On 14 February 2013, ENISA announced the release of a new report titled “Critical Cloud Computing – A CIIP Perspective on Cloud Computing Services”. The report sets out new cyber-security measures for cloud providers and users to implement when protecting “CII systems” against outages, disruptions and cyber-attacks. “CII systems” are described as IT systems that are either a) critical infrastructure themselves (such as e-health platforms), or b) essential for the operation of other critical infrastructures (such as emergency call centres).
The report, which complements existing cyber-security and critical infrastructure documents published by the EU and Commission, including the Commission’s CIIP Action Plan and the EU’s new Cybersecurity Strategy, focuses on measures to protect financial, health, eGovernment and cloud service provider critical infrastructure. The report recommends:
- Designing “Smart” Risk Assessments
- That risk assessments should be prioritized, to address the most critical infrastructure issues (such as those that, if they fail, would disrupt entire network systems) over and above less interdependent and indispensable systems.
- That agencies responsible for developing national contingency plans should take into account modern society’s dependence on IT.
- That the interdependence between operators, services, and cloud computing should be mapped out — to ensure that disruptions can be quickly identified, and their impact managed.
- Increasing Security Measures
- That software and hardware technologies should be standardized, interoperable, and not dependent on the specific standards or technology of a specific provider. ENISA recommends standardization partly on the basis that data and system portability is an important part of building redundancy into systems.
- That systems should be monitored, audited, and tested. ENISA recommends that cloud providers carry out frequent audits and tests.
- Incident Reporting
- Mandatory incident reporting (including reporting about outages and security breaches) should be introduced, on the basis that such reporting effectively cross-checks the effectiveness of security measures and helps organisations to complete informed risk assessments. ENISA notes that incident reporting is especially important when organizations are trying to gauge the impact of security incidents on cloud providers.