The ENISA report released on 14 February examined cloud computing from a Critical Information Infrastructure Protection (CIIP) perspective, and identified cloud computing as a critical issue given the concentration of users and data and its growing use in critical sectors, such as finance, health and insurance. The report also provides nine recommendations for bodies responsible for critical information infrastructures. Among them: include large cloud services in national risk assessments, track cloud dependencies, and work with providers on incident reporting schemes. This report comes a week after the EU launched its Cybersecurity Directive.
My thoughts on two of the key findings:
"Cloud services are themselves becoming a critical information infrastructure". That quote, given some of the recent cloud service failures, is recognition that infrastructure as a service (IaaS) goes beyond basic foundations and drives into the operational heart of many mainstream businesses which the public rely on, such as financial services and utilities. Cloud as a business model choice allows firms to focus on the core competencies of their IT infrastructures, which are not necessarily the volume activities of the business. However, data exploitation has a tendency to occur in the high volume transactional operations.
"Physical redundancy does not safeguard against certain cyber attacks, such as data breaches exploiting software flaws" is also telling, in that many firms are not aware of their possible exposure to breaches, as the weakest link may be the software, not the hardware or the network.
Firms are building out cloud services with external partners for both economic and resource-oriented reasons. To focus on providing a good service, risk assessment and building in resilience and security become even more important when a value chain is created for mission-critical service provisioning.
Is it worth me saying "it's about the infrastructure, stupid"?