With the public sector set to follow the private into the Cloud, a new report from the European Union IT security body Enisa has cast doubt on the safety of Cloud Computing.
ENISA (the European Network and Information Security Agency) doesn't dismiss Cloud Computing as a no-go option, but it does recommend that close attention be paid to certain critical aspects. The report cites loss of control over data, difficulties in proving compliance, and additional legal risks as data moves from one legal jurisdiction to another. Other areas of concern are vendor lock-in, failure of the mechanisms that separate different customers' resources, management interfaces exposed to attackers, data that is not properly deleted, and malicious insiders.
"The number one issue holding many people back is security," said Giles Hogben, an ENISA expert and editor of the report. "How can I know if it's safe to trust the Cloud provider with my data and in some cases my entire business infrastructure?"
In total the report highlights 35 separate security risks. The security assessment is based on three use-case scenarios: SME migration to Cloud Computing services; the impact of Cloud Computing on service resilience; and Cloud Computing in e-government. To minimise these risks the report proposes a list of questions that a company needs to ask potential Cloud providers, including: what guarantees does the provider offer that customer resources are fully isolated? What security education programme does it run for staff? And what measures are taken to ensure third-party service levels are met?
The report concluded that the Cloud's economies of scale and flexibility are both "a friend and a foe from a security point of view". It also estimated that expenditure on Cloud Computing will reach €6bn in 2013.
Udo Helmbrecht, executive director of ENISA, said that, with appropriate attention paid, Cloud Computing is a viable option for the public sector. "The scale and flexibility of Cloud Computing gives the providers a security edge," he said. "For example, providers can instantly call on extra defensive resources like filtering and re-routing. They can also roll out new security patches more efficiently and keep more comprehensive evidence for diagnostics."