ENISA, Europe’s network and information security agency, just released a report looking at cloud computing from the perspective of critical infrastructure protection.
ENISA asserts that 80% of large organisations will be using cloud solutions within two years. The approach that ENISA takes is nicely balanced, pointing out that cloud adoption is both good and bad in terms of critical infrastructure protection. From an organisational perspective, the message is similar
Like any information security endeavour, adoption of cloud boils down to a series of risk decisions. There is of course also a question of organisational and possibly national resilience in the case of critical infrastructure to adapt if any threats are realised.
Cloud is not bulletproof and is not the solution for all problems related to IT. A number of companies were affected by outages of the Amazon service in 2011 and this has provided a wake up call to the industry – http://www.wired.com/business/2011/04/lessons-amazon-cloud-failure/
However, it is possible to use the cloud securely for many applications. It requires resources devoted to intelligent system design. This means that the business case for cloud adoption is not one necessarily about saving money. One company that uses the Amazon service, but did not get affected in 2011 was Netflix. Netflix has a very clever piece of software called Chaosmonkey which tests its environment during working hours with the intention that systems are fixed before they break. Netflix released the software as open source in July 2012. http://techblog.netflix.com/2012/07/chaos-monkey-released-into-wild.html
Cloud providers can afford people, processes and equipment which is state of the art
Cloud providers able to offer very good uptime and good backup.
Cloud provides good mitigation against natural disasters
Elasticity – Cloud offerings are able to increase and decrease load dynamically, this allows them to mitigate against DDOS attacks
Cloud providers concentrate datasets from disparate organisations
Vulnerabilities are shared across the cloud
Even though cloud providers generally have excellent protective security, failures happen (eg Amazon in 2011)
Cloud providers located in different jurisdictions add complexity to the compliance and governance of organisations.
Better collaboration with other organisations, integration of supply chain across disparate organisations and locations.
Organisations that utilise cloud well can become more resilient eg Netflix
Cloud providers concentrate datasets so their ‘attractiveness’ as a target increases (aggregation)
An outage in one cloud provider can have consequences for multiple organisations. Additional issues may become apparent if those organisations are all providers of the same critical infrastructure.
The threat from human actors can be seen to be the combination of intent and capability. Both organised crime and nation states have the capability to attack cloud providers. Their intent is obviously higher if they assess that they can access several prize organisations through a single attack.
I’m struck by the thought that the emergence of cloud should mean that risks to the critical infrastructure from natural disasters and mistakes should decrease. However, on the other hand, cloud providers are such attractive targets, that the risks from human (active) threats are likely to be higher.
Importantly, the report makes a number of useful suggestions for organisations that are moving towards the use of cloud solutions in terms of risk assessment, security measures and recovery and reporting of incidents.