Beware business cloud dangers, says EU agency

Summary: Organisations should be wary of vendor lock-in, according to the European Network and Information Security Agency

Businesses should exercise caution when procuring cloud services, according to the European agency charged with promoting IT security good practice.

The European Network and Information Security Agency (Enisa) on Friday published advice and a checklist for organisations thinking of jumping into the cloud, outlining the benefits and risks of using online service provision.

Primarily, organisations should beware of lock-in to cloud services, Enisa told ZDNet UK on Friday. "There is very little in the way of tools and standards for exporting data from one provider to another," said Enisa network security expert Giles Hogben. "That's one of the biggest risks."

Enisa risk management expert Daniele Catteddu told ZDNet UK that governance issues were also a major risk. "There are client code issues like patching, security testing, and policy enforcement," he said.

The Enisa experts also pointed to the danger of 'isolation failure', where access control or bandwidth provisioning between tenants is inadequate.

Catteddu said legal and contractual issues are another risk, including data-protection compliance. "Under data-protection law, the cloud customer is the data controller," said Catteddu. "One of the [cloud customer's] duties is to ensure that data is managed in a proper way."

Both experts recommended businesses closely study liability limitations in a contract, and negotiate contracts to reduce the chance of vendor lock-in. "It may be a market differentiator that a provider is offering to share the cost of a migration [to another vendor]," said Catteddu.

The Enisa experts also highlighted several benefits of cloud computing. For smaller businesses, cloud services run by larger organisations may offer more security, as smaller businesses may not have the resources or expertise to adequately defend their networks.

In addition, cloud services can scale to mitigate the effects of denial-of-service attacks, said Hogben.

The checklist published on Friday will evolve into an assurance framework for cloud providers within a year, said the experts. Providers will be able to use this framework to be certified in a similar way to a kitemark, or guarantee of quality, said Hogben.

Cloud services are becoming increasingly sophisticated. For example, on Thursday Google said its Chrome operating system will run applications only in its browser, and store all data in the cloud.

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

  • Yup but..

    "For example, on Thursday Google said its Chrome operating system will run applications only in its browser, and store all data in the cloud."

    True, true, but as Manek has already stated on another similar thread, if the bandwidth backbone ain't there then it could end up flat on its face.
  • Small Business?

    Why would a small business have any interest in this at all?

    The company I work for backs up all its dynamic data daily on a series of 2G USB sticks (one per day). There is then a more detailed weekly backup and a total admin monthly one.

    These are all taken off site, although they are only ever actually used in the office, and before there were memory sticks it was done with floppies and caddy-based hard drives.

    If the office were to burn down our IT recovery would take as long as it takes to buy a couple of computers and shovel the stuff back. What possible benefit would there be in using cloud storage? If we had no office, we would also have no Internet, but we could all initially work from home using that old fashioned technology, tele-phonics I believe they call it (the same system our customers use to contact us).