ENISA has developed a security guide and built a security tool to provide guidance for SMEs on network information security risks and opportunities of cloud computing. It is important that SMEs do not only look at the network and information security risks of cloud computing but also at the opportunities to improve their network and information security.
ENISA SME Cloud Security Tool
The SME Cloud Security Tool is the realisation of the guide as a useful online tool for SMEs. Using this tool the user can rate the security risks and opportunities and generate a list of security questions linked to his/her requirements. This set of questions can be put to cloud providers to help the SME make an informed decision when procuring cloud services: the user can print empty forms to use during procurement. Results of the tool are customised to each SME according to its priorities and requirements.
The SME Cloud Security Tool offers the functionality to rate the risks and opportunities and to generate a list of security questions to understand the main features of the cloud service under consideration. The tool can also calculate and visualise risks and opportunities, and consolidate the results into a customised set of security questions.
Rate the security opportunities and the security risks below according to your organisation requirements.
As every SME is different, not all of these security opportunities offered by cloud services are equally important for every SME. This tool enables you to rate or rank the opportunities most relevant to you as an SME using the following scale:
- Small opportunity: As an SME you could exploit this opportunity, but benefits would be limited.
- Medium opportunity: As an SME you should exploit this opportunity, because benefits would be significant.
- Large opportunity: As an SME you must exploit this opportunity, as there would be crucial benefits.
Scenario 1: SME using SaaS
ConsultLess is a small consultancy firm in the EU that has 20 employees (mostly legal and management experts). One of the employees is a partner and also the Chief Information Officer (CIO) of the firm. Occasionally the CIO pays consultants for IT advice or support. ConsultLess decides to procure office software as a service (SaaS) for use by its employees: the cloud service offers document storage/editing, email and calendar. This cloud service is to replace an internal mail server and office software installed on individual computers.
In this scenario the security tasks which will be carried out by the cloud provider are:
- Managing hardware and facilities, including physical security, power, cooling, etc.;
- Managing server operating systems and the application server, including development, deployment, patching, updating, monitoring, checking logs, etc. For example, it is the responsibility of the provider to patch the server operating systems in time;
- Managing the application software, including development, patching, updating, monitoring, and checking logs, and so on. For example, it is the responsibility of the provider to fix software flaws in the office software;
- Managing updates of software and data.
The customer, ConsultLess, is merely responsible for handing out accounts to its employees, revoking accounts when employees leave, resetting passwords, etc.
Most security tasks are outsourced to the provider. Once the service has been procured and is up and running, the customer will have few security tasks left to perform. It should be stressed, however, that the responsibility for security cannot be “outsourced”. If something goes wrong with the office software ConsultLess has procured, causing sensitive data about its clients to leak, then ConsultLess will in the first place be held responsible for the damages. Hence, for ConsultLess, clarity about security tasks and responsibilities is a crucial consideration in the procurement process.