Trade Law Daily is a service of Warren Communications News.

Cloud computing is a “double-edged sword” from a critical information...

Cloud computing is a “double-edged sword” from a critical information infrastructure protection (CIIP) perspective, the European Network and Information Security Agency said Thursday in a report on critical cloud computing. Large cloud providers can deploy state-of-the-art security and resilience measures and spread the associated costs among customers, but if an outage or security breach occurs, the consequences can be massive, it said.

The report (http://bit.ly/11IJoQZ) examined various scenarios and threats relevant from a CIIP standpoint, based on a survey of public sources on take-up of cloud computing and large cyberattacks, and disruptions to cloud services. It drew several conclusions, among them that cloud computing is critical because the vast majority of organizations will soon use it; millions of users are affected by breaches and disruptions; and the cloud is being adopted in critical sectors such as finance, energy and transport.

One key benefit of the cloud is its resilience to regional power cuts or local natural disasters, the report found. Clouds are also elastic, allowing them to cope with load and lessening the risk of overload or distributed denial-of-service attacks, it said. But the impact of cyberattacks is multiplied by the concentration of resources that results from use of cloud computing, it said. The most critical services are large operating system and application servers-as-a-service, which deliver services to other information technology vendors who in turn serve millions of organizations and users.

Cloud computing isn’t immune to administrative or legal issues, the report found. A legal dispute involving the provider or a customer could affect the data of all other co-customers, it said.

The European Commission CIIP action plan calls for discussion about cloud computing governance strategies, it said. ENISA recommended that governance be split into three processes: (1) Making a risk assessment to determine which infrastructures are critical, what their value is to the economy and society, and what kinds of incidents need to be prevented. (2) Taking security measures to prevent large incidents or mitigate their impact. (3) Collecting incident reports in order to understand weaknesses in security measures and evaluate risk assessments. These processes can be supervised by a government authority such as a regulator, or some industry association such as a body of auditors, it said. The report included recommendations related to each governance prong. ENISA plans to launch a new working group on CIIP and governmental cloud security, it said.