Out-Law / Your Daily Need-To-Know

Out-Law News

Cloud offers SMEs ways to 'improve their network and information security', says ENISA


SMEs can better protect business and customer information by using cloud-based services instead of operating their own data processing and storage facilities, an EU agency has said.

The European Union Agency for Network and Information Security (ENISA) said SMEs "stand to gain the most from cloud computing, because it is complicated and costly for them to set-up and run ICT in the traditional way" and that there are "opportunities" for SMEs to "improve their network and information security" by turning to cloud services. 

"Generally speaking large cloud computing providers can offer advanced security measures, while spreading the associated costs across several customers," ENISA said in new guidance it has issued. "In some cases this means that fundamental security settings might be ‘shared’ between customers and might not be customisable but it also translates to a number of specific security opportunities." 

The "geographic spread" of data storage offered by some cloud providers can allow SMEs to reduce the risk of outages caused by regional disasters and "to mitigate certain denial of service (DoS) attacks", ENISA said. The ability to expand data processing capacity to account for spikes in traffic, including during DoS attacks, is another network and information security opportunity SMEs can exploit if using cloud services, it said. 

ENISA also pointed to potential cost-savings of "physical security" that SMEs could enjoy when using the cloud. SMEs could also benefit from speedier identification and resolution of security faults when using cloud services, because many cloud providers have incident response plans in place. 

"In traditional IT deployments, an SME would have to invest a lot to have a 24/7 incident response capability," ENISA said. "Having personnel ready 24/7 is costly, but in cloud computing these security measures become affordable for customers because the costs are shared with many customers." 

SMEs stand to benefit from lower costs involved in the deployment of "secure software" and from the automated updating and 'patching' of software by cloud providers, which can help reduce SMEs' exposure to cyber attack risks, the agency said. ENISA also said that SMEs that use cloud providers which obtain certifications of compliance with network and information security standards can "fulfil their own compliance obligation" in a more streamlined fashion. 

"Certification, by independent auditors, against network and information security standards (like ISO27001 certification), could be used by customers to fulfil their own compliance obligation," ENISA said. "An auditor, when assessing compliance of an SME, would not have to check all the assets underlying the cloud services, by using existing compliance certificates for the cloud services they use." 

ENISA said that there are network and security risks inherent in using cloud services, including those stemming from "the risk of network attacks" and from "social engineering attacks". SMEs must also assess the way cloud providers authenticate administrators' access to services to ensure hackers cannot gain access to their account, and find ways to address the security risks posed by the 'bring your own device' trend that has accompanied the shift to using cloud-based services, ENISA said. 

Among the other risks it identified, ENISA said that SMEs that are 'locked-in' to using services from a single cloud provider can face threats to their network and information security. 

"Customers should have a business continuity strategy, which includes migration/exit plans for moving data and/or processes to another provider," ENISA said. "As part of this strategy, customers should consider backing up their data regularly, in a standard format, to be able to migrate when needed, and test regularly if migration works." 

In a separate report published earlier this year, ENISA said that security and privacy issues are holding back "the cloudification of governmental services" in the EU. 
