ENISA Cloud Computing Risk Assessment Report
17 views
Skip to first unread message
Reuven Cohen
Nov 23, 2009, 7:46:37 AM11/23/09
to cloud...@googlegroups.com
I've been traveling so there is a bit of a back log of news. In case you missed this, The European Network and Information Security Agency (ENISA), working for the EU Institutions and Member States has released a Cloud Computing Risk Assessment report. ENISA is the EU’s response to Information security issues of the European Union. As such, it is the 'pacemaker' for Information Security in Europe.
ENISA supported by a group of subject matter expert comprising representatives from Industries, Academia and Governmental Organizations, has conducted, in the context of the Emerging and Future Risk Framework project, an risks assessment on cloud computing business model and technologies. The result is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing. The report provide also a set of practical recommendations.
A few highlights of the report include:
Read the Complete Report Here >
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport
ENISA supported by a group of subject matter expert comprising representatives from Industries, Academia and Governmental Organizations, has conducted, in the context of the Emerging and Future Risk Framework project, an risks assessment on cloud computing business model and technologies. The result is an in-depth and independent analysis that outlines some of the information security benefits and key security risks of cloud computing. The report provide also a set of practical recommendations.
A few highlights of the report include:
- The Cloud’s economies of scale and flexibility are both a friend and a foe from a security point of view. The massive concentrations of resources and data present a more attractive target to attackers, but cloud-based defences can be more robust, scalable and cost-effective. This paper allows an informed assessment of the security risks and benefits of using cloud computing - providing security guidance for potential and existing users of cloud computing.
- Scale: commoditisation and the drive towards economic efficiency have led to massive concentrations of the hardware resources required to provide services. This encourages economies of scale - for all the kinds of resources required to provide computing services.
- Architecture: optimal resource use demands computing resources that are abstracted from underlying hardware. Unrelated customers who share hardware and software resources rely on logical isolation mechanisms to protect their data. Computing, content storage and processing are massively distributed. Global markets for commodities demand edge distribution networks where content is delivered and received as close to customers as possible. This tendency towards global distribution and redundancy means resources are usually managed in bulk, both physically and logically.
STANDARDISED INTERFACES FOR MANAGED SECURITY SERVICES: large cloud providers can offer a standardised, open interface to managed security services providers. This creates a more open and readily available market for security services.
LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment. This introduces a dependency on a particular CP for service provision, especially if data portability, as the most fundamental aspect, is not enabled..
ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computing. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks). However it should be considered that attacks on resource isolation mechanisms (e.g.,. against hypervisors) are still less numerous and much more difficult for an attacker to put in practice compared to attacks on traditional OSs.
MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.
- Scale: commoditisation and the drive towards economic efficiency have led to massive concentrations of the hardware resources required to provide services. This encourages economies of scale - for all the kinds of resources required to provide computing services.
- Architecture: optimal resource use demands computing resources that are abstracted from underlying hardware. Unrelated customers who share hardware and software resources rely on logical isolation mechanisms to protect their data. Computing, content storage and processing are massively distributed. Global markets for commodities demand edge distribution networks where content is delivered and received as close to customers as possible. This tendency towards global distribution and redundancy means resources are usually managed in bulk, both physically and logically.
STANDARDISED INTERFACES FOR MANAGED SECURITY SERVICES: large cloud providers can offer a standardised, open interface to managed security services providers. This creates a more open and readily available market for security services.
LOCK-IN: there is currently little on offer in the way of tools, procedures or standard data formats or services interfaces that could guarantee data, application and service portability. This can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in-house IT environment. This introduces a dependency on a particular CP for service provision, especially if data portability, as the most fundamental aspect, is not enabled..
ISOLATION FAILURE: multi-tenancy and shared resources are defining characteristics of cloud computing. This risk category covers the failure of mechanisms separating storage, memory, routing and even reputation between different tenants (e.g., so-called guest-hopping attacks). However it should be considered that attacks on resource isolation mechanisms (e.g.,. against hypervisors) are still less numerous and much more difficult for an attacker to put in practice compared to attacks on traditional OSs.
MANAGEMENT INTERFACE COMPROMISE: customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.
Read the Complete Report Here >
http://www.enisa.europa.eu/act/rm/files/deliverables/cloud-computing-risk-assessment/at_download/fullReport
Paulo Calcada
Nov 23, 2009, 7:54:51 AM11/23/09
to cloud...@googlegroups.com
This is a subject already being discussed on the Cloud Computing Use Cases, it was brought by Garry Mazzaferro. But definitely it's a subject that worth all the attention.
Paulo
--
http://pcalcada.name
--
Paulo
2009/11/23 Reuven Cohen <r...@enomaly.com>
--
You received this message because you are subscribed to the Google
Groups "Cloud Computing Interoperability Forum (CCIF)" group.
To post to this group, send email to cloud...@googlegroups.com
To unsubscribe from this group, send email to
cloudforum+...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/cloudforum?hl=en
-----
Join our Twitter Group at www.twitter.com/cloudforum
Or Our Linkedin Group at http://www.linkedin.com/e/gis/927567
--
http://pcalcada.name
--
Bhaskar Prasad Rimal
Nov 23, 2009, 6:00:17 PM11/23/09
to cloud...@googlegroups.com
Nice sharing!! Its a very excellent report. In my preliminary study I found one interest classification in this report
Clouds may also be divided into:
Regards
--
Bhaskar Prasad Rimal,Master's Student
Graduate School of Business IT
Kookmin University
861-1 Jeongneung-Dong, Seongbuk-Gu, Seoul, 136-702, Korea
Clouds may also be divided into:
- public: available publicly - any organization may subscribe
- private: services built according to cloud computing principles, but accessible only within a private network
- partner: cloud services offered by a provider to a limited and well-defined number of parties.
Regards
--
You received this message because you are subscribed to the GoogleGroups "Cloud Computing Interoperability Forum (CCIF)" group.
To post to this group, send email to cloud...@googlegroups.comcloudforum+...@googlegroups.com
To unsubscribe from this group, send email to
http://groups.google.com/group/cloudforum?hl=en
For more options, visit this group at
-----
Join our Twitter Group at www.twitter.com/cloudforum
Or Our Linkedin Group at http://www.linkedin.com/e/gis/927567
--
Bhaskar Prasad Rimal,Master's Student
Graduate School of Business IT
Kookmin University
861-1 Jeongneung-Dong, Seongbuk-Gu, Seoul, 136-702, Korea
Reuven Cohen
Nov 23, 2009, 6:05:41 PM11/23/09
to cloud...@googlegroups.com
I would also classify a partner as a white label or reseller cloud where the capacity might be provided by ATT, Amazon or someone else and rebranded.
r/c
r/c
Bhaskar Prasad Rimal
Nov 23, 2009, 6:11:17 PM11/23/09
to cloud...@googlegroups.com
I think, "Partner"- It is a business point of view of classification. Any typical technical significant like public, private and hybrid classification?
Regards
Regards
Joe Stein
Nov 23, 2009, 6:16:53 PM11/23/09
to cloud...@googlegroups.com, cloud...@googlegroups.com
I think an example would be google gov cloud that Los Angeles says it will be using.... SaaS google apps partitioned and used just for gov agencies.
Reply all
Reply to author
Forward
0 new messages