Cloud Computing Benefits, risks and recommendations for information security

Rev.B – December 2012

2

Cloud Computing Benefits, risks and recommendations for information security

Document History

Date December 2009

Version 1.0

Modification Initial Release, Rev.A

Author Daniele Catteddu, Giles Hogben Thomas Haeberlen Lionel Dupré

December 2012

2.0

Rev.B

About ENISA
The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe’s critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu.

Contact details
This report has been edited by: Lionel Dupré, Thomas Haeberlen

For contacting ENISA or for general enquiries about this report, please use the following details: Email: resilience@enisa.europa.eu Internet: http://www.enisa.europa.eu

Cloud Computing 3 Benefits, risks and recommendations for information security

Legal notice
Notice must be taken that this publication represents the views and interpretations of the authors and editors, unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the ENISA Regulation (EC) No 460/2004 as lastly amended by Regulation (EU) No 580/2011. This publication does not necessarily represent state-of theart and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Reproduction is authorised provided the source is acknowledged. © European Network and Information Security Agency (ENISA), 2011

4

Cloud Computing Benefits, risks and recommendations for information security

1

Introduction and Recap

1.1 Updating the 2009 Cloud Risk Assessment
Since the publication of the 2009 Cloud Risk Assessment study, the perception of Cloud computing has changed, and so has the perception of the associated risks. However, the 2009 Cloud Risk Assessment continues to be one of the most downloaded documents on the ENISA website. It is therefore worthwhile to revise the document in general, but especially have a new look at the risks and try to reassess them, taking the developments of the last three years into account. This document is the result of a first review round carried out by ENISA with the assistance of external experts. To simplify things, the risks were separated from the extensive legal considerations that form part of the 2009 Cloud Risk Assessment. This does not mean, however, that legal aspects are not considered. On the contrary, there will be a separate working document covering the legal aspects in the appropriate depth, and the final revision of the Cloud Risk Assessment will again contain a discussion of legal aspects.

1.2 Cloud computing - working definition
During the first review round, the working definition of Cloud computing used in the Cloud Risk Assessment in 2009 was kept unchanged. Even at the time of the original report, this working definition was not intended as yet another definitive definition. Cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computing technologies. Cloud computing architectures have: Cloud computing is an on-demand service model for IT provision, often based on virtualization and distributed computing technologies. Cloud computing architectures have:       highly abstracted resources near instant scalability and flexibility near instantaneous provisioning shared resources (hardware, database, memory, etc) ‘service on demand’, usually with a ‘pay as you go’ billing system programmatic management (eg, through WS API).

Highly abstracted resources Near instant scalability and flexibility Near instantaneous provisioning Shared resources (hardware, database, memory, etc) ‘Service on demand’, usually with a ‘pay as you go’ billing system Programmatic management (e.g., through WS API).

Cloud Computing 5 Benefits, risks and recommendations for information security

There are three categories of cloud computing: Software as a service (SaaS): is software offered by a third party provider, available on demand, usually via the Internet configurable remotely. Examples include online word processing and spreadsheet tools, CRM services and web content delivery services (Salesforce CRM, Google Docs, etc). Platform as a service (PaaS): allows customers to develop new applications using APIs deployed and configurable remotely. The platforms offered include development tools, configuration management, and deployment platforms. Examples are Microsoft Azure, Force and Google App engine. Infrastructure as service (IaaS): provides virtual machines and other abstracted hardware and operating systems which may be controlled through a service API. Examples include Amazon EC2 and S3, Terremark Enterprise Cloud, Windows Live Skydrive and Rackspace Cloud.

-

-

Clouds may also be divided into: Public: available publicly - any organisation may subscribe Private: services built according to cloud computing principles, but accessible only within a private network Partner or Community: cloud services offered by a provider to a limited and well-defined number of parties.

1.3 Top security benefits
The 2009 Cloud Risk Assessment considers a number of security benefits offered by the Cloud computing model. These have to be weighed against the risks that this model brings with it. Although they are not strictly necessary for the purpose of assessing the risks, they have been kept in this document (see section 2 Security benefits of cloud computing) to put the risks into perspective. Security and the benefits of scale: put simply, all kinds of security measures are cheaper when implemented on a larger scale. Therefore the same amount of investment in security buys better protection. This includes all kinds of defensive measures such as filtering, patch management, hardening of virtual machine instances and hypervisors, etc. Other benefits of scale include: multiple locations, edge networks (content delivered or processed closer to its destination), timeliness of response, to incidents, threat management. Security as a market differentiator: security is a priority concern for many cloud customers; many of them will make buying choices on the basis of the reputation for confidentiality, integrity and resilience of, and the security services offered by, a provider. This is a strong driver for cloud providers to improve security practices.

4 Top security risks The 2009 Cloud Risk Assessment contains a list of the top security risks related to Cloud computing. This also includes compliance risks. authentication. traffic shaping. application and service portability.. to defensive measures (e. against DDoS attacks) has obvious advantages for resilience. Updates can be rolled out many times more rapidly across a homogenous platform than in traditional client-based systems that rely on the patching model. After the first review round. risks and recommendations for information security More timely. At the same time. SLAs may not offer a commitment to provide such services on the part of the cloud provider.. procedures or standard data formats or services interfaces that could guarantee data. thus leaving a gap in security defences.g. industry standard or regulatory requirements) may be put at risk by migration to the cloud:   if the CP cannot provide evidence of their own compliance with the relevant requirements if the CP does not permit audit by the cloud customer (CC). encryption.g. it also means that using a public cloud infrastructure implies that certain kinds of compliance cannot be achieved (e. In certain cases.. the top risks have turned out to be more or less unchanged from the 2009 Cloud Risk Assessment. 1. Benefits of resource concentration: Although the concentration of resources undoubtedly has disadvantages for security [see Risks]. etc. it has the obvious advantage of cheaper physical perimiterisation and physical access control (per unit resource) and the easier and cheaper application of many security-related processes. This can make it difficult for the customer to migrate from one provider to another or migrate data and services back to an in- . Rapid. smart scaling of resources: the ability of the cloud provider to dynamically reallocate resources for filtering. effective and efficient updates and defaults: default virtual machine images and software modules used by customers can be pre-hardened and updated with the latest patches and security settings according to fine-tuned processes. because investment in achieving certification (e.g. PCI DSS). The most important classes of cloud-specific risks (see section 4 Risks) are: Loss of governance: in using cloud infrastructures.6 Cloud Computing Benefits. IaaS cloud service APIs also allow snapshots of virtual infrastructure to be taken regularly and compared with a baseline. Lock-in: there still is little on offer in the way of tools. the client necessarily cedes control to the Cloud Provider (CP) on a number of issues that may affect security.

