For Europe’s spooks, the cloud is a ‘double-edged sword’

The shift to the cloud brings with it many security risks – just look at the scary stories told by security vendors such as Arbor Networks for some examples. But the cloud can also mitigate certain risks, as the European Network and Information Security Agency (ENISA) pointed out today in a new report.

ENISA is the agency charged with co-ordinating the fight across Europe against various worrisome things prefixed with “cyber-”: “cybercrime”, “cyber attacks” and so on. Europe’s new cybersecurity strategy would make ENISA what security expert Ross Anderson recently called “a classified network of military and intelligence agencies”, but the fact remains that the agency is a relatively impartial observer of the security landscape.

When it comes to the cloud, ENISA sees the new approach to computing infrastructure as a “double-edged sword.” Its report, entitled Critical Cloud Computing, notes, as Arbor Networks did, that the concentration of many organizations’ resources in data centers can multiply “the impact of cyber attacks” – effectively, that an attack against one can be an attack against all. It also points to infrastructure-as-a-service (IaaS) and platform-as-a-service (PaaS) as particularly hot targets:

“The most critical services are large IaaS and PaaS services which deliver services to other IT vendors who service in turn millions of users and organisations.”

There’s also the issue of critical sectors such as finance, transport and energy increasingly putting their crown jewels into the cloud. However, that’s only one side of the coin. ENISA also sees cloud computing as a pretty good defense against, say, distributed denial-of-service (DDoS) attacks on specific services:

“Elasticity is a key benefit of cloud computing and this elasticity helps to cope with load and mitigates the risk of overload or DDoS attacks. It is difficult to mitigate the impact of peak usage or a DDoS attack with limited computing resources.”

With regional power cuts and natural disasters, the agency claimed cloud computing can also provide “resilience.” That depends on how resources are distributed, of course – just ask customers using Amazon’s problem-prone Northern Virginia data center. Nonetheless, ENISA pointed to the 2011 Japanese earthquake as an example of a disaster taking out “traditional IT deployments” but failing to down certain cloud services.

As for conclusions, ENISA has a series of recommendations for national cybersecurity agencies that includes a focus on making sure IaaS and PaaS providers stay safe, and figuring out just which public services depend on which cloud services. The agency also sings the praises of standardization in the cloud sector:

“Standardization, especially for IaaS and PaaS services, would allow customers to move workload to other providers in case one provider suffers a large outage caused by system failures or even administrative or legal disputes.”

One Response to “For Europe’s spooks, the cloud is a ‘double-edged sword’”

  1. American cloud services can’t be trusted. Not because of the companies themselves, but because of the US government and the Patriot Act – no matter what they say. If EU governments are leaving their citizens’ sensitive data thinking US gov won’t look through it (either “officially” or in secret) they are being really naive.

    I’d be a lot more comfortable if they tried to use as many local and open source alternatives as possible, instead of proprietary US products and US-based cloud services.