Mark Twain’s fictional detective Pudd’nhead Wilson suggested “Put all your eggs in one basket, and watch that basket!”
Concentration creates opportunities for leverage, for both defenders and attackers. The decision of whether to concentrate your forces, or to split them up, is a classic military one. Not every approach is relevant for every situation. The infosec field has spent years debating the monoculture issue, asking whether the Internet has sufficient genetic diversity to ensure that entire virtual fields don’t fall over simultaneously. Those discussions need to be revisited in the context of cloud computing.
Greater concentration of customers and data in cloud-based services will lead to an overall higher level of protection, but when failures do occur, they could potentially result in huge levels of damage. When organizations assess the risk of using any particular XaaS offering, they are only concerned about the impact of a security failure or data loss on their own organization. This level of self-concern is understandable, but it leaves unaddressed a more profound and abstract question: “What would be the social/economic/national/global impact of an incident that affected all the customers of a major provider?”
The US Federal government is in the process of finishing what will likely be the most thorough form of cloud service risk analysis yet devised. Although FedRAMP risk assessment information will be shared between agencies, each will perform an assessment that only takes into account the risk to their own agency. The latest FedRAMP draft omits the question “what would be the impact on the entire government of a failure affecting all the customers of a widely-used service?” Some of the services that will be offered to the Feds are going to be delivered from semi-private clouds, limited to other government agencies.
Cloud Service Providers have astronomical expectations encompassing millions of customers and petabytes of data. The greater their success, the more they must be considered as a form of ‘critical infrastructure’. Is the security and reliability of these offerings a legitimate public policy concern?