Data protection: cloud computing poses several data protection risks for cloud customers and providers. Isolation failure: multi-tenancy and shared resources are defining characteristics of cloud computing. the damage which may be caused by malicious insiders is often far greater.. as with most operating systems. In some cases. so-called guest-hopping attacks). Adequate or timely data deletion may also be impossible (or undesirable from a customer perspective). Management interface compromise: customer management interfaces of a public cloud provider are accessible through the Internet and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk. or the actual temptation of the CP to reduce costs further by sacrificing on some security aspects. memory. Insecure or incomplete data deletion: when a request to delete a cloud resource is made. it may be difficult for the cloud customer (in its role as data controller) to effectively check the data handling practices of the cloud provider and thus to be sure that the data is handled in a lawful way. Examples include CP system administrators and managed security service providers.. Malicious insider: while usually less likely. This problem is exacerbated in cases of multiple transfers of data.g. Cloud architectures necessitate certain roles which are extremely high-risk. this may not result in true wiping of the data.. this represents a higher risk to the customer than with dedicated hardware. . risks and recommendations for information security house IT environment. some cloud providers do provide information on their data handling practices. Availability Chain: Reliance on Internet Connectivity at Customer’s end creates a Single point of failure in many cases. against hypervisors) are still less numerous and much more difficult for an attacker to put in practice compared to attacks on traditional OSs. especially if data portability. either because extra copies of data are stored but are not available. as the most fundamental aspect.g. This risk category covers the failure of mechanisms separating storage. is not enabled. routing and reputation between different tenants (e. Some also offer certification summaries on their data processing and data security activities and the data controls they have in place.Cloud Computing 7 Benefits. However it should be considered that attacks on resource isolation mechanisms (e. or because the disk to be destroyed also stores data from other clients. On the other hand. Customers’ security expectations: the perception of Security levels by Customers might differentiate from the actual security (and availability) offered by the CP. especially when combined with remote access and web browser vulnerabilities. between federated clouds..g. This introduces a dependency on a particular CP for service provision. e.g. e. In the case of multiple tenancies and the reuse of hardware resources.. SAS70 certification.

including Cloud providers. serious damage to reputation or legal implications. It is often possible.5 Target audience The intended audience of this report is the “Cloud community” at large. they are just ten of the most important cloud computing specific risks identified during the assessment. . you can outsource responsibility but you can't outsource accountability. 1. The risks of using Cloud computing should be compared to the risks of staying with traditional solutions. the 2009 Cloud Risk Assessment contains estimates of relative risks as compared with a typical traditional environment. In terms of criticality. for the cloud customer to transfer risk to the cloud provider. risks and recommendations for information security The risks listed above do not follow a specific order of criticality.However not all risks can be transferred: If a risk leads to the failure of a business. consultants as well as policy makers concerned with the area of Cloud computing. loss of governance is still considered the top risk associated with moving to the Cloud. To facilitate this. it is hard or impossible for any other party to compensate for this damage. The feedback received from all stakeholders will be used in a second review round that will yield a comprehensive update of the 2009 Cloud Risk Assessment. and in many cases explanations were added. and in some cases advisable. Ultimately. such as desktop-based models. current and potential Cloud customers.8 Cloud Computing Benefits. These were also reconsidered during the first review round.

processing and delivery closer to the network edge mean service reliability and quality is increased overall and local network problems are less likely to have global side-effects. risks and recommendations for information security 2 Security benefits of cloud computing It is hardly necessary to repeat one again about the Put simply. hardening of virtual machine instances and hypervisors.2 Security as a market differentiator Security is a priority concern for many cloud customers – customers will make buying choices on the basis of the reputation for confidentiality. Therefore the same amount of investment in security buys better protection. all kinds of security measures are cheaper when implemented on a larger scale. 2. Threat management: cloud providers can also afford to hire specialists in dealing with specific security threats. Edge networks: storage. human resources and their management and vetting. as well as according to recent Therefore the same amount of news from the ‘real world’. specific security benefits. more so than in traditional environments. efficient role-based access control and federated identity management solutions by default. This increases redundancy and independence from failure and provides a level of disaster recovery out-of-the-box. strong authentication. architectural and ecological benefits of measures are cheaper when cloud computing.1 Security and the benefits of scale Put simply. What follows is a description of the key ways in which it can contribute. and the security services offered by a provider. - - - 2. all kinds of security economic. . an examination of the security investment in security buys better risks of cloud computing must be balanced by a review of its protection. hardware and software redundancy. integrity and resilience. Other benefits of scale include: Multiple locations: most cloud providers have the economic resources to replicate content in multiple locations by default. for example due to early detection of new malware deployments. patch management. which also improves the network effects of collaboration among various partners involved in defense. technical. This is currenly still a strong incentive for cloud providers to improve their security practices and compete on security. members of our expert group. Improved timeliness of response to incidents: well-run larger-scale systems. This includes all kinds of defensive measures such as filtering. Cloud computing has significant potential to improve security and resilience. while smaller companies can only afford a small number of generalists. However. can develop more effective and efficient incident response capabilities.Cloud Computing 9 Benefits. in the direct experience of the implemented on a larger scale.

g.g. moreover. IaaS cloud service APIs also allow snapshots of virtual infrastructure to be taken regularly and compared with a baseline (e. 2. storage. memory.3 More timely and effective and efficient updates and defaults Virtual machine images and software modules used by customers can be pre-hardened and updated with the latest patches and security settings according to fine-tuned processes. open interface to managed security services (MSS) providers offering services to all its customers. encryption. When this ability for dynamic resource reallocation is combined with appropriate resource optimisation methods. Updates can be rolled out many times more rapidly across a homogenous platform than in traditional client-based systems that rely on the patching model. against DDoS attacks) when an attack is likely or it is taking place.5 Standardised interfaces for managed security services Large cloud providers can offer a standardised. without scaling all of the system resources. in order to increase support for defensive measures (e. and the level of granular control over resource consumption is increasing as technologies mature. risks and recommendations for information security 2. e.. smart scaling of resources The list of cloud resources that can be rapidly scaled on demand already includes. web service requests and virtual machine instances. which makes them likely to be more portable and robust than the equivalent enterprise software (where it exists). Finally in PaaS and SaaS models the applications are more likely to have been hardened to run outside the enterprise environment.. CPU time. They are also more likely to be regularly updated and patched in a centralized fashion minimizing the window of vulnerability. 2. . Achieving this requires however that the provider implements adequate coordination of autonomics for security defence and for resource management and optimisation. traffic shaping.g. to ensure software firewall rules have not changed). the more all kinds of individual resources can be scaled in a granular way. This potentially creates a more open and readily available market for security services where customers can switch providers more easily and with lower set-up costs.10 Cloud Computing Benefits. A cloud provider has the potential to dynamically reallocate resources for filtering. Furthermore. etc.4 Rapid. the cheaper it is to respond to sudden (non-malicious) peaks in demand. as well as limit the effect of increasing the use of resources by the security defence to combat such attacks. the cloud provider may be able to limit the effect that some attacks could have on the availability of resources that legitimately hosted services use. The ability to dynamically scale defensive resources on demand has obvious advantages for resilience..

