Please note that this is a page from a previous version of Continuity Central and is no longer being updated.


‘The double-edged sword of Cloud computing in Critical Information Infrastructure Protection’

ENISA, the EU’s information security agency, has launched a new report that looks at cloud computing from a critical information infrastructure protection (CIIP) perspective. The report identifies cloud computing as critical, given the concentration of users and data and its growing use in critical sectors such as finance, health and insurance.

According to ‘The double-edged sword of Cloud computing in Critical Information Infrastructure Protection’, in a few years a large majority of organisations will be dependent on cloud computing. Large cloud services will have tens of millions of end-users. What happens if one of these cloud services fails, or gets hacked?

“From a security perspective, the concentration of data is a ‘double-edged sword’; large providers can offer state-of-the-art security, and business continuity, spreading the costs across many customers. But if an outage or security breach occurs, the impact is bigger, affecting many organizations and citizens at once,” says ENISA’s Dr Marnix Dekker.

The key messages of the report are:

  • Critical infrastructure: Soon, the vast majority of organizations will use cloud computing, notably also in critical sectors like finance, energy and transport. Cloud services are themselves becoming a critical information infrastructure.
  • Natural disasters and DDoS attacks: A benefit of cloud computing is resilience in the face of natural disasters and distributed denial of service (DDoS) attacks, which are difficult to mitigate using traditional approaches (servers on site, or a single data centre).
  • Cyber attacks: Cyber attacks exploiting software flaws can cause large data breaches, affecting millions of users, because of the large concentration of users and data. Physical redundancy does not safeguard against certain cyber attacks, such as data breaches exploiting software flaws.

The report also provides nine recommendations for bodies responsible for critical information infrastructures.

Read the report.

Reader comment

Cloud services are becoming a critical information infrastructure. According to research company Gartner, the worldwide market for cloud computing will total $207 billion by 2016. In 2012 alone, it said that the market grew 20 percent to become a $109 billion industry. As we move closer to a cloud-enabled future, cyber criminality and state-sponsored attacks are increasingly targeting the cloud in ever more sophisticated ways, while leaving organisations unable to maintain the same obligations to security, compliance and regulation. Companies and government agencies cannot rely on cloud application providers alone for data security and confidentiality of information stored in the cloud.

In the case of CIA Director, David Petraeus, whose emails became the subject of an FBI investigation, we saw how easy it is for law enforcement agencies to legally require cloud application providers to give them access to email and other sensitive data needed for criminal investigations, all without notifying the data’s owner. The Petraeus case serves as a wake-up call for executives at companies and senior officials at government agencies to take control of the data. There is no confidentiality of sensitive information in the cloud.

With the UK’s Information Commissioner’s Office (ICO) also publishing its own guidelines on cloud computing last October, clearly stating that responsibility for security now resides with the company that owns the data, not the third party cloud provider, this is becoming an even more serious challenge. It has been recognised by leading security analysts, and also by the ICO, that storing information unencrypted in the cloud leaves personal and business data at risk from cyber criminals, accidental leakage, and other threats. It is essential that organizations encrypt their data before it’s sent to the cloud. That is the only way to ensure that information is not vulnerable to cloud threats, hackers and accidental leakage.

Pravin Kothari, CEO of CipherCloud

• Date: 15th Feb 2013 • Europe/UK • Type: Article • Topic: Cloud computing
