Making Cloud SLAs readily usable in the EU private sector
Cloud Adoption Risks
Cloud computing brings benefits and risks. Knowing which risks you assume depending on the service is crucial to realising the benefits.
To help the cloud industry and regulators in risk management, the European Union Agency for Network and Information Security (ENISA) has identified 35 specific risk categories to pay particular attention to when selecting a cloud service and when using it. Eight risk categories are particularly important.
The table below lists the 8 most relevant ones, as chosen by ENISA itself.
|Risk category|Description|
|---|---|
|Loss of governance|In the Service Level Agreement (SLA), the cloud service provider (CSP) doesn't commit to doing tasks that need to be done but can't be done by the consumer (e.g. security updates)|
|Compliance risks|The CSP fails to deliver the right evidence to demonstrate its compliance with laws/regulations|
|Management interface compromise|The web page/application from which the cloud service customer controls and accesses its data has been violated|
|Data protection|The CSP can't demonstrate the proper handling of the customer's data|
|Lock-in|A cloud service customer (CSC) who needs to move from one CSP to another experiences difficulties in doing so due to the excessive resources/time needed|
|Isolation failure|By error, a CSC can access another customer's data, or one user uses all the available capacity (e.g. bandwidth), leaving no capacity for other consumers|
|Insecure or incomplete data deletion|The CSP cannot assure the complete deletion of all the customer's data because it is held in multiple locations (e.g. several disks/servers/machines)|
|Malicious insider|A CSP employee/partner accesses the CSC's data without permission|
Prospective cloud customers need to check each of these risks when assessing a cloud contract and its associated service level agreements, and take action to mitigate them.
To help prospective customers, SLA-Ready has analysed a set of representative use cases as a guide through the entire cloud service life cycle, based on different levels of knowledge.