European agency details cloud security recommendations
The European Network and Information Security Agency (ENISA) turned its focus to cloud computing, and in particular how businesses can reap the benefits without putting themselves at risk. It has published a report titled "Cloud Computing: Benefits, risks and recommendations for information security".
The paper examines the technical, policy and legal implications of cloud computing and makes "concrete recommendations" on how to address the risks while maximising the benefits for end users. It describes the cloud as "both a friend and a foe" from a security point of view, noting that while the massive concentrations of resources and data present an attractive target for attackers, the flipside is that cloud-based defences can be more robust, scalable and cost-effective.
Key risks identified included loss of governance, because customers need to cede control of a number of issues that may affect security to the cloud provider; lock-in, introducing dependence on a cloud provider if customers are unable to easily migrate their data elsewhere; compliance risks, if a cloud partner is unable to provide evidence that necessary standards are being met; and data protection, with the customer, as data controller, needing to be able to ensure that data handling takes place in line with required practices.
ENISA suggested that with security being such a concern for potential cloud computing customers, there is a strong driver for cloud providers to improve their performance in this area -- and therefore make security a product differentiator, alongside price and technical capabilities. But it was also noted that while some risk can be handed-over to the cloud provider, "you can outsource responsibility, but you can't outsource accountability".
The body said the most important aspect of its recommendations is its Information Assurance Framework, which is detailed here. This is designed to enable IT execs to assess the risk of adopting cloud services, compare different cloud service providers, obtain assurances from cloud providers, and reduce the assurance burden on potential partners.
ENISA is a European Union agency intended to be "a centre of excellence for the European Member States and European institutions in network and information security". Its full cloud computing report can be downloaded here. Also available are the results of a survey into SME attitudes to cloud computing.