ENISA: Cloud is a double-edged sword for security
Concentration of data with a handful of large cloud service providers could pose its own risks
A new report by the European Network and Information Security Agency (ENISA) has set out both the benefits and the drawbacks of cloud computing for critical information infrastructure protection (CIIP).
Entitled Critical Cloud Computing, the report regards cloud as both vital and inevitable. However, it cautions organisations to have backup plans in place should something happen to their chosen cloud supplier.
“Public data on the uptake of cloud computing shows that in a couple of years around 80 per cent of organisations will be dependent on cloud computing [and] large cloud providers will be serving tens of millions of end users,” the report states.
“From a CIIP perspective, this concentration of IT resources is a ‘double-edged sword’: on the one hand, large cloud providers can deploy state-of-the-art security and resilience measures and spread the associated costs across the customers. On the other hand, if an outage or a security breach occurs the consequences could be big, affecting a lot of data, many organisations and a large number of citizens at once.”
The report identifies four issues it considers to be the most relevant from a CIIP perspective:
- Physical disruption through natural disaster, power outage or hardware failure
- Resource exhaustion due to an overload or DDoS attack
- Cyber attack due to a software flaw
- Administrative or legal issues
The author outlines several actual instances of downtime caused by these issues, including the Amazon EC2 outage that was caused by a huge thunderstorm. The report also highlights the fact that, overall, cloud offers better protection from outages, whatever their cause, than on-premise infrastructure.
In light of the report, ENISA has announced it will launch a new working group focussing on CIIP and governmental cloud strategy.