Cloud computing security benefits, risks and recommendations

eBook: The DevOps Roadmap for Security - Tips and tools for bridging the security tribe into DevOps. Download →

How can businesses and governments get the obvious benefits of cloud computing without putting their organization at risk? ENISA (the European Network and Information Security Agency) released a new report on cloud computing benefits, risks and recommendations for information security. It covers the technical, policy and legal implications and most importantly, makes concrete recommendations for how to address the risks and maximize the benefits for users.

ENISA’s report is the first to take an independent, in-depth look at all the security and privacy issues of moving into the cloud, outlining some of the information security benefits of cloud computing, as well as 35 key security risks.

ENISA and their expert group started with a survey asking businesses their main concerns in moving into the cloud. “The picture we got back from the survey was clear:” says Giles Hogben, an ENISA expert and editor of the report – “the business case for cloud computing is obvious – it’s computing on tap, available instantly, commitment-free and on-demand. But the number one issue holding many people back is security – how can I know if it’s safe to trust the cloud provider with my data and in some cases my entire business infrastructure?”

The report answers this question with a detailed check-list of criteria which anyone can use to identify whether a cloud provider is as security-conscious as they could be.

“This is the most important result of our report: our check-list isn’t just pulled from thin-air,” says Daniele Catteddu, the ENISA report co-editor – “we based it on a careful risk analysis of a number of cloud computing scenarios, focussing on the needs of business customers. The most important risks addressed by the check-list include lock-in, failures in mechanisms separating customers’ data and applications, and legal risks such as the failure to comply with data protection legislation.” With the security check-list, customers now know the right questions to ask and providers can answer those questions just once instead of being overloaded with requests for assurance about their security practices.

Cloud computing also entails great economic interests, e.g. the IDC forecasts a growth of European cloud services from EUR971m in 2008 to EUR6,005m in 2013.

But as the report points out, cloud computing is also a security enabler. The Executive Director of ENISA, Dr Udo Helmbrecht, underlines: “The scale and flexibility of cloud computing gives the providers a security edge. For example, providers can instantly call on extra defensive resources like filtering and re-routing. They can also roll out new security patches more efficiently and keep more comprehensive evidence for diagnostics.”