Thursday, June 24, 2021
There’s clearly an urgent need to significantly improve the security and resilience of IT systems and applications in light of the growing threat of cyberattacks...

...which FBI director Christopher Wray recently compared to addressing the challenge of global terrorism following the 9/11 attack. Earlier this week, the NY Times published this front page article - Once, Superpower Summits Were About Nukes. Now, It’s Cyberweapons, that said: “The rising tempo and sophistication of recent attacks on American infrastructure - from gasoline pipelines running up the East Coast, to plants providing a quarter of America’s beef, to the operations of hospitals and the internet itself - has revealed a set of vulnerabilities no president can ignore.” On May 12, President Biden issued an Executive Order to Improve the Nation’s Cybersecurity, a welcome and very important step.

Cloud-based technologies and Cloud Service Providers (CSPs) can play a major role in improving the nation’s cybersecurity. Over the years, CSPs have invested billions in cloud security, hired thousands of top cyber experts, and developed an array of new tools and methods. CIOs generally agree that the security on cloud platforms is superior to that of in-house data centers, a major reason why the top IDC prediction for the post-pandemic new normal was that “By the end of 2021, based on lessons learned, 80% of enterprises will put a mechanism in place to shift to cloud-centric infrastructure and applications twice as fast as before the pandemic.”

“Cloud computing drives innovation and productivity across the economy, just as the electric grid did a century ago - yet it is more capable and dynamic.” This is the overriding message of Secrets From Cloud Computing's First Stage: An Action Agenda for Government and Industry, a report by Bill Whyman that was recently published by the Information Technology & Innovation Foundation (ITIF). As someone who’s long been following and writing about cloud computing, I found the report quite instructive. It includes a very good introduction to cloud computing, its economic impact and market dynamics, and the areas where cloud particularly excels. But it also addresses the key challenges that cloud must overcome to fully achieve its benefits, as well as the need for a policy agenda for cloud computing, a very important area that hasn’t received as much focus.

“Security and compliance can be better in the cloud than on premises, but automation and management are needed to achieve these benefits,” says Whyman. “The first question many customers ask when moving to the cloud is about security. Security in the cloud is now as good, or in many cases better, than on premises, as the CIO of CIA recently concluded. … The most security-conscious users around the world from intelligence agencies, defense ministries, and banks now rely on cloud computing.” Security remains a challenge for all, particularly small and medium businesses, “but these large and sophisticated organizations are demonstrating their confidence in cloud security by moving their workloads to the cloud.”

The cloud has introduced a new and different shared security model between the cloud provider and its customers. The cloud provider is responsible for securing its underlying infrastructure, while customers are responsible for the software, applications, and data that run on the cloud, as well as for their network connections to the cloud. “Cloud breaches have almost all been the fault of customers, not the CSPs,” said McKinsey in a recent report. Companies need to make sure that the security of their production workloads is properly implemented. Compliance guidelines, such as those offered by NIST and DHS, can help identify and remediate security vulnerabilities.

CSPs are continually improving the security of their platforms, with advances like zero trust architectures, monitoring software, encryption, logging, and configuration tools that offer customers a safe, predictable environment with pretested security. These advanced capabilities enhance the security of cloud platforms, but they require well trained, dedicated skills to be properly implemented. “Many common vulnerabilities are driven by misconfigured software, not keeping up with a changing IT environment, or customers simply not using available security features. Higher-level services that integrate prescriptive guidance, best practices, and security artifacts into easier-to-use packages would help customers take full advantage of cloud security.”

“The cloud is also well positioned to provide better tools that automatically detect and correct vulnerabilities. As the industry has created new defenses, adversaries have responded with new counter-techniques,” adds the report. “This ‘security leapfrog’ has created dozens of tools that have their own data formats, interfaces, and management tools. Integrating across these different tools will give customers a more complete view of their security posture. Automation built in to the cloud should also take over more of the continuous monitoring and management. This can make security more consistently deployed, up to date, and easier to use.”

But, while absolutely necessary, technology advances and best practices are not enough. The cloud’s “increasing pervasiveness and potent capabilities are drawing interest from government policymakers and administrators,” writes Whyman. In the report’s final section, A Policy Agenda for Cloud Computing, he outlines several key steps that governments should take to support the development and adoption of cloud-based cybersecurity. Let me summarize a few of these steps:

Federal Cloud Modernization Moon Shot. While some government agencies have already achieved cost savings and program benefits by moving to the cloud, too many still rely on older legacy systems. To significantly accelerate adoption, the report recommends a moon shot initiative to modernize all federal civilian workloads over a decade, targeting at least 10% of workloads a year, and setting agency-specific outcome goals such as number of target workloads and cost savings. Procurement rules should also be modernized so that new technologies like cloud are not penalized. “The CIO council and a modernization moon shot implementation office should provide biannual public progress reports to spur action across federal, state, and private-sector IT, as well as drive alignment with the large federal IT community. Based on these learnings, state legislators should also mandate that state CIOs do essentially the same.”

Spur Cloud Adoption by the Private Sector. The federal government should use its multiple policy levers to encourage broader adoption by the private sector, including:

  • the bully pulpit: highlighting the cloud’s impact on program outcomes with concrete examples;
  • standards and goals: leveraging the federal government’s massive IT operations and technology spending of well over $100 billion a year;
  • R&D partnerships: supporting the use of cloud in public research initiatives across universities, industry labs, and government research agencies;
  • small and medium businesses: including cloud resources and technical assistance in initiatives aimed at SMBs, such as NIST’s Manufacturing Extension Partnership; and
  • international trade agreements: ensuring that foreign ownership and operation of cloud is permitted, as well as enabling greater market access for foreign cloud providers.

Government-Industry Cybersecurity Collaboration Programs. “Cloud computing improves IT security, but also creates new challenges. As the cloud grows and becomes a more critical infrastructure that is concentrated in a handful of cloud providers, government concerns about security, resilience, and systemic risk will grow.” The federal government needs to deepen its relationship with cloud providers to better coordinate their work on cloud security and resilience. The report proposes regular government-industry reviews of cyber attack data, service outages, and compliance effectiveness, along with joint planning of protective actions. Such government-industry programs should also aim to simplify legal and compliance requirements and to continuously enhance security best practices.

Strengthen Cross-Border Data Governance. “Governments are increasingly interested and assertive in data governance, including data residency (also called data localization) and data sovereignty (compelled access to data by another government). … Of 29 surveyed OECD countries, 11 have some kind of data localization rules that require data be stored in-country, as do major non-OECD countries such as China, Russia, and Indonesia. Yet, it’s not economically viable for each country to have its own cloud. … Governments don’t need to localize data behind their physical borders to secure their data. The cloud provides granular controls so governments can isolate where their data is stored and who has access to it, as well as enforce and audit the controls.”

Promote Skills and Inclusivity via Public-Private Training Partnerships. “New technologies often create and destroy jobs, changing the pattern of employment. … Cloud computing presents an opportunity to train a broader set of people with new skills so that the benefits of technology growth are more widely shared. Communities that are not well represented in technology need greater access and participation. … The time is ripe for a national initiative on a public-private technology training partnership, accompanied by a G-7 summit with funding commitments to training, re-skilling, and inclusivity.”

This post was first published on Irving Wladawsky-Berger's Blog and his next blog is forthcoming.