Report: How risky is cloud computing?

Cloud computing is luring more businesses with its promise of minimal maintenance and low costs. But are companies putting their data at risk?

A new, free report released Friday by the European Network and Information Security Agency (ENISA) outlines the benefits and potential pitfalls of cloud computing. Based on an ongoing survey, the 123-page report, "Cloud Computing: Benefits, Risks and Recommendations for Information Security" (PDF), also offers recommendations to businesses on how to minimize the risks of entrusing their data to a cloud provider.

The benefits of cloud computing as described by ENISA are clear. Business content and services are always available. Companies can reduce costs by not overspending on the capacity of their own data centers. They can also scale up or down, depending on the services they use, and pay for those services only as needed. Internal IT is freed up by not having to implement or maintain certain hardware or software.

As more businesses hop onto the cloud, IDC expects worldwide spending on cloud services to hit $17.4 billion, revving up to $44.2 billion by 2013.

But cloud computing poses certain key risks.

"The picture we got back from the survey was clear," Giles Hogben, editor of the ENISA report, said in a statement. "The business case for cloud computing is obvious--it's computing on tap, available instantly, commitment-free and on-demand. But the number one issue holding many people back is security--how can I know if it's safe to trust the cloud provider with my data and in some cases my entire business infrastructure?"

Though cloud-service providers promise 24-by-7 availability, their data centers can go down. Security is out of the hands of the customer, who must place trust in the service provider. Customers become dependent on a single provider and may face challenges if data and services need to be migrated to a different provider. By entrusting data to the cloud, companies could face risks and challenges from regulatory audits. Further, some cloud providers may not fully and properly delete data even if a customer requests it.

In its report, ENISA outlines measures companies can take when dealing with cloud-service providers.

Companies must perform risk assessments, comparing the potential risks of storing data in the cloud with keeping files in an internal data center. Companies must also compare different cloud providers to narrow the list and then obtain service-level assurances from selected providers. Further, customers should clearly specify which services and tasks will be handled by internal IT and which by the cloud provider.

The report includes a checklist and detailed questions that customers can use when shopping for a cloud provider.

With the right provider, data can be safe and secure in the cloud. In fact, security with a cloud provider can be even more robust, flexible, and quicker to implement than when done internally. ENISA Executive Director Udo Helmbrecht noted in a statement: "The scale and flexibility of cloud computing gives the providers a security edge. For example, providers can instantly call on extra defensive resources like filtering and re-routing. They can also roll out new security patches more efficiently and keep more comprehensive evidence for diagnostics."

[bwinski]

Cloud computing and outsourcing of corporate infrastructure... sounds like Don Rumsfeld plan for wars in the middle-east and else where that are so over-run with waste, fraud, abuse and security breaches that Blackwater (and their look-alikes) probably run most of our country's military - worldwide - now and if this kind of stupidity keeps infiltrating corporate thinkers, they'll run the rest of the corporations they don't run already.<br /><br />Cloud computing is REAL stupid idea and you'll end up paying a mighty price for it if it's implemented.

[krosafcheg]

Encrypt your data. You already trust the banks to keep accurate safe records of your money, why wouldn't you with your data?

[daves_done]

Don't take this the wrong way, but that's a foolish mindset. I keep tabs on all of my accounts (balance checkbooks on my own, check 401k contributions, etc...) and compare my monthly statements to the banks records for accuracy. Everyone SHOULD DO THIS. I can guarantee you anything that you want to hear, but that doesn't mean I am true to my word. Sure, if I don't follow through you can sue me, but what if I can't pay your awarded damages? I go to jail and you are still screwed and you lose your clients trust (and may sue you as well, and that's when the real fun starts. If you think there's too much litigation now, wait and see what happens, when black hats start stealing data just to prove a point).<br /><br /> I am in the IT dept at a medical company that provides home nursing services and DME (durable medical equipment) and management here was looking into a "cloud" solution for billing and inventory purposes. They (the cloud provider) claim all the usual regulatory compliance, but in the end we had no way of telling and auditor "yes sir/maam, our data is backed up daily. Prove it you say? uhhh... well these other guys handle it. Here's what they do. Oh, prove that? Well I uhhh..."

