I don't usually like to criticise the efforts of others to provide useful (or at least informative) guidance; however, the latest paper from ENISA on Security and Resilience in Governmental Clouds has provoked me into something of a reaction. And that reaction is meh.
To expand further...
If you're not familiar with cloud computing, it's probably a good document to pick up and have a read through in order to get an idea of what the whole cloud thing is about. But there's nothing startlingly new or original in here - the decision framework is new, but I wouldn't say startling. I think some of the flows are troublesome as well, as it happens. I'm really not confident that the order of risk assessment, then choice of deployment model (or "IT Architecture" in ENISA parlance), and only then identification of threats is particularly applicable in the real world. I'd have preferred something more along the lines of identify business requirements, identify threats, identify potential solutions, narrow down the choice based on the trade-off between risk and business benefits, prepare an RfP etc... I guess I'm a little uncomfortable with attempting to put security as a blocker right at the start of the process; perhaps I'm just a bit too heretical to work in security these days.
My other problem with the paper is that it suffers from the usual naivety in terms of clumping together all IaaS, PaaS and SaaS providers into the 3 buckets and assuming that you have the same risks regardless of service provider. They fall into the same trap as most of the material in this space by practically treating IaaS, PaaS and SaaS as specifications rather than broad categories. As an example of the problem - if you look at the PaaS offerings of Microsoft Azure, Force.com, Heroku, Google's AppEngine and Terracotta and tell me that you can apply the same risk profiles to platforms offering Ruby, Apex, Java, Python and .NET and administered in a variety of ways using differing authentication and authorisation mechanisms then I'm not playing with you anymore and I'm going to tell your mum. Don't even get me started on the diversity you'll find with SaaS - how can you apply the same risk profiles to services that range from accounting through to collaboration through to authentication or whatever?
But as I say, if you're not familiar with the subject and want to get a grounding then it's not a bad document. But if you are familiar with this space, I'd say read it so that you're not left out in cloud conversation* but overall... meh.
* yes, there is such a beast as cloud conversation, unfortunately it does tend to go pretty much as summarised by Dilbert http://www.dilbert.com/strips/comic/2011-01-07/
Friday, 21 January 2011
1 comment:
Heretical is a good thing. The information security field needs more. There's little or no innovation so the free-thinkers are leading the way and blazing the trail.