The shift to the cloud brings with it many security risks – just look at the scary stories told by security vendors such as Arbor Networks for some examples. But the cloud can also mitigate against certain risks, as the European Network and Information Security Agency (ENISA) pointed out today in a new report.
ENISA is the agency charged with co-ordinating the fight across Europe, against various worrisome things prefixed with “cyber-“: “cybercrime”, “cyber attacks” and so on. Europe’s new cybersecurity strategy would make ENISA what security expert Ross Anderson recently called “a classified network of military and intelligence agencies”, but the fact remains that the agency is a relatively impartial observer of the security landscape.
When it comes to the cloud, ENISA sees the new approach to computing infrastructure as a “double-edged sword.” Its report, entitled Critical Cloud Computing, notes as Arbor Networks did, that the concentration of many organizations’ resources in data centers can multiply “the impact of cyber attacks” – effectively, that an attack against one can be an attack against all. It also points to infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) as particularly hot targets:
“The most critical services are large IaaS and PaaS services which deliver services to other IT vendors who service in turn millions of users and organisations.”
There’s also the issue of critical sectors such as finance, transport and energy increasingly putting their crown jewels into the cloud. However, that’s only one side of the coin. ENISA also sees cloud computing as a pretty good defense against, say, distributed denial-of-service (DDoS) attacks on specific services:
“Elasticity is a key benefit of cloud computing and this elasticity helps to cope with load and mitigates the risk of overload or DDoS attacks. It is difficult to mitigate the impact of peak usage or a DDoS attack with limited computing resources.”
With regional power cuts and natural disasters, the agency claimed cloud computing can also provide “resilience.” That depends on how resources are distributed of course – just ask customers using Amazon’s problem-prone Northern Virginia data center. Nonetheless, ENISA pointed to the 2011 Japanese earthquake as an example of a disaster taking out “traditional IT deployments” but failing to down certain cloud services.
As for conclusions, ENISA has a series of recommendations for national cybersecurity agencies that includes a focus on making sure IaaS and PaaS providers stay safe, and figuring out just which public services depend on which cloud services. The agency also sings the praises of standardization in the cloud sector:
“Standardization, especially for IaaS and PaaS services, would allow customers to move workload to other providers in case one provider has suffers a large outages caused by system failures or even administrative or legal disputes.”