Cloud Security: Top 10 TipsENISA Offers Best Practices Guide
All data owners should write provisions into their cloud computing contracts and service-level agreements to gain the right to oversee their data and services on cloud platforms, says Liveri, a cloud computing security expert at the European Network and Information Security Agency. The contract terms also should define standard procedures to handle data in the cloud as well as how to migrate data and services to another cloud provider or back to the data owner.
"When I am the customer and sign a contract, I [should] know all of the data still remains under my jurisdiction," Liveri says in an interview with Information Security Media Group. "However, in some cases, lack of transparency makes it difficult to know exactly what's going on with my data at every point. In some cases ... when there is a bankruptcy from the provider side, this [creates a] loss of control problem."
The ENISA report Liveri co-authored - Good Practice Guide for Securely Deploying Governmental Clouds - offers 10 recommendations to keep in mind when working with outside vendors. She says the advice also applies to private-sector organizations.
In the interview, Liveri discusses:
- Why recent actions by the U.S. National Security Agency make it less likely for European governments to use American-based cloud providers (see NSA E-Spying: Bad Governance);
- Lessons learned from European governments in safeguarding data and privacy when using cloud services; and
- Why European governments can't agree on a common concept of a government cloud.
Liveri, based in Athens, joined ENISA in May 2010. In July 2012, she took a nine-month leave to work as a security analyst and communications leader at the Cloud Security Alliance before rejoining ENISA last March as security and resilience of communications networks officer.