« previous article | next article in Technology »

Cloud computing is risky

ENISA report highlights cloud problems

By Mikael Ricknäs | Published: 10:23 GMT, 23 November 09 | CIO UK

Related Content

News

Features

Opinion and Debate

Cloud computing users face problems including loss of control over data, difficulties proving compliance, and additional legal risks as data moves from one legal jurisdiction to another, according to an assessment of cloud computing risks from the European Network and Information Security Agency (ENISA).

The agency highlighted those problems as having the most serious consequences and being among the most likely for companies using cloud computing services, according to ENISA.

ENISA examined the assets that companies put at risk when they turn to cloud computing, including customer data and their own reputation; the vulnerabilities that exist in cloud computing systems; the risks to which those vulnerabilities expose businesses, and the probabilities that those risks will occur.

When moving to cloud-based computing services, companies have to hand over control to the cloud provider on a number of issues, which may affect security negatively. For example, the provider's terms of use may not allow port scans, vulnerability assessment and penetration testing. At the same time, service level agreements (SLAs) may not include those services. The result is a gap in defences, ENISA said in the report.

Compliance could also prove to be a big problem if the provider can't offer the right levels of certification or the certification scheme hasn't been adapted for cloud services, the report said.

One of the advantages of cloud services is that data can be stored in multiple locations, which could save the day in the event of an incident in one of the data centers. However, it could also be a big risk if the data centres are located in countries with a shaky legal system, according to the report.

Other areas of concern are vendor lock-in, failure of mechanisms separating different companies, management interfaces that get accessed by hackers, data not deleted properly and malicious insiders.

To minimise these risks the report proposes a list of questions that a company needs to ask potential cloud providers. For example, what guarantees does the provider offer that customer resources are fully isolated, what security education program does it run for staff, what measures are taken to ensure third-party service levels are met, and so on.

In the end a good contract can lessen the risks, according to the report. Companies should especially pay attention to their rights and obligations related to data transfers, access to data by law enforcement and notifications of breaches in security, it said.

ENISA's report isn't all doom and gloom, though. Using cloud computing services can result in more robust, scalable and cost-effective defences against certain kinds of attack, according to the report. For example, the ability to dynamically allocate resources could provide better protection against DDoS (distributed denial-of-service) attacks, ENISA said.

Email Updates

CIO Newsletters: Expert insight, advice and tools for technology, business, leadership and the CIO career.

Email this article to a friend or colleague:

PLEASE NOTE: Your name is used only to let the recipient know who sent the story, and in case of transmission error. Both your name and the recipient's name and address will not be used for any other purpose.

CIO White Papers

Creating an AUP: Common myths & mistakes

Avoid the common myths & mistakes when implementing your AUP

Aligning your IT organisation with profit centres

This paper will discuss how this alignment can be achieved, and 5 important steps that every IT organisation needs to take for success.

Six essential steps to successful IT centralisation

This report provides some practical insights for CIOs, CTOs, Heads of IT, IT Directors and those involved more closely with the service management function.

Unleashing the power of virtualisation 2010

Find out more about cloud computing in European enterprises.

CIO UK - Business - Technology - Leadership

Differentiate your company with complete CRM

Focused on productivity and empowerment and leveraging the natural rhythms people work
What defines Complete CRM? How businesses can better engage customers and users, manage customer transactions, and analyse results to adapt and take advantage of changing business and economic circumstances.

DOWNLOAD

Oracle White Paper

IT Misuse Survey

Complete this survey and you could win a Nexus One.

CIO are running a short survey to discover how UK businesses are managing internet and email misuse in the Enterprise.

COMPLETE SURVEY

Virtualisation 2.0
Driving to higher ground beyond the basics

Virtualisation can deliver unparalleled efficiency and cost reductions to your business, allowing direct access to servers and guaranteeing a dependable, rapid response in times of crisis. Read this e-book to learn more about consolidation, discover the latest technologies and find out how to reduce the TCO of virtualisation.

DOWNLOAD

Trend Micro

* *