The the European Network and Information Security Agency (ENISA) posted in November 2009 a very thorough assessment of cloud security. Here are their “most important classes of cloud-specific risks”:
- Loss of Governance
- Lock-in
- Isolation Failure
- Compliance Risks
- Management Interface Compromise
- Data Protection
- Insecure or Incomplete Data Deletion
- Malicious Insider
They end the list with a disclaimer:
NB: the risks listed above do not follow a specific order of criticality; they are just ten of the most important cloud computing specific risks identified during the assessment.
I counted the list, then I counted it again, and one more time just to be certain. Unless I am missing something I only see eight, not ten. Data Protection also seems to overlap with Insecure or Incomplete Data Deletion, which could bring the list to seven.
Those details aside, it also occurs to me that these are not cloud-specific risks. We discuss them outside of the cloud all the time, and I mean all the time. Some could be said to be more service-provider oriented than in-house, but items like insider threat definitely can not be termed specific to the cloud. Insiders are, well, inside everything.
The full document actually gives thirty-five risks (R.1 to R.35), which it distributes on a map by severity and likelihood. This is a typical assessment practice and very useful. However, it does not seem to correspond well with the executive summary and list of eight (seven) mentioned above. How were risks in box five excluded from the top list, for example?
In conclusion I find this an excellent reference document. It is interesting to see an assessment performed of a concept rather than an actual service. That gives me the feeling that it is more of a template for assessments, not a report on risks found in an operating environment. Perhaps those on the team (e.g. Google, Microsoft) were hesitant to publish a more tangible level of tests.
The assumptions that had to be made, due to this approach, could be the reason their final analysis appears to stays extremely high-level. It does not look different from assessments of non-cloud environments, but it gives eight critical risks (2, 3, 9, 10, 11, 14, 22 and 26) to consider when talking to a cloud provider. I am left asking myself when remediation will begin…for the concept of cloud.