Questions 85 and 86 — see how your service provider protects its services from denial-of-service (DoS) attacks, both distributed and economic, and whether those protections meet your requirements.
Questions 85 and 86 — DoS attacks
Table 1 lists who is responsible for answering each question.
Record your answers to these questions in either:
- the Excel version — risk assessment tool for public cloud services
- your organisation’s document for recording risk assessments.
Questions to answer
- Does the service provider use protocols and technologies that can protect against distributed denial-of-service (DDoS) attacks?
- If yes — does enabling the service provider’s DDoS protection services affect your answers to questions 15 to 17 about data sovereignty?
- Can your government organisation specify or configure resource usage limits to protect against economic denial-of-service (EDoS) attacks?
|Entity|Questions to answer|
|---|---|
|Service provider|85, 85a, 86|
Where to find the service provider’s answers
You can get the answers to the service provider’s questions from a combination of:
- direct communication with the provider
- the provider’s policies and audit reports on their website
- previous assessments by other government organisations.
If you do not have the service provider’s answers
If you need higher assurance for the information, consider a different public cloud service if:
- the provider does not give you their answers or other information you need for your risk assessment
- you cannot get acceptable third-party assurance
- there are no ways to lessen the risk of this incomplete information.
Independent assurance reports — New Zealand Information Security Manual
Context and help for questions 85 and 86
The following guidance gives you context and help for answering questions about DoS attacks.
Direct contracts — check for information you can use
Another NZ government organisation may have previously assessed the public cloud service you’re looking to use. See which organisation to contact for information by:
NZ government agreements and contracts — check for certification documents you can use
You can use certification documents to help with your risk assessment of using either:
- an all-of-government agreement
- a Marketplace contract.
To get these, contact the security team at the Department of Internal Affairs at firstname.lastname@example.org.
Why DoS attacks happen
Any service delivered over the internet has an inherent risk of DoS attacks.
A DoS attack may be launched against the service provider or government organisation.
How public cloud services are at risk of DoS attacks
For DoS attacks, public cloud services can:
- be more visible and attractive targets — multiple organisations using a single service can be seen as a worthwhile opportunity for attackers
- cause collateral damage — government organisations might experience damage from attacks on the service provider or another organisation using the service.
How public cloud services lessen the risk of DoS attacks
Using public cloud services may lessen the impact of some forms of DoS attacks. Service providers often:
- have spare network bandwidth and computing capacity
- use data centres in different locations in the world, paired with protocols and technologies, to distribute network traffic and computer processing.
Distributed denial-of-service attacks
It’s difficult to protect against traffic-based DoS attacks — called distributed denial-of-service (DDoS) attacks. This is because:
- they consume all the available resources
- effective defences against them rely on blocking the source of the attack as close to the attackers’ location as possible.
How to lessen the risk of DDoS attacks
Service providers use protocols and technologies, such as:
- application delivery networks
- content delivery networks.
Economic denial-of-service attacks
One of the benefits of public cloud services is that government organisations can pay for only what they’re using in a service. This can be turned into a disadvantage by economic denial-of-service (EDoS) attacks — also called bill shocks.
A successful EDoS attack may force a service to scale exponentially to meet the increased demand the attack is creating. This results in unusually high charges for resource use.
How to lessen the risk of EDoS attacks
You can reduce the risk of unexpected charges by setting limits in the service’s security configurations. Set the limits for resources used to be near your government organisation’s expected peak usage for a service.
The technical owner or subject matter experts of the current information system can help to properly set these configurations.
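The following is an added illustration, not part of this guidance or any provider's tooling, of how a resource usage limit can be sized from expected peak usage and what it does to charges during an EDoS-style surge. The headroom factor, unit price and usage figures are all constructed assumptions.

```python
"""Added example (constructed figures): derive a resource usage limit from
expected peak usage, then compare charges for a demand surge with and
without that limit. Not code from the guidance page or any provider."""

HEADROOM = 1.2               # assumed policy: cap at 120% of expected peak
PRICE_PER_UNIT_HOUR = 0.50   # constructed price per instance-hour


def expected_peak(history):
    """Expected peak from a history of hourly instance counts (constructed)."""
    if not history:
        raise ValueError("history must not be empty")
    return max(history)


def usage_limit(history, headroom=HEADROOM):
    """Limit near the expected peak, with modest headroom for genuine growth."""
    return int(round(expected_peak(history) * headroom))


def charge(demand, limit=None, price=PRICE_PER_UNIT_HOUR):
    """Charge for an hourly demand trace; instances above the limit are never provisioned."""
    billed = [d if limit is None else min(d, limit) for d in demand]
    return round(sum(billed) * price, 2)


def evaluate(history, demand):
    """Compare the bill-shock exposure with and without the limit.

    hours_at_limit is the availability cost of the cap: hours in which
    real or attack demand exceeded the limit and would have been refused."""
    limit = usage_limit(history)
    return {
        "limit": limit,
        "uncapped_charge": charge(demand),
        "capped_charge": charge(demand, limit),
        "hours_at_limit": sum(1 for d in demand if d >= limit),
    }


# Constructed data: a normal week peaks at 10 instances; a surge day hits 500.
NORMAL_WEEK = [2, 3, 5, 8, 10, 9, 6, 4] * 21          # 168 hourly samples
SURGE_DAY = [3, 5, 80, 300, 500, 500, 450, 120, 10, 4, 3, 2]

if __name__ == "__main__":
    print(evaluate(NORMAL_WEEK, SURGE_DAY))
```

The `hours_at_limit` figure is the trade-off the technical owner has to judge: a limit near expected peak caps the bill but also caps legitimate growth during those hours.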
Technical context of an information system