Brussels, 14/02/2013 (Agence Europe) - ENISA (the European Network and Information Security Agency) has published a new report on cloud computing, and more specifically on critical information infrastructure protection (CIIP). Today, when more and more companies and organisations are using the Cloud to manage their data, the question of security for these data is becoming more and more critical. “From a security perspective, the concentration of data is a 'double-edged' sword. Large providers can offer state-of-the-art security and business continuity (…) But if an outage or security breach occurs, the impact is bigger, affecting many organisations and citizens at once”, says the author of the report, Marnix Dekker. In the view of ENISA's executive director, Udo Helmbrecht, “we must prepare to prevent service failures and cyber attacks on cloud services”.
In a few years, a large majority of organisations will be dependent on cloud computing. Large cloud services will have tens of millions of end users. The key messages of the ENISA report, which looks into this reality and the dangers linked to this new form of management, are: (1) critical infrastructure - the vast majority of organisations will soon use cloud computing in so-called critical sectors such as finance, energy and transport. Cloud services are themselves becoming a critical information infrastructure; (2) natural disasters and distributed denial of service (DDoS) attacks - an advantage of the Cloud is its resilience in the face of natural disasters and DDoS attacks, a very advanced type of attack aiming to make a machine crash or become unresponsive by drowning it in useless traffic. These attacks are difficult to stop using traditional approaches (servers on site or single data centres); (3) cyber-attacks - these can exploit software flaws and can cause large data breaches, affecting millions of users and data.
The report also provides nine recommendations for bodies responsible for critical information infrastructures. The recommendations particularly suggest including cloud services in national risk assessments, ensuring the tracking of cloud dependencies, and working with access providers on incident reporting schemes.
The complete report (only available in English) can be found at: http://www.enisa.europa.eu/activities/Resilience-and-CIIP/cloud-computing/critical-cloud-computing. (LC/transl.fl)