
2009.11.23

ENISA Cloud Computing Risk Assessment

Hello, this is Mitsuhiko Maruyama. ENISA has published its Cloud Computing Risk Assessment...

 
■ENISA
・2009.11.20 Cloud Computing Risk Assessment

About the risks
=====
3. Risks
Policy and organizational risks
 R.1 Lock-in
 R.2 Loss of governance
 R.3 Compliance challenges
 R.4 Loss of business reputation due to co-tenant activities
 R.5 Cloud service termination or failure
 R.6 Cloud provider acquisition
 R.7 Supply chain failure
Technical risks
 R.8 Resource exhaustion (under or over provisioning)
 R.9 Isolation failure
 R.10 Cloud provider malicious insider - abuse of high privilege roles
 R.11 Management interface compromise (manipulation, availability of infrastructure)
 R.12 Intercepting data in transit
 R.13 Data leakage on up/download, intra-cloud
 R.14 Insecure or ineffective deletion of data
 R.15 Distributed denial of service (DDoS)
 R.16 Economic denial of service (EDOS)
 R.17 Loss of encryption keys
 R.18 Undertaking malicious probes or scans
 R.19 Compromise service engine
 R.20 Conflicts between customer hardening procedures and cloud environment
Legal risks
 R.21 Subpoena and e-discovery
 R.22 Risk from changes of jurisdiction
 R.23 Data protection risks
 R.24 Licensing risks
Risks not specific to the cloud
 R.25 Network breaks
 R.26 Network management (ie, network congestion / mis-connection / non-optimal use)
 R.27 Modifying network traffic
 R.28 Privilege escalation
 R.29 Social engineering attacks (ie, impersonation)
 R.30 Loss or compromise of operational logs
 R.31 Loss or compromise of security logs (manipulation of forensic investigation)
 R.32 Backups lost, stolen
 R.33 Unauthorized access to premises (including physical access to machines and other facilities)
 R.34 Theft of computer equipment
 R.35 Natural disasters
=====
