Critical services in the cloud: Understanding security and resilience risks

The promise of low costs, adaptation to customer load, and fast service roll-out has made cloud infrastructures a primary choice for many service providers. So far, this has been largely for end-user and enterprise services. Recently, the cloud paradigm is being considered by service providers of critical infrastructures. A prominent example of this is ETSI´s Industry Specification Group (ISG) on Network Function Virtualization, which provides guidelines on how to move telecommunications services to the cloud. But other critical infrastructure providers are following closely. Common characteristics of critical infrastructure services, such as network functions, are their high requirements for service dependability and security. In this paper, we present a risk assessment method for assessing the risks of moving critical infrastructure services to the cloud. To achieve this, we have extended a well-established information security risk assessment process and developed an extensive cloud-specific fault and challenge catalogue.