8 Benefits of resource concentration Although the concentration of resources undoubtedly has disadvantages for security it has the obvious advantage of cheaper physical perimiterisation and physical access control (per unit resource) and the easier and cheaper application of a comprehensive security policy and control over data management. In the event of a suspected security breach. This makes the process of identifying security incidents as they happen more efficient (7).Cloud Computing 11 Benefits. The extent to which those savings are passed on to customers will obviously vary. However.7 Audit and SLAs force better risk management The need to quantify penalties for various risk scenarios in SLAs and the possible impact of security breaches on reputation (see Security as market differentiator) motivate more rigorous internal audit and risk assessment procedures than would otherwise be exist. Pay as you go cloud storage brings transparency to your audit storage costs and makes adjusting to meet future audit log requirements easier. incident management. risks and recommendations for information security 2. . 2.6 Audit and evidence-gathering IaaS offerings support on-demand cloning of virtual machines. multiple clones can be created and analysis activities parallelised to reduce investigation time. thus allowing more comprehensive logging without compromising performance. It can also provide more cost-effective storage for logs. With storage on tap. patch management. The frequent audits imposed on CPs tend to expose risks which would not otherwise have been discovered. This improves the expost analysis of security incidents and increases the probability of tracking attackers and patching weaknesses. the customer can take an image of a live virtual machine – or virtual components thereof – for offline forensic analysis. and maintenance processes. it does presume the customer has access to trained forensic experts (which is not a standard cloud service as of writing). 2. leading to less down-time for analysis. having therefore the same positive effect.

and should be considered by all organisations. risks and recommendations for information security 3 Risk assessment 3. 3. However.1 Use-case scenario The scenario used for the Risk Assessment uses a generic approach.2 Risk assessment process The level of risk is estimated on the basis of the likelihood of an incident scenario.12 Cloud Computing Benefits. This risk scale could also be mapped to a simple overall risk rating:    Low risk: 0-2 Medium Risk: 3-5 High Risk: 6-8 Likelihood of incident scenario Very Low Low Medium Business Impact High Very High Very Low (Very Unlikely) 0 1 2 3 4 Low (Unlikely) Medium (Possible) High (Likely) Very High (Frequent) 1 2 3 4 5 2 3 4 5 6 3 4 5 6 7 4 5 6 7 8 . The resulting risk is measured on a scale of 0 to 8 that can be evaluated against risk acceptance criteria. mapped against the estimated negative impact. The following shows the risk level as a function of the business impact and likelihood of the incident scenario. In many cases the estimate of likelihood depends heavily on the cloud model or architecture under consideration. and no statement was intended to be completely realistic for a specific case. The likelihood of an incident scenario is given by a threat exploiting vulnerability with a given likelihood. a given cloud client or provider. many or even all elements of this scenario are likely to occur.

the risks included references to lists of assets and vulnerabilities. In order to keep the document short. vulnerability and asset would look like. . the lists of assets and vulnerabilities were therefore omitted for the time being. Assets and Risks A risk is commonly described by a combination of a threat and a vulnerability.Cloud Computing 13 Benefits. In the 2009 Cloud Risk Assessment. In the full revision of the Cloud Risk Assessment.3 Threats. while the risk title in most cases describes the threat involved. they are likely to be included again. in revised form. risks and recommendations for information security We have based the estimation of risk levels on ISO/IEC 27005:2008 (10). the risks can stand quite well by themselves because it is rather obvious how the combination of threat. 3. Vulnerabilities. we found that while the lists of assets and vulnerabilities also need some revision. affecting an asset. During the first review round.

risks and recommendations for information security 4 Risks The following points should be noted in relation to the descriptions of risk below: - - - - Risk should always be understood in relation to overall business opportunity and appetite for risk – sometimes risk is compensated by opportunity. the risks of using cloud computing should be compared to the risks of staying with traditional solutions. This paper is not meant to replace a project-specific organisational risk assessment. . serious damage to reputation or legal implications. Therefore. a comparative analysis needs to compare not only the risks of storing data in different places (on premises vs. a spreadsheet . the cloud) but also the risks when on premises-data stored on premises – e. The risk analysis in this paper applies to cloud technology. but include important benefits such as more convenient communication and instant multi-point collaboration. against the security issues of a spreadsheet stored in the cloud and open to collaboration between those persons. Cloud services are not only about convenient storage. accessible by multiple devices. The level of risk will in many cases vary significantly with the type of cloud architecture being considered.g. It does not apply to any specific cloud computing offering or company. It is possible for the cloud customer to transfer risk to the cloud provider and the risks should be considered against the cost benefit received from the services. Therefore. it is hard or impossible for any other party to compensate for this damage.14 Cloud Computing Benefits. such as desktop-based models. However not all risks can be transferred: if a risk leads to the failure of a business. The level of risks is expressed from the perspective of the cloud customer.is emailed to other persons for their contributions.

Cloud Computing 15 Benefits.2 3 4 5 R.23 4 R.16 5 R.1 6 R.11 2 3 4 R.8 R.19 R.9 6 R.4 5 1 2 3 R.10 R.6 R.5 (1) R.15 R.3 R.14 0 1 2 4 IMPACT Figure 1: Risk distribution The risks are classified into three categories:   Policy and Organizational Technical .22 R.13 0 3 R.20 R. risks and recommendations for information security The following table shows the distribution of the risk probabilities and impacts: PROBABILITY 4 5 6 7 8 R.7 R.21 7 R.12 R.6 R.18 R.

The arrows show the way the risk changes when moving from the “Classic IT” to the “Cloud” setting As in the original Risk Assessment document. .16 Cloud Computing Benefits. Each risk is presented in tables which include:     Probability estimate Impact estimate Level of risk Comparison (where applicable) between the “Classic IT” and “Cloud” settings. we have not included an overall comparative risk since it is assumed that all the risks selected are higher in the Cloud setting. risks and recommendations for information security  Legal.

There is currently little on offer in the way of tools.1 Policy and organizational risks R.Cloud Computing 17 Benefits. depending on the CP's commitments. procedures or standard data formats or services interfaces that could guarantee data and service portability. . Migrating to another provider may even become virtually impossible.1 Lock-in Relying strongly on the services of one provider can lead to severe difficulties in changing the provider. Probability: High  Impact: Medium Risk: High Risk rating¶ Probability in Comparison to classic IT Cloud services are often based on proprietary nonstandard data formats and application logic. This potential dependency for service provision on a particular CP. risks and recommendations for information security 4. but in this case the customer usually has more control over the data and services.1 Lock-in Risk number and name Short description R. Impact in Comparison to classic IT  In both cases. This can make migrating data and services to another CP difficult or even impossible. data and own development efforts can be lost. or to migrate data and services to or from an inhouse IT environment. may lead to a catastrophic business failure should the cloud provider go bankrupt and the content and application migration path to another provider is too costly (financially or time-wise) or insufficient warning is given (no early warning). Furthermore. cloud providers may have an incentive to prevent (directly or indirectly) the portability of their customers services and data. Lock-in also occurs in the classic IT setting. A missing exit strategy exacerbates this risk. This makes it extremely difficult for a customer to migrate from one provider to another.

