EU security agency to launch tool to evaluate cloud security

14 Sep 2010

The single biggest question organisations should have about cloud computing is deciding which provider to trust with their information, a European IT security expert has said.

Giles Hogben, network security policy expert with the European Network and Information Security Agency (ENISA), presented at last week’s Cloud Computing Summit in Croke Park and said the agency’s remit is to help governments and businesses gain the cost benefits of the cloud while making them aware of the risks.

ENISA is working on a common assurance maturity model (CAMM) which will act as a framework to benchmark a cloud provider’s security capability. Hogben said the CAMM framework would provide businesses with an objective way of comparing various cloud services and deciding which provider to trust with important data. “You may not have the information you need to know about the controls the cloud provider is applying,” he said.

Why cloud is the best thing to happen to security

Irish security consultant and ENISA member Brian Honan is chief operations officer of the team drafting CAMM, which is due to be completed by the end of the year. Speaking to Silicon Republic later, Honan said he believed the cloud is the best thing to happen to security for years because it has now become a board-level issue that senior managers are asking about.

In his presentation, Hogben said many unanswered questions remain about cloud providers’ security precautions. Some don’t allow penetration testing, which would let an organisation check for weaknesses that could be exploited. If an incident were to occur, firms might not be able to access the logs afterwards, and the opportunities for forensic analysis of a cloud-based system may be limited.

Hogben also exposed another commonly held myth about the cloud: that encrypting data solves many security issues. “In theoretical and practical terms, processing encrypted data is not possible. You can transfer it and store it, but you can’t do anything with it unless it’s decrypted. If you’re doing anything with your data in the cloud, you have to trust the cloud provider,” he said.

He added that he wouldn’t recommend storing sensitive intellectual property in the cloud, while healthcare-related information is also a touchy area. Hogben also recommended that government departments looking to share data with one another should consider a private cloud where the information would not be visible to third parties.

Security concerns should not stand in the way of moving to the cloud, provided organisations take the time to inform themselves properly, he said. “My message is, the cloud can bring enormous benefits with security as long as you do the right due diligence and risk assessment before you make your decision.”

Gordon Smith was a contributor to Silicon Republic