An interesting presentation by Giles Hogben of ENISA at TERENA’s CSIRT Task Force meeting in Heraklion last week looked at security issues when moving to the public cloud computing model. There have been several papers on technical issues such as possible leakage of information between different virtual machines running on the same physical hardware (for example by Ristenpart et al.), but the talk suggested that the major impacts actually come from the organisational change.
Here there are both risks and benefits, and both arise from the fact that using a cloud (as with any type of outsourcing) means that you are depending on someone else to provide security. That could be seen as a risk, since the outsourcing organisation no longer has direct control of security measures and clouds are a “big juicy target” for attackers. However, it may well be that the cloud operator is actually better at doing security than the outsourcer: many security measures such as patch management and filtering scale very well to large systems, and a cloud provider is more likely than a small or medium enterprise to be able to recruit and retain a team of security experts.
So cloud security may not be either “better” or “worse”, but it’s definitely different. ENISA’s full report is well worth reading.