The Public Eye with Eric Chabrow

Cloud Security: Good News, Bad News

A report issued Friday by the European Union's European Network and Information Security Agency panel gives proponents of secure government cloud computing hope, and some pause. It's not that authors of the study, Cloud Computing: Benefits, Risks and Recommendations for Information Security, are fickle, but they note the challenges of securing data on the public cloud are complex.

"The key conclusion of this paper is that the cloud's economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defenses can be more robust, scalable and cost-effective."

The report doesn't suggest that the most sensitive data be placed on the cloud, but says many e-government applications could be appropriately situated on the public Internet. Here are summaries of the top security benefits and risks of cloud computing, according to ENISA:

Top Benefits

  • Scale: Security measures are cheaper when implemented on a large scale.
  • Market Differentiator: Cloud providers will see strong security as a competitive advantage.
  • Standardized Interfaces for Managed Security Services: Larger providers can offer a standardized, open interface to manage security services providers.
  • Rapid, Smart Scaling of Resources: Ability of a provider to dynamically reallocate resources for filtering, traffic shaping, authentication and encryption.
  • Audit and Evidence Gathering: Cloud computing when using virtualization can provide dedicated, pay-per-use forensic images of virtual machines that are accessible without taking infrastructure off-line, leading to less down-time for forensic analysis.
  • More Timely and Efficient Updates: Default virtual machine images and software modules can be pre-hardened and updated with the latest patches and security settings.

Top Risks

  • Loss of Governance: The client necessarily concedes control to the cloud provider that could affect security. Plus, service level agreements may not be provided, leaving a gap in security defenses.
  • Lock-In: There are few tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability, making it difficult to migrate from one provider to another or back to an in-house environment.
  • Isolation Failure: The risk exists in shared resources for the failure of mechanisms separating storage, memory, routing and even reputation among different tenants.
  • Compliance Risks: Achieving certification may be put at risk if the cloud provider cannot provide evidence of its own compliance with relevant requirements and/or it does not permit audits by cloud customers or their auditors.
  • Management Interface Compromise: Customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources than those of traditional hosting providers, and thus pose an increased risk, especially when combined with remote access and web browser vulnerabilities.
  • Data Protection: It may prove difficult for the cloud customer to check effectively the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way.
  • Insecure or Incomplete Data Deletion: When a request to delete a cloud resource is made, as with most operating systems, this may not result in true wiping of the data.
  • Malicious Insiders: While usually less likely, the damage that may be caused by malicious insiders is often far greater. Cloud architectures necessitate certain roles that are extremely high-risk. Examples include cloud provider system administrators and managed security service providers.
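Two of the risks above, isolation failure and insecure or incomplete data deletion, share a root cause: on shared storage, a "delete" usually removes a tenant's metadata and returns the blocks to a free list without wiping them. The following is an added example, not from the ENISA report or from this column, that models that behaviour in a toy block store and shows the two mitigations a cloud customer can ask for or apply: overwriting blocks before they are freed, and crypto-shredding (encrypting data under a customer-held key and destroying the key). The block store, volume classes, `SECRET` sample data and the SHA-256 keystream are all constructed for illustration; the keystream is not a real cipher and is only there to keep the example dependency-free.

```python
import hashlib
import secrets

BLOCK_SIZE = 16


class BlockStore:
    """Toy 'physical' storage shared by tenants: fixed-size blocks plus a free list.
    Freed blocks are simply put back on the list; nothing here wipes them."""
    def __init__(self, n_blocks):
        self.blocks = [bytes(BLOCK_SIZE)] * n_blocks
        self.free = list(range(n_blocks))

    def alloc(self):
        return self.free.pop(0)

    def write(self, idx, data):
        self.blocks[idx] = data.ljust(BLOCK_SIZE, b"\0")

    def read_raw(self, idx):
        """Raw block read, as a later tenant or a forensic image would see it."""
        return self.blocks[idx]


class Volume:
    """A tenant's logical volume: file name -> (block indices, byte length)."""
    def __init__(self, store):
        self.store = store
        self.files = {}

    def put(self, name, data):
        idxs = []
        for off in range(0, len(data), BLOCK_SIZE):
            i = self.store.alloc()
            self.store.write(i, data[off:off + BLOCK_SIZE])
            idxs.append(i)
        self.files[name] = (idxs, len(data))

    def get(self, name):
        idxs, n = self.files[name]
        return b"".join(self.store.read_raw(i) for i in idxs)[:n]

    def delete(self, name, wipe=False):
        """Logical delete: drop metadata, free the blocks. With wipe=True the
        blocks are overwritten first (the 'true wiping' the report refers to)."""
        idxs, _ = self.files.pop(name)
        if wipe:
            for i in idxs:
                self.store.write(i, secrets.token_bytes(BLOCK_SIZE))
        self.store.free.extend(idxs)
        return idxs


def residual(store, idxs, n):
    """Bytes still present in freed blocks after a delete."""
    return b"".join(store.read_raw(i) for i in idxs)[:n]


def keystream(key, n):
    """Toy counter-mode keystream from SHA-256 (illustration only, not a real cipher)."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return out[:n]


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


class EncryptedVolume(Volume):
    """Same volume, but every file is encrypted under a key the customer holds."""
    def __init__(self, store):
        super().__init__(store)
        self.key = secrets.token_bytes(32)

    def put(self, name, data):
        super().put(name, xor(data, keystream(self.key, len(data))))

    def get(self, name):
        ct = super().get(name)
        return xor(ct, keystream(self.key, len(ct)))

    def shred(self):
        """Crypto-shredding: destroy the key; leftover ciphertext becomes unreadable."""
        self.key = None


SECRET = b"tenant-A payroll: 123-45-6789"  # constructed sample data


def logical_delete_leaves_data():
    store, vol = BlockStore(8), None
    vol = Volume(store)
    vol.put("payroll.txt", SECRET)
    idxs = vol.delete("payroll.txt")            # provider-style delete, no wipe
    return residual(store, idxs, len(SECRET))   # still equals SECRET


def wiped_delete_removes_data():
    store = BlockStore(8)
    vol = Volume(store)
    vol.put("payroll.txt", SECRET)
    idxs = vol.delete("payroll.txt", wipe=True)
    return residual(store, idxs, len(SECRET))   # random bytes, SECRET gone


def crypto_shred_removes_data():
    store = BlockStore(8)
    vol = EncryptedVolume(store)
    vol.put("payroll.txt", SECRET)
    readable = vol.get("payroll.txt") == SECRET  # True while the key exists
    idxs = vol.delete("payroll.txt")             # no wipe, ciphertext stays on disk
    vol.shred()
    return readable, residual(store, idxs, len(SECRET))
```

The point for a cloud customer is the third function: when the provider's delete cannot be verified (the data protection and compliance risks above), encrypting data under a key the provider never holds turns "delete" into a key-destruction operation the customer controls and can audit.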

There also are legal considerations that differ from more traditional IT services. ENISA says:

"The parties to a contract should pay particular attention to their rights and obligations related to notifications of breaches in security, data transfers, creation of derivative works, change of control, and access to data by law enforcement entities. Because the cloud can be used to outsource critical internal infrastructure, and the interruption of that infrastructure may have wide-ranging effects, the parties should carefully consider whether standard limitations on liability adequately represent allocations of liability, given the parties' use of the cloud, or responsibilities for infrastructure.

"Until legal precedent and regulations address security concerns specific to cloud computing, customers and cloud providers alike should look to the terms of their contract to effectively address security risks."

Sound advice from our friends across the pond.

About the Author

Eric Chabrow

Retired Executive Editor, GovInfoSecurity

Chabrow, who retired at the end of 2017, hosted and produced the semi-weekly podcast ISMG Security Report and oversaw ISMG's GovInfoSecurity and InfoRiskToday. He's a veteran multimedia journalist who has covered information technology, government and business.
