This report looks at cloud computing from a Critical Information Infrastructure Protection (CIIP) perspective and looks at a number of scenarios and threats relevant from a CIIP perspective, based on a survey of public sources on uptake of cloud computing and large cyber attacks and disruptions of cloud computing services.
The key messages of the Report are:
- Critical infrastructure: The vast majority of organizations soon will use cloud computing, notably in critical sectors like finance, energy and transport. Cloud services are themselves becoming a critical information infrastructure.
- Natural disasters and DDoS attacks: A benefit of cloud computing is resilience in the face of natural disasters and Distributed Denial of Service (DDoS) attacks, which are difficult to mitigate using traditional approaches (servers on site, or single data center).
- Cyber attacks: Cyber attacks exploiting software flaws can cause large data breaches, affecting millions of users, because of the large concentration of users and data. Physical redundancy does not safeguard against certain cyber attacks, such as data breaches exploiting software flaws.
The report also provides nine recommendations for bodies responsible for critical information infrastructures. Key points: include large cloud services in national risk assessments, track cloud dependencies, and work with Cloud service providers on incident reporting schemes.