
Critical Cloud Computing

ENISA’s Critical Cloud Computing report examines cloud from a Critical Information Infrastructure Protection (CIIP) perspective: what is the impact on society of outages or attacks? The increasing adoption of the cloud model has both benefits and risks. A previous ENISA report noted that the massive scale of cloud providers makes state-of-the-art security and resilience measures more efficient. However, the dependency of many customers on a small number of suppliers will increase the impact of any problems that do occur.

Reporting (both in the press and to regulators) concentrates on a few large incidents rather than many small ones, so doesn’t provide useful evidence for the net effect of these opposing trends. However, it is clear that cloud providers will become part of countries’ Critical Information Infrastructure (CII) – if they are not already – both because most other organisations will depend on them to some degree, and because some of the services running on clouds will themselves be in critical sectors such as health, energy and finance. Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) providers are likely to be the most critical because of the number of customers that depend on them and the higher-level cloud services they support.

Looking at the four main threats to CII, ENISA conclude that clouds are likely to provide better protection against local power failures and natural disasters, because physical resilience and geographic diversity are a routine part of cloud provision. The elasticity of clouds can also help to protect against denial of service attacks and flash crowds. However, the dependence on a small number of platforms is likely to increase the impact of any software flaws or administrative or legal disputes, where problems involving one customer may have side-effects for others.

ENISA conclude that countries need to include clouds in their CIIP programmes and will need information about dependencies among services to assess which are the most critical. Critical cloud providers should be included in exchanges of threat information and best practices on protection, and in exercises to test those measures. ENISA note a tension between increasing standardisation – which allows customers to move between platforms in case of problems – and the risk that systems implementing the same standards may also share the same vulnerabilities. Although large clouds already offer physical redundancy, the possibility of implementing logical redundancy to protect against these common failure modes should also be examined. Finally, ENISA stress the importance of encouraging incident reporting, not just through legal requirements but also by rewarding organisations that do report incidents and thereby help improve industry best practice. This is a very welcome turnaround from early laws that saw incident notification as a way to name and shame, thus encouraging organisations to hide their problems.

By Andrew Cormack

I'm Chief Regulatory Advisor at Jisc, responsible for keeping an eye out for places where our ideas, services and products might raise regulatory issues. My aim is to fix either the product or service, or the regulation, before there's a painful bump!
