# ENISA Cloud Computing: Benefits, risks and recommendations for information security

# Acronyms, Abbreviations, and Initialisms

| Short Form | Full Form |
| --- | --- |
| DDoS | Distributed Denial-of-Service |
| EDoS | Economic Denial-of-Service |
| ENISA | European Union Agency for Network and Information Security |

# Overview

Cloud Computing: Benefits, risks, and recommendations for information security is a paper published by the European Union Agency for Network and Information Security (ENISA) that identifies and categorizes 35 security risks related to cloud computing. From these risks, it further identifies the top eight security risks based on likelihood and impact. The paper allows an informed assessment of the security risks and benefits of using cloud computing, and in doing so provides security guidance for potential and existing users of cloud computing.

# Risks

  • R.1 Lock-in
  • R.2 Loss of governance
  • R.3 Compliance challenges
  • R.4 Loss of business reputation due to co-tenant activities
  • R.5 Cloud service termination or failure
  • R.6 Cloud provider acquisition
  • R.7 Supply chain failure
  • R.8 Resource exhaustion (under or over provisioning)
  • R.9 Isolation failure
  • R.10 Cloud provider malicious insider - abuse of high privilege roles
  • R.11 Management interface compromise (manipulation, availability of infrastructure)
  • R.12 Intercepting data in transit
  • R.13 Data leakage on up/download, intra-cloud
  • R.14 Insecure or ineffective deletion of data
  • R.15 Distributed denial-of-service (DDoS)
  • R.16 Economic denial-of-service (EDoS)
  • R.17 Loss of encryption keys
  • R.18 Undertaking malicious probes or scans
  • R.19 Compromise service engine
  • R.20 Conflicts between customer hardening procedures and cloud environment
  • R.21 Subpoena and e-discovery
  • R.22 Risk from changes of jurisdiction
  • R.23 Data protection risks
  • R.24 Licensing risk
  • R.25 Network breaks
  • R.26 Network management (i.e., network congestion/misconnection/non-optimal use)
  • R.27 Modifying network traffic
  • R.28 Privilege escalation
  • R.29 Social engineering attacks (i.e., impersonation)
  • R.30 Loss or compromise of operational logs
  • R.31 Loss or compromise of security logs (manipulation of forensic investigation)
  • R.32 Backups lost, stolen
  • R.33 Unauthorized access to premises (including physical access to machines and other facilities)
  • R.34 Theft of computer equipment
  • R.35 Natural disasters

# Noteworthy

  • The Cloud Computing framework contains 35 types of risks.
  • The Cloud Computing framework identifies the top eight security risks based on likelihood and impact.

# Sources