A new ENISA report provides advice on how to implement incident reporting in cloud computing. ‘Incident Reporting for Cloud Computing’ looks at four different cloud computing scenarios and investigates how incident reporting schemes could be set up, involving cloud providers, cloud customers, operators of critical infrastructure and government authorities.
Using surveys and interviews with experts, ENISA identified a number of key issues:
- In most EU Member States, there is no national authority to assess the criticality of cloud services.
- Cloud services are often based on other cloud services. This increases complexity and complicates incident reporting.
- Cloud customers often do not put incident reporting obligations in their cloud service contracts.
The report contains several recommendations, including:
- Voluntary reporting schemes hardly exist, and legislation might be needed for operators in critical sectors to report security incidents.
- Government authorities should address incident reporting obligations in their procurement requirements.
- Critical sector operators should address incident reporting in their contracts.
- Incident reporting schemes can provide a ‘win-win’ for providers and customers, increasing transparency and, in this way, fostering trust.
- Providers should lead the way and set up efficient and effective, voluntary reporting schemes.