Cloud computing in critical information infrastructure protection

ENISA has launched a new report looking at cloud computing from a Critical Information Infrastructure Protection (CIIP) perspective, and identifying that cloud computing is critical given the concentration of users and data and its growing use in critical sectors, such as finance, health and insurance.

In a few years, a large majority of organisations will be dependent on cloud computing. Large cloud services will have tens of millions of end-users. What happens if one of these cloud services fails, or gets hacked?

“From a security perspective, the concentration of data is a “double-edged sword’; large providers can offer state-of-the-art security, and business continuity, spreading the costs across many customers. But if an outage or security breach occurs, the impact is bigger, affecting many organisations and citizens at once,” Dr Marnix Dekker says. Last years, there have been many examples of failures affecting very large sites with millions of users (for example, the leap year bug outage).

This report looks at the threats from a CIIP perspective, i.e. how to prevent large cyber disruptions and large cyber-attacks. The key messages of the report are:

Critical infrastructure: Soon, the vast majority of organisations will use cloud computing notably also in critical sectors like finance, energy and transport. Cloud services are themselves becoming a critical information infrastructure.

Natural disasters and DDoS attacks: A benefit of Cloud computing is resilience in the face of natural disasters and Distributed Denial of Service (DDoS)-attacks, which are difficult to mitigate using traditional approaches (servers on site, or single data centre).

Cyber attacks: Cyber attacks exploiting software flaws can cause large data breaches, affecting millions of users, because of the large concentration of users and data. Physical redundancy does not safeguard against certain cyber attacks, such as data breaches exploiting software flaws.

The report also provides nine recommendations for bodies responsible for critical information infrastructures. Key points: Include large cloud services in national risk assessments, track cloud dependencies, and work with providers on incident reporting schemes.

The Executive Director of ENISA, Professor Udo Helmbrecht, commented: “Cloud computing is a reality and therefore we must prepare to prevent service failures and cyber attacks on cloud services. The European Cyber Security and Cloud Computing Strategies provide a roadmap for this.”

The complete report is available here.

Don't miss