Cloud computing continues to be a hot topic. But so what if people are talking about it, who is actually adopting it? One of the questions I have been asking myself is, ‘Will cloud be adopted for critical infrastructure? And what is the security perspective on this?
Naturally a blog to answer that question will never really do the topic any justice. But it is a crucial issue. I wrote about critical cloud computing already a year ago on my blog, and over the past years I have worked on these issues, for example with the European Network and Information Security Agency (ENISA), who have published the white paper; Critical Cloud Computing: A CIIP Perspective on cloud computing services.
The ENISA paper focusses on large cyber disruptions and large cyber attacks, as in the EU’s Critical Information Infrastrcuture Protection (CIIP) plan, e.g.) and looks at the relevant underlying threats like natural disaster, power network outages, software bugs, exhaustions due to overload, cyber attacks, etc. It underlines the strengths of cloud computing, when it comes to dealing with natural disasters, regional powercuts and DDoS attacks. At the same time it highlights that the impact of cyber attacks could be very large, because of the concentration of resources. Everyday people discover software exploits, in widely used software (this week UPnP, last month Ruby on Rails, and so on). What would be the impact if there was a software exploit for a cloud platform used widely across the globe?
As an expert on the ENISA Cloud Security and Resilience Working Group, I see this white paper as the starting point for discussions about what are the big cloud computing risks from a CIIP perspective. Revisiting the risk assessments we worked on in the past is important, mainly because the use of cloud computing is now so different, and because cloud computing is being adopted in critical sectors like finance, energy, transport and even governmental services.
A discussion about the CIIP perspective on cloud computing becomes all the more relevant in the light of the EU’s Cyber Security strategy, which will focus on critical sectors and preventing large-scale cyber attacks and disruptions. The strategy will be revealed by the European Commission in February and it will be interesting to see what role cloud computing will play in the strategy.
The report is available on the ENISA website at; https://resilience.enisa.europa.eu/cloud-security-and-resilience/cloud-computing-benefits-risks-and-recommendations-for-information-security/view
There is no doubt that internet connections and cloud computing are becoming the backbone of our society. The adoption within critical infrastructure sectors means that resilience and security becomes even more imperative for all of us.
[Note: This article was also published on the Cloud Security Alliance website]