The European Agency for Network and Information Security Information Security Agency (ENISA) published a report that argues excessive growth of cloud computing is a double-edged risk. But the agency also recognizes the advantages of using the cloud.
Barely a week after the announcement by the European Commission of its plans for a new directive on security of networks and information, ENISA has published a report on the protection of critical infrastructures. Under the proposed new law, ENISA could play a key role in helping Member States of the European Union to share information on security vulnerabilities.
Public data on the uptake of cloud computing shows that in a couple of years around 80 per cent of organizations will be dependent on cloud computing and large cloud providers will be serving tens of millions of end users, the report states. From a CIIP perspective, this concentration of IT resources is a ‘double-edged sword’: on the one hand, large cloud providers can deploy state-of-the-art security and resilience measures and spread the associated costs across the customers. On the other hand, if an outage or a security breach occurs the consequences could be big, affecting a lot of data, many organizations and a large number of citizens at once.
“In a few years, a large majority of organizations will be dependent on cloud computing. Large cloud services will have tens of millions of end-users. What happens if one of these cloud services fails, or gets hacked?” asks the report.
According to the agency, the cloud is clearly an area of great concern because it focuses the users and data and is used in critical areas such as finance, health, energy and transport. Cybercrime is growing rapidly. Computer viruses, intrusion into networks and cybercrime can lead to significant financial losses, undermine confidence in online services and great harm to the EU economy. With its cyber security policy, the ENISA wants to improve the application of existing international law in cyberspace to protect private Internet users and commercial industry.
The report calls for greater transparency in physical and logical dependencies, for example, to know what cloud services depend on such operators or such critical services. ENISA also calls on governments to include cloud services in their main risk assessments at the national level and to track dependencies on the cloud.
Cloud, however, is not only a security risk, but there are also positive aspects, such as reduced risk of natural disasters (with appropriate allocation) or higher resistance against DDoS (distributed denial of service).