The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. In their report, published on February 14, 2013, they look at cloud computing from a Critical Information Infrastructure Protection (CIIP) perspective.
Public and private sector organizations are switching to cloud computing: public data on the uptake of cloud computing shows that in a couple of years around 80% of organizations will be dependent on cloud computing. From a CIIP perspective this concentration of IT resources is a ‘double edged sword’:
- On the one hand, large cloud providers can deploy state of the art security and resilience measures and spread the associated costs across the customers.
- On the other hand, if an outage or a security breach occurs the consequences could be big, affecting a lot of data, many organizations and a large number of citizens, at once.
The ENISA look at a number of scenarios and threats relevant from a CIIP perspective, based on a survey of public sources on uptake of cloud computing and large cyber attacks and disruptions of cloud computing services. From the scenarios and the data about uptake and incidents the ENISA draws a number of conclusions in their publication:
- Cloud computing is critical: Cloud computing usage is growing and in the near future the vast majority of organizations will rely on some form of cloud computing services. This makes cloud computing services critical in themselves. When cyber attacks and cyber disruptions happen, millions of users are affected. Cloud computing is being adopted also in critical sectors, like finance, energy and transport.
- Cloud computing and natural disasters: A key benefit of cloud computing is resilience in the face of regional power cuts or local natural disasters. It is difficult to mitigate the impact of fairly common regional disasters like floods, storms, or earthquakes in a set up with only a single datacentre, or a traditional set-up with a legacy onsite IT deployment.
- Cloud computing and overloads or DDoS attacks: Elasticity is a key benefit of cloud computing and this elasticity helps to cope with load and mitigates the risk of overload or DDoS attacks. It is difficult to mitigate the impact of peak usage or a DDoS attack with limited computing resources.
- Cyber attacks: Cyber attacks which exploit software flaws can cause very large data breaches, affecting millions of users directly. The impact of cyber attacks is multiplied by the concentration of resources which is a result of the uptake in cloud computing.
- Infrastructure and platform as a Service the most critical: The most critical services are large IaaS and PaaS services which deliver services to other IT vendors who service in turn millions of users and organizations.
- Administrative and legal disputes: Cloud computing is not immune to administrative or legal issues. If there is a legal dispute involving the provider or one of its customers, than this could have an impact on the data of all the other co- customers (or co-tenants).
The CIIP action plan calls for a discussion about governance strategies for cloud computing and also in speeches about the EU Cyber Security Strategy the issue of cyber security governance is addressed. Below we make a number of recommendations related to the issue of national governance of critical cloud computing services. Governance, from a national perspective, can be split into three key processes:
- Risk assessment: Risk assessment is the basis for security governance.
- Security measures: Taking appropriate security measures is the focus of security governance.
- Incident reporting: Incident reporting provides a cross-check on the security measures, it provides the input for an improved risk assessment, and it provides strategic feedback about the overall governance process.
Download the full report, Critical_Cloud_Computing_V_1_0.pdf, directly or visit the ENISA webpage Critical Cloud Computing – A CIIP perspective on cloud computing services to find out more.