Archive for November, 2009

Cloud Computing Security & Risks

Sunday, November 29th, 2009

The interesting thing about cloud computing is that we”ve redefined cloud computing to include everything that we already do. I can”t think of anything that isn”t cloud computing with all of these announcements. The computer industry is the only industry that is more fashion-driven than women”s fashion. Maybe I”m an idiot, but I have no idea what anyone is talking about. What is it? It”s complete gibberish. It”s insane. When is this idiocy going to stop?

Although Larry Allison ridiculed Cloud Computing by saying the above things, many executives and IT analysts don”t agree with Larry Allison on cloud computing.

According to many analysts in information technologies area, security and cloud computing are hot topics for most of the enterprises. Firms need data storage, processing software, infrastructure and framework on-demand and without heavy investments on hardware/software. Every organization wants to get more benefits from this new way of delivering computing resources. Many firms, mainly small and medium enterprises(SME), are considering migration to cloud computing services.

ENISA (European Network and Information Security Agency) has launched a survey of the actual needs, requirements and expectations of SME for cloud computing services. The following is one of the raw data from survey showing reasons behind possible engagement in cloud computing area:

survey_1

As seen, “Avoiding capital expenditures in hardware, software”, “Flexibility and Scalability of IT resources” and “Business continuity and Disaster Recovery” are the main points that firms (SME) want possible engagement in Cloud computing area. These are the reasons driving firms to Cloud computing. On the other hand, the things are not so easy and smooth. There are some important concerns in SME”s approach to cloud computing (preventing them to use cloud computing services):

survey_2

Most important concerns in SME”a approach to cloud computing are security and privacy of the data. It is almost impossible to expect SMEs to use cloud computing services without providing secure cloud computing services to SMEs.

Last week, ENISA (European Network and Information Security Agency) released a report which allows an informed assessment of the security risks and benefits of using cloud computing – providing security guidance for potential and existing users of cloud computing. This report can be used as a starting point from both security risks and benefits perspective. ENISA”s “Cloud Computing and Security Risk Assessment Report” categorized risks as “Policy and Organizational Risks”, “Technical Risks” and “Legal Risks”. According to risk assessment, “Lock-in” and “Loss of Governance” are the most important risks.

Policy and organizational risks

  • Lock-in
  • Loss of governance
  • Compliance challenges
  • Loss of business reputation due to co-tenant activities
  • Cloud service termination or failure
  • Cloud provider acquisition
  • Supply chain failure

Last April, some of the cloud providers had released a manifesto named “Open Cloud Manifesto“. (my blog entry about it : “Open Could Manifesto”) Defining some important aspects of the “cloud” like portability & easy migration to other cloud providers and openness of the cloud were the goal of the manifesto. Now, ENISA”s (European Network and Information Security Agency) “Cloud Computing Security Risk Assessment” report is emphasizing same portability problem by putting “Lock-in” first in the list of policy and organizational risks.

Anyone who wants to get more information on cloud computing or any enterprise that thinks of implementing/using cloud computing should read this report as a starting point. That is really detailed in accordance with SME”s concerns and needs.

Using ENISA”s own title from its press release, we can say “ENISA clears the fog on cloud computing security”….

Have a nice and happy week,
Erhan