[sundance808]

well we use AWS and the service sucks (support-wise.. unless you cough up the extra dough for premium support), that being said as far as the infrastructure is concerned there are tools/API that allows you to backup your data as often as you want.

[josephmartins]

Losing money is one thing - yes it's painful - but losing one's irreplaceable data is another and could easily bury a business.

[gfsdfge]

Most corp networks go down far more often that a cloud would. They are also far less secure that a cloud would be. The $75 - $150 an hour network jockeys we get from the local body shops are not qualified to handle serious security. I would absolutely trust M$, Oracle, IBM, to handle security far better than at least 95% of the mid to large sized companies.

[Random_Walk]

"Most corp networks go down far more often that a cloud would."<br /><br />If my corp network goes down, it's my (network admin's) fault. I know who to throttle. In very short order, I know what happened. I can also get it back up faster.<br /><br />Compare to a cloud outage: call a customer service center halfway around the planet, hope you can understand the dialect enough to get the outage report in, and pray that they made working backups if the data got 'Sidekicked'. No idea who to yell at though, and collecting on an SLA is a whole lot harder than typing one up...

[Renegade Knight]

Ignoring the data. Our network goes down for problems and maintenance. Internet has it's own problems and then the servers in Cloudland have thier own problems. You are increasing the number of problem areas. If the network goes down. No access, If the internet link is severed. No access. If your ISP manages your "bandwidth usage" No access. If the Coud is down, No access. <br /> <br />It's like increasing the number of moving parts in a machine to make it more reliable. It doesn't (normally) work that way.

[dragonbite]

That's why I think Private Clouds are going to be the way to go. A company with multiple locations and/or external sales force can harness the Cloud for all of their employees to use the same applications, store data within the company structure and reduce the power required by the client machines (mobile sales can use Netbooks even). <br /> <br />Best of both worlds!

[daves_done]

Couldn't agree more.

[winstein]

+ 1

[Random_Walk]

Yep. Ever since I started messing with VMWare a couple of years back, I absolutely fell in love with the ability to 'cloud' servers and services internally, and it is the best of both worlds...

[cvaldes1831]

Cloud computing simply isn't ready for primetime; I'm not sure if it will ever be.<br /><br />Cost competition will probably lead cloud computing service providers to cut resources (e.g., staff). Rather than hire top-tier security experts, system/network/database admins, they will cheap out an put less expensive/less talented employees running production systems. They will not have enough staff to do it right: make regular offline backups that are thoroughly tested for data integrity, use the two-person rule on production systems, have warm spares, continue test security procedures and update for vulnerabilities, etc.<br /><br />Currently, I am witnessing Yet Another Cloud Fail. This is day six that Mint.com is unable to connect with Chase and download credit card data. This is a known problem that is not specific to my account.<br /><br />Ongoing incidents like this one and the massive Danger outage that affected SideKick users cumulatively damage the already tarnished reputation of cloud computing.<br /><br />I expect cloud computing to have more problems, and much larger and damaging ones. <br /><br />It's simply a matter of time.

[AluminumMonster]

Cloud computing is definitely the future, but we are still a long way from it being the industry standard. US internet blows, and thats already a big blow to the cloud computing concept, and then companies dont really know if there systems can handle that kind of traffic. Its gonna happen eventually, just not for atleast a decade (best case scenario)

[Renegade Knight]

Cloud computing was the past. It's what personal computers freed us from and thereby brough in more productivity. Now they are saying, Go bakc to the mainframe er...cloud where it's better again, just like before".

[H3Jonline]

@Renegade Knight. I was of the same opinion until I was reminded of a pretty big difference which is the fact that we are now mobile workers, not chained down to a desk anymore, we need access to our data from everywhere at any time, but not only us, our peers and other memebers of our organizations also need that information available everywhere and anywhere. <br />With that said, it will take time (a lot of it) for the cloud infrastucture and applications to prove themselfs trustable and reliable.

[Mergatroid Mania]

Clouds are great. I see them in the sky every day.<br /><br />Lol, however if anyone is foolish enough to base all their business data on one....well lets just say I don't want to listen to him whine when his business grinds to a halt because all or part of the "cloud" is down.<br /><br />This is like people who's business depends on their fax machine, or copier. They actually stop functioning when these devices go down. These companies (usually small businesses) should always have a spare in a closet on the premises to use for when their primary machine stops working, and until it can be repaired. <br /><br />To have all your eggs in one basket is foolish. Especially if you give the basket to someone else to take care of.

[Groucho6]

First question: Are the cloud companies going to take responsibility, in writing, for your data? If they lose it or corrupt it, will they bear the financial burden? I doubt it. Look for various weaselly disclaimers in the fine print. What about the pipes between you and the cloud? Can you rely on them being available 24/7? When your internet service goes down now, it doesn't take your entire business with it?when you're "in the cloud," it will. Clouds are sometimes pretty and sometimes ugly, but they are always ephemeral. One day the sky is covered with them; the next it's clear blue from horizon to horizon. I think "cloud computing" is a perfect analogy. Bottom line: I will cheerfully use external servers for backup, offsite replication, distribution, and so on. I will never rely on them for the day-to-day internal workings of my business, and I certainly won't rely on software stored on them, either.

[kewldude2008]

The following article may be of interest to readers... <br /> <br />http://www.fanaticmedia.com/infosecurity/archive/Oct09/Identity%20Management.htm

[Aurora_7]

To me, Groucho6, Renegade Knight and Mergatroyd Mania have it spot on. We will use the cloud for communication and collaboration - and as dragonbite says, private clouds could be a way forward too. But there is no way we will send key data to the cloud - not as it currently stands. Nor will we rely on it for everyday apps (sorry about that, Google Chrome OS, but guess you weren't aiming at us anyway! )

[cube3]

anyone want to invest in PUSH technology? <br />if so , please send a check.

[john_mjhm]

Lost in the hype about "cloud computing" is that it isn't really a technology, and it's too poorly defined to label it good or bad. Also lost in the hype is that the real technology that is enabling cloud computing innovation is really fast/reliable/available internet access. As the internet access becomes ubiquitous we will all take it for granted along with all the enabled technologies. Indeed it's all ready happening. For example nearly everyone using the internet -- google, facebook, ebay, amazon -- is already using cloud computing without knowing or even caring.<br /><br />It's clearly a tough sell to convince businesses to port existing applications and data to public cloud servers. However the advantages of cloud/internet based architectures are increasingly overwhelming for new applications and their associated data. So most users should never need to make an explicit decision to switch to cloud computing. Rather the switch will just be folded into familiar business decisions for newer/better technology. It will be the responsibility of the new application developers to adequately resolve the security/privacy/legal/reliability concerns. These concerns are already adequately addressed for some users and applications, and it's really just a matter of time before they are addressed for most.

[tech_crazy]

And that is exactly why it is a pain (at the minimum) when the server and/or link goes down. The best way is to always have a local copy that periodically sync with the server aka cloud.

[DTolo]

We have Voip at work. We are a retail store. When the "internet" goes down, the phones go with it. That stops any transactions occurring over the phone. With "Cloud" computing, when the internet goes down we would lose the phones, our POS software, we wouldn't be able to open the tills, look up prices, check inventory and so on.<br /><br />Basically, not a good outcome.<br /><br />Imagine: Christmas Eve, supermarket, internet goes down. Not pretty.

[crmtimmii]

Awalys have a plan b...its just most of the time changes are implemented without an alternative in place...nothing wrong with VOIP, Cloud computing...its just how you use it.

[rlebherz]

Everyone is quick to judge and speak to why clouds wont work. You speak of and point to issues that exist today. First, have you looked around the industry to see what companies like OpSource and others are doing to innovate Security? yes, large public cloud vendors do hjave some issues, but much of what they do will work for their uses. When you start looking at enterprise requirements, the game changes, but dont think it can never be done. And the same challenges that exist internally are the same challenges faced by clouds. Honestly, if people have concerns many times its because they feel they and their team can do it better. I think the real issues is that internal depts dont want to relinquish control in fear that they will become less critical to an organization and fall back on the its not safe argument. Honestly, is anything "truly" safe? And the C-levels who should be driving this turn to their teams for advice and hear it wont work. But from a business stand point, the cost savings is there, the SLAs and uptime factors are in place, and additional security and approaches are coming everyday. <br /><br />Check out www.opsource.net and www.opsourcecloud.net for the benefits of public clouds with the security performance and control of public clouds<br /><br />RLE01 will get you 20% off to try