Cloud computing is luring more businesses with its promise of minimal maintenance and low costs. But are companies putting their data at risk?
A new, free report released Friday by the European Network and Information Security Agency (ENISA) outlines the benefits and potential pitfalls of cloud computing. Based on an ongoing survey, the 123-page report, "Cloud Computing: Benefits, Risks and Recommendations for Information Security" (PDF), also offers recommendations to businesses on how to minimize the risks of entrusing their data to a cloud provider.
The benefits of cloud computing as described by ENISA are clear. Business content and services are always available. Companies can reduce costs by not overspending on the capacity of their own. They can also scale up or down, depending on the services they use, and pay for those services only as needed. Internal IT is freed up by not having to implement or maintain certain hardware or software.
As more businesses hop onto the cloud, IDC expects worldwide spending on cloud services to hit $17.4 billion, revving up to $44.2 billion by 2013.
But cloud computing poses certain key risks.
"The picture we got back from the survey was clear," Giles Hogben, editor of the ENISA report, said in a statement. "The business case for cloud computing is obvious--it's computing on tap, available instantly, commitment-free and on-demand. But the number one issue holding many people back is security--how can I know if it's safe to trust the cloud provider with my data and in some cases my entire business infrastructure?"
Though cloud-service providers promise 24-by-7 availability, their data centers can go down. Security is out of the hands of the customer, who must. Customers become dependent on a single provider and may face challenges if data and services need to be migrated to a different provider. By entrusting data to the cloud, companies could face risks and challenges from regulatory audits. Further, some cloud providers may not fully and properly delete data even if a customer requests it.
In its report, ENISA outlines measures companies can take when dealing with cloud-service providers.
Companies must perform risk assessments, comparing the potential risks of storing data in the cloud with keeping files in an internal data center. Companies must also compare different cloud providers to narrow the list and then obtain service-level assurances from selected providers. Further, customers should clearly specify which services and tasks will be handled by internal IT and which by the cloud provider.
The report includes a checklist and detailed questions that customers can use when shopping for a cloud provider.
With the right provider, data can be safe and secure in the cloud. In fact, security with a cloud provider can be even more robust, flexible, and quicker to implement than when done internally. ENISA Executive Director Udo Helmbrecht noted in a statement: "The scale and flexibility of cloud computing gives the providers a security edge. For example, providers can instantly call on extra defensive resources like filtering and re-routing. They can also roll out new security patches more efficiently and keep more comprehensive evidence for diagnostics."