For such services on the part of the cloud provider.. the customer will need to develop a program to extract their data and write it to file ready for import to another provider. if the data is to be brought back in-house. The new provider can normally help with this work at a negotiated cost.g. for integration number of issues which may affect security. SaaS providers typically develop a custom application tailored to the needs of their target market. It is important to understand that the extent and nature of lock-in varies according to the cloud type: SaaS Lock-in  Customer data is typically stored in a custom database schema designed by the SaaS provider. the client developed programs to interact with the necessarily cedes control to the CP on a providers API directly (e. Moreover. risks and recommendations for information security The acquisition of the cloud provider can also have a similar effect. Not only must the customer develop code using the custom APIs offered Moreover the cloud provider may outsource or by the provider.g.  Application lock-in is the most obvious form of lock-in (although it is not specific to cloud services). re-training is necessary). However. efficient back-end data store. example. However.18 Cloud Computing Benefits. with other applications).. the customer will need to write import routines that take care of any required data mapping unless the CP offers such a routine. there may be conflicts between customer hardening procedures and PaaS Lock-in the cloud environment. the PaaS provider may offer a highly thus leaving a gap in security defenses. so the terms and conditions of their services may also change. since it increases the likelihood of sudden changes in provider policy and non-binding agreements such as terms of use (ToU). testing. It should be noted that there are few formal agreements on the structure of business records (e.. it is in the long-term business interest of CPs to make data portability as easy. although there are common underlying file formats for the export and import of data. As customers will evaluate this aspect before making important migration decisions. but they must also code data access sub-contract services to third-parties routines in a way that is compatible with the back-end (unknown providers) which may not offer the same guarantees (such as to provide the service in a lawful way) as issued by the cloud provider. these will also need For example ToUs may prohibit port scans. Or the control of the cloud provider changes.g. to be re-written to take into account the new vulnerability assessment and penetration provider’s API. complete and cost-effective as possible. platform SLAs may not offer a commitment to provide specific API calls) and at the component level. a customer record at one SaaS provider may have different fields than at another provider). SaaS customers with a large user-base can incur very high switching costs when migrating to another SaaS provider as the end-user experience is impacted (e.. XML. e.g. On the other hand. Where the customer has In using cloud infrastructures. if the provider does not offer a readymade data ‘export’ routine. Most SaaS providers offer API calls to read (and thereby ‘export’) data records. PaaS lock-in occurs at both the API layer (ie. .

as well as a loss of investment. Furthermore. However application level dependence on specific policy features (e. in the same way as in SaaS. Migrating between providers is non-trivial until open standards..Cloud Computing 19 Benefits.g. some customers will never be able to retrieve their data and applications. as the data access model may be different (e. PaaS lock-in happens at the runtime layer as ‘standard’ runtimes are often heavily customised to operate safely in a cloud environment. In other words. suppose there is a crisis of confidence in the cloud provider’s financial position. competitive pressure.g. The impact of this threat for the cloud customer is easily understandable. but in this case the onus is completely on the customer to create compatible export routines. Data lock-in is the obvious concern with IaaS storage services. relational v hashing). This code will not necessarily be portable across PaaS providers. hence so do storage semantics.. failures in the services outsourced to the CP may have a significant impact on the cloud customer’s ability to meet its duties and obligations to its own customers.  IaaS-Lock-in IaaS lock-in varies depending on the specific infrastructure services consumed. access controls) may limit the customer’s choice of provider. an inadequate business strategy. a Java runtime may have ‘dangerous’ calls removed or modified for security reasons. it is possible that in the short or medium term some cloud computing services could be terminated. are adopted. a customer using cloud storage will not be impacted by non-compatible virtual machine formats. risks and recommendations for information security data store. IaaS storage provider offerings vary from simplistic key/value based data stores to policy enhanced file based stores.   Common to all providers is the possibility of a ‘run on the banks’ scenario for a cloud provider. Then. and quality of service. For example. PaaS also suffers from data lock-in. in a situation where a provider limits the amount of ’content’ (data and application code) which can be ‘withdrawn’ in a given timeframe. since it could lead to a loss or deterioration of service delivery performance. first served basis. Feature sets can vary significantly. such as OVF (11). even if a seemingly compatible API is offered. etc.   PaaS lock-in at the API layer happens as different providers offer different APIs. and therefore a mass exit and withdrawal of content on a first come. lack of financial support. For example. Software and VM metadata is bundled together for portability – typically just within the provider’s cloud. For this scenario. The customer of the cloud provider may thus be exposed to contractual and tortuous liability to its customers based on its . As cloud customers push more data to cloud storage. data lock-in increases unless the CP provides for data portability. could lead some providers to go out of business or at least to force them to restructure their service portfolio offering. The onus is on the customers' developers to understand and take into account these differences.  IaaS computing providers typically offer hypervisor based virtual machines. As in any new IT market.

20 Cloud Computing Benefits. This could make it impossible to comply with the security requirements. non-contractual security controls). and employee loyalty and experience.. Acquisition of the cloud provider could increase the likelihood of a strategic shift and may put nonbinding agreements at risk (e. Failures by the cloud provider may also result in liability by the customer to its employees. risks and recommendations for information security provider’s negligence.g. customer or patient trust. software interfaces. The final impact could be damaging for crucial assets such as: the organization’s reputation. security investments. .

Loss of governance might occur in classic IT scenarios. For example ToUs may prohibit port scans.  In using cloud infrastructures. as certain organisations migrating to the cloud have made considerable investments in achieving certification either for competitive .Cloud Computing 21 Benefits. Moreover the CP may outsource or sub. the CC necessarily cedes control to the CP on a number of issues which may affect security. and is therefore almost certain to occur. and of any kind of outsourcing in general. On the other hand. If it occurs. Probablity: Very High  Impact: Very High Risk: Very High Risk rating¶ Probability in Comparison to classic IT Impact in Comparison to classic IT Ceding control to a service provider lies in the nature of Cloud services. Moreover. the impact will be similar. as well. vulnerability assessment and penetration testing. below). risks and recommendations for information security R. The loss of control and governance can also lead to the impossibility of complying with the security requirements. SLAs may not offer a commitment to provide such services on the part of the CP. and a deterioration of performance and quality of service. there may be conflicts between customer hardening procedures and the cloud environment. thus leaving a gap in security defenses. not to mention the introduction of compliance challenges. The loss of governance and control could have a potentially severe impact on the organization’s strategy and therefore on the capacity to meet its mission and goals. the client necessarily cedes control to the CP on a number of issues which may affect security. PCI DSS). integrity and availability of data. so the terms and conditions of their services may also change. a lack of confidentiality.Certain organisations migrating to the cloud contract services to third-parties (unknown have made considerable investments in providers) which may not offer the same achieving certification either for competitive guarantees (such as to provide the service in a advantage or to meet industry standards or lawful way) as issued by the CP (see also regulatory requirements (eg.2 Loss of governance Risk number and name Short description R. Or the control of the CP changes.2 Loss of governance When using Cloud services.

risks and recommendations for information security advantage or to meet industry standards or regulatory requirements (e. For example. A CP can also outsource certain specialised tasks of its ‘production chain’ to third parties. An important example here is where a critical dependency exists on a third party single-sign-on or identity management service. a lack of transparency in the contract can be a problem for the whole system. if the CP does not permit audit by the CC. Resource sharing means that malicious activities carried out by one tenant may affect the reputation of another tenant. loss of data confidentiality.22 Cloud Computing Benefits. In this case. Any interruption or corruption in the chain or a lack of coordination of responsibilities between all the parties involved can lead to: unavailability of services.. This investment may be put at risk by a migration to the cloud:  if the CP cannot provide evidence of their own compliance to the relevant requirements. etc. In such a situation the level of security of the CP may depend on the level of security of each one of the links and the level of dependency of the CP on the third party. violation of SLA. economic and reputational losses due to failure to meet customer demand. an interruption of the third party service or of the CP’s connection to the service or a weakness in their security procedures may compromise the availability or confidentiality of a CC or indeed the entire cloud offering. . PCI DSS).the CC is not in a position to properly evaluate the risk he is facing.it is not realistic that providers should list the contractors since these may change frequently .g. EC2 says customers would be hard-pressed to achieve PCI compliance on their platform. cascading service failure. This lack of transparency could decrease the level of trust in the provider. it even means that using a public cloud infrastructure implies that certain kinds of compliance cannot be achieved and hence cloud hosted services cannot be used for services that need them. In general. integrity and availability. If a CP does not declare which core IT services are outsourced . So EC2 hosted services cannot be used to handle credit card transactions.  In certain cases.

In general. This way. or even use another cloud service as a ‘backend’. In this case. loss of data confidentiality.the customer is not in a position to properly evaluate the risk he is facing. In such a situation the level of security of the cloud service depends on the level of security of each one of the links and the level of dependency of the cloud provider on the third party. Any interruption or corruption in the chain or a lack of coordination of responsibilities between all the parties involved can lead to: unavailability of services.3 Suppy Chain Failure A CP can outsource parts of its production chain to third parties. a lack of transparency in the contract can be a problem for the whole system. etc. or even use other CPs as part of its service.3 Suppy Chain Failure Risk number and name Short description R. . a potential for cascading failures is created Probability: Low  Impact: Medium Risk: Medium Risk rating¶ Probability in Comparison to classic IT Impact in Comparison to classic IT Supply chain failiures can occur also in classic IT setups.Cloud Computing 23 Benefits. cascading service failure.it is not realistic that providers should list the contractors since these may change frequently . because the supply chain is likely to be longer and the customer’s options fewer. violation of SLA. If a CP does not declare which core IT services are outsourced . This lack of transparency could decrease the level of trust in the provider. The potential impact of supply chain failures has to be considered higher than in classic IT setups. An important example here is where a critical dependency exists on a third party single-sign-on or identity management service. integrity and availability. but the probability is considered to be higher in Cloud scenarios. risks and recommendations for information security R. economic and reputational losses due to failure to meet customer demand. an interruption of the third party service or of the CP’s connection to the service or a weakness in their security procedures may compromise the availability or confidentiality of a cloud customer or indeed the entire cloud offering.  A CP can outsource certain specialised tasks of its ‘production chain’ to third parties.

a. customers to secure their resources.4 Conflicts between customer hardening procedures and cloud environment Short description Certain security measures of a CC may conflict with a CP’s environment. whether this is via virtualization on a server or the common network shared by the customers. Probability: Medium n. are tasked with providing a multi-tenant environment. by their very nature.4 Conflicts between customer hardening procedures and cloud environment Risk number and name R. risks and recommendations for information security R. Customers must realize and assume their responsibility as failure to do so would place their data and resources at further risk.24 Cloud Computing Benefits. The failure of customers to properly secure their environments may pose a vulnerability to the cloud platform if the CP has not taken the necessary steps to provide isolation. This assumption by the customer. placed unnecessary risk on the customer’s data.a. The co-location of many customers inevitably causes conflict for the CP as customers’ communication security requirements are likely to be divergent from each other. making their implementation by the CC impossible. and was conducting. Impact: Medium Risk: Medium Risk rating¶ Probability in Comparison to classic IT Impact in Comparison to classic IT This risk doesn’t exist in classic IT settings n. In some cases CC have inappropriately assumed that the CP was responsible for. all activities required to ensure security of their data. CPs Customers must realize and assume their should further articulate their isolation mechanisms responsibility as failure to do so would place and provide best practice guidelines to assist their data and resources at further risk. It is imperative that CCs identify their responsibilities and comply with them. . CPs must set out a clear segregation of responsibilities that articulates the minimum actions customers must undertake. CPs. and/or a lack of clear articulation by the CP.

Therefore. This type of challenge only worsens as the number of tenants and the disparity of their requirements increase. for example. risks and recommendations for information security Take. . who wins? This same type of issue is raised by customers who have competing and conflicting compliance requirements. CPs must be in a position to deal with these challenges by way of technology. but another customer is running a web server farm and requires passage of HTTP and HTTPS. policy and transparency (where appropriate). If one customer wishes the network firewall to block all traffic except for SSH. the case of two customers on a shared traditional network infrastructure.Cloud Computing 25 Benefits.

If a social engineering attack occurs. risks and recommendations for information security R. Impact in Comparison to classic IT  .26 Cloud Computing Benefits. the impact will be the same in both classic IT and Cloud settings. While it is similar to a confidence trick or simple fraud.5 Social engineering attacks Social engineering is understood to mean the art of manipulating people into performing actions or divulging confidential information. fraud. or computer system access. it is typically trickery or deception for the purpose of information gathering. Probability: Medium  Impact: High Risk: Medium Risk rating Probability in Comparison to classic IT Due to the involvement of different organisations.5 Social engineering attacks Risk number and name Short description R. the probablility for social engineering attacks is considered higher. This is mostly due to the greater attack surface created by the interaction between two different entities. in most cases the attacker never comes face-to-face with the victims.

Impact: Medium Risk: Medium Ris rating for failing to meet Probability: Medium an increase in demand Risk rating for failing to Probability: Low maintain the current service level Probability in Comparison to classic IT  Impact: High Risk: Medium Resource exhaustion can also occur in classic IT settings.Cloud Computing 27 Benefits.6 Resource exhaustion (under or over provisioning) Risk number and name Short description R. because resources are allocated according to statistical projections. Inaccurate modelling of resources usage .6 Resource Exhaustion As Cloud services are on-demand services.or inadequate resource provisioning and inadequate investments in infrastructure can lead. Impact in Comparison to classic IT  Cloud services are on-demand services.common resources allocation algorithms are vulnerable to distortions of fairness . Therefore there is a level of calculated risk in allocating all the resources of a cloud service. to:  Service unavailability: failure in certain highly specific application scenarios which use a particular resource very intensively (ie. If a resource exhaustion event occurs. or to maintain a given service level. As the CP is supposed to have an effective capacity management in place that will make it unlikely that a resource exhaustion event occurs. the impact will be the same in both classic IT and Cloud settings. . from the CP perspective. CPU/Memory intensive number crunching or simulation (eg. risks and recommendations for information security 4.2 Technical risks R. forecasting stock prices. there is the possibility that the CP won’t be able to   meet an increased demand in a certain shared resource. the probability is considered lower in a Cloud setting.

There is a level of calculated risk in allocating all the resources of a cloud service. violation of SLA. From the CC perspective. risks and recommendations for information security     Access control compromised: in some cases it may be possible to force a system to ‘fail open’ in the event of resource exhaustion. cascading service failure.28 Cloud Computing Benefits. Access control system compromised: put the confidentiality and Integrity of data at risk. The opposite consequences of inaccurate estimation of resource needs could lead to: Infrastructure oversize: excessive provisioning leading to economic losses and loss of profitability. Economic and reputational losses: due to failure to meet customer demand. because resources are allocated according to statistical projections. Economic and reputational losses: due to failure to meet customer demand. a poor provider selection and lack of supplier redundancy could lead to:    Service unavailability: failure in the delivery (or degrading performance) of services both in real time and not in real time. etc. Note: this risk could be also a consequence of a DDoS attack and of misbehaving applications due to poor application compartmentalization in some CPs’ systems. .

but due to the shared nature of Cloud services and the exposed interfaces. port scanning or the serving of malicious content from cloud infrastructure can lead to: . and side channel attacks). Computing capacity. and network are shared between multiple users. Note that the likelihood (probability) of this incident scenario depends on the cloud model considered. The impact of an isolation failure is considered the same for both classic IT and Cloud settings. and even reputation between different tenants of the shared infrastructure (e. The impact can be a loss of valuable or sensitive data. reputation damage and service interruption for cloud providers and their clients. Impact in Comparison to classic IT  Multi-tenancy and shared resources are two of the defining characteristics of cloud computing environments.7 Isolation failure In shared environments. Resource sharing also means that malicious activities carried out by one tenant may affect the reputation of another tenant. or even of all customers of the Cloud service.Cloud Computing 29 Benefits. an attacker gets access to the resources or data of a specific customer. For example.g. it is likely to be low for private clouds and higher (medium) in the case of public clouds. the probability is considered higher for Cloud services. risks and recommendations for information security R.7 Isolation failure Risk number and name Short description R. routing. SQL injection attacks exposing multiple customers’ data stored in the same table. In the case of attacks. This class of risks includes the failure of mechanisms separating storage. spamming.. errors or attacks can lead to situations where one tenant has access to another tenant’s resources or data. memory. storage. so-called guest-hopping attacks. Probability: High  Impact: High Risk: High Risk rating¶ Probability in Comparison to classic IT Isolation failures can also occur in classic IT settings.

including the attacker and other innocent tenants of an infrastructure. as well as problems for the organization’s reputation. confiscation of resources due to neighbour activities (neighbour subpoenaed). risks and recommendations for information security   a range of IP addresses being blocked.30 Cloud Computing Benefits. . The impact can be deterioration in service delivery and data loss.

integrity and availability of all kind of data. As cloud use increases.8 Cloud provider malicious insider .abuse of high privilege roles Short description Malicious insiders at the CP can cause various kinds of damage to a CC’s assets. This can be considered especially important in the case of cloud computing due to the fact that cloud architectures necessitate certain roles which are extremely high-risk. Impact in Comparison to classic IT  The malicious activities of an insider could potentially have an impact on: the confidentiality. employees of cloud providers increasingly become targets for criminal gangs (as has been witnessed in the financial services industry with call centre workers). Probability: Medium  Impact: Very high Risk: High Risk rating Probability in Comparison to classic IT The malicious insider threat also exists in classic IT settings.Cloud Computing 31 Benefits.abuse of high privilege roles Risk number and name R. all kind of services and therefore indirectly on the organization’s reputation. The impact caused by mailicious insider is considered the same for both classic IT and Cloud settings. . risks and recommendations for information security R. but the likelihood of an incident has to be considered higher because admin roles at CPs provide more temptation and more opportunities. customer trust and the experiences of employees. Examples of such roles include CP system administrators and auditors and managed security service providers dealing with intrusion detection reports and incident response.8 Cloud provider malicious insider . IP.

. This includes mediate access to larger sets of resources customer interfaces controlling a number of virtual (than traditional hosting providers) and machines and. CP interfaces therefore pose an increased risk especially controlling the operation of the overall cloud system.9 Management interface compromise (manipulation. this risk may be mitigated by more browser vulnerabilities. investment in security by providers. availability of infrastructure) Risk number and name R. Short description The customer management interfaces of public cloud providers are Internet accessible and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased risk especially when combined with remote access and web browser vulnerabilities. Probability: Medium  Impact: Very high Risk: High Risk rating¶ Probability in Comparison to classic IT Impact in Comparison to classic IT This risk doesn’t exit in classic IT settings  If management interfaces are compromised in classic IT settings. risks and recommendations for information security R. The customer management interfaces of public cloud providers are Internet accessible and mediate access to larger sets of resources (than traditional hosting providers) and therefore pose an increased The customer management interfaces of public risk especially when combined with remote access cloud providers are Internet accessible and and web browser vulnerabilities.9 Management interface compromise availability of infrastructure) (manipulation. most importantly.32 Cloud Computing Benefits. when combined with remote access and web Of course. the impact is the same as for Cloud settings.

. This is especially relevant in shared environments and when data is transferred between sites (e. Furthermore.  Cloud computing. Sniffing.10 Intercepting data in transit Risk number and name Short description Whenever data is transferred between different computers or sites. spoofing. If data is intercepted. being a distributed architecture. a practice not always followed in the cloud context. between cloud infrastructure and remote web clients. data must be transferred in order to synchronise multiple distributed machine images. man-in–the-middle attacks. because these always involve both a shared environment and transfers between sites. between CC and CP).Cloud Computing 33 Benefits. in some cases the CP does not offer a confidentiality or non-disclosure clause or these clauses are not sufficient to guarantee respect for the protection of the customer’s secret information and ‘know-how’ that will circulate in the ‘cloud’. the impact is the same in both Cloud and classic IT settings. risks and recommendations for information security R. images distributed across multiple physical machines. most use of data-centre hosted computing is implemented using a secure VPN-like connection environment. For example. side channel and replay attacks have to be considered as possible threat sources.10 Intercepting data in transit R. Moreover. there is the possibility that the transfer can be intercepted. Probability: Medium  Impact: High Risk: Medium Risk rating¶ Probability in Comparison to classic IT Impact in Comparison to classic IT The risk of data being intercepted is considerably higher in Cloud environments. etc. implies more data in transit than traditional infrastructures.g.

resources are scaled down. the data could be accessed at at later time by another customer of a Cloud provider Probability: Medium  Impact: Very high Risk: High Risk rating¶ Probability in Comparison to classic IT Scaling up or down resources and moving data around is a characteristic of the Cloud deployment model. physical hardware is reallocated.11 Insecure or ineffective deletion of data Risk number and name Short description Deleting data from Cloud storage does not in fact mean that the data is removed from the storage or eventual backup media. etc. the probability of a data exposure due to ineffective deletion is considered higher than in a classic IT setting. It may be impossible to carry out the procedures specified by the security policy. Where true data cloud customer's resources may be used by wiping is required.11 Insecure or ineffective deletion of data R. If disk storage is not encrypted. data may be available beyond the lifetime specified in the security policy. When a request to delete a cloud resource is made. . Impact in Comparison to classic IT  Whenever a provider is changed. In this context. since full data deletion is only possible by destroying a disk which also stores data from other clients. If effective encryption is used then the level of risk may be considered to be lower. risks and recommendations for information security R.34 Cloud Computing Benefits. standard API (or at all). The impact of a data exposure is considered the same for both Cloud and classic IT settings. this may not result in true wiping of the data There are several different scenarios in which a (as with most operating systems). special procedures must be other parties in a malicious way that has an followed and this may not be supported by the economic impact.

12 Distributed denial of service (DDoS) R. Impact in Comparison to classic IT  . risks and recommendations for information security R.Cloud Computing 35 Benefits. The reason is that a Cloud provider is expected to have better resources and mitigation techniques available than an individual company could have.12 Distributed denial of service (DDoS) Risk number and name Short description Distributed Denial of Service attacks aim at overloading a resource (network or service interface) by flooding it with requests from many sources distributed across a wide geographical or topological area. so that the legitimate users are unable to use the resource as intended. The impact of a DDoS attack is considered to be the same in both classic IT and Cloud settings. Probability: Medium  Impact: High Risk: Medium Risk rating¶ Probability in Comparison to classic IT The probability of a DDoS attack affecting a particular customer is considered lower than the probability of a standalone service being affected by a targeted DDoS attack.

the worst case scenario would be the bankruptcy of the customer or a serious economic impact. EDoS destroys economic resources. a DDoS attack can have this effect. the impact will be the same both in a classic IT and in Cloud setting. or misconfigurations. poor budget planning. the cost of a Cloud service can strain the financial resources of a CC to an extent that the service is no longer affordable. it becomes much more relevant in Cloud settings.13 Economic denial of service (EDoS) Risk number and name Short description As a consequence of attacks. Impact in Comparison to classic IT  There are several different scenarios in which a CC's resources may be used by other parties in a malicious way that has an economic impact:    Identity theft: an attacker uses an account and uses the customer's resources for his own gain or in order to damage the customer economically.for example. where the customer pays per HTTP request. . An attacker uses a public channel to use up the CC's metered resources . risks and recommendations for information security R. If an EDoS event occurs. because resources are allocated and billed dynamically. The CC has not set effective limits on the use of paid resources and experiences unexpected loads on these resources through no malicious actions. Probability: Low  Impact: High Risk: Medium Risk rating¶ Probability in Comparison to classic IT Although this risk is to some extent also present in classic IT settings.13 Economic denial of service (EDoS) R.36 Cloud Computing Benefits.

the runtime environment the minimum actions customers must (PaaS clouds). It can be further customized by the CPs. Like any other software layer.14 Compromise of Service Engine R. the application pool (SaaS clouds). resulting in a potential complete loss of data or denial of service. For example. the service engine that sits above the physical hardware resources and manages customer resources at different levels of abstraction. Hacking the service engine may be useful to escape the isolation between different customer environments (jailbreak) and gain access to the data contained inside them. causing a denial of service. The service engine is developed and supported by cloud platform vendors and the open source community in some cases. the service engine code can have vulnerabilities and is prone to attacks or unexpected failure. n. risks and recommendations for information security R.Cloud Computing 37 Benefits. through its APIs.a. Each cloud architecture relies on a highly specialized platform. Probability: Low  Impact: Very high Risk: High Risk rating¶ Probability in Comparison to classic IT Impact in Comparison to classic IT This risk does not exist in classic IT settings. in IaaS clouds this software component can be the hypervisor. or to reduce the resources assigned to them. . to monitor and modify the information inside them in a transparent way (without direct interaction with the application inside the customer environment). An attacker can compromise Cloud providers must set out a clear the service engine by hacking it from inside a virtual segregation of responsibilities that articulates machine (IaaS clouds). A compromise of the service engine will give an attacker access to the data of all customers.14 Compromise of Service Engine Risk number and name Short description The service engine is a fundamental part of a Cloud service. or undertake.

customer private keys.38 Cloud Computing Benefits.15 Loss of Cryptographic Keys Risk number and name Short description The loss or compromise of cryptographic keys used for encryption. file encryption. etc) or passwords to malicious parties. . the impact is considered the same both in classic IT and in Cloud settings. or financial damages Probability: Low  Impact: High Risk: Medium Risk rating¶ Probability in Comparison to classic IT Impact in Comparison to classic IT This risk is also present in classic IT settings. authentication or digital signatures can lead to data loss. denial of services. but cryptographic techniques are more likely to be used in Cloud settings If a loss of cryptographic keys occurs. or their unauthorised use for authentication and non-repudiation (digital signature).15 Loss of Cryptographic Keys R.  This includes disclosure of secret keys (SSL. the loss or corruption of those keys. risks and recommendations for information security R.

risks and recommendations for information security R.16 Non Cloud-Specific Network-Related Technical Failures or Attacks R. temporarily reduced network bandwidth on the path between CC and CP.16 Non Cloud-Specific Network-Related Technical Failures or Attacks Risk number and name Short description Cloud services can be affected by a number of network-related technical failures that can also occur on classic IT settings.Cloud Computing 39 Benefits. .  The impact of network-related failures is considered higher in a Cloud setting because of the rather immediate effect on the performance or even the availability of the Cloud service. Probability: Medium  Impact: Medium Risk: Medium Risk rating¶ Probability in Comparison to classic IT Impact in Comparison to classic IT Network-related technical failures or attacks can occur both in Cloud and in classic IT settings. disruptions in the global Internet routing infrastructure leading to the loss of the network path between CC and CP. Examples include the loss of Internet connectivity due to failures at the CC’s site or the CC’s Internet service provider. and failures of the CP’s Internet connectivity.

or the physical media on which the backup is stored can get stolen.17 Loss of Backups 0 Loss of Backups Risk number and name Short description The backups a CP makes of it’s customers’ data can get lost. risks and recommendations for information security R. Impact in Comparison to classic IT  . the impact is the same for both Cloud and classic IT settings. If backups are lost or stolen.40 Cloud Computing Benefits. Probability: Low  Impact: High Risk: Medium Risk rating¶ Probability in Comparison to classic IT The probability of a loss of backups is considered lower in a Cloud setting because it is assumed that a CP will have better protection mechanisms in place than an average CC. damaged.

g. the time to recovery may be higher than in a classic IT setting. a CC might be affected by natural disasters occurring far away from its own location. This is illustrated e. This way.18 Natural disasters R. the risk from natural disasters is lower compared to traditional infrastructures because CPs often offer multiple redundant sites and network paths by default. the impact is considered higher than in a classic IT setting. earthquakes. tsunamis can affect the infrastructure of a CP.18 Natural disasters Risk number and name Short description Natural disasters like flooding. Probability: Very low  Impact: High Risk: Medium Risk rating¶ Probability in Comparison to classic IT The probability of a natural disaster affecting a Cloud service is considered lower for a Cloud service than for classic IT because it is assumed that a CP has more redundancy built into its infrastructure than an average CC. . Therefore. If a natural disaster does affect a Cloud service. but rather to restore the service in general. Impact in Comparison to classic IT  Generally speaking. risks and recommendations for information security R. because the recovery efforts of a CP will not be focussed on restoring service to a particular customer. by the 2011 Japan earthquake where “classic” IT often failed.Cloud Computing 41 Benefits. but no large datacentre went down.

19 Subpoena and e-discovery R. or information may have to be provided during civil lawsuits.42 Cloud Computing Benefits. At the same time. storage media or other hardware might be seized as evidence. In some cases. Probability: High  Impact: Medium Risk: High Risk rating¶ Probability in Comparison to classic IT Due to the shared usage of hardware resources in a Cloud setting. .19 Subpoena and e-discovery Risk number and name Short description Law enforcement authorities may ask operators of IT infrastructures to provide information pertaining to criminal cases. risks and recommendations for information security 4. a CC can also be affected by subpoenas or civil law suits directed at the CP or third parties. The impact of subpoena or e-discovery is considered to be the same in both classic IT and Cloud settings. not just those directed at the CC himself. Impact in Comparison to classic IT  In the event of the confiscation of physical hardware as a result of subpoena by law-enforcement agencies or civil suits. the centralisation of storage as well as shared tenancy of physical hardware means many more clients are at risk of the disclosure of their data to unwanted parties. The probability is therefore higher in a Cloud setting than in a classic IT setting. it may become impossible for the agency of a single nation to confiscate ‘a cloud’ given pending advances around long distance hypervisor migration.3 Legal risks R.

.  Customer data may be held in multiple jurisdictions. The impact of an event related to this risk is considered the same in both classic IT and Cloud settings. states that do not respect international agreements. Note that we are not implying here that all subpoena law-enforcement measures are unacceptable.20 Risk from changes of jurisdiction R. a CP might be subject to law enforcement or national security actions from the country its business headquarters is based in. because a potentially large number of different countries’ jurisdictions might be involved. national security interests of the hosting country might be cited as a reason for seizing data. there are numerous ways in which the change in jurisdiction could affect the security of the information. Additionally. those. In some cases. Impact: High Risk: High Risk rating¶ Probability in Comparison to classic IT Impact in Comparison to classic IT Probability: High  This risk is considered to be considerably higher in a Cloud setting. not just those from the countries where its data centres are located.g. e.. Examples include:    Data might be seized or the operations of a service disrupted due to reasons that don’t exist in the CC’s country.Cloud Computing 43 Benefits. lacking the rule of law and having an unpredictable legal framework and enforcement. etc. autocratic police states. If data centres are located in high-risk countries.20 Risk from changes of jurisdiction Risk number and name Short description When data is stored or processed in a data centre located in a country other than the CC’s. sites could be raided by local authorities and data or systems subject to enforced disclosure or seizure. some of which may be high risk. risks and recommendations for information security R. merely that some may be so and that some legitimate seizures of hardware (which appear to be rare) may affect more customers than the targets of a law-enforcement action depending on how the data is stored.

44 Cloud Computing Benefits. risks and recommendations for information security .

Failure to comply with data protection law may lead to administrative.Cloud Computing 45 Benefits. It has to be clear that the CC will be the main person responsible for the processing of personal data.g.. risks and recommendations for information security R. between federated CPs). for the data controller. The CC may lose control of the data processed by the CP. SAS70 certification providers. the impact will be the same in both classic IT and Cloud setting. Probability: High  Impact: High Risk: High Risk rating¶ Probability in Comparison to classic IT As a CP might move data and processing applications between data centres located in different countries even without notifying the CC. civil and also criminal sanctions.21 Data protection risks Risk number and name Short description Processing data in another country may incur difficulties regarding data protection legislation..  It can be difficult for the CC (in its role of data controller) to effectively check the data processing that the CP carries out.. This issue is increased in the case of multiple transfers of data (e. which vary from country to country. If difficulties regarding data protection regulations are encountered. some CPs do provide information on the data processing that they carry out. where the data processor has full control over the location.    .21 Data protection risks R. e. The CP may receive data that have not been lawfully collected by its customer (the controller). or might even be considered unlawful by the responsible Data Protection authority. even when such processing is carried out by the CP in its role of external processor. On the other hand. and thus be sure that the data is handled in a lawful way. Some also offer certification summaries of their data processing and data security activities and the data controls they have in place. This problem is exacerbated in the case of multiple transfers of data e. There may be data security breaches which are not notified to the controller by the CP. the probability has to be considered higher in a Cloud setting than in a classic IT setting. Impact in Comparison to classic IT  Cloud computing poses several data protection risks for CCs and CPs. between federated clouds.g.g.

46 Cloud Computing Benefits. risks and recommendations for information security .

. For example.Cloud Computing 47 Benefits. if software is charged on a per instance basis every time a new machine is instantiated then the cloud customer’s licensing costs may increase exponentially even though they are using the same number of machine instances for the same duration.22 Licensing Issues Risk number and name Short description Violating a software supplier’s licensing agreements can result in significant financial penalties or disruptions of service. Probability: Medium  Impact: Medium Risk: Medium Risk rating Probability in Comparison to classic IT Impact in Comparison to classic IT As many software licensing agreements are not yet “cloud aware”. The impact of a licensing issue is considered the same in both settings.  Licensing conditions. the probability of incidents related to licensing has to be considered higher in a Cloud setting. and online licensing checks may become unworkable in a cloud environment. such as per-seat agreements. risks and recommendations for information security R.22 Licensing Issues R.

Probability: Low  Impact: Medium Risk: Medium Risk rating Probability in Comparison to classic IT Impact in Comparison to classic IT The probability of intellectual property issues is considered higher in a Cloud setting. . there is the possibility for creating original work (new applications.) tied to this specific environment. if not protected by the appropriate contractual clauses. this original work may be at risk. As with all intellectual property. risks and recommendations for information security R.23 Intellectual Property Issues R.  The impact of intellectual property issues is considered the same in both classic IT and Cloud settings.48 Cloud Computing Benefits. software etc.23 Intellectual Property Issues Risk number and name Short description Both in the Cloud and when using certain software and service environments within the own infrastructure.

are now available instantly. with the European market ranging from €971m in 2008 to €6. we conclude that the main risks. such as email handling. it must offer solid information security. This year we decided to update the assessment of risk and benefits. Computing services ranging from data storage and processing to software. proper consideration and management of risks. not a new technology.005m in 2013. when adopting cloud computing.4bn. After the first round of reviews. to better reflect the current situation.Cloud Computing 49 Benefits. At the same time. across EU member states. For cloud computing to reach the full potential promised by the technology. We have restructured the risks with the goal of making the descriptions more uniform. . This new economic model for computing has found fertile ground and is seeing massive global investment. there will be a more in-depth review of the legal and data protection aspects of Cloud computing. The updated risk assessment will now be subjected to a second review round by a group of experts set up by ENISA. and therefore. the worldwide forecast for cloud services in 2009 will be in the order of $17. have not changed. Our 2009 cloud security risk assessment is widely referred to. ENISA has played an important role in giving stakeholders an overview of the information security risks when ‘going cloud’ .2bn. commitment-free and on-demand. According to IDC’s analysis. ENISA will continue to monitor the developments related to risks of Cloud computing and update the Risk Assessment as necessary. The estimation for 2013 amounts to $44. and outside the EU. risks and recommendations for information security 5 Conclusions and next steps Cloud computing is a new way of delivering computing resources. which were excluded from the first round of review.

eu Heraklion. 71001 Greece¶www.O.50 Cloud Computing Benefits. Box 1309. risks and recommendations for information security P. .europa.enisa.