Making Cloud SLAs readily usable in the EU private sector

ENISA - Secure Use of Cloud Computing in the Finance Sector

Last week saw the publication of a report by the European Union Agency for Network and Information Security (ENISA) on the current adoption of cloud services in the finance sector: Secure Use of Cloud Computing in the Finance Sector
Written in collaboration with the Cloud Security Alliance (CSA) and sector stakeholders, the report calls for joint actions by financial institutions, industry regulators and cloud service providers to overcome the currenly slow adoption of cloud services within the sector.
A key finding of the report is that the adoption of cloud services within the financial sector remains slow, with most of the institutions still relying on in-house infrastructures. There are several reasons for this, ranging from the risk of losing control over information assets, caution on the part of regulatory authorities and a general lack of awareness and guidance on the security benefits of the cloud.
Where adoption is taking place, it is most oftern a hybrid of public and private cloud, with test environments and email management among the top uses. Private cloud is not only seen as a better fir for the financial market, but is also favoured by the national financial supervisory authorities (NFSAs), as it gives more control over data and operations. 
The report identifies a number of challenges, perceived or real, that are best addressed through an open dialogue between financial institutions, national financial supervisory authorities and cloud service providers or cloud brokers.
The top seven challenges are:
  1. Managing governance and compliance risk. 
  2. Defining better tools for contract/SLA negotiation, especially for small financial institutions.
  3. Increasing the level of transparency of cloud service providers.
  4. Increasing the understanding of cloud security within the sector.
  5. Clarifying the differences between outsourcing and cloud computing. 
  6. Encouraging NFSAs to provide more guidance on cloud adoption. 
  7. Improving the security and privacy certification schemes currently available. 
Publication Date: December 2015
Target Audiences: financial institutions (e.g. banks, insurance companies, investment dealers); national financial supervisory authorities (NFSAs); cloud service providers and cloud brokers.
Authors: Rossen Naydenov, Dimitra Liveri, Lionel Dupre, Eftychia Chalvatzi. CSA, partners of SLA-Ready: Marina Bregu, Daniele Catteddu, Dr Jesus Luna, Damir Savanovic. Representatives from several European financial institutions also contributed to the report.