ENISA, Europe’s network and information security agency, just released a report looking at cloud computing from the perspective of critical infrastructure protection.

ENISA asserts that 80% of large organisations will be using cloud solutions within two years. The approach that ENISA takes is nicely balanced, pointing out that cloud adoption is both good and bad in terms of critical infrastructure protection. From an organisational perspective, the message is similar

Like any information security endeavour, adoption of cloud boils down to a series of risk decisions. There is of course also a question of organisational and possibly national resilience in the case of critical infrastructure to adapt if any threats are realised.

Cloud is not bulletproof and is not the solution for all problems related to IT. A number of companies were affected by outages of the Amazon service in 2011 and this has provided a wake up call to the industry – http://www.wired.com/business/2011/04/lessons-amazon-cloud-failure/

Clouds

Light streaming through clouds

However, it is possible to use the cloud securely for many applications. It requires resources devoted to intelligent system design. This means that the business case for cloud adoption is not one necessarily about saving money. One company that uses the Amazon service, but did not get affected in 2011 was Netflix. Netflix has a very clever piece of software called Chaosmonkey which tests its environment during working hours with the intention that systems are fixed before they break. Netflix released the software as open source in July 2012. http://techblog.netflix.com/2012/07/chaos-monkey-released-into-wild.html

STRENGTHS

Cloud providers can afford people, processes and equipment which is state of the art

Cloud providers able to offer very good uptime and good backup.

Cloud provides good mitigation against natural disasters

Elasticity – Cloud offerings are able to increase and decrease load dynamically, this allows them to mitigate against DDOS attacks

WEAKNESSES

Cloud providers concentrate datasets from disparate organisations

Vulnerabilities are shared across the cloud

Even though cloud providers generally have excellent protective security, failures happen (eg Amazon in 2011)

Cloud providers located in different jurisdictions add complexity to the compliance and governance of organisations.

OPPORTUNITIES

Better collaboration with other organisations, integration of supply chain across disparate organisations and locations.

Organisations that utilise cloud well can become more resilient  eg Netflix

Code optimisation

THREATS

Cloud providers concentrate datasets so their ‘attractiveness’ as a target increases (aggregation)

An outage in one cloud provider can have consequences for multiple organisations. Additional issues may become apparent if those organisations are all providers of the same critical infrastructure.
A legal dispute related to data owned by one organisation which is located in the cloud might affect others

The threat from human actors can be seen to be the combination of intent and capability. Both organised crime and nation states have the capability to attack cloud providers. Their intent is obviously higher if they assess that they can access several prize organisations through a single attack.

I’m struck by the thought that the emergence of cloud should mean that risks to the critical infrastructure from natural disasters and mistakes should decrease.  However, on the other hand, cloud providers are such attractive targets, that the risks from human (active) threats are likely to be higher.

Importantly, the report makes a number of useful suggestions for organisations that are moving towards the use of cloud solutions in terms of risk assessment, security measures and recovery and reporting of incidents.

To download the report go to the ENISA site www.enisa.europa.eu or follow this link http://goo.gl/NZRQA which should take you to the right part of the site.