Security still an issue for cloud computing, says report
But ENISA argues that when done properly, security can be better in the cloud
Cloud computing is a growing market
The hosting of IT services online, known as cloud computing, is both a friend and a foe for chief security officers, according to a new report from EU IT security body ENISA.
While significant resources and data present a more attractive target to attackers, cloud-based defences can be more robust, scalable and cost-effective.
Giles Hogben, an ENISA expert and editor of the report, said the business case for cloud computing is clear but boards want reassurance on security.
"The number one issue holding many people back is security," he said. "How can I know if it’s safe to trust the cloud provider with my data and in some cases my entire business infrastructure?"
The report provides a detailed check-list of criteria allowing potential customers to identify whether a cloud provider is security conscious.
Businesses should check contracts for legal responsibility in the case of data loss.
They should pay particular attention to their rights and obligations related to notifications of breaches in security, data transfers, creation of derivative works, change of control, and access to data by law enforcement entities.
They should also check that cloud-deployed applications are able to combat threats from the internet.
They should check that models are designed with standard security countermeasures in mind to guard against common web vulnerabilities and ensure an effective patch strategy is in place.
In addition, they should not be tempted to use custom implementations of authentication, authorisation and accounting (AAA) as these can become weak if not properly implemented.
But if all these criteria are fulfilled, cloud computing can be a security enabler, according to Udo Helmbrecht, executive director of ENISA.
"The scale and flexibility of cloud computing gives the providers a security edge," he said.
"For example, providers can instantly call on extra defensive resources like filtering and re-routing. They can also roll out new security patches more efficiently and keep more comprehensive evidence for diagnostics."
IDC forecasts a growth of European cloud services from €971m in 2008 to €6,005m in 2013.
But this potential will only be fulfilled if security concerns can be satisfied, the report says.