As governments, companies and individuals increasingly use and rely on network and information systems, the frequency of security breaches is increasing and also the impact of such incidents. This has put cyber security at the top of the agenda in many EU countries.

"This list means more transparency and less confusion for the cloud computing market", according to European Commission Vice-President Neelie Kroes.


Recent developments (September 2014)

A list of security certification schemes for cloud computing is providing welcome reassurance for potential cloud computing customers.

The list has been put together by the European Union Network and Information Security Agency (ENISA) in support of the implementation of the European Cloud Computing Strategy.

Over the coming months the Commission and ENISA will work with the Cloud Select Industry Group (C-SIG) on certification – a group set up to help the Commission implement the Strategy – to further develop the list, for example by adding additional certification schemes.

A more detailed comparison of listed security certification schemes’ features, incorporating common public sector security requirements, is due in the second half of 2014 and will further improve transparency for potential cloud computing customers.

But cloud computing should not be seen primarily as a security risk – it also presents opportunities to reduce these risks. In the past, customers would mostly run their applications on local servers, on their own premises. In such a setting the burden of securing systems, patching, updating, hardening, falls on the user himself, whereas in cloud computing IT is outsourced and consumed online, as a pay-as-you-go service and users can often rely on the service provider's expertise for securing large parts of their systems.


Advanced and sophisticated attacks with high-profile targets often make the media headlines. Famous examples include:

  • 2009 – Operation Aurora was a complex attack on Google, Adobe, Juniper, Rackspace and Yahoo aimed at modifying the source code (the crown jewels); the attack shocked the industry.
  • 2010 – Stuxnet1 – a sophisticated virus, spread via USB, that targeted Siemens programmable logic controllers (PLCs) used in Iranian nuclear fuel enrichment plants.
  • 2011 – Millions of euros were stolen from the EU’s carbon emissions trading accounts via simple spear-phishing for passwords in 2010. Just a year later, after additional log-in security had been added, the site was hacked again, with a further 30 million euros being stolen.
  • 2013 –Adobe was forced to warn almost 3 million customers that their credit card details had been stolen. Around 40 gigabytes of source code were also stolen.
  • highly automated – automatic victim search, fast attacks;
  • smart – circumventing banking sites’ two-factor authentication schemes;
  • targeted – but in an automated way; only business accounts with high balances were targeted, in an attempt to stay beneath antivirus companies’ radars.
  • 2011 – A group of hackers calling themselves LulzSec carried out a ‘hack-a-day’ for 50 days, demonstrating that even government organisation sites were easy to hack into. Hacks often started with SQL injection.
  • 2011 – In the Netherlands, after a series of government sites were breached, journalists renamed October ‘Hacktober’, reporting on a new security breach every day of the month.
  • 2012 – Millions of weakly hashed Linkedin passwords were found on auction sites.
  • 2013 - Adobe was forced to warn almost 3 million customers that their credit card details had been stolen. Around 40 gigabytes of source code were also stolen.

Note that in these examples we mention specific companies and products, but this is not to suggest that these companies have weak security practices or that other companies have not had security breaches.

Exploiting weaknesses

Most cyber attacks are quite mundane and do not make the media headlines. They are carried out with off-the-shelf tools, targeting normal citizens and small and medium sized enterprises. PCs are fairly easy to infect (even with up-to-date antivirus software), making them an easy entry point for largescale online bank robberies. High Roller2 (2012) showed how far fraudsters have come when they were able to steal roughly 60 million euros out of bank accounts. These coordinated attacks were:

Following the High Roller case, the European Union Agency for Network and Information Security (ENISA) issued a blunt recommendation, which was echoed widely: “banks: assume user PCs are infected”.

In addition to problems with securing end-users’ PCs, the connection between a PC and a website can also be attacked: The implementation of HTTPS is quite vulnerable to attack, and the safety net (warnings, revocation, et cetera) is not adequate. This provides opportunities for ‘man-in-the-middle’ (MitM) attacks like in the Diginotar case3. The impact on Iranian citizens is not known, but it is feared that private conversation of Iranians were wiretapped. Mikko Hyponen of F-Secure, for example, argued that people probably died as a consequence of the attack.

Also many websites are vulnerable to attack. Tactics include SQL injection (malicious structured query language statements are injected, for example giving instructions to transfer data to the attacker) and XSS (client-side scripts are manipulated so that a web site functions in a different way). Infamous examples of breaches of websites include:

A lot of work remains to be done: we are learning that it is hard to implement network and information systems securely. On a more positive note, there are new ICT products and developments which offer important opportunities for improving security. Smartphone and tablets, for example, have a special way of delivering software to end-user devices: appstores. In the smartphone/appstore model apps are first reviewed and checked before users can install them. This could prove an important security benefit. Social media reputation systems (if implemented securely) can be used to establish better trust between users on the internet.

Security opportunities in cloud computing

Also cloud computing presents opportunities to reduce security risks. In the past, customers would mostly run their applications on local servers, on their own premises. In such a setting the burden of securing systems, patching, updating, hardening, falls on the customer. But in cloud computing IT is outsourced and consumed online, as a pay-as-you-go service. While this does introduce security risks, the cloud also presents security opportunities, as highlighted in ENISA’s 2009 cloud computing risk assessment4.

Generally speaking, cloud providers can implement high-end security, while spreading the costs across multiple customers, making them more affordable. Measures include: geographical spread datacentres; spare resources for rapid scaling and usage peaks; continuous monitoring and 24/7 incident reponse teams; and secure software development processes. Japan, for example, promotes cloud computing as a way to bolster resilience to major natural disasters.

Of course, that does not mean that cloud computing is without risk. ENISA’s past cloud papers5 provide guidance on how to procure cloud services securely. For SMEs, for example, the main risks arise during outsourcing due to a lack of governance and control. When outsourcing, it becomes more important to have clear agreements, inter alia on security and liability.

ENISA’s cloud computing work

To increase the adoption of cloud computing in Europe, the Europan Commission issued a cloud strategy6 in 2012. Recognising that security is a key concern for cloud customers, ENISA works closely with the Commission to support this strategy. This year the agency will publish white papers7 on securing governmental clouds and incident reporting for cloud services.

ENISA is also working with the Commission and industry to support the use of voluntary certification schemes for security. Cloud services are also gaining relevance from a CIIP perspective8 (Critical Information Infrastructure Protection). The adoption of cloud computing effectively moves multiple IT resources to a (smaller) number of platforms and datacentres (see diagram). Security might be less expensive this way, but if attacked, the impact could be high. The incident with Tieto, a Swedish ICT provider, is a good example – following a security incident in 2011, pharmacies across Finland could not operate for weeks. The proposed EU directive on network and information security9 mentions large cloud providers as potentially critical for the digital society.

Always when there are new IT products and developments, it is tempting for information security professionals to focus on the new risks. But it is important not to forget the security risks of existing technology. This is not the time to stay put. ENISA will continue to work with industry and government experts to help customers leverage the security opportunities of cloud computing, and at the same time mitigate the risks.


Marnix Dekker, Security Expert and Information Security Officer, the European Union Network and Information Security Agency (ENISA).

Marnix works in the Secure Services and Critical Infrastructures unit. He focuses on cloud security, smartphone security, and telecom security.


(Article from net-cloud future magazine (2013) - for complete magazine click here)