ENISA’s Cloud Computing Risk Summary

September 15th, 2010

ENISA’s report on cloud security identified a number of areas where risk elements were found: the report acknowledges 8 high-risk items and 29 medium-risk items across the areas of policy and organizational risks, technical risks, legal risks, and risks not specific to the cloud. The elements labeled as *key risks* are summarised below:

(1) Loss Of Governance: In using cloud infrastructure, the client necessarily cedes control to the cloud provider on a number of issues which may affect security. At the same time, the service level agreement may not offer a commitment on the part of the cloud provider to provide such services, thus leaving a gap in the security defenses. Lack of governance is the key issue here.

Vulnerabilities:

  • V34: Unclear roles and responsibilities
  • V35: Poor enforcement of role definitions
  • V21: Synchronizing responsibilities or contractual obligations to different stakeholders
  • V23: SLA clauses with conflicting promises to different stakeholders
  • V25: Audit or certification not available to consumers
  • V18: Lack of standard technologies and solutions
  • V22: Cross-cloud applications creating hidden dependency
  • V29: Storage of data in multiple jurisdictions and lack of transparency about this
  • V14: No source escrow agreement
  • V16: No control on vulnerability assessment process
  • V26: Certification schemes not adapted to cloud infrastructures
  • V30: Lack of information on jurisdictions
  • V31: Lack of completeness and transparency in terms of use
  • V44: Unclear asset ownership

Affected Assets:

  • A1: Company reputation
  • A2: Customer trust
  • A3: Employee loyalty and experience
  • A5: Personal sensitive data
  • A6: Personal Data
  • A7: Personal Data: Critical
  • A9: Service delivery- real time services
  • A10: Service delivery

(2) Lock In Situation: Lock-in has also been considered. There is currently little on offer in the way of tools, procedures, standard data formats or service interfaces that could guarantee data, application and service portability.
This can make it difficult for customers to migrate from one provider to another, or to migrate data and services back to an in-house IT environment. It introduces a dependency on a particular cloud provider for service provision, especially if data portability, the most fundamental aspect, is not enabled.

(3) Isolation Failure: Multi-tenancy and shared resources are defining characteristics of cloud computing, so cloud workloads mostly run in a multi-tenant environment. This risk category covers the failure of the mechanisms that separate storage, memory, routing and reputation between different tenants. It should be considered, however, that attacks on resource isolation mechanisms are still rare and much more difficult for attackers to put into practice than attacks on a traditional operating system.

(4) Compliance Risks: Compliance is one of the key areas. Investment in achieving certification may be put at risk by migrating to the cloud if the cloud provider cannot provide evidence of its own compliance with the relevant requirements, or does not permit audits by the cloud customer. In certain cases, using a public cloud infrastructure implies that certain kinds of compliance cannot be achieved at all (for example PCI).

Vulnerabilities:

  • V25: Audit or certification not available to consumers
  • V13: Lack of standard technologies and solutions
  • V29: Storage of data in multiple jurisdictions and lack of transparency about this
  • V26: Certification schemes not adapted to cloud infrastructures
  • V30: Lack of information on jurisdictions
  • V31: Lack of completeness and transparency in terms of use

Affected Assets:

  • A20: Certification

(5) Management Interface Compromise: Management interface compromise (MIC) may also be an issue. The customer management interfaces of a public cloud provider mediate access to a large set of resources and applications, and therefore pose an increased risk, especially when combined with remote access and web browser vulnerabilities.

(6 & 7) Data Protection & Insecure or Incomplete Data Deletion: Cloud computing poses several data protection risks for cloud providers and customers. In some cases it may be difficult for the cloud customer to obtain the correct level of data protection at all; for example, if you leave a cloud provider, it must be guaranteed that your data is completely deleted. When a request to delete cloud resources is made, as with most operating systems, this may not result in the data actually being wiped. Adequate or timely data deletion may be impossible, for instance because extra copies of the data are kept for restore purposes but are not available to be wiped.

Vulnerabilities:

  • V30: Lack of information on jurisdictions
  • V29: Storage of data in multiple jurisdictions and lack of transparency about this

Affected Assets:

  • A1: Company reputation
  • A2: Customer trust
  • A5: Personal sensitive data
  • A6: Personal Data
  • A7: Personal Data: Critical
  • A9: Service delivery- real time services
  • A10: Service delivery

(8) Malicious Insider: The last of the eight high-risk items is the malicious insider. While usually less likely, the damage that may be caused by a malicious insider is often far greater. Cloud architectures necessitate certain roles that are extremely high-risk; examples include cloud provider system administrators and managed security service providers.

Reposted from Sectruni0

8 Responses

  1. Croatia says:

    I really loved reading your blog. It was very well authored and easy to understand. Unlike additional blogs I have read which are really not that good. I also found your entries very interesting. In fact after reading, I had to go show it to my friend and he enjoyed it as well!

  2. Superb blog post, I have book marked this internet site so ideally I’ll see much more on this subject in the foreseeable future!

  3. dever says:

    Wow! What an idea! Gorgeous .. Brilliant

  4. Wow,Fantastic article,it’s so helpful to me,and your blog is very good,I’ve learned a lot from your blog here,Keep on going,my friend,I will keep an eye on it,One more thing,thanks for your post!welcome to”惠美思.

  5. seks says:

    Rattling excellent info can be found on website.

  6. beijing265 says:

    thank you very much, very well written article, found it through a random yahoo search and i shared it on my twitter!

  7. Longsworth says:

    I admit, I have not been on this webpage in a long time… however it was another joy to see It is such an important topic and ignored by so many, even professionals. I thank you to help making people more aware of possible issues.

  8. I discovered your blog web site on google and verify a number of of your early posts. Proceed to keep up the very good operate. I just additional up your RSS feed to my MSN Information Reader. Seeking forward to reading extra from you in a while!…
