The European Network and Information Security Agency (ENISA) has issued one of the most comprehensive reports on the security risks and benefits of cloud computing. The report takes an impartial look at the cloud phenomena, and it starts out with the obvious—that is, cloud computing’s benefits of ease of access, scalability, instant provisioning and monetary savings are undisputable, but the biggest issue holding people back is the security concern.

In many cases, the concern over security is one of perception. We tend to think that things are more secure if we can put our hands on it. But the ENISA paper gets into more specific detail about precisely what the top security risks are:

1. Loss of governance. The biggest and most common concern, ceding control to a cloud provider may create a vulnerability if security isn’t specifically addressed in the service level agreement.
2. Lock-in. A lack of standardization and portability means that it may be difficult to switch cloud providers, or bring service back in-house.
3. Isolation failure. Because it is based on multi-tenancy, the cloud may be vulnerable to guest-hopping attacks or attacks on the cloud’s isolation mechanisms.
4. Compliance risks. The cloud provider may not be able to provide evidence of compliance with regulations to which the customer must comply.
5. Management interface compromise. There may be an increased risk of exposure through the customer management interface.
6. Data protection. The customer may not be able to verify the provider’s data handling processes.
7. Insecure or incomplete data deletion. What happens when you request that your resources be deleted? A true “wipe” of data may not take place, and reuse of resources may pose some risk of deleted information being detected later by another party.
8. Malicious insider. Insider attacks are always a risk, whether on-premise or in a cloud provider.

But it’s not all downside, either, and the report lists several security benefits as well. Most importantly, there’s the obvious differential that exists between what a small business knows it should do, and what it has actually gotten around to doing when it comes to on-premises security. Smaller businesses in particular which may lack in-house expertise and may be short on time or funds often don’t have the best security, and it is often out of date. In such a case, the cloud may present a big security advantage, since the cloud provider is more likely to have security expertise and the staff to implement it. In the case of the cloud provider, it’s a matter of scale. A top of the line security investment at the cloud center is paid for ultimately by distributing the cost between hundreds of customers, which makes it possible to get better protection for all parties.