sized businesses, helps formulate the right questions for a cloud provider, and helps check the service level agreement (SLA). Not every item on this list can be verified with certainty, but some points are fully confirmed by certificates and licenses.





Today we take a closer look at the list of questions for the provider. We evaluate it with a fresh perspective, supplement it with examples from Russian practice, and find out which evidence from a provider can really guarantee data protection in the cloud.





1. How does the provider generally manage information security risks?

. , . 





, : 





  • ;





  • ;





  • . , , , Cloud Controls Matrix Cloud Security Alliance, ISO/IEC 27017:2015 , (STAR).  , . 





  • , , ISO/IEC 27001. , .





2. , ?

, . 





. ENISA :





Types of assets depending on the type of service.

, . , SaaS , , — . , .





,





  • , . , PCI DSS . :





    Who is responsible for what is indicated in the table.
    , .
  • , ; 





  • SLA;





  • : , .





3. , ?

- . 





, , . , . DR-, . 





  -. , , . 





,





  • -, , Uptime Institute;





  • - , ; 





  • , ;





  • , , (RTO RPO).





4. ?

. , , . β€”





, .  





,





  • , , - ;





  • .





5. , ?

: . , , .  





, .  





,





  • ;





  • , ;  





  • (, ); 





  • , .





6. ?

, . , - . 





,





  • ISO/IEC 27001;





  • PCI DSS;





  • ;





  • (IdM), , .





7. ?

, . , " ", . ENISA , , .





,





  • , , ; 





  • ;





  • : , , ;





  • .





8. API ?

- API. , , . 





, :





  • ;





  • -;





  • .





9. , , ?

, .   .





, :





  • ;





  • ;





  • , SLA.





10. ?

, . - .





, :





  • GUI, API, ;





  • .





11. , ?

. , , . , . , . 





, . 





, :





  • ;





  • ;





  • ;





  • SLA, .





12. ?

" ". 152- , .





:





  • -;









  • .





, - ENISA . , ?







