ENISA’s Critical Cloud Computing report examines cloud from a Critical Information Infrastructure Protection (CIIP) perspective: what is the impact on society of outages or attacks? The increasing adoption of the cloud model has both benefits and risks. A previous ENISA report noted that the massive scale of cloud providers makes state-of-the-art security and resilience measures more efficient. However, the dependency of many customers on a small number of suppliers will increase the impact of any problems that do occur.
Reporting (both in the press and to regulators) concentrates on a few large incidents rather than many small ones, so it does not provide useful evidence for the net effect of these opposing trends. However, it is clear that cloud providers will become part of countries’ Critical Information Infrastructure (CII) – if they are not already – both because most other organisations will depend on them to some degree, and because some of the services running on clouds will themselves be in critical sectors such as health, energy and finance. Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) providers are likely to be the most critical because of the number of customers that depend on them and the higher-level cloud services they support.
Looking at the four main threats to CII, ENISA conclude that clouds are likely to provide better protection against local power failures and natural disasters, because physical resilience and geographic diversity are a routine part of cloud provision. The elasticity of clouds can also help to protect against denial of service attacks and flash crowds. However, the dependence on a small number of platforms is likely to increase the impact of software flaws and of administrative or legal disputes, where problems involving one customer may have side-effects for others.
ENISA conclude that countries need to include clouds in their CIIP programmes and will need information about dependencies among services to assess which are the most critical. Critical cloud providers should be included in exchanges of threat information and best practices on protection, and in exercises to test those measures. ENISA note a tension between increasing standardisation – which allows customers to move between platforms in case of problems – and the risk that systems implementing the same standards may also share the same vulnerabilities. Although large clouds already offer physical redundancy, the possibility of implementing logical redundancy to protect against these common failure modes should also be examined. Finally, ENISA stress the importance of encouraging incident reporting, not just through legal requirements but also by rewarding organisations that do report incidents and thereby help improve industry best practice. This is a very welcome turnaround from early laws that saw incident notification as a way to name and shame, thus encouraging organisations to hide their problems.
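The dependency analysis ENISA call for can be sketched as a small graph exercise. The following is an added illustration, not code or data from the ENISA report: service names, sector labels and the dependency edges are constructed, and the scoring rule (critical-sector dependants first, then total dependants) is an assumption chosen to mirror the report's reasoning that IaaS and PaaS providers rank highest because of everything built on top of them.

```python
from collections import defaultdict, deque

# Constructed sample: each service lists the services it runs on.
# Edges point from a dependant to the provider it depends on.
DEPENDS_ON = {
    "hospital-records": ["health-saas"],
    "grid-telemetry": ["energy-paas"],
    "payments-api": ["fintech-paas"],
    "health-saas": ["iaas-A"],
    "energy-paas": ["iaas-A"],
    "fintech-paas": ["iaas-B"],
    "iaas-A": [],
    "iaas-B": [],
}

# Constructed: which top-level services sit in critical sectors.
CRITICAL_SECTORS = {
    "hospital-records": "health",
    "grid-telemetry": "energy",
    "payments-api": "finance",
}


def transitive_dependants(graph):
    """For each service, the set of services an outage of it would affect."""
    reverse = defaultdict(set)
    for svc, deps in graph.items():
        for dep in deps:
            reverse[dep].add(svc)
    result = {}
    for svc in graph:
        seen, queue = set(), deque(reverse[svc])
        while queue:
            cur = queue.popleft()
            if cur in seen:
                continue
            seen.add(cur)
            queue.extend(reverse[cur])
        result[svc] = seen
    return result


def rank_criticality(graph, sectors):
    """Return (service, total_dependants, critical_sector_dependants),
    most critical first. Scoring rule is an assumption, not ENISA's."""
    scored = []
    for svc, affected in transitive_dependants(graph).items():
        critical = sum(1 for a in affected if a in sectors)
        scored.append((svc, len(affected), critical))
    scored.sort(key=lambda t: (t[2], t[1]), reverse=True)
    return scored
```

On the constructed data the two IaaS providers come out on top even though nothing in a critical sector runs on them directly, which is the point the report makes about indirect dependencies.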