Cloud computing offers a number of benefits to the Federal government, but a new report warns that government policy must evolve to address the unique risk profile of cloud computing and prevent a potential cloud outage or compromise.
A report published today by the Digital Forensic Research Lab (DFRLab) at the Atlantic Council zeroes in on a high-risk area for cloud risk management: critical infrastructure (CI) sectors. Specifically, it focuses on two risks associated with cloud computing at a national level: compounded dependence, and delegated control and visibility.
Compounded dependence describes how widespread cloud adoption causes organizations “to depend upon a few shared linchpin technology systems,” where the failure of one node could lead to a collapse of the entire system.
Delegated control and visibility describe how organizations that adopt cloud services “cede control of and lose visibility into the operations and failure modes of these technology systems,” which poses challenges to policymakers who are looking to understand cloud risks.
“This report aims to raise awareness of the risks that a potential cloud compromise or outage poses to CI and, in so doing, to make the case that these risks necessitate the maturation of current policy tools, and creation of others, to address these risks,” the report says.
“It does not seek to vilify cloud adoption by CI sectors or preach a return to on-premises data processing. Instead, it suggests that CI sector regulators must consider cloud security and resilience a key question within their remit,” it adds.
The report offers recommendations for policymakers looking to better understand the risks associated with widespread cloud adoption.
The key recommendation – which the report says is one of the fastest ways to improve cloud visibility within CI sectors – is to leverage the existing framework for critical-sector risk management and establish “Cloud Management Offices” (CMOs) within Sector Risk Management Agencies (SRMAs).
These offices can assess cloud risks, establish policies, and offer a fresh point of focus for new budget and hiring authorities.
The report also calls on the Cybersecurity and Infrastructure Security Agency (CISA) to play a facilitating role to assist the CMOs, serving as the “quarterback” for Federal cyber risk management.
Although CISA is an example of an SRMA, the report says it can offer resources such as reports or frameworks to assist CMOs in surveying cloud usage.
“As more entities adopt the cloud, and as more of the core infrastructure of systems like the internet come to rely on it, this dependence and the systemic nature of its attendant risks will only compound,” the report says. “Risk management must have visibility. The thrust, therefore, of this report’s recommendations is towards increased fact-finding and awareness as a key first step for policy.”
