Critical Cloud Computing

Wednesday, February 20, 2013 - 10:10

ENISA’s Critical Cloud Computing report examines cloud from a Critical Information Infrastructure Protection (CIIP) perspective: what is the impact on society of outages or attacks? The increasing adoption of the cloud model has both benefits and risks. A previous ENISA report noted that the massive scale of cloud providers makes state-of-the-art security and resilience measures more efficient. However, the dependency of many customers on a small number of suppliers will increase the impact of any problems that do occur.

Reporting (both in the press and to regulators) concentrates on a few large incidents rather than many small ones, so it doesn’t provide useful evidence for the net effect of these opposing trends. However, it is clear that cloud providers will become part of countries’ Critical Information Infrastructure (CII) – if they are not already – both because most other organisations will depend on them to some degree, and because some of the services running on clouds will themselves be in critical sectors such as health, energy and finance. Infrastructure as a Service (IaaS) and Platform as a Service (PaaS) providers are likely to be the most critical, because of the number of customers that depend on them and the higher-level cloud services they support.

Looking at the four main threats to CII, ENISA conclude that clouds are likely to provide better protection against local power failures and natural disasters, because physical resilience and geographic diversity are a routine part of cloud provision. The elasticity of clouds can also help to protect against denial of service attacks and flash crowds. However, the dependence on a small number of platforms is likely to increase the impact of any software flaws and of administrative or legal disputes, where problems involving one customer may have side-effects for others.

ENISA conclude that countries need to include clouds in their CIIP programmes and will need information about dependencies among services to assess which are the most critical. Critical cloud providers should be included in exchanges of threat information and best practices on protection, and in exercises to test those measures. ENISA note a tension between increasing standardisation – which allows customers to move between platforms in case of problems – and the risk that systems implementing the same standards may also share the same vulnerabilities. Although large clouds already offer physical redundancy, the possibility of implementing logical redundancy to protect against these common failure modes should also be examined. Finally ENISA stress the importance of encouraging incident reporting, not just through legal requirements but also by rewarding organisations that do report incidents and thereby help improve industry best practice. This is a very welcome turnaround from early laws that saw incident notification as a way to name and shame, thus encouraging organisations to hide their problems.
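The two assessments the report calls for – which providers are most critical, given the chain of services that depend on them, and how much exposure a shared implementation or standard creates – can both be worked out from a service-dependency graph. The following is an added illustration, not code from ENISA or Jisc: the services, providers, sector weights and the "implements" mapping are constructed placeholders, and the scoring (sector-weighted count of transitive dependents) is one reasonable choice rather than the report’s method.

```python
# Added example: rank cloud providers by criticality from a dependency graph,
# then measure common-mode exposure when several providers share one
# implementation or standard. All names and weights below are constructed.
from collections import defaultdict, deque

# Constructed dependency map: each service lists what it directly depends on.
DEPENDS_ON = {
    "hospital-records": ["saas-health"],
    "grid-telemetry": ["paas-alpha"],
    "retail-bank-web": ["paas-alpha"],
    "saas-health": ["paas-alpha"],
    "paas-alpha": ["iaas-one"],
    "paas-beta": ["iaas-one"],
    "photo-sharing": ["paas-beta"],
    "payroll": ["iaas-two"],
    "iaas-one": [],
    "iaas-two": [],
}

# Constructed sector weights: health, energy and finance services count more.
SECTOR_WEIGHT = {
    "hospital-records": 3, "grid-telemetry": 3, "retail-bank-web": 3,
    "saas-health": 2, "payroll": 1, "photo-sharing": 1,
    "paas-alpha": 1, "paas-beta": 1, "iaas-one": 1, "iaas-two": 1,
}

# Constructed: which underlying implementation/standard each provider runs on.
IMPLEMENTS = {
    "iaas-one": "hypervisor-x", "iaas-two": "hypervisor-x",
    "paas-alpha": "stack-y", "paas-beta": "stack-y",
}


def dependents_graph(depends_on):
    """Invert the map: for each provider, the services that directly depend on it."""
    rev = defaultdict(set)
    for svc, deps in depends_on.items():
        for dep in deps:
            rev[dep].add(svc)
    return rev


def transitive_dependents(depends_on, provider):
    """Every service affected, directly or indirectly, by an outage of `provider`."""
    rev = dependents_graph(depends_on)
    seen, queue = set(), deque([provider])
    while queue:
        current = queue.popleft()
        for svc in rev.get(current, ()):
            if svc not in seen:
                seen.add(svc)
                queue.append(svc)
    return seen


def criticality(depends_on, weights):
    """Score each service by the sector-weighted number of its transitive dependents,
    highest first. IaaS/PaaS layers naturally rise to the top."""
    scores = {svc: sum(weights.get(a, 1) for a in transitive_dependents(depends_on, svc))
              for svc in depends_on}
    return dict(sorted(scores.items(), key=lambda kv: -kv[1]))


def common_mode_exposure(depends_on, weights, implements):
    """Weighted impact if every provider sharing one implementation fails together,
    i.e. the shared-vulnerability side of standardisation that ENISA flag."""
    groups = defaultdict(set)
    for provider, impl in implements.items():
        groups[impl].add(provider)
    exposure = {}
    for impl, providers in groups.items():
        affected = set(providers)
        for p in providers:
            affected |= transitive_dependents(depends_on, p)
        exposure[impl] = sum(weights.get(a, 1) for a in affected)
    return exposure


if __name__ == "__main__":
    for svc, score in criticality(DEPENDS_ON, SECTOR_WEIGHT).items():
        print(f"{svc:18} criticality={score}")
    for impl, score in common_mode_exposure(DEPENDS_ON, SECTOR_WEIGHT, IMPLEMENTS).items():
        print(f"{impl:18} common-mode exposure={score}")
```

In this constructed graph the single most critical provider is the IaaS layer that two PaaS platforms sit on, but the common-mode figure for the shared hypervisor is higher still, because it also takes down the otherwise independent second IaaS provider: physical redundancy across providers gives no protection when both fail the same way, which is exactly the case for logical redundancy that the report asks to be examined.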