Cloud security incidents often attract media attention because they affect a large number of users; for example, a major storage provider recently experienced a two-day service outage. However, due to a lack of consistent reporting programs for cloud security incidents, understanding their causes and impact is difficult. To better understand the resilience and security of cloud computing services, it is important to discuss this issue with industry and government stakeholders to reach a consensus on pragmatic reporting programs that would provide valuable information to customers, governments, and authorities.

ENISA Executive Director Professor Udo Helmbrecht stated: “Incident reporting is crucial for a better understanding of the security and resilience of critical information infrastructure in Europe. Cloud computing is becoming the backbone of our digital society, so it is important that cloud service providers improve their levels of transparency and trust by adopting efficient incident reporting programs.”
The report addresses four different cloud computing scenarios and investigates how incident reporting programs involving cloud service providers, their customers, critical infrastructure operators, and government authorities could be established:
A. The cloud service used by a critical information infrastructure operator;
B. The cloud service used by customers in various critical sectors;
C. The cloud service for the government sector and public administration (a government cloud);
D. The cloud service used by SMEs and citizens.
The surveys and interviews conducted with experts have allowed us to identify certain key issues:
• In most EU Member States, there is no national authority that assesses the significance of cloud services.
• Cloud services are often based on other cloud services. This increases complexity and complicates incident reporting.
• Cloud service customers do not include incident reporting obligations in their cloud service agreements.

The report contains several recommendations based on the opinions of cloud computing experts from industry and government:
• Voluntary reporting programs are virtually nonexistent, so legislation may be needed to require operators in critical sectors to report security incidents.
• Government authorities should include mandatory incident reporting in their tender specifications.
• Operators in critical sectors should include incident reporting in their contracts.
• Incident reporting programs can provide mutual benefits to both providers and customers by increasing transparency and, therefore, building trust.
• Providers should lead this initiative and establish efficient and effective voluntary reporting programs.

Proposed Network and Information Security (NIS) Directive

EU Cybersecurity